Case Studies I
Wednesday, 11 December 2019
15:30 - 17:00
Chair: Randy Smith, Boeing
Defeating the PCAP Problem: Making a Mountain into a Molehill, Leigh Metcalf, Carnegie Mellon University, CERT
Abstract: Analyzing and monitoring network data at scale is a difficult process and can involve costly products to keep up with the amount of traffic the users of a large organization can create. CERT has created the open source tool Analysis Pipeline, which can be used to monitor and analyze network traffic at scale. Created to inspect network flow records as they are generated from a live network sensor, the Analysis Pipeline supports watch lists, DNS query inspection, network profiling and more. This talk will cover how Analysis Pipeline works and how it can solve many security tasks in an organization.
Bio: Leigh Metcalf has a PhD in Mathematics from Auburn University and spent nearly 10 years working in industry in cybersecurity and related fields. She has been at CERT for 9 years as a cybersecurity researcher and is the co-Editor-in-Chief of ACM Digital Threats: Research and Practice. She is also the primary author of the book Cybersecurity and Applied Mathematics and a co-author of the book The Science of Cybersecurity (in preparation with World Scientific). Leigh specializes in analyzing assumptions found in cybersecurity research and has written and released open source software.
“Operation CWAL”: The Dying Art of Product Penetration Testing, Daniel Nguyen, Daniel Ladron, and Adrian Pirvu, The Boeing Company
Abstract: Penetration testing in the embedded systems and avionics world attempts to duplicate the activity and impact a malicious actor would have on the overall mission of a product. It relies on the tester’s judgment and experience to identify appropriate attack vectors that are often difficult or impossible to ascertain through automated means. It is often seen as a stonewalled, adversarial relationship with the system owners. This is a dynamic, costly and naturally inefficient process that is negatively highlighted in a time-sensitive ecosystem. Recent attempts to baseline and standardize testing have led to an over-reliance on frameworks (such as RMF, PCI and OWASP) and, unfortunately, a lack of creativity in the industry. This has led to a major gap we often refer to as Mission vs. Spec. In this talk we will discuss our experiences with this business shift, and detail some of the struggles and successes of conducting traditional penetration testing under a new guise: purple teaming.
Bios: Daniel Nguyen is the lead product penetration tester for Boeing Test and Evaluation. His concentration is in penetration testing, exploit development and vulnerability assessments on avionics, embedded systems and IT support systems. Prior to his job at Boeing he was a security architect and red team lead.
Daniel Ladron is a Systems Security Engineer at The Boeing Company with a rich background in real-world cybersecurity research. Prior to Boeing, Daniel was a researcher, reverse engineer, and developer at the Florida International University Applied Research Center. Daniel specializes in systems engineering, vulnerability research, and network pen testing of embedded systems.
Adrian Pirvu is a cybersecurity penetration tester working for The Boeing Company. He specializes in reverse engineering and has completed the Offensive Security Certified Professional (OSCP) certification as well as the GIAC GXPEN. He is a level 40 Pokemon trainer and farms Pokemon in his free time.