Wow, what a trip! I just had the opportunity to not only live out a childhood dream of attending DEF CON, but I even had the privilege to be able to present at the DEF CON Recon Village! Talk about achievement unlocked!

If you've been following along on twitter, you might be aware that I've been working on a security automation framework with regards to bug bounty hunting; to increase our agility, automate the boring bits, and let us JustHackThings. It's something that our team (@anshuman_bh, @mhmdiaa, and myself) have been calling BountyMachine.

It's no secret in the security/pentest/bug bounty world that there are a lot of boring bits when it comes to assessments. The recon, finding good targets, and all those things that eventually lead to being able to do all of the sweet hacks. There are a lot of people thinking about and working in this space to try and make things better, both publicly/open source, as well as privately with their own methods and frameworks.

@anshuman_bh has been working on improving this space over a number of years, with various open source projects and explorations (such as brutesubs, FASTSAM, hodor, kubebot, etc) eventually leading us to where we are now. It was actually after I referenced some of his projects in my talk "Gophers, whales and.. clouds? Oh my!" (GitHub) at BSides Wellington last year that he reached out about this current project. Not to mention @mhmdiaa's "Automation For Bug Hunters" presentation on Bug Bounty World (slides) and other work in this space. With our views and efforts so closely aligned we decided to join forces and work on this latest rendition, a v3 of sorts, BountyMachine.

So coming back to our talk at DEF CON this year, "Bug Bounty Hunting on Steroids" was an opportunity to share what we have been working on, along with some of the process, patterns, ideas and lessons we have learned along the way; with the ultimate goal of inspiring others to think outside the current box, and reinvent the way we all approach our security research.

I put together a little overview post for our work blog at TSS (we had a few of us speaking this year!), so instead of repeating all of the talk specifics you can check that out. I will reshare the talk overview here though, for posterity:

Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting security issues has never been as easy, open, and risk-free as it is right now. Everybody wins!

Though that doesn’t mean we should stop there. As researchers, we spend a lot of time doing the same menial tasks for each program: monitoring for new targets, checking for common issues, remembering just which flags you needed to pass to that tool (or even which tool is best for that job). We build new tools, hack together shell scripts, and generally make small incremental changes to our process. But surely there’s a better approach?

Are you sick of repeating the same tedious tasks over and over? Wouldn’t it be nice to have your own bug hunting machine? One that -

• Is always watching
• Reacts as soon as a new target becomes available
• Takes care of those tedious repetitive steps for you
• Makes life easy when you want to integrate a new tool/workflow
• Doesn’t cost the world to run, and trivially scales
• Leverages lessons and technologies battle tested in the dev world to improve your offensive capacity, capability and productivity
• Monitors your own infrastructure and reacts before hackers can (while saving you the cost of those Bug Bounty payouts in the meantime)

We call this approach Bug Bounty Hunting on Steroids. We will discuss our research and approach to building such a machine, sharing some of the lessons we learned along the way.

Now if you didn't manage to catch us at DEF CON (and I don't blame you, there was SO much happening ALL THE TIME.. it's such a non-stop week..) don't fret! Our slides are online, we put together a bit of a blog post covering a bunch of the areas we were talking about, and the talk was also recorded, so you can catch up on that at your leisure. Or if Twitter is more your style, go along and retweet this one (and make sure to follow the team for more BountyMachine updates!).

The response to our talk has been awesome: we packed out the presentation room, had a lot of really interesting questions after the talk; and have had a constant stream of feedback, questions and support on twitter and elsewhere since.

I truly believe that this is the space we need to be thinking and working in right now:

• encoding and automating our processes
• improving our tooling
• accelerating our agility
• collaboratively working to improve the entire security space

Does this resonate with you? Are you sick of the same repetitive manual processes again and again? Want to automate it? Want to save your precious time for actually doing the interesting hacks? Me too! Let's talk! You can find me here in the comments, twitter, or idling around the various slack channels (user: devalias) and otherwise across the internet. How can we work together to improve the entire state of things?

At the start of 2017, I set a loose goal in the back of my mind that I would like to "get out there more" and "speak about the things I do". Little did I know at the time that this would actually eventuate; leading to me having a pile of great experiences, and meeting some really cool and talented people!

TL;DR

• SecTalks Canberra (November 14th, 2017; Canberra, Australia)
  • "Hack FaaSter: Leveraging Docker and OpenFaaS for fun and offensive (security) profit."
  • Slides, workshop, etc: GitHub PDF, SpeakerDeck, SlideShare
• CSides Canberra (November 17th, 2017; Canberra, Australia)
  • "Gophers, whales and.. clouds? Oh my!" v0.2-prewlg-alpha
• BSides Wellington 2017 (November 23-24th, 2017; Wellington, New Zealand)
  • Speaker: Glenn 'devalias' Grant
  • "Gophers, whales and.. clouds? Oh my!"
  • Slides, etc: GitHub, PDF, SpeakerDeck, SlideShare

SecTalks Canberra

SecTalks Canberra is a monthly security meetup with more of a focus on participation and learning from others, rather than the traditional 'super awesome technical talk but how do I do it' style of things.

I had the opportunity to run a little workshop on how to use Docker and OpenFaaS to improve offensive capabilities.

Hack FaaSter: Leveraging Docker and OpenFaaS for fun and offensive (security) profit.

Slides, workshop files and more details are available from the 'TL;DR' section above.

Description:

Join us this month for Hack FaaSter - leveraging Docker and OpenFaaS to improve offensive tooling, with the glorious @_devalias (Github // LinkedIn)

CSides Canberra

CSides Canberra is a monthly security meetup run by the organisers of BSides Canberra.

I had the opportunity to present a v0.2-prewlg-alpha version of my BSides Wellington talk, and get some practice and feedback in before the big thing.

Gophers, whales and.. clouds? Oh my! (v0.2-prewlg-alpha)

Slides and more details are available from the 'TL;DR' section above, as well as the BSides Wellington section below.

BSides Wellington

BSides Wellington (Twitter) is an annual security conference (based in Wellington, New Zealand) that ran it's first event in 2017. Popping up to fill the void left by Kiwicon (Twitter), they had a strong first event, and hopefully will continue that trend into the future!

I had the opportunity to present my talk on leveraging DevOps trends and tools (Docker, Serverless, FaaS, Golang, etc), to increase my efficiency and effectiveness on the offensive side.

Gophers, whales and.. clouds? Oh my!

Slides and more details are available from the 'TL;DR' section above.

You can read the official brief of my talk:

Go, Docker and Microservices; some great technologies and buzzwords that we hear so much about on the development side of the fence, but how can we leverage these technologies to improve our offensive capacity? Armed with a passion for new tech, a vague theory, and an ‘nsa-o-matic’ approved project name; gopherblazer was born.

Whether through dockerising and improving existing tooling, leveraging Function-as-a-Service (FaaS) offerings, or just distributing offensive capabilities; I’ll share what I learned on my journey into improving my offensive capacity and productivity (while having an excuse to play with shiny technologies along the way!).

And I can even now say that I have a professional speaker bio:

Glenn ‘devalias’ Grant is a full-stack, polyglot developer with an acute interest in the offensive side of security. Whether building something new or finding the cracks to break in, there is always a solution to be found; even if it requires learning something entirely new. If you can improve/automate something, do it, and if you’ve put the effort in to do so, open-source it and share it with everyone else.

When not hacking and coding, Glenn can be found snowboarding the peaks of Japan, falling out of the sky, floating around underwater, or just finding the most efficient path between A and B (even if that’s over walls). Life is short. Do the things you love, embrace the unknown, live your dreams, and share your passion.

Overall, the conference was amazing. As expected, there were a number of deeply interesting technical talks, but as a bit of a twist from traditional security conferences, there were quite a few talks that focussed on mental health, impostor syndrome, and other 'culture based' topics that so often go unmentioned in the infosec industry. Very much appreciated and would love to see this sort of thing happen at more conferences in future.

If you missed the talks, or want to go back and re-watch them, videos should be posted online at some point (once the organisers recover from running the conference). A lot of the presenters also seem to be pushing their slides/content out online. Here's a selection of the few I've stumbled across so far (in no particular order):

• Glenn 'devalias' Grant, "Gophers, whales and.. clouds? Oh my!" (Twitter)
• Ben Hughes, "Layer 2 person spoofing and impostor syndrome" (Twitter)
• Serena Chen, "Design for Security — BSides Wellington 2017" (Twitter)
• "Alex", "Operation Luigi: How I hacked my friend without her noticing" (Twitter)
• @jenofdoom, "Give your users better feedback about rubbish passwords with zxcvbn"
• Simon 'bogan' Howard, "Influencing Meat
  Puppets Through
  Memes" (Twitter)

It looks like there are also some good summaries, notes and writeups of the conference popping up around the net. Some places to start looking:

• B-Sides Wellington - Day 1 (Notes) (Twitter)
  • My Talk: Gophers, whales, and clouds? Oh my.
• B-Sides Wellington - Day 2 (Notes)
• BSides Wellington Badge Challenge (Twitter)

And of course, Twitter is always full of content when it comes to the security industry, with 3 hashtags mainly being used throughout the conference:

• #bsideswlg
• #bsideswlg2017
• #bsidesnz

Conclusion

While at times I was definitely feeling the stress and pressure of having a few looming deadlines, and at times possibly not allocating enough time/energy/focus to working on them as I would have liked, it has been a great experience, and left a smouldering flame of passion to speak at more events in the future.

Know of any other writeups, slides or tools; or got a cool story to share from BSides Wellington? Would love to hear from you in the comments!