The Diana Initiative - Red Team Village

The Diana Initiative Virtual conference 2020


About The Diana Initiative

A conference focused on Women, Diversity, and Inclusion in Information Security that embraces all genders, sexualities, and skill levels. The Diana Initiative features multiple speaker tracks, fully expanded villages with hands-on workshops, and a women-led Capture the Flag event.
This year, our slogan “Breaking Boundaries Byte by Byte” allows us to focus on the different ways that representation in cybersecurity – whether gender, sexuality, skill level, or red/blue/purple team alignment – can help protect data today and into the future.

The Diana Initiative Virtual Conference 2020, August 21 & 22, 2020, 10:00 AM - 6:00 PM IST

Venue: Online.

Event url: https://www.dianainitiative.org/2020-event/
Village url: https://www.dianainitiative.org/special-guests-red-team-village/
Schedule: https://www.dianainitiative.org/schedule/


The Diana Initiative Agenda:

  • Sessions about Red Teaming tactics, offensive cyber security and tools

The primary purpose of a Red Team assessment is to validate your organization's effectiveness against credible and realistic cyber threats. Because these threats are real, organizations are driven to concentrate on full-scope adversarial attack simulation engagements. Our talks for the village at The Diana Initiative concentrate on such topics.


The Diana Initiative Village speakers:

Critical Infrastructure, Interconnected Risks, and Resiliency. Why Women Should Care?

Godha Bapuji, Founder WiCR

About the speaker: Godha Bapuji is a seasoned Information Technology and Security professional who has been in the industry since 1993, growing through various roles after starting as a programmer in Unix OSs and C. She identifies herself as a South Asian woman of Indian origin who has lived in the US and the UK and worked for small to large corporations. In 2017, she took a sabbatical at the peak of her career to pursue her passion for helping women, as adults, youth, and children, overcome structural barriers to personal growth. She decided to go back to school to study Social Sciences and, towards the end of her academic work at Harvard University, founded "Women in Crisis Response", a to-be non-governmental social organisation whose core foundation is based on United Nations Security Council Resolution 1325 (UNSCR1325) on Women, Peace, and Security, and the UN Human Development Report 1995 definition of "Human Security". Through her organisation, she wants to bring about a systemic change in how individuals and communities think and act about security. Her work focuses on strengthening all aspects of Human Security, including the gender and digital inequities that influence cyber-physical security.

Abstract: This talk is specifically focused on increasing awareness of the interconnectedness of the internet, not only in our day-to-day lives but also in our critical civil infrastructure such as water treatment facilities, energy grids, and hospitals. The speaker draws attention to the fact that, just as essential workers are recognized as critical to continuing business as usual (BAU) in our personal lives during the Covid-19 pandemic, these civic infrastructures are also essential services. We must not wait for a serious incident like the pandemic to make us realize this, but rather proactively pay crucial attention to their safety and security and to the coupled impact they have on us, and work to strengthen their resilience. The talk also highlights the gender gap in cyber security and in this area in particular, how women can help close it, and offers an opportunity to discuss these challenges and how to overcome them.
Download the slides from here. Watch the talk from here.

Moving left in the SDLC

Jaswinder Kaur, Senior cyber security engineer - T-Mobile

About the speaker: Jas is working with T-Mobile as a Senior cyber security engineer. Before that, she worked in the DC Government and at Bank of America for many years. She is leading the blue team in her organization. For her, cyber security has never been more important: securing the personal information that customers provide, and living up to their trust and expectation that it will be kept safe, is an important part of her role and provides the purpose and conviction to do her job every day.
For Jas, cyber security brings a new challenge every day; she calls it "a fascinating game of cat and mouse where bad actors are always trying to break into your systems." As an ethical hacker, her job is to protect her organization's systems by thinking like one of the bad guys and trying to find ways to hack into them, ultimately making them more secure. She believes you never run out of exciting scenarios to play with (hack) in cyber security. There is always something new to learn and to explore.

Abstract: Jas will talk about how moving security left in the SDLC benefits the organization through reduced risk and improved security, and how security works together with developers, not against them.
Download the slides from here. Watch the talk from here.

Deploying discreet infrastructure for targeted phishing campaigns

Sreehari Haridas, Security engineer at UST Global

About the speaker: Sreehari is an experienced Security Researcher with 3 years of professional experience. He is a web application penetration tester and a renowned Bug Bounty Hunter. Sreehari is currently working as a Cyber Security Engineer at UST Global and was formerly a security consultant with EY. Being a security enthusiast, he has tested various applications and websites for vulnerabilities and has received 50+ Hall of Fame recognitions from companies like Google, Sony, Adobe, and eBay. He also has an interest in reverse engineering techniques and exploit development. He has bagged 3rd place in the Asia region of the Global Cyberlympics Capture the Flag (CTF) competition and 6th position on the international Hackthebox.eu Capture the Flag platform. He was involved in organizing the Red Team Village - Red vs Blue CTF at the c0c0n security conference in 2019.
Sreehari is a member of DEFCON Group Trivandrum (https://dc0471.org/about.html) and an operator/CTF builder at the Red Team Village community (https://redteamvillage.org/). He was a board member of the OWASP Kerala chapter and an active volunteer at Kerala Police Cyberdome.

Abstract: Phishing attacks are an extremely common attack vector that has been used for many years, and the potential impact and risk involved are well known to most Internet users. However, it is still a highly relevant attack vector being used in the wild, affecting many victims. Phishing attacks exploit the vulnerable human factor. The words easy and phishing never really seem to go together: setting up a proper phishing infrastructure can be a real pain. This talk aims to walk you through the whole process of deploying a phishing campaign infrastructure from the perspective of an attacker.
Download the slides from here. Watch the talk from here.

Offensive GraphQL API Exploitation

Arun S, Senior security consultant at IBM India software labs

About the speaker: Arun works as a Senior Security Consultant @ IBM India Software Labs, with more than 6 years of experience. He is a chapter leader for the null open source security community in Bangalore and has conducted training and workshops at the c0c0n and BSides Delhi security conferences. Arun is a Cobalt Core team member with Cobalt.io, an active member of and contributor to various security communities such as BSides Bangalore, null, and OWASP, and holds various global certifications, such as OSCP, eWPT, and ECSA.

Abstract: Nowadays, GraphQL is used by some of the big tech giants like Facebook, GitHub, Pinterest, Twitter, and HackerOne. The main reason is that GraphQL gives enormous power to clients. But with great power comes great responsibility. Since developers are in charge of implementing access control and other security measures, applications are prone to classical web application vulnerabilities like Broken Access Controls, Insecure Direct Object References, Cross Site Scripting (XSS), and classic injection bugs. This talk will explain the common security impacts faced while using GraphQL APIs and how an attacker makes use of them to attack the underlying infrastructure and exfiltrate sensitive data from an organisation.
Download the slides from here. Watch the talk from here.

Internal Red Team Operations Framework - Building your practical internal Red Team

Abhijith B R(abx)

About the speaker: Abhijith has more than a decade of experience in the Information and Cyber Security domain and leads offensive security operations for a global FinTech company. He was formerly the Deputy Manager - Cyber Security at Nissan Motor Corporation, and before that was employed with EY as a Senior security analyst. Abhijith is the founder of https://RedTeamVillage.org, a red teaming community which actively organizes hacking villages and CTF competitions, and acts as the Lead Organizer of DEFCON Group Trivandrum (https://dc0471.org/). He has recently started running the https://tacticaladversary.io/ blog.

Abstract: This talk is about building a practical internal red team, which is not an easy task. For organizations, it is essential to have an internal offensive team that continuously performs adversarial simulation to strengthen the security posture and enhance blue team capabilities. Many variables need to be taken care of before going forward with such an initiative, the most important being how to assess the progress and maturity of the red team building process. The talk explains the various steps to create an internal offensive team/red team from scratch and to increase its capabilities gradually across different phases. It introduces a proven way of building internal offensive teams: the Internal Red Team Operations Framework (IRTOF).
Download the slides from here. Watch the talk from here.