
Event Schedule

Event Starts On: May 6, 2024 8:00 AM
Event Ends On: May 10, 2024 3:00 PM
Briefings
Date
Time
Speaker
Briefing Details
Dark Arts Village Opening
May 6, 2024
09:30:00am

Opening and welcome to the Dark Arts Village

Network Forensics CTF
April 25, 2023
10:00:00am

Join us for an in-person Capture the Flag (CTF) competition at RSA hosted by Corelight, where players will compete to answer security challenges using Corelight’s Zeek-based logs in CrowdStrike’s Falcon LogScale platform. The challenges presented will model realistic cyber incident response and threat hunting scenarios and provide analysts with excellent training for NDR workflows and Zeek data proficiency. CTF players accrue points based on response accuracy and speed. Corelight has technical experts on hand to deliver private in-game support for players if they get stumped on a challenge or otherwise need help. Play to win and play to learn!

PUV Area - Adversarial Simulation with Splunk Attack Range
April 25, 2023
10:00:00am

The Splunk Attack Range framework provides different tools that allow security analysts to test networks, hosts and applications against a number of known adversarial TTPs based on the MITRE ATT&CK framework. The Splunk Attack Range framework allows the security analyst to quickly and repeatedly replicate and generate data as close to "ground truth" as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk Phantom. This 2-hour workshop will provide attendees with access to Splunk Attack Ranges containing adversarial simulation engines (Operator, Atomic Red Team), target machines and a Splunk server receiving attack data. Instructors will provide step-by-step instructions on where to get the code for the framework, how to build it and how to use it to simulate attacks and create detections and defense artifacts. Join us in the Dark Arts Annex area.

Cisco Cyber Resilience Workshop
April 25, 2023
11:00:00am

Is your team prepared for the next supply chain attack or the next zero day? Reality check! We are all under attack every day, and we will all eventually be compromised! For this reason, your organization needs to be CyberResilient. Cyber resilience refers to an organization's ability to identify, respond, and recover swiftly from an IT security incident. Building cyber resilience includes making a risk-focused plan that assumes the business will at some point face a breach or an attack. We have recently released the new Cyber Resilience Workshop 5.0 attack and defend training simulation within Cisco dCloud. This program has existed for over 7 years and continues to grow in capability and provide red/blue team training globally for Cisco customers. It has been run at many global security events including Cisco Live, DEF CON, RSA and BSides, just to name a few. The Cyber Resilience Workshop utilizes much of the Cisco security portfolio, as well as IBM, Radware, Rapid7 and Splunk. From a Red team perspective, it provides hands-on training on attack tools such as Kali Linux, Social Engineering Toolkit, Metasploit, Shodan, Armitage, Empire and OWASP ZAP, just to name a few. In this lab, you experience cyber security attacks in a virtualized enterprise lab environment where you play attacker and defender and learn, first-hand, why you need highly integrated security solutions and CyberOps skills. Please read on if you are ready to take on this challenge.

Chatbots for Cybersecurity
April 25, 2023
01:00:00pm

In this presentation, we'll dive into the world of chatbots and learn how they can be leveraged for cybersecurity tasks. Specifically, we'll explore the use of large language models (LLMs) like ChatGPT and examine the advantages and limitations of this technology. We'll start with an introduction to chatbots and LLMs, including how they work and why they are relevant to cybersecurity. From there, we'll delve into the practical applications of chatbots for both defensive and offensive security. On the defensive side, we'll explore how chatbots can be used to automate tasks such as log parsing, web scraping, and data analysis. We'll also look at how they can simplify complex security concepts and help educate team members at various levels of expertise. On the offensive side, we'll examine how chatbots can be used for tasks such as social engineering and phishing simulations, as well as for automating various attack techniques. Throughout the presentation, we'll share real-world examples of how ChatGPT has been used in security engineering tasks, including generating Python scripts, creating cybersecurity content for social media, and even helping with complex projects. By the end of the presentation, you'll have a better understanding of the potential of chatbots and LLMs for cybersecurity tasks, and how you can integrate these tools into your own workflow.

Web3 Hacks, Scam and Exploits
April 25, 2023
02:00:00pm

Web3 Hacks, Scam and Exploits

Enrichment at Scale
April 25, 2023
04:30:00pm

An IP without context is just a number, so this hands-on workshop will walk through the development and deployment of a Docker-based threat intelligence enrichment pipeline, which will add critical context to firewall data, including geographic location, as well as flagging potentially bad actors. With the help of a free Cribl Stream account, Redis, and OpenSearch, you’ll be able to enrich data in near-real time for faster detections. https://cribl.io/blog/enrichment-at-scale/

Dark Arts Village Welcome and Opening
April 26, 2023
09:30:00am

Dark Arts Opening

IHackWeb3 - CTF
April 26, 2023
10:00:00am

IHackWeb3 will open up at 10:00am, and stay open for the rest of the day. The first hour of the presentation will be a workshop to introduce players to smart contracts and the game. Any remaining time will be used to play the game along with the audience. GAME - IHackWeb3 is a learning-focused wargame where players are given vulnerable Ethereum smart contracts that need to be “hacked”. This involves using the functionality of the smart contract in an unexpected way in order to perform unintended actions, such as stealing ERC20 tokens or destroying the contract from the inside out. The goal of the game is to teach players the basics of smart contract security issues and give them tools to identify, exploit, and patch those issues. WORKSHOP - Crash Course in Smart Contracts: A primer for players completely new to blockchain and web3 technologies. Brief explanations will be given to core concepts of web3 from a developer point of reference. Topics discussed include blockchain technology, Ethereum and the EVM, smart contracts and Solidity programming. This workshop will also include a hands-on tutorial for writing, deploying and interacting with a Solidity smart contract on the Ethereum blockchain. Completion of the workshop will lead right into IHackWeb3, allowing participants to start building their new skills right away.

Supply Chain Security and CSAF
April 26, 2023
11:00:00am

The Common Security Advisory Framework (CSAF) is a standard that enables the sharing of machine-processable security advisory and vulnerability exploitability information among stakeholders in the supply chain. This presentation will explore how CSAF can help improve supply chain security by enhancing the communication and remediation of security vulnerabilities. The presentation will discuss how CSAF can be used to streamline the vulnerability management process, promote consistent and accurate vulnerability reporting, and improve the efficiency and effectiveness of vulnerability remediation efforts. Additionally, we will provide examples of how CSAF has been used in real-world scenarios to improve supply chain security, including recent security vulnerabilities. We will also cover how it is used in combination with software bills of materials (SBOMs) and how it provides support for the Vulnerability Exploitability eXchange (VEX). We will also provide hands-on demonstrations of available open-source tools that you can use to get started producing or consuming CSAF content.

Live Recon like an Adversary, The Bug Hunter's Methodology
April 26, 2023
01:00:00pm

Adversaries and bug bounty hunters share a common TTP: they do extensive recon on their targets. Join Jason in this 2-hour workshop as he goes through common tools and techniques when targeting an organization. Jason will cover email acquisition, technology profiling, external attack surface (cloud, mobile, ++), historical data mining for endpoints, and more. Jason will walk through each tool in the toolchain, live, for the students while he reveals his own personal tips and tricks in each section. The workshop will be performed on LIVE targets, so fasten your seatbelts! This workshop is a must-see for anyone in the offensive security space.

Building well architected AI / DevSecOps in AI / Production ready AI infra
April 26, 2023
03:00:00pm

In this talk, we will explore the exciting new discipline of Prompt Engineering and its role in optimizing language models for efficient development. Additionally, we will delve into The Five Pillars of well-architected AI Infrastructure. Attendees will learn best practices for operational excellence, security, reliability, performance, and cost management, providing them with the tools they need to succeed in today's rapidly-evolving AI landscape. This talk is a must-attend for anyone interested in staying ahead of the curve in AI development and infrastructure. Join us at the RSA Conference to learn more. The Five Pillars of well-architected AI Infrastructure are listed below. Operational Excellence: How to support AI development and run workloads effectively. Security: How to secure infrastructure, application and data; AI Safety best practices. Reliability: How to perform the application's intended function correctly and consistently when it’s expected to. Performance: How to use computing resources efficiently to meet system requirements. Cost: How to run systems to deliver business value at the lowest price point.

API Hacking Workshop
April 26, 2023
04:00:00pm

A foundational element of innovation in today’s app-driven world is the Application Programming Interface, or API. Unlike traditional web applications that manage data handling on the server and send pre-rendered resources to the browser, APIs perform only data processing and leave the rendering to the client. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and have increasingly become a target for attackers. In this workshop, you’ll exploit the most common API vulnerabilities in realistic scenarios.

Dark Arts Village Opening
April 27, 2023
09:30:00am

Village Opening

PUV Area - Machine Learning For Noobs
April 27, 2023
09:30:00am

We are living through the Singularity--artificial intelligence is exploding in importance, and it will change everything in tech in the next couple of years. We all need to learn how Machine Learning works, its merits, and its limitations. This talk introduces a simple series of hands-on CTF-style challenges to get you started coding and exploring, using TensorFlow on Google Colab. All materials are freely available at samsclass.info. Dark Arts Annex

Weaponizing Open Source Intelligence: Perfecting Phishing Attacks
April 27, 2023
10:00:00am

A common attack vector for malicious actors is the humans behind the technology. People are manipulated through Social Engineering so that attackers can achieve their goals. One Social Engineering attack is phishing, in which a fake email is presented as legitimate content and can harbor malware. An effective method threat actors use to make their phishing emails more realistic is collecting Open-Source Intelligence (OSINT) beforehand. OSINT is a methodology to collect reconnaissance information on individuals or companies. This presentation will cover how OSINT is used to craft effective Social Engineering attacks through phishing emails.

Practical Cloud Threat Modeling
April 27, 2023
11:30:00am

Cloud threat modeling enables and drives secure cloud adoption. Threat modeling focuses on determining what to protect, who to protect it from, and how to protect it. The outcome is an understanding of threats and assets, and the implementation of mitigating controls to reduce risk. In this talk, you will learn the basics and how to perform threat modeling through an exercise, where we guide you through the different stages of a practical threat model based on an AWS and microservices migration.

The Dark Side of Twitter
April 27, 2023
12:30:00pm

The Dark Side of Twitter - OSINT on Twitter

Explore the many capabilities of Flipper Zero
April 27, 2023
01:30:00pm

In this talk, we'll explore the many capabilities of Flipper Zero, a powerful physical penetration testing tool. I'll start by providing an overview of Flipper Zero and its intended uses, including some cool projects that have been created using the device. Then, I'll dive into the technical details of Flipper Zero, discussing the resources available for maximizing its usage, such as custom firmware and community support. But the real highlight of this talk will be the digital forensics analysis on Flipper Zero. We'll discuss how to trace back or discover the tools that have been used with Flipper Zero, as well as the methods and techniques used to collect useful information during a forensics investigation. By the end of this talk, you'll have a better understanding of Flipper Zero and its potential for both security testing and digital forensics analysis. Join us at the Dark Arts Village - RSAC Sandbox at 12:00 Noon

RSA Conference is where the cybersecurity world comes together. For four days, you’ll gain insights, join conversations and experience solutions that could make a huge impact on your organization and your career. With so much change happening in our industry, we’re here to help you stay ahead of it all. We’re excited to be back in San Francisco, but a Digital Pass is also available for those who cannot attend live.

However you experience RSAC 2024, you’ll come away with knowledge and insights that will spark ideas and help you make the game-changing decisions that will transform the way you protect the world from threats.

The Dark Arts Village will be live in-person at the RSA Conference May 6th – May 8th hosting Workshops, Labs, Hands-on Training, CTFs and a whole lot of Knowledge Transfer.
