F-Secure Consulting Event

The Briefing, London

Thursday, October 21 2021

09:00 - 19:00 BST

County Hall, London, UK

Our first in-person UK Briefing in nearly two years took place in October. 

Given the situation with COVID-19, we know a lot of people couldn't join us on the day. To ensure you don't miss out, we wanted to share the presentations publicly. If you would like any further information on any of these topics, please do get in touch.

The purpose of this event was to provide:

  • Technical and business-related insights
  • Practical 'how-to-tips'
  • Guidance from cyber-security experts
  • The opportunity to network with your peers and discuss the latest industry trends with our consultants

Presentation recordings:

Emulating Ransomware Attacks Safely, presented by Tim Carrington

Ransomware attacks have long been a thorn in the side of every organization. In recent years, a number of prolific attacks have taken place, putting the criminals responsible at the forefront of the blue team’s mind and causing many a sleepless night. How can information security professionals effectively—and safely—determine the potential impact of a ransomware attack on their organization? This talk addresses just that. Through a live example, Tim demonstrates how a ransomware simulation assessment can be performed safely, whilst maximizing the improvement to your prevention, detection, and response capabilities.

Fighting back against Cobalt Strike, presented by Callum Roxan and James Dorgan

Cobalt Strike remains one of the most prevalent attack frameworks used by threat actors and has even grown in popularity. Regardless of the attacker’s motive, it continues to play a recurring role in intrusions, due to its wide availability, flexibility, and ability to remain undetected on most victim networks. In this talk, Callum and James discuss proven and effective strategies for detecting Cobalt Strike. This talk is built from insights gained over years of threat detection research, incident response cases, and managed detection and response investigations. They break down recent real-world incidents, identifying and explaining the key detection opportunities in each, and revealing the detection logic and strategies that have continually allowed them to stay one step ahead. They also provide insight into how attackers are leveraging Cobalt Strike, and what can be learnt from their patterns of behavior, to help develop a robust detection capability.

Buffer overflow on the mainframe, presented by Jake Labelle

Mainframes run the world. When you pay for something, a mainframe is involved. Booking a flight? Using a bank? A mainframe was involved. Have you been to university? Mainframes. The current (and really only) mainframe operating system is z/OS from IBM. Finding exploits on z/OS is no different than on any other platform. This talk familiarizes you with z/OS and walks through how to become a mainframe exploit researcher: starting with an introduction to mainframes, then discussing the native z/OS program TSO TEST, used to debug and reverse engineer authorized (APF) programs. The talk concludes with a demo of a local privilege escalation exploit getting key zero (mainframes use storage keys instead of rings). Attendees come away knowing more about mainframes and how they too can go about finding their own exploitable binaries.

Attack detection in SaaS, presented by Christian Philopov

Some organizations struggle to build effective attack detection for the software-as-a-service (SaaS) offerings they use. This usually leads either to too many low-fidelity alerts, exhausting analysts, or to too few to adequately detect malicious and anomalous activities.

In this talk, viewers will learn:

  • How to gather useful security information from popular SaaS products such as Google Workspace, GitHub Enterprise, and Microsoft 365
  • How looking at log events holistically yields better results
  • How to develop detection use cases for SaaS tools that are tailored to your environment

Has anyone Seen the Principal?, presented by Emilian Cebuc

If not carefully monitored, Azure allows privilege escalation via third-party service principals. Depending on a user's assigned privileges in Azure Active Directory (AAD), a password or certificate can be added to an O365 application's service principal, allowing whoever holds that credential to perform AAD actions as that application. This attack avenue is further enabled by the 200 applications, each with varying permissions assigned by default, that are onboarded when an O365 E3 or E5 license is integrated into a tenant. Microsoft does not view this as a security vulnerability or concern, leaving customers to configure it independently in their Azure environment.

In this talk, Emilian discusses using new Cypher queries to graphically display the third-party service principals integrated with Azure and their dependent relationships, in addition to other useful reporting information. These queries can be used in isolation or as building blocks to map more complex relationships, enabling security professionals to identify possible attack avenues and empowering defenders to prioritize their line-of-defense strategies. Where possible, we have also implemented scripts that attempt the exploitation and report back on its effectiveness.
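The privilege escalation described above leaves a trace: every password or certificate added to a service principal is written to the AAD audit log. The following is an added detection example, not code from the talk or from F-Secure Consulting; it runs over constructed audit records whose layout is a simplified assumption (the real Azure AD audit-log schema is richer), and the activity name "Add service principal credentials" is assumed to match the display name Azure AD uses. It flags credential additions to service principals, groups them by actor, and surfaces actors who mint credentials for several applications in a short window, which is the pattern a defender would want to review first.

```python
"""Flag credential additions to Azure AD service principals.

Added example (not the talk's own tooling). The record layout is a
constructed simplification of Azure AD audit-log entries; the activity
name is assumed to match the one Azure AD displays for this operation.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records. Actors, targets and times are made up.
SAMPLE_AUDIT_RECORDS = [
    {"time": "2021-10-21T09:05:00Z", "activity": "Add service principal credentials",
     "actor": "alice@example.test", "target": "Office 365 Exchange Online",
     "target_type": "ServicePrincipal", "credential_type": "Password"},
    {"time": "2021-10-21T09:06:10Z", "activity": "Update application",
     "actor": "bob@example.test", "target": "Contoso HR Portal",
     "target_type": "Application", "credential_type": None},
    {"time": "2021-10-21T09:07:45Z", "activity": "Add service principal credentials",
     "actor": "alice@example.test", "target": "Microsoft Graph",
     "target_type": "ServicePrincipal", "credential_type": "Certificate"},
    {"time": "2021-10-21T11:30:00Z", "activity": "Add service principal credentials",
     "actor": "svc-automation@example.test", "target": "Contoso HR Portal",
     "target_type": "ServicePrincipal", "credential_type": "Password"},
]

# Activity names treated as "a credential was added to a service principal"
# (assumed display name; adjust to the tenant's actual log vocabulary).
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def find_credential_additions(records):
    """Return the records where a password or certificate was added to a service principal."""
    return [
        r for r in records
        if r["activity"] in CREDENTIAL_ACTIVITIES and r["target_type"] == "ServicePrincipal"
    ]


def additions_by_actor(records):
    """Map each actor to the list of service principals they added credentials to."""
    grouped = defaultdict(list)
    for r in find_credential_additions(records):
        grouped[r["actor"]].append(r["target"])
    return dict(grouped)


def burst_actors(records, threshold=2, window_seconds=600):
    """Actors who added credentials to at least `threshold` service principals
    within any `window_seconds` span. A sliding window over sorted timestamps."""
    per_actor = defaultdict(list)
    for r in find_credential_additions(records):
        per_actor[r["actor"]].append(datetime.strptime(r["time"], TIME_FORMAT))
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for actor, targets in additions_by_actor(SAMPLE_AUDIT_RECORDS).items():
        print(f"{actor} added credentials to: {', '.join(targets)}")
    print("burst actors:", burst_actors(SAMPLE_AUDIT_RECORDS))
```

In a real tenant the records would come from the AAD audit log export rather than an inline list, and the actor grouping is most useful when joined against the actor's directory role: a credential added to a first-party application by an account that is not expected to administer applications is the case the talk's queries are designed to surface.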

You can find the related Microsoft Azure Security Framework white paper here.

Breaking network segregation with esoteric C2, presented by Alfie Champion and James Coote

This talk explores the weaponization of esoteric internal command and control (C2) channels (C2 channels built on uncommonly used protocols) and their use for lateral movement. Attendees are able to experience demonstrations of novel and reimagined techniques for breaking out of heavily segregated environments, focusing on the services frequently observed to bridge these environments, for example Active Directory and VMware. For each of the C2 channels shown, attendees can also expect insights into the actionable detection artefacts that these channels produce.

You can find the related article on this topic here.

If you’d like to attend future events in your country, or keep up to date with our latest research and guidance
