BSidesCharm 2022 Schedule
There are two speaking tracks for each day, and one training classroom per day.
Registration
BSidesCharm Opening Remarks
Keynote - Securing Election Campaigns Panel
Moderator
Amelie Koran (@webjedi)
Senior Fellow, Atlantic Council
Panelists
Laila ElGohary
Former Deputy CTO at Biden for President
Michael Kaiser (@CyberNews4you)
CEO of Defending Digital Campaigns
Chip Stewart
CISO, State of Maryland
Mike Sager
Chief Technology Officer and Chief Information Security Officer
EMILY’s List | The Nation’s Largest Resource for Women in Politics
Visit Our Sponsors and Villages
While the main talk rooms are set up, please take the time to visit our sponsors and explore the villages and workshops.
Call the Plumber: Your Documents are Leaking
For most organizations, posting brochures, contract templates, whitepapers, and various forms of marketing collateral online is a standard practice. And for most threat actors, this can surreptitiously provide a wealth of information about the organization they are targeting.
In this talk, we will examine why cyber criminals benefit from the public sharing of organizational documents, how they make use of the metadata contained in the documents, how misconfigurations and lack of user awareness can lead to data leaks, and propose practical / open source methodologies organizations can employ to protect themselves.
Nick Ascoli
Let's Get Cooking with CyberChef
CyberChef is known as the “cyber Swiss army knife” because of the myriad operations you can perform with this most excellent tool. Developed by GCHQ, this open-source web application can encode and decode, encrypt and decrypt, compress and decompress, analyze files and images, and so much more. Every professional should have CyberChef in their toolbox and in this talk I will cover some of the operations I frequently use in my role as a security researcher.
Marcelle Lee
Lunch on your own
Check out the available options within the hotel or take a quick walk next door to the mall food court.
AD CS means "Active Directory is Cheese (Swiss)"
Active Directory is great.
Public Key Infrastructure is great.
So you’d think Microsoft’s AD-integrated PKI – AD Certificate Services – would be great too. And configured correctly, it is!
But in practice, Microsoft’s “easy” approach to PKI often creates security issues in typical deployments. Luckily, you can eliminate the most common & most dangerous misconfigurations with a few easy checks.
Jake Hildreth
SOCs and Shoes
The Security Operations Center: everyone has one, but is it really more than a checkbox, or a place to go where dreams die? This talk will discuss some of the core issues that SOCs face today, as well as suggestions and ideas to get this pivotal role and department back on mission by trusting and empowering analysts to find badness.
Shawn Thomas
Information Literacy Makes for Better Information Security
The American Library Association defines ‘Information Literacy’ as “a set of abilities requiring individuals to ‘recognize when information is needed and have the ability to locate, evaluate, and use effectively the needed information.’” Correct and accurate information is crucial to Information Security, whether it be for Threat Intelligence gathering or monitoring an incident response. Learn tips and strategies from a former librarian on how to ascertain the validity of information before using it, or worse, passing along what may be disinformation. You will come away from this session with a better sense of data gathering and organization, in addition to being a more literate consumer of information.
Tracy Z. Maleeff
Malware Wars: DarkSide Strikes Back as BlackMatter
Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as interview the ransomware operators themselves. In this session, we will take you through our discovery of the BlackMatter ransomware group and its evolution through the shutdown as well as provide a technical deep dive on the Windows, PowerShell and Linux ransomware itself. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.
Lindsay Kaye, James Niven
Threats lurking beneath the subsurface: Understanding and analyzing threats to Windows Subsystem for Linux (WSL)
In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for terminal functionality without the overhead of a virtual machine. While this new functionality was welcomed by developers, it also introduced a new attack surface that threat actors can – and do – target. Black Lotus Labs recently identified several malicious files that were compiled in the Linux binary format ELF which utilized native Windows APIs. Over the past several months, Black Lotus Labs has identified numerous agents – i.e. lightweight scripts that load more robust agents into memory – keyloggers, and in some cases fully functional remote access trojans. The novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate of nearly, or in some cases exactly, zero for samples found on VirusTotal. This talk will briefly introduce WSL, then focus on the samples Black Lotus Labs observed abusing this feature in the wild.
Danny Adamitis
BSidesCharm Happy Hour
Join us after talks have concluded for light snacks and beverages in the Warfields room. Meet new friends and reconnect with old ones!
Dinner break
Check out the available options within the hotel or take a quick walk next door to the mall food court.
BSidesCharm Arcade Party
Join us for an after-hours chill-out in the Warfields room for a night of arcade games and friends. A cash bar will be open.
ICS/OT Cyber Threats, Vulnerabilities, and Incidents: Past and Present
Gain an in-depth look at old case studies and new research across 2021 highlighting new ICS threat groups, vulnerabilities, and insights from the field including incident response case studies of previously unreported incidents. This session will give a ground-truth reality and primer on what is really happening in our industrial environments.
Ben Miller
KQL and Azure AD Workbooks for the Blue Team
As more IT resources are moved to the cloud, organizations need the ability to access this log data as well as perform complex queries. KQL (Kusto Query Language) is a tool that belongs in every defender’s toolkit for operations monitoring as well as threat hunting. But how do you even get started if you don’t know KQL? This session will be heavy on practical content to get you up and running TODAY.
In this session, we will leverage some of the built-in Azure AD workbooks to understand the basics of KQL. Then we will progress to more complex KQL concepts and show you how you can take any existing workbooks and customize them for your own use or even create your own and contribute back to the community of workbooks that’s growing!
Corissa Koopmans, Tosin Lufadeju
Lunch on your own
The tribe and the copycat - A look into Pakistani APT campaigns in recent years
In recent years, there has been a substantial uptick in the intrusions attributed to Advanced Persistent Threat (APT) groups aligned with Pakistan. The two groups, ‘Transparent Tribe’ and ‘SideCopy’, have operated a variety of campaigns to realize the unified goal of espionage. Transparent Tribe is a well-established group, known to have operated since at least 2016. SideCopy, however, is a relatively new threat actor in the nascent stages of its life cycle – only disclosed recently, circa 2020.
Using a combination of compromised and attacker owned infrastructure, the APTs have deployed bespoke malware against a variety of targets in the Indian sub-continent. Typical targets for the groups include government and military entities in Afghanistan and India.
In this presentation we take a deep dive into the tactics, techniques and procedures (TTPs) used by both the groups over the course of the past two years. The presentation will start by showing the initial patterns and themes of malicious documents and lures used by the groups in 2020. The presentation will finish with an evolutionary analysis of Transparent Tribe and SideCopy’s tactics resulting in the deployment of their Windows malware implants.
Asheer Malhotra
Extortion, Chaos and Needless Busywork AKA Vendor Risk Management
Trends in security and compliance include increased attention to the security posture of critical vendors, a practice known as Vendor Risk Management. This has led to the proliferation of third-party risk rating vendors, unwieldy questionnaires, and processes. This talk dives into real-world issues created by this rush-to-rate frenzy and discusses rational solutions for effectively rating vendor risk.
Jim Nitterauer
Engineering != (Admin || Analyst || Responder)
The field of Security Engineering has evolved as an essential function within the Information Security industry. Security Engineers are responsible for many aspects of protecting the enterprise, including the design of secure systems, supporting security operations, and protecting business platforms, data centers and now, the cloud. The nebulous role of Security Engineers is sometimes confused with system administrators, security analysts or even penetration testers. Yet the industry recognizes the need for Security Engineers, with thousands of opportunities in the DMV region alone. This talk will address questions such as “What is a security engineer?” and “Aren’t they the system administrators?” Reswob (reswob10) and Noog (nfltr8) will provide their experience as Security Engineers in Information Security (or Cyber) solving real problems for federal services and other industries. Heck, we will even throw in a framework that we created called the Security Engineering Triad. After all that fun, we want to inspire the next generation on what it takes to become security engineers in today’s world, including the experience, education and certifications needed.
Craig Bowser, Ludwig Goon
Job Hunting Like a Hacker
Registration
Keynote - Secure the Era
From local to state to federal, all political campaigns continue to be targeted by bad actors and face growing cybersecurity risks. Drawing from experiences from the South Lawn to South Bend, Mick will discuss the unique challenges, lessons learned as the first CISO of any presidential campaign, and the potential for campaign cybersecurity in 2020 and beyond.
Presented by Mick Baccio
Visit Our Sponsors and Villages
While the main talk rooms are set up, please take the time to visit our sponsors and explore the villages and Hiring Village.
Three Bridges & a Compass: Navigating Risk Landscapes with Intelligence
A wealth of operational security resources – detections & red team tests – are now publicly available, enabling control validation cycles. Intelligence becomes near-essential to navigate which myriad controls to validate next. We will illustrate how intelligence informs prioritized control validation & risk reduction and review a new open-source tool to quickly identify addressable defensive gaps.
Scott Small
Log4j From the Trenches
As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMware Horizon servers: 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, the artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will also be discussed, as well as prevention mechanisms.
Max Thauer
Lunch on your own
Check out the available options within the hotel or take a quick walk next door to the mall food court.
Malware Analysis for the Masses
$how Me the Money!
It’s a challenge for smaller organizations to embrace security, and it can be a downright battle to start a security program. Here’s a guide to getting the buy-in you need and starting a security program at your company.
Carlota Sage
Closing Ceremonies
Stick around to hear the latest on how the conference went as well as win free prizes!
Into the Breach: An Analysis of State Political Party Account Exposure
Targeted by both state-sponsored and criminal actors, political parties face an array of challenges in securing their organization’s digital footprint. State-level party offices are at a particularly heightened degree of vulnerability, owing to the inherently public nature of their organizations. A major security concern for state-level party offices is the threat of sensitive organizational data being publicly leaked or manipulated to undermine the organization’s political objectives. The risk of this scenario is magnified by the widespread appearance of party-affiliated account data in large-scale data breaches. This session presents a novel data-mining solution that quantifies the level of exposure these organizations face due to account exposure in data breaches. Leveraging open-source web utilities to enumerate state-level party websites for published email accounts, the tool compares the results from 195 state-level party websites with the data breach detection services provided by the HaveIBeenPwned API. The results have dire implications for the security of our electoral system.
Andrew Schoka
Underground Insights: Criminal Exploitation of Multi-Factor Authentication
As organizations increasingly deploy or modify existing multi-factor authentication (MFA) techniques, cybercriminals are increasingly exploiting MFA. Regardless of whether organizations’ use of MFA requires SMS messages, authentication applications, or hardware-based security keys, Accenture Cyber Threat Intelligence (ACTI) is observing malicious actors buying and selling MFA bypass techniques, in addition to actors sharing and seeking information on the topic. In this talk, ACTI examines the underground activity focused on bypassing MFA, as well as threat actors buying and selling services to bypass MFA, including modified versions of publicly available tools, mobile malware, credential stealers, SIM swapping, Signaling System 7 (SS7) exploits, and services for bypassing MFA to hack cryptocurrency wallets.
Adam Bumgarner
Lunch on your own
Check out the available options within the hotel or take a quick walk next door to the mall food court.
Forecasting cyber-attacks - mathematical models & techniques
Wouldn’t it be fantastic if you could forecast the next cyber-attack, the number of attacks, and even how rapidly the attacks would occur? In this session, I’m going to show you how you can use the MITRE ATT&CK framework to build up your attack scenario, then use mathematical models to generate your forecasts. Don’t worry, you don’t have to be a mathematician (or even good at math) to use these models. The goal of this activity is to be proactive in developing mitigations and strategies for the next possible cyber-attack.
Charlene Deaver-Vazquez
The Uncensorable Stack: Malicious Applications of Blockchain Tech
Blockchain technology introduces new opportunities for adversaries to level up their tradecraft. By combining different decentralized technologies, fully censorship-resistant, user-friendly applications can be built without a single point of failure. This talk will cover known attacker uses of blockchain-based capabilities, dive into each layer of an uncensorable tech stack, demo what a malicious application might look like, and provide defenders with mitigation strategies.
Jesse Buonanno
Closing Ceremonies
PowerShell Crash Course
This course will give you the basics of PowerShell. You will learn the PowerShell syntax and what to Google if you need help. Learn things like repeating tasks, iterating through a list of objects, and the various things you can do with PowerShell objects. You will also learn to discover new cmdlets, modules, and functions. You will gain experience by practicing what the instructor is teaching and by watching demos of production scripts and tools. The target audience for this course is individuals who are new to scripting and new to PowerShell.
James Honeycutt
Practical Dark Web Hunting using Automated Scripts
How can you effectively hunt data from the dark web using scripts? How can you circumvent scraping defenses on the dark web? How can you automate your scripts? If you are curious about the answers to these questions and want to learn how to effectively write automated scripts for this task, then this workshop is for you. There are many forums and marketplaces on the dark web where actors buy, sell, and trade goods and services like databases, exploits, trojans, ransomware, etc. Collecting data from the dark web can help any organization identify and detect risks that may arise due to their assets being sold on the dark web. In this workshop, you will learn why collecting data from the dark web is essential, what open-source tools you can use to collect this data, how you can create your own tools & scripts, and how to automate your scripts for effective collection. The workshop’s primary focus will be on circumventing the anti-scraping defenses put in place by forums & markets on the dark web.
Prerequisites:
Basic scripting in python
Knowledge of using VMs & Linux machines
Holistic AWS Cloud Security Design for Newcomers
Ditch the kale smoothie, it’s time to go big picture. Your organization is moving to AWS, and you’re in a panic. Which of the 42 billion AWS service offerings do you really need? How do you manage user and service accounts? What about those 7 different rogue AWS accounts you just found out about? We’ll walk through select essentials of organizing and standardizing your AWS environment(s), securing AWS accounts and services, managing authentication, protecting your applications, and explore a few key guardrails you can bring back to your organization. We’ll talk about balancing security with usability, how your existing architecture can work for you and against you, and how to identify and protect your attack surface in (and even out of) the cloud.
Cassandra Young