Learn how to hack smart contracts written in solidity, and exploit DeFi protocols with this hands on security workshop.

This presentation examines how JSON Web Token (JWT) caching works in corporate settings with Azure Active Directory (Azure AD) integration, including Azure AD Joined and Hybrid environments. These tokens, accessible to local users, interface with a variety of authorized protected web services. Local attackers can leverage these tokens to access critical corporate resources, like Outlook, Drive, SharePoint, and Teams. While API access is interesting, its operational implications are not always ideal. On the IBM Adversary Services team, we have developed a few lightweight API clients that utilize these tokens to facilitate graphical access to resources. We will demonstrate some of these clients and expand on their limitations and practical use.

Abusing stolen credentials has been a critical part of the attacker lifecycle, assisting in persistence, privilege escalation, lateral movement, and information gathering. As Azure AD's prominence increases, it becomes crucial for defenders to understand how traditional attacks can take on new forms. This understanding will aid in developing more effective defense strategies in an increasingly cloud-focused environment.

Defend the blockchain using security tools made for smart contracts, to monitor and prevent exploitation.

In this live demo, intro to hardware hacking, we'll introduce you to PulseView - the 'Wireshark of hardware hacking' and we'll unveil a technique behind unlocking a keypad safe, relying solely on its user interface. 

Our approach? A Side-Channel Timing Attack. 

Using an affordable logic analyzer, we'll capture the nuances of response times tied to incorrect passcodes. By leveraging this side-channel data, we will then carefully decipher the true passcode of the safe. Join us in this intriguing journey where time reveals more than just seconds and minutes.

Session details to come.

On-premises to cloud lateral movement should be one of the top techniques in a red teamer’s arsenal. Difficult to detect and pervasive in nature, these techniques attract the likes of APT groups like Nobellium who have increased their focus on abusing identity federation. Techniques like Golden SAML and AD FS skeleton keys provide threat actors the double-edged sword of combining both lateral movement and privilege escalation into a single technique – with the added benefit of leaving little trace in the cloud logs for defenders. 

For a long time, compromise and detection has focused primarily on on-premises techniques, but the ecosystem has shifted, and the cloud is the new frontier. As most organizations utilise cloud services in one way or another – it’s only a matter of time before we see commodity threat groups and other nation states abusing these techniques. This talk aims to break down cloud lateral movement techniques like Golden SAML and AD FS skeleton keys to demonstrate the wide range of possibilities of cloud compromise, and to highlight the future of cloud attacks and the untapped research potential yet to be uncovered.  

Our current administration lists "Defend Critical Infrastructure" as the #1 item in the 2023 National Cybersecurity Strategy. In order to take on this challenging endeavor and provide complete security to our critical infrastructure we must be willing to go deeper than simple vulnerability scans and basic red teaming.  The product security testing methodology of deep enumeration which includes dissecting and understanding proprietary protocols is vital to our success in meeting our nation's objective.  Using a real proprietary protocol this presentation will demonstrate how to dissect, understand and leverage a proprietary protocol for offensive operations.  These skills will become instrumental for our ability as cyber security professionals to be able to discover vulnerabilities and subsequently protect our critical infrastructure.

Adversaries, red teamer's, and bug bounty hunters share some common TTPs, they all do extensive recon on their targets. 

Jason has over 17 years in the external and web space, and while he enjoys a good phish for initial access, he was forged in the fire of externals and bug bounties. Join Jason as he outlines MODERN tools and techniques when targeting an organization and its' people. Jason will cover email acquisition, technology profiling, external attack surface, cloud recon, recon with evasion, recon for speed, recon frameworks, and more!

Jason will walk through each tool and technique in the toolchain, while he reveals his own personal tips and tricks in each section. At the end of this session attendees will come away with a solid methodology to uplevel their external campaigns and find assets that they can leverage for initial access. 

HVCI, CET, Arbitrary Code Guard, Control Flow Guard. These words and acronyms, among others, strike a chord with most vulnerability researchers. Many of these mitigations have been seen in the community as the end of certain binary exploitation techniques. We know, however, that life has continued for vulnerability researchers — although there is now a significant cost associated with exploits. 

Although these “large” exploit mitigations, which came with heavy investment from Microsoft, are notorious — this talk aims to address the “smaller” or “more niche” mitigations, examining why Microsoft would invest in them, and how, when all of these smaller mitigations are put together, they also impose a significant cost to exploitation.

The recent rapid advancements in Artificial Intelligence (AI) and Machine Learning (ML) have prompted executive orders from the current United States administration regarding AI model development. The race for AI and ML models has clearly officially begun with over 60 percent of businesses today believing AI technology will improve customer relationships according to Forbes. Additionally, industry leaders such as Principal SANS instructor Jorge Orchilles have explored high level discussions of ChatGPT for offensive security. For red team operators in the trenches, it poses a unique challenge and a lucrative opportunity. Given the security application landscape, can offensive security professional stay ahead of AI and ML? This talk will holistically examine the integration of AI and ML to enhance Red Teaming methodologies, starting with a brief history of red teaming, including the evolution of various roles within the team. We will continue our journey by focusing on how the integrations of AI and ML into offensive strategies have enhanced the MITRE ATT&CK framework by using ML for target acquisition. The audience will get key practical takeaways of how to incorporate AI and ML technologies into the many attack vectors scene throughout an engagement. In conclusion, the presentation aims to deliver valuable insights into the evolution of red teaming and the transformative potential of AI and ML in this field. Attendees will gain a thorough understanding of the cutting-edge methodologies in red teaming and how they can harness AI and ML to bolster their cybersecurity strategies.

eBPF-based security solutions are taking the cloud by storm. Many vendors shifted from traditional kernel-module based agents to eBPF agents to provide runtime security for Linux workloads in the cloud. This talk begins with a basic introduction to eBPF and runtime cloud security. It then discusses inherent weaknesses in eBPF-based security solutions and presents several techniques such as resource consumption attacks, memory map attacks, eBPF verifier vulnerabilities, time of check time of use exploits, and agent tampering that all may be used to bypass defenses which rely on eBPF. Possible mitigations for these techniques are also discussed. Example C++ code or Bash scripts for the techniques are provided so audience members may experiment on their own. All code examples are open source and available for download. This talk will be technical, and attendees should come to this talk with a basic knowledge of the Linux operating system.

Over the past few years we've seen an expansion in both the variety of canaries and the locations to hide those canaries in the cyber deception realm. What we've yet to see is refinement in the implementation of those canaries to evade discovery from wary attackers.

For blue teams, properly tuned SIEM rules utilizing deception canaries are higher fidelity and lower volume alarms. This means that most of the time when the alarm fires it indicates a true positive. This is usually indicative of an interactive actor or insider threat in the environment.

A deception alarm firing often puts the blue team on edge and leads them to perform a proactive threat hunt rather than remaining reactive to their alarms. This often ruins the opportunity to further any red team engagements that test the SOC’s efficacy, based on their tools and rules, without the defenders having an unfair bias.

What is the solution for attackers? Detect the deception canary beforehand and avoid interacting with it at all!

In this presentation we'll talk about the methodology to detect deception canaries used by blue teamers followed by a deep dive on a couple of the most common deception canaries, how blue teams and open-source code are implementing those deception canaries on a technical level, and the weaknesses in those implementations that allows attackers to enumerate the canaries within seconds.