Given the situation with COVID-19, we know a lot of people couldn't join us on the day. To ensure you don't miss out, we wanted to share the presentations publicly. If you would like any further information on any of these topics, please do get in touch.
Ransomware attacks have long been a thorn in the side of every organization. In recent years, a number of prolific attacks have taken place, putting the criminals responsible at the forefront of the blue team’s mind and causing many a sleepless night. How can information security professionals effectively—and safely—determine the potential impact of a ransomware attack on their organization? This talk addresses just that. Through a live example, Tim demonstrates how a ransomware simulation assessment can be performed safely, while maximizing the improvement to your prevention, detection, and response capabilities.
Cobalt Strike remains one of the most prevalent attack frameworks used by threat actors and has even grown in popularity. Regardless of the attacker’s motive, it continues to play a recurring role in intrusions, due to its wide availability, flexibility, and ability to remain undetected on most victim networks. In this talk, Callum and James discuss proven and effective strategies for detecting Cobalt Strike. This talk is built from insights gained over years of threat detection research, incident response cases, and managed detection and response investigations. They break down recent real-world incidents, identifying and explaining the key detection opportunities in each, and revealing the detection logic and strategies that have continually allowed them to stay one step ahead. They also provide insight into how attackers are leveraging Cobalt Strike, and what can be learnt from their patterns of behavior, to help develop a robust detection capability.
Mainframes run the world. When you pay for something, a mainframe is involved. Booking a flight? Using a bank? A mainframe was involved. Have you been to university? Mainframes. The current (and really only) mainframe operating system is z/OS from IBM. Finding exploits on z/OS is no different than on any other platform. This talk familiarizes you with z/OS and walks through how to become a mainframe exploit researcher: starting with an introduction to mainframes, then discussing the native z/OS program TSO TEST, used to debug and reverse engineer authorized (APF) programs. The talk concludes with a demo of a local privilege escalation exploit obtaining key zero (mainframes use storage protection keys instead of rings). Attendees come away knowing more about mainframes and how they too can go about finding their own exploitable binaries.
Some organizations struggle to build effective attack detection for the software-as-a-service (SaaS) offerings they use. This usually leads either to too many low-fidelity alerts, exhausting analysts, or to too few to adequately detect malicious and anomalous activities.
In this talk, viewers will learn:
If not carefully monitored, Azure allows privilege escalation via third-party service principals. Depending on a user's assigned privileges in Azure Active Directory (AAD), a password or certificate can be assigned to an O365 application, allowing that user to perform AAD actions as the application. This attack avenue is further enabled by the 200 applications, each with varying permissions assigned by default, that are onboarded when integrating an O365 E3 or E5 license into a tenant. Microsoft does not view this as a security vulnerability or concern, leaving customers to configure it independently in their Azure environment.
In this talk, Emilian discusses using new Cypher queries to graphically display the third-party service principals integrated with Azure and their dependent relationships, in addition to other useful reporting information. These queries can be used in isolation or as building blocks to map more complex relationships, enabling security professionals to identify possible attack avenues and empowering defenders to prioritize line-of-defense strategies. Where possible, we have implemented a few exploitation-attempting scripts that report back on the effectiveness of those defenses.
You can find the related Microsoft Azure Security Framework white paper here.
This talk explores the weaponization of esoteric internal command and control (C2) channels (C2 channels built on uncommonly used protocols) and their use for lateral movement. Attendees see demonstrations of novel and reimagined techniques for breaking out of heavily segregated environments, focusing on the services frequently observed to bridge these environments, for example Active Directory and VMware. For each of the C2 channels shown, attendees can also expect insights into the actionable detection artefacts that these channels produce.
You can find the related article on this topic here.