Speakers (preliminary) - DeepSec IDSC 2021 Europe

Advanced Deployment and Architecture for Network Traffic Analysis

Peter Manev, Eric Leblond & Josh Stroschein (Open Information Security Foundation)

Network-based threat detection is crucial for developing a comprehensive security strategy, whether it is on-premise or in the cloud. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn how to maximize the visibility that Suricata can provide in your network. You will gain deep technical understanding and hands-on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection are critical for a successful deployment. You will also learn traditional and non-traditional tips, tricks and techniques to implement Suricata and its newest features, based on real-world deployment experiences, including cloud-based deployments. This class also offers a unique opportunity to bring in-depth use cases, questions, and challenges directly to the Suricata team. By the end of this course you will be able to successfully design, deploy, implement, optimize and hunt with your high-performance Suricata deployment.

Peter Manev: Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead and is currently a Suricata executive council member. Peter has 15 years’ experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software he is also one of the creators of SELKS - an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Eric Leblond: Eric is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS, since 2009 and is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Josh Stroschein is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activities for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight and a threat researcher for Bromium.

Advanced Whiteboard Hacking – aka Hands-on Threat Modeling

Sebastien Deleersnyder (Toreon)

First released at Black Hat USA trainings 2021, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we released this war game in première at Black Hat USA 2021. Also, in this edition we enhanced the sections on agile and DevOps threat modeling, threat modeling and compliance, added a section on "threat modeling at scale" and all participants get our Threat Modeling Playbook plus one-year access to our online threat modeling coaching subscription.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical Use Cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Using this methodology for our hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices into their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• Diagramming web and mobile applications, sharing the same REST backend
• Threat modeling an IoT gateway with a cloud-based update service
• Get into the defender's head – modeling points of attack against a nuclear facility
• Threat mitigations of OAuth scenarios for an HR application
• Privacy analysis of a new face recognition system in an airport
• Battle for control over "Zwarte Wind", an offshore windmill park

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we released this updated advanced threat modeling training at Black Hat USA 2021.



Course topics

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model
Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: diagramming web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• Attack trees
• Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service
Addressing each threat
• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• Specialist mitigations
• Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Threat modeling and compliance
• How to marry threat modeling with compliance
• Mapping threat modeling on compliance frameworks
• GDPR and Privacy by design
• Privacy threats
• LINDDUN and mitigating privacy threats
• Hands-on: privacy threat modeling of a face recognition system in an airport
Penetration testing based on offensive threat models
• Create pentest cases for threat mitigation features
• Pentest planning to exploit security design flaws
• Vulnerabilities as input to plan and scope security testing
• Prioritization of pentesting based on risk rating
• Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.
Advanced threat modeling
• Typical steps and variations
• Validating threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Threat models examples: automotive, industrial control systems, IoT and Cloud
Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared
Battle for control over "Zwarte Wind", an offshore windmill park
In our 5th edition of Black Hat trainings, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we release this war game in première at Black Hat USA 2021.
Examination
• Hands-on examination
• Grading and certification

Seba (https://twitter.com/Sebadele) is co-founder and CTO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and has given several public presentations on application security. Seba also co-organized the yearly BruCON security & hacker conference and trainings in Belgium.

With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience.

Defending Enterprises

Will Hunt, Owen Shearing (In.security)

Overview:
New for 2021, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.
Covering SIEM monitoring, alerting and threat hunting, you’ll play a SOC analyst in our cloud-based lab and try to rapidly locate IOAs and IOCs from an enterprise breach executed by the trainers.
You’ll use a combination of Microsoft Azure Sentinel and Elastic platforms to perform practical exercises, creating your own queries to detect potential compromises and highlight interesting activity.


Agenda
Day 1
• MITRE ATT&CK framework
• Defensive OSINT
• Linux/Windows auditing and logging
• Using Logstash as a data forwarder
• Overview of the Kibana Query Language
• Overview of the Kusto Query Language
• Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
• Detecting phishing attacks (Office macros, HTAs and suspicious links)
• Detecting credential exploitation (Kerberoasting, PtH, PtT, DCSync)

Day 2
• Creating alerts/rules in Azure Sentinel
• Detecting lateral movement within a network (WinRM, WMI, SMB, DCOM, MSSQL)
• Detecting data exfiltration (HTTP/S, DNS, ICMP)
• Detecting persistence activities (userland methods, WMI Event Subscriptions)
• C2 Communications


Also included:
We realise that training courses are limited in time and therefore students are also provided with the following:
• Completion certificate
• 14-day extended lab access after the course finishes
• Discord support channel access where our security consultants are available

Will (@Stealthsploit) co-founded In.security in 2018. He’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin' Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.

Hacking Modern Desktop Apps: Master the Future of Attack Vectors

Abraham Aranguren & Anirudh Anand (7ASecurity LLLP)

This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten. Long gone are the days when desktop apps were written in Delphi. What do Microsoft Teams, Skype, Bitwarden, Slack and Discord have in common? All of them are written in Electron: JavaScript on the client.

Modern desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern desktop apps, showcasing Node.js and Electron but using techniques that will also work with any other desktop app platform. Ideal for penetration testers, desktop app developers and everybody interested in JavaScript/Node.js/Electron app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace. Packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to our training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

Abraham Aranguren: After 13 years in ITsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. He is a security trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events, a former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com), creator of “Practical Web Defense” - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), and OWASP OWTF project leader, an OWASP flagship project (owtf.org). He holds a Major degree and Diploma in Computer Science, and some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Anirudh Anand: Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Senior Security Engineer at CRED and also as a Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 7 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.

Anirudh is an open source enthusiast and has contributed to several OWASP projects, with notable contributions being in OWTF and the Hackademic Challenges Project. He has presented/trained at a multitude of conferences including c0c0n 2019, BlackHat Arsenal 2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.

How to Break and Secure Single Sign-On (OAuth and OpenID Connect)

Karsten Meyer zu Selhausen (Hackmanit GmbH)

Single sign-on protocols are one of the most important Internet technologies and are used by countless applications. Security plays a critical role when using systems based on standards such as OAuth and OpenID Connect. Successful attacks allow hackers to bypass authentication or to access confidential user data. In this training, you will learn all security aspects relevant to single sign-on based on OAuth and OpenID Connect. You will learn which serious attacks exist and get the chance to try them yourself in our test environment. Finally, you will learn how to test and defend your own systems against these attacks.

Karsten Meyer zu Selhausen has several years of experience in the fields of secure deployment and secure use of well-known single sign-on standards, such as OAuth, OpenID Connect and SAML.

He has worked as an IT security consultant, penetration tester and trainer for Hackmanit GmbH since 2016. During his master’s degree in IT Security at the Ruhr-University Bochum, he specialized in the security of protocols for delegated authorization and authentication, as well as data description languages, such as XML and PDF. He gained profound expertise in the security of single sign-on procedures, such as OAuth, OpenID Connect and SAML, during numerous consulting projects and penetration tests. Karsten frequently shares his knowledge and experience with customers from various industry fields in IT security training courses.

Mobile Network Operations and Security

David Burgess (-)

This workshop describes basic functions and security shortcomings in mobile networks, both in the core network and in the radio network, for GSM, UMTS, LTE and 5G NR. The material is intended for individuals in the areas of journalism, international aid, corporate security, and the law, who have, or who work with people who have, specific security concerns and want to better understand what is really happening in their phones and in the mobile networks that serve those phones.

The workshop will start with an overview of cellular technology in general and types of security flaws common to all mobile networks, and then proceed to specific examples for different network segments and technology types. The workshop will include demonstrations of some security failures and deeper analysis of specific events reported in the popular press. The goal of the workshop is to give attendees a good grasp of key concepts in mobile network operation and the security implications, while avoiding unnecessary technical details. Questions and discussion are welcome and encouraged.

This workshop covers the mobile network, handset baseband, and SIM only, and does not address Android, iOS or application-layer security.

David Burgess has worked in telecommunications since 1998, first in signals intelligence and then in commercial network equipment. He is probably best known as the primary author of OpenBTS, but has written complete stacks for other cellular radio protocols as well. David’s company, Legba, provides mobile network equipment and test equipment for small network operators, embedded systems developers, and special applications. David also writes about telecommunications and does occasional work as an expert in legal cases.

Mobile Security Testing Guide Hands-On

Sven Schleier (-)

LIVE ONLINE TRAINING

[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also buy a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

If you just entered the domain of mobile app penetration testing, or have only experience in Web App Testing and would like to make the switch to mobile, this session is a perfect starting point for you. Nevertheless, there are also some more advanced topics that will also be of interest for more experienced testers.

At the beginning of the first day we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device; instead a cloud-based virtualized Android device will be provided for each student by using Corellium. These are some of the topics that will be covered during the course:

●    Frida crash course to kick-start with dynamic instrumentation on Android apps
●    Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
●    Identifying and exploiting a real-world deep-link vulnerability
●    Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
●    Analyze Local Storage of an Android App
●    Usage of dynamic Instrumentation with Frida to:
  ○      bypass Frida detection mechanisms
  ○      bypass multiple root detection mechanisms

On day 2 we focus on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Secure Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:

●    Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
●    Frida crash course to kick-start with dynamic instrumentation for iOS apps
●    Bypassing SSL Pinning with SSL Kill Switch and Objection
●    Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
●    Testing stateless authentication mechanisms such as JWT in an iOS Application
●    Using Frida for Runtime Instrumentation of iOS Apps to bypass:
  ○      Anti-Jailbreaking mechanisms
  ○      Frida detection mechanism
  ○      and other client-side security controls

The course consists of many different labs developed by the instructor and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and you will have the chance to win a prize!

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.


Attendees will be provided with the following content:

- All slides in PDF format used for Day 1 and Day 2
- Virtual Machine that includes all tools needed
- Several iOS and Android Apps that are used for the exercises


Prerequisites:

The following prerequisites need to be fulfilled by the students in order to be able to follow all exercises and fully participate:
 
●    Laptop (Windows/Linux/macOS) with at least 8 GB RAM and 40 GB of free disk space
●    Full administrative access, in case of any issues with the laptop environment (e.g. deactivate AV or Firewall)
●    Virtualization software (e.g. VMware, VirtualBox); A VM will be provided as OVA with all tools needed for the training
●    Stable internet connection with at least 50 Mbps

An Android hardware device is not needed by the participants. The Android hands-on exercises of the training will instead be executed in Corellium, a cloud-based virtualized environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

An iOS device is also not needed, as an emulated and jailbroken iOS instance will be provided for each student that is hosted in Corellium.

I will offer support 1 week before the training for all students, to make sure that the setup is up and working prior to the training.

Students will enjoy the training the most, if they have a basic understanding of mobile apps and the command line, interest in security and learning new things!

Sven is the Technical Director of F-Secure Singapore and has hands-on experience in attacking and defending web and mobile apps for the last 10+ years. He became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC.

Besides his day job, Sven has since 2016 been one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about Mobile Security worldwide to different audiences, ranging from developers to students and penetration testers.

Pentesting Industrial Control Systems

Arnaud Soullié (RS formation et conseil)

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
We will cover the most common ICS protocols (Modbus, S7, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.
The training will end with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.
Moreover, the training doesn’t stop on the last day! Each participant will receive 30-day access to an e-learning portal, which allows them to watch the training content on video, as well as to perform all the exercises on a cloud platform.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 10 years he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open-source data diode aimed at ICS.

Intelligence? Smartness? Emotion? What do We Expect from Future Computing Machinery?

Univ. Prof. Mag. Dr. Gabriele Kotsis (Johannes Kepler University Linz)

Artificial intelligence (AI) is one of the key technologies for dramatic change processes in the next 30 years. Research on the development of AI is driven by scientific and political ambitions, accompanied by great hopes and fears. What does it mean to live and work with such a form of intelligence? How will computing machinery evolve within the next decades? What can and should computer societies consider to ensure a positive development from both a technological and a societal point of view? These are some of the questions that will be addressed in this keynote.

Gabriele Kotsis is Full Professor in Computer Science and President of the ACM. She received her PhD from the University of Vienna in 1995, honored with the Heinz Zemanek PhD award. After visiting professor positions at the Business Schools in Vienna and Copenhagen in 2001/2002, she joined Johannes Kepler University Linz as head of the Department of Telecooperation. Her scientific contributions include seminal work in the field of workload characterisation for parallel and distributed systems and in performance management of computer systems with a specific focus on ubiquitous computing environments and cooperative systems. In 2014, Kotsis was recognized as ACM Distinguished Scientist for her scientific contributions. From 2003 to 2007 she was President of the Austrian Computer Society, from 2007 to 2015 Vice-Rector for Research at JKU. Gabriele has been JKU’s representative (2016-2018) and National Coordinator (since 2019) for Austria in the ASEA-UNINET academic research network.

How to Choose your Best API Protection Tool? Comparison of AI Based API Protection Solutions

Vitaly Davidoff (JFrog)

As the world becomes more and more connected, application security becomes an important concern, especially in the Internet of Things (IoT), Application Programming Interface (API), and microservices spaces. In addition, proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed.


There are many tools on the market providing AI based API protection and anomaly detection, but what really works? How do you choose the best solution? During my talk, I will share the results of my research reviewing the different architecture approaches and AI solutions used by popular tools on the market, from WAFs to workload protection systems.

Vitaly has about 15+ years’ experience as a developer and more than 8 years in the application security field. He is Applications Products Security lead at JFrog TLV Israel. In this position he is responsible for providing Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining the security controls required to handle identified security threats, performing code and design reviews, threat modeling and many other activities.
He holds CISSP and CSSLP certificates.

Those Among Us - The Insider Threat facing Organizations

Robert Sell (Trace Labs)

The cost of insider threats is rising, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are a growing risk that is still often under-addressed within the cybersecurity of organizations (especially when compared with external threats). Perhaps this is because it is hard to imagine that a trusted coworker could be siphoning corporate secrets from the company you both work for. Yet this act is more common than you think. There are many levels of insider threats, some much more harmful than others. Robert takes us on a journey that first outlines the many different kinds of insider threats: everything from accidental to espionage. He then discusses how to detect them and what companies can do about them. Having worked in the Information Security industry for 20 years in various fields and positions, Robert has seen many insider threat incidents and the damage they can do to a company. Today more than ever, companies are susceptible to this risk; however, few seem able to detect and mitigate it. In this talk, Robert draws upon his experiences to outline some of the tell-tale signs of insider threats and some of the many ways they can be detected early. He also discusses company culture and how to prevent the damage that insider threats can have. Robert also integrates some great industry examples as lessons to help show the audience the damage insider threats cause. The talk finishes with a checklist of mitigation strategies that companies can adopt to greatly improve their position and safeguard their secrets. There are many great talks out there on social engineering; however, all of these are focussed on an outside entity tricking the employees to get access. This talk looks at those amongst us who are already trusted employees and how to manage that risk.

Robert is the founder and president of the Trace Labs non-profit organization that crowd sources open source intelligence (OSINT) to help locate missing persons. He has spoken at conferences and podcasts around the world on subjects such as social engineering, open source intelligence, physical security and other topics. Robert primarily works in the aerospace industry where he assists newly acquired organizations to secure their environments. This includes all aspects of security in regions around the world. In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He placed third in this contest (both years). In 2018, he actually ran his own Trace Labs OSINT CTF while participating (and placing 3rd) in the SECTF at Defcon Vegas. Robert is also a ten-year volunteer with Search and Rescue in British Columbia, Canada. In his search & rescue capacity, Robert specializes in tracking lost persons and teaching first responders how to leverage OSINT.

Releasing The Cracken – A Data Driven Approach for Password Generation

Or Safran / Shmuel Amar (Proofpoint)

By now, it should be well known that passwords are like underwear, they should be changed often, the longer the better and it’s better not to leave them lying around.
While the big players are advocating passwordless authentication, passwords are still the most common authentication method. In the wild, we've seen thousands of organizations experiencing password spraying and brute-force attacks on their users. Although MFA should mitigate some of the threat, it is still not implemented on all protocols and in some cases has been bypassed through security flaws in the IdP.
In this talk, we'll present a new concept for password security, smartlists, built on a data-driven approach that utilizes recent advancements in NLP. Together with this talk, we are proud to release a new FOSS tool, written in Rust, that makes these concepts practical and easy to use by generating 200M+ password candidates per second.

Or Safran is an experienced and passionate security researcher working for Proofpoint at the Israel R&D site, where he researches the security of cloud applications, and enjoys publishing his findings in blogs and technical talks. Prior to Proofpoint, Or worked as a malware researcher and reverse engineer at IBM's cybercrime research labs. In his free time, he likes to break stuff while trying to dump its firmware, tinker with hardware projects and play online games.

Shmuel Amar is an experienced software architect working for Proofpoint at the Israel R&D site. During his free time, Shmuel likes to crack passwords for fun. Shmuel is part of the BIU NLP research lab completing his MSc.

Building a Cybersecurity Workforce: Challenges for Organizations

Matthieu J. Guitton, PhD, FRAI (CERVO Research Center)

The shift of human activities from offline to online spaces has major impacts on organizations, public and corporate alike, in terms of security, creating a constantly growing need for cybersecurity experts. Although small companies can obtain expertise from external providers, large organizations need to build their own cybersecurity workforce. For companies, the limited number of higher education programs leads to tension in the employment market and to the recruitment of people whose expertise is not primarily in cybersecurity. Furthermore, cybersecurity often focuses on technical aspects and does not always deal enough with the human factor, while the human factor is critical for companies and other large organizations.

This presentation will explore the challenges related to building a cybersecurity workforce from the point of view of organizations. We will discuss how to build a workforce that can take on both the mission of first-line defenders and the mission of educating the other members of the company, ranging from senior staff to front-line workers, and how cybersecurity can be operationally articulated between security services and IT professionals.

Matthieu J. Guitton is Secretary (Vice-Dean) of the Faculty of Medicine, Full Professor at the Faculty of Medicine and at the Graduate School of International Studies at Université Laval (Quebec City, QC, Canada), Fellow of the Royal Anthropological Institute, and Senior Researcher/Group Leader at the CERVO Brain Research Center (Quebec City, QC, Canada). He is the Editor-in-Chief of Computers in Human Behavior (Elsevier's leading journal in the field of cyberpsychology), and of Computers in Human Behavior Reports, and serves on several other editorial boards, such as Current Opinion in Behavioral Sciences. A graduate from the University of Rouen and Université Pierre et Marie Curie - Paris VI, he obtained his PhD from the University of Montpellier (France) and was a Koshland Scholar/Postdoctoral Fellow of Excellence at the Weizmann Institute of Science (Israel). He has published over 120 research papers, book chapters, or editorials on subjects ranging from neuropharmacology and health sciences to cyberpsychology, cyberbehavior, or security issues. His most recent works have appeared in journals such as Computers in Human Behavior, the International Journal of Intelligence and CounterIntelligence, or the International Journal of Intelligence, Security, and Public Affairs.

Running an AppSec Program in an Agile Environment

Mert Coskuner (Amazon)

Application security in an enterprise is a challenge. We can see this when we look at the statistics: 16,648 security vulnerabilities (CVEs) have been published so far in 2020, with an average severity of 7.1 out of 10.

In this talk, you will find various solutions such as:
- Development team risk scoring based on maturity and business aspect,
- SAST/DAST at CI/CD pipeline without blocking the pipeline itself,
- How to leverage bug bounty program,
- When to employ penetration testing,
- When to employ code review,
- Platform developments that remove the dependency on developers to implement security features themselves, e.g. internal authorization.

Most important of all, you will see that these solutions lead to minimal friction within the team, which creates a fine-tuned security program.

Mert Coskuner, MSc, is a Security Engineer at Amazon. He maintains a penetration testing and malware analysis blog at medium.com/@mcoskuner. In his free time Mert Can performs mobile malware research and threat intelligence.

Staatstrojaner

Andre Meister (netzpolitik.org)

T.B.A. / W.I.P. ("We are particularly interested in the topics of state backdoors and legal attacks on encryption.")

Andre is an investigative journalist at netzpolitik.org and has been following the Staatstrojaner (state trojan) topic for many years.

Master of Puppets - How to Tamper with the EDR?

Daniel Feichter

In my last talk at DeepSec 2020 we took a closer look at protection mechanisms that EPP/EDR products can use under Windows. We looked at how mechanisms like user-mode API hooking and kernel callbacks can be bypassed, and used that to dump credentials from LSASS without creating an alert in the EPP/EDR product.

This year we will again look at EPP/EDR systems and the mechanisms they use. But in this talk we are more interested in how we can tamper with EDR products without knowing a password, without using EDR uninstallation software, etc. We want to understand the user-space and kernel-space components of the EDR: which possibilities do we have, from a red team perspective, to tamper with user-space and kernel-space components and knock out the components the EDR needs?

Daniel Feichter studied industrial engineering and management at MCI in Innsbruck. After graduating, however, he decided to work in the field of IT security.
His focus is on Windows red teaming, with an emphasis on defense evasion and IT security research. Among other things, he is intensively engaged with EPP/EDR systems under Windows.

On Breaking Virtual Shareholder Meetings: How Secure is Corporate Germany?

Andreas Mayer (Heilbronn University of Applied Sciences)

The Covid-19 pandemic has had a major impact on annual general meetings (AGMs) of shareholders worldwide. Due to gathering restrictions, the vast majority of AGMs shifted from physical to online voting events. Purely virtual AGMs thus emerged as the new normal, where shareholders approve critical company decisions. But how secure are those virtual events really?

In this talk, I will present a systematic large-scale study on the security of 623 virtual AGMs held by German companies in 2020, including corporations listed in stock indices such as DAX and MDAX. In 72% of all virtual AGMs analyzed, at least one of the three CIA triad security goals was compromised. Join my talk and I will take you on an enthralling journey through the nitty-gritty details and pitfalls that led to the severe vulnerabilities found in real-world online voting portals. All issues were responsibly disclosed and fixed.

Andreas Mayer is professor for IT security at Heilbronn University of Applied Sciences with more than 15 years of working experience in planning, implementing, and operating secure systems and networks in large environments. His mission is to make the world more secure by finding/fixing vulnerabilities and educating students. In his free time, he has been a passionate buy-and-hold investor since 1998.

ApoMacroSploit : Apocalyptical FUD Race

Daniel Alima (Check Point Software Technologies)

In this talk, we will share our latest research on an Office malware builder that was involved in multiple attacks across the globe from November 2020 to February 2021.
In our presentation we will describe the tool's features for bypassing security solutions and the efforts of its developers to make it fully undetectable (FUD) using techniques for Windows Defender (WD) exclusion and UAC bypass. We will show the resources the threat actors used to validate that their malware went undetected.
We will also present an example attack flow that used this Office malware builder, carried out by one of the attackers who bought the tool.
Our intelligence efforts revealed the real identity of the Office malware builder's main developer as well as the malicious intentions of the ApoMacroSploit staff.
We will show how, following our publication and the reporting of this information to the relevant law enforcement authorities, the number of cyber-attacks related to this campaign dropped significantly.

Daniel is a malware analyst at Check Point Software Technologies.
Every day he monitors hundreds of suspicious files and analyzes some of them with the help of dedicated tools and sandbox emulation to identify suspicious campaigns and unique malware. He also writes static and behavioral signatures in order to detect new threats.

Large-scale Security Analysis Of IoT Firmware

Daniel Nussko (Freelancer)

Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image are very time-consuming, this is not practical for large-scale analysis.

To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.

For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. In addition, a backdoor was discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor, and two official CVE numbers have been assigned.

The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.
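
One building block of the compiler-mitigation statistics described above is a checker that runs over every ELF binary in an unpacked firmware tree without depending on `readelf` or `checksec` being available for thousands of images. The following is an added example by the editor, not the speaker's tooling: it parses the ELF64 header and program headers directly to decide PIE, NX stack, RELRO and (heuristically) stack canaries, and includes a constructed minimal ELF64 builder so it runs offline. The `scan_tree`/`summarize` functions and the sample images are assumptions made for the example; 32-bit images, common on MIPS/ARM IoT devices, are rejected here and would need the Elf32 layouts added.

```python
"""Checking compiler-based exploit mitigations in ELF binaries from unpacked firmware.

Added example, not the speaker's tooling. It reads the ELF64 header and program
headers directly (no readelf/checksec dependency), which is what a large-scale
scan over thousands of unpacked firmware trees needs. The sample image builder
is constructed here so the checker runs offline.
"""
import os
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def check_elf64_mitigations(data: bytes) -> dict:
    """Return {pie, nx, relro, canary} for one ELF64 image.

    - pie:    ET_DYN executables are position independent (ASLR covers .text)
    - nx:     PT_GNU_STACK present *without* PF_X; a missing PT_GNU_STACK means
              the kernel falls back to the architecture default (executable on x86)
    - relro:  PT_GNU_RELRO present (partial RELRO; full RELRO also needs BIND_NOW)
    - canary: heuristic substring scan for the __stack_chk_fail symbol name
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELF64 handled here")
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,
    }


def scan_tree(root: str) -> dict:
    """Walk an unpacked firmware tree and check every ELF64 file found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                results[path] = check_elf64_mitigations(data)
            except (OSError, ValueError):
                continue                   # not a readable ELF64 file
    return results


def summarize(results: dict) -> dict:
    """Fraction of binaries carrying each mitigation, as in the talk's statistics."""
    n = len(results) or 1
    return {k: sum(r[k] for r in results.values()) / n
            for k in ("pie", "nx", "relro", "canary")}


def build_sample_elf64(pie: bool, exec_stack: bool, relro: bool, canary: bool) -> bytes:
    """Constructed minimal little-endian x86-64 ELF64 (headers only) for testing."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    phdr = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return ehdr + phdr + (b"\x00__stack_chk_fail\x00" if canary else b"")
```

Two caveats worth keeping in mind when reading such statistics: the canary check is a string heuristic (a binary statically linked with a libc that contains `__stack_chk_fail` will look protected even if no function was instrumented), and an absent `PT_GNU_STACK` is reported here as "no NX" because that is the x86 kernel default, while some other architectures default the other way.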

Daniel Nussko is an independent security researcher and information security professional with years of progressive experience in cyber security. His main expertise lies with the penetration testing of enterprise networks and web applications. He holds a Master's degree in IT Security from University of Offenburg in Germany. When not involved in customer projects, he enjoys doing research in the field of IoT security.

SSH spoofing attack on FIDO2 Devices in Combination with Agent Forwarding

Manfred Kaiser (Bundesministerium für Landesverteidigung)

With OpenSSH 8.5, agent forwarding was implemented for SFTP and SCP to allow remote copy operations. Agent forwarding has been considered a security risk for years, but in some special use cases it seems to be more secure than private keys stored on an exposed server.

Since OpenSSH 8.2 a private key can be protected with a FIDO2 token. With a FIDO2-secured key, each use has to be confirmed by pressing a hardware button. This should prevent an attacker from abusing the key when agent forwarding is used.

In this talk a spoofing attack is presented that allows an attacker to abuse a FIDO2-protected key to log in to another server. A patch for OpenSSH and PuTTY that mitigates this spoofing attack is also shown.

PuTTY has accepted our patch, which enhances the existing spoofing attack mitigation. Many SFTP clients like WinSCP use PuTTY as a library, and our patch allows other applications to use the new spoofing mitigation.

OpenSSH does not consider spoofing attacks a vulnerability that has to be mitigated by the client. This is the reason why this spoofing attack is not mitigated by OpenSSH's client. We present some strategies for mitigating this kind of spoofing attack with OpenSSH.

Manfred Kaiser works for the BMLV (Austrian Federal Ministry of Defence), where he is responsible for creating security software.
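
The structural reason a forwarded FIDO2 key can be abused at all is what the agent is asked to sign. The following is an added illustration by the editor, not the speaker's code or patch: it builds and decodes an SSH_AGENTC_SIGN_REQUEST (OpenSSH agent protocol) whose payload is the SSH_MSG_USERAUTH_REQUEST blob from RFC 4252 section 7, so every signed field is visible. The request names the user and the key, but never the server the login is for; the session identifier is an opaque hash of a key exchange the agent never took part in. A remote host holding a forwarded agent socket can therefore submit a request for its own session with a third server, and the agent (and the token's touch prompt) cannot distinguish it from the one the user expects. The sample key blob, session id and user name are constructed values.

```python
"""Why a forwarded FIDO2 key can be spoofed: what an SSH agent actually signs.

Added illustration by the editor, not the speaker's code or patch. It builds and
parses an SSH_AGENTC_SIGN_REQUEST (OpenSSH agent protocol) whose payload is the
SSH_MSG_USERAUTH_REQUEST blob from RFC 4252 section 7, so it is visible that the
request names the user and the key but never the destination server.
"""
import base64
import hashlib
import struct

SSH_AGENTC_SIGN_REQUEST = 13
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_sign_request(key_blob, session_id, user, alg, flags=0) -> bytes:
    """Message an ssh client sends over the agent socket during publickey auth.

    Over a forwarded agent the same bytes arrive from the remote sshd, and the
    session_id is whatever that remote host chooses to supply.
    """
    to_sign = (ssh_string(session_id)
               + bytes([SSH_MSG_USERAUTH_REQUEST])
               + ssh_string(user)
               + ssh_string(b"ssh-connection")
               + ssh_string(b"publickey")
               + b"\x01"                       # boolean TRUE: signature follows
               + ssh_string(alg)
               + ssh_string(key_blob))
    return (bytes([SSH_AGENTC_SIGN_REQUEST])
            + ssh_string(key_blob) + ssh_string(to_sign) + struct.pack(">I", flags))


def parse_sign_request(msg: bytes) -> dict:
    """Decode the request the way an agent sees it, field by field."""
    if msg[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, off = _read_string(msg, 1)
    data, off = _read_string(msg, off)
    (flags,) = struct.unpack_from(">I", msg, off)

    session_id, o = _read_string(data, 0)
    if data[o] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("signed data is not a userauth request")
    user, o = _read_string(data, o + 1)
    service, o = _read_string(data, o)
    method, o = _read_string(data, o)
    o += 1                                     # skip the boolean
    alg, o = _read_string(data, o)
    blob_in_data, o = _read_string(data, o)
    return {
        "key_blob": key_blob,
        "flags": flags,
        "session_id": session_id,              # opaque: a hash of a KEX the agent never saw
        "user": user.decode(),
        "service": service.decode(),
        "method": method.decode(),
        "alg": alg.decode(),
        "key_matches": blob_in_data == key_blob,
        # This list is everything the agent (and the FIDO2 token) gets: no host.
        "signed_fields": ["session_id", "msg_type", "user", "service",
                          "method", "has_signature", "alg", "key_blob"],
    }


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, the key identity an agent can prompt with."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def confirmation_prompt(req: dict) -> str:
    """What a confirming agent can show the user. Note the absent destination."""
    return f"sign with {fingerprint(req['key_blob'])} for user {req['user']!r}?"


# Constructed sample values (not a real key). An sk-ssh-ed25519 public key blob
# is: string key type, string 32-byte public key, string application ("ssh:").
SAMPLE_KEY_BLOB = (ssh_string(b"sk-ssh-ed25519@openssh.com")
                   + ssh_string(bytes(range(32))) + ssh_string(b"ssh:"))
SAMPLE_SESSION_ID = bytes.fromhex("aa" * 32)


def demo() -> dict:
    req = build_sign_request(SAMPLE_KEY_BLOB, SAMPLE_SESSION_ID,
                             b"alice", b"sk-ssh-ed25519@openssh.com")
    return parse_sign_request(req)
```

The practical consequence is that a touch prompt only proves "someone with the agent socket asked for a signature right now", which is why the mitigations discussed in the talk have to come from the client side (what it shows the user and when it forwards the agent) rather than from the token. Two OpenSSH-side measures that do not depend on the agent are to avoid forwarding at all by using `ProxyJump` for multi-hop access, and, in releases from OpenSSH 8.9 onward, to load the key with destination constraints (`ssh-add -h`) so the agent refuses signatures for hosts outside the allowed chain.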

How to Protect the Protectors? Musings about Security in Security

Tim Berghoff (G DATA CyberDefense)

Attacks on service providers and software vendors are starting to become a huge problem for society.
Which begs the question: Why is that and is there anything we can do about it?
The fact of the matter is: We have been building a house of cards higher, more complex and faster than ever before - sometimes blissfully unaware that the foundation has started to give.
And our answer so far has been: "Build faster".
Therefore IT in general, and security in particular, has a problem. Can we turn that around? Maybe. Let's talk.
We will look at some of the fundamental issues that have been years in the making and that will take the most work to get right.

Tim has been working for G DATA since 2009 and gathered experience in support, consulting and public relations work.

The Black Box in your Data Center

Philipp Deppenwiese (immune GmbH)

Proprietary BIOS/UEFI firmware has been the de facto standard for most data center devices over the last three decades. Firmware and platform technologies are still closed-source today and lack transparency. We will show what kind of attack surfaces your firmware exposes and how supply chain security plays a huge role in this scenario.

We will give you an in-depth understanding of how firmware and platform security work and what tremendous impact firmware security has on threats like ransomware.

In the end, we will present solutions for regaining control at the firmware level and show how you can contribute to changing the hardware development industry.

Philipp Deppenwiese is co-founder of immune GmbH and has been working in IT security for the last 12 years. He specializes in the areas of trusted computing and firmware security. Over the years, he founded 9elements Cyber Security, the Open Source Firmware Conference, and the Open Source Firmware Foundation.

Firmware Surgery: Cutting, Patching and Instrumenting Firmware for Debugging the Undebuggable

Henrik Ferdinand Nölscher (Noelscher Consulting GmbH)

Embedded systems can be challenging to analyze. Especially on automotive systems, many things that we take for granted with other software, such as debugging and tracing, do not always work. This is further complicated by watchdogs and peripheral processors that go haywire when strict timing and communication requirements are violated. On some systems, debugging is even impossible because debugging resources such as pins are either used for something else or don't exist at all!
Assuming that code can be dumped, the solution for this can be emulation; however, emulating a rich automotive system can be painful and often only a few aspects of the system can be sufficiently modeled.
What if there was an in-between? How can we debug, fuzz and tamper embedded firmware without access to real-time debugging or emulation?
In this talk, I will show a tool that uses a simple but smart binary instrumentation method and a new, pythonic assembler to automatically patch large firmware binaries, enhancing them with interactive backdoors, as well as function- or basic-block trace capabilities.
Along the way, I share some tricks that can be used to make targets easier to work with (regardless of whether they’re being instrumented) and explore further applications outside of the automotive realm for the tool, which is released specifically for DeepSec.

Ferdinand has been passionate about information security since he was young. He specializes in hardware security and reverse engineering techniques and enjoys spending his time analyzing the most challenging security aspects of embedded systems. He has spoken at USENIX WOOT and Black Hat Arsenal and, along with his great colleagues, has completed numerous embedded security projects involving secure boot audits, fault injection attacks and binary reverse engineering. In the past, he worked at companies such as Nio and Code White; right now, he's busy finding bugs and securing embedded systems at Noelscher Consulting GmbH.

Hunting for LoLs (an ML Living off the Land Classifier)

Tiberiu Boros, Andrei Cotaie (Adobe)

Living off the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this:

  • Experts tend not to reinvent the wheel
  • Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk)

The talk focuses on detecting attacker activity/Living off the Land commands using machine learning, for both Linux and Windows systems.
Most AV vendors do not treat the command line itself (from a syntax and vocabulary perspective) as an attack vector. And most log-based alerts are static, have a limited scope and are hard to update.
Furthermore, classic LoL detection mechanisms are noisy and somewhat unreliable:

(a) they are dependent on the experience of the SME (Subject Matter Expert) who creates them;

(b) they generate a high number of False Positives (because of the thin line in terms of tools and syntax between sysadmin operations and attacker operations);

(c) their rules grow organically, to the point where it is easier to retire and rewrite rather than maintain and update.


So, we built a robust, dynamic, high-confidence project to fix this! We used open-source data, real incident data, a handful of Adobe's SMEs and a lot of research and engineering.
The presentation covers why it is hard to detect LoLs, the feature engineering used in our approach, a comparison between different classifiers, as well as hands-on experience using our library and its integration into one of our previous open-source projects, the One-Stop Anomaly Shop (OSAS - https://github.com/adobe/OSAS). Additionally, we discuss why OSAS and the LoL classifier are complementary solutions and how evading one will lead to being detected by the other.


*This project is scheduled to be open-sourced in August 2021.

Tiberiu Boros holds a Ph.D. in computer science, specifically in the field of Text-to-Speech (TTS) synthesis. He is currently working for Adobe Systems Romania and is a former associate of the Research Institute for Artificial Intelligence of the Romanian Academy. Additionally, he maintains three machine learning open source projects (Stringlifier, OSAS, NLP-Cube). His research is focused on machine learning applied to security.

Andrei Cotaie is a Security Engineer specialized in Incident Response. Currently working for Adobe’s Security Coordination Center, Andrei made the transition from the public to the private sector almost 7 years ago. A big fan of automation and machine learning enthusiast, Andrei spends most of his time involved in monitoring and threat hunting projects, always trying to identify the latest unconventional attacks.

Real-Time Deep Packet Inspection Intrusion Detection System for Software Defined 5G Networks

Dr. Razvan Bocu (Transilvania University of Brasov, Romania, Department of Mathematics and Computer Science)

The philosophy that underpins the Internet of Things is apparently becoming essential for the projected permanently connected world. 5G data networks are expected to dramatically improve on the real-world significance of today's 4G networks, which makes them fundamental for the next generation of IoT device networks. Academic and industrial efforts to improve 5G technological standards and security mechanisms follow various routes. This talk therefore aims to present the state of the art concerning the development of the standards that model 5G networks. It draws on the author's experience gathered during the implementation of Vodafone Romania's 5G networked services, puts that experience in context by reviewing relevant similar contributions and technologies, and describes the research directions and difficulties that will probably influence the design and implementation of secure large 5G data networks.

Consequently, this talk presents a machine learning-based real-time intrusion detection system based on deep inspection of data packets, which has been tested in the context of a 5G data network. The intelligent intrusion detection system is built for software-defined networks and uses artificial intelligence-based models. It is able to proactively detect unknown intrusion patterns through machine learning-based software components. The system has been assessed and the results show that it achieves superior performance with lower overhead than similar approaches, which allows it to be deployed effectively on real-time 5G networks.

Dr. Razvan Bocu, Transilvania University of Brasov, Department of Mathematics and Computer Science, 500091, Romania (razvan.bocu@unitbv.ro). Dr. Bocu is a Research and Teaching Staff Member in the Department of Mathematics and Computer Science, the Transilvania University of Brasov, Romania. He received a B.S. degree in Computer Science from the Transilvania University of Brasov in 2005, a B.S. degree in Sociology from the Transilvania University of Brasov in 2007, an M.S. degree in Computer Science from the Transilvania University of Brasov in 2006, and a Ph.D. degree from the National University of Ireland, Cork, in 2010. He is the author or coauthor of 33 technical papers, together with four books and book chapters. Dr. Bocu is an editorial reviewing board member of seven high-profile technical journals in the field of Information Technology and Biotechnology.

Intercepting Mobile App Network Traffic aka “The Squirrel in the Middle”

Sven Schleier (OWASP Project Leader of Mobile Security Testing Guide (MSTG) and Mobile AppSec Verification Standard)

Sven wants to take a deep dive into intercepting the network communication of mobile apps and their APIs, and tries to cover the different kinds of challenges you might face when doing the same.

You might think now: what's the problem here? I configure Burp Suite, install the Burp Certificate Authority (CA) on the mobile device, set the system proxy to point to Burp, and case closed.

This is definitely true, but it only covers the "ideal" case! What about the following use cases:

- The app is built in Flutter or Xamarin. In that case the app will not use the system proxy but bypass it, so the proxy you set in iOS and/or Android will be ignored by the app.
- Not every app relies on HTTP; especially to avoid the overhead of HTTP, raw TCP might be used, and you sometimes also see XMPP or other protocols. As the system proxy you set in iOS and/or Android only covers HTTP(S), other protocols will never be sent to Burp, and even if you find a way to route them to Burp, Burp will not be able to process and display them, as Burp only understands HTTP.
- You might not be able to use a jailbroken or rooted device in the client's network.

These are only some of the challenges you might face when trying to intercept the communication of a mobile app to become a man-in-the-middle.

This talk will present and follow a methodology for intercepting the network communication between a mobile app and its APIs, and aims to enable the audience to tackle all the use cases described above. To do this, the talk will give detailed technical demos of how to overcome these challenges and allow you to master them.

Why "Squirrel-in-the-middle"? You will find out in the talk :-)

Sven has made several stops at big consulting companies and small boutique firms in Germany and Singapore, has specialised in application security, and has supported and guided software development projects for mobile and web applications throughout the whole SDLC.

Besides his day job, Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile Application Security Verification Standard (MASVS), and has created the OWASP Mobile Hacking Playground. Sven gives talks and workshops about mobile security worldwide to different audiences, ranging from developers to students and penetration testers.

Exploitation with Shell Reverse and Infection with PowerShell using VBS file

Filipi Pires (Hacking Is NOT a Crime Advocate | RedTeam Village | DCG 5511 - Sao Paulo)

The purpose of this presentation is to show the results of several efficiency and detection tests executed in our lab environment, protected by an endpoint solution provided by CrowdStrike. This talk shows the result of a defensive security analysis with an offensive mindset: using reverse shell techniques to gain access to the victim's machine and then deploying VBS malware to infect the victim's machine, called through PowerShell scripts, in our environment bypassing some components and engines such as Malware Protection - Associated IOC (command entered in script), Suspicious Processes, File System Access, Suspicious Scripts and Commands, Intelligence-Sourced Threats, among others.


Regarding the test performed, the first objective was to simulate targeted attacks using a Python script to obtain a panoramic view of the resilience of the solution with regard to the efficiency of its detection by signatures, NGAV and machine learning. Running this script, the idea is to use the reverse shell technique to gain access to the victim's machine. After this attack, the second objective consists of running a PowerShell script that downloads a malicious VBS file onto the victim's machine and executes it, with the malware obtained from MalwareBazaar through an API request.


I have been working as Principal Security Engineer at Talkdesk and Security Researcher at senhasegura. I am a Hacking is NOT a Crime advocate and RedTeam Village contributor. I am part of the DEFCON São Paulo, Brazil team, a speaker at security and new technology events in many countries such as the US, Canada, Germany, Poland and others, and a university professor teaching graduate and MBA courses at Brazilian colleges; in addition, I am the creator and instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

I Will Hide, You Come And Seek - Discovering The Unknown in Known Malwares using Memory Forensics

Shyam Sundar Ramaswami (Senior Research Scientist - Research and Efficacy Team - Cisco)

Malware analysis is a key phase for extracting IOCs like domains, IPs, mutexes and other signatures. What if the malware knows what online sandboxes and tools look for, and decides to "showcase only 90%" and hide the rest? Well, memory forensics comes to our rescue. This was tried and tested on a lot of samples during the pandemic and helped extract a lot of hidden processes, domains, URLs and even IPs. This is what the talk covers:

1. The traditional malware analysis process
2. Introduction to memory forensics and why it matters
3. Introducing tools like Volatility and Rekall
4. Running Orcus RAT, Agent Tesla and Sodinokibi ransomware samples using traditional methods like the Any.run online sandbox and malware runs
5. Playing a game: capturing the memory of the infected machine by invoking the WMI module and suspending the machine
6. Tracking the malware, bypassing its hooks and executing a wmic command to hibernate the machine
7. Obtaining the hiberfil.sys file and performing memory forensics
8. Extracting hidden processes, spotting DLL injection, dumping process memory and extracting IOCs like IPs and URLs
9. Voilà, we win!

Shyam Sundar Ramaswami is a Lead Threat Researcher with the Cisco Umbrella Threat Intelligence team. Shyam is a two-time TEDx speaker and a teacher of cybersecurity. He has given talks at several conferences such as Black Hat (Las Vegas), Qubit Forensics (Serbia), Nullcon 2020 (Goa), Cisco Live (Barcelona), HackFest (Canada) and DeepSec (Vienna), at several universities, and at IEEE forums in India. Shyam has also taught an "Advanced malware attacks and defenses" class at Stanford University's cybersecurity program and runs a mentoring program called "Being Robin" where he mentors students all over the globe on cybersecurity. Interviews with him have been published on leading websites like ZDNet and CISO MAG. His Twitter handle is @hackerbat.

Assessing and Exploiting ICS

Etizaz Mohsin (Saudi Telecom Company)

All modern control systems have brought greater security risk for society as a whole. While they add value to the business, one must accept the compromise attached to them. This talk highlights all the types of security assessment that need to be performed to minimize the vulnerabilities attackers can use to exploit ICS environments across the globe. We will talk about ICS components (control systems, PLCs, RTOSes, IEDs) and ICS attack surfaces (network protocols, maintenance interfaces, radio frequency communication, field devices) and outline methods to mitigate the threats.

Etizaz Mohsin is an information security researcher and enthusiast. His core interests lie in low-level software exploitation in both user and kernel mode, vulnerability research and reverse engineering. He is an active speaker at international security conferences including DEFCON, HITCON, HACTIVITY, DEEPSEC, SECTOR, GREHACK, ARAB SECURITY CONFERENCE, BSIDES and others. He holds industry certifications, the most prominent being OSCP, OSCE, OSWP, OSWE, OSEE, CREST CRT and CPSA.

Kubernetes Security - Challenge or Chance?

Marc Nimmerrichter (Certitude Consulting GmbH)

For anyone in IT and IT security, there seems to be no way around Kubernetes. Containerization has changed the way software is developed, deployed, and operated. Microservices are the new paradigm. Many information security teams around the world, seeing the adoption of Kubernetes and microservice architectures in their organization, are now asking: What do containerization and Kubernetes mean for security, and how do we fit this technology into our existing architectures and processes?

In this talk we will dissect the various components of Kubernetes and how they work technically under the hood. We will investigate common pitfalls and how they could be exploited to gain privileges, take over components or compromise the whole cluster and learn how to avoid these issues.

But let’s not only talk about the risks. There are also new chances for more security with containers and Kubernetes in contrast to previous deployment models and technologies. But only when it’s done right!

Marc Nimmerrichter started specialising in information security during his studies in IT and information security. He has worked for many years as pentester and IT-security consultant and currently he works as Managing Partner at Certitude Consulting GmbH. He has advised well-known IT service providers, software developers, banks and federal authorities in Europe.

He specialized in Kubernetes security early, at a time when Kubernetes security guides were scarce. Marc has performed Kubernetes security audits for various clients in software development, telecommunications, health care and the public sector.

When Ransomware fails

Sreenidhi Ramadurgam (Cisco Talos)

Ransomware is a piece of code written by an attacker to encrypt the victim’s files.
Even though it has been around for many years, its popularity has increased since the outbreak of WannaCry, which shook the whole cyber world.

When the logic of ransomware code is observed, a common pattern emerges. It is similar to how humans interact with the system: to access the files, the code has to access the logical drive first. Each logical drive is assigned a letter by the operating system. For example, when code has to access the files on the D drive, it has to access drive ‘D’ first.

What if there is a logical drive in the system which doesn’t have any letter assigned to it?
Now it is harder to access the files, because the ransomware code is written to access drives by their assigned letter. This is where most ransomware fails to encrypt the data.

Guess what? The audience will witness what ransomware cannot encrypt. Yes, you heard it right! Cannot!
Can this be a solution for basic users to protect backups of important files from being encrypted?
We will also see what an attacker might do in the future when ransomware encounters this situation.

I am a Security Researcher at Cisco. I have conducted cybersecurity and malware analysis workshops at universities across India and have delivered talks at Cisco SecCon packet village, 2019 and at BSides Munich/ELBSides 2021.

I actively work on threat hunting, reverse engineering various malware samples and building honeypots to catch threats in the wild. My arsenal includes malware reversing and analysis skills and Metasploit skills, and I also have a strong interest in memory forensics.
I have published blog posts related to interesting findings that I have come across in this domain:
1. https://umbrella.cisco.com/blog/inadequate-security-makes-wordpress-sites-a-land-of-opportunity-for-hackers
2. https://umbrella.cisco.com/blog/cyber-attackers-use-seo-to-spread-malware-through-torrent-files
3. https://umbrella.cisco.com/blog/obfuscation-the-abracadabra-of-malware-authors

Certifications: GREM, CEH, Cisco BlackBelt.

Information Security Assurance – The Capital C in PDCA

Frank Ackermann (Deutsche Börse AG)

In some organizations, 2nd Line of Defense functions are kept in the ivory tower, far away from the machine room and the real security issues the company faces. These functions and their deliverables, e.g. the policy and framework they develop and maintain, might be used to manage compliance and feed regulators. But are these outcomes valuable? Is their implementation effective in both design and operation? Do they support the security organization to thrive and prosper?

After Deutsche Börse Group revised its security organization, the 2nd LoD function IS Assurance was established. The function, its framework, the grading approach, the assessment plans, and the validation methods for evidence were developed from scratch, with the holistic goal of further improving the security organization.
Within a short period of time the function was able to assess the first security process and generated an overview of the design and operational effectiveness of the verified subject. Here IS Assurance became a trustworthy partner for the 1st and the 3rd Lines of Defense.
This talk introduces the IS Assurance function implemented at Deutsche Börse Group, gives insights into lessons learned and challenges, and demonstrates a model for grading operational effectiveness with practical details.

Frank Ackermann has longstanding experience in cyber security and technology. He has held diverse expert and lead functions in all three Lines of Defense and has willingly challenged the status quo to improve the respective security organizations.
His credo “Security is not my job – it is my passion.” comes with a strong desire to support further development in the area of information security.

Do You Have a PlugX?

Artem Artemov, Rustam Mirkasymov (Group-IB Europe B.V.)

A deep overview of a tool used by Chinese nation-state APTs, based on a real-life incident response case at a large industrial company. The investigation revealed the presence of PlugX in the infrastructure. This presentation gives a full overview of the tool's functionality, its past versions, and its present-day usage (Thor is a new version of PlugX). We show why it is hard to find and why it is important for big industrial companies. We also talk about our assumption that all recent big attacks, first Sunburst and then the Exchange exploits (ProxyLogon, related to Hafnium), are links in one chain.

Artem Artemov: Head of DFIR Lab, Group-IB Europe. More than 14 years in DF, the last 10 years at Group-IB. Incident responses all over the world; I take part in investigations and arrests of cybercrime groups like Carberp, Buhtrap, Corcow, Cobalt, Cron, Moneytaker and others. I also provide tailored DF courses at several universities.

Rustam Mirkasymov: Head of Cyber Threat Research, Group-IB Europe. 8 years in cyber threat research and threat intelligence. Strong skills in reverse engineering, knowledge of exploit development and an understanding of software vulnerability mechanisms. Author / co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, MoneyTaker, RedCurl). Experienced speaker at key cyber security media & events.

Web Cache Tunneling

Justin Ohneiser (Booz Allen Hamilton, Inc)

By using cache poisoning to store arbitrary data, public web caches can be utilized as open ephemeral storage to facilitate anonymous and evasive communication between network clients.

Justin Ohneiser, following a Bachelor's Degree in Mechanical Engineering from the University of Maryland, worked various roles in enterprise software development and computer forensics before spending the last 4 years at Booz Allen Hamilton bringing clients an offensive perspective to information security.

Don't get hacked, get AMiner! Smart log data analytics for incident detection

Florian Skopik (Austrian Institute of Technology (AIT))

Monitoring log data for traces of malicious activities has proven to be an effective method for incident detection in cyber security. State-of-the-art detectors frequently apply signature-based detection, meaning that these tools search for specific strings or tokens from threat intelligence databases that are known to correspond to particular attacks. Unfortunately, signature-based detection is vulnerable even to simple evasion techniques, and is certainly insufficient to uncover previously unknown attack techniques. As a consequence, tools such as the AMiner provide a complementary line of defense by leveraging anomaly detection techniques that use machine learning to automatically learn a baseline of normal behavior and report deviations from the generated models as suspicious activities that possibly relate to attacks. The log processing pipeline of the AMiner consists of several configurable modules. First, light-weight parser models extract relevant information, such as timestamps, IP addresses, and usernames, from all kinds of logs, including access logs, audit logs, application logs, and more. The AMiner subsequently applies analysis techniques to the parsed data to learn a baseline of normal system events and their properties. On top of that, configurable detectors discover any deviations from this baseline, including detection of new values and value combinations, unusual character distributions of values, changes of event frequencies such as spikes or missing events, violations of expected correlation and sequence rules, as well as detection based on statistical distributions of values and event occurrences, among many others. All disclosed anomalies are eventually reported to security analysts for review and remediation through several interfaces, including message queues that store anomalies in databases or visualize them in SIEM dashboards.
In our talk we will present a broad overview of the AMiner and explain its modules with the aid of several use-cases and hands-on examples.

Florian Skopik, Markus Wurzenberger and Max Landauer are with the Austrian Institute of Technology (AIT), where they develop new concepts, models and algorithms in the field of computer log data analysis and anomaly detection in national and international security research projects. The solution is available on GitHub: https://github.com/ait-aecid/logdata-anomaly-miner. Their new book "Smart Log Data Analytics" describes their work in detail: https://www.springer.com/gp/book/9783030744496

Revenge is Best Served over IOT

Chris Kubecka (Middle East Institute)

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified digitally, with the pandemic accelerating connectivity. Join Chris on a 2.5-year Iranian espionage campaign attempting to recruit her for the most innocent of jobs: teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old-school espionage with a cyber twist: bribery, sockpuppets, recruitment handlers, propaganda and a VVIP luxury trip, mixed with a little IoT camera revenge and 2021 police protection.

Chris is the Distinguished Chair of the Middle East Institute’s Cyber Program and CEO of HypaSec. She has practical and strategic hands-on experience in several cyber warfare and cyber terrorism incidents. She is a former USAF aviator and served in USAF Space Command. She helped detect and halt the July 2009 Second Wave attacks from the DPRK against South Korea, and helped recover and re-establish international business operations after the world’s most devastating cyber warfare attack, Shamoon, in 2012. She led the incident management when the Saudi Arabian Embassy in The Netherlands was hacked in 2014, an incident involving the ISIS terrorist group, the city of The Hague and all embassies in the city, which included negotiation and the discovery of evidence of a diplomatic insider that saved the lives of over 400 dignitaries.