- And the Clouds Break: Continuity in the 21st Century
Speaker: Goerlich Wolfgang @jwgoerlich
The promise of cloud computing was a utility; always up, always on, just a click away. But we’ve seen many outages. It’s clearly time to blow the dust off the continuity handbook, and revisit recovery for the twenty-first century. This talk provides an overview of business impact analysis, business continuity, and disaster recovery. We then revisit these concepts in the day and age of utility computing and Cloud services. After all, the cloud breaks.
- Application Security Metrics
Speaker: Wong Caroline @carolinewmwong
What’s your current level of confidence in your application security program? Are you tracking any pen test metrics? Maybe you should.
This session will detail several application security metrics used to measure the effectiveness of penetration testing at both program and engagement levels.
The presenter will also share real world data from ~ 100 individual pen test engagements performed in 2016.
- Changing our future with 3D Printing
Speaker: Peed Emily @_K_G_G
3D Printing represents the last tool that will be necessary in shifting into our new 21st century economy, as we finally break ourselves free from the shackles of the wealth inequality generated during the first three and a half industrial revolutions and the general perversion of economic sensibilities. We will transform our own perceptions of what the world is to become as we grow into the second half of the third industrial revolution, and blossom into the totality of the fourth and its wide adoption among society.
This is also an important shift in dynamic within the economy as larger corporations turn to automation to lessen their overhead costs and improve profitability. For many of the individuals displaced through automation, we must strive to replace their positions within the economy, provide new growth opportunities, retrain or open the market to be more competitive towards small businesses, and re-empower communities to be self-sufficient. Our definition of prosperity and what we consider a healthy community, economy, environment, and investment system must be restructured.
- Closing Keynote: Lectures or Life Experiences – Awareness Training that Works!
Speaker: Tottenkoph @tottenkoph
Speaker: Jones Cindy @sinderznashes
At some point in our careers, we have been subjected to user awareness training. Most of us have even taken part in buying or developing the training for our organizations. And despite our best intentions, it always ends up being the same information delivered the same way and has the same level of impact on our security posture (little to none).
In this talk, we will discuss the current state of user awareness training and how we can improve upon what we are already doing. We will give examples of how our customers (with names removed to protect the innocent) do user awareness to varying degrees of success. We will also discuss how we as an industry can do better by providing information that you can take back with you to build a successful user awareness program that works in tandem with your pre-existing information security program and policies.
- Creating Your Own Customized Metamorphic Algorithm
Speaker: Alvarez Raul @raulr_alvarez
Most malware uses metamorphic code to evade Antivirus detection. These techniques also slow down security researchers when digging deeper into the malware code. On the malware side, there are many ways to generate and implement the said algorithms, yet our ultimate goal is to detect them.
- Cryptocurrencies and Anonymity: The Good, The Bad, and The Future
Speaker: Brown Benjamin @ajnachakra
Cryptocurrencies are seeing an enormous uptick in use. While much of that use shows through the media as illicit or crime oriented, cryptocurrencies are seeing widespread legitimate use for transfers without the wiring fees, gifts, remittances, basic retail transactions, and as an alternative to an unstable fiat currency (think Argentina, South Africa, Brazil, Myanmar, Malaysia, and Indonesia). So much business is being done via cryptocurrency that the United States IRS just served a “John Doe” summons to Coinbase (currently the largest cryptocurrency exchange) requesting the identities of United States Coinbase customers who transferred any convertible virtual currency from 2013 to 2015 to ensure proper reporting and compliance under U.S. tax law. In this talk I will explain what cryptocurrencies are and what related blockchains are. I’ll then give an overview of the current markets and valuations as well as the up and comers. With that foundation we can look at the erroneous claims of cryptocurrency “anonymity” and reveal how open transaction ledgers work. I will continue with current research, tools, and techniques for forensic cryptocurrency transaction analysis. We’ll then turn to techniques transactors use to further obfuscate their transaction trail and what the weaknesses of those techniques are. Finally, we’ll look at the current innovations targeting cryptocurrency privacy concerns, how they work, and what challenges they face.
- Cybersecurity for real life: Using the NIST Framework to protect your critical infrastructure
Speaker: Koop Ryan @cohesivenet
Convince the suits why an industrial level of security is right for you. The C-level is terrified of a data breach, but not sure how to justify the resources. The antiquated focus on perimeter defenses overlooks the importance of internal network security. Don’t let complex and distributed networks get used against you. All organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security. Turn to the NIST Cybersecurity Framework to kickstart a practical path to cybersecurity. Secure the infrastructure critical to your organization. Learn how a Chicago-based subsidiary of the Gas Technology Institute used the NIST Framework to streamline reporting. Since they started, they’ve passed every penetration test and compliance audit.
- Detecting DNS Anomalies with Statistics
Speaker: Buening Jamie @JamieBuening
Defending against attackers has become increasingly difficult. Solutions using signature based detection such as IPS and anti-virus are still needed, but no longer prevent all malware or virus infections. What can be done to improve the ability to prevent attackers from completing their objectives? One option is to proactively look for them.
This talk will discuss options for analyzing DNS logs with a goal of identifying anomalies. DNS is a foundational technology that allows the internet to function and is present in practically every network. Malicious actors are using DNS for command and control as well as data exfiltration. Using some basic statistics it is possible to identify anomalies in DNS traffic. These anomalous events can be evaluated to identify potentially malicious activity.
Come see and hear about specific examples in finding DNS anomalies. Attendees will leave with new knowledge and ideas that can be used with their own data.
- DNS Dark Matter Discovery – There’s Evil In Those Queries
Speaker: Nitterauer Jim @jnitterauer
DNS is the engine that makes the Internet work, converting recognizable names into IP addresses behind the scenes. Only recently has the InfoSec community recognized the importance and value of logging DNS traffic and analyzing these logs to detect malicious activity. The development of a variety of open source tools has given network and security admins amazing resources for investigating DNS traffic for signs of improper configuration as well as tell-tale signs of compromise.
This discussion will examine examples of the common ways we see DNS being used to compromise networks including DNS Amplification, data exfiltration, Botnet C&C communication, DDoS via DNS and other less well known DNS exploits. We will then review some of the available open source tools including Graylog, Elasticsearch, Kibana, Packet Beats and NXLog that can be used to proactively log and monitor DNS and other traffic. The discussion will conclude by covering some practical solutions that can easily be implemented to enhance the security of any network. We will demonstrate simple and effective ways to discover compromised devices through DNS log analysis.
- Effective Report Writing for Security Practitioners
Speaker: Robinson Benjamin @ginjabenjamin
Say more with less! Improve your report writing through tools and technical writing to succinctly present meaningful information that recognizes the need to communicate with three audiences.
Security assessments and penetration tests communicate information that clients often struggle to understand and benefit from. Recognizing your audiences and their objectives allows for improved messaging that best serves your clients and increases the chances that your recommendations will be implemented.
- Everything is Not Awesome: How to Overcome Barriers to Proper Network Segmentation
Speaker: Beatty Jason @beattyj
Attacks are more and more likely to come from internal network sources, possibly being allowed in by unwitting accomplices. While it’s commonplace to have a web server DMZ and possibly a guest wireless network, few organizations take any steps to further segment their networks that might help prevent or detect lateral movement by an attacker. If the current common approach is that internal attack surface management is just as important as external hardening, then why aren’t more defenders doing anything about it? In this talk, we’ll look at common pitfalls that mire down internal segmentation efforts and ways to overcome them.
- Finding Your Way to Domain Admin Access and Even So, the Game Isn’t Over Yet.
Speaker: Lee Keith @keith55
In this presentation, we discuss the tricky scenarios we faced during internal penetration test engagements and how we have developed a tool to solve those issues.
- Fuzzing with AFL
Speaker: DC949 Adam @AdamOfDC949
Fuzzing is easy to learn, but hard to master. This will give you an overview of the fuzzer which has become the gold standard of fuzzing, lcamtuf’s American Fuzzy Lop (AFL). We’ll go over the logic of mutation based fuzzing, how the feedback loop works, different mutation strategies, and how different execution paths are found. Then we’ll go over practical usage of AFL, and finally talk about the limitations of AFL and how people are working around them.
- How To Be Curious
Speaker: Mattingly Bret @bretmattingly
Curiosity is not just for killing cats. In fact, it’s *the heart* of the hacker mindset. Like many seemingly abstract mental qualities, those on the outside or those at the start of their journey can be left in the cold, wondering if they’ve “got it in them.” This talk aims to demystify why some people seem more curious than others, and to equip you with tools to be more inquisitive and ask the right questions.
- Ichthyology: Phishing as a Science
Speaker: Burnett Karla @tetrakazi
Many companies view phishing as a given: employees will click links and enter credentials, and we just need to be okay with that. Phishing prevention usually takes the form of training, and a warning to be careful when reading email.
But does phishing training actually work?
In this talk, we’ll cover the psychology behind successful phishing campaigns, then walk through a series of attacks run against a Bay Area tech company. We’ll cover how effective campaigns were built, including bypassing existing protections. Finally, we’ll discuss evidence-based techniques to prevent, rather than just mitigate, credential phishing.
- It’s A Disaster!
Speaker: Biswas Cheryl @3ncr1pted
You don’t know what you don’t know. There are things we have no control over. Natural disasters, acts of god, kids and spitup. We do, however, have the benefit of history and experience. But as security bears out, we are selective in what we choose to learn. What would you do if something happened and where you “work” no longer worked?
At the mention of Disaster Recovery, you get the perfunctory nods, the “Yeah, we have that” response. I’m here to rattle the bars on that cage and challenge what people think they know. Many businesses say they have a plan in place, but most have never tested them. That’s a pretty big risk to take. Especially given that DRP is a cornerstone of good security.
In this interactive talk, let’s explore the TTP required to make our plan work so we can work. Come prepared for a very bad day at the office.
Would you like to play a game?
- Leveraging Vagrant to Quickly Deploy Forensic Environments
Speaker: Williams Jeff @blu3wing
As Incident Responders, we’re always on the lookout for tools that will allow us and our investigations to become more efficient. There are already a ton of great tools and pre-configured virtual images that provide us with workable forensics environments. It doesn’t hurt to have more than one trustworthy option when it comes to these resources.
Vagrant is a virtual management platform used to create and deploy virtual environments. Although it’s more commonly used by developers for testing, I thought about how I could leverage it for my DFIR needs. My goal was to provide a quick deployable forensics environment while leveraging the Vagrant platform. Dreamcatcher was born.
The Dreamcatcher project was shaped with a lightweight memory forensics environment in mind, and since then I have added more tools and features to its arsenal. As my contribution to the variety of DFIR “Swiss Army Knives” available, it is a fast, flexible alternative. With a clear list of ingredients – no hidden preservatives! – I will demonstrate why Dreamcatcher is a great DFIR addition to anyone’s toolkit.
- Network manipulation on video games
Speaker: Kot Alex @alex_s_kot
I will go over common misnomers of online cheating methods. Explain the realistic side of why Peer to Peer games can be broken. I will showcase a method I PoC’d 5 years ago, yet I haven’t seen this type of manipulation displayed online (video demo). I will also describe the benefit of dedicated servers or “Cloud” games. The reason I want to discuss these concepts is that most FPS games are moving from P2P to Cloud, which mitigates most of these attacks. At the end I will bring up a funny story of social engineering some person on XBL to have him apologize for threatening people.
- Network Security? What About The Data?
Speaker: 0ddj0bb 0ddj0bb @0ddj0bb
The data is the ultimate prize for threat actors. Bypassing the firewall is not their goal, but is rather a mere necessity. I am going to propose a possible different approach that better addresses data security than the network-centric model that is common place. Audience members will consider non-technical as well as non-network technology solutions to secure data.
- Open Sesamee
Speaker: Power Max @dontlook
Resettable combination locks are popular because they can be set to user-chosen codes. Multiple locks can be set alike to one another. Authorized users don’t have to keep track of keys or other physical credentials. These locks are often used to control access to construction zones, infrastructure, and sensitive areas (such as utility equipment and cellular towers) across the country. The most popular of these locks is the Master 175. Methods of attacking this lock have been known for some time; however, the descriptions and documentation were not readily available. The talk will discuss the best method for decoding this lock and examine the path I took to create my own cutaways and instructional models. In the end, this will hopefully provide people with some home-machining skills and also help them decode the lock well enough to teach others.
- Opening Keynote: Words Have Meanings
Speaker: Tentler Dan @Viss
Getting your point across is important. Clear communications are essential. Why is the information security industry packed full of buzzwords, catchy phrases, logos for bugs and jargon that doesn’t make sense? Information Security is not only a difficult line of work to get into, it’s difficult to navigate once inside. Every different vendor has their own “language”, different compliance regulatory bodies have jargon as well, which isn’t congruent, and most of which is entirely made up, or completely false. Nobody can agree on whether certs matter or not. Charlatans and plagiarists sound exactly like 10-year-weathered veterans. Dozens of security organizations routinely confuse “Red Team Assessments” with “Vulnerability Scans” and “Pen Tests”. Words seemingly have no meaning anymore. How can we cope?
Like many other professions, communication is the foundation. If you can communicate effectively, you can make things happen. Conversely, use the wrong words, or mis-speak a few times, and the industry ceases to take you seriously. This is a massive problem if we as the security community intend on helping the public be safer and more secure together – everywhere from their phones, to their workstations, to their smart homes and embedded devices. How are they supposed to believe us if we don’t sound like we know what we’re talking about? Or if we perpetually contradict ourselves? Why is SQL injection a problem that’s 25 years old? Why can nobody agree on if XSS is important or not? Why are “ping” and “sslv3” critical findings?
This presentation will cover some of the pitfalls, landmines, baits, traps, common misconceptions and hazards you can expect to encounter living the infosec life. You will be baited, hunted, attacked, trapped, trolled and victimized. People who have zero experience but can “talk the talk” will put your feet to the fire. You will be called out on contradicting yourself or being a hypocrite. All of this, while you are trying to help. The words you elect to use when communicating about security are directly responsible for your success in making your point. If you are sincerely interested in making a difference, but feel that you just aren’t getting through to your audience, this talk is for you.
- OSINT For The Win – Tools & Techniques to Maximize Effectiveness of Your Social Engineering Attacks
Speaker: Gray Joe @C_3PJoe
Social engineering attacks remain the most effective way to gain a foothold in a targeted organization. But those attacks are only as good as the information used to create them. This presentation will arm you with the latest open-source intelligence (OSINT) tools and techniques needed for gathering detailed information on your targets, turning your social engineering ops into carefully targeted precision strikes that can greatly improve your results. We’ll also cover steps that you can take to reduce your own OSINT exposure, protecting you and your organization. You’ll see techniques for phishing, vishing, pretexting, impersonation, and more. Tool demonstrations will include how to make the best use of OSINT Websites and standalone tools such as Datasploit and recon-ng.
- Peakaboo – I own you: Owning hundreds of thousands of devices with a broken HTTP packet
Speaker: Serper Amit @0xamit
Imagine that you’ve purchased a small, cheap IP security camera to feel just a little better about your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security or programming at all. Imagine that your precious camera can be hijacked into a botnet with only one broken HTTP packet. Now stop imagining. At the end of 2016, my fellow researcher Yoav Orot and I published our research paper about hundreds of thousands of white-labeled IP security cameras being vulnerable to a simple attack that allows an attacker to gain complete control of the camera, including code execution as root without any ability to patch. We did not publish any technical details yet since we had to wait for the vendor’s answer. This talk will dive deeply into the product, our research process and into the vulnerabilities themselves. I will walk through all of the steps in our research (from hardware hacking to firmware dumping and just plain ol’ reversing) and demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. There will be root shells, there will be exploits, there will be tears. Attendees of this talk will leave with some insights about IoT security and embedded device hacking.
- Ph’ing Phishers
Speaker: JAe @switchingtoguns
Credential phishing is super lame. Sadly it’s one of the main workhorses behind financing so much bad stuff that it deserves to be smacked around by a large trout. Over the past year I’ve written automation to help with the monumentally mundane task of scraping/screenshotting/archiving and writing snort/suricata signatures for phish. This is not a phishing 101 talk, we will get technical right off the bat. I will discuss various trends in backend phish templates that have been used to generate Emerging Threats IDS signatures and release scripts that can assist anyone who has an interest in making life harder for these scammers.
- Security Training: Making Your Weakest Link The Strongest
Speaker: Hnatiw Aaron @insp3ctre
Speaker: Robertson Chad @chrooted
It is a common joke amongst security professionals that the weakest link in any organization’s security is the employees – the so-called “human element”. The unfortunate part about this joke is that it’s entirely accurate. The common approach to solving this problem is a combination of training and client-side security controls. Our security controls are often the first thing that we implement, but how often do we actually train our employees on security? The answer is: not often enough (if at all). This talk will cover how you can introduce security training into your organization, and once there, how to make it better. It will cover the common training methods currently available, how you can keep training engaging and fun, how often you should perform security training, and how to ensure that your employees have actually internalized the training material. After that, we will circle back to some specific examples from the speaker’s professional experience that show where a properly trained employee could have halted an attack in its tracks. Yes, while it is often said that humans are the weakest link in any organization’s security, with training they can become the strongest.
- Splunking Dark Tools – A Pentesters Guide to Pwnage Visualization
Speaker: Bates Nathan @Brutes_
Speaker: Kuntz Bryce @tweetFawkes
A rise in data analytics and machine learning has left the typical pentester behind in the dust. This talk covers the required tools for consolidating, analyzing and visualizing the dark tools that are used by every red team. This can all be done at scale, keeping up with even the most bleeding edge continuous integration and deployment environments. We’ll release the required framework for getting the data where it needs to be, the technical add-ons to ensure this data is ingested in usable formats, and dashboards for Splunk to leverage this data for mass pwnage of your target!
- Tales from the Crypt (analyst)
Speaker: Man Jeff @MrJeffMan
As a certified Cryptanalyst for the National Security Agency, the speaker was classically trained in manual cryptography, but also pioneered some of the first computer-based cryptographic systems produced by the agency. Topics discussed will include applications of classic cryptography including one-time pads and various cipher methods to machine-based systems (such as the Enigma) and ultimately to modern computer-based algorithms such as public key cryptography. The talk will also explore the speaker’s experiences in the private sector and how the understanding of cryptography helped numerous times in penetration testing, vulnerability assessment, security architecture, and technical advising. Ultimately, this talk will guide you through a history and evolution of cryptography over the past thirty years using the speaker’s own experiences as a backdrop for a discussion of the migration of cryptography from manual to machine and ultimately to digital. Understanding the history and evolution of cryptography is essential for applying modern cryptographic solutions to solve today’s information security problems, particularly in understanding the residual risks, the shifting attack strategies, and the inherent weaknesses in the implementation or fielding of even the best cryptosystems and solutions.
- Talky Horror Picture Show: Overcoming CFP Fears
Speaker: Sweet Kat @TheSweetKat
I see you shiver with anticipation. For those who have never submitted a talk to an infosec conference, the process can seem nebulous and overwhelming. Fear is driven by uncertainty, so let’s combat that fear with facts. Come hear a reviewer break down what the CFP process actually entails, including what goes on behind the scenes once you’ve hit “submit”. You’ll also learn about resources to help you along the way. Performing a risk analysis of every step of the CFP lifecycle – from developing your initial idea, to writing and submitting a talk proposal, to preparing to speak once you’ve been accepted – we’ll see that the downsides are minimal and the benefits are numerous.
As a certain mad scientist put it: “Don’t dream it. Be it.”
- The Decision Makers Guide To Managing Risk
Speaker: Cardella Joel @JoelConverses
How do you arrive at the IT decisions you make? What factors do you use in security spending decisions? If you are having a hard time defining this, you are not alone. I am continually surprised at the lack of information organizations have while still making critical business decisions. It may seem obvious, but it is a reality that bad decisions are being made all the time. Bad decisions increase organizational risk. Decision-making needs to have discipline and rigor just like any successful business process. This talk uses real world examples of successful and failed decisions, and their outcomes, as a learning tool. The takeaway is better, more solid ways to make, justify and defend your decisions.
- The Kids Aren’t Alright: Security and K-12 Education in America
Speaker: Pustell Vivienne @yellingviv
“Stupid users!” is a common lament. But users aren’t stupid, they’re just following their training. What is the education that users are getting? This talk will cover the training–or lack thereof–that is being given in American schools, the root of the “pipeline problem,” and what you can do about it.
- The Never Ending Hack: Mental Health Challenges in InfoSec
Speaker: Akacki Danny @dakacki
This is a presentation about feeling alone. It started out as a story of one hacker desperately looking for help to quell the noise and destruction in his own head. It quickly morphed into a call to arms to everyone in the security community fighting their own demons.
Mental health is a subject not many people are open to discussing. It carries the stigma of being “broken” or “flawed”. Because of this, many people think they have to deal with it alone. This is the worst kind of security through obscurity because it leaves the very people sworn to protect the data of their clients, vulnerable. How does feeling stressed, depressed or anxious affect our ability to defend against those that seek to hack the human? How can we protect others if we don’t have the means to protect ourselves? This talk endeavors to discuss these topics.
This talk is a flare, shot up through that darkness. It’s a signal that no matter how dark life can get, you are most certainly not alone. I am sharing my story to act as a beacon for others, so they can see there is hope and support available. We are stronger together.
- The State of Security in the Medical Industry
Speaker: Cannibal (Billy) @Cannibal
Bringing awareness to the pain felt in the healthcare industry from a security standpoint, what attackers are targeting, and how the industry needs to steer itself to prevent further patient risk and mishandling of data.
- Threat Intelligence: Zero to Basics
Speaker: J Chris @rattis
This is an audience participation talk, on going from having DFIR with no Threat Intelligence to building a basic threat intelligence program. The majority of the data needed to start a Threat Intelligence program is probably already being captured by the DFIR program, and this talk is about taking that data, putting context around it to make it information, and then make that into something actionable (intelligence).
Attendees of this talk should be able to go back to the office after the conference and enhance their IR programs with Threat Intelligence. The presentation will show what Threat Intelligence is and how to collect the data from their own networks. The talk will cover why the majority of Threat Intelligence shouldn’t be paid for until later in the program, while discussing the few things that should be paid for at the start.
In parts of the talk, attendees will help pick the data points to capture, and work through the Analysis of Competing Hypotheses to figure out the most likely reason for the event / incident.
- Trials and Tribulations of setting up a Phishing Campaign – Insight into the how
Speaker: Johnson Haydn @haydnjohnson
Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but once you realize you aren’t getting command and control, that fuzzy feeling wears off quickly. Everyone knows in theory what Phishing is and what Phishing emails look like; they may even theoretically know how it all works.
What about executing a Phishing Campaign? This talk will show you the journey of setting up and executing a Phishing Campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish. An important thing to understand in Phishing (like any attack) is the side of the victim: what they see and do in receiving a phishing email. This is referred to as advancing one’s tradecraft.
We will go through:
– The main difference between phishing for clicks and phishing for shells
– Choosing and setting up a Phishing Framework
– Actions I take when learning something new
– Testing delivery and bypassing Spam filters with Microsoft ClickOnce
– Testing different user interactions for executing payloads
– Learning different payloads for command and control
– Understanding the email minefield
- We Don’t Always Go Lights and Sirens
Speaker: Cooley Kendra @4n6kendra
One of the most critical steps to Incident Response is the initial triage phase. The same can be said of the decision Paramedics make when responding to emergency calls. During this presentation we will review how to properly triage an incident based on the information available while relating the process back to real life emergencies.
- Why is the Internet still working?
Speaker: Troutman James @troutman
I have noticed that most InfoSec folks, even those coming from a network engineering background, tend to have a limited understanding of how the modern Internet that we all depend upon actually works. This talk will be a primer on how today’s Internet is put together versus in the past, and how it manages to keep on working and scaling, thus far. This presentation won’t make anyone an instant expert, but it will provide you with an overview of Internet history, technical and security challenges, operational best practices, and business issues that you won’t find in any other single presentation. Topics will include a brief Internet history, definitions of Internet Service Provider Tiers, the difference between IP peering and IP transit, how Internet traffic distribution and costs have changed over time, the rise of Internet Exchange Points and Content Distribution Networks around the world, and post IPv4 exhaustion issues. Also discussed will be how technologies and techniques such as geo-targeting, Anycast DNS, and remote triggered black-holes help keep the Internet functioning during DDoS attacks, including the ones delivered via the dreaded fiber seeking backhoe.
- You’re not old enough for that: A TLS extension to put the past behind us
TLS evolves rapidly. We don’t all have the luxury of upgrading with it, unfortunately; new versions, extensions, cipher suites, and protocols require mutual support. This poses a serious problem for those who have legacy systems that cannot be upgraded (think IoT, or any device that needs certification). Accepting the risk of using a weak (but still sufficient, or better than nothing) protocol with those systems on an interim basis shouldn’t imply accepting the risk everywhere. I offer an alternative.
I propose a TLS extension that endorses certificates with certain supported features, and then performs a sanity check at the end of establishment or renegotiation. This can be used to detect and prevent downgrade attacks, and doubles as a policy enforcement tool.