SOURCE Conference Seattle
On October 12th and 13th I was given the opportunity to share some of my Domain Generation Algorithm (DGA) research with another SOURCE Conference audience, this time in Seattle, Washington.
Richard Thieme kicked off the conference with his talk entitled “Play Through the Pain? – The Impact of Forbidden Knowledge on Security and Intelligence Professionals” touching on the stresses associated with working in a field where you cannot discuss the details of your day’s work to anyone. I have had the pleasure of hearing Richard speak on this subject before at SOURCE Boston, and have only begun to understand the wealth of information he has on this topic. I look forward to hearing more from him in the future.
Next up was my own talk, “DGA Antivenom: Stopping New Configurations before Analysis,” on track one. For a few details on the presentation, take a look at my writeup from SOURCE Boston. I focused more heavily on some aspects for this audience and was able to answer a few questions in discussion at the end. Bryan Brake of the “Brakeing Down Security” podcast captured a photo of my presentation in progress.
— Bryan Brake (@bryanbrake) October 12, 2016
I was followed by “Adversary Analysis and Defenses Using Domain and DNS OSINT” by Tim Helming of DomainTools. It was a great pairing: my presentation covered one aspect of using DNS, and theirs covered pivoting off different information within DNS records, including historical records, to hunt and gain intelligence on threat actors.
The last presentation before lunch was from Shane Macaulay of IOActive. Shane’s talk focused mainly on memory forensics of cloud instances and some of the tools and techniques he uses to analyze them. For myself, once the tools come out, everything else fades into the background. He has an impressive set of tools available on his GitHub pages, K2 and ShaneK2.
Now let me take a moment to acknowledge and thank the food trucks of Seattle. Mmmmmmmm.
Following a satisfying lunch was an equally satisfying keynote from Masha Sedova of Salesforce, entitled “Expanding the Blue Team by Building a Security Culture Program.” I have firsthand experience of the Salesforce security culture as a guest, and three things are very clear when you visit: the security culture there is different, it is real, and it works. The magic behind it is the brainchild of Masha, a culture of security that is rewarding and fun for those who involve themselves in it.
If the keynotes and talks are the meat, the career development tracks are the potatoes of SOURCE Conference. The first potato was the Speed Networking session. Rob Cheyne, the conference organizer, leads a sort of mixer where you break off into randomly chosen pairs and answer some icebreaker questions. I enjoyed this before in Boston, and I was glad to see it again in Seattle. It turns “recognizable conference attendee number one” into that person who would travel the remote regions of the world if they had unlimited resources and time. It adds a character to the conference that I am very fond of.
The final keynote of the day was from Deidre Diamond, the founder of Cyber Security Network (CyberSN), on “Words to Stop Using Now.” The overview is that certain commonly used words disempower the people you are communicating with, whether you intend it or not. Sometimes it is the word itself, and sometimes using a synonym in the same context only softens the blow. It is difficult to avoid them, and in writing this particular paragraph I am making an effort to do so. It does not come easily, and the effort must be made in order to succeed. The overall goal is to speak so as to enable, or empower, others.
The last talks of the day were lightning talks, given by anyone who volunteered: short, five-minute talks on any subject. To quote Bill Nye, “Everyone you will ever meet knows something you don’t.” These lightning talks attest to that. Surrounded by security professionals, you already expect talks on security and business, but hearing talks on topics like bonsai and free climbing loosens up the atmosphere a little and gives you something else to talk about to break the ice.
The second day opened with remarks and then the first keynote, from Michael Roytman of Kenna Security. Michael went over a new project he had been working on related to Common Vulnerabilities and Exposures (CVE). He mapped the set of existing CVEs against those observed being used by adversaries and malware in the wild. After removing the CVEs that had been patched, he found that many of the CVEs being exploited today were first identified between 1996 and 2014. This revealed that, although patch management is much better now than it was, the old vulnerabilities still exist in deployed systems and are still being exploited today.
Next up was “At the Dawn of CET: Hunting Valid Gadget with Big Data” by Ke Sun, Ya Ou, Yanhui Zhao, and Xiaoning Li. In this talk we learned about Intel’s Control-flow Enforcement Technology (CET) and Microsoft’s Control Flow Guard (CFG). CET is designed to stop the class of exploits (return-oriented programming) in which the return address of the function being executed is overwritten with some other address while it is running, so that the attacker can take over the process. CET does this by keeping its own copy of return addresses on a hardware-protected shadow stack and comparing the two copies on every return; it also has an indirect-branch tracking mode in which an indirect jump or call must land on a special marker instruction (ENDBRANCH), so arbitrary addresses cannot be used as branch targets. CFG is a compiler and OS feature that must be enabled by the developer of a piece of software; it keeps track of the valid addresses a program may indirectly call and refuses any call to an address not on that list. CET is a hardware check and CFG a software one, and the two can be used together. The team’s research was focused on finding “valid gadgets,” pieces of code that remain usable as branch targets even when these protections are in place.
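As an added illustration (example code written for this writeup, not material from the talk or the authors), the following C program models the two checks described above. The first function scans a buffer of machine code for the ENDBR64 byte sequence (F3 0F 1E FA), which is what gadget hunting under CET indirect-branch tracking reduces to: only offsets that begin with that marker are legal landing pads. The second part simulates a shadow stack: the return address is written both to the ordinary (attacker-writable) stack slot and to a shadow copy, and the return is only allowed when the two agree. The byte buffer in main is constructed for the demo and does not come from a real binary; the shadow stack is a software model of what the CPU does, not the hardware mechanism itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENDBR64 encoding: under CET indirect-branch tracking an indirect jmp/call
 * must land on this instruction, so every valid gadget begins with it. */
#define ENDBR64_LEN 4
static const uint8_t ENDBR64[ENDBR64_LEN] = {0xf3, 0x0f, 0x1e, 0xfa};

/* Scan `code` for ENDBR64 and record up to `max_out` offsets in `out`.
 * Returns the total number of matches, even if more than max_out. */
size_t find_endbr64(const uint8_t *code, size_t len, size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + ENDBR64_LEN <= len; i++) {
        if (memcmp(code + i, ENDBR64, ENDBR64_LEN) == 0) {
            if (n < max_out)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* --- Shadow stack model (software simulation of the CET mechanism) --- */
#define SS_DEPTH 64
typedef struct {
    uintptr_t ret[SS_DEPTH];   /* shadow copies of return addresses */
    size_t top;
} shadow_stack;

/* Simulate a CALL: the return address goes into the ordinary stack frame
 * (`frame_ret_slot`, which an overflow can overwrite) and onto the shadow
 * stack, which only the CPU's call/ret logic updates. */
void ss_call(shadow_stack *ss, uintptr_t *frame_ret_slot, uintptr_t ret_addr)
{
    *frame_ret_slot = ret_addr;
    if (ss->top < SS_DEPTH)
        ss->ret[ss->top++] = ret_addr;
}

/* Simulate a RET: pop the shadow copy and compare it with what is now in
 * the ordinary frame. Returns 1 if the return is allowed, 0 if the CPU
 * would raise a control-protection fault (#CP). */
int ss_ret(shadow_stack *ss, uintptr_t frame_ret_slot)
{
    if (ss->top == 0)
        return 0;                       /* underflow: nothing to compare */
    uintptr_t expected = ss->ret[--ss->top];
    return expected == frame_ret_slot;
}

/* Demo of the ROP case: a legitimate call, then an overwrite of the frame's
 * return slot, as a stack overflow would do. Returns 1 if the shadow stack
 * catches the corrupted return, 0 otherwise. */
int demo_overwrite_is_caught(void)
{
    shadow_stack ss = {{0}, 0};
    uintptr_t frame_slot = 0;
    ss_call(&ss, &frame_slot, 0x401000);  /* assumed return address */
    frame_slot = 0x41414141;              /* attacker-controlled overwrite */
    return ss_ret(&ss, frame_slot) == 0;
}

int main(void)
{
    /* Constructed sample "code": two ENDBR64 markers among filler bytes. */
    static const uint8_t code[] = {
        0x90,                         /* nop */
        0xf3, 0x0f, 0x1e, 0xfa,       /* endbr64 at offset 1 */
        0xc3,                         /* ret */
        0x48, 0x89,                   /* filler */
        0xf3, 0x0f, 0x1e, 0xfa,       /* endbr64 at offset 8 */
        0x5d, 0xc3                    /* pop rbp; ret */
    };
    size_t offs[8];
    size_t n = find_endbr64(code, sizeof code, offs, 8);
    printf("%zu IBT-valid landing pads:", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf(" +%zu", offs[i]);
    printf("\n");
    printf("shadow stack caught overwritten return: %s\n",
           demo_overwrite_is_caught() ? "yes" : "no");
    return 0;
}
```

In a real hunt the scan would run over every executable section of every binary on a system, and the candidate list would then be filtered for gadgets that also end in a usable indirect branch and that CFG would accept as call targets; this is where the “big data” of the talk title comes in.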
Mike Shema of Cobalt.io followed with a presentation on “Evolving a Bug Bounty Program.” He touched on things like consistency in the rewards given and being firm about what determines how critical a bug is to you and your company. One thing I had never considered is that a reported bug may be less critical than it seems to the person who found it; you need to be able to acknowledge the finding without giving away details of your infrastructure while explaining why it is not as critical to you as they may think.
Then we had Sean Malone of FusionX presenting “Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency.” Sean’s work focused on taking the Cyber Kill Chain® and extending it past the point that is often misunderstood as the end of the line. Once an adversary reaches the internal network there are many strategies available to minimize damage, and not all attacks originate from the outside in the first place. The expansion adds a tree model that illustrates the different attack vectors used and the lateral movement from one compromised target to the next, giving a full overview of an attack.
Speaking of lateral movement, following another food truck lunch (Mmmmm) we had another session in the career development track: the Personal Development Panel, featuring Rob Cheyne (Big Brain Security), Richard Thieme (Thiemeworks), Masha Sedova (Salesforce), and James Wann (TUNE). The lateral movement I speak of is that everyone on the panel started somewhere other than where they are now. Stories of personal experience were shared, along with some other helpful tips.
— Mark Arnold (@lotusebhat) October 13, 2016
Following the Personal Development Panel, we had a talk from Rob Fuller of R5 Industries entitled “Attacker Ghost Stories – Revisited.” This was a themed presentation that always came back to a campfire slide, which I thought was great. Rob spoke on a range of security subjects that should be common knowledge in the security world but are often overlooked and ignored.
The last presentation was from Rob Cheyne of Big Brain Security. Rob taught us how he teaches security to others. Although I am a visual learner and teacher myself, his use of analogies to describe principles of security intrigues me. I always enjoy being able to teach concepts to others, and finding accessible analogies that everyone understands may help with that.