Why do skilled analysts still chase dead ends, misread signals, or miss the obvious? Often it isn’t a tooling problem — it’s a framing problem. Incident response relies on the mental “lens” we use to interpret clues, and when that lens is too narrow, we get tunnel vision; too wide, and we drown in noise. This talk shows how hidden analytical frames shape investigations, how they quietly bias our hypotheses, and how to switch lenses quickly without derailing momentum. Through systems thinking, security engineering insight, and a few crisp, hyperbolic examples, you’ll learn a practical method for improving IR clarity, reducing cognitive blind spots, and accelerating your investigative process — all without slipping into analysis paralysis.
“Everyone has a plan until they get punched in the face.” Mike Tyson’s line sums up incident response better than any manual. You can draft the neatest IR plan in the world, but unless you have practised taking the hit, it will fold the moment reality lands a blow.
Many cybersecurity roles ask for experience before you’ve had the chance to get hired. This presentation breaks down practical, proven ways to build hands-on cybersecurity experience without waiting for a job offer. You’ll learn how to create real evidence of skills through labs, projects, volunteer work, competitions, and public documentation that employers actually value.
Incident Response has shifted. Gone are the days when responders waited for dead disk images to begin investigations. Today's threats demand speed, agility, and immediate access to live data. This session explores the evolution from traditional dead-disk forensics to modern live response and triage techniques. We'll discuss real-world approaches to quickly gathering volatile data, practical tools and scripts that streamline collection, and how organizations can make faster, better decisions during incidents. Attendees will leave with actionable methods to enhance their IR capabilities and move at the speed of the threat.
This talk examines ransomware negotiations as strategic psychological engagements, not just financial transactions, revealing how disciplined tactics like timing and message control influence outcomes beyond price while exposing critical mistakes that increase organizational cost and exposure.
Most DLP and EDR systems claim to detect threats based on behavioral analysis, but how many actually rely on format signatures, magic bytes, and file headers? This presentation introduces Veriduct, a format destruction framework that systematically tests whether security controls detect based on content and behavior versus pattern matching. We’ll demonstrate empirical results from testing production APT malware across 68 security engines, achieving 0 detections after format destruction and perfect reconstruction with hash verification, proving that many behavioral detection claims are marketing rather than reality.
Operational Security (OPSEC) and personal privacy failures are rarely caused by missing tools or misconfigured settings. More often, they result from inconsistent habits, unexamined assumptions, and gradual drift in how people behave over time.
This talk applies a red team mindset to OPSEC and privacy. Not to teach evasion techniques, but to examine how adversarial thinkers identify attribution signals created by routine actions and cognitive bias. Drawing from intelligence analysis principles and real-world security practice, the session focuses on how attackers and investigators reason about exposure, rather than on specific tools or tactics.
Attendees will learn how to define realistic threat models, recognize common OPSEC failure patterns, and apply disciplined, repeatable thinking to improve privacy outcomes. The goal is not perfect anonymity, but resilient, defensible privacy practices that hold up under scrutiny.
This session focuses on how offensive security teams reliably establish and maintain persistent network connectivity to a physical penetration-testing dropbox using only built-in protocols: no malware, no exploits, and no client-side configuration changes.
We demonstrate how SSH can be abused as a resilient access layer to survive restrictive egress controls, segmented networks, and jump-host dependencies. Starting from a remote operator system, we show how to chain tunnels, validate traffic flow, proxy tooling, and recover cleanly from dropped connections, all while avoiding whitelisting, firewall exceptions, or special accommodations from the client.
This talk is not about finding vulnerabilities. It is about operational dominance: making sure access works every time, in every environment. Attendees will leave with a repeatable access engineering workflow that mirrors how real attackers and professional red teams operate during internal assessments.
Cloud security shouldn’t feel like deciphering a spellbook written during a power outage. This talk starts by breaking down the core concepts of cloud architecture and access control using clear, memorable analogies—yes, “Pizza as a Service” makes an appearance. In just a few minutes, the audience will understand how IAM, org policies, and service boundaries compare to the on-prem world, and how attackers use these same models to find weak spots.
Then it’s showtime. We dive into real-world cloud misconfigurations and the attack paths they create, with a mix of live demos (plus recorded backups, because the demo gods can be fickle) and open-source tools that anyone can use. We’ll walk through everything from “accidental” data exposure to the infamous public GitHub token that launched hundreds of crypto-mining VMs without detection. And yes—why cryptominers are often just the decoy for something far more concerning.
The software supply chain is under constant attack, and nowhere is this clearer than in the JavaScript ecosystem. In 2023, over 5,000 malicious npm packages were removed; by mid-2024 that number exceeded half a million. Recent compromises like NX Singularity, Chalk/Debug, and the Shai-Hulud1 and Shai-Hulud2 worms show that attackers are no longer uploading random malware but hijacking trusted packages with millions of downloads.
This talk breaks down how attackers infiltrate npm through typosquatting, dependency confusion, and maintainer account takeovers, and how payloads are delivered using install-time scripts, obfuscated JavaScript, bundled binaries, and worm-style propagation.
We also explore AI’s role in analyzing malicious packages: when it succeeds, where it fails, and whether a deny-by-default policy is practical. Attendees will leave with real incident timelines, concrete malware examples, code walkthroughs, and actionable defenses they can apply immediately.
How hard do you think it would be to disable our civilization? Not as hard as you think.
Everything, everywhere, all the time now depends on a working power grid and telecommunications, and there are few organizations still willing or able to conduct business “when the system is down”.
Everyone now assumes the universal availability of a fast, reliable Internet to reach “The Cloud”. But as always, “The Cloud” is just someone else's computer, part of a series of large virtual datacenter platforms that host most of the SaaS systems used by modern business. This cloud is an ever-growing mass of tangible physical equipment inside data centers across the nation and the world, interconnected via complex webs of power and fiber cables on utility poles, in underground conduits, or undersea. All of which are vulnerable to the natural elements, targeted attacks, and to unforeseen and unknown systemic interdependencies.
From our experiences as an infrastructure engineer and a threat intel analyst, we will discuss the physical and cybersecurity risks to the operations of the Internet and other critical infrastructure systems. Think natural disasters, ransomware in data centers, terrorism and sabotage, plus human error at scale. We’ll discuss how outages created by threat actors, climate change, or bad planning are impacting society via the businesses and services our civilization depends on. And because we can still prepare in advance, we’ll give you some recommendations and mitigation strategies to try to keep your organization or community connected. State-sponsored adversarial attacks will increasingly seek to exploit our weaknesses to “Disrupt and Disable”, then leverage the ensuing communications blackouts to incite mass panic or worse.
Phishing-resistant authentication is shifting from optional to mandatory. Not only are attackers using phishing as the primary mechanism to evade traditional forms of MFA, but they are also evolving their attacks to find ways around implementations where phishing-resistant auth is only preferred and not enforced. The road to deploying passkeys, Windows Hello for Business and Mac Platform SSO looks easy enough in the Microsoft docs, but what does it look like to implement them as mandatory across a workforce?
In this session we’ll cover how we went from a handful of FIDO2 keys to phishing-resistant authentication across our enterprise in Entra ID at breakneck speed. We’ll explore the ins and outs of the implementation from a technical and organizational perspective, the gotchas we hit along the way, and how we overcame them. We’ll cover edge-case scenarios, and how deploying passkeys is just part of the bigger equation of going phishing-resistant. We’ll also examine the phishing attack trends we were seeing, which helped inform and shape policy so that phishing-resistant authentication isn’t an option – it’s the only option.
Active Directory is still the fastest way to take control of an enterprise, and attackers know it. Modern compromises rarely rely on a single “big exploit.” Instead, threat actors chain misconfigurations, delegated rights, and credential abuse into repeatable attack paths that quietly lead to Tier 0 control.
This session breaks down the real-world exploit methods used to compromise AD today, including credential theft techniques like Kerberoasting, AS-REP Roasting, password spraying, NTDS.dit extraction, and DCSync. We will also cover privilege escalation and persistence techniques such as unconstrained delegation, Golden and Silver Tickets, AD CS abuse, SIDHistory injection, and identity trust exploitation.
Attendees will leave with a practical understanding of how attackers move from initial access to full domain compromise, plus the “toxic combinations” that create hidden attack paths most defenders never see until it is too late.
2025 witnessed a surge in Kerberos reflection vulnerabilities, fundamentally challenging our understanding of Windows authentication security. This presentation dissects the technical evolution of Kerberos relay-to-self attacks, with particular focus on authentication vulnerabilities even after Microsoft patches.
Despite patches addressing CVE-2025-33073 and CVE-2025-58726, the latter enabling SMB Server privilege escalation through reflective authentication, the core architectural issue persists. The Kerberos protocol's permissive handling of computer accounts requesting service tickets for themselves, combined with other known attacks such as authentication coercion and the default permissions of low-privilege Active Directory accounts, creates a powerful attack primitive that continues to expose organizations to risk.
This presentation covers the prerequisites for understanding these attacks, including Active Directory SPN registration mechanics, the default DNS permissions of non-privileged AD users, the Kerberos TGS-REQ/TGS-REP message flows in reflection scenarios, and the authentication coercion techniques that force victim machines into exploitable authentication sequences. The exploitation methodology provides a comprehensive walkthrough from a standard user account, demonstrating how attackers circumvented the CVE-2025-33073 mitigations to achieve SMB server exploitation as documented in CVE-2025-58726.
From a defensive perspective, this presentation offers detection engineering guidance across multiple layers of the security stack. We explore multi-layer detection of anomalous SPN queries and TGS requests, monitoring of DNS record creation, event log correlation strategies for identifying self-issued Kerberos tickets (Event ID 4769), and behavioral detection of unusual SPN registration patterns. These detection strategies give security operations centers actionable playbooks for identifying reflection attacks in enterprise environments.
Security professionals attending this presentation will gain a comprehensive understanding of why 2025 saw such an increase in Kerberos reflection attacks, bridging academic research and operational security requirements. The presentation includes live demonstrations of key attack techniques and detection opportunities, and attendees will receive detection playbook ideas and hardening guidelines applicable to enterprise Windows environments.