For the second year, I was fortunate enough to attend and present at BSides Austin 2016. This year had a larger turnout and some exciting presentations!
Ed Skoudis, from SANS, started off the first day with a great keynote.
Chester Wisniewski of Sophos gave an entertaining and informative presentation titled “Protecting your toys: Attempts at protecting the IOT.” He discussed his discoveries after researching devices that probably shouldn’t have an internet connection. My favorite part was his description of an automatic door lock that unlocks when a paired phone is within 200 meters. Chester said it’s a useful feature when bringing home groceries, but that it has its drawbacks, since he actually works just under 200 meters from his front door.
Thomas Arnold and Matt Bromiley from Mandiant presented “Purple Teaming: The Best of Both Worlds.” They discussed multiple attack techniques performed in a red team environment and effective blue team responses. The real world examples were smart and practical.
I presented some of my initial research into monitoring and detecting devices outside our networks, as well as quick deployment of intrusion detection systems in varied environments. The feedback was great, as it’s always nice to see how we differ in our approaches to security implementations.
Afterward, several attendees turned into presenters by giving impromptu talks on a variety of security topics. They were all great, but my favorite was a demonstration of the security risks of using Airbnb, either as a renter or a homeowner. It was more about the risks associated with physical device security and ownership of the data flowing over a personal network than about using the Airbnb website itself. The speaker listed suggestions for securing your network as a renter, and some of the activity renters could engage in if given physical access to your devices.
Michael Gough presented “Commodity malware means YOU! Let’s look at one called Dridex.” He went through the history of Dridex and previous variants, as well as mitigations that have worked in the past and potential fixes as that malware family continues to change. He also demonstrated the use of his product, LOG-MD, a promising tool that makes the life of an Incident Responder so much easier by simplifying log analysis and auditing across large environments.
Daniel Crowley of NCC Group presented “Rapid covert physical entry.” He introduced different locking mechanisms and methods for bypassing them while avoiding detection. This included door locks that aren’t typically seen when visiting your local lock picking table at a security conference.
Martin Brough gave a presentation titled “Modern crypto and you!” He explained how encryption works and the differences between acronyms such as SSL, TLS, PGP, PKI and more. He also touched on what may have happened with TrueCrypt when its developers suddenly ceased development amidst a potential government intervention. Cryptography is a difficult topic to condense into a 45-minute presentation, but he did a fantastic job of educating beginners and advanced users alike. It’s unfortunate the whole world can’t experience his talk, because encryption should be available, understood, and easy to use for everyone.
Monty St. John and Christopher Rogers of ATXForensics presented “Virustotal spelunking.” This was really interesting to me as I spend a good deal of time hunting with VirusTotal. Hundreds of thousands of potential malware artifacts are uploaded and analyzed daily on the VirusTotal website and many tools are available for mining that data. VT provides an easy-to-use API, and this presentation alerted me to the fact that I’m barely using it. I use Yara rules on VT to find malware that’s of interest to me or my team, and a Python script to batch download the samples it finds. But after seeing this presentation, I’ve begun developing new processes for analyzing network captures from active malware and to automatically analyze phishing emails on VT. Expect a blog post on this as soon as the process is more finalized.
The last talk I was able to attend was the one I’d been looking forward to most. Earl Carter of Talos presented the “Evolution of the Angler exploit kit.” He discussed his team’s research into the history of Angler EK, including direct work with a local ISP to watch not just the C2 servers, but also the management servers. He demonstrated analysis of various Angler components, revealing a possible change in ownership in the last year as well as new methods for delivering the ransomware to victims.
One great thing about the conference was that multiple people included unsolicited information on how they use OpenDNS as part of their security layering to mitigate incidents in their environments. I generally kept quiet so as not to take over anyone’s talk, but often spoke with people afterwards about some of the methods OpenDNS employs to provide predictive security for its users. We chatted about NLPRank, our system for detecting domain names used for phishing, some of our research into discovering websites that have been compromised with Angler, and a few techniques we use in an attempt to limit infections by Locky, the most current ransomware variant.
Thank you so much to BSides Austin for accepting my presentation and working so hard to educate the community!