GrayHat 2020

Join BTV this year as we participate in GrayHat 2020 (formerly Texas Cyber Summit). The event will take place virtually from October 29-31, 2020. More information will be posted as the conference draws closer.


Join us

Discord   •   Twitch


Thursday, October 29, 2020

Panel: Cyber Threat Intelligence
9:30am - 10:45am
Moderator: Mick Baccio
Panelists: Kelsey Helms, Lauren Proehl, Valentia Palacin, Ruth Barbacil
Talk: Hiding in the Clouds
How attackers can use applications for sustained persistence and how to find it
11:00am - 11:45am
Presenter(s): Mark Morowczynski and Gloria Lee
Applications are modernizing. With that, the way permissions for these applications are granted is also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like, and finally, how to find them in your environment.
Talk: Hack Your Next Job
Use Recruiter OSINT tactics to your Advantage
1:00pm - 1:45pm
Presenter(s): Alethe Denis
The cybersecurity industry was facing a talent shortage prior to Covid-19. As companies shifted to remote work, some cyber professionals were re-assigned to other tasks, including IT support. Nearly half a million workers are needed right now in cybersecurity roles around the country.

Use the OSINT tactics that recruiters use to discover new CyberSecurity candidates to get found, stand out and move your resume to the top of the pile.

We’ll take a look at ways recruiters are sourcing candidates for specific security roles and see how we can reverse these tactics to make your LinkedIn and resume stand out to recruiters and get your application past Human Resources and into the hands of decision makers.

Talk: Automating Threat Hunting on the Dark Web and other nitty-gritty things
2:00pm - 2:45pm
Presenter(s): Apurv Singh Gautam
What's the hype with the dark web? Why are security researchers focusing more on the dark web? How to perform threat hunting on the dark web? Can it be automated? If you are curious about the answers to these questions, then this talk is for you. The dark web hosts several sites where criminals buy, sell, and trade goods and services like drugs, weapons, exploits, etc. Hunting on the dark web can help identify, profile, and mitigate an organization's risks if done timely and appropriately. This is why threat intelligence obtained from the dark web can be crucial for any organization. In this presentation, you will learn why threat hunting on the dark web is necessary, different methodologies to perform hunting, the process after hunting, and how hunted data is analyzed. The main focus of this talk will be automating the threat hunting on the dark web. You will also get to know what operational security (OpSec) is and why it is essential while performing hunting on the dark web and employing it in your daily life.
Talk: Schrödingers CISO
Is your Cybersecurity Program Dead or Alive? You can't tell, now what!? Tales from the Hard Side
3:00pm - 3:45pm
Presenter(s): Lyzia van Iterson
This talk will focus on how to steer your Cybersecurity Program through continuous chaos. Key topics are:

Organization will set you free.
  • Who should steer your program, and why?
  • Command and Cooperate; Planting Flags and Building Bridges
Hygiene x Hybrid = Relentless Improvement.
  • How getting the basics right and Continuous Vulnerability Management go hand in hand.
  • Why you can use it to aid your Purple Team efforts.
The Human Factor.
  • Lead alongside
  • The Attack of the Chaos Clowns and other internal threats
  • Clown Mitigation Strategies
These topics are based on real-life examples and strategies from the Cybersecurity Programs I've run in the past 15 years.
Talk: BTV Lightning Talks
4:00pm - 4:50pm
Come and share something

Friday, October 30, 2020

Talk: Rapid Threat Containment
Using Programmability to Detect, Prioritize, Contain and Report on Incidents
9:00am - 9:45am
Presenter(s): Hakan Nohre, Christopher Van Der Made
Detecting and responding to incidents is challenging. To do so automatically is even more challenging. There are many sources of information for security events such as endpoint security, DNS, Firewalls, Network Anomalies etc. Trying to automatically respond is typically avoided because of the risk of false positives. But can we, by combining different sources of events and applying a penalty point system, reduce the likelihood of false positives enough to allow for automatic response?

This lecture will outline a prototype for Rapid Threat Containment based on input from multiple sources. It will also discuss challenges, such as how to normalise the target of the attack (which could be hostname, IP address, MAC address, email address, username - depending on the source). It will also discuss some potential extra benefits such as creating automatic reports on breaches based on the information.
Talk: BlueHound Path Destroyer
Life and “Death” of a Tool
10:00am - 10:30am
Presenter(s): Mathieu
This talk is about a new tool that I built based on a methodology I developed for destroying Active Directory Attack Paths found by BloodHound.

This talk will cover the methodology and the various options that the script provides. All the features are aimed to help the Blue Team secure their Active Directory infrastructure. BlueHound is an open source project that will be made public at SecTor (October 21).
Talk: Async Intelligence Gathering with Python
11:00am - 11:45am
Presenter(s): Jeff Bowie
Successful hacking is often built upon successful intelligence gathering. But how much time and effort is required to gather actionable data points?

Even if you can find an efficient open-source tool, its behavior or signature may be detected and prevented. Nessus is noisy, and many engagements have too many hosts for manual analysis. We will discuss techniques, tools, and tricks utilizing Python to acquire information at large scale, as quietly as possible.
Talk: Blue Teaming with Kusto Query Language (KQL)
1:00pm - 1:45pm
Presenter(s): Ashwin Patil
Threat hunting has become an integral part of a blue teamer's work. Knowing the tools and techniques, especially those related to searching across vast amounts of logs to find actionable insights, which can be used to pivot and gather context when investigating an existing incident or can lead to a potential anomaly, is an essential skill for the success of any defender. In this presentation, we will introduce Kusto Query Language (KQL), which has been the de facto language of hunting across a variety of data sources such as Microsoft Defender for Endpoint, Azure Sentinel, and Microsoft Threat Protection. Knowing the language and mastering the key skills required to effectively hunt across a variety of Microsoft Threat Protection solutions can be hugely beneficial for blue teamers. We will walk through practical threat hunting queries on multiple cloud (Azure, AWS), on-premise (Windows, Linux) and network data sources, leveraging KQL features to effectively hunt and gather faster results. Apart from getting familiar with the syntax, we will demonstrate how to use advanced features of KQL, such as time series analysis and windowing functions, from the GUI to find anomalous behavior. Lastly, we will also showcase KQL programmatic interfaces such as Jupyter notebooks to do threat hunting at scale by importing multiple KQL queries, executing them and gathering results in an automated fashion.
Talk: The Future of Security Automation is Collaborative
2:00pm - 2:45pm
Presenter(s): Mark Orlando
Security tools overwhelmingly favor expert users. If we want to grow and diversify our security teams to meet today’s challenges, and enable those teams to apply creativity and critical thinking at scale, we must focus on technology that helps humans and machines work together to amplify each other’s strengths. The future of security automation isn’t artificial. It’s collaborative.
Talk: Security Onion 2: Unravel Adversary Actions with Frighteningly Good Detection and Shocking Visibility
3:00pm - 3:45pm
Presenter(s): Wes Lambert
Security Onion is a completely free and open source platform for threat hunting, enterprise security monitoring, and log management. First developed in 2008 by Doug Burks, Security Onion has since grown through several distributions, and has been downloaded over 1 million times. Continuing with that growth comes Security Onion 2, the next major iteration of the platform. In every iteration, the platform has woven together many different open source applications in an attempt to make life easier for blue teamers, but this presentation will be focused primarily on the additions and improvements the new version brings, and how security professionals will be better prepared to peel back the layers of their computer networks, and make their adversaries cry.

To continue tipping the scales in the favor of network defenders, attendees will learn how they can leverage Security Onion (2) in a variety of ways. This includes the monitoring of network traffic -- we'll discuss the types of data that are collected, and the relative value of each. This data may include NIDS alerts from Suricata, protocol-specific metadata from Zeek, or even PCAP from Google Stenographer.

Ingestion of endpoint telemetry (ex. Wazuh, Osquery, Winlogbeat) and other data sources will be discussed, as well as how this data can be scoured and hunting actions can be performed (using Kibana, or the new Hunt interface).

While there are some great hunters out there, it can be much more efficient at scale to have pre-built detections assist us in identifying anomalous behavior (paired with regular hunting). A defined detection engineering process, and criteria for creating detections can really help us to achieve success with our overall detection strategy -- as a result, we'll discuss detection development and the management of detection playbooks, using Playbook.

Last, we'll cover how we can enrich events with additional information, and even perform response actions using TheHive and Cortex, also touching on how additional integrations might be achieved with Security Onion 2.

With all this context and capability, we'll have bad guys shaking in their boots, for free!
Panel: Getting In and Getting Good at Incident Response
A Meet-a-Mentor Panel
4:00pm - 5:30pm
Moderator: Muteki
Panelists: Lauren Proehl, Neumann Lim, Pierre Cadieux, Rhett Nieto
Mentors from the Blue Team Village's Meet-a-Mentor program discuss how they got into InfoSec and Incident Response specifically, how they developed their skillset, what they're currently working on, and answer other related mentee-sourced questions.

Talk: BTV After Panel Happy Hour
5:30pm - 6:30pm
Presenter(s): BTV Staff
Talk: BTV Game Night
8:00pm - 10:00pm
Presenter(s): BTV Staff
Games and Games

Saturday, October 31, 2020

Workshop: Threat intelligence, the malware analysis way
9:00am - 11:00am
Presenter(s): Felipe Durate
Debuggers, disassemblers, virtual machines, sandboxes, signatures. All of those concepts are commonly used in malware-related talks; but do you actually know how to effectively use them to automate your malware analysis procedures and leverage high quality threat intelligence? Well, this is the place to be if you want to answer this question.

Even though malware analysis could sound scary for some people, the art of dissecting and understanding the inner workings of a malicious sample can provide us an advantage in this cyber war. Keep in mind that every time attackers send you a malicious sample they are giving you a low level representation of the actual source code. Yes, this is not a trivial representation that will be understood in 10 minutes, but if you have the proper tools and skills you will get its secrets (and its weaknesses).

We will start our workshop with an unknown malware sample and based on our observations during the analysis, we will build our own tools to detect it and automate its analysis, so next time you see it, you will spend just a couple of seconds in its analysis.
Panel: Getting In and Getting Good at SIEMs & Log Analysis
A Meet-a-Mentor Panel
11:30am - 1:00pm
Moderator: Muteki
Panelists: Chris Lynch, A. Skye, Chris Maenner, O'Shea Bowens
Mentors from the Blue Team Village's Meet-a-Mentor program discuss how they got into InfoSec and SIEMs & Log Analysis specifically, how they developed their skillset, what they're currently working on, and answer other related mentee-sourced questions.
Talk: AWS Security Best Practices
2:30pm - 2:45pm
Presenter(s): Mary Wang
Do you use Amazon Web Services (AWS)? It’s okay if you don’t use it and use another cloud provider. I’m going to discuss three important AWS security services and also which security controls are AWS’s responsibility and which are yours.

In this talk you will learn:
  • An overview of the AWS Shared Responsibility Model
  • Security best practices in AWS Identity Access Management (IAM)
  • Using AWS CloudTrail and CloudWatch for logging and auditing purposes

Finally, we’ll dive into how you might benefit from implementing other AWS security best practices.
Talk: Introductory advice on the OWASP Mobile Top 10 and how to fix the risks
3:00pm - 3:15pm
Presenter(s): Garrett Mosier
As more applications move to mobile devices, it is important to understand the core concepts you'll need to secure mobile applications. In this talk, we will focus on how to recognize the OWASP mobile top 10 vulnerabilities in your applications and how to fix them before anyone notices.
Talk: All Roads Lead to Infosec
3:30pm - 4:15pm
Presenter(s): Gyle dela Cruz
When one talks about infosec or cyber security as a career or profession, people immediately think of hackers in hoodies. Indeed, there are career paths for ethical hackers as pen testers and red teamers, but there are still a lot of unexplored options for people who want to break into the field. This presentation will clarify the misconceptions about infosec career paths, and will cover how certain skill sets from other non-infosec areas can lead to a non-traditional path to an infosec career.
Talk: Closing Remarks
4:30pm - 5:00pm
Presenter(s): BTV Staff