F-Secure Consulting Event

The Briefing, London

Thursday, October 21 2021

09:00 - 19:00 BST

County Hall, London, UK

Join us for our first in-person UK Briefing in nearly two years. Register your interest to attend.

At this full-day event, you can expect: 

  • Technical and business-related insights
  • Practical 'how-to' tips
  • Guidance from cyber-security experts
  • The opportunity to network with your peers and discuss the latest industry trends with our consultants

We'll provide refreshments throughout the day, as well as a sit-down lunch. The event will be followed by a drinks reception. 

Please complete the registration form. As there are limited spaces, your registration will be confirmed by a member of the team. 

Agenda

Emulating Ransomware Attacks Safely, presented by Tim Carrington 

Ransomware attacks have long been a thorn in the side of every organization. In recent years a number of prolific attacks have put the criminals behind them at the forefront of the blue team's mind, causing many a sleepless night. How can information security professionals effectively, and safely, determine the impact that a ransomware attack would have on their organization? This talk will address just that. Through a worked example, Tim will demonstrate how a ransomware simulation assessment can be performed safely while maximising the uplift to prevention, detection and response capabilities.

The audience will learn:

  • The importance of testing resilience to ransomware attacks
  • Approaches to planning and performing ransomware-based assessments
  • Selling it to the business
  • Ensuring a risk-averse approach
  • The value and outcomes organizations can expect from ransomware simulation assessments 

Fighting Back Against Cobalt Strike, presented by Callum Roxan and James Dorgan

Cobalt Strike remains one of the most prevalent attack frameworks used by threat actors and has continued to grow in popularity. Regardless of the attacker's motive, Cobalt Strike plays a recurring role in intrusions because of its wide availability, its flexibility and its ability to remain undetected on most victim networks.

In this talk Callum and James will discuss proven and effective strategies for detecting Cobalt Strike. This talk is built from insights gained over years of threat detection research, incident response cases, and managed detection and response investigations. They will break down recent real-world incidents, identifying and explaining the key detection opportunities in each incident and revealing the detection logic and strategies that have continually allowed them to stay one step ahead. Callum and James will provide insight into how attackers are leveraging Cobalt Strike in their attacks, and what can be learnt from their patterns of behaviour to help to develop robust detection capability.

What people will learn:

  • How threat actors are using Cobalt Strike in the wild 
  • Insight into recent real-world incidents involving Cobalt Strike, and the detection logic that allowed these incidents to be detected
  • How to build a powerful detection strategy to identify the use of Cobalt Strike on compromised endpoints

APF Authorized DSA Overflow, presented by Jake Labelle

Mainframes run the world, literally. If you have ever paid for something, a mainframe was involved! Booked a flight? Used a bank? Gone to college? A mainframe was involved. Do you live in a country with a government? Mainframes! The current (and really only) mainframe operating system is z/OS from IBM. Finding exploits on z/OS is no different from any other platform. This talk will walk through how you too can become a mainframe exploit researcher! It starts with an intro to mainframes, then shows how the native z/OS program TSO TEST can be used to debug and reverse engineer authorized (APF) programs. The talk will conclude with a demo of a local privilege escalation exploit that obtains key zero (mainframes use storage protection keys instead of rings).

Attendees of this talk will come away knowing more about mainframes and how they can go about finding their own exploitable binaries.

Attack Detection in SaaS, presented by Christian Philipov

Organizations struggle with building meaningful attack detection for the Software-as-a-Service (SaaS) offerings they use. This usually leads either to too many low-fidelity alerts that exhaust your analysts, or to too few to adequately detect malicious and anomalous activity.

In this talk attendees will learn: 

  • How to approach gathering useful security information from popular SaaS products such as Google Workspace, GitHub Enterprise and Microsoft 365
  • How looking at log events in a holistic fashion yields better results 
  • How to develop detection use cases for SaaS tools that are tailored to your environment

Has Anyone Seen the Principal?, presented by Emilian Cebuc

Azure allows for privilege escalation via third-party service principals if they are not carefully monitored. Depending on a user's assigned privileges in Azure Active Directory (AAD), a password or certificate can be added to an O365 application's service principal, allowing whoever holds that credential to authenticate as the application and perform AAD actions with its permissions. This attack avenue is augmented by the fact that over 200 applications, with varying permissions assigned by default, are onboarded when an O365 E3 or E5 license is integrated into a tenant. Microsoft does not view this as a security vulnerability or concern, leaving consumers to configure it in their Azure environment.

In this talk, Emilian will cover new Cypher queries that graphically display the third-party service principals integrated with Azure and their dependent relationships, together with other useful reporting information. These queries can be used in isolation or as building blocks to map more complex relationships. This will enable security professionals to identify possible attack avenues and empower defenders to prioritize their lines of defense. Where possible, we have also implemented a few scripts that attempt the exploitation and report back on its effectiveness.
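The check a defender would want alongside the graph queries is a plain audit for the backdoor the abstract describes. A third-party application's service principal normally carries no credentials in the consuming tenant, because the publisher authenticates with keys held in its own tenant; any password or certificate found on such an object was added locally. The following is an added example, not code from the talk or from F-Secure: it models its input on Microsoft Graph servicePrincipal objects (as returned by GET /v1.0/servicePrincipals with a $select of appOwnerOrganizationId, passwordCredentials and keyCredentials), but the records, tenant IDs and app names are constructed, and the reference date is an assumption for the demo.

```python
"""Flag third-party Azure AD service principals that carry tenant-added credentials.

Added example, not part of the Briefing talk. The sample records below are
constructed to resemble Microsoft Graph `servicePrincipal` objects; the tenant
identifiers, app names and dates are hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Assumed identifier of the tenant being audited (hypothetical value).
OWN_TENANT_ID = "11111111-1111-1111-1111-111111111111"
# Assumed publisher tenant that owns the sample third-party apps (hypothetical).
PUBLISHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"
# Reference "now" for the recency check: the day of the Briefing (assumed for the demo).
BRIEFING_DATE = datetime(2021, 10, 21, tzinfo=timezone.utc)

SAMPLE_SERVICE_PRINCIPALS = [
    {   # Clean third-party app: owned by the publisher, no local credentials.
        "id": "sp-001", "appId": "app-001", "displayName": "Publisher Mail Connector",
        "appOwnerOrganizationId": PUBLISHER_TENANT_ID,
        "passwordCredentials": [], "keyCredentials": [],
    },
    {   # Backdoored third-party app: a client secret was added in this tenant.
        "id": "sp-002", "appId": "app-002", "displayName": "Publisher Directory Sync",
        "appOwnerOrganizationId": PUBLISHER_TENANT_ID,
        "passwordCredentials": [{
            "keyId": "k-1", "displayName": "svc-sync",
            "startDateTime": "2021-09-30T08:12:00Z", "endDateTime": "2023-09-30T08:12:00Z",
        }],
        "keyCredentials": [],
    },
    {   # Backdoored third-party app: a certificate was uploaded in this tenant.
        "id": "sp-003", "appId": "app-003", "displayName": "Publisher Reporting",
        "appOwnerOrganizationId": PUBLISHER_TENANT_ID,
        "passwordCredentials": [],
        "keyCredentials": [{
            "keyId": "k-2", "displayName": "CN=reporting", "type": "AsymmetricX509Cert",
            "usage": "Verify", "startDateTime": "2021-10-01T00:00:00Z",
            "endDateTime": "2022-10-01T00:00:00Z",
        }],
    },
    {   # Tenant-owned app with its own secret: expected, so not flagged.
        "id": "sp-004", "appId": "app-004", "displayName": "Internal Automation",
        "appOwnerOrganizationId": OWN_TENANT_ID,
        "passwordCredentials": [{"keyId": "k-3", "displayName": "ci",
                                 "startDateTime": "2021-01-01T00:00:00Z",
                                 "endDateTime": "2022-01-01T00:00:00Z"}],
        "keyCredentials": [],
    },
]


def _parse_time(value):
    # Graph returns ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_third_party(sp, own_tenant_id):
    """True when the app is owned by another tenant (a missing owner is treated as third-party)."""
    return sp.get("appOwnerOrganizationId") != own_tenant_id


def find_tenant_added_credentials(service_principals, own_tenant_id):
    """Return one finding per password or certificate present on a third-party service principal."""
    findings = []
    for sp in service_principals:
        if not is_third_party(sp, own_tenant_id):
            continue
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:
                findings.append({
                    "servicePrincipalId": sp["id"],
                    "appId": sp["appId"],
                    "displayName": sp["displayName"],
                    "credentialKind": "password" if kind == "passwordCredentials" else "certificate",
                    "keyId": cred.get("keyId"),
                    "credentialName": cred.get("displayName"),
                    "startDateTime": _parse_time(cred["startDateTime"]),
                    "endDateTime": _parse_time(cred["endDateTime"]),
                })
    # Newest credential first: the most recent addition is the most likely live backdoor.
    findings.sort(key=lambda f: f["startDateTime"], reverse=True)
    return findings


def recent_findings(findings, now, within_days=30):
    """Subset of findings whose credential became valid within the last `within_days` days."""
    cutoff = now - timedelta(days=within_days)
    return [f for f in findings if f["startDateTime"] >= cutoff]


if __name__ == "__main__":
    hits = find_tenant_added_credentials(SAMPLE_SERVICE_PRINCIPALS, OWN_TENANT_ID)
    for f in hits:
        print(f"{f['displayName']}: {f['credentialKind']} {f['keyId']} "
              f"valid from {f['startDateTime']:%Y-%m-%d}")
    print(f"{len(recent_findings(hits, BRIEFING_DATE))} credential(s) added in the last 30 days")
```

Against a live tenant the same logic runs over the paged output of the servicePrincipals endpoint (reading it requires an application-read permission such as Application.Read.All), and every hit deserves a look at the AAD audit log for who added the credential, since the abstract's point is that an account with sufficient AAD privileges can do so silently. A hit is a lead, not a verdict: some tenants deliberately add credentials to a partner's app, so confirm with the app owner before removing anything.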

Esoteric C2, presented by Alfie Champion and James Coote  

This talk will explore the weaponization of esoteric internal command and control (C2) channels and their use for lateral movement. Attendees will see demonstrations of novel and reimagined techniques for breaking out of heavily segregated environments, focusing on the services commonly observed bridging these environments, for example Active Directory and VMware. For each of the C2 channels shown, attendees can also expect insight into the actionable detection artefacts that these channels will produce.

What people will learn: 

  • How sophisticated threat actors may establish C2 in segregated environments, such as SWIFT or CNI networks 
  • How shared services such as Active Directory, or even printers, can be used as a C2 medium
  • What detection artefacts these C2 channels may produce 


Register

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Can't attend? Subscribe to our latest insights and upcoming events in your country.
