Talk Archive ∼ October 2nd 2021

Panel Discussion - Unorthodox Advice for a Great Career in Cybersecurity

  • Lindsey Cerkovnik, DHS ICS Vulnerability Management Lead
  • Todd Keller, Dragos
  • Mark Stacey, Dragos
  • Virginia Wright, Energy-Cyber Portfolio Manager , Cybercore, INL

Everyone, these days, has advice for what it takes to succeed in a cybersecurity career. From deep esoteric knowledge, to ninja-like skills, there are a seemingly endless and overwhelming number of required steps and certifications needed to fuel your career. But, while each of these is useful, they miss the core essence of what drives cybersecurity professionals to succeed and what keeps them in this field when the days are long, and the work is seemingly endless. This panel presentation will provide unorthodox insights which, when paired with training and skills, can jump-start and enrich a professional cybersecurity practice.
Threat Intelligence and Sensemaking
Presented by S. Freeman

No Bio

Sensemaking, a core concept in intelligence analysis, is the process of creating situational awareness from limited or incomplete analysis. Within the field of cybersecurity, cyber-attacks present unique challenges for intelligence analysis. Attribution, for example, may be limited as the origin and motivation of cyber-attacks can be distorted, cyber weapons can be stolen and re-purposed, and false flag operations are possible. Given the complexity of the cyber domain, new approaches are needed to respond to these attacks and develop deterrence strategies. This presentation aims to identify the unique challenges of attribution within the cyber space and proposes recommendations for intelligence analysis within these constraints. This presentation will provide the audience with an overview of cyber threat intelligence (CTI), including the intelligence cycle, understanding why CTI is important, and recognizing customer needs. I will introduce term and trend analysis, as well as methods and open-source tools to get started in this domain.
Covert Cognizance: Embedded Intelligence for Physical Process Defense
Presented by Arvind Sundaram

Arvind Sundaram is a third-year Ph.D. student from Manama, Bahrain, in the School of Nuclear Engineering at Purdue University, where he works on cybersecurity research for industrial systems. His work focuses on developing self-awareness in industrial systems to protect them from sophisticated threats such as insider attacks and advanced persistent threats. His research employs a form of active fingerprinting to create system signatures that cannot be reverse-engineered by AI and machine-learning algorithms. He hopes to extend the work to data masking, source verification, and data recovery in compromised environments.

Can industrial systems be made self-aware, alert operators to misuse while cleverly lulling capable adversaries into a false sense of superiority? Achieving these goals forms the focus of covert cognizance (C2 ). The C 2 paradigm is an active cyber defense that aims to serve as an additional layer of physical process defense against highly sophisticated attacks such as advanced persistent threats where the attack vector has privileged access at the human-system interface level, representing the top of the hierarchy in terms of component access and sophistication. C 2 perturbs systems in a manner that induces cognizance by storing incorruptible information about the process such as its execution history in the process itself. It does so in a covert manner by exploiting the vast redundant space inherent to dynamical systems without the introduction of additional variables that may leave a footprint. Moreover, the perturbations are designed to be impervious to pattern-detection techniques like AI and ML to further reinforce the covertness requirement. This work falls under the broad framework of cyber-informed engineering approach adopted by the nuclear community.
Harry Potter and the Use of Low Cost SDR and Open Source ELK Stack to Implement an Aviation Data Link Capture Infrastructure
Presented by Carl Schuett and Jesse Young

Jesse and Carl are Security Researchers for QED Secure Solutions. A small security firm that specializes in security research and assessments of embedded devices, critical infrastructure, and medical systems. Jesse has extensive cybersecurity experience both with QED as well as with the Air National Guard, Microsoft, and Kaiser Permanente. Carl joined QED after retiring from the Air Force and is everything you would expect from someone with years of government service.

This presentation demonstrates the use of the open-source Elasticsearch-Logstash-Kibana (ELK) technology stack as a data analysis platform for raw aircraft-communications data captured via software-defined-radio (SDR). The ELK Stack is intended as a log analysis tool capable of ingesting structured data from unknown sources and deriving fields from the structured data for system monitoring, system health, visualizations, and other functions. ELK is routinely used to ingest, index, and display (and natively recognizes) data from common IT utilities such as web servers, security audit logs, etc. For example, security operations teams regularly use the ELK stack to centralize monitoring and perform hunt operations on networks they defend. Here, we demonstrate how to leverage the ELK stack’s capabilities to ingest data that has nothing to do with common IT utilities – in particular, raw aircraft communications data captured via SDR.
Using a system of relatively low-cost components, open-source software, and cloud computing, we will demonstrate how we captured raw Aircraft Communications Addressing and Reporting System (ACARS) data across multiple locations, structured it for transport, and pushed it through an ingestion pipeline for analysis and display on our own AWS-hosted infrastructure. This presentation will cover the following topics:
  • Brief history of ACARS
    • Origin
    • Deployment
    • Expansion
  • Modulation schemes used to support Aircraft data links
    • VHF Data Link Mode 0/A
    • VHF Data Link Mode 2
  • Aircraft data link applications
    • Aviation VHF Link Control (AVLC) and ACARS over AVLC
    • Controller Pilot Data Link
    • Automatic Dependent Surveillance – Contract
    • Future Air Navigation System 1/A+
  • Tools for setting up your own ACARS receiver
    • Antennas
    • Software Defined Radio
  • Open-source decoders and advantages/disadvantages/capabilities of each.
    • Acarsdec
    • Vdlm2dec
    • Dumpvdl2
  • Different methods that can be used to capture ACARS VDL transmissions
    • Air Band Scanners
    • Audio Receivers (MultiPSK, Acarsd)
  • How to use the ELK stack to perform analysis on captured data, reverse engineer encoded data, and expand Logstash filters based on the results of reverse engineering
    • ELK Stack Overview
    • Cloud infrastructure
    • Our receiver Infrastructure
    • Logstash Filters
  • Examples of unique captured message types
    • Free text
    • Air Terminal Information Services
    • Position reports
    • AOC Formats
    • Performance data
MIGRATE! COVID-19 and Operation and WFH
Presented by Kerry Hazelton

Kerry Hazelton - better known by his hacker handle of "Professor Kilroy" - has spent nearly twenty five years between Information Technology and Security, and over that time has developed considerable experience with systems and network support, data center operations, and information security. As such, he considers himself a “cybersecurity enthusiast” due to his desire and motivation to read up on the latest trends within the industry, to learn about a new exploit or tool, or his willingness to teach and share with others his experiences over the years. He is the creator of the Cloud Forensics Challenge, which is an all-day technical workshop and CTF competition that focuses on learning about the science of cloud forensics and its real-world applications to test students' comprehension and their skills.

The impact of COVID-19 had a profound effect on a number of businesses globally, forcing many to rapidly shift to a remote environment to accommodate their workers. Some businesses opted to leverage the power of the Cloud in this effort to accommodate these workers, but with it came many risks and many hard lessons. In this talk we will discuss what some of those risks were along with lessons learned, and discuss ideas on how businesses who have yet to adopt a Cloud-based WFH strategy can avoid the same security pitfalls.
Cyber Insider Threats & Physical Security
Presented by Charlie Nickerson

Charlie Nickerson: Research Analyst for Nuclear Systems.
Mark Fabro: Lofty Perch, President and Chief Security Scientist.

Responding to insider threats is a critical component of a cybersecurity program. It also represents the core vulnerability in a physical protection system. Data generated by sensors, processed by controllers, and condensed into viewable media that is assessed by a human in the loop is ripe with opportunities for an insider to leverage knowledge, access, and authority to gain permission into sensitive information, functions, and then relay those permissions to other malevolent actors. The challenge is amplified as organizations seek to increase levels of collaboration which consequently force increases in insider risk tolerances.

This presentation evaluates a potential scenario and then analyzes opportunities for detecting anomalous behavior. The goal is to identify the ripe potential for research for insider/cyber nexus in critical OT functions that seek to integrate cyber and physical methods for detecting and correctly assessing anomalous behavior while at the same time, right-sizing the effort to the true risk.

Presented by Charlie Nickerson (Idaho National Laboratory) who will be in person &
Mark Fabro (Lofty Perch) who will participate virtually.
Some heroes do wear a KAPE
Presented by Jeremiah Bess

An Incident Responder with 17 years of Cybersecurity experience, including 12 years of Air Force service. Linux geek. Father of nerdlings.

In the world of Digital Forensics and Incident Response (DFIR), gathering evidence from an endpoint quickly and accurately is critical to the investigation process. To this end, Kroll’s Eric Zimmerman created the Kroll Artifact Parser and Extractor (KAPE) to rapidly collect and parse artifacts key to any incident.

This talk will teach you how to use KAPE to collect evidence targets and how to run modules to parse those gathered artifacts. Both the GUI and command line versions will be covered, as well as how to extend the functionality of KAPE by creating your own targets and modules.

As a bonus, a custom target and module will be shared to help you deal with friends, family, or co-workers who say “I’ve been hacked” and ask for your help. In the end, you’ll be able to don your superhero KAPE for your next investigation.

Implementing Cybersecurity for Distributed Wind: An Exercise in ICS Security Application
Presented by Megan Culler

Megan Culler (INL) is a power system engineer and researcher for Idaho National Laboratory. She received a B.S. degree in electrical engineering in 2019 from Texas A&M University, and an M.S. degree in electrical engineering in 2021 from the University of Illinois at Urbana-Champaign. Culler has worked at INL since 2019, most recently as a graduate fellow. Her research interests include distributed energy resource integration and cybersecurity for power systems.

Distributed wind is a unique and fast-growing component of the energy production mix, but cybersecurity for distributed wind lags behind. In this presentation, we will introduce distributed wind as an example of difficult-to-secure critical infrastructure. We will first provide background on distributed wind architectures, applications, and stakeholder roles. We will explain the need an challenges for cybersecurity for distributed wind, pointing to both academic studies and real-world events.

The key component of this presentation will discuss recommendations for different aspects of security, such as risk assessments, communications, and access control, that specifically call out considerations that apply uniquely to distributed wind. We will discuss what sets distributed wind apart from other ICS and energy applications, and how to account for these features in a comprehensive security plan. This process is demonstrative of the type of analysis needed to adapt traditional security guidelines and standards to narrow and focused applications.
Maker-Breaker Bias -- Why We Are Still Creating Vulnerable Technology and What Can be Done
Presented by Ginger Wright

Virginia “Ginger” Wright is the Energy Cybersecurity Portfolio Manager for Idaho National Laboratory’s Cybercore division within its National and Homeland Security directorate. She leads programs focused on cybersecurity and resilience of critical infrastructure for DOE, DARPA and other government agencies including DOE’s CyTRICS™ program. Ms. Wright’s recent research areas include supply chains for operational technology components, incident response, critical infrastructure modeling and simulation, and nuclear cybersecurity. Mrs. Wright has a Bachelor of Science in Information Systems/Operations Management from the University of North Carolina at Greensboro.

The Roman Poet Ovid wrote of a sculptor Pygmalion who, determined to sculpt the perfect woman, ultimately fell in love with his creation. For Pygmalion, the story ends happily. The goddess Aphrodite was moved by his prayers and brought his ivory sculpture to life. For the rest of us, though, Pygmalion’s story serves as a warning that by becoming overly enamored with the features of our creations, we lose sight of their shortcomings and we leave critical flaws in place with no gods and goddesses to rescue us. Though it may seem that we have advanced far from 8 AD and have little in common with the Romans, Pygmalion is alive and well in every developer and engineer who creates digital technology without considering how an intelligent adversary or an oblivious user may misuse their creations.

This talk will explore the Maker-breaker bias as it applies to cybersecurity, and how we all fall victim to it as well as what we can do to build in critical protections throughout the lifecycle of our technology. It will cover insights from modeling misuse-cases examining potential negative system consequences, as well as additional defensive design techniques which should be considered to ensure that necessary critical protections for technology are designed-in. It will leverage insights from Cyber-Informed Engineering 1 , but will apply them for a software engineering and development audience.

As long-time supporters of BSides, and all community-centric educational opportunities... BSides is thrilled that the College of Eastern Idaho will be hosting this years event, in conjunction with the Grand Opening of their new CEI Cyber Facility. Since they are graciously allowing our confrence to happen we will be following all of their COVID-19 procedures and we ask you to also follow their rules on COVID-19. You can find more information about their COVID-19 procedures here.