Source Zero Con 2022 Video Hub

A Trove of Technical Security Guidance and Expertise.

Source Zero Con is a virtual event bringing the technical community together to educate future security leaders. This video repository features the latest presentations and interactive workshops led by Optiv’s Source Zero research and innovation team from June 2022. Tune in for timely insights as our experts discuss emergent security concepts and capabilities from an array of practices, including Attack and Penetration, Application Security, Cyber Threat Intelligence, Digital Forensics, Incident Response and Vulnerability Management and Remediation (TVMR).

Incident Response and Vulnerability Management

Introduction to Vulnerability Management
Speaker: Dav Wilson, Senior Consultant II, Optiv

Build or Enhance Your Vulnerability Management Program
Speaker: Luis Castillo, Technical Manager, Vulnerability Management & Remediation, Optiv

Mitigating Risks Posed by Threats & Vulnerabilities Using Advanced Remediation Management
Speaker: Luis Castillo, Technical Manager, Vulnerability Management & Remediation, Optiv

Risk-Based Vulnerability Management and Remediation: A Better Way to Add Context to Your Vulnerability Management Program
Speaker: Shaun Kummer, Senior Consultant I, Optiv

Leveraging Data Science and Machine Learning to Modernize Vulnerability Management and Remediation
Speaker: Carl Manion, Practice Director, Vulnerability Management & Remediation, Optiv

Wildfire: What Wildland Firefighting Can Teach Us About Responding to Destructive Malware Attacks
Speaker: Curtis Fechner, Engineering Fellow, Enterprise Incident Management, Optiv

Live, Laugh, LoLBAS
Speaker: Mathew Lyons, Practice Manager, Optiv

Establishing an effective vulnerability management (VM) program is not an easy task. Organizations often fail to comprehend or consider all the requirements for success. There are various supporting components (such as people, policies and processes) that go beyond buying and deploying a VM tool or technology. We’ll discuss the essential fundamentals for establishing a successful program for your organization. Learn methods for aligning VM within your security operations while gaining insight into how Optiv partners with clients to establish and improve their cybersecurity efforts through outcome-driven solutions.

The speed at which modern IT has advanced over the past decade has contributed to an exponential rise in system vulnerabilities, matched by a dramatic increase in the volume and sophistication of cyberattacks. To successfully deal with this challenge, a well-defined, risk-based vulnerability management program is essential, helping an enterprise improve its security posture by structuring processes and resources to perform VM activities continuously and proactively. Unfortunately, most organizations lack program maturity or don’t have a program at all.

The cybersecurity threat landscape has changed significantly over the past decade. These evolving threats, combined with an exponential rise in system vulnerabilities, have made it difficult for organizations to come up with an adequate model to assess risk and respond appropriately. This leads to gaps in unmitigated threats and vulnerabilities. It’s vital to adopt a systematic approach to respond to these, and to make operational changes that strengthen the security posture of the organization.

Mitigating vulnerabilities can seem like a daunting task, especially for organizations without proper staffing to tackle the endless number of vulnerabilities emerging every day. Whereas vulnerability management processes focus mainly on identifying vulnerabilities and classifying them based only on severity (rather than their true risk to your organization), risk-based vulnerability management adds contextual information relating to the risk and impact to your environment.

By combining data science and machine learning to process and analyze the latest data on known vulnerabilities and correlate it with threat and exploit intelligence feeds, organizations can leverage their security telemetry to gain a much more accurate view of their overall risk exposure. This presentation focuses on how using modern risk-scoring techniques, along with remediation intelligence and best practices, can get you the information you need to make truly data-driven decisions better and faster.

Destructive cyberattacks have continued to evolve as a common event. As cyberattacks grow, their significant impacts and associated risks must not be underestimated by organizations. This talk explores the logic, process and science applied to wildland firefighting incident management while illustrating the lessons that can be carried over into the cyber domain. The subjects of discussion include incident alerting and triage, containment and recovery in the face of a destructive cyberattack. Additionally, the session will discuss how the keys to mastering a virtual wildfire can be found by adopting a wildland firefighter’s mindset.

Building custom tools is hard. Why reinvent the wheel when the perfect tool for malicious activity was already approved by IT and available to every host in the network? The goal of this talk is to provide some additional insights into how threat actors leverage living off the land binaries and scripts (LoLBaS) to be successful in their attacks. We will do this by first establishing a common language and mindset for threat hunting these techniques. Then we cover some specific programs that are leveraged by threat actors and the gaps in current detection methods. And finally, we walk through some programs that are underutilized in the wild, but have a lot of potential.

Attack and Penetration

Certified Privileged Escalation as-a-Service
Speakers: Zachary Stein, Security Consultant, Optiv; Garrett Foster, Security Consultant, Optiv

How Easy Is It to Break Into Your Building?
Speakers: Savannah Lazzara, Technical Manager, Attack & Penetration, Optiv; Ariyan Suroosh, Security Consultant II, Optiv

Leveling Up Your Tradecraft - How to Bolster Your Toolkit
Speaker: Matthew Eidelberg, Engineering Fellow, Optiv

OSINT: Enhanced IP & Subdomain Enumeration
Speakers: David DiEnna, Practice Manager, Optiv; Lars Cohenour, Security Consultant, Optiv

Thinking in Shades of Red
Speakers: Aaron Martin, Technical Manager, Optiv; Matthew Eidelberg, Engineering Fellow, Optiv

Hardware Hacking 101
Speaker: Jess Hires, Practice Manager, Optiv

It Doesn’t Have to be STUXNET: Attacks on ICS Environments
Speaker: Keith Thome, Principal Consultant, Optiv

Day in the Life of a Pen Tester
Speakers: Matt Burch, Technical Manager, Optiv; Matthew Eidelberg, Engineering Fellow, Optiv; Tim Elrod, Demand and Delivery Manager, Optiv; Savannah Lazzara, Technical Manager, Attack & Penetration, Optiv; Ariyan Suroosh, Security Consultant II, Optiv

In this talk, Angelo reviews advanced database testing techniques such as timing attacks. He presents a few real-world findings where he successfully extracted PHI from a database through a web assessment using a database timing attack. Angelo also addresses other, more advanced side-channel attacks for databases. 

Active Directory (AD) presents one of the largest attack surfaces within an enterprise network when configured improperly. In this talk, we describe newly documented vulnerabilities within Active Directory Certificate Services (AD CS) brought to light recently by SpecterOps. We’ll also discuss the most prevalent misconfigurations in this service that Optiv has observed in enterprise environments. Attendees of this talk will take away a better understanding of AD CS, the risks it can pose to an organization and current TTPs being used by attackers.

Physical security is crucial to any organization, but as more and more enterprises shift to a primarily remote workforce, it can sometimes take a back seat. However, many companies still maintain a physical office presence, and protecting employees working from the office, along with other critical assets, is vitally important. An attacker gaining access to a building through social engineering or other means of physical entry may access unattended workstations, open file cabinets, server rooms or other information inside the organization. Skilled attackers may only need a few moments to slip into a building and plant a remote access device on the network. Savannah and Ari discuss how attackers leverage various tools, tactics and procedures to physically breach a building. This session deep-dives into reconnaissance, methods of entry, badge cloning, post-exploitation and why a trip to the local thrift store along with twenty dollars can sometimes be more effective than any tool on the market.

Attackers employ sophisticated techniques to circumvent various organizations' technical controls for protection. As a result, defenders have a driving need to detect and prevent these attacks. Red teams are continually leveling up their tradecraft to evade ever-evolving defensive countermeasures. But how can you improve your tradecraft these days? Where do you start? This talk covers all the operational considerations, strategies and tradecraft theories that Matthew has developed, as well as a toolkit to help augment your loaders.

Thorough discovery and profiling techniques can enhance the success rate of a penetration test, regardless of whether the focus is on wireless, perimeter, internal networks, or even social engineering and other attempts to gain physical access to a target’s facility. Specifically, properly performed IP discovery and subdomain enumeration are key factors for identifying well-known and partially obfuscated assets, effectively "painting the picture" of the target's available attack surface. This is a continuation of our previous SZC OSINT talk, diving deeper into the specific TTPs used by professional pen testers to accurately identify a target’s internet-facing profile, and aiming to reduce the likelihood of false positives prior to conducting dedicated attacks.

The cyber threat landscape is constantly evolving. Traditional penetration testing is no longer sufficient to keep an organization updated with the latest cyber threats. It has become a necessity for organizations to start performing adversary-based simulations. This talk walks through the phases of a red team assessment, shining a light on the mindset of a red team and how they approach the task of compromising an organization covertly. This session aims to educate those wanting to get into red teaming, as well as organizations who wish to learn what to expect on their first red team engagement.

Internet-connected smart devices are becoming more prevalent in the home and the business. IoT devices cover a wide variety of products, including routers, security cameras, light bulbs and more with wired or wireless internet connectivity. These devices are often not adequately hardened by the manufacturer, which may allow access to privileged functionality, the underlying operating system or exposed data that the device should be protecting. This session covers how to fingerprint and attack IoT hardware.

During this presentation, we discuss the current state of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) devices around the world from an attacker’s perspective. Heavy focus and emphasis has been placed on nation-state-sponsored attacks toward large environments, with the goal of these attacks being to effect change within a geopolitical atmosphere. However, attacks by actors that lack the same resource pool are also on the rise, targeting smaller organizations with the same success. We explore and demonstrate an attacker’s perspective within a simulated environment, from initial breach to lateral movement to finally ransoming a hypothetical organization controlling multiple SCADA/ICS devices with the threat of mass destruction. Along the way, we’ll discuss methods to combat these types of attacks at each phase, from a technological, ideological and industrial design standpoint.

Have you ever wondered what it's like to be a penetration tester? What off-the-wall funny stories do career pen testers have? Or how do you get into the field of penetration testing? This panel of Optiv offensive security consultants will provide insight into what it's like working in offensive security professional services, based on audience questions sent to our Source Zero Twitter.

Application Security

What Eastern Medicine Can Teach Us About Application Security
Speaker: John Tsangaris, Technical Manager, Optiv

Magic Crypto Dust
Speaker: Damian Profancik, Technical Director, Optiv

Adversarial Testing of Smart Health Card Applications
Speaker: Tim Farley, Principal Consultant, Optiv

WORKSHOP – Android: The Vulnerable App
Speaker: Vandan Pathak, Senior Consultant, Optiv

WORKSHOP – Exploit Development: Chaining Exploits for Maximum Gains
Speaker: Tanner Scott, Consultant II, Optiv

Drowning in APIs: How to Improve Your API Security With Proper Inventory, Prioritization and Automation
Speaker: Doug Rogahn, Senior Security Consultant, Optiv

Securing Technology in the Medical Space
Speaker: Nikhil Ollukaren, Senior Application Security Consultant, Optiv

Secure SDLC Assessments
Speakers: Sharon Millar, Security Consultant II, Optiv

Catch a Person a Vish, Feed them for a Day. But Teach a Person to Vish, Feed them for a Lifetime!
Speaker: Eric DiPietro, Security Consultant, Optiv

Uncovering the Unknown Unknowns Within Your Secure SDLC Program
Speaker: Nick Hawley, Practice Manager, Optiv

Eastern medicine uses two views when treating health problems: immediate treatment and systemic/holistic treatment. Application security should be approached in the same way — implementing both immediate treatments as well as viewing the system holistically to apply the best prescription for that company's circumstances, needs and "lifestyle." This talk breaks down the similarities, using Eastern medicine analogies and anecdotes to describe why holistic application security is the best course for longevity.

Cryptography is not magic ... though some developers consider it as such. It is, however, a useful tool for gaining more confidentiality and integrity for your application. Despite its benefits, cryptography can actually be a detriment to an application's security if not implemented correctly. Damian discusses some ways that he has seen cryptography implemented poorly and the attacks that can be performed against it. He also discusses how to implement cryptography in a correct fashion and avoid some of these pitfalls.

A de facto digital vaccine passport has emerged in the U.S. and Canada called Smart Health Cards. It is based on familiar web app technologies including JSON Web Tokens, JSON Web Keys, ECDSA public key signatures and more. Over 500 organizations including hospitals, pharmacies, states and provincial governments have adopted the standard and issue these credentials for their patients. By some estimates, over 300 million people have access to Smart Health Cards. In part because of the controversy over COVID and vaccines, there is plenty of documented criminal activity in regard to COVID, such as vaccine card forgery. Like any other form of crime, this extends to the digital realm as well. Meanwhile, the infrastructure supporting Smart Health Cards consists of hundreds of websites, over 75 smartphone applications and other pieces of code developed very quickly to respond to the COVID crisis. Are all these pieces of code free from security flaws exploitable by cybercriminals? A few flaws have been published and fixed in individual applications, but no publicly available security testing methodology for Smart Health Cards has been developed. In this presentation, Tim documents a testing methodology he has developed this year. He demonstrates how flaws in Smart Health Card applications can allow forgery and other attacks. He also documents some actual flaws that have been detected in real implementations.

Vandan has built a vulnerable application on the Android platform. This application can allow an attacker to practice their AppSec skills.

This workshop covers how to write a Python script using the requests library to chain together multiple vulnerabilities found in a web application. After covering the basics of the requests library, the workshop has attendees exploit a loose comparison vulnerability in PHP followed by a file upload that allows remote code execution on the server. After this workshop, attendees should have a better grasp of how to develop an exploit for web applications.

With increasing cloud migration and IoT device use, the number of APIs being developed has increased exponentially. The requirement to perform security testing on all new development before it can be moved to production has increased the workload for security testing teams, and simply “staffing up” to these challenges is not feasible. Doug discusses some strategies for discovering existing APIs and key attributes to consider when building an inventory. For example, with an inventory in place, how do you prioritize and identify how the APIs interact with other applications? How do you efficiently secure all those end points, how does SDLC hardening fit into this picture, what testing can be automated, and finally, how do you prioritize what end points need to be manually assessed?

This presentation looks at the current role security plays in the medical space. We start with how technology has enhanced the medical space and become woven into the fabric of care. Then we look at how it’s integrated as well as the friction points and compliance requirements it causes for medical professionals and administrative staff. Finally, we dive into methods of testing and verifying compliance and security posture, along with ways we can help shift security left in the ecosystem.

Application security begins and ends with the software development lifecycle (SDLC). All software products are going to have bugs and some of them might have security implications. The monetary and time impact on software security defects is significant, but these costs can be greatly reduced by mitigating security defects early. In this presentation, Brendon Collins and Sharon Millar will introduce SDLC hardening and its two distinct workflows, leveraging the OWASP SAMM model. This introduction includes the five security pillars, 15 security practices and their associated streams, as well as an outline of how a successful assessment is performed. The goal of this presentation is to emphasize how slight changes can impact an enterprise's security maturity level.

Security consultants who are extremely familiar with performing web application assessments may have little or no understanding of how vishing is done. While web application assessments and vishing assessments may seem totally disparate, there are many things that connect the two. By giving examples of common web application vulnerabilities and drawing a comparison to how they relate to techniques used in a vishing assessment, Eric draws parallels. While not a deep dive into vishing, web app work or vulnerabilities, this discussion will prove interesting for anyone who is only familiar with one of these two types of assessments.

Many organizations struggle to identify what’s most important when trying to apply security to their software development lifecycle (SDLC). With all the threats to their enterprise, where should they spend their energy and resources? What are they good at, what are they bad at, and most importantly, what don’t they know? In this session we look at practical applications of the OWASP SAMM framework to identify unknown risks within an organization. We consider organizations that are just starting on their secure SDLC, as well as mature organizations that are much further along. By applying this framework, organizations can analyze their programs and identify security measures they may not have considered. Identifying these blind spots can help organizations create awareness in what security gaps exist within their SDLC program and some practical steps to address them.

Career Pathing

Consulting Skills to Pay the Bills
Speaker: Gerren Murphy, Practice Manager – Attack & Pen, Optiv

Military to Civilian - From Aim Higher to Aim Cyber
Speakers: Kevin Ayala, Consultant II, Optiv; Garrett Foster, Security Consultant, Optiv; John Quadrino, Consultant II, Optiv; Travis Weathers, Practice Director, Threat Management, Optiv

Networking to Get Your Next Role
Speaker: Heather Hall, Demand and Delivery Manager, Optiv

So, you wanna be a paid hacker — I mean — security consultant. Hacking is the easy part, but consulting? Sometimes… that’s not so easy. The first six to 12 months for someone brand new to consulting can be challenging and rage-quit-inducing. Being a solid security consultant requires a mix of skills: technical knowledge in many different areas, as well as the ability to communicate this knowledge to others in a clear and concise manner. Additionally, there are reports to write, clients to manage, meetings to attend, and the list goes on. In this talk, we’ll cover tips, tricks and sanity maintenance for aspiring or newly minted security consultants that will help you prepare for and better understand life as a consultant.

This presentation shares experiences from veterans on the Optiv Attack and Penetration team regarding transitioning from the military to the civilian cybersecurity industry. Considering the COVID-19 pandemic and the subsequent Great Resignation’s impact on the job market, the civilian workforce is ripe for military members seeking civilian employment to put their best foot forward and seek positions that align with their passions and skill sets. Speakers cover common pitfalls, how to avoid them and best practices for learning new tools and TTPs. It’s important to note that this mentorship session is not limited to military members already in the cybersecurity field! Attendees of this talk will take away the importance of having a mentor, practicing tools and TTPs, and some do’s/don’ts associated with the hiring process.

Heather Hall discusses how networking can be a source for your next opportunity. She'll share activities, lessons and steps she took that helped her gain knowledge, notoriety and roles. Networking is an avenue to meet people and help each other serve. The talk will emphasize how growing relationships through networking can help you reach unknown avenues.
