
Queen City Con 0x3: Lessons on Hacking and Building Cyber Resiliency


(@gitguardian)

Read full article here: https://blog.gitguardian.com/queen-city-con-0x3/?utm_source=nhimg


Cincinnati holds the distinction of being the first U.S. city to establish a municipal fire department in 1853 and the first to install a fire‑station pole. This innovation, like the steam pump, initially faced skepticism but ultimately transformed firefighting. Over 120 years later, security defenders face a similar challenge: AI and automation technologies in security are still met with doubt. This parallel made Cincinnati the perfect backdrop for Queen City Con 0x3, a three-day security conference bringing together hackers, students, compliance experts, and security professionals.

The event featured 71 speakers, hands-on labs, workshops, and 10 themed villages, delivering a DEF CON-like experience without the long lines. Here are the key takeaways.


Machines Now Define Your Perimeter

In his talk, Scott Smith, Principal Consultant at New Era Technology, explored the growing attack surface presented by Non-Human Identities (NHIs). NHIs include:

  • Tokens, API keys, OAuth keys
  • Certificates
  • Bots and service accounts

These machine identities are automatically created, often poorly governed, and widely distributed across code, environments, and systems, making them a prime target for attackers. Scott highlighted that over 50% of breaches involve machine identities, and 77% of web application attacks start with stolen credentials.

Key recommendations for NHI security:

  1. Discover and inventory NHIs – classify and prioritize based on risk.
  2. Manage credentials proactively – rotate static keys, right-size permissions, integrate automated secret scanning in CI/CD pipelines.
  3. Govern at scale – establish policies that endure growth, particularly in microservices, automation, IoT, and MLOps environments.

“The perimeter is identity now. Protect more than your workforce.” – Scott Smith


Cloud Security’s Preventable Failures

Matt Scheurer, VP, Computer Security & Incident Response, shared lessons from AWS, Azure, and Google Cloud security incidents. He stressed that most cloud failures are avoidable with proper configuration, training, and awareness.

Common pitfalls include:

  • Publicly accessible storage buckets with sensitive data
  • Default credentials left unchanged
  • Misconfigured remote access creating unintended attack paths

Key advice:

  • Use threat models like STRIDE and data-flow mapping
  • Enable detection, logging, and performance monitoring (e.g., AWS GuardDuty, CloudTrail, CloudWatch; Azure Defender and Sentinel; GCP Security Command Center)
  • Avoid trading security for convenience

Matt introduced SaaD (Stupidity-as-a-Disservice) as a reminder: many incidents result from preventable mistakes, not advanced attacks.


Defaults That Let Users Own Your Forest

A Principal Security Consultant at Semperis, together with John Askew, Hacker and Founder of Terrapin Labs, demonstrated how default Active Directory (AD) settings create high-risk scenarios:

  • ms-DS-MachineAccountQuota allows certain users to add up to 10 computers to a domain
  • SeMachineAccountPrivilege lets authenticated users join machines

These defaults, ubiquitous across 80% of AD deployments, allow attackers to pivot from a single machine to the entire forest.

Mitigation steps:

  1. Set MachineAccountQuota to 0
  2. Restrict SeMachineAccountPrivilege to admins only
  3. Pre-create computer accounts in controlled OUs or use Offline Domain Joins
  4. Monitor for new machine accounts via Event ID 4741
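An added example, not code from the talk or the GitGuardian article, that carries out steps 1, 3 and 4 above from PowerShell: it reads and zeroes ms-DS-MachineAccountQuota, lists computers that were joined under the quota (their mS-DS-CreatorSID is populated), and pulls the last week of Event ID 4741 from the PDC emulator. It assumes the ActiveDirectory RSAT module is installed and the account can modify the domain object and read domain controller security logs; step 2 (SeMachineAccountPrivilege) is a Group Policy user-rights assignment and is not touched here.

```powershell
# Added example, not code from the talk or the article: audit the
# ms-DS-MachineAccountQuota default, set it to 0, list computers that were
# joined under the quota, and pull recent 4741 events from the PDC emulator.
# Assumes the ActiveDirectory RSAT module and rights to edit the domain object.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# Step 1: read the current quota (a fresh domain ships with 10).
$maq = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $dn is currently $maq"

# Remediate: with 0, only principals granted Create Computer Objects on an OU can join machines.
if ($maq -ne 0) {
    Set-ADObject -Identity $dn -Replace @{'ms-DS-MachineAccountQuota' = 0}
    Write-Host 'Quota set to 0.'
}

# Step 3 (inventory): computers with mS-DS-CreatorSID set were created by a
# non-privileged user through the quota. Resolve the SID to name the creator.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator may have been deleted since
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
    } | Format-Table -AutoSize

# Step 4 (monitor): Event ID 4741 = "A computer account was created". Parse the
# event XML by field name rather than by index so the query survives schema changes.
Get-WinEvent -ComputerName $domain.PDCEmulator -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4741
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewComputer = $data['TargetUserName']
            CreatedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } | Format-Table -AutoSize
```

Computers with a populated creator SID in the inventory step are good candidates for review, and the 4741 query is the ad hoc form of what should be a standing SIEM alert.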


Detection by Design: Resilience First

Trent Liffick, Principal Cyber Threat Analyst at Fifth Third Bank, emphasized the importance of resilient detection engineering:

  • Lifecycle: gather intel → design → develop → test → deploy → monitor → iterate
  • Avoid brittle rules based on filenames or specific strings; focus on behavioral patterns
  • Principle: “Shift down, not left” – ensure detections survive evasion tactics and changing attack methods

Effective detection requires modeling attacker behavior, abstracting patterns, and evolving faster than adversaries.


Discipline Over Defaults

A recurring theme across Queen City Con 0x3: defaults, drift, and convenience create the most preventable risks.

Key takeaways for security teams:

  • Identity is the new perimeter, including non-human accounts
  • Apply least privilege principles consistently
  • Turn principles into daily operational habits: asset inventory, logging, key rotation, and review

Model over mechanism: define “good” behavior, measure it, and enforce it, rather than relying on dashboards or tools alone.

Culture decides outcomes: resilience comes from embracing friction and discipline early, not convenience.


Conclusion: Firefighting Lessons for Cybersecurity

Cincinnati’s early firefighters adopted steam technology and mastered new procedures to save lives. Similarly, modern security teams must adopt NHI-aware identity governance, enforce cloud security basics, and embrace disciplined detection practices to reduce risk.

Queen City Con 0x3 highlighted that the solutions are often straightforward but require diligence and culture change. Security is less about fancy tools and more about posture, process, and proactive management of machine identities.
