KEYNOTE SPEAKERS
FREE to register!
Join us at TRICON, a remote conference focused on Active Directory, Microsoft Cloud, and Identity Security. Register at bit.ly/TRICONReg
TRICON Schedule
9:00 - 9:20 am ET | Opening Remarks
Sean Metcalf
Grab a coffee and get comfy! It's time to start TRICON in style!
Trimarc CTO and Founder Sean Metcalf kicks off TRICON with an engaging opening keynote session.
9:30 - 10:15 am ET | The (almost) complete LDAP guide
Sapir Federovsky
Many blue teams avoid using LDAP for detections and sometimes do not understand the significant detection capabilities that can only be achieved using LDAP. There is very little information about decrypting encrypted LDAP (for example with NTLM GSS-API), and therefore many teams simply do not check encrypted queries and miss significant attacks. Attacks and information on Kerberos and NTLM are very common, and sometimes LDAP is pushed into a corner. It's time to put it in the spotlight! In this talk, I will cover the following:
- Implementation with winAPI
- Authentication types
- Encryption and decryption of LDAP sessions
- Signature of attack tools based on the LDAP queries they create (this will be the main part)
- LDAP attacks such as injection and obfuscation and various identification methods (this will be the main part)
- Using LDAP to identify a dangerous configuration in the environment
- LDAP in Active Directory Web Services
10:30 - 10:50 am ET | DFIR on Azure Cloud
Kiran Kumar
In this talk, I'm going to cover some of the top attacks within Azure AD and methods you can use to detect those attacks. I'll cover attacks such as:
- Password spraying
- Session cookie theft using Evilginx2
- Token theft and replay using PTR, and hunting for this attack in Azure Graph logs
I'll also discuss the kinds of logs and policies useful in DFIR in Azure AD. When facing an incident, would you know what type of logs you need to look into? Are you taking your storage policies for granted? For instance, depending upon licensing for things like E3 and E5, not all logs are stored for more than 30 days. What's more, do you know where to look for specific types of attacks such as initial access?
11:00 - 11:20 am ET | AD security for Jr. SMB sys admins
Hermon Kidane
Securing Active Directory (AD) can be challenging for SMB administrators, especially when budget constraints limit access to advanced tools. However, there are proven strategies available to internal administrators to strengthen AD security without additional costs. This presentation explores practical measures such as reviewing password policies, authentication protocols, auditing best practices, AD security and hardening techniques, and the implementation of cyber deception tactics. These strategies are aimed at protecting SMBs from attackers and doing so in an effective and affordable manner.
11:30 - 11:50 am ET | FAST Times at Contoso High
John Askew
It's a classic coming-of-age tale... free-wheeling plans predictably go sideways in an awkward, humorous manner, as we gain wisdom and become more resilient to the demands of the "real world". At least, for the more fortunate characters in the story. In this fast-paced session, you will learn how inherent weaknesses of 1980s cryptographic design still exist in most modern Active Directory environments, and how you can potentially fix them. FAST is a Kerberos extension for armoring and protecting your Active Directory authentication traffic that you may not have even realized was vulnerable. Isn't it nice when the solution is right there in front of you before you even recognize there is a problem? Of course, the hard part - the part that takes the latter half of the movie to actualize - is the work of putting it into action. In the flash-forward epilogue, will you end up as a hopeful protagonist that overcomes their weakness to move forward, or a tragic side character that remains stuck in the past?
12:00 - 12:20 pm ET | Mitigating the identity attack surface: honeytokens to deflect identity threats
Suril Desai
Mitigating Active Directory security findings is challenging for administrators. Service accounts are tied to critical services and applications, so reducing the attack surface can result in impact to the business. For the identity attack surface that cannot be mitigated, honeytokens serve as an effective countermeasure. Honeytokens provide the benefit of detecting, and more importantly, diverting/deflecting the attacker away from the real service accounts and privileged admin accounts. While this has been known to be a mitigation measure, organizations need assistance with a strategy for the optimal count, placement, and types of honeytokens. This talk discusses the evolution in identity threats, the need for reducing the identity attack surface, and the countermeasures based on honeytokens as a detection and diversion approach. Recommendations and best practices for an effective honeytoken strategy will be shared with the community.
12:30 - 1:15 pm ET | Oops! I can read your Conditional Access Policies without being an admin?
Viktor Hedberg
During my work to make a PowerShell module to perform Entra ID health checks, I stumbled onto something worrying. Regular user access is all that is needed to dump Conditional Access Policies from any tenant using the AAD Graph API. Now, those APIs are going out of business, but this way of exfiltrating the CA Policies allows an attacker today to identify any gaps in your policy structure. This session will look at how this is possible, and of course how to mitigate this in your tenant.
1:30 - 2:15 pm ET | Nightmare in SYSVOL: Dangerous and misconfigured logon scripts
Spencer Alessi
Internal networks are rife with lurking threats that often manifest in unexpected ways. Among these, logon scripts, a seemingly innocuous component of user and computer management, are one of the most subtle potential attack vectors. These scripts, intended to streamline user access and automate various tasks during login, can inadvertently become the Achilles’ heel of an organization’s security posture if not properly managed. It seems counterintuitive, but in an age where cyber threats continue to evolve, and adversaries continue to develop novel attack methods, it’s never been more important to get the basics right. Because of the “path of least resistance,” these and many other seemingly benign vulnerabilities could be the difference between an attacker fully compromising your environment versus deciding to move on to an easier target.
In this presentation, we will:
- Describe four logon script misconfiguration categories
- Detail how they can be used as an attack platform
- Offer recommendations for remediating and mitigating these issues
- Present a convenient, easy to use, and free tool for identifying these issues
2:30 - 3:15 pm ET | Nightmare misconfigurations of Active Directory
Crystal Wake
Nightmare Misconfigurations of Active Directory will focus on how certain configurations of AD have granted far more access than appropriate to the wrong entities. This talk will go into stories of incidents, how they were corrected, the mitigation process, and how they could have been prevented in the first place.
3:30 - 4:15 pm ET | Driving security through Active Directory consolidation
Julian Stephan
In today's complex IT environments, organizations face the challenge of managing identities and access across multiple platforms while ensuring robust security measures are in place. This presentation explores the advantages and methodologies of performing Active Directory and Entra ID consolidations as measures to reduce the AD and Entra ID attack surface that has arisen over the years due to M&As, or from leaving directories in place for applications that are deemed too risky to the business to migrate.
4:30 - 5:15 pm ET | Identity crisis: Combating Microsoft 365 account takeovers at scale
Matt Kiely
Every day in the United States, about $8 million is siphoned from individuals, small businesses, large corporations, and non-profit organizations as a result of business email compromise attacks. These attacks are the symptom of a new rising tide of cloud attack tradecraft. In the cloud, proof of identity is all that you need to access private resources, even if that proof is stolen. Welcome to the identity crisis! How wide is the attack surface for these identity attacks? In the case of Microsoft 365, it is about 345 million identities and counting! M365 remains a tantalizing target for cybercriminals who want to cash in on the relative simplicity of these attacks. This talk focuses on how we can cut off attackers during one of the most critical phases of their attacks: initial access. Through technical demonstration of three common initial access attacks, this presentation will cover how we can better approach detection, response, and deterrence of account takeovers. First, we will explore the problem statement when it comes to defending M365 from account takeovers. We will cover the high-level landscape of attacks and how they differ from their on-premises analogs. We will also cover some of the differences in our strategic approach to identity attacks compared to their predecessors. Then, we will step into the attack lab and learn three common M365 attacks that grant initial access when successful. For each attack, we cover the technical steps required to execute it. Then, we cover detections and mitigations for the attack, paying special attention to the best telemetry sources that allow effective threat hunting against the attack. By the end of this presentation, attendees will have a better understanding of the specifics of some of the most common and dangerous identity attacks that result in account takeover. But more importantly, they will see the clear shift in philosophy between how we should approach legacy threats and identity threats.
5:30 - 6:15 pm ET | Stay on the path: An introduction to exploiting Active Directory
Justin Palk
6:15 - 7:00 pm ET | With a Little Help From My Friends: How I Joined a Community of Awesomeness (AND YOU CAN TOO)
Dr. Cathy Ullman
CLOSING KEYNOTE
Dr. Ullman wraps up our inaugural event with some inspiration and sage words of wisdom.
WHEN: Sunday, July 28 at 6 AM PT / 9 AM ET
WHERE: VIRTUAL on Zoom + Discord
HOW TO REGISTER:
- Register via Zoom at bit.ly/TRICONReg
- Join the conversation on the Trimarc Discord server (a link to join the Discord server will be sent post-registration)
TRICON SPEAKER LINEUP
Kiran Kumar
Cybersecurity Professional
Threat Hunting & Threat Intelligence