Loading…
BruCON 0x0E has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Thursday, September 29
 

08:30 CEST

Registration
Thursday September 29, 2022 08:30 - 10:00 CEST
00. Lounge

09:45 CEST

BruCON Opening
Thursday September 29, 2022 09:45 - 10:00 CEST
01. Gouden Carolus

10:00 CEST

Adaptive Adversaries
The industry has come a long ways in a short time in regards to understanding attack patterns and the ability to defend organizations. In 2011, David gave a talk on Adaptive Penetration Testing at DerbyCon and how we needed to understand an organization and craft our attacks based on the defenses of the organization for high levels of success. This talk went into how attacker methodologies would evolve over time and focus more on targeted attack vs. mass commodity In 2011, organized crime really hadn’t kicked off or had the high level of success it does today. When we look at the defenses we have – its through crowd sourcing breach data, various TTPs, and building defenses against known attacks. In this talk, we’ll dive into how adversaries capabilities ranging from novice to some of the most advanced that have adapted their techniques and what to expect on the horizon. This talk will dive into what we need to do to evolve to our next level, and most importantly how to build better defenses that aren’t heavily reliant on previously identified attacks.

Speakers
avatar for David Kennedy

David Kennedy

David Kennedy is founder of Binary Defense and TrustedSec.  Both organizations focus on the betterment of the security industry.  David also served as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC... Read More →


Thursday September 29, 2022 10:00 - 11:00 CEST
01. Gouden Carolus

10:00 CEST

ICS and IoT Village
Thursday September 29, 2022 10:00 - 18:00 CEST
03. Maneblusser

10:30 CEST

Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes
Limited Capacity filling up

Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. How can you help empower your engineering counterparts to ship software quickly and securely?

An increasingly popular answer is secure defaults - make it easy to do the secure thing, and hard to do the insecure thing, whether that’s parsing XML files, interacting with the database, authorization, or any other security-relevant functionality.

Done properly, secure defaults (also called “guardrails” or building a “paved path”) can effectively eliminate classes of vulnerabilities from ever occurring in the first place, effectively scaling your security team. The power of secure defaults have been praised by established companies like Netflix, Google, Facebook, and Microsoft as well as rapidly growing mid-sized companies and even start-ups.

Security maturity frameworks such as BSIMM, OWASP SAMM and NIST SSDF indicate that the most mature and efficient security programs will tailor these secure defaults to their organization. Many security tools allow such customization, but they are not all created equally. With Semgrep creating custom rules is done in a simple YAML format and the first rule can be written within several minutes.

This workshop will teach you:
• Why the current approach to software security is not working to reduce vulnerabilities
• Why developers should be considered early and often in the SDLC
• How a paved security path for developers can create a higher standard of secure code, without compromising speed of delivery
• How to enforce security best practices unique to your organization (for the workshop we will be using the open source static analysis tool Semgrep)

This workshop will be part big picture ideas and best practices, and a lot of hands on examples and demos. You’ll leave with some insights, open source tools, and actionable tips to get started immediately.

Speakers
avatar for Claudio Merloni

Claudio Merloni

Claudio is a veteran security expert. After completing his Master in Computer Engineering at the Politecnico di Milano University, he started a now more than 15 years long journey in the security space. Security consultant first, then moving through different roles, from technical... Read More →
avatar for Pieter de Cremer

Pieter de Cremer

Pieter De Cremer is a long-time security enthusiast. He joined Secure Code Warrior as part of an internship in 2015. During his master he continued to work at this company and wrote more than 100 rules for Sensei, their IDE security plugin. During this time he was closely involved... Read More →


Thursday September 29, 2022 10:30 - 12:30 CEST
05. Boscoli

10:30 CEST

Strings: An In-Depth Look
Limited Capacity filling up

Strings analysis consists of extracting readable strings from binary files. It's a simple reverse-engineering technique, applicable to malware analysis too.
And although a lot of malware is obfuscated, strings analysis can still be valuable.
For example with sophisticated Excel 4 macros, that employ complex string obfuscation to hide the URL from which they download their payload. In these documents, the cleartext URL can be cached and easily retrieved.

Didier Stevens has developed several tools to help with strings analysis, because it is a simple technique that everyone can learn.
That's the advantage of strings analysis: it's a simple technique, that can easily be explained and understood.
The disadvantage: if the strings are obfuscated, we can try some simple tricks to deobfuscate them (like with tool xorsearch), but that's as far as it goes.
There is a lot to learn about strings analysis. For example, how to Pascal strings in malware written in Delphi.

In his typical style hands-on no BS-style, Didier Stevens will lead the participants through many exercises, learning to discern meaningful strings. Because with strings analysis, the problem is not extracting strings, but detecting the strings that are meaningful in the context of the analysis.

For this workshop, Didier Stevens is also working on new and updated tools to facilitate strings analysis.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.

Speakers
avatar for Didier Stevens

Didier Stevens

Didier Stevens (Microsoft MVP, SANS ISC Handler, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community.You can find his open source security tools on his IT security... Read More →


Thursday September 29, 2022 10:30 - 12:30 CEST
04. Het Anker

11:00 CEST

I am become loadbalancer, owner of your network
In the last few years, a slew of high-profile, most critical remote code execution vulnerabilities have been found, disclosed and then promptly exploited en-masse against the category of networking hardware known as load balancers. These devices primarily serve to distribute traffic across server farms & offload SSL processing; they cost between $40k-$250k per device and are largely viewed as black box systems due to restrictive licensing, proprietary hardware and a lack of transparency from the vendors into the guts of the systems. They run at the borders and cores of most cell carriers, banks, Fortune 500 companies, ISPs and some cloud providers.

Since many of these devices function not only to balance traffic, but as VPN concentrators, WAFs and SSL proxies, they are generally installed in high-access parts of the network. Due to their mission criticality, they also frequently run outdated vendor code and, even worse, the Linux/BSD based operating systems they use are generally numerous versions behind current and due to the proprietary nature of their code, one does not simply 'apt get upgrade -y'. Since they all run Linux/BSD as the management OS, once you've breached one with an 'exploit that fits in a tweet' the environment is ripe for lateral movement, persistence and further exploitation using commonly available open source tools.

In this talk, I will lean on a decade of experience working for one of the most prominent load balancing vendors and teach you the architecture, how the devices operate, how they're deployed, what their management plane looks like and the access it affords you post-breach. You will also learn how to avoid common mistakes which can interrupt traffic processing, trigger device failures and otherwise give away your presence on the system. While this talk will focus on a specific architecture, all vendors use essentially the same design concepts so the information is applicable across most platforms. Additionally, armed with an understanding of the designs you'll be able to use freely available vendor documentation to hone & tune your post-exploitation shenanigans across other load balancing products.

While this talk is primary aimed at offensive operations, the information provided can also be leveraged by defenders to harden their environments and provide guidance on DFIR operations post-breach.

Speakers
avatar for Nate Warfield

Nate Warfield

Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects... Read More →


Thursday September 29, 2022 11:00 - 12:00 CEST
01. Gouden Carolus

12:00 CEST

Lunch
Thursday September 29, 2022 12:00 - 13:30 CEST
00. Lounge

13:30 CEST

DNS as Criticial Infrastructure - do youknow where your domain is ?
The domain name system, or DNS, is a critical component of the Internet ecosystem we use. Almost every single transaction and connection from email to online commerce makes use of DNS as an initial  a fundamental step. While the primary purpose in the eyes of the public is to mask the complexities of host addressing, it’s use has evolved to be critical for a whole lot more – one of the oldest and arguably the second most important component being its foundation for email delivery though the use of MX records.  In recent years we have seen the introduction and gradual adoption of several security measures rooted within and implemented by extending the DNS protocol.  These include DNSSEC, SPF, and more recently CAA. In essence the global domain Domain Name Systems should be regarded as critical infrastructure. However, for many organisations, especially those reliant on hosting providers, ISPs or MSPs, despite the requirement for functional DNS, the deployment and operation of the servers (as outlined in RFC 2182) and associated domain zones, are often neglected. This may be due to the ‘care and feeding’ been seen as 'too complex', mundane or unexciting in comparison to more exciting areas with ‘Cyber operations’ such as Threat Intelligence, Malware Analysis and ML/AI based security solutions.  The irony is these all have a strong dependence on DNS!

This talk has a dual focus initially presents an overview of the state of DNS operations for several ccTLD’s and in comparison, with top domains globally. A concern worth raising particularly considering the Global sanctions on the Russian Federation is to consider – where is ones DNS hosted physically and logically, and who has control? An evaluation of risk, particularly the dependency on key providers (for example about a third of the .no domains surveyed are hosted by a single provider), as well as adherence to good practice is presented.

The secondary part of the talk presents several short case studies of the adoption rate of security functionality (primarily the adoption of DNSSEC and CAA records) within and offered by DNS for ccTLDs investigated. As appropriate these are compared with adoption rates in neighbouring ccTLDs.
From the research undertaken a number of key operational and risk management principles and associated tests are offered with a specific focus on smaller organisations to enable better compliance with current best practice.

The research was undertaken using domain lists constructed and gathered from various public sources. These were then queried over a period in March to May 2022.

Speakers
avatar for Barry Irwin

Barry Irwin

Barry Irwin started off as a Systems and Network administrator at the dawn of the millennium and tripped and fell into the security field. Finding nothing on the market that met the operational needs, he led the development and deployment of an open-source derived firewalling system... Read More →


Thursday September 29, 2022 13:30 - 14:30 CEST
01. Gouden Carolus

14:00 CEST

Securing Industrial Control Systems from the core: PLC secure coding practices
Limited Capacity full

Securing Industrial Control Systems from cyberattacks often starts by properly segmenting the network, securing remote accesses and overall focusing on traditional  “IT” cybersecurity measures. However, we can also leverage existing technology to detect and protect from cyberattacks.
The Top 20 Secure PLC Coding Practices (www.plc-security.com) is a community-led effort to identify best practices in Programmable Logic Controllers (PLC) code development that improve cybersecurity.
In this workshop, you will learn how to program a PLC and connect it to a SCADA system. You will then perform attacks on this system and finally implement a sample of the TOP20 coding practices to block or detect such attacks.
You will be provided with access to cloud VMs preconfigured with a SCADA software as well as a PLC simulator. Some demonstrations will also be performed on-site on real hardware PLCs.

The workshop is accessible to anyone, even with no prior ICS experience.

Speakers
avatar for Arnaud Soullie

Arnaud Soullie

Arnaud Soullié (@arnaudsoullie) is a Senior Manager at Wavestone, a global consulting company. For 12 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He spoke and taught workshops... Read More →


Thursday September 29, 2022 14:00 - 18:00 CEST
04. Het Anker

14:30 CEST

Glitched on Earth by humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal
The SpaceX operated Starlink low Earth orbit satellite constellation aims to provide satellite internet coverage to the whole world. The widespread availability of Starlink User Terminals (UT) exposes them to hardware hackers and opens the door for an attacker to freely explore the network.
The recent Viasat attack demonstrates a need for satellite communication security and the impact security vulnerabilities can have on UTs that are often deployed in isolated locations.

This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink UT. The UT uses a custom quad-core Cortex-A53 System-on-Chip (SoC) that implements verified boot based on the ARM trusted firmware (TF-A) project. The early stage TF-A bootloaders, and in particular the immutable ROM bootloader include custom fault injection countermeasures. Despite the black-box nature of our evaluation we were able to bypass firmware signature verification during execution of the ROM bootloader using voltage fault injection.

Using a modified second stage bootloader we could extract the ROM bootloader and eFuse memory. Our emulation based analysis demonstrates that the fault model used during countermeasure development does not hold in practice. Our voltage fault injection attack was first performed in a laboratory setting and later implemented as a custom printed circuit board or 'modchip'. Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code.

The ability to obtain root access on the Starlink UT is a prerequisite to freely explore the Starlink network. This presentation will cover an initial exploration of the Starlink network and provides some details on the communication links. Other researchers should be able to build on our work to further explore the Starlink ecosystem.

The documented attacks were performed within the scope of the SpaceX Bug Bounty program and were responsibly disclosed.

Speakers

Thursday September 29, 2022 14:30 - 15:30 CEST
01. Gouden Carolus

15:30 CEST

Coffee Break
Thursday September 29, 2022 15:30 - 16:00 CEST
00. Lounge

16:00 CEST

0wn-premises: Bypassing Microsoft Defender for Identity
Microsoft Defender for Identity (MDI) is a service that protects on-premises Active Directory identities. MDI analyses network traffic, Windows events, SIEM/Syslog and ETW data on DCs and/or AD FS servers to create user profiles and behaviour baselines that used to detect deviations from baseline and anomalies. MDI can generate alerts across phases of an attack "kill chain" - Reconnaissance, Compromised credentials, Lateral Movements, Domain Dominance and Exfiltration.

MDI detects popular attacks like Kerberoasting, AS-REP roasting, Pass-the-hash, Pass-the-ticket, Overpass-the-hash, Brute Force, DCSync, DCShadow, Golden Ticket, Remote code execution and more.

This talk focuses on TTPs that Red Teams can use to avoid generating anomalies that trigger detections. We will execute high impact attacks across the kill chain with precision to bypass or avoid MDI instance that has sensors configured and enriched in our target environment. Behold the 0wning of on-premises identities!

Speakers
avatar for Nikhil Mittal

Nikhil Mittal

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 13+ years of experience in red teaming.He specializes in... Read More →


Thursday September 29, 2022 16:00 - 17:00 CEST
01. Gouden Carolus

17:00 CEST

LOLDocs: Sideloading in Signed Office files
In recent years companies and Microsoft have increased hardening against malicious Office documents. Hence, we started a quest for unexplored Office features that could be abused for phishing. After various research directions, we identified “code side-loading in signed documents” as an innovative approach for phishing.

We identified vulnerabilities in various Microsoft signed Office add-in’s and believe that there are many more unidentified. For example, the MS Office installation comes with signed Microsoft Analysis ToolPak Excel add-ins (.XLAM file type) which are vulnerable to multiple code injections (CVE-2021-28449). An attacker can abuse the provided file (LOLFile) and embed malicious code without invalidating the signature for use in phishing scenarios.

This presentation will cover the process of finding, exploiting and weaponising this class of vulnerabilities and the complexities in mitigations.

Speakers
avatar for Pieter Ceelen

Pieter Ceelen

Pieter Ceelen is Red Teamer and Wizard with Word at Outflank.
avatar for Dima van de Wouw

Dima van de Wouw

Dima van de Wouw is Red Teamer and Offensive Developer at Outflank.


Thursday September 29, 2022 17:00 - 18:00 CEST
01. Gouden Carolus

21:00 CEST

BruCON Party
Thursday September 29, 2022 21:00 - Friday September 30, 2022 02:00 CEST
T'ile Malines
 
Friday, September 30
 

07:30 CEST

Hacker Run (10K)
Friday September 30, 2022 07:30 - 08:30 CEST
Novotel

08:30 CEST

Registration
Friday September 30, 2022 08:30 - 10:00 CEST
00. Lounge

10:00 CEST

Being a cyberdefender: behind the curtains
What does it mean to be a cyberdefender ?
What’s the true nature of the job ?

We’re going to talk about how we deal with cyberattacks in an organization, how do we manage all their impacts, and what it means to you and me as cyberprofessionnals.

Speakers
avatar for Sabine d’Argoeuves

Sabine d’Argoeuves

Sabine d’Argoeuves is currently leading the cyberdefense activities at Danone, through the CERT and SOC teams. She has around 20 years of infosec background working in securing infrastructures, PCI DSS compliance, penetration tests, and digital forensics and Incident response.


Friday September 30, 2022 10:00 - 11:00 CEST
01. Gouden Carolus

10:00 CEST

ICS and IoT Village
Friday September 30, 2022 10:00 - 18:00 CEST
03. Maneblusser

10:30 CEST

Domain Admin before lunch - A workshop on compromising organizations from the inside
Limited Capacity full

In this workshop, SANS instructor Jean-Francois Maes is going to walk over several tactics on how to compromise organizations from the inside.
Let Jean-Francois guide you on how AD authentication works and how an inside threat can abuse the flow to establish a foothold and potentially escalate privileges.
This workshop will use 3 virtual machines, which cannot be deployed to the cloud so make sure to bring a beefy enough laptop that is able to run three VMS in tandem!

This workshop will cover:
- Introduction to AD authentication (NTLM + Kerberos)
- using responder and impacket to capture credentials and relay them
- Active Directory Certificate Services
- Shadow Credentials

Speakers
avatar for Jean-Francois Maes

Jean-Francois Maes

Jean-Francois is a SANS instructor and author, primarily focused on red teaming and internal penetration testing, he teaches SANS purple and red teaming courses.Jean-Francois is also a senior researcher at HelpSystems and helps define Cobalt-Strike's roadmap.On top of his work at... Read More →


Friday September 30, 2022 10:30 - 12:30 CEST
04. Het Anker

10:30 CEST

Strings: An In-Depth Look
Limited Capacity full

Strings analysis consists of extracting readable strings from binary files. It's a simple reverse-engineering technique, applicable to malware analysis too.
And although a lot of malware is obfuscated, strings analysis can still be valuable.
For example with sophisticated Excel 4 macros, that employ complex string obfuscation to hide the URL from which they download their payload. In these documents, the cleartext URL can be cached and easily retrieved.

Didier Stevens has developed several tools to help with strings analysis, because it is a simple technique that everyone can learn.
That's the advantage of strings analysis: it's a simple technique, that can easily be explained and understood.
The disadvantage: if the strings are obfuscated, we can try some simple tricks to deobfuscate them (like with tool xorsearch), but that's as far as it goes.
There is a lot to learn about strings analysis. For example, how to Pascal strings in malware written in Delphi.

In his typical style hands-on no BS-style, Didier Stevens will lead the participants through many exercises, learning to discern meaningful strings. Because with strings analysis, the problem is not extracting strings, but detecting the strings that are meaningful in the context of the analysis.

For this workshop, Didier Stevens is also working on new and updated tools to facilitate strings analysis.

As usual, this workshop is 100% hands-on. Just a few slides, many exercises.

Speakers
avatar for Didier Stevens

Didier Stevens

Didier Stevens (Microsoft MVP, SANS ISC Handler, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community.You can find his open source security tools on his IT security... Read More →


Friday September 30, 2022 10:30 - 12:30 CEST
05. Boscoli

11:00 CEST

INCONTROLLER: New Malware Developed to Target Industrial Control Systems
Only a few times in history we have seen publicly documented malware developed to target industrial control systems (ICS). Over ten years ago STUXNET impacted Iranian nuclear centrifuges. Then INDUSTROYER turned off electric power in Ukraine and TRITON targeted the safety systems from a critical infrastructure organization. Today, a couple years later, we ran into INCONTROLLER.

INCONTROLLER is a set of novel ICS- oriented attack tools built to target specific Schneider Electric and Omron devices that are embedded in different types of machinery leveraged across multiple industries. The tools – which are very likely state-sponsored – represent an exceptionally rare and dangerous cyber-attack that contains capabilities related to disruption, sabotage, and potentially physical destruction. In this talk I will present our analysis of INCONTROLLER, its components, attack scenarios, and the implications for defenders.

Speakers
avatar for Daniel Kapellmann Zafra

Daniel Kapellmann Zafra

Daniel is senior Analysis Manager for Mandiant where he oversees the strategic coverage of cyber physical threat intelligence and coordinates the development of solutions to collect and analyze data. He is a frequent speaker on ICS/OT topics at international conferences and collaborates... Read More →
avatar for Ken Proska

Ken Proska

Ken Proska is a Senior Technical Analyst on the Mandiant threat intelligence cyber-physical team, where he leads the collection and analysis of threat detections. Prior to working with Mandiant, Ken has worked in the ICS/OT environment helping to protect and defend critical infrastructure... Read More →


Friday September 30, 2022 11:00 - 12:00 CEST
01. Gouden Carolus

12:00 CEST

Lunch
Friday September 30, 2022 12:00 - 13:30 CEST
00. Lounge

13:30 CEST

The Story Continues: Hacking Some More "Secure" Portable Storage Devices
Encrypting sensitive data at rest has always been a good idea, especially when storing it on small, portable devices like external hard drives or USB flash drives. Because in case of loss or theft of such a storage device, you want to be quite sure that unauthorized access to your confidential data is not possible. Unfortunately, even in 2022, "secure" portable storage devices with 256-bit AES hardware encryption and sometimes also biometric technology are sold that are actually not secure when taking a closer look.

In this presentation, I will talk about how a customer request led to further research resulting in several cryptographically broken "secure" portable storage devices. This research continues the long story of insecure portable storage devices with hardware AES encryption that goes back many years. With this presentation, I want to raise the awareness of security issues and practical attacks against vulnerable "secure" portable USB storage devices, and tell an interesting story.

Speakers
avatar for Matthias Deeg

Matthias Deeg

Matthias Deeg is interested in information technology - especially IT security - since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Since 2007 he works as IT security consultant for... Read More →


Friday September 30, 2022 13:30 - 14:30 CEST
01. Gouden Carolus

14:00 CEST

Automated Debugging Under The Hood - Building A Programmable Windows Debugger From Scratch (In Python)
Limited Capacity full

How do anti-debug tricks actually work? Is there a way to automate tedious debugging tasks like unpacking malware? Have you ever wondered what is happening under the hood of a debugger?

In this workshop you will build your own programmable Windows debugger from scratch (using Python). Each component in the debugger will be built as a separate module with an accompanying lab used to explain the concepts and Windows internals that support the component. In the final lab you will have the chance to test your new debugger against various malware samples and attempt to automatically unpack them, and extract IOCs.

This workshop is aimed at malware analysts and reverse engineers who are interested in learning more about debuggers and how programmable debuggers can be used to automate some reverse engineering workflows. Students must be able to write basic Python scripts, and have a working knowledge of the Windows OS.

You will be provided with a VirtualMachine to use during the workshop. Please make sure to bring a laptop that meets the following requirements.
- Your laptop must have VirtualBox or VMWare installed and working prior to the start of the course.
- Your laptop must have at least 60GB of disk space free.
- Your laptop must also be able to mount USB storage devices. (Make sure you have the appropriate dongle if you need one.)

Speakers
avatar for Sergei Frankoff

Sergei Frankoff

Sergei is a co-founder of Open Analysis. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime and is an active contributor to multiple... Read More →
avatar for Sean Wilson

Sean Wilson

Sean is a co-founder of Open Analysis. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience... Read More →


Friday September 30, 2022 14:00 - 18:00 CEST
05. Boscoli

14:30 CEST

Cyber Threat Intelligence Analysts and You: Understanding the Discipline to Optimize Cyber Defense Collaboration
The cyber threat intelligence (CTI) analyst role is arguably the most recent entrant to emerge under the cyber security career tracks with the job role, responsibilities, and skill requirements wide ranging and not well understood by organization leadership or cyber security peers. During this talk, we use the newly developed, open sourced, Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework, which outlines the predicate knowledge, skills, and abilities requirements for analysts to aptly support organizational risk exposure reduction initiatives.

We unpack the significant overlaps that exist between those in a cyber threat analyst's role and the other cyber security disciplines defined by NIST SP 800-181 to provide the groundwork for threat hunters, incident responders, red teamers, and others to understand how to optimize collaboration and support received from cyber threat intelligence analysts. We highlight the overlaps by examining the Framework's identifies 4 underpinning pillars--Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency--with a distinct focus on how acute knowledge of cyber adversary operations can empower hunters and red teams to properly perform adversary emulation when testing the security posture of an organization.

We conclude by discussing how organizations can use this framework as a guidepost to grow and shape their CTI programs; ensure proper knowledge, skills, and ability coverage commensurate to support organizational cyber security elements; and to inform future training and hiring decisions.

Speakers
avatar for John Doyle

John Doyle

Mr. Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical... Read More →


Friday September 30, 2022 14:30 - 15:30 CEST
01. Gouden Carolus

15:30 CEST

Coffee Break
Friday September 30, 2022 15:30 - 16:00 CEST
00. Lounge

16:00 CEST

In Curation We Trust: Generating Contextual & Actionable Threat Intelligence
Just like many organizations, we are ingesting Threat Intelligence from a number of different sources. Very frequently however, we notice that the data received is lacking context or generates a lot of false positives (which in turn causes alert fatigue). In this talk we would like to demonstrate how we achieved to get around this problem by setting up a MISP ecosystem backed by a number of automation scripts and processes that support us in the curation and contextualization of individual events.

This dedicated MISP ecosystem consists of multiple MISP instance and ZeroMQ scripts. In conjunction with the extensive use of the MISP tagging features and workflow procedures, we were able to set up a curation process that not only saves us a lot of time, but also provides a clean feed of directly actionable threat intelligence. A happy side effect of this setup was that it allowed us to instill a full TI feedback loop between the SOC, Incident response team and our malware analysts.

Attendees will learn how we at NVISO have set up a functional MISP architecture and operational curation process. The attendees will then be able to duplicate this setup in their own organization to ensure an optimal threat intelligence feedback loop and workflow.

Speakers
avatar for Michel Coene

Michel Coene

Michel is a senior manager at NVISO where he is responsible for the Incident Response and Threat Intelligence services. As an incident responder, Michel has been (and still is) involved in large scale incidents and forensic investigations. Additionally, Michel is a certified instructor... Read More →
avatar for Robert Nixon

Robert Nixon

Robert Nixon is a seasoned cybersecurity veteran with more than 13 years of experience in the realm of information technology and cybersecurity. He currently leads the Cyber Threat Intelligence services at NVISO as a part of the larger CSIRT Team. He specializes in Cyber Threat Intelligence... Read More →


Friday September 30, 2022 16:00 - 17:00 CEST
01. Gouden Carolus

17:00 CEST

Your Own Personal Panda: Inside the CVE-2022-1040 attack
In a series of events that began in March, 2022, Sophos learned of the bug designated CVE-2022-1040, and discovered that two different APT groups were exploiting the devices to install malware, and exfiltrate sensitive information. It's unclear whether the two groups were coordinating their efforts.

The exploit combined two separate vulnerabilities - an authentication bypass bug, and a command injection bug - that would have required the attacker to have deep knowledge of not-publicly-disclosed APIs and opcodes that are integral to the functioning of the devices. Using these bugs, the attackers launched a chain of commands that resulted in a few different malware families being introduced into the devices.

One APT group deployed two common malware families onto the exploited devices - GoMet and Gh0st RAT - while the other opted to create a bespoke ELF executable malware specifically for the purpose of conducting espionage on the owners' networks. The attackers also hijacked system services and processes running on the devices to listen for, and respond to, specially crafted PING packets, which do not occur "in nature" and, if received by an infected device, would open a reverse shell back-connection to an IP address of the attacker's choosing.

In this talk we will discuss the technical details of the exploit, the technical details about the common and uncommon malware they deployed, and the techniques and procedures used by the APT actors to evade detection and blend in to their network surroundings.

Speakers
avatar for Craig Jones

Craig Jones

Craig leads Sophos’ Global Security Operations Center, focussing on automation and sophisticated detection to protect Sophos Infrastructure, Applications and Users. He leads a world class team of Security engineers and incident responders tackling cyberthreats to Sophos and cus... Read More →


Friday September 30, 2022 17:00 - 17:30 CEST
01. Gouden Carolus

17:30 CEST

BruCON Closing
Friday September 30, 2022 17:30 - 18:00 CEST
01. Gouden Carolus
 
  • Timezone
  • Filter By Date BruCON 0x0E Sep 29 -30, 2022
  • Filter By Venue Mechelen, Belgique
  • Filter By Type
  • Lounge
  • Social Event
  • Talk
  • Village
  • Workshop


Filter sessions
Apply filters to sessions.