BSidesAugusta 2024

07:45
07:45
45min
Doors Open / Check-in

Grab your badge and freebies, then check out the CTF, exhibitors, lock pick village, and raffle table.

Track 1
08:30
08:30
30min
Opening Remarks

Live in Track 1, Simulcast in Tracks 2-4
Remarks will be delivered by BSidesAugusta staff and special guests.

Track 1
09:00
09:00
60min
Keynote Address
Robert M. Lee

Live in Track 1, Simulcast in Tracks 2-4

Evolving Cyber Threats to Industrial Systems: Understanding Trends and Applying Controls

Robert M. Lee will share the latest updates to the Dragos OT Cybersecurity Year in Review, the most comprehensive report on cyber threats facing industrial organizations today and trends shaping tomorrow. Robert will share details on the TTPs used by the most active OT threat groups, including VOLTZITE, which overlaps with Volt Typhoon. Robert will also detail FrostyGoop, the 9th ICS-specific malware and the first that uses Modbus TCP communications to achieve an impact on OT—as seen in a January 2024 Ukraine cyberattack that left 600 apartment buildings without heat. Audience members will hear success stories of how industry, government and the vendor community collaborated for collective defense to get ahead of some of the most sophisticated, cross-sector OT threats ever seen. These threats include PIPEDREAM, and the Rockwell ControlLogix vulnerability and APT exploit. Also shared will be incident response insights, steps organizations should adopt to protect against these threats, and how to operationalize defensive recommendations and mitigation strategies to reduce the overall risk to ICS/OT environments.

Keynote
Track 1
10:00
10:00
60min
Are Vulnerability Scanners Dead? Transcending CVEs for Vulnerability Management
Brian Contos

In the 1800s, lamplighters were employed to light gas streetlights that had replaced the previous generation of candles and oil lamps. However, with the advent of incandescent lighting and the automation provided by electricity, lamplighters became largely obsolete.

For decades, we’ve relied on vulnerability scanners to assess our assets and generate reports containing IP addresses and their associated CVEs. CVEs add value but only represent a subset of your risk exposure. They completely miss critical variables such as the presence and state of endpoint IT management and security controls, making them largely obsolete when relied upon in a vacuum.

This reliance on CVE data leads to a distorted view of an asset's risk level, making it difficult to prioritize remediation efforts accurately. This also negatively impacts overall organizational risk, while the sheer volume of CVE data wastes time, money, and resources.

Does it matter how many CVEs you detect if the device has no controls to remediate them? A modern approach to vulnerability management must transcend the realm of CVEs and encompass exposures related to environmental vulnerabilities. These include gaps like missing endpoint controls, outdated or non-communicative controls, and misconfigurations.

When it comes to CVEs, in many cases, CVE data can be pulled directly from IT management and security controls that you already have installed on your endpoints. This negates or greatly reduces the value derived from a traditional vulnerability scanner, which, by its nature, can also be risky to run and onerous to operationalize as part of an integrated vulnerability management strategy. Regardless of where the operating system and application CVEs are derived, they must be correlated with environmental vulnerabilities.

After correlating CVEs and environmental variables, your vulnerability management strategy can be taken to the next level. Risk prioritization can include identity data and business context enrichment by linking assets with regulatory mandates, critical systems, supply chains, geographic regions, business units, etc.

With this level of accuracy in risk prioritization, automated ticketing and response integration capabilities can be efficiently and effectively leveraged with the understanding of which risks may be mitigated or are already being mitigated by existing IT management and security controls. Finally, your vulnerability management strategy can be more formally operationalized with real-time remediation validation to ensure that what was stated as being fixed was actually fixed and stays fixed, as well as metrics to measure the effectiveness of your remediation efforts.

Attending this presentation will allow audience members to answer these questions.
• Do I still need a vulnerability scanner for effective vulnerability management?
• What needs to be correlated with my CVEs for accurate risk prioritization?
• How can I improve my alerting and response capabilities to include remediation validation?
• What metrics can I derive to measure effectiveness and improve my vulnerability management strategy?

Track 2
10:00
405min
Defend the Airport CTF

You are new to the Airport IT staff at the IG International Airport Network Operations Center,
working your first holiday travel weekend. It has been a busy day managing the network with the
control tower reporting several small glitches. No alerts have been raised in the network, and
the glitches appeared to have been easily handled.

While taking your last break of the day, you decide to take a short walk around the concourse to
watch the sun set. Suddenly, your cell phone rings and the voice on the other end is a panicked
Control Tower Operator. A short time earlier, the tower had observed the runway lights turn off,
come back on, and are now randomly blinking. They also mentioned the Operator HMI (Human
Machine Interface) controlling the Runway Lighting system is non-responsive and they are
locked out of the Maintenance HMI to reboot the system. Time is critical – without the lights, the
planes circling the airport cannot land. With limited fuel stores, the planes are unable to divert to
another airport.

You sit down at your terminal to pull up the maintenance manual and troubleshoot the problem
only to discover you are locked out of your account. You are suddenly relieved that
management would not let you deploy security updates to the network because they feared
service interruptions may occur.

Once you regain access to the system and have all the reference material available, you bring
up the control logic for the runway lighting system on one screen and the HMIs on another and
quickly realize this is not a normal system failure. An unknown hacker or hacker group has
accessed and taken control of the system. They have manipulated the PLCs (Programmable
Logic Controllers) and impacted the HMIs.

Time is of the essence to restore operation to the Runway Lighting control system before the
planes run out of fuel.

Welcome to an IG Labs Cyber Capture The Flag (CTF) event where you will focus on the
essential Airport Runway Light SCADA/ICS system. Your mission, should you choose to accept
it: investigate the intrusion and restore control over the runway lights and the HMI. It is a race
against time to secure this critical infrastructure. Can you and your team rise to the occasion
and bring back normalcy to the airport?

Approximate amount of time to complete the activity: 30-45 minutes
Approximate skill level (beginner, intermediate, advanced): All Skill Levels
Equipment needed: None (all equipment is provided)

To register on the day of the conference, stop by the IG Labs table on 1st floor.

Track 6 - Defend the Airport CTF
10:00
60min
Kerberos Abuse: The Adventure Never Ends
Alberto Rodriguez

Do you attack or defend Microsoft/Entra ID ecosystems? If so, this talk is for you!

Join us for an adventure into the world of Kerberos exploitation in 2024. We'll explore common abuse scenarios, uncover some lesser-known exploitation techniques, and wrap up by open-sourcing a practice range for honing your Kerberos skills.

Track 1
10:00
300min
Modifying Impacket for Better OpSec
Ryan O'Donnell

Operational security (OpSec) is a cornerstone in red teaming, necessitating continuous refinement of tools and techniques to avoid detection. This workshop is designed for penetration testers, aspiring red teamers, and individuals seeking to enhance their offensive capabilities. It focuses on customizing the Impacket toolset to improve OpSec during engagements.

Impacket tools such as wmiexec, smbexec, and secretsdump are staples in the toolkit of any red teamer due to their versatility and flexibility in Windows environments. However, their detectability has increased as defensive measures have become more sophisticated. This session proposes modifications to these tools to avoid default IOCs and detections.

Participants will explore various customization strategies, including changing default settings, altering network signatures, and integrating stealthier execution methods. Practical exercises will guide attendees through the process of modifying the Impacket scripts, demonstrating how these changes can significantly enhance operational security in simulated environments.

Attendees will gain hands-on experience modifying the Impacket tool set to remove common IOCs. The workshop aims to foster a deeper understanding of both the tools and the underlying network protocols, enabling participants to tailor their approaches to specific operational contexts and defensive landscapes.

The workshop will run from 10AM - 3PM with a break for lunch 11:45-12:30.

Track 5 - Workshops
10:00
60min
PROMPT INJECTIONS V1T4L V3RN4CUL4R V3RB0S3LY V3X1NG
Kyle Meyer

As LLMs make their way into every web application and process, companies are adding new attack vectors and thereby increasing overall risk. According to OWASP, prompt injection is the top risk for LLMs that offer a chat feature, and prompt injections can be broken down plainly into 10 distinct types. Balancing the bot’s desire to be helpful with adherence to company policy is a challenging task. Threat actors exploit this conflict, along with other inherent coding vulnerabilities, to generate malicious responses.
This presentation will give you an inside look at how LLMs come to their conclusive answers, how we as hackers look to find manipulation techniques, and the unfortunate consequences companies will face in the future. We can create a library of example prompts to attempt malicious actions against all language models. Just like current coding vulnerabilities, there will be variation in success, but the fundamentals are the same. Combining multiple prompt injection types from the distinct 10 increases the malicious prompt’s likelihood of success. Utilizing skills similar to those of an author or artist and a little bit of programming knowledge, anyone can be an LLM hacker.

Track 3
10:00
405min
RunCode CTF

Our CTF sponsor is the local RunCode.ninja team, who will be hosting the BSidesAugusta CTF from the Track 4 room. This CTF will present a number of challenges which are sure to challenge noobs and greybeards alike! Come join the RunCode team and hack all the things! Watch the RunCode.ninja (@runcode_ninja) social media for teasers and more information.

No additional registration is required. Bring your own laptop if you want to participate.

Track 4 - RunCode CTF
11:00
11:00
15min
Hallway Con

Break

Track 1
11:15
11:15
30min
How to Strategically Build a Cyber Community: Lessons from the Chessboard
Thomas Scott

In this insightful presentation, delivered at the 2024 Vigitrust Global Advisory Board meeting in Dublin, Tom Scott draws strategic parallels between the game of chess and the dynamics of building and nurturing cyber communities. The abstract concept of chess—wherein each piece plays a distinct role, moves are strategically planned, and the overarching goal is clear—mirrors the foundational principles required to cultivate a successful cyber community.

The talk outlines a comprehensive framework for community leaders aiming to enhance engagement, collaboration, and governance within cyber networks. Key focus areas include defining clear community objectives, understanding and utilizing the strengths of each member, establishing robust rules and guidelines, and implementing adaptive engagement strategies to respond to evolving challenges and opportunities.

This presentation not only provides a step-by-step approach to developing a thriving cyber community but also emphasizes the importance of leadership, participation, and long-term planning. The strategic insights offered aim to empower attendees to apply these principles within their organizations, fostering environments that are not only secure but also resilient and forward-thinking.

Track 2
11:15
30min
Mischief Managed: Conjuring Google App Scripts
Andrew Gomez, Jake Coyne

In this talk, we’ll shed light on the dangers of Google Apps Scripts to enterprises in a default Google Workspace. We’ll provide an overview of how Apps Scripts can gather data, harvest credentials, and elevate privileges, and how Google Workspace admins can abuse Data Loss Prevention policies to gather any data in Google Workspace. The talk will conclude with how to detect and mitigate these types of attacks.

Track 1
11:15
30min
TPM Next Steps
Walt Schell

You've read all the introductory material about TPMs, and now you want to start using them in code. This talk gives starter examples in Golang to help get you off the ground.

Track 3
11:45
11:45
45min
Lunch

Enjoy lunch provided by Chick-fil-A! A vegetarian option will also be available.

Track 1
12:30
12:30
60min
Data On Demand - Part Deux: Managing an AI Privacy Program at Startup Speed
Matt Domko

"Building an AI product for the everyday person is challenging - doing it in a privacy focused way is nearly impossible without support from the right people." - This session expands on a talk I gave at the DC32 Crypto Privacy Village, and demonstrates the value of getting things right from the beginning (and the struggles you face if you don't). We'll cover updated privacy pipelines, additional guardrails, and some policy suggestions that will keep you out of the news.

Track 3
12:30
60min
Forensic Analysis of Compromised VPN Appliances by Advanced Actors
Fernando Tomlinson

VPNs, intended to provide secure access, are a prime target for advanced attacks. This talk arms DFIR practitioners with essential techniques for analyzing intrusions where VPN access was the initial entry point. Attendees will gain a deeper understanding of how threat actors exploit VPN vulnerabilities, bypass authentication mechanisms, and deploy malware. We will dive into real-world case studies, noting actionable indicators of compromise (IOCs) specific to VPN-related attacks, focusing on unusual network traffic patterns, privileged account abuse, and persistence techniques. Attendees will leave with actionable insights for improving incident response processes, developing threat intelligence, and proactively hardening VPN defenses.

Track 1
12:30
60min
From HiatusRAT to Cuttlefish: the evolution of nation-state router malware
Danny Adamitis

The one-upmanship just keeps on coming. Last year we presented our research on the HiatusRAT malware, which infected small office/home office (SOHO) routers belonging to selected targets and quietly stole access credentials for use against downstream systems. Now we'd like to present our latest research on a new malware that appears to have been written by the same authors, showing enhanced function and a greater threat, as it appears to have been designed for environments where TLS has increasingly been adopted and assets are protected in the cloud. Cuttlefish is stealthy, and sits passively on the router until it sees the conditions it was made for, either sniffing traffic or hijacking DNS and HTTP requests to steal authentication material it can use to enter systems downstream of the infected device. This talk will address the roots of the malware design, how it was discovered and how it performs each of its tasks, including the weaponization of stolen credentials. I'll discuss the infection pattern, timeline, and what you can do to protect yourself against this or similar infections.

Track 2
13:30
13:30
30min
From Pseudo-Anonymity to Attribution: Extracting Genuine IP Data from RDP to Map Attack Strategies
Andreanne Bergeron

As researchers focusing on attacker behavior, we often face the challenge of uncovering the true identities of cyber attackers who employ sophisticated anonymity tactics. Although IP addresses can offer vital clues, the task of accurately tracing attacks to specific nations is complicated by the attackers' extensive use of proxies.

To explore the prevalence of proxy use among attackers, we devised an innovative strategy. We set up a honeypot network comprising Windows servers with exposed RDP (Remote Desktop Protocol) access. Over a three-year period, this setup generated an extensive dataset of over 190 million events.

With the aid of our Monster-in-the-Middle tool, PyRDP, which provides exceptional monitoring capabilities, we scrutinized the RDP protocol to extract genuine source IP information from the protocol's metadata. By contrasting these authentic source IP addresses with the falsified ones, we uncovered notable differences in the geographic origins of the attackers. Predictably, the real source IPs frequently revealed locations different from those initially suggested.

This analysis enabled us to gain insights into the various attack strategies based on the geographic origins of IP addresses. Additionally, our study unearthed evidence of hacking tools being shared across borders, hinting at potential international collaboration in cyberattacks. This presentation will elaborate on these methodologies, offering evidence of cross-country alliances in cyber threats.

Through our research, we aim to enhance the understanding of global cyber threats, highlighting the cooperative nature of contemporary cyberattacks.

Track 2
13:30
30min
Suricata: Detect. Alert. Log
Jeff Lucovsky

This talk will present Suricata at an overview level and how Suricata can alert and provide forensic data for incident responders and threat hunters.

Track 3
13:30
30min
Widening Our Lens on OSS: Insights from a Submission to the National Cyber Director
Kelley Misata

Open-source software (OSS) is foundational to government, business, and personal technology sectors, highlighting its critical role in the digital ecosystem. This talk provides insights from a comprehensive submission to the National Cyber Director's Request for Information (RFI) on the security challenges of OSS. We will review key points from the submission, including proposed policies and frameworks.
Our discussion will cover:
- The Importance of OSS in Various Sectors: Understanding the pervasive role of OSS in government, business, and personal technology.
- Not-So-Obvious Security Challenges: An in-depth look at the specific security issues facing OSS, including vulnerabilities, supply chain risks, and maintenance challenges.
- The Messy Human Factors: The role of contributors, maintainers, and the broader community in ensuring OSS security.
- Finding Balance: Strategies for maintaining the openness and collaborative benefits of OSS while implementing effective security measures.

Join us for an informative exploration of OSS security, where we will share insights, discuss challenges, and propose solutions to safeguard the integrity of OSS in our increasingly digital world.

Track 1
14:00
14:00
15min
Hallway Con

Break

Track 1
14:15
14:15
60min
Can Compliance Drive Security Now?
Ken Orwig

Compliance-driven security programs have traditionally been plagued with weak 8-character passwords, missing security controls (because they are not required), and incomplete implementations of tools like FIM and DLP. In the wake of the Securities and Exchange Commission’s Cybersecurity decision last year, the game may have changed. Let’s talk about closing the loop on Compliance, Risk-Management, and Cybersecurity in a way that will help you build buy-in with the business and the Board to establish cybersecurity as a business imperative and accomplish your program goals.

Track 3
14:15
60min
Hunting Fileless Malware with Tree-Sitter
David McDonald

Obfuscated, fileless malware poses a significant challenge to automated detection systems and wastes valuable time during manual analysis. This challenge occurs as the many layers of obfuscation must be unraveled before the true malicious payload is revealed. In this talk, research will be presented that demonstrates how the tree-sitter parser generator library can be used to write scalable, accurate, and attributable detections for malicious PowerShell payloads, as well as tooling for deobfuscating these scripts. We will demonstrate the effectiveness of these tools across a number of obfuscated scripts, including ones seen in the wild during real-life incident response engagements.

Track 1
14:15
60min
Using ChatGPT to Write Defensive & Offensive Tools for ICS/OT & IT
Michael Holcomb

During the work on my SANS Master's thesis, I realized two things: I am not a developer and ChatGPT makes a pretty good one. Using ChatGPT to write the Python scripts for my research, I started to branch out and use it to write defensive tools such as for identifying unknown assets on the network as a listening service or offensively such as when taking a PLC out of Run mode remotely. If you can think through the process, ChatGPT (or other GenAI) can help you make it a reality. Want to Live off the Land and don't want to download a Python script which might be spotted? Use ChatGPT to convert it to PowerShell on the spot! Receiving error messages from the code it wrote for you? Don't worry - it can fix those issues too! The presentation will walk attendees through prompt creation for two sample coding projects - both with offensive/defensive capabilities, tools that attendees would be able to use back on the job. And, with inspiration, go out and create their own tools!

Track 2
15:15
15:15
30min
Better, Not Best, Practices
Mackenize Morris

A common theme extracted from the lessons learned of consulting on ICS cybersecurity for dozens of organizations is that better practices beat best-practice recommendations on feasibility, cost, likelihood of implementation, and improvement in security posture. Year over year of recommending best practices is met with reevaluating unchanged environments, because lofty ambitions can lead to decision paralysis. This is a flaw in best practices: while they are theoretically the community-agreed baseline for security, they leave something to be desired in the roadmap of an organization’s maturity. We have tried to remedy this with maturity roadmaps like C2M2 or CMMC, but these too leave something to be desired, as they offer abstract qualifications about practices that can be self-diagnosed into a maturity class. In the meantime, all discrete and published security controls surround best-practice implementation. Instead, let's focus on the better practices. This talk showcases lessons learned from a few instances where a better practice relative to the current state was a superior recommendation to a more often quoted best practice.

Track 2
15:15
30min
Effective Enterprise Incident Response: Lessons from High-Profile Crises
Chase Hasbrouck

This presentation examines incident response strategies in enterprise environments, drawing insights from recent high-profile crises. We'll explore how the scale and complexity of large organizations influence their approach to managing and communicating during critical security events. Attendees will learn how to navigate the incident response process and gain valuable best practices applicable to enterprise-level security operations.

Track 1
15:15
30min
The Four Books that every cyber security expert should read
Barry J Hudson

Can you be a cyber security expert without knowing the fundamentals and history of cybersecurity?
What will be the next life changing event in Cybersecurity? Will you be able to help prevent it or will you be the one to help clean up afterwards?

The cyber wars started 50 years ago and who knows how it will end?
Have all the easy problems in Cyber been solved and the next generation will be faced with an onslaught of Unknown Unknowns?
Others faced the unknowns and they succeeded. Will you be ready?

These four non-technical books (plus a Bonus Pamphlet) might make you reconsider your heavy reliance on technology and recognize the basic principles employed by those that came before you and ponder the hypothesized future.

Bonus Pamphlet: NBS/ACM 1974 Executive Guide to Computer Security.
1. The Cuckoo's Egg. The true adventure of Cliff Stoll creating forensics and cybersecurity infrastructure on the fly and from scratch in the 1980s
2. The Hut Six Story: Breaking the Enigma Codes. What happened at Bletchley Park by one of the co-inventors of traffic analysis.
3. The Fifth Domain by Richard A. Clarke. An outline for how to defend our national infrastructure and online economy from an attack, written from the perspective of using military defense strategies.
4. One Second After. What the world might look like the first year after an attack on our national infrastructure and online economy.

Track 3
15:45
15:45
60min
Prevent Broken Detection with a Red Teamer Turned Detection (QA) Engineer
Ryan O'Horo

When you ship new detection, are you crossing your fingers in hopes you did everything correctly? When there is a subtle problem in your detection pipelines, will you learn about it before a major incident occurs?

A former Red Teamer tells the story of the years-long project undertaken to cut down on the amount of broken detection shipped by his Blue Team, and the career move that followed. Starting from the shared pain of seeing a Blue Team come up short in Red Team operations, to bringing highly integrated offensive engineering principles to Detection Engineering.

This talk walks through how to read intelligence reports critically, the process of building realistic adversary tests based on intelligence sources, establishing a test environment, collecting and analyzing test performance, automating retest activity to detect drift in the environment, and integrating this process into an end-to-end Test-Driven Detection workflow for your team.

This talk is most suitable for detection engineers, their leaders, and those who benefit from an elevated detection engineering practice.

Track 1
15:45
60min
Tales from Hunting in the Black Hat NOC
Dustin Lee

In the fast-paced and ever-evolving world of cybersecurity, staying ahead of threats requires cutting-edge tools and techniques, especially on the Black Hat conference network. The latest exploits and attacks are constantly present in this challenging and austere environment. Still, through real-world stories, we will explore the clever strategies and techniques used to uncover threats and secure the network against those sophisticated attacks. This presentation will describe using Zeek and Suricata, two leading open-source NDR tools, to defend the Black Hat network globally. It will also cover interesting findings, ideas, and methodologies used for threat hunting and discuss the open-source tools and technologies that power the network detection stack.

Track 2
15:45
60min
The call is coming from inside the house - how an identity attack led to a wild IoT chase
Robert Wilson, N’dia Thomas

Like most large organizations, the University of South Carolina is under constant attack from adversaries. In particular, universities deal with a lot of credential theft attacks that lead to internal phishing. Over the last year we've been tracking a threat actor whose TTPs include the use of residential proxies to bypass geography-based conditional access. Little did we know that one of our incidents would lead us to investigate a door controller on campus that participated in a proxy network for profit! We'll talk you through the threat actor tracking, the cat-and-mouse with the attackers, and the details of the IoT compromise. The talk touches on doing cloud-based forensics for identity, clustering threat actor techniques for tracking, and an IoT forensics case which had us "hacking" our own device.

Track 3