Program Overview

Pompilus (aka Lazarus) is responsible for some high-profile attacks targeting security researchers, the pharmaceutical sector and more recently, against the chemical industry and collaborating organisations operating with this sector. Pompilus aims to build trust with its victims before launching their attacks, leveraging social engineering techniques and supply chain attacks to infiltrate targets for the purpose of espionage. Join me for a walk-through of some of their attacks, the TTPs and examples of post-compromise activity we have observed.

• Alan Neville is a principal threat research analyst on the Threat Hunter team in Symantec, a division of Broadcom. Alan's main responsibilities include hunting and tracking high profile attacks against Symantec customers

We uncovered the attacks carried out by Hancitor operators on a European company. Learn how Group-IB identified the attack, discovered the threat actor’s infrastructure, and finally prevented an incident by interrupting encryption with Cuba ransomware of the organization’s systems and network. Find out how Group-IB’s Threat Intel & Attribution team detected the attack as it was underway and kicked the threat actors out before any damage was done.

We will walk you through all the stages of the attack - from gaining initial access to lateral movement. We’ll reveal our methods of investigating these stages, and the analysis of the tools that hackers employed. We will also share our top recommendations on how corporate cybersecurity teams can immediately prevent similar incidents.

• Artem Artemov has 15 years in digital forensics. He has been involved in several high-profile incident response engagements and investigations into Anunak/Carbanak, Buhtrap, Lurk, Cobalt, Fin7, and other groups worldwide. He has held 100+ training programs and workshops for universities, law enforcement agencies, and private companies all around the world.

• Rustam Mirkasymov has 8+ years in cyber threat research and threat intelligence. He has strong skills in reverse engineering, knowledge in exploit development, and an understanding of softwares' vulnerabilities mechanisms. Rustam is an author/co-author of numerous APT threat reports (including Lazarus, Silence, Cobalt, Moneytaker, RedCurl, TA505). He is an experienced speaker at key cyber security media & events.

The Banque de France ran an experiment to see if a specialist data analytics team and machine learning technology could help the CERT detect malicious actions on Windows systems. We built a model, trained it, and then sat back and waited for the true positives to come in.

ML technologies such as Natural Language Processing and Isolation Forest seemed to offer a powerful tool when combined with large datasets composed of SYSMON events. Although our model achieved some success with identifying anomalous commands run on Windows systems, issues such as the need for algorithm Diagnostics limited the real-world application. Turning the technology into a useful everyday detection tool will require more work."

• James Atack has been Head of CERT-BDF at the Banque de France since 2019, and was the team deputy before that. He has been working in IT for over 20 years with previous roles including solutions architect, IT security consultant and sysadmin. James first got involved in cyber security in 1998 as an intern doing (mostly authorised) ad-hoc pentests at an industrial chemical plant. Originally from the United Kingdom, he has lived and worked in and around Paris since 2001.

Using the same protocols for mobile devices which accounted for most human-centric endpoint growth since 2010 as we do for fixed devices on networks controlled by families and businesses is disrupting our limited ability to secure the latter in order to defend against worst case outcomes for the former. Several decades of unapologetic abuse by the powerful have led the IETF to reform the basic Internet protocol suite around TLS 1.3 with Encrypted Client Hello, DNS over HTTPS, and the replacement of TCP by the UDP-based QUIC protocol.

In this new configuration, network operators will not be able to detect endpoint behaviour changes corresponding to infection, takeover, poisoned software update, latent design dangers, predaceous grooming, insider corruption, or hundreds of other well understood digital harms. Many such operators have not been warned about this ""rules change"" and deserve to have their expectations explicitly and immediately reset so that they can make new plans which will be practical in the next era. It is the goal of this presentation to enumerate those alarms.

• Paul Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS. Vixie is a prolific author of open source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.

At a time when disinformation and manipulation of opinion are spreading through social networks, it is necessary to be equipped to spot fake identities, especially via their profile pictures which are the hardest elements to fake. During this talk, you will discover a method to detect images generated via ThisPersonDoesNotExist.com, with 100% reliability and even a way to know the exact time the photo was produced.

During this beginner-friendly conference, we'll also cover the basic machine learning concepts needed to make GANs work, and a technique to generate almost undetectable fake faces yourself.

• Mathis Hammel is a tech evangelist at CodinGame, a website specialized in mini-games to learn programming. He is a specialist and technical advisor in cybersecurity, machine learning, and algorithms. Mathis is passionate about technical challenges such as programming competitions and Capture The Flag, and holds several titles from national and international championships.

Data acquisition during incident response engagements is always a big exercise, both for us and our clients. Fox-IT’s current approach to enterprise scale incident response is to collect small forensic artefact packages using our internal data collection utility, “acquire”, usually deployed using the clients’ preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible. For example, the client may not have appropriate software deployment methods or has fallen victim to ransomware, leaving the infrastructure in a state where mass software deployment has become impossible.

While a lot of businesses have moved to the cloud, most of our clients still have an on-premises infrastructure, usually in the form of virtual environments. The entire on-premises infrastructure might be running on a handful of physical machines, yet still restricted by the software deployment methods available within the virtual network. It feels like that should be easier, right? The entire infrastructure is running on one or two physical machines, can’t we just collect data straight from there?

We will talk about how we achieved this and the challenges that we had to overcome. We will show you how easy it now is to perform forensic data acquisition at true enterprise scale by leveraging the hypervisor. The kicker? The technical implementation is deeply embedded in the exact same toolset that we use for all our engagements. Several abstraction layers away, our analysts don’t need to know what a hypervisor is or how it works. They can simply collect and process their artefacts the way they’ve always done.

• Erik Schamper is a security researcher at Fox-IT working on various topics. These range from threat intelligence and reverse engineering nation state malware to diving deep into the trenches of complex incident response engagements. He also has an interest in advancing the field of digital forensics, being one of the key authors of Fox-IT’s internal enterprise investigation framework, dissect. He helped shape the tooling and methods of how Fox-IT approaches enterprise investigations today.

One of the major challenges when doing Incident Response in AWS is identifying all services present and used in an environment. This challenge can create blind spots in the incident response (IR) process, which increases the difficulty to remediate an incident and to acquire and analyse the needed data. Furthermore, each client’s cloud environments are separated and different from each other, which means that they need to be handled individually and require multiple steps to map and extract relevant evidence.

In this talk I'll share and propose a set of tools that will help to automatically enumerate, acquire and process the above information from each AWS environment using native solutions without the need of an agent installation. The provided techniques follow the NIST Incident Response lifecycle.

• Korstiaan Stam is the founder of Invictus Incident Response an organization that is supporting organizations with incident response related services. Before that he was responsible for leading the incident response team at PwC. He's also teaching for SANS and the University of Applied Sciences in Amsterdam

Kubernetes Goat is a “vulnerable by design” Kubernetes Cluster environment to practice and learn about Kubernetes Security.

In this session, Madhu Akula will present the latest version of the Kubernetes Goat by exploring different vulnerabilities in Kubernetes Cluster and Containerised environments. Also, he demonstrates the real-world vulnerabilities and maps the Kubernetes Goat scenarios with them. As a defender you will see how we can learn these attacks, misconfigurations to understand and improve your cloud native infrastructure security posture.

• Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. Also published author and Cloud Native Security Architect with extensive experience. Also, he is an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), OSCP (Offensive Security Certified Professional), etc. Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26,27 & 29), BlackHat USA (2018, 19 & 21), USENIX LISA (2018, 19 & 21), SANS Cloud Security Summit 2021, O’Reilly Velocity EU 2019, Github Satellite 2020, Appsec EU (2018 & 19), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon (2018, 19, 21), SACON, Serverless Summit, null and multiple others. His research has identified vulnerabilities in over 200+ companies and organizations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc. and is credited with multiple CVE’s, Acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for Learn Kubernetes Security, Practical Ansible2 books by Packt Pub. Also won 1st prize for building an Infrastructure Security Monitoring solution at InMobi flagship hackathon among 100+ engineering teams.

In this session, we will take you through our discovery of the BlackMatter ransomware group and its evolution through the shutdown as well as provide a technical deep dive on the Windows, PowerShell and Linux ransomware itself. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.

• James Niven is a Principal Threat Researcher at Recorded Future that researches Russian based ransomware.

• Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

Cyber threat intelligence for industrial control systems (ICS) / operational technologies (OT) is still a young discipline. In spite of its relevance to organizations defending physical processes across various industries, there is still little consensus over how it should look. ICS/OT threat intelligence is a particularly complicated domain given that there are only a handful of well-documented incidents where cyber attacks have impacted control systems and resulted in physical impacts. As such, relying on the analysis of previous events provides only limited value.

In this talk we will focus on describing the current state of ICS/OT threat intelligence. In particular we will point out small details that defenders can use to filter different intelligence feeds and identify information that may impact physical processes via control systems. Based on the learnings from the untold origins of ICS/OT threat intelligence and how it was shaped by vulnerability advisories, we will present real examples of how an ICS/OT threat intelligence team identifies and prioritizes threat activity to help defenders stay on top of the game.

• Senior Technical Analysis Manager for Mandiant, Daniel Kapellmann Zafra oversees the strategic coverage of cyber physical threat intelligence and coordinates the development of tools and solutions to collect and analyze data. He is a frequent speaker on industrial control systems (ICS) / operational technology (OT) topics at international conferences such as RSA Security Conference (USA), Virus Bulletin (UK), CyCon (Estonia), BRUCON (Belgium) or CS3STHLM (Sweden). Additionally, Daniel collaborates as international liaison for the ICS Joint Working Group Steering Team from the US Cybersecurity Infrastructure and Security Agency (CISA). His background is multidisciplinary with work experience across various industries. As a former Fulbright scholar, he holds an Information Management master’s degree from the University of Washington specialized in Information Security and Risk Management. In 2017, he was awarded first place at Kaspersky Academy Talent Lab's competition for designing an application to address security beyond anti-virus.

In August 2021, a person established contact with Gemini’s intelligence analysts in Ukraine, claiming to have been recruited by a ransomware syndicate and looking for an opportunity to share valuable information with the intelligence community. During several follow-up discussions, the actor confirmed their identity and provided an extensive archive of screenshots, data files, and general details of their engagement with this ransomware operation. Further analysis revealed that the provided artifacts belonged to the notorious FIN7 gang, which ran a large-scale IT recruitment operation by leveraging a fake and previously unknown cybersecurity company named Bastion Secure. As a result of the individual’s two-month-long engagement, our analysts gained an unprecedented view into the operations of FIN7.

In this session, we’ll share previously undisclosed technical indicators, malicious software, and recruitment methods that FIN7 employed. We’ll also provide evidence of the gang’s pivot away from its characteristic attacks on Western point-of-sale networks and towards ransomware operations, culminating in evidence linking FIN7 to the DarkSide/BlackMatter ransomware groups.

• Andrei Barysevich is the VP of Fraud Solutions at Recorded Future. Previously, Andrei built a leading Fraud Intelligence company Gemini Advisory, now a Recorded Future company, supporting Top-3 Card Networks, largest financial institutions, and federal and international law enforcement agencies. Leveraging Gemini's fraud intelligence tools, Andrei's team identified thousands of payment card data breaches, discovered novel attack techniques, and dismantled numerous Magecart campaigns operated by the financially-motivated threat groups. For the past 15 years, he has been involved in multiple high-profile international cases resulting in successful convictions of members of crime syndicates operating global reshipping, money laundering, and bank fraud schemes.

• Gavin Reid is VP of Threat Intelligence for HUMAN, HUMAN is a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. Previous to this, he was the CSO for Recorded Future. Recorded Future delivers advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Reid had global responsibility for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. Gavin has 20 years of experience in managing all aspects of security for large enterprises. He was the creator of Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Gavin started doing information security at NASA's Johnson Space Centre.

• With over twenty years of information security experience, Jeff Bollinger has worked as security architect, incident responder, and people manager for both academic and enterprise networks. Specializing in investigations, network security monitoring, detection engineering, log analysis, and intrusion detection, Jeff Bollinger is the Director of LinkedIn's incident response team (SEEK). Prior to LinkedIn, Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures at Cisco Systems. Jeff regularly speaks at international FIRST conferences, blogs about security topics. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.

Chris brings a wealth of relevant and up-to-date experience in setting up and managing CERTs at the very highest levels of the worldwide Information and Cyber Security community.

Chris spent over 12 years working in the Computer Emergency Response Team (CERT) whilst at Citigroup and, for 10 years, was part of the leadership of the Forum of Incident Response and Security Teams (FIRST); 2 as Chair. Within FIRST he implemented the Fellowship program. This was created to fund CERTs from UN-designated “Least Developed Nations” (LDCs) allowing them both to join FIRST and attend conferences and training.

Chris joined the UK Government's CERT-UK team in November 2013 to build and launch the UK’s first formally chartered national CERT, joined Close Brothers as Chief Information Security Officer in November 2016, moved to Orwell Group as CISO in Jul 2018 and joined FIRST as it’s Executive Director in May 2019.

Chris’ experience has allowed him to work with colleagues from both inside some of the world’s largest global financial institutions with the complexities that brings and also with colleagues from the incident response community, with members ranging from Microsoft and Oracle through to the national CERTs of Azerbaijan and Indonesia.

Python is a wonderful language, easy to learn, powerful and integrates perfectly with any operating system. Yes, who said that Python was only popular in UNIX environments? (read: Linux, macOS, etc). Today, there are more and more malicious Python scripts in the wild that work on Windows. They can interact with the webcam, keyboard to steal your data, they are able to interact with all Microsoft API calls and, therefore, preform more low-level action like process injection. Even ransomware can be developed in Python. You feel safe because Python is not installed on your workstations? No problem, Python can be installed easily from stage 0! In this talk, I'll present some findings that I collected for a while around Python malicious code in the Windows ecosystem.

• Xavier Mertens is a freelance security consultant based in Belgium. With 15+ years of experience in information security, his job focuses on protecting his customers' assets by providing services like incident handling, investigations, log management, security visualization, OSINT). Xavier is also a Senior Handler at the SANS Internet Storm Center, SANS FOR610 instructor, a security blogger and co-organizer of the BruCON security conference.

Supply chain attacks are gaining popularity and we wanted to examine, from an attacker’s point of view, the difficulty of poising OSS packages. We found many alarming practices that hold back the security community from detecting those attackers.

• Tzachi Zorenshtain is the Head of SCS, Checkmarx. Prior to Checkmarx, Tzachi was the Co-Founder and CEO of Dustico, a SaaS-based solution that detects malicious attacks and backdoors in open-source software supply chains, which was acquired by Checkmarx in August 2021. Tzachi is armed with more than a decade’s worth of experience in cyber-security, specializing in building advanced malware research systems. Prior to Dustico, Tzachi’s tenure at Palo Alto Networks, Symantec and McAfee deepened his passion towards contributing to the developer and cybersecurity space and saw him building custom security architectures and hunting for advanced Cyber-attack groups.