ATLSECCON 2025

My talk this year will be to emphasize that the inevitability of cyberattacks does not render an organization powerless.  The strength comes from being proactive, vigilant and adaptive so that we can significantly reduce risks and minimize the damage when an attack does occur.   I will discuss the measures that organizations need to take in order to bolster readiness.    This will include understanding the threat landscape by indetifying vulneratbilities and recognizing common attack types.   I will then talk about implementing security measures such as network security, endpoint protection, and encryption.   I will talk about training and awareness including incident response, business continuity and disaster recovery, followed by monitoring and response, compliance and best practices, and lastly how all of that integrates into an organizations culture.  

How hard do you think it would be to disable our civilization? Not as hard as you think.

The daily services, apps, and financial transactions that our civilization now depends on all require and assume the presence of a fully functioning and speedy Internet that can reach "The Cloud" of various large virtual datacenter platform providers.  Do  you remember where you were during the national Rogers netowrk outage in 2022?

"The Cloud" really is just someone else's computer.  All of those services and virtual servers depend on a massive amount of real physical servers, network equipment, and cabling that exists inside of data centers.  Those data centers are connected to your businesses, homes, schools, and phones via a complex web of aerial fiber optic cables attached to utility poles, or in underground conduits.  Our countries and continents are primarily interconnected with fiber optic cables that run under the sea.  The space based satellite Internet systems all require a connection to the fiber optic networks to function. All of that fiber is utilized by connecting it to the vast array of telecommunications equipment that is located in downtown carrier hotels, neighborhood cell tower sites, and roadside cabinets.   The Internet is a complex system that works surprisingly well, until it doesn't.   

We want to have a frank discussion about these risks. We will present some scenarios and outage possibilities that you may not have considered such as targeted intentional sabotage, terrorism, wars, natural disasters, electric grid outages, ransomware in the data center, the fiber optic cable seeking backhoe, and the ever popular "plain old human error" at scale.  

We will also discuss some mitigations for these risks, recommendations for critical infrastructure owners, and give you some actionable recommendations for how to stay connected.

DNS is a critical component of internet infrastructure, primarily known for resolving human-readable domain names into machine-readable IP addresses. However, its functionality extends beyond simple name resolution.  This talk exposes the hidden side of DNS, revealing how attackers can subtly manipulate its features, particularly TXT records, to achieve their malicious goals.  While most people in the information security realm are aware that DNS is a valid means of covert communication, not everyone fully understands how it works on a technical level. 


This presentation aims to educate attendees on exactly how DNS can and is used for both data infiltration and exfiltration, with coding examples, covering such topics as:

DNS Fundamentals: A clear explanation of how DNS operates, including the roles of different record types, and rhe query/response process.

Infiltration Techniques:  An in depth description of how DNS records can be used to covertly smuggle files into a secure, and sometimes segmented, network environment.


Exfiltration Techniques: Exploring how DNS requests can be leveraged to exfiltrate sensitive data out of an environment undetected.


EDR/AV Bypass: A high level overview of how DNS can be used to bypass a corporate security stack by keeping malicious code off disk and living in memory

When was the last time you felt like you had enough time in the day to get your work done? Are you exhausted by the never ending firehose of security challenges you have to deal with each and every day?

In this session, we are not going to change that reality. Sorry, security work is continuous, but it doesn’t have to be overwhelming.

This session looks at the workflows around your security practice and how it interacts with the business. Security is a service business, but teams are rarely set up in a way to deliver that service successfully.

There’s a lot of history that contributes to the current state of security teams, but that history typically isn’t serving a purpose. More often than not, the way we’ve built out our work leads to delays, frustrated colleagues, and eventually teams that work around us instead of with us.

This isn’t a talk about simply getting “buy in” from other leaders, it’s about breaking down our security goals and learning from other types of teams and businesses and how they are set up.

You’ll learn about the hidden challenges that impede your work, structures and workflows that can accelerate security improvements, and how to build stronger relationship with the rest of your organization.

In cybersecurity hindsight is very often 20/20 and it is more important than ever to build systems that are not only resilient but also anti-fragile. This means creating systems that are not only able to withstand unexpected disruptions (black swan events) but also emerge stronger and more capable as a result. In this presentation, we will explore the concept of anti-fragility and its relevance to cybersecurity protection in 2024.

Drawing on real-world examples of black swan events, such as the WannaCry ransomware attack of 2017, we will examine the causes and consequences of these disruptions and discuss strategies for building cybersecurity systems that are better prepared to handle them. We will also focus on the importance of basic security hygiene, particularly in the area of password management, as a critical component of an effective cybersecurity strategy.

Despite the increasing sophistication of cyber threats, many breaches can be traced back to weak or compromised passwords. By implementing simple yet powerful practices such as multi-factor authentication, regular password changes, and password managers, organizations can significantly reduce their risk of a breach. Moreover, by fostering a culture of cybersecurity awareness and training among employees, organizations can create a strong first line of defense against cyber attacks.

This presentation will provide practical guidance on how to build anti-fragile cybersecurity systems that can withstand black swan events and maintain robust security in the face of constantly changing threats. Through a combination of real-world case studies, best practices, and emerging trends, attendees will gain a deeper understanding of the role of anti-fragility and basic security hygiene in protecting their organization's digital assets.

Active Directory (AD) is a cornerstone of enterprise IT environments, providing critical services such as authentication, authorization, and identity management. However, its pervasive use also makes it a prime target for cyber attackers. This paper explores the evolving landscape of Active Directory cyber attacks, focusing on the methods and techniques used by threat actors to compromise AD environments. We will analyze case studies of recent high-profile breaches, highlighting the common vulnerabilities exploited and the tactics employed to escalate privileges, maintain persistence, and exfiltrate sensitive data. The discussion will include an examination of the tools and strategies used in these attacks, such as pass-the-hash, golden and silve ticket, kerberosting, DCSync, Golden SAML and Azure AD Token Theft attacks. We will also cover the latest defensive measures and best practices for securing Active Directory and Azure Active Director, including monitoring, detection, and incident response strategies. The aim is to provide IT professionals and cybersecurity practitioners with actionable insights to fortify their AD environments against sophisticated threats and ensure the integrity and security of their networks.

A brief overview of crypto currency and investigations into offences involving crypto currency.

There is a lot of hype around LLMs and Generative AI in cybersecurity - enough to make one roll their eyes into the back of their head. However, there are also a lot of organizations that are getting real value. In this talk, we will unpack some of the hype - and share real world use cases you can deploy NOW, showing how generative AI is being used today in security operations centers to take an existing process that is bottlenecked by humans, and supercharge it, using AI and automation to do what humans used to have to do - using both open-source as well as commercial tools.

Our personas are fabrications and constructions of our inner self that we project outwards.  We do this through various means and influences such as race, gender, sex, ability, age, culture, religion, norms,  class, and status. For the “real world” aka “irl” we do all this by expression in our clothing, makeup, hairstyling, our hobbies, our network of friends, colleagues, and acquaintances. We leverage all of these facets and we create masks, personas, that we think will best interact with the world around us. The same concepts apply when creating personas for infiltrating online communities. 

Online communities are built on trust, reputation, and currency which can take various forms such as data, crypto, intel and notoriety. This talk is an exploration of techniques; linguistics, OPSEC, OSINT, and SOCENG. Tactical operations and concepts like hours of online operation, timezone shifting, and using low ranking accounts as canon fodder for probing, and psychological models used in the infiltration of emerging threat actor groups.

Social engineering isn’t just about tricking people—it’s about understanding how humans think, behave, and make decisions in the moment. As a professional social engineer, Snow has spent her career breaking into buildings, bypassing security measures, and convincing people into handing over sensitive information. Sometimes, she succeeds. Other times, she gets caught. Either way, every engagement can reveal critical security gaps that organizations overlook.

In this keynote, Snow will take you inside the mind of a social engineer, sharing real-world stories, the tactics that work (and why), and the moments where organizations fought back effectively. We’ll also examine a hard truth: traditional security awareness training is failing us. But this isn’t just about her stories - it’s about your security. Throughout the talk, Snow will leave you with critical questions to take back to your organization.