Wild West Hackin' Fest - Deadwood 2024

It doesn’t matter how advanced your shellcode loader is, if you don’t protect your shellcode from prying AV & EDR sensors, you’re going to have a bad time. From simple encryption schemes like the Caesar cipher to more complex schemes like AES, reversing arrays, steganography, encoding shellcode as other data types, and other techniques, this talk will cover a variety of ways to hide shellcode in your loader. I’ll demonstrate how these techniques score against many engines using VirusTotal. In some cases, AV engines will detect the decoding routine. I’ll also discuss techniques you can use to break this detection. I will also be sharing a repository demonstrating the different evasion techniques discussed in this talk. Note – this talk will not cover behavioral evasion techniques like unhooking, direct and indirect syscalls, or other evasion techniques. Whether you’re new to obfuscating shellcode or an experienced pro, there’s something in this talk for you!

In my first career, I spent 35 years at the National Security Agency as a Vulnerability Analyst for the defense, from junior analyst to executive manager. I also had the honor of helping found and lead two of the Nation’s largest organizations dedicated to this mission – the Systems and Network Attack Center, and the Vulnerability Analysis and Operational Group. At NSA, Vulnerability Analysis for defense was a “full spectrum” activity, designed to emulate the resources of a nation-state adversary and their ability to operate at scale. In this talk, I’ll offer a historical and personal perspective how this field of analysis evolved from a focus on mathematics and cryptography, through systems and software, and then to “live” operational systems. And what’s it like to spend a career as a cyberdefender for the DoD and the nation, but homed inside of an intelligence agency? We’ll discuss the mission, technical, and cultural interplay of cyberdefense and offense/intelligence as it played out at NSA. War stories, culture clashes, bureaucratic mazes? Of course! But in the end, better security for all.

In this talk, we'll present Risk AIssessment - a risk assessment framework for AI-enabled applications. With the rush to embed generative AI in everything but your toaster (oh, it's in that now too?) there are a lack of usable assessment frameworks for organizations that are deploying these AI-enabled applications. The NIST AI RMF is fantastic if you're building AI foundation models or consumer services, but it's ill-suited and overly complex for organizations just adopting an application that has generative AI features. In this talk, we'll introduce the framework and show how organizations can utilize it to evaluate their risk to decide whether to adopt an application, prioritize compensating controls, or select between competing applications. Finally, we'll share case studies from using Risk AIssessment in numerous consulting engagements and show how it can be used in your organization to highlight risks.

You often hear the term, it only takes an adversary one main find to compromise an entire organization. The odds don't seem to be in our favor when it comes to defense. This talk will dive into effective methods to flip the odds into your own favor and things you can do quickly that doesn't take a three year strategic roadmap for. We'll be getting into some techniques you can leverage in deception and detection as well as methods that I've seen stop our red teams in the past. If I were a betting man, my bet is on defense.

Abusing API Security will discuss how to look at API security in a different way through multiple API attack techniques with a particular focus on GraphQL and gRPC.

Interacting with vulnerabilities is a core security practice. For a pentester, vulnerabilities should form a map to making risk actual, but our tools in this space often get in our way. Sirius Scan is a tactical vulnerability scanner. One dedicated to you, the operator.

In this talk, we will fluidly interact with and exploit network vulnerabilities by leveraging several open-source tools and tying their interactions with vulnerability intelligence.