Upgrade your red team tradecraft with cutting-edge Tactics, Techniques, and Procedures (TTPs) used by attackers in real-world breaches. This course will teach participants how to infiltrate networks, gather intelligence, and covertly persist to simulate advanced adversaries. Participants will use the skillsets taught in this course to go up against incident response in a complex lab environment designed to mimic an enterprise network. You'll learn to adapt and overcome active response operations through collaborative feedback as the course progresses.
Nick Powers Operator and Red Teamer, SpecterOps
Nick is an operator and red teamer at SpecterOps. He has experience providing, as well as leading, pentest and red team service offerings for a large number of Fortune 500 companies. Prior to offensive security, Nick gained security and consulting experience delivering compliance-based gap assessments and vulnerability audits. With a career focused on offensive security, his interests and prior research have included initial access techniques, evasive Windows code execution, and the application of alternate C2 and data exfiltration channels.
Hope Walker Senior Consultant, SpecterOps
Hope is a consultant at SpecterOps with experience in conducting and leading red team operations. Prior to joining SpecterOps, she conducted research, led red team process improvement efforts, trained new operators, and managed the operations floor for a DoD Red Team. Hope holds four degrees from the University of Alabama in Huntsville including a master's in cyber security and was a recipient of the National Science Foundation Cyber Corps scholarship.
THIS TRAINING IS ONLY IN FRENCH. Nowadays, modern Android mobile applications are often protected against reverse engineering by industrial protection tools.
Georges-Bastien Michel Reverse Engineer / Security Researcher, Reversense
Georges-B Michel is the founder and principal security researcher at Reversense. He has worked on many security topics including deobfuscation, DBI, Android RASP bypass, TEE/TA reversing, web application security, and secure coding. Since 2018, he has developed several public OSS and private projects such as Interruptor (a Frida library to improve syscall hooking) and Dexcalibur (a mobile reverse engineering and instrumentation automation tool). He has spoken at several security conferences including Insomni'hack, SSTIC, THC, and PassTheSalt.
This highly-practical course will teach attendees not only the fundamentals on how to pentest and secure SAP systems, but also the latest techniques and procedures.
Yvan Genuer Security Researcher, Onapsis
Yvan Genuer is a Security Researcher at Onapsis with over 20 years of SAP experience. He has delivered consultancy services around SAP security and researched vulnerabilities in SAP products, receiving official acknowledgements from SAP AG for several vulnerabilities he originally reported. He has also delivered training and talks on this topic at conferences.
Ignacio D. Favro Security Researcher, Onapsis
Ignacio Favro is a Security Researcher at Onapsis. He loves researching and exploring new technologies and thinking about potential new vulnerabilities and exploitation vectors. Always with a curious spirit, Ignacio enjoys jumping between projects involving different programming languages, network protocols or research methodologies. Before joining Onapsis, he worked as a security consultant performing activities such as pentesting; he began to specialize in SAP when he joined the company, where he also teaches the SAP security course.
Do you want to level up your cloud penetration testing skills? The attack surface of many organizations has changed to include third-party hosted services such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. In this training course, hacking concepts will be introduced for each of those services.
Beau Bullock Security Analyst
Beau Bullock is a Senior Security Analyst and Penetration Tester and has been with Black Hills Information Security since 2014. Beau has a multitude of security certifications (OSCP, OSWP, GXPN, GPEN, GWAPT, GCIH, GCIA, GCFA, GSEC) and maintains his extensive skills by routinely taking training, learning as much as he can from his peers, and researching topics that he lacks knowledge in. He is a constant contributor to the infosec community by authoring open-source tools, writing blogs, and frequently speaking at conferences and on webcasts.
This class takes you through the initial steps of engineering and architecting to become a Cloud Security Engineer and architect. Over two days, we will get our hands dirty in cloud environments and learn about architectural patterns. The class goes into the details of Microsoft Azure and Amazon Web Services from a security perspective.
Karim Elmelhaoui Security Analyst
Karim is a seasoned and renowned thought leader in cloud security. At O3 Cyber, he conducts research and development and works with clients, primarily in the financial industry. Karim has a background in building and operating platform services for security on private and public clouds, developing and executing a cyber security strategy for the world's largest sovereign wealth fund, and overseeing the transition of a traditional security organization to a 'cloud operating model.'
Code obfuscation has become a vital tool to protect, for example, intellectual property against competitors. In general, it attempts to impede program understanding by making the to-be-protected program more complex. As a consequence, a human analyst reasoning about the obfuscated code has to overcome this barrier by transforming it into a representation that is easier to understand. In this training, we get to know state-of-the-art code obfuscation techniques, look at how these complicate reverse engineering and learn how to break them.
Tim Blazytko Chief Scientist, emproof
Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.
Containers and Kubernetes are everywhere. According to a CNCF survey, Kubernetes adoption in production has risen to 83%. Still, most security teams struggle to understand these modern technologies.
Madhu Akula is a pragmatic security leader and the creator of Kubernetes Goat, an intentionally vulnerable-by-design Kubernetes cluster for learning and practicing Kubernetes security. He is also a published author and Cloud-Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud-Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc.). He holds industry certifications such as CKA (Certified Kubernetes Administrator) and OSCP (Offensive Security Certified Professional). Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 29 & 30, BlackHat EU, Asia, USA 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 21 & 22, O'Reilly Velocity EU 2019, Github Satellite 2020, OWASP AppSec EU 2018 & 19, 22, All Day DevOps 2016, 17, 18, 19, 20, 21 & 22, DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n 2017, 18, 20, Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others. His research has identified vulnerabilities in over 200 companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible 2, which is listed as a technical resource by Red Hat Ansible, and the technical reviewer for the Learn Kubernetes Security and Practical Ansible 2 books from Packt Pub. He also won first prize for building an infrastructure security monitoring solution at InMobi's flagship hackathon among 100+ engineering teams.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
The whole Microsoft cloud offering, including Azure AD and Microsoft 365, is based on the use of OAuth bearer tokens. The purpose of the token is simple: it proves the identity and the access rights of its bearer.
This workshop is a hands-on deep dive into the technical details of Azure AD's implementation of the OAuth standard. We'll cover the JWT standard, different token types (access, identity, and refresh) and various ways of obtaining them, peculiarities of Family of Client Id (FOCI) tokens, and of course, different attack scenarios.
Attendees will learn the technical details of Azure AD OAuth implementation, helping them to secure their environments better and detect abuse of tokens.
Familiarity with Burp or Fiddler, HTTP traffic, and general web technologies
A computer (a VM will do) with Burp or Fiddler, plus the ability to run AADInternals (or a scripting language of their choice)
Dr Nestori Syynimaa Senior Principal Security Researcher, Secureworks CTU
Dr Nestori Syynimaa is one of the leading Azure AD / M365 experts in the world and the developer of the AADInternals toolkit. He has worked with Microsoft cloud services for over a decade and has been MCT since 2013, MVP since 2020, and awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit. Before moving to his current position, Dr Syynimaa worked as a CIO, consultant, trainer, researcher, and university lecturer for almost 20 years.
Dr Syynimaa has spoken at many international scientific and professional conferences, including IEEE TrustCom 2018, Black Hat Arsenal USA 2019, Black Hat Arsenal Europe 2019 and 2021, and RSA Conference 2022.
The main objective is to show that vulnerability research in Windows kernel modules is within reach of any enthusiast equipped with a laptop capable of running two virtual machines.
In addition, the workshop seeks to demonstrate that some Windows kernel modules, although duly digitally signed, can present vulnerabilities that are relatively easy to find.
The workshop will cover the following points:
Laptop with at least 16GB of RAM and 100GB of free storage space to host 2 Windows virtual machines.
Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate the ever more powerful high-throughput genome sequencers coming to market.
Then, he joined the ETTIC team at Desjardins in 2016 as an infrastructure penetration tester. Currently doing research and testing on IoT devices, he also presented the "Automated contact tracing experiment on ESP Vroom32" workshop at NSEC in 2021. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data-hungry organizations.
Our defenses are crucial in protecting us against security threats. But how can we be sure they're working as intended in our real environment? We do this by asking questions. Everywhere. Continuously. With the returning intelligence, we’re able to make decisions that will better harden our defenses.
These questions we need to be asking come in the form of Verified Security Tests (VSTs). VSTs are a more structured, scale-ready format of the TTP. These questions, such as "Will your computer quarantine a malicious Office document?", provide a single piece of intelligence to help fuel a decision.
In this workshop, attendees will:
- Get a brief introduction to VSTs and understand why they are designed for security testing at scale, in production environments
- Use Prelude Build, an open source IDE for security engineers to author VSTs, to create their own VST
- Learn about probes and how to deploy them on endpoints in order to accept, execute, and respond with the results of a VST
- Create a continuous security testing schedule
Experience with offensive security and/or purple teaming is helpful, but absolutely not required.
VMs welcome.
An introduction to Capture-The-Flag (CTF) with easy challenges and tips on how to approach them.
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions. First, by introducing participants to the basic concepts. Then, by helping them prepare for the upcoming NorthSec CTF, and, finally, evolve in their practice of applied cybersecurity.
We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first-timers. Seasoned players should play NorthSec's official CTF.
Requirements:
* a laptop
* a programming language of choice (it's usually Python)
* Wireshark
* a web assessment security tool (Burp, ZAP, mitmproxy)
* a disassembler / decompiler (Radare2, Binary Ninja, IDA Pro)
No prerequisites, see requirements.
Can you believe that NorthSec is already 11 years old? In this guest-filled session, we will take a look back at these 11 years and highlight NorthSec's rich history.
Olivier Bilodeau Cybersecurity Research Lead, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 13 years of infosec experience, he enjoys luring malware operators into his traps, writing tools for malware research and vulnerability research. Olivier is a passionate communicator having spoken at several conferences including BlackHat, Defcon, Botconf, NorthSec, Derbycon, and HackFest. Invested in his community, he co-founded MontréHack, a monthly workshop focused on hands-on CTF problem solving, and NorthSec, a large non-profit conference and CTF based in Montreal which you may have heard of.
Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many such vulnerabilities that have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with a tool I developed called cryptosploit. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if they look interesting but you could use in-person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.
Students should be comfortable with concepts like modular arithmetic and XOR.
A laptop will be useful as I will bring a VM for students to follow along and practice running attacks.
Matt Cheung Application Security Consultant, Veracode
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village.
After an introduction to theory and tooling, we will be reverse engineering malware techniques including API hashing and string encryption. Once reverse engineering of these components is completed, we will be writing scripts to automate extraction of intelligence and analysis of future variants.
Basic Programming Knowledge
While I may not have Alphabet Soup for a headline, let me show you what I can do based on my community contributions! I started my career after I hit rock bottom being a single mom who moved back to live with my parents. This was after dropping out of computer science in university; my professors told me I would not be good enough to get a job in computers. I had lost all passion for what I loved and hoped for the future. I worked with my case worker (social assistance program) and they helped me gain the confidence to try computers again. I was able to teach myself programming and other computer science concepts on my own time (online courses). With this, I was able to regain my confidence regarding computers. I then became really interested in offensive security and applied to work at a cyber security company. I started as an entry-level analyst and worked my way up to starting my own threat research and detection department. I taught myself how to reverse engineer malware from scratch along the way and have not looked back since. If I can train an English teacher to reverse engineer malware, I have the confidence I can train anyone to get the task done. If you are looking for someone to lead your threat research and detection team who has done each job on the way up to the top, I might be the one you are looking for. Since then, I've presented research all across North America, appeared on TV as an expert twice and have not looked back. I love reverse engineering, malware analysis, detecting threat actors, the thrill of the hunt, mentoring other women who want to get into cyber security and, most importantly, my family and the wonderful people on my team who have grown so much in their careers.
As defenders it is easy to view attacker behavior through a Technique lens, but this perspective often causes us to forget about the diversity of implementation, or morphology, that exists within a Technique. This often leads to detection rules that are narrowly focused on specific tools instead of on the underlying behavior(s) themselves. MITRE ATT&CK provides a schema for evaluating inter-technique differences between tools, such as the differences between Kerberoasting and DCSync, but we currently do not have an industry-wide model for evaluating intra-technique differences, such as how two tools performing LSASS dumping might differ in approach and thus lead to evasion opportunities.
In this workshop, attendees will be presented with various tools that implement the same Technique, but use different approaches, or Procedures, to do so. We will then walk participants through the process of analyzing these tools to understand exactly where and by how much they differ. Participants will then learn how to model different Procedures to evaluate their similarity and determine the optimal events or logs to serve as a foundation for building resilient detection rules.
Familiarity with Windows Internals basics, programming experience is helpful but not necessary
A Windows laptop preinstalled with IDA 8.2 Free.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Panel for the detection block
Jared Atkinson Chief Strategist, SpecterOps
Jared is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared lead incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of PowerForensics, Uproot, and maintains a Detection Engineering focused blog at https://posts.specterops.io/on-detection/home.
Jonathan Johnson Senior Consultant, SpecterOps
Jonny is a security enthusiast who loves spending time with all things related to Windows Internals, reverse engineering, and data analysis. Jonny applies threat research and low-level knowledge to defensive capabilities, arming defenders with the information and tools needed to cover defensive gaps. Jonny loves to share his actionable findings in blogs (https://jsecurity101.medium.com/) and is committed to helping defenders be effective, independent, and efficient.
Go is becoming more and more prevalent in offensive security tooling. And while the analysis of most programs can be approached using the same methods, binaries generated by this language are different enough from what compilers generally produce that they require developing a special skillset.
Short, unscientific surveys conducted in my professional circle indicate that Go is reverse-engineers’ most dreaded language. It doesn’t have to be this way. In this workshop, I would like to share the knowledge I have built up reverse-engineering Go malware as well as the methodology I follow during my day-to-day work and useful disassembler plugins.
This workshop is intended for people who have experience with reverse-engineering and know their way around a disassembler and a debugger. They should already be familiar with x86 and x64 ASM and reversing C / C++ programs.
A laptop with all the necessary analysis tools: disassembler + debugger.
Ivan Kwiatkowski Senior Security Researcher, Kaspersky
An OSCP and OSCE-certified penetration tester and malware analyst working as a Senior Security Researcher in the Global Research and Analysis Team (GReAT) at Kaspersky Lab since 2018. Also delivers Kaspersky’s reverse-engineering trainings in Europe. Ivan maintains an open-source dissection tool for Windows executables and his research was presented during several cybersecurity conferences. As a digital privacy activist, he also operates an exit node of the Tor network.
Talks will be streamed on YouTube and Twitch for free.
In this talk, I will provide a high-level overview of the fundamentals of large language models, with a focus on GPT models. My goal is to share insights from a security research perspective and inspire researchers to explore the potential of GPT models in their own labs. Specifically, I will cover topics such as semantic searching, few-shot learning, and code generation and provide basic examples and experiments to illustrate these concepts. Whether you're new to GPT models or have experience working with them, this talk aims to provide a fresh perspective on how they can be leveraged to empower security teams and spark new ideas for research.
Roberto Rodriquez is a Principal Security Researcher at the Microsoft Security Research organization. He is the founder of the Open Threat Research (OTR) community and author of several open-source projects, such as the Threat Hunter Playbook, OSSEM, SimuLand, ATT&CK Python Client, Security Datasets, and more. You can find all his contributions to the InfoSec community in the open OTR GitHub repository and can follow him on Twitter @Cyb3rWard0g.
There is a lot of hype (and a lot of anxiety) surrounding publicly available generative AI tools, such as ChatGPT, Midjourney and Stable Diffusion. Whether these tools will replace jobs or cause a disinformation meltdown, one thing is certain: they are already optimised for scams. We'll look at a few practical implications and go over one specific case study.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A panel for the Criminology block.
One of the characteristics of system security is that attackers do not need any special and/or expensive tools to perform the most powerful attacks. Brute force authentication attacks on Remote Desktop Protocol (RDP) can be automated and shared between malicious actors. However, when a human or an organization behind an automated attack shows more motivation, the danger increases as it is no longer an opportunistic “spraying and praying” strategy but rather a strategy that is closer to a targeted attack.
The objective of this study is to measure the level of human engagement behind the attacks targeting Remote Desktop Protocol (RDP). To do so, we launched high-interaction honeypots on the Internet. We collected and analyzed over 3.4 million connection attempts that supplied hashed credentials over a period of 3 months. With an over 95% success rate in cracking these hashes, our team was able to identify different attack strategies.
The indicators of human intervention in the attacks will be presented and include (1) the number of attacks; (2) the use of credential leak lists; (3) the constant presence of the machine over the observation period; and (4) the use of several attacks per second. The indicators of machine-like behavior will also be presented and include (1) the presence of a pause before launching an attack; (2) customization of the attack for its target; and (3) slowing down of the attack rhythm by imposing a delay between login attempts. An engagement score is computed from these indicators to visualize the level of human engagement behind attacks. A Pearson correlation coefficient was then computed to assess the linear relationship between automated attacks and the other variables associated with human and machine behaviors.
Showing the series of actions conducted on exposed RDP systems gives us an eye-opening understanding of threat actors' strategies. Characterizing attackers allows us to get closer to revealing their identity. This will hopefully contribute to giving them cold feet, as they will have to change their practices. The ultimate objective of our work is to increase the cost for attackers, and knowing who they are and how they proceed is one step further in this direction.
Andreanne Bergeron Cybersecurity Researcher, GoSecure
Andréanne Bergeron has a Ph.D. in criminology from Montreal University and works as a cybersecurity researcher at GoSecure. Acting as the social scientist of the team, she is interested in online attackers’ behaviors. She is an experienced presenter with over 38 academic conferences and is now focusing on the infosec field. She has presented at BSides Montreal, NorthSec and Human Factor in Cybercrime.
Ransomware has changed and adapted over time to survive. Unfortunately, this evolution has led to a grim reality. From a defender's perspective, the sheer number of new strains coming out regularly makes it impossible to defend their infrastructure against every new threat. For attackers, technological advancement has created a playground filled with criminal opportunities waiting to be exploited.
A game theory perspective is a way to analyze conflicting parties' behaviours to see how each will behave towards their endgames. Zero-sum games are those in which a player's win causes a direct loss to the other; ransomware is a good example. Traditional game theory research focuses on one attacker vs. one defender during a game. However, this is not the reality defenders face daily. Defenders must defend themselves against multiple attacks during multiple games simultaneously. This means it is far easier for attackers to win than defenders in a zero-sum game. So how can the odds be balanced out? The answer might be reducing the asymmetric information gap between the two parties.
This research aims to find the recurring techniques and tactics used over time. Even though ransomware is constantly evolving, specific aspects should remain the same, or at least this is what I will find out. I studied over eighty ransomware strains over five years (2017-2022). This presentation will cover the evolution of the TTPs over the set period and the stable behaviours, and present the observations from the findings.
Vicky Desjardins Cyber Threat Intelligence Analyst and Doctoral Candidate, Hitachi Systems Security and University of Montreal
I am an English lit major turned criminologist turned cyber threat intelligence analyst. I'm an eternal optimist that research can make the world a better and safer place for all so that is what I do. I get crazy ideas, turn them into research projects and figure out later if it's actually possible. Let's see if this one will work out.
Mobile phones have become ubiquitous in our daily lives. They are in many cases the devices we spend the most time on, and the devices that keep us connected to our friends, loved ones and colleagues. While useful in many ways, mobile phones pose a significant threat to offenders. Indeed, mobile phones monitor location through GPS and can have spyware installed to monitor written, audio and video communications. For law enforcement, mobile phones represent a treasure trove of information that can lead to arrests and convictions. In response to this threat, offenders have adopted shadow phones, also known as ghost phones, encrypted phones or PGP phones. These come in a variety of forms, and in most cases offer a hardware package stripped of microphones, cameras and GPS chips to prevent any kind of spying. They also come with encrypted messaging services and many security features such as remote wipes based on time delays, secret PINs or remote triggers. Canada appears to be a central player in the underground economy for shadow phones, as some of the main distributors of these phones have been living (and arrested) in Canada. The aim of this presentation is first to survey the current state of the art on shadow phones. We reviewed court decisions, news reports and scientific articles on shadow phones, and researched companies that are currently advertising shadow phones for sale. Through this survey, we aim to present how the latest technologies are being used to protect offenders, and how law enforcement has attacked these encrypted communication services in the past. An important part of the services is the software that comes installed on the phones. The lessons learned here are extremely valuable for all communication services that are trying to offer end-to-end encryption and a higher level of privacy to their users.
The second part of this presentation is an analysis of interviews that we have conducted with various actors involved in the prosecution and defense of offenders who use shadow phones. We present their perception of the effectiveness of these phones, and the challenges that they pose for the judicial system. There are here again many lessons to be learned about how the judicial system can handle emerging technologies, encryption, and the targeting of offenders both online and offline who use encryption.
David Décary-Hétu Associate Professor, Université de Montréal
Prof. David Décary-Hétu has a Ph.D. in criminology from the Université de Montréal (2013). He first started as a Senior Scientist at the School of Criminal Sciences of the Université de Lausanne before moving to his current position as an Associate Professor at the School of Criminology of the Université de Montréal. The main research interests of Prof. Décary-Hétu focus on the impacts of technology on crime. Through his innovative approach based on big and small data, as well as social network analysis, Prof. Décary-Hétu studies how offenders adopt and use technologies, how that shapes the regulation of offenses, and how researchers can study offenders and offenses. Prof. Décary-Hétu is the Chair of the Darknet and Anonymity Research Centre (DARC), which was funded by the John R. Evans Leaders Fund from the Canada Foundation for Innovation. His team collects and studies data from all types of offenders who use anonymity technologies such as the darkweb, cryptocurrencies and encryption. Prof. Décary-Hétu has received funding from both public and private grantors operating at the local, provincial, federal and international levels. He has published in leading academic journals and is invited regularly by the news media to comment on recent events. Prof. Décary-Hétu is involved in many partnerships and initiatives including Open Criminology, the revue Criminologie, the Division of Cybercrime of the American Society of Criminology and the Human-Centric Cybersecurity Partnership. Prof. Décary-Hétu has presented at CanSecWest, H.O.P.E., ThotCon and Hackfest, and is a co-organizer of the BSides Montreal conference.
Masarah Paquet-Clouston, Université de Montréal
Masarah Paquet-Clouston is a professor at the Université de Montréal and a collaborator at the Stratosphere Laboratory. She holds a Ph.D. in criminology from Simon Fraser University and specializes in the study of profit-driven crime enabled by technologies. In the past, she worked five years as a researcher at the private cybersecurity firm GoSecure. She has presented the results of her research at various international conferences including NorthSec, Black Hat USA, DEF CON, CERT-EU, RSA, HackFest, and Virus Bulletin.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Panel for the malware block.
Asylum Ambuscade is a threat group that came under research scrutiny after it targeted European government personnel in late February 2022, just after the beginning of the Russia-Ukraine war. During the intervening months, dozens of different threat actors have been caught by the security community attacking Ukrainian institutions and their allies. So what makes Asylum Ambuscade different from the others?
First, our investigation reveals that the group is engaged in both espionage and crimeware-related activities. Since March 2022, it has been spying on European diplomats, probably in order to steal confidential information related to the Russia-Ukraine war. At the same time, it has been compromising bank customers and cryptocurrency traders all around the world, including Canada and the United States. We noticed that the group is particularly interested in accessing cryptocurrency wallets stored on common coin exchanges.
Second, since the beginning of the war, not only did Asylum Ambuscade target Ukrainian institutions and their allies, but also individuals and local officials in Russia. Note that we believe that some members of the group are Russian speakers.
Third, the group goes after high-value espionage targets using a custom crimeware-like toolkit. This is very different from other groups operating in the same region such as the Dukes, Sandworm, or Turla, which run only cyberespionage campaigns.
In this presentation, we will describe the whole compromise chain, allowing us to link the group to past crimeware activities from 2020. We will also present an overview of the victimology and the TTPs of the group. Finally, we will discuss why a crimeware group could be engaged in espionage activities.
Matthieu Faou Senior Malware Researcher, ESET
Matthieu Faou is a senior malware researcher at ESET where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, Botconf, CYBERWARCON, RECON and Virus Bulletin.
In March 2022, a new buzz called Bumblebee appeared in the eCrime scene. This loader is built to execute tasks from its command-and-control (C2) and deliver payloads such as CobaltStrike. But its development doesn't stop there. In the span of less than a year, Bumblebee has been through several incremental updates, to such an extent that this malware may be one of the most actively maintained malware families out there.
This presentation aims to get a sense of the operator's development process behind Bumblebee (how it changes and adapts in response to current endpoint defense efforts) and how its techniques compare to those of other botnet families.
This presentation will touch on the following areas of the malware:
1. A brief overview of Bumblebee's execution on a system: the importance of its loader, how it executes, how it communicates with the C2 and the role of the hook module.
2. A chronological view of the development cycle of the malware, showing features introduced in response to public reporting, testing of new code implementations and refactoring.
3. A comparison of Bumblebee's choice of techniques to that of other known botnet families: the overlaps seen and an assessment of each technique's pros and cons.
Suweera De Souza Senior Security Researcher, CrowdStrike
Suweera has over a decade of experience in reversing malware and botnet analysis. She previously volunteered giving a BlackHoodie workshop at NorthSec and workshops for CyberAegis, a local community in Montreal. Currently Suweera is employed as a Senior Security Researcher at CrowdStrike where she focuses on botnets such as Bumblebee and BokBot.
Pierre-Marc Bureau leads the TAG sub-team that focuses on financially motivated cyber attacks. He and his team are based in Montreal and specialize in reverse engineering and malicious code analysis.
Pierre-Marc has more than 15 years of expertise in computer security. Before joining Google, Pierre-Marc worked at Dell SecureWorks and ESET. He has presented at several international events including BlackHat, Recon and Virus Bulletin.
The purpose of the Red Team Training is to understand the underlying concepts of red teaming. The training will cover payload generation, lateral movement techniques, initial foothold and internal reconnaissance. The training aims to provide a deep understanding of all the previously described aspects of a red team.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Panel for the Red Team block.
This talk is going to cover some of the techniques used to successfully deploy your code or agent during a red team engagement without getting detected by EDR solutions. I will be presenting some of my techniques and tricks that successfully defeated the detection in place, including modern EDRs.
Charles F. Hamilton (Mr.Un1k0d3r) Director, KPMG Canada
Charles Hamilton is a Red Teamer with more than ten years of experience delivering offensive testing services for various government clients and commercial verticals. In recent years, Charles has focused on covert Red Team operations against complex and secured environments. These operations have allowed him to hone his craft at quietly navigating a client's network without detection. Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform focused on teaching hacking fundamentals. The RingZer0 community currently has more than 40,000 members worldwide. Charles is also a prolific toolsmith and speaker in the Infosec industry under the handle Mr.Un1k0d3r.
Magicians are the most versed at lying and deception, and pentesters can learn from their years of experience at lying, cheating and misdirection. Suggestion is the original exploit (CVE-000-0001) and, by the end of this talk, attendees should be more comfortable planning and engaging in social engineering.
This 30 minute talk will present key SE concepts, such as suggestion, exploiting cognitive biases, double talk, framing, creating trust and the anatomy of a lie (what works, what doesn't, why less is more), while focusing on practical tips for phishing, social phone engineering and physical intrusion.
Martin spends his days in meetings and his evenings in his basement. Passionate about the field of hacking for 15 years, he has an interest in technical challenges, in particular malware development, evasion of defense controls and process automation. He was involved as a Challenge Designer in the CTF of Hackfest for 7 years and NorthSec for 1 year. Currently, Martin leads a large Ethical Hacker department where he strives to innovate every day so that offensive security talents are better used today.
An important part of red teaming is developing custom payloads, since using anything public without in-depth customization will get your operation burned in a second. After spending countless hours crafting those precious masterpieces, one of the main priorities of red teams and threat actors is to protect them from prying eyes (SOC analysts, forensic investigators or security researchers).
This talk will go over established techniques used to prevent analysis. In addition, three anti-copy techniques used by OKIOK's red team in real engagements will be covered, with proof-of-concept releases and detection opportunities. These techniques propose new ways of circumventing the weaknesses of the established ones.
Guillaume Caillé Team Lead - Penetration Testing, OKIOK
Guillaume Caillé leads the penetration testing team at OKIOK. He also holds a bachelor's degree in Information Technology Engineering from the École de Technologie Supérieure (ÉTS) with a specialization in security. Truly passionate about offensive security, Guillaume specializes in malware development, red teaming and incident response. This experience has enabled him to develop and maintain bleeding-edge techniques and tools to stay ahead of all aspects of a company's defense mechanisms.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A panel for the Vulnerability Research block.
We're always seeing vulnerability reports in the news, but how much do you know about finding and reporting these bugs? In this talk, we're going to look at a series of critical security vulnerabilities in an RPC service developed for mainframes, ported to modern operating systems, and used by most large companies. We'll cover the full process:
Basically, this will be an end-to-end vulnerability research bonanza!
Ron Bowes Lead Security Researcher, Rapid7
During the day, Ron Bowes is a lead vulnerability researcher at Rapid7, where his job is to perform deep-dive analyses of publicly disclosed vulnerabilities, as well as to find (and report) his own. His previous role at Counter Hack Security was a combined pentester / CTF developer position.
In his free time, he runs (and writes challenges for) the BSides San Francisco CTF and is a lead organizer for The Long Con security conference in Winnipeg. When he's not doing infosec work, his biggest hobbies are rock climbing and video games (current game: Slay the Spire!).
Windows Hello for Business is a passwordless authentication feature that uses a combination of device identity and biometrics or a PIN to authenticate to Windows and (Azure) Active Directory. It is advertised as a strong multi-factor authentication method with hardware-protected keys. In this talk we will dive into the internal workings of Windows Hello in Azure AD and hybrid scenarios. We will look into the protection of keys, the usage of hardware protection, the provisioning and storage of those keys and how attackers could interact with them. During the research into the protocols and externals, various vulnerabilities were discovered that could allow attackers to abuse Windows Hello to persist access to accounts, move laterally between identities and bypass Multi Factor Authentication. Vulnerabilities were also discovered that enable attackers to bypass the hardware protection of secrets, which allows the Windows Hello credentials to be used on different devices than the ones they were provisioned on. The talk will show why these flaws were present, how they could be abused, and provide tools to interact with Windows Hello and Azure AD.
Dirk-jan Mollema Security Researcher, Outsider Security
Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.
Philippe Pépos Petitclerc Ph.D. Candidate
After particularly enjoying his master's degree on symbolic execution of binary software, Philippe is now a PhD Candidate obsessing over automatic antivirus evasion. He spent a few years working as a Pentester, Red Teamer, Blue Teamer and more recently University Lecturer. He is a founding member of Résilience Coop, a newly born cooperative striving to help industries re-appropriate and comprehend their detection frameworks. Last but not least, he is a member of the Eternal Seconds, Hubert Hackin' CTF team.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Panel for the detection block.
This is the story of three organizations: EvilKittens (a criminal group), YOLO Corp (a new company that doesn't have any security staff) and CoolSec (a company that goes above security compliance). We will see how the two corporations fare against EvilKittens during various attack scenarios that all involve passwords.
Mathieu Saulnier Director Threat Research & Security Content, Sumo Logic
Mathieu Saulnier is a "Security Enthusiast" and a Core Mentor for Defcon's Blue Team Village. He is currently "Director Threat Research" at Sumo Logic, where he focuses on research, threat hunting and adversary detection. In the last 2 decades, he worked for one of the largest carriers in Canada as Sr Security Architect and held numerous positions as a consultant within several of Quebec's largest institutions. Since 2020 he has taken his mentoring engagement to the next level by joining the Blue Team Village Mentor Program. He loves to give talks and has had the honor to do so at Derbycon, SANS DFIR Summit, Defcon's BTV, NorthSec, GrayHat, GoSec and some BSides.
"Surely we can make a detection for when the whoami command is executed, right? Nobody ever runs whoami but threat actors." - Someone with no experience in detection engineering
In this talk, we'll discuss how we addressed the dilemma between detection coverage and alert fatigue in a SOC by correlating minor or noisy detection logics. We'll go through our journey to build a custom platform that leverages the concept of indicators. We'll share the toolset and some implementation details and show how we use it to monitor tens of thousands of endpoints. It has become one of our main tools for threat hunting and is used by our SOC analysts to assist them in their investigations.
Émilio Gonzalez Threat Hunter & SOAR Automation Specialist
Émilio works in a blue team at a large Canadian organization. He loves to participate in CTFs and create challenges to introduce people to some defensive aspects of cybersecurity. He's a co-organizer for MontréHack, a monthly CTF workshop in Montréal (duh). If you see him in a bar someday, do not approach him or he'll probably start a rant about tabs being the superior indentation character or about how cars ruin cities.
Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.
* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?
* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?
In this talk, we will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieve a single source of truth for their detection logic. We will explore how this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments. We will also discuss the importance of being in control of your detection systems, and how detection-as-code can help you maintain control and quality and ensure proper documentation. By adopting a detection-as-code approach, teams can improve the effectiveness, quality and efficiency of their detection systems and gain the confidence that comes from knowing that their detections and mitigations work as intended.
We will show how we have built a robust and flexible development and deployment process using Azure DevOps, Microsoft Sentinel, the Microsoft Defender suite, Azure Logic-Apps and Functions. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner. We will also show how these tools integrate with each other to provide a single source of truth for our detection logic, and how they can be used to automate various aspects of the development and deployment process. Overall, our approach allows us to build and maintain a highly effective and scalable detection system that is well-suited to the needs of any enterprise or service provider.
Olaf Hartong Security researcher, FalconForce
Olaf Hartong is a security researcher at FalconForce and a Microsoft Security MVP. He specialises in understanding the attacker tradecraft and thereby improving detection capabilities. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.
This presentation will examine the security exposures in GitHub Actions and GitHub Codespaces, two popular features of the widely used code-hosting platform GitHub. In 2019, GitHub released its own CI tool called GitHub Actions (GHA). GitHub Actions helps you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. In addition, GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based IDE (Integrated Development Environment) allows developers and organizations to customize projects by configuring dev-container files, easing earlier pain points in project development.
The talk will explore how attackers can abuse these cloud services to achieve their malicious goals, either for crypto mining, delivering malware, or using it to attack other targets inside or outside Azure. The audience will learn about real-world exploitation scenarios from cybercriminals and proof of concepts from our threat modeling analysis and be provided with practical tips to detect, avoid or prevent attacks and secure their codebases and pipelines. The presentation aims to raise awareness of the potential abuses associated with attackers using GitHub Actions and Codespaces and to encourage best practices in protecting your software supply chain platform.
Magno Logan Senior Threat Researcher, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and DevSecOps. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe.
So-called “Supply Chain” attacks are all over the news as several high profile breaches highlight CI/CD pipelines as a prime target. While AppSec focuses on writing secure code (SAST), managing risks from Open Source dependencies (SCA) and more generally finding vulnerabilities in apps and APIs, a large attack surface is often overlooked. The supply chain links the developer’s laptop, via the SCM, through CI/CD and finally the running application in production.
We’ve all heard about the SolarWinds breach, but what can be done to prevent such an attack? In this talk, we dive behind the scenes of similar attacks through the lens of SLSA (Supply chain Levels for Software Artifacts), a threat model designed to tackle these emergent threats.
Most importantly, we will discuss new technologies and approaches that are available today (or are under active development) to address these threats.
François Proulx Senior Product Security Engineer, BoostSecurity
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups, he has been in the heat of the action as the DevSecOps movement took shape. François is one of the founders of NorthSec and was a challenge designer for the NorthSec CTF.
We’ve heard for years about the looming quantum threat: how a sufficiently powerful quantum computer could break the cryptography we use today. Many things happened during the last year forcing us to pay close attention to the situation: NIST selected their first post-quantum cryptography (PQC) algorithms for standardization, some government agencies have set rapid transition goals, industry groups started to discuss PQC integration. Will you be ready for the post-quantum transition?
In this talk, I’ll cover the emerging PQC algorithms (paying close attention to the lattice-based Kyber), give an intuitive overview of how they work, and explain how they integrate into TLS, SSH, X.509, etc. I’ll present open-source tools that can be used to prepare for the PQC migrations, to create a migration plan and to start experimenting with PQC.
Christian Paquin Principal Program Manager, Microsoft Research
I am a crypto/security specialist in MSR’s Security and Cryptography team. I’m currently involved in projects related to post-quantum cryptography, such as the Open Quantum Safe project. I’m also leading the development of the U-Prove technology. I’m mostly interested in identity and access management, privacy-enhancing technologies, smart cloud encryption (e.g., searchable and homomorphic encryption), and the intersection of AI and security.
Prior to joining Microsoft in 2008, I was the Chief Security Engineer at Credentica, a crypto developer at Silanis Technology working on digital signature systems, and a security engineer at Zero-Knowledge Systems working on TOR-like systems.
gRPC/gRPC-web, even as a newer protocol, can offer a greater attack surface than regular HTTP/1.1 REST through application service misconfigurations. During this talk, we will enumerate the new attack vectors arising from misconfigurations, such as an HTTP/2 downgrade allowing request smuggling and the handling of server reflection. We want to present an entire code configuration for a secure generic gRPC service, leveraging an automatically generated Kubernetes authentication service with an interceptor to an authorization engine, to simplify complex delegation of access with open source Ory engines. Finally, we will cover in-depth application-level problems with currency, math and conversions to watch out for.
Ashley Manraj Chief Technology Officer, Pvotal Technologies Inc.
Spearheading the technology and development methodology at Pvotal Technologies, centered around event-driven asynchronous Go gRPC microservices in the backend. In the front-end, we are developing with Flutter cross-platform using the BloC pattern to interact with our backends in gRPC and gRPC-web. Everything is orchestrated strictly as infrastructure as code in GKE or locally using K3d.
Evading detection by modern AV & EDR can seem daunting and near impossible to the uninitiated. If the idea of trying to get a payload past these defenses seems unattainable and too "l337," then this talk is for you! I'll discuss what entropy is and how AV & EDR use entropy to detect payloads. I'll cover some basic concepts and tools you can use to start evading detection and get your payloads running. Stick around to the end to learn about a new tool for hiding shellcode and defeating entropy checks!
Mike Saunders Principal Consultant, Red Siege
Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect. Mike has been performing penetration tests for a decade. Mike is an experienced speaker and has spoken at DerbyCon, Wild West Hackin’ Fest, regional BSides conferences, the NDSU Cyber Security Conference, and SANS and Red Siege webcasts.
The SAP landscape is complex and highly customized, with numerous systems such as SAP HANA, SAP Solman, SAP Cloud Connector, and SAP ME. Many companies use cloud solutions provided by SAP, such as Cloud SAP HANA and SAP BTP. Those can exchange data with on-premise solutions. Vulnerabilities or misconfigurations in any of these systems can potentially lead to a compromise of the entire landscape.
In this research, we will discuss the various combinations of security issues and misconfigurations that we discovered last year, which can be exploited by remote attackers or insider users to fully compromise the SAP landscape, both on-premises and in the cloud. We will examine how vulnerabilities and misconfigurations in areas such as password storage and access controls can be exploited to gain unauthorized access to systems and sensitive data. By understanding these vulnerabilities and misconfigurations, companies can take action to improve their security and protect against successful attacks on their SAP landscape.
Vahagn Vardanyan is the CTO of RedRays.
His expertise includes protecting vital business applications, including ERP, CRM, SRM, banking, and processing software. He is a well-known authority on enterprise application security, including SAP and Oracle. He has published many vulnerabilities, and SAP has routinely thanked him for them.
Vahagn is the author of numerous whitepapers and surveys on SAP security research. He has been invited to present at many conferences worldwide, including Troopers, OWASP, and others.
We've often had the opportunity to hear about bug hunting & bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build them, but less often do we hear from the folks who work on those programs as their main focus.
In this talk we'll explore the ins and outs of GitHub's Bug Bounty program, along with advice for those working in or building BB/VDP programs, or submitting bounty reports. GitHub was an early adopter of bug bounties, with our program dating back to January 2014. Since then, the program has been recognized as a leading bug bounty program consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve paid out over $3,500,000 USD in bounties to date.
I'll cover:
- GitHub's Bug Bounty program, including payouts and key milestones
- How GitHub handles report triage & severity assignment
- How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze reports
- Operational considerations of working with both a SaaS & on-prem product
- Report/vulnerability disclosure
- Bug bounty triage as a job & career stepping stone
- Tips for researchers and bounty staff
Attendees will walk away with a better understanding of how GitHub's Bug Bounty team and program have grown over the past 8 years, the nuances and challenges that triagers/engineers face working with bounty reports, and how to improve their ROI when working on/with programs.
The onus of data security and privacy has until now always been dumped on consumers - they have to navigate myriad privacy policies and "Yes, I consent" clicks. Apps keep on leaking data, but the apps themselves are hardly ever questioned! Some laws (GDPR/CCPA) do outline what data can be collected and how it is supposed to be processed in the software - but this seldom creates actionable engineering directives that developers need to follow to build privacy-respecting apps. We always see the privacy protection function through the lens of data collected and stored in DBs. What if we actually dug deeper and started looking not just at what data is collected, but at the exact lines of code responsible for the collection and generation of data itself? Imagine a world where privacy is baked into the app itself and is not an afterthought. This talk explores how we can leverage static analysis techniques to find and fix privacy bugs early on in the game - before they ever manifest.
Suchakra Sharma Chief Scientist, Privado Inc.
Suchakra Sharma is the Chief Scientist at Privado where he helps build code analysis tools for data privacy and data security. He completed his Ph.D. in computer engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. For the last six years, Suchakra has been working on enhancing static analysis tooling for fixing security bugs at scale. He has delivered talks and trainings at venues such as USENIX LISA, Enigma, SCALE, RSA, BlackHat Arsenal, Papers We Love, NorthSec etc. When not playing with computers, he develops film photographs and writes poems.
This training is focused on experienced Web hackers who want to master their toolbox. The goal is to ease automation and to increase the ROI of the time spent testing Web targets.
Based on my in-depth knowledge of both Burp Suite and its extensions, this talk aims to provide bug hunters and pentesters with a set of useful strategies. The underlying goal is to increase the efficiency of the testing workflow (in terms of both capabilities and speed). I presented a similar talk in 2013, but the tool and its ecosystem have changed significantly since then.
Among the topics to be covered:
- Improved usage of the Burp Suite GUI, from modifying default settings to increasing the speed of interaction (including hotkeys)
- Automation of recurrent tasks, mainly the transparent management of sessions (via both cookies and headers like JWT) and CSRF tokens
- Essential extensions like Hackvertor, Piper and Burp Bounty
- Efficiently finding authorization bugs, on both APIs and web apps
- Niche knowledge about Collaborator (correlation) and Intruder (placeholders in wordlists)
- Poor man's automation pipeline, from a list of domains to findings
- Evergreen pieces of advice (on performance and live monitoring)
- How to stay up to date (a list of relevant online resources)
The talk includes self-hosted demos illustrating its most critical points.
Nicolas Grégoire Pwner, AGARRI
Nicolas Grégoire has been auditing web apps for 20 years. He has been an official Burp Suite Pro trainer since 2015, and has trained nearly a thousand people since then, either privately or at public events. Other than that, he runs Agarri, a one-man business where he looks for security vulnerabilities for clients and for fun. His public talks (covering SSRF, XSLT, Burp Suite, ...) have been presented at numerous conferences around the world.
This talk aims to explain how network segmentation works at the major Internet players. We will focus on the VxLan technology that has replaced Vlans in the datacenters hosting our data. We will review the attack surfaces of these "overlay networks", the intrinsic weaknesses of the protocols, and the vulnerabilities that have been exploited or remain to be exploited. We will no doubt observe that, surprisingly, the good old recipes still work and that 0-days rely on simplistic concepts! We will present the overlay network architectures of the major operators, then use the SCAPY library to forge network frames in order to put the target infrastructures to the test.
Kerberos, as integrated into Active Directory, offers a few extensions such as S4U and U2U that embed mechanisms at the root of several attacks (e.g. spn-less-rbcd, unpac-the-hash, sapphire ticket). The goal of this talk is to understand, once and for all, how these protocols work. We will go over the particularities of Service-for-User and User-to-User. We will look at their technical implementation, how their behaviour can be abused, and even how they can be combined. We will then understand how the attacks mentioned above work, in particular sapphire ticket, a variant of the golden ticket that is very difficult to detect.
Charlie Bromberg (Shutdown) Pentest manager, Capgemini
Shutdown (Charlie BROMBERG, @_nwodtuhs) is a penetration testing team leader in the South of France at Capgemini. He specializes in Active Directory. Author of The Hacker Recipes, creator of Exegol, and many other open-source projects and tools (pyWhisker, targetedKerberoast, etc.).
Mobile phones have become ubiquitous in our daily lives. They are in many cases the devices we spend the most time on, and the devices that keep us connected to our friends, loved ones and colleagues. While useful in many ways, mobile phones pose a significant threat to offenders. Indeed, mobile phones monitor location through GPS and can have spyware installed to monitor written, audio and video communications. For law enforcement, mobile phones represent a treasure trove of information that can lead to arrests and convictions. In response to this threat, offenders have adopted shadow phones, also known as ghost phones, encrypted phones or PGP phones. These come in a variety of forms, and in most cases offer a hardware package stripped of microphones, cameras and GPS chips to prevent any kind of spying. They also come with encrypted messaging services and many security features such as remote wipes based on time delays, secret PINs or remote triggers. Canada appears to be a central player in the underground economy for shadow phones, as some of the main distributors of these phones have been living (and arrested) in Canada. The aim of this presentation is first to survey the current state of the art on shadow phones. We reviewed court decisions, news reports and scientific articles on shadow phones, and researched companies that are currently advertising shadow phones for sale. Through this survey, we aim to present how the latest technologies are being used to protect offenders, and how law enforcement has attacked these encrypted communication services in the past. An important part of the services is the software that comes installed on the phones. The lessons learned here are extremely valuable for all communication services that are trying to offer end-to-end encryption and a higher level of privacy to their users.
The second part of this presentation is an analysis of interviews that we have conducted with various actors involved in the prosecution and defense of offenders who use shadow phones. We present their perception of the effectiveness of these phones, and the challenges that they pose for the judicial system. Here again there are many lessons to be learned about how the judicial system can handle emerging technologies, encryption, and the targeting of offenders, both online and offline, who use encryption.
Mélanie Théorêt is a bachelor's student in Criminology at the University of Montreal. She is currently a research assistant at the School of Criminology at the University of Montreal and an intern for the Research Chair in Cybercrime Prevention. Mélanie is working on various research projects focused on cybercrime, online fraud, and the impacts of technology on crime.
This study explores the application of machine learning (ML) for detecting security vulnerabilities in source code. The research aims to assist organizations with large application portfolios and limited security testing capabilities in prioritizing security activities. ML-based approaches offer benefits such as increased confidence scores, tuning of false positives and negatives, and automated feedback.
The initial approach using natural language processing techniques to extract features achieved 86% accuracy during the training phase but suffered from overfitting and performed poorly on unseen datasets during testing. To address these issues, the study proposes using the abstract syntax tree (AST) for Java and C++ codebases to capture code semantics and structure and generate path-context representations for each function.
The Code2Vec model architecture is used to learn distributed representations of source code snippets for training a machine learning classifier for vulnerability prediction. The study evaluates the performance of the proposed methodology using two datasets and compares the results with existing approaches. The Devign dataset yielded 60% accuracy in predicting vulnerable code snippets and helped resist overfitting, while the Juliet Test Suite predicted specific vulnerabilities such as OS-Command Injection, Cryptographic, and Cross-Site Scripting vulnerabilities. The Code2Vec model achieved 75% accuracy and 98% recall rate in predicting OS-Command Injection vulnerabilities.
The study concludes that even partial AST representations of source code can be useful for vulnerability prediction. The approach has potential for automated intelligent analysis on source code, including vulnerability prediction on unseen source code. State-of-the-art models using natural language processing techniques and CNN models with ensemble modelling techniques did not generalize well on unseen data and faced overfitting issues. However, predicting vulnerabilities in source code using machine learning poses challenges such as high dimensionality and complexity of source code, imbalanced datasets, and identifying specific types of vulnerabilities. Future work will address these challenges and expand the scope of the research.
Zunaira Zaman Research Engineer, Synopsys Inc
Zunaira Zaman is a Research Engineer at Synopsys Inc. with a keen interest in utilizing Machine Learning for automating software security. With a Joint Master's degree from Maynooth University, Ireland, and the University of Lorraine, France, and prior experience as a research intern at Inria, France, Zunaira brings a diverse skillset to her work. Her focus on leveraging ML to drive business growth and enhance user experiences is matched by her dedication to staying up-to-date with the latest industry trends through continuous professional development.
Learning about the tools, techniques and methods being used can benefit not only security professionals in the private sector; nation-states that are seriously lacking in talent and resources should take detailed notes on what is currently happening in Ukraine. Could they defend against such attacks, and if needed, could they deploy resources to effectively fight a hybrid conflict?
The Ukrainian conflict can help us understand the future of warfare and the evolving security landscape, though most of all it gives us on the offensive side some new tricks of the trade to add to our toolboxes; and most frightening are the nation-state threat actors taking notes.
Sarah Kraynick BA, CISSP
Sarah Kraynick is a long-time hacker. She spent her youth hacking electronics, well, really any system she could get her hands on. She later graduated from university and went on to work in the tech industry. She spent the better part of 10 years as a software engineer with a keen interest in security engineering. She had a foray into tech entrepreneurship and learned much about the privacy and security of PHI. For the last 5 or so years her main focus has been on cyber security; she has primarily worked on the offensive side of the house. Her research interests include cryptography, malware, reverse engineering and apparently cyber warfare. Sarah is currently working towards her CISSP-ISSEP… in the future she hopes to finally get her master's.
In their first Patch Tuesday of January 2020, Microsoft patched CVE-2020-0601, aka CurveBall, a flaw in their root CA trust store that allowed anybody to forge certificates that would be recognized as trusted by Windows 10 and Windows Server 2016/2019. The flaw was first discovered by the NSA and patched without fully disclosing its details. Back then, we "reversed" it and released a POC within 48 hours of its non-disclosure. We'll see how.
More recently, a second flaw, CVE-2022-34689, was disclosed by the NSA in Windows CryptoAPI. It was patched in August 2022, but was only publicly announced in the October 2022 Patch Tuesday.
In this talk we will discover how to leverage such cryptographic flaws in order to create trusted, signed binaries or how they enable us to perform MITM attacks against unpatched Windows machines and servers! We will also address how one can defend against these and why non-disclosure is not a great idea, especially for cryptographic flaws.
Yolan Romailler Applied Cryptographer, Protocol Labs
Yolan is an applied cryptographer at Protocol Labs delving into (and mostly dwelling on) cryptography, secure coding, and other fun things. He has previously spoken at Black Hat USA, BSidesLV, Cryptovillage, NorthSec, GopherConEU, and DEF CON on topics including automation in cryptography, public-key vulnerabilities, elliptic curves, post-quantum cryptography, functional encryption, open source security, distributed randomness, and more! He introduced the first practical fault attack against the EdDSA signature scheme and orchestrated the full disclosure with the code of the CurveBall vulnerability. Nowadays he's working on the distributed randomness project, drand, studying pairing-based cryptography, distributed key generation, and threshold systems. His most recent work was focused around Timelock Encryption.
Sylvain Pelissier, Kudelski Security
Cryptography expert in the research team at Kudelski Security. His favorite topics are cryptography, hardware attacks and vulnerability research in general. He has worked on the security of cryptographic algorithm implementations on different platforms as well as on critical code security audits. He likes playing and organizing CTFs.