ATLSECCON 2025

As the digital landscape continues to evolve, so do the threats and challenges that businesses face. IT disaster recovery (DR) has traditionally focused on scenarios such as fires and loss of network connectivity, yet the majority of disruptions are happening as a result of cyber-attacks that deliberately target your backups and secondary hosting sites to cause maximum damage. Further compounding this challenge is the fact that most organizations have a mix of systems hosted on-premise, systems managed by third parties and SaaS solutions that need different recovery approaches.
This presentation will explore modern approaches to IT DR using both cloud and no-cloud options, with automation where possible. We will also discuss the typical causes of delays during recovery from cyber-attacks, and solutions for speeding up recovery in situations where incident response teams need time to do their forensics work but business operations need to resume.

Join Nick Scozzaro, Founder and CEO of ShadowHQ and former Head of Enterprise Mobility Engineering at BlackBerry, and George Plytas, Head of Information Security at Canadian Automobile Club (CAA ) as they explore emerging trends and best practices that enhance how organizations respond after a breach. Discover how Business Continuity, Cyber Response, Disaster Recovery, Crisis Management, and Executive Leadership are converging around the CISO and how they can better support all efforts of a response.

Attendees will gain critical insights to emerging trends, see where traditional IR plans are failing and learn best practices to help improve their security program, enabling a faster, cohesive and effective recovery plan

When a security event occurs, most teams tend to jump into a circle of blame. Everyone takes their turn saying, "It can't be my fault. If only that user had not clicked on that link," or "If that developer had not hardcoded that credential, then none of this would have happened." Unfortunately, for many companies, the Security team is ultimately seen as at fault when a breach happens; after all, it is a security incident. 

Long-lived credential leaks, aka secrets sprawl, are possibly the single largest security risk every organization is currently facing. The reality is that no security team can solve this growing issue on its own. This is going to take a full team effort and rethinking some of the relationships and silos we have become accustomed to in the tech world. There has never been a better time to rethink how we build complex applications and how they interact with the world. 

In this talk, you will:
- Get an update on the latest secrets security research 
- Ask who really owns security and identity
- Map possible routes for a secrets-free future
- Rethink git and pull requests workflows and see why that is more involved than you think

Modern software is complex and developers heavily rely upon third party code. Securing the software supply chain gained a lot of attention following the Solar Winds compromise. However in the years following this compromise, very little has effectively moved the needle to reduce risk related to third party code and the software supply chain.

This talk will walk through the following problems with securing the software supply chain and propose some solutions to help companies:

1. Walk through example tech stack
2. Break down each of the compoennts of the stack
3. Highlight the scope of third party software and services used
4. Discuss the academic vs reality in approching securing the supply chain
5. Talk about how companies are approaching the problem
6. Understanding software composition analysis and problems with these tools
7. Vulnerability reporting is broken and the state of NVD
8. Problems with software bill of materials (SBOMs)
9. Walk through of ecosystems for third party code - Homebrew, Operating systems package managers, PyPI, NPM, etc
10. Examples of attackers abusing these ecosystems to compromise organizations
11. Walk through containers and Kubernetes
12. Walk through AI supply chain and new Chinese AI models
13. Examples of how security professionals are being targetted
14. Approaches for securing the software supply chain that are working
15. Descriptions of the challenges
16. Open source options - OpenSSF Scorecard
17. Startups and commercial solutions with unique solutions
18. Options to cache or proxy third party code
19. How ecosystem maintainers are trying to protect against attackers
20. Options to secure the CI/CD and developer endpoints

In the complex world of OT/ICS environments, traditional approaches to threat hunting often fall short when handling vast datasets and detecting sophisticated threats. This talk introduces practical Jupyter Notebooks designed for large-scale threat hunting, with a focus on graph-based visualizations to uncover anomalies. Using APT Volt Typhoon’s tactics, techniques, and procedures (TTPs) as a case study, attendees will explore scalable methods for anomaly detection and detection engineering. The session emphasizes actionable strategies to build alerts for OT protocols like DNP3, BACnet, and Modbus, arming SOC teams to proactively safeguard critical infrastructure.

Encrypt your data in the cloud, or someone else will do it for you. Here’s just one of the learnings we will share with you at ATLSECCON 2025. We’ve spent a ridiculous amount of time in the data protection and backup industry. In this session, we’ll share with you what we’ve learned so you won’t have any backdoors, surprises, mistakes or other unfortunate circumstances to put your data at risk. We will share common breakdowns in data protection strategies when it comes to ransomware recovery (and how to avoid them) as well as some practical advice for using backup data for analytics and cyber forensic purposes.

Modern information stealers have evolved far beyond simple credential harvesters into sophisticated tools that capture complete digital fingerprints of their victims. In this technical deep-dive, we unveil groundbreaking research into stealer architecture, attack chains, and defensive countermeasures. Through analysis of real-world compromise scenarios, including desktop screenshots captured at infection moments, we reveal how threat actors leverage compromised ad networks and trojanized software for mass deployment. 
Building on hands-on experience with stealer log analysis, we detail how modern threats bypass multi-factor authentication, compromise (or not) password managers, and extract cryptocurrency wallets. We examine Chrome's application-bound encryption and why, although already circumvented, it creates new detection opportunities. The session concludes with practical defensive strategies and the release of two community resources: a PowerShell script for automated credential testing against Entra ID and a curated dataset of stealer logs for security research.
This presentation equips security practitioners with concrete insights and tools to defend against one of today's most consequential yet underexamined threats.

Canada struggles to find and keep cyber-talent. If cybersecurity is addressed in schools at all it tends to be as a passive media marketing campaign, but cyber-skills are teachable and approaching them that way also develops mentorships. In 2025 the Global Forum for Cybersecurity Excellence published a cyberstory about CyberTitan, Canada's national student cyber competition and the importance of intergenerational relationship building in an industry so new that it has no mechanisms for this essential process.

Cybersecurity has an image problem which causes many young people to opt out of opportunities in the field. In addition, cyber struggles to retain talent even when it can find it because the discipline is relatively new and has yet to mature into a sustainable field of study where human connections are supported professionally. Until cyber nurtures these professional relationships (which are evident in established fields through apprenticeships and other mentoring mechanisms), it will struggle to sustain itself as the essential component of digital infrastructure that it is.

One of the most challenging aspects of anyone’s cyber journey is finding mentors to support their growth. The challenges implicit in this early stage of digital security are not only faced by younger people. Many senior cyber specialists leave due to overwork and frustration around a lack of resources, many of which are (ironically) related to an inability to hire new talent.

How do we nurture these intergenerational human aspects of cybersecurity to encourage a more sustainable approach to the discipline?

In developing CyberTitan, the Information & Communication Technology Council of Canada (ICTC-CTIC) has partnered with the Communications Security Establishment (CSE-CST – Canada’s cryptography agency) to develop a nationwide initiative to develop the real world cyberskills in Canadian students while also illuminating pathways into the field. To create a sustainable cyber future in Canada we must work together to build these intergenerational bridges. We have the tools, we can build the homegrown talent.

There have been a variety of global attacks that disrupted power distribution, fuel distribution, and shipments. The attacks were successful because they exploited vulnerabilities in Operational Technology (OT). Due to the nature of OT, these disruptions not only cause a loss in revenue but can cause a loss of life as well. However, the industry is changing, and as assets become exposed to the Internet, the fundamental technologies of IT can help secure them. The presentation focuses on understanding past OT attacks, the differences and similarities between securing IT and OT technologies, and how we can merge the two to be able to have safer critical infrastructure.