Located directly east of Orlando, Florida, is Kennedy Space Center. Home to one of the largest buildings on Earth, covering 8 acres, it is best known as NASA's primary launch center for American spaceflight. It is surrounded by the beautiful nature of the Merritt Island National Wildlife Refuge, which is home to many bird species, and it is an ideal location for museums and science centers dedicated to learning about advances in flight and space travel. The KSC Space Education Center brought together cybersecurity professionals to improve their skills and share knowledge at HackSpaceCon 2024.
With the word “hack” in its name, this conference was truly a pro-red team and pro-pen tester event. The event kicked off with a keynote speech from legendary offensive security leader Dave Kennedy. He shared some detailed stories from his days in the field and urged us to look forward to the challenges ahead, especially as AI changes the world. He encouraged us to set traps and to make some of our cyber deception efforts more obvious. For an attacker, there is nothing more frightening than being provoked by an obvious trap. In short, it says “come here.”
Dave set the tone for the rest of the event. The dozens of workshops and over 50 talks held throughout the event prepared us to embrace the challenges to come in the age of AI and LLMs, while occasionally going back to basics to remind us that we still have a long way to go. One thing was brought into focus throughout: keeping our systems and organizations secure. Here are just some of the highlights from HackSpaceCon 2024.
AI will make our jobs both harder and easier
In his presentation, “Red/Blue/Purple AI: Practical AI for Security Practitioners,” Jason Haddix, CEO and Founder of Arcanum Security, shared his quest to improve tools through artificial intelligence. He first showed how AI-powered phishing attacks have become much more sophisticated in a very short period of time, producing emails that fool even the most experienced security experts. AI models can now analyze vast amounts of personal data from social media to create highly personalized and convincing phishing emails.
Jason also detailed the role of AI in creating dynamic, adaptive malware payloads specifically designed to evade detection by security systems such as CrowdStrike and CarbonBlack. These AI-driven threats are constantly adapting and evolving, posing significant challenges to existing cybersecurity defenses and highlighting the need for continued advances in AI security solutions.
But it's not all bad news. Jason also provided multiple examples of how he used ChatGPT and other AI tools to aid in defense. For example, tools like Nuclei and Nessus have very good documentation, so you can quickly train AI assistants to create advanced policies. As a way to approach technical training, Jason said he is also working on a security bot, SecGPT, which he uses to dig into security questions he would not want to ask in public. He concluded by saying that AI generally does not pose a direct security threat at this point. Still, the landscape is rapidly evolving, and our tools must embrace the power of AI before attackers take control.
There is more critical infrastructure than you think
In her talk, “Analysis of Critical Infrastructure Attacks – Cybersecurity Lessons from Real-World Breaches,” Soledad Antelada, Security Technical Program Manager in the Office of the CISO at Google, explained that critical infrastructure involves much more than just power grids and water systems. It's everything that keeps our lives running as expected, from banking systems and internet service providers to oil and gas refineries and pipelines to election-related systems. Protecting it is not optional, but unfortunately it has become increasingly targeted in recent years.
Soledad explained how digital transformation, combined with legacy systems that are often unpatched, creates fertile ground for cyberattacks. She walked us through several landmark breaches, including the Stuxnet attack, the Colonial Pipeline ransomware incident, SolarWinds, and the Dyn DDoS attack that disrupted much of the internet. These examples demonstrate the sophisticated nature of modern cyber threats and the extensive preparation and execution they entail. She said a multi-layered approach is absolutely necessary to protect critical infrastructure, and this includes not only technical solutions but also regulatory compliance and cross-sector collaboration.
Cybersecurity measures and policies such as MFA and biometrics should be introduced early in the planning and implementation stages of infrastructure projects. When modernizing older systems, you need to apply patch management strategies as well as implement network segmentation and better role-based access. She concluded by calling for a proactive stance on cybersecurity by strengthening security audits. She encouraged all of us, no matter what organization we work in, to anticipate potential threats and build security into the very fabric of our operations.
We are on the same page about the red team
Author, pentester, and podcast host Phillip Wylie argued at the beginning of his talk, “Offensive Security Awareness,” that most security professionals assume everyone already knows the basics of security. But like everything else in life, no one is born knowing everything. So his goal was to get everyone on the same page, especially those working on the “red team,” and get us into the state of mind of a threat actor.
Phillip said the overall goal of all our efforts should be to identify and address security vulnerabilities before they are exploited. He defined terms such as “offensive security,” which involves assessing the security of targets in scope from the perspective of a threat actor. He explained the difference between “vulnerability management” and “vulnerability assessment.” The latter also takes into account exploitability. He compared the three main types of penetration testing: the blind “black box”; the “gray box,” which reveals specific details and is the most common type; and the “crystal box,” an engagement that provides full access to all documentation in the system.
Additionally, Phillip emphasized the need for continued education and training in the cybersecurity field. He pointed out that many security breaches occur because staff lack basic security knowledge. Therefore, it is important to simplify and spread the concept of offensive security to all levels of the organization. His call to action was clear: provide individuals with the knowledge to understand and participate more actively in security processes. If you want to dig deeper into these topics, check out his book, “The Pentester Blueprint.”
Hack without exploiting technical vulnerabilities
In the highly informative, baseball-themed workshop “Attacking the DevOps Pipeline,” Tom Porter & Colbert Joux, both Accenture Security Consultants, conducted complete attacks against fictitious companies without exploiting a single technical vulnerability. The scenarios they set for this workshop were based on multiple real-world engagements performed using only a browser, a terminal, and a few open source tools found in Kali Linux. The factors they exploited were default credentials and compromised credentials in all environments along the attack path.
After explaining some DevOps concepts, we dove directly into the scope they set up, a specific set of containerized environments that are meant to be legitimately attacked. Starting with a fictitious target company's wiki, we quickly discovered users who had never updated their default passwords and quickly gained access to many private files. With just the wiki's built-in search, we were able to discover access to GitLab, Jenkins, Octopus, and multiple other services across the production pipeline. Then, using some pre-built tools and scripts easily found on GitHub, we were able to dump credentials and secret-filled log files from these systems, allowing for lateral movement and simulating how a real penetration test would be performed.
The biggest takeaway from this session is that the problem of secret sprawl is very real. They emphasized that they frequently see many more secrets being leaked than the few secrets involved in the exercise. They acknowledged that most attackers target Active Directory in actual attacks, but it was still not necessary for success. They also said that for most of their work, they do not need advanced technical knowledge about CVEs or technical exploits, as the required keys are easily discovered during the work. I walked away thinking we are lucky that great solutions exist to help address secrets sprawl at scale.
Let’s prepare together for the future of cybersecurity
Through these diverse talks, a common theme emerged: the future of cybersecurity means getting the basics right and leveraging AI to support existing tools. One of the fundamentals covered in almost every talk was the security of secrets. The author also spoke about making better use of Git hooks, the automation platform built into the world's most popular source control management system. Don't put secrets in your commits.
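One way to act on that advice, as an added example that is not from the original post or the author's talk: a `pre-commit` hook that inspects only the lines being added in the staged diff and blocks the commit on a match. The function name `find_secrets` and the three patterns are illustrative assumptions, not a complete ruleset.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# Patterns are illustrative assumptions; a real scanner covers far more.

# Reads a unified diff on stdin and prints "file:line" for every ADDED
# line that looks like it contains a secret. Prints nothing if clean.
find_secrets() {
    # Tag each added line with its file and its line number in the new file.
    tagged=$(awk '
        /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
        /^@@ /     { split($3, a, ","); line = substr(a[1], 2) + 0; next }
        /^\+/      { print file ":" line ":" substr($0, 2); line++; next }
        /^ /       { line++ }
    ')
    {
        # Case-sensitive, fixed-format credentials.
        printf '%s\n' "$tagged" | grep -E \
            -e 'AKIA[0-9A-Z]{16}' \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' || true
        # Case-insensitive keyword assigned a quoted value of 8+ characters.
        printf '%s\n' "$tagged" | grep -Ei \
            "(password|passwd|secret|token|api_?key)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']" || true
    } | cut -d: -f1,2 | sort -u   # report locations only, never the value
}

# Run as a hook only when installed under the name "pre-commit".
if [ "$(basename "$0")" = "pre-commit" ]; then
    findings=$(git diff --cached --no-color -U0 | find_secrets)
    if [ -n "$findings" ]; then
        echo "Commit blocked: possible secrets in staged changes at:" >&2
        printf '%s\n' "$findings" >&2
        exit 1
    fi
fi
```

A client-side hook can be skipped with `git commit --no-verify`, so the same scan should also run server-side or in CI.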
HackSpaceCon 2024 was held at the same time as the SpaceX Shuttle launch, and we were blessed with good weather and clear skies to see it. This was just another way for this group of cybersecurity professionals to connect and form a real community. We are a community looking to the future and proactively working to keep us all safe. I'm already looking forward to next year's event and hope to see the shuttle launch again and see you all there.
*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog, Code Security for the DevOps Generation, written by Dwayne McDaniel. Read the original post: https://blog.gitguardian.com/hackspacecon-2024/