The implementation and analysis of code that compiles differently each time it is downloaded. Regardless of the solution itself (interesting as well), an analysis of the data collected server-side will be presented and discussed.
Bio:
Grzegorz Tworek – second-generation IT professional. Since the nineties, he has been actively writing, blogging and speaking about security, especially when it comes to Microsoft solutions. During his career, he has built and managed different security teams, written dozens of tools, put some hackers in jail and got some others out of jail. Awarded the Microsoft Most Valuable Professional award more than ten times.
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
With the existence of malicious drivers, there is a need for those who can analyze identified samples. This analysis requires specific knowledge of the Windows operating system, which can be difficult to acquire. Windows drivers and the kernel can be overwhelming to learn about, as these topics are vast and highly complex. The documentation available on these subjects is daunting and difficult to navigate for newcomers, even for those with programming experience.
This initial hurdle and steep learning curve create a high barrier of entry into the subject. To many, the kernel space seems to be an arcane and hidden part of the operating system.
This presentation will be a high-level introduction into drivers, their usage by malicious actors and the Windows kernel. No previous experience of drivers is required.
Bio:
Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as FSec, Bsides, Virus Bulletin, RSA, CARO, AVAR, BalcCon and others.
Talk: Exploring malicious Windows drivers (Vanja Svajcer)
Cloud incident response can be daunting, requiring a plethora of tools and skills. While most cloud-based startups can’t allocate budget for preventive controls, there is even less room for them to understand what to do if they are hacked.
That’s why I created Dredge, an open source framework designed to streamline cloud incident investigations by allowing cloud engineers and incident responders to execute non-trivial response tasks effortlessly, irrespective of their familiarity with specific cloud platforms or incident response tactics.
The main idea is to empower engineers to respond to attacks no matter what preparation they had before, taking advantage of the out-of-the-box security features cloud providers offer but not everybody is aware of, like being able to retrieve a forensic image from a running server or getting logs that they didn’t know they had.
Some Key Features that differentiate Dredge from existing tooling:
Python-based CLI
Retrieve logs seamlessly from GitHub, Kubernetes, AWS, GCP or Azure.
Take action: whether it’s blocking an IP in an AWS tenant, disabling an AccessKey, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.
Identify tactical misconfigurations that can be exploited by an attacker.
Create an attack timeline based on IOCs.
Analyze retrieved data effortlessly within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.
Cloud Incident Response Guidelines for companies to embrace and build their playbooks.
I am going to present two common Cloud Based Attacks based on real case scenarios, and show how I can execute incident response tasks to address them:
Admin Service Account Compromise and privilege elevation for account takeover
EC2 Server compromised with malware
I am going to create a demo lab for the session. The presentation will be mostly technical, going through the main complexities that incident response in cloud environments presents, like the non-trivial execution of a server network isolation, and how Dredge takes care of the small steps required to achieve this, always based on real examples that I had to overcome in the past.
Bio:
Santiago Abastante – Ex-Police Officer from Argentina, Cloud Incident Responder and Security Engineer with 10+ years of IT experience.
Talk: Dredge: An Open Source Framework for Cloud Incident Response (Santiago Abastante)
The approach of this presentation will be to look at the layers in a Kubernetes cluster stack, including common add-on components, and highlight places where attackers can bypass common detection mechanisms and use container features to hide their cluster access. Before we discuss specific attacks, we’ll mention how common default configurations have led to a large number (1 million+) of Kubernetes cluster nodes being directly connected to the Internet, making the job of attacker persistence easier.
We’ll then start looking at persistence at the container layer, looking at containerd and CRI-O to talk about how attackers can create containers that aren’t easily visible to cluster-level tooling.
At the node level we will also discuss how it’s possible to use static containers and invalid namespaces to add workloads to a cluster without being visible to kubectl or similar tooling.
We’ll also cover how attackers can send traffic directly to the Kubelet API to bypass audit logging and admission control. The Kubelet API is a less well documented attack surface, but is accessible when certain rights are provided at a cluster level.
Then, moving up to the cluster level, the talk will focus on how attackers can create phantom privileged credentials to retain access to clusters for months or years, how those attacks could be detected, and the importance of Kubernetes auditing and log retention.
Bio:
Rory has worked in the Information and IT Security arena for the last 23 years in a variety of roles in information security and penetration testing. These days he spends his work time on container and cloud native security. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA. When he’s not working, Rory can generally be found out walking and enjoying the scenery of the Scottish highlands.
Talk: Beyond the Surface: Exploring Attacker Persistence Strategies in Kubernetes (Rory McCune)
Cross-Site Scripting is no longer a new or hot topic, but as new technologies are introduced rapidly, and with the expansion of cloud solutions and containerisation, classic vulnerabilities may take on new forms. Server-Side XSS is an unusual method to execute malicious payloads on the server rather than the client.
The talk includes multiple demos that walk the audience through an attack chain utilizing multiple vulnerabilities and misconfigurations to escalate privileges, and to transform a seemingly benign vulnerability into a powerful tool for cloud account takeover. In addition to explaining the issue with Server-Side XSS, its limitations and capabilities will also be discussed. Recommendations will be provided to prevent others from making the same mistakes that are already widespread.
Bio:
Balazs Bucsay is the founder & CEO of Mantra Information Security that offers a variety of consultancy services in the field of IT Security. With decades of offensive security experience he is focusing his time mainly on research in various fields including red teaming, reverse engineering, embedded devices, firmware emulation and cloud. He gave multiple talks around the globe (Singapore, London, Melbourne, Honolulu) on different advanced topics and released several tools and papers about the latest techniques. He has multiple certifications (OSCE, OSCP, OSWP) related to penetration testing, exploit writing and other low-level topics and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares it with his peers. Because of his passion for technology he starts the second shift right after work to do some research to find new vulnerabilities.