Talk Submissions and Voting for BSides London 2020


Voting closes at midnight on 24th of March, 2020. Please ensure you have voted by then.

There are over 80 talks on offer and we recommend you take the time to read through the abstracts. At the bottom of the page is the form to vote with. Please score at least 10 of the talks to your preference. Please score the talks you would like to see from 1 to 10 (10 being the highest).

This year the submissions will be presented anonymously. This was both requested by some of the speakers and decided by the CFP board.
Click on a title of a talk to see the abstract.

In order to vote you need to provide your email address and your ticket number or hotel booking reference. We recognise that a large number of you are looking to pick tickets up on the door, so the ticket number is not compulsory to vote - but we do ask that only those planning to attend actually vote.

If you want to go straight to the voting form, click here (it will open in a new tab).


Abstract:

I had to deal with cancer in 2018-2019. I tried to keep working, to make a little effort to keep my contacts and knowledge up to date. While sick, while fighting to keep smiling. I got better. I got fired for being sick and high risk for the company. Meanwhile the industry friends and contacts kept me sane and helped me keep the hope. One of the people with a lot of understanding for this situation was Mike. It is not fair that some of us don't make it. But never lose hope. Once I got fired I ended up at a better place, with people who are equally motivated to learn more and to have fun in their work. My talk invites the people in our industry not to be afraid to ask for help and not to be afraid to be honest when there is need for a shoulder to cry on.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for General interest
This talk has not been presented at other conferences and it cannot be filmed and released.
Abstract:

Many have aspirations to get into the information security game. They wonder long and hard about how to do that. Many struggle to survive once in the information security game, for a variety of different reasons. And then ultimately, some people feel the need to call time on their career and they often face a different set of challenges entirely, once the game is no longer right for them. In this talk, the group discuss these three concepts, provide real-world examples and also some practical advice around succeeding in the game of... Win, Lose or Cyber. As ever, there’ll be music and humour, as well as a sensitive look at some of the issues people face regularly.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Having delivered security consultancy as part of Portcullis/Cisco for over 15 years, I've seen a variety of shades of broken. Since I recently spent some time on secondment to one of our customers to help them design, build and operationalise security as part of their digital transformation programme, I got to thinking: what would I do if I wanted to get projects delivered right? With apologies to grsec, Jericho Forum, BeyondCorp and Trusted Computing, what followed was part philosophy, part technical brain dump, the result being my take on security engineering and how to build defensible systems. This talk includes the following hits:

  • Helping the blue team – a case study in 3 parts...
  • Static passwords – why the hell are we still using them?
  • Vulnerability management – didn't we say blacklists were bad?
  • Forget about penetration testing – what are your controls?
  • Is there another way to report – why don't businesses listen to us?
  • Monetising MITRE – can we make money out of CVEs?
I'll go into:
  • Case studies of my approaches to enabling the blue team whilst doing offensive research
  • Why these failed, looking at some obvious gaps in engineering and how we should change our approach
  • How Cisco are using economic analytical models to deliver our message more effectively
  • How we should be applying economic analytical models to communicate more effectively to the C-Suite
  • What this means for offensive, technical practitioners
  • How we might take this a step further and use data analytics to leverage existing data and build better threat intelligence
  • Using quantitative risk analytics as a technical practitioner.
Takeaways will include:
  • Blue teams will continue to have a hard time
  • We can only engineer better systems if we truly understand what's wrong with those we already build
  • Justifying change is about more than technical impact
  • FAIR is just a methodology, you need the maturity to apply it
  • Don't stop testing and patching
  • But…
  • Consider both the cost and value of your efforts

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

ATT&CK is a game changer and where it works, it can enable both blue and red teams to co-exist and work effectively together. However, what happens when it falls short and the threat intelligence and hypotheses don't exist? How do you build threat intelligence and threat hunt hypotheses from first principles? What do attackers on UNIX do when bitcoin miners aren't their motivation? This talk looks at:

  • Why we were interested in UNIX associated threat groups
  • Our hypotheses
  • How we validated our theoretical scenarios through the use of OSINT, binary analysis and an understanding of what living off the land might look like outside of Win32
  • How we're leveraging this analysis on real world scenarios for our customers to help defend against the threat groups they face
  • Developing telemetry and building SOC and IR playbooks to cope with obscure platforms
I’ll go into:
  • The target I chose and why – we have ~40 years' experience looking at UNIX from an offensive standpoint, why wouldn't attackers?
  • Building a collection worksheet and the information you'll need to track
  • Figuring out what TTPs the bad guys are using to attack UNIX when no-one has documented them previously – faced with a lack of DFIR reports, how do you validate your hypotheses?
  • Working out whether your customer is exposed and why this matters
  • Translating concepts we see in the wild into things our customer can consume
  • What this means for users of ATT&CK
Takeaways will include:
  • Just because we're not looking for the bad guys, doesn't mean they're not there
  • Attackers will use the easiest TTP that gets them to a root prompt
  • Here are some IOCs you ought to watch out for on UNIX
  • If you're running adversary simulations, here are some non-Windows TTPs you should consider
  • If you're playing defence, this is how you develop behavioural IOCs and tools to leverage them

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

With thousands of new attacks occurring daily, impacting all aspects of our lives, ransomware has proven to be a major crime by itself. High profile attacks like WannaCry and NotPetya, as well as the hundreds of other ransomware families seen in the wild, have caused huge amounts of damage both financially and reputationally.

Yet with so many ransomware families out there, there has been very little research into the common traits of ransomware. A SOC would benefit not just from implementing rules but from understanding the TTPs behind how the malware works, especially with those TTPs aligned to MITRE ATT&CK.

This talk covers a methodology to use the MITRE ATT&CK framework for mapping ransomware and its TTPs to produce easily comprehensible visual graphs and to give clarity to what ransomware is actually doing in real terms.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Cyber threats are all around us and some threats manifest in hours - malicious actors registering a typo-squatting domain, a certificate registration for that domain followed by the arrival of phishing emails - all can happen in a matter of minutes. This presentation explores the "cyber threat intelligence long game", the global trends of climate change, resource scarcity and criminal actors who are ready to exploit those trends. As the physical world moves closer to the digital world these long term trends could have cyber impacts, cyber consequences and potentially apocalyptical cyber results for unobservant and unprepared organisations.

Since 2015, I've been thinking about the physical changes in our world as a result of global climate change and the intersection of the physical world and cyber world. It's my belief and passion that IT security professionals need to exist in both worlds - the physical and the cyber. This existence is necessary to fully understand organisational risk to impactful threats. As our planet becomes more hostile to human and electronic "life", where organisations decide to move, how staff live and work and what accommodations are required for organisational resiliency become the domain of intelligence professionals educating risk professionals and the larger business.

Some of those accommodations manifest themselves in simple ways: Data centres that are located above flood plains, greater employee remote working capabilities (and the cyber threats that come along with that) and perhaps HVAC systems with greater capacity to deal with larger temperature capacity.

For IT security professionals, understanding the exposure and the vulnerabilities and warning their organisations about threats is business as usual. What is not business as usual is applying the same analytical threat models we use against malicious cyber actors against an increasingly hostile physical world. The intention of this presentation is to build awareness of the long term threats, the cyber consequences of climate change including massive population migration, and the strategic planning opportunities which IT security professionals can make for improvements to long-term planning, organisational resiliency and prosperity. The "long game" may be the most malicious cyber actor an organisation has ever faced.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Techie or general geek, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

My talk will focus on the importance of DevSecOps and the art of embedding security into the software development lifecycle. I was a software developer for 8+ years in my past life and am currently best described as a security researcher / ethical hacker, so I have sat on "both sides of the fence".

Software developers can accidentally leak sensitive information, particularly secret keys for third party services, across code hosting platforms such as GitHub, GitLab and BitBucket. These secrets — including the data they were protecting — end up in the hands of bad actors which ultimately leads to significant data breaches. Much like we saw with the Capital One data breach earlier last year, the Canadian banking giant Scotiabank screw-up, and the Uber 2016 data breach.

To realise this threat and bring it to life, I created an open source research tool called shhgit. It will watch real-time code commit streams from GitHub, GitLab, and BitBucket and pull out any accidentally committed secrets. These secrets include over 120 common patterns, such as usernames and passwords in URIs (e.g. https://username:password@database.com:5432), Amazon AWS API keys, Google OAuth keys, Slack Webhook URLs, SQLite databases – to name a few. After running my tool over a 48 hour period I was able to identify 1,351 usernames and passwords in URIs which included sensitive database instances (e.g. Postgres, Mongo), 117 Amazon AWS API keys, 231 Google OAuth keys, 139 Slack Webhook URLs, 33 SQLite databases – to name but a few.

What I wasn't expecting to find was valid package manager API keys, i.e., npm for Node.js; PyPI for Python; and NuGet for C#. The total number of downloads for these packages is in the millions. And the majority of these keys had publishing permissions. Meaning a bad actor could embed malicious code into the packages, re-upload them without detection, and potentially infect millions of devices.

Leaking secrets across public code repositories is not a new threat. It has existed since the launch of GitHub and other services over 10 years ago. And from the recent data breaches the implications are clear: reputational damage and huge fines from regulators. But we — pen testers, software developers, team managers, and organisations as a whole — should be doing more to protect our systems and data.

  1. Ensure secrets don't end up in your code base in the first place. They should be a part of your environment. At a minimum, config files should be encrypted with an environment-based key. The Travis CI docs have a great guide on this.
  2. Use automated tools such as git-secrets to prevent secrets being committed.
  3. Provide training - and equally take the initiative to seek out training — on best practices and secure coding standards and guidelines
  4. Make sure you are across your vendors who are developing code or apps for you. Ignorance isn't good enough. Ask the right questions.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
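Added example for the secret-leak scanning described above. This is my illustration, not shhgit's code or the speaker's: a signature scanner of the same shape run over a constructed commit fragment. The three patterns are a tiny subset of what such tools carry, the hostnames are placeholders, and the AWS key is the placeholder key AWS's own documentation uses.

```python
import re

# Constructed sample lines standing in for a live commit stream (not real secrets;
# the AWS key is the placeholder from AWS's own documentation).
SAMPLE_COMMIT = """\
+DATABASE_URL=postgres://app_user:Sup3rS3cret@db.example.internal:5432/prod
+MONGO_URI=mongodb://svc:hunter2@mongo.example.internal:27017/orders
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+PUBLIC_URL=https://docs.example.com/getting-started
+# TODO: password rotation is handled in vault, not here
"""

# A small subset of the kinds of signature a shhgit-style tool carries (illustrative).
PATTERNS = {
    "credentials_in_uri": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
}


def redact(kind, match):
    """Never log the secret itself: keep enough to triage, mask the rest."""
    if kind == "credentials_in_uri":
        return re.sub(r"://([^\s/:@]+):[^\s/@]+@", r"://\1:***@", match)
    return match[:8] + "..."


def scan(text):
    """Return one finding per (added line, pattern) hit, with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.startswith("+"):          # only lines the commit adds
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"kind": kind, "line": lineno,
                                 "value": redact(kind, m.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMIT):
        print(f"line {f['line']:>3}  {f['kind']:<20}  {f['value']}")
```

Masking the match before it is written anywhere matters: a scanner that logs the secrets it finds just moves the leak. The same scan() run over `git diff --cached` in a pre-commit hook is the "prevent secrets being committed" control from point 2 above.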
Abstract:

Updated with new information since the last time it was presented, this talk takes a look at how different OSINT sources can be used to learn more about a target or your own organization, with a look specifically at North Korea's public infrastructure. Starting out it will cover basic reconnaissance and how to discover servers, domains, open ports, and the services running on them. From there we start to dig deeper and take this information to further pivot and find more information. This includes user and contact information, leaked information, and even image analysis to examine whether or not what is posted online is really real.

We then take a further look at some potential North Korean malware, actual North Korean malware, their state sponsored operating system, and some other interesting software. Everything wraps up with a look at how users can leverage social media to find things they shouldn't and a look at a few misconfigurations that have been found on North Korean servers that provided some interesting information.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

The majority of SIEMs are configured for analysis of 4624 and 4625 event codes to detect authentication issues such as account lockouts, brute forces, RDP abuse etc. But there is so much more that can be done to enrich the data from them! Detect password sprays, permission abuse and compromises, uncover user passwords and most importantly.... hunt the lateral movement of an attacker! Both from machine to machine and which accounts they are potentially abusing.

By the time the talk is done, you should be able to configure a Splunk dashboard to track a user's lateral movement in an easy human readable format, list likely compromised accounts, and give your stakeholders the confidence that you know where an attacker has been..... and you can do all this from one or two dashboards.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
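Added example, not the speaker's dashboards: the same two hunts (a password spray followed by a hit, and hop-by-hop lateral movement) expressed over constructed 4624/4625 events in Python rather than SPL. The event data and the hostname-to-IP inventory are invented for the demo; the LogonType meanings are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log events, reduced to the fields a SIEM indexes from
# EventCode 4624/4625: time, code, logging host, account, LogonType, source IP.
# Not real telemetry. LogonType 3 = network, 5 = service, 10 = RemoteInteractive (RDP).
EVENTS = [
    ("2020-03-01T09:00:01", 4625, "FS01",  "alice",      3,  "10.0.1.10"),
    ("2020-03-01T09:00:02", 4625, "FS01",  "bob",        3,  "10.0.1.10"),
    ("2020-03-01T09:00:03", 4625, "FS01",  "carol",      3,  "10.0.1.10"),
    ("2020-03-01T09:00:04", 4625, "FS01",  "dave",       3,  "10.0.1.10"),
    ("2020-03-01T09:00:09", 4624, "FS01",  "bob",        3,  "10.0.1.10"),   # spray hit
    ("2020-03-01T09:05:00", 4624, "FS01",  "carol",      3,  "10.0.1.50"),   # normal user
    ("2020-03-01T09:10:00", 4624, "SRV02", "bob",        10, "10.0.1.10"),   # RDP as bob
    ("2020-03-01T09:12:00", 4624, "SRV02", "SYSTEM",     5,  "-"),           # service logon
    ("2020-03-01T09:20:00", 4624, "DC01",  "svc_backup", 3,  "10.0.2.20"),   # from SRV02
    ("2020-03-01T09:21:00", 4624, "DC01",  "svc_backup", 3,  "127.0.0.1"),   # local, not movement
]
# Assumed asset inventory (hostname -> IP) used to turn a source IP into a source host.
HOST_IP = {"WS01": "10.0.1.10", "WS07": "10.0.1.50", "FS01": "10.0.2.10",
           "SRV02": "10.0.2.20", "DC01": "10.0.2.1"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def parse(raw):
    t, code, host, user, ltype, ip = raw
    return {"t": datetime.fromisoformat(t), "code": code, "host": host,
            "user": user, "type": ltype, "ip": ip}


def remote_logons(events):
    """Successful logons that arrived over the network from another machine."""
    return [e for e in map(parse, events)
            if e["code"] == 4624 and e["type"] in (3, 10) and e["ip"] not in LOCAL_SOURCES]


def spray_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Sources that failed against >= min_accounts distinct accounts inside `window`
    (a password spray), mapped to the accounts that then succeeded from that source."""
    fails = defaultdict(list)
    for e in map(parse, events):
        if e["code"] == 4625:
            fails[e["ip"]].append(e)
    found = {}
    for ip, fs in fails.items():
        fs.sort(key=lambda e: e["t"])
        for i, first in enumerate(fs):
            burst_users = {g["user"] for g in fs[i:] if g["t"] - first["t"] <= window}
            if len(burst_users) >= min_accounts:
                found[ip] = sorted({e["user"] for e in remote_logons(events)
                                    if e["ip"] == ip and e["user"] in burst_users
                                    and e["t"] >= first["t"]})
                break
    return found


def movement_chain(events, start_host):
    """Follow remote logons hop by hop from start_host in time order. A hop only counts
    if its source host was already reached, and not before the attacker got there."""
    reached = {start_host: datetime.min}
    chain = []
    for e in sorted(remote_logons(events), key=lambda e: e["t"]):
        src = IP_HOST.get(e["ip"], e["ip"])
        if src in reached and e["t"] >= reached[src]:
            chain.append({"t": e["t"].isoformat(), "user": e["user"], "src": src,
                          "dst": e["host"], "type": e["type"]})
            reached.setdefault(e["host"], e["t"])   # first arrival time on that host
    return chain


if __name__ == "__main__":
    print("spray sources -> accounts they got into:", spray_sources(EVENTS))
    for hop in movement_chain(EVENTS, "WS01"):
        print(f"{hop['t']}  {hop['user']:<11} {hop['src']:>5} -> {hop['dst']:<5} (type {hop['type']})")
```

The time ordering is what keeps the chain honest: a logon from SRV02 only joins the chain after the attacker has a logon onto SRV02, and local/service logons (types 5, sources "-" and loopback) never count as movement. Without a host inventory the IP_HOST lookup falls back to the raw address, which is still enough to draw the graph.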
Abstract:

Hundreds of vulnerabilities are getting disclosed each week and the number of CVEs has been exploding for the past few years. When a new vulnerability comes out, the usual questions from management are: "Are we impacted? If so, how many servers/apps are vulnerable to X?". We developed "ChopChop", an internal tool aimed at solving problems around vulnerability detection/regression. ChopChop aims at providing a fully-featured scanner allowing you:

  • to easily scan your webapps
  • integrate new plugins (aka new vulnerability checks/signatures) without pain.
  • get pragmatic results in terms of security
We created this tool back in 2017 at Michelin, integrating popular checks (e.g. non-interpreted .htpasswd, .git folder accessible in the webroot, wildcard in crossdomain.xml, ...), and it is now one of our go-to tools, also integrated inside our CI/CD pipeline in order to tackle security as a whole.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
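Added example written for this page, not ChopChop's own code: a plugin-style web scanner with the three checks the abstract names, where adding a signature is adding one tuple. To keep it runnable offline it spins up a local HTTP server over a constructed webroot that carries all three misconfigurations. Plugin names, paths, regexes and the demo files are assumptions.

```python
import functools
import re
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Each plugin is (name, path, check(status, body) -> bool). A new signature is a new
# tuple; the engine below never changes.
PLUGINS = [
    ("git-folder-exposed", "/.git/HEAD",
     lambda status, body: status == 200 and body.startswith("ref: refs/")),
    ("htpasswd-served", "/.htpasswd",           # served as text instead of denied
     lambda status, body: status == 200
         and re.search(r"^[^:\s]+:(\$apr1\$|\{SHA\}|\$2[aby]\$)", body, re.M) is not None),
    ("crossdomain-wildcard", "/crossdomain.xml",
     lambda status, body: status == 200
         and re.search(r'<allow-access-from[^>]*domain="\*"', body) is not None),
]


def fetch(base, path, timeout=3):
    """(status, body) for base+path; 4xx/5xx keep their status, network errors give None."""
    try:
        with urlopen(base + path, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""


def scan(base):
    """Names of the plugins whose signature matched on base (e.g. http://host:port)."""
    return [name for name, path, check in PLUGINS if check(*fetch(base, path))]


# --- constructed demo target: a webroot with all three misconfigurations present ---
def build_demo_webroot(root):
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (root / ".htpasswd").write_text("admin:$apr1$saltsalt$hashhashhashhashhash\n")  # placeholder hash
    (root / "crossdomain.xml").write_text(
        '<?xml version="1.0"?><cross-domain-policy>'
        '<allow-access-from domain="*" /></cross-domain-policy>')
    (root / "index.html").write_text("<h1>demo</h1>")


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo output clean
        pass


def run_demo():
    """Serve the constructed webroot on a random localhost port and scan it."""
    root = Path(tempfile.mkdtemp())
    build_demo_webroot(root)
    server = ThreadingHTTPServer(("127.0.0.1", 0),
                                 functools.partial(QuietHandler, directory=str(root)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Each check asserts on the body, not just on a 200, which is what keeps the regression use case useful: a web server that answers every unknown path with a friendly 200 page does not trigger any of them. In a CI job the same scan() is pointed at the freshly deployed test environment and the job fails on a non-empty list.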
Abstract:

Hacking for headlines is now an artform. Over the last few years, hackers of all stripes have grown their understanding of how the news media works, and how it can be co-opted in order to cause maximum reputational damage to a chosen target. Journalists, meanwhile, face tough questions about how they deal with information leaks in a world of anonymous sources, who have the option of bypassing traditional media entirely and going direct to the public.

In this talk, an investigative journalist looks at key points in the development of journalist-hacker relations, maps out the different approaches taken by different players, and examines where it might go next.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

This talk will discuss the issue of credential stuffing for both individuals and service providers. We explore how the credentials come into the hands of the attacker, and the methods and tools they use to identify valid credentials across a wide-range of services.

What is credential stuffing?

Credential stuffing is a method in which an "attacker" will take acquired credentials, such as an email and password, and then send those credentials to the login page of common online services, such as Facebook, Twitter, Gmail, JustEat etc. The attack relies on credential reuse, where someone has used the same email/username and password combination across multiple online services. Credential stuffing attacks will generally be scripted to operate at scale, looking for valid and successful logins. This process can often leave tell-tale signs, which can be looked for and mitigated by the service provider, assuming logging is in place and searchable in a central location.

What are the issues with detection?

We will talk about some of the issues of being able to automate credential stuffing at scale, and how attackers might be slipping under the radar undetected even at scale. Are they using large botnets or collections of proxies and user agents to iterate through to avoid being flagged? Or are they using a slower attack and testing over larger periods of time? What can we do to mitigate these attacks?

Who is responsible?

All providers of any services to customers should be aware of the issue, and of how an attacker can compromise accounts on your service. Any acquired credentials may be for an end user buying or using a service which you provide, or they could be an administrator's credentials for your organisation and lead to a compromise of your own security. Being able to detect and reduce the risk of this attack surface is crucial for any organisation. Providers can work to enforce 2FA for end users, while reducing some of the inconvenience of additional factors, such as with trusted devices. The users themselves need to be educated on the reason behind this "inconvenience", and how to better protect their online accounts.

The talk will also discuss what individuals and service providers can do to combat the issue of credential stuffing, by looking at what these kinds of attacks look like from a service provider perspective and the common identifiers that can be used to identify these attacks in real time.

Conclusion:

Finally, wrapping up by discussing how these validated accounts can be used by an attacker, what their motives may be, and how users can help in the fight against credential stuffing and account takeover in the war on cyber attacks.

What are the TakeAways?

The talk will describe what a credential stuffing attack is, and how it differs from brute force attacks. It will also include stats on real credential stuffing attacks, information around detection methods and response, cleanup, customer care and advisory, the risks of no action by both service provider and end user, and a look at some of the uses for validated accounts; this is not always about getting access to your JustEat account for a free takeaway.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
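Added example, not the speaker's: how the "tell-tale signs" above separate credential stuffing from a brute force in centralised login logs. Stuffing spreads attempts across many accounts with roughly one password each; brute force hammers one account with many passwords; a real user fails once and then succeeds. The events, thresholds and user-agent list are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

USER_AGENTS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)",
               "python-requests/2.22", "okhttp/3.12"]


def constructed_log():
    """Constructed login events (time, source IP, username, outcome, user-agent) as a
    central log store would hold them. Not real traffic."""
    t0 = datetime(2020, 3, 1, 10, 0, 0)
    events = []
    # Credential stuffing: one source, 40 distinct accounts, one attempt each, a few
    # hits, user-agent rotated per request.
    for i in range(40):
        events.append((t0 + timedelta(seconds=2 * i), "198.51.100.7",
                       f"user{i:02d}@example.com", "OK" if i in (5, 17, 31) else "FAIL",
                       USER_AGENTS[i % len(USER_AGENTS)]))
    # Brute force: one source, one account, many passwords.
    for i in range(30):
        events.append((t0 + timedelta(seconds=i), "203.0.113.9", "admin@example.com",
                       "FAIL", USER_AGENTS[0]))
    # Legitimate users, including one who mistyped a password once.
    events += [(t0 + timedelta(minutes=1), "192.0.2.10", "carol@example.com", "FAIL", USER_AGENTS[0]),
               (t0 + timedelta(minutes=1, seconds=8), "192.0.2.10", "carol@example.com", "OK", USER_AGENTS[0]),
               (t0 + timedelta(minutes=2), "192.0.2.11", "dave@example.com", "OK", USER_AGENTS[1])]
    return events


def profile_sources(events):
    """Per source IP: how many attempts, across how many accounts, and how they ended."""
    by_ip = defaultdict(list)
    for t, ip, user, outcome, ua in events:
        by_ip[ip].append((t, user, outcome, ua))
    profiles = {}
    for ip, rows in by_ip.items():
        profiles[ip] = {
            "attempts": len(rows),
            "distinct_users": len({r[1] for r in rows}),
            "distinct_agents": len({r[3] for r in rows}),
            "fail_ratio": sum(r[2] == "FAIL" for r in rows) / len(rows),
            "hits": sorted({r[1] for r in rows if r[2] == "OK"}),
        }
    return profiles


MIN_ATTEMPTS = 20   # assumed threshold; tune against your own baseline


def classify(p):
    """Stuffing: many accounts, about one try each, mostly failing.
    Brute force: one or two accounts, many tries."""
    if p["attempts"] < MIN_ATTEMPTS:
        return "benign"
    if p["distinct_users"] / p["attempts"] >= 0.8 and p["fail_ratio"] >= 0.5:
        return "credential_stuffing"
    if p["distinct_users"] <= 2:
        return "brute_force"
    return "suspicious"


def report(events):
    """Verdict per source, plus the accounts a stuffing source got into (reset these)."""
    out = {}
    for ip, p in profile_sources(events).items():
        verdict = classify(p)
        out[ip] = (verdict, p["hits"] if verdict == "credential_stuffing" else [])
    return out


if __name__ == "__main__":
    for ip, (verdict, hits) in report(constructed_log()).items():
        print(f"{ip:<14} {verdict:<20} compromised accounts: {hits}")
```

Per-IP profiling is the easy case the abstract contrasts with the hard one: an attacker spreading the same 40 accounts over a proxy pool at one attempt per IP never crosses MIN_ATTEMPTS. For that, the same profile has to be keyed on something shared across the pool (the ASN, a TLS or device fingerprint, or simply "accounts that saw their first-ever attempt from a fresh IP this hour") rather than on the address.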
Abstract:

Are my counterparts and I failing to get the CyberSecurity message across? Research finds that only 15% of people adequately know how to protect themselves online.

Firstly, I believe that as IT Security professionals we should take a moment to reflect on past experiences and then challenge ourselves to think differently, about how and what we’re communicating if we want the CyberSecurity discussion to be a successful one to corporate and public audiences.

It's not about what you say, but how you say it – cliché, but true.

Let’s be clear, whilst the rise in CyberSecurity awareness has been exponential, no thanks to the spate of data breaches, the high-profile penalties handed out for failure to adhere to regulation and Cyber-attacks making headlines, there’s still a lack of understanding of the topic and the risks associated with it.

As subject matter experts we need to constantly remember that we’re delivering sometimes complex and not so easy-to-understand content to non-technical audiences. While some things may appear obvious and a no-brainer, they may in someone else’s case come across like complete gobbledygook, causing confusion and leading to disinterest – which is the last thing we want and defeats the purpose.

However, as we all know, to keep the data and systems secure, everyone needs to practise and/or have some level of CyberSecurity knowledge in order to safeguard themselves and the systems they utilise. Meaning we need to find better ways to get the Cyber Security message across.

Challenge accepted.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Binary diffing is a popular mechanism used to reveal security vulnerabilities by analysing a pre and post-patch executable, often followed by proof-of-concept exploits being developed.

This talk will take the audience on an exciting journey through the process of binary diffing, while discussing state of the art tooling and the reasons why this technique is useful for both offensive and defensive teams. A real-world example of the bindiff process on a critical Microsoft security patch will be shown. The patch fixed a vulnerability in the Windows DHCP implementation that could prevent a vulnerable Operating System from successfully performing network operations.

Additionally, patch analysis and further research led to the discovery of a new vulnerability due to an edge case in Microsoft's patch. The complete process that led up to this discovery will be shown; from initial patch extraction to vulnerability discovery, including different exploitation attempts. The result will be a new exploit that would cause a Denial-of-Service state. Aspects such as data flow analysis and the study of the DHCP protocol that were required to understand the flaw will also be covered.

The goal of this talk is to not only show the technical details of the DHCP vulnerability but also the complete process and learning curve that is required.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

A company, regardless of its size and market power, may go out of business or lose a lot of value because of a security incident on its information system.

The number of vulnerabilities and the interest of cyber-attackers is only increasing. With the advent of the monetization of botnet cyber attacks or the installation of crypto-miners, for example, the threats are becoming more varied and intensified, but less targeted. The vast majority of companies are digital and increasingly exposed on the Internet. The level of cyber exposure is also higher. The "Cyber" risk has become vital. Today, everything has changed and tomorrow everything will change even faster. Where manual analysis was sufficient, paradigms of risk assessment are moving towards more automation. But **we need intelligent automation**.

The technological offer is not lacking, but after more than 15 years of experience, our observation is indisputable:

  1. The best tools are only satisfactory in part of their capacities
  2. It remains difficult to have a realistic and continuous visibility on the risks borne by the assets exposed by an organization.
  3. Business processes tend to adapt to the tool capabilities rather than using these tools to support their cyber surveillance strategy.

This automation strategy also tends to address the drastic lack of competent cyber security resources and retention of talents. The automation of recurrent, time-consuming and low-value-added tasks will allow teams to focus on more complex and therefore more motivating topics.

To efficiently support this strategy, we developed PatrOwl, an Open Source, Free and Scalable Security Operations Orchestration Platform. Technically, PatrOwl is a solution for automating calls to commercial or open source tools that perform checks. To date, more than 140 tools or online services are supported. Beyond centralizing the results (vulnerabilities, meta-data, asset metadata) obtained, the PatrOwl analysis engine compares these results with its knowledge base and other third-party services to determine scenarios of attacks (predictive analysis) or to trigger actions (alerting, program calls, ...). Largely customizable, PatrOwl is suitable for supporting penetration testing, vulnerability audit and compliance, static source audit, threat research (CTI) and security incident response activities (SOC / DFIR).

Bonus: Usage of open-source products will be highlighted and feedback from experience will be shared about vulnerability management and prioritization, cyber threat monitoring, and SAST and DAST automation (processes and tools) in a CI/CD pipeline.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Solutions must be found to face the overall growing threat of attacks, talent shortage and cost optimization challenges in cybersecurity. The current trend is to rely on automation and orchestration of security operations.

The fact is that automating SecOps activities leads to managing more security alerts; the downside is potentially a bunch of new security alerts every day. By the way, with hundreds of vulnerabilities with critical or high severity to deal with, the daily security reports look like a shining Christmas tree. It could definitely lead to jaded teams or, even worse, bad decisions in vulnerability handling.

Obviously, it is not realistic to hope that all vulnerabilities will be fixed. A line has to be drawn by the business owners together with the security teams. Prioritization is an essential success factor for improving efficiency and continuing to provide the highest quality and most relevant service in security incident response and vulnerability management. Because the CVSS score is not enough, which are the relevant metrics? How to collect them? Which decision should be made? How to review the efficiency of this process and adapt it?

This talk is about sharing insights on a risk-based methodology in vulnerability management. This approach is enabled by a balanced usage of SecOps automation to keep us updated on vulnerabilities, exploits and other threat information, and prioritization using vulnerability metrics, threat topicality and asset criticality. Examples of events that should lead us to consider reprioritizing the handling of a vulnerability will also be discussed.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Supply chain attacks are becoming increasingly widespread as cyber criminals seek to access sensitive data and systems through less secure third parties. In such attacks, the victim is not the ultimate target of the attack, but rather a stepping stone to other larger networks.

In this talk, I will present an overview of supply chain attacks and delve into various attack patterns, specific cases, lessons learned, challenges and mitigations.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

In “AWS vs Azure Security” in 2019, Security BSides London decided by vote that AWS had the best security services.

This year we look at how to combine the best of AWS and Azure security by integrating AWS with Azure AD, using on-premise Active Directory identities.

We’ll begin by discussing some of the security and manageability issues scaling multiple AWS accounts across a large organisation. You’ll then hear about the speaker’s experience integrating AWS Identity and Access Management with Azure AD, and practical issues encountered.

Finally, you’ll see a live demonstration of the end to end solution - what could possibly go wrong?

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

The IT attack surface continuously expands with new assets of different nature in today’s world. In addition to the classic IT network devices, we find a range of assets coming from IoT, wearables, virtualisation, BYOD policies, and Cloud services, among others. Vulnerability Management (VM) is increasingly required to accurately keep track of and prioritise the asset inventory in the network, as traditional approaches cannot cope with this ever-growing and ever-changing modern attack surface.

In this talk, we’ll discuss how we cope with all of this, from the perspective of a VM insider. In particular, we’ll describe general concepts and approaches for asset inventory, including remote vs credentialed inventory techniques, OS fingerprinting methods, stateful vs stateless inventory, and asset prioritisation. We’ll also talk about the main issues and challenges here, both from a VM development and user side. If any of this is of interest to you, you’re more than welcome to attend this session and join the discussion.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

The Onion Router (TOR) has always been in the spotlight when new security vulnerabilities surfaced in the cyber security world to threaten its privacy promises. During the talk, we are going to embark on a journey into some of the more or less common attacks on the Tor network.

The talk will be practical but also with a dose of theory and fundamentals.

At the end of it you should have the knowledge and the tools to:

  • create a private Tor network for research or development purposes
  • have an understanding of several lesser-known attacks on Tor hidden services and their countermeasures
  • reproduce the steps I took to reproduce the HSDir snooping attack on the latest version of Tor (at the time of writing)

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Crypters have been one of the primary tools that adversaries have been using to hide their tools from antivirus software for many years. Despite this, they are relatively poorly understood in the security community. The truth is that they are very easy and fun to write, insanely effective and can be written in any programming language.

This talk is all about breaking down what a crypter is and a general strategy one can take to write one in any language. The talk provides practical examples in multiple languages of how to implement crypters in order to hopefully teach you how to write your own (and you should!) in as little as an afternoon to perform easy signature-based antivirus evasion.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Always on the edge of your seat when it comes to new exploits and tricks? From bug bounties, CTFs, live hacking events, simulations, and interactive educational modules, they have been proven to stimulate and reinforce new tools and knowledge to become stronger red teamers, blue teamers, and purple teamers.

But how did gamification come into play in infosec? And how does our brain process gamification and threats as hackers?

This gamified/interactive talk shares the history of gamification in infosec, how our brains are stimulated by it, and how it's transforming lives.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

In 2015 Facebook publicly released GraphQL, a data query and manipulation language that promises to solve the limitations of REST APIs.

GraphQL is becoming more prevalent in web and mobile applications and yet not many pentesters are familiar with it.

The talk will cover GraphQL concepts such as schema, queries, mutations, subscriptions and introspection. It will describe the differences from REST, the peculiarities and pitfalls of GraphQL and how to exploit common security issues.

The aim is to bring attendees up to speed with the technology so that they can comfortably assess the security of GraphQL APIs.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Microsoft Office is the most used software for creating business documents and many of these documents are then circulated outside the organisation, leading to the potential for information disclosure if these documents are not properly sanitised. Several data breaches have been attributed to issues such as: leaving data in hidden spreadsheet columns, exposing source data through data visualisation tools or loss of data integrity leading to data mismatch in mail merge documents.

This research aimed to explore the information hidden within Microsoft Office documents and whether interface changes could reduce the probability of human error leading to data breaches. The objectives of the research were to: determine the issues leading to recent accidental data breaches, examine hidden metadata, test different techniques for resolving these issues, explore possible application configurations and test users' knowledge of hidden metadata and the impact of customising the interface in an attempt to reduce human error.

Microsoft Office documents were examined by unpacking the XML building blocks contained in the file both before and after using various techniques to attempt to remove the hidden information. Documents saved in the older binary file format were also examined for comparison. The impact of interface changes was tested using an online simulation where user actions were captured using screenshots with overlaid HTML <div> elements.

The results show the participants exhibited a pessimistic bias when answering the questions about hidden information, and interface customisations were found to have no statistically significant impact on reducing human error leading to issues such as failure to use BCC when sending bulk e-mail. Evidence of self-correction and 'frequency-gambling', where users selected potentially related application functions when unsure of the correct tool, was also collected.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Reverse Engineering is a term that can invoke many emotions: fear, self-loathing, awe, ennui, or maybe a sense of resignation that you may never understand anything ever again. In this talk, I hope to approach the complex and broad subject of RE at a high level to help others get started on a ladder that can take a lifetime to climb. We will talk through the basics of analysing scripts and basic obfuscation, all the way through to understanding something with representative source.

In essence, this is a canter through the variety of the different skills and techniques required to reverse engineer. We will cover what reverse engineering is, who does it and how it fits into the industry, tackling the more approachable script analysis, the slightly obtuse Android binaries, PE and ELF analysis, all the way through to symbol-less firmware analysis and how to go about starting to understand something without any names.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Wouldn't it be great if we could predict the future of cybercrime? In this talk I will discuss how we potentially can...

Achieving cyber situational awareness remains an ongoing battle in preparing ourselves to deal with emerging problems and threats within the cyber realm. In a recent project I undertook, the application of data fusion, namely the JDL model, helped us further understand problem realms and identify causations and trends that can allow us to forecast and speculate on the future patterns of cybercrime. In this talk I will detail what data fusion is and how the JDL model has been applied to analyse and predict the future of cryptojacking.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Techie or general geek, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Sophos' own senior security team discuss their strategy on how to get "risky" in the Board room. CISOs often come from a technical background and can struggle to communicate with Senior Executives and the Board. During this presentation, we will talk about this gap and share our lessons learned. We will demonstrate a number of techniques and visualizations to instill confidence, include them in the decision-making process and to understand the simple path to Risk Management. Let's hold hands, secure funding and woo the Board over a candle-lit compensating control.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Management, General interest
This talk has not been presented at other conferences and it cannot be filmed and released.
Abstract:

Forensics techniques aim at finding evidence to prove or disprove the guilt of someone being prosecuted. Antiforensics techniques aim at the contrary: building a wrong landscape to fool the forensics expert and drive the investigating judge to a wrong conclusion. While antiforensics techniques are very difficult in the physical sphere, they are far easier in the digital sphere. Indeed, either a prosecuted person can hide their crime or an attacker can wrongfully incriminate an innocent person. Hence the concept of "digital evidence" must be taken with the greatest care.

The proposed talk aims at showing how digital antiforensics techniques can be used in this context when considering both the intelligence and technical aspects. The talk is illustrated with three real but anonymized cases involving metadata, cryptography manipulation and data recovery manipulation. A final scenario combines all three techniques in a deadly antiforensics scheme.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Nowadays organisations can leverage the SaaS delivery model of third party applications to manage their key corporate functions and sensitive data that are usually targeted by threat actors. Indeed, employee, customer, supplier or corporate data can be managed in Cloud Based ERP, CRM, Messaging, Ticketing and Travel Management solutions.

Understanding the SaaS responsibility model and how to leverage it to develop an efficient Incident Response Strategy for such applications is essential to detect and respond efficiently to cybersecurity incidents affecting cloud based solutions used by an organisation.

Such a strategy formalizes incident response activities, SaaS application security baselines and the responsibilities of the SaaS application provider and the organisation when it comes to responding to a cybersecurity incident.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

We know criminal hacking is big business; over the past decade, we have seen criminal syndicates get creative with ways of generating revenue, through markets selling stolen credit cards, selling tools and services and, more recently, ransomware.

With the rise in popularity of cryptocurrencies, there has been increasing interest from those in the financial sector in the pseudo-anonymous currency, as well as underground markets and sites sharing information via hidden services in the Tor network and other platforms. Financially savvy white collar criminals now have increased access to criminal hackers who can target, steal and share nonpublic data about companies; this, paired with the anonymous nature of hidden services and Bitcoin, reduces the risk of getting caught. Law enforcement is seeing an uptick in organizations being targeted for sensitive nonpublic information about publicly traded companies; in the right hands this information can provide traders with a significant advantage, with a high rate of return at low risk.

In this presentation, we will review several cases that have been prosecuted and what we can learn from these cases to better defend against and detect this rising threat to organizations and our financial system as a whole.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

IoT devices are changing the world in both good and bad ways. It is exciting and fascinating to see how technology keeps improving our lives, but it is also worth considering the security impact and the vulnerabilities being introduced into our lives by such connected devices.

This talk will explore the risks associated with them by sharing personal research performed on a cloud (in)security camera. This talk will retrace all the steps that have been performed to go from hardware analysis and flash dumping, to zero-day discovery and exploitation.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Traditional security:

  • Slow processes
  • We'll tell you about issues tomorrow
  • We'll slow you down
  • We don't understand DevOps and cloud etc
  • Standards that don't keep up
  • Lack of engineering and organisational engagement...

...is broken. We're doing something new:

  • Our team is agile
  • All our projects and processes are agile
  • We integrate with pipelines and DevOps processes
  • We engage with the engineers and wider org
  • We work to make people care

I'll talk about the organisation we are building, and the work we are doing to deliver truly fast and agile security that enables our business. And the punchline... This is the best way to deliver security regardless of your organisation!

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

There is a bunch of fundamental security engineering principles that span across various disciplines and allow us to build reliable systems. Yet we often fail to do it. Do we ignore those principles? From the standpoint of a long-term penetration tester, I strongly doubt that.

There is also plenty of so-called "security methodologies" that claim to provide us frameworks for building secure software. Yet we rarely use those methodologies properly, or omit them for the sake of business priorities. Would they save our lower backs if applied before the cyberattack? As a retired social engineer, I doubt that too.

We have principles, and we have textbooks that explain them, yet we fail to use them properly. For a long time, I wondered why. Are we arrogant? Are we stupid? Are we just bored? I couldn't believe any of those explanations are complete. So I stepped on the road of learning more about human behavior, and look at what I found.

The thing is: common sense and textbooks are a bad security strategy. You don't want an intern with a "methodology" to secure your critical infrastructure. You want to have an expert on that assignment. Someone who failed enough times to have an intuitive understanding of how to navigate the minefield. Someone who feels it in their guts.

For millions of years of evolution, the key to our safety was: reflexes. For the last 20+ thousand years, habits, not analytics, were responsible for human security in all aspects of life. For the last 100 years, life around us has been getting complicated much, much faster than we can get used to it. From security professionals, you could hear a lot about how "common sense" and "critical thinking" could help you avoid emerging threats, such as cyber. I was an adept of such thinking for a long time, until I took the time to figure out how our biological software works. And it turns out that higher brain activity is the wrong framework for security implementation.

So how do we build secure software for our systems? We have to start with rewriting the software for our brains. We have to develop security habits in individuals. We have to build security cultures around those habits to let them spread within teams, organizations, and populations. Spread with the speed of internet memes or even faster. We have to put security where it belongs: in our mammal brain or deeper, simply because those parts of our hardware have been wired for that purpose over millennia of evolution.

We have to learn how to trust our habits, our instincts, our expert intuition. We have to stop giving a human the monkey job.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Everything that an organization does must link directly or indirectly to value. Having this in mind, let's see how value is expressed by business & security at the same time. Establishing the right level of relations is critical to achieve business outcomes, and to ensure that the business is secure.

Using the VOCR model, let's identify value in security services used in a modern organization.

Real life stories from the Vendor Risk Management, SOC & Security Awareness fields.

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

I'm writing about my views on the future of the information security industry:

1) What are we going to do about the future of work for normal people (i.e. not those working in InfoSec), and how they can upskill.

2) GDPR likely future: I predict that data for UK citizens is likely to get moved to a US based Privacy Shield environment, or kept in the UK, rather than being split up into UK/EU/USA citizen data.

3) Getting your identity: there seem to be moves towards an "official identity". I'd like to talk about what I think is coming, and ask what we should do about it (Twitter: no anonymous accounts).

4) Skillz: there isn't a skills shortage, there's a hiring location only in specific areas, outside of which there is talent not being picked up.

5) Women and kids: as a parent of a toddler, the following things would make a massive difference in hiring, if only they were considered: kids need dropping off at school and picking up! Working from home; commuting to work over distance; using travel as a way to exclude parents from the workforce.

6) Future skills: we need to do something like a TripAdvisor for university courses. The variation is too great, and the courses that are behind have no method to catch up; what good looks like is too ill-defined.

7) Access to job roles: how can people get the start they need? What should people do to get over the first job problem that doesn't involve moving to and living in London?

8) The Alex Ferguson problem: completely reskilling your team, as skills required expire and get replaced.

9) Should we all be developers?

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Have you ever wondered how the heck you should do dev-sec-ops? Are you sick of the usual tools being thrown at the development team? Are you a human being? Do you still breathe and code? Then this talk is definitely for you! The talk will present the Maturity matrix and the methodology to measure the performance of teams. The talk is focused on how to integrate, prioritize and ultimately manage vulnerabilities, and what kind of metrics to use.

Synopsis:

The talk will take the audience on a path to integrate security in development, but instead of focusing on a traditional tooling strategy the security phoenix project did focus more on the human aspect and the transformation aspect. We will be covering Design, Operation and Build/Test and how tools are driven by metrics and cultural change. People and Technology are a key blend in the security phoenix project. The talk will focus on several aspects like:

  • DEV-SEC-OPS Maturity matrix and Metrics
  • Traceability issue from component to deployment and security at various stages
  • Security operation and problematics – the vulnerability cycle
  • The team metrics and target (Divide in quarter, Build vs Fix)
  • The people metrics (education, licence to operate, build vs fix)
  • Advanced concepts like breaking the build, licence to operate

If time is available, the talk will explore some additional lessons learned and what kind of psychological aspects did and didn't work during the transformation.

Audience Take Away:

  • How to build a cybersecurity programme with people first and technology at the heart
  • How and why to trace components and how they are glued together
  • What kind of metrics to deploy and at what stage of the maturity matrix
  • Why visibility in production and traceability is important
  • How to set targets for product teams and what to measure in various phases
  • How to involve risk assessment and where to apply governance
  • Use cases to visualize vulnerabilities and tools/databases

What problem does it solve?

The security Phoenix project is a methodology that pragmatically applies a programme of work and a set of technologies to bring security into the SDLC. The security phoenix does not focus solely on the Build & Test phase but considers wider organizational aspects like Design, Architecture, Governance, Education and cultural change. The technology focuses on aggregating vulnerabilities in a single database, with visualization techniques. The methodology also stresses the traceability and dependency problem and offers use cases and solutions on how to relate different components to what has been built into the production environment.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

The goals of developing PrivacyTrail were threefold:

  • Allow businesses of all sizes to assess their digital exposure
  • Reduce the amount of time a Pentester spends on the 'reconnaissance' phase, optimising actual testing time
  • Provide a Business Development or Sales resource which will allow non-technical employees to have more valuable meetings

This idea firstly stemmed from conversations with colleagues and friends who work in Cyber Security, Cyber Insurance and Information Security. The conversations challenged the idea that it was difficult to know how secure a business was from an external perspective. The ways in which companies demonstrate security are with accreditation, compliance or pen-tests. While pentests are external, they are time-bound and often an investment too great for smaller businesses, while accreditation and compliance are 'white-box' exercises.

One assumption I made before starting PrivacyTrail was that an organisation's digital exposure was reflective of their internal security. Whilst that isn't always true, since using PrivacyTrail and talking to users, there is a definite correlation.

PrivacyTrail is a Flask backend with a React frontend. With one click PrivacyTrail provides the following information in seconds, which is invaluable for reconnaissance during pentesting as well as providing non-technical consultants with targeted information to shape sales meetings:

  • Domains that have been purchased similar to your own, to identify typo-squatting and potential phishing attacks
  • Domains for sale which could be bought as an insurance policy against typo-squatting and phishing
  • Exposed services on Shodan which may be insecure
  • Emails available for the domain
  • Out of date WordPress plugins
  • Compromising information on paste sites
  • Technologies exposed on job sites

I am planning on adding additional modules over time, as well as having a beta 'human' version of the tool by June to assess personal digital exposure.

There are many tools, both open source and premium, which offer a similar service, but I believe PrivacyTrail fulfills the three goals outlined above more efficiently (both in terms of speed and resource required):

  • Shodan - Great resource but perhaps difficult to understand for non-technical people
  • CTI vendors - Very valuable tools but out of reach for most SMEs
  • Harvester - Great tool for capturing emails in open source but limited in scope and probably not easy to use for non-technical people
  • WPSEC/Other WordPress tools - Limited in scope
  • SSLLabs - Overly technical

The presenter says...
The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

Today when you browse the Internet a number of bits of information leak to anyone watching, as DNS is still working in the way it was built in the '80s and there is a small bit of clear text SNI in new https sessions. The IETF and browser vendors are building new standards to encrypt this data. I'll talk about the need for these standards and how they are being implemented differently by different browser vendors, and show the advantages and limitations of these approaches.

While this talk will have technical bits in it (like Wireshark traces to show the data) there will be plenty in it for people who care about policy and security and who want to find out what the fuss is about behind the alarming headlines. There is also a whole ecosystem of security controls that depends on being able to see this data in the clear today.

We'll see the impact on parental filtering, next generation firewalls, SIEMs and network level malware detection; we'll look at how these work now and how we might need to implement these controls differently in the future. The current approach to DoH will lead to more centralisation of DNS services to large cloud providers; we'll talk about why the current designs do that and what the privacy implications and trade-offs are.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Techie or general geek
This talk has not been presented at other conferences and it can be filmed and released.
Abstract:

The current status quo of cloud security data from the 3 major cloud vendors (AWS, AZ, GCP) brings significant challenges when trying to achieve a unified security posture.

This presentation addresses the challenge of normalizing data from the 3 major cloud vendors' service/product implementations, establishing a set of security checks across multiple cloud providers.

This presentation provides a draft of 6 categories that guide cloud security posture across ALL 3 major cloud service providers. These cloud security categories intend to be vendor neutral and inclusive of all vendors based on common setup, operational and security value. This talk will present a unified framework within analytic tools that can be used for cloud monitoring, investigation, detection and response.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on
This talk has been presented at other conferences and it can be filmed and released.
Abstract:

Learn how to hide payloads, malware and confidential data in pictures, audio and even video files using steganography techniques.

The presenter says...
The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
This talk has been presented at other conferences and it can be filmed and released.
    Abstract:

    Application Security teams are often told to “shift left”, or to be involved earlier in the software development life cycle. The aim of this practice is to prevent vulnerabilities or defects as soon as possible in order to quickly provide high quality software. It is a lofty goal; however, it is often one that companies make difficult and sometimes impossible on their corporate application security teams. This talk will detail the ways that companies create their own roadblocks and how to help their application security team succeed.

    Some of the challenges that an in-house Application Security team faces are:

    • Old Tooling
    • Mergers and Acquisitions
    • New Products and New Technologies
    • Workplace shift (i.e. Layoffs and hiring Overseas)
    • Inflexible Developers

      Frequently, challenges such as these actually make the App Sec team’s work grow and add to their ever-increasing backlog. In our discussion, we will cover each of these topics thoroughly, detailing why they fail today, and discuss ways to improve each situation for your in-house Application Security team.

      As a part of our solution, we will discuss how App Sec teams can utilize a “shift out” approach to level out their work. Utilizing both “shift left” and “shift right” methods, this talk will examine how a “shift out” perspective can actually solve many of the issues that are adding work to your team. If you work as a part of a corporate Application Security team, this is one session that you won’t want to miss!

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Management, General interest
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

      Did you know that an average of 14,600 vulnerabilities are disclosed each year? How are you handling your discovered vulnerabilities? Vulnerability management is a difficult task, especially at a large organization. In fact, it takes an average of 100 days until known security vulnerabilities are remediated. Oftentimes vulnerability management is implemented in segments, without a big picture vision. It can also be arduous and cumbersome, costing employees valuable time and effort. However, vulnerability management is a necessity in today's cyber security landscape.

      In this talk, we discuss where vulnerability management programs fall short and how we can avoid such pitfalls. We will walk through a typical program and the pain points. Once we understand the problem, we will enhance the process through automating asset inventory and daily vulnerability collection. We will also demonstrate how using automation to search asset inventory for newly discovered vulnerabilities increases speed and efficiency of the team and helps to more quickly create action items from discovered vulnerabilities. In addition, our process will help teams determine which vulnerabilities are the riskiest and organize them by remediation priority.

      The vulnerability management program is built from the ground up across a complex work environment using Python3, Jenkins, SQL, and a few extra tips and tricks. Proof-of-concept code will be open sourced at the conclusion of the discussion and attendees will leave this talk with the ability to implement similar automated vulnerability management solutions in their environments.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      You have heard all the popular sayings… from Marc Andreessen’s famous article, “software is eating the world” to Jeff Immelt’s “In the coming age, every company is becoming a software company”. What does that mean to the changing landscape of security? It means that application security is more important now than ever. Yet, oftentimes application security is relegated to a tool monitored by employees who have little to no real understanding of application security. In this presentation, we discuss the history of application security, from generic WAFs to SAST and DAST (and their failures) all the way to the future of application security IAST and RASP.

      How do you instrument applications inside of IAST and RASP? What does it mean to track vulnerabilities from source to sink? In this talk we will discuss the benefits of modern application security techniques and how it can help developers see more (real vulnerabilities) and less (false positives). If you are interested in stopping the complaints about the speed of secure development and ready to supercharge your DevOps cycle, this is the talk for you!

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      With the increasing demand for Cyber Security and the well documented “skillset shortage”, there is a bigger demand for temporary or interim resources to support major projects and Cyber Transformations and fill these voids. The new IR35 legislation comes into play on 6th April 2020 and will have a major impact on the commercial sector. We will talk through those changes, what to expect and how contractors can prepare for them.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

      Explaining how to choose the right recruiter to support your job-search.

      Tailoring your CV to ensure you get your foot in the door with a 1st stage interview and how to make sure you stand out and are remembered in a mass of applicants.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

      What do 'Little Green Men' have to do with babushka's bath time?

      As cyber heroes we defend against hacktivists, script kiddies, APT evils and more, but what does this have to do with anything BUT Cyber? While we are acutely aware of cybercriminal activity and the loss of money, how much of what happens in the Cyber domain relates to the geopolitical domain, and vice versa? What are ‘Little Green Men’ and what do they have to do with babushka’s (mature woman from the old Soviet bloc) bath time?

      This talk will highlight issues with defending the Cyber domain, the relationship between the cyber and geopolitical domains through known use cases, and how we as defenders can use each domain to better the other.

      Be prepared for a non-technical, strategic, geopolitical talk that traverses the globe and skips from the sandy shores of the Middle East to the icy plains of Ukraine.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Cybercrime is big business. Traditional organised crime groups such as the Cosa Nostra, Yakuza, Chinese Triads, as well as Russian and Nigerian gangs have all opened “cyber” divisions. Additionally, new transnational syndicates like the Russian Business Network, ShadowCrew and Superzonda have risen to capture the opportunities in next generation crime.

      The World Economic Forum estimates that transnational organised cybercrime gangs rake in more than $2 trillion a year in profits. To achieve this, they organise themselves like a business, locating their headquarters in jurisdictional safe havens with corrupt or weak governments, free of extradition. They implement cutting-edge business practices straight out of Wharton or Harvard Business School textbooks to ensure a return for their shareholders, formalising department heads, divisions of labour, product delivery and testing, sales, marketing, consultant and supply chain management through to customer feedback.

      To understand the power and professionalism of today’s cybercriminal organisations, we need only take a good look at its org chart. This presentation deconstructs the modern cybercriminal organisation reviewing the roles, responsibilities and reporting lines associated with 12 key positions in an established CyberCrime.com business. Additionally, it presents the key roles in a cybercriminal “start-up” business to ensure its success. The content of this presentation is based on over 20 years of open-source and dark web available material along with publicly available law enforcement case documentation. The presentation is devoid of commercial content.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Management, General interest
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

      Why do we conduct security penetration testing? What’s the objective? What’s the right approach? Do we have the right supplier? Does the methodology matter? Is it worth it? What should we get for our investment? How can we prove it? More importantly, how can we improve it?

      Very few businesses have answers to these straightforward, practical questions, yet continue to spend vast sums conducting security penetration testing year after year with little tangible return.

      This session begins by presenting a quick, simple formula template for calculating the annual loss expectancy (ALE) and return on investment (ROI) required for establishing a business case for a security penetration testing program.

      The presenter then discusses how to ensure the right testing approach, objective, scope, methodology, qualifications and reporting formats are used for your next test, providing over 30 specific actions for improving the ROI for security penetration testing.

      The session delivers simple, pragmatic, cost-effective actions attendees can take back to their businesses for implementation. Upon completion, attendees will receive a “take-away” list of these recommended actions for their reference. The content of this presentation is based on over 20 years of penetration testing case studies and is devoid of commercial content.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      What if everything we’re doing to secure our data is for naught? Have you stopped and thought that perhaps this data has already been compromised and the efforts we continually make to protect it are too little, too late?

      This presentation explores the idea that the vast majority of the sensitive data processed, stored and transmitted every day by governments, NGOs, businesses and private individuals has already been breached and we are wasting our time and money trying to protect it. Are the information technology systems we currently use even capable of this role? Will they ever be?

      The presentation compares the data losses publicly acknowledged to date through mandatory disclosure laws against the widely held principle that they are only a small percentage of the actual losses incurred. If this is true, then a new security paradigm is required, but what would this look like? The primary objective of this presentation is to engage the participants to think through the actual premise, challenge their understanding of the current state of information security and sound a professional “call to arms”.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      This talk aims at using real-life experiences to give a unique approach to understanding web application security. This talk can be attended by both management and developers. This talk will cover the following points:

      • Facts and Statistics covering the web application threat landscape.
      • Some common OWASP vulnerabilities and how to protect against them.
      • Real-life scenarios, experienced by the web application team describing how specific vulnerabilities have been used to exploit organisations.
      • A walkthrough showing how several lower-risk vulnerabilities, when used together can create a critical vulnerability.

      After this talk you will:

      • Have an overall understanding of the Web Application Threat Landscape
      • Understand some common web application vulnerabilities and threats
      • Understand how multiple vulnerabilities can be used alongside each other to create a critical vulnerability
      • Have an understanding of what Web Application Penetration testers look for during an engagement.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Stalkerware is able to grab WhatsApp messages, Telegram messages, Instagram messages and more with ease as well as accessing the microphone and camera without any hint to the end-user.

      Join us as we reverse engineer some of the latest variants of in-the-wild Android Stalkerware to understand the deployment process and the techniques they use to bypass the security and privacy frameworks in place.

      We'll then demonstrate how certain modern and novel solutions can be used to effectively "spot and stop" Stalkerware's permission-abusive techniques.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Introducing a highly feasible phishing attack that can be executed to target massive numbers of users simultaneously or used to spear phish a selected number of users with high success rates.

      This multiple stage attack is based on manipulating and abusing browsers and email clients which are some of our most used day to day life applications.

      By bypassing email clients and browsers homograph mitigations using new attack vectors and by using our newly introduced phishing attack framework, we demonstrate end to end attacks that can bypass 2FA and that can run with zero-time execution after a short preliminary configuration.

      The phishing e-mail and the information-stealing webpage both exhibit unmatched levels of authenticity, making them extremely hard to identify as fake, even for experienced security personnel, and with its ease of use and completeness of the solution, the potential impact can be devastating to businesses and individuals alike.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      The information security industry faces a variety of challenges, including a widely recognized skill shortage, ill-defined career pathways, and a chronic lack of diversity.

      Non-profit and volunteer initiatives play a vital role in addressing these challenges, yet their contribution is too often neglected. Non-profits are integral within the UK community, whether that be community-building initiatives (such as BSides and The Many Hats Club), online publications (such as SecJuice), or career development networks (including TechVets and the Ladies of London Hacking Society).

      This talk will outline the unique contribution non-profits make (when compared to government and private sector efforts), explain why they are vital to the industry’s future growth, and identify the underexploited opportunities where non-profits can further contribute in the coming years.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      From the researchers that brought you "Don't Ruck Us Too Hard" comes new follow-up research. This summer's new research shows that all of Ruckus Wireless "ZoneDirector" and "Unleashed" are still vulnerable.

      This follow-up research resulted in six new vulnerabilities, such as command injection, information leakage, credentials overwrite, stack overflow and XSS. These findings allowed two new and different pre-auth RCEs, that is, five entirely different RCEs in total since the first research. This research also found that Ruckus's patch did not fix some of the vulnerabilities from the first research correctly, and they are still exploitable with some very neat payloads :).

      Other cool stuff about this research:
      It shares a new Ghidra script that was used to map the critical sections in the webserver binary that were later found vulnerable. We fingerprinted Universities and Organizations that were vulnerable from the internet. Ruckus Wireless provides the Wi-Fi solution to BlackHat.

      DETAILED OUTLINE:
      This talk will demonstrate two RCEs and the techniques used to find and exploit them.

      • Demo #1 - RCE using a pre-auth stack buffer overflow
      • Describe the webserver critical code sections using Ghidra decompiler and its scripting environment.
      • Demo #2 - RCE using credentials overwrite and command injection.
      • Show Ruckus patch did not really fix some of the vulnerabilities found in the previous research.
      All tools used in this research will be published.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Wanna hear an accounting of a real life red team engagement from both red and blue team perspectives, with all the fuckups and successes? Then this is it!

      We’ll tell a story about how awesome attacks and defenses can fail because of “reasons”. How good monitoring pipelines can silently fail. How your users can save the day by pinpointing beacons. When a phishing campaign brings shells from all the wrong places and where users feel left out about not being part of the campaign. When even the greatest and hardest learned IR skills can fail to find the C2. But above all we illustrate how a good red team helps a blue team and vice versa.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has been presented at other conferences and it cannot be filmed and released.
      Abstract:

      Nearly all organisations now use public cloud for their applications and systems, or are in the process of migrating, with security acknowledged as a critical issue. There’s currently a massive demand for professionals who can demonstrate their cloud security expertise through recognised certifications.

      With contributions from a special guest speaker, you’ll hear about the most sought-after cloud security certifications in the world today:

      • AWS Certified Security Specialty
      • Azure Security Engineer Associate
      • Google Professional Cloud Security Engineer
      • ISC2 Certified Cloud Security Professional

      You’ll see an overview of the topics covered, what to expect in the exam, example questions, learning resources and study tips based on personal experience and comments from other students.

      Any of you can become cloud security certified if you’re sufficiently motivated, work hard, and choose the resources and support which best suit your learning.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Magento is one of the most popular e-commerce systems in use. It is written in PHP and the majority of it is open source. The company behind it was acquired by eBay in 2011 for over $180m, and subsequently by Adobe for $1.68b in 2018.

      I found my first vulnerability in Magento almost 10 years ago, and it's a target I've continued to look at ever since. This talk will discuss some specific vulnerabilities I've discovered during that time. I will focus both on how my approach to identifying issues and the process of disclosure have changed over time. The talk will also include live demonstrations of exploits against the vulnerabilities discussed (praise be to the demo gods).

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Few people know anything about telecommunications, 5G or fixed-line systems. This presentation will be a brief discussion and overview of what 5G is, what it isn't, and what we currently have. And how everyday people may be affected if things go wrong.

      I will begin with the humble SIM card, how it works and progress over the air interface and into the core. It covers topics such as how New Radio is attempting to mitigate IMSI catchers, the new vehicular interface PC5, and how 5G is web-ready with its modern RESTful architecture.

      The talk will be brief but aims to provide a more coherent understanding for people that have never worked with telecommunications before.

      For all of its complexities, bits of it are elegant, but will it change how we live? Come and find out.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Nudes, Dirties, Pics, whatever you call them, you’ve probably sent them or know someone who has. But how can we protect ourselves and our opsec when we’re sexting, producing sexual content of ourselves or even watching and buying sexual content online?

      This talk will discuss how we can protect our physical bits online, how to practice safe sexting properly, how sex workers have better opsec than us all and looking into the weird and wonderful world of sex online.

      Content Warning: This talk will contain sensitive topics such as sexual/domestic abuse and suicide.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has been presented at other conferences and it cannot be filmed and released.
      Abstract:

      With the promise of speed and scalability, more and more organizations are shifting part or all of their DevOps to the cloud. An on-premises data center that used to take weeks or months to build can now be created in a few minutes in the cloud. However, not only are organizations migrating their IT infrastructure to the cloud, but malicious actors are also turning their targets to the cloud. Research shows that insecure cloud configurations are the primary cause of security incidents in the cloud.

      To better understand the problem, Unit 42 researchers analyzed 500,000 Infrastructure-as-Code (IaC) templates hosted on GitHub, looking for configuration errors, vulnerabilities, and potential policy violations. The templates included CloudFormation, Terraform, and Kubernetes YAML files. The identified insecurities ranged from nearly half of all database instances not being encrypted to more than 60% of cloud instances not enabling logging. In an effort to correlate the data, researchers also analyzed the Events and Alerts which trigger inside an organization’s cloud platform. Researchers found strong correlations between the results from the public IaC templates and the alerts that were triggered within client environments around encryption and logging implementation.

      In this talk, we will lead the audience through the details of our research, analysis, and conclusions. We will go over common insecure configuration examples within real IaC templates. We will then show how tools and vetting processes can be integrated into the DevOps pipeline to effectively remediate the demonstrated issues. The audience will learn the patterns, and anti-patterns, present when building a secure cloud infrastructure using IaC.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      The last 5 years have seen a big push towards smart & green energy, from solar panels to electric vehicle chargers to other forms of micro-generation. This talk will look in depth at the security of “green” products and how they can be manipulated for fun and profit.

      We will demonstrate attacks that could get a free charge for your electric vehicle, to stopping it charging at all, to unbalancing the power grid and causing blackouts. Governments have inadvertently made the problem worse, in the quest to manage future load on the grid from EVs. Oh, and wide scale leakage of personal data and privacy invasion.

      Solar inverters are covered too; pwnage of millions of them. The Horus Scenario of 2016 touched on some of the potential; we will show just how much worse and widespread it already is.

      The root causes include vendor apathy or ignorance, but also cover the challenge of maintaining robust identity in embedded devices.

      A scary tale of how common errors, flaws and misconfigurations can lead to millions of devices that control gigawatts of power being manipulated.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      In this talk, the speaker will share how Cmd is using ML to address three well-defined security problems: Spam/Malware Detection, Intrusion Detection, and Vulnerability Management. He’ll present key findings of our research into these areas, describe the effects of biased data in these use cases, and how to mitigate those effects to achieve higher accuracy. Additionally, the speaker will discuss the effects of adversarial attacks, and potential solutions for safeguarding ML models.

      The speaker will also outline a number of the tools used to develop these findings, including methods for analyzing and visualizing massive datasets over billions of Linux audit events. He’ll cover advances in machine learning (ML) that you can leverage to gain meaning out of the data you throw into the lake.

      If you’re considering using ML for resolving security problems, want to build solutions that can help you win the race against cyber criminals, or need to learn more about options for building better ML models, then join Jake to learn how to build high value cyber-security solutions using machine learning.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Malicious documents (maldocs) often contain social engineering images that attempt to convince a user to run malicious code by disabling Microsoft Office’s read-only mode and enabling macros. These images are commonly designed to look like genuine program prompts by reusing software logos, fonts and styling associated with popular brands. Since maldocs are often used as the initial attack vector against organisations and users, it is crucial for security teams to detect and respond to the use of maldocs. However, identifying and tracking maldocs has proven challenging. Maldocs are often seen in bulk and threat actors tend to use them in campaigns in which large numbers of similar documents are used. Grouping maldocs into campaigns can be challenging because threat actors can easily vary document characteristics to evade detection, such as filenames, metadata, data padding and obfuscation types. We see threat actors often reusing or slightly tweaking social engineering images, likely due to their effectiveness over time and a lack of detection mechanisms that would force their change. Using perceptual hash algorithms, these images can be utilised as an effective maldoc characteristic that can improve the detection and correlation of maldoc campaigns.

      Additional information about the image can also be extracted to attempt to derive the context of the social engineering attempt. Existing malware naming schemes often fail to meaningfully describe social engineering images when labelling threats because they tend to focus on malware type, platform and capabilities, ignoring any social engineering characteristics. This information can further enhance an understanding of adversarial tactics and techniques.

      In this presentation, we describe, first, how to identify and correlate maldocs by applying perceptual hashing algorithms to social engineering images; and, second, propose a method for generating social engineering image indicators with labels that better describe the visual characteristics of maldocs, such as brand abuse, lure type and language. Where documents are known-bad to anti-virus scanners, we use this information to augment traditional malware detection labels by associating malware families with the indicators.

      We argue that perceptual hash values are robust indicators because an attacker’s choice of lures is largely driven by those that have proven effective historically and because significant visual changes to social engineering images take time to implement.

      Although a similar approach using perceptual hash algorithms has been applied to detecting phishing websites, we argue that for maldocs they are currently underutilised by network defenders, particularly their use as indicators that provide context to social engineering attempts.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
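As an added, stand-alone illustration of the perceptual-hash correlation described in the abstract above (editor-written example code, not the presenters' tooling): a difference hash (dHash) computed over small constructed grayscale images, a Hamming distance between hashes, and a union-find grouping that joins images whose hashes lie within a threshold. The images, their names and the threshold are constructed for the example; extracting the lure images from the document container (for example the media folder of an Office file) and decoding them to grayscale is assumed to have happened already.

```python
"""Perceptual hashing (dHash) of social-engineering lure images.

Added example; the sample images below are constructed, not real lures.
"""
from itertools import combinations

W, H = 18, 16  # constructed sample image size (width x height)


def make_image(width, height, fn):
    """Build a grayscale image as rows of 0..255 ints from fn(x, y)."""
    return [[fn(x, y) for x in range(width)] for y in range(height)]


def resize_gray(pixels, width, height):
    """Nearest-neighbour downscale; enough to demonstrate the idea."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [
        [pixels[y * src_h // height][x * src_w // width] for x in range(width)]
        for y in range(height)
    ]


def dhash(pixels, hash_size=8):
    """Difference hash: one bit per horizontally adjacent pixel pair.

    The image is shrunk to (hash_size + 1) columns by hash_size rows, so
    each row yields hash_size comparisons; a bit is 1 when the left pixel
    is brighter than its right neighbour. Result is a hash_size**2 bit int.
    """
    small = resize_gray(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left > right else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def cluster(hashes, threshold):
    """Group names whose hashes lie within `threshold` bits (union-find).

    Transitive: A~B and B~C puts A, B and C in one group even if A and C
    are further apart, which is what campaign grouping usually wants.
    """
    parent = {name: name for name in hashes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for a, b in combinations(hashes, 2):
        if hamming(hashes[a], hashes[b]) <= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in hashes:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def _checker(x, y, hi=255, lo=0):
    """A 2x2-block checkerboard standing in for a textured lure image."""
    return hi if ((x // 2) + (y // 2)) % 2 == 0 else lo


# Constructed inputs standing in for extracted lure images.
SAMPLE_IMAGES = {
    "lure_original": make_image(W, H, _checker),
    # Same lure re-saved with reduced contrast: pixel ordering unchanged.
    "lure_recompressed": make_image(W, H, lambda x, y: _checker(x, y, 200, 30)),
    # Same lure with a small overlay pasted into the top-left corner.
    "lure_with_sticker": make_image(
        W, H, lambda x, y: 128 if x < 4 and y < 4 else _checker(x, y)),
    # Two unrelated, low-detail banners.
    "banner_top_bright": make_image(W, H, lambda x, y: 255 if y < 8 else 0),
    "banner_gradient": make_image(W, H, lambda x, y: x * 255 // (W - 1)),
}


def correlate(images=SAMPLE_IMAGES, threshold=10):
    """Hash every image and return (hashes, groups)."""
    hashes = {name: dhash(img) for name, img in images.items()}
    return hashes, cluster(hashes, threshold)


if __name__ == "__main__":
    hashes, groups = correlate()
    for name, h in hashes.items():
        print(f"{name:20s} {h:016x}")
    print("groups:", groups)
```

The two "banner" images hash identically although they look nothing alike: dHash encodes only left-to-right brightness changes, so flat or smoothly shaded images collide. Treat a near-zero distance as a candidate match to be confirmed against other document characteristics, not as proof that the same lure was reused.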
      Abstract:

Anyone starting in the security industry gets quite overwhelmed about how best to obtain adequate training to perform their role. Novices need to understand what the best approach to security training is and how they can get enough of it to navigate the complicated paths of different courses provided by various vendors. Security managers and directors need to review and sign off on training budgets and get challenged by staff who want the best and most expensive courses. There's really no one-size-fits-all solution to this.

A suggested approach would be to assist everyone in identifying how to get the maximum out of any budget that might be in place. A combination of vendor courses along with self-study, on-the-job training and free courses offered by a variety of MOOC online universities and vendors can greatly aid in providing everyone with suitable training.

In fact, this can greatly aid anyone new to the security industry in getting their foot in the HR door, and even help experienced people achieve their full potential.

Various paths can be followed, and working with each individual makes all the difference. Someone might want to be the best security analyst or incident responder while other people may need to focus on legal issues or management roles. Examples of such paths and how to progress along each track will be analysed, and concise approaches on how to customise training to each person's needs will be provided to ensure the best outcome is reached, while constantly remaining vigilant about budgetary concerns.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      SSH does a whole bunch of cool things for us. It gives us a shell on another box. It has something to do with sftp and git. It, uh, does various and sundry nifty things documented in a manpage. Somewhere.

      Turns out (Open)SSH is, in the speaker's opinion, a rock-solid RAT (with outstanding manpages, to boot). Aside from the customary shell and file transfer, SSH has loads more functionality which probably wasn't actually meant for hacking but which works out nicely for us anyway. Especially now in the days of Living off the Land (which the speaker was doing before it was cool), decades-old SSH continues to hold its own as an excellent way to gain and maintain access.

In this talk we'll dive into the ins and outs of using SSH as a RAT by roughly following the typical pattern of owning a Linux box, minus some of the boring bits. We'll start off with a quick detour for an overview of how SSH works under the hood and discuss the hows and whys of using SSH as an offensive tool. Along the way, we'll also take a look at some of the less-commonly-known offensive-friendly features (read: cool tricks) SSH provides as well as a few of the lessons the speaker's learned the hard way. This talk isn't a discussion of which is the best Power Ranger nor is it meant to be a first intro to SSH, though there'll be a few seconds of basic SSH usage. Showing up to the talk with a laptop and an accessible SSH server is encouraged but not necessary.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      This is a story about a DevSecOps journey that evolved security practices at my organization. I'm sharing what worked, what did not and how I hacked the culture so that I could join the party.

1. I will provide a simplified version of conducting value stream mapping to define where to engage security organizations.
2. Examples of experiments to conduct culture changes within the organization toward DevSecOps.
3. How to simplify feedback provided by tooling integrated into the pipeline.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Not much is known about people’s hacking careers (at least among most academics!). Criminologists are getting more and more interested in cybercrime and malicious forms of hacking in particular, but there are A LOT of gaps. One big gap we want to address is to begin exploring how hacking careers change over time. In this 30-minute presentation we aim to do two things.

      First, we will introduce you to a research project we’ve developed which explores why people stop engaging in criminalised forms of hacking and how their hacking practices change over time with moves in and out of illicit activity. Research into moves away from other illicit practices has often focused on ‘street’ or other traditional crimes. We think that this research doesn’t quite seem to fit, and that chances are, this paints a pretty skewed picture!

      Our second aim is to start a discussion (with you!) about what hacking careers look like. We argue that current research isn’t good enough at capturing the myriad of different practices that fall under the ‘hacking’ umbrella. It isn’t sensitive to the variety of reasons why people engage with hacking, or the grey legal areas in which many practices reside. This makes it hard to even define what ‘desistance’ (i.e. the process of stopping committing crime) looks like. We want to make sure that we are asking the right questions in the right way.

      We also want to talk about the ethics of hacking. Research into moves away from other forms of crime has suggested that in doing so, people redefine a new ‘ethical identity’ for themselves (Maruna, 2001; Ahmed et al. 2001) and that they need to achieve belonging within a ‘moral community’ (McNeill and Schinkel, 2016). This raises questions about what kinds of ‘moral communities’ already exist in hacker communities and how these might support or discourage engagement in different practices.

      To us, both hacking and stopping hacking involve the daily practice of moral reasoning and engagement in moral questions. Perhaps desistance is just submission to the predominant moral order?

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 1 (out of 5) and I consider it suitable for Pentesters, hackers and so on, General interest
      This talk has not been presented at other conferences and it cannot be filmed and released.
      Abstract:

Large companies need constant monitoring of their infrastructure to spot intruders as early as possible. Being a major Russian software company with dozens of services that are used by 15+ million people daily, Yandex invests a lot of resources to keep its infrastructure secure.

      Yandex has a large fleet of Windows machines that generate GBs of logs per day.

The talk mainly covers Yandex's experience with osquery: challenges we face on a daily basis, osquery issues and ways of solving them.

I'm going to talk about tips and tricks of how we cook osquery at Yandex - e.g. how to make the best use of osquery tables, what the ATT&CK matrix can bring to your company and how to make it work with osquery. I will also share some ideas about threat hunting and live forensics with osquery.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, General interest
      This talk has not been presented at other conferences and it cannot be filmed and released.
      Abstract:

      Most ELF binaries load libraries. Some of those libraries load more libraries. Library loading turns out to be a really great place for code loading. Like, for example, in systemd. On boot. By flipping just one bit.

      This talk will look at shared object files (i.e. libraries) and how they can be used to get code running in places it's not meant to be. We'll start by taking a look at the interesting bits of what really happens when an ELF file is linked at runtime, then we'll look at a few different known ways to take advantage of the linker's somewhat trusting behavior.

      We'll also see a new(ish) take on the ancient technique of fiddling with the shared objects dynamically loaded in an ELF file to enable persistent monkey business. Near the end we'll have a look at a tool to automate backdooring ELF files like systemd, /bin/* `find / -name lib*.so*`, and so on.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 4 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
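As an added, stand-alone example (editor-written, not the speaker's tool) of the runtime-linking inputs the abstract above refers to: the dynamic loader learns what to load from the DT_NEEDED entries in the PT_DYNAMIC segment and where to look from DT_RPATH/DT_RUNPATH, so listing those is the first check on a binary whose library loading may have been tampered with. The parser handles little-endian ELF64 program headers only, and the ELF image it builds for itself is constructed for the example, with hypothetical library names and RUNPATH value.

```python
"""List the dynamic-linking inputs of an ELF64 file: DT_NEEDED, DT_RPATH
and DT_RUNPATH. Added example with a constructed sample image; handles
little-endian ELF64 only and consults program headers, not sections.
"""
import struct

EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"0x{vaddr:x} is not backed by the file")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")


def dynamic_deps(data):
    """Return {'needed': [...], 'rpath': str|None, 'runpath': str|None}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_offset + p_filesz)
    info = {"needed": [], "rpath": None, "runpath": None}
    if dynamic is None:  # statically linked: nothing for ld.so to load
        return info
    off, end = dynamic
    entries = []
    while off + 16 <= end:  # d_tag/d_val pairs up to DT_NULL
        d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
        off += 16
        if d_tag == DT_NULL:
            break
        entries.append((d_tag, d_val))
    strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_vaddr is None:
        raise ValueError("dynamic section has no DT_STRTAB")
    strtab = _vaddr_to_offset(loads, strtab_vaddr)
    for tag, val in entries:  # values are offsets into the dynamic string table
        if tag == DT_NEEDED:
            info["needed"].append(_cstring(data, strtab + val))
        elif tag == DT_RPATH:
            info["rpath"] = _cstring(data, strtab + val)
        elif tag == DT_RUNPATH:
            info["runpath"] = _cstring(data, strtab + val)
    return info


def search_path_warnings(info):
    """Flag search-path elements whose contents someone other than root may control."""
    warnings = []
    for kind in ("rpath", "runpath"):
        if info[kind] is None:
            continue
        for element in info[kind].split(":"):
            if "$ORIGIN" in element or "${ORIGIN}" in element:
                warnings.append(f"{kind} {element!r}: relative to the binary's own directory")
            elif element == "" or not element.startswith("/"):
                warnings.append(f"{kind} {element!r}: relative to the working directory")
            elif element.startswith(("/tmp", "/var/tmp", "/dev/shm")):
                warnings.append(f"{kind} {element!r}: under a world-writable directory")
    return warnings


def build_sample_elf():
    """Constructed ELF64 image holding just the parts the loader reads.

    Not a runnable program; library names and the RUNPATH are hypothetical.
    """
    base = 0x400000
    names = [b"libc.so.6", b"libhelper.so"]
    runpath = b"/tmp/lib:$ORIGIN"
    strtab, strpos = b"\0", {}
    for s in names + [runpath]:
        strpos[s] = len(strtab)
        strtab += s + b"\0"
    ehsize, phentsize, phnum = 64, 56, 2
    strtab_off = ehsize + phentsize * phnum
    dyn_off = (strtab_off + len(strtab) + 7) & ~7  # 8-byte aligned
    dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in [
        (DT_STRTAB, base + strtab_off), (DT_NEEDED, strpos[names[0]]),
        (DT_NEEDED, strpos[names[1]]), (DT_RUNPATH, strpos[runpath]), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + phdrs + strtab
    return body + bytes(dyn_off - len(body)) + dyn


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    info = dynamic_deps(data)
    print(info)
    for w in search_path_warnings(info):
        print("warning:", w)
```

Run it with a real binary's path as the argument and compare the output with `readelf -d`. The warnings cover only where the loader will search; they say nothing about whether the library that is eventually found is the expected one, which is a separate check (hashes of the resolved files, or ownership and permissions of their directories).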
      Abstract:

      More than a bit of snobbism by security professionals can be blamed for creating the divide between hacking headlines and what we actually need to worry about. The media sensationalizes breaches, painting attackers as a shadowy omnipotent cabal, meanwhile Equifax used admin/admin to protect sensitive data for hundreds of millions of its users.

So even though the cybersecurity "adults in the room" know not to click strange links to win a free iPad, log in to notg00gle.com or download the attachment from Lisa@FreePills, intel-driven red team attacks are increasingly demanded by regulators, because breaches keep happening to the largest organizations with the biggest budgets to keep themselves (and their customers) safe. This talk aims to examine how it is possible to combine information from open source intelligence, information available on the deep & dark web, and data for sale by ad-tech companies, so that anyone could end up getting phished (be it a cybersecurity expert or Jeff Bezos).

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management
      This talk has been presented at other conferences and it cannot be filmed and released.
      Abstract:

Let's face it. Security is often accused of being out of touch. We buy silver bullets and chase ghosts instead of addressing fundamental problems. Pen testers come back year after year and find the same bugs. The business looks at us as a blocker and IT thinks we are paranoid, at best. We keep burying our heads in the sand and ignoring the elephant in the room – what we are doing is not working.

      Why does this keep happening? Drawing on almost two decades of multinational experience and community leadership, within the ivory tower of enterprise security and – more importantly – without, we analyse some of the challenges blue teams face. Why is it easier to buy a silver bullet solution or chase a new fad (AI?) instead of fixing a reflected XSS issue or patching regularly? Why can a supplier have a dedicated security team yet fail at handling vulnerability reports? We critically analyse the modern security organisation to look at where we have failed and why.

      We then introduce recent approaches to devsecops – shifting left – and how they can work in high-performing engineering organisations to drive real improvement in security. We argue that this approach can be applied more widely and distil this into a set of patterns and anti-patterns that can be applied to improve anyone’s security practice, sole trader or enterprise, red or blue.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Security operations are the forgotten masses of infosec, dealing with impossible odds. Outside of the defensive community, few people realise the difference between SECOPs and SOCs and the challenges these teams face every day. I believe that security operations teams are the vital heart of our industry, and in this talk I aim to help new and experienced security professionals level up their ability to support and act as security operations team members.

In this talk I explore the similarities and differences between SECOPs and SOCs and why both are essential to a successful security operations programme. I dive into the obstacles these teams face, offer possible solutions, and explain how those on both the blue and red teaming sides of the industry need to work together to solve them.

      By the end of this talk, as well as having practical tips to take away, you will have a new perspective on security operations and blue teaming from a veteran of ten years in information security and major incident management. Expect to hear some war stories too, and why information security is much like an MMORPG.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      Internet users are constantly identified and tracked across the web, for purposes such as targeted advertising, gaining personal data, or analytics. This happens without their knowledge or consent, and only relies on standard Web APIs. While disabling cookies and JavaScript would solve most of these issues, it would also break most modern websites.

      This talk will introduce browser fingerprinting, why it is a problem, how fingerprinting is performed, some misuse-cases (as well as use-cases), a few defense mechanisms and attempted solutions.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Techie or general geek
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

Despite the proliferation of security awareness training, organisations’ employees continue to create significant security risks. There’s lots of talk about security awareness, behaviour & culture in the industry – yet organisations are still struggling to move the needle on human security risks.

      In this session we’ll look at the lessons learnt and insights gained from 6 years of building a security culture management system. We’ll look at what we’ve tried, what’s worked, what’s failed and more importantly, what we can learn from the failings.

      If you’re in any way involved in security awareness, behaviour or culture improvement in your organisation this session aims to give you plenty of ideas you can take away and apply yourself – no matter the level of your technical ability. By the end of the session you’ll have some actionable steps you can take to start to build a security culture dashboard inside your organisation.

      During the session we’ll give security culture a meaningful definition, look at some fundamental behaviour science and then get clever about how we can use data to profile, manage and improve a wide range of security behaviours whilst building a security culture dashboard. We’ll discuss how this can be done at scale and identify ways in which orchestration and automation can be used to drive genuine behaviour change throughout your organisation, whether it has 10 employees or 100,000.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

The Linux Audit daemon is responsible for writing audit records to disk, which you can then access with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this: it keeps the original configuration but ships the records to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.

This talk shows you what you can do to discover changes, events, and potential security breaches as soon as possible on interactive dashboards. Additionally, we combine Auditd events with security-relevant logs and explore them in Elastic's free SIEM.

      The presenter says...
      The talk is around 45 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Management
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

Why should you allow all possible system calls from your application when you know that you only need some? If you have ever wondered the same, then this is the right talk for you. We are covering:

      • What is seccomp in a nutshell and where could you use it.
      • Practical examples with Docker, Elasticsearch, and Beats.
      • How to collect seccomp violations with Auditd.
      Because your security approach can always use an additional layer of protection.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Techie or general geek, General interest
      This talk has been presented at other conferences and it can be filmed and released.
      Abstract:

      While not having enough information in your SIEM is certainly bad, having too much can be equally problematic. Your searches might drown you in results. You could be encountering resource bottlenecks like CPU or disk I/O, or worse – licensing.

      What actions can you take that will relieve the pressure, without losing crucial information that helps you keep your organisation secure? What are the most effective methods to achieve this end? This talk will show you how to rapidly identify excess that can be trimmed, and how to maintain control once you’ve achieved a sustainable level of usage. It will cover locating the best areas to focus your time on, prioritising data sources, types, and individual events, identifying the different stages at which data can be controlled and filtered, and where there might be alternatives more nuanced than the black and white of “store this in the SIEM” or “do not store this”.

      For SOC engineers, this talk gives you ways to make your most central tool serve you more effectively. For managers/CISOs it is a list of opportunities to keep your costs in check and possibly even save some money.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 2 (out of 5) and I consider it suitable for Techie or general geek, General interest
      This talk has not been presented at other conferences and it can be filmed and released.
      Abstract:

      This CyberRange project represents the first open-source Cyber Range blueprint in the world. This presentation provides a technical walk-through & demo of the bootstrap framework enabling users to build a complete offensive, defensive, reverse engineering, and security intelligence training lab in AWS.

      This project contains vulnerable systems, open-source offensive/defensive tools, a reverse engineering / malware detection system, & an awesome conglomerate of supplemental open-source tools to create a comprehensive community solution.

      It simply provides a researcher with a disposable AWS-based research environment in less than 10 minutes.

      The presenter says...
      The talk is around 30 mins long. The level of difficulty of this talk is 3 (out of 5) and I consider it suitable for Pentesters, hackers and so on, Techie or general geek, Management, General interest
      This talk has not been presented at other conferences and it can be filmed and released.