The Technical Track is designed for IT security, system, and network professionals. Topics may include network penetration testing, technical security standards and best practices, intrusion detection, network and system forensics, incident handling, technical hacking and attack techniques, protecting the network, systems, devices and services that form the infrastructure for our organizations.

T1 – Leveraging Recursive File Scanning Frameworks to Amplify Reverse Engineering Results

Jason Batchelor & Joshua Acklin

Focused reverse engineering and malware analysis initiatives are often expensive endeavors whose results are highly underutilized among modern network defenders. In this talk, we will introduce a means through which traditional outputs, such as Yara signatures, data parsing, and decode scripts, may be included into an open source framework to increase agility and overall effectiveness. Using a public data set, we will demonstrate the effectiveness of this approach by deconstructing a targeted payload to expose actionable intelligence. We will also discuss how the exposure of malware taxonomy may inform innovative detections.

Bio

Jason Batchelor holds a master’s degree in Networking and Systems Administration from the Rochester Institute of Technology. He has several years of experience in public and private industry, initially supporting both attack analysis and threat intelligence teams before finding his passion as a reverse engineer. Past career accomplishments include founding and leading a reverse engineering team, architecting a custom global sensor grid using Bro IDS, and open sourcing a recursive file scanning solution named the File Scanning Framework. Jason currently works at the Software Engineering Institute supporting security research initiatives. He is a strong proponent of empowering analysts to drive capabilities forward and innovate past their limitations.

Joshua Acklin holds a master’s degree in Software Engineering from the University of Auburn. During his time at Auburn he worked on developing sensor networks utilizing the Microsoft Kinect sensor system. Since completing his master’s degree, Joshua has worked at the Software Engineering Institute as a Cyber Security Engineer, where he works on exercise development and prototyping. Prior to completing his education, Joshua served in the United States Army as a Supply Sergeant. During his military career he deployed in support of Operation Iraqi Freedom, Operation New Dawn, and Operation Enduring Freedom. Joshua still serves as a Reservist and has recently started the transition into Army Cyber.

T2 – Modeling, Building, and Securing the Internet for Cyber Training Exercises

Ryan Lehman

As the need to develop a cyber workforce in government or industry grows, the demand for high-fidelity training exercises grows with it. These exercises provide a way for participants to train against simulated scenarios and adversaries in a closed environment. Part of the challenge of creating such exercises lies in providing participants an environment with realistic traffic patterns, so that scenario events are not easily singled out from background activity. This presentation details the simulated internet (called Gray Space) used in some of the most recent US government cyber exercises and how it addresses that challenge. Time will be spent on the design choices behind Gray Space in relation to cyber security training, the construction of the network through programmatic traversal of a graph database, and certain security challenges involved, particularly focusing on an implementation of RPKI and BGPSEC within the network.

Bio

Ryan Lehman is a Cyber Exercise developer for the Software Engineering Institute’s CERT program at Carnegie Mellon University. He has been building large-scale cyber exercises for the United States Department of Defense since 2013.

Ryan earned a BA in Information Technology Leadership from Washington and Jefferson College and an MS in Information Security Policy and Management from Carnegie Mellon University. He has worked at Carnegie Mellon since 2013.

T3 – Bitclamp: A Permanent and Anonymous Publishing Platform Over Bitcoin

Joe Testa

This presentation describes Bitclamp, a new open-source project that uses the Bitcoin blockchain to permanently and anonymously publish files. This can be extremely useful for whistleblower-type documents.

We will describe the existing publication methods, analyze their major shortcomings, then discuss the goals for a new method (quick publication time, low cost, etc.). We will detail how a deep dive into Bitcoin’s code resulted in the discovery that multi-sig support can be re-purposed for carrying large data payloads. An in-depth analysis will show how this method is practical for both the Bitcoin and Dogecoin blockchains. Special features such as temporal encryption and dead-man switches can be used to protect whistleblowers from retaliation.

Lastly, a public website front-end will be showcased, which allows ordinary users to browse, search, and publish files.

Bio

Joe Testa is co-founder of Positron Security, a Rochester-based computer security company. He specializes in penetration testing, exploit development, social engineering, and server & network hardening. Prior to co-founding the company, he excelled as a security researcher and vulnerability test programmer for Rapid7. Testa holds a Master of Science degree in Computer Security and Information Assurance from the Rochester Institute of Technology, along with a Bachelor of Science degree in Psychology and Computer Science from the University of Maryland at College Park.

T4 – Story of Indicators – The Gaza Hackers (AKA Xtreme RAT)

Nir Yosha

In October 2012, Israel admitted it had been targeted in a mass cyber-warfare campaign that had seen millions of attempts to hack state websites since the start of its Gaza offensive.

The first clue was a file with the MD5 7084f3a2d63a16a191b7fcb2b19f0e0d. The exploit, the downloader, the weapon (Poison Ivy) and other indicators led to a command and control server maintained by the Gaza hackers group. How can we prevent similar incidents in the future?

Bio

Nir Yosha is the Threat Intelligence Engineer at ThreatQuotient, a threat intelligence platform company. Nir started his career as a squad leader in the Israeli Intelligence Corps, where he helped gather intelligence tracking the growth of terrorist organizations.

Nir has over 10 years of experience as a security engineer in both visual and network security areas. He worked for multiple cyber security vendors in firewall management, compliance, and user behavior analytics. Nir publishes his posts on LinkedIn and speaks occasionally at security conferences.