BSides CHS 2023 Schedule


Saturday, Nov. 4 - Main Event

08:30 - 09:00

Registration

09:00 - 10:00

Keynote

Gerald Auger, Ph.D.

“What Game of Thrones Can Teach Us About Cyber Security”


Track 1 / Track 2

10:00 - 10:15

Break

10:15 - 11:00

Track 1: You sound confused - anyways, thanks for the jewels. Red Teaming with ML Models (Adrian Wood)
Track 2: Let's Talk About Risk, Baby! (Steven Cardinal)

11:00 - 11:45

Track 1: Shaping Passwordless Behavior with the WebAuthn PRF Extension (Casey Wilson)
Track 2: Cloud Security (Dale Rodriguez)

11:45 - 13:00

Lunch Break

13:00 - 13:45

Track 1: Conti Leaks and CARVER Analysis for Threat Intel Analysts (Will Baggett)
Track 2: The Hacker's AI Playbook: Unraveling the Impact of Artificial Intelligence on Social Engineering and Cybersecurity (James McQuiggan)

13:45 - 14:30

How I Learned to Stop Worrying and Build a Modern Detection & Response Program (Allyn Stott)

14:30 - 15:00

Break

15:00 - 15:25

Track 1: Connecting The Clouds: Tracking Lateral Movement Between Cloud Vendors (Cody Craig)
Track 2: Automating Supply Chain Application Security (Derick Beckwith)

15:25 - 15:50

Track 1: Analyzed Java Code Snippets: The Corpus (Hitarth Patel)
Track 2: How to build MITRE driven Response Playbooks? (Rob Gresham)

15:50 - 16:00

Wrapup

Talk Abstracts & Speaker Bios

Gerald Auger, Ph.D.

Dr. Auger is a 20+ year cybersecurity professional, academic, and author. He has been the cybersecurity architect at MUSC, a multi-billion dollar academic medical center. He has built cybersecurity programs from the ground up, educates as Adjunct Faculty in The Citadel Military College Cyber Sciences department, and fulfills the role of Chief Content Creator on the successful YouTube channel Simply Cyber. Dr. Auger is passionate about cybersecurity and has educated tens of thousands of students on the discipline. Dr. Auger holds a PhD in cyber operations and two Masters in Computer Science and Information Assurance.

“What Game of Thrones Can Teach Us About Cybersecurity”

In a realm where threats loom at every corner, where trust is a currency, and where the smallest oversight can lead to catastrophe, there is much to glean from the intricate tapestry of Westeros and the rich world of Game of Thrones. Drawing from two decades in the cybersecurity arena, this keynote presentation delves deep into the parallels between the worlds of "Game of Thrones" and today's cyber ecosystems. Just as the Houses of Westeros must continuously adapt to political and martial threats, organizations today must be agile in response to an ever-evolving cyber landscape. Participants will embark on a journey through the Seven Kingdoms, using pivotal moments and iconic characters from the series to illuminate key lessons in cybersecurity, and communicate valuable cybersecurity principles. In the realms of Westeros and cybersecurity alike, the night is dark and full of terrors – but with preparation and wisdom, one can navigate and overcome them.


Adrian Wood

Adrian Wood, aka threlfall, discovered a love for hacking from cracking and modding video games and from the encouragement of online friends. He has worked as a red team consultant for WHITEHACK, a company he founded, and later as a lead engineer for an offensive research team at a US bank, where he was very interested in appsec, container security, CI/CD security and also founded their bug bounty program. He currently works for Dropbox, working on their red team. In his free time, he enjoys playing saxophone, working on vintage cars, and fly-fishing.

“You sound confused - anyways, thanks for the jewels. Red Teaming with ML Models”

Machine Learning is the new hotness, full of interesting attack vectors. For instance, did you know ML models can contain malware, and still function as a normal model?

This presentation demonstrates how I have distributed malware using undocumented, novel techniques compromising some of the largest companies in the world, one of which I discovered entirely unintentionally! Additionally, I will show you how to write ML malware and how to distribute it. You'll see a demonstration on how to loot the machine learning environments. And finally you'll learn how I developed a technique allowing me to avoid detection and what you can expect to find post-compromise.

All the work done will be released as open source code to help you do the same so you can try out your own ideas and to help secure your organization, as well as advice on mitigation and prevention.


Steven Cardinal

Steven Cardinal is an experienced, customer-focused information technology and security professional with expertise in establishing, implementing, and monitoring information security programs, including risk assessment, vendor management, architecture, security awareness and training, policy development, and system standards and baselines. Mr. Cardinal’s work prior to Soteria includes serving as Manager, Security Technology and Interim CISO at the Medical University of South Carolina, Sr Engineer at Centurum, and VP of IT and Security at Adheris.

“Let’s Talk About Risk, Baby!”

Every great security framework starts with understanding risk, and yet so many organizations barely get past the thumb-in-the-wind method of "yeah, we kinda know where our big risks are". They look at things like the RMF, shudder, and close the PDF.

Getting started with risk assessments doesn't have to be painful. In this talk we'll discuss some simple ways to get started with identifying and measuring risk that you can knock out in a couple hours.

Don't let your security program wallow because you're focusing on the wrong priorities.


Casey Wilson

Casey Wilson is a senior software engineer with BusinessLoans.com. Prior to BusinessLoans.com, he served as lead developer at Call Experts. Casey has also spent time teaching as both an adjunct professor at the Citadel and a JRS Coding School instructor at the Harbor Entrepreneur Center. While earning his master of science in computer and information science at the College of Charleston, he was a graduate research assistant for both software development and intrusion detection.

“Shaping Passwordless Behavior with the WebAuthn PRF Extension”

Despite the fact that password and credential compromise are the primary culprit for cybersecurity incidents, and that mature and widely available authentication technology exists to replace password-based authentication, "passwordless" technology has mostly failed to replace username/password based authentication methods for most use cases. The hurdles most often cited are challenges related to user education, convenience, and willingness to use a new technology. One promising technology that provides "passwordless" capability to web users almost ubiquitously is the Web Authentication (WebAuthn) web standard implemented in modern browsers. WebAuthn has existed since 2016, but two technologies have recently emerged within the scope of WebAuthn that have the capability to increase user and website adoption: passkeys - a software based asymmetric authentication device, and the WebAuthn pseudo-random function (prf) extension, an experimental extension to the WebAuthn specification that allows creation and storage of symmetric keys using an authenticator device.

Most community focus has been on passkeys, but this talk focuses on the PRF extension. Specifically, this lecture will make the argument that the prf extension could help solve the hardest problem for passwordless, user adoption, by creating a WebAuthn-based flow to initiate a secure password-based login. This allows a gradual reshaping of user behavior that could act as a necessary intermediary set of behaviors to comfortably transition users from password-based to passwordless authentication methods. In this flow, a user's passwords are end-to-end encrypted with data derived from and stored in a user's authenticator device. This creates an intermediary step that allows WebAuthn to act as a secure password manager, while having a user perform a "passwordless" flow that first authenticates via WebAuthn, then decrypts passwords client-side in the same flow. The combination of a password-based login with a WebAuthn secured authentication flow could provide a transition step for users to feel confident to adopt a fully passwordless approach in the future.


Dale Rodriguez

Dale Rodriguez is an Enterprise Sales Engineer at Sysdig. Having roles in Product Management, Systems Engineering, and Technical Account Management allows Dale to understand technology from various areas. Dale also uses this experience to leverage his idea of "Happiness Engineering" (The idea of making tech easy, while making people laugh and smile) to create a more positive outlook on technology. Outside of work he is a father, beach bum, anime fan, poet, and foodie who loves travel.

“Cloud Security”

This conference session will share how cloud native security is different from other areas of security.


Will Baggett

From Tega Cay, South Carolina, Will Baggett will discuss how the InfoSec community can apply the CARVER methodology and principles to processing breached data from advanced persistent threats and ransomware groups. Will draws from his experience as a former CIA officer specializing in Technical and HUMINT Operations and NATO SOF Cyber Security SME to apply the battlefield triage mindset to critical Cyber Threat Intelligence duties. The methodology does not rely on third party vendor tools or subscriptions, but rather builds awareness of which data in a corporation is critical and how exposed it is.

“Conti Leaks and CARVER Analysis for Threat Intel Analysts”

In 2022, the Conti ransomware group's inner chat room discussions were leaked by a dissenting member of the group due to the Russian invasion of Ukraine. As a former intelligence officer, I applied the CARVER vulnerability assessment model to the leaked data to rapidly assess the potential risk posed to my large financial firm's enterprise model. This talk will share the methodology applied and the steps taken to maximize the intelligence value of this rare event.


James McQuiggan

James McQuiggan has over 20 years of experience in cybersecurity. He is currently a Security Awareness Advocate for KnowBe4, where he is responsible for amplifying the organization's messaging related to the importance of, effectiveness of and the need for new-school security awareness training within organizations through social media, webinars, in-person presentations, industry trade shows and traditional media outlets. McQuiggan is also a part-time faculty professor at Valencia College in the Engineering, Computer Programming & Technology Division. Within the Central Florida community, he is the president of the (ISC)2 Central Florida Chapter and a member of the ISC2 North America Advisory Council.

“The Hacker’s AI Playbook: Unraveling the Impact of Artificial Intelligence on Social Engineering and Cybersecurity”

Artificial intelligence (AI) revolutionizes multiple industries, providing unprecedented automation, analytics, and decision-making capabilities. However, the rapid advancements in AI technology have also led to the emergence of sophisticated social engineering attacks, posing significant challenges to individuals, businesses, and governments. This presentation will explore the impact of AI on social engineering, highlighting the potential benefits, dangers, and strategies for defending against these new-age threats.


Allyn Stott

Allyn Stott is a senior staff engineer at Airbnb on the infosec technology leadership team, where he works on threat detection and incident response. Over the past decade, he has built and run detection and response programs at companies including Delta Dental of California, MZ, and Palantir. Red team tears are his testimonials.

“How I Learned to Stop Worrying and Build a Modern Detection & Response Program”

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).

Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern day attackers. But there’s a lot of challenges in the way: alert fatigue, tools are expensive, hiring talent is impossibly difficult, and your current team is overworked from constant firefights.

How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?

This talk addresses the lack of a framework, which has led to ineffective, outdated, and after-thought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.


Cody Craig

Cody Craig is a Senior Incident Responder at Mitiga. In this role, he has the unique opportunity to both respond to cloud-based attacks and proactively threat hunt for them. Prior to being at Mitiga, Cody worked in various roles that all focused on blue team efforts with a heavy focus in incident response and digital forensics. Throughout these years of work, he was able to obtain GCIH, GCFA, and GNFA certifications along with being a member of the SANS Advisory Board. Cody has a passion for teaching, mentoring, and collaboration as he does not believe that he would be where he is today without having both great teachers and mentors. Because of this, you can routinely find him at Charleston Infosec monthly meet-ups looking to interact with anybody interested in cyber security.

“Connecting The Clouds: Tracking Lateral Movement Between Cloud Vendors”

This presentation will discuss the challenges in tracking a threat actor that moves between different cloud vendors and how we can overcome those challenges. During this presentation, I will also highlight how there are some similarities when tracking lateral movement in the cloud versus on-premise environments, but there are also a lot of differences. The presentation will use the example of a threat actor gaining access to Microsoft My Apps and then using it to jump to another cloud vendor, GitHub. During the talk, we will discuss the challenge when attempting to track this movement along with scoping an attack that leverages two log sources that might not have the same columns or even contain the same IP address and user name. This presentation will give incident response teams insight into what they will need to do proactively in order to be successful during a breach that involves multiple cloud vendors. While tracking lateral movement is well documented, unfortunately, the same cannot be said for understanding cloud logs and their configurations.
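
An added example (not the speaker's material) of the join problem the abstract raises: a Microsoft Entra ID (My Apps) sign-in to the GitHub application and the GitHub organization audit log use different column names, and the GitHub side may record a different source IP or none at all, so the join has to run on a mapped identity plus a time window rather than on IP or user name. The events below are constructed for illustration, and the UPN-to-GitHub-login mapping is an assumed artefact the responder has to obtain from SSO or SCIM provisioning data before the incident.

```javascript
// Added example, not part of the talk. Sample events are constructed;
// field names follow the Entra sign-in log and GitHub audit-log schemas.

// Entra ID sign-in log (subset of fields).
const entraSignIns = [
  { createdDateTime: "2023-11-04T14:02:10Z", userPrincipalName: "alice@corp.example",
    ipAddress: "203.0.113.10", appDisplayName: "GitHub", status: { errorCode: 0 } },
  { createdDateTime: "2023-11-04T14:05:00Z", userPrincipalName: "bob@corp.example",
    ipAddress: "198.51.100.5", appDisplayName: "Salesforce", status: { errorCode: 0 } },
];

// GitHub organization audit log ("@timestamp" is epoch milliseconds in the API).
const githubAudit = [
  { "@timestamp": Date.parse("2023-11-04T14:03:40Z"), action: "org.add_member",
    actor: "alice-corp", actor_ip: "203.0.113.10", org: "corp" },
  { "@timestamp": Date.parse("2023-11-04T14:04:30Z"), action: "repo.download_zip",
    actor: "alice-corp", actor_ip: "198.51.100.77", repo: "corp/payments" },
  { "@timestamp": Date.parse("2023-11-04T14:04:45Z"), action: "repo.create",
    actor: "carol-gh", actor_ip: "192.0.2.9", repo: "corp/scratch" },
  { "@timestamp": Date.parse("2023-11-04T15:30:00Z"), action: "repo.destroy",
    actor: "alice-corp", actor_ip: "203.0.113.10", repo: "corp/payments" },
];

// Assumed mapping from directory identity to GitHub login (from SSO/SCIM data).
const identityMap = { "alice@corp.example": "alice-corp", "bob@corp.example": "bob-corp" };

// Normalize both sources to one schema so the join logic is source-agnostic.
function normalizeEntra(e) {
  return { ts: Date.parse(e.createdDateTime), source: "entra", identity: e.userPrincipalName,
           ip: e.ipAddress, action: "signin:" + e.appDisplayName, ok: e.status.errorCode === 0 };
}
function normalizeGitHub(e) {
  return { ts: e["@timestamp"], source: "github", identity: e.actor,
           ip: e.actor_ip || null, action: e.action, ok: true };
}

// For every successful My Apps sign-in to GitHub, collect GitHub actions by the
// mapped login within `windowSec`. IP mismatch is reported, never used as the
// join key: the GitHub side may show a different egress address or none.
function correlateCrossCloud(signIns, audit, idMap, windowSec = 600) {
  const gh = audit.map(normalizeGitHub).sort((a, b) => a.ts - b.ts);
  const hits = [];
  for (const s of signIns.map(normalizeEntra)) {
    if (!s.ok || s.action !== "signin:GitHub") continue;
    const login = idMap[s.identity];
    if (!login) continue; // unattributable; a real investigation surfaces these separately
    for (const g of gh) {
      if (g.identity !== login) continue;
      const deltaSec = (g.ts - s.ts) / 1000;
      if (deltaSec < 0 || deltaSec > windowSec) continue;
      hits.push({ upn: s.identity, login, action: g.action, deltaSec,
                  signInIp: s.ip, githubIp: g.ip, ipMatch: g.ip !== null && g.ip === s.ip });
    }
  }
  return hits;
}

// One timeline across both vendors, flagging where the source address changed.
function timeline(hits) {
  return hits.map(h => `+${h.deltaSec}s ${h.upn} -> ${h.login} ${h.action}` +
                       (h.ipMatch ? "" : ` (IP changed: ${h.signInIp} -> ${h.githubIp})`));
}
```

On the constructed data the join attributes two GitHub actions to alice's sign-in, the second from an address the Entra log never saw, and drops the unmapped `carol-gh` event and the `repo.destroy` outside the window. The window width and the identity map are the two inputs worth preparing before an incident; without the map the GitHub side cannot be tied to a directory user at all.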


Derick Beckwith

Derick Beckwith leads the engineering team at Soteria, a Cybersecurity firm headquartered in North Charleston, SC. He enjoys leading small teams to build innovative solutions using software and has a masters degree in software engineering from Auburn University. Derick also has some experience teaching in the computer science department at Charleston Southern University as an adjunct professor, as well as volunteering on the CSU Industry Advisory Board, which advises the faculty on needs of local Cybersecurity and technology companies. He has lived in the Lowcountry for almost his entire life and this is his second year attending BSides Charleston.

“Automating Supply Chain Application Security”

As companies use more open source code in their products, preventing supply chain attacks continues to be a critical element of application security. The Log4Shell vulnerability was one such example that illustrated just how disastrous exploits of supply chain vulnerabilities can become. In this talk, we discuss strategies, tools and solutions that can be leveraged to build automation into the DevSecOps process so that supply chain attacks are prevented at the commit stage of development.


Hitarth Patel

Hitarth Patel, a tech enthusiast driven by a passion for cybersecurity, has carved a path through the digital realm. With a swift 2.5-year tenure as a Penetration Engineer/Tester at StrongCrypto Innovations (SCI), and a preceding 2-year stint as an AppSec engineer at CACI, Hitarth's journey reflects his unyielding dedication to the craft. Armed with a bachelor's degree in Computer Science, he now sets his sights on elevating his prowess through a master's in Information Security Engineering.

“Analyzed Java Code Snippets: The Corpus”

Static Code Analysis is a tried-and-true approach for identifying vulnerabilities in source code. However, it grapples with a significant Achilles' heel – the abundance of false-positive outcomes. These misleading results demand precious time and resources for resolution, diverting attention from addressing actual vulnerabilities. In response, this research undertook the creation of a comprehensive corpus. This corpus forms the foundation for the development of a machine-learning model, which holds the promise of separating genuine vulnerabilities from false alarms. Given the scarcity of available datasets for this project, the primary thrust is dedicated to the meticulous creation of datasets that will serve as the lifeblood for the machine-learning model. This paper serves as a guiding blueprint, charting the course for future research endeavors geared towards refining vulnerability detection.


Rob Gresham

Rob's remarkable 20-year voyage in IT and cybersecurity showcases him as a steadfast guardian in the digital world, adeptly constructing formidable cybersecurity teams and managing critical incidents with skilled finesse. His multifaceted expertise spans from strategic security architecture to detailed forensics and forward-thinking threat intelligence, making him an invaluable asset in complex civil and criminal investigations. Beyond the battlefield, Rob is a dedicated mentor nurturing aspiring cybersecurity minds. Presently, he's making waves at Cisco, steering key explorations in Security Investigation, Automation, and Response, following impactful tenures at industry titans like Splunk, Phantom, McAfee, and Intel. His resume is not just corporate; Rob's profound consultancy for the U.S. military branches punctuates a 26-year service record, rounding off with his impactful role in the National Guard. Equipped with a degree from Regis University and a host of top-tier certifications such as CISSP, GSDA, GCIH, and GCIA, Rob continues to embody a relentless pursuit of cybersecurity excellence.

“How to build MITRE driven Response Playbooks?”

Embark on a cybersecurity adventure where MITRE is your initial guide, not your only tool. When digital alarms sound, it's not about isolated actions but leveraging an arsenal of expert strategies and playbooks. Here’s the twist: entering Generative AI, the game-changer in Security Operation Centers (SOCs). Although integrating AI can be as unpredictable as teaching feline tricks, the real magic unfolds when we overhaul our runbooks into precise, modular playbooks. These power tools, focused on results and primed for automation, are set to revolutionize your cyber strategies. So, buckle up! We’re on a mission to decode seamless, structured, and essentially hallucination-free automation, turning your SOC tasks into a streamlined cyber crusade.