0.22
2023
BSidesSATX 2023
2023-06-10
2023-06-10
1
00:05
https://cfp.bsidessatx.com/2023/schedule/
America/Chicago
2023-06-10T10:00:00-05:00
10:00
00:45
Track 1 (UC Conference Rm A)
2023-103-i-came-in-like-a-wrecking-ball
https://cfp.bsidessatx.com/2023/talk/EWYKQZ/
false
I Came in Like a Wrecking Ball
Full Talk
en
In this presentation, we will cover the methods an attacker can take to conceal their identity and disguise their digital footprints, as well as real-world examples from the previous year in which full compromise was achieved through human error, seemingly harmless configurations, and insecure products. Then, we'll examine opportunities for engaging employees and management through gamification and highlight cost-effective strategies for creating a more secure environment.
In 2022, businesses with fewer than 1,000 employees were the primary target of about half of all cyberattacks. Why do criminals prey on small businesses? These organizations are the proverbial low-hanging fruit since they lack the resources and security competence.
iamv1nc3nt
2023-06-10T11:00:00-05:00
11:00
00:25
Track 1 (UC Conference Rm A)
2023-142-malware-and-malicious-code-in-the-open-source-software-supply-chain
https://cfp.bsidessatx.com/2023/talk/JZLVBQ/
false
Malware and Malicious Code in the Open Source Software Supply Chain
Short Talk
en
Bad actors are targeting your developers through open source software. In this talk you will find a variety of specific examples of recent supply chain attacks in software ecosystems such as npm and PyPI. You will also learn about recent trends and techniques in these attacks, and ideally you will learn about how to lower the risk of a compromise in your software development environment. This talk is intended for all audiences, and no prior knowledge of malicious code or malware is assumed.
The open source software ecosystem is a vast, sprawling global metropolis full of opportunities and dangers. Yet we as software developers often approach it with a small-town mentality. Whereas in a few places it is perfectly safe to leave your keys in the car with the engine running while you make a quick trip into the convenience store, it would be foolish to do so in places where a bad actor is waiting to take advantage of your naivety. Success is not due to sophistication, but rather to the ability to take advantage of a fundamental assumption you had about the relative security of your location.
And so it is with open source software security. Some attacks are successful because of technical prowess - some esoteric technical bug that a sophisticated actor manages to exploit and deploy. But many others, especially some recent widespread ones, are successful simply because they prey on our cultural assumptions and human frailties as software developers. Bad actors deploy relatively unsophisticated packages in our open source software ecosystems hiding under layers of obfuscation that exploit not merely our systems, but our humanity as well.
The barrier to entry for these attackers is pitifully low, and the reward can be astonishingly high, similar to the risk/reward proposition of email spammers from an earlier era. Attackers have demonstrated the capability to publish these malicious packages to open source ecosystems automatically, and before the repository maintainers can take them down, they have already been installed by some unsuspecting developer.
In this talk you will learn about these kinds of attacks, their volume, and their velocity through specific examples of recent attacks (e.g., typosquatting, combosquatting, starjacking, dependency confusion, and others) on PyPI and npm. You will also learn about how a defense-in-depth approach can mitigate these risks for developers. Finally, you will ideally leave this talk with a new perspective on the dangers lurking in open source software ecosystems.
Ross Bryant
2023-06-10T11:30:00-05:00
11:30
00:45
Track 1 (UC Conference Rm A)
2023-124-the-darkside-of-graphql
https://cfp.bsidessatx.com/2023/talk/NDZBDH/
false
The Darkside of GraphQL
Full Talk
en
GraphQL is a query language for APIs that provides a powerful and efficient way to query and manipulate data. As powerful and versatile as GraphQL is, its downside is that it can be vulnerable to certain security threats. In this presentation, we will discuss the security vulnerabilities associated with GraphQL, from the basics to more advanced threats, and how best to protect against them. After this presentation, attendees will have a better understanding of security vulnerabilities in GraphQL.
Parth Shukla
2023-06-10T13:00:00-05:00
13:00
00:45
Track 1 (UC Conference Rm A)
2023-123-scifi-to-reality-use-of-ai-in-cybersecurity-pre-recorded-
https://cfp.bsidessatx.com/2023/talk/CKYKLN/
false
SciFi to Reality: Use of AI in Cybersecurity (Pre-Recorded)
Full Talk
en
Global spending on AI is expected to reach $500 billion by the end of 2023. How will hackers use this technology?
Join SAP Cybersecurity Expert Sandip Dholakia and find out more about how AI will be used by cybercriminals to infiltrate systems and how the cybersecurity industry is fighting back.
Sandip will enlighten the audience with facts about how hackers can compromise your privacy and security using AI and how cybersecurity professionals can use AI to protect your data and information.
Artificial Intelligence looks very cool in SciFi movies and books, but what is the reality? Is it something we can embrace? Is it more dangerous than a nuclear weapon? Can AI be used to hack into systems, or can it be used to protect them?
Find out answers to these and other questions.
Since the launch of ChatGPT, the topic of artificial intelligence has gained a lot of momentum within the cybersecurity industry. The presentation will open with a short introduction, the fundamentals of AI, and real-world use cases of AI. The core of the presentation will focus on how hackers can compromise your privacy and security using AI and how cybersecurity professionals can use AI to protect your data and information. The discussion will highlight various AI-based tools that can be used to secure cloud as well as on-premises environments.
Sandip Dholakia
2023-06-10T14:00:00-05:00
14:00
00:25
Track 1 (UC Conference Rm A)
2023-113-driving-your-own-vulnerability-how-to-navigate-the-road-of-byod-attacks
https://cfp.bsidessatx.com/2023/talk/GZGVDU/
false
Driving Your Own Vulnerability: How to Navigate the Road of BYOD Attacks
Short Talk
en
Attacks that Bring Your Own Vulnerable Driver (BYOVD) pose a unique threat to Windows security and are difficult to detect and prevent, but what makes a driver vulnerable, and how prevalent are vulnerable device drivers? In addition to answering these questions, this talk provides categories of vulnerabilities that are unique to Windows drivers and presents real-world vulnerable driver case studies to illustrate the theoretical concepts.
Intro
- Quick overview of Windows device driver basics
- Overview of device drivers used in attack chains
- Prevalence of drivers
  - Drivers uploaded to VirusTotal
  - YARA rules for detection
- RtCore64 (video driver for Micro-Star's MSI Afterburner)
  - BlackByte ransomware
  - Earth Longzhi
  - CVE-2019-16098
- dbutil_2_3 (Dell client firmware update utility)
  - Lazarus
  - CVE-2021-21551
- IQVW32 (Intel Ethernet diagnostics driver)
  - Scattered Spider
  - CVE-2015-2291
- Detections and mitigations
  - Challenges
  - Suggestions
- Conclusion
Dana Behling
2023-06-10T14:30:00-05:00
14:30
00:25
Track 1 (UC Conference Rm A)
2023-144-homophonic-collisions-hold-me-closer-tony-danza
https://cfp.bsidessatx.com/2023/talk/FC83UK/
false
Homophonic Collisions: Hold Me Closer, Tony Danza
Short Talk
en
We’ll demonstrate a few practical approaches to exploiting human misunderstanding as a result of homophones to passively collect sensitive information, along with some redacted real-world examples. Domains registered for soundsquatting purposes are likely to be missed by typosquatting detection tools like DNSTwist. We will release defensive and detection mechanisms to help find vulnerable use cases within registered domains, language packaging pipelines, and social media handles.
This talk will delve into the risks posed by homophonic collisions, an understudied vector for cybersecurity threats. Despite extensive research on domain generation algorithms for homoglyphs and typosquatting, there has been relatively little research on homophonic collisions, which take advantage of human audible misinterpretations.
The talk will examine the practical implications of homophonic collisions and discuss existing vulnerabilities in human perception and our systems. Attendees will learn about the limitations of current detection tools and gain insights into new detection methodologies that account for human misunderstandings.
Real-world examples of the risks associated with homophonic collisions will be shared, and strategies for protecting brand and critical assets will be covered. We will demo our tooling to detect soundsquatted entities.
This talk is relevant to cybersecurity professionals and anyone interested in the latest developments in cybersecurity threats. It will provide valuable insights into this rapidly evolving field and equip attendees with practical skills for detecting and mitigating the risks associated with homophonic collisions.
Reagan Short, Justin Ibarra
2023-06-10T15:00:00-05:00
15:00
00:45
Track 1 (UC Conference Rm A)
2023-133-how-lockbit-orchestrated-the-destruction-of-a-domain-and-network-and-how-we-kicked-them-off-stage
https://cfp.bsidessatx.com/2023/talk/LMFE8Y/
false
How LockBit Orchestrated the Destruction of a Domain and Network and How We Kicked Them Off Stage
Full Talk
en
In this talk we take the audience through a LockBit 3.0 and LockBit ESXi investigation, containment, and recovery case. We cover how we identified infected systems, attacks that don't match TTPs from the FBI and CISA, and how we helped our client get back up and running again.
Jacob Wellnitz
2023-06-10T16:00:00-05:00
16:00
00:45
Track 1 (UC Conference Rm A)
2023-134-kickstarting-your-in-house-red-team-challenges-and-approaches
https://cfp.bsidessatx.com/2023/talk/DRMSQQ/
false
Kickstarting your in-house Red Team: Challenges and approaches
Full Talk
en
This talk aims to help attendees address these challenges and kickstart their internal red team programs, proposing approaches to improving communication, integrating enterprise functions, and measuring program effectiveness. It covers our experiences managing a team of red team operators, helping organizations build a red team program, and what was observed in many companies trying to develop similar initiatives.
You have to build your organization’s Red Team from scratch. Where do you start? Organizations building internal red teams and penetration testing programs to keep up with the latest threats typically face three challenges: translating results to other security functions and leadership, aligning the red team program with business objectives, and demonstrating value.
This talk aims to help attendees address these challenges and kickstart their internal red team programs by:
- Outlining challenges, positive results, and setbacks identified while building internal red team programs;
- Proposing approaches to improving communication, integrating enterprise functions, and measuring program effectiveness;
- Discussing our experiences managing a team of red team operators, helping organizations build a red team program, and what was observed in many companies trying to develop similar initiatives.
The goal is to help attendees kickstart an in-house red team program, providing ideas to communicate with other security functions, keep red team operators engaged, and deliver meaningful outcomes aligned with the overall cybersecurity goals. After the talk, attendees should be capable of taking the first steps toward deploying a team focused on improving the organization’s security posture instead of rinse-and-repeat testing.
Daniel C. Marques, Victoria Dea
2023-06-10T10:00:00-05:00
10:00
00:45
Track 2 (Moody Rm 101)
2023-148-two-sides-of-the-same-coin-interview-lessons-as-learned-by-both-interviewee-and-interviewer
https://cfp.bsidessatx.com/2023/talk/XB9XP9/
false
Two Sides of the Same Coin: Interview lessons, as learned by both interviewee and interviewer
Full Talk
en
When people think of interviews — especially in cybersecurity — they focus on the opposition of interviewer vs. interviewee, of hiring company vs. potential candidate. However, successful interviews result when the perspectives of both interviewer and interviewee are kept in mind, regardless of what side of the proverbial table you’re sitting on. In this talk, hiring managers and potential new hires alike will learn how to approach all stages of "The Interview" from both perspectives.
In this talk, I aim to share with attendees all the lessons learned from my most recent experiences on both sides of the interview table, focusing on how the interviewer and interviewee perspectives are more alike than different, and why this parallelism will help set both parties up for a positive and successful interview experience. We’ll start with recurring pre-interview activities, such as regularly scheduled reminders to update resumes or job descriptions, respectively. We’ll move on to general interview prep, which includes both parties preparing a list of questions that reflect their individual and/or company values and priorities. Then, we’ll get into the hearts of both technical and cultural fit interviews, where questions and answers alike will be encouraged to beget honest and genuine communication. Finally, we’ll discuss post-interview tasks, in which both parties can play an active role. At each stage, I’ll give real-world examples and applications of the lessons shared: sample emails, questions, preparation materials, etc. This talk will be a dissection of even the most daunting types of interviews in the world of cybersecurity, resulting in a more holistic understanding of the interview process. In addition, there will be a handful of takeaways from my personal successes and failures that everyone in the industry can learn from to improve and optimize their interview experiences for all parties and stakeholders involved. Welcome to the one-stop interview shop!
Sara Friedfertig
2023-06-10T11:00:00-05:00
11:00
00:45
Track 2 (Moody Rm 101)
2023-143-cyberpatriot-mentoring-the-next-generation
https://cfp.bsidessatx.com/2023/talk/UNRL3B/
false
CyberPatriot: Mentoring the Next Generation
Full Talk
en
If you are currently working in the cyber/I.T. industry, have you ever thought to yourself, "I wish they had CyberPatriot when I was in school"? In CyberPatriot XV San Antonio there were nearly 400 teams registered under the San Antonio City of Excellence. The one thing all of these teams need is technical mentors to guide the next generation of cyber professionals. Come to my session to learn about CyberPatriot and how to be a technical mentor.
Frank Hall
2023-06-10T12:30:00-05:00
12:30
00:25
Track 2 (Moody Rm 101)
2023-129-cybersecurity-careers-how-to-find-your-fit
https://cfp.bsidessatx.com/2023/talk/PDUV9B/
false
Cybersecurity Careers: How to Find Your Fit
Short Talk
en
Join for an informative and entertaining presentation on some of the many jobs and career paths available in cybersecurity. I will provide a rundown of some of the more common roles and responsibilities within cybersecurity and highlight the "entry-level" jobs that are available in this exciting and ever-changing field.
This cybersecurity presentation will provide an overview of some of the more common jobs and career paths available in the cybersecurity industry. The talk will also discuss the responsibilities that come with these roles, including technical and non-technical positions. Participants will learn about the required skills and qualifications for each job and what types of "entry-level" jobs are available for those who are relatively new to the field.
I will discuss the challenges and opportunities of working in cybersecurity, as well as the benefits of pursuing a career in this field. The presentation is designed to be informative, entertaining, and easy to understand, making it accessible to both technical and non-technical audiences.
Whether you are a student interested in cybersecurity, a job seeker looking to switch careers, or simply curious about the industry, this presentation is for you. Join me as I explore the exciting world of cybersecurity jobs and learn how you can start your journey in this dynamic and growing field.
Frank Buckholdt
2023-06-10T13:00:00-05:00
13:00
00:45
Track 2 (Moody Rm 101)
2023-120-discovering-the-dark-side-an-introduction-to-malware-reverse-engineering
https://cfp.bsidessatx.com/2023/talk/VQFJFF/
false
Discovering the Dark Side: An Introduction to Malware Reverse Engineering
Full Talk
en
This session will provide an overview of the most common RE tools and how to use them, aimed at beginners wanting to look into malware reverse engineering. It will specifically avoid assembly-based tools, as they are more advanced and too time-consuming to cover fully in the timeslot.
Andrew Neumann
2023-06-10T14:00:00-05:00
14:00
00:45
Track 2 (Moody Rm 101)
2023-146-siem-slam-tricking-modern-siems-with-fake-logs-and-confusing-blue-teams-pre-recorded-
https://cfp.bsidessatx.com/2023/talk/PV3AU8/
false
SIEM Slam: Tricking Modern SIEMs with Fake Logs and Confusing Blue Teams (Pre-Recorded)
Full Talk
en
Our research has uncovered a sneaky tactic that attackers use to outsmart modern Security Information and Event Management (SIEM) tools, such as Splunk. By creating and injecting fake logs, attackers can divert the attention of blue teams and conceal their real attacks. In this study, we explore this devious approach and provide an in-depth analysis of how it can be used to deceive security operations. Specifically, we examine the vulnerabilities of SIEM tools, with Splunk as a prime example.
Here is the introduction part of our whitepaper:
For many organizations, Security Information and Event Management (SIEM) tools like Splunk have been essential components of their security operations for a long time. SIEM tools are critical for blue teams because they enable them to detect potential attacks and respond to them quickly. By collecting and analyzing logs from various sources, including network devices, servers, and applications, SIEM tools can identify suspicious activity and generate alerts. These alerts can then be used by security analysts to investigate and remediate any potential threats. Without SIEM tools, security teams would need to manually review and analyze each log, which would be a time-consuming and error-prone process. The speed and accuracy of SIEM tools make them an essential component of any organization's security operations.
However, as SIEM tools have become more prevalent and sophisticated, attackers have also evolved their tactics to circumvent them. In our original research, we discovered that one particularly effective strategy is to create and insert fake logs into the SIEM tool, which can mislead and distract the blue team and hide the real attack. In this paper, we will explore how attackers use fake logs to deceive security operations and how security teams can defend against these attacks. We will focus specifically on Splunk, a modern SIEM tool, and demonstrate how to create and inject fake logs to mislead the blue team.
By the end of this paper, readers will have a better understanding of the vulnerabilities of modern SIEM tools and the tactics attackers can use to exploit them, as well as the best practices for defending against these attacks.
Ozgun Kultekin
2023-06-10T15:00:00-05:00
15:00
00:45
Track 2 (Moody Rm 101)
2023-121-defectdojo-taking-your-devsecops-to-11
https://cfp.bsidessatx.com/2023/talk/YQ7MSL/
false
DefectDojo, Taking your DevSecOps to 11
Full Talk
en
DefectDojo was created by DevSecOps people for DevSecOps people. In this talk, you’ll learn about DefectDojo and how to make the most of it. DefectDojo can be your single pane of glass for discovered security vulnerabilities, report generation, aggregation of more than 150 different security tools, and so much more. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program?
You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo is an open source platform that can be your single pane of glass by aggregating, distilling, and automating your AppSec and DevSecOps tools.
DefectDojo was created by DevSecOps people for DevSecOps people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers, including its REST-based API. DefectDojo can be your single pane of glass for discovered security vulnerabilities, report generation, aggregation of more than 150 different security tools, inventory of applications, and tracking of testing efforts and metrics for your AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.
Matt Tesauro
2023-06-10T16:00:00-05:00
16:00
00:25
Track 2 (Moody Rm 101)
2023-145-accidentally-exposed-classifying-publicly-exposed-cloud-files
https://cfp.bsidessatx.com/2023/talk/EEVMEE/
false
Accidentally Exposed - Classifying Publicly Exposed Cloud Files
Short Talk
en
Join this talk for a technical deep dive into the analysis and classification of publicly exposed files in cloud buckets and how those buckets get exposed in the first place.
Out of the over 300 million files Laminar has scanned and classified, there are some mind-boggling things out there, like financial data, personal information, and business secrets that are unknown, unprotected, and publicly exposed for anybody to see. During this session, we’ll share our discoveries as well as dive into the technical aspects of the best way to analyze, prioritize, and classify data in the cloud.
The lessons you’ll learn:
- Technical techniques and tips to find and classify sensitive data in the cloud
- How data stored in cloud object storage can become accidentally exposed to the public
- How to ensure these mistakes don’t happen to your organization
Michael Holburn
2023-06-10T16:30:00-05:00
16:30
00:25
Track 2 (Moody Rm 101)
2023-131-use-dmarc-do-not-let-others-abuse-your-brand-
https://cfp.bsidessatx.com/2023/talk/CA7QFT/
false
Use DMARC, do not let others abuse your brand!
Short Talk
en
DMARC is the best way to make sure bad actors cannot use your good brand against you. Hint: the hardest part is working with your vendors.
Paul Guido, CISSP, CCSP
2023-06-10T10:00:00-05:00
10:00
00:45
Track 3 (Moody Rm 102)
2023-138-challenging-the-standard
https://cfp.bsidessatx.com/2023/talk/NR88PR/
false
Challenging the Standard
Full Talk
en
With the ever-evolving threat landscape, the cyber community faces new challenges daily. From advanced persistent threats (APTs) to targeted attacks, the need for comprehensive threat intelligence has never been greater. This presentation will delve into the threat intelligence strategies used by threat hunters to detect and thwart APTs, as well as highlight the actions that the industry must take to stay ahead of the game.
Dr. J. will shed light on the discoveries from a Qualitative Case Study called "Strategies Using Threat Intelligence to Detect Advanced Persistent Threats." The presentation will delve into the pressing challenges that we are facing in the cybersecurity industry today, specifically when it comes to threat intelligence. Dr. J. will be emphasizing the strategies that threat hunters are employing to detect and prevent APTs. Lastly, the talk will conclude with an analysis of the necessary actions that the cybersecurity community must collectively take to counteract the destructive effects of APTs. Overall, this talk will be an insightful, informative, and eye-opening experience for professionals in the industry.
Dr. J
2023-06-10T11:00:00-05:00
11:00
00:45
Track 3 (Moody Rm 102)
2023-111-trending-cloud-security-threats-and-defense
https://cfp.bsidessatx.com/2023/talk/WABXMK/
false
Trending cloud security threats and defense
Full Talk
en
If you're responsible for defending a cloud estate -- of any size -- you know that there are myriad threats, but which do you focus on first? This talk begins with a survey of the current top threats to cloud infrastructures, such as stolen credentials, misconfiguration, multi-cloud complexity, and even attackers' use of AI and automation. As we go, we'll discuss effective defenses against these threats, as well. We'll wrap up with general tips and best practices for protecting the cloud.
Gabe Schuyler
2023-06-10T13:00:00-05:00
13:00
00:45
Track 3 (Moody Rm 102)
2023-130-how-i-learned-to-stop-worrying-and-build-a-modern-detection-response-program
https://cfp.bsidessatx.com/2023/talk/RMLT7L/
false
How I Learned to Stop Worrying and Build a Modern Detection & Response Program
Full Talk
en
You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).
Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight the modern-day attackers that threaten to disable, disrupt, degrade, destroy, and steal from the enterprise you protect. But there are a lot of challenges: alert fatigue, budgets, hiring talent, and a current team that is burned out.
How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?
This talk addresses the lack of a framework for building a modern detection and response program, which has led to ineffective, outdated, and after-thought programs.
## Who will enjoy this talk?
* A CISO that wants to better understand what modern detection and response should look like and how it fits into their overall program
* Managers and directors building processes and hiring the people executing this type of work
* Engineers that want to understand the bigger picture of how all the tools, capabilities, and processes should fit together and drive business value
* Program managers and project managers supporting detection and response teams
* Anyone interested in learning more about detection and response
## Key Takeaways
* A framework to guide leadership and engineers in building or improving a modern detection and response program
* A better understanding of what processes, capabilities, and skill sets are needed to detect and respond to modern threats
* Methods to measure and report on the effectiveness, efficiency, and threat coverage of a detection and response program (and how to identify failures or inefficiencies early and course correct)
* Lessons learned on how to empower your teams to succeed and overcome operational timesinks
Allyn Stott
2023-06-10T14:00:00-05:00
14:00
00:25
Track 3 (Moody Rm 102)
2023-147-writing-effective-triage-notes-in-the-soc-the-importance-of-clarity-actionability-and-leadership-support
https://cfp.bsidessatx.com/2023/talk/TZ7YWF/
false
Writing Effective Triage Notes in the SOC: The Importance of Clarity, Actionability, and Leadership Support
Short Talk
en
With remote work and ever-evolving threat scenarios, the Security Operations Center (SOC) has a significant role. The SOC lays its foundation on people, processes, and technology. The confluence of process and technology plays a vital role in the analyst triaging and reviewing the alerts. In this presentation, I will go over a few tips for writing good triage notes, a topic that is not very well discussed, and the role of leadership.
By the end of the presentation, listeners will have tips for writing coherent, actionable notes that give a crisp summary of who, what, when, where, and how. It will also emphasize the crucial role of leadership in supporting and guiding SOC analysts in their efforts to safeguard the organization's digital assets. This is important because we can't align with the business and leadership without proper guidance and communication in the correct verbiage.
Abhishek Tripathi
2023-06-10T14:30:00-05:00
14:30
00:25
Track 3 (Moody Rm 102)
2023-104-cover-your-saas-cloud-threat-detection-beyond-endpoints
https://cfp.bsidessatx.com/2023/talk/3JCQZC/
true
Cover your SaaS: Cloud Threat Detection beyond Endpoints
Short Talk
en
As businesses around the world continue to rapidly adopt SaaS solutions and products, defenders need to evolve their threat detection and response capabilities to this new landscape, which means thinking beyond the standard endpoint and into the SaaS applications themselves. Defense-in-depth means not just monitoring activity on your own systems and infrastructure but actively looking for threats and suspicious activities within the myriad SaaS applications in use at your organization.
Most threat detection and response programs are built around monitoring infrastructure and endpoint logs such as Windows/Linux/macOS logs, EDR/XDR logs, AWS/Azure cloud logs, and various network logs. These are all critical to monitor in order to maintain security, but they leave a dangerously incomplete picture of the threats you can detect. As more employees and businesses rely on SaaS tools, defenders need to use novel detection methods to find and stop malicious activity on these platforms. This talk aims to introduce attendees to the concept and process of monitoring SaaS platforms for suspicious activity as well as creating practical detections to catch attacker activity.
Jeremy Galloway
2023-06-10T15:00:00-05:00
15:00
00:45
Track 3 (Moody Rm 102)
2023-127-infrastructure-as-remote-code-execution-how-to-abuse-terraform-to-elevate-access
https://cfp.bsidessatx.com/2023/talk/MJCZ77/
false
Infrastructure as Remote Code Execution: How to abuse Terraform to elevate access
Full Talk
en
This talk will focus on ways to abuse the use of Terraform to elevate privileges, expose data, and gain further footholds in environments from a developer's perspective. We'll cover the common uses of Terraform and how a malicious actor could abuse Terraform and even bypass security controls to execute unapproved code. This talk will include multiple demos of ways to exploit Terraform Cloud.
The talk will focus on research done on Terraform implementations and ways a malicious user could abuse it. The talk will cover how Terraform works, how common Terraform security controls are applied, and multiple ways to bypass them and gain further access to environments.
Outline:
- How Terraform works
- How plan and apply impact security controls
- Remote code execution methods:
  - Remote-exec
  - Local-exec
  - External data
- Data gathering methods:
  - Data sources
  - Secrets
- Security control bypasses
- Solutions
This talk will introduce people new to Terraform to the concepts and then explain in-depth ways it can be abused.
Michael McCabe
2023-06-10T16:00:00-05:00
16:00
00:45
Track 3 (Moody Rm 102)
2023-106-cybersecurity-metrics-kpis-and-kris
https://cfp.bsidessatx.com/2023/talk/RNCB33/
false
Cybersecurity Metrics, KPIs and KRIs
Full Talk
en
This session provides practical advice to establish cybersecurity metrics, KPIs and KRIs. It provides tips for designing metrics based on a new process or function and includes examples attendees can leverage upon returning to work. The session includes 22 metrics and seven resources for many more.
This session provides practical advice to establish cybersecurity metrics, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). We begin with an explanation of the differences between them and why each is needed.
Examples of how to design metrics, KPIs and KRIs are provided. Areas of focus include cybersecurity measurements for all organizations, for processes & functions and in alignment with a control framework. The end game is to measure if processes and controls are functioning as designed.
We walk through tips for communicating new metrics and go-to-green updates for metrics in red or yellow status.
The session includes 22 metrics and seven resources for many more. All of this saves time and can assist with enhancing your program.
Gideon T. Rasmussen