Network-based threat detection is crucial for developing a comprehensive security strategy, whether it is on-premise or in the cloud. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn how to maximize the visibility that Suricata can provide in your network. You will gain deep technical understanding and hands on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection are critical for a successful deployment. You will also learn traditional and non-traditional tips, tricks and techniques to implement Suricata and its newest features, based on real-world deployment experiences to include cloud-based deployments. This class also offers a unique opportunity to bring in-depth use cases, questions, and challenges directly to the Suricata team. By the end of this course you will be able to successfully design, deploy, implement, optimize and hunt with your high-performance Suricata deployment.

First released at Black Hat USA trainings 2021, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we released this war game in première at Black Hat USA 2021. Also, in this edition we enhanced the sections on agile and DevOps threat modeling, threat modeling and compliance, added a section on "threat modeling at scale" and all participants get our Threat Modeling Playbook plus one-year access to our online threat modeling coaching subscription.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical Use Cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Using this methodology for our hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices into their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• Diagramming web and mobile applications, sharing the same REST backend
• Threat modeling an IoT gateway with a cloud-based update service
• Get into the defender's head – modeling points of attack against a nuclear facility
• Threat mitigations of OAuth scenarios for an HR application
• Privacy analysis of a new face recognition system in an airport
• Battle for control over "Zwarte Wind", an offshore windmill park

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we released this updated advanced threat modeling training at Black Hat USA 2021.


 
Course topics

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model
Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: diagramming web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• Attack trees
• Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service
Addressing each threat
• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• Specialist mitigations
• Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Threat modeling and compliance
• How to marry threat modeling with compliance
• Mapping threat modeling on compliance frameworks
• GDPR and Privacy by design
• Privacy threats
• LINDUNN and Mitigating privacy threats
• Hands-on: privacy threat modeling of a face recognition system in an airport
Penetration testing based on offensive threat models
• Create pentest cases for threat mitigation features
• Pentest planning to exploit security design flaws
• Vulnerabilities as input to plan and scope security testing
• Prioritization of pentesting based on risk rating
• Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.
Advanced threat modeling
• Typical steps and variations
• Validation threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Threat models examples: automotive, industrial control systems, IoT and Cloud
Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared
Battle for control over "Zwarte Wind", an offshore windmill park
In our 5th edition of Black Hat trainings, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we release this war game in première at Black Hat USA 2021.
Examination
• Hands-on examination
• Grading and certification

Overview:
New for 2021, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.
From SIEM monitoring, alerting and threat hunting, you’ll play a SOC analyst in our cloud-based lab and try to rapidly locate IOA’s and IOC’s from an enterprise breach executed by the trainers.
You’ll use a combination of Microsoft Azure Sentinel and Elastic platforms to perform practical exercises, creating your own queries to detect potential compromises and highlight interesting activity.

Agenda
Day 1
• MITRE ATT&CK framework
• Defensive OSINT
• Linux/Windows auditing and logging
• Using Logstash as a data forwarder
• Overview of the Kibana Query Language
• Overview of the Kusto Query Language
• Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
• Detecting phishing attacks (Office macros, HTA’s and suspicious links)
• Detecting credential exploitation (Kerberoasting, PtH, PtT, DCSync)

Day 2
• Creating alerts/rules in Azure Sentinel
• Detecting lateral movement within a network (WinRM, WMI, SMB, DCOM, MSSQL)
• Detecting data exfiltration (HTTP/S, DNS, ICMP)
• Detecting persistence activities (userland methods, WMI Event Subscriptions)
• C2 Communications


Also included:
We realise that training courses are limited for time and therefore students are also provided with the following:
• Completion certificate
• 14-day extended lab access after the course finishes
• Discord support channel access where our security consultants are available

This course is a 100% hands-on deep dive into the OWASP Security Testing
Guide and relevant items of the OWASP Application Security Verification
Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days since desktop apps were written in Delphi. What have
Microsoft Teams, Skype, Bitwarden, Slack and Discord in common? All of them are
written in Electron: JavaScript on the client.

Modern desktop apps share traditional attack vectors and also introduce new
opportunities to threat actors. This course will teach you how to review modern
desktop apps, showcasing Node.js and Electron but using techniques that will
also work with any other desktop app platform. Ideal for Penetration Testers,
Desktop App Developers as well as everybody interested in
JavaScript/Node.js/Electron app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace. Packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to our training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

Single sign-on protocols are one of the most important Internet technologies and are used by countless applications. Security plays a critical role when using systems based on standards such as OAuth and OpenID Connect. Successful attacks allow hackers to bypass authentication or to access confidential user data. In this training, you will learn all security aspects relevant to single sign-on based on OAuth and OpenID Connect. You will learn which serious attacks exist and get the chance to try them yourself in our test environment. Finally, you will learn how to test and defend your own systems against these attacks.

This workshop describes basic functions and security shortcomings in mobile
networks, both in the core network and in radio network, for GSM, UMTS, LTE
and 5GNR. The material is intended for individuals in the areas of
journalism, international aid, corporate security, and the law, who have or
who work with people who have specific security concerns and want to
better understand what is really happening in their phones and in the
mobile networks that serve those phones.

The workshop will start with an overview of cellular technology in general
and types of security flaws common to all mobile networks, and then
proceed to specific examples for different network segments and technology
types. The workshop will include demonstrations of some security failures
and deeper analysis of specific events reported in the popular press. The
goal of the workshop is to give attendees a good grasp of key concepts in
mobile network operation and the security implications, while avoiding
unnecessary technical details. Questions and discussion are welcome and
encouraged.

This workshop covers the mobile network, handset baseband, and SIM only,
and does not address Android, iOS or application-layer security.

LIVE ONLINE TRAINING

[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets.You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

If you just entered the domain of mobile app penetration testing, or have only experience in Web App Testing and would like to make the switch to mobile, this session is a perfect starting point for you. Nevertheless, there are also some more advanced topics that will also be of interest for more experienced testers.

At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student by using Corellium. These are some of the topics that will be covered during the course:

●    Frida crash course to kick-start with dynamic instrumentation on Android apps
●    Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
●    Identifying and exploiting a real word Deep-link vulnerability
●    Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
●    Analyze Local Storage of an Android App
●    Usage of dynamic Instrumentation with Frida to:
  ○      bypass Frida detection mechanisms
  ○      bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:

●    Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
●    Frida crash course to kick-start with dynamic instrumentation for iOS apps
●    Bypassing SSL Pinning with SSL Kill Switch and Objection
●    Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
●    Testing stateless authentication mechanisms such as JWT in an iOS Application
●    Using Frida for Runtime Instrumentation of iOS Apps to bypass:
  ○      Anti-Jailbreaking mechanisms
  ○      Frida detection mechanism
  ○      and other client-side security controls

The course consists of many different labs developed by the instructor and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and you will have the chance to win a price!

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.


Attendees will be provided with the following content:

- All slides in PDF format used for Day 1 and Day 2
- Virtual Machine that includes all tools needed
- Several iOS and Android Apps that are used for the exercises


Prerequisites:

The following prerequisites need to be fulfilled by the students in order to be able to follow all exercises and fully participate:
 
●    Laptop (Windows/Linux/macOS) with at least 8 GB Ram and 40GB of free disk space
●    Full administrative access, in case of any issues with the laptop environment (e.g. deactivate AV or Firewall)
●    Virtualization software (e.g. VMware, VirtualBox); A VM will be provided as OVA with all tools needed for the training
●    Stable internet connection with at least 50 Mbps

An Android hardware device is not needed by the participants. The Android hands-on exercises of the training will instead be executed in Corelium, a cloud-based virtualized environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

An iOS device is also not needed, as an emulated and jailbroken iOS instance will be provided for each student that is hosted in Corellium.

I will offer support 1 week before the training for all students, to make sure that the setup is up and working prior to the training.

Students will enjoy the training the most, if they have a basic understanding of mobile apps and the command line, interest in security and learning new things!

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
We will cover the most common ICS protocols (Modbus, S7, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.
The training will end with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.
Moreover, the training doesn’t stop on the last day! Each participant will receive a 30-day access to an elearning portal, which allows to watch the training content on video, as well as to perform all the exercises on a cloud platform.

Artificial intelligence (AI) is one of the key technologies for dramatic change processes in the next 30 years. Research on the development of AI is driven by scientific and political ambitions, accompanied by great hopes and fears. What does it mean to live and work with such a form of intelligence? How will computing machinery evolve within the next decades? What can and should computer societies consider to ensure a positive development from both, a technological as well as societal point of view? These are some of the questions that will be addressed in this keynote.

As the world becomes more and more connected, Application Security becomes an important concern. Especially regarding the Internet of Things (IoT), Application Programming Interface
(API), and Microservices spaces. In addition, the proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed.

There are many tools on the market providing AI based API protection and anomaly detection but what really works? How to choose the best solution? During my talk, I will share results from the research of reviewing different architecture approaches and AI solutions introduced by different favorite tools on the market, from WAF to workload protection systems.

The cost of insider threats is rising, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are a growing risk that is still often under-addressed within cybersecurity of organizations (especially when compared with external threats). Perhaps this is because it is hard to imagine that a trusted coworker could be siphoning corporate secrets from the company you both work for. Yet, this act is more common than you think. There are many levels of insider threats and some much more harmful than others. Robert takes us on a journey that first outlines the many different kinds of insider threats: everything from accidental to espionage. He then discusses how to detect it and what companies can do about it. Having worked in the Information Security industry for 20 years in various fields and positions, Robert has seen many insider threat incidents and the damage this can have on a company. Today more than ever, companies are susceptible to this risk however few seem able to detect and mitigate. In this talk, Robert draws upon his experiences to outline some of the tell tale signs of insider threats and some of the many ways this can be detected early. He also discusses company culture and how to prevent the damage that insider threats can have. Robert also integrates some great industry examples as learning to help show the audience the damage insider threats have. The talk finishes with a check list of mitigation strategies that companies can do to greatly improve their position and safeguard their secrets. There are many great talks out there on social engineering, however, all of these are focussed on an outside entity tricking the employees to get access. This talk looks at those amongst us who are already trusted employees and how to manage that risk.

By now, it should be well known that passwords are like underwear, they should be changed often, the longer the better and it’s better not to leave them lying around.
While the big players advocating for passwordless authentication, passwords are still the most common authentication method. In the wild, we’ve seen thousands of organizations experiencing password spraying and bruteforce attacks on their users. Although MFA should mitigate some of the threat, it's still not implemented on all protocols and in some cases was bypassed by security flaws in the IDP.
In this talk, we’ll present a new concept for password security – smartlists, built on a new data driven approach that utilize recent advancements in NLP. Together with this talk, we are proud to release a new FOSS tool that makes these new concepts practical and easy to use by generating 200M+ password candidates per second written in Rust.

The shift of human activities from offline to online spaces has major impacts on organizations – either public or corporate – in terms of security, therefore creating a constantly growing need for cybersecurity experts. Although for small companies, expertise can come from external providers, large organizations need to build their own cybersecurity workforce. For companies the limited number of higher education formations lead to tension in the employment market, and in the recruitment of people whose expertise is not primarily on cybersecurity. Furthermore, cybersecurity often focuses on technical aspects, and does not always deal enough with the human factor – while the human factor is critical for companies and other large organizations.

This presentation will explore the challenges related to building a workforce in cybersecurity from the point of view of organizations. We will discuss how to build a workforce that can take on both the mission of first line defenders, and the mission of education of the other company members, ranging from its higher operatives to the basic workers, and how cybersecurity can be operationally articulated between security services and IT professionals.

Application security in an enterprise is a challenge. We can see this when we look at the statistics; There have been 16648 security vulnerabilities (CVEs) published so far in 2020 and the average severity is 7.1 out of 10.

In this talk, you will find various solutions such as;
- Development team risk scoring based on maturity and business aspect,
- SAST/DAST at CI/CD pipeline without blocking the pipeline itself,
- How to leverage bug bounty program,
- When to employ penetration testing,
- When to employ code review,
- Platform developments to remove dependency for developers’ to implement features i.e. internal authorization.

The most important of all, you will see the solutions lead to minimal friction within the team, which creates a fine-tuned security program.

T.B.A. / W.I.P. ("Wir sind besonders an den Themen staatliche Hintertüren und rechtliche Angriffe auf Verschlüsselung interessiert.")

In my last talk at DeepSec2020 we had a closer look on protection mechanisms which can be used by epp/edr products under Windows. We had a look on, how can we bypass mechanisms like user-mode api hooking and kernel callbacks and use that to dump credentials from lsass without creating an alert in the epp/edr product.

This year we will also have a look at epp/edr systems and on the used mechanisms. But in this talk we are more interested in, how can we tamper edr products without knowing a password, without using edr uninstallation software etc. We are more interested in, understanding the user-space and kernel-space components of the edr. Which possibilities do we have from a red team perspective to tamper with user-space and kernel-space components and knockout necessary edr components.

The Covid-19 pandemic has had a major impact on annual general meetings (AGMs) of shareholders worldwide. Due to existing gathering restrictions the vast majority of AGMs shifted from physical to online voting events. Therefore, purely virtual AGMs emerged to the new normal where shareholders approve critical company decisions. But how secure are those virtual events really?

In this talk, I will present a systematic large-scale study on the security of 623 virtual AGMs held by German companies in 2020 including corporations listed in stock indices such as DAX and MDAX. In 72% of all virtual AGMs analyzed, at least one of the three CIA triad security goals was compromised. Join my talk and I will take you on an enthralling journey through the nitty gritty details and pitfalls that lead to the severe vulnerabilities found in real-world online voting portals. All issues were responsibly disclosed and fixed.

In this talk, we will share our latest research work about an office malware builder that was involved in multiple attacks across the globe from November 2020 to February 2021.
In our presentation we will describe the tool's features to bypass security solutions and the efforts from its developers to make it fully undetected (FUD) by using techniques for WD exclusion and UAC bypass. We will show the resources that the threat actors used to validate miss detection of their malware.
We will also present an example of attack flow that used this office malware builder by one of the attackers that bought this tool.
Our intelligence efforts revealed the real identity of office malware builder's main developer as well as the malicious intentions of ApoMacroSploits staff.
We will show, how, consecutively to our publication and reporting this information to the relevant law enforcement authorities, the amount of cyber-attacks related to this campaign dropped significantly.

Today, the number of IoT devices in both the private and corporate sectors are steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.

To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.

For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned.

The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.

With OpenSSH 8.5 agent forwarding was implemented for SFTP and SCP to allow remote copy operations. Agent forwarding has already been considered a security risk for years, but in some special use cases it seems to be more secure than stored private keys on an exposed server.

Since OpenSSH 8.2 a private key can be protected with a fido2 token. With a fido2 secured key, each usage has to be confirmed with a press on a hardware button. This should prevent an attacker to abuse the key, when agent forwarding is used.

In this talk a spoofing attack is presented, which allows an attacker to abuse a fido2 protected key to login to another server. Also a patch for OpenSSH and PuTTY, which mitigates this spoofing attack is shown.

PuTTY has accepted our patch, which enhances the existing spoofing attack mitigation. Many SFTP clients like WinSCP are using PuTTY as a library and our patch allows other applications to use the new spoofing mitigation.

OpenSSH considers spoofing attacks not as a vulnerability which has to be mitigated by the client. This is the reason why this spoofing attack is not mitigated by OpenSSH's client. We are presenting some mitigation strategies how to mitigate this kind of spoofing attack with OpenSSH.

The Covid-19 pandemic has had a major impact on annual general meetings (AGMs) of shareholders worldwide. Due to existing gathering restrictions the vast majority of AGMs shifted from physical to online voting events. Therefore, purely virtual AGMs emerged to the new normal where shareholders approve critical company decisions. But how secure are those virtual events really?

In this talk, I will present a systematic large-scale study on the security of 623 virtual AGMs held by German companies in 2020 including corporations listed in stock indices such as DAX and MDAX. In 72% of all virtual AGMs analyzed, at least one of the three CIA triad security goals was compromised. Join my talk and I will take you on an enthralling journey through the nitty gritty details and pitfalls that lead to the severe vulnerabilities found in real-world online voting portals. All issues were responsibly disclosed and fixed.

Attacks on service providers and software vendors are starting to become a huge problem for society.
Which begs the question: Why is that and is there anything we can do about it?
The fact of the matter is: We have been building a house of cards higher, more complex and faster than ever before - sometimes blissfully unaware that the foundation has started to give.
And our answer so far has been: "Build faster".
Therefore, IT in general and security in particular, has a problem. Can we turn that around? Maybe. Let's talk.
We will look at some of the fundamental issues that have been years in the making and that will take the most work to get right.

Proprietary BIOS/UEFI firmware has been the de-facto standard for most DC devices in the last three decades. Firmware and platform technologies these days are still closed-source and lack transparency. We will show what kind of attack surfaces your firmware exposes and how supply chain security plays a huge role in this scenario.

We will give you a good understanding of how firmware and platform security work in-depth and what tremendous impact firmware security has on threats like ransomware.

In the end, we will present solutions for getting back control on the firmware level and show how you can contribute to change the industry of hardware development.

Embedded systems can be challenging to analyze. Especially on automotive systems, many things that we take for granted on other software such as debugging and tracing do not always work. This is further complicated by watchdogs and peripheral processors, that go haywire when strict timing and communication requirements are violated. On some systems, debugging is even impossible because debugging resources such as pins are either used for something else or they don’t exist at all!
Assuming that code can be dumped, the solution for this can be emulation, however emulating a rich automotive system can be painful and many times, only few aspects of the system can be sufficiently modeled.
What if there was an in-between? How can we debug, fuzz and tamper embedded firmware without access to real-time debugging or emulation?
In this talk, I will show a tool that uses a simple but smart binary instrumentation method and a new, pythonic assembler to automatically patch large firmware binaries, enhancing them with interactive backdoors, as well as function- or basic-block trace capabilities.
Along the way, I share some tricks that can be used to make targets easier to work with (regardless of whether they’re being instrumented) and explore further applications outside of the automotive realm for the tool, which is released specifically for DeepSec.

Living of the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this:

• Experts tend not to reinvent the wheel

• Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk)

The talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems.
Most of the AV vendors do not treat the command itself (from a syntax and vocabulary perspective) as an attack vector. And most of the log-based alerts are static, have a limited specter and are hard to update.
Furthermore, classic LoL detection mechanisms are noisy and somewhat unreliable:

(a) they are dependent on the experience of the SME (Subject Matter Expertise) that creates them;

(b) they generate a high number of False Positives (because of the thin line in terms of tools and syntax between sysadmin operations and attacker operations);

(c) their rules grow organically, to the point where it is easier to retire and rewrite rather than maintain and update.

So, we made a robust, dynamic, high confidence project to fix this! We used Open-Source data, real incident data, a handful of Adobe's SME and a lot of research and engineering.
The presentation covers why it is hard to detect LoLs, the feature engineering used in our approach, comparison between different classifiers as well as hands-on experience using our library and integration into one of our previous open-source projects called One-Stop-Anomaly Shop (OSAS - https://github.com/adobe/OSAS). Additionally, we also discuss why OSAS and the LoL classifier are complementary solutions and how evading one will lead to being detected by the other.

*This project is scheduled to be open-sourced in August 2021.

The philosophy that founds the world of the Internet of Things apparently becomes essential for the projected permanently connected world. The 5G data networks are supposed to dramatically improve the actual 4G networks’ real world significance, which makes them fundamental for the next generation networks of IoT devices. The academic and industrial effort to improve the 5G technological standards and security mechanisms considers various routes. Thus, this proposed talk aims to present the state-of-the-art concerning the development of the standards that model the 5G networks. It values the author's experience that was gathered during the implementation of the Vodafone Romania 5G networked services. It puts this acquired experience in context by reviewing the relevant similar contributions, the relevant technologies, and it describes the research directions and difficulties that will probably influence the design and implementation of secure large 5G data networks.

Consequently, this talk presents a machine learning-based real time intrusion detection system that is based on the deep inspection of the data packets, which has been effectively tested in the context of a 5G data network. The intelligent intrusion detection system considers the creation of software defined networks, and it uses artificial intelligence based models. It is able to proactively detect unknown intrusions patterns through the usage of machine learning-based software components. The system has been assessed and the results prove that it achieves superior performance with a lower overhead in comparison to similar approaches, which allows it to be effectively deployed on real-time 5G networks.

Sven want's to make a deep dive into intercepting network communication of mobile apps and it's API's and tries to cover all different kind of challenges you might be facing when doing the same.

You might think now: What’s the problem here? I configure Burp Suite, install the Burp Certificate Authority (CA) on the mobile device and set the system proxy to point to Burp and case closed.

This is definitely true, but this will only cover the „ideal“ case! But what about the following use cases:

- The app is being build in Flutter or Xamarin. If that’s the case the app will not be using the system proxy, but bypass it. So the Proxy you are setting in iOS and/or Android will be ignored by the app.
- Not every app is relying on HTTP; especially to overcome the overhead of HTTP, TCP might be used. You can also see sometimes XMPP or other protocols. As the system proxy that you are setting in iOS and/or Android will only be covering HTTP(S), other protocols will never be sent to Burp and even if you find a way to route them to Burp, Burp will not be able to process and display them as Burp can only understand HTTP.
- You might not be able to use a jailbroken or rooted device in the client’s network.

These are only same of the challenges you might be facing when trying to intercept the communication of a mobile app to become a Man-in-the-Middle.

This talk will present and follow a methodology for intercepting the network communication between a mobile app and it’s API’s and want's to enable the audience to tackle all potential use cases described above. In order to this the talk will give detailed technical demos to overcome the challenges and allow you to master them.

Why "Squirrel-in-the-middle"? You will find out in the talk :-)

The purpose of this presentation was to execute several efficiency and detection tests in our lab environment protected with an endpoint solution, provided by CrowdStrike. This talk shows the result of the defensive security analysis with an offensive mindset using reverse shell techniques to gain access to the victim's machine and after that performing a malware in VBS to infect the victim's machine through the use of some scripts in PowerShell to call this malware, in our environment bypassing some components and engines, such as: Malware Protection - Associated IOC (Command entered in script), Suspicious Processes, File System Access, Suspicious Processes, Suspicious Scripts and Commands, Intelligence-Sourced Threats, among others.

Regarding the test performed, the first objective was to simulate targeted attacks using a python script to obtain a panoramic view of the resilience presented by the solution, with regard to the efficiency in its detection by Signatures, NGAV and Machine Learning. Running this script, the idea is to use the reverse shell technique to gain access to the victim's machine. After the execution of this attack, the second objective consists in perfoming the PowerShell Script to run this script, to download a VBS malicious file on the victim's machine and execute itself, calling this malware provided through Malwares Bazaar by API request.

Malware analysis is a key phase to extract IOCs like domains, ip, mutex and other signatures. What if malware knows what online sandboxes look for and what tools look for, decides to "showcase only 90%" and hide the rest? Well, Memory forensics comes to our rescue. This was tried and tested with a lot of samples during the pandemic phase and was aided in extracting a lot of hidden process, domains, urls and even ip. This is what the talk covers:

1. Talk about the traditional malware analysis process
2. Introduction to memory forensics and why
3. Introducing tools like Volatility and Rekall
4. Running Orcus RAT, Agent Tesla and Sodinobki Ransomware malwares using traditional methods like Any.run online sandbox and malware runs
5. Playing a game by capturing memory of the infected machine by invoking WMI module and suspending the machine
6. Tracking malware, bypassing malware hooks and executing wmic command to hibernate the machine
7. Obtaining the hyb.sys file and performing memory forensics
8. Extracting hidden process, spotting dll injection, dumping process memory and extracting IOCs like ip and urls
9. Voilá, we win !

All modern control systems have brought a greater security risk for the whole society. While adding value to the business, one must accept  the compromise attached to it. The talk here is going to highlight all the security assessment types needed to perform to minimize the vulnerabilities that attackers can use to exploit the ICS environment across the globe. We will talk about ICS components (Control systems, PLC, RTOS, IEDs) and ICS attack surfaces (network Protocols, Maintenance interfaces, Radio frequency communication, Field devices) and outline the methods to mitigate the threats.

For anyone in IT and IT-security, there seems to be no way around Kubernetes. Containerization has changed the way software is developed, deployed, and operated. Microservices is the new paradigm. Many information security teams around the world, who see the adoption of Kubernetes and microservice-architectures in their organization, discuss just now: What does containerization and Kubernetes mean to security and how to fit this technology into our existing architectures and processes?

In this talk we will dissect the various components of Kubernetes and how they work technically under the hood. We will investigate common pitfalls and how they could be exploited to gain privileges, take over components or compromise the whole cluster and learn how to avoid these issues.

But let’s not only talk about the risks. There are also new chances for more security with containers and Kubernetes in contrast to previous deployment models and technologies. But only when it’s done right!

Ransomware is a piece of code that is written by an attacker to encrypt the victim’s files.
Even though they have been around for many years, the popularity has increased since the outbreak of Wannacry which shook the whole cyber world.

When the logic of the ransomware code is observed we can see a common pattern here. It is similar to how humans interact with the system. I.e, to access the files, the code has to access the Logical drive first. Here each logical drive is assigned a letter by the operating system. For example, when a code has to access the files in D drive, it has to access the drive ‘D’ first.

What if there is a logical drive in the system which doesn’t have any letter assigned to it.
Well, now it is harder to access the files, because the ransomware code is written to access the drive with the assigned letter. This is where most of the ransomwares fail to encrypt the data.

Guess what? The audience will witness what ransomware can not encrypt. Yes you heard it right! Can not!
Can this be a solution for the basic users to backup important files from being encrypted ?
We will see what an attacker might do in the future when ransomware encounters this situation.

In some organizations 2nd Line of Defense functions are kept in the ivory tower, far away from the machine room and the real security issues the company faces. These functions and their deliverables, e.g. the developed and maintained policy and framework, might be used to manage compliance and feed regulators. But are these outcomes valuable? Is their implementation design- and operationally effective? Do they support the security organization to thrive and prosper?

After Deutsche Börse Group revised their security organization, the 2nd LoD function IS Assurance was established. The function, its framework, the grading approach, the assessment plans, and the validation methods for evidences were developed from scratch – with the holistic target to further improve the security organization.
Within a short period of time the function was able to assess the first security process and generated an overview over the design- and operational effectiveness of the verified subject. Here IS Assurance became a trustworthy partner for the 1st and the 3rd Lines of Defense.
This talk introduces the implemented IS Assurance function of the Deutsche Börse Group, gives insights into lessons-learned and challenges, and demonstrates a model to grade the operational effectiveness with practical details.

Deep overview of a tool used by the Chinese nation-state APTs based on a real-life Incident Response case with a big industrial company. Investigation yielded the presence of PlugX in the infrastructure. This presentation gives a full overview of the tools functionality, its past versions, and nowadays usage (Thor is a new version of plugX). We show why it is hard to find and why it's important for big industrial companies. And also we talk about our assumption that all recent big attacks - first Sunburst and then Exchange exploits (proxylogon related to Hafnium) are links of one chain.

By using cache poisoning to store arbitrary data, public web caches can be utilized as open ephemeral storage to facilitate anonymous and evasive communication between network clients.

Monitoring log data for traces of malicious activities has proven to be an effective method for incident detection in cyber security. State-of-the-art detectors thereby frequently apply signature-based detection, meaning that these tools search for specific strings or tokens from threat intelligence databases that are known to correspond to particular attacks. Unfortunately, signature-based detection is vulnerable to already simple forms of evasion techniques, and certainly insufficient to disclose previously unknown attack techniques. As a consequence, tools such as the AMiner provide a complementary line of defense by leveraging anomaly detection techniques that make use of machine learning to automatically learn a baseline of normal behavior and detect deviations from the generated models as suspicious activities that possibly relate to attacks. The log processing pipeline of the AMiner consists of several configurable modules. First, light-weight parser models extract relevant information, such as timestamps, IP addresses, and usernames, from all kinds of logs, including access logs, audit logs, application logs, and more. The AMiner subsequently applies analysis techniques on the parsed data to learn a baseline of normal system events and their properties. On top of that, configurable detectors discover any deviations from this baseline, including detection of new values and value combinations, unusual character distributions of values, changes of event frequencies such as spikes or missing events, violations of expected correlation and sequence rules, as well as detection based on statistical distributions of values and event occurrences, among many others. All disclosed anomalies are eventually reported to security analysts for review and remediation through several interfaces, including message queues to store anomalies in databases or visualize them in SIEM dashboards. In our talk we will present a broad overview of the AMiner and explain its modules with the aid of several use-cases and hands-on examples.

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified digitally with the pandemic accelerating connectivity. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs: teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge and 2021 police protection.