This was originally posted as an INSIGHT for Wolf & Company, P.C. here.
What is DerbyCon?
In recent Banking Technology Connections articles such as How Safe is Your Active Directory?, our Information Technology (IT) Assurance department discussed key takeaways from this year’s DEF CON, one of the largest hacker conventions in the world. DEF CON largely focuses on offensive or “Red Team” attack tactics, with presenters sharing their knowledge of the newest exploits and hacking techniques. In addition to DEF CON, another major information security conference our department participates in is DerbyCon. Speakers use this event as a platform to release the results of their research and the new tools and projects they have developed, and unlike DEF CON, the presentations tend to be more defensive, or Blue Team-focused.
How Can I Attend?
Although tickets go on sale months in advance in early May, they typically sell out in mere minutes. If you want to attend in person, you should carefully monitor the DerbyCon website as well as the conference’s Twitter account for advanced notice of ticket sale times; otherwise, you can watch their YouTube live streams.
What Does the Conference Look Like?
This year was DerbyCon 7.0. It was the seventh year of the conference and spanned three days in Louisville, Kentucky (hence the name). Presentations were broken out into five tracks:
- Break Me – Focused on new attacks or Red Team activities.
- Fix Me – Focused on defensive techniques, or Blue Team activities.
- Teach Me – Mainly focused around research and case studies.
- Three Way – Included a mix of the aforementioned three tracks.
- Stable Talks – Shorter talks (thirty minutes) that cover a wide range of topics.
You can access the presentation recordings here.
What Were the Key Takeaways?
DerbyCon helps us keep up with the latest defensive measures an organization can implement to keep attackers out, so that we can share them with our clients. Some of the things we learned include:
Securing Windows with Group Policy
Josh Rickard of msadministrator.com presented some of the advanced features in Windows Active Directory that are largely ignored in enterprise environments. He broke down the different ways an organization can secure its network without investing in additional technologies, and provided detail on several approaches to cleaning up the low-hanging fruit, including:
- Restricted Groups
- Default User Permissions
- Task Scheduler
Exploring these recommendations may sound like a project you don’t have time for, but Josh breaks them down into smaller steps, which will help you make incremental progress towards a more secure network. You can view his presentation here.
Defend Against PowerShell Attacks
Lee Holmes is the lead security architect of Microsoft’s Azure Management group and provided some excellent insights into PowerShell attacks. While some organizations recommend blocking PowerShell outright, this does not fully address the underlying security problems. Blocking PowerShell outright also removes the automation benefits your support team is likely already taking advantage of. Additionally, many advanced administrator tasks are only available via PowerShell, as Microsoft is moving away from the Graphical User Interface (GUI) for many tasks. This applies to on-premises Microsoft networks as well as those hosted in the cloud.
You can implement granular role-based access control, down to the PowerShell cmdlets each user is allowed to run. In addition to restricting PowerShell usage based on a user’s role, the real benefit of recent PowerShell versions is the extremely detailed logging. These logs not only aid in monitoring administrator activity, but can also be critical for incident investigations. One key logging setting records the de-obfuscated code in the event log even when the command was run in obfuscated form. Another easy win he identified is implementing application whitelisting for PowerShell scripts.
View the presentation here.
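To make the controls above concrete, here is an added lab example (not code from the talk or from Microsoft) that enables script block logging on a single host, defines a Just Enough Administration endpoint that limits a help-desk group to three cmdlets, and reads back the logged script text that responders rely on. The group name CONTOSO\HelpDesk, the module name HelpDeskJEA and the transcript path are assumptions; run it in an elevated PowerShell 5.1 session on a test machine.

```powershell
# Added example: role-based PowerShell access plus the logging that captures
# de-obfuscated script text. Assumed names: CONTOSO\HelpDesk, HelpDeskJEA.

# --- 1. Script block logging (what Group Policy writes; set here for one lab host) ---
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 2. Just Enough Administration: an allow-list of cmdlets for one role ---
$modDir  = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpDeskJEA"
$roleDir = Join-Path $modDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
# JEA discovers .psrc files only inside a module's RoleCapabilities folder,
# so give the folder a manifest to make it a valid module.
New-ModuleManifest -Path (Join-Path $modDir 'HelpDeskJEA.psd1')
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'HelpDeskOperators.psrc') `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog' `
    -VisibleFunctions @()

# RestrictedRemoteServer runs in NoLanguage mode, so only the role's cmdlets are
# reachable; the virtual account keeps the operator's own token off the box, and
# every session is transcribed for investigators (assumed path).
New-PSSessionConfigurationFile -Path "$env:TEMP\HelpDesk.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDeskOperators' } }
Register-PSSessionConfiguration -Name HelpDesk -Path "$env:TEMP\HelpDesk.pssc" -Force | Out-Null

# --- 3. What the logs give a responder: event 4104 carries the executed script text ---
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 20 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $_.UserId
        Script = $_.Properties[2].Value   # ScriptBlockText: the code as PowerShell ran it
    }
} | Format-Table -Wrap
```

Help-desk users connect with `Enter-PSSession -ComputerName <host> -ConfigurationName HelpDesk` and see only the three cmdlets, while section 3 shows the decoded script text that 4104 events record regardless of how a command was written.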
Run Your Security Program Like a Boss/Practical Governance Advice
Lastly, Justin Leapline, PCI Practice Lead, and Rockie Brockway, Advisory Services Practice Lead at TrustedSec, shared practical tips for engaging senior leadership and getting your organization to buy in to your risk management process. They focused on how you can solidify the basics: understanding what assets exist in your environment, identifying the critical areas of the business, and using an independent approach to risk management.
Justin and Rockie also acknowledged how convoluted the “security framework” space can be, with new frameworks coming out at what feels like a daily frequency. They released two new tools that may be of value to you:
- Enterprise Security Architecture (ESA) – a set of tools to aid in measuring an organization’s security posture.
- Episki – an open-source governance, risk, and compliance (GRC) tool.
View the presentation here.
If you are interested in ESA or Episki, we also recommend you take a look at WolfPAC Integrated Risk Management. WolfPAC is a secure, web-based enterprise risk management solution used to automate the identification of risks, threats, and control gaps.
These are just a few examples of the great content shared at this year’s DerbyCon. Even though the event has passed, you can benefit from all of the presenters’ research by accessing their presentations online (link above). DerbyCon is an important conference to attend and pay attention to if you want to learn from professionals who are leading the way in advancing network defense tactics.