09:00
09:00
120min
DDoS’ing with Basic GNU/Linux Tools
Cansu Topukçu

This workshop aims to build an understanding of the most commonly used DDoS techniques by performing live attacks against test platforms using basic tools found in GNU/Linux systems.

Workshops
Hochschule München - R0.010
09:00
240min
Forensic Fundamentals of Automotive Control Units
Dr. Jan Van den Herrewegen

Forensic Fundamentals of Electronic Control Units

An automotive Electronic Control Unit (ECU) becomes, once installed in a vehicle, essentially a black box. Certain aftermarket endeavours, such as retrieving crash data for insurance purposes, providing access for independent repair shops, forensic analysis of mileage correction bugs used by aftermarket tools, or reprogramming the ECU to a blank slate in order to give it a new life on the second-hand market, are impossible without authenticated access to the ECU. In this workshop, we delve into the secret waters of ECU reverse engineering. Firstly, we look into firmware retrieval methodology. To that end, we introduce various frequently occurring hardware interfaces and their respective communication protocols with the ECU. Next, we touch upon two easily accessible hardware fault-injection techniques (voltage and electromagnetic fault injection) which can assist in accessing the ECU's internal workings. Secondly, we apply these techniques to real-world targets in order to access their firmware. Analysing existing diagnostic tools and MCU debuggers, we show practical ways to ease the forensic process. We discuss which algorithms to target and how to locate them in what initially seems like a cluttered binary desert.

Workshops
Hochschule München - R1.006
09:00
540min
How to scale software quality and security using the open source tool Semgrep
Pieter De Cremer

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.

In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.

Workshops
Hochschule München - R1.007
09:00
240min
Introduction to BLE hacking
Diego, Daniel Schwendner

Bluetooth is a ubiquitous protocol nowadays, embedded in almost every modern cell phone and generally used for low-consumption embedded devices and IoT. In this workshop we will learn the basics of the protocol and how to automate reconnaissance of devices, services and characteristics. The workshop is based on an open source CTF.

Workshops
Hochschule München - R0.009
09:00
540min
The Hitchhacker's Guide to the Mobile Galaxy
Claudia Ully

The mobile galaxy is dominated by two solar systems: Android and iOS. Grab your towel and embark on a journey through the intricacies of mobile operating systems. Uncover the secrets and vulnerabilities of mobile app planets through static analysis. Ignite the infinite improbability drive and delve deeper with dynamic analysis to gain the skills and knowledge to outwit the Vogons. Establish a Man-in-the-Middle to glide through the network traffic of mobile applications and see them phone home.

In this workshop, not only the Ultimate Question of Life, the Universe, and Everything will be answered but also most of your questions regarding mobile security. Join us on this galactic adventure of becoming a mobile security expert!

Workshops
Hochschule München - R1.008
13:00
13:00
60min
Lunch Break
Hochschule München - R0.009
13:00
60min
Lunch Break
Hochschule München - R1.006
14:00
14:00
240min
OSINT - Detecting facts and fakes
Maximilian Haselberger

This workshop addresses the (critical) challenge of discerning accurate information from misinformation and fake news in the vast digital landscape.
It will therefore provide an overview and hands-on experience of modern OSINT tools and demonstrate their practical application in real-life scenarios. To achieve this, a real-life example will be worked through in which the dissemination of misinformation had significant implications for both journalism and IT security.

Workshops
Hochschule München - R0.009
14:00
120min
Set The Trap! Perimeter Defense with Honeytokens
Mackenzie Jackson

It can take months after a malicious attacker gains access to your system to even know they were there. Next come months of painful work: analyzing logs, changing credentials, notifying customers, reviewing source code, and we haven't even talked about the cost of the breach itself. So how can you know when an attacker has infiltrated your systems and bypassed your security? Honeytokens are a great way to know when an attacker has breached your systems. Honeytokens are credentials that don't actually grant any access but instead trigger alerts that report the intruder's activity.

When attackers gain access to a system, they immediately look for ways to gain more control. One of the easiest ways to expand their presence is to find plaintext credentials lying around in code, config files, or logs; this makes honeytokens the perfect trap. In this workshop, we will walk through exactly how to create real honeytokens you can put in your own infrastructure to trip attackers in their stride, using open-source tools and your own cloud infrastructure.

If you are working to detect and stop intruders in their tracks, then this session is for you.

Workshops
Hochschule München - R1.006
16:00
16:00
120min
Gamified Cyber Incident Simulation
Klaus-E. Klingner

In order to ensure efficient and timely responses to cyber security incidents, it is of utmost importance to consistently practice their management. This typically entails substantial effort in terms of organizing and conducting exercises. In this workshop, I will present an innovative and engaging gamified approach to address this challenge, employing the "Backdoors and Breaches" framework.

Workshops
Hochschule München - R1.006
08:00
08:00
60min
Checkin
WestIn - Munich
09:00
09:00
10min
Welcome Note
WestIn - Munich
09:10
09:10
30min
The Seven Sins. And Virtues. Of IT Security. And how they affect our world.
Mario Heiderich

In this early morning sermon, our dear Reverend will shed light on
ancient truths about sin and virtue, and take those present on a
refreshingly content-free journey from the ancient and glorious past to
the present, the age of glitz and glitter, cloud and no more Twitter,
drawing lines between dots that might better have been left undrawn.

Talks
WestIn - Munich
09:50
09:50
10min
Short Break
WestIn - Munich
09:50
10min
Short Break
WestIn - Partenkirchen
10:00
10:00
30min
(In)direct Syscalls: A journey from high to low
Daniel Feichter

Over the last 2-3 years, detection of in-memory malware by EDRs has improved. Depending on the EDR, they use different defenses such as user mode hooks, kernel callbacks, or Event Tracing for Windows (ETW) to detect in-memory threats. Therefore, depending on the EDR, from an attacker's (red team's) perspective we must use different types of techniques such as direct syscalls, indirect syscalls, or call stack spoofing to avoid being detected by EDRs.

The goal of this talk is to give a brief, logical overview of syscalls in general on Windows, direct syscalls, indirect syscalls, etc. We will take a step-by-step look at how to develop a Win32 API shellcode loader into an indirect syscall shellcode loader. We will go through Win32 APIs, Native APIs, direct syscalls, and indirect syscalls. We will look at when direct syscalls fail to bypass EDRs and why indirect syscalls are an evolution of direct syscalls and can be used to bypass them, depending on the EDR. We will also do some call stack analysis and look at the limitations of indirect syscalls in the context of EDR evasion, when they fail, and why it may be necessary to spoof the entire call stack of your shellcode loader to evade an EDR in 2023.

Talks
WestIn - Munich
10:00
30min
Shielding Europe: DNS4EU's Pan-European Protective DNS Service for 100 Million Users!
Andronikos Kyriakou, Tomas Vogel

DNS4EU is a European DNS resolver project designed to enhance online privacy and security for EU internet users. Led by Whalebone and consortium members consisting of cybersecurity experts, it aims to protect 100 million users from global and local cyber threats while complying with EU data protection laws. This presentation explores DNS4EU's architecture, deployment, threat intelligence sharing, and community involvement.

Talks
WestIn - Partenkirchen
10:30
10:30
30min
Cracking the chaos ransomware family
Alexander

In the last few years, many organizations have suffered from ransomware attacks. Recovering from a ransomware attack usually requires backups, but in some cases there are other ways. In this session, Alexander will showcase his team's latest research in ransomware decryption capabilities. The research breaks an entire family of ransomware variants and allows victims to restore encrypted data without obtaining the private keys.

Talks
WestIn - Partenkirchen
10:30
30min
SOC Analyst’s Arsenal: Essential Tools, Tips and Tricks for Effective Investigations
Samuel Kavaler

In the ever-evolving landscape of cybersecurity threats, SOC analysts play a vital role in detecting, investigating, and responding to incidents. To excel in their mission, SOC analysts need to leverage a comprehensive arsenal of tools, along with proven tips and tricks, to conduct efficient and effective investigations.

In this talk, we will dive deep into the SOC analyst's world, exploring the essential tools, invaluable tips, and time-saving tricks that can supercharge investigations. Join us for an engaging session that will empower SOC analysts of all skill levels with the tools, tips, and tricks necessary for effective investigations.

Talks
WestIn - Munich
11:00
11:00
30min
Coffee Break
WestIn - Munich
11:00
30min
Coffee Break
WestIn - Partenkirchen
11:30
11:30
30min
Exploring IPFS threats
Morton Swimmer

Even if Web3 usage is still tiny compared with Web 2.0, that has not stopped bad actors from misusing some of its technology stack. Without the clear client-server architecture we are used to, the peer-to-peer nature of the storage layer of Web3 is able to fly under the radar and prevent normal methods of content filtering. We will dive into IPFS as a technology to understand its idiosyncrasies and the ways in which it can be abused. Along the way, we present statistics that document the mounting dangers we have identified, and finally we discuss how we can mitigate these.

Talks
WestIn - Munich
11:30
30min
Let me do it for you - Automating OSINT and Recon
Paul Zenker

In the areas of offensive and defensive security, valuable information and insights derived from OSINT and reconnaissance are the backbone of success. But gathering the needed data is not easy; it demands immense effort. In this talk I want to share some insights on how you can develop capabilities to automate a lot of the work involved in data collection. With the power of automation, you'll free up valuable time for in-depth intelligence analysis.

Talks
WestIn - Partenkirchen
12:00
12:00
30min
Bio-Lock The future and ethics around DNA Cryptography
Tayla Sellschop

DNA cryptography is one of the few solutions to encryption as quantum cryptography comes into the fold. What are the pros in terms of its use as storage, and what are the concerns as we ultimately begin using it personally?

Talks
WestIn - Partenkirchen
12:00
30min
Exploring Discrepancies in CISO Job Advertisements: A Comparative Content Analysis
Daniel Fall, Leonhard Kurthen

This study presents a qualitative content analysis of public job advertisements for the position of Chief Information Security Officer (CISO) in both the DACH area (Germany, Austria, and Switzerland) and the United States of America. The analysis comprises a representative sample of recent public job advertisements collected over a period of three months. The primary objectives of the research are twofold.

Firstly, the study compares the roles, responsibilities, resources, and duties outlined in the job advertisements with the actual requirements derived from contemporary security best practices, such as ISO/IEC 27001. By evaluating this alignment, we aim to ascertain any potential discrepancies between the advertised expectations and the industry's current security standards.

Secondly, we investigate potential regional variations in CISO job descriptions, taking into account cultural, legal, and organizational differences between the DACH region and the United States. Understanding these distinctions could provide insights into the specific demands and preferences of each region concerning information security management.

The ultimate goal of this research is to identify any adverse impact that might arise from discrepancies between the requirements set forth by organizations in job advertisements and the actual best practices. By shedding light on these potential mismatches, we hope to contribute to the enhancement of information security recruitment and practices, thereby fortifying companies' security management efforts.

Talks
WestIn - Munich
12:30
12:30
30min
Rooting the Cradlepoint IBR600 and other Stories
Sebastien Leger

The Cradlepoint IBR600C is a semi-ruggedized router with LTE connectivity as well as Ethernet and Wi-Fi for mission-critical IoT and is mainly used in the US. In this talk we take a deeper look at some security issues we found in the device and its cloud connectivity.

Talks
WestIn - Munich
12:30
30min
Secure containers - Do component reduction strategies fix your container security nightmares?
Michael Wager, Michael Helwig

Container security issues are an ongoing topic in organizations. Containers often remain a "black box", and vulnerabilities can often not easily be resolved by simply updating base images. Security scanners typically detect a lot of findings in a container, and even for critical issues updates are not always readily available, which creates a lot of effort for security and development teams. We explore different options and best practices to reduce the attack surface in your containers and will take you down the full path of removing all unnecessary components to go fully distroless. We explore whether the concept of "distroless" is the solution to your security nightmares, and what the expectations, challenges and potential disappointments are.

Talks
WestIn - Partenkirchen
13:00
13:00
60min
Lunch Break
WestIn - Munich
13:00
60min
Lunch Break
WestIn - Partenkirchen
14:00
14:00
30min
Christmas Hancitor Campaign
Artem Artemov

Security teams are tasked with defending their organization from incoming attacks, but in the rapidly changing environments how can they stay ahead of threat actors?

During the height of the pandemic, almost all countries introduced restrictions, limiting many day-to-day activities. Many aspects of public life and work were put on hold. But that didn't apply to hackers. As businesses moved to remote working there was a surge in hacker activity targeting vulnerable VPN servers and publicly available RDP services.

We uncover the attacks carried out by Hancitor operators on a European company, revealing how we identified the attack, discovered the threat actor's infrastructure and finally prevented an incident from occurring by interrupting encryption of the organization's systems and network. We share how Group-IB's Threat Intel & Attribution team detected an attack as it took place and kicked out the threat actors before damage was done.

We reveal all the stages of hacker activity - from gaining initial access to lateral movement, methods of investigating these stages, and the hacker’s tools. We also share our top recommendations that teams can immediately action to help prevent cyber threats.

Finally, and most importantly, we will share how security teams can utilize timely and accurate threat intelligence to stay ahead of threat actors to identify attacks and prevent incidents from happening.

Talks
WestIn - Munich
14:00
30min
The current state of ransomware
Sebastian Gebhard

Ransomware is the most present threat in Cyber Security today, making the headlines almost every week. This talk will give an overview of the current ransomware landscape. We will look at the history, recent developments and give a preview of what might come. To round up the talk, I will share some (sad and funny) stories from Incident Response in over 80 ransomware cases solved by Corporate Trust over nearly 10 years, as well as practical measures for everyone to take home and secure your infrastructure(s).

Talks
WestIn - Partenkirchen
14:30
14:30
30min
SiERRA - Automating and scaling forensic investigations at Siemens CERT
Demian Kellermann

Usually, a forensic investigation of a breach involves a lot of data conversions, loose files and the investigator's personal collection of favorite tools. This leads to issues when it comes to scaling the investigation to many hosts and also lacks consistency of results when sharing the analysis work in a team.

Over the last years, we have wrapped all our tools into a common interface, defined the data flow between them and built comprehensive workflows out of these building blocks. We can now automatically process collected forensics data from the raw image into a plethora of useful reports, all in a single click.

Additionally, our platform offers a sleek interface to view the reports and the raw data, search the timeline and document our findings.

Using this approach, we have improved our ability to quickly adapt to big investigations and to keep track of the progress throughout the collection, processing and documentation phases, while also making forensics more accessible to colleagues from IR.

Talks
WestIn - Munich
14:30
30min
What We’ve Learned from Exposing Atlassian on the Internet: In-Depth Analysis from an Offensive Perspective
Oleksandr Kazymyrov

During a recent security assessment of Storebrand's modern environment hosted on Azure, the offensive team identified several attack vectors from the Internet that could compromise the organization's assets. Specifically, vulnerabilities were discovered in Atlassian products exposed on the Internet, which could allow attackers to gain unauthorized access to sensitive data. To mitigate these vulnerabilities, the Web Application Firewall (WAF) was re-evaluated and reconfigured to protect Atlassian products. Overall, the offensive team's identification of these attack vectors and recommendation to implement a WAF helped Storebrand's security team improve their security posture and better protect their modern environment.

Talks
WestIn - Partenkirchen
15:00
15:00
30min
Coffee Break
WestIn - Munich
15:00
30min
Coffee Break
WestIn - Partenkirchen
15:30
15:30
30min
Breaking the Ransomware Tool Set – When a Threat Actor Opsec Failure Became a Threat Intel Goldmine
Nicklas Keijser

During a recent incident response engagement, I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. When analyzing the malware to unpack it, a suspicious string was found in memory - an IP address with a list.txt. The list contained not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part of an intrusion - from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling.

Talks
WestIn - Munich
15:30
30min
DevSecOps culture
Ali Yazdani

  • Let's review the whole DevSecOps concept together.
  • Then see what its benefits are for the development/operation team.
  • How we can establish it at lower cost and in less time.
  • And see how it can help us to have a more secure and reliable development environment and process.

Talks
WestIn - Partenkirchen
16:00
16:00
30min
Honeypot Boo Boo: Better Breach Detection with Deception Inception
Justin Varner

Breaches continue happening at unprecedented levels with huge financial impact to the global economy year after year.

Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.

The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.

We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent.

This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry.

We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, and many practical examples of how to deploy effective breach detection technology.

Talks
WestIn - Munich
16:00
30min
My CI/CD pipeline contains all security tools available! Now what...?
Jasmin Mair

Tools are helpful to enable DevSecOps, but many challenges and pitfalls highlight the need for a cultural shift. Explore issues such as security resistance, conflicting KPIs and organizational silos. Real-world examples and best practices will provide actionable insights to overcome these obstacles.

Talks
WestIn - Partenkirchen
16:30
16:30
10min
Short Break
WestIn - Munich
16:30
10min
Short Break
WestIn - Partenkirchen
16:40
16:40
30min
Security by design
Ana Oprea

Can a system ever truly be considered reliable if we haven't done the diligence of making it fundamentally secure?
In a world where most products are connected to the internet, especially as cloud technologies and machine learning become more prevalent, the forethought of enabling security by default is increasingly important.
Ana Oprea provides insights, advice, and strategies for mindfully baking security into your systems.

Talks
WestIn - Munich
17:10
17:10
15min
Closing Ceremony
WestIn - Munich