It is once again time for Security Summer Camp – the week in July when many of us descend upon Las Vegas for Black Hat and DEFCON. This is your official guide to what Cisco’s Talos Threat Intelligence team is doing at Black Hat 2017.

Whether you are looking to catch some great talks, hunting down the best parties, or just trying to avoid LineCon in all its forms, here is a quick run-down of where and how you can catch Talos speakers, Cisco events, and some fun stuff from other teams within Cisco as well. Read on for the full details of what Cisco has in store for this year!

Event At-A-Glance:

Event microsite: http://demand.cisco.com/CiscoBlackHat2017
Black Hat USA website: blackhat.com/us-17
Chat with us: @CiscoSecurity and @TalosSecurity
Visit us: Cisco Booth #700 – Snorty pigs, t-shirts, and amazing booth talks by the Talos crew and Cisco Security
Also visit: Cisco Cloud Security @ booth #240
Cisco Party / Talos VIP party: Private event at Heart of Omnia – Register early!

Wed. July 26

Talos Session – The Evolution of Threat Propagation Techniques – Craig Williams, 3:00–3:50 p.m., Business Hall Theater B (on show floor)
Talos Flash Talks: 10:00am–7:00pm, Cisco Booth #700 – Full schedule below
Career Zone: 10:00am–7:00pm, Black Hat Business Hall, Booth CZ2
Cisco Black Hat Party: 8:00pm, Heart of Omnia, Caesar’s Palace – Register early!
(Bonus: Get your Beers with Talos Podcast swag, available exclusively at the party!)

Thurs. July 27

Talos Session – Evolutionary Kernel Fuzzing – Rich Johnson, 2:30–3:20 p.m., Lagoon ABCGHI
Talos Flash Talks: 10:00am–5:00pm, Cisco Booth #700 – Full schedule below
Career Zone: 10:00am–5:00pm, Black Hat Business Hall, Booth CZ2

The Details:

Cisco Party:

Wed. July 26, 8:00pm Heart of Omnia, Caesar’s Palace

Omnia Terrace

Join Cisco and the Talos team at the Heart of Omnia at Caesar’s Palace.

You will enjoy music, an open bar, great food, and entertainment. A Black Hat badge is required for general admission entry. Unwind and have fun with your peers and the Talos team! We will also be giving out an exclusive Beers with Talos podcast t-shirt. Talos VIP attendees will be treated to some additional perks once inside. This party WILL be full, so register early!

The Evolution of Threat Propagation Techniques:

Wed. July 26, 3:00 – 3:50 p.m. Business Hall Theater B (on show floor)

Craig Williams, Talos Outreach

Join Talos Outreach Senior Manager Craig Williams on a journey through the evolution of today’s threat landscape. He will cover specific insights into the latest techniques used by threats we have seen in recent weeks, such as Nyetya/NotPetya, WannaCry, and more.

The challenge with malware isn’t writing the malware itself but the ability to get the malicious software onto end systems. Every attacker struggles with this problem – “how do I get this malware on more end hosts?” Newer payloads like ransomware ensure attackers are making more money than ever before. As long as businesses continue to pay, this threat will increase, that’s basic economics.

This increase in cash flow drives the evolution of threats and propagation techniques like never before. In this talk we will discuss the evolution of these techniques and how to defend against them.

Evolutionary Kernel Fuzzing:

Thurs. July 27, 2:30–3:20 p.m., Lagoon ABCGHI

The modern model of vulnerability mitigation includes robust sandboxing and usermode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise.

With this heightened demand, the past few years have seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This first wave has proven successful even though the methods used have tended to be rudimentary: dumb mutational fuzzing or manual code review. This is a good indicator that it is time to invest in more advanced techniques that can be applied to kernel vulnerability research, such as evolutionary fuzzing guided by code coverage.

This lecture will discuss methods for applying evolutionary, coverage-guided fuzzing to kernel system calls, IOCTLs, and other low-level interfaces. First, to understand what makes an effective guided kernel fuzzer, we will discuss the tools available for open source drivers and kernels, such as trinity and syzkaller, which have found hundreds of vulnerabilities in the Linux kernel. Next we will look at using system emulators like QEMU to instrument kernel interfaces with code coverage, to gain an understanding of the performance and limitations of this approach. Finally we will leverage our own custom driver to enable hardware branch tracing with Intel Processor Trace as a new method for evolutionary fuzzing against unmodified kernel binaries on Linux and Windows. The driver enabling this approach on Windows is authored by the presenter and available to the security community as open source. This will be the first public lecture showing how to use highly performant modern hardware tracing engines to enable closed-source kernel vulnerability research using coverage-guided fuzzing.

Cisco Booth Lightning Talks:

Wed. July 26, 10:00am–7:00pm
Thurs. July 27, 10:00am– 5:00pm

Cisco Booth #700

On the full schedule, we have 18 NEW talks from Talos, and 11 other talks from Umbrella and Cisco’s Web Security and Services teams! You won’t want to miss these sessions. Have a seat and enjoy a 30-minute presentation in Cisco booth 700. Plus, grab some great swag and a t-shirt.

Here is the full schedule of booth talks at the Cisco/Talos booth area (Italics indicates a talk from the Talos team):

Wed July 26
Time | Speaker | Title
10:00 – 10:30AM | Paul Rascagneres | Player 3 Has Entered the Game: Say Hello to ‘WannaCry’
10:30 – 11:00AM | Jaeson Schultz | The Dark Side of the DNS
11:00 – 11:30AM | Regina Wilson | Vulnerability Disclosure Policy
11:30AM – 12:00PM | Richard Harman | Internet Of Crap: Spelunking in Security Camera Firmware
12:00 – 12:30PM | Earl Carter | The Evolution of Malware Distribution
12:30 – 1:00PM | Scott Bower | Advanced Email Security – Combatting Today’s Blended Threats
1:00 – 1:30PM | George Tarnovsky | X-Ray Reverse Engineering
1:30 – 2:00PM | Ronnie Flathers | How I owned your Windows domain with “Informational Findings” and what you can do about it
2:00 – 2:30PM | Sam Dytrych | Analysis of Video Game DRM Bypass
2:30 – 3:00PM | Kevin Parra | Midyear Security Report
3:00 – 3:30PM | Keti Kilcrease | Learn by Doing – Segment Your Network with Software Defined Segmentation
3:30 – 4:00PM | Alec Gleason | Static Files in the Modern Web Age
4:00 – 4:30PM | Nick Biasini | Exploit Kits Are Dead, Long Live Exploit Kits
4:30 – 5:00PM | Jaime Filson | Images, not just for memes
5:00 – 5:30PM | Brandon Stultz | Protecting Networks with FirePOWER
5:30 – 6:00PM | Patrick Mullen | From Vaporware to Alpha – Snort 3.0!
6:00 – 6:30PM | Vanja Svajcer | Modified Zyklon and plugins from India
6:30 – 7:00PM | Brian Ford | Packet Capture for Incident Investigation and Response

Thurs July 27
Time | Speaker | Title
10:00 – 10:30AM | Kevin Parra | Midyear Security Report
10:30 – 11:00AM | Earl Carter | The Evolution of Malware Distribution
11:00 – 11:30AM | Vanja Svajcer | Nyetya Attack: Latest Updates
11:30AM – 12:00PM | Patrick Martin | Talos Crete
12:00 – 12:30PM | Nick Biasini | Exploit Kits Are Dead, Long Live Exploit Kits
12:30 – 1:00PM | Jaeson Schultz | The Dark Side of the DNS
1:00 – 1:30PM | Paul Rascagneres | Player 3 Has Entered the Game: Say Hello to ‘WannaCry’
1:30 – 2:00PM | Warren Mercer | Introducing ROKRAT
2:00 – 2:30PM | David Maynor | Talos Interdiction: MeDoc and the Ukraine
2:30 – 3:00PM | Atheana Altayyar | The Anatomy of an Attack
3:00 – 3:30PM | Kristyanne Patullo | Preventing Tomorrow’s Attacks using Cisco Umbrella
3:30 – 4:00PM | Brian Ford | Finding Malware in Encrypted Connections Using Encrypted Traffic Analytics
4:00 – 4:30PM | Andrew Akers | Accelerated Response with Network Visibility and Enforcement
4:30 – 5:00PM | Kevin Parra | Midyear Security Report

Career Zone:

Wed. July 26 – Thurs. July 27
Black Hat Business Hall, Booth CZ2

Interested in joining the best threat intelligence team in the business? Talos is looking for the best, brightest, and most promising people in the threat research and intelligence areas to join one of the largest teams in the industry. If you have the talent and a passion for threat research, malware hunting, interdiction, vuln dev, linguistics, reversing, machine learning, etc., we want to talk with you. Find us in the Career Zone at Black Hat and introduce yourself – you may even get an invite to some private events to meet more of the team – not to mention the best job you’ve ever had.

Friendly Reminders:

There are lots of things you should know before heading to Black Hat and DEFCON. Here’s a quick list of things to absolutely remember:

  • Business cards
  • Spare juice packs – nothing drains devices like a conference, although turning off Bluetooth and Wi-Fi radios helps and may not be a terrible idea at any conference. If you aren’t charging, you are probably going to have a dead phone by the time the parties start in the evening.
  • Comfortable walking shoes – yes, many venues are connected, but they are connected via LONG walks. Many attendees rack up more than 8-10 miles per day on their pedometers!
  • Space in your suitcase – there is swag-a-plenty and you need to get it home!
  • Water – because it’s the desert.

We are looking forward to meeting and seeing everyone at Black Hat and DEFCON. Be sure to come by booth #700 and say hello … and, of course, pick up a NEW limited edition Snorty pig for your collection!

Staying for DEFCON?

Talos is a proud sponsor of the Packet Hacking Village at DEFCON this year! Okay, now make sure your Bluetooth and Wi-Fi are off. You know what – just power down. Also, make sure to join Talos Senior Security Research Engineer Patrick DeSantis for his talk in the DEFCON 101 track and Talos Research Lead Rich Johnson for his talk on kernel fuzzing:

From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices

Thursday at 11:00
DEFCON 101 track

Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new “out of the box” Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well-known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes unremovable, backdoor accounts.