9:00 am - 9:15 am MT | 3:00 pm - 3:15 pm UTC | Welcome & Opening Remarks

9:15 am - 10:00 am MT | 3:15 pm - 4:00 pm UTC | Keynote

10:00 am - 10:20 am MT | 4:00 pm - 4:20 pm UTC | Break

10:20 am - 10:55 am MT | 4:20 pm - 4:55 pm UTC | Virtual Track

Automating incident response: scalable & fast, within minutes

In today's rapidly evolving digital landscape, the increasing frequency and scale of security incidents pose significant challenges for incident response teams. The traditional approach, rooted in digital forensics, is no longer sufficient or efficient enough. It's time for a shift towards an automated incident response strategy that combines the investigative prowess of a digital detective with a DevOps mindset. In this talk, we will present how the incident response process of acquiring data, processing data, and analyzing information can be automated, based on how we have built our incident response lab using open-source software packages developed by Microsoft (AVML), SpecterOps (SharpHound), Google (Timesketch, Plaso and WinPmem), Rapid7 (Velociraptor), Fox-IT (Dissect), Elastic (Filebeat, Logstash, Kibana and Elasticsearch), Kroll (KAPE), HashiCorp (Terraform, Packer, Vault) and Jupyter (Jupyter Notebook). We will guide you from using these tools manually to using them automatically and magically. Well, not really magically, but we will emphasize the application of a DevOps mindset to the process that most incident responders, ourselves included, execute on a daily basis, combined with examples that can be put into practice.

10:20 am - 10:55 am MT | 4:20 pm - 4:55 pm UTC

How persistent is an APT? Battling Three Threat Actors in a Single Environment

As seasoned incident responders we help organizations eradicate and remediate threat actors on a daily basis. Yet, what happens when our efforts to neutralize one threat inadvertently collide with another? Imagine the scenario: you're on the verge of thwarting a financially motivated threat actor, only to discover that your actions disrupted the operations of a Chinese state-sponsored adversary. And just as you prepare to execute a kill-switch operation against the first, a second Chinese APT emerges, throwing a wrench into your carefully laid plans. In this presentation, we delve into the intricacies of combating multiple threat actors concurrently. Drawing from real-world experiences, we offer a firsthand account of the cat-and-mouse game that unfolds between incident responders and their adversaries. We'll uncover the tactics employed by highly persistent threat actors in response to our remediation efforts. From adapting indicators of compromise (IOCs) to evading detection within networks, we'll shed light on the myriad challenges encountered. Join us as we share our lessons learned and strategies for combating state-sponsored threat actors.

11:00 am - 11:35 am MT | 5:00 pm - 5:35 pm UTC | Virtual Track

Machine Learning for Enhanced Malware Detection & Classification

Malware continues to increase in prevalence and sophistication. VirusTotal reported a daily submission of 2M+ malware samples. Of those 2 million daily malware submissions, over 1 million were unique malware samples. Successfully exploiting networks and systems has become a highly profitable operation for malicious threat actors. Traditional detection mechanisms, including antivirus software, fail to adequately detect new and varied malware. Artificial Intelligence provides advanced capabilities that can enhance cybersecurity. The purpose of this talk is to deliver a new framework that uses Machine Learning models to analyze malware, produce uniform datasets for additional analysis, and classify malicious samples into malware families. Additionally, this research presents a new Ensemble Classification Facility we developed that leverages several Machine Learning models to enhance malware classification. To our knowledge, this is the first research that utilizes Machine Learning to provide enhanced classification of an entire 200+ gigabyte malware family corpus consisting of 80K+ unique malware samples and 70+ unique malware families. New, labeled datasets are released to aid in future classification of malware. It is time we leverage the capabilities of Artificial Intelligence and Machine Learning to enhance detection and classification of malware. This talk provides a pathway to incorporate Artificial Intelligence into the automated malware analysis domain.

11:00 am - 11:35 am MT | 5:00 pm - 5:35 pm UTC

Cutting Through the Chaos: File Detection and Analysis Using Strelka

File analysis at scale remains a major challenge for cybersecurity teams, often leading to alert fatigue and missed threats. In this talk, we'll dig into Strelka, an open-source, detection-oriented file analysis tool developed at Target. We'll highlight how Strelka is capable of characterizing hundreds of millions of files daily, providing scalable detection potential across your enterprise. By attending this session, you'll learn strategies to effectively leverage Strelka's scanning capabilities aimed at enhancing file analysis workflows and threat detection abilities. We'll demonstrate practical use cases showcasing how Strelka integrates into modern security stacks, serving as a critical pillar for responding to emerging cyber threats.

11:40 am - 12:15 pm MT | 5:40 pm - 6:15 pm UTC | Virtual Track

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs

We'll delve into the intricacies of Google Cloud Platform (GCP) audit logs, specifically focusing on how GCP principals are represented and authenticated within these logs. Attendees will gain practical insights and a hands-on understanding of deciphering GCP audit logs to detect authentication details and impersonations and to analyze principal identities. We will walk through the "authenticationInfo" field in the logs and understand what information it gives us. From there we move on to the diverse types of entities and identities we can have in GCP: what types of impersonation exist, how they are used, and by whom (GCP VMs included). Finally, we will show what internal GCP accounts do or don't do in our environment, and what it means when we have no logged identity at all. Through real examples and demonstrations, this session will empower attendees to enhance their cloud security monitoring and incident response capabilities.

Takeaways:
1. Attendees will gain practical insights into deciphering GCP audit logs, focusing on authentication details and principal identities.
2. Participants will acquire the skills to identify different types of impersonations and workload identities within GCP audit logs.
3. Participants will discover the significance of service agents and the impact of missing identities in logs.

11:40 am - 12:15 pm MT | 5:40 pm - 6:15 pm UTC

The Allure of The Hunt: Drawing New Talent Into DFIR

Digital Forensics and Incident Response is continuously evolving, and there is a pressing need for talent to address emerging threats. This presentation highlights what attracts students and newcomers to DFIR, emphasizing their motivations and what excites them about the industry. I'll discuss the appeal of solving complex cyber challenges, defending against security threats, and teamwork within the DFIR community, based on insights from interviews and personal experiences. The talk also highlights beginners' main challenges, such as the steep learning curve, the necessity for hands-on experience, and the gap between academic studies and practical work requirements. I'll share effective strategies and initiatives that have helped attract and keep new talent, improving their skills and readiness for the field. Additionally, I will suggest some practical steps for seasoned DFIR professionals and organizations to create a supportive and efficient environment for newcomers. By supporting the development of emerging talent, the DFIR community can grow together and become better prepared to protect against threats. I want to share an early-career student's perspective on what students are doing now and how we can empower the next generation of DFIR professionals, preparing them to make meaningful contributions and drive innovation in the industry.

12:15 pm - 1:15 pm MT | 6:15 pm - 7:15 pm UTC | Lunch

1:15 pm - 4:45 pm MT | 7:15 pm - 10:45 pm UTC | Skull Games

1:15 pm - 1:50 pm MT | 7:15 pm - 7:50 pm UTC

Gaining Better Visibility on a Cloudy Day: Additional Microsoft Cloud Data Sets You May Not Be Looking At But Probably Should

For organizations using Microsoft Entra ID (the artist formerly known as Azure Active Directory) and O365, it's fairly well understood that a set of default logs is readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits. This past fall, the team at Black Hills Information Security released a post-exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner and future tools like it streamlines a number of activities that an adversary would perform after gaining access, making it simpler for anyone to use. While GraphRunner is a post-exploitation toolkit, there are authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage. As a defender, this presents a set of challenges. Less sophisticated adversaries have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions like the refreshing of tokens or other activities that a tool like GraphRunner provides. This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but that may not be as widely deployed. These additional data sets can give defenders additional insight, help detect suspicious activity, and serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner. Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs. While we won't be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders, using GraphRunner as a representative of the kinds of methods that adversaries might use.

Attendees will come away from this talk with:
- A greater understanding of GraphRunner and its capabilities
- Awareness of the logging available for the Graph API beyond the standard logging
- Ideas around how detections and hunts can be designed to identify GraphRunner activity

1:55 pm - 2:30 pm MT | 7:55 pm - 8:30 pm UTC

Dormant Devices, Chatty Logs: Extracting Forensic Artifacts from Seemingly Idle iOS Devices

Have you ever wondered about the sheer amount of forensic artifacts being generated by your seemingly idle iPhone just lying on your desk? Or perhaps you have an iOS device where a Full File System (FFS) image isn't supported, but you are still missing crucial pieces of information relevant to your investigation that aren't found in your logical image. Join us as we delve into some newly discovered iOS artifacts and how system logs may hold the piece of data we need. While these logs were initially intended for Apple and developers to keep track of crash logs, application data and general system information, they harbor a trove of artifacts relevant to forensic analysts that could otherwise be missed.

2:35 pm - 2:50 pm MT | 8:35 pm - 8:50 pm UTC | Break

2:50 pm - 3:25 pm MT | 8:50 pm - 9:25 pm UTC

Not All Androids Who Wonder Are Lost. Exploring Android's Find My Device System.

In 2021 Apple introduced the AirTag as a way to keep track of the things you care about the most. Almost immediately, privacy concerns arose about potential misuse by stalkers and others with nefarious intentions, and Android users were affected the most. Since then, Android users have gained the ability to detect rogue AirTags and, with the enhancement to Google's Find My Device network, other Bluetooth trackers. Additionally, they have also gained the ability to natively track other compatible Bluetooth trackers made by third parties. This presentation will delve into the Find My Device system, identify artifacts that are left behind when an Android phone encounters rogue trackers or trackers associated with the Android owner's Google account, and cover any tracker data that may reside with Google and be available via Takeout or legal process.

3:25 pm - 4:00 pm MT | 9:25 pm - 10:00 pm UTC

Getting down and dirty with Mac imaging

Working with Macs can be a pain. This session will cover the challenges encountered, the state of macOS imaging, and hacks and workarounds for confirming you have a usable collection using free Windows and Linux tools.

4:05 pm - 4:40 pm MT | 10:05 pm - 10:40 pm UTC

When VPNs Become Open Doors: Forensic Analysis of Advanced Intrusions

Matt Lin, Senior Consultant, Incident Response, Mandiant

VPNs, intended to provide secure access, are a prime target for advanced attacks. This talk arms DFIR practitioners with essential techniques for analyzing intrusions where VPN access was the initial entry point. Gain a deeper understanding of how threat actors exploit VPN vulnerabilities, bypass authentication mechanisms, and deploy malware. Through real-world case studies, learn to identify indicators of compromise (IOCs) specific to VPN-related attacks, focusing on unusual network traffic patterns, privileged account abuse, and persistence techniques. Attendees will leave with actionable insights for improving incident response processes, developing threat intelligence, and proactively hardening VPN defenses.

4:45 pm - 5:00 pm MT | 10:45 pm - 11:00 pm UTC | Wrap-Up