Get Registered!

Eleanor Saitta leads Systems Structure Ltd. (https://structures.systems), a security architecture and strategy consultancy with media, finance, healthcare, infrastructure, and software clients across the US and Europe. She's worked in security since 2003, covering everything from core security engineering and architecture work for Fortune 50 software firms to cross-domain security for news organizations and NGOs targeted by nation states.

This diversity of experience has led Saitta to combine two threads in her security guidance.  The first approach looks at security outcomes for humans and organizations, with an emphasis on culture design for resilience, security-appropriate frames for thinking about risk, and how operational changes can shift the balance of power away from adversaries.  The second approach looks to modern infrastructure-as-code systems to be able support harder security guarantees, rather than statistical mitigations, and a pragmatic but principle-centric architectural approach.

Saitta was previously the security architect for Etsy.com and has worked for a number of commercial consultancies (Bishop Fox, IOACtive, and others). She is a co-founder and developer for Trike (http://octotrike.org/), an open source security ecosystem modeling methodology and tool which partially automates the art of security analysis, and has contributed to the Briar (https://briarproject.org) and Mailpile (https://mailpile.is) secure messaging projects.  She's on the advisory boards of the Freedom of the Press Foundation (https://pressfreedomfoundation.org) and the Calyx Institute (https://calyxinstitute.org), both organizations that look at freedom in the media and security online.  She is also a regular speaker at industry conferences; past venues include O'Reilly Velocity, KiwiCon, ToorCon, CCC, Hack in The Box, and HOPE, among others.  You can find her on twitter as @dymaxion, and at https://dymaxion.org.

Talk: Autonomy, Slack, and Resilience in Secure Systems

Security is a process; this much is dogma.  From a systems perspective, security is one emergent property among many that a dynamic, joint-cognitive system is attempting to optimize for — which is to say that security is an outcome of people, software, and hardware working together in ways that change over time, and that it's one outcome among many, all of which the team is trying to improve on.  Security is similar to reliability, in that the state of the system is primarily inferred from incidents, as opposed to directly observed.  Unlike reliability (but like market competition), it's also an adversarial property.  In real organizations, there are always competing interests, but this combination still puts security in a unique position.  In this keynote, we'll look at some of the ways that the resilience engineering mindset can inform how we think about security as a whole system, both at the human and technical levels.

Noushin is a senior security researcher at Kaspersky's GReAT team specialising in threat intelligence, reverse engineering and analysis of targeted attack.

Prior to joining Kaspersky, Noushin used to work as a senior malware analyst and software developer with first hand knowledge of rootkit analysis, detection techniques and APT attack investigations.

Noushin is an active speaker at different local and international conferences, some examples are INTERPOL World, MRE, Ruxcon, BSides Conferences, Security Analyst Summit (SAS), AusCERT and Kawaiicon Conferences.

Workshop: Reverse Engineering Malwares Targeting Top Routinely Exploited Vulnerabilities

In the world of cyber attacks, exploiting a vulnerability on a system is one of the most common ways to gain a foothold on a victim’s machine or to elevate the level of access to the resources of a machine which an attacker has already compromised.

However understanding how a piece of exploit code takes advantage of a vulnerability, is not always straightforward, even for experienced malware analysts.

In this workshop, we will look at different examples of exploit codes used in targeted attacks with a focus on the most exploited vulnerabilities in the past few years. We are aiming at showing how different exploit codes work in order to upskill the audience and educate them for their future malware analysis jobs.

Negar is a security researcher from Microsoft.

She has worked in different offensive and defensive roles in cyber security over the past 8 years, from malware analysis and security software development to application security consulting and penetration testing.

Negar is an active member of the Australian Women in Security Network (AWSN) which aims to support and inspire women in the Australian security industry. She is also a regular speaker at security conferences and delivers technical workshops.

Workshop: Reverse Engineering Malwares Targeting Top Routinely Exploited Vulnerabilities

In the world of cyber-attacks, exploiting a vulnerability on a system is one of the most common ways to gain a foothold on a victim’s machine or to elevate the level of access to the resources of a machine which an attacker has already compromised.

However, understanding how a piece of exploit code takes advantage of a vulnerability, is not always straightforward, even for experienced malware analysts.

In this workshop, we will look at different examples of exploit codes used in targeted attacks with a focus on the most exploited vulnerabilities in the past few years. We are aiming at showing how different exploit codes work in order to upskill the audience and educate them for their future malware analysis jobs.

Ashwathi is a 20-year-old Reverse Engineer interested in dissecting executables. She is one of the members of the leading women-only CTF team – TeamShakti in India. She is also a member of India’s No. 1 CTF team - Team bi0s. She participates in various CTFs conducted at both national and international level. She has also been to Nullcon Cyber Security conference and was also granted a student scholarship to attend Blackhat Asia 2019, an elite Cybersecurity conference in Singapore. Currently, Ashwathi is pursuing her final year undergraduate studies in Computer Science Engineering at Amrita Vishwa Vidyapeetham, India.

Workshop: Introduction to Malware Reverse Engineering

This workshop will introduce the participants to the world of Windows reversing and basics of Malware Analysis. It will consist of virtual sessions to help participants get familiarised with the approaches undertaken for Malware Analysis, both static and dynamic analysis techniques, including fingerprint analysis and detections of obfuscations. Getting familiarised with PE file structure and its components. The session will deal with concepts of Windows application reversing, Packing/unpacking executables and DLL injection. The attendees will get to learn the usage of Ghidra and x64dbg for static and dynamic analysis.

Joshua Jebaraj is undergrad Student Currently pursuing his undergrad at Vellore Institute of Technology Chennai He is an active member of many open-source communities like Null, Ansible and Hashicorp He frequently speaks at null Chennai chapter and OWASP Vit Chennai He also Spoken at conferences like Owasp-Seasides and Open-Security-Summit He also holds a certification for CDP.

Workshop: Defending Docker Implementations

Docker is one of the trending technologies that rules the IT ecosystem.

Many companies have started to adapt the usage of docker in their companies. However, docker like many other technologies is not safe by default. We have to take certain steps to make sure that the docker deployment is safe and secure.

This workshop introduces the attendees to docker basics, discuss various security problems in the default configurations and also discuss the various Defense mechanisms.

Target Audience

• Developers
• Blue team
• Anyone who is interested in Docker security

Key takeaways

• Understand the Basics of Docker
• Know the real-world threat and mitigation against the Docker container
• Ability to find the security vulnerabilities in the Docker Ecosystem before an attacker does

Prerequisite

• Laptop with admin privilege of 4 GB ram and 20 GB free space
• Virtual Machine Installed

Attendees will be provided with

• Virtual box images used in the Lab
• Lab Guide used in training

Topics Covered:

• Introduction to Docker
• Hands-on: Getting started with Docker
• Pulling an image
• Running the container
• Building a Docker image
• Docker security
• Hands-on: Writing secure Dockerfiles
• Hands-on: Securing Docker containers
• Hands-on: Docker runtime security
• Seccomp
• Apparmor
• Resource management
• Hands-on : Securing Docker configuration & the host machine

Hands-on: Auditing Docker images

Manish is a Red Team Security Engineer at Citrix in India where he specializes in Offensive Security and Red Teaming Activities on enterprise Environment. A part-time Bug Bounty Hunter and CTF Player. His Research interest includes Real World Cyber Attack Simulation and Advanced persistent Threat (APT). Previously he has spoken at reputed conferences like Blackhat USA 19 [https://www.blackhat.com/us-19/presenters/Manish-Gupta.html], DEFCON 19 [https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#PivotSuite], where he showcased his red teaming toolkit "PivotSuite". He is currently working on developing Open-Source Offensive Security Toolkit which helps Red Teamers/ Penetration Testers.

Workshop: CyberWarOps Training: Red and Blue Team Joint Operations

"CyberWarOps: Red and Blue Team Joint Operations" aims to provide the trainees with the insights of the offensive techniques used by the red team and defensive techniques employed by the blue teams in an enterprise. From the Red Team perspective, trainees will not only understand the advanced Real-World Cyber Attacks but also simulate Tactics, Techniques and Procedures (TTP's) widely used by APT groups. However, from a Blue Team perspective, trainees will understand how to Monitor, Detect, Analyse and then Respond against the real-time attacks performed by the red team.

CyberWarOps Red Team Highlights:

• Extensive OSINT activities
• Custom Web Exploitation
• Remote Access services exploitation
• Multiple segregated networks with updated linux & Windows operating servers/workstations
• Exploiting combination of Linux & Windows machines under Active Directory environment
• Abusing mis-configurations of enterprise security solutions etc.
• Exploitation of widely used enterprise automation softwares
• Manipulating active users browsing (User Simulation)
• Red Teaming in Hybrid Cloud Environment (AWS, Azure)
• Breaking/Escaping secure containerized Environment (Docker, Kubernetes etc.)
• Bypassing Enterprise Security Solutions

CyberWarOps Blue Team Highlights:

• Real Time Attack monitoring
• Host and Network based security solution
• Real Time Network Traffic Analysis
• Endpoint Detection and Response solution
• Digital Forensics and Incident Response

Lab Access

To make the training hands-on in the real sense all the trainees will be provided with VPN access to the Lab. Lab Architecture is designed to cover all the attacks from both aspects that are demonstrated during the training sessions. Moreover, attendees will have dedicated access to the environment for 3 full days after completing the workshop.

Attendee should bring

• System with at least 8GB RAM having Virtualization support.
• Open VPN Client [Windows: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.6-I602.exe]
• Updated Web Browser.

Attendees Takeaway

• Soft Copy of the Course Content.
• Great Knowledge about the Offensive Techniques used by adversaries.
• Defence Tactics & Techniques against the discussed offensive techniques.
• 3-Day dedicated based lab access to try the offensive attacks in the lab environment.  

Yash is currently working as Red Team Security Researcher at CyberWarFare Labs [https://cyberwarfare.live]. He is highly attentive towards finding, learning and discovering new TTP’s used during offensive engagements. His area of interest includes (but not limited to) evading Antivirus, Securing Active Directory infrastructure and Advance Windows & cloud-based attacks. Previously he has delivered hands-on red team workshop at BSIDES Ahmedabad, OWASP Seasides 2019. You can reach out to him on Twitter @flopyash

Workshop: CyberWarOps Training: Red and Blue Team Joint Operations

"CyberWarOps: Red and Blue Team Joint Operations" aims to provide the trainees with the insights of the offensive techniques used by the red team and defensive techniques employed by the blue teams in an enterprise. From the Red Team perspective, trainees will not only understand the advanced Real-World Cyber Attacks but also simulate Tactics, Techniques and Procedures (TTP's) widely used by APT groups. However, from a Blue Team perspective, trainees will understand how to Monitor, Detect, Analyse and then Respond against the real-time attacks performed by the red team.

CyberWarOps Red Team Highlights:

• Extensive OSINT activities
• Custom Web Exploitation
• Remote Access services exploitation
• Multiple segregated networks with updated linux & Windows operating servers/workstations
• Exploiting combination of Linux & Windows machines under Active Directory environment
• Abusing mis-configurations of enterprise security solutions etc.
• Exploitation of widely used enterprise automation softwares
• Manipulating active users browsing (User Simulation)
• Red Teaming in Hybrid Cloud Environment (AWS, Azure)
• Breaking/Escaping secure containerized Environment (Docker, Kubernetes etc.)
• Bypassing Enterprise Security Solutions

CyberWarOps Blue Team Highlights:

• Real Time Attack monitoring
• Host and Network based security solution
• Real Time Network Traffic Analysis
• Endpoint Detection and Response solution
• Digital Forensics and Incident Response

Lab Access

To make the training hands-on in the real sense all the trainees will be provided with VPN access to the Lab. Lab Architecture is designed to cover all the attacks from both aspects that are demonstrated during the training sessions. Moreover, attendees will have dedicated access to the environment for 3 full days after completing the workshop.

Attendee should bring

• System with at least 8GB RAM having Virtualization support.
• Open VPN Client [Windows: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.6-I602.exe]
• Updated Web Browser.

Attendees Takeaway

• Soft Copy of the Course Content.
• Great Knowledge about the Offensive Techniques used by adversaries.
• Defence Tactics & Techniques against the discussed offensive techniques.
• 3-Day dedicated based lab access to try the offensive attacks in the lab environment.  

Hardik Shah is an experienced security researcher and technology evangelist. Hardik currently works with McAfee as a vulnerability researcher. Hardik has found many vulnerabilities in windows and open source softwares.

Workshop: Finding Security Vulnerabilities with Fuzzing

Many people are interested in finding vulnerabilities but don't know where to start. This workshop is aimed at providing details on how to use fuzzing to find software vulnerabilities. We will discuss what is fuzzing, different types of fuzzers and how to use them. This training will start with a basic introduction to different types of vulnerabilities which are very common in softwares. Later on during the training we will first start with fuzzing a simple C program which contains these vulnerabilities. After that we will see how we fuzz real world open source softwares using fuzzers like AFL and honggfuzz.

This workshop will also provide details on how does AFL works, what are the different mutation strategies it uses. basics of compile time instrumentation, how to collect corpus for fuzzing and how to minimize it,crash triage and finding root cause.

Tom Czayka is a security researcher who works at Quarkslab. He is interested in everything related to the Android operating system, especially internals. He is keen on reverse engineering, instrumentation, fuzzing and low-level programming. As well, he is into developing tools which assist reverse engineers and make their daily work easier.

Workshop: Analysing programs through dynamic instrumentation with QBDI

Reverse engineering is considered as a threat for today’s computer programs. Indeed, an adversary could gather the intellectual property or look for vulnerabilities in there. As a result, developers put significant effort into protecting their applications from being inspected. Since using debuggers remains one of the most common approaches, techniques for detecting the presence of a debugger are often in place – it hence makes reverse engineers’ work harder. In this context, making use of a Dynamic Binary Instrumentation (usually shortened DBI) framework such as QBDI, may be a great option. This workshop is an overview of how QBDI works and how it can be used through diving into several hands-on exercises on both Linux and Android. Attendees will learn what’s different between using a regular debugger and a DBI tool, how to generate execution traces at runtime and how to speed up the reverse engineering process at most. They will be given the methodology for being able to take advantage of what QBDI offers whenever facing such scenarios.

Prerequisites:

Familiarity with Android/Linux x86 ecosystems, Debugging and Python/JavaScript

Nicolas Surbayrole is a security engineer and developer. During his studies, he is interested in computer security and reverse engineering. He contributed to the organization of two CTFs in Toulouse (France). After his studies, he joined Quarkslab and became a core developer of QBDI, a DBI based on LLVM oriented to reverse engineering.

Workshop: Analysing programs through dynamic instrumentation with QBDI

Reverse engineering is considered as a threat for today’s computer programs. Indeed, an adversary could gather the intellectual property or look for vulnerabilities in there. As a result, developers put significant effort into protecting their applications from being inspected. Since using debuggers remains one of the most common approaches, techniques for detecting the presence of a debugger are often in place – it hence makes reverse engineers’ work harder. In this context, making use of a Dynamic Binary Instrumentation (usually shortened DBI) framework such as QBDI, may be a great option. This workshop is an overview of how QBDI works and how it can be used through diving into several hands-on exercises on both Linux and Android. Attendees will learn what’s different between using a regular debugger and a DBI tool, how to generate execution traces at runtime and how to speed up the reverse engineering process at most. They will be given the methodology for being able to take advantage of what QBDI offers whenever facing such scenarios.

Prerequisites:

Familiarity with Android/Linux x86 ecosystems, Debugging and Python/JavaScript

Greg Conti is a Co-Founder and Principal at Kopidion, a cyber security training and professional services firm. He is a former U.S. Army cyber operations and military intelligence officer and ran West Point’s information security research and education programs for about ten years. A long-time Black Hat Trainer, he teaches their Information Operations and Military Strategy and Tactics for Cyber Security courses. He holds a PhD in computer science, is co-author of the recent book “On Cyber: Towards an Operational Art for Cyber Conflict” and has written more than 100 articles and research papers covering information security. He is a frequent speaker at conferences like Black Hat, DEF CON, ShmooCon, RSA, Google Ideas, USENIX Enigma, BSides, and HOPE.

Talk: Comprehensive Cross-Domain Enterprise Threat Exposure Analysis

The modern organization has a massive, highly complex, and often poorly-understood exposure footprint in both cyberspace and physical space. Some portions of this footprint are reasonably well protected, such as the data center and endpoints.

Other aspects are less well defended, misunderstood, or even completely unconsidered as part of the cybersecurity problem. Examples include acoustic and electromagnetic emanations of workplaces and technology, transport across satellite and undersea links, social media presences, and the dozens third-party cloud applications modern businesses employ for ease of operations. Even when identified, protecting this entire footprint quickly exceeds the capabilities of any single organization. Attackers thrive on this complexity and probe this constantly changing region looking for points of vulnerability, often exploiting seams between system and unchallenged assumptions about trust, connectivity, and interdependence.

In this talk, we provide a framework for comprehensive analysis of the multi-domain exposure footprint of organizations of all sizes. Using this framework provides a more complete picture for defenders while also abstracting less important details to cope with complexity. By using a case study we’ll demonstrate the utility of the framework, and how to use it to deeply analyze an organization, better understand potential threats, allocate threat intelligence assets, and deploy security controls to best protect the organization. You will leave this talk with a much deeper understanding of the complete attack surface of a company, how attackers use unanticipated attack vectors, and techniques to avoid the failures in understanding and imagination that enable successful attacks.

Robert L. Fanelli is a Principal at Kopidion, a cyber security training and professional services firm. He has provided cybersecurity capability research and development, consulting, and educational services in government and the private sector. He served as a U.S. Army colonel, most recently at U.S. Cyber Command in roles that included controlling U.S. Department of Defense global cyberspace operations, leading the USCYBERCOM/NSA Combined Action Group, and conducting research and development activities. He has published, presented, and taught security topics in multiple venues, including the United States Military Academy at West Point and the National Cryptologic School. He holds a Ph.D. in Computer Science from the University of Hawaii and a number of industry credentials, including the designation as a GIAC Security Expert.

Talk: Comprehensive Cross-Domain Enterprise Threat Exposure Analysis

The modern organization has a massive, highly complex, and often poorly-understood exposure footprint in both cyberspace and physical space. Some portions of this footprint are reasonably well protected, such as the data center and endpoints.

Other aspects are less well defended, misunderstood, or even completely unconsidered as part of the cybersecurity problem. Examples include acoustic and electromagnetic emanations of workplaces and technology, transport across satellite and undersea links, social media presences, and the dozens third-party cloud applications modern businesses employ for ease of operations. Even when identified, protecting this entire footprint quickly exceeds the capabilities of any single organization. Attackers thrive on this complexity and probe this constantly changing region looking for points of vulnerability, often exploiting seams between system and unchallenged assumptions about trust, connectivity, and interdependence.

In this talk, we provide a framework for comprehensive analysis of the multi-domain exposure footprint of organizations of all sizes. Using this framework provides a more complete picture for defenders while also abstracting less important details to cope with complexity. By using a case study we’ll demonstrate the utility of the framework, and how to use it to deeply analyze an organization, better understand potential threats, allocate threat intelligence assets, and deploy security controls to best protect the organization. You will leave this talk with a much deeper understanding of the complete attack surface of a company, how attackers use unanticipated attack vectors, and techniques to avoid the failures in understanding and imagination that enable successful attacks.

Yarden Shafir started dancing at the age of 7, and later joined a rhythmic gymnastics team and competed during her teenage years. After her military service, she practiced pole dancing and fell in love with acrobatics. In recent years she performs aerial arts for the circus, trains whenever possible, and teaches lyra and silks in Israel, while also having a rich background of Windows Internals research originally at Sentinel One, followed by her current role as a Software Engineer at CrowdStrike working on various EDR capabilities and EPP features.

Talk: Callback objects - Everything you didn’t know you wanted to hook in the kernel

Whether you’re an attacker, trying to persist and gather information while avoiding detection, or a defender, trying to monitor everything that’s running on a box and staying a step ahead of the attackers, everyone wants to know what’s happening on a machine. Windows has a mechanism that can fulfill all these needs and isn’t getting the attention it deserves – callback objects.

Used by many kernel components and easy to access for 3rd-party drivers, these objects can supply valuable information about various kernel events, internal AV communication, and more.

Even Patch Guard has its own callback!

As helpful as they are, they are mostly ignored by security solutions, making them a great place for rootkits to hide in, where no one is looking.

Etizaz Mohsin is an information security researcher and enthusiast. His core interest lies in low level software exploitation both in user and kernel mode, vulnerability research, reverse engineering. He holds a Bachelors in Software Engineering and started his career in Penetration Testing. He is an active speaker at international security conferences. He has achieved industry certifications, the prominent of which are OSCP, OSCE, OSWP, OSWE, OSEE, CREST CRT, CPSA, EWPTX, CEH.

Talk: The Great Hotel Hack: Adventures in attacking hospitality industry

Ever wondered your presence exposed to an unknown entity even when you are promised for full security and discretion in a hotel? Well, it would be scary to know that the hospitality industry is a prime board nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriott International where 500 million guests' private information was compromised sets for one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeted guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called Darkhotel infected wifi-networks at luxury hotels, prompted the victim to download the malware and thus, succeeded in specifically targeting traveling business executives in a variety of industries and all its prevalence seems to have no end yet.

For a broader look, this time a popular internet gateway device for visitor based networks commonly installed in hotels, malls and other places that provides guests temporary access Wi-Fi was examined. To see, how the guests and the hotels both have a serious stake in this, we will discourse about the working of guest Wi-Fi systems, different use cases and their attack surfaces: device exploitation, network traffic hi-jacking, accessing guest's details and more. Common attacks and their corresponding defenses will be discussed. This talk will contain demos of attacks to reveal how the remote exploitation of such a device puts millions of guests at risk.

Gopika is a 19-year old Web Application Exploitation and Security enthusiast.

She is the member of team bi0s, a CTF (Capture The Flag) team ranked number-1 in India for the past 4 consecutive years. Gopika is pursuing her third year undergraduate in Computer Science and Engineering at Amrita Vishwa Vidyapeetham and is also a part of TeamShakti -the leading women-only CTF team from India. TeamShakti got into the arena of capturing flags last year and is one among the 3 only women-only CTF teams worldwide. She was also granted student scholarship for attending elite Cybersecurity conferences like BHEUROPE 2019, Troopers20, BHUSA 2020.

Talk: Quines: A Self Producing Syndrome

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. Injection has made a constant appearance in the OWASP Top 10 Web Application Security vulnerabilities for over 10 years. There are a variety of SQL injections ranging from Error-based, Time-based, Union-based SQLi and Quine SQL injection, a subset of it which is not as popular but way powerful when used. Quine means a program that returns the source code as it is. Even without any access to physical source files in the filesystem, using a Quine, we could produce the source code which might seem unrealistic.

To print its own listing, when a program is run, it must print out precisely those instructions which the programmer wrote as part of the program and it tends to seek the source file on the disk, open it, and print its contents. Quines does not depend on delimiting factors like the process of being able to read a source file itself. In scenarios where the verification logic that checks whether the user input and query result values are the same even if the database is empty (Ghost tables), it will be possible to bypass the verification checks using Quine SQL Injection.

Ritvik is a third year BTech student at Amrita Vishwa Vidyapeetham, Amritapuri. He is an active CTF player with Team bi0s currently ranked No 1 in India and among the top 20 teams in the world by CTFtime.org. He is an application and system security enthusiast. He particularly focuses on Linux based exploitation and is interested in memory corruption and vulnerability research. Ritvik has also authored challenges on exploitation for InCTFi, BSides and Cisco CTF organised on a yearly basis.

Talk: FPAnalyze : Aiding Exploitation With Automated Analysis

With the advancements in security measures taken in recent versions of GNU’s standard C library, it is becoming increasingly difficult to abuse debugging hooks like __malloc_hook and __free_hook . At times,we have arbitrary read/write but hijacking control flow can be a fairly strenuous task with the modern exploitation mitigations in place and thus, we have to look out for other function pointers being called during the course of execution of the program.In large applications, there are sure to be function pointers within the application itself which are easy targets to overwrite and attain control flow. But in large applications, these are hard to identify. Our tool aims to solve this by automatically identifying function pointers dynamically .Hence we take this opportunity to introduce you to FPAnalyzer which will act as an aid for an ardent exploit writer, thus making the final stages of exploitation relatively simple.

During the course of the presentation, we intend to take you through a journey wherein you’ll explore the scenarios which pave the way for our tool to come into the picture. We’ll also delve into some internal workings of the tool and give you an insight into what functionalities have been implemented during the course of designing of the tool.

Sourag C is a third year BTech student at Amrita Vishwa Vidyapeetham, Amritapuri. He is a member of Team bi0s which is the number 1 CTF team in India. He mainly focuses on Linux based exploitation. Sourag has also been invited for the onsite ISITDTU CTF finals conducted in Vietnam wherein teambi0s secured second position worldwide.

Talk: FPAnalyze : Aiding Exploitation With Automated Analysis

With the advancements in security measures taken in recent versions of GNU’s standard C library, it is becoming increasingly difficult to abuse debugging hooks like __malloc_hook and __free_hook . At times,we have arbitrary read/write but hijacking control flow can be a fairly strenuous task with the modern exploitation mitigations in place and thus, we have to look out for other function pointers being called during the course of execution of the program.In large applications, there are sure to be function pointers within the application itself which are easy targets to overwrite and attain control flow. But in large applications, these are hard to identify. Our tool aims to solve this by automatically identifying function pointers dynamically. Hence we take this opportunity to introduce you to FPAnalyzer which will act as an aid for an ardent exploit writer, thus making the final stages of exploitation relatively simple.

During the course of the presentation, we intend to take you through a journey wherein you’ll explore the scenarios which pave the way for our tool to come into the picture. We’ll also delve into some internal workings of the tool and give you an insight into what functionalities have been implemented during the course of designing of the tool.

Kuldeep Saini is a cybersecurity professional with 16 years of cybersecurity experience in different domains like automotive, energy, payments and PKI. He is working with Thales Group, world leader in digital security. He is holding prominent cybersecurity certifications like CISSP, CEH and CDPSE.

Talk: Fasten your seatbelt - Automotive cybersecurity disruption on its way!

These days car manufacturers are luring new customers through attractive connectivity features e.g. having all car alerts on their mobile phones, controlling some car functions using mobile apps remotely, etc. The connected cars having high exposure to remote attacks through different channels. Are OEMs giving enough weightage to the cybersecurity needs to support such a state of the art features?

Daniel is a Security Consultant, a bachelor’s in arts of Representation, an Actor and a Scenic Communicator. With more than 10 years of experience as an academic in Acting classes in several Universities. Since 2015, Daniel is leading Fr1endly RATs, the Social Engineering unit at Dreamlab Technologies Chile.

He Specializes and develops techniques and methodologies for simulations of Phishing attacks, Vishing, Pretexting, Physical Intrusions and Red Team.

Certifications / Competencies:

Advanced Practical Social Engineering, Orlando, FL, USA.

Physical Red Team Operations, Saint Paul, MN, USA.

OSINT Crash Course, The OSINTion, USA.

Usable Security, University of Maryland, USA.

Improvisation Summer School, Keith Johnstone Workshop Inc. Calgary, Canada.

Talk: Old Still Cool

Obtaining access and sensitive information from critical areas in three cases of merging classic Social Engineering formats under the concepts Physical Spear Phishing and Vishing Web Scam. The physical-digital tools and techniques used for the realization of the objectives will be explained.

Controls and filters advance according to market demands and it is becoming increasingly difficult to perform generic phishing simulations with a considerable scope, without these being rejected by security systems, reaching the spam mailbox or alerting security filters and preventing the integrated display of malicious mail.

How to bypass an antivirus in a service under a black box format? How to bypass firewalls so that systems can be accessed without being stopped? Is it necessary to go unnoticed?

As a unit we have specialized in the last five years in the development of pretexting, persuasion techniques and extremely particular and effective simulation scenarios.

This paper presents 3 cases of mergers of classic Social Engineering formats united under concepts that we call Physical Spear Phishing and Vishing Web Scam. The physical-digital tools and techniques used for the realization of objectives will be explained.

One of the first difficulties we have in SE services is the short time we have in relation to an organized criminal band. They manage to carry out effective attacks after periods of six to twelve months of research and testing. We only have 5 to 10 days for the entire project: Information gathering, execution and reporting.

So, trying to replicate the real-time flow of an attack's entirety is unworkable and trying to emulate it in such a narrow time only yields results that are not close to reality, thus generating false security in the collaborators involved in the simulation.

For this we were obliged to look for processes and techniques that would place us in a realistic scenario of high reach.

Phillip Wylie is a Lead Curriculum Developer at Point3 Federal, Adjunct Instructor at Richland College, and The Pwn School Project founder. Phillip has over 23 years of experience with the last 8.5 years spent as a pentester. Phillip has a passion for mentoring and education. His passion motivated him to start teaching and founding The Pwn School Project. The Pwn School Project is a monthly educational meetup focusing on ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Dallas College in Dallas, TX. Phillip holds the following certifications; CISSP, NSA-IAM, OSCP, GWAPT.

Talk: The Pentester Blueprint: A Guide to Becoming a Pentester

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

Venkatraman K is a passionate Information Security enthusiast from India who is working as a Security Analyst in a Cyber Security Startup.With over 3 years working in the different subdomains of cyber security, Venkatraman is constantly find myself engaged with learning, reading, discussing info-sec, participate in the CTF Challenges, conducting workshops and webinars on cybersecurity, participating in bug bounty programs, writing blogs and spent my weekend nights solving Hackthebox Challenges. Follow his blog (https://r3dw0lfsec.in/) for awesome Infosec Articles.

Task - Demystifying Common Active Directory Attacks

Active Directory is used by more than 90% of Fortune 1000 companies, the all-pervasive AD is the focal point for adversaries. This paper would demonstrate the common attack scenarios in an Active Directory environment that can be witnessed in an Infrastructure Assessment. Some of the attacks would be briefed along with wireshark, to understand the packet flow.The presentation begins with briefing basics of Kerberos Authentication such Key Distribution Center, Ticket Granting Ticket , Ticket Granting Service etc. and their role in authentication flow. This presentation would give insights about the active directory attacks which include:

• AS-REP Roasting attack
• Kerberoasting attack
• Kerberos Golden Ticket attack
• Kerberos Silver Ticket attack
• DCSync Attack
• DCShadow Attack

Aniketh is a First-year doctoral student at IMDEA Networks Institute and University Carlos III de Madrid(uc3m), Madrid, Spain. His research interests lie in the intersection of systems and networks in the broadest sense with a particular focus on QoE, security, privacy, measurement and deployment of Internet protocols. Prior to joining IMDEA, he completed his Bachelors in Technology(B.Tech) from Amrita Vishwa Vidyapeetham, India. During his bachelors, he interned at Rochester Institute of Technology, USA and also was a Research Associate Intern at the IIJ Innovation Institute (IIJ-II). His work focused on Email and DNS Security extensions, and Process-based Isolation with Linux Unikernels respectively during these internships. Aniketh has also published his research in International peer-reviewed conferences such as USENIX Security’20. Further, Aniketh has also been selected as a Google Summer of Code student twice to work with open source organisations like KDE in 2017 and GNU Linux in 2018. As a Google Summer of Code project in 2018, He worked on implementing DNS over HTTPS into GNU Wget2 resolvers. Previously he has been invited to speak at conf.KDE.in ’17 in India, Randa meetings'18 in Switzerland, Akademy'18 in Austria, LGM'18 in Spain, Akademy'19 in Italy, DevConf'19 in Czech, FOSSdem'19 in Belgium, Apricot'20 in Australia.

Talk: Email security with DANE: Empirical Analysis of DANE for SMTP in the wild.

At the initial design of SMTP as well as DNS, these protocols didn’t have a security mechanism or an extension to encrypt the messages and for authentic conversation. Particularly with SMTP, the STARTTLS extension was introduced, which initiates a TLS handshake for encrypted SMTP communication. Due to its opportunistic nature, attackers could always force STARTTLS to fallback to non-TLS exchange. Opportunistic STARTTLS is vulnerable towards active attacks such as BGP Hijacking, DNS forging, STRIPTLS and much more. Hence, a recent evolution of the security prospects of Internet protocols introduces a new protocol called DANE which could be coupled with SMTP to mitigate the risk by providing secure TLS support.

In the case of authentication for DNS, DNS-based Authentication of Named Entities (DANE) standard was introduced, which establishes a chain of trust rather than relying on trusted third parties like CAs by publishing a DNS TLSA(Transport Layer Security Authentication) record. DANE establishes a TLS connection between the client and servers using the Domain Name System’s Security Extensions (DNSSEC) PKI to achieve integrity and authenticity.

Therefore, DANE can only work correctly if each of the principals in its PKI performs duly: through their DNSSEC-aware DNS servers, DANE servers (e.g., SMTP servers) must publish their TLSA records, which are consistent with their certificates. Similarly, DANE clients (e.g., SMTP clients) must verify the DANE servers’ TLSA records, which are also used to validate the fetched certificates.

There is increasing growth in the DANE supported mail providers like Comcast, GMX, mail.com and much more. We conducted an evaluative study on popular 30 email service providers, and four popular MTA and 10 DNS software programs. Our study reveals the prevalent mismanagement in the DANE ecosystem. The talk dives deep on the above-mentioned concepts of Risks of STARTTLS, DNSSEC and DANE. Further, Aniketh will also be speaking about the large-scale, longitudinal, and comprehensive measurement study he did along with his research group and discovered many results such as 36% of TLSA records cannot be validated due to missing or incorrect DNSSEC records, and 14.17% of them are inconsistent with their certificates and much more within the Email ecosystem using DANE and it’s sister protocols. Moreover, he will be speaking about how well the DANE standard is and its relevant protocols are deployed and managed.

Roberto Rodriquez is a Threat Researcher and Security engineer at the Microsoft Threat Intelligence Center (MSTIC) R&D team.

He is also the author of several open source projects, such as the Threat Hunter Playbook, Mordor and HELK, to aid the community development of techniques and tooling for threat research.

Blog at https://medium.com/@Cyb3rWard0g 

Follow Roberto Rodriguez on Twitter (@cyb3rward0g)

Talk: Sharing Open Datasets with the World to Develop Detections from Home

As a defensive security practitioner, researching a new technique used by real threat actors to compromise an environment is not as simple as copying, pasting, and running a query. Besides learning about the internals of a technique and ways how it can be executed, eventually, one would need to simulate it. As you may already know, the simulation process takes time and preparation, and usually, the time spent trying to generate data is higher than actually analyzing data. What if we can share the data we generate after simulating an adversary? How many teams can we help out there that might be struggling simulating adversaries or that might not have much time to do it? What if we can centralize the efforts to collect and share data with the community? Enter Mordor!

Vishal is a Director and head of Technology & Security Assurance vertical at Adobe. He has diversified experience leading and delivering on Risk Management, Tech & Security compliance & Cybersecurity related initiatives. He has been working on the “Continuous Security Compliance” strategy to bring in operational efficiencies by reducing the compliance fatigue augmented with automated monitoring to detect (and predict with use of AI & ML) non-compliance in real time. Along with being a speaker at some of the renowned international conferences like RSA & ISACA North America, he has been an avid security researcher and author of numerous security articles.

Talk: Meet the Bots our new Security Auditors

Robotic Process Automation (RPA) brings in the new category of workforce i.e. the bot work force which will augment the current human workforce and help drive the scalability, excellence and growth in a cost-efficient manner. Bots are our next-gen security compliance professionals. They will be performing security testing, configuration checks, compliance validations across cloud and on premise setup; real time round the clock i.e. “Continuous Security Compliance”. These checks and compliance testing could be customized based on leading security standards like ISO 27001/SOC 2/NIST & others. With the help of these automated bot workflows we can not only detect but also predict non-compliance before it actually happens. Foundation has been laid, bots are out there; it’s time to unleash and use them to their full potential.

Ravi is a Project Manager for Technology Audit & Operations at Adobe. He leads the “Continuous Security Compliance” strategy for Risk Advisory and Assurance Services team which aims to build a framework that enables to continually review the security and compliance posture of business processes w.r.t adherence to and deviations from baseline levels of effectiveness, and to gather data that would improve the quality of audits, detect risk issues and provide greater management visibility.

Talk: Meet the Bots our new Security Auditors

Robotic Process Automation (RPA) brings in the new category of workforce i.e. the bot work force which will augment the current human workforce and help drive the scalability, excellence and growth in a cost-efficient manner. Bots are our next-gen security compliance professionals. They will be performing security testing, configuration checks, compliance validations across cloud and on premise setup; real time round the clock i.e. “Continuous Security Compliance”. These checks and compliance testing could be customized based on leading security standards like ISO 27001/SOC 2/NIST & others. With the help of these automated bot workflows we can not only detect but also predict non-compliance before it actually happens. Foundation has been laid, bots are out there; it’s time to unleash and use them to their full potential.

Abhijith also known by the pseudonym Abx, has more than a decade of experience in the Information and Cyber Security domain. Currently Leading offensive security operations for a global FinTech company. Formerly the Deputy Manager - Cyber Security at Nissan Motor Corporation, previously employed with EY as a Senior security analyst.

He is the founder and organizer of https://RedTeamVillage.org, a red teaming community which actively organizes hacking villages and CTF competitions, also acts as the Lead Organizer of an official DEFCON Group (https://dc0471.org/) He has recently started running https://tacticaladversary.io/ blog.

Abhijith has spoken at various cyber security conferences such as Nullcon, c0c0n, BSides Delhi, OWASP Seasides, DEFCON 28 safemode - DCG Village, The Diana Initiative, Opensource India, Kerala Police CodeSec etc

Talk: Five phases of IRTOF: Kickstarting your organization's Red Team Operations programme

This talk is about building a practical internal red team. This is not an easy task. For organizations, it is essential to have an internal offensive team to continuously perform adversarial simulation to strengthen the security posture and enhance blue team capabilities. Many variables needs to be taken care of before going forward with such an initiative. Most important thing would be assessing the progress and maturity of the red team building process.

Explains various steps to create an internal offensive team/red team from scratch and increasing the capabilities gradually on different phases. This talk introduces a proven way of building internal offensive teams, Internal Red Team Operations Framework. (IRTOF)

CCSP, CISA, CRISC, CISSP, CISM, ex-PCI QSA, ISO 27001

An Information Security professional by choice and Trainer/teacher at heart. She has over 12 years of experience in Cloud Security, Financial & Regulatory Compliance, IT Audit, Payment Security, HIPAA, Information Security, PCI DSS and Privacy and Risk Management and has handled many Information system audits. Has lead Compliance Program at leading payment gateways, Banks, Third Party Processors, IT companies, and BPOs in different geographical locations including India, US, Dubai, Abu Dhabi, Kuwait, Morocco, Singapore, Philippines and UK She has been Invited Speaker for many international forums including

PCI SSC community meeting ISACA, Delhi Chapter and CISO Platform. Ex- Director SSO (ISC)2 Bangalore Chapter and has been featured on PenTest cover magazine. She has been contributing to various security magazines and blogs on a regular basis.

Currently Leading FSI compliance for India region with AWS.

Talk: Cloud for Financial and Payments Regulated data

• Common Cloud Security and Compliance FUDs(Fear, Uncertainty and Doubts )
• ‘Security of the Cloud’ & ‘Security of the Cloud’
• India Financial Regulatory  Compliance requirements for Cloud
• AWS Security and Compliance Best Practices
• Why and How: Compliance on AWS
• Resources

Rushikesh Nandedkar is an engineer at FireEye Inc. His assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon '14,'18 & '20, HITCON '14, Defcamp '14, BruCON '15 '16 '17 '18,'19 DEFCON 24, x33fcon '17, '18, '20, c0c0n-X '17, BSides Delhi '17, BlackHat USA '18, DEFCON 26, DEFCON 27, BlackHat USA 2019 + Co-author of DECEPTICON, an intelligent evil-twin, DARWIN (A parasite covert wireless network) and SASTRI: Plug and Play VM for SAST/*Static Application Security Testing Realtime Integration*/ . Being an avid CTF player, for him, solace is messing up with packets, frames, and shellcodes.

Talk: Operational Tech binaries and the tale of deductions !

The proposal speaks of the tactics used to solve various problems while deducing the behaviour of binaries for Cyber Physical System's functional aspect. In this endeavour traits considered are: Strings, symbolic buffer/strings in memory, yara rules, functions of interest, import hashing, API call sequence, device probe, network probe etc. While the shallow approach explains strings in static form and symbolic buffers, we tried reach the depths of formal methods and symbolic execution to carve out inputs consumed by the functions of interest and deducing the behavioural traits out of it.

Munawwar Hussain Shelia works as an IoT Security Researcher at Payatu, where his full-time responsibility involves looking for bugs in customers IoT Devices and developing tools for pen-testing. He has a background in Computer Science and descent software development experience, having a development background helps him to think how products are designed and created which help him to break them viciously. He has delivered "Practical IoT Hacking" Training in Nullcon 2019, and a workshop on the same topic in CPX 360 (2019). He has also delivered a talk in c0c0n conference in 2020. His main focus areas are Reverse engineering, Binary Analysis, Malware Analysis and Software Exploitation, he also writes about this on his blog taintedbits.com. He has also delivered training to numerous private organizations around the globe. He has discovered and reported vulnerability (CVE-2020-12763) in IoT Device and has also published a paper on Android Malware.

Talk : Firmware Reverse Engineering - a pragmatic approach