This optional session is for our speakers only and offers the opportunity for them to meet and network with their fellow speakers the night before the event kicks off. In addition, we will be hosting a dinner for all our speakers.

This talk will be dedicated to the overview of the current attacks on Ukrainian infrastructure in 2022 and incident responses carried out by CERT-UA. We will share tactics and instruments used by the attackers when targeting governmental institutions and infrastructure as well as challenges when conducting cyber investigations and interacting with affected organizations.

All registered teams to assemble in the designated pods.

CTF 101 - A chance for attendees new to Capture The Flag challenges to hear from the technical team that develop our challenges and to learn about the tools and approaches commonly used to solve them. A great preparation for tackling this year’s CTF.

Abstract: One major use case for SOAR, and orchestration in general, is to ease the burden of rote manual tasks that are required to investigate and respond to a threat. ThreatQuotient recently undertook market research in the UK around security automation yielding interesting results and some actionable information. In this talk, Leon Ward, VP of Product Management at ThreatQuotient will introduce those survey highlights, and the importance of moving from an orchestration-based reactive posture to an automation-based anticipatory posture. What is the difference between a sequential playbook vs. a continuous security operations activity. He will develop the following: 

• Data automation to best anticipate risks according to your maturity 
• How to protect yourself from future threats through automated retrospective analysis 
• How to improve the efficiency, time savings and coordination of CTI teams

Cyber attackers are crawling the Internet constantly, looking for any vulnerabilities to exploit within organizations’ Internet-facing and cloud assets. Organizations and their security teams implement cloud data protection solutions, but unknown — and unsecured — assets remain. How can companies prevent and protect from attacks in a comprehensive way? They need to think like an attacker.

Standing intelligence requirements are crucial for any organisation looking to adopt a forward-leaning security posture. However many organisations either haven’t developed requirements, or their existing requirements are so broad that security teams struggle to operationalise them. This talk outlines a few tactical steps organisations can take in order to develop requirements quickly and impactfully as a first step toward building a more robust intelligence apparatus.

We have a wealth of intelligence on some of our adversaries, but what happens when we’ve combined so much into the same threat group that it’s become unrecognizable? Many of us follow APT groups that have now been around for years or even decades, but like the Ship of Theseus a group might use no behaviors today in common with their activity a decade ago. We have a different but parallel problem with ransomware, affiliates of a group often act independently with few behaviors in common with each other. In both cases it’s typical to pull everything we know together and track it under a single threat group, but we’re losing information along the way that we could use for our defense. In this session, Adam will cover how we often combine wildly disparate intelligence related to threat groups and how that may be impacting defensive teams’ ability to leverage that intelligence. He’ll work though specific examples of threat groups that have undergone large changes over time and have many facets that have been commonly combined. Finally, Adam will share experiences from the MITRE ATT&CK team’s efforts to improve our publicly available threat group profiles through the introduction of “campaigns” and restore some of the context that’s been lost combining intelligence.

"Women and Allies in Cybersecurity"

All registered teams to assemble in the designated pods

Vulnerabilities will continue to appear, but we don't just have to react to them. We can predict their volume up to a year in advance +/8%. That's bound to get better, but we might be able to predict even more...how many will come from a specific vendor? How many will be CVSS > 7? How many will be network facing?Using these techniques we could make the blue team less reactive and more strategic. We could plan team sizes and simulate patching schedules. We can talk about how many vulnerabilities really matter, and how to get ahead of the problem.

At Fox-IT and NCC Group, we are always looking to push our incident response capabilities to the next level. Because no adversary, no matter how high-end, should be beyond our reach. This led to the development of "dissect", a proprietary enterprise investigation framework that we will now open source and share with the world.

Dissect supports us, the analysts, from the moment of acquisition of artifacts, to normalisation and processing.

Dissect frees us from limitations by data formats and platforms and takes away concerns about how to access investigation data. We can now focus on performing analysis, developing complex analysis plugins or performing research. You know, the cool stuff that we brag about on birthday parties.

With dissect, we can go from intake call to patient zero in a matter of hours, even in infrastructures with thousands of systems. For example: we created a method to plug directly into a hypervisor and can now collect forensic data from virtual systems with zero downtime and effort, eliminating traditional software deployment bottlenecks. We're quite proud of that. 

Attendees will learn about dissect, its capabilities and our methodology. And afterwards they can dive right in, because everything is now open source!

The security industry is awash with an overwhelming volume of threat reporting—both public and private. We commonly bemoan the confusing opaque proliferation of named threat groups, but we rarely take the time to think about how and why they’re created. In this talk, Katie will shine a light on the often-confusing world of threat groups, presenting real-life examples of how and why different teams classify and create threat groups. Katie will examine the inherent challenges of group creation, including how teams structure data, decide what constitutes “similar enough” activity, and evolve group definitions over time. Attendees will learn several strategies for classifying threats and creating groups so they can choose the methodology that works best for their team—and embrace the fun of clustering new threats!

The cyber threat landscape is constantly evolving. The need for up to date and accurate information on the current cyber threat landscape is growing and is becoming key for assessing risks.To respond to this need, the European Union Agency for Cybersecurity (ENISA) introduces an open and transparent methodological framework to develop targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes.

While increasing confidence in the services offered to attendees, with the present methodology the Agency aims to make available to all interested parties a method for generating their own cyber threat landscape by applying six principal steps. By adopting and adapting the proposed CTL approach, attendees can enhance their ability to build situational awareness, monitor and tackle existing and potential threats.

A practical example of how the methodology is applied is the Ransomware threat landscape.The Ransomware report aims at mapping and studying the ransowmare that were discoveredfrom May 2021 and April 2022it will present trends and patterns observed since ransomware attacks have shown an increase for Q4 of 2020 and Q1 of 2021.

From proactively hunting for attacker infrastructure, to placing the exploitation of vulnerabilities on a timeline often obscured by large spikes in activity. This talk will explore ways in which we can enrich our understanding of the threat landscape beyond that which is shared in threat feeds and reports.

BazarCall was a campaign by WIZARD SPIDER in 2021 to socially engineer the delivery of BazarLoader. The use of callbacks for data extortion is a novel technique and demonstrates how adversaries will adopt their initial access techniques to breach a network. In this presentation CrowdStrike will discuss a 2022 callback phishing campaign that was likely conducted by the same threat actor responsible for BazarCall and highlight the differences this time round.

Nation-state threat actors are often notorious for their evasive techniques and illusive trails that they leave behind. Among them, China stands out with innumerable successful operations, showcasing broad capabilities and novel approaches.

In this talk, we will go over the Chinese-linked Winnti Group, AKA APT41, in their recent operation, abusing Windows' Common Log File System (CLFS) mechanism in a unique way, to hide their malicious payloads.

We will start by walking down the history of this group, describing their motivation and evolution. Then, we will present our most recent tackle with the group; beginning with an innocent alert and progressing to a full Incident Response engagement, leading us to months of research. This research uncovered a multi-staged Cyber-espionage campaign that has stayed in the dark for years by leveraging the Windows CLFS mechanism as its hiding place.

The presentation offers a unique glimpse into the Wintti intrusion playbook, covering the techniques that were used by the group from initial compromise to data exfiltration, including their latest undocumented and newly discovered payloads.

Throughout this talk, we shall familiarize our audience with Winnti's TTPs, and present relevant ways to prevent such attacks in the future. We hope that by uncovering this story, blue teams will get more intimate with the group, to detect more operations like this in the future.

There is a problem of Nigerian youth increasing getting involved in social engineering attacks for financial gain. The victims of this problems loose millions of dollars, also of the victims are in the global north.The presentation cover the depth of the problem, and the effects, it also seek to present alternative means of curbing the problem by getting various stakeholders involved in the process this cybersecurity mitigation.

One of the greatest challenges for SOC and Incident Response teams is identifying advanced, unknown, highly evasive malware and targeted phishing quickly. Security teams are flooded daily with alerts from different sources and are expected to rapidly spot the “needles in a haystack” – the alerts that signal a real threat. Successful intervention depends on how fast an Analyst can determine which alerts are valid, and which alerts are time-wasting False Positives, only causing a drain on team resources.

With the right tools in place, advanced threats and alert fatigue don’t have to overwhelm your security teams.

Electronic Flight bags (EFBs) are typically tablet computers that the pilots use to work out how much power to use in order to safely and efficiently take off and land. We’ll demonstrate vulnerabilities in several popular EFBs, then show how these security flaws can be exploited to jeopardise the safety of a flight. Numerous incidents, some involving hull losses, have occurred over recent years as a result of mistakes or misinterpretation of EFB data. Real incidents involving miscalculation of weight and balance, runway ‘excursions’, tailstrikes and controlled flight in to terrain. What can we learn in ‘cyber’ from aviation safety culture, and how can we help improve cyber in aviation?

With an increasing number of macOS being adopted in enterprise endpoints, adversaries are beginning to adapt to a change in the threat landscape for endpoints. The introduction of the macOS shortcuts app released in 12.3 (Monterey) is designed to execute a series of bundled actions in a single triggered execution. Due to its ease of use and sharing capabilities, many app developers, as well as adversaries, have begun adopting it, blurring the line for us investigators. This presentation explores how the shortcuts app can be abused to get a reverse shell and perform various enumeration activities in addition to detecting them.

Iran-based threat actor Yellow Liderc, which is commonly known as Tortoiseshell or TA456, first gained public notoriety in 2019 for its specific interests in US military veterans and Middle East IT organisations. PwC has tracked this threat actor targeting a broad range of organisations throughout the US, the Middle East, and Europe, including one from this year that services multiple sectors from energy to aerospace.

Yellow Liderc is best known for its social engineering efforts, which include setting up fake social media accounts such as “Marcella Flores”. However, this talk will highlight Yellow Liderc’s adaptability and persistence, drawing out the threat actor’s use of off-the-shelf and custom malware such as PowerShell backdoors and infostealers. We will also present evolutions in Yellow Liderc’s tradecraft, discussing new obfuscation techniques and new command and control (C2) methods.

Furthermore, while open source has previously attributed Yellow Liderc to Iran’s Islamic Revolutionary Guards Corp (IRGC), we will touch on previously unreported associations to Emen Net Pasargad (a.k.a. Ilia Net Gostar) - an organisation most famously known for being sanctioned in late 2021, due to its involvement in an influence campaign targeting the 2020 US presidential election. Ultimately, we will leave attendees with a more comprehensive understanding of Yellow Liderc’s activity, by providing granular insights into its victimology, updated visibility into its tactics, and additional context into the threat actor’s real-world attribution.