Learning Security by ATT&CK’ing Yourself

Travis Smith (@MrTrav)

Back in 2016, I presented on how I taught high school students about security by building, hacking, and then securing an internet controlled robot. This year I changed my tactics and leveraged the MITRE ATT&CK framework as a teaching tool instead. In this talk I will go over what the ATT&CK framework is and how I used it to teach students about security. The program was so successful that we are now using it to teach security to anyone from junior to senior level practitioners. Even seasoned veterans have something to learn from the collective knowledge found inside this framework.

Travis is a security researcher based here in Portland at Tripwire. He focuses on how defenders can gain an unfair advantage over attackers.

CyberPDX: A Camp for Broadening Participation in Cybersecurity

Wu-chang Feng

With society’s increasing dependence on technology infrastructure, the importance of securing the computers, networks, data, and algorithms that run our digital and physical lives is becoming critical. To equip the next generation of citizens for the challenges ahead, an effort is underway to introduce security content early in a student’s academic career. It is important that these efforts broaden participation and increase diversity in the field. While many camps and curricula focus on introducing technical content and skills related to cybersecurity, such approaches can prematurely limit how students view career opportunities in the field, potentially limiting those who ultimately pursue it. In addition, it is likely that many problems in cybersecurity can only be addressed in an interdisciplinary manner by those trained in the arts and humanities as well as in technical fields.

In this talk, we describe CyberPDX, a residential summer camp that introduces cybersecurity to high school students. Key to CyberPDX is its focus on the range of societal issues that will be impacted by cybersecurity as well as its coverage of the breadth of roles that students can play to help address them. Through four learning threads taught by faculty in Computer Science, Sociology, and Film Studies, the CyberPDX curriculum spans topics from constitutional law, cyberpolicy, ethics, and filmmaking to programming, cryptography, security, and privacy in order to show students how broad cybersecurity issues are and the many ways they can participate in helping to solve them.

Wu-chang Feng is a Professor in the Department of Computer Science at Portland State University where he offers courses on Internet and Cloud Systems, Web Security, Malware Reverse Engineering, and Blockchain Applications. He currently serves as the program chair for USENIX’s Advances in Security Education and is (a bit shamelessly) seeking submissions for next year’s workshop.

SAST and the Bad Human Code Project

John L. Whiteman

Static application security testing (SAST) is the automated analysis of source code both in its text and compiled forms. Lint is considered to be one of the first tools to analyze source code and this year marks its 40th anniversary. Even though it wasn’t explicitly searching for security vulnerabilities back then, it did flag suspicious constructs. Today there are a myriad of tools to choose from both open source and commercial. We’ll talk about things to consider when evaluating web application scanners then turn our attention to finding additional ways to aggregate and correlate data from other sources such as git logs, code complexity analyzers and even rosters of students who completed secure coding training in an attempt to build a predictive vulnerability model for any new application that comes along. We’re also looking for people to contribute to a new open source initiative called “The Bad Human Code Project.” The goal is to create a one-stop corpus of intentionally vulnerable code snippets in as many languages as possible.

John L. Whiteman is a web application security engineer at Oregon Health and Science University. He builds security tools and teaches a hands-on secure coding class to developers, researchers and anyone else interested in protecting data at the institution. He previously worked as a security researcher for Intel’s Open Source Technology Center. John recently completed a Master of Computer Science at Georgia Institute of Technology specializing in Interactive Intelligence. He loves talking with like-minded people who are interested in building the next generation of security controls using technologies such as machine learning and AI.

Rastrea2r: Collecting & Hunting for IOCs with Gusto and Style

Sudheendra S Bhat (@eaglesparadise)

Rastrea2r (pronounced ““rastreador”” - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To collect forensic artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools (including custom batch scripts) across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can easily integrate with AV consoles and SOAR tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with ‘gusto’ and style!

Sudheendra (Sudhi) Bhat is an Information Security Professional, currently holds a role of Product Security Architect in Security Operations Group at McAfee. Sudhi has been developing software for last 12+ years and has worked for a variety of Software Corporations ranging from small startups to fortune 100’s. It was while working at Intel 6 years back, Sudhi got exposed to the analyzing Security vulnerabilities which influenced him to pursue Security as a Career Interest. Sudhi Bhat has a Bachelor Degree in Computer Science from MSRIT, Bangalore (India) and Masters Degree in Computer Science from George Mason University, Virginia and holds various Software and Security Certifications, the most recent one being GIAC GWEB (Analyst # 641). Sudhi Bhat is passionate about OpenSource projects and currently maintains and contributes to the projects under rastrea2r organization in GitHub. Sudhi’s current research areas include Forensic Data Collection, Web Services Security and Automotive Security. Apart from Software and Security, Sudhi loves traveling and outdoor photography.

State of Cyber Education

Tobin Shields (@TobinShields)

There is a massive skills gap in the information security field. While many organisations forecast unbelievably high numbers, even the most conservative estimates show that there will be and overwhelming number of positions that go unfilled in the coming years. This “State of Cyber Education” talk will highlight education and workforce development programs that are trying to train the incoming workforce and close that gap. In addition, the talk will end with a call-to-action that will encourage local information security professionals to mentor, engage with, and help train a new generation of students.

I am a information security instructor at Mt. Hood Community College. I have been teaching security topics for the past four years in the Portland/Gresham area and have worked with both high school and college-level students.

Threat Modeling Authentication

Kelley Robinson (@kelleyrobinson)

Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs to convince computers we’re human. Is there a better way? Idealistic and technically challenging solutions for authentication (password reset protocol!, identity on the blockchain!) are tempting but unproven.

This talk will introduce practical ideas for designing your authentication systems and the UX considerations that will influence your architecture. We’ll walk through how to evaluate the risk associated with your business and how to protect your customers appropriately. Putting identity on the blockchain is probably not the answer right now, but together we can find a way to make your users more secure.

Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical concepts, especially security, accessible and approachable for new audiences.

How open source security solutions can solve your problem!

Jeff Bryner (@0x7eff)

You have a set budget for people and blinky boxen and an unlimited set of infosec problems. How can open source help you? Mozilla is working on a new initiative to help curate a set of open source security solutions to common problems. Come here a preview of that work and how you can help!

Jeff is the Director of the Enterprise Information Security team at Mozilla, responsible for risk management, incident response, threat management, intrusion detection, red team exercises and the web bug bounty program. Speaker at 3 DEF CONs, a bunch of B-sides and an RSA (but he didn’t mean it), he enjoys focusing on bringing diversity to infosec and finding new, collaborative ways of solving our now ancient infosec problems.

Survival of the fittest: password edition! Implementing the new NIST guidance into your password policy

Kevin Neely (@ktneely)

Historically, corporate and service password policies are all the same: some combination of characters, length, and 90 days before it expires. What if your security team took a different approach? By testing the passwords with cracking tools and using the results to create a strength metric, you can allow employees to keep their strong password if they landed upon a strong, difficult-to-crack password, only forcing the weak to expire.

This talk will describe the password policy we use, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password if it isn’t cracked. More than two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.

I will also talk about how to explain this approach to a skeptical customer base and SOX auditor that request and are accustomed to the policy style every company has had for the past 20 years.

Lastly, I will link to a detailed step-by-step approach along with scripts to analyze the discovered passwords available in a public github repository for your immediate use.

*By Most Days: Leads the security team at Pure Storage

By Other Days: BSidesSF volunteer, perennial DEFCON attendee, legal scholar, cyclist.

By Night: Wannabe chef and alcoholic beverage enthusiast*