Our 2019 speakers…
Attack – Detect – Evade: Getting Splunky with Kerberos
Ross Bingham & Tom MacDonald
Kerberos and Splunk are both complex beasts which present plenty of opportunities for both red and blue teams. In this talk we aim to cover both sides by looking at how to attack and defend Kerberos, along with how to evade detection and also what to do when you do get a detection! Hopefully leaving everyone with a better understanding and appreciation of their impact on an environment as a red team operator and providing blue team operators with insight into the weird and wonderful world of Splunk detections and how to categorise and act on certain events.
The underlying message being, understand what you are doing, what Indicators of Compromise (IOC) you will set off, and what to do when there is a detection.
The following areas will be covered throughout this talk:
Kerberos – How it works, Different Attacks, Tooling, Environment Footprint / OpSec, Evasive Maneuvers.
Splunk – How it works, Deployment, Plugins, Detecting Kerberos Attacks, Threat Response & Threat Hunting off the back of an alert, Deploying Honey SPNs
Evasion – Attacking Intelligently (not just smashing all the things), Using Splunk Against itself, compromise through the Splunk Dashboard and through Splunk forwarders.
Ross (@PwnDexter) – Red Teamer @ Nettitude
Ross is a Senior Security Consultant working within Nettitude’s red team. The bulk of his time is spent delivering red team engagements, fighting EDR products, or reporting! Otherwise he is working on research, tool development and our detection lab.
Mac (@BaffledJimmy) – Red Teamer @ Nettitude
Mac is a Senior Security Consultant at Nettitude, working on large internal infrastructure and red team engagements. He is never happier than when abusing sysadmin tools to compromise environments, as it reminds him of his younger days as a systems administrator before he saw the light and became focused on security. He is also the company expert on password cracking inefficiency.
Built-In Application Whitelisting with Windows Defender Application Control
Today’s attackers can relatively easily gain access to an environment by phishing employees and compromising their workstation. This is usually done through some form of custom or public code that the attacker modifies to fit their need. A recommendation we commonly make is to have our customers investigate some form of application whitelisting. An effective application whitelisting deployment can prevent these types of attacks from beginning, provide telemetry for blocked events, and make an attacker’s job significantly harder. What if there was already an application whitelisting solution built right into Windows, for free? Welcome to Windows Defender Application Control (WDAC). This talk will discuss what WDAC is and how it can be deployed. We’ll look into building custom policies that allow you to define how your environment is protected and what you trust. We’ll also look at common configurations for WDAC along with their strengths and weaknesses. Finally, this wouldn’t be a talk without discussing and demonstrating how an attacker could attempt to circumvent WDAC, and live within its confines.
The goal for this talk is for attendees to walk away with the knowledge of an application whitelisting solution that is already built into Windows and is available for free.
Christopher Truncer (@ChrisTruncer) is a red teamer with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed for the offensive community, but can enhance the defensive community’s ability to defend their network as well.
Defend the indefensible – “WordPress isn’t a security dumpster fire, Fight Me!”
Tim Nash & Glenn Pegden
Tim believes that common wisdom is wrong and WordPress CAN form part of a Secure Enterprise ecosystem; Glenn, on the other hand, likes to sleep at night.
By taking on the role of attacker and defender, Glenn and Tim will walk you through an escalating series of Attack vs Defence scenarios with real-world examples; Tim will attempt to convince you that for most reasonable threat models, WordPress can easily defeat a skilled and determined attacker and Glenn will attempt to prove him wrong.
The talk aims to give something to both Red Team and Blue Team, covering some common (and not so common) techniques to both compromise and harden WordPress. Failing that, come watch two middle-aged blokes bicker about whether WordPress deserves its place as an industry joke, or is unfairly maligned because of misuse and unnecessary risk-taking.
Tim is the platform lead at 34SP.com for their Managed WordPress product in addition to being the company’s developer advocate. One day he will work out what either of those job titles means. Until he does he spends his day in a mix of dev, security, ops and project management as well as speaking at user groups and conferences. He is responsible for the security of the 34SP.com WordPress platform, keeping thousands of WordPress sites from falling prey to bad actors. Tim has spoken on topics as varied as acoustic variations in heated elements, to (perhaps more relevant) talks on WordPress security and building security into developer pipelines. He also has done a couple of talks about how to rob banks.
For BSides Leeds Glenn wrote “Despite being an old school hacker who has done almost every job in IT during his career, Glenn decided that he wouldn’t just join the unsexy Blue Side of InfoSec, but he’d then specialize in the least cool part he could find (at least, without needing the CISSP qualification) Vulnerability Management. By day he does Vulnerability Management and Security Risk Management for SkyBet, by night, well, he tends to post on twitter a bit and then has an early night as he’s getting on a bit.” and frankly he’s unlikely to ever write a better bio again, though he has since got roped into helping run the Leeds DC151 group.
In my own time, I have been beavering away, working on an idea about offensive automation. The concept is quite simple: can you 100% compromise a targeted organisation from a single click?
Think about data breaches of recent, could any of them have been achieved without a remote shell? I believe they could. I think most exploitation techniques can be automated into a single command, including exfiltration of targeted data, and triggered from a single person’s response to an email.
The talk will contain the whys and hows and demo my research. During this process, I have created a few scripts to help automate sections of the weaponization. I have never spoken about coding before, as I don’t consider myself to be a coder, but I will address this also during the talk and will be releasing the scripts to the world.
This talk has never been given before, my talks are always different per conference, but this talk is particularly personal and important to me, and as such I want it at Steelcon.
As always, my slides will be 100% bespoke artwork (I take months on creating my slides alone), presented in an original way. I just like things to look nice.
Senior security consultant working for Pen Test Partners with over ten years’ experience, specialising in red teaming, physical and remote social engineering, infrastructure and application testing.
Dynamic Callbacks For Persistence
Maintaining persistence and communication between C2 infrastructure and compromised hosts is a fundamental element for successful red team campaigns. This is well understood by defenders, and so effort and time is invested by SOCs in improving their detection and blocking capabilities to reduce the time that persistence and communication can be maintained. But what if the communication and persistence can be re-established dynamically after it is blocked?
Different techniques will be described and combined to obtain the new address of the C2 infrastructure and changes on persistence. It will show how stagers and payloads can heal themselves after being blocked including how communication can be re-established via dynamic parametric data. The techniques and methods described are code agnostic and can be used as a baseline to provide extremely flexible methods which can be combined to culminate in a robust C2 persistent communication channel.
The talk is focused on dynamic callbacks for re-establishing communication with C2 infrastructure and for achieving persistence by using different methods incorporating communication with popular websites, domain fronting and multiple protocols.
xtr4nge is a security consultant and researcher with more than 15 years’ experience in cyber security within large companies. He is continuously engaged in researching the security aspects of new technologies and using them as a platform to drive security forward. He has a passion for developing open source software for fun, learning and research such as FruityWiFi and FruityC2. He is interested in breaking stuff and then understanding how to fix it.
Great Expectations – On InfoSec Careers, Skills, Roles, and How We Can and Must Do Better!
This talk is not technical. It is safe to say that in reality, this talk is not a talk. It is a rant about the current state of infosec hiring – the practices, the misinformation, the assumptions, and the lack of clear communication between those in the community, and those wishing to enter the field. The rant will begin with problems, but will end with proposed fixes – including the author’s ‘Infosec Skills Matrix’.
What is the Skills Matrix? It is a spreadsheet. Yes, this is a not-talk about a spreadsheet. But one that has been road tested, and is a living document that defines the connections between infosec roles, and the necessary and desirable skills with which to carry out that work – first proposed by the author in a blog post titled We need to kill the security analyst! (though no SecAnalysts were harmed in the making of this spreadsheet).
Students get a better idea of what they should prepare and learn in order to do the job they want. Educators get a better idea of what they should be teaching to their students to keep their courses up to date and relevant. HR managers get better data, and can better formulate the right job specs. Everybody wins.
This talk will officially launch the Skills Matrix, and we promise a heady mix of Scouse humour, ranty swearing, terrible puns, rounded off with optimism about how things really can, and possibly are, changing. Yes, it’s a bit sh*t; but we can, and must, do better!
Mark is currently completing his PhD in mathematics – the only rule is: we don’t mention the thesis. He has been in infosec for long enough to have shaken off his former life as a violinist, and until recently, did a load of research and consultancy for Security Research Labs. He organises BSides Leeds, and can be heard from up to 250m away on a clear day.
Hunting Sh*T Up – Red Teaming with A Bug Hunter’s Mindset
Red teaming, testing pens and bug bounties all align to the side of offensive security in the modern day. One thing I have learned from transitioning between pentesting, bug bounties and now red teaming is that the mindset is the same. This talk will investigate the mindset and techniques that can be applied to all three and how each varies in the level of noise a tester will cause on a network depending on the engagement type. It will also explore how tooling written for one area can be applied to all three.
TL;DR Pentesting != Bounties != Red Teaming
As his day job, Andy works as a senior penetration tester and red teamer in training who enjoys hacking all the things. For those that don’t know Andy, he is a strong believer in passing knowledge on and supporting the infosec community. He does this by providing tutorials on his blog (https://blog.zsec.uk), running his local DEF CON Chapter, and has also published a book, Breaking into Information Security: Learning the Ropes 101.
Killsuit – How the equation group remained out of sight over the years
When the ShadowBrokers leaked a large number of Equation Group exploits and tools in 2017, many researchers jumped on the analysis of EternalBlue, FuzzBunch etc. The exploits of the leak have now been thoroughly analysed and mostly patched, but some elements of the associated framework (Danderspritz) are still widely unknown.
Today Killsuit (KiSu) is known as a modular post-exploitation persistence and capability mechanism employed in various hacker frameworks including Danderspritz (DdSz). KiSu is used for two reasons: it enables persistence on a host and it works as a sort of catalyst allowing specific exploitative functions to take place. It is used as part of a hands-on-keyboard attack and supports the PeddleCheap (PC) payload which allows for highly tuned interaction with a compromised host(s).
There are multiple KiSu instance types and each KiSu instance is installed into an encrypted database (DB) within the registry along with associated modules. These instances each have their own specialised functionality with specific tools such as “StrangeLand” (StLa) which is used for covert keylogging using the Strangeland keylogger; “MagicBean” (MaBe) which is used for WiFi MITM attacks by installing necessary drivers for packet injections and many others.
When KiSu is installed, 3 different mechanisms are used depending on the OS version. The mechanism that applies to later Windows versions was known as Solartime (SOTI), which affects the BIOS boot records. In the presentation, we will go deep into discussion about how the legacy BIOS boot works and how Solartime modifies the boot records to load its malicious bootpack using custom encryption keys and modifying the NTFS records, and how the UEFI boot prevents it. We will also be analyzing some of the complexities associated with analyzing the framework and KiSu component, basics on how to utilize the framework as an operator and the general detection methods for KiSu modules such as API function calls that they make during installation and the registries that they store encrypted data in.
Connor Morley is a Threat Hunter at Countercept, a 24/7 managed Threat hunting service by MWR Infosecurity. A keen investigator of malicious TTPs, he enjoys experimenting and dissecting malicious tools to determine functionality and developing detection methodology. As a threat hunter, as well as holding OSCP accreditation, he is experienced with traditional and “in the wild” malicious actors’ behavior.
Our Mental Health Matters
Mental health and burn out – we all know about it, we all talk about it so what does it mean, and how can it affect you?
1/4 of us in the UK have a long-term acute to severe mental health problem and 1/6 of us will experience a mental health issue every week.
My talk explores the signs and symptoms of burn out and mental distress & how to self care, as well as how, as an industry, we can work towards preventing more people leaving cyber security due to mental ill health and burnout.
Lizzy, 32, originally from Liverpool area, grew up in South Africa – even my accent doesn’t know where it’s from. Likes beer, OSINT and the psychology behind cyber security. Mental health ambassador for Time to Change and hoping to go into cyber behaviour analytics (hacking the human essentially). Currently doing my master’s in psychology and working as a SOC analyst to pay my bills.
Owning an enterprise with three lines of code
Achim D. Brucker
Today, software is rarely developed on the green field: software developers are composers that build new systems by combining existing (Open Source) solutions. Custom code is, in many development projects, a curiosity.
As a result, all software depends on open source projects, which, sometimes, are as small as three lines of code or as large as several million lines of code. On the one hand, these projects speed up the development. On the other hand, their use requires trust and care: with a few lines of code in an installation script, your development system can be powned or a small vulnerability in a dependency can be the root cause of one of the largest data leaks of the last years.
In this talk, I will discuss, using real world examples, the security threats of using software dependencies carelessly and provide recommendations that help to minimise this risk.
From June 2019, Achim D. Brucker (www.brucker.uk) is a Professor (Chair for Cybersecurity) at the University of Exeter, UK. Prior to that, he was a Senior Lecturer at the Computer Science Department of The University of Sheffield, UK. He leads the research in software assurance and security (https://logicalhacking.com).
Until December 2015, he was the global Security Testing Strategist at SAP SE, where, among other things, he defined and implemented the security testing strategy for over 27000 developers world-wide. SAP’s risk-based security testing strategy combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP’s Secure Software Development Lifecycle. He also was involved in the security checks for SAP’s outbound and inbound Open Source process.
PARASITE: Can An Open Internet Fight Extremism?
It’s no secret that people are more interconnected than ever: not only is it incredibly convenient to contact old friends and distant family, but thanks to the open internet we can engage with strangers all over the world at the press of a button. A single tweet can gain thousands of interactions from strangers seemingly at random: what could possibly go wrong?
In this talk, I touch on a wide variety of subjects related to the complex relationship between extremism & the internet: among these, I will be exploring the various “stages” of how extremism manifests itself online and the methods that they will employ to achieve their goal: whether that be recruitment, intimidation or simply to organise amongst themselves.
Can we combat this threat while still keeping the internet open? Is the burden too much for service providers like Google & Facebook alone? What is the role of governments, and how do we collaborate? What is censorship? When does it become negligence? And most importantly, will I have to talk about machine learning?
Expect a healthy mix of technical and soft content. This talk is beginner friendly and no prior knowledge will be assumed, so strap in!
Dan is a security engineer with a love for malware who spends his time looking into why we’ve ended up in this mess: he loves public speaking, capture-the-flags and lie ins.
Pouring salt into the crypto wound: How not to be as stupid as ransomware authors
This talk discusses various ransomware families that have been prevalent in the past 5 years, exploring the common and often hilarious mistakes that were made when it comes to the encryption, as well as some mocking of the authors who made such mistakes. Some advice in regards to best practices when it comes to implementing cryptography is also discussed.
I am a malware analyst working at Emsisoft, a fully remote antivirus company, for the past 3 years. I focus mostly on ransomware.
I am looking to discuss how to use concepts from network investigation and vulnerability assessment, from an organisational and social perspective, to get closer to the organisation and people for whom you’d want to work: better organisations, better jobs.
- Network Mapping
- Triangulation, links-finding
- Network Build-out
- What does the “Tender Say”
- Questions from the floor
I used to be a network engineer 10 years ago, ran my own company, and then retrained into cyber by doing a master’s (which I am still finishing the project on), and I am now working at the University of Sunderland as a cyber analyst (since November last year), introducing a vulnerability management programme. I like management systems and working on nudging people’s thinking, attitudes and behaviours. You can find me at https://www.linkedin.com/in/stuartsmiles/
Rage Against The FUD
The Beer Farmers
FUD you, I won’t do what you tell me.
In this talk, we reveal some of the worst examples of organisations delivering fear, uncertainty and doubt (FUD), why it’s a terrible move and how to avoid it as a responsible organisation.
Be it CrowdStrike claiming APT28 will pwn your network inside two hours, to allegations of Huawei backdooring all your data back to Beijing, we’ll lay down the facts and give you the information to make your own judgements.
We’ll tackle the press, excitable researchers and even nation states.
As ever, there’ll be music and fun, but the underlying messages will be serious in nature.
The Beer Farmers is a parody project, whose aim in life is to help the InfoSec community take itself less seriously, bring some fun, while at the same time help us focus on the important things in what we do.
There are five members: Mike Thompson, John Opdenakker, Ian Thornton-Trump, Sean Wright and Andy Gill. All members are from a diverse professional background (and indeed different countries!).
State of Cybersecurity Report – Extended Play
Last year Infosecurity Magazine conducted industry research to determine the driving trends in cybersecurity. “Sure there are lots of reports” you may ask, “so why should I be interested in this one?” How many reports are ultimately vendor-sponsored, pushing the problem that their product or service resolves? With this research, we independently interviewed some of the main names in cybersecurity, and in 2019, we did this again with a larger sample set, and precedent to compare against.
We will look at the findings from this report, compare against last year’s results and other industry research, and get an understanding of what this industry’s researchers, CEOs, practitioners and analysts actually think is driving cybersecurity now, and will drive it in the coming years.
- How compliance was the leading driver in 2018, and how it stands post GDPR deadline
- How much the human factor is a driver
- What the business can do to be more secure, and embrace security
- Where the opportunities are for jobs, both for new people and those seeking a career change
Dan Raywood is a journalist with more than 18 years’ experience, including 10 years covering cybersecurity. He has covered ground-breaking stories such as Stuxnet, Flame and Conficker and the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU’s mandatory data breach disclosure law (now a major part of the GDPR).
In his day job at Infosecurity Magazine, he looks after the official webinar channel and contributes to the twice-annual Virtual Conference and writes articles for the print magazine and website. He has spoken at events including 44CON, SteelCon, Infosecurity Europe, SecuriTay and BSides Scotland.
Steal These Ideas
Sometimes people think the mistakes they keep making since 30 years are experience.
This famous quote by Mullah Nasruddin expresses one of the major problems of most blue teams. Many allegedly tried-and-true strategies are surprisingly mediocre when examined closely, but are rarely challenged or changed. With a bit of work and determination those approaches can be improved upon for an overall better level of security. Creativity and unusual thinking aren’t just valuable tools for red teamers and attackers; questioning what you have at your disposal and how to improve it is also a good exercise for any person on the defence.
Whether you’re a newcomer to infosec or a seasoned veteran, this talk should give you some insights into technical, organisational and other challenges and present some ideas on how to overcome those.
Be prepared to slaughter a few holy cows of infosec and emerge with fresh ideas!
Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, procrastinating or trying to beat some hacking challenge. Stefan also sometimes writes blog posts (in English and German) on his site https://cyberstuff.org.
The Internet is Broken and so are We
Saskia Coplans & Alastair O’Neill
Ever lie awake at night sweating over the next vuln? That’s because we all do. In short, security is not good for us.
Whilst we agonise about the skills shortage, are we considering the people who hold the skills we do have? How do we explain that there’s always a skills shortage but never a shortage of new entrants? Why can’t we retain the skills and the people we have and develop them?
It’s time to accept that the skills shortage is a skills mismatch and for too long we’ve been trying to fit security into the mould of Pen Testers rather than fix security. That’s not good for security and it’s not good for us.
Saskia is Security Consultant and Director at Digital Interruption. She is a registered Data Protection Officer (DPO) and a privacy specialist with over ten years’ experience in information security and governance. Along with standards and policy development, she has developed risk based defensive security strategies across Europe and Central Asia for Governments, NGOs, Regulators and the Private Sector.
Alastair is Head of Defensive Security at Digital Interruption. He has more than a decade of experience in information security, both as a security consultant and as a researcher. His skills range from embedded device exploitation to mainframe hacking, along with a significant grounding in all shapes of UNIX. He regularly presents in the UK and abroad on topics ranging from cutting-edge malware research to innovative offensive techniques, and has a strong passion for offensive and defensive hacking.
The LANs that time forgot.
The IT industry is moving more and more emphasis of security to client and server side security applications, agents, and to cloud server deployments. Nevertheless, whether a computer environment is ‘on-prem’, hosted, or even in a domestic setting, they all have one thing in common: a network.
This talk is a blue team based talk focused only on network security to highlight methods and technologies already present in routers and switches, often unused or unknown, that can be employed for the cost of a little time and can be implemented to greatly reduce the threat surface, and improve the detection of issues to any environment hosted on them.
Brian is a network guy with 20 years’ experience, and is the Director of Whelton Network Solutions, a consultancy primarily focused on networking, security audits and incident response.
Outside of professional commitments he is a self-proclaimed certification junkie, InfoSec conference attendee and speaker, as well as a multi BSides ‘Goon’.
TLS 1.3 for Penetration Testers
TLS 1.3 was released by the IETF last year and is a major step forward in transport security. Unlike the move from TLS 1.1 to 1.2 there are major changes that penetration testers need to be aware of – common testing tools like sslscan do not detect if it is supported, indeed in some cases they cannot connect at all. TLS 1.3 changes both the concept of cipher suites and the version negotiation mechanism, and completely eliminates the ability to decrypt traffic using just the server’s private key. New features in the protocol include encrypted extensions, a future proofing mechanism called GREASE and 0 Round Trip Time support. This talk will describe the changes in the protocol and their implications for testing, making clear the limitations of some common tools and approaches for ensuring TLS 1.3 is tested with practical examples. Firefox, Chrome, OpenSSL, Cloudflare and even Java support TLS 1.3, do you?
Richard Moore is a Principal Security Consultant at MWR, and formerly the CTO of Westpoint Ltd. He has worked extensively with SSL/TLS both as a tester and as a developer. He has found security problems in the SSL/TLS implementations of major browsers and written tools such as a TLS server fingerprinter (released at BSides Manchester in 2015). For several years he maintained the network stack of the Qt development framework, particularly the SSL/TLS support. A long time ago, he was one of the original developers who created KHTML which you’ll probably know as WebKit (or Blink if you’re using Chrome).
We have a firewall, right? War stories from the front line of security management
Carl Gottlieb and Paul Heffernan
With a combined 26 years of working in security, Carl works as a DPO and Paul as a CISO. In this talk, we’ll talk about the difficult job of security management in the age of (ir)responsible disclosures, mega data breaches, and privacy savvy customers and employees. We will discuss some of our own war stories that have tested the relationship between security, management, and what we’ve learnt along the way. Whether you’re looking to get into security or want some tips on keeping your boss happy, come along to this session and question our poor life choices.
Carl needs no introduction…
Paul is the CISO at Revolut and has enjoyed attending SteelCon for the past 3 years, so it’s about time he gave something back.
Weaknesses in Software Supply Chains
Software development today is a far cry from the software development of yesteryear. Gone are the days of developing something from the ground up. Software development now involves “stitching together” numerous libraries and frameworks to develop the desired system/application. We are now dependent on 3rd party vendors and providers more than ever before. This has greatly helped to aid rapid development. However, it has also introduced a new, and often overlooked, problem: weaknesses introduced by these libraries. Why would an attacker spend significant effort and time trying to break through the front door of an organisation, when they can instead open a backdoor for themselves?
The purpose of this talk is to raise awareness of the potential problem, with some recommendations of tools and approaches which could help. It discusses past examples where backdoors have been placed into libraries, as well as some of the difficulties of keeping libraries up to date.
Lead Software Security Engineer and OWASP chapter leader, with special interest in web based security as well as TLS security.