3:00 - 3:55 PM - Johnathan Kuskos (Chaotic Good Information Security)
Hacking the Hackers Hacks: Good, Fast, Cheap, Pick ALL 3!
We’ve heard it everywhere and it applies to hacking as well: good, fast, and cheap, and you can only have two.
Buckle in because this is going to be a fun one. I’ve spent over a decade in the weeds on security assessments. Some of the highest pressure moments have included the following:
- Delivering high pressure consultant bakeoffs, where unimpressive discoveries usually result in losing the client.
- Knee-jerk last-minute security assessments (such as it’s a lovely Sunday afternoon and you get a call that the thing is going live Monday morning).
- Panic hunting 0-day IOCs so that the companies I worked for could get patched before the latest tweeted payload wrecked us.
- Covering for a friend on a Wednesday for an assessment due Friday when they’ve barely made it off of the unauthenticated portions.
All of these things have one major thing in common: there’s never enough time. This talk is about how to tackle security assessments when you’re having to choose between a good night’s rest or funneling the next 8 hours into what you suspect is a blind SQLi, but really isn’t exploitable in the end. We’re going to talk about prioritization, what to automate, what NOT to automate, rabbit holes, off-the-shelf tooling, custom tooling, the 15-minute rule, and more. By the end of this chat, you should have a feeling for how an experienced hacker balances picking the right things to focus on, choosing the most appropriate tool for the job, and getting through each piece of work while still being home in time for dinner. This talk will be technical, a hair philosophical, but ultimately focused on helping you think of the areas you can personally iterate on to become a stronger and more well-rounded penetration tester or bug bounty hunter.