This workshop aims to provide insights on how leveraging YARA can significantly enhance incident response and malware hunting capabilities.
Have you ever wanted to learn more about cyber threat intelligence and hunting threat actors? In this workshop, Will Thomas, a professional CTI researcher who hunts threat actors for a living, will walk participants through the fundamentals of creating threat actor profiles. This workshop will involve using a template developed by Will Thomas and Freddy M called the ‘Threat Actor Profile Guide for CTI Analysts’. The guide was originally created for the Curated Intelligence trust group, an international community of over 150 CTI analysts and is used by many on a daily basis.
In the rapidly evolving landscape of cybersecurity, the first step to secure or penetrate any network is reconnaissance. A poorly executed recon phase can leave you blindsided, either missing critical vulnerabilities or wasting time on irrelevant leads. This 90-minute workshop is designed to give you the tools and techniques you need for an effective reconnaissance strategy, using a real-world target for your learning.
Mobile Applications are some of the most widely used pieces of technology by people. However, one side of penetration testing that isn't as well known is mobile application penetration testing.
In this workshop students will be shown how to set up and proxy an Android emulator, how to reverse engineer an Android application, how to bypass certificate pinning, and some basic tests they can perform against the application.
One of the challenges for security teams is writing and deploying detections that generate actionable alerts with rich context while also reducing noisy alerts. This hands-on workshop will teach the fundamentals of Purple Teaming and detection-as-code to help build new detections.
This session will show how to leverage Purple team techniques to develop hypotheses for new detections and strengthen their defenses against future attacks.
I will show how to use open-source offensive security tools to simulate attacks against lab infrastructure and use an investigative approach to learn and build new detections & manage them using detection-as-code principles to eliminate noise and false positives.
Who should attend?
This hands-on virtual workshop is perfect for detection & security teams who are expected to develop and write detections to support new log sources, threat models, and vulnerabilities that are exploited in the wild.
APIs are one of the most popular development tools used today, so it is no surprise they have become a significant target for threat actors. Supported by API development tools and platforms, developers can now easily make and share APIs with others in the community.
This talk will explore the core security issues facing the API security landscape, including how, through common vulnerabilities, APIs can be misused. I will also show how not only are traditional vulnerabilities an issue, but also the attitude towards security of APIs. This will be explored through my personal experience, having found a series of exposed keys on a global API development platform. I will discuss how I found these leaked API keys, and how through communication with the company themselves, extra protection measures were put in place to ensure the security of the API development community.
Ever wondered how to apply the NIS regulations to a 160-year-old railway? Think it's as simple as rolling out some security monitoring, deploying a few agents and crafting an incident response plan? Think again!
We will delve into the fascinating world of securing a railway infrastructure that has stood the test of time. Imagine applying modern cybersecurity principles, the technical intricacies of introducing cutting-edge security monitoring into a railway system that was conceived long before the digital age. How do you secure a system that predates the concept of cybersecurity itself? The challenges, the complexities, and the implementation - it's all here.
Keeping the Wheels Turning, Safely isn't just about the past; it's about safeguarding the future. Discover how we conquer the obstacles to ensure the continued, secure operation of the railway. Your safety, our safety, and the safety of generations to come depend on it.
Buckle up, because this is not your ordinary railway story. This is a thrilling expedition through time and technology, where we'll unlock the secrets of securing an icon that has been transporting us for over a century and a half.
The web platform's openness and composability provide many benefits. Yet, the ability for websites to interact with each other has provided many opportunities for attacks that abuse the core principles of the web.
With the evolution of web frameworks and browsers, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) have become increasingly rare. In response, researchers have found new ways to reveal sensitive information about users, giving rise to a new class of vulnerabilities known as XS-Leaks.
XS-Leaks abuse interactions between websites to leak sensitive information about users. Among other things, this includes leaking the user's visit history, leaking the content of a cross-site page, and leaking response status codes in order to de-anonymize a user on the web. In certain cases, this allows a cross-origin site to perform an XS-Search, where characters in a search query are brute-forced to find a query with valid results.
For example, an HTML injection without XSS can be weaponized to leak response status codes of API endpoints, and browser behaviour when approaching the browser's URL length limit can be used to leak 302 redirects.
In this talk, we will explore various XS-Leak techniques that exist in 2023, their mitigations, and some bypasses.
Special offer: two for one! This talk will be composed of two research topics that Mandiant conducted recently regarding evasion of EDRs. In the first part we will go over how to bypass Linux EDRs and the lessons learned along the way. In the second part we will discuss how Windows EDR could be bypassed using WSL.
The main aim of security risk management is to identify and describe a potential risk in such a way that key stakeholders fully understand it, with a shared remit to either accept or treat the risk.
All too often, this process is misunderstood and/or overcomplicated.
The premise of this rookie presentation will aim to provide a simple approach to security risk management because simple is better and this will be my first presentation.
Are you interested in learning more about the dark web? If so, this rookie track talk could be just what you're looking for! I will showcase my findings about different dark web forums, marketplaces and talk about the scams that you can encounter there. During this talk you will learn why the dark web is still useful. You sure do not want to miss a great opportunity to learn more about the dark web.
Locks, at their core, are some of civilisation's oldest security devices; and, much like any other security product, not all of them are created equal. The current boom in IoT devices makes "smart locks" a tempting proposition, with many options promising affordable and robust security. But how good are they actually? How would you even find that out?
In this talk, Alex and Miłosz shine a light on a popular line of smart locks commonly recommended on major UK marketplaces. Although the build quality of the locks makes them relatively resistant to picking and common physical attacks, multiple issues with their "smart" functionality mean that a small amount of reverse engineering of the associated smartphone app allows anyone to construct valid unlock requests without any knowledge of authorisation material, and without alerting the owner.
This talk is beginner-friendly and no prior knowledge will be assumed. We will discuss the process of discovering the vulnerabilities, explain how the manufacturer got things wrong (and how they could have done it better), and finally tempt the Demo Gods with a live demonstration of unauthorised unlocking of the devices.
Topics covered will include: Bluetooth Low Energy communications, reverse-engineering of Android applications, basic API/Web security.
As multifactor authentication (MFA) has continued to gain traction in mainstream information security practices, criminals are not letting any grass grow under their feet. There are many ways to approach breaking into accounts protected by MFA, and this talk is designed to go into the details of how the most common MFA methods work, how they may be bypassed, and the policies and tools we can use to find the appropriate level of security for each use case. The talk includes examples of real-world attacks on MFA.
Of course Walter White will be assisting to deliver this messaging throughout the presentation in carefully chosen pre-recorded segments.
In today's interconnected world, where routers form the backbone of our digital lives, security vulnerabilities in these devices can have far-reaching consequences. By exploring the intersection of cloud technology and router security, I will demonstrate how malicious actors can exploit these APIs to compromise home and enterprise networks.
Despite the multiple mitigations available to defend against Cross-Site Scripting (XSS) attacks, it remains a common vulnerability in 2023. This presentation aims to provide testers with a few methodological considerations when examining web applications for XSS vulnerabilities. Examples will be inspired by real life security assessments. The presentation will then conclude with a suggested layered defence-in-depth approach to mitigating XSS attacks.
Satellite eavesdropping on a budget with a further look at the current state of space hacking vectors, and actors.
This presentation will delve into the critical practice of red teaming within the realm of safeguarding our critical infrastructure. As the threat of cyber attacks on these vital systems continues to escalate, their potential consequences for society and the economy are increasingly severe. Red teaming, an innovative simulation-based approach, has emerged as an indispensable tool for uncovering vulnerabilities within these systems and shoring up defenses. Through real-world examples and case studies, we will explore the practical usage and tangible benefits of red teaming exercises. By the conclusion of this presentation, attendees will not only grasp how red teaming can significantly enhance the security of critical infrastructure but also gain actionable insights into staying one step ahead of Advanced Persistent Threats (APTs).
Email-based attacks remain at the forefront of the cybersecurity threat landscape, ever-evolving to circumvent defenses and trick unsuspecting users. In this presentation, we will discuss the nuances of the latest trending social engineering techniques including QR codes, image-as-content attacks, HTML Smuggling SVGs, and more. We will examine several real-world examples, discuss attacker objectives, and explore the tactics used to make them appear legitimate. Additionally, we will discuss methods of detection and prevention by analyzing signals unique to these attacks.
The pervasiveness of QR codes in daily life, combined with the ease of generating them, presents unique security challenges. Their quick-scan nature means users often trust and act on them without the scrutiny given to URLs. Moreover, most traditional email security systems are geared towards analyzing text-based content, making QR-encoded URLs slip through undetected.
In parallel, attackers are leveraging images to embed the text of their attacks. Since many email security scanners rely on analyzing suspicious text and URLs embedded directly in the body of messages, attackers are often able to bypass traditional detection.
Attendees will come away from this talk with a better understanding of the latest email threats and the methods they can use to protect themselves and their organizations against them.
What do you get when you cross a bored security researcher with a gullible scammer? You get this talk, of course – an epic dive into weeks of trolling, lulz, and horrendous OPSEC.
I’ve been trolling scammers as a hobby for a while now, amusing myself by replying to their email lures with deliberately outrageous scenarios and turns of phrase. Usually, the scammers figure out I’m on the wind-up and disengage pretty quickly.
Not this time.
Join me as we walk through a complex, long-term email scam from start to finish – a journey featuring a ‘solicitor’ who out of the goodness of his heart wanted to help me claim an inheritance worth millions, and a ‘bank’ which was only too willing to facilitate this.
Along the way we’ll meet my alter egos (the intended victims of this scam), and their fictional, put-upon, and possibly kidnapped roommate, Tarquin Fortitude. Together they turned a simple phishing lure into a litany of trolling involving increasingly ludicrous personal details, the most amateurishly-fabricated library card ever, a fake bank transfer, a giant purple envelope, and hilarious misunderstandings. Every time I thought I’d gone too far – like when I asked the scammer to send ME money – the scammer continued to reply, even laying the groundwork for a follow-up scam by telling me their son was undergoing cancer treatment.
But it wasn’t all just for the lulz. As I trolled, I also documented every domain, snippet of information, and attachment, which provided a useful insight into how modern email scammers operate and the techniques and tactics they use. It also eventually resulted in me obtaining some very interesting details about the scammer…
In this talk I’ll tell you the story in all its gory detail, explore some practical learning points, and share the IOCs and TTPs I collected.
Phishing remains one of the most effective attack vectors in the cybersecurity landscape. This talk sheds light on the comprehensive setup and intricacies of orchestrating a phishing campaign, dissected into distinct phases: Reconnaissance, Planning, Building, Pre-Execution, and Post-Execution. By diving deep into the attacker's mindset and methodology, participants will gain insights into how a successful phishing campaign is carried out.
In the immortal words of David Byrne, well... how did we get here?
This talk will be a look at 74 years of malware history, from John von Neumann's first proposals for self-replicating automata to the present day. We'll cover the ground-breaking, the destructive, the infectious, and the funniest.
In this electrifying session, we'll delve into the mystifying fog surrounding businesses' massive shift toward cloud migration. Brace yourself as we scrutinize the age-old debate: Is the cloud always the silver lining, or does on-premises have its own unique thunder? We'll navigate the treacherous storms of cloud attacks, from sneaky access control breaches to misplaced trust in cloud service providers. Discover the aftermath of these attacks: compliance nightmares, reputational tremors, and the struggle to rebuild. Fear not, for we shall also unveil the arsenal of security measures, from powerful IAM controls to vigilant resource monitoring. Join us, and let's secure the future of cloud together!
Cabled IoT devices are now everywhere around us and due to the lack of regulations and standards regarding installation and cable security in the UK, many of these cables are left vulnerable...
With an increasing number of companies, like start-ups and fintech firms, transitioning to macOS environments, the demand for macOS red team expertise is increasing. Setting up a comprehensive and effective macOS lab environment is a critical foundation for both offensive and defensive cybersecurity professionals. We all know how important this is, either to test payloads or to create new ones for the next gig.
However, the unique nature of macOS can pose challenges while simulating an environment for those familiar with other platforms. This workshop aims to provide a guide for attendees to set up an organisation-like macOS playground (lab environment), along with AD integration to replicate an organisational setup, for red teamers to get started.
This hands-on workshop aims to give you an understanding of the security features and pitfalls of modern containerization tools like Docker and Kubernetes. We’ll cover a range of topics to build up a picture of the security options available and show practical examples of attack and defence on containerized systems.
There will be hands-on labs covering common attacks on Docker, Docker containers and Kubernetes clusters.
Prerequisites – Familiarity with basic Docker commands and Linux command line use will be helpful, but we’ll provide step-by-step instructions for people who are less familiar with them.
Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.
In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.
Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.
Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and YARA, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manner of email threats.
This workshop covers payment vulnerability research, issues, and attacks related to payments. We help our audience gain a better understanding of how to find vulnerabilities in payment systems while staying within the law, what skills and equipment are necessary, and how to get both.
The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.
In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.
It’s 2023 and we are still talking about equal opportunities and inclusion. For the best part of 12 months, I have been actively seeking my first Sales role in Cybersecurity with little success. The sector is frequently self-proclaimed to be under-skilled with a talent gap, in addition to it being an ever rapidly evolving industry. Despite having almost 8 years' experience working in sales as an Estate Agent and a passion for InfoSec, a prejudice still exists in the industry against myself and those with no prior Cyber experience. I talk about my journey from self learning the fundamentals of Cyber at home in my own time (and expense), sitting numerous calls and interviews, to recently attending the International Cyber Expo in London.
Bring Your Own Vulnerable Driver (BYOVD) has become an extremely popular attack technique seen in the wild. Even ransomware groups are using it to blind Endpoint Detection & Response (EDR), dump protected credentials from memory, erase their own traces, and all sorts of other juicy things you can do in the Windows kernel. But why bring your own vulnerable driver when you can use those already installed?
In this talk we’ll share our journey of exploiting a critical zero-day vulnerability that we found in VPN software used by more than 40,000 organisations world-wide. After a recap on kernel drivers, we’ll reveal how anyone in the audience can find vulnerabilities like these on live systems. Furthermore, we’ll share our abuse path to exploit the vulnerability. We'll reveal several techniques you can use to overcome typical restrictions when exploiting kernel drivers. We’ll show you how we applied these techniques to build an exploit that we use in red teaming engagements. Lastly, we demo the exploitation of the vulnerability on a target system, resulting in SYSTEM privileges.
The talk is accompanied by the first-hand public release of the exploit, in the form of a Cobalt Strike (CS) Beacon Object File (BOF). Additionally, we’ll publish a blog post that includes all technical details.
A golden goose of Microsoft and a secret weapon in a defender's world... Yet what is it, and how does it work? How can we use it to detect evil when my EDR does not? This talk aims to look at the practical (ab)uses, drawbacks, and considerations presented within the Microsoft Threat Intelligence Event Tracing for Windows log provider, contextualized to a SOC environment running on Microsoft's Defender for Endpoint.
Being a similar age to the WWW, I've grown up using it and freely providing it my personal data without knowing any better. In this session we’ll jump into the field of Open Source Intelligence (OSINT) and explain how it can be leveraged to understand your digital footprint on the internet. As part of the session we’ll discuss the various sites, tools and learning resources that can be used when investigating the spider web of information that is publicly available about people and explore what sort of data I found in my own personal investigation. Ultimately, I hope this talk will provide a potent example of the old adage ‘the internet never forgets’.
The following 15-minute presentation will discuss retail’s threat landscape, taking into consideration the top cyber crime trends for 2023 (AI, ecommerce fraud, and synthetic identity manipulation for example), threat actor campaigns, and a roundup of 2024 predictions for security professionals.
A Cyber Threat Intelligence (CTI) focussed look at the game-hacking community and their forums, gleaning insight into how both sides of the infosec and hacking community can gain vital knowledge from sometimes toxic places.
PE files have interesting properties that can be manipulated to achieve a variety of goals during an offensive security exercise. In particular, manipulating the 'S' bit of a section enables memory regions to be shared among processes dynamically - serving as an effective covert channel. This session aims to introduce a homegrown tool to illustrate this concept in action.
Threat actors employ anti-forensics techniques that obscure some of their activity and make it more difficult to determine what actions they have performed on compromised systems. Investigators need to be aware of these techniques, and be equipped with solutions (or detection ideas) to defeat the anti-forensics measures they take.
It would be no surprise if most people in 2023 are either already working or about to work on securing applications hosted on public/private cloud providers. However, a lot are primarily working on applying CIS Benchmarks, NIST mapping, NCSC Cyber Essentials mapping, etc. to their cloud to secure it. This leaves a gap in understanding how a malicious actor works their way through a cloud account once it is compromised, and how a blue team can detect them in their environment. The best way to do this is to learn from what's already happened, i.e. cloud breaches.
This talk will start with a walkthrough of how malicious actors approach a cloud environment that has gaps which can lead to. This will be followed by the low-hanging fruit that malicious attackers check for in your cloud environments, how a lot of organisations are managing security risk in a multi-cloud world, and where the security gaps lie that are the responsibility of the cloud customer to manage.
"I am about to do something very bold in this job that I’ve never done before: try." - Jim Halpert
Over the years, Team Cymru has tracked down the activities of numerous malicious actors, from low-level cybercriminals and bulletproof hosting providers to nation-state and human exploitation activities. In this talk we would like to discuss a common enabler to these activities: virtual office abuse.
The proliferation of virtual offices, a concept initially designed to provide flexible workspace solutions for businesses, has inadvertently become a double-edged sword, offering a cloak of legitimacy for malicious actors, and those who provide / sell services to them.
In this presentation we will present several different cases, covering a diverse range of threats, where the threat actors have benefited from the usage of virtual offices / post boxes to enable malicious activities. In doing so we will also cover how to identify and track suspect companies, who utilise virtual office spaces, across the globe (including in London!).
Using Microsoft Sentinel and LogicApps to improve manageability of Windows ASR rules
What is cyber deception? Is it simply lying on the internet, or is it something far more sophisticated? Find out the answer to these questions and more, and by the end you might be able to deceive your attackers too!
Swiper, No Swiping! Utilising OSINT Tools and Techniques before you swipe right.
In 15 minutes, you'll walk away with tips for uncovering your match before the first date.
Think your access control system is top-notch? You might be surprised to learn that many state-of-the-art systems harbor significant vulnerabilities. This talk delves into how these weaknesses, when combined with savvy social engineering tactics, can enable attackers to infiltrate buildings, penetrate sensitive, high-risk areas, and exit undetected.
We'll expose critical issues in system integration and compliance that leave businesses dangerously exposed. Our presentation includes live demonstrations of these tactics and case studies illustrating how such vulnerabilities can be exploited in coordinated attacks. Most importantly, we'll explore effective strategies to educate businesses about these often-overlooked threats, emphasizing the role of technology and heightened awareness in thwarting low-risk but high-impact security breaches.
Help! We’ve bought the latest tools, we’ve got all our logs in a SIEM, we’ve tuned and tweaked our detection rules, we’ve even built investigation playbooks… but we still don’t have enough time to investigate all of these alerts!
With modern blue teams investigating more alerts from a wider variety of data sources than ever before, a common reason for being overwhelmed is that it just takes too long per alert for an analyst to perform a meaningful investigation. This inevitably leads to alert fatigue, lower quality investigations, missed true positives and to a detection and response service that can’t scale. So, how do we combat this problem?
In this talk I’ll be discussing a recent case-study of ideas and tools that were implemented in a global detection and response team to:
- Empower analysts to quickly identify important contextual information during investigations
- Establish shared investigative baselines between different levels of analyst experience
- Automate common tasks to allow analysts to perform meaningful investigations
If you’re looking for actionable takeaways that you can build into your blue team’s tooling and processes to help scale your operations, then this is the talk for you!
The Salesforce platform is subject to a platform-specific vulnerability known as SOSL injection. While conceptually similar to SQL injection, testing and exploitation require different payloads and different approaches.
In light of the lack of online documentation, and a distinct lack of online examples or tutorials, this talk will explain the issue and its consequences. It will illustrate some working methods for detecting and confirming the existence of the vulnerability within a website, showing different payloads useful for detection and exploitation, before explaining the consequences for a vulnerable site and how to fix occurrences of the issue.
Briefly covering the essential ethical and moral elements of ethical hacking and its importance, this short presentation will provide an insight into navigating the aforementioned aspects.
With Industry 4.0's emergence, cyber threats against Critical National Infrastructure (CNI) have surged. This includes ransomware attacks, exposing technical and policy vulnerabilities. It's time to explore how standards and other existing frameworks contribute to this and how we can reduce our threat landscape with more stringent regulations to reflect our commitment to cyber resilience as a country.
With chemical plant contributing $5.4 trillion to the global economy annually, and the control systems having an average age of 20 years, the prospect of a full or partial breach by threat actors is of great concern to owners, customers and wider stakeholders (the latter including anyone downwind).
We cover the development of chemical plant and their control systems, some historical attacks and incidents involving chemical plant and their impacts, and what existing Laws already cover how plant safety and cybersecurity should be considered. We then delve into using Adversarial Reinforcement Learning to both develop new ways for the Red Team to attack, modelling both different threat actor capabilities and intents - with the Blue Team attempting to identify, respond to and recover from attacks. With the plant we tested, the Red Team enjoyed a decided advantage at forcing plant shutdown - particularly if given fine-grained control - leaving operators with just under three minutes to respond.
In 2013, I presented Security Awareness: Making Your Staff the STRONGEST Link, on the first ever rookie track, mentored by the legend that was ClappyMonkey (Mike Kemp) RIP.
This talk is an introspective look at the industry with insight and experience gained from on the ground and in the weeds over the last 10 years. What's changed, what hasn't, and how I think we need to mature this area of cyber security.
There might be some spicy takes but none of them will be fakes!
Supply chain security is the new buzzword of the town and everyone is gaga about it. After the executive order and the SSDF / SLSA documents being released, every single vendor has added SBOM capabilities and declared the problem solved. The problem is it's not solved: supply chain security is not a new problem and SBOM is not the final solution. This talk wants to throw light on a supply chain security overview and then address the following points.
1. How supply chain security is an age-old concept.
2. What has changed in the last few years and how that affects this problem space.
3. At a broader level how SLSA / SSDF are trying to address the problem.
4. What is still missing in market and what is needed to be done beyond buying tools.
In this talk I walk the audience through reverse engineering how the Flipper Zero decodes microchip data with the help of some fluffy friends. At the end of the talk, viewers will have gained an idea of the processes as well as tactics for overcoming the dead ends that can come with reverse engineering.
A fully fledged DevSecOps pipeline can be expensive! But it doesn’t need to be….
In today’s cost-conscious environment we don’t all have the luxury of a bottomless security budget to drop on top-of-the-line SaaS solutions. Join me for this talk as I take you through the process of building a robust, scalable, and secure pipeline to bring security to the heart of your software development process. Discover practical strategies, open-source tools, and cost-effective approaches that empower your organisation to achieve DevSecOps excellence without compromising your financial health.