
Opening Ceremony

BSides SLC · 2021 · 24:26 · 42 views · Published 2021-12
Speaker: Bryce Kunz
Tags: Category: Community · Style: Keynote
About this talk
Bryce Kunz, BSides SLC organizer, welcomes attendees and outlines the conference logistics, four core principles (meaningful conversation, connections, community, careers), and track schedules. He then reviews major cybersecurity incidents from 2021—including the sudo zero-day, Microsoft Exchange breaches, Colonial Pipeline ransomware, and PrintSpooler vulnerabilities—and proposes community-level defenses: reducing attack surface through zero-trust architecture, implementing multi-factor authentication, and continuous security testing.
Transcript [en]

Okay, thank you everyone for coming out to BSides. I appreciate everyone taking time out of their Fridays to come down. I just want to start off by first thanking the sponsors. I know it's been really chaotic with the pandemic, but I really appreciate the support from DigiCert and RSA and Pope Tech and Adobe and Red Canary and Corelight and Red Point and Mimecast and SaltStack. So, appreciate the sponsors. This is the BSides logo for this year. Delaine did a great job getting that created, so I appreciate her hard work on that. For those that don't know, I am Bryce Kunz. I typically wear these Hawaiian shirts, so if you're looking for some of the Hawaiian shirts around the con, that may be me. My handle on Twitter is tweakfox, and there's a BSides Slack that you should be able to join from the bsidesslc.org website; there's a link to join it. So if you ever have any questions, you can just throw them in #general in the BSides Slack and I should respond in a reasonable time period. Well, welcome to BSides Salt Lake City. Glad to have this back in person.

The slogan for BSides is really "by the people, for the people." I know there's always areas we can do better as a group, as organizers, but largely this conference is here because of you and the people who are willing to come out and provide the content. So if there's gaps that you see this year that we think could be better, we'd love to have your help in future years. There's really four core principles of a BSides event. The first is that we want to create an environment where you can have meaningful conversations with other participants here. Intentionally, the word participant is used, because we want everyone here to be part of the community and feel actively engaged. The second is connections: we want everyone here to be able to make a few new connections. There's some rooms upstairs, smaller rooms, that are available for just kind of chilling out and breakout sessions, and one of them's got some soldering irons, so feel free to go in there and kind of hang out. The third principle is community: we're really trying to strengthen the community and help us grow, especially in the area of cybersecurity. And the fourth is careers. Kind of a side effect of us all coming together and building relationships is that people are able to improve their careers and we're able to help each other out more. If you're wondering where these four principles come from, I did not invent them; they are from a Jack Daniel talk that he did previously at BSides, so we're kind of taking our direction from the legacy here.

I'm just going to go over some logistics with the venue real quickly, and then I'll talk a little bit about some of the recent events in cybersecurity. Here at the venue, you're in the main hall; that's track one. If you go up the stairs there's two additional tracks. Track two has talks; those talks are over Zoom, so the speakers there are remote, but feel free to go in there and check out those talks. As well as track three, where there are some workshops: there's a red teaming workshop as well as a great container workshop this afternoon, so I highly encourage you to check those out and participate in them. The three rooms that are down the hall, the three end rooms on track two, you're welcome to go in there. There's power in the latter two rooms, 226 and 228; you're welcome to just chill in there and do whatever you want. In 229, I believe Waylon will be hanging out in there and answering any questions you may have about the electronic badges. Right, we went over this, great. And then these are the breakout rooms here; 229 is where the badge will be located.

The schedule is located on the website. The only update is that it says that this session starts at 10 pm; it does not, it starts at 10 am, so that was just a typo. Okay, so here's kind of a screenshot of the schedule. Things to note: at 11 am right here we'll be having a hacker panel. Snow, Grifter and Lean will be answering questions and Marv will be asking the questions, so I highly encourage you to check that out. Those are three great people that are all local to this area in Utah, and it's usually a good time had by all. At the end of the day at 5 pm, Waylon will be giving a badge talk about the electronic badge. There is a CTF, or like challenges, inside of the badge, so he may give some useful hints at that point. And he'll also be up in that chill-out room throughout the day. We have a few remote talks in track two, so definitely check those out; those look really well polished. And track three, there's just two workshops: the container security one looks great, as well as the red teaming one.

Okay, so the BSides team. Delaine got this sweet swag, so hopefully you got yourself a beanie. If you purchased a student ticket and you did not get a beanie, at the end of tomorrow I am giving away the swag, so come back and we'll give you a beanie if there's any left. I think we produced 200 beanies and we sold more than 200 tickets. Okay, Waylon created the badge. There's challenges associated with the badge. If you are one of the first people to solve that, there is a prize for that; come and show Waylon that you solved it and you can get that prize from Waylon. It's pretty obvious if you solved it: all these snow lights are blinking, so the badge looks cooler. I really appreciate all the hard work Waylon puts into this badge; I can't tell you how many hours he puts into it, so really appreciate that. Just as an FYI, this is kind of some of the organizers that helped with the event. Really appreciate everyone's help; it really would not be possible without these individuals and all the hard work they put into it. And once again I just want to thank the sponsors; they make this possible. As an FYI, we created a nonprofit, a 501(c)(3), that runs this BSides conference here in Salt Lake City, so if you purchase a ticket, as part of your ticket you have the right to be a member of that nonprofit. This is the board for the nonprofit, so I am on the board and I'm also the lead executing the con. If you're interested in what that means or whatnot, you can always hit me up in Slack; I'm there in the Slack, and there's a website with a little bit of information and my email for the nonprofit, so happy to talk with you more about that. Okay, great. So that was just some logistics associated with the con. If you have any questions, feel free to hit anybody up; we're all pretty friendly out there in reg, or just come and talk to me. I'm happy to help, so I'll point you to the right person if I'm not that.

Okay, so I just want to talk about 2021. 2021 was an interesting year. We're still kind of mid-pandemic, so that's life now, and I appreciate everybody following the rules that are posted on the website regarding the health standards here at the conference, including wearing masks and having the appropriate tests or vaccines, so appreciate everyone letting us follow the industry norms there. 2021 actually had some really cool things in cybersecurity. One of my favorites is that in January there was a bug, a 0-day release, for the sudo binary. The sudo binary, if you get on a Linux box as a normal user, allows you to change into the root user account; kind of that level of separation between user and root-level access. And there was an over-10-year-old bug which enables someone to basically exploit a vulnerability in the app and get root privileges on the box. So, super cool bug. In March we saw multiple 0-days, I believe four 0-days, come out for the Microsoft Exchange servers, and then we saw rapidly cyber criminals start to leverage those, so that was also pretty exciting from a cybersecurity standpoint. Then in May we saw Colonial Pipeline, which maybe didn't affect us so much here in Utah but literally shut down gas stations in the Washington DC area and across the East Coast, so we saw cyber attacks really have a real-world kinetic impact there. We've seen multiple breaches across the year, from LinkedIn to Neiman Marcus to Twitch. And then we saw Microsoft's response with the PrintSpooler vulnerabilities in July, where vulnerabilities were reported to Microsoft in the PrintSpooler service; they thought they fixed it, and when researchers looked they found ways to bypass the fixes, and they kept moving and moving and moving. So, a really interesting year; a lot of 0-days have come out that are kind of high impact here. Explicitly, the Microsoft Exchange one, they estimate it impacted over 250,000 organizations in the US alone, so cyber criminals were going through and basically any Exchange server they could get to, they were using these 0-days to get code execution on them. The pipeline caused fuel shortages throughout the East Coast. And then the PrintSpooler, rapidly, as soon as that was discovered, cyber criminals and ransomware groups started to use that; the example I found easily was in South Korea, where victims were reporting they'd been hit using this.

Okay, so I just want to talk for a minute about roadmaps for improvements. What can we do as a cybersecurity community to really improve the overall security posture? There's a lot of these incidents and breaches occurring; what can we do as a group to really defend against that? This isn't a comprehensive list; this is just kind of the top recommendations that I put together. First is reduce attack surfaces. Generally speaking, it's good to know what your attack surfaces are, then try to limit them or reduce them as much as possible. Zero trust is really the modern-day solution for reducing attack surfaces; it's trying to make old-school lateral movement techniques non-applicable. In the traditional model, you would send a spear phishing or phishing email into an organization, the user would click on the email, they'd get code execution on the endpoint, and then they would subsequently start scanning the internal systems inside of that enterprise, and they would move laterally from that beachhead system onto other boxes in the network and expand their access like that. Well, there's really not a great use case why systems in that internal network, why one workstation, would really need to talk to another workstation. Maybe workstations need to talk to servers; maybe they need to talk to a file server, or maybe they need to talk to an app like a web application server. But there's not really a strong reason that one person's laptop would need to directly talk to another person's laptop. So zero trust has got a lot of buzz behind it, but the basic concept is every endpoint is going to authenticate to kind of a central point which is going to say which systems they can access in the network, and that greatly reduces the amount of attack surface or options an attacker has for moving laterally, so they basically have to go from the endpoint to another server inside of the organization. So that's one approach. All the zero trust vendors have their own way of implementing that, and that's really helpful, but there's other ways you could implement that. I mean, it could be just as simple as implementing firewall rules on your laptops: using Windows and Active Directory to roll out Windows Firewall rules preventing people from connecting to certain ports and services from certain IP addresses.

Another thing that I strongly recommend is really just getting a real solid multi-factor authentication strategy going at your enterprise. A lot of those will involve the use of either verification via kind of a push notification to your phone or app, or they'll involve the use of a hardware token. Those are an excellent way to upgrade your overall security game as an organization, primarily because it shifts the focus. In the past, attackers really want to get those usernames and passwords; sometimes they get them from breach data. We've all probably heard about password spraying and all that type of attack, and that's generally where you would have one password that you know is weak and a list of accounts, and you would try that same password against all the accounts. An example of that is maybe you would try "winter 2021" against everyone's account in an organization, and hopefully it would work as somebody's password in the organization to get you a foothold in. So MFA, a couple things it does. One, username and password is no longer enough; it makes you have another, third piece of key material to authenticate. Two, it generally is going to involve some type of timeout. When you authenticate successfully, you'll generally get like an SSO token in your browser, maybe you're using Okta or another similar service, and you start passing those to other applications, and they recognize your token and they authenticate you. So you're going to have to re-authenticate at some point, so even if there is a breach, you're going to time-limit the amount of time the attacker can dwell without having to retain those credentials, generally speaking. A lot of this is dependent on your specific implementation. So that's kind of a good recommendation. I don't want to say that any of this stuff that I've just talked about is foolproof, so please don't take that away as foolproof, and that's why my third recommendation comes into play, which is continually test.

You think you have a good plan, you think you've reduced the attack surface, you think two-factor is working, all right, now test it. Get someone in, or have someone on your team, actually go and see if they can bypass it. It's alarming the number of organizations that really don't need a third party to come in and look at it; they just need someone to spend a week or two looking at the implementation and come back with some recommendations on how to improve it. And feed those recommendations back into your organization and into the roadmap on how you're going to improve the information systems over the next year. Hardly ever, when you implement something, does it work exactly the way you thought, so just getting a fresh set of eyes on it is extremely helpful.

So, layered defenses. If you really have those first three things crushed, like you're like, hey man, we know all of our ingress/egress points going in and out to the internet, we've got those all monitored, they're locked down, we got everything SSO'd and we got strong authentication on it and we're testing it, the next thing that I really recommend is to think about a layered defense strategy. Namely, really think about what are the crown jewels in my enterprise, and is there any additional protection around the crown jewels than there is for the other information systems? Generally speaking, you want to have some additional controls in place. Now, those are probably going to be pretty specific, because the crown jewels for each organization are probably going to differ. Things that I've seen implemented in real life: some organizations are really concerned about an attacker gaining access to C-level information systems, so they'll put additional monitoring on the C-level or board-level members and ensure that there's extra monitoring and detection on those. Other organizations are really concerned about some type of data they collect from users, so they'll move that into a separate network segment and they'll put additional security controls both on the host and on the network layers. So really, you gotta figure out what makes sense for your organization. But if you think about cybersecurity not as a checklist, like I got to do all this stuff on every single box, but if you really think about it as, hey, there's a battle here, there's a terrain, maybe it's a mountainous terrain, there's a river in the terrain, there's a forest, and then you think the attacker's got to go from point A to point B to get to the top of that mountain: what can I do to help make it more difficult for them to move through my information systems to get to the top of that mountain? That's where a layered defense strategy really comes into play.

I highly recommend, as much as possible, moving to an infrastructure-as-code, or just an as-code strategy in general. The reason for this, and I know this is a larger lift for a lot of organizations, is that then on the left side of the stack you can programmatically state, when a new vulnerability comes out, you can modify a template and say, okay, update this version of sudo. Let's take that sudo vulnerability. The sudo vulnerability comes out; what would you normally have to do in a traditional model? You would have to SSH into all your systems, you would have to do an upgrade on the SSH package, or you'd have to have some type of solution that would do that. In an infrastructure-as-code model, you would go back to the template for your infrastructure and you would say in the template, don't use that version of sudo anymore, use this version, and then you would redeploy your infrastructure using the new version. I know a lot of organizations, through use of containers and Kubernetes, and even just people using cloud services, using kind of the ARM templates on Azure or the CloudFormation templates on AWS, are really able to leverage this kind of infrastructure-as-code concept. So as much as possible, when you're reducing the amount of time it takes you to make large-scale changes across your enterprise and you're really baking that into your organization's processes at the core, you're going to see a huge security benefit, albeit it is kind of a culture shift.

Okay, and then the last thing that I highly recommend. I thought I had a background slide, but apparently maybe I skipped over it. So just as a little background about myself: I'm Bryce Kunz, I'm tweakfox on Twitter. I used to work at Homeland, and at Homeland I was over incident response and focus operations for their unclassified network. There were over half a million computers there, and it was really my job, when we thought malware or an attacker got on a system, to lead the incident response efforts there. Focus operations was kind of the term that we came up with before hunt and the APTs were really a thing; we were really focused on kind of those nation states and trying to do cyber threat intel around them and come up with strategies on how to defeat them. The biggest thing on the defensive side is really just the ability to get visibility into both the endpoint and the network. When you think something's suspicious, how long does it actually take you to triage that? Like, I got to open a Jira ticket with some SRE, and he's got to go SSH into the box, and the SRE comes back and says everything looks cool. That's not good enough; he's not trained in cybersecurity, he doesn't have a background there. So I think a lot of the tools that are out here in that kind of EDR type space will give you the ability to respond a lot quicker and get that visibility a lot quicker, so I highly recommend you check those out, as well as having the right standard operating procedures in place so that when an incident happens you guys can go and triage it and remediate it without having to do a lot of large changes. So that's kind of where my background is on the defensive side and where these recommendations kind of come from. In full transparency, I've subsequently since then shifted to the offensive side. I used to work at NSA; I did red teaming type functions there, as well as I built red teams out for tech companies and whatnot. So I see a lot of hands-on-the-ground cases at this point in my life where security did not function well. Okay, great, well, that's me. I just wanted to kick you off for a minute, get you orientated on the conference, and if there's any questions feel free to hit me up on Slack or Twitter. Thank you all for coming out; appreciate your time. [Applause]
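As an added example (not from the talk or from BSides SLC), the Python below flags the password-spraying shape the talk describes, one password tried against a list of accounts, in authentication logs; the log line format, the sample lines and the thresholds are all constructed assumptions for this illustration.

```python
"""Password-spray detection over authentication logs (added example).

A spray, as the talk describes it, is one weak password tried against many
accounts, so in the logs it shows up as one source producing failures for
many DISTINCT usernames with only one or two attempts each. A brute force
is the opposite shape: many attempts against few accounts. The log format
below is constructed for this example; adapt parse_line() to your IdP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.9), one user mistyping
# their own password (198.51.100.7), and an unrelated normal login.
SAMPLE_LOG = """\
2021-11-12T09:00:01Z auth FAIL user=alice src=203.0.113.9
2021-11-12T09:00:03Z auth FAIL user=bob src=203.0.113.9
2021-11-12T09:00:05Z auth FAIL user=carol src=203.0.113.9
2021-11-12T09:00:07Z auth FAIL user=dave src=203.0.113.9
2021-11-12T09:00:09Z auth FAIL user=erin src=203.0.113.9
2021-11-12T09:00:11Z auth OK user=frank src=203.0.113.9
2021-11-12T09:01:00Z auth FAIL user=grace src=198.51.100.7
2021-11-12T09:01:20Z auth FAIL user=grace src=198.51.100.7
2021-11-12T09:01:40Z auth OK user=grace src=198.51.100.7
2021-11-12T09:02:00Z auth OK user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted distinct users} for each source whose failures within
    `window` hit at least `min_users` accounts with at most `max_per_user`
    failures per account (the many-accounts, few-tries shape of a spray)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()  # chronological, so each source's failures are time-ordered
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window start
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)
    return flagged

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

In the sample, the OK for frank from the flagged source right after the failures is the foothold the talk warns about, so a success from a flagged source within the same window is the event worth a follow-up alert.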

