CornCon X: Powering Cybersecurity Innovation Through Human Connection
Only one section of the Mississippi River runs East to West. That stretch of the Big Muddy is home to Davenport, Iowa. While not the largest city in the Hawkeye State, it is part of the "Quad Cities," a healthy-sized metropolitan area spanning the river into Illinois, and is successful because they are working together as one large community. That same spirit of getting together collaboration, regardless of what separates us, was present in 2024 at CornCon X, the 10th-anniversary edition.
Around 400 practitioners, thought leaders, and students gathered at The RiverCenter for a packed agenda that spanned three full days. Day one was the CISO Summit, an invitation-only event where CISOs and executives could speak freely while catching up on the current market trends. The final two days of activities featured 47 sessions, multiple workshops and CTFs, a K-12 Kids’ Hacker Camp, and a day-long High School Cybersecurity Event. On top of all that, there were multiple villages and a whole lot of hallway conversations where folks from all backgrounds and focus areas could swap stories and talk about the latest developments in cybersecurity.
Here are just a few highlights from CornCon X
We must debunk the myths of cybersecurity to find a better path ahead
In a real highlight for participants, CornConX featured Dr. Gene Spafford, Author and Professor at Purdue University, presenting "Myths and Misconceptions in Cybersecurity," based on his book of a similar title. This thought-provoking session explored some core issues holding us back as an industry, including the fact that we use language wholly unique to us in security but expect the larger world to know what we mean. For example, the word 'virus' means something very different to a blue teamer than it does to someone working in microbiology or public health. The term "ransomware" is unique to our space and not understood by the average user.
The first myth he debunked is that we even have a clear definition of cybersecurity. We have a rough agreement that it means "protecting our assets against all forms of threats." However, it falls very short when you take a larger view of that definition. We cannot, eventually, protect against all threats. Even NIST has three current different definitions of security. In reality, we are always balancing risks, opportunities, and costs in our journey to secure our world. Dr. Spafford believes we need to come to an agreement on what measurements matter for security. He asked, "We measure everything else, so why is it so elusive to measure security?"
Another myth he discussed was, "More tech is better," pointing out we really don't value simplicity in our systems. Simpler is easier to defend, after all. He quoted Bob Courtney, who said, "There are no tech solutions to management problems. There are management problems to technical solutions."
He left us with some inspiration on how we can make changes for the better. He encouraged us all to rethink current conventional methods, asking ourselves why we are doing things this way. He asked us to seek simplicity in our work, as simpler systems are easier to defend. We must think about the whole of our systems, including the people who use and implement our solutions. Finally, we must seek to promote good values in our work.
SaaS might be your attacker's best friend
In his session "The Saas and the Furious - A deep dive in SaaS compromises," Ryan Wisniewski, Incident Response Lead, Obsidian Security, started by asking us why attackers would even care about SaaS. To paraphrase bank robber Willie Sutton, the answer is, "That's where the data is." Attackers don't need to be skilled with tools or fancy exfiltration techniques. If they can access your SaaS applications, they can use the same click-box interfaces you do and likely just download any data they want. They can even email it to themselves in some situations.
Ryan has been working to update the MITRE ATT&CK framework to better account for SaaS. His research shows that identity compromises are the main way into our orgs for attackers. This makes sense when you realize that most teams rely on shared service accounts with long-lived, seldom-rotated credentials to manage these services. Worse yet, a lot of these accounts, up to 90% in his research, were not even in use in the last 30 days, making service accounts a large and juicy target for adversaries.
He walked us through the major steps common in all SaaS attacks: Initial Access, Persistence, Defense Evasion, Discovery, and finally, Impact. While most of his work was focused on Business Email Compromises, one of the most financially damaging attacks possible, according to the FBI, Ryan also talked us through some major breaches that involved password reset and even multifactor authentication resets, as we saw with MGM in 2023. Ryan directed us to his blog post for those who are interested in learning more about SaaS identity compromise.
Understanding access management means having conversations with humans
In his session, "Hacking other teams using social skills to strengthen your IAM program," Sean Juroviesky, Senior Security Engineer at SoundCloud, shared his hard-learned lessons about dealing with very different teams, all thinking about access management in wildly different ways. He said that no magic formula or approach will suddenly solve IAM for everyone. Still, with time, patience, and actually talking to human beings, there is a path forward.
We first need to understand what kind of access we are dealing with, be it employee-initiated, as is common with SaaS, or externally-initiated, as some providers like ServiceNow provide. There are also the proper channels that internal security teams set up, but if those paths are seen as slowing things down, they are often worked around. In the long term, we must work to understand what is happening and establish a baseline for how access is actually being managed before we can work to improve it.
Establishing that baseline means talking to the individuals who are managing these accounts and understanding what they are using and why they manage it the way they do. This can not just be a manager-level discussion, as each team member is going to be using slightly different tools. We also need to understand these SaaS offerings and pricing tiers, as for many, single sign-on (SSO) is only an option once you hit a certain price point.
If we work with our teams to understand them as human beings, when the time comes to help enable better access controls, they might not fight you as hard since they will know you are really on their side.
Threat Intelligence requires interpreting context
In her thought-provoking session, "What the heck is Hermeneutics, and how can it be used to level up your threat intel game?" Cherie Burgett, Director of Cyber Intelligence Operations at The Mining and Metals Information Sharing and Analysis Center (MM-ISAC), introduced a lot of the audience to the concept of Hermeneutics. This is the study of interpretation, particularly of biblical, philosophical, and wisdom literature. This field of study dates back to the 15th century. While originally used to studying ancient texts, looking at contextual clues writers left behind in their work, there is a lot we can use from this field of study when performing threat intelligence in modern cybersecurity.
She explained the Hermeneutics circle, which is to examine the context the written artifact comes from, the text of the writing itself, re-examination of the wider context the writing introduces, and interpreting the work there, which leads back to having more context to consider, beginning the cycle over again. While similar to the threat intelligence process of examining text, looking at context clues, performing an analysis, and making an action plan, the traditional modeling approach does not loop back through after feedback to re-think about the context and loop iteratively. Basically, the approach asks, "Why the why?" inviting us to go deeper and look at the context of any useful information we discover.
Cherie also warned us to be aware of the fallacies of built-in presuppositions. If we are told by an attacker, "If you don't pay us, we will sell your data and keep attacking you," then we naturally want to suppose that the opposite must hold true, "If you do pay us, we won't sell your data and will stop attacking you." While that would be a nice thing to believe, it is rarely true when dealing with ransomware criminals, and we must keep that in mind as we respond to the incident.
Finding our way through the 'maize' of security threats together as humans
There were a lot more sessions across the three speaking tracks covering a wide variety of security topics. Across every session I attended, and in almost all of the conversations I had in the hallway track and at the after-event networking socials, there was a common theme: Security requires humans to empathize with other humans. Your author even got to talk about this in my session "Hidden Dangers Of AI In Developer Workflows: Navigating Security Risks with Human Insight." We must design our processes and technology with empathy; the users of our tools and processes are other human beings, and ultimately, it is humans we are trying to keep safe.
Fortunately, there is a great way for us all to connect with other humans in person, and CornCon is just one good example. You don't need to wait until CornCon XI in 2025 to connect with the security community. You can likely find a meetup or local event near you. You may even see GitGuardian there, too.