This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Anirudh Anand, Security Trainer at 7ASecurity, Security Engineer at CRED, 7asecurity
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.
Abraham Aranguren, CEO, Security Trainer, Director of Penetration Testing, 7asecurity
After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications
Students will be immersed in the mysteries of PACS tokens, RFID credentials, readers, alarm contacts, tamper switches, door controllers, and backhaul protocols that underpin Physical Access Control Systems (PACS) across the globe.
Babak Javadi, Senior Instructor, Red Team Alliance
Babak is a noted member of the physical security community, well-recognized both in professional circles (due to his work with The CORE Group) and in the hacker world (as the President of TOOOL, The Open Organisation Of Lockpickers). His first foray into the world of physical security was in the third grade, where he was sent to detention for showing another student how to disassemble the doorknob on the classroom supply closet. Babak is an integral part of the numerous lockpicking workshops, training sessions, and games that are seen at annual events like DEFCON, ShmooCon, DeepSec, NotACon, QuahogCon, HOPE, and Maker Faires across the country. He likes spicy food and lead-free small arms ammunition.
This 4-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure.
Anthony Webb, Associate Director and Trainer, NotSoSecure
Ant is one of NotSoSecure’s Infrastructure Security Experts, working from the UK. He manages a small team performing Penetration Testing for internal, external and cloud network infrastructure and web applications, as well as delivering Cyber Security Training from entry level through to Advanced Hacking courses, for audiences from small classroom groups up to large global conferences such as Black Hat. Research projects include areas such as Cloud Infrastructure Security, Windows Domains and Unix networking security, and he is looking forward to beginning work on a new open-source pen testing toolkit in the near future – watch this space!
The Intrusion Operations class provides students a unique opportunity to learn and implement real-world techniques used by advanced adversaries. An attacker can easily break into an organization by abusing misconfigurations, but the inverse also applies - defenders can easily detect red teams and malicious actors using commodity malware, default indicators, and more. You will learn how to overcome enterprise defenses and hardened infrastructure. You will leverage custom tooling and advanced configurations to break into a simulated corporate network and develop targeted malware profiles to remain undetected. You will leave this class with the skills and tools to develop custom tradecraft for long term persistence.
Joseph Leon, Offensive Security Engineer, FortyNorth
Joseph Leon is an Offensive Security Engineer on FortyNorth Security’s offensive security team. Joseph leads web application and penetration testing assessments for a multitude of clients and works internally to build open-source and private tools, as well as to develop curricula for FortyNorth Security’s training programs. Prior to joining FortyNorth Security, Joseph founded and sold two companies: a data cleansing SaaS application for which he led full stack development as CTO, and a sales consulting and lead generation firm that he led as CEO. Joseph holds a Masters in Cybersecurity Risk and Strategy from the New York University Law and Engineering schools.
Xavier is a managing security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer, security researcher and consultant. Xavier currently spends most of his time focusing on application and cloud security, as well as driving the development of Scout Suite (https://github.com/nccgroup/ScoutSuite/), an open source multi-cloud security-auditing tool.
Xavier holds the AWS Certified Security – Specialty, Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE) and Offensive Security Wireless Professional (OSWP) certifications.
Veronica Valeros, Czech Technical University
Veronica is a researcher and intelligence analyst from Argentina. Her research strongly focuses on helping people. A jack of all trades, she currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. She is currently the director of the Civilsphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks. She's also the project leader at the Stratosphere Laboratory, a research group in the Czech Technical University dedicated to study and research in cybersecurity and machine learning.
Sebastian Garcia, Czech Technical University
Sebastian is a malware researcher and security teacher with extensive machine learning experience applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace, he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra), and biohacking.
The purpose of the Red Team Training is to understand the underlying concepts of red teaming. The training will cover payload generation, lateral movement techniques, initial foothold and internal reconnaissance. The training aims to provide a deep understanding of all the previously described aspects of a red team.
Charles Hamilton, Director, Egyde-KPMG
Charles Hamilton is a Red Teamer who holds the OSCE, OSCP, and SLAE64 certifications. He has more than ten years of experience delivering offensive testing services for various government clients and commercial verticals. In recent years, Charles has focused on covert Red Team operations against complex and secured environments. These operations have allowed him to hone his craft at quietly navigating a client's network without detection. Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform focused on teaching hacking fundamentals. The RingZer0 community currently has more than 36,000 members worldwide. Charles is also a prolific toolsmith and speaker in the InfoSec industry under the handle Mr.Un1k0d3r. Some of Charles Hamilton's tradecraft can be found in his GitHub repository.
Olaf Hartong, Co-Founder & Defensive Specialist, FalconForce
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.
Olaf has presented at many industry conferences including Black Hat, DEF CON, DerbyCon, Splunk .conf, FIRST, MITRE ATT&CKcon, and various other conferences. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.
Gijs Hollestelle, Co-Founder & Security Specialist, FalconForce
Gijs Hollestelle specializes in advanced offensive and defensive capabilities. Gijs has spent the last 15 years working in various technical security roles related to ethical hacking, red teaming, cryptography, blue teaming and secure coding. Apart from solving technical challenges in the cyber security area, he also enjoys teaching others to do the same. He is also an avid CTF player, competing at the highest level with multiple CTF teams including Eindbazen and Hack.ERS.
Henri Hambartsumyan, Co-Founder & Red Teamer, FalconForce
Henri Hambartsumyan is an experienced technical security professional, with 10 years of technical security experience. Henri started his career as a pentester and moved on to more advanced pentesting projects. Later he started executing "covert operations", which the industry later dubbed "red teaming". In recent years, Henri has performed countless red team operations, amongst which 4 TIBER exercises. Next to projects, Henri has spent most of his off-time developing AV bypasses for future ops. In the last year, Henri has taken an interest in blue teaming, especially in detecting more advanced tradecraft in a realistic way. Due to his in-depth understanding of the tradecraft, he currently develops detection rules for advanced attacks as part of the FalconFriday blog series and for clients. Next to this, he is still active in performing red team operations.
Chris Truncer, Red Team Lead, FortyNorth
Christopher has extensive experience performing red team assessments, but also regularly performs external and internal penetration tests, web application assessments, and social engineering tests. He has led red team assessments in a wide range of industries: from public to private, banking, health care, insurance, retail, and more. Chris has spoken at a variety of conferences around the world and has taught courses on penetration testing and red teaming at conferences such as Black Hat and SteelCon. He is also an active open source developer, contributing to a large number of security tools such as the Veil-Framework, EyeWitness, WMImplant and more.
Matt Grandy, Sr. Offensive Security Engineer, FortyNorth
Matthew Grandy is a senior offensive security engineer with extensive experience leading penetration testing and red team engagements across various industries. He is an Offensive Security Certified Expert (OSCE) as well as an Offensive Security Certified Professional (OSCP) and contributes regularly to the open source community, as he believes very strongly in elevating the security industry as a whole. Most notably, Matthew has contributed to the C# EyeWitness project and created MiddleOut, a C# compression utility. Matthew is also a previous Black Hat and Wild West Hackin' Fest instructor.
Brian King, Penetration Tester, Black Hills Information Security
Brian King has been pentesting webapps since 2008. He was the second hire into his employer's application security team at a time when "PCI" was brand new and long before bug bounty programs - when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant security experience before joining the team. Brian believes that webapps are the best targets for pentesting because although they all look familiar on the surface, they're all different and often in surprising ways. Each webapp is a collection of puzzles for a pentester and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.
Red team operators have enjoyed robust community and commercial tooling to simulate advanced adversary tradecraft in traditional enterprise environments. As organizations have increasingly moved to hybrid or non-Windows environments, our red team community knowledge has not kept pace. This course focuses on bridging that gap, highlighting the latest macOS security enhancements, and arming red teamers with the foundational knowledge to operate against macOS endpoints.
Your organization has just implemented the leading detection and response products. Are they running with their default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? This course will teach the importance of understanding the inner workings of attack techniques and telemetry availability, and provide a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker TTPs, you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
The use of Web Application Firewalls is controversial in the field of application security. Some consider them useless since they are imperfect. Others consider them an interesting ally for virtual patching and for defense in depth. Beyond this debate, firewalls are a reality in several organizations to defend edge services.
Testers may find the presence of such protection to be a drag on their security assessment. As these firewalls cannot always be disabled for testing, it is important to be able to quickly assess whether a circumvention method is possible. We have designed a workshop featuring different scenarios where a firewall is used to block certain attacks or features.
The workshop will consist of 4 main bypass categories:
- Encoding (URL, Unicode, case mapping)
- SQLi bypass (for mod_security and libinjection)
- Switching protocol (WebSocket, H2C)
- Syntax alternatives for table names, keywords and URLs
For each of the exercises, an in-depth explanation of the technique will be given. Then a demonstration application will be made available to participants to apply their new knowledge.
The participants should have the following software installed to save some time:
- Docker
- Burp Suite Pro / OWASP ZAP
- Python
Philippe Arteau, Security Researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.
This is a remote workshop. Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
"Advanced Process Injection Techniques" is a hands-on workshop focused on giving participants insight into APT tactics and techniques in the privilege escalation and persistence phases. This workshop is a quick deep-dive into the Microsoft Windows world of processes, memory and internals. There are 7 hands-on labs focused on host-level injection techniques; participants will learn how to develop custom tradecraft that stealthily deploys implants and escalates privileges.
The workshop outline is as follows:
1) PE Basics (10 minutes)
2) 7 Process Injection Labs (2 hr 50 minutes)
- APC Code Injection (25 min)
- Module Stomping (25 min)
- Process Hollowing (15 min)
- Process Doppelganging (30 min)
- Transacted Hollowing (20 min)
- Process Herpaderping (20 min)
- Process Ghosting (10 min)
The lab content and lab material are listed here: https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop
For any feedback or clarifications, please contact yashb@cyberwarfare.live
Intermediate to Advanced level knowledge is required.
1) Familiarity with Windows internals (not mandatory)
2) PE basics (not mandatory)
The details are available here: https://docs.google.com/document/d/1bNrSDWy-Yc3as2ZlvB_X3XOICUjbGUaKkw9PHDvxNAo/edit
Yash Bharadwaj, Chief Technical Architect, CyberWarFare R&D Pvt. Ltd
Yash Bharadwaj is CTO and Senior Security Researcher at CyberWarFare Labs (incubated by IIT Kanpur). With 4+ years of expertise in Red Teaming, he is highly attentive to finding, learning and discovering new TTPs used during offensive engagements, and he is a Subject Matter Expert on Active Directory attacks. His areas of interest include (but are not limited to) evading AVs and EDRs, Active Directory infrastructure, and advanced Windows and cloud-based attacks. He has performed various on-site and remote Red Team engagements for MNCs, government agencies, etc. Previously he has delivered hands-on red team trainings at BSides Ahmedabad, OWASP Seasides 19, Red & Blue Team Training at BSides Delhi and BSides Connecticut (USA), OWASP AppSec Indonesia 20, and CISO Platform 21. He has delivered Cyber Security Training at Asia’s largest information security conference, Nullcon 21. You can reach out to him on Twitter @flopyash
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions: first by introducing participants to the basic concepts, then by helping them prepare for the upcoming NorthSec CTF, and finally by helping them evolve in their practice of applied cybersecurity.
We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first timers. Seasoned players should play NorthSec's official CTF.
Requirements
None
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Hosted panel discussion and Q&A.
Talks will be streamed on YouTube and Twitch for free.
Remote Desktop Protocol (RDP) is the de facto standard for remoting in Windows environments. It grew in popularity over the last couple of years due to the pandemic. Many remote workers now rely on it to perform duties on remote systems. RDP is secure when well deployed but, unfortunately, that’s rarely the case, and thus clicking through warnings is common. We have spent the last 3 years working on and reimplementing parts of RDP in PyRDP, our open-source RDP library. This presentation is about what we have learned and how it can be applied both to attack RDP and to defend against RDP attacks.
From an attacker’s perspective, we will cover conventional RDP attacks such as Monster-in-the-Middle (MITM) of RDP connections, capture of NetNTLMv2 hashes and techniques to bypass conventional defense mechanisms such as Network Level Authentication (NLA). Case in point: Did you know that by default all clients allow server-side NLA downgrades right now? This will enable us to understand and identify the risks with RDP.
From the Blue Team’s perspective, we will provide techniques and tools to detect attacks showcased previously. Finally, we will provide step-by-step instructions to deploy an accessible RDP server that is both secure and functional.
Olivier Bilodeau, Cybersecurity Research Lead, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys luring malware operators into his traps, writing tools for malware research and vulnerability research. Olivier is a passionate communicator having spoken at several conferences including BlackHat, Defcon, Botconf, NorthSec, Derbycon, and HackFest. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on hands-on CTF problem solving, and NorthSec, a large non-profit conference and CTF based in Montreal.
Important: This workshop is held in French.
Today, auditing Android applications protected against reverse engineering by modern commercial tools (essentially RASPs) can prove tedious. Even if some tricks still work, there are many ways to slow down discovery of the application and its instrumentation. During this workshop, we will reverse with Ghidra, and dynamically bypass with Frida, some modern implementations of mechanisms such as: packer, anti-Frida, anti-debugger, Magisk detection, ...
The workshop will follow this outline:
Prerequisites:
Today, reverse engineering of Android applications protected by modern, industrial-grade Runtime Application Security Protection (RASP) is challenging and time consuming. Even if some old tricks still work, there are numerous ways to slow down the RE and to detect hooking. In this workshop, a hands-on case will introduce static deobfuscation thanks to Ghidra p-code emulation, and continue by writing universal bypasses using advanced hooking with Frida and Interruptor. You will deobfuscate strings and hook instructions with Frida in several contexts, such as multi-thread, multi-process, isolated process, or at different early stages.
The workshop will proceed as follows:
Requirements:
This workshop is best suited for intermediate to advanced reverse engineers/researchers on Android/arm64. Basically, you need to be at ease in a Unix environment, able to write JavaScript code, to read/write Frida hooks and to understand basic arm64 assembly.
A laptop with Android Studio and a working Android emulator able to emulate an arm64 device (or a rooted physical device). Linux or macOS are preferred; no support will be provided for Windows (if the issue is specific to this OS).
Georges-Bastien Michel, Reverse Engineer / Security Researcher, Reversense
Georges-B Michel is the founder and principal security researcher at Reversense. He has worked on many security topics including deobfuscation, DBI, Android RASP bypass, TEE/TA reversing, web application security, and secure coding. Since 2018, he has developed several public OSS and private projects such as Interruptor (a Frida library to improve syscall hooking) and Dexcalibur (a mobile reverse engineering and instrumentation automation software). He has spoken at several security conferences including Insomni'hack, SSTIC, THC, and PassTheSalt.
Fleet is an open source management system for osquery, the cross-platform agent that allows you to ask anything of your endpoints, from laptops to servers and containers.
In this workshop we will:
Familiarity with virtualization tools and Linux or macOS
A laptop with a Linux VM with Docker to run Fleet, and enough capacity to run a few other VMs as clients. We recommend that participants bring at least 4 VMs in total:
- 1 Linux VM to use as the server
- 1 Linux VM to use as a client
- 2 other VMs of your choice (macOS, Windows, Linux)
Guillaume Ross, Head of Security, Fleet Device Management
Guillaume is Head of Security at Fleet Device Management, the company behind the open source Fleet management platform for managing and using osquery. While he prefers working in startups, he’s been working in security forever in organizations of all types, and prefers looking at the bright side of things and things that WORK instead of repeating 30 year old « best practices » that never have!
This workshop is in partnership with the BlackHoodie organization and is intended to be presented by and for women. We hope that all attendees respect this requirement. For further information, the organization's mission is available here.
See day 1 description.
This training is free and for women only, as per Blackhoodie standards. It will be held in two 2-hour sessions on consecutive days and has a cap of 10 participants. Registration: reach out to outreach@nsec.io.
Following Blackhoodie's guidelines regarding COVID, we require proof of vaccination and that attendees wear masks during the workshop.
Topics that will be covered:
- Understanding the PE file format
- Using disassemblers like Ghidra or IDA
- Recognizing some common malware routines (tricks used to stay persistent, obfuscation, etc.)
If time permits, there will be a chance to learn how to use scripts to augment and make the experience of static analysis easier.
The Canadian government has recently reversed years of Internet regulation policy, shifting from a pro-innovation approach to one that emphasizes regulation, taxation, and government engagement in Internet streaming, speech, and the availability of news. Professor Michael Geist will unpack the latest developments and discuss what lies behind the government plans.
Michael Geist, Canada Research Chair in Internet and E-commerce Law, University of Ottawa, Faculty of Law
Dr. Michael Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law and is a member of the Centre for Law, Technology and Society. He regularly appears in the Globe and Mail, is the editor of several monthly technology law publications, and the author of a popular blog on Internet and intellectual property law issues. Dr. Geist serves on many boards, including Ingenium, Internet Archive Canada, and the EFF Advisory Board. He was appointed to the Order of Ontario in 2018 and has received numerous awards for his work including the Kroeger Award for Policy Leadership and the Public Knowledge IP3 Award in 2010, the Les Fowlie Award for Intellectual Freedom from the Ontario Library Association in 2009, the EFF’s Pioneer Award in 2008, and Canarie’s IWAY Public Leadership Award for his contribution to the development of the Internet in Canada.
Lisandro Ubiedo, Security Researcher, GoSecure
Lisandro Ubiedo is part of the Cybersecurity Research team at GoSecure. He is passionate about all things malware – from reverse-engineering to catching them on-the-go – and about doing DevOps to keep attackers entertained. Lisandro also works on programming tools to aid malware analysis and cybersecurity research. He was part of the Aposemat team at Stratosphere Labs doing IoT malware research and has worked as a DevSecOps engineer in multiple companies, while also enjoying CTF challenge solving.
Domain squatting presents the creative attacker with low cost, and extremely effective ways to passively gather large amounts of useful data & intelligence. These techniques can be highly targeted, or they can be used by cyber criminals to cast a wide net, taking advantage of victims as the opportunities present themselves.
For our research, we are using "catch-all" email inboxes on squatted variants of a very popular public email service. Our intention for this data is to analyse and demonstrate the diversity of information obtainable using this technique. A single typo or bitflip in the domain name of an email address will result in our inboxes receiving email intended for someone else! Using roughly a dozen domain names, we are currently capturing thousands of emails each week. Are you curious to know what we've found, and how you can defend your organisation against this type of attack? See you at the talk!
Rolland Winters Cyber Operator (Canadian Forces) & SOC Analyst (Commissionnaires), Canadian Armed Forces & Commissionnaires du Quebec
Rolland Winters is an army reservist and team lead for the cyber protection team at 34 Signal Regiment in Montreal. He is also a full-time SOC analyst for the Commissionnaires du Québec in their cyber security department (VYGL). He has a diverse background, with professional experience in military radio and satellite systems, IOT, smart home automation, CCT/security systems, web application development, and information security. He is currently working on his OSCP and GCIA certifications.
Passionate about hacking for 15 years, Martin has developed a strong interest in technical challenges: development of malware, evasion of defense controls and process automation. For seven years he was involved as a designer of capture the flag challenges for Hackfest and for one year for NorthSec (remember the Neurosoft Windows track?). During the day, Martin leads a large team of ethical hackers, one meeting at a time. His goal? Follow the innovation path so that offensive security talents are better used in businesses.
We all love technical blogs and books. Many people dream about writing one too.
I had no idea what I was getting myself into with security blogging, and before I wrote my web application hacking book "Bug Bounty Bootcamp". A lot of the work that goes into writing and publishing a technical book goes beyond coming up with technical information and code samples.
In this talk, I am going to dive into my experience writing and publishing a security book and writing technical content. How does one write good technical content like security writeups and blog posts? What goes into writing one of these 400-page technical textbooks? How does one make sure that everything in the book is technically correct? What are the pros and cons of working with a publisher?
In this talk, we dive into the realities from idea to tech blog / book and discuss how you can write one too.
Vickie Li is an experienced web developer with an avid interest in security research. She is also the author of Bug Bounty Bootcamp. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: https://www.youtube.com/channel/UCjQHiY2JeOkBamHSg_6UeFw.
Joëlle-Alexandra Desmarais-Lauzon is a graduate of HEC Montreal in business administration and holds a master's degree in software engineering from the Université de Sherbrooke.
Formerly with Deloitte, she has made her mark by holding numerous positions as an IT security consultant for several large Canadian institutions. She worked for Ubisoft as a security manager and led many topics such as IAM, business continuity, disaster recovery and security awareness. Joëlle now works as a Security Director, implementing security practices from the ground up, for a Montreal-based fin-tech disrupting the mortgage market.
Alongside her professional career, she is involved in various initiatives to promote women's leadership in IT.
She is also the co-founder of a small balcony optimization company, Demain Dimanche, whose products are proudly made in Montreal.
With companies moving and operating extensively on the AWS Cloud, security remains a key challenge for professionals and organizations everywhere. This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges.
Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.
In this talk, I will demonstrate a series of attacks that we dub "Webhook Boomerang flaws". These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we've discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web services.
The talk starts with a detailed look at webhooks and the typical webhook functionality provided by popular CI, CRM, project management, payment gateway and other applications. Subsequently, I'll be showcasing demos of multiple techniques that can be used in this attack approach, with special emphasis on evasive payloads as well.
Next, I will showcase the success of this attack against several popular bug-bounty targets to highlight the impact of these attacks at scale.
Finally, I will present multiple approaches to defending against these vulnerabilities and developer best practices that should be applied when defining webhook functionality.
Abhay Bhargav CEO, AppSecEngineer
Abhay Bhargav is the Founder of we45 and Chief Research Officer at AppSecEngineer, a focused Application Security Company. Abhay is a builder and breaker of applications.
He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework.
He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on.
In this session we will take a deep dive into Kubernetes lateral movements. We will elaborate about the different identity types used by Kubernetes and how attackers use those identities to escalate their privileges in the cluster and move laterally to external cloud resources. We will explain the various cluster-to-cloud authentication methods in the various cloud providers (AKS, EKS and GKE) and the risks that each one poses. We will show real-world examples of misconfigurations that led to cluster takeovers and explain how they could be prevented.
Yossi Weizman Senior Security Researcher, Microsoft
Yossi Weizman is a Senior Security Researcher in the Cloud Security Research team at Microsoft. He has 10 years of experience in the security research field, starting in the Israeli military. In his current role, Yossi’s main focus is container security. Yossi holds a B.Sc. in Computer Science from Bar-Ilan University.
In the last few years, a slew of high-profile, critical remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers. These devices primarily serve to distribute traffic across server farms & offload SSL processing; they cost between $40k-$250k per device and are largely viewed as black box systems due to restrictive licensing, proprietary hardware and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers.
Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current; due to the proprietary nature of their code, one does not simply 'apt get upgrade -y'. Since they all run Linux/BSD as the management OS, once you've breached one with an 'exploit that fits in a tweet', the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.
In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they're deployed, what their management plane looks like and the access it affords you post-breach. You will also learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system. While this talk will focus on a specific architecture, all vendors use essentially the same design concepts so the information is applicable across most platforms. Additionally, armed with an understanding of the designs you'll be able to use freely available vendor documentation to hone & tune your post-exploitation shenanigans across other load balancing products.
While this talk is primarily aimed at offensive operations, the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach.
Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked, and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects - hacking phones and researching network attack surface. After a record-setting 4.5 years shipping Windows patches for the Microsoft Security Response Center and a brief stint in Windows Defender ATP, he is currently the Chief Technology Officer of Prevailion. He was featured in WIRED magazine's "25 people doing good in 2020" for his role in starting CTI League, a volunteer group of InfoSec professionals who provided threat intelligence to hospitals during COVID-19.
Émilio works in a blue team at a large Canadian organization. He loves to participate in CTFs and create challenges to introduce people to some defensive aspects of CyberSecurity. He's a co-organizer for MontréHack, a monthly CTF workshop in Montréal (duh). If you see him in a bar someday, do not approach him or he'll probably start a rant about tabs being the superior indentation character or about how cars ruin cities.
The Zero Trust mandate is nigh and with it, debates of industry readiness, product pitches, and the question as old as time: what is a BeyondCorp? Is it time to re-architect our infrastructure from the ground up or start buying the latest security tools?
BeyondCorp is Google’s initial implementation of a zero trust architecture, and is still the guiding star for many organizations. In a zero trust architecture, every request to access an application is a policy decision, based on the user, device, and application. The BeyondCorp whitepapers explain what Google built, and some of the organizational challenges, but don’t lay out a step by step guide to getting there, or how you know you’re on the right track.
In this talk, Maya and Eric will fill in the gaps. They will provide insight into BeyondCorp fundamentals, including requirements for user identities, controls and measurements for devices across platforms, and how to construct access policies. Then, they’ll get into common misconceptions and what you might need to tackle as you continue your journey. You’ll come away with a roadmap for your organization to get to a mature zero trust architecture, and what the industry can do better to support zero trust principles.
Maya Kaczorowski Product Manager, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was previously at GitHub in software supply chain security, and before that at Google working on container security and encryption key management. Prior to Google, Maya worked at McKinsey, and studied mathematics at McGill University.
Client-side protection is one of the key pillars on Imperva’s quest to protect its customers from attackers. Obfuscation is one of the ubiquitous methods to hide malicious code. Being able to distinguish between cleartext JavaScript documents and obfuscated ones is a first but crucial step in this endeavor.
In this work we first survey the variety of methods and techniques used to obfuscate JavaScript code. We analyze 10+ open-source JavaScript obfuscators and show their similarities and differences. For example, all obfuscators employ variable renaming, but the output distributions differ across obfuscators (e.g., in terms of the lengths of the renamed variables).
This allows us to extract several families of features. Some of them require careful feature engineering, while others are more general and follow well-known NLP techniques. Next, we survey prior art from the literature and discuss several natural approaches to this problem.
Finally, we suggest obfuscator-agnostic methods to build a state-of-the-art machine learning classifier for this problem.
Although we used JavaScript as the starting point of our research, our techniques generalize nicely to additional programming languages. In other languages, as opposed to JavaScript, obfuscation is much stronger evidence of maliciousness, so our techniques are of special interest there.
Yuriy Arbitman Data Scientist, Imperva
As a data scientist at Imperva, I develop machine learning solutions for various cyber security projects. I'm fascinated by the wonders that data science and machine learning bring to the world. The wealth of open-source frameworks enables us to build systems today at a scale and ease unthinkable just several years ago. In the last 20+ years I've been working in the hi-tech industry in Israel. I am lucky to have worked for several great companies in engineering, management and research positions. I hold an M.Sc. in Computer Science from the Weizmann Institute in Israel.
The first major incident response I was involved in was a nightmare. Why? Because I didn’t know what we didn’t know. Sixteen years and too many incidents to count later, I’ve come up with a list of 10 (or more) things that I wished I had known then. In this talk, we’ll cover what those 10 things are, some adjacent questions to those, and some war stories to show you why you should care.
This isn't your dad's IR plan....
Caspian Kilkelly Senior Consultant, Services, CrowdStrike
Caspian Kilkelly is a senior consultant with CrowdStrike's Canadian services team. Caspian's career highlights include a variety of roles over 20 years that usually end in the word "security" or the word "consultant". Caspian has worked with the security teams of a variety of different companies across North America and Europe as an incident responder, advisor and exercise lead. In his spare time, Caspian helps organize cybersecurity conferences you've probably never heard of.
The “right to be forgotten” is a concept that confers individuals more control over their digital data. This right has been codified as regulations or case law in a few famous examples. However, laws are by their very nature vague and open to interpretation. To address this ambiguity, researchers began to frame privacy laws in the formal language of cryptography to facilitate compliance. In this talk, we will review recent results in this young line of research. We will introduce the concept of deletion-compliance of Garg, Goldwasser and Vasudevan (Eurocrypt 2020). We will highlight some issues with this concept that were later addressed by Godin & Lamontagne (PST 2022) and independently by Gao, Garg, Mahmoody & Vasudevan (PETS 2022) using a different approach. We will highlight some of the difficulties that arise when formalizing broadly-defined notions of privacy.
Philippe Lamontagne Research Officer, National Research Council Canada
Philippe Lamontagne is a research officer in the cyber security team of the National Research Council. He received his PhD from Université de Montréal in 2018. His areas of expertise are cryptography and quantum information. He studies the use of quantum information for cryptographic tasks from lesser assumptions and the provable security of cryptographic protocols against quantum adversaries. He also has interest in the security of classical cryptography against quantum adversaries, also known as post-quantum cryptography, and in cryptographic solutions to privacy.
Lex Gill is a lawyer at a groundbreaking Montreal firm known for class actions and public interest litigation in areas like human rights, environmental law, and corporate accountability. She is also an affiliate at the Citizen Lab, where she supports the organization’s work on issues like freedom of expression, equality, and surveillance. Lex teaches part-time at McGill University’s Faculty of Law, and has worked for organizations that include the Supreme Court of Canada (as clerk to the Chief Justice), the Canadian Civil Liberties Association, and the Canadian Internet Policy and Public Interest Clinic.
The results reveal that a higher literacy level is associated with higher password quality. Also, the number of Internet users is inversely associated with password quality, which indicates that living in a highly connected country is not a factor that increases the protection of information. The study contributes to the understanding of macrosocial protection factors in order to adapt password lists.
Andreanne Bergeron Cybersecurity Researcher, GoSecure
Andréanne Bergeron is a cybersecurity researcher at GoSecure. She is also a Ph.D. candidate at the School of Criminology of the Université de Montréal and recipient of the prestigious Vanier scholarship. She also specialized in other types of cybercrime as she worked as the coordinator of the Darkweb and Anonymity Research Center.
Pierre-David has more than 15 years of experience in cybersecurity, with a strong technical background in software engineering for security products, payment, smart cards and cryptographic key management systems.
He is also known as one of the key original NorthSec members, where he created the infamous Smart Card track for three consecutive years, including some very unique cryptographic challenges. He is also the founder of the conference part of the event and acted as a VP Conference until he assumed the presidency of NorthSec in 2018 and 2019.
In his professional life, after multiple years of working in security architecture, he joined a local security product startup in 2016 named Delve where he led the product management effort, and today continues to work at the intersection of product, vision and cybersecurity, at SecureWorks on the Taegis platform.
In this talk, we will walk through what randomness is, and why it matters. We will discover the different "flavours" of randomness, from the "private" to the "public" one, including the "verifiable", the "distributed" and the infamous "lack of" randomness.
We will discover a few use-cases for each of these, discuss the problems lurking behind each, and existing solutions to avoid them.
Finally we will (re)discover "drand", open-source distributed randomness software that allows you to run your own network, join an existing one, or just query good quality public, verifiable, distributed randomness. We will briefly cover the existing League of Entropy behind the main drand network, what it's being used for, and why public randomness should be treated as a public service.
Yolan Romailler, Protocol Labs
Yolan is an applied cryptographer delving into (and dwelling on) cryptography, secure coding, blockchains technologies and other fun things such as self-sovereign identities or digital currencies. He has previously spoken at Black Hat USA, BSidesLV, Cryptovillage, NorthSec, GopherConEU and DEF CON on topics including automation in cryptography, public keys vulnerabilities, elliptic curves, post-quantum cryptography, functional encryption, open source security, and more! He notably presented at FDTC the first known practical fault attack against the EdDSA signature scheme.
Yolan tweets as @anomalroil.
Outline of the presentation:
Christian Paquin Principal Program Manager, Microsoft Research
Christian is a Principal Program Manager in Microsoft Research’s Security and Cryptography team. For the last 20 years, Christian has been living at the edge of academic research and industry, with a focus on privacy-preserving identity technologies (notably, U-Prove). Christian joined the COVID response effort, and helped with the design of the SMART Health Card framework; he contributed to the specification, and co-implemented the developer tools to validate SHC implementations. Post-quantum cryptography and zero-knowledge proofs otherwise keep him busy. Based in DC, Christian is always happy to visit his native Montreal.
Marc-Etienne has been a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it's fruity hardware or software from south pole birds. Marc-Etienne has focused his research on the reverse engineering of server-side malware to discover its inner workings and operation strategy. His research led to the publication of the Operation Windigo white paper, which won Virus Bulletin's Peter Szor Award for best research paper in 2014. He has presented at multiple conferences including RSAC, FIRST, 44con, CARO, SecTor and Linuxcon Europe. When he's not one of the organizers, he loves participating in CTF competitions like a partying gentleman. Outside cyberspace, Marc-Etienne plays the clarinet and reads comics. He tweets randomly from @marc_etienne_.
Air-gapping is used to protect the most sensitive of networks: ICSes running pipelines and power grids, voting systems, or SCADA systems operating nuclear centrifuges just to name a few. In the last 24 months, four malicious frameworks devised to breach air-gapped networks emerged, bringing the total to 17, by our count. This prompted us to step back and reanalyze all those frameworks from the vantage point of having discovered and analyzed three of these in the past six years. We put the frameworks in perspective to see what history could teach us in order to improve air-gapped network security and our abilities to detect and mitigate future attacks.
This exhaustive analysis allowed us to isolate several major similarities in all of them, even those 15 years apart. We pinpoint the specific areas of air-gapped networks that are consistently leveraged by malware in order to operate, and provide objective advice on how best to prioritize the deployment of resources to increase security.
Specifically, this presentation covers the similarities in execution vectors used on the connected and air-gapped sides of targeted networks, the air-gap-crossing mechanisms and communication protocols used to control the components running on the isolated networks, the information stealing techniques, and, finally, the propagation and lateral movement capabilities.
Our analysis shows that most frameworks differ only in implementation details, mostly due to the severe constraints imposed by air-gapped environments. Armed with this information, we cover techniques that can be implemented to harden the specific areas that have been repeatedly abused by air-gap-aware frameworks, and strategies to detect their presence, such as how to prevent removable drive abuse and how to detect the host- and network-based reconnaissance activity often observable within the isolated network under attack.
Our aim is to convince the audience of the importance of having all the proper defense mechanisms to mitigate the techniques used by virtually all of these frameworks observed in the wild, before starting to look into the many theoretical air-gap bypass techniques that have gotten most of the spotlight in recent years despite none of them ever being used in a real attack.
This is a must-see session for anyone responsible for the security of an air-gapped network, but also for anyone interested in the history and evolution of these fascinating attacks.
Alexis Dorais-Joncas Head of ESET's R&D office in Montreal, ESET
Hired by ESET in 2010, Alexis Dorais-Joncas worked as a Malware Researcher, then as Security Intelligence Team Lead. In 2015, Alexis Dorais-Joncas was appointed head of ESET’s R&D branch office located in Montreal. He and his team focus on cutting edge malware research, network security and targeted attacks tracking in order to shed light on the latest trends and developments in the malware ecosystem and implement efficient and innovative countermeasures to allow ESET customers to be safer online.
Doplik is an Unwanted Software based on NW.js, which is an open-source way of writing native desktop applications using web technologies. What makes Doplik especially interesting is that instead of opting to use plaintext JavaScript, Doplik ships with binary V8 snapshots that contain serialized bytecode representation of Doplik’s source code, preventing static analysis without specialized tooling.
In this talk, we will share a deep dive on some of the reverse engineering challenges we faced and how we were able to overcome them and release an open-source Ghidra plugin to disassemble V8 snapshots.
Léanne is a security engineer at Google focusing on reverse engineering and threat intelligence. Recently graduated from ÉTS, she participated in multiple CTFs and security-related events with the DCIÉTS group. She experimented with tooling, pentesting and threat hunting during her years as a student. Now focusing on reverse engineering, she is always happy to share her expertise and insight.
Since late 2021 through 2022, the Iranian threat actor MuddyWater has been conducting several operations, using different methods of operation and targeting victims in different geographies including Europe, the Middle East and Asia. This culminated in U.S. Cyber Command attributing the group to Iran's Ministry of Intelligence Services (MOIS) rather than the IRGC, as was previously believed. These campaigns show the flexibility and capability of this group when it comes to employing different methods of operation to achieve its goals. We will start by describing three very distinct MuddyWater campaigns which are linked together by methods of operation and tools. The first campaign consisted of highly targeted attacks on Turkish governmental organizations. This was the first campaign we saw using Canarytokens to signal payload activation. Our analysis of this method led us to form different hypotheses for the use of this novel technique:
* Bypassing URL analysis - if the Canary token is not activated, the C2 does not deliver the payload. This thwarts isolated analysis of the C2 payload URL.
* Detecting C2 URL blocking - several requests to the token without any requests to the C2 indicate that the victim's organization is blocking the C2.
* Anti-analysis checks - a Canary token request followed immediately by a request for the payload within a short timeframe may be used to detect automated analysis such as sandbox-based analysis; this is essentially a timing check of sorts.
This campaign also used mixed-stage payload delivery: on one side it used the common malicious VBA macros in Office documents; on the other it used double-extension executables that appear to have been created with a builder. This builder was also used in other campaigns, targeting Armenia and Pakistan. The builder appears to be a recent addition to MuddyWater's arsenal, first seen in the wild around mid-2021, and can expedite the creation of new campaigns with little to no effort. Interestingly, the Pakistani wave was the first observed instance of the group's use of the token system. In that instance, the group used its own servers and remote locations to record infection tokens. This technique was then migrated to Canary tokens, as observed in the campaign targeting Turkey described above.
Meanwhile, we also uncovered a third campaign using yet another infection method. This time MuddyWater used a WSF-based RAT to execute remote commands, which usually culminates in the installation of a commercial remote administration tool such as a remote viewer. This seems to be the preferred method of operation for targeting countries in the Arabian Peninsula. Finally, our presentation will end with a review of the timeline of the campaigns and tool capabilities, describing their evolution over the course of 2021 across the three campaigns MuddyWater carried out. We will demonstrate that the group tested some techniques in some campaigns and adopted them in later campaigns as a definitive modus operandi. The mix and match across campaigns raises the possibility that MuddyWater is in fact a collective of groups working together and sharing tools, where each group focuses on specific regions of the world while sharing techniques and procedures across teams. With this presentation the audience will gain a better understanding of the MuddyWater APT group, its methods of operation and its tools, all placed in the context of their evolution and usage.
Asheer Malhotra is a threat researcher at Talos specializing in malware analysis, reversing, detection technologies and threat disclosures. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now Talos. His key focus is tracking nation-state attacks (APTs) across the world. Asheer holds an M.S. in Computer Science with a focus on Cyber Security.
Vitor Ventura Senior security/threat researcher, Cisco Talos
Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he has investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats and reversing code, but also looking for the geopolitical and/or economic context that best explains them. Vitor has been a speaker at conferences such as VirusBulletin, NorthSec, Recon and Defcon's Crypto and Privacy Village, among others. Prior to that he was IBM X-Force IRIS European manager, where he was lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where he led flagship projects such as Connected Car assessments, ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds a BSc in Computer Science and multiple security-related certifications such as GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).
Air-gapping is used to protect the most sensitive of networks: ICSes running pipelines and power grids, voting systems, or SCADA systems operating nuclear centrifuges just to name a few. In the last 24 months, four malicious frameworks devised to breach air-gapped networks emerged, bringing the total to 17, by our count. This prompted us to step back and reanalyze all those frameworks from the vantage point of having discovered and analyzed three of these in the past six years. We put the frameworks in perspective to see what history could teach us in order to improve air-gapped network security and our abilities to detect and mitigate future attacks.
This exhaustive analysis allowed us to isolate several major similarities in all of them, even those 15 years apart. We pinpoint the specific areas of air-gapped networks that are consistently leveraged by malware in order to operate, and provide objective advice on how best to prioritize the deployment of resources to increase security.
Specifically, this presentation covers the similarities in execution vectors used on the connected and air-gapped sides of targeted networks, the air-gap-crossing mechanisms and communication protocols used to control the components running on the isolated networks, the information stealing techniques, and, finally, the propagation and lateral movement capabilities.
Our analysis shows that most frameworks differ only in implementation details across many aspects, mostly due to the severe constraints imposed by air-gapped environments. Armed with this information, we cover techniques that can be implemented to harden the specific areas repeatedly abused by air-gap-aware frameworks, and strategies to detect their presence, such as how to prevent removable-drive abuse and detect host- and network-based reconnaissance activity that is often observable within the isolated network under attack.
Our aim is to convince the audience of the importance of having all the proper defense mechanisms to mitigate the techniques used by virtually all of these frameworks observed in the wild, before starting to look into the many theoretical air-gap bypass techniques that have gotten most of the spotlight in recent years despite none of them ever being used in a real attack.
This is a must-see session for anyone responsible for the security of an air-gapped network, but also for anyone interested in the history and evolution of these fascinating attacks.