Agenda
Join the conference chat and discussions over the Discord channel: https://discord.gg/wAMrUPB3Nj
Ask questions to the speakers within the Discord chat or through the YouTube live-stream!
All times are in Eastern European Summer Time (UTC+3).
6 OCT
14:00 - 14:05 -> Opening remarks, Dr. Bernhards 'BB' Blumbergs (CERT.LV);
14:05 - 14:55 -> Using Honeypots in ICS training environments, Mikael Vingaard (DK);
A technical presentation on high-interaction honeypots in a Red/Blue training environment. The presentation will describe ICS honeypots, their benefits and real-life practical use, both in real industrial environments and in learning networks;
15:05 - 15:55 -> Data mining TLS network traffic, Markus Kont (EE);
Finding malware callback beacons to C2 servers in modern network traffic has many challenges. Most traffic is encrypted, and traditional IoC signatures can only find known threats. This talk presents how simple data mining and statistics can be applied to Suricata TLS and Flow events to reveal infrequent TLS servers and connections with periodic patterns, and how TLS JA3S enables it all;
16:05 - 16:55 -> Get started with OT Network Security Monitoring, Martin Scheu (CH);
A walk-through of how to monitor OT networks with the open source software ntopng, covering OT protocol nuances and what to look for in your network in a hands-on manner;
17:05 - 17:55 -> Cloud Security and IAM for Developers and DevOps - How can IAM be exploited and how you can minimize the risks, David Hendri (IL);
How often do you define permissions for new cloud-native applications, and do you use the pre-defined vendor suggestion for them or use wildcards? IAM (Identity and Access Management) is an important factor in determining how secure your product will be. Doing it right requires an understanding of how it works and why it is important, which is the purpose of this session. We will talk about what IAM is, how you use it, and what the risks of an overly permissive configuration are, and show a demo of ways to exploit it and how you can minimize the exposure;
17:55 - 18:00 -> Closure of day one, (CERT.LV).
7 OCT
14:00 - 14:05 -> Opening remarks, Dr. Bernhards 'BB' Blumbergs (CERT.LV);
14:05 - 14:55 -> Ransomware: Tales from the Deep Web, Jose Miguel Esparza (ES) && Artūrs Filatovs (LV);
Cybercriminals are dynamic by nature and are always trying to find easy money. Once a threat actor finds an easy way to make money, it spreads from forum to forum and from chat to chat, gaining more and more "followers" of the technique. This happened with targeted ransomware attacks, and they are here to stay. In this talk we will show examples of how tracking the Deep Web can gather valuable insights about those ransomware groups and their activities, in order to stay up to date with their latest movements. Knowing the enemies is key to defending against this threat. The talk will start with a short intro to dark web analytics services, OSINT and the use of such services in daily security risk management;
15:05 - 15:55 -> Spoof! It's Gone! Exploiting Kerberos and LDAP to Bypass Security Products, Dor Segal (IL);
Active Directory environments rely on Kerberos as their main authentication protocol, as a superior alternative to NTLM and plain-text LDAP. But guess what? There is nothing that a partial implementation cannot screw up, and Kerberos is no exception: we have spotted such an implementation in four leading security products, exposing them to easy takeover (Cisco, IBM, F5 and Palo Alto Networks; but no worries, all disclosed, reported and fixed).
When correctly implemented, Kerberos involves three exchanges: an Authentication Service exchange, followed by a Ticket Granting Service exchange, and concluded with a Client/Server exchange. However, the four products we analyzed featured a partial implementation in which the Client/Server exchange (number three) was not present at all. While it seems as if authentication works properly even without this exchange, its absence creates a huge gap that can be easily exploited in a spoofing attack.
In this session we will deep dive into the details of this spoofing attack and demonstrate how it can be used to either bypass security controls or gain full admin privileges in Cisco ASA, IBM QRadar, F5 BIG-IP APM, and Palo Alto Networks PAN-OS;
16:05 - 16:55 -> Scaling up offensive pipelines, Gil Biton (IL);
Evolving endpoint protection software with enhanced detection capabilities and greater visibility coverage has been taking the complexity of red team and purple team operations to a higher level. The current situation forces adversaries to take precautions and invest much more time in the weaponization phase to overcome prevention and detection mechanisms. Our framework leverages Infrastructure as Code (IaC) to fully automate the deployment of our offensive CI/CD pipeline framework, with built-in recipes for evading host and network detections. The framework leverages GitLab CI/CD in conjunction with a Kubernetes cluster to automate and manage the process of building and deploying offensive tools at scale;
17:05 - 17:55 -> fu*gewithmeyouknowigotit, Mohammed Makhlouf (AE);
This in-depth tech demo will focus on a swiss-army knife for fabricating and generating events in the form of logs, metrics, traces, and transactions to stress test the performance and correctness of your XDR/SIEM solution at scale;
17:55 - 18:00 -> Closure of day two and CTF winner announcement, (CERT.LV && CyberCircle).
Speakers
Mikael Vingaard == {IT & OT industrial specialist, En Garde Security, DK;
Mikael Vingaard has been working within IT/OT security for 20+ years. He runs one of the largest globally deployed OT/ICS-centric honeypot networks and has been credited for many vulnerabilities found in products used within critical infrastructure.
}
Markus Kont == {Threat researcher, Stamus Networks, EE;
Markus is a threat researcher and software engineer at Stamus Networks. In this role, he is focused on threat intelligence, data science and engineering, and backend research and development. Before joining Stamus Networks, Markus spent over 5 years as a technology researcher in the NATO Cooperative Cyber Defence Centre of Excellence, where he specialized in monitoring and intrusion detection, and conducted classroom trainings for Suricata and Moloch. Markus holds a Master of Science degree in Cyber Security and has published several academic papers while pursuing a PhD.
}
Martin Scheu == {OT security engineer, SWITCH CERT, CH;
Martin is an ICS security engineer at SWITCH CERT. His primary role is supporting organizations running ICS/OT equipment. Recent work has been focused on ramping up network security monitoring of industrial networks.
}
David 'dudi' Hendri == {CTO, Solvo, IL;
David has over 15 years of experience in delivering enterprise software and leading development teams, with a heavy focus on cloud security and infrastructure in the past 6 years. Prior to co-founding Solvo in 2020, David was one of the first R&D employees at Dome9 Security (acq. by CheckPoint in 2018), leading the development of key features and helping users uphold compliance in the cloud. David is a graduate of "MAMRAM", the elite military programming training.
}
Jose Miguel Esparza == {Head of threat intelligence, Blueliv, ES;
His work is focused on researching and providing threat intelligence around botnets, malware and threat actors. He is a security researcher who has been analyzing Internet threats since 2007 and has taken part as a speaker/trainer in several local and international conferences such as RootedCon, INCIBE Cybersecurity Summer BootCamp, Source, Black Hat, Troopers and Botconf, among others.
}
Artūrs Filatovs == {Head of B2B cybersecurity services, Tet Group, LV;
Arturs is an experienced and passionate cybersecurity solutions professional, working for more than 12 years in the field of business cybersecurity and innovations, analysing cybersecurity risk causes and consequences. During the last 4 years Arturs has focused on Security Operations Center as a service and cybersecurity crisis management.
}
Dor Segal == {Security researcher, Silverfort, IL;
Dor has been practicing security since 2012. He served for 7 years in the 8200 cyber security intelligence unit as a Security Researcher. For the last 2 years he has worked at Silverfort as a Security Researcher specializing in authentication protocols. At Silverfort, Dor does vulnerability research and attack simulation, and develops solutions for protecting authentication in enterprise environments.
}
Gil Biton == {Offensive security engineer, Sygnia, IL;
Gil has over 5 years of experience in the Cyber Security industry, specializing in Red Team operations, phishing campaigns, and network infrastructure assessments. He has been involved in numerous security engagements with Fortune 100-500 clients, where he brought his extensive experience in the development and research domains to implement complex techniques and automate offensive security processes. Gil is a member of the Adversarial Research team, the offensive security team within Sygnia's Enterprise Security division.
}
Mohammed 'Mak' Makhlouf == {Cofounder & CTO, Ronin Technologies, AE;
Mak identifies himself as a reverse time travelling systems and security engineer. He has a strong practical background in distributed systems, software and security engineering, threat intelligence, and machine learning.
}
Aftershock
The conference is over, but here are all the awesome talks:
CTF
CTF status: Game over!
First position: EVOSEC
Second position: WESHOWEDUP
Third position: NCSC-FI
CTF style: Jeopardy && infrastructure takeover
CTF leader board access (observer mode, password - cybershock2021): https://isa.cs.cybexer.io/
CTF start: 06 OCT 09:00 (UTC+3)
CTF end: 07 OCT 17:00 (UTC+3)
Accepted team count: 31
Maximum members per team: 5
Team formation and coordination: https://discord.gg/wAMrUPB3Nj
Awards: top three teams based on the points scored
CTF provided by CybExer Technologies && CTF Tech (EE)
Infrastructure provided by TET Group (LV)
Awards provided by Cyber Circle (LV)