Welcome to BSides 2023! Nick & Cody welcome and introduce the event.

How Artificial Intelligence (AI), synthetic content, and evolving digital marketing techniques are enhancing scalability of highly targeted social engineering attacks.

At a key point in the history of cybersecurity operations, it was passively decided that SECOPS is an extension of IT OPS. This session will examine the thesis that SECOPS is an extension of the craft of Law Enforcement and the consequences of building SECOPS on IT models (that were derived from manufacturing models.) Approaches from Law Enforcement that can accelerate and improve SECOPS will be examined. Methods of safely leveraging law enforcement to reduce cyber risk and costs will also be demonstrated.

Practitioners often focus on putting limitations on users in the name of good security. After all, it has been proven time and time again that the human element is one of the weakest links. However, when users require freedom to build and create we as practitioners must change our approach. This talk focuses on ways to engage users in a meaningful way that fosters creativity while maintaining security.

First, a security team must understand its role in the organization. Security exists to be a business enabler, not the department of no. How the team engages with the company, both management and employees, sets this very important tone. If security is seen as an enabler of business, users are more likely to bring to light issues across the enterprise. On the contrary, if security is seen as a blocker then end users are more likely to brush issues under the rug out of fear of rejection or negative consequences.

With a proper tone set, a security team must then decide how best to actively engage with end users. It is critical that security be seen as an active member of the organization that brings value rather than a shadowy entity that people know little about. Training and active participation in business initiatives are great entry points.

The most challenging element is how to enforce good security in a user centered way. In a business with a high need for creativity, particularly software development creativity, typical heavy handed approaches may be poorly received and ultimately result in loss of talent. The user centered approach relies on enforcing ownership of devices and empowering end users with the tools and information required to execute on that ownership.

The Bradley Red Team is the group of students enrolled in the capstone course for Bradley University’s cybersecurity class: Advanced Ethical Hacking. This presentation is about the experience as a participant, outcomes of the engagements, and the program’s future. The class allows students in the undergraduate program to perform a fully authorized physical and digital penetration test for a local business in the Peoria area. The class has three phases: planning, executing, and reporting. This presentation gives a preview of the tactics, techniques, and procedures we’ve been able to attempt. The class highlights social engineering, intelligence gathering, and assessing vulnerabilities. There have also been several roadblocks and challenges as technology changes. We will also be discussing the plans for the program to expand in frequency and capabilities. We hope that by presenting, the Bradley Red Team can give insight into some of the areas we target, how we execute, and shed light on what students can accomplish in very ambiguous situations.

From the smallest of startups to the empire builders, Matt has seen and contributed to countless MSP architectures. In this session, hear about the dark side. Where these architectures break down and some of the most common mistakes.

We’re not talking about tools or products, except in a broad categorical sense. If you’re in the MSP world, come learn about what can go wrong that’s NOT about just buying more tools.

The practice of Threat Hunting is becoming more popular as our industry evolves to meet the ever-changing threat landscape; however, many individuals think that the hunt stops at detection. As Blue Teamers and Threat Hunters, we must do more than just detect the threat; we must also respond to it, mitigate it, and build better detections for the future. In order to perform a hunt, we must better understand what we are hunting for. What I am describing is looking at Threat Hunting as a cycle rather than a list of procedures. We must start our hunt based on threat intelligence that is relevant to the organization we are protecting. Once the chosen activity has been decided, we must then go hunt for it. For some, if the activity has been found, the Threat Hunt may be viewed as a success because the activity has been noted and their job done. Although the hunt has been completed, our job as Defenders is just getting started. We need to then indicate and verify the severity of the activity’s impact. Depending on our findings (and what one may classify as an incident), we may have an incident on our hands, and by extension, the incident response cycle will need to begin. Once the incident has been addressed, during the lessons learned phase, we as defenders can use the data gathered during our hunt to build better detections to strengthen our security posture in the future. Thus is the Threat Hunting cycle, where Threat Hunting and Incident Response are one in the same and are not two separate schools of thought. I have used this thought process in my own professional life, and not only does this make my team’s tactics better, but it also allows us to be more proactive Blue Teamers.

The dazzling special effects and light shows you see on prestigious buildings, bridges, theaters, and landmarks are controlled by a unique class of devices and communication protocols. But how do these systems turn complex lighting designs into reality? How easy it is to alter the carefully choreographed show to something more nefarious? What if you manipulate it from thousands of miles away, watching carefully from the comfort of your couch?

Industrial Lighting Controllers are commonly installed in large scale illumination projects for complex lighting effects; imagine historic bridges, national monuments, and massive award-winning convention centers. It turns out these devices, if not configured properly, lack the most basic security controls. It gets more fun when they are connected to the internet. And we have proof.

Nick Schroeder and Cody Kretsinger present their findings surrounding their research of Industrial Lighting Controls and their weaknesses (CVE(s) pending). This talk guides you from Nick and Cody’s initial curiosity in these systems to uncovering vulnerabilities in internet-exposed industrial lighting controllers across the world. The discussion includes covering a few popular Industrial Lighting Control products, their design, locations they’ve been installed in, what they control, and ultimately: sensitive information disclosure.

So, gather ’round, crack open a cold one, and join us for 25 minutes of compromise, laughs, and visual effects.

Thats it folks! We’re wrapping BSides 2023!