Tag Archives: DerbyCon

DerbyCon attendees and co-founder reflect on the end

After nine years running, DerbyCon held its ninth and final show, and attendees and a co-founder looked back on the conference and discussed plans to continue the community with smaller groups around the world.

DerbyCon was one of the more popular small-scale hacker conferences held in the U.S., but organizers surprised the infosec community in January by announcing DerbyCon 9 would be the last one. The news came after multiple attendee allegations of mistreatment by the volunteer security staff and inaction regarding the safety of attendees.

Dave Kennedy, co-founder of DerbyCon, founder of TrustedSec LLC and co-founder of Binary Defense Systems, did not comment on specific allegations at the time and said the reason for the conference coming to an end was that the conference had gotten too big and there was a growing “toxic environment” created by a small group of people “creating negativity, polarization and disruption.”

Kennedy claimed in a recent interview that DerbyCon “never really had any major security incidents where we weren’t able to handle the situation quickly and de-escalate at the conference with our security staff.”

Roxy Dee, a vulnerability management specialist who has been outspoken about safety for women at DerbyCon, told SearchSecurity that “it’s highly irresponsible to paint it as a great conference” given the past allegations and what she described as a lack of response from conference organizers.

Despite these past controversies, attendees praised DerbyCon 9, held in Louisville, Ky., from Sept. 6 to 8 this year; there have been no major complaints, and Kennedy told SearchSecurity it was everything the team wanted for the last year and “went better than any other year I can remember.”

“When we started this conference we had no idea what we were doing or how to run a conference. We went from that to one of the most impactful family conferences in the world,” Kennedy said. “It’s been a lot of work, a lot of time and effort, but at the end of the day we accomplished everything we wanted to get out of the conference and then some. Family, community and friendship. It was an incredible experience and one that I’ll miss for sure.”

As a joke, someone handed Kennedy a paper during the conference reading “DerbyCon 10,” and the image quickly circulated around the conference via Twitter. Kennedy admitted he and all of the organizers “struggled with ending DerbyCon this year or not, but we were all really burned out.”

“When we decided, it was from all of us that it was the right direction and the right time to go on a high note. We didn’t have any doubts at all this year that there would ever be another DerbyCon. This is it for us and we ended on a high note that was both memorable and magical to us,” Kennedy said. “The attendees, staff, speakers and everyone were just absolutely incredible. Thank you to all who made DerbyCon possible and for growing an amazing community.”

The legacy of DerbyCon

Kennedy told SearchSecurity that his inspiration for fostering the DerbyCon community initially was David Logan’s Tribal Leadership, “which talks about growing a tribe based on a specific culture.

“A culture for a conference can be developed if we try hard enough and I think our success was we really focused on that family and community culture with DerbyCon,” Kennedy said. “A conference is a direct representation of the people that put it on, and we luckily were able to establish a culture early on that was sorely needed in the INFOSEC space.”

April C. Wright, security consultant at ArchitectSecurity.org, said in her years attending, DerbyCon provided a “wonderful environment with tons of positivity and personality.”

“I met my best friend there. I can’t describe how much good there was going on, from raising money for charity to knowledge sharing to welcoming first-time attendees,” Wright said. “The quality of content and villages were world class. The volunteers and staff have always been friendly and kind. It was in my top list of cons worldwide.”

Eric Beck, a pen-tester and web app security specialist, said the special part about DerbyCon was a genuine effort to run contrary to the traditional infosec community view that “you can pwn or you can’t.”

“We all start somewhere, we all have different strengths and weaknesses and everyone has a seat at the table. Dave [Kennedy] set a welcoming tone and it meant that people that might otherwise hesitate took that first step. And that first step is always the hardest,” Beck said. “DerbyCon was my infosec home base and where I recharged my batteries and I don’t know who or what can fill its shoes. I have a kiddo I thought I’d share this conference with and met people I assumed I’d see annually. I’m personally determined to contribute more in infosec and make the effort to reach out, but I have a difficult time imagining being part of something that brought in the caliber of talent and the sense of welcoming that this conference did.”

Danny Akacki, senior technical account manager with Gigamon Insight, said his first time attending was DerbyCon 6 and the moment he walked into the venue he “fell in love with the vibe of that place and those people.”

“I still didn’t know too many people but I swear to god it didn’t matter. I made so many friends that weekend and I had the hardest bout of post-con blues I’ve ever experienced, which is a testament to just how profound an effect that year had on me,” Akacki said. “I had to skip 7, but made it to 8 and 9. Every year I went back, it felt like only a day had passed since the last visit because that experience and those people stay with you every day.” 

For Alethe Denis, founder of Dragonfly Security, DerbyCon 9 was her first time attending and she said the experience was everything she expected and more.

“The atmosphere was like a sleepover, compared to the giant summer camp that is DEF CON, and I really enjoyed that aspect of it. It felt like it was a weekend getaway with friends and the lack of casinos was appreciated. But I don’t feel that the quality of the talks and availability of villages was sacrificed in the least,” Denis said. “Even as small as Derby is, it was really tough to do everything I wanted to do because there were so many interesting options available. I feel like it brought only the best elements of the DEF CON type community and DEF CON conference to the Midwest.”

Micah Brown, security engineer at American Modern Insurance Group and vice president of the Greater Cincinnati ISSA chapter, echoed the sentiments of brother/sisterhood at DerbyCon and the cheerfulness of the conference and added another key tenet: Charity.

“One of the key tenets of DerbyCon has always been giving back. During the closing ceremonies, it was revealed that over the past 9 years, DerbyCon and the attendees have given over $700,000 to charity. That does not count the hours of people’s lives that go into making the presentations, the tools, the training that are freely distributed each year. Nor does it factor in the personal relationships and mentorships that are established and progress our community,” Brown said. “It was after my first DerbyCon I volunteered to be the Director of Education for the Greater Cincinnati ISSA Chapter and after my second DerbyCon I volunteered to be the Vice President of the Chapter. DerbyCon has also inspired me to give back by sharing my knowledge through giving my own presentations, including the honor to give back to the DerbyCon community with my own talk this year.”

Beyond DerbyCon

Xena Olsen, cyberthreat intelligence analyst in the financial services industry, attended the last two years of DerbyCon and credited the “community and sense of belonging” there with encouraging her to continue learning and leading her to now being a cybersecurity PhD student at Marymount University.

“The DerbyCon Communities initiative will hopefully serve as a means for people to experience the DerbyCon culture around the world,” Olsen said. “As far as a conference taking the place of DerbyCon, I’m not sure that’s possible. But other conferences can adopt similar values of community and inclusiveness, knowledge sharing and charity.” 

Wright said she has seen other conferences with similar personality and passion, “but none have really captured the heart of DerbyCon.”

“There are a lot of great regional cons in the U.S. that I think more people will start going to. They are affordable and easily accessed, with the small-con feel — as opposed to the mega-con vibe of ‘Hacker Summer camp’,” Wright said, referencing the week in Las Vegas that includes Black Hat, DEF CON, BSides Las Vegas, Diana Con and QueerCon plus other events, meetups and parties. “I don’t think anyone can fill the space left by DerbyCon, but I do think each will continue with its own set of ways and personality.”

Akacki was adamant that “no other con will ever take Derby’s place.”

“It burned fast and it burned bright. It was lightning in a bottle, never to be seen again. However, I’m not sad,” Akacki said. “I can’t even say that its vibe is rising from the ashes, because it would have to have burned down for that to happen. The fire that is the spirit of DerbyCon still burns and, I’d argue, it burns brighter than ever.”


Denis said it will be difficult for any conference to truly replace DerbyCon.

“I feel like the people who organized and were passionate about DerbyCon are what made Derby unique. I’m not sure any other con will be able to truly capture that magic and fill the space left by Derby,” Denis said. “But I guess that remains to be seen, and I hope that more cons, such as Blue Team Con in June 2020 in Chicago, bring high quality content and engaging talks to the Midwest in the future.”

Wright noted that some of her favorite smaller security conferences included GRRcon, NOLAcon, CircleCityCon, CypherCon, Showmecon, Toorcon and [Wild West Hackin’ Fest], and she expressed hope that the proposed “DerbyCon Communities” project “will help with the void left by the end of the era of the original DerbyCon.”

The DerbyCon Communities initiative

The organizers saw DerbyCon growing fast, but “didn’t want to turn the conference into such a large production like DEF CON,” Kennedy told SearchSecurity.

“We wanted to go back to why DerbyCon was so successful and that was due to three core principles: Positivity and Inclusiveness, Knowledge Sharing and Charity. There is a direct need for a community to help new people in the industry and help charity at the same time,” Kennedy said. “The goal for the Communities initiative is to bring people together the same way DerbyCon did for one common goal.”

Kennedy also confirmed that there will be some involvement with the Communities initiative from the “core group” of organizers, including his wife Erin, Martin Bos and others.

Akacki said that with the local Derby Communities initiative, “the spirit of Derby has exploded into stardust, covering our universe.”

“You can’t kill what we’ve built, you can’t contain it and you can’t stop it,” Akacki said. “I’m not crying because it ended, I’m smiling and laughing … because it just became bigger than ever.”

On Sept. 11, Kennedy pitched the full idea of DerbyCon Communities to the team and said there should be four main areas of focus:

  • Chapter Groups
    • Independently run with chapter heads
    • Geographically placed
    • Volunteer network
  • Established Groups
    • Partner with similar groups that meet criteria and approval process to join DerbyCon network.
  • Conferences
    • Established or new. Allow for new conferences to be created.
  • Kids
    • Programs geared towards teaching next-gen children.

Ultimately, Kennedy told SearchSecurity he wants new groups to “be welcoming and accepting of new people and making a difference and impact in their local communities or worldwide.”

“Our hope is that not only do DerbyCon Chapters spawn up, but other conferences and chapter groups will join forces to create a DerbyCon network of sorts to grow this community in a positive way.”


DerbyCon panel discusses IT mistakes that need to stop

A panel of experts at DerbyCon discussed common IT mistakes that they don’t want to see happen anymore and offered some suggestions on how to avoid risks.

The talk broke down the IT mistakes the panelists thought needed to stop, ranging from basic security issues to more technical problems. The panelists included Lesley Carhart, principal threat analyst at Dragos Inc.; Chelle Clements, web content developer at Online Marketing and Publishing; April Wright, an application security architect; and Amanda Berlin, senior security architect at Blumira and CEO of Mental Health Hackers.

As the discussion went on, themes began to surface around education, communication and empowering users. Wright and Clements were advocates for not just better educating users, but finding ways to make that education more personal.

Wright focused on IT mistakes like oversharing on social media. She said oversharing can easily become a problem for enterprises, because all of that data can be used to spear-phish users and potentially gain access to a company network. 

“One thing that can be done to curb oversharing is to train users how to protect their families and themselves outside of work. Users need to understand what they’re doing and how it impacts others,” Wright said. “Learning to protect themselves will make them more aware and better advocates. If security isn’t personal to them, they won’t care, because they don’t care about your data; they care about their data.”

Clements agreed and cautioned users against oversharing on social media, as it “eventually comes back to bite them in the ass.”

She also added that basic security concerns are still an issue, including using bad passwords, visiting shady websites, opening email messages from unknown senders and clicking links within those messages.

Clements said finding better training methods is a must. She described security training that she set up over the years, including one-on-one sessions when possible, because “you may need a unique language to explain something. The way you explain something to a physicist will be different than a chemist.”

Wright added that there needs to be better training around the limitations of security products, because IT mistakes can come from users trusting products too much.

“A lot of people feel like they’re more protected than they really are. We [need to] teach them about the failings of what the technology is that’s designed to protect them,” Wright said. “The blinky boxes are great, but it’s really education that’s going to solve the problems of the users. It’s not putting in a bunch of things to protect them, like putting them in a rubber room. It’s teaching them that things are sharp and things are hot, and they shouldn’t touch them.”

Berlin added that these types of IT mistakes can happen with administrators, as well, who might not understand that a security product is “not a magic solution that you can just install and you’re done,” including not configuring products after installing them.

“It’s an ongoing process that you have to keep revisiting. If you have an MSSP [managed security services provider] or you’re doing it internally, that’s going to be someone’s full-time job. It’s something that you need to treat less of a project and more of an ongoing thing,” Berlin said. “Work closer with your security vendors and all your other vendors. They’re usually there to help you, and you are paying them. Keep them accountable. Actually work through the implementation, and make sure they’re continuously working on it and they don’t install it and forget it, as well.”

Beyond educating users, Carhart said IT staff needs to stop expecting security products to be perfect, because they are all just deterrents and, “ultimately, everybody is going to be vulnerable to phishing or a breach.”

“If you have a house, you put a door on that house, and that deters neighborhood kids from walking in. You put on a deadbolt, and that deters the casual thief. Then, maybe you put in an alarm system, and that deters the more dedicated [thieves]. But if someone is paying $10,000 to hire a hit man to kill you? Guess what that hit man is doing? He’s coming in and killing you. You’re going to die. I’m sorry,” Carhart said. “Security is like that. We add defense in depth, and we deter and deter, but people have to understand that you have to plan for that worst-case scenario.”

Empowering users

Carhart noted that many IT mistakes stem from users not feeling empowered to speak up, especially if they feel embarrassed after making a mistake. She said users need to be comfortable demanding better security and privacy from vendors, and be sure to speak up when the IT staff is asking for too much.

“We have all these tropes that we keep using over and over again, like, ‘Use a strong password, use a password manager,’ and stuff. And, sometimes, those are really tricky things to do,” Carhart said. “Have you ever tried to convert all of your passwords saved in a bunch of browsers to a password manager? That’s not an intuitive process. That’s really, really hard to do. So, I would like to see more end users tell their security people to go F themselves. Tell us when something is too hard.”

One reason users might not speak up, according to Wright, comes from social norms and users trying to be polite. This can lead to IT mistakes, because users aren’t willing to put themselves “in an uncomfortable situation” and ask questions regarding potential security incidents. 

“This is a very hard thing to fix. It’s a culture thing; it’s an education thing; it’s a training thing, where you have to make sure that people understand they have the power to make or break the security controls that you have in place,” Wright said.

She added later that this can happen because users don’t listen to their instincts. “If you don’t listen to that voice [in your head] … you might notice things, but you’re not going to pay attention to them.”

Carhart added that even those with no security expertise should feel empowered to speak up and “realize that security isn’t magic. It’s something they can learn about.”

“I’m in industrial control systems now, and I’m dealing with a lot of eclectic legacy systems from the ’70s and ’80s. The people who know those systems the best are the guys or girls who have been there for 30 years. They might not know everything about security, but they could be very interested in it,” Carhart said. “I’d like, as a solution to that problem, to have users remember that they can contribute to security, and there are elements of knowledge that they bring to the table that we don’t have.”

Berlin noted that communication issues can also be a problem with red and blue teams, especially if those teams aren’t paired up.

“It’s a really big problem when it comes to doing defensive stuff, because we can’t fix what we don’t know is broken, especially when you’re a contractor or an MSSP, because you don’t know the networks and everything that they have internally, as well as the red teamer that broke in or their internal team,” Berlin said.


DerbyCon session tackles cyber attribution, false flag attacks

LOUISVILLE, KY. — A nearly hour-long talk at DerbyCon merely “scratched the surface” of the various indicators that need to be studied in order to perform accurate cyber attribution after an attack.

The conceit of the talk by Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., was to demonstrate how threat actors can manipulate indicators used in cyber attribution, and how much work must be done to properly attribute an attack. He told us afterward that it’s valuable for red teams to “get a chance to exercise detections for specific attacker tools,” but admitted “the bigger point of the talk was to not jump to attribution conclusions based on a single indicator.”

Williams ran through cyber attribution mistakes of the past, including attacks by the Cyber Caliphate being attributed to ISIS or the Olympic Destroyer malware being attributed to North Korea when deeper investigations found Russia to be the more likely threat actor in both cases.

With the Olympic Destroyer malware, Williams said confirmation bias took over because it was a cyberattack in South Korea and information in the portable executable (PE) header “tied it back to other North Korean malware.”

Williams said, “Roll forward though and researchers noticed as you dive deeper than the header there are some coding similarities to Russian malware. Nothing conclusive, but the problem here is that [Russia] sucks at tradecraft. Researchers noticed that the malware had been uploaded two weeks before to a scanning service in Eastern Europe … to make sure it wasn’t going to get caught by antivirus.”

Williams said the Olympic Destroyer malware had been uploaded under the name “olymp.exe” and the PE header — more specifically the rich header — “100% aligned with Russian malware.”
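The Rich header Williams refers to sits between the DOS stub and the PE signature and records, XOR-masked, which Microsoft toolchain components (product ID, build number, use count) touched the binary; that is why it is compared across samples. The decoder below is an added example, not code from the talk or from Rendition Infosec; the sample file is a constructed stub carrying a Rich block, not a real executable, and the product IDs and builds in it are arbitrary.

```python
import hashlib
import struct

DANS = 0x536E6144  # "DanS", the little-endian dword that opens a Rich block
RICH = b"Rich"     # the marker that closes it, followed by the 4-byte XOR key


def parse_rich_header(data: bytes):
    """Decode the Rich header of a PE image.

    Returns {"key": xor_key, "entries": [(product_id, build, count), ...]},
    or None when the file has no Rich header.
    """
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stub = data[:e_lfanew]            # the Rich block lives before "PE\0\0"
    rich_off = stub.rfind(RICH)
    if rich_off < 0 or rich_off + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich_off + 4)[0]
    # Walk back one dword at a time until the XOR-decoded value reads "DanS".
    pos = rich_off - 4
    while pos >= 0:
        if struct.unpack_from("<I", stub, pos)[0] ^ key == DANS:
            break
        pos -= 4
    else:
        return None
    # "DanS" is followed by three padding dwords (0 XOR key), then the entries:
    # each entry is a comp_id dword (product id << 16 | build) and a count dword.
    entries = []
    for off in range(pos + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", stub, off)
        comp_id ^= key
        count ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return {"key": key, "entries": entries}


def rich_fingerprint(header) -> str:
    """MD5 over the decoded entries, a simple clustering fingerprint for
    comparing the toolchain signature of one sample against another."""
    raw = b"".join(struct.pack("<HHI", p, b, c) for p, b, c in header["entries"])
    return hashlib.md5(raw).hexdigest()


def build_sample_pe(key: int, entries) -> bytes:
    """Constructed test fixture: an MZ header, a Rich block and a PE signature.
    This is not a runnable executable; it only exercises the decoder."""
    rich = struct.pack("<I", DANS ^ key) + struct.pack("<III", key, key, key)
    for product_id, build, count in entries:
        rich += struct.pack("<II", ((product_id << 16) | build) ^ key, count ^ key)
    rich += RICH + struct.pack("<I", key)
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80 + len(rich))  # e_lfanew -> "PE\0\0"
    return bytes(header) + rich + b"PE\0\0"


if __name__ == "__main__":
    sample = build_sample_pe(0x1234ABCD, [(0x00DF, 28805, 3), (0x0105, 30729, 12)])
    decoded = parse_rich_header(sample)
    for product_id, build, count in decoded["entries"]:
        print(f"product 0x{product_id:04X} build {build:5d} used {count} time(s)")
    print("fingerprint:", rich_fingerprint(decoded))
```

Because the block is only XOR-masked with a key the producer chooses, nothing in it is authenticated; two samples that agree here share a toolchain signature, which is one indicator to weigh, not proof of a common author.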

Beyond manipulating header information, Williams described other ways investigators could be misled in cyber attribution and noted that all of the tactics are already known by attackers.

“I have no doubt that after we talk about this, we’ll see more of this in the wild. But, the fact that we see more in the wild that more is happening in the wild, let’s be very clear about that,” Williams said. “What it means is we’re seeing more of it and, in many cases, that’s because our eyes are open to it.”

Williams said using IP addresses can be tricky with cyber attribution, because, on one hand, even nation state threat actors have been known to run attacks from their home country. But on the other, it is very easy to rent virtual private server space from other countries to mask an attack’s true origin and attackers have been known to use the same infrastructure or tools intentionally and unintentionally.

Other ways threat actors can mislead cyber attribution investigations is by creating false infrastructure via multiple online “supporter personas” that are used to “prop up” a specific group or “lookalike” email accounts.

Williams said because investigators want to find connections, they can be fooled by false personas, tracking the general times attackers are active to determine the original time zone, focusing on a specific type of event log, and much more.

Additionally, he warned that using encryption keys recovered from PowerShell or from compiled malware for attribution depends on if the keys are symmetric or asymmetric.

“Symmetric keys are trivial to reuse because the same key encrypts and decrypts. So, I can use a key the attacker has used previously, so you want to be very careful there,” Williams added. “With asymmetric, you only have one side of the key pair. When we evaluate evidence for attribution, we value symmetric keys far more highly if it hasn’t been published in a [cyber threat intelligence, or CTI] report because are the attackers really going to fake it? How well-known is it? But on the false flag side, I do want that published in the CTI report. I want it to be obvious for the investigator to make the connection.”

Given all of the evidence and ways to attempt to determine cyber attribution, Williams noted that as an attacker, “You can do a few things well, but doing everything well is pretty impossible.”

Williams told the DerbyCon crowd, “If you’re doing good wholesome forensics, you’re likely to uncover the false flag. If you’re relying on one or two indicators in isolation, this is where you’re likely to trip up. We’re hard-wired for cognitive biases and logical fallacies. We’re hard-wired to like a good conspiracy.”


Network lateral movement from an attacker’s perspective

LOUISVILLE, KY. — A security researcher at DerbyCon 7.0 showed how an attacker will infiltrate, compromise and move laterally on an enterprise network, and why it benefits IT professionals to look at infosec from a threat actor’s perspective.

Ryan Nolette, security technologist at Sqrrl, based in Cambridge, Mass., said there are a number of different definitions for network lateral movement, but he prefers the MITRE definition which says network lateral movement is “a step in the process” of getting to the end goal of profit.

Nolette said there are a lot of different attacks that can all be part of network lateral movement, including compromising a shared web root — things running as the same permissions as the web server — using SQL injection, remote access tools and pass the hash attacks.

According to Nolette there are five key stages to the network lateral movement process: infection, compromise, reconnaissance, credential theft and lateral movement. This process will then repeat from the recon stage for each system as needed, but the network lateral movement stage is “where the attack gets really freaking exciting,” Nolette told the crowd.

“You’ve already mapped out where you want to go next. You have credentials that you can possibly use to log in to use other systems,” Nolette said. “Now, it’s time to make an engineer or IT admin cry because now you’re going to start moving across their environment.”

Demonstrating network lateral movement

Nolette walked through a demo attack and made sure he had some roadblocks to overcome. First, he ran a Meterpreter payload in Metasploit which would allow him to “run plugins, scripts, payloads, or start a local shell session against the victim” and used it to determine the user privileges of the victim machine.

Finding the privileges were limited, Nolette loaded a generic Windows User Account Control (UAC) bypass — which he noted was patched in the current version of Windows — to escalate privileges to admin level.

In a blog post expanding on the attack, Nolette said that once the attacker has access to a system with these privileges, the aim is to map the network and processes, learn naming conventions to identify targets and plan the next move, which is to recover hashes in order to steal login credentials.

With credentials, Nolette said he targets local users and domain users.


“The reason I want the local users is because in every single large corporation, IT has a backdoor local admin account that uses the same password across 10,000 systems,” Nolette told the DerbyCon audience. “For the record, [Group Policy Object] allows you to randomize that password for every system and stores it in [Active Directory], so there’s really no excuse anymore for this practice.”

Another way Nolette said attackers can find more privileged users is by looking at accounts that break the normal naming convention of the organization. For example, Nolette said if a username is initial.lastname but an attacker sees a name like master_a, that could be an indication it is a domain user with higher privileges.

When mapping the potential paths for network lateral movement, Nolette said attackers will look for specific open ports and use PsExec to run commands on remote systems — both tactics used in the recent WannaCry and NotPetya ransomware attacks.

“If you use PsExec, SpecOps hates you because that’s a legitimate tool used by IT and is constantly run throughout environments and being abused,” Nolette said. He suggested one good security practice was to use whitelisting software to only allow PsExec to be run by very specific IT user accounts. 
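Two of the defensive points above can be checked from the same log: PsExec installs a service (PSEXESVC by default), which Windows records as a System event ID 7045, so service installs by accounts outside the permitted IT set, accounts that break the naming convention and one account fanning out across many hosts can all be surfaced from those records. The script below is an added example, not code from Nolette’s talk or from Sqrrl; the log format, the allowlist (d.jones) and the initial.lastname convention are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed allowlist: the specific IT accounts permitted to run PsExec.
PSEXEC_ALLOWLIST = {"corp\\d.jones"}
# Assumed org convention for usernames: first initial, dot, lastname.
NAMING_CONVENTION = re.compile(r"^[a-z]\.[a-z]+$")

# Constructed, simplified export of event ID 7045 (service installed) records.
SAMPLE_LOG = """\
2017-09-23T14:02:11Z host=WS-114 event=7045 service=PSEXESVC account=CORP\\d.jones
2017-09-23T14:05:40Z host=WS-114 event=7045 service=Spooler account=CORP\\j.smith
2017-09-23T14:09:03Z host=WS-201 event=7045 service=PSEXESVC account=CORP\\master_a
2017-09-23T14:09:41Z host=WS-207 event=7045 service=PSEXESVC account=CORP\\master_a
2017-09-23T14:10:15Z host=FS-01 event=7045 service=PSEXESVC account=CORP\\master_a
2017-09-23T14:12:30Z host=WS-118 event=7045 service=PSEXESVC account=CORP\\j.smith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"service=(?P<service>\S+) account=(?P<account>\S+)$"
)


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def breaks_convention(account: str) -> bool:
    """True when the username part of DOMAIN\\user does not fit initial.lastname."""
    user = account.split("\\")[-1].lower()
    return NAMING_CONVENTION.match(user) is None


def review_service_installs(lines, fanout_threshold: int = 3):
    """Review 7045 records for PsExec service installs.

    Reports installs by accounts outside the allowlist, accounts that break the
    naming convention and accounts that touched fanout_threshold or more hosts.
    """
    not_allowlisted = []
    hosts_by_account = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "7045":
            continue
        # PsExec's service can be renamed, so the name is a first filter only;
        # any 7045 from an unexpected account deserves a look.
        if rec["service"].upper() != "PSEXESVC":
            continue
        acct = rec["account"].lower()
        hosts_by_account[acct].add(rec["host"])
        if acct not in PSEXEC_ALLOWLIST:
            not_allowlisted.append((acct, rec["host"]))
    naming_anomalies = sorted(a for a in hosts_by_account if breaks_convention(a))
    fanout = {a: len(h) for a, h in hosts_by_account.items() if len(h) >= fanout_threshold}
    return {
        "not_allowlisted": not_allowlisted,
        "naming_anomalies": naming_anomalies,
        "fanout": fanout,
    }


if __name__ == "__main__":
    for category, items in review_service_installs(SAMPLE_LOG.splitlines()).items():
        print(f"{category}: {items}")
```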

Understanding attacker network lateral movement

“In a lot of presentations you don’t get to see the offense side. All you get to see are the after-effects of what they did. They move laterally, great, now I have a new process on this system. But, what did they actually do in order to do that?” Nolette said. “If I figure out what the attacker is doing, I can try to move further up the attack chain and stop them there.”

Nolette said the value of threat hunting to him was not about finding a specific attack or method, but rather in validating a hypothesis about how threat actors may be abusing systems.

“I find that valuable because that’s a repeatable process. When you’re trying to sell to your upper management what you want to do, you always want to use business terms: return on investment, high value target, synergy,” Nolette said. “In order to be a successful security practitioner, you have to know why the business [cares]. Security is not a money-maker. It is always a cost center. How to change that view with the upper management is to show them return on investment. By spending a few hours looking at this stuff, I just saved us a few million dollars.”