Artificial intelligence and machine learning are the new buzzwords in the industry. At present days, it has been widely used for analytics purposes and defensive mechanisms like detecting anomalies, raising alerts, etc. But what people are not aware of is its huge potential to be used as an offensive mechanism and another weapon in the toolkit of pentesters and red teams. In fact, proper implementation of such techniques can even eliminate the need for having red teams. Using AI, one can replace the need of human beings and can trigger attacks in a fully automated manner. Although it sounds a little futuristic, the truth is it is possible to build an AI BOT army as penetration testers to trigger comprehensive offensive attacks.

This talk is about how to apply various techniques of AI/ML into advanced cybersecurity use cases.

Here we will talk about various categories of use cases:

• Offensive attacks using AI
• Bypass authentication systems using AI
• Trigger social engineering attacks using AI
• How to attack various AI based systems

This talk will highlight areas within the MacOS ecosystem where system management policies are blatantly not enforced, and in at least 1 case, where MacOS actually ships with the tools necessary to bypass its own policies when applied in a security context. This talk will also cover Apple’s response, or lack thereof, to disclosure of these vulnerabilities, and how the implications of their response may highlight that MDM is wholesale not supported as a security apparatus within the entire Apple ecosystem.

Ever wanted to take your findings from some of your favorite tools, and add an autopwn component using Metasploit, all in code? Well now you can! With the unveiling of go-msf-rpc, your go program can now interact with Metasploit to automatically drive your finding to a shell.

For the better part of the last 30 years, the mass scale hack problem hasn’t been solved. Even entities with almost unlimited cybersec budgets like large companies & governments get hacked. It seems that stacking products and people doesn’t quite make the cut. So maybe it’s time to propose another path: free, collaborative security empowered by the power of the crowd. By leveraging a huge interception network, IPs used by malevolent actors can quickly be spotted and blocked before they even attack you.

We have produced a free (as in speech), open source tool that does just that by extracting unwanted behavior from logs, blocking the attacks, and sharing their metadata with all other users (after curation).

We see this as a form of Internet Neighborhood Watch system that should allow us to establish a Digital Herd Immunity - made by the community and for the community.

How do you talk security to leadership? How do you convince leadership to dedicate resources to fix issues found by your security capabilities? Do you have an answer when your CEO or CTO asks you what risks exist in a particular Business Unit or Product within the company?

Over the past year, we have been working on ways to create meaningful metrics at scale within Twilio and use them to drive change. In this presentation we will talk about motivations, challenges and how we built automated near - real time metrics that helped us use a data driven approach to working with engineering teams to move the needle forward on Twilio’s security posture.

In this talk, we’ll walk through a complete Bluetooth Low Energy security assessment by focusing our attention on a single device – from start to finish. Along the way, we’re going to discuss how to select interesting targets, how to spot vulnerabilities, and some reporting practices that might make your life a little easier. We’ll also cover basic tooling and implementation strategies, and I’ll share a few insights about building skillsets and how to approach your first BLE client engagement.

This talk will dive into WMI/MI and what it can do for both administrators and adversaries. We will cover the history of WMI/MI, how it works, how it is used normally, and how it can be used maliciously and finally how to spot misuse. Real world scenarios will be discussed along with more theoretical capabilities of WMI/MI misuse. We will be discussing modern (last 6 months) techniques that are being seen in the wild utilizing WMI and the challenges faced by defenders to identify these techniques. Since many tools do not fully detect these WMI events it can be difficult for administrators and incident responders to clearly and easily contain WMI worms or malicious activity.

Swift is a great language for offensive tooling due to ease of development compared to lower level languages (Objective-C/C/C++), while still having the flexibility to utilize said lower level languages when the job requires it.

In this talk, I’ll go into the research, development, and usage of a new Swift implant, Hermes, that can be used in modern red teaming operations. Hermes hooks into Cody Thomas’ Mythic framework, which serves as the controller.

I will dive into the various functionality implemented within Hermes that allows for secure communications, reconnaissance, code execution, data exfiltration, and extensibility with existing offensive tooling. Lastly, I will cover defensive considerations for different TTPs implemented within Hermes. Following this talk, Hermes will be open-sourced for security professionals to test and validate detections within macOS environments.

In late Summer 2020, leveraging the threat hunting methodology developed at Verizon Media, the Paranoids FIRE team identified a novel piece of macOS malware that would later be dubbed Silver Sparrow. In this session we’ll talk about a key TTP leveraged by the malware authors. We’ll show how it was found, and how it was used to create new detections to monitor Silver Sparrow activity. Finally, we’ll show how based on telemetry collected by the Paranoids, the infection count estimates originally published by news organizations were inaccurate: roughly 3,000 infected machines instead of about 30,000.

With the advent of detections for PowerShell and script-based attacks, threat actors have shifted to .NET as a preferred method to perform post-exploitation tradecraft. As .NET framework is available by default on all Windows-based environments, the success rate of executing .NET assemblies is very high. .NET allows to interact with the Win32 APIs which are abused by attackers in various ways such as load assemblies directly into memory and inject into processes using a ton of process injection techniques. However, EDR vendors have upped their game to look or hook into how the unmanaged code is invoked from managed code. An attacker may get caught upon execution of suspicious Win32 APIs. Hence in this talk, we will explore tradecraft that would help evade detections that depend on such mechanisms.

Ransomware seems to be the talk of the town. High profile targets such as the Colonial Pipeline and Kia Motors seem to make the news just about every month. Given that such large companies, with equally large pools of resources, are falling victim… just how are cities and local governments managing? In this talk we will explore just how public sector is holding up against the ever-growing threat of ransomware by dissecting some attacks I have responded to in my years of working in cybersecurity for local government and exactly how local governments are responding (or failing to respond) to such attacks.

Practical VLANning 101. An introduction to VLANs and how they can help improve a small business network. VLANs can help provide a basic foundation to improve upon by providing an easy means to control traffic and manage bandwidth.

In this presentation, we’ll share the basics of dev-focused tools and tech, and their security implications. You may never have to create a CI/CD pipeline or serverless function, but we’ll help you understand what it is, how it’s used in the real world, and how it can be compromised. So many buzzwords, so little time!

The root of every attack begins with information gathering. With modern networks, including corporate and BYOD mobile devices that may move between private and public networks, information gathering from mobile devices is important, too. This presentation will explain a technique that abuses the link preview functionality in many modern smartphones to leak data such as operating system version and rough location from any cell-tower-connected smartphone to a third party without the need for user interaction. Additionally, a defense for this attack and a tool built around the attack to automate and store the data will be presented.

To connect devices with each other and the Internet, developers rely on application programming interfaces (APIs) that specify the intended behavior of the device without revealing how it works. Connected devices are now commonplace, so it’s no wonder that securing exposed APIs has risen in importance when protecting against data breaches. In this talk, the author will describe the basics of API security, and give an example of his recent run-in with a weakly secured API (that made headlines)!

As Marc Andreesen so aptly noted “Software is eating the world”. Our technology-driven world increasingly relies on third party code, open source libraries and shared repositories. We don’t fully appreciate just how interconnected we are, and how that translates into software code dependencies. It took an event like the SolarWinds Orion attack to rattle the bars on that cage, and wake us up to what’s been going on for some time. The reality is that software supply chain attacks aren’t new. They’ve been around for many years, and we’ve been watching that check engine light but not really addressing the issues. Recent attacks show how easy it is to create confusion and send malicious code undetected through automated channels to trusting recipients. SolarWinds delivered a hard truth to defenders: everyone is vulnerable when trust can be abused. Where is the weakest link in your software supply chains of trust?