Schedule

Time           Speaker                    Subject
08:30 – 09:00                             Registration (drinks and snacks)
09:00 – 09:15                             Opening Ceremony
09:15 – 10:00  Mackenzie Jackson          The AI survival guide: Practical advice for stressed-out security workers
10:00 – 10:45  Bojan Ždrnja               QUIC and Furious
11:05 – 11:50  Zhassulan Zhussupov        Malware and Cryptography
11:50 – 12:30  Vlatko Kosturjak           Linux improvements in memory corruption based protections
12:30 – 14:30                             Lunch Break (a finger food lunch is organized, or visit nearby lunch locations: tinyurl.com/2p8uppaw)
14:30 – 15:15  Michel de Crevoisier       SIEM vs EDR: the fight for a holistic and combined approach
15:15 – 16:00  Solar Designer             Linux kernel remote logging: approaches, challenges, implementation
16:20 – 17:05  Daniel Kapellmann Zafra    Showing Off Their SCILz: Sandworm Disrupts Power in Ukraine Using Novel Attack Against OT
17:05 – 17:50  Davor Frkat                Automotive Security Challenges: Supplier’s View
17:50 – 17:55                             Closing Ceremony
17:55 – ∞                                 Hangout at Trezor

The AI survival guide: Practical advice for stressed-out security workers

Presentation: The AI Survival Guide – Mackenzie Jackson

In today’s fast-paced digital world, where technology evolves faster than memes go viral, the rise of Artificial Intelligence (AI) has left stressed security professionals feeling a bit like they’re playing catch-up in a never-ending game of cybersecurity whack-a-mole. In this presentation, we’re here to serve up the ultimate AI survival guide, complete with practical advice and live demos to help you stay one step ahead of the cyber chaos.

Section I: What is AI

We are all familiar with the saying "you are what you eat". If that is true, then AI models are what they consume (or are trained on), which is mostly trash. In the first part, we will explore how AI models are trained, including looking at the most common training set, the ‘Common Crawl Database’, and why generative AI can consume trash and still sound so smart. We will also dive into the different types of AI, such as LLMs vs generative AI, predictive AI, and contextual AI, exploring how each brings with it security benefits and risks.

Section II: AI in the wrong hands

AI is here to stay, and malicious actors are just as excited about its possibilities as college students preparing their final essays. In this section, we will explore with demos how malicious actors can use AI tools for nefarious activities, including abusing AI hallucinations, poisoning datasets and using prompt injection to get to the hidden treasures of an AI model.

Section III: Using AI

During this section, we will discuss some of the many ways AI can help stressed-out security professionals, including providing context to alerts, improving our ability to detect behavioral changes, predicting attack paths and even using it to improve security training.

Conclusion

AI is neither good nor bad, but it is here to stay. By reviewing how malicious actors use AI, the risks that come with it, and the benefits it brings, this survival guide will help any stressed-out security personnel navigate the changing landscape.

About the speaker

Mackenzie is a developer and security advocate with a passion for DevOps and application security. As the co-founder and former CTO of the health tech company Conpago, he learned first-hand how critical it is to build secure applications with robust developer operations.

Today Mackenzie continues his passion for security by working with the GitGuardian research team to uncover the latest trends malicious actors are using. Mackenzie is also the host of The Security Repo podcast, an established security writer and an experienced global speaker, and has appeared as an expert in documentaries and television broadcasts.

QUIC and Furious

Presentation: QUIC and Furious – Bojan Ždrnja

The QUIC protocol has slowly (pun intended) made its way into our networks. While most people are vaguely aware that QUIC is used with HTTP/3, the number of supported protocols keeps increasing every day – today we can use DNS over QUIC (DoQ) as well as the dreaded SMB over QUIC (thanks Microsoft!).

As these new protocols are being pushed into our client applications (sometimes without us being even aware of the change), new attack vectors are being opened. The default encryption and complex nature of QUIC, while beneficial for privacy and data integrity, also provide a shield for malicious activities, making it harder for network administrators and security professionals to detect and mitigate threats.

In this presentation we will dive a bit deeper (as much as time allows) into the QUIC protocol to see why it is so interesting. We will also analyze the three most common use cases, HTTP/3, DoQ and SMB over QUIC, to see both how attackers can (ab)use these protocols and what defenders can do to identify and perhaps prevent such misuse.

About the speaker

Bojan is the CTO of Infigo, where he also leads the offensive security team, which is one of the largest in the region.

He is also a Certified SANS Instructor, where he teaches the popular SEC542 (Web application penetration testing) course, of which he is also a co-author.

Besides this, he uses every opportunity to trade the routine of Outlook for the thrill of engaging with advanced offensive security tools.

Finally, he is also a senior SANS Internet Storm Center (ISC) handler, where he gets a chance to play with the latest attacks.

SIEM vs EDR: the fight for a holistic and combined approach

Presentation: SIEM vs EDR – the fight for a holistic and combined approach – Michel de Crevoisier

Defenders' mindsets and detection technologies are bound to keep evolving as attackers' arsenals continuously grow. In effect, the rise of security solutions like EDR opened a new era in the fight between attackers and defenders. However, by becoming a new key player, EDR has also become a first-rate prey.

In this talk we will investigate different EDR evasion operations perpetrated by attackers. We will demonstrate the necessity of a holistic and combined approach together with a SIEM solution in order to anticipate attacks that are becoming more and more sophisticated and cunning.

About the speaker

Michel has been a Senior Security Analyst and Detection Lead in the Cyber Defense Center of K-BusinessCom since 2022. Before that, he worked for five years as a Security Analyst, developing threat detection solutions and investigating modern attacks. During his professional career, he has held several positions as a system and network administrator as well as a security architect in France, Spain and Austria. In addition to his practice, Michel contributes to the SOC Prime platform as a Threat Bounty Developer and regularly speaks at security conferences. He is also a guest contributor at Red Canary and the author of several threat detection projects available on his GitHub.

Linux improvements in memory corruption based protections

Presentation: Linux improvements in memory corruption based protections – Vlatko Kosturjak

Recent developments have brought advances in safeguarding against memory corruption bugs, incorporating stack-based protections at both the hardware and software levels. Notably, Linux has recently implemented additional protective measures on the Intel platform, specifically through the introduction of a shadow stack. It is therefore a great time to delve into this topic.

About the speaker

Vlatko Kosturjak serves as the CTO at Diverto, with over two decades of dedicated experience in the fields of information security and cybersecurity. His diverse roles over the years have equipped him not only with a comprehensive understanding of security governance but also with deep insight into the intricate technical facets of security. Regardless of the position, the overarching goal remains consistent: assisting clients in attaining their desired levels of security.

Vlatko finds joy in both breaking and building security controls. Beyond his commitment to security, he harbors a deep passion for open and free software. This passion has manifested in the creation of numerous popular open-source offensive tools and contributions to various renowned free security software projects.

Throughout his extensive career and in his continuous pursuit of knowledge in the dynamic field of cybersecurity, Vlatko has acquired a long list of certifications, including CISSP, OSCP, CISM, and many more.

Automotive Security Challenges: Supplier’s View

Security researchers often have more questions than answers in this domain. The aim of this talk is to give some insights from the supplier’s view. So get in and let me take you on a short road trip through the current threat landscape. Let me show you how the industry picks up speed on vulnerability and incident management, puts the brakes on emerging threats and puts the pedal to the metal on new security features and solutions. New standards and regulations are popping up as traffic signs to lead the way, but there are many other challenges suppliers have to navigate together with car manufacturers, such as holistic vehicle system security.

About the speaker

Davor is a Security Engineer at Bosch Engineering, an automotive supplier. Currently he is assessing security risks, working on security concepts and is part of the product vulnerability and incident response team. So far, he has worked on security concepts for a wide range of products and has also gathered experience as a software coordinator for security feature development. Based in Vienna. Also likes trains.

Linux kernel remote logging: approaches, challenges, implementation

Presentation: Linux kernel remote logging – Solar Designer

This talk is based on research conducted for our Linux Kernel Runtime Guard (LKRG) project, which is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel. Delivery, storage, and processing of LKRG security events to/on a remote system is a natural extension of LKRG’s functionality. Remote logging is also valuable on its own, including for troubleshooting and post-mortem analyses of (non-)security incidents, where the system’s local logs might be unavailable, incomplete, or tampered with. In this talk, I’ll start by briefly examining pre-existing remote logging solutions and their suitability. Then I’ll proceed to our own considerations and choices for transport and security protocols and software design, including many of the challenges and trade-offs encountered. Finally, I’ll introduce and demonstrate the initial implementation in LKRG, to be released in time for the talk, as well as its integration in Rocky Linux via the Security SIG package.

This research and initial implementation have been sponsored by Binarly, a software supply chain security platform, whereas the public release, Rocky Linux integration, and this talk are due to my work at CIQ, the primary corporate sponsor of Rocky Linux.

About the speaker

Alexander Peslyak, better known as Solar Designer, is the founder of Openwall, a community project and professional services company focused on the security of Open Source software. He achieved a number of “firsts” in (anti-)exploitation of memory corruption vulnerabilities, co-authored much of Openwall’s software including John the Ripper and other password security tools, and runs the oss-security and (linux-)distros mailing lists – among many other past and current activities. Alexander has spoken at numerous international conferences.

Showing Off Their SCILz: Sandworm Disrupts Power in Ukraine Using Novel Attack Against OT

Presentation: Showing Off Their SCILz: Sandworm Disrupts Power in Ukraine Using Novel Attack Against OT – Daniel Kapellmann Zafra

In late 2023, Mandiant released an investigation into an event where Russian-sponsored actor Sandworm targeted a Ukrainian critical infrastructure organization with a layered, disruptive attack that leveraged a novel technique for impacting operational technology (OT) environments. In this attack, Sandworm used OT-level living off the land (LotL) techniques to trip the victim’s substation circuit breakers, causing an unplanned power outage. Sandworm then conducted a second disruptive event by deploying wiper malware in the IT environment.

This attack represents the latest evolution in Russia’s disruptive playbook, which has been increasingly visible since the recent invasion of Ukraine. The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute cyber physical attacks.

During this presentation, I will describe this operation and dive deep into the specific components of the attack from an OT security perspective. I will also discuss its implications in terms of the tactical evolution of attacks against physical production systems during the war in Ukraine. Lastly, I will wrap up the presentation by looking at what defenders and researchers should expect from future cyber physical attacks, based on our analysis of this and other OT events during the last couple of years.

About the speaker

Daniel is a Technical Analysis Manager for Google Mandiant, where he oversees the strategic coverage of cyber physical threat intelligence and information operations. He also coordinates the development of solutions to collect and analyze data. He is a frequent speaker at international conferences discussing topics related to operational technology security. As a former Fulbright scholar from Mexico, he holds a master’s degree from the University of Washington specializing in Information Security and Risk Management. In 2017, he was awarded first place at Kaspersky Academy Talent Lab’s competition for designing an application to address security beyond anti-virus.

Malware and Cryptography

Presentation: Malware and Cryptography – Zhassulan Zhussupov

Research in the field of bypassing AV solutions and the role of cryptography in malware development. Application of classical cryptographic algorithms for payload and C2 communication encryption. Practical research has been carried out: the results of using the Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, MMB, Kuznechik, etc. encryption algorithms have been analysed.

The application of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection score, and how applicable is it for bypassing AV solutions (AV bypass)? In some of the researched practical cases, we get FUD malware that bypasses Kaspersky and Windows Defender, and ESET NOD32 in some practical cases. Reverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, etc. Discover new tricks from Russian APT29-related malware.

Practical implementation and simulation of APT attacks and ransomware simulation using less common cryptographic algorithms. Practical reimplementation of ransomware decryptors.

About the speaker

Cybersecurity enthusiast, author, speaker and mathematician. Malpedia project contributor.

Author of https://cocomelonc.github.io/ blog.

Author of popular books:
https://cocomelonc.github.io/book/2022/07/16/mybook.html
https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

Author and tech reviewer at Packt. Co-founder of MSSP LAB (research), author of many cybersecurity blogs and of HVCK magazine. Speaker at BlackHat, Arab Security Conference, hack.lu, Standoff and Offzone conferences.