Speakers (preliminary) - DeepSec IDSC 2021 Europe

Advanced Deployment and Architecture for Network Traffic Analysis

Peter Manev, Eric Leblond & Josh Stroschein (Open Information Security Foundation)

Network-based threat detection is crucial for developing a comprehensive security strategy, whether it is on-premise or in the cloud. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn how to maximize the visibility that Suricata can provide in your network. You will gain deep technical understanding and hands on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection are critical for a successful deployment. You will also learn traditional and non-traditional tips, tricks and techniques to implement Suricata and its newest features, based on real-world deployment experiences to include cloud-based deployments. This class also offers a unique opportunity to bring in-depth use cases, questions, and challenges directly to the Suricata team. By the end of this course you will be able to successfully design, deploy, implement, optimize and hunt with your high-performance Suricata deployment.

Peter Manev: Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead, currently a Suricata executive council member. Peter has 15 years experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software he is also one of the creators of SELKS - an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Eric Leblond: Eric is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He works on the development of Suricata, the open source IDS/IPS since 2009 and he is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

Josh Stroschein is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activities for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight and a threat researcher for Bromium.

Hacking Modern Desktop Apps: Master the Future of Attack Vectors

Abraham Aranguren & Anirudh Anand (7ASecurity LLLP)

This course is a 100% hands-on deep dive into the OWASP Security Testing
Guide and relevant items of the OWASP Application Security Verification
Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days since desktop apps were written in Delphi. What have
Microsoft Teams, Skype, Bitwarden, Slack and Discord in common? All of them are
written in Electron: JavaScript on the client.

Modern desktop apps share traditional attack vectors and also introduce new
opportunities to threat actors. This course will teach you how to review modern
desktop apps, showcasing Node.js and Electron but using techniques that will
also work with any other desktop app platform. Ideal for Penetration Testers,
Desktop App Developers as well as everybody interested in
JavaScript/Node.js/Electron app security.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

All action, no fluff, improve your security analysis workflow and immediately apply
these gained skills in your workplace. Packed with exercises, extra mile
challenges and CTF, self-paced and suitable for all skill levels, with continued
education via unlimited email support and lifetime access to our training portal with
step-by-step video recordings and interesting apps to practice, including all future
updates for free.

Abraham Aranguren: After 13 years in ITsec and 20 in IT Abraham is now the CEO of 7ASecurity (​7asecurity.com​), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB,
OWASP Global AppSec and many other events. Former senior penetration tester / team
lead at Cure53 (​cure53.de​) and Version 1 (​www.version1.com​). Creator of “Practical
Web Defense” - a hands-on eLearnSecurity attack / defense course
(​www.elearnsecurity.com/PWD​), OWASP OWTF project leader, an OWASP flagship
project (​owtf.org​), Major degree and Diploma in Computer Science, some certs: CISSP,
OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a
shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He
writes on Twitter as ​ @7asecurity​ ​ @7a_​ ​ @owtfp​ or ​ https://7asecurity.com/blog​ . Multiple
presentations, pentest reports and recordings can be found at

Anirudh Anand:
Anirudh Anand is a security researcher with a primary focus on Web and Mobile
Application Security. He is currently working as a Senior Security Engineer at ​CRED​ and
also as a Security Trainer at ​7asecurity​. He has been submitting bugs and contributing to
security tools for over 7 years. In his free time, he participates in CTF competitions along
with ​Team bi0s​ (#1 security team in India according to CTFtime). His bounties involve
vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and
Anirudh is an open source enthusiast and has contributed to several OWASP projects
with notable contributions being in OWTF and Hackademic Challenges Project. He has
presented/trained at a multitude of conferences including c0c0n 2019, BlackHat Arsenal
2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground
Zero Summit Delhi 2015 and Xorconf 2015.

How to Break and Secure Single Sign-On (OAuth and OpenID Connect)

Karsten Meyer zu Selhausen (Hackmanit GmbH)

Single sign-on protocols are one of the most important Internet technologies and are used by countless applications. Security plays a critical role when using systems based on standards such as OAuth and OpenID Connect. Successful attacks allow hackers to bypass authentication or to access confidential user data. In this training, you will learn all security aspects relevant to single sign-on based on OAuth and OpenID Connect. You will learn which serious attacks exist and get the chance to try them yourself in our test environment. Finally, you will learn how to test and defend your own systems against these attacks.

Karsten Meyer zu Selhausen has several years of experience in the fields of secure deployment and secure use of well-known single sign-on standards, such as OAuth, OpenID Connect and SAML.

He works as an IT security consultant, penetration tester and trainer for Hackmanit GmbH since 2016. During his master degree in IT Security at the Ruhr-University Bochum, he specialized on the security of protocols for delegated authorization and authentication, as well as data description languages, such as XML and PDF. He gained profound expertise in the security of single sign-on procedures, such as OAuth, OpenID Connect and SAML, during numerous consulting projects and penetration tests. Karsten frequently shares his knowledge and experience with customers from various industry fields in IT security training courses.

Mobile Network Operations and Security

David Burgess (-)

This workshop describes basic functions and security shortcomings in mobile
networks, both in the core network and in radio network, for GSM, UMTS, LTE
and 5GNR. The material is intended for individuals in the areas of
journalism, international aid, corporate security, and the law, who have or
who work with people who have specific security concerns and want to
better understand what is really happening in their phones and in the
mobile networks that serve those phones.

The workshop will start with an overview of cellular technology in general
and types of security flaws common to all mobile networks, and then
proceed to specific examples for different network segments and technology
types. The workshop will include demonstrations of some security failures
and deeper analysis of specific events reported in the popular press. The
goal of the workshop is to give attendees a good grasp of key concepts in
mobile network operation and the security implications, while avoiding
unnecessary technical details. Questions and discussion are welcome and

This workshop covers the mobile network, handset baseband, and SIM only,
and does not address Android, iOS or application-layer security.

David Burgess has worked in telecommunications since 1998, first in signals
intelligence and then in commercial network equipment. He is probably best
known as the primary author of OpenBTS, but has written complete stacks for
other cellular radio protocols as well. David’s company, Legba, provides
mobile network equipment and test equipment for small network operators,
embedded systems developers, and special applications. David also writes
about telecommunications and does occasional work as an expert in legal

Pentesting Industrial Control Systems

Arnaud Soullié (RS formation et conseil)

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
We will cover the most common ICS protocols (Modbus, S7, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.
The training will end with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.
Moreover, the training doesn’t stop on the last day! Each participant will receive a 30-day access to an elearning portal, which allows to watch the training content on video, as well as to perform all the exercises on a cloud platform.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 10 years he has been performing security audits and pentests on all type of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics : BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open­source data diode aimed at ICS.

Advanced Whiteboard Hacking – aka Hands-on Threat Modeling

Sebastien Deleersnyder (Toreon)

First released at Black Hat USA trainings 2021, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we released this war game in première at Black Hat USA 2021. Also, in this edition we enhanced the sections on agile and DevOps threat modeling, threat modeling and compliance, added a section on "threat modeling at scale" and all participants get our Threat Modeling Playbook plus one-year access to our online threat modeling coaching subscription.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical Use Cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Using this methodology for our hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices into their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• Diagramming web and mobile applications, sharing the same REST backend
• Threat modeling an IoT gateway with a cloud-based update service
• Get into the defender's head – modeling points of attack against a nuclear facility
• Threat mitigations of OAuth scenarios for an HR application
• Privacy analysis of a new face recognition system in an airport
• Battle for control over "Zwarte Wind", an offshore windmill park

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we released this updated advanced threat modeling training at Black Hat USA 2021.

Course topics

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model
Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: diagramming web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• Attack trees
• Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service
Addressing each threat
• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• Specialist mitigations
• Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Threat modeling and compliance
• How to marry threat modeling with compliance
• Mapping threat modeling on compliance frameworks
• GDPR and Privacy by design
• Privacy threats
• LINDUNN and Mitigating privacy threats
• Hands-on: privacy threat modeling of a face recognition system in an airport
Penetration testing based on offensive threat models
• Create pentest cases for threat mitigation features
• Pentest planning to exploit security design flaws
• Vulnerabilities as input to plan and scope security testing
• Prioritization of pentesting based on risk rating
• Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.
Advanced threat modeling
• Typical steps and variations
• Validation threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Threat models examples: automotive, industrial control systems, IoT and Cloud
Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared
Battle for control over "Zwarte Wind", an offshore windmill park
In our 5th edition of Black Hat trainings, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we release this war game in première at Black Hat USA 2021.
• Hands-on examination
• Grading and certification

Seba (https://twitter.com/Sebadele) is co-founder, CTO of Toreon and a proponent of application security as a holistic endeavor. He started the Belgian OWASP chapter, was a member of the OWASP Foundation Board and performed several public presentations on Application Security. Seba also co-organized the yearly security & hacker BruCON conference and trainings in Belgium.

With a background in development and many years of experience in security, he has trained countless developers to create software more securely. He has led OWASP projects such as OWASP SAMM, thereby truly making the world a little bit safer. Now he is adapting application security models to the evolving field of DevOps and is also focused on bringing Threat Modeling to a wider audience.