The talk schedule is viewable in this Google sheet.
An Offensive Perspective of Ransomware Operations (PG)
Ransomware is a threat that all organisations have to face today. Instead of talking about trends as a whole, this talk is going to analyse the offensive security tactics, tools, and procedures that are used by ransomware groups. Not only this, but we will also be publishing code to a public repository that re-creates the tooling used by ransomware groups. These tools are based on open-source reports documenting the internal tools ransomware groups utilise. Once this talk is over, attendees will have an understanding of the tactics utilised by ransomware groups, how they try to propagate internally, along with the source code for our re-creations of their tooling.
Adversaries Have it Easy: Live FAFO Pwning a Network (18)
Picking up where last year’s talk left off, here we have a live demo of an actual adversarial attack path, stepping through a view from an external perspective and elevating through trusts on a domain. This talk will take you, the audience, through an attack path similar to what we have seen in the wild; the aim is to perform several attack paths as live demos (we’ll record some ahead of time in case the demo gods hate us, or the world burns down during our talk).
Andy and Neil will show some of the beautiful paths that can be taken when attacking networks combining modern tools with some custom paths we’ve found over the years. Similar to last year’s part one, we’ll do this all in a live hack scenario environment simulating an insider threat within a fictional network of a fictional corp.
“We’re in… jail”. A collection of firsthand stories of cyber criminals failing to crime
You’ve been hit by, you’ve been struck by a smooth… okay, you’ve been almost hit by a shoddy criminal. And there are a lot of them.
Join me to have a laugh at the expense of those trying to make it in the criminal underworld but just not having what it takes.
Disclaimer: Crime is bad, don’t do it. And definitely don’t do it like these guys.
“You missed a period Don’t panic” — why words matter
Just because we’re both speaking English doesn’t mean we’re speaking the same language. This is a talk about everything you say, write, and think — from talking with non-technical clients to writing reports to interpreting someone’s support request — and why words matter.
Kubernetes RBAC – Mitigating Privilege Escalation Attacks in Microservice Environments
Kubernetes has become the de facto standard for container orchestration in the cloud and on-premise environments. However, with its widespread adoption, Kubernetes has also become an attractive target for attackers seeking to exploit its vulnerabilities. In our previous talk, “Deep Dive Into Kubernetes Attack Surface,” we explored the various attack vectors that can be used to compromise Kubernetes clusters.
In this talk, we will dive deeper into one of the most important security mechanisms in Kubernetes, Role-Based Access Control (RBAC). RBAC allows cluster administrators to define fine-grained permissions for users and service accounts, enabling them to access specific resources within a cluster. We will discuss the RBAC authorization mechanism, how it works, and how attackers can leverage a simple RBAC misconfiguration to gain complete privilege escalation in cloud environments such as Azure Kubernetes Service (AKS) and on-premise.
We will also discuss how to mitigate RBAC abuses in microservice environments. Microservices-based architectures introduce new security challenges, such as the need to manage permissions and access control across multiple services. We will explore best practices for implementing RBAC in microservice architectures, including RBAC policies, service accounts, and the use of tools like Istio to manage traffic and enforce security policies.
By attending this talk, you will gain a deeper understanding of Kubernetes RBAC and how to secure your microservices-based applications against RBAC abuses. You will also learn about practical solutions for managing RBAC policies in complex microservice architectures.
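The abstract does not say which misconfiguration the speakers will demonstrate, so the following is an added illustration (not material from the talk) of one common pattern: a namespace’s default ServiceAccount bound to cluster-admin, placed beside a least-privilege replacement. The namespace, account and object names are assumed.

```yaml
# Added example, not code from the talk. Names and namespace are assumed.
#
# Weak: the namespace's "default" ServiceAccount, which every pod without an
# explicit serviceAccountName mounts, is bound to cluster-admin. Code execution
# in any pod in "payments" is then full control of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: payments-admin              # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: payments               # assumed namespace
---
# Hardened: a dedicated ServiceAccount whose token is only mounted where a pod
# opts in, bound to a namespace-scoped Role that lists only the verbs and the
# single object the workload needs. No wildcards, and none of the verbs that
# let a subject grow its own rights ("escalate", "bind", "impersonate").
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api                # assumed name
  namespace: payments
automountServiceAccountToken: false # pods that need the token set it explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-api
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["payments-api-config"]   # assumed; limits "get" to one object
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: payments-api
subjects:
- kind: ServiceAccount
  name: payments-api
  namespace: payments
```

To audit what an account can actually do before and after such a change, impersonate it: `kubectl auth can-i --list --as=system:serviceaccount:payments:default` prints every verb/resource pair the account holds, and a single `*` row on `*.*` is the cluster-admin case above. Note that `resourceNames` cannot constrain `create` or `list`, so a rule that needs those verbs should be scoped by namespace instead.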
Detecting And Blocking With BPF Via YAML
BPF allows us to do great things – from hooking practically any kernel function, to blocking actions and killing processes – but it can be quite difficult to use! Wouldn’t it be amazing if you could just write some YAML and a pre-existing, mature, open source, BPF engine did all the hard work? And sent events to your logs? And your email? And maybe even to your phone as an SMS text message, and to your Slack channel? With OSS Tetragon you can! In this talk I will show you how to monitor and block actions with BPF, without actually writing any BPF.
Tetragon is an open source BPF tool that can be configured with YAML to hook almost any kernel function, and any syscall and any tracepoint; interpret the input arguments, make pre-defined decisions based on them, as well as the process instigating them; and then log, trigger or block as a result.
BPF is a revolutionary technology that can be used to run portable code in the kernel, safely, and with great reach. BPF programs can communicate with each other, and with user space, via maps – arrays, hashes, ring buffers, and various other data structures that can be used to store, check and pass data around. As a technology, it has existed for a number of years, and still underpins libpcap today, but it can be quite tricky to use. BPF implements its own virtual architecture, that is portable between different versions of kernel, and even different underlying processors.
The difficulties of programming BPF come partly from the language, but mostly from the verifier. BPF itself is an assembly language with a minimal library of helper functions – you can’t just call any kernel function! It can be compiled from C and Rust, and probably other mid-to-low-level languages, and this can be a barrier to those who prefer the higher-level Python and .NET. That said, BPF programs tend to be simple, and it is possible to learn enough C (and the special LLVM/Clang incantations) to get a BPF program compiled.
But then in steps the verifier – the gatekeeper that many novice (and even experienced) BPF programmers dread. In order to ensure safety, the verifier checks every BPF program as it is loaded into the kernel, and rejects those that it can’t vouch for. It checks for length and complexity, to ensure programs will always exit; it checks that memory access is bounded and restricted to that allowed; and it checks that only permitted helpers are used, which vary from program type to program type, and attachment point to attachment point.
Satisfying the verifier is the problem that many find the most troubling. To overcome this, the open source Tetragon can be used to abstract all the BPF into YAML, making it much easier to use. All the programming and verifier issues are hidden, and the user just has to specify where they want to hook, what they want to inspect at that point, and what action they want to take if their criteria are met. By default Tetragon can log events to user space, but it can also track file descriptors between programs, it can kill processes directly from the kernel, and it can also trigger web hooks, such as those provided by canary tokens and Thinkst Canaries.
If you want to detect and block on Linux, then you really need to do this from inside the kernel. BPF, and Tetragon, provide the tools to do just that. I will demonstrate typical use cases with simple YAML files that audience members can take away and try for themselves.
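The speaker promises take-away YAML files; the policy below is an added example of the hook/inspect/act shape described above, not one of the speaker’s files. It is a Tetragon `TracingPolicy` that attaches a kprobe to the kernel function `fd_install` (the point at which a freshly opened file gets its descriptor), reads the `struct file *` argument as a path, and kills any process that opens a file under a directory chosen here as an assumption.

```yaml
# Added example, not a policy from the talk. The watched directory and the
# policy name are assumed.
#
# Hook: fd_install(unsigned int fd, struct file *file) runs after the open
# has succeeded in the kernel but before the fd is returned to user space.
# Inspect: Tetragon resolves argument 1 (a struct file *) to its path.
# Act: if the path has the given prefix, the calling process is killed from
# the kernel and a process_kprobe event carrying the path, the binary and the
# process tree is emitted to Tetragon's event stream.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "kill-on-secret-open"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false            # a kernel function, not a syscall entry point
    args:
    - index: 0
      type: "int"             # the new file descriptor number
    - index: 1
      type: "file"            # struct file *, rendered as the file's path
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/var/lib/app/secrets/"   # assumed directory to protect
      matchActions:
      - action: Sigkill
```

Apply it with `kubectl apply -f` on a cluster running Tetragon, or pass it to the standalone agent with `--tracing-policy`, and watch the result with `tetra getevents -o compact`. Two practical caveats: the process is killed rather than the open denied, so a legitimate reader of that directory (a backup job, the application itself) dies too unless you narrow the selector (for example by adding a `matchBinaries` clause alongside `matchArgs`); and removing `matchActions` turns the same file into an audit-only policy that just emits the event, which is the sensible first step before enforcing.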
Secure Container Deployment Pipelines
How we built a platform for securely deploying containerised applications of your choosing.
Raiders of the Lost Arts
Vintage clothing, computers from the 80s, vinyl and retro-games are all the rage: everything that was once old and outdated is making a comeback. Surely we infosec folk are unaffected by such trends. Aren’t we at the bleeding edge of the future, protecting our assets with expensive vendor solutions that declare their effectiveness with proper buzzwords: Real-Time, Cloud Based and Always On?
Unfortunately, this does not seem to be the case. Sure, some modern problems have been addressed, but old and sometimes even ancient attacks persist. Some of them don’t show up in your logs, and some are difficult to defend against, assuming you are even looking for them.
Can you DDoS a company by sending letters? How much revenue will you lose if the neighboring building receives an unexpected package? Who really gets into trouble when you drop a few USB sticks in the parking lot?
Lean back and enjoy an overview of the dangers of unencrypted, unauthenticated protocols, exploitation of human expectations, sabotage and how to spot if someone on the inside is trying to ruin your day without even touching their computer.
Beyond Microsoft IIS Short File Name Disclosure
The IIS Short File Name disclosure issue is a security vulnerability that has plagued Microsoft’s web server for years, and has led to many simple success stories for penetration testers and bug bounty hunters who have found hidden sensitive files with it. This presentation will delve into techniques for disclosing short and long filenames where possible, even in the most protected folders on IIS. We will also discuss how to obtain internal information about how a web application has been set up on IIS by leveraging IIS and .NET features. Finally, we will outline some practices that can help organisations protect themselves from some of these issues without abandoning IIS!
Hunting for bugs that Scanners miss, and WAFs fail to detect
Most web applications today are protected by WAFs, making it challenging for pentesters to test for payload-based vulnerabilities like SQL Injection and XSS. Additionally, automated tools and scanners can easily identify some of these vulnerabilities, making it even more challenging for bug bounty hunters to find such issues.
In this talk, we will discuss a different class of vulnerabilities that can still be exploited even under these restrictions. These vulnerabilities have a high security impact and arise from abusing the application logic or exploiting misconfigurations. We will only showcase advanced and undocumented techniques used by bug bounty hunters to identify these types of issues, including Account Takeover Attacks, Insecure Direct Object References (IDOR), and others.
Decoding the Maze of Malware Detection: Unleashing the Potency of Convolutional Neural Networks with Transfer Learning
This talk will be of interest to anyone interested in malware classification and the use of neural networks in this area. The presenter will provide insights into the challenges faced when creating RGB images and the effectiveness of using transfer learning to train a convolutional neural network. Attendees will come away with a better understanding of the importance of image segmentation in malware classification and the benefits of using convolutional neural networks.
Thoughts Of A Dying Atheist
My physical presence has deteriorated over recent years, through declining health and other things we all experienced, such as the pandemic, the bullshit economics and whatnot.
One thing that hasn’t been jaded is my involvement in cyber, and if anything it’s been super activated. Working from your arm chair perhaps gives you that focus.
In this presentation, I’ll spin us back through time (my time) and also spin us forward to not just now, but next year, the year after and the years after that.
This will be my own take on cyber, unfettered by my life in The Beer Farmers and will look at everything about the people, process and technology triad. The things done well, and things we continue to do horribly wrong.
Where does the talk title come from? It’s an album track by Muse, a tattoo I have on my back and a reflection on the idea that belief is merely a human construct.
Reality is what matters.
No whisky, please.
Through the EDR Lens
Building a PoC-EDR to see what kind of information is being generated at the OS level. With this info we can look at things we should either avoid, or implement into implants.
The non-tech stuff I wasn’t prepared for
When I moved from managing a technical infrastructure team to working in infosec, I expected it to be all pentests and red teams, but the reality was far from that and I wasn’t prepared for what came next. I’d like to share with you some experiences and the non-technical skills that became just as important to successful program delivery as understanding the latest exploits and techniques.
“Good, Better & The Best Security!”
Ian Thornton-Trump CD
“What does “good” look like?” It’s likely you have no idea, because sadly many organisations have never seen “good”. I’ve been in the security industry for thirty years and I’ve never seen what “Good” is. We use the word “good” a lot in cyber security and IT service management.
Quite frankly, I don’t find it useful as a description for achieving some self-imposed, arbitrary maturity-scale model against a set of arduous security controls which have little business risk context.
I think the term we are looking for is “What does an effective security programme look like?” And the way to be effective is to improve the organisation’s security posture by focusing on outcomes which reduce organisational risk. The only “KPI” that matters is whether or not you have been breached. What my life does not need now is yet another security controls spreadsheet to fill out.
A classic founding member of the Beer Farmers “Phat Hobbit” rant.
Protecting Kubernetes Clusters with Object Validation & Admission Controllers
In recent years, usage of Kubernetes and other cloud-related orchestration tech has tremendously increased, and every other organization is either using it or planning to migrate to a container environment in the near future. Even though there is a lot of research focused on attacking and pentesting Kubernetes clusters, there is little on how to securely configure and deploy resources to the cluster. It becomes a tedious job for the DevOps team to configure the cluster with as little risk as possible, due to the complexity and entanglement of different objects and resources in the ecosystem and multiple teams operating from the same cluster with different configuration and deployment needs.
The objective of the presentation is to discuss some of the capabilities provided by Kubernetes to prevent malicious objects from entering the cluster: the built-in admission controllers and the validation engine that runs at the time an object is admitted, well before the resource is persisted in the etcd cluster. We will cover writing new mutating webhook logic to detect rogue containers and terminate the corresponding object creation if it does not conform to the organization’s security policy, creating an alerting system to report any anomalies, using secure defaults across the ecosystem, and how to scale the detection logic for enterprise-grade deployments.
In a nutshell, this talk will introduce attendees to various ways to defend production-ready Kubernetes clusters, with a main focus on writing admission and validation/webhook controllers, secure defaults and configurations, and namespace and network isolation, in turn allowing an organization to have better policy enforcement, resource validation, a secure cloud ecosystem and monitoring.
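As an added illustration of the two admission-time layers the abstract refers to (not material from the talk), the manifests below first turn on the built-in Pod Security Admission controller for a namespace and then add a `ValidatingAdmissionPolicy`, the in-tree CEL validation engine that rejects an object before it is written to etcd, here refusing any pod with a privileged container. The namespace and policy names are assumed; the `admissionregistration.k8s.io/v1` API is the GA version from Kubernetes 1.30 (older clusters expose it as `v1beta1`).

```yaml
# Added example, not manifests from the talk. Names are assumed.
#
# Layer 1: the built-in Pod Security Admission controller. Labelling the
# namespace makes the API server enforce the "restricted" profile on every
# pod created in it, with no webhook or external service involved.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                                   # assumed namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted    # surfaces the reason to kubectl users
---
# Layer 2: a cluster-wide CEL policy evaluated in the admission chain. The
# object is rejected at admission, so nothing is persisted to etcd.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-containers               # assumed name
spec:
  failurePolicy: Fail          # if the policy cannot be evaluated, reject rather than allow
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  validations:
  # Main containers: privileged must be unset or false.
  - expression: >-
      object.spec.containers.all(c,
        !has(c.securityContext) ||
        !has(c.securityContext.privileged) ||
        c.securityContext.privileged == false)
    message: "privileged containers are not allowed"
  # Init containers are a separate list and need their own check.
  - expression: >-
      !has(object.spec.initContainers) ||
      object.spec.initContainers.all(c,
        !has(c.securityContext) ||
        !has(c.securityContext.privileged) ||
        c.securityContext.privileged == false)
    message: "privileged init containers are not allowed"
---
# A policy does nothing until it is bound. Binding it with Deny enforces it
# everywhere; switch validationActions to [Audit] to log violations first.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-containers-binding
spec:
  policyName: deny-privileged-containers
  validationActions: [Deny]
```

Two points worth checking when using this pattern: `ephemeralContainers` (added by `kubectl debug`) are a third list that the expressions above do not cover, and pods created by controllers (Deployments, DaemonSets) are still rejected at pod creation, so the failure shows up in the controller’s events rather than in the `kubectl apply` of the parent object. Where a check needs data the object itself does not carry (an image signature, an external allowlist), that is the point at which a custom validating webhook, as the talk describes, takes over from CEL.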
Delivering The Fail, The Post Office IT Scandal
Computers never lie, so there is no reason to not believe their transactional and log output? Legally that may well be the case.
For nearly 25 years, the largest miscarriage of justice in civil and criminal legal history took place largely unnoticed as the first, and the oldest, Government agency, the Post Office, sought to cover up the numerous failings of its IT system, Horizon. Instead they chose to censure, prosecute, and in some cases imprison hard-working innocent people, and demanded many thousands of pounds from thousands of others to cover losses that Horizon incorrectly reported as missing.
Lives have been destroyed, families broken up, homes lost and people’s long-held, respected and well-earned reputations destroyed.
The Post Office Horizon IT scandal is a story you won’t be able to believe was possible or even happened, but it was, and it did, and all because ‘professional’ people within the IT and legal communities felt their employer’s reputation was more important than admitting issues existed. Four suicides have been attributed to this scandal, and a further 27 people have died without hearing their names cleared; more may do so.
And it’s not over yet…
Nuclear hack simulation with Airbus Protect’s CyberRange
An interactive talk on OT cyber security with live 3D visualisations of attacks carried out on a nuclear site.