Agenda

Join the conference chat and discussions over the Discord channel: https://discord.gg/wAMrUPB3Nj
Ask questions to the speakers withn the Discord chat or through YouTube live-stream!
All times are in Eastern European Summer time (UTC+3)

6 OCT

14:00 - 14:05 -> Opening remarks, Dr. Bernhards 'BB' Blumbergs (CERT.LV);
14:05 - 14:55 -> Using Honeypots in ICS training environments, Mikael Vingaard (DK),
A technical presentation on high interaction honeypots in an Red/Blue training environment. The presentation will describe ICS honeypots, the benefits and real life practical use, both in real industrial environments and in learning networks;
15:05 - 15:55 -> Data mining TLS network traffic, Markus Kont (EE),
Finding malware callback beacons to C2 servers in modern network traffic has many challenges. Most traffic is encrypted and traditional IoC signatures can only find known threats. This talk presents how simple data mining and statistics can be applied on Suricata TLS and Flow events to reveal infrequent TLS servers, connections with periodic patterns, and how TLS JA3S enables it all;
16:05 - 16:55 -> Get started with OT Network Security Monitoring, Martin Scheu (CH),
A walk through of how to monitor OT networks with the open source software ntopng, covering OT protocol nuances and what to look for in your network in a hands-on manner;
17:05 - 17:55 -> Cloud Security and IAM for Developers and DevOps - How can IAM be exploited and how you can minimize the risks, David Hendri (IL),
How often do you define permissions for new cloud-native applications and do you use the pre-defined vendor suggestion for them or use wildcards? IAM (Identity and Access Management) is an important factor in determining how secured your product will be. Doing it right requires an understanding of how it works and why it is important, which is the purpose of this session. We will talk about what is IAM, how do you use it, what are the risks of an overly permissive configuration - and show a demo of ways to exploit it and how you can minimize the exposure;
17:55 - 18:00 -> Closure of day one, (CERT.LV).

7 OCT

14:00 - 14:05 -> Opening remarks, Dr. Bernhards 'BB' Blumbergs (CERT.LV);
14:05 - 14:55 -> Ransomware: Tales from the Deep Web, Jose Miguel Esparza (ES) && Artūrs Filatovs (LV);
Cybercriminals are dynamic by nature and they are always trying to find easy money. Once a threat actor finds an easy way to make money, this spreads from forum to forum, from chat to chat, gaining more and more “followers” of the technique. This happened with the targeted ransomware attacks and they are here to stay. In this talk we will show examples about how tracking the Deep Web can gather valuable insights about those ransomware groups and their activities, in order to be up-to-date with their latest movements. Knowing the enemies is key to defend against this threat. The talk will start with a short intro in the dark web analytics services, OSINT and use of such services in daily security risk management.
15:05 - 15:55 -> Spoof! It’s Gone! Exploiting Kerberos and LDAP to Bypass Security Products, Dor Segal (IL);
Active Directory environments rely on Kerberos as their main authentication protocol as a superior alternative to NTLM and plain text LDAP. But guess what? There is nothing that partial implementation cannot screw up and Kerberos is no exception – and we’ve spotted such implementation at four leading security products exposing them to easy takeover (Cisco, IBM, F5 and Palo Alto Networks – but no worries all disclosed, reported and fixed). When correctly implemented, Kerberos involves three exchanges: an Authentication Service exchange, followed by a Ticket Granting Service exchange, and concluded with a Client/Server exchange. However, the four products we’ve analyzed featured a partial implementation in which the Client/Server exchange (number three) was not present at all. While it seems as if the authentication works properly even without this exchange, its absence creates a huge gap that can be easily exploited in a spoofing attack. In this session we’ll deep dive into the details of this spoofing attack and demonstrate how it can use to either bypass security controls or gain full admin privileges in Cisco ASA, IBM QRadar, F5 Big-IP APM, and Palo Alto Networks PAN-OS.
16:05 - 16:55 -> Scaling up offensive pipelines, Gil Biton (IL);
Evolving endpoint protection software with enhanced detection capabilities and greater visibility coverage have been taking red team and purple team operation’s complexity to a higher level. The current situation forces adversaries to take precautions and invest much more time in the weaponization phase to overcome prevention and detection mechanisms. Our framework leverages Infrastructure as Code (IaC) to fully automate the deployment of our offensive CI/CD pipeline framework with built in recipes for evading host and network detections. The framework leverages Gitlab CI/CD in conjunction with Kubernetes cluster to automate and manage the process of building and deploying offensive tools at scale.
17:05 - 17:55 -> fu*gewithmeyouknowigotit, Mohammed Makhlouf (AE);
The in-depth tech demo will focus on a swiss-army knife for fabricating and generating events in the form of logs, metrics, traces, and transactions to stress test the performance and correctness of your XDR/SIEM solution @ scale.
17:55 - 18:00 -> Closure of day two and CTF winner announcement, (CERT.LV && CyberCircle).

Speakers

Mikael Vingaard == {IT & OT industrial specialist, En Garde Security, DK;
Mikael Vingaard have been working within the IT/OT security for 20+ years. He runs one of the largest global deployed OT/ICS centric honeypot network and have been credited for many vulnerabilities found in products used within critical infrastructure.
}
Markus Kont == {Threat researcher, Stamus Networks, EE;
Markus is a threat researcher and software engineer at Stamus Networks. In this role, he is focused on threat intelligence, data science and engineering, and backend research and development. Before joining Stamus Networks, Markus spent over 5 years as a technology researcher in the NATO Cooperative Cyber Defense Center of Excellence, where he specialized in monitoring and intrusion detection, and conducted classroom trainings for Suricata and Moloch. Markus holds a Master of Science degree in Cyber Security and has published several academic papers while pursuing a PhD.
}
Martin Scheu == {OT security engineer, SWITCH CERT, CH;
Martin is a ICS security engineer at SWITCH CERT. His primary role is supporting organizations running ICS/OT equipment. Recent work has been focused on ramping up network security monitoring of industrial networks.
}
David 'dudi' Hendri == {CTO, Solvo, IL;
David has over 15 years of experience in delivering enterprise software and leading development teams, with a heavy focus on cloud security and infrastructure in the past 6 years. Prior to co-founding Solvo in 2020, David was one of the first R&D employees at Dome9 Security (acq. by CheckPoint in 2018), leading the development of key features and helping users uphold compliance in the cloud. David is a graduate of "MAMRAM", the elite military programming training.
}
Jose Miguel Esparza == {Head of threat intelligence, Blueliv, ES;
His work is focused on researching and providing threat intelligence around botnets, malware and threat actors. He is a security researcher who has been working analyzing Internet threats since 2007 and has taken part as speaker/trainer in several local and international conferences like RootedCon, INCIBE Cybersecurity Summer BootCamp, Source, Black Hat, Troopers and Botconf, among others.
}
Artūrs Filatovs == {Head of B2B cybersecurity services, Tet Group, LV;
Arturs is an experienced and passionate cybersecurity solutions professional, working more than 12 years in the field of business cybersecurity and innovations, analysing cybersecurity risk causes and consequences. During last 4 four years Arturs focuses on Security operations center as a service and cybersecurity crisis management.
}
Dor Segal == {Security researcher, Silverfort, IL;
Dor has been practicing security since 2012. He served for 7 years in 8200 cyber security intelligence unit as a Security Researcher. In the last 2 years he works at Silverfort as a Security Researcher specializing in authentication protocols. In Silverfort, Dor is doing vulnerability research, attack simulation, and develops solutions for protecting authentication in enterprise environments.
}
Gil Biton == {Offensive security engineer, Sygnia, IL;
Gil has over 5 years of experience in the Cyber Security industry, specializing in Red Team operations, phishing campaigns, and network infrastructure assessments. He has been involved in numerous security engagements with Fortune 100-500 clients, where he brought his extensive experience in the development and research domains to implement complex techniques and automate offensive security processes. Gil is a member of the Adversarial Research team, the offensive security team, within Sygnia's Enterprise Security division.
}
Mohammed 'Mak' Makhlouf == {Cofounder & CTO, Ronin Technologies, AE;
Mak identifies himself as a reverse time travelling systems and security engineer. He has a strong practical background in distributed systems, software and security engineering, threat intelligence, and machine learning.
}

Aftershock

The conference is over, but here are all the awesome talks:

Using Honeypots in ICS training environments, Mikael Vingaard
Data mining TLS network traffic, Markus Kont
Get started with OT Network Security Monitoring, Martin Scheu
Cloud Security and IAM for Developers and DevOps - How can IAM be exploited and how you can minimize the risks, David Hendri
Ransomware: Tales from the Deep Web, Jose Miguel Esparza && Artūrs Filatovs
Spoof! It’s Gone! Exploiting Kerberos and LDAP to Bypass Security Products, Dor Segal
Scaling up offensive pipelines, Gil Biton
fu*gewithmeyouknowigotit, Mohammed Makhlouf

CTF

CTF status Game over!
First position EVOSEC
Second position WESHOWEDUP
Third position NCSC-FI
CTF style Jeopardy && infrastructure takeover
CTF Leader board access (observer mode, password - cybershock2021) https://isa.cs.cybexer.io/
CTF start 06OCT 09:00 (UTC+3)
CTF end 07OCT 17:00 (UTC+3)
Accepted team count 31
Maximum members per team 5
Team formation and coordination https://discord.gg/wAMrUPB3Nj
Awards Top three teams based on the points scored
CTF provided by CybExer Technologies && CTF Tech (EE)
Infrastructure provided by TET Group (LV)
Awards provided by Cyber Circle (LV)