One Day Left! Get an iPad, Tab A, or $250 Off with your OnDemand registration

Berlin, Germany | Mon, Jul 22 - Sun, Jul 28, 2019
This event is over,
but there are more training opportunities.

Summit Agenda

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Sunday 21st July 2019

Pre-Summit Meet and Greet
This optional session offers the opportunity to meet and network with your fellow attendees the night before the Summit kicks off. We highly recommend you attend if possible.

Monday 22nd July 2019
08:30-09:30 Registration and Coffee
This is another great opportunity to meet, greet and interact with your peers so come down early.

Welcome and Introduction by Summit Chair
Erik Van Buggenhout, Certified Instructor & Author, SANS


Keynote Speech
James Lyne, CTO, SANS

The Close Relationship: Exploitation & Penetration Testing
In our role of adversary emulation and flaw demonstration, we have more systems than ever before to attack -- different architectures, operating systems, languages, design patterns and a plethora of wonderful tools. Many of the technology changes in our industry are enhancing security, whilst some are causing regression or exposing new flaws. Exploitation and discovering new flaws are crucial to the tools that much of the offensive industry rely upon, yet many use them without getting to the detail of how they function. In this talk @jameslyne will review some exploitation fundamentals, tools you can use and techniques in a talk packed with live demonstrations (hopefully).


Blame Wars - How to Attribute Responsibility
In November 2018, Austrian security consultancy SEC Consult published a security advisory concerning a vendor of ID solutions using the German national ID card. Authenticating with a real ID card, the researchers had been able to trick a web app into believing they were Johann Wolfgang von Goethe. Technically the bug leading to the vulnerability is easy to describe and reproduce (it is a well-known mishandling of the complex SAML authentication mechanism). Still, a fierce debate between researchers, vendor and circles of German government contractors erupted - not so much about the impact of the vulnerability itself, but more about where to place blame. Since the bug was contained in an accompanying SDK, it could be both the vendor's as well as users' fault. Others blamed SAML itself - and therefore either the standards authors or the German government for picking the standard. In the presentation, I will track the origin of the bug both technically and historically/"politically" to generate some insights into the question who should be to blame for vulnerabilities and security incidents: a sketch for a theory of attribution.
David Fuhr, Head of Research, HiSolutions AG

11:05-11:35 Networking Break: Drinks and snacks will be served
11:35-12:10 Why it's easy being a hacker
20 years and SQL Injection is still a thing. Why is it so hard getting things right? What seems to be the root cause of things, and are we getting any better? What if we simply copy-paste code from Stackoverflow? Using Google as aid? What about the techie books that teach us how to develop, and all the courses and institutions that promise us to code like a pro? In this talk we will zoom in on how mistakes are made, and why it can be so crazy hard to get things right.
Chris Dale, Head of Cyber Security at Netsecurity AS
12:10-12:45 A Journey Through Adversary Emulation
During this talk, NVISO will take you on a journey through adversary emulation, from its inception to its adoption and application. They will show you how they integrated adversary emulation into their red teaming approach using MITRE's ATT&CK framework. Next to the more classic red teaming assessments, other adversary emulation flavors such as purple teaming and integration with the TIBER framework will be covered as well. To top things off, concrete examples from recent assessments and lessons learned will be shared. After this talk, you will have a structured overview of everything adversary emulation and enough inspiration to tackle every adversary emulation challenge coming your way.
Jonas Bauters, Senior Security Consultant, NVISO
12:45-13:45 Networking Luncheon
Lunch is served onsite to maximize interaction and networking among attendees.
13:45-14:20 Well, that escalated quickly! - A Local Privilege Escalation Approach
Companies engage security experts to penetrate their infrastructures and systems in order to find vulnerabilities before malicious users do. During these penetration tests, security experts often encounter Windows endpoints or systems and gain low privileged access to these. To fully compromise the system, privileges have to be escalated. Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and apply these. This talk imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most relevant privilege escalation methods, techniques and names suitable tools and commands. These methods and techniques have been categorised, included into an attack tree and were tested and verified in a realistic lab environment. Based upon these results, a systematic and practical approach for security experts on how to escalate privileges was developed.
Khalil Bijjou, Senior Security Consultant, SEC Consult
14:20-14:55 Pentesting Cars
Given the increasing popularity of automotive hacking, more and more bug bounty programs are setup by vehicle manufacturers, enabling researchers to collect a nice reward for reporting new vulnerabilities they find in their cars. A car pentesting apprentice will inevitably raise the question: How can I be part of this and how do I start doing some research on my own car? In this presentation, we will provide a quick walk-through of our penetration testing methodology for embedded systems, specifically tailored to automobiles. The interested audience will get to know a framework they can utilize to perform a full blown penetration test, starting on individual control units, i.e. the computers that are the basic building blocks of a car's electronics system, and from there work the way up to analysing the car as a whole. The methodology, will of course touch on the vehicle's backend communication, as connected features are an integral and - especially from a pentester's perspective - very attractive part of the modern vehicle's extras. Practical examples will be used to demonstrate how the methodology can be put to work in real life scenarios. With the framework at hand, attendees will have the necessary tool to get started with car security research in a structured and comprehensive manner.
Oliver Nettinger, R&D, NVISO
14:55-15:30 With Just a Search Engine & Cup of Coffee: Hunting Vulnerabilities on the Web
Our security team conducted several security studies in 2018, intended to discover vulnerabilities and weaknesses in web servers in the Czech Republic (or in the .CZ ccTLD and on IPs located in Czech Republic, to be more specific). Two of these studies (1. Identification of servers with open/ browsable directories and sensitive files and 2. Search for open redirection vulnerabilities) were conducted with not much more than a search engine. Given how simple it is (at least in theory) to identify and remove these vulnerabilities, one might assume they wouldn't be too common. Yet the results proved otherwise - in a quite interesting turn, we've managed to identify sensitive data and open redirection vulnerabilities on more that 250 servers, number of which were running fairly high-profile sites or belonged to a critical service providers. In the end, although we weren't looking for them, we found some interesting vulnerable servers outside the Czech Republic as well. The presentation would cover our methodology for conducting both of the studies, discussion of what we found/what was the impact of what we found, and how well (or less so) things went when we informed the subjects responsible for the impacted servers.
Jan Kopriva, CSIRT Team Leader, Alef Nula a.s.
15:30-16:00 Networking Break: Drinks and snacks will be served

Automated adversary emulation using Caldera
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator and Caldera facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Some more information on Caldera from the official documentation (

"CALDERA is an automated adversary emulation system that performs post-compromise adversarial behaviour within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behaviour, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions."

During this talk, Erik will demonstrate some Caldera strong points and weaknesses and how it can be further improved (e.g. how can we build additional steps to increase our ATT&CK coverage or how can we adapt steps to handle new Windows 10 security features such as ExploitGuard and AMSI).
Erik Van Buggenhout, Certified Instructor & Author, SANS

16:40-17:00 Closing Remarks by Summit Chair
Erik Van Buggenhout, Certified Instructor & Author, SANS
Social events and informal networking activities are hosted after the Summit.