When you think of West Virginia, you might not immediately think about breaking the sound barrier. But it was a native of the “Mountain State” named Chuck Yeager who piloted the world’s first supersonic flight. The Charleston airport, which is named for him, sits on top of a mountain. When you fly in over seemingly endless mountain tops, you really must admire the pilots who are able to navigate and land so precisely, keeping us all safe while moving so fast. This same spirit of moving quickly and securely extends beyond the airfield and into the premier security conference in the state, SecureWV 2024.
Over 350 security professionals and students gathered for two very full days of sessions, villages, and a HackerCon CTF. The fun theme this year was “Wild, Wierd Security” and featured a regional cryptid theme, but each and every session delivered on the conference’s serious mission of “Information Security Education.” Your author was able to share two sessions at the event, which was celebrating its 15th year, teaching folks all about honeytokens and security champion programs.
There were too many sessions and too much fun to capture it all in this post, but here are some of the highlights from SecureWV.
Official SecureWV poster
Good security means good communication and connections
In his opening keynote, “Don’t Stop Believing on this Journey,” Matt Scheurer, ThreatReel podcaster and VP of Security at a major US organization, laid out the basics of modern cybersecurity and how to plot your personal path forward. He explained that most threat actors are financially motivated and what we are up against is really organized crime. He explained that “cybercrime as a service” is on the rise and takes many forms, from Phishing and Ransomware as a Service to initial access brokers, who break in, establish a persistent access path, and then sell that to the highest bidder.
Matt warned us to avoid the “wheel of blame,” which is when everyone in the organization says, “That breach couldn’t have been my fault. If only you had done this…” Instead of just focusing on “defense in depth” from a technical perspective, we need to focus on “people in depth” where we are truly able to support one another. We should be working toward security outcomes where everyone wins.
We can only get to this level of collaboration by connecting to the people we are trying to defend and listening to them. He emphasized that we must make these connections before an incident occurs by connecting as people over sports, music, or some other common interest. Matt explained that when they see you coming, you want them to be happy to see you, not coming to just yell at them again.
Matt Scheurer
Threat modeling does not need to be a fever dream
Hudson Bush, Principal Information Security Engineer at Dragos, gave a thought-provoking session, “Adversarial Thinking – Using Threat Modeling to Develop a Cognitive Map of Your Security Posture,” where he argued attackers have no limit to what they are willing to try. It is time we used the techniques to conceptualize our attack surface. He cited John Lambert, who said:
The biggest problem with network defense is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.
Hudon gave us a high-level attack path mapping, which takes a graph view of the network and how someone could realistically move through it. The process follows a few steps, including brainstorming attack paths, mapping to MITRE or other attack frameworks, accessing current defenses, and getting outside perspectives from your team.
He warned against getting trapped in hypotheticals, spending time worrying about esoteric attack paths. He told the story of making a ‘fever dream document’ where he stayed up all night thinking through every conceivable way into the network. Once he talked to his team, he realized that he had wasted a lot of time by not considering how any of those attacks could realistically be pulled off in their current environment. Always use logic to map things out.
Adversarial Thinking – Using Threat Modeling to Develop a Cognitive Map of Your Security Posture from Hudson Bush
Thinking our way through the threat landscape
In Security Awareness Advocate at KnowBe4 Erich Kron’s talk “Cyber Warzone: Establishing Your First Line of Digital Defense,” he took us through a high-level overview of the current threat landscape and gave us some advice for navigating it. Before ‘security’ was a department, IT was responsible for everything plugged into a wall. While that has changed, the single largest contributor to security breaches has never changed: the human element. Recognizing this is a first step toward a more secure future.
Erich stressed the financial costs of some of the most common attacks. For example, his research shows that “ransomware has gone crazy,” with an average ransom payment of $1.5 million, up from just over $812 thousand just the previous year. Business Email Compromise, BEC, attacks cost companies $43 billion in just the years 2016 to 2021. Deepfakes, targeted phishing, and voice phishing (vishing) attacks, which are on the rise, cost one company $25 million in stolen funds.
He asked us to think about risk in terms of mitigation, avoidance, and transference, not just acceptance. He reminded us that when we make plans, we need to test those plans. If you don’t practice, you will likely fail when a real incident occurs. Part of your plan needs to be about who is responsible for what and some clear timelines mapped out ahead of time.
Erich Kron
Security is not as scary if you are not alone
Throughout the event, we had Bigfoot and Mothman sightings and even a whole session titled “What Texas Urban Legends Taught Me About Information Security.” We had a good time sharing stories about these mythical creatures and the fun kind of fear, especially when we were in a well-lit conference center and with other like-minded folks. Fortunately for us all, dealing with the fears over security events caused by real-life threats can be accomplished in much the same way: by sharing our stories and best practices from a life in security.
This theme of improving security together seemed to be a theme throughout this and every event throughout this year’s spooky Cybersecurity Awareness Month. We at GitGuardian are happy to help you conquer your fear of the unknown by helping you identify where secrets have sprawled throughout your environments. Knowing where they are, in the light of day, is the first major step toward bravely making your organization safer.