It is once again time for Security Summer Camp – the week in July that many of us descend upon Las Vegas for Black Hat and DEFCON. This is your official guide to what Cisco’s Talos Threat Intelligence team is doing at Black Hat 2017.
Whether you are looking to catch some great talks, hunting down the best parties, or just trying to avoid LineCon in all it’s forms, here is a quick run-down of where and how you can catch Talos speakers, Cisco events, and some fun stuff from other teams within Cisco as well. Read on for the full details of what Cisco has in store for this year!
Event At-A-Glance:
Event microsite: http://demand.cisco.com/CiscoBlackHat2017
Black Hat USA website: blackhat.com/us-17
Chat with us: @CiscoSecurity and @TalosSecurity
Booth: #700 – Snorty pigs, t-shirts, and amazing booth talks by the Talos crew and Cisco Security
Also visit: Cisco Cloud Security @ booth #240
Cisco Party / Talos VIP party: Private event at Heart of Omnia – Register early!
Wed. July 26
Talos Session – The Evolution of Threat Propagation Techniques- Craig Williams 3:00-3:50 p.m. Business Hall Theater B (on show floor)
Talos Flash Talks: 10:00am- 7:00pm, Cisco Booth #700 – Full schedule below
Career Zone: 10:00am- 7:00pm, Black Hat Business Hall, Booth CZ2
Cisco Black Hat Party: 8:00pm, Heart of Omnia, Caesar’s Palace – Register early!
(Bonus: Get your Beers with Talos Podcast swag, available exclusively at the party!)
Thurs. July 27
Talos Session – Evolutionary Kernel Fuzzing – Rich Johnson 2:30 -3:20 p.m. Lagoon ABCGHI
Flash Talks: 10:00am- 5:00pm, Cisco Booth #700 – Full schedule below
Career Zone: 10:00am- 5:00pm, Black Hat Business Hall, Booth CZ2
The Details:
Cisco Party:
Wed. July 26, 8:00pm Heart of Omnia, Caesar’s Palace
Join Cisco and the Talos team at the Heart of Omnia at Caesar’s Palace.
You will enjoy music, open bar, great food, and entertainment. Black Hat badge required for general admission entry. Unwind, have fun with your peers and the Talos team! We will be giving out an exclusive Beers with Talos podcast t-shirt as well. Talos VIP attendees will be treated to some additional perks once inside, this party WILL be full, so register early!
The Evolution of Threat Propagation Techniques:
Wed. July 26, 3:00 – 3:50 p.m. Business Hall Theater B (on show floor)
Join Talos Outreach Senior Manager Craig Williams on a journey through the evolution of todays threat landscape. He will be covering specific insights on the latest techniques used by threats we have seen in recent weeks like Nyetya/NotPetya, WannaCry, and more.
The challenge with malware isn’t writing the malware itself but the ability to get the malicious software onto end systems. Every attacker struggles with this problem – “how do I get this malware on more end hosts?” Newer payloads like ransomware ensure attackers are making more money than ever before. As long as businesses continue to pay, this threat will increase, that’s basic economics.
This increase in cash flow drives the evolution of threats and propagation techniques like never before. In this talk we will discuss the evolution of these techniques and how to defend against them.
Evolutionary Kernel Fuzzing:
Thurs. July 27 at 2:30 – 3:20 Lagoon ABCGHI
The modern model of vulnerability mitigation includes robust sandboxing and usermode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise.
With this heightened demand, the past few years has seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This first wave has proven successful even though the methods utilized tend to be using more rudimentary techniques of dumb mutational fuzzing or manual code review. This is a good indicator that it is time for investment in more advanced techniques that can be applied to kernel vulnerability research such as evolutionary fuzzing guided by code coverage.
This lecture will discuss methods for applying evolutionary coverage guided fuzzing to kernel system calls, IOCTLS, and other low level interfaces. First, to understand what makes an effective guided kernel fuzzer, we will discuss the tools available for open source drivers and kernels such as trinity and syzkaller which have found hundreds of vulnerabilities in the Linux kernel. Next we will look at using system emulators like QEMU for instrumenting kernel interfaces with code coverage to gain an understanding of the performance and limitations of this approach. Finally we will leverage our own custom driver to enable hardware branch tracing with Intel Processor Trace as a new method for evolutionary fuzzing against unmodified kernel binaries on Linux and Windows. The driver enabling this approach on Windows is authored by the presenter and available to the security community as opensource. This will be the first public lecture showing how to use highly performant modern hardware tracing engines to enable closed source kernel vulnerability research using coverage guided fuzzing.
Cisco Booth Lightning Talks:
Wed. July 26, 10:00am–7:00pm
Thurs. July 27, 10:00am– 5:00pm
Cisco Booth #700
On the full schedule, we have 18 NEW talks from Talos, and 11 other talks from Umbrella, and Cisco’s Web Security and Services teams! You won’t want to miss these sessions. Have a seat and enjoy a 30-minute presentation in Cisco booth 700. Plus, grab some great swag and a t-shirt.
Here is the full schedule of booth talks at the Cisco/Talos booth area (Italics indicates a talk from the Talos team):
| Wed July 26 | Speaker | Title |
| 10:00 – 10:30AM | Paul Rascagneres | Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ |
| 10:30 – 11:00AM | Jaeson Schultz | The Dark Side of the DNS |
| 11:00 – 11:30AM | Regina Wilson | Vulnerability Disclosure Policy |
| 11:30AM – 12:00 | Richard Harman | Internet Of Crap: Spelunking in Security Camera Firmware |
| 12:00 – 12:30PM | Earl Carter | The Evolution of Malware Distribution |
| 12:30 – 1:00PM | Scott Bower | Advanced Email Security – Combatting Today’s Blended Threats |
| 1:00 – 1:30PM | George Tarnovsky | X-Ray Reverse Engineering |
| 1:30 – 2:00PM | Ronnie Flathers | How I owned your Windows domain with “Informational Findings” and what you can do about it |
| 2:00 – 2:30PM | Sam Dytrych | Analysis of Video Game DRM Bypass |
| 2:30 – 3:00PM | Kevin Parra | Midyear Security Report |
| 3:00 – 3:30PM | Keti Kilcrease | Learn by Doing- Segment Your Network with Software Defined Segmentation |
| 3:30 – 4:00PM | Alec Gleason | Static Files in the Modern Web Age |
| 4:00 – 4:30PM | Nick Biasini | Exploit Kits Are Dead, Long Live Exploit Kits |
| 4:30 – 5:00PM | Jaime Filson | Images, not just for memes |
| 5:00 – 5:30PM | Brandon Stultz | Protecting Networks with FirePOWER |
| 5:30 – 6:00PM | Patrick Mullen | From Vaporware to Alpha – Snort 3.0! |
| 6:00 – 6:30PM | Vanja Svajcer | Modified Zyklon and plugins from India |
| 6:30 – 7:00PM | Brian Ford | Packet Capture for Incident Investigation and Response |
| Thurs July 27 | Speaker | Title |
| 10:00 – 10:30AM | Kevin Parra | Midyear Security Report |
| 10:30 – 11:00AM | Earl Carter | The Evolution of Malware Distribution |
| 11:00 – 11:30AM | Vanja Svajcer | Nyetya Attack: Latest Updates |
| 11:30AM – 12:00 | Patrick Martin | Talos Crete |
| 12:00 – 12:30PM | Nick Biasini | Exploit Kits Are Dead, Long Live Exploit Kits |
| 12:30 – 1:00PM | Jaeson Schultz | The Dark Side of the DNS |
| 1:00 – 1:30PM | Paul Rascagneres | Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ |
| 1:30 – 2:00PM | Warren Mercer | Introducing ROKRAT |
| 2:00 – 2:30PM | David Maynor | Talos Interdiction: MeDoc and the Ukraine |
| 2:30 – 3:00PM | Atheana Altayyar | The Anatomy of an Attack |
| 3:00 – 3:30PM | Kristyanne Patullo | Preventing Tomorrow’s Attacks using Cisco Umbrella |
| 3:30 – 4:00PM | Brian Ford | Finding Malware in Encrypted Connections Using Encrypted Traffic Analytics |
| 4:00 – 4:30PM | Andrew Akers | Accelerated Response with Network Visibility and Enforcement |
| 4:30 – 5:00PM | Kevin Parra | Midyear Security Report |
Career Zone:
Wed. July 26 – Thurs. July 27
Black Hat Business Hall, Booth CZ2
Interested joining the best threat intelligence team in the business? Talos is looking for the best, brightest, and most promising in the threat research and intelligence areas to join one of the largest teams in the industry. If you have the talent and a passion for threat research, malware hunting, interdiction, vuln dev, linguistics, reversing, machine learning, etc., we want to talk with you. Find us in the Career Zone at Black Hat and introduce yourself – you may even get an invite to some private events to meet more of the team – not to mention the best job you’ve ever had.
Friendly Reminders:
There are lots of things you should know before heading to Black Hat and DEFCON. Here’s a quick list of things to absolutely remember:
- Business cards
- Spare juice packs – nothing drains devices like a conference, although turning off Bluetooth and wi-fi radios helps and may not be a terrible idea at any conference. If you aren’t charging, you are probably going to have a dead phone by the time the parties start in the evening.
- Comfortable walking shoes – yes, many venues are connected, but they are connected via LONG walks. Many attendees rack up more than 8-10 miles per day on their pedometers!
- Space in your suitcase – there is swag-a-plenty and you need to get it home!
- Water – because it’s the desert.
We are looking forward to meeting and seeing everyone at Black Hat and DEFCON. Be sure to come by booth #700 and say hello …and, of course, pick up a NEW limited edition Snorty pig for your collection!
Staying for DEFCON?
Talos is a proud sponsor of the Packet Hacking Village at DEFCON this year! Okay, now make sure your Bluetooth and Wi-Fi are off. You know what – just power down. Also, make sure to join Talos Senior Security Research Engineer Patrick DeSantis for his talk in the DEFCON 101 track and Talos Research Lead Rich Johnson for his talk on kernel fuzzing:
From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices
Thursday at 11:00
DEFCON 101 track
Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new “out of the box” Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes un-removable, backdoor accounts.
Make mobile a standard: When physicians can use tablets/portable devices to chart notes, or patients can easily use apps to access portals, they’re more likely to maximize the benefits of an EHR.
Demand strong security measures: To take advantage of digitization opportunities, healthcare organizations must rigorously attend to security and regulatory requirements to keep their patients, facilities, data, and devices safe, sound, and secure.
Ensure systems run quickly and effectively: Slow load times and data entry latency frustrate clinicians and staff and eat into limited time, both work time and patient/provider face time. The technology infrastructure supporting the EHR system matters—a lot.
