Program Overview

When it comes to APTs, you're most likely to think of the common nations involved in espionage activity. Depending on your worldview this might be China, Russia or North Korea, or maybe the USA or Iran. However, it's not just the major players in world geopolitics that use network intrusions to gain an advantage - for example, Volexity is one of several companies that have previously documented the activities of OceanLotus, a Vietnamese APT.

In fact, there are APTs from an increasingly wide spectrum of nations, and in this talk, Volexity will introduce another such threat actor, "WASHEDUP", which Volexity assesses originates from a Russian-speaking country but not from Russia itself. While WASHEDUP may not be the most sophisticated threat actor, Volexity has uncovered evidence that they have a great deal of success in compromising their near neighbors.

In this talk, Volexity will present an overview of the different tools used by WASHEDUP, their targets throughout Asia and Europe, as well as some of the more commercially oriented targeting the group has conducted surrounding Energy companies operating in Central Asia and Eastern Europe.

Finally, Volexity will give examples of how the attackers operate after compromising a target.

Robert Jan Mora is a principal threat investigator at Volexity. He used to manage the Threat and Analytics team at Shell. He also performed malware forensics in high-profile breach investigations and security assessments for governments and corporations in previous roles. In addition, he tracks nation-state threat actors for fun and assesses digital forensic candidates who apply as digital forensic expert witnesses for the Netherlands Register of Court Experts (NRGD). He is also a long-time member of the program committee of the Digital Forensic Research Workshop (DFRWS) EU conference.

The term “threat-informed defense” has gained recent popularity, but what does it actually look like in practice? This session will detail practical, repeatable workflows – relevant for adversary emulation & detection engineers, threat hunters, and analysts across skill levels – enabling them to kickstart (or advance) their efforts to apply threat intelligence in an operational setting.

We will first review the processes and publicly available sources & tools that we used to conduct a broad threat assessment covering 16 major infostealer families, and present evidence that demonstrates why infostealers remain an underrated threat relative to the rising risks they pose to higher-value targets like business. Next, we’ll detail the steps that Tidal’s Adversary Intelligence team used to identify relevant coverage gaps in the primary public behavioral analytic resource (the Sigma repository), and close those gaps by building & validating new detections directly in line with several top stealer techniques, ultimately sharing them back with the community. By going beyond straightforward 1:1 simulation of adversary procedures from individual CTI reports, we’ll also show how our approach encourages more resilient and proactive detection development and validation planning, as stealers (and many other notable malware) appear to be increasingly evolving their TTPs. The host anticipates attendees will take away renewed appreciation for the “threat-informed” mindset, as well as inspiration for their next work sprint (or side project)!

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.

Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.

Incident response tabletop simulation exercises allow training people in skills related to reactions and processes in crisis situations. This paper analyzes several experiences of tabletop simulations that resulted in learning of practical utility for the participants. After applying the traditional approach based on conversational interaction, and the modern approach based on interaction through virtual platforms, a new, more accessible, and scalable modality was proposed, developed in free software, which allows taking this practice to any environment. In addition, it was found that the exercises carried out in educational environments improve the learning of the topics for both participants and observers.

Federico Pacheco - Cybersecurity professional with background in electronics engineering and several industry renowned certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. Published four books and several research whitepapers. Has worked for the public and private sector, including regional roles in global companies.

Contributor/Package reputation is the main criterion used by developers when choosing what open-source package to ingrate into their application.

The widespread use of open source sparked a new wave of attackers on ways to spoof the Contributor/Package reputation. In this talk, we will share some of the TTP we have seen and researched that can easily be used to fool developers into choosing malicious packages; we will do a live demo of some of that techniques and share some best practices to detect and avoid those techniques.

Tzachi Zorenshtain is the Head of SCS, Checkmarx. Prior to Checkmarx, Tzachi was the Co-Founder and CEO of Dustico, a SaaS-based solution that detects malicious attacks and backdoors in open-source software supply chains, which was acquired by Checkmarx in August 2021. Tzachi is armed with more than a decade’s worth of experience in cyber-security, specializing in building advanced malware research systems. Prior to Dustico, Tzachi’s tenure at Palo Alto Networks, Symantec and McAfee deepened his passion towards contributing to the developer and cybersecurity space and saw him building custom security architectures and hunting for advanced Cyber-attack groups.

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also discuss what made some of these new TTPs effective for the threat actors’ business, and what made them less successful, both at the technical and human intelligence levels. During the talk, we will highlight particular areas that created the most trouble for threat actors, and often made them easier to track. Finally, we will discuss how defenders can adapt to these changing TTPs, and how we expect the ransomware landscape to continue to evolve in the future.

Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence - providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

The Internet has long served as the Web's communications substrate, and historically that has meant TCP/IP. TCP is a clear text reliable stream protocol which predates the Web by about two decades and is usually implemented in the operating system's kernel. Starting in 2013, the Web community has reconsidered the use of clear text protocols and kernel resident protocols. The result is QUIC, a fully encrypted protocol intended to be implementable at the application layer. Adoption of QUIC will radically alter the security profile and performance characteristics of managed private edge networks including home and enterprise, for both Web servers and Web clients. Let's discuss.

Paul Vixie serves as VP and Distinguished Engineer at AWS Security, and is a Director at SIE Europe U.G. He was previously the founder and CEO of Farsight Security (2013-2021). In addition, he founded and operated the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS, and is a prolific author of open source Internet software including Cron and BIND, and of many Internet standards concerning DNS and DNSSEC. He was CTO at Abovenet/MFN (1999-2001) and worked at DEC Western Research Lab (1988-1993) after dropping out of school in 1980. Vixie earned his Ph.D. in Computer Science from Keio University in 2011.

We have been monitoring the cyber aspects of Russia’s war on Ukraine since January 2022, when the conflict was brewing up, and systematically analysed the conflict-related cyberattacks that came to our knowledge. We observed the global cyber landscape, to anticipate if and how cyber operations would target our constituents, the EU institutions, bodies, and agencies (EUIBAs), or organisations in Ukraine and EU countries.

We created a dedicated report to showcase this work. It is our attempt at taking a step back from the day-to-day events, trying to pierce through the fog of war’s veil to make a bigger picture materialise. A picture that could help us see how the conflict shaped the cyber threat landscape in Ukraine and elsewhere.

We don’t have a first-hand knowledge of cyberattacks in Ukraine, except for a handful of EUIBAs that have operations in the country. As a consequence, what you will read here largely relies on the reporting of, and information verification by public and private sources we deem trustworthy.

For each cyberattack we describe in this product, we analyse the context (timing, objectives, impact), victimology (targeted sectors, countries), main tactics, techniques and procedures (TTPs), and, when applicable, attribution made by third parties.

George Koutepas is an IT Security engineer with career-long experience in the field. He holds a PhD. in IT Security and Network Management from the National Technical University of Athens. He is also an ISACA Certified Information Security Manager. He is currently a member of the Cyber Threat Intelligence team at CERT-EU, the Cyber Security and Incident Response Team for EU institutions, bodies, and agencies.

If you’ve been impacted by a large-scale cyber incident, you know the chaos that ensues. After the threat is contained and the responders go home, how do you rebuild & harden your org for the future? Join two cyber crisis veterans to discuss strategies and lessons in hardening and resiliency learned the hard way. Our presentation will be based on lessons learned from the largest and most complex incidents, including:

• Conducting an agile assessment of root cause and systemic issues
• Creating an actionable and tangible remediation plan
• Rapid risk reduction and improved security posture
• Enhancing long term resiliency by minimizing likelihood and impact of future business disruptions
• Transforming the culture of the enterprise to deal with threats of the future

Jake Norwood is a senior executive advisor, coach, and consultant who helps CISOs and Cyber Defense Leaders transform their organizations into intelligence-led, risk-focused, and crisis-resilient cyber security operations. Jake has served as the Global Head for Citi’s Cyber Security Fusion Centers in New York, Budapest, and Singapore and was the Director of Citi’s Cyber Intelligence Center. Prior to joining Citi, Jake managed commercial and US government-facing cybersecurity intelligence efforts for Booz Allen Hamilton. He is also a former U.S. Army Intelligence Officer and two-time Iraq war veteran. Jake returned to Booz Allen in 2021 as a senior cybersecurity delivery executive based in the Hague, Netherlands.

Tony Gaidhane is a Vice President in Booz Allen’s Commercial business, based in The Hague, Netherlands, where he leads Booz Allen’s Commercial cybersecurity practice in the UK and EU, including all aspects of client delivery, business development, operations and hiring. Prior to his current role, he led Booz Allen’s flagship Commercial Cyber Fusion Centre (CFC) practice globally. As an experienced leader in security consulting, he has built both cyber security capability teams as well as market/account teams, to work with industry-leading clients to understand, prioritize, and manage cyber security in the context of their business and mission goals, addressing the issues of today and preparing them for the challenges of tomorrow.

ChatGPT 3.0 made waves across almost every industry when it hit the market in late November last year.

Far from a silver bullet for the cyber-security industry, ChatGPT, and more specifically the GPT-3 model, do have many practical uses, namely the automation of highly repetitive tasks. Ask any threat intelligence analyst and they will concur; extraction and dissemination of threat intelligence often requires many hours of ctrl+c, ctrl+v.

Earlier this year I set out to use ChatGPT to create structured knowledge graphs from a variety of intelligence reports in my inbox.

In this session I will explain the trial and error that went into generating prompts that accurately extract artefacts and their relationships from unstructured intelligence reports (including: PDFs, emails, and Slack messages).

Taking it a step further, I will also talk you through my attempts at using Chat-GPT to model the intelligence as rich STIX 2.1 Objects for easy dissemination into existing security tooling.

Rest easy, the content covered in this talk will not replace your job.

David Greenwood helps early stage cyber-security companies to build products that make users go; "Wow! That's what I need!".

During his career he has worked with great minds at Splunk and Anomali. David currently works at EclecticIQ building world-class threat intelligence solutions.

The mobile ad industry continues to grow, yet few security researchers have focused on the threats posed by adware. These types of crimes, often referred to as "victimless," have flown under the radar for some time. However, recent crackdowns on traditional methods of making money have led to an explosion of adware activity, with some actors raking in serious cash through the use of simple bots. In this talk, we will explore the motivations behind the creation of adware, the techniques used by modern actors to commit ad fraud on a massive scale, and the complex landscape of the mobile ad industry. With an emphasis on mobile adware, we will delve into the largely undocumented methods used by fraudsters, including device farms made from hijacked residential devices and sophisticated money laundering operations that generate millions each day. By examining the mechanisms employed by these modern criminals, we aim to shed light on a largely hidden aspect of the tech industry and help attendees stay one step ahead of a fraudster.

Gabriel Cirlig - Software developer turned rogue, went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For a couple of years I’ve shifted gears and started my career as a security researcher while speaking at various conferences (SAS, AVAR, PHDays) in my free time showcasing whatever random stuff I hacked. With a background in electronics engineering and various programming languages, I like to dismantle and hopefully put back whatever I get my hands on.

Inna will present on how the HUMAN Satori Threat and Research Team uncovered and took down a sophisticated ad fraud operation VASTFLUX. Which was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views. At its peak, VASTFLUX accounted for more than 12 billion bid requests a day. More than 1,700 apps and 120 publishers were spoofed, and the scheme ran inside apps on nearly 11 million devices. She will go into technical details on research and further disruption of the fraud operation.

Inna Vasilyeva is a senior reverse engineer and technical threat intelligence researcher at HUMAN, helping to detect and prevent advanced bots, malware fraud, and protecting the Internet. She specializes in malware analysis, reverse engineering, threat intelligence, network analysis, threat hunting, ethical hacking and cryptography. She also engages in a broad spectrum of activities including global cybersecurity conferences, hackathons, cybercamps, malware analysis workshops/talks, cyber competitions and mentoring. In her spare time, she is progressing her martial arts skills, learning foreign languages, making art and exploring wild nature around the world.

Gavin Reid is VP of Threat Intelligence for HUMAN, HUMAN is a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. Previous to this, he was the CSO for Recorded Future. Recorded Future delivers advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Reid had global responsibility for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. Gavin has 20 years of experience in managing all aspects of security for large enterprises. He was the creator of Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Gavin started doing information security at NASA's Johnson Space Centre.

Jeff Bollinger has over twenty years of information security experience, and has worked as security architect, incident responder, and people manager for both academic and enterprise networks. Specializing in investigations, network security monitoring, detection engineering, log analysis, and intrusion detection, Jeff Bollinger is the Director of LinkedIn's incident response team (SEEK). Prior to LinkedIn, Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures at Cisco Systems. Jeff regularly speaks at international FIRST conferences, blogs about security topics. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.

Matt Valites has spent the past 15+ years in various security roles spanning leadership, operations, investigations, field sales, and research. Currently leading Threat Detection Operations and Operational Strategy at SAP's Global Security Operations, he's spent most of his career in the Enterprise Software-as-a-Service space. He's a co-author of O'Reilly's Crafting the Infosec Playbook and a longtime active member of the FIRST organization.

On-prem or in the cloud, securing large Active Directory environments can be challenging. Without proper insights, it is almost impossible to keep track of the existing attack paths in a given environment.

Originally designed for red teamers, BloodHound has quickly been adopted on the blue side and became the de-facto tool for mapping Active Directory attack paths, as it offers a unique visibility onto these.

In this workshop, participants will gain a solid understanding of the tool and the possibilities it offers for Reds and Blues, and learn how to take their BloodHound knowledge to the next level by mastering the underlying neo4j cypher query language, and automating data collection, analysis and reporting.

This workshop is highly interactive and contains various hands-on exercises, in which students get to work in a dedicated lab environment and learn the secrets of thinking in graphs and become a true dog whisperer…

JD – better known as SadProcessor or Walter Legowski – has over 10 years of experience in digital security, specialized in security operations and detection engineering. He loves automation, visualizing attack paths and regularly releases open-source tools for the infosec community. Knowledgeable in BloodHound, PowerShell and Windows internals. Presenter at various editions of PSConfEU, BRUcon, DerbyCon, and Troopers.

When Solorigate occurred, we witnessed a nation-state actor gaining initial access using a software vendor’s supply chain culminating with an attack utilizing Golden SAML to gain access to Office 365 cloud resources. At the time, I was developing an adversary emulation activity in support of a blue team capture the flag event and the unique attack piqued my interest.

If you are like me, you may have spent at least some portion of your career working with events generated from on-premise systems. With the move toward cloud, I noticed that logs that I just took for granted and expected to have available were no longer. This realization spurred me to use Golden SAML as a case study around what could be identified and detected within the Microsoft Graph.

Because workloads and solutions continue to migrate to the cloud and the pervasiveness of Active Directory in nearly every organization’s environment, the idea of setting up a federation with on premise active directory servers and Azure Active Directory is not an uncommon configuration which is why it is important to understand this attack within this context.

While there has been a lot of good content created about the Golden SAML attack, less focus has been paid to the visibility that a defender has from the extraction of a token through its forgery to its application against Microsoft’s Graph API. The intent of this talk is to contextualize and drive a greater awareness of what the defender will see (and more importantly what they will not see) when a Golden SAML token is extracted and forged and utilized in an Azure AD / M365 environment.

Attendees will come away with

• A better understanding of what a Golden SAML attack looks like
• A greater awareness of what they will have available for analysis within the Microsoft Cloud, specifically from Azure and M365 logging
• Ideas for detections that can be applied to monitor for this kind of activity

John Stoner is a Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."