Network-based threat detection is crucial for developing a comprehensive security strategy, whether it is on-premise or in the cloud. In Advanced Deployment and Architecture for Network Traffic Analysis, you will learn how to maximize the visibility that Suricata can provide in your network. You will gain deep technical understanding and hands on experience with Suricata’s versatile arsenal of features and capabilities for a variety of deployment, usage and integration scenarios. Tuning and optimizing Suricata for threat/anomaly detection, file extraction, and/or protocol detection are critical for a successful deployment. You will also learn traditional and non-traditional tips, tricks and techniques to implement Suricata and its newest features, based on real-world deployment experiences to include cloud-based deployments. This class also offers a unique opportunity to bring in-depth use cases, questions, and challenges directly to the Suricata team. By the end of this course you will be able to successfully design, deploy, implement, optimize and hunt with your high-performance Suricata deployment.

First released at Black Hat USA trainings 2021, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we released this war game in première at Black Hat USA 2021. Also, in this edition we enhanced the sections on agile and DevOps threat modeling, threat modeling and compliance, added a section on "threat modeling at scale" and all participants get our Threat Modeling Playbook plus one-year access to our online threat modeling coaching subscription.

As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap, we have developed practical Use Cases, based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

Using this methodology for our hands-on workshops we provide our students with a challenging training experience and the templates to incorporate threat modeling best practices into their daily work. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:
• Diagramming web and mobile applications, sharing the same REST backend
• Threat modeling an IoT gateway with a cloud-based update service
• Get into the defender's head – modeling points of attack against a nuclear facility
• Threat mitigations of OAuth scenarios for an HR application
• Privacy analysis of a new face recognition system in an airport
• Battle for control over "Zwarte Wind", an offshore windmill park

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years and the great and positive feedback, we released this updated advanced threat modeling training at Black Hat USA 2021.


 
Course topics

Threat modeling introduction
• Threat modeling in a secure development lifecycle
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Document a threat model
Diagrams – what are you building?
• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Sequence and state diagrams
• Advanced diagrams
• Hands-on: diagramming web and mobile applications, sharing the same REST backend
Identifying threats – what can go wrong?
• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• Attack trees
• Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service
Addressing each threat
• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• Specialist mitigations
• Hands-on: threat mitigations OAuth scenarios for web and mobile applications
Threat modeling and compliance
• How to marry threat modeling with compliance
• Mapping threat modeling on compliance frameworks
• GDPR and Privacy by design
• Privacy threats
• LINDUNN and Mitigating privacy threats
• Hands-on: privacy threat modeling of a face recognition system in an airport
Penetration testing based on offensive threat models
• Create pentest cases for threat mitigation features
• Pentest planning to exploit security design flaws
• Vulnerabilities as input to plan and scope security testing
• Prioritization of pentesting based on risk rating
• Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.
Advanced threat modeling
• Typical steps and variations
• Validation threat models
• Effective threat model workshops
• Communicating threat models
• Agile and DevOps threat modeling
• Improving your practice with the Threat Modeling Playbook
• Scaling up threat modeling
• Threat models examples: automotive, industrial control systems, IoT and Cloud
Threat modeling resources
• Open-Source tools
• Commercial tools
• General tools
• Threat modeling tools compared
Battle for control over "Zwarte Wind", an offshore windmill park
In our 5th edition of Black Hat trainings, we release our latest threat modeling training with a new threat modeling war game with red and blue threat modeling teams. Engaged in capture the flag style threat modeling challenges your team will battle for control over an offshore windmill park. Based on our experience in securing real-world Operational Technology (OT) infrastructure we release this war game in première at Black Hat USA 2021.
Examination
• Hands-on examination
• Grading and certification

LIVE ONLINE TRAINING

[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets.You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]



Overview:
New for 2021, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.
From SIEM monitoring, alerting and threat hunting, you’ll play a SOC analyst in our cloud-based lab and try to rapidly locate IOA’s and IOC’s from an enterprise breach executed by the trainers.
You’ll use a combination of Microsoft Azure Sentinel and Elastic platforms to perform practical exercises, creating your own queries to detect potential compromises and highlight interesting activity.

Agenda
Day 1
• MITRE ATT&CK framework
• Defensive OSINT
• Linux/Windows auditing and logging
• Using Logstash as a data forwarder
• Overview of the Kibana Query Language
• Overview of the Kusto Query Language
• Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
• Detecting phishing attacks (Office macros, HTA’s and suspicious links)
• Detecting credential exploitation (Kerberoasting, PtH, PtT, DCSync)

Day 2
• Creating alerts/rules in Azure Sentinel
• Detecting lateral movement within a network (WinRM, WMI, SMB, DCOM, MSSQL)
• Detecting data exfiltration (HTTP/S, DNS, ICMP)
• Detecting persistence activities (userland methods, WMI Event Subscriptions)
• C2 Communications


Also included:
We realise that training courses are limited for time and therefore students are also provided with the following:
• Completion certificate
• 14-day extended lab access after the course finishes
• Discord support channel access where our security consultants are available

This course is a 100% hands-on deep dive into the OWASP Security Testing
Guide and relevant items of the OWASP Application Security Verification
Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days since desktop apps were written in Delphi. What have
Microsoft Teams, Skype, Bitwarden, Slack and Discord in common? All of them are
written in Electron: JavaScript on the client.

Modern desktop apps share traditional attack vectors and also introduce new
opportunities to threat actors. This course will teach you how to review modern
desktop apps, showcasing Node.js and Electron but using techniques that will
also work with any other desktop app platform. Ideal for Penetration Testers,
Desktop App Developers as well as everybody interested in
JavaScript/Node.js/Electron app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace. Packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to our training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with: 1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

## Course Content (ToC) ##

### Section 1: Hacking Modern Desktop apps by Example ###

Part 0 - Modern Desktop App Security Crash Course
- The state of Modern Desktop App Security
- Modern app security architecture and its components
- Modern Desktop apps and the filesystem
- Recommended lab setup tips

Part 1 - Static Analysis and Tools
- Tools and techniques to reverse and review Modern apps
- Finding vulnerabilities in Modern app dependencies
- Identification of the attack surface of Modern apps & information gathering
- Static modification of Modern apps for analysis and debugging
- Identification of common vulnerability patterns in Modern apps:
+ Common misconfigurations
+ Hardcoded secrets
+ Logic bugs
+ Access control flaws
+ URL handlers
+ XSS, Injection attacks and more
- Modifying Modern apps to alter behaviour and debug issues

Part 2 - Dynamic Analysis
- Monitoring data: caching, logs, app files, insecure file storage, unsafe storage of app secrets, etc.
- Crypto flaws
- The art of MitM: Intercepting Network Communications
- Defeating certificate pinning at runtime
- The art of Instrumentation: Introduction to Frida
- App behaviour monitoring at runtime
- Modifying app behaviour at runtime

Part 3 - Test your Skills
- CTF time

### Section 2: Advanced Instrumentation & Attacks on Modern Desktop apps ###

Part 0 - Advanced Instrumentation on Modern Desktop apps
- Introduction to Frida on Desktop apps
- Advanced usage of Frida against Modern Desktop apps
- Writing custom Frida scripts to assist with common challenges
- Reviewing app behavior at runtime
- Modifying app behavior at runtime
- Modifying app behavior at rest

Part 1 - Advanced attacks on Modern Desktop apps
- UI manipulation with XSS
- Interesting attack vectors with XSS
- Coverage of Multiple edge case scenarios to gain RCE
- Dumping memory
- Prototype pollution
- Defeating crypto
- Gaining RCE via IPC
- Attacking WebSockets
- Local Attacks and Privilege Escalation
- Remote Attacks when Desktop Apps are deployed on the server
- Bypassing Pining
- And more

Part 2 - Advanced Modern Desktop Apps CTF
- Challenges to practice advanced attacks and instrumentation on Modern Desktop apps

Single sign-on protocols are one of the most important Internet technologies and are used by countless applications. Security plays a critical role when using systems based on standards such as OAuth and OpenID Connect. Successful attacks allow hackers to bypass authentication or to access confidential user data. In this training, you will learn all security aspects relevant to single sign-on based on OAuth and OpenID Connect. You will learn which serious attacks exist and get the chance to try them yourself in our test environment. Finally, you will learn how to test and defend your own systems against these attacks.

This workshop describes basic functions and security shortcomings in mobile
networks, both in the core network and in radio network, for GSM, UMTS, LTE
and 5GNR. The material is intended for individuals in the areas of
journalism, international aid, corporate security, and the law, who have or
who work with people who have specific security concerns and want to
better understand what is really happening in their phones and in the
mobile networks that serve those phones.

The workshop will start with an overview of cellular technology in general
and types of security flaws common to all mobile networks, and then
proceed to specific examples for different network segments and technology
types. The workshop will include demonstrations of some security failures
and deeper analysis of specific events reported in the popular press. The
goal of the workshop is to give attendees a good grasp of key concepts in
mobile network operation and the security implications, while avoiding
unnecessary technical details. Questions and discussion are welcome and
encouraged.

This workshop covers the mobile network, handset baseband, and SIM only,
and does not address Android, iOS or application-layer security.

LIVE ONLINE TRAINING

[Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets.You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net]

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

If you just entered the domain of mobile app penetration testing, or have only experience in Web App Testing and would like to make the switch to mobile, this session is a perfect starting point for you. Nevertheless, there are also some more advanced topics that will also be of interest for more experienced testers.

At the beginning of the first day we start by giving an overview of the Android Platform and it’s Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student by using Corellium. These are some of the topics that will be covered during the course:

●    Frida crash course to kick-start with dynamic instrumentation on Android apps
●    Intercepting network traffic of apps written in mobile app frameworks such as Google’s Flutter
●    Identifying and exploiting a real word Deep-link vulnerability
●    Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
●    Analyze Local Storage of an Android App
●    Usage of dynamic Instrumentation with Frida to:
  ○      bypass Frida detection mechanisms
  ○      bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:

●    Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
●    Frida crash course to kick-start with dynamic instrumentation for iOS apps
●    Bypassing SSL Pinning with SSL Kill Switch and Objection
●    Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
●    Testing stateless authentication mechanisms such as JWT in an iOS Application
●    Using Frida for Runtime Instrumentation of iOS Apps to bypass:
  ○      Anti-Jailbreaking mechanisms
  ○      Frida detection mechanism
  ○      and other client-side security controls

The course consists of many different labs developed by the instructor and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and you will have the chance to win a price!

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.


Attendees will be provided with the following content:

- All slides in PDF format used for Day 1 and Day 2
- Virtual Machine that includes all tools needed
- Several iOS and Android Apps that are used for the exercises


Prerequisites:

The following prerequisites need to be fulfilled by the students in order to be able to follow all exercises and fully participate:
 
●    Laptop (Windows/Linux/macOS) with at least 8 GB Ram and 40GB of free disk space
●    Full administrative access, in case of any issues with the laptop environment (e.g. deactivate AV or Firewall)
●    Virtualization software (e.g. VMware, VirtualBox); A VM will be provided as OVA with all tools needed for the training
●    Stable internet connection with at least 50 Mbps

An Android hardware device is not needed by the participants. The Android hands-on exercises of the training will instead be executed in Corelium, a cloud-based virtualized environment that allows attendees to access a rooted Android device during the training. One Android instance will be provided for each participant.

An iOS device is also not needed, as an emulated and jailbroken iOS instance will be provided for each student that is hosted in Corellium.

I will offer support 1 week before the training for all students, to make sure that the setup is up and working prior to the training.

Students will enjoy the training the most, if they have a basic understanding of mobile apps and the command line, interest in security and learning new things!

In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems.
We will cover the most common ICS protocols (Modbus, S7, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.
The training will end with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.
Moreover, the training doesn’t stop on the last day! Each participant will receive a 30-day access to an elearning portal, which allows to watch the training content on video, as well as to perform all the exercises on a cloud platform.

This is your welcome to the second DeepSec conference during a global pandemic. Since the beginning of 2020, a lot of issues known from information technology have crossed over to the real world – even without the Metaverse. The opening is just a short recapitulation of what happened so far and why we should put our efforts into defending networks and computer systems.

Artificial intelligence (AI) is one of the key technologies for dramatic change processes in the next 30 years. Research on the development of AI is driven by scientific and political ambitions, accompanied by great hopes and fears. What does it mean to live and work with such a form of intelligence? How will computing machinery evolve within the next decades? What can and should computer societies consider to ensure a positive development from both, a technological as well as societal point of view? These are some of the questions that will be addressed in this keynote.

As the world becomes more and more connected, Application Security becomes an important concern. Especially regarding the Internet of Things (IoT), Application Programming Interface
(API), and Microservices spaces. In addition, the proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed.

There are many tools on the market providing AI based API protection and anomaly detection but what really works? How to choose the best solution? During my talk, I will share results from the research of reviewing different architecture approaches and AI solutions introduced by different favorite tools on the market, from WAF to workload protection systems.

The cost of insider threats is rising, with a 31% increase from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are a growing risk that is still often under-addressed within cybersecurity of organizations (especially when compared with external threats). Perhaps this is because it is hard to imagine that a trusted coworker could be siphoning corporate secrets from the company you both work for. Yet, this act is more common than you think. There are many levels of insider threats and some much more harmful than others. Robert takes us on a journey that first outlines the many different kinds of insider threats: everything from accidental to espionage. He then discusses how to detect it and what companies can do about it. Having worked in the Information Security industry for 20 years in various fields and positions, Robert has seen many insider threat incidents and the damage this can have on a company. Today more than ever, companies are susceptible to this risk however few seem able to detect and mitigate. In this talk, Robert draws upon his experiences to outline some of the tell tale signs of insider threats and some of the many ways this can be detected early. He also discusses company culture and how to prevent the damage that insider threats can have. Robert also integrates some great industry examples as learning to help show the audience the damage insider threats have. The talk finishes with a check list of mitigation strategies that companies can do to greatly improve their position and safeguard their secrets. There are many great talks out there on social engineering, however, all of these are focussed on an outside entity tricking the employees to get access. This talk looks at those amongst us who are already trusted employees and how to manage that risk.

In recent years, the top security conferences have started to add ethics statements to their call for papers. It has become common practice to obtain ethics votes for human subjects studies in security research. But what about everything else, such as offensive security research, large scale measurement studies or adversarial machine learning? In this talk, I discuss good, bad and ugly examples of how ethics are handled in security & privacy research. I will also present actionable recommendations to ensure ethical and responsible research practices that are essential to build and break systems without causing harm.

By now, it should be well known that passwords are like underwear, they should be changed often, the longer the better and it’s better not to leave them lying around.
While the big players advocating for passwordless authentication, passwords are still the most common authentication method. In the wild, we’ve seen thousands of organizations experiencing password spraying and bruteforce attacks on their users. Although MFA should mitigate some of the threats, it's still not implemented on all protocols and in some cases was bypassed by security flaws in the IDP.

In this talk, we’ll present a new concept for password security – smartlists, built on a new data driven approach that utilizes recent advancements in NLP. Together with this talk, we are proud to release a new FOSS tool that makes these new concepts practical and easy to use by generating 200M+ password candidates per second written in Rust.



The shift of human activities from offline to online spaces has major impacts on organizations – either public or corporate – in terms of security, therefore creating a constantly growing need for cybersecurity experts. Although for small companies, expertise can come from external providers, large organizations need to build their own cybersecurity workforce. For companies the limited number of higher education formations lead to tension in the employment market, and in the recruitment of people whose expertise is not primarily on cybersecurity. Furthermore, cybersecurity often focuses on technical aspects, and does not always deal enough with the human factor – while the human factor is critical for companies and other large organizations.

This presentation will explore the challenges related to building a workforce in cybersecurity from the point of view of organizations. We will discuss how to build a workforce that can take on both the mission of first line defenders, and the mission of education of the other company members, ranging from its higher operatives to the basic workers, and how cybersecurity can be operationally articulated between security services and IT professionals.

Google recently introduced a secure chip called Titan M in its Pixel smartphones, allowing the implementation of a Trusted Execution Environment (TEE) in Tamper Resistant Hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers, therefore studying their security lays the basis of the trust we have in the features that they bring.

In this paper, we provide the first security analysis of the Titan M. We start by reverse engineering the firmware and reviewing the open source code in the Android OS responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer.

Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we find and report a new vulnerability in the latest version of the firmware.

Nowadays, many leading scientists and experts are actively working on the creation of quantum computers. On October 23 2019, Google announced that it has achieved quantum supremacy. This means the great speedup of the quantum processors compared to the fastest classic computer. On December 06 2020, scientists in China also announced that they also achieved quantum supremacy. Quantum computers will probably destroy most cryptosystems that are widely used in practice. A variety of "resistant to quantum attacks," alternatives are developed. These alternatives are hash-based, code-based, lattice-based and multivariate crypto schemes. However, to date a number of successful attacks is recorded on the given system. It is also shown that these schemes have efficiency problems.

The amount of traffic carried over wireless networks and the number of mobile devices (including IoT) are growing rapidly and are being driven by many factors. The telecoms industry is undergoing a major transformation towards 5G networks in order to fulfill the needs of existing and emerging use cases. So the vision of 5G wireless networks lies in providing very high data rates and higher coverage through dense base station deployment with increased capacity, significantly better Quality of Service (QoS), and extremely low latency. To provide the necessary services envisioned by 5G, novel networking, service deployment, storage and processing technologies will be required. These technologies will bring new challenges for the 5G cybersecurity systems and its functionality. The 3rd Generation Partnership Project (3GPP) offers a standard for 5G networks. It contains the identity protection scheme, which addresses the important privacy problem of permanent subscriber-identity disclosure. This offer contains two stages: the identification stage, which is followed by providing the security context between service providers and mobile subscribers using the authenticated key agreement with the symmetric key. 3GPP offers to protect the identification stage by means of a public-key scheme. They offer to use Elliptic Curve Integrated Encryption Scheme (ECIES). The offered scheme is not secure against the attacks of quantum computers. It is important to integrate the quantum resistant scheme to 5G networks.

At DeepSec, the post-quantum encryption system, which will be secure against the attacks of quantum computers will be presented and analyzed. The methodology of integration of the encryption system into the identification stage of 5G will be shown. The implementation of the scheme will be explained.



The ongoing public interest in blockchains and smart contracts has brought a rise to a magnitude of different blockchain implementations.
The rate at which new concepts are envisioned and implemented makes it hard to vet their security.
Still, people put their trust and money into chains that may lack proper testing.
However, smart contract platforms, executing untrusted code, are complex by design.
A behavior deviation for edge cases of single op-codes is a critical bug class in this brave new world.
It can be abused for Denial of Service against the blockchain, chain splits for double-spending, or direct attacks on applications operating on the blockchain.
In this paper, we propose an automated methodology to uncover such differences.
Through coverage-guided, and state-guided fuzzing, we explore smart contract virtual machine behavior against multiple VMs in parallel.
We develop NeoDiff, the first framework for feedback-guided differential fuzzing of smart contract VMs.
We discuss real, monetary, consequences our tool prevents.
NeoDiff can be ported to new smart contract platforms with ease.
Apart from fuzzing Ethereum VMs, NeoDiff found a range of critical differentials in VMs for the Neo blockchain.
Moreover, through a higher-layer semantics mutator, we uncovered semantic discrepancies between Neo smart contracts, written in Python and classic CPython.
Along the way, NeoDiff uncovered memory corruptions in the C# Neo VM.

Critical infrastructures are slowly but continuously being globalized and digitized. You
are using more and more IT components in production environments where previously
only operational technologies and mechanical processes were intended.
What are the effects of actions and legislation in cyberspace in relation to KRITIS? What
are the risks and side effects to watch out for? And are these also observed? Which solutions assure us that we will still be able to drink a digitally supported glass of water
tomorrow?

Application security in an enterprise is a challenge. We can see this when we look at the statistics: There have been 16648 security vulnerabilities (CVEs) published so far in 2020 and the average severity is 7.1 out of 10.

In this talk, you will find various solutions such as
- Development team risk scoring based on maturity and business aspect,
- SAST/DAST at CI/CD pipeline without blocking the pipeline itself,
- How to leverage bug bounty program,
- When to employ penetration testing,
- When to employ code review,
- Platform developments to remove dependency for developers’ to implement features i.e. internal authorization.

Most important of all, you will see these solutions lead to minimal friction within the team, which creates a fine-tuned security program.



WebAssembly, the open standard for binary code, is quickly gaining adoption on the web and beyond. As the binaries are often written in low-level languages, like C and C++, they are riddled with the same bugs as their traditional counterparts. Minimal tooling to uncover these bugs on Wasm binaries exists. In this paper we present WAFL, a fuzzer for Wasm binaries. WAFL adds a set of patches to the WAVM WebAssembly runtime to generate coverage data for the popular AFL++ fuzzer. Thanks to the underlying JITing WAVM, WAFL is already very performant. WAFL adds lightweight VM snapshots. By replacing forks, traditionally used in AFL++ harnesses, with WAFL’s snapshots, WAFL harnesses can even outperform native harnesses with compile-time instrumentation in raw fuzzing performance. To the best of our knowledge, WAFL is the first coverage-guided fuzzer for binary-only Wasm, without the need for source.

Sven want's to make a deep dive into intercepting network communication of mobile apps and it's API's and tries to cover all different kind of challenges you might be facing when doing the same.

You might think now: What’s the problem here? I configure Burp Suite, install the Burp Certificate Authority (CA) on the mobile device and set the system proxy to point to Burp and case closed.

This is definitely true, but this will only cover the „ideal“ case! But what about the following use cases:

- The app is being build in Flutter or Xamarin. If that’s the case the app will not be using the system proxy, but bypass it. So the Proxy you are setting in iOS and/or Android will be ignored by the app.
- Not every app is relying on HTTP; especially to overcome the overhead of HTTP, TCP might be used. You can also see sometimes XMPP or other protocols. As the system proxy that you are setting in iOS and/or Android will only be covering HTTP(S), other protocols will never be sent to Burp and even if you find a way to route them to Burp, Burp will not be able to process and display them as Burp can only understand HTTP.
- You might not be able to use a jailbroken or rooted device in the client’s network.

These are only same of the challenges you might be facing when trying to intercept the communication of a mobile app to become a Man-in-the-Middle.

This talk will present and follow a methodology for intercepting the network communication between a mobile app and it’s API’s and want's to enable the audience to tackle all potential use cases described above. In order to this the talk will give detailed technical demos to overcome the challenges and allow you to master them.

Why "Squirrel-in-the-middle"? You will find out in the talk :-)

Today, the number of IoT devices in both the private and corporate sectors are steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.

To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.

For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned.

The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.

With OpenSSH 8.5 agent forwarding was implemented for SFTP and SCP to allow remote copy operations. Agent forwarding has already been considered a security risk for years, but in some special use cases it seems to be more secure than stored private keys on an exposed server.

Since OpenSSH 8.2 a private key can be protected with a fido2 token. With a fido2 secured key, each usage has to be confirmed with a press on a hardware button. This should prevent an attacker to abuse the key, when agent forwarding is used.

In this talk a spoofing attack is presented, which allows an attacker to abuse a fido2 protected key to login to another server. Also a patch for OpenSSH and PuTTY, which mitigates this spoofing attack is shown.

PuTTY has accepted our patch, which enhances the existing spoofing attack mitigation. Many SFTP clients like WinSCP are using PuTTY as a library and our patch allows other applications to use the new spoofing mitigation.

OpenSSH considers spoofing attacks not as a vulnerability which has to be mitigated by the client. This is the reason why this spoofing attack is not mitigated by OpenSSH's client. We are presenting some mitigation strategies how to mitigate this kind of spoofing attack with OpenSSH.



IT security is hard. But while many institutions try to improve security, some government institutions are actively working to weaken IT security. This takes many forms: government backdoors, legal attacks on encryption, and offensive hacking with exploits and 0-days. This talk gives an overview over the most important developments, and tries to escape the German perspective of the speaker.


Modern information and communication technologies (ICT) implementation in all spheres of human activity, as well as increasing the number and power of cyber-attacks on them make the cyber security of the developed digital state vulnerable and weak. Cyber-attacks become targeted (so-called APT-attacks) and attackers carefully prepare them, analyzing the identified vulnerabilities and all possible ways of attack. The security and defense capabilities of the state are considered in an additional fifth domain titled cyberspace (after land, air, water and space), world`s leading states develop strategies to protect cyberspace, create cyber troops, develop and test cyber weapons. A significant number of cyber-attacks today are aimed at critical infrastructures and government organizations.

Traditional security methods (in particular, cryptographic algorithms) do not fully protect against all currently known attacks, they are potentially vulnerable to attacks based on quantum algorithms (Shore`s, Grover`s, Deutsch-Jozsa etc). These methods are based on the fundamental impossibility of an attacker to solve some complex mathematical problem (unordered database search, factorization, logarithm in large discrete fields etc.) in polynomial time. But increase in the computational power of advanced ICT as well as potential “quantum computer in the hands of an attacker” is the security and privacy threat and it encourages the search for alternative security methods. which will be secured the post-quantum period. Such alternative approaches can be methods of quantum and post-quantum cryptography. Quantum Cryptography (Quantum Key Distribution, QKD) does not depend on the computational power of an attacker, uses the specific unique properties of quantum particles and is based on the inviolability of the laws of quantum physics. The main advantages of QKD are the ability to define an attacker and ensure information and theoretical security. QKD includes the following protocols: protocols using single (non-entangled) qubits and qudits (d-level quantum systems, d>2); protocols using phase coding; protocols using entangled states; decoy states protocols and others.

World`s leading QKD company ID Quantique has developed many QKD systems, QRNGs, Quantum-Safe security devices as well as implemented these systems in 5G deployment projects with SK Telekom, British Telecom, Deutsche Telecom and other cellular operators. Today QKD is important part of 5G and next generation networks.

At DeepSec, QKD-based security system post-quantum period will be presented and analyzed. Impact of Quantum computing on cryptography (secret key cryptography, public key cryptography, hash functions) will be assessed and analyzed. Author`s QKD / QSDC protocols and additional security procedures will be presented. The methods of QKD integration into different 5G network slices will be shown and explained.

The philosophy that founds the world of the Internet of Things apparently becomes essential for the projected permanently connected world. The 5G data networks are supposed to dramatically improve the actual 4G networks’ real world significance, which makes them fundamental for the next generation networks of IoT devices. The academic and industrial effort to improve the 5G technological standards and security mechanisms considers various routes. Thus, this proposed talk aims to present the state-of-the-art concerning the development of the standards that model the 5G networks. It values the author's experience that was gathered during the implementation of the Vodafone Romania 5G networked services. It puts this acquired experience in context by reviewing the relevant similar contributions, the relevant technologies, and it describes the research directions and difficulties that will probably influence the design and implementation of secure large 5G data networks.

Consequently, this talk presents a machine learning-based real time intrusion detection system that is based on the deep inspection of the data packets, which has been effectively tested in the context of a 5G data network. The intelligent intrusion detection system considers the creation of software defined networks, and it uses artificial intelligence based models. It is able to proactively detect unknown intrusions patterns through the usage of machine learning-based software components. The system has been assessed and the results prove that it achieves superior performance with a lower overhead in comparison to similar approaches, which allows it to be effectively deployed on real-time 5G networks.

Proprietary BIOS/UEFI firmware has been the de-facto standard for most DC devices in the last three decades. Firmware and platform technologies these days are still closed-source and lack transparency. We will show what kind of attack surfaces your firmware exposes and how supply chain security plays a huge role in this scenario.

We will give you a good understanding of how firmware and platform security work in-depth and what tremendous impact firmware security has on threats like ransomware.

In the end, we will present solutions for getting back control on the firmware level and show how you can contribute to change the industry of hardware development.

Kai Michaelis is co-founder and CTO of immune GmbH set out to build a solution for platform and supply chain security. He’s also a co-founder of the Open Source Firmware Foundation. He earned a Masters degree in computer security in 2018 from Ruhr University Bochum and has previously worked on GnuPG and Sequoia PGP.

Embedded systems can be challenging to analyze. Especially on automotive systems, many things that we take for granted on other software such as debugging and tracing do not always work. This is further complicated by watchdogs and peripheral processors, that go haywire when strict timing and communication requirements are violated. On some systems, debugging is even impossible because debugging resources such as pins are either used for something else or they don’t exist at all!
Assuming that code can be dumped, the solution for this can be emulation, however emulating a rich automotive system can be painful and many times, only few aspects of the system can be sufficiently modeled.
What if there was an in-between? How can we debug, fuzz and tamper embedded firmware without access to real-time debugging or emulation?
In this talk, I will show a tool that uses a simple but smart binary instrumentation method and a new, pythonic assembler to automatically patch large firmware binaries, enhancing them with interactive backdoors, as well as function- or basic-block trace capabilities.
Along the way, I share some tricks that can be used to make targets easier to work with (regardless of whether they’re being instrumented) and explore further applications outside of the automotive realm for the tool, which is released specifically for DeepSec.

The talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems.
Classic LoL detection mechanisms are noisy and somewhat unreliable, since the high number of False Positives makes it hard to keep track of what is of interest from the perspective of security analysists. So, we made a robust, dynamic, high confidence open source project to fix this!

Living of the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this:

• Experts tend not to reinvent the wheel

• Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk)

The talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems.
Most of the AV vendors do not treat the command itself (from a syntax and vocabulary perspective) as an attack vector. And most of the log-based alerts are static, have a limited specter and are hard to update.
Furthermore, classic LoL detection mechanisms are noisy and somewhat unreliable:

(a) they are dependent on the experience of the SME (Subject Matter Expertise) that creates them;

(b) they generate a high number of False Positives (because of the thin line in terms of tools and syntax between sysadmin operations and attacker operations);

(c) their rules grow organically, to the point where it is easier to retire and rewrite rather than maintain and update.

So, we made a robust, dynamic, high confidence project to fix this! We used Open-Source data, real incident data, a handful of Adobe's SME and a lot of research and engineering.
The presentation covers why it is hard to detect LoLs, the feature engineering used in our approach, comparison between different classifiers as well as hands-on experience using our library and integration into one of our previous open-source projects called One-Stop-Anomaly Shop (OSAS - https://github.com/adobe/OSAS). Additionally, we also discuss why OSAS and the LoL classifier are complementary solutions and how evading one will lead to being detected by the other.

*This project is scheduled to be open-sourced in August 2021.

Monitoring log data for traces of malicious activities has proven to be an effective method for incident detection in cyber security. State-of-the-art detectors thereby frequently apply signature-based detection, meaning that these tools search for specific strings or tokens from threat intelligence databases that are known to correspond to particular attacks.

Unfortunately, signature-based detection is vulnerable to already simple forms of evasion techniques, and certainly insufficient to disclose previously unknown attack techniques. As a consequence, tools such as the AMiner provide a complementary line of defense by leveraging anomaly detection techniques that make use of machine learning to automatically learn a baseline of normal behavior and detect deviations from the generated models as suspicious activities that possibly relate to attacks.

The log processing pipeline of the AMiner consists of several configurable modules. First, light-weight parser models extract relevant information, such as timestamps, IP addresses, and usernames, from all kinds of logs, including access logs, audit logs, application logs, and more. The AMiner subsequently applies analysis techniques on the parsed data to learn a baseline of normal system events and their properties. On top of that, configurable detectors discover any deviations from this baseline, including detection of new values and value combinations, unusual character distributions of values, changes of event frequencies such as spikes or missing events, violations of expected correlation and sequence rules, as well as detection based on statistical distributions of values and event occurrences, among many others. All disclosed anomalies are eventually reported to security analysts for review and remediation through several interfaces, including message queues to store anomalies in databases or visualize them in SIEM dashboards.

In our talk we will present a broad overview of the AMiner and explain its modules with the aid of several use-cases and hands-on examples.

If you are the kind of person who enjoys talks with practical information that you can immediately apply when you go back to work, this one is for you, all action, no fluff :)

“Hacking Modern Desktop apps: Master the Future of Attack Vectors” is a desktop app security talk that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your desktop app security auditing kung-fu to the next level. It covers attacks and mitigation against desktop apps on Linux, Windows and Mac OS X. The talk focuses on Electron but the techniques covered will be helpful against other desktop platforms, as well as CSP bypasses and other web security techniques. In this talk we will cover the following topics:
● Essential techniques to audit Electron applications
● What XSS means in a desktop application
● How to turn XSS into RCE in Modern apps
● Attacking preload scripts
● RCE via IPC

Come and join us for this 50-minute hacking session, we’re sure you’ll leave with a thirst for more!

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified digitally with the pandemic accelerating connectivity. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs: teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge and 2021 police protection.

All modern control systems have brought a greater security risk for the whole society. While adding value to the business, one must accept  the compromise attached to it. The talk here is going to highlight all the security assessment types needed to perform to minimize the vulnerabilities that attackers can use to exploit the ICS environment across the globe. We will talk about ICS components (Control systems, PLC, RTOS, IEDs) and ICS attack surfaces (network Protocols, Maintenance interfaces, Radio frequency communication, Field devices) and outline the methods to mitigate the threats.

For anyone in IT and IT-security, there seems to be no way around Kubernetes. Containerization has changed the way software is developed, deployed, and operated. Microservices is the new paradigm. Many information security teams around the world, who see the adoption of Kubernetes and microservice-architectures in their organization, discuss just now: What does containerization and Kubernetes mean to security and how to fit this technology into our existing architectures and processes?

In this talk we will dissect the various components of Kubernetes and how they work technically under the hood. We will investigate common pitfalls and how they could be exploited to gain privileges, take over components or compromise the whole cluster and learn how to avoid these issues.

But let’s not only talk about the risks. There are also new chances for more security with containers and Kubernetes in contrast to previous deployment models and technologies. But only when it’s done right!

Ransomware is a piece of code that is written by an attacker to encrypt the victim’s files.
Even though they have been around for many years, the popularity has increased since the outbreak of Wannacry which shook the whole cyber world.

When the logic of the ransomware code is observed we can see a common pattern here. It is similar to how humans interact with the system. I.e, to access the files, the code has to access the Logical drive first. Here each logical drive is assigned a letter by the operating system. For example, when a code has to access the files in D drive, it has to access the drive ‘D’ first.

What if there is a logical drive in the system which doesn’t have any letter assigned to it.
Well, now it is harder to access the files, because the ransomware code is written to access the drive with the assigned letter. This is where most of the ransomwares fail to encrypt the data.

Guess what? The audience will witness what ransomware can not encrypt. Yes you heard it right! Can not!
Can this be a solution for the basic users to backup important files from being encrypted ?
We will see what an attacker might do in the future when ransomware encounters this situation.

Deep overview of a tool used by the Chinese nation-state APTs based on a real-life Incident Response case with a big industrial company. Investigation yielded the presence of PlugX in the infrastructure. This presentation gives a full overview of the tools functionality, its past versions, and nowadays usage (Thor is a new version of plugX). We show why it is hard to find and why it's important for big industrial companies. And also we talk about our assumption that all recent big attacks - first Sunburst and then Exchange exploits (proxylogon related to Hafnium) are links of one chain.

In some organizations 2nd Line of Defense functions are kept in the ivory tower, far away from the machine room and the real security issues the company faces. These functions and their deliverables, e.g. the developed and maintained policy and framework, might be used to manage compliance and feed regulators. But are these outcomes valuable? Is their implementation design- and operationally effective? Do they support the security organization to thrive and prosper?

After Deutsche Börse Group revised their security organization, the 2nd LoD function IS Assurance was established. The function, its framework, the grading approach, the assessment plans, and the validation methods for evidences were developed from scratch – with the holistic target to further improve the security organization.
Within a short period of time the function was able to assess the first security process and generated an overview over the design- and operational effectiveness of the verified subject. Here IS Assurance became a trustworthy partner for the 1st and the 3rd Lines of Defense.
This talk introduces the implemented IS Assurance function of the Deutsche Börse Group, gives insights into lessons-learned and challenges, and demonstrates a model to grade the operational effectiveness with practical details.

By using cache poisoning to store arbitrary data, public web caches can be utilized as open ephemeral storage to facilitate anonymous and evasive communication between network clients.

Malware analysis is a key phase to extract IOCs like domains, ip, mutex and other signatures. What if malware knows what online sandboxes look for and what tools look for, decides to "showcase only 90%" and hide the rest? Well, Memory forensics comes to our rescue. This was tried and tested with a lot of samples during the pandemic phase and was aided in extracting a lot of hidden process, domains, urls and even ip. This is what the talk covers:

1. Talk about the traditional malware analysis process
2. Introduction to memory forensics and why
3. Introducing tools like Volatility and Rekall
4. Running Orcus RAT, Agent Tesla and Sodinobki Ransomware malwares using traditional methods like Any.run online sandbox and malware runs
5. Playing a game by capturing memory of the infected machine by invoking WMI module and suspending the machine
6. Tracking malware, bypassing malware hooks and executing wmic command to hibernate the machine
7. Obtaining the hyb.sys file and performing memory forensics
8. Extracting hidden process, spotting dll injection, dumping process memory and extracting IOCs like ip and urls
9. Voilá, we win !

Incitement, radicalization, and terror are the buzzwords that currently concern us the most. Right-wing and left-wing extremist groups or religious fundamentalists act as fire accelerators for extremist tendencies, even leading to the use of political violence. In this way, they can also endanger the value-based foundations of democracy in the medium and long term.

Although much discussed, the role of the media, especially social media, in radicalization within society remains conceptually and empirically unclear. While there are several case analyses based on violent events, systematic studies have yet to be conducted. To fill this gap, the COMRAD project is dedicated to researching radicalization tendencies in cyberspace, focusing on psychosocial, ideological, and communicative conditioning factors. The focus is on the "open space" of politically left-wing, right-wing, or Islamic Facebook groups, in which recruitment strategies and camouflage techniques of extremist actors overlap. In addition, the project pursued as a methodological goal the development of a category system with the help of which conventional content analyses can be carried out on the net and used to optimize automatic content analyses.

The presentation will introduce the methodological concept RADIX, which operationalizes push and pull factors of radicalization such as segregation, worldview, moral outrage, and hostile language. Using RADIX, a total of 11,500 posts were analyzed with human coders and compared to results from automated analyses. Using structural equation modeling, it is possible to quantify the strength of the relationship between radicalization factors and use it to predict radicalization processes in defined Internet samples. Methodological and substantive consequences for radicalization research are discussed.



Attacks on service providers and software vendors are starting to become a huge problem for society.
Which begs the question: Why is that and is there anything we can do about it?
The fact of the matter is: We have been building a house of cards higher, more complex and faster than ever before - sometimes blissfully unaware that the foundation has started to give.
And our answer so far has been: "Build faster".
Therefore, IT in general and security in particular, has a problem. Can we turn that around? Maybe. Let's talk.
We will look at some of the fundamental issues that have been years in the making and that will take the most work to get right.

The information technology community changes fast. Life-cycles of code and hardware are short. Sometimes the way we work also changes. Enter the wonderful world of manifestos and trends. Sitting in silos doesn’t work for the modern full stack developer and administrator. This presentation intends to illustrate how changes in infrastructure management and software development affect the field of information security.

The purpose of this presentation, it was to execute several efficiency and detection tests in our lab environment protected with an endpoint solution, provided by CrowdStrike, this document brings the result of the defensive security analysis with an offensive mindset using reverse shell techniques to gain the access inside the victim's machine and after that performing a Malware in VBS to infected the victim machine through use some scripts in PowerShell to call this malware, in our environment.
Regarding the test performed, the first objective it’s to simulate targeted attacks using a python script to obtain a panoramic view of the resilience presented by the solution, with regard to the efficiency in its detection by Signatures, NGAV and Machine Learning, running this script, the idea is to use the reverse shell technique to gain access on the victim's machine. After the execute this attack, the the second objective consists in perfoming the PowerShell Script to run this script, to download a VBS Malicious file on the victim's machine and execute itself, calling this malware provided through Malwares Bazaar by API request.

The purpose of this presentation, it was to execute several efficiency and detection tests in our lab environment protected with an endpoint solution, provided by CrowdStrike, this presentation brings the result of the defensive security analysis with an offensive mindset using reverse shell techniques to gain the access inside the victim's machine and after that performing a Malware in VBS to infected the victim machine through use some scripts in PowerShell to call this malware, in our environment bypassing some components and engines, such as: Malware Protection - Associated IOC (Command entered in script), Suspicious Processes, File System Access, Suspicious Processes, Suspicious Scripts and Commands, Intelligence-Sourced Threats, among others..