--[ Presentations

----[ Learning From the Mistakes of Others: Incident Response Edition

Presenter
$ getent passwd lpearson
.
├─── name: Luke Pearson
├──── org: Salesforce
└─ social:
   └─ linkedin: in/Luke-Pearson-infosec/
Experience

I'm passionate about digital forensics and incident response (DFIR) and helping others get better in the same. I've been a dedicated DFIR practitioner for the last 6 years, and have worked over 50 breach response engagements in that time. I have experience working with law enforcement, government, emergency services and military organisations doing incident response and training members of these organisations in the same.

Abstract

"... learning by the mistakes of others is a far simpler and less expensive process than making them all yourself." - American Machinist, 1920. Despite being over 100 years old, this quote is still relevant to businesses trying to maintain their security today. So let's learn from others' mistakes! Join me on a journey through the compromise of a fictitious company, from initial access all the way through to mission complete. We'll take stops along the way to zoom in on how the attacker did what they did, and discuss what the victim could have done to prevent these actions from being successful. We'll also talk about steps the victim could have taken to make their environment more “investigation ready”, and highlight that because these steps were not taken, the investigation was not conclusive. Being derived from real-world incident response engagements, you'll literally be learning from the mistakes of others. None of these recommendations are new or exciting, but it's my genuine hope that by showcasing them in the context of an active breach, their value will shine, and you'll take these lessons back to work and implement them tomorrow!

----[ Armchair Cyberwarriors: 6 Months of Cybercriminal and Hacktivist Activities Related to the Russian War in Ukraine

Presenter
$ getent passwd aleslie
.
├─ name: Alexander Leslie
└── org: Recorded Future
Experience

Alexander Leslie is an Associate Threat Intelligence Analyst with the Advanced Cybercrime & Engagements (ACE) Team at Recorded Future. He has a Master’s in Eurasian, Russian, & East European Studies from Georgetown University and a Bachelor’s in International Studies from American University. His research is focused on the intersection of geopolitics, public policy, and cybercrime in Eastern Europe. He is interested in the evolution of tools, targeting, and tactics, techniques, and procedures (TTPs) of Russian cybercriminal, hacktivist, and advanced persistent threat (APT) groups. He is also interested in the broader cybercriminal threat landscape and how cybercriminals adapt to law enforcement actions, geopolitical and economic crises, information operations (IOs), and more.

Abstract

From February 24, 2022 to August 24, 2022, Recorded Future observed the rise—and, in some cases, downfall—of over 250 cybercriminal and hacktivist groups that became indirectly involved in the Russian war in Ukraine. Following declarations of nation-state allegiance—which led to chaos in the cybercriminal underground—financially motivated, ego-driven, and patriotic hackers alike began to capitalize on geopolitical instability by exploiting individuals, entities, and critical infrastructure that they believed would advance their cause.

This talk will provide unique insights into major events that have shaped the evolution of cybercriminal threats since February 24, 2022. This talk will cover events such as the Conti and Trickbot leaks, seizures of Russian cybercriminal sources, major hacktivist campaigns—from threat actor groups such as IT Army of Ukraine, Killnet, Anonymous—and more. This talk will also discuss the role of plausible deniability in the Russian state’s relationship with cybercrime and how unspoken connections and unwritten rules have changed since the beginning of the war.

This talk will also examine transformative changes to the cybercriminal threat landscape, as a result of the war, and the implications for US law enforcement, foreign policy, and national security. We will discuss market disruptions to the malware-as-a-service (MaaS) industry and the use of commodity malware by Russian advanced persistent threat (APT) groups in Ukraine; changes to the dark web shop and marketplace ecosystem; the rise in payment card and financial fraud; ransomware groups targeting critical infrastructure, healthcare, and education; and other observations on database leaks, initial access brokers, and Russian state-sponsored information operations (IOs).

Following the daily monitoring of approximately 100 active cybercriminal groups—with varying ideologies, motivations, nation-state allegiances, and hacktivist alliances—1 million references in the Recorded Future Platform®, and regular threat actor engagements on dark web and special-access sources, this talk will document, summarize, and analyze the “armchair cyberwar” that took place over the first 6 months of the Russian war in Ukraine.

----[ PAI Operations: Everyone Can See What Lives Beyond Your Network Boundary

Presenter
$ getent passwd jdible
.
├─── name: Jared W. Dible
├──── org: Millennium Corporation
└─ social:
   └─ linkedin: in/jared-dible-691823160/
Experience

As the Senior Cyber Architect at Millennium Corporation, Jared is responsible for taking innovations across the company and making them a reality. Jared is a key leader in Millennium’s internal Research and Development efforts and oversees the Cyber Innovations Portfolio. Jared brings over 18 years of experience leading and executing highly technical services with a majority focus on systems engineering and cybersecurity inside the DoD.

Prior to joining the Millennium Team in 2016, Jared served in multiple Systems Engineer roles supporting intelligence systems for the US Air Force and US Navy. Jared also spent 6 years as a Cryptologic Technician in the US Navy before entering the civilian sector in 2007. Since joining Millennium as a Red Team Security Engineer, Jared has been instrumental in the planning and execution of countless cyber security assessments in support of Millennium’s customers as well as developing and implementing new corporate and customer cybersecurity capabilities.

Jared holds a Master’s Degree in Information Security from Friends University; a Bachelor’s Degree in Information Systems from Friends University; and he is a Certified Information Systems Security Professional (CISSP) and Offensive Security Certified Professional (OSCP).

Abstract

Open-Source Intelligence (OSINT) has been used for decades by the U.S. and adversaries alike to try and gain any information or competitive advantage. But with the explosion of work from home, bring your own device, advertisement data tracking, and cloud native platforms and data, the network perimeter has never been further away. Publicly Accessible Information (PAI) and commercially available data feeds are crucial in managing threats beyond the traditional security boundaries of any organization and the suppliers it depends upon to successfully execute their mission. PAI analysis is performed on data sets such as Internet netflow, Internet Domain Name System (DNS), Autonomous System Number (ASN), AdTech (geo-location, app usage, IP Address, and other metadata), and social messaging feeds without ever having to touch a target’s networks, systems, or users. This analysis can then be enriched with cyber threat intelligence or other data sources. For an organization’s security team, this analysis passively delivers visibility beyond their security boundaries, allowing for a broad compilation of use cases such as threat hunting and discovery, continuous monitoring, asset discovery, attack surface enrichment, and signature management. PAI can provide major impacts across Offensive and Defensive Cyber Operations, as well as Intel, Surveillance, Recon (ISR) and other DoD operations.

If an APT has gained initial access to a critical network inside an organization and successfully persisted, it likely means that they defeated both internal and perimeter security mechanisms to avoid detection. Before the adversary presence is ever known to the organization security team, the adversary must either trigger a defense mechanism with a future TTP in the attack chain or their 1st hop redirector must be flagged as malicious by a Cyber Threat Intelligence provider.

With PAI and commercially available data, analysts can work backwards starting at the attacker C2 server and analyze netflow traffic and DNS records across the various suspected redirectors, tunneled connections, and other obfuscated connections back to the target organization’s perimeter. The result of this analysis would be a tipper to the organization’s security team to guide internal investigations and incident response. Ultimately, this results in identification of a new IOC to be distributed to the organization and greater community for identification, remediation, and mitigation.

On the flip side, the same data sets and similar tactics can be employed for offensive purposes. A combination of netflow, DNS, AdTech, and social messaging can be analyzed to provide confidence in operational security of offensive TTPs and infrastructure. These data sets can also provide valuable insights and enrichment of a target attack surface. For both offensive use cases, it is important to realize that this analysis is performed on purely passive data sets, making this not only valuable intelligence but also an extremely stealthy means of enumeration, information gathering, and target development without ever touching a target network.

Millennium has spent the last 14 years supporting DoD Red Teams. This support and our desire to continually improve our customers' capabilities led to the innovative and enhanced usage of PAI.

----[ Ransomware: Brokering Initial Access

Presenters
$ getent passwd
.
├── names:
│   ├─ Trevor Hilligoss
│   └──────── CW Walker
├──── org: SpyCloud
└─ social:
   ├─ linkedin: in/thilligoss/
   └─ linkedin: in/cwrwalker/
Experience

Trevor is an Army veteran and former Special Agent with the US Army's Criminal Investigation Division, Cyber Directorate, and spent several years working on an FBI Cyber Task Force focused on investigations into commodity malware, before departing government service to focus on cybersecurity research. Trevor enjoys creating overcomplicated Python scripts whose only purpose is to languish in GitHub repositories and woodworking while not researching bad actors on the internet.

CW began his career in the Federal Bureau of Investigation before becoming a Cyber Threat Intelligence Analyst in the private sector. CW has supported investigations ranging from Human Trafficking to Eurasian Cyber Counterintelligence both inside and outside of the FBI. When CW isn't trying to strip criminals of their anonymity, he can be found trying to automate his life and hanging out with his toddlers.

Abstract

With 68% of organizations hit by ransomware last year, organizations feel less confident than ever about their preventative measures. The SpyCloud Ransomware Defense Report launched in September, where infosec leaders told us the impact of ransomware to their enterprise and explored the gaps in their defenses and plans to shore them up. One of their biggest blind spots? Credential-siphoning malware on unmonitored devices. We’ll explore the implications of this plus additional findings, including how adversaries are exploiting vulnerable services and even bypassing multi-factor authentication using data stolen by commodity malware sold for as little as $100 a month.

----[ Breaking GraphQL

Presenter
$ getent passwd gsmith
.
├─── name: Grant Smith
├──── org: Virginia Tech AROTC
└─ social:
   └─ twitter: @S1n1st3rSecuri1
Experience

Grant is a current senior at Virginia Tech studying cybersecurity management. He has interned with Army Cyber Command, the Naval Postgraduate School, and the Walt Disney Company during which he has worked in exploit development, red teaming, and threat analysis. Grant specializes in web application testing and is the creator of the popular GraphQL assessment tool Graph Crawler.

Abstract

GraphQL is steadily growing in usage and is showing no sign of stopping. It is a very powerful API and with great power comes great responsibility to abuse it. That's where we step in. In this presentation we will cover what GraphQL is, how it's used, how to get as much data from it as possible, and how to use that data against the endpoint. We will focus on how to attack it as a pentester, but knowing these security misconfigurations and how easily they can be abused is helpful for everyone.

----[ Covertly Infiltrating and Monitoring C&C Servers

Presenter
$ getent passwd jfuller
.
├─ name: Jonathan D. Fuller
└── org: Army Cyber Institute
Experience

Jonathan Fuller is a Major in the United States Army and a research scientist for the Army Cyber Institute in the Electrical Engineering and Computer Science Department at the United States Military Academy. He has graduate degrees in Computer Science and Electrical/Computer Engineering. His research interests are cyber attack forensics, IoT security, and malware analysis. His current focus is to combine advanced program analysis techniques to explore malware and identify logic that can be reused for botnet counteraction.

Abstract

Current techniques to monitor botnets towards disruption or takedown are likely to result in inaccurate data gathered about the botnet or be detected by C&C orchestrators. Seeking a covert and scalable solution, we look to an evolving pattern in modern malware that integrates standardized over-permissioned protocols, exposing privileged access to C&C servers. We implement techniques to detect and exploit these protocols from over-permissioned bots toward covert C&C server monitoring. Our empirical study of 200k malware captured since 2006 revealed 62,202 over-permissioned bots (nearly 1 in 3) and 443,905 C&C monitoring capabilities, with a steady increase of over-permissioned protocol use over the last 15 years. Due to their ubiquity, we conclude that even though over-permissioned protocols allow for C&C server infiltration, their efficiency and ease of use continue to make them prevalent in the malware operational landscape. This paper presents C3PO, a pipeline that enables our study and empowers incident responders to automatically identify over-permissioned protocols, infiltration vectors to spoof bot-to-C&C communication, and C&C monitoring capabilities that guide covert monitoring post infiltration. Our findings suggest the over-permissioned protocol weakness provides a scalable approach to covertly monitor C&C servers, which is a fundamental enabler of botnet disruptions and takedowns.

----[ The Sliver Lining: Understanding the C2 Framework for Blue Team

Presenter
$ getent passwd tba
.
└─ name: TBA
Abstract

Blue Teamers must be aware of emerging tools and trends in order to rapidly detect malicious activity within the network. C2 frameworks provide adversaries additional capabilities to extend their reach and maintain persistence within the environment. Sliver has emerged in the last two years as an alternative C2 framework to Cobalt Strike, which APT29 has adopted in current operations. Currently, detecting Sliver remains difficult as it is a relatively new framework being adopted, and it was built to evade current detection methods. We will discuss an overview of Golang, the capabilities of Sliver, and detecting implant network traffic.

----[ Threat Modeling Internet Censorship: Towards Evaluation of Managed Attribution Software

Presenter
$ getent passwd amaster
.
├─── name: Alexander Master
├──── org: Purdue University
└─ social:
   └─ github: smolbytes
Experience

Alex Master is currently a Security Researcher and PhD Candidate at Purdue University. He has been an Army Cyber Officer for 7+ years. Alex is a former CNMF member, involved in both offensive and defensive cyberspace operations. His current research involves evaluating anti-censorship software and Internet privacy from an interdisciplinary perspective.

Abstract

Nation-states impose various levels of censorship on their Internet communications. Given concerns of Internet censorship and surveillance, software developers have created tools designed to circumvent censorship in places where it exists – enabling free communication and open access to information. This presentation will showcase ongoing research directed at characterizing threats to Internet communications, modeling censor activity based on Internet measurement data and academic literature. This research aims to inform and enable future evaluation studies on effectiveness of currently available anti-censorship technologies.

----[ Quantum Encryption in a Classical Internet

Presenter
$ getent passwd hbonds
.
├─ name: Hamilton T. Bonds
└── org: 2d Battalion, 1st IO Command (L)
Experience

Born and raised in Inman, SC and graduated from the United States Military Academy in 2017. BS Physics with Cybersecurity minor, conducted research with quantum encryption. Serves as the Development Operations (DevOps) Team Lead, which is responsible for researching and developing new capabilities for the Army Red Team to emulate real-world adversaries on the DoD Information Network (DODIN). Five years as a Cyber Officer, 2 years providing cyber all-source analysis to Information Operations planners and Combatant Commands, 2 years serving actively as a capabilities developer. Computing languages: Python, C, ECMA. Spoken languages: Russian, Ukrainian.

Abstract

This presentation examines the importance, reliability, and feasibility of quantum encryption implementation for data in motion (DIM) in comparison to its classical counterparts. Quantum encryption devices are commercially available, affordable, effective, and compatible with classical internet systems. Such devices implement algorithms that are theoretically impervious to tampering and unauthorized decryption, harnessing properties of quantum mechanics to detect eavesdroppers and renegotiate private keys. The advent of "quantum-resistant cryptography" catalyzed the development of encryption algorithms that are intended to resist or negate the power of quantum computing, but this presentation argues that quantum key distribution (QKD) is a more technically sound solution.

Combining QKD research and real-world implementation, this presentation demonstrates the exact methods that quantum encryption devices use to protect data and illustrates the practicality of installing and operating quantum encryption devices. It stipulates that, in order to ensure all systems transmitting sensitive data are adequately prepared for future encryption-defeating capabilities and eavesdropping threats, organizations must include quantum encryption devices in their networks. Additionally, implementing QKD implies that cyberspace defenders must train to understand and operate quantum encryption devices.

----[ TBA

Presenter
$ getent passwd hzxf
.
└─ name: hzxf
Abstract

Reverse engineering RF signals can be a daunting task, but building intuition on the approach to solving the problem helps. Many sites and tweets show how to capture and replay raw signals, and some even show the resulting 0s and 1s. What we often don't get to see is a process for getting from RF energy to interpretable data. In this talk, we'll see a way to reverse engineer Tesla's charge port remote control signal.

----[ Post-quantum Cryptography and U.S. Government Activities

Presenter
$ getent passwd scrislip
.
├─ name: Samuel Crislip
└── org: 782d Military Intelligence Battalion
Experience

CSM Samuel Crislip currently serves as the Battalion Command Sergeant Major for the 782D Military Intelligence Battalion (Cyber). He holds a bachelor's in Computer Information Technology from the University of Maryland Global Campus and a master's in Science and Technology Intelligence from the National Intelligence University. He has worked at the Army Cyber Institute at West Point and served as an Associate Instructor at the United States Military Academy, teaching Cyber Policy, Strategy, and Operations. He has published work on the Quantum Internet with Dr. Lubjana Beshaj and has also collaborated with her on DNA Computing. They are currently working on research in Post-Quantum Computing and other future technology concepts.

Abstract

The National Institute of Standards and Technology (NIST) is running a standardization program for post-quantum cryptography to address the threat arising from future quantum computers capable of breaking our current cryptosystems. The speaker will address the underlying problems at a high level from a government perspective as well as discussing the current activities of the U.S. government (USG). The problem of downloading now, decrypting later (DNDL) will be discussed from the national security point of view, along with the challenges that the USG is going to face in the upcoming years as we see progress in building cryptographically relevant quantum computers.

----[ Cyber Threat Intelligence on the Deep and Dark Web

Presenter
$ getent passwd abritt
.
├─── name: Allen Britt
├──── org: Bluestone Analytics
└─ social:
   └─ linkedin: company/bluestone-analytics/
Experience

Allen Britt is a decorated veteran who has been expertly trained in multiple disciplines of cybersecurity, computer science, and electrical and mechanical engineering. His diverse background has afforded him opportunities to work within some unique areas within various government customers. He currently works as a Sales Engineer for a Dark Web Intelligence company, connecting customer needs with expertly engineered solutions.

Abstract

The websites you visit every day represent just a small fraction of the whole Internet. Beyond this “surface web” is the Deep Web, and within the Deep Web is the Dark Web. The presentation will show examples of indications and warnings of APT campaigns and a wide range of nefarious activities on the Deep Web and Dark Web, including malware trafficking, credentials dumps, hackers for hire, and cyberattacks-as-a-service ecosystems that outmaneuver security defenses.

During a live demonstration, analysts will provide rare insights into threat actors on chans and forums and will explain the basics of dark nets, their associated technologies, and defining characteristics. The presenters will also guide participants through examples of APT campaign indications and warnings. The session will wrap with highlights on the value of building a data repository and staying agile within this complex environment by leveraging collection and exploitation capabilities that continuously evolve.

Published data on the Deep Web and Dark Web is invaluable; unfortunately, it is often overlooked due to a lack of tradecraft for persistent collection or expertise in accessing it safely and securely. For many agencies and organizations, it means missed opportunities to detect and predict cyberattacks from intelligence that simply can't be found anywhere else.

----[ Brighten up the Ideal Sky: An Inside View of CharmingKitten's Holistic Support to IRGC Operations

Presenter
$ getent passwd jmiller
.
├─── name: Joshua M. Miller
├──── org: 75th Innovation Command (USAR)
└─ social:
   └─ twitter: @chicagocyber
Experience

Joshua Miller is a Senior Threat Researcher in Proofpoint’s Threat Research team, where he tracks and investigates state-aligned threats across the globe, with a focus in actors originating from the Middle East & North Africa.

Previously, Joshua has held threat intelligence positions across both private industry and the intelligence community, including time as a cyber analyst with the Federal Bureau of Investigation.

He’s also a Military Intelligence officer in the Army Reserve, an international conference speaker, and currently holds an M.S. in Information Security (Lewis University), a BA in Political Science (Wheaton College), CISSP, and GCTI. He can be found on Twitter at @chicagocyber.

Abstract

In 2022, the Islamic Revolutionary Guard Corps (IRGC) has reportedly increased planned kinetic operations against US & Israeli officials along with Iranian dissidents. In this increasingly hostile operating environment, what support has TA453/CharmingKitten/PHOSPHORUS provided? We’ll use sensitive collection from adversary infrastructure along with Proofpoint telemetry to better understand TA453 and delve into this question.

We will first examine some of the different techniques TA453 utilizes to engage their targets with spear phishing. Having established the baseline of typical TA453 activity, we can then look at outliers, both in targeting and techniques used. These anomalies, where TA453 deviates from their typical tactics to increase their odds of success, give us insight into how they approach particularly high value targets.

Once we understand how TA453 is collecting information, we’ll combine Proofpoint telemetry with data from TA453’s own collection to categorize and analyze TA453’s targeting. This will allow us to identify their priorities and strengthen our attribution with how they align with the IRGC IO’s intelligence requirements.

We’ll conclude by looking at evidence suggesting TA453 provides holistic support to IRGC operations including physical surveillance, intimidation operations and possible assassination plots.

----[ Cyber Domain Dominance: Who Has It, How to Get It and How To Keep It

Presenter
$ getent passwd glane
.
├─── name: Gentry Lane
└─ social:
   ├─ linkedin: in/gentrylane/
   └── twitter: @BadassDoGooder
Experience

Gentry Lane is the CEO & Founder of ANOVA Intelligence, a venture-backed cyber national security software company that serves American critical infrastructure companies. She holds a DoD-appointed position to the NATO Science & Technology Organization tech panel on the cyber defense of military systems, is a senior fellow at the Potomac Institute for Policy Studies and a fellow at the National Security Institute at George Mason University.

Ms. Lane is a senior software executive and statistician. She worked with Oak Ridge National Laboratory’s computational security department to develop and commercialize groundbreaking discoveries in the fields of computational anomaly detection and memory forensics. Ms. Lane is a frequent speaker on cyber national security, an internationally recognized subject matter expert on cyberconflict strategy, and she advises members of Congress, NATO and U.S. defense and intelligence leaders. A scholar of military strategy, she believes deterrence in the cyber domain is essential for the preservation of liberal democracies and a free, open, interoperable internet.

A staunch STEMinist, Ms. Lane mentors young women interested in technology with national security applications and is a board advisor to deep tech startups. She is bilingual (English & French).

Abstract

Contrary to the consensus view, the major threat actors view the optimal use of offensive cyber effects not as a digital version of a precision-targeted kinetic effect, but as a shaping tactic to systematically erode the weight-bearing pillars of critical institutions so that the US is either too weak or too distracted to contest their ascent in the global world order. My theory posits that adversaries leverage cyber power in salami tactics to both avoid the appearance of a trigger event and to effectuate nearly imperceptible, incremental incapacitation of the US's ability to project power and maintain domestic stability.

If this is true, our triage-prioritized counter response is wrong. While the US is preparing for a Cyber Pearl Harbor that will never come, the major threat actors are achieving mission success in a death by 1000 papercuts strategy.

In this talk, I will show that the current condition is not sustainable, propose a viable coercion strategy to counter adversaries, and talk about the optimal outcome of this new strategy. Drawing from historic precedent from the advent of air power, I will show how to adapt and operationalize military strategy from traditional theatres into the cyber domain.

----[ Kinetic Cyber Effects for the Win

Presenter
$ getent passwd brhodes
.
├─── name: Brad Rhodes
├──── org: 76th ORC, USAR
└─ social:
   └─ linkedin: in/brad-rhodes-1951ba7/
Experience

Brad Rhodes, Senior Manager at Accenture Federal Services in Denver, CO, holds numerous professional certifications and has 25+ years of experience in the military, government, and private sectors. Brad is a Veteran who continues to serve in the US Army Reserve as the G6/Chief Information Officer for the 76th Operational Response Command, delivering communications for the Nation’s CBRNE response mission. Brad's major research includes utilizing Open Source capabilities to help organizations close security gaps, characterize their cyber operating environments, and gain visibility into stacks of data. He's been known to drown Lego people illustrating the reality of cyber effects.

Abstract

Despite the impact of cyber vulnerabilities, exploits, and attacks on a global scale, it is still challenging for operators to convince leadership of the need to invest in the training and technologies to stay ahead of increasingly sophisticated threat actors. This is because leaders cannot actually "see" the results of a cyber-attack firsthand. This is where simple kinetic cyber effects demonstrations come into play, providing a display of effects in the real world that leaders can actually see and touch. While only a simulation of attacks, the tangible aspects of the kinetic effects can deliver the "ah ha" moment leaders need to understand why cyber operations deserve their focus.

The presentation provides an example of a working kinetic cyber demonstration capability, along with an overview of the design methodology using inexpensive and open source tools. The presentation takes the audience through the story leading up to a cyber attack (pulled from the headlines) with kinetic effects. Finally, the cyber attack is demonstrated from beginning to end, with the kinetic effects realized ultimately helping leaders grasp the potential impacts that threat actors can deliver in and through cyberspace.

----[ Why Won't U Boot?

Presenter
$ getent passwd rgreer
.
├─ name: Ryan Greer
└── org: REDLattice
Experience

Ryan is a security researcher at REDLattice in Virginia. Prior to this he was a Captain in the US Army at the 781st MI BN. His research interests are in embedded device security and modern vulnerability analysis.

Abstract

Working with embedded Linux devices can be intimidating. Flash, serial, bootloaders, kernels, firmware... it all sounds very complicated. So complicated, in fact, that it can be difficult to know exactly what will break things. Sometimes, attempting to patch a firmware upgrade results in a "soft-brick" which is a device that won't boot due to a problem with the software. Other times, it is simply necessary to run firmware other than what was intended by the manufacturer. Understanding the boot process and relevant components is critical to solving these problems and many others.

The purpose of this talk is to discuss these topics and demonstrate that they aren't that complicated after all. This talk will cover a common open-source embedded bootloader, U-Boot, and common firmware-related activities such as extraction, flashing, and modification that can be accomplished through U-Boot. Attendees can expect to leave with a better understanding of embedded Linux boot processes and the confidence to tackle this type of challenge in the future.

----[ Future Army Security Capabilities From the Cyber Security Collaborative Research Alliance

Presenter
$ getent passwd tjaeger
.
├─ name: Trent Jaeger
└── org: Penn State University
Experience

Prof. Jaeger is a professor of Computer Science and Engineering at Penn State University and Consortium Lead for the Army Research Laboratory's Cyber Security Collaborative Research Alliance. He has over 25 years of experience in researching cybersecurity problems in software, networks, and operating systems. In particular, he has made a variety of contributions to the Linux kernel, including to the Linux Security Modules framework, SELinux, and the Linux Integrity Measurement Architecture. He worked for IBM Research for nine years prior to joining Penn State in 2005.

Abstract

In this talk, we will examine the future Army security capabilities under development in the Cyber Security Collaborative Research Alliance (CSec CRA). This project focuses on three major research areas: Detection, Agility, and Learning for Deception. In this talk, we will discuss key research results in each area and how they could impact the Army's future security capabilities. For example, we will discuss the development of Adversarial Machine Learning techniques that originated in the CSec CRA project, and how they impact the development of robust ML techniques. In addition, we will describe recent work that applies attack graphs more broadly to improve defenses, guide detection, and leverage agility systematically.

----[ The Future of Defensive Cyber Operations

Presenters
$ getent passwd
.
├─ names:
│  ├─── John Black
│  ├─ Henry Coller
│  ├─── Chris Wild
│  └─ David Vaughn
└── org: Army Reserve Cyber Protection Brigade (ARCPB)
Experience

CW2 John Black is a Cyber Warfare Technician, currently assigned to the 75th Innovation Command in its Cyber and Electromagnetic Activities (CEMA) team. He has a varied background in multiple military specialties and an industry career in cybersecurity technology, red team, cyber threat intelligence, and data analytics.

Abstract

Operating in the cyber environment of the future will require significant evolution of current practice. The computer network environment that was once more static, homogeneous, and manageable as separate enclaves continues to be transformed by widespread virtualization, migration to cloud services, the rise of mobility, and the explosion in the number and variety of connected cyber-physical systems from the enterprise to the battlefield. Threats are becoming more sophisticated, automated, and adaptive to defeat defenses. Defending cyberspace will depend, in part, on successful cyber operations. Drawing on their military background and civilian industry experience, a panel of Cyber Warfare Technicians from Army Reserve Cyber Protection Brigade will lead a discussion of the rapidly changing environment and threats and how defensive cyber operations (DCO) will need to evolve to keep up with these changes.

Panelists will present three subtopics to open discussion and questions from the panel and from the audience.

  • The future of DCO is AI (through automation and machine learning).

  • The future of DCO is IoT (including the tactical internet of battlefield things or IoBT).

  • The future of DCO is OCO (hunting forward and adopting an attacker's mindset to "shift left" of the attack).

The Future of Defensive Cyber Operations (FDCO) is a research project that originated from within Army Reserve Cyber Protection Brigade (ARCPB) as a catalyst for cyber workforce development and the continuing evolution of tactics, techniques, and procedures in DCO.

----[ Semantic Hypergraphs May Win the Next War

Presenter
$ getent passwd bgonzalez
.
├─ name: Brandon Gonzalez
└── org: Cyber Protection Team 185 (USAR)
Experience

Brandon began his journey on the internet at 9600 baud and installed Linux the old fashioned way by compiling his own kernel. Since then, he has been bridging the gap wherever possible between mathematics, computer science and machine learning. His professional experience includes leading a startup of 40 engineers as a CTO and founding a consulting firm that specializes in high performance computing and financial forecasting. He currently works for Amazon Web Services (AWS) as a Solutions Architect supporting Army Intelligence and serves as an Operations Officer in Cyber Protection Team 185 (USAR). He holds a B.S. in Applied Mathematics and Engineering from the University of Colorado and an M.S. in Computer Science from Johns Hopkins University.

Abstract

What does an investment by a Chinese firm in a Georgia company have to do with keeping troops on the ground in Syria safe? How can we attribute exploits to the same advanced persistent threat based on timestamp ordering alone? The hypergraph can reveal how. In cybersecurity, intelligence collection and general computing, we have been stuck relying on the simple keyword string match. Users must be precise in the search term or miss out on critical matching and subsequent alerting. Even after a match is found, relationships and connections must be imputed by human or a database pivot. We present a novel way to encode information semantically - leveraging natural language processing, graph databases and vector search engines. The result is faster, more relevant, and rich search returns which can provide new insights not observed by keyword search or regular expressions. The model trains a knowledge graph and then leverages graph theory and network analysis to analyze subsequent text and compare that to entities and relationships of interest. The results are visual and semantic which can be presented to a human analyst or an automatic alerting system to take follow-on actions. This approach can benefit cybersecurity, intelligence, warfighting, and planning in both storing and recalling information.

----[ Talent Management in a Competitive World

Presenter
$ getent passwd ifrist
.
├─── name: Ian S. Frist
├──── org: West Virginia Army National Guard
└─ social:
   └─ linkedin: in/ian-frist-ms-cybersecurity-cissp-cmmc-pa-pi-3028a9181/
Experience

SSG Ian Frist is an experienced civilian cyber security professional who serves as a medic in the West Virginia Army National Guard, with 14 years in service; he also holds the 25D MOS. He holds an MS in Cybersecurity, the CISSP, CMMC-PA and CMMC-PI, as well as numerous other industry certifications.

Abstract

The Army has a cyber talent management problem. If the Army wants to recruit and retain the best cybersecurity talent, it cannot compete directly with the civilian cybersecurity industry. Instead, the Army needs to think outside the box to ensure that it stays competitive within the cybersecurity space. SSG Ian Frist, a traditional National Guardsman, will discuss his journey through the Army Cyber/Signal branches, how he believes the Army can better manage talent in the cyber workforce, and the unique place the Guard and Reserve Components have in solving that problem.

----[ Creating a Custom Machine Learning Object Detection Model with YOLOv5

Presenter
$ getent passwd jgraham
.
├─ name: Jack M. Graham
└── org: CSD-M Data Science Crew
Experience

Graduated USMA '16 with a B.S. in Computer Science, then attended Dartmouth '18 for a M.S. in Computer Science, because I loved it so much the first time! Upon reaching Fort Gordon, I had the awesome opportunity of working with Defense Digital Service as tech lead for a team of mixed silicon valley and military talent developing a mobile biometrics app. Currently very excited to be with CSD-Maryland and the Data Science Crew.

Abstract

We will walk through all the steps of creating a brand new Object Detection model using the popular YOLOv5 algorithm. This includes framing the scope of an Object Detection problem, building a dataset for training (with a few demonstrated best practices), model training, and finally model deployment. We will do all this while showing an end to end example to make the process tangible and easy to follow.
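
Added example, not the speaker's code: the dataset-building step is where most object detection projects go wrong, so the helpers below cover the parts of it that are pure bookkeeping for YOLOv5. They convert pixel boxes to the YOLO label format (one text file per image, each line "class x_center y_center width height" normalized to [0, 1]), validate a label file the way training would choke on it, assign images to train/val deterministically from a hash of the file name so the split is stable and an image never leaks into both sets, and emit the data description file that train.py consumes. The "_aug" naming convention for augmented copies and all sample boxes are constructed for the example.

```python
"""Helpers for building a YOLOv5-format dataset: label conversion, validation, split."""
import hashlib


def xyxy_to_yolo(box, img_w, img_h):
    """Pixel (x1, y1, x2, y2) -> normalized (xc, yc, w, h); clips to the image, drops empty boxes."""
    x1, y1, x2, y2 = box
    x1, x2 = max(0, min(x1, x2)), min(img_w, max(x1, x2))
    y1, y2 = max(0, min(y1, y2)), min(img_h, max(y1, y2))
    w, h = x2 - x1, y2 - y1
    if w <= 0 or h <= 0:
        return None
    return ((x1 + x2) / 2 / img_w, (y1 + y2) / 2 / img_h, w / img_w, h / img_h)


def label_lines(annotations, img_w, img_h):
    """annotations: [(class_id, (x1, y1, x2, y2)), ...] in pixels -> text of the .txt label file."""
    lines = []
    for cls, box in annotations:
        yb = xyxy_to_yolo(box, img_w, img_h)
        if yb is not None:
            lines.append(f"{cls} " + " ".join(f"{v:.6f}" for v in yb))
    return "".join(line + "\n" for line in lines)


def check_label_text(text, nc):
    """Return (line_no, problem) for lines training would reject or that indicate bad labels."""
    problems = []
    for i, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            problems.append((i, "expected 5 fields"))
            continue
        cls, vals = int(parts[0]), [float(p) for p in parts[1:]]
        if not 0 <= cls < nc:
            problems.append((i, f"class {cls} out of range 0..{nc - 1}"))
        if any(not 0.0 <= v <= 1.0 for v in vals):
            problems.append((i, "coordinate outside [0, 1]"))
        if vals[2] <= 0 or vals[3] <= 0:
            problems.append((i, "zero-area box"))
    return problems


def assign_split(image_name, val_frac=0.2):
    """Deterministic train/val choice from a hash of the file name: stable across re-runs, and an
    image and its augmented copies (constructed '_augN' suffix convention) never land in both sets."""
    stem = image_name.rsplit(".", 1)[0].split("_aug")[0]
    h = int(hashlib.sha256(stem.encode()).hexdigest()[:8], 16) / 0xFFFFFFFF
    return "val" if h < val_frac else "train"


def data_yaml(root, names):
    """The dataset description file YOLOv5's train.py takes via --data."""
    return (f"path: {root}\ntrain: images/train\nval: images/val\n"
            f"nc: {len(names)}\nnames: {list(names)}\n")


if __name__ == "__main__":
    # constructed sample: one 640x480 image with one good box and one degenerate box
    print(label_lines([(0, (10, 20, 110, 220)), (1, (50, 50, 50, 80))], 640, 480), end="")
    print(check_label_text("0 0.5 0.5 0 0.1\n3 0.5 0.5 0.1 0.1\n", nc=2))
    print(assign_split("img_0001.jpg"), assign_split("img_0001_aug2.jpg"))
    print(data_yaml("/data/helmets", ["helmet", "no_helmet"]), end="")
```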

----[ Hacking DevOps

Presenter
$ getent passwd pmarlow
.
├─── name: Phillip Marlow
├──── org: MITRE
└─ social:
   ├─ linkedin: in/phillipmarlow/
   └── twitter: @wolramp
Experience

Phillip Marlow is DevOps engineer and Security Expert (GSE #263). Through his role at MITRE, he helps government organizations design for modern, secure software systems by understanding how DevOps practices can be adopted to increase their security, not just their delivery speed. Phillip holds several security, cloud, and agile certifications as well as a Master’s Degree in Information Security Engineering from SANS Technology Institute.

Abstract

Incidents like the SolarWinds compromise show the extreme impact that a compromise of the software supply chain can have. DevOps pipelines often sit right at the heart of modern software supply chains. Used by development teams to increase the quality of their software and speed of delivery, these pipelines are also target-rich environments for attack. Additionally, they are often not as well protected as other software services. This talk will highlight common DevOps misconfigurations and how they can be leveraged by an attacker to escalate privileges, move laterally to other targets, and even perform supply chain compromises. Each example will also cover how to protect and defend against such an attack, and even how to use DevSecOps principles to protect the pipelines themselves.
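
Added example, not from the talk: a small line-based scanner for the GitHub Actions misconfigurations that most often turn a pipeline into the attacker's foothold. It flags actions referenced by a mutable tag or branch instead of a commit SHA (a moved tag becomes a supply chain compromise of every consumer), a workflow triggered by pull_request_target that checks out the pull request head and runs it (the PR author's code then executes with the repository's secrets and a write-capable GITHUB_TOKEN, the "pwn request" pattern), untrusted event data such as a PR title interpolated directly into a run step (shell injection), and a missing permissions block (the token falls back to the repository default scope). Both workflow files are constructed for the example, and the 40-hex SHA in the hardened version is a placeholder, not a real release commit.

```python
"""Line-based scanner for common GitHub Actions workflow misconfigurations."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PR_HEAD_REF_RE = re.compile(r"^\s*ref:\s*.*github\.event\.pull_request\.head\.(sha|ref)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
# attacker-controlled event fields that must never be expanded inside a shell step
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.[a-z_.]*"
    r"(title|body|message|\.ref|label\.name|user\.login|head\.ref|author\.(name|email)))")


def scan_workflow(text):
    """Return (line, code, detail) findings for one workflow file."""
    findings = []
    # pull_request_target runs in the base repo context, with secrets and a write token
    pr_target = "pull_request_target" in text
    run_indent = None   # indentation of the current `run: |` block, if inside one
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).rsplit("@", 1)[1] if "@" in m.group(1) else ""
            if not SHA_RE.match(ref):
                findings.append((n, "UNPINNED_ACTION", m.group(1)))
        if pr_target and PR_HEAD_REF_RE.match(line):
            findings.append((n, "PWN_REQUEST", stripped))
        m = RUN_RE.match(line)
        if m:
            in_run = True
            block = m.group(2).strip() in ("", "|", "|-", "|+", ">", ">-")
            run_indent = len(m.group(1)) if block else None
        else:
            in_run = run_indent is not None and indent > run_indent
            if not in_run:
                run_indent = None
        if in_run and UNTRUSTED_RE.search(line):
            findings.append((n, "SCRIPT_INJECTION", stripped))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "NO_PERMISSIONS", "GITHUB_TOKEN falls back to the repository default scope"))
    return findings


# constructed workflow with the four problems above
BAD_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # runs the PR author's code...
      - run: echo "Building ${{ github.event.pull_request.title }}"
      - run: npm ci && npm test                           # ...with the repo's secrets
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# constructed hardened version: pull_request (no secrets for forks), SHA pin (placeholder
# value), least-privilege token, untrusted data passed through an environment variable
GOOD_WORKFLOW = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678
      - run: npm ci && npm test
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for f in scan_workflow(BAD_WORKFLOW):
        print("%3d %-17s %s" % f)
    print("hardened:", scan_workflow(GOOD_WORKFLOW))
```

A text scanner like this belongs in the pipeline that lints the pipeline: run it as a required check on every change to .github/workflows, with the findings blocking merge, so the configuration that guards the build gets the same review as the code it builds.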

----[ Joint Services Talent Recruitment

Presenters
$ getent passwd
.
├── names:
│   ├────── Brandon Cea
│   └─ Gabriel Menchaca
├──── org: Cyber Training Battalion
└─ social:
   └─ linkedin: in/gabe-m-5b8154134/
Experience

2LT Brandon Cea. Cyber and Electronic Warfare Officer currently in BOLC. Commissioned from USMA in '21. Interned for the Asymmetric Warfare Group and has advised projects for the DARPA/GE Measuring Biological Aptitude Program, the Microsoft/PEO Integrated Visual Augmentation System/Squad Immersive Virtual Trainer, the ONR Squad With Autonomous Teammates Competition, and the DARPA Squad X Program. At USMA, he founded the Space Engineering and Applied Research Program. While there, he built and launched hypersonic rockets exceeding Mach 5.5 and altitudes of 90 km. Published findings in AIAA. He is currently working on an integrated high-altitude balloon and hypersonic missile mesh network.

2LT Gabriel Menchaca. Cyber and Electronic Warfare Officer currently in BOLC. Commissioned from Ole Miss '22. Graduate of the Chinese Language Flagship Capstone Program at the Defense Language Institute. Cumulative seven months spent living in China. 3/3/3 Mandarin. Published thesis on AI/ML and China. Presented a paper, in Chinese, to all DLIFLC faculty and students on Chinese and Taiwanese views on facial recognition.

Abstract

This research seeks to identify emerging trends, pinpoint challenges, and gain data-driven insights into the forces shaping the technical talent pipeline of national defense in the United States. Our research focused on the United States Army, which has one of the country's largest concentrations of engineers and technicians. The rapid advance of Artificial Intelligence / Machine Learning, Quantum Computing, and Hypersonic Weapons has disrupted traditional approaches to national defense and policy. It is dramatically reshaping the technical talent landscape. Simultaneously, generational transition and foreign entities are forcing significant cultural changes. Individuals and organizations must hone 21st-century skill sets to dominate the modern battlespace. The technical talent pipeline is failing to provide sufficient quantities of leaders and calls for a stepping up of technical reskilling. In terms of stepping up to meet the foreign and domestic challenges of the 21st century, four themes have emerged:

  1. Individuals must comprehend the current state of global competition and understand their individual and group responsibilities within that space.

  2. Teams must be specialized while retaining the flexibility to create 'good enough' outcomes in multiple domains.

  3. Companies must be incentivized through a call to action to take calculated risks and be on the creative bleeding edge of building and training this '21st-century skillset'.

  4. The need for accelerated education development reform must manifest itself in giving younger generations more opportunities to contribute to the United States.

An empirical investigation focused on the United States Army was conducted with the support of national industry, educational institutions, and government agencies. Three critical segments of national defense were interviewed relative to the talent pipeline: 1) participants, 2) builders, and 3) influencers. Based on responses to a series of questions using the DOTMLPF-P framework, this research presents an overview of some proofs-of-concept that could contribute to building out the generational technical talent pipeline if adequately scaled. Our research also explored individual motives and behavioral styles. These findings provide valuable insights into what educators, industry, and policymakers should address to upgrade the technical talent pipeline in the age of disruptive technologies to protect and ensure the United States' global leadership position.

----[ Protect Yourself from Gamer Input II

Presenter
$ getent passwd rguiler
.
├─ name: Rob Guiler
└── org: USAF
Experience

Rob is a USAF Captain who has 9 years of experience with Cyber Mission Force. He has presented talks at ShowMeCon and AvengerCon 2021. He is currently scheduled to separate from the Air Force in January of 2023.

Abstract

At AvengerCon VI, I presented PYFGI, which provided an overview of different, unique methods to gain control of retro gaming consoles through the games themselves using only controller inputs. Part 2 of this talk focuses on answering the most popular question: "How do they find these bugs?". This talk will present numerous methodologies on how hackers test gaming systems, from SNES to PC, for exploits. Want to know how to trick Zelda into giving you an infinite sword? How about how hackers find ways to duplicate items on PC games? You will be surprised how easy it is to find ways to exploit games after this talk.

----[ MFA Is Not Enough!

Presenter
$ getent passwd dsmilyanets
.
├─── name: Dmitry Smilyanets
├──── org: Recorded Future
└─ social:
   └─ twitter: @ddd1ms
Experience

Mission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of experience and expertise in cybercrime activity that includes being a former member of an elite Russian-based hacking organization. Currently, as a principal product manager, Dmitry is building the Recorded Future Identity Intelligence module that addresses the account takeover threat.

Abstract

Many organizations rely on multi-factor authentication (MFA) for identity security. But, while MFA provides an extra layer of security, it’s not enough to secure credentials, often creating a false sense of security.

As an example, the cybercriminal group Lapsus$ appeared on the FBI's most-wanted list in March 2022, with one attack vector standing out: identities compromised with infostealer malware. In most cases the infection goes unnoticed, and the malware obtains the credentials saved in victims' browsers. Hours, days, or years later, credentials to corporate or personal infrastructure are obtained by threat actors, who are able to seamlessly hijack sessions undetected by appearing as an employee.
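
Added example, not code from the talk: an infostealer that lifts browser data takes session cookies along with saved passwords, and a replayed cookie never touches the MFA prompt, which is why "MFA is not enough". The server-side counterpart is to bind each session to the context it was issued in and to treat a mismatch as a step-up event rather than silently honoring the cookie. The in-memory store below stores only a hash of the token, records a coarse fingerprint (the /24 of the source address plus the User-Agent) at login, returns "reauth" and raises an alert when a later request arrives from a different context, enforces absolute and idle lifetimes, and can revoke every session of a user once an infection is confirmed. The fingerprint choice is a deliberate trade-off that is an assumption of this example: finer binding (TLS client identity, device-bound credentials) is stronger, while binding to a full IP locks out mobile and VPN users.

```python
"""Bind web sessions to the client context seen at login and flag replays."""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    def __init__(self, max_age=8 * 3600, idle=30 * 60):
        self.max_age = max_age          # absolute lifetime: a stolen cookie dies with it
        self.idle = idle                # inactivity timeout
        self._sessions = {}             # sha256(token) -> record; the raw token is never stored
        self.alerts = []                # context mismatches, for the SOC

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _fingerprint(ip, ua):
        # coarse on purpose: a DHCP change or a NAT pool does not log the user out, but a
        # replay from a fresh VPS with a different browser or a scripted client does not
        # look like the original login
        net = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{net}|{ua}".encode()).hexdigest()

    def issue(self, user, ip, ua, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "fp": self._fingerprint(ip, ua),
                                            "issued": now, "last": now}
        return token

    def validate(self, token, ip, ua, now=None):
        """Returns (status, user): ok, reauth (send to MFA step-up), expired or invalid."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return "invalid", None
        if now - rec["issued"] > self.max_age or now - rec["last"] > self.idle:
            del self._sessions[key]
            return "expired", rec["user"]
        if not hmac.compare_digest(rec["fp"], self._fingerprint(ip, ua)):
            self.alerts.append({"user": rec["user"], "ip": ip, "ua": ua, "at": now})
            return "reauth", rec["user"]
        rec["last"] = now
        return "ok", rec["user"]

    def revoke_user(self, user):
        """Kill every session of a user, e.g. once an infostealer infection is confirmed."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    # constructed scenario: alice logs in from the office; her cookie is later replayed
    # from an unrelated address by a scripted client
    store = SessionStore()
    cookie = store.issue("alice", "10.0.1.20", "Mozilla/5.0 (Windows NT 10.0)", now=1000)
    print(store.validate(cookie, "10.0.1.21", "Mozilla/5.0 (Windows NT 10.0)", now=1001))
    print(store.validate(cookie, "203.0.113.9", "python-requests/2.31", now=1002))
    print(store.alerts)
```

The alert record is the detection hook: a session that suddenly presents from a new network and a new client string, minutes after a normal request, is exactly the pattern a stolen cookie produces, and it is visible even when the attacker's credentials and second factor were never used at all.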

----[ Media Effects Used in Influence Operations

Presenter
$ getent passwd ktzvetanov
.
├─ name: Krassimir Tzvetanov
└── org: Purdue University
Experience

Krassimir Tzvetanov is a graduate student at Purdue University focusing on Threat Intelligence, Operational Security and Influence Operations in the cyber domain. In the recent past, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously he worked for companies like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation and product security. Before that Krassimir held several operational (SRE) and security positions at companies like Google, Yahoo! and Cisco. Krassimir is very active in the security research and investigation community. Krassimir holds a Bachelor's in Electrical Engineering, a Master's in Digital Forensics and Investigations, and a Master's in Information Technology with a focus on Homeland Security.

Abstract

Over the past 5 years, the InfoSec community has had a myopic focus on some of the technical components of influence operations, such as Twitter bots, while showing marginal, if any, understanding of the underlying social and media theories used in influence operations. In this talk we cover some of the basics that worked for hundreds of years before social media existed. It focuses on the media effects used to conduct those operations, such as the two-step flow of information, gatekeeping, agenda-setting, priming, framing, the spiral of silence, echo chambers, and cultivation.

The talk itself is an introduction: it highlights particular theories and provides links for further reading. It will also briefly cover Bezmenov's subversion model, to provide a frame for explaining the social division we have been observing over the past few years, and support the thesis with a sociometric study showing the effects.

----[ BIRDBOX: If You See It, It's Already Too Late

Presenter
$ getent passwd gsieretzki
.
├─ name: George Sieretzki
└── org: ARE CYBERCOM
Experience

Major George Sieretzki is an Army Intelligence officer assigned to ARE USCYBERCOM. In his civilian career George is a penetration tester who over the last two decades has conducted hundreds of assessments for government and commercial customers. United Airlines once paid him 50,000 travel miles for a bug bounty, which he promptly had to pay taxes on, but never used because he flies Southwest.

Abstract

Did you know that, as you sit working behind your Microsoft Windows workstation, you may be unwittingly aiding an aggressor by sending them your credentials? This presentation introduces "forced authentication" attacks and the NTLM relay attacks they enable in a Microsoft domain environment. We will look at a number of different types of triggers for these attacks, including BIRDBOX, ADIDNS, WPAD, DHCP, HTTP, EFSRPC, and maybe more. We will examine some common tools, example payloads, limitations, mitigations, and one or two live (fingers crossed) demos.
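
Added example, not code from the talk: whichever trigger coerces the workstation, what the attacker ends up holding is an NTLMSSP AUTHENTICATE (Type 3) message, and what a responder or defender can read out of it is fixed by MS-NLMP. The script below builds a Type 3 message and parses one back: the coerced account, domain and workstation, the negotiated flags (whether signing was negotiated at all), whether the response is NTLMv1 or NTLMv2, and for NTLMv2 the AV pairs inside the client challenge blob, including the target SPN (MsvAvTargetName) and channel bindings (MsvAvChannelBindings) that Extended Protection for Authentication relies on, and the MsvAvFlags bit that says a MIC is present. Whether a relay actually succeeds is decided by the target service (SMB signing required, LDAP signing and channel binding, EPA on HTTPS endpoints), not by anything in this message; the parser only shows what evidence the coerced client supplied. The sample messages are constructed: the NTProofStr, LM/NT responses, MIC and timestamps are filler bytes, not values computed from a real password hash.

```python
"""Build and parse NTLMSSP AUTHENTICATE (Type 3) messages, as captured from a coerced client."""
import struct

SIG = b"NTLMSSP\x00"
FLAGS = {"UNICODE": 0x1, "SIGN": 0x10, "SEAL": 0x20, "NTLM": 0x200, "ALWAYS_SIGN": 0x8000,
         "EXT_SESSION_SEC": 0x80000, "VERSION": 0x02000000, "KEY_EXCH": 0x40000000}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}


def u16(s):
    return s.encode("utf-16-le")


def ntlmv2_response(nt_proof, timestamp, client_chal, pairs):
    """NTProofStr followed by the NTLMv2_CLIENT_CHALLENGE blob (MS-NLMP 2.2.2.7)."""
    avs = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + struct.pack("<HH", 0, 0)
    return (nt_proof + b"\x01\x01" + b"\0" * 6 + struct.pack("<Q", timestamp)
            + client_chal + b"\0" * 4 + avs + b"\0" * 4)


def build_authenticate(user, domain, workstation, flags, lm_resp, nt_resp,
                       session_key=b"", mic=b"\0" * 16):
    """Type 3 with Version and MIC fields present, so the fixed part is 88 bytes."""
    payload, descs = b"", b""
    for item in (lm_resp, nt_resp, u16(domain), u16(user), u16(workstation), session_key):
        descs += struct.pack("<HHI", len(item), len(item), 88 + len(payload))   # Len, MaxLen, Offset
        payload += item
    version = bytes([10, 0]) + struct.pack("<H", 19041) + b"\0\0\0\x0f"        # constructed Win10 version
    return (SIG + struct.pack("<I", 3) + descs + struct.pack("<I", flags | FLAGS["VERSION"])
            + version + mic + payload)


def _field(blob, desc_off):
    ln, _maxlen, off = struct.unpack_from("<HHI", blob, desc_off)
    return blob[off:off + ln]


def parse_authenticate(blob):
    if blob[:8] != SIG or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    lm, nt, dom, usr, ws, _sk = (_field(blob, 12 + 8 * i) for i in range(6))
    flags = struct.unpack_from("<I", blob, 60)[0]
    dec = (lambda b: b.decode("utf-16-le")) if flags & FLAGS["UNICODE"] else (lambda b: b.decode("latin-1"))
    info = {"user": dec(usr), "domain": dec(dom), "workstation": dec(ws),
            "flags": sorted(n for n, v in FLAGS.items() if flags & v),
            "ntlm_version": 2 if len(nt) > 24 else 1, "av": {}}   # NTLMv1 NT response is exactly 24 bytes
    if info["ntlm_version"] == 2:
        p = 16 + 28   # skip NTProofStr and the fixed part of the client challenge blob
        while p + 4 <= len(nt):
            av_id, av_len = struct.unpack_from("<HH", nt, p)
            p += 4
            if av_id == 0:
                break
            info["av"][AV_NAMES.get(av_id, str(av_id))] = nt[p:p + av_len]
            p += av_len
    return info


def relay_evidence(info):
    """What the coerced client put in the message that a relay target could have checked."""
    av = info["av"]
    cb = av.get("ChannelBindings", b"")
    flags_av = struct.unpack("<I", av["Flags"])[0] if len(av.get("Flags", b"")) == 4 else 0
    return {"ntlm_version": info["ntlm_version"],
            "signing_negotiated": "SIGN" in info["flags"],
            "spn_present": bool(av.get("TargetName")),
            "channel_binding_present": bool(cb) and cb != b"\0" * 16,   # all zeros = no TLS channel
            "mic_present": bool(flags_av & 0x2)}


# constructed sample: a backup service account coerced into authenticating to cifs/fileserver
SAMPLE_V2 = build_authenticate(
    "svc_backup", "CORP", "WS01",
    FLAGS["UNICODE"] | FLAGS["NTLM"] | FLAGS["SIGN"] | FLAGS["ALWAYS_SIGN"]
    | FLAGS["EXT_SESSION_SEC"] | FLAGS["KEY_EXCH"],
    lm_resp=b"\0" * 24,
    nt_resp=ntlmv2_response(b"\x11" * 16, 0x01D9C0FFEE000000, b"\xaa" * 8, [
        (2, u16("CORP")), (1, u16("DC01")), (4, u16("corp.local")),
        (7, struct.pack("<Q", 0x01D9C0FFEE000000)), (6, struct.pack("<I", 0x2)),
        (9, u16("cifs/fileserver.corp.local")), (10, b"\0" * 16)]),
    mic=b"\x22" * 16)
# constructed sample: a client that still falls back to NTLMv1 (no AV pairs, no signing flag)
SAMPLE_V1 = build_authenticate("jdoe", "CORP", "WS02", FLAGS["UNICODE"] | FLAGS["NTLM"],
                               lm_resp=b"\x33" * 24, nt_resp=b"\x44" * 24)

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        info = parse_authenticate(sample)
        print(info["domain"], info["user"], info["workstation"], info["flags"])
        print(relay_evidence(info))
```

Read as a defender, the two samples are the two ends of the relay mitigation story: the NTLMv2 message carries a MIC, an SPN and (here all-zero) channel bindings, so an SMB server that requires signing or an HTTPS endpoint with EPA would reject a relayed copy, while the NTLMv1 message carries none of that and is also directly crackable.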

----[ (Back) Into the Breach: Political Party Account Exposure and Why It Matters

Presenter
$ getent passwd aschoka
.
├─── name: Andrew Schoka
├──── org: 780th MI BDE (Cyber)
└─ social:
   └─ twitter: @schoka_7
Experience

Andrew Schoka is a Cyber Operations Officer at U.S. Army Cyber Command and has spent the last six years tending the office coffee pot in different roles across government and academia. He holds an M.S. in Cybersecurity from Georgia Tech, a B.S. in Systems Engineering from Virginia Tech, and a number of industry security certifications.

Abstract

As high-value targets for both state-sponsored and criminal actors, political parties face an array of challenges in securing their organization’s digital footprint. State-level party offices, in particular, are at a heightened degree of vulnerability, owing to varying levels of IT experience, unpredictable funding cycles, and the inherently public nature of their organizations. A major security concern for state parties is the threat of sensitive account or organizational data being publicly leaked or manipulated to undermine the organization’s political objectives. The risk of this scenario is magnified by the widespread appearance of party-affiliated account data in large-scale data breaches.

This session offers a follow-on to AvengerCon V’s 'Into the Breach' talk, which detailed the anomalous results from data-mining and analyzing state political party account exposure data at scale and comparing the results with data breach detection services provided by the HaveIBeenPwned API. With the benefit of hindsight, this year’s talk focuses on a longitudinal analysis of how the threat landscape has evolved, and overlays the project’s data collection with real-world examples of state political party cybersecurity incidents from the last 18 months. The results speak to the importance of integrating security programs with the core mission and culture of political parties across the country.

----[ Large Scale Sentiment Modification Campaign Creation with Open Source Technology

Presenter
$ getent passwd mreid
.
├─── name: Mike Reid
├──── org: Xorre
└─ social:
   └─ linkedin: in/miker-pmp/
Experience

Mike is a PMP certified project manager based in Virginia Beach with a decade of experience in cloud security and infrastructure. He is a public speaker and trainer who has participated in over 30 national tech events and is an organizer for WordCamp Virginia Beach 2023. Mike is an open source software evangelist and an enthusiastic member of the WordPress project. He's currently focused on secure communication and offensive security, with a focus on applying AI and ML procedurally.

Abstract

This session will focus on large scale sentiment modification campaigns, and how we can use AI and ML to create operations significantly more complex than those currently used. These campaigns are designed to withstand intense scrutiny and last years.

We will look at one example campaign in detail based on a state sponsored malware group, and examine how the techniques could be utilized in practice.

The presentation will be geared towards a general audience and will focus on high level concepts and outcomes. The specific technologies presented will all be open source.