
Highlights from BSides Buffalo 2024


Sedara attended Buffalo’s very own BSides conference in early June. BSides are cybersecurity conferences held across the world, often planned and hosted by grassroots organizers. They’re a great way to learn about the latest trends in the industry and network with both established and aspiring professionals. Several of our team members attended this year’s conference, and here are their takeaways.

Chris Bruns, Penetration Tester

What was your favorite session from BSides Buffalo?

My favorite session was “Please Waste My Time” by Qasim “Q” Ijaz. Q is a longtime penetration tester who has tested the security of a lot of different enterprise environments. Throughout his career, he’s had penetration tests go easily, such as quickly compromising a domain admin account without the organization detecting him. But he’s also had penetration tests that were much more difficult due to security controls and detection mechanisms put in place by defenders (i.e., Blue Teams).

Q’s session covered the latter kinds of tests, the kind that’s difficult for penetration testers—and malicious actors—which is what Blue Teams want. Q urged Blue Teams to “waste” penetration testers’ time, meaning using preventative and detective controls to slow down penetration testers’ simulated attacks, causing them to try attack vectors that lead to dead ends. Some of the controls Q covered included canary files, fake credentials, fake authentication requests, and fake broadcast traffic. By setting up fake low-hanging fruit files or network traffic that are backed up by strong detection mechanisms, Blue Teams can misdirect penetration testers and, ideally, shut off their attack vectors once their activity is detected.

As a penetration tester myself, I have fallen victim to these Blue Team techniques, and I love it when it happens. Sure, it makes my job harder, but that’s good because it means a malicious actor would experience the same difficulties. Malicious actors often conduct two kinds of attacks: targeted and opportunistic. Targeted attacks are those against a specific organization for a specific reason. Opportunistic attacks are those done against any organization that’s low-hanging fruit. By wasting a penetration tester’s time, you are inoculating your organization against being low-hanging fruit, and you are ideally slowing down and providing detection capabilities during targeted attacks. So, please, Blue Teams, waste my time!

Cris Trevino, SOC Analyst

What was your favorite session from BSides Buffalo?

Well, it looks like Sedara’s Chris/Cris duo had the same favorite session. Dare I say great C(h)ris’ think alike!?

Uh…sure.

Anyways, I’ll expand on the controls Q suggested Blue Teams use. Canary files are files that look enticing to malicious actors, such as a file named passwords.txt, but are actually benign and are backed up by strong detection mechanisms. So, if a Blue Team saves this canary file in a part of their network and the file is accessed by someone, they would immediately receive an alert informing them who accessed it. The file could be placed in such a way that normal users wouldn’t ever access it, so it would tip off Blue Teams that something was wrong if it were accessed. This strategy is just as useful for detecting insider threats as it is for detecting external malicious actors.

Another strategy is for Blue Teams to detect malicious actors who may be hiding on their network and trying to perform an on-path or “person-in-the-middle” attack. Blue Teams can craft fake broadcast request-response traffic for a server that doesn’t actually exist. A malicious actor could fall for the trick by pretending to be the server, which the Blue Team knows does not exist and is therefore evidence of a malicious actor.

The throughline with these strategies is Blue Teams aren’t just passively waiting for bad things to occur—they are proactively and intentionally involved in defense and detection strategies to slow down attackers and shut off their attack vector. As a SOC analyst, I specialize in helping organizations detect and respond to threats. Working with Blue Teams to craft detection capabilities for their assets, real or fake, is a high-leverage way to “waste” attackers’ time.
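As an added example that is not code from Q’s talk or from Sedara, the following script turns the controls described in Chris’s and Cris’s answers above (canary files, planted decoy credentials, and fake broadcast name requests for a host that does not exist) into detection logic run over a handful of log events. The decoy inventory, the `key=value` log format, the hostnames, accounts and IP addresses are all constructed for this example.

```python
"""Honeytoken alerting over constructed log events.

Added example, not code from Q's talk or from Sedara. The decoy inventory,
the log format and the sample events below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed decoy inventory. Keep this list out of band in a real deployment
# so that someone who finds it cannot tell decoys from real assets.
CANARY_FILES = {"/srv/finance/passwords.txt", r"C:\Shares\IT\backup_creds.xlsx"}
DECOY_ACCOUNTS = {"svc_backup_legacy"}   # planted credentials, never used legitimately
DECOY_HOSTNAMES = {"fileserv-old"}       # name broadcast in fake requests; no such host exists


@dataclass(frozen=True)
class Alert:
    severity: str
    kind: str
    actor: str   # who tripped the decoy: a user for file access, a source IP otherwise
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields


def check_event(line: str) -> List[Alert]:
    """Return an alert for every decoy the event touches (usually zero or one)."""
    ev = parse_event(line)
    alerts: List[Alert] = []
    kind = ev.get("event")
    if kind == "file_access" and ev.get("path") in CANARY_FILES:
        # No workflow reads a canary file, so any open is interesting, read or write.
        alerts.append(Alert("high", "canary_file", ev.get("user", "?"),
                            f"{ev['path']} opened"))
    elif kind == "auth" and ev.get("user") in DECOY_ACCOUNTS:
        # The account has no owner: a failed attempt is as telling as a success,
        # because the credential only exists where an intruder would look for it.
        alerts.append(Alert("high", "decoy_credential", ev.get("src", "?"),
                            f"logon attempt as {ev['user']} ({ev.get('result', '?')})"))
    elif kind == "name_response" and ev.get("name") in DECOY_HOSTNAMES:
        # Nothing should answer for a name that does not exist; whoever did is
        # impersonating the host (name poisoning, the setup for an on-path attack).
        alerts.append(Alert("high", "name_poisoning", ev.get("src", "?"),
                            f"answered {ev.get('proto', '?')} query for {ev['name']}"))
    return alerts


def scan(lines: List[str]) -> List[Alert]:
    return [alert for line in lines for alert in check_event(line)]


def summarize(alerts: List[Alert]) -> Dict[str, str]:
    """Map each actor to a severity: an actor that trips more than one kind of
    decoy is escalated, since that pattern is reconnaissance, not an accident."""
    kinds_by_actor: Dict[str, set] = {}
    for a in alerts:
        kinds_by_actor.setdefault(a.actor, set()).add(a.kind)
    return {actor: ("critical" if len(kinds) > 1 else "high")
            for actor, kinds in kinds_by_actor.items()}


# Constructed sample log: one benign file open, then a user opening the canary,
# then a single source trying the decoy account and answering for the decoy name.
SAMPLE_LOG = """
ts=2024-06-08T10:01:02Z event=file_access user=jdoe path=/srv/finance/q2_report.xlsx
ts=2024-06-08T10:03:44Z event=file_access user=jdoe path=/srv/finance/passwords.txt
ts=2024-06-08T10:04:10Z event=auth user=svc_backup_legacy src=10.0.5.23 result=failure
ts=2024-06-08T10:04:12Z event=name_response name=fileserv-old src=10.0.5.23 proto=llmnr
ts=2024-06-08T10:05:00Z event=name_response name=printsrv01 src=10.0.0.7 proto=llmnr
""".strip().splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.kind}: actor={a.actor} {a.detail}")
    print(summarize(found))
```

The point of `summarize` is the correlation Cris describes: a single decoy hit already warrants a look, but one source that both tries a planted credential and answers for a non-existent host has shown its hand twice, which is exactly the kind of time-wasting dead end Q asked Blue Teams to build.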

Lucas Desjardins, Cybersecurity Engineer

What was your favorite session from BSides Buffalo?

My favorite session was “Which Vault? Don’t Tell Me Your Secrets!” by Michel Schildmeijer. He discussed the process of vetting secrets management tools, such as CyberArk Conjur, Kubernetes Secrets, and HashiCorp’s Vault, for use in a private cloud environment. Secrets are any sensitive data used for authentication, such as API keys, credentials, tokens, certificates, and passwords. Security best practices dictate that secrets should be generated, stored, distributed, and rotated in a centralized and secure manner. Schildmeijer’s presentation described the process of establishing criteria and weighing options for selecting a secrets management platform. For example, a secrets management tool should be chosen to prevent the hard coding of secrets within configuration files or environment variables. Hard coding secrets is not secure, scalable, or reliable. Also, a secrets management tool that frequently rotates secrets should be chosen. Vetting and selecting secrets management tools that support secure practices is a critical step in building a cloud environment.

Why not use built-in secrets management solutions from the major cloud providers?

Well, you certainly can. But Schildmeijer was mainly talking about his experience building a cloud environment from the ground up, which not a lot of people know you can do—you don’t necessarily have to use the major cloud providers like AWS, Azure, or GCP. Schildmeijer described a project that involved creating a cloud to support classified government operations for the Netherlands. The need for secrecy and national sovereignty for this use case excluded the ‘big three’ cloud providers from consideration. Therefore, the cloud was architected and built using tools that would enable a fully independent and compartmented private cloud. The mission was essentially to replicate a ‘big three’ cloud without using ‘big three’ services, which is an incredible feat! Regardless of what type of cloud organizations choose to use, they should be careful to ensure it’s intentionally architected to support their desired security controls, such as, in this case, secrets management.
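The selection criterion Lucas relays above, that the chosen tool should keep secrets out of configuration files and environment variables, can be turned into a check a Blue Team runs on its own repositories. The script below is an added example and is not code from Schildmeijer’s talk, Sedara, or any of the vendors named; the `vault:` reference syntax, the key patterns, and the sample configuration are assumptions constructed for the example. It flags a literal value under a secret-bearing key and leaves references into a secrets manager alone.

```python
"""Scan configuration text for hard-coded secrets.

Added example, not from Schildmeijer's talk or any vendor tool. The 'vault:'
reference scheme, the key patterns and the sample config are constructed.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Keys that normally carry a secret. Case-insensitive.
SECRET_KEY_RE = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.I)
# One 'key = value' / 'key: value' / 'export KEY=value' pair per line; quotes optional.
KV_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z0-9_.\-]+)\s*[=:]\s*["\']?([^"\'#\s]+)["\']?', re.M)
# Assumed reference syntax: the value names a path in the secrets manager
# instead of embedding the secret itself.
REFERENCE_PREFIXES = ("vault:",)
PLACEHOLDERS = {"changeme", "redacted", "xxx", "null", "none", ""}


def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_reference(value: str) -> bool:
    return value.startswith(REFERENCE_PREFIXES)


def find_hardcoded_secrets(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value, reason) for each literal that looks like a secret."""
    findings = []
    for m in KV_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if not SECRET_KEY_RE.search(key):
            continue                      # host, timeout, username: not secret-bearing
        if is_reference(value) or value.lower() in PLACEHOLDERS:
            continue                      # resolved at runtime from the vault, or a stub
        if len(value) >= 16 and shannon_entropy(value) >= 3.5:
            findings.append((key, value, "high-entropy literal"))
        else:
            findings.append((key, value, "literal value under secret-bearing key"))
    return findings


def redact(value: str) -> str:
    """Show enough to locate the finding without copying the secret into a report."""
    return value[:4] + "..." if len(value) > 4 else "..."


# Constructed sample: an INI-style config plus one line from a .env file.
# Two entries embed the secret; the mail section references the vault instead.
SAMPLE_CONFIG = """
[db]
host = db.internal
password = "Summ3r2024!"

[payments]
api_key = sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c
timeout = 30

[mail]
smtp_password = vault:secret/data/mail/smtp_password
username = mailer

export DB_PASSWORD=hunter2
"""

if __name__ == "__main__":
    for key, value, reason in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"{key} = {redact(value)}  <- {reason}")
```

Run in CI, a non-empty result fails the build; the entropy branch only changes the label, since a short literal like a human-chosen password is just as much a finding as a long API key. Rotation, the other criterion Lucas mentions, is what the `vault:` reference buys you: the application fetches the current value at runtime, so the tool can rotate it without a config change.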

Jason Taylor, Cybersecurity Program Analyst

What was your favorite session from BSides Buffalo?

My favorite session was “Eyes Wide Open: A Beginners Journey Into OSINT” by Ross Flynn. OSINT (Open-Source Intelligence) is the process of gathering publicly available data for reconnaissance purposes. Non-cybersecurity folks do OSINT all the time, even if they don’t realize it, when they, say, use a search engine or social media to figure out what became of that old high school classmate they haven’t seen in twenty years.

In the cybersecurity world, OSINT is used for a variety of purposes, such as by malicious actors to gather data about a target, by privacy-minded people interested in limiting what’s publicly available about them, and by Blue Teams wanting to identify and protect their attack surface.

What struck me the most from Ross’ presentation was a metacognitive case study of how he approached finding the exact location where a random internet photo was taken. The sample photo was of a couple standing behind a car parked on the left side of the street. The photo was taken from above the couple, and in the dark background what looked like a park and a bus terminal could vaguely be seen. Ross described how the car parked on the left side of the street might mean it was taken in a country where cars drive on the left side, or it could mean it was taken in a country where cars drive on the right side, but the street was a one-way street with left-hand parking. He surmised the latter and used a search engine to browse for bus routes in large American cities. While examining various bus routes, he found a bus stop in Boston located next to a park and on a one-way street. Using Google Maps, he was able to verify the exact location the photo was taken from, including the exact window of a second-story building. Using other OSINT tools, someone could try to determine who lived in the building at the time the photo was taken.

This reminds me of those geo-guessers popular on social media, the people who can guess with remarkable accuracy and speed where a photo was taken just by glancing at it.

Right. They’re somewhat related. But geo-guessing and image analysis are just a few kinds of OSINT. Ross described other kinds of OSINT sources and strategies, such as searching publicly available financial information, biological information, government database information, and myriad other places where the breadcrumbs of our personal and digital lives exist. There’s a tenuous relationship between privacy and accessibility in today’s internet. And the takeaways from the session Chris and Cris attended have got me thinking about how Blue Teams can leverage OSINT for their own benefit.

Conclusion

BSides Buffalo was a great way to kick off June. Our team is always attending local and national cybersecurity events to stay up-to-date on the latest industry trends. If you’re looking for support enhancing your cybersecurity program and reducing your risks, it’s time to get started! Reach out to the team at Sedara to find out how you can protect your organization.
