This workshop is intended to build an understanding of the most commonly used DDoS techniques by performing live attacks against test platforms with basic tools found on GNU/Linux systems.
Forensic Fundamentals of Electronic Control Units
An automotive Electronic Control Unit (ECU) becomes, once installed in a vehicle, essentially a black box. Certain aftermarket endeavours, such as retrieving crash data for insurance purposes, providing access for independent repair shops, forensic analysis of mileage correction bugs used by aftermarket tools, or reprogramming the ECU to a blank slate in order to give it a new life on the second-hand market, are impossible without authenticated access to the ECU. In this workshop, we delve into the secret waters of ECU reverse engineering. Firstly, we look into firmware retrieval methodology. To that end we introduce various frequently occurring hardware interfaces and their respective communication protocols with the ECU. Next, we touch upon two easily accessible hardware fault-injection techniques (voltage and electromagnetic fault injection) which can assist in accessing the ECU's internal workings. Secondly, we apply these techniques to real-world targets in order to access their firmware. Analysing existing diagnostic tools and MCU debuggers, we show practical ways to ease the forensic process. We discuss which algorithms to target and how to locate them in what initially seems like a cluttered binary desert.
The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams: they are often too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company's security bar.
In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.
Bluetooth is a ubiquitous protocol nowadays, embedded in almost every modern cell phone and generally used for low-power embedded devices and IoT. In this workshop we will learn the basics of the protocol and how to automate reconnaissance of devices, services and characteristics. The workshop is based on an open source CTF.
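The first step in automating device reconnaissance is decoding what a device broadcasts before any connection is made. The following is an added example, not code from the workshop or its CTF: a parser for the AD structures carried in a BLE advertising payload (length, type, data), which extracts the flags, the advertised service UUIDs and the device name that a scanner would use to fingerprint a target. The sample payload is constructed for the example and does not come from a real device.

```python
import struct

# AD type numbers from the Bluetooth Assigned Numbers document.
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x02, 0x03
AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE = 0x06, 0x07
AD_SHORT_NAME, AD_COMPLETE_NAME = 0x08, 0x09
AD_TX_POWER = 0x0A

FLAG_BITS = {0x01: "LE Limited Discoverable",
             0x02: "LE General Discoverable",
             0x04: "BR/EDR Not Supported"}


def parse_ad_structures(payload: bytes):
    """Split advertising data into (ad_type, data) pairs.

    Each structure is [length][type][data...]; length counts the type byte
    but not itself.  A zero length byte ends the payload early (padding)."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        structures.append((payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return structures


def decode_advertisement(payload: bytes) -> dict:
    """Turn one advertising payload into the fields a recon script wants."""
    info = {"flags": [], "name": None, "services": [], "tx_power": None}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            info["flags"] = [name for bit, name in FLAG_BITS.items() if data[0] & bit]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            # 16-bit UUIDs are little-endian on air; print them the way the
            # assigned-numbers tables list them (e.g. 180f = Battery Service).
            for off in range(0, len(data) - 1, 2):
                info["services"].append("%04x" % struct.unpack_from("<H", data, off)[0])
        elif ad_type in (AD_UUID128_INCOMPLETE, AD_UUID128_COMPLETE):
            # 128-bit UUIDs are also little-endian on air; reverse to canonical order.
            for off in range(0, len(data) - 15, 16):
                info["services"].append(data[off:off + 16][::-1].hex())
        elif ad_type == AD_TX_POWER and data:
            info["tx_power"] = struct.unpack("<b", data[:1])[0]
    return info


# Constructed sample advertisement (not captured from a real device):
# flags 0x06, Battery (0x180F) and Device Information (0x180A) services,
# one 128-bit vendor service UUID, the name "CTF-Lock" and a TX power of -4 dBm.
SAMPLE_ADV = bytes.fromhex(
    "020106"
    "05030f180a18"
    "11079ecadc240ee5a9e093f3a3b50100406e"
    "09094354462d4c6f636b"
    "020afc"
)

if __name__ == "__main__":
    print(decode_advertisement(SAMPLE_ADV))
```

Feed the raw advertising bytes from your scanner (e.g. the `adv_data` of an `LE Advertising Report` event) into `decode_advertisement`; a truncated structure raises rather than silently returning partial results, which is what you want when fuzzing-style garbage shows up on air.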
The mobile galaxy is dominated by two solar systems: Android and iOS. Grab your towel and embark on a journey through the intricacies of mobile operating systems. Uncover the secrets and vulnerabilities of mobile app planets through static analysis. Ignite the infinite improbability drive and delve deeper with dynamic analysis to gain the skills and knowledge to outwit the Vogons. Establish a Man-in-the-Middle to glide through the network traffic of mobile applications and see them phone home.
In this workshop, not only the Ultimate Question of Life, the Universe, and Everything will be answered but also most of your questions regarding mobile security. Join us on this galactic adventure of becoming a mobile security expert!
This workshop addresses the (critical) challenge of discerning accurate information from misinformation and fake news in the vast digital landscape.
It will provide an overview and hands-on experience of modern OSINT tools and demonstrate their practical application in real-life scenarios. To achieve this, a real-life case will be worked through in which the dissemination of misinformation had significant implications for both journalism and IT security.
It can take months after a malicious attacker gains access to your system before you even know they were there. Next come months of painful work: analyzing logs, changing credentials, notifying customers, reviewing source code, and we haven't even talked about the cost of the breach itself. So how can you know when an attacker has infiltrated your systems and bypassed your security? Honeytokens are a great way to know when an attacker has breached your systems. Honeytokens are credentials that don't actually grant any access but instead trigger alerts that report the intruder's activity.
When attackers gain access to a system, they immediately look for ways to gain more control. One of the easiest ways to expand their presence is to find plaintext credentials lying around in code, config files, or logs, which makes honeytokens the perfect trap. In this workshop, we will walk through exactly how to create real honeytokens you can put in your own infrastructure to trip attackers in their stride, using open-source tools and your own cloud infrastructure.
If you are working to detect and stop intruders in their tracks, then this session is for you.
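As an added example (not the workshop's own material), the detection side of a honeytoken deployment: a registry that records where each planted key was left, and a scanner that raises an alert whenever that key identifier shows up in CloudTrail-style log records. It assumes the planted key is a real IAM access key with no permissions attached (so its use is logged), and that the key ID, hostname, path and log records below are constructed placeholders. The point the code makes is that detection keys on the identifier, not on the outcome: because the credential grants nothing, every hit is expected to be a failed call.

```python
import json


class HoneyTokenRegistry:
    """Maps each planted token to where it was planted, so an alert also tells
    you which host or file the attacker has already reached."""

    def __init__(self):
        self._placements = {}

    def plant(self, key_id: str, placement: str) -> str:
        self._placements[key_id] = placement
        return key_id

    def placement(self, key_id):
        return self._placements.get(key_id)


def detect_honey_use(events, registry: HoneyTokenRegistry):
    """Scan CloudTrail-style JSON records (one per line) and return one alert
    per use of a planted key.  Match on accessKeyId only: the key authorises
    nothing, so AccessDenied is the normal result and must still alert."""
    alerts = []
    for raw in events:
        event = json.loads(raw)
        key_id = event.get("userIdentity", {}).get("accessKeyId")
        placement = registry.placement(key_id)
        if placement is None:
            continue  # a real key, not one of ours
        alerts.append({
            "time": event.get("eventTime"),
            "key_id": key_id,
            "placement": placement,
            "source_ip": event.get("sourceIPAddress"),
            "action": event.get("eventName"),
            "error": event.get("errorCode"),
        })
    return alerts


# Constructed placeholder token and log records; not from a real account.
HONEY_KEY_ID = "AKIAHONEYTOKEN000001"
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2023-11-02T08:14:05Z", "eventName": "GetObject",
                "sourceIPAddress": "10.0.4.12",
                "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}),
    json.dumps({"eventTime": "2023-11-02T21:40:17Z", "eventName": "ListBuckets",
                "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"accessKeyId": HONEY_KEY_ID}}),
    json.dumps({"eventTime": "2023-11-02T21:40:31Z", "eventName": "DescribeInstances",
                "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"accessKeyId": HONEY_KEY_ID}}),
]


def demo():
    registry = HoneyTokenRegistry()
    registry.plant(HONEY_KEY_ID, "web-01:/srv/app/.env")  # hypothetical placement
    return detect_honey_use(SAMPLE_EVENTS, registry)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Because the placement is recorded at planting time, a single alert already answers the first incident response question (which machine or repository was read), before anyone has opened a log.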
In order to ensure efficient and timely responses to cyber security incidents, it is of utmost importance to consistently practice their management. This typically entails substantial effort in terms of organizing and conducting exercises. In this workshop, I will present an innovative and engaging gamified approach to address this challenge, employing the "Backdoors and Breaches" framework.
In this early morning sermon, our dear Reverend will shed light on
ancient truths about sin and virtue, and take those present on a
refreshingly content-free journey from the ancient and glorious past to
the present, the age of glitz and glitter, cloud and no more Twitter,
drawing lines between dots that might better have been left undrawn.
Over the last 2-3 years, detection of in-memory malware by EDRs has improved. Depending on the EDR, they use different defenses such as user-mode hooks, kernel callbacks, or Event Tracing for Windows (ETW) to detect in-memory threats. Therefore, from an attacker's (red team's) perspective and depending on the EDR, we must use techniques such as direct syscalls, indirect syscalls, or call stack spoofing to avoid being detected.
The goal of this talk is to give a brief, logical overview of syscalls in general on Windows, direct syscalls, indirect syscalls, etc. We will take a step-by-step look at how to develop a Win32 API shellcode loader into an indirect syscall shellcode loader. We will go through Win32 APIs, Native APIs, direct syscalls, and indirect syscalls. We will look at when direct syscalls fail to bypass EDRs and why indirect syscalls are an evolution of direct syscalls and can be used to bypass them, depending on the EDR. We will also do some call stack analysis and look at the limitations of indirect syscalls in the context of EDR evasion, when they fail, and why it may be necessary to spoof the entire call stack of your shellcode loader to evade an EDR in 2023.
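The step that turns a Win32 API loader into a syscall loader is resolving, for each Nt* function, the system service number (SSN) and an address of a `syscall` instruction inside ntdll; an indirect syscall jumps to that address instead of executing `syscall` in the loader's own module, so the return address on the stack stays inside ntdll. The following is an added example, not the speaker's loader: it parses constructed x64 ntdll stub bytes, detects an inline hook (the `jmp rel32` an EDR writes over the stub entry, which also destroys the `mov eax, SSN`), and goes one step beyond the abstract by recovering the SSN of a hooked stub from a clean neighbour, relying on the assumption that x64 ntdll lays out Nt* stubs in SSN order at a fixed 32-byte stride. The stub layout, the module base and the SSN values are constructed for the example; check them against the ntdll build on your target.

```python
# Opcode patterns of an x64 ntdll Nt*/Zw* stub (constructed model; verify
# against your ntdll, stub layout and stride differ between builds).
MOV_R10_RCX = b"\x4c\x8b\xd1"   # mov r10, rcx
MOV_EAX = 0xB8                   # mov eax, imm32   (imm32 = SSN)
SYSCALL = b"\x0f\x05"            # syscall
JMP_REL32 = 0xE9                 # jmp rel32, the usual inline-hook trampoline
STUB_SIZE = 32                   # stride between neighbouring Nt* stubs (assumed)


def build_stub(ssn: int) -> bytes:
    """A clean Nt* stub as seen in recent x64 ntdll builds (constructed)."""
    body = (MOV_R10_RCX
            + bytes([MOV_EAX]) + ssn.to_bytes(4, "little")
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"   # test byte ptr [7FFE0308h], 1
            + b"\x75\x03"                           # jne +3
            + SYSCALL + b"\xc3"                     # syscall ; ret
            + b"\xcd\x2e\xc3")                      # int 2Eh ; ret
    return body.ljust(STUB_SIZE, b"\xcc")


def hook_stub(stub: bytes) -> bytes:
    """What an EDR inline hook leaves behind: the first five bytes replaced by a
    jmp into the EDR DLL, which overwrites mov r10,rcx and the start of mov eax."""
    return bytes([JMP_REL32]) + b"\x00\x10\x00\x00" + stub[5:]


def parse_stub(stub: bytes):
    """Return (ssn, syscall_offset, hooked); ssn is None when the hook clobbered it."""
    hooked = not stub.startswith(MOV_R10_RCX) or stub[3] != MOV_EAX
    ssn = None if hooked else int.from_bytes(stub[4:8], "little")
    off = stub.find(SYSCALL)
    return ssn, (off if off != -1 else None), hooked


def resolve(text: bytes, stub_off: int, base: int = 0x7FF8_0000_0000) -> dict:
    """Resolve the SSN of the stub at stub_off and an in-ntdll syscall address.

    A hooked stub has lost its SSN, so walk outwards to the nearest clean
    neighbour: with stubs in SSN order at a fixed stride, the stub k places
    away has SSN +/- k.  The returned syscall_addr is what an indirect syscall
    jumps to; the 'syscall; ret' bytes of a hooked stub are normally intact."""
    ssn, sc_off, hooked = parse_stub(text[stub_off:stub_off + STUB_SIZE])
    k = 1
    while ssn is None and k * STUB_SIZE < len(text):
        for sign in (+1, -1):
            n_off = stub_off + sign * k * STUB_SIZE
            if 0 <= n_off <= len(text) - STUB_SIZE:
                n_ssn, n_sc_off, n_hooked = parse_stub(text[n_off:n_off + STUB_SIZE])
                if not n_hooked and n_ssn is not None:
                    ssn = n_ssn - sign * k
                    sc_off = sc_off if sc_off is not None else n_sc_off
                    break
        k += 1
    if ssn is None or sc_off is None:
        raise RuntimeError("no clean neighbour found; use another resolution method")
    return {"ssn": ssn, "hooked": hooked, "syscall_addr": base + stub_off + sc_off}


def build_text() -> bytes:
    """Three adjacent stubs (constructed): the middle one is hooked."""
    return build_stub(0x17) + hook_stub(build_stub(0x18)) + build_stub(0x19)


if __name__ == "__main__":
    text = build_text()
    for off in (0, STUB_SIZE, 2 * STUB_SIZE):
        print(hex(off), resolve(text, off))
```

A direct syscall would load `eax` with the resolved SSN and execute `syscall` in the loader's own memory; an indirect syscall instead jumps to `syscall_addr`, so the frame above the kernel transition belongs to ntdll. The neighbour walk is exactly what an EDR that hooks every Nt* stub, or that inspects the full call stack rather than the immediate return address, is designed to make insufficient, which is the point the talk builds towards.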
DNS4EU is a European DNS resolver project designed to enhance online privacy and security for EU internet users. Led by Whalebone and consortium members consisting of cybersecurity experts, it aims to protect 100 million users from global and local cyber threats while complying with EU data protection laws. This presentation explores DNS4EU's architecture, deployment, threat intelligence sharing, and community involvement.
In the last few years, many organizations have suffered from ransomware attacks. Recovering from a ransomware attack usually requires backups, but in some cases there are other ways. In this session, Alexander will showcase his team's latest research in ransomware decryption capabilities. The research breaks an entire family of ransomware variants and allows victims to restore encrypted data without obtaining the private keys.
In the ever-evolving landscape of cybersecurity threats, SOC analysts play a vital role in detecting, investigating, and responding to incidents. To excel in their mission, SOC analysts need to leverage a comprehensive arsenal of tools, along with proven tips and tricks, to conduct efficient and effective investigations.
In this talk, we will dive deep into the SOC analyst's world, exploring the essential tools, invaluable tips, and time-saving tricks that can supercharge investigations. Join us for an engaging session that will empower SOC analysts of all skill levels with the tools, tips, and tricks necessary for effective investigations.
Even if Web3 usage is still tiny compared with Web 2.0, that has not stopped bad actors from misusing parts of its technology stack. Without the clear client-server architecture we are used to, the peer-to-peer storage layer of Web3 flies under the radar and defeats the usual methods of content filtering. We will dive into IPFS as a technology to understand its idiosyncrasies and the ways in which it can be abused. Along the way, we present statistics that document the mounting dangers we have identified, and finally discuss how we can mitigate them.
In the areas of offensive and defensive security, valuable information and insights derived from OSINT and reconnaissance are the backbone of success. But gathering the needed data is not easy, it demands immense effort. In this talk I want to share some insights on how you can develop capabilities to automate a lot of the work involved in data collection. With the power of automation, you'll free up valuable time for in-depth intelligence analysis.
DNA cryptography is one of the few solutions to encryption as quantum cryptography comes into the fold. What are the pros in terms of its use as storage, and what are the concerns as we ultimately begin using it personally?
This study presents a qualitative content analysis of public job advertisements for the position of Chief Information Security Officer (CISO) in both the DACH area (Germany, Austria, and Switzerland) and the United States of America. The analysis comprises a representative sample of recent public job advertisements collected over a period of three months. The primary objectives of the research are twofold.
Firstly, the study compares the roles, responsibilities, resources, and duties outlined in the job advertisements with the actual requirements derived from contemporary security best practices, such as ISO/IEC 27001. By evaluating this alignment, we aim to ascertain any potential discrepancies between the advertised expectations and the industry's current security standards.
Secondly, we investigate potential regional variations in CISO job descriptions, taking into account cultural, legal, and organizational differences between the DACH region and the United States. Understanding these distinctions could provide insights into the specific demands and preferences of each region concerning information security management.
The ultimate goal of this research is to identify any adverse impact that might arise from discrepancies between the requirements set forth by organizations in job advertisements and the actual best practices. By shedding light on these potential mismatches, we hope to contribute to the enhancement of information security recruitment and practices, thereby fortifying companies' security management efforts.
The Cradlepoint IBR600C is a semi-ruggedized router with LTE connectivity as well as Ethernet and Wi-Fi for mission-critical IoT, and is mainly used in the US. In this talk we take a deeper look at some security issues we found in the device and its cloud connectivity.
Container security issues are an ongoing topic in organizations. Containers often remain a "black box", and vulnerabilities frequently cannot be resolved by simply updating base images. Security scanners typically report many findings in a container, and even for critical issues updates are not always readily available, which creates a lot of effort for security and development teams. We explore different options and best practices to reduce the attack surface in your containers and will take you down the full path of removing all unnecessary components to go fully distroless. We explore whether the concept of "distroless" is the solution to your security nightmares, what the expectations are, and what the challenges and potential disappointments look like.
Security teams are tasked with defending their organization from incoming attacks, but in the rapidly changing environments how can they stay ahead of threat actors?
During the height of the pandemic, almost all countries introduced restrictions, limiting many day-to-day activities. Many aspects of public life and work were put on hold. But that didn't apply to hackers. As businesses moved to remote working there was a surge in hacker activity targeting vulnerable VPN servers and publicly available RDP services.
We uncover the attacks carried out by Hancitor operators on a European company, revealing how we identified the attack, discovered the threat actor's infrastructure and finally prevented an incident by interrupting the encryption of the organization's systems and network. We share how Group-IB's Threat Intel & Attribution team detected the attack as it took place and kicked out the threat actors before damage was done.
We reveal all the stages of hacker activity - from gaining initial access to lateral movement, methods of investigating these stages, and the hacker’s tools. We also share our top recommendations that teams can immediately action to help prevent cyber threats.
Finally, and most importantly, we will share how security teams can utilize timely and accurate threat intelligence to stay ahead of threat actors to identify attacks and prevent incidents from happening.
Ransomware is the most prevalent threat in cyber security today, making the headlines almost every week. This talk will give an overview of the current ransomware landscape. We will look at the history and recent developments and give a preview of what might come. To round off the talk, I will share some (sad and funny) stories from incident response in over 80 ransomware cases handled by Corporate Trust over nearly 10 years, as well as practical measures for everyone to take home and apply to their own infrastructure(s).
Usually, a forensic investigation of a breach involves a lot of data conversions, loose files and the investigator's personal collection of favorite tools. This leads to issues when it comes to scaling the investigation to many hosts and also lacks consistency of results when sharing the analysis work in a team.
Over the last years, we have wrapped all our tools into a common interface, defined the data flow between them and built comprehensive workflows out of these building blocks. We can now automatically process collected forensics data from the raw image into a plethora of useful reports, all in a single click.
Additionally, our platform offers a sleek interface to view the reports and the raw data, search the timeline and document our findings.
Using this approach, we have improved our ability to quickly adapt to big investigations and to keep track of progress throughout the collection, processing and documentation phases, while also making forensics more accessible to colleagues from IR.
During a recent security assessment of Storebrand's modern environment hosted on Azure, the offensive team identified several attack vectors from the Internet that could compromise the organization's assets. Specifically, vulnerabilities were discovered in Atlassian products exposed on the Internet, which could allow attackers to gain unauthorized access to sensitive data. To mitigate these vulnerabilities, the Web Application Firewall (WAF) was re-evaluated and reconfigured to protect Atlassian products. Overall, the offensive team's identification of these attack vectors and recommendation to implement a WAF helped Storebrand's security team improve their security posture and better protect their modern environment.
During a recent incident response engagement, I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. While analyzing the malware to unpack it, a suspicious string was found in memory: an IP address followed by a list.txt. The list contained not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools: almost 5 GB, over 100 files and scripts covering every part of an intrusion, from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research into all aspects of this tooling.
- Let's review the whole DevSecOps concept together.
- Then see what its benefits are for the development/operations team.
- How we can establish it while spending less cost and time.
- And see how it can help us have a more secure and reliable development environment and process.
Breaches continue happening at unprecedented levels with huge financial impact to the global economy year after year.
Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.
The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.
We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent.
This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry.
We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, and many practical examples of how to deploy effective breach detection technology.
While tools help enable DevSecOps, many challenges and pitfalls highlight the need for a cultural shift. We explore issues such as resistance to security, conflicting KPIs and organizational silos. Real-world examples and best practices will provide actionable insights to overcome these obstacles.
Can a system ever truly be considered reliable if we didn't do the diligence of making it fundamentally secure?
In a world where most products are connected to the internet, especially as cloud technologies and machine learning become more prevalent, the forethought of enabling security by default is increasingly important.
Ana Oprea provides insights, advice, and strategies for mindfully baking security into your systems.