An event where new techniques
and threats can be disclosed

November 5, 2019 at the Westin St. Francis in San Francisco.

register now


Disclosure is an experimental security event that aims to bring together bleeding edge researchers and security professionals. Our goal is to create an environment where the latest research can be discussed. Somewhere where new techniques and threats can be disclosed to the information security community.


Headshot of Katie Moussouris

Katie Moussouris

Sara-Jayne “SJ” Terp

Sara-Jayne “SJ” Terp

Photo of Zac Franken

Zac Franken

Kurt Opsahl

Kurt Opsahl

Photo of Dan Kaminsky

Dan Kaminsky

Jennifer Granick

Jennifer Granick

Juan Andres Guerrero-Saade

Juan Andres Guerrero-Saade

Photo of Marc Rogers

Marc Rogers

Photo of Brian Bartholomew

Brian Bartholomew

Headshot of Gal Shpantzer

Gal Shpantzer

Ryan Kalember

Ryan Kalember

Headshot of Jon Nelson

Jon Nelson


8:00am - 9:00am


8:00am - 9:00am


9:00am - 9:30am

Welcome Keynote

Marc Rogers, Executive Director of Cybersecurity at Okta

9:30am - 10:00am

With Great Power Comes Great Responsibility

Kurt Opsahl, Deputy Executive Director and General Counsel at Electronic Frontier Foundation

The Electronic Frontier Foundation works to protect programmers and developers engaged in cutting-edge exploration of technology, as well as activists and groups using technology to to support human rights and freedom. Security and encryption researchers help build a safer future for all of us using digital technologies, but too many legitimate researchers face serious legal challenges that prevent or inhibit their work. In this talk, Kurt Opsahl, EFF's Deputy Executive Director and General Counsel, and the lead for EFF’s Coders Right project, will talk about how security teams can use their roles responsibly to promote and protect digital rights:

  • Removing barriers to discovering security vulnerabilities
    • Clear paths for reporting
    • Reverse engineering EULA and other barriers to research
    • Supporting CFAA reform
  • Weighing human rights when when addressing and disclosing attacks and security vulnerabilities
    • User centric disclosure coordination.
  • User centric engineering: Encrypt all the things

10:00am - 10:30am

Security Should be Smarter, NOT Harder

Katie Moussouris, Founder + CEO at Luta Security

Risk management is to security as dental hygiene is to preventing tooth decay and considered as sexy a topic. As in, it's not sexy at all, yet it is the proven effective way to manage, prevent, and reduce harm. No wonder it's been a struggle for large and small organizations and governments to even get a handle on security basics. It stands to reason that in the 20+ year history of professional cyber security product and service offerings that have spawned a multi-billion dollar security industry, the sexiest solutions have thrived, while the workhorse basics often fail to survive. With a young security industry still developing metrics around what practices and products can actually help prevent breaches, the world continues with a global dependence on technology that we lack the capacity as an industry to secure effectively now, and in the future. Join security industry veteran and pioneer Katie Moussouris, as she corrects some popular misconceptions about the efficacy of one of the sexiest, yet least effective on a grand scale, security trends that she herself helped ignite: bug bounties. We will go on a data-driven journey that spans labor markets, black markets, and bug markets. The arc of Internet history can bend toward sustainable security, if we correct our trajectory calculations soon.

10:30am - 11:10am

Morning Break

11:10am - 11:40am

Highway to the Logger Zone: Enabling Analytics with a Pipeline Strategy

Gal Shpantzer, CISO Advisor

CISOs are being inundated with requests to exploit telemetry from old and new log sources, not to mention old and 'new' ideas about what to do with those logs. While most of this intense marketing is focused on 'helping' you make decisions on which techniques and tools will help you search and analyze the logs (ML/DL/AI, ELK/Splunk/Backstory/Sentinel/etc), very little attention is paid to the critical but non-sexy plumbing that gets the logs from their sources to the different tools that use those techniques (the sexy stuff...)

Even a remotely realistic PoC for a new analytical platform can be a daunting task, since these logs over here have to get to that platform over there... in the right format/schema/latency appropriate for that particular test case, in addition to where they currently need to be.

This talk focuses on the fundamental plumbing problem, and answers the following questions at a management level, with key Dos and Dont's for each of these questions that you can take back to your org next week.

11:40am - 12:10pm

Hacking Developer Ergonomics for a Kinder Decade

Dan Kaminsky, Founder + Chief Scientist at WhiteOps

You wouldn’t buy a car that couldn’t go backwards. Maybe we don’t always drive that direction, but reverse is not some other universe of mobility. It is in software engineering, and that’s caused more problems than perhaps we’ve recognized. I’m going to discuss aspects of what I see the next ten years of development to look like, informed by how we break things, and how we eventually get around to fixing them.

12:10pm - 1:10pm


1:10pm - 1:40pm

Nice One, Dad: Dissecting a Rare Malware Used by Leviathan

Brian Bartholomew, Principal Researcher at Kaspersky Lab

Leviathan's appearance has gone by without fanfare. However, this threat actor is consistently targeting defense and government organizations, engineering firms, shipping and transportation, manufacturing, and educational institutions. Perhaps the lack of coverage can be attributed to their elusiveness, as they learn from previous mistakes and improve their cyberespionage operations to fly under the radar of defenders and researchers alike. Recently, Kaspersky researchers observed Leviathan (aka APT40) deploying a rare piece of malware reserved for the most important targets. Despite rumors of its involvement in high-profile events, all that's been publicly reported is the codename, 'DADJOKE', and not much else. This talk will navigate over Leviathan’s history, and focus on their rarer DADJOKE malware. We will explain the complete infection chain, targeting profiles, and how victims can respond to the group’s attacks. Fair warning: dad jokes ahead.

1:40pm - 2:10pm

Ryan Kalember, EVP of Cybersecurity Strategy, at Proofpoint

2:10pm - 2:40pm

Through a Scanner Darkly: Hunting the Next Step in the Adversary Stack

Juan Andres Guerrero-Saade, Research Tsar at Chronicle Security

As we become more acquainted with the true apex predators of cyberspace, we're starting to discern patterns. Though a single APT may rely on multiple subsequent or parallel toolkits, developmental quirks and traits are often consistent. In some cases, those consistencies bridge beyond a single threat actor to suggest unexpected connections between seemingly diverse malware clusters. In the most curious cases, those connections form the shape of a shared supplier, a consistent development partner, or what has been referred to as a 'digital quartermaster'.

Considering that part of the defeatist strength of the high-end targeted threat actor is their seeming invincibility, their ability to retool and attack anew, it's imperative that we shift our gaze further up the adversary stack —from proactively hunting for specific attackers to hunting for their suppliers. In the age of large-scale data mining capabilities and complex malware processing pipelines, we now have the requisite tooling to consistently search for these quartermasters. All that's required is a shift in approach.

2:40pm - 3:10pm

Adventures in Hardware Hacking

Zac Franken, Director at Franken Systems Ltd

The world is still in the infancy of embedded systems security. With embedded devices being produced in ever greater numbers, the security challenges and implications are numerous.

I will share some creative ways used to solve some hardware specific challenges, some ways in which manufacturers have embraced the security challenge and ways others have not. One of the problems that exists in hardware design is that good hardware engineering practices make for easy reverse engineering.

There are a number of ways to add additional layers of security to embedded systems down to board design and component choices, often small alterations can be made to greatly enhance device security some of these will be explored in this talk.

3:10pm - 3:50pm

Afternoon Break

3:50pm - 4:20pm

Why Traditional Endpoint Security Doesn’t Work

Jon Nelson, Staff Solution Engineer at VMware

Today's attackers are smart. They are constantly evolving and adapting to bypass traditional endpoint security, making it difficult for many organizations to keep their systems safe. Simply relying on signatures - which are easily changeable - is no longer an effective way of protecting your systems. In order to future-proof yourself from emerging threats, you need to take an approach that looks at behavior and attack patterns.

Modern attackers know how to live off the land and evade prevention and detection capabilities. Nation State leaks like the Shadow Brokers and Vault 7 have given even ordinary cyber criminals the ability to look like approved processes and accounts within your systems. Defense in Depth is no longer sufficient to address these modern threats. Data is always moving and lives in the cloud and on endpoints. To address these modern threats a shift must be made in our mindsets, our technology and our teams. While these techniques tactics and procedures have given the threat actors an advantage, cyber defenders must also seize their inherent advantages to disrupt the attackers before they take off with your data. Join us as we discuss shifting your defenses to disruption in depth and hunting the attackers when they are inside your environment. Attackers only have to be right once but we should make them have to be 100% right once they are inside our environment…and they do make mistakes.

4:20pm - 4:50pm

Coders Rights and Coders Responsibilities

Jennifer Granick, Surveillance and Cybersecurity Counsel at American Civil Liberties Union

The world is far different today for hackers than it was when many of us started our careers. Then, many people were doing their best research alone. Today, the best hackers might work for computer giants. Back then, there was an immense amount of personal legal danger. Now, everyone has pretty much accepted that information security is an important public good. Then, the internet was more decentralized and less commercial. Today, a few big commercial players dominate. Current circumstances are leading many people, including hackers, to evolve our views of what it means to act in the public interest. Content moderation. Privacy protection. Crime fighting. Protecting human rights. There are real tradeoffs and the public is demanding that coders, hackers, and online platforms start to “solve” some of these social and political problems. What do these demands mean for security and civil liberties? We’ll talk about encryption, machine learning and content moderation, and the market for hacking tools, among other relevant phenomena.

4:50pm - 5:20pm

Misinfosec: Tooling Up For Cognitive Security

Sara-Jayne “SJ” Terp, Founder + Chief Scientist at Bodacea Light Industries

Disinformation is the deliberate promotion of false, misleading, or mis-attributed information, often designed to change the beliefs of large numbers of people. Power-motivated disinformation has been studied as an information security problem, information operations problem, a form of conflict, a social problem and a news source pollution. It’s an information security problem in part because information technology and the internet are how misinformation messages are generated, transmitted and received.

Influence campaigns and disinformation incidents are now widespread: the Internet has enabled nationstates and non-state actors to conduct large-scale, difficult-to-attribute influence campaigns with diplomatic, economic and military effects. To create better ways to detect and respond across platforms and groups, we’ve linked information operations, artefact-based data science and narrative analysis of disinformation campaigns, and adapted infosec frameworks, principles and tools for misinformation use. This talk covers disinformation as an information security problem, and shows tools including AMITT (a misinformation version of the ATT&CK framework), STIX extensions for misinformation, and other components needed for large-scale incident response.

5:20pm - 5:50pm

Closing Keynote with Marc Rogers

Marc Rogers, Executive Director of Cybersecurity at Okta

6:00pm - 8:00pm

Networking Reception

Sponsored by ProofPoint