If you have ever heard of Wilmington, North Carolina, it might be because the WW2 battleship North Carolina is moored there, or that it is a historically significant shipping town, or because of its role in the US-British Revolutionary War. But starting in 2023, it is also known as the east coast home for Techno Security & Digital Forensics Conference, which was previously held in Myrtle Beach. 2023 also marked the 23rd year of the conference and community, this year bringing together just over 1000 total participants.
Many of the sessions were directed at law enforcement officers, leaning into the digital forensics side of the conference, and a lot of the attendees work with various government agencies. There were also plenty of sessions for the general security community as well. Here are just a few of the highlights from this enlightening cybersecurity event.
Improving our security posture
Security special forces
In the keynote "Cyber Defense is the New Offense," Joseph "Rich" Baich, CISO at the CIA, shared how the cyber threat landscape continues to evolve. He began his talk by reminding us of the uphill challenge we all face: adversaries only need to be right once, while we must be ever vigilant and continually improve.
In our jobs to take the battle to the attacker, Rich referenced the martial art of Judo. in Judo, you are trained to lead your opponent to do something else than they initially set out to do, specifically something you can counter. In cybersecurity, this is exactly what we need to do through cyber deception, driving them to another part of the network where we can attack them.
We should take action to drive the cost up for adversaries to succeed. We know how they behave, and their operating procedures are pretty standard: They establish a beachhead, lateral expansion, and privilege escalation.
Embracing Zero Trust is another essential step in protecting our organizations. This means starting from a position of disallowing everything. We then need only to allow essential access, be that to a person or a service. Similarly, if we always start from a position requiring Multi-Factor Authentication, MFA, then it will be much easier to keep access locked down.
Rich suggested partnering with government agencies or at least being ready to when needed. In the US, for example, CISA and DHS have a lot of taxpayer-funded resources simply awaiting your requests. They can also be there when cybercriminals are actively attacking you, which you should prepare by pre-drafting lawyer-approved letters that allow you to share data and techniques with the government. He said this would save a lot of time and money in the long run; no one wants to call their lawyer in the middle of an incident to draft this after the fact.
Rich ended his session by encouraging us all to adopt a 'special forces' mentality, summed up in five truths:
1. Humans are more important than hardware.
2. Quality is better than quantity.
3. Competent special forces can not be created after an emergency occurs.
4. Special forces can not be mass-produced; they take individual time and attention.
5. Remember that special operations require non-special operation support. We can't do this alone.
Enabling better security culture
In his session "True Cyber Emergency Stories and Leadership Action Plans," Dan Lohrmann, Field CISO of Presidio, reminded us that ransomware is a very real and ongoing threat. At the time of this writing, the City of Dallas has been fighting an ongoing attack for months. Cybersecurity is a business risk issue, not just an IT issue. Supply chain attacks are opening eyes that it is not 'if,' but "when" an incident will occur.
He stressed we must practice like we want to perform. We must start to think in terms of real-world situations and not ideal circumstances. For example, in tabletop exercises, he gives a randomly chosen 1/3 of the room the 'day off,' not letting them participate. In day-to-day life, the reality if some essential team members will be sick, on vacation, or just unavailable in general
We need to think about ransomware as we do hurricanes, floods, and natural disasters. Do you have our plans backed up offline or at least off the network? Do you have a backup power supply?
While we live in a scary world, we can allow fear, uncertainty, and doubt (FUD) to dominate our cybersecurity programs. We must learn to enable, not disable, our teams and orgs. We all need to strive to be seen as enablers and trusted advisors. If you are seen as continually saying, "No, we can't do that," then you will not be trusted to empower the organization when there is an emergency.
Security for any size budget
We heard a lot of straightforward security best practices from Robert Wagner in his talk "Blue Team on a Budget." His main takeaway is that no matter how large or small your organization's security budget is, there is no reason security shouldn't be implemented.
Organizations tend to focus too much on technical solutions, forgetting that processes and people are just as crucial in our security equations overall. One way to get people more actively involved in security is by making it fun through contests and competitions to report the most phishing attempts or malicious sms messages, for example. For the price of a few Amazon or Starbucks gift cards, any org can turn entire non-technical departments into 'carbon-based threat detectors.' Training them to use password managers and to stop storing passwords under keyboards can go very far in keeping them safe.
Another very cost-effective measure is patching out-of-date software. An additional easy win could be blocking outgoing server access to everywhere it is not explicitly allowed. Blocking all executables from running that are not on an explicitly allowed list can also shut down many attacks.
Robert also suggested laying down some landmines in the form of canaries or honeytokens within your perimeter as well. No attacker in the world is going to pass up a file called "PasswordList," which you could stuff with decoy credentials. We 100% agree honeytokens are a great tool.
AI and the future of security
ChatGPT and AI are hot topics in most current cybersecurity conversations, and that is exactly what Ian O’Briant from CheckPoint explored in his session "Artificial Intelligence: Friend or Foe in the Context of Ransomware." Unfortunately, ransomware continues to be a growing threat, with the number of attacks increasing by 93% since the start of the year. Over the last couple of years, we have even seen the rise of "ransomware-as-a-service."
Ian explained we are in the middle of the AI revolution. In the last major shift, the industrial revolution, we had a transformation of muscle power being replaced by machine power. In this AI age, we are replacing brain power with machine power, or now, AI power. This is all driven by ever cheaper memory and ever cheaper hardware that you can now simply rent.
While we often hear about the ways criminals use AI tools like ChatGPT to write malware, the good guys are also making strides forward too. Ian walked us through how his team uses AI for Predictive Threat intelligence, exposing C&C servers and malicious domains faster than humans alone have ever been able to.
For examples of this, he brought up tools like Checkpoint's Huntress and CADET. Teams are able to leverage these tools to stop malware more effectively at the edge before those phishing emails ever enter email servers or hackers can gain a foothold. Combining predictive intelligence with best practices like MFA, keeping patches up to date, and strong content disarm & reconstruction, CDR, processes, we can stop the most common attacks and keep our orgs safe, even as threats evolve.
One of the best parts of open source tools is that they easily fit into any sized budget and still deliver amazing results and value. This was one of the many takeaways from the session "Open Web Application Security Project (OWASP) Zed Application Proxy (ZAP): Is My Web App Secure or Vulnerable?" by James Dodmead from Cyber Defense Solutions.
While there is no silver bullet in security, testing can prevent a lot of issues and save a lot of headaches. While static scanning tools, such as secrets scanning, are fantastic, dynamic scanning of a live application can uncover different types of problems. Fortunately, one of the best dynamic application scanners in the world is free and open source: OWASP ZAP.
ZAP, short for Zed Attack Proxy, is a tool that sits between your browser and an application. It features a lot of capabilities, including:
- A spider - to crawl web apps to find all paths,
- Passive scan - injects nothing into the application and just reports on what is returned from requests,
- Active scan - an attack mode to be used only on applications that you have explicit permissions to attack.
- Fuzzing - submitting lots of invalid or unexpected data to a target.
It comes with a choice of UI options, with a classic app frontend that displays lists and a folder view of issues when you first start the application. There is also a Heads up Display, HUD, that shows up as an overlay on top of the application in your browser.
James repeatedly reminded us that using ZAP in active scanning mode means you are actively attacking a web app. This is illegal unless you either own the app outright or have express written permission from the owners. Fortunately, for testing purposes, OWASP has another project you can freely download and use, Juice Shop. When run locally in a Docker container, you can test and experiment as much as you like, for free and completely legally.
James also left us with parting suggestions for free online security training. He suggested leveraging the free training course on Web Security Academy offered by Portswigger. He also pointed us to the National Vulnerability Database feeds and urged us all to stay up to date on the ever-evolving threat landscape.
Data-driven decisions making
Closing out the whole event was one of the most charismatic speakers I have ever had the opportunity to see. Dr. Joe Perez presented "Driving Decisions with Data: Delight or Disaster?" Rather than try and summarize his fantastic talk, I am going to simply encourage everyone to watch a recording of this same talk from a previous event he keynoted.
Keeping us safe is everyone's responsibility
The Techno Security & Digital Forensics Conference is a wonderful community, bringing together the folks on the front lines of cyber warfare, academics researching emerging and evolving threats, and industry professionals like myself focused on providing technical solutions to help us improve our security posture. It is through events like this that cybersecurity professionals can really grow and learn. I am very grateful to have had the chance to be part of it, sharing my knowledge about what to do when a secret leaks.
Whether you are building tools to catch malicious actors or just trying to make your internal org safer, GitGuardian can help you do it with more confidence around secrets management. Detecting leaked secrets quickly and accurately is just as important as storing and managing those credentials safely. Using GitGuardian Secret Detection can keep you on top of your secrets management game no matter how large your development team gets or how many repos you have. Combined with GitGuardian Honeytoken for immediate intrusion and leak detection, you can feel confident your secrets will really stay secret.