BSides is a community-driven event and all talks have been voted on to ensure a day of technical geekery and passion - without the sales pitches. When you come to a talk at BSides Liverpool, be assured it will be informative and entertaining.
Keynote Opening - Omri Segev Moyal - Private Consultant
Focus on your malware, Not Infrastructure!
Malware analysis is one of the most exciting yet daunting tasks in the security research world. A typical researcher spends countless hours and sometimes days to dissect malware and exploits. To keep up the pace (and sanity) many automation tools have been built to help with different kinds of tasks. Usage of such tools brings a massive problem of maintaining working and secure infrastructure, an infrastructure often operated in very hostile environments. This problem causes researchers to spend too much of their time and resources on the infrastructure instead of spending it on their target goal. In this talk, we will learn how every malware analyst can start rapidly using serverless technology to make their life easier. We will dive into a serverless open source project called MalScanBot. Learn how it was built and how it can be used as a template for many other interesting projects. Because as a researcher you should always Focus on your malware, Not Infrastructure.
Keynote Closing - Finux - Machiavelli's guide to InfoSec!
So security is difficult. We know this. Governance of security isn't easy either. This talk looks at how security governance of a company/organisation is a lot like managing a city state during Niccolo Machiavelli's time. What lessons can we learn from The Prince, one of the first amoral guides to governance? As anyone who has attended any of my other history-inspired infosec/hacking talks will know, this won't be what you were expecting 😉
Deception Technology - A maturing threat intelligence solution that adds real value
The Beer Farmers
In this talk, we discuss the lengths some organisations go to in order to protect personal data, as opposed to those that say they do once the personal data they were responsible for has been flooded onto the Web.
It's a tale of breach after breach after breach, laced with some hope that certain firms are at least trying to do the right things. We all make mistakes, but we should at least give it our best shot at avoiding doing so.
There'll be humour and music, as well as a very clear message that while many firms are doing the right things, there's a long way to go. Ian and I will combine to deliver something hopefully entertaining, as well as current and educational.
Ian Davies - Grafton PLC
My total exposure to Information Security or Cyber Security between 2003 and 2013 was the occasional jolly to listen to James Lyne when he was at Sophos or attend a one-off freebie workshop with a company who were trying to sell their wares. I thought that to be part of Cyber Security you had to be the best of the best, able to write code blindfolded whilst juggling USB Drives and reading assembly language like you were reading a book. To be fair, that’s what most of my colleagues thought I was doing when I went to do EC Council’s Certified Ethical Hacker… (waits for giggles and groans)
We have to change the way we engage with and deal with corporate IT staff whether they are our customers, or our colleagues. We have to get rid of the elitism that permeates the domain and the subject. I was so excited about doing CEH and when I came back and decided to announce my success, I was pretty much ridiculed… a less confident person could have been completely dejected and consequently rejected this field out of hand as a career choice.
Yes, it’s a misleading course title with some fairly erroneous content, but I now know much more about the subject than I did before I took that course and I chose to go on and learn more. Rather than ridicule, should we not encourage – if someone has taken the time to do that, or done some self-study, or asked a question, however misguided you think they are, should we not be encouraging them, helping them and driving them to look in more detail at the stuff they just learned or are trying to learn? I came back from that course and demonstrated some simple things, the use of a simple RAT, AV Bypass, a reverse TCP session using Metasploit. I’d learnt that from the course that had been so ridiculed. None of the people I showed had seen anything like it or would have believed you if you told them it was possible. None of them knew that all the software required to repeat the demos was available online for free with tutorials. How can we possibly be doing a good job if a large portion of the people protecting our infrastructure don't know about this stuff? If all we are doing is writing, implementing (and forcing) technical controls we are fighting a losing battle – I believe that we need to change attitudes.
Dungeons and Datacentres: Dilemmas and Thoughts in Social Engineering
Talk covering some of the recent work I've been doing to develop SE approaches, sources/methods I've used and key things to bear in mind when approaching SE engagements. Intended to build upon the Basics/SE 101 that have been covered in-depth by others. Key topics:
- OSINT Foundations - Down the Rabbit Hole
- Preparedness vs Spontaneity Dilemma and building your pretext
- Suspicion Boundaries/Too Good To Be True Dilemma
- Flow & Rapport - some lessons from Improv
- SE to leverage more than just human vulns
Martin King - The Football Pools
This is not the career you are looking for
A career in IT: the pathways available, how to find yourself a mentor and what personal traits you can use without having to be a Jedi or a ninja.
Kashish Mittal - MileIQ, Microsoft
One Man Army
Playbook on how to be the first Security Engineer at a company. How often have you heard that 'Early stage startups don't care much about Security because if there is no product, there is nothing to secure?' Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer who can be somewhere between the 10th to 300th employee. By the time the first Security Engineer is on-boarded the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a 'one-man army' keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.
Ian Murphy - LMNTRIX
The logs don’t work, they just make it worse
This talk will lay out the foundation most SIEM and SOC implementations have been sold on, the “needle in a haystack” technique, and why this is no longer viable to detect attackers and known malware that regularly bypasses controls. It will address the double-edged sword of the human element and also where most organizations’ current thinking is when it comes to protecting the business.
Saher Naumaan - BAE
An APT Revenge: How attackers respond to disclosure.
Government and industry bodies have invested significant effort in understanding the threat landscape in order to defend their interests in cyberspace, but the issue of how defensive action can influence attacker behavior is poorly understood. This presentation seeks to explore the question: how do attackers respond to investigation into their operations? We will review the ‘spectrum’ of response options and changes that attackers have made to their operations following incident response cases and public reporting (and attribution) of specific groups. Responses range from defensive (‘go quiet’) to aggressive (threats or targeting of researchers), and include a multitude of change-ups in tactics, techniques, and procedures in between. This analysis will draw on evidence from numerous examples both from our investigations and cases from open sources to cover high priority threat groups faced by the public and private sectors as well as unintended consequences of disclosure.
Jan Fajfer - Stratosphere
Emergency VPN - Analyzing Mobile Network Traffic to Detect Digital Threats.
Abstract: Journalists, human rights defenders and activists rely on mobile phones for their security and safety more than most others. They need to communicate highly valuable information, report news, and stay in touch with their families and news sources while in areas of conflict. Since governments and attackers know that, they constantly attack their phones. Any security issues in their phones put them in real danger.
In this session we will present the Emergency VPN service, a free service from the CivilSphere Project that provides a free security analysis of mobile devices' network traffic to determine if the phone is infected, under attack, or compromised. We will explain how the Emergency VPN works, what type of data we capture, the analysis workflow and show examples of the final report sent back to the users. We will also show a list of vulnerabilities and security problems identified in the last year of work, and try to show how malware is not, in most cases, the biggest risk users are exposed to. We expect that at the end of this talk attendees leave with a clearer vision of how digital threats work in mobile environments.
Chrissi Robertson - I'm not a fraud, I promise - Navigating imposter syndrome as an industry newcomer
Imposter syndrome is something that strikes the heart of many across several industries. That overwhelming feeling of doubt, that inexplicable sensation that somehow you're not good enough. That fear that one day, someday, someone is going to find you out. It's heartbreaking and terrifying all in one. But how can we combat it, especially when we're new to the industry we want to be in? This talk looks at imposter syndrome and the mental health behind it, and coping strategies to help deal with that feeling of dread.
An expansion of this blog post: https://frootware.co.uk/post/170348709765/im-not-really-a-fraud-i-promise
Andrew Costis - Carbon Black
LoL-bins behaving badly
Living off the Land binaries aka “LOL bins” have been an integral part of various operating systems, but when malware strikes, common LOL bins are often exploited to carry out attack techniques such as persistence or exfiltration in order to advance the attack. This talk aims to discuss the purpose of LOL bins, and will walk through some examples of recently observed commodity malware campaigns that leverage LOL bins, their associated MITRE ATT&CK ID and behavior, and why ATT&CK is relevant in the context of LOL bins and malware, as well as in a broader context.
Workshop - 4hrs (AM)
Having created a CTI service from a greenfield and led multiple CTI teams, I have experienced the pain of the BUZZWORD known as CTI. Many contacts of varying experience and skill have inquisitively asked me WTF is CTI? Cyber Threat Intelligence is a fusion of the art of intelligence and that of a cyber security analyst. The role of a CTI analyst is fantastic in that an individual from a 'n00b' off the street to a senior malware reverse engineer can become a CTI analyst and should be considered a step backwards. The CTI team spans other teams from level 1 SOC to CISO (And beyond) and acts as a transit route to many other fantastic roles within Cyber Security.
The workshop is aimed at introducing those not in the CTI field or who are still trying to grasp its capabilities. During the workshop we will go over the components of a CTI team, its I/O, methodologies, tools and more. The workshop will span non-technical and technical tasks; for those with little to no cyber background it will push their capabilities but allow them to gain insight into the potential. For those more technical it will allow them to understand the data flows of information (Info != Intel) and be better SOC analysts, Malware REs, Forensic Investigators etc.
How can we be private in an age of convenience?
How does the digital space impact real life?
How to become a rational cypherpunk
My talk will cover many conversational topics and thought-provoking ideas about how we treat digital privacy in an age where our entire lives have been seemingly taken over. I aim not only to educate the people in my talk, but to get them really thinking about this often controversial topic and to provide the base (and resources) for further research. Simply because of the nature surrounding privacy, I hope to leave listeners with a new perspective regarding tech in their daily lives.
Workshop - 4hrs (PM)
The Cyber Security Bootcamp is for the interested IT professional with a passion for cyber security as well as seasoned security experts who are looking to get their hands dirty on various offensive and analysis tasks.
We will do:
- Reverse engineering of binary applications and proprietary network protocols with tools like radare2, objdump, strings, strace, tshark/wireshark and using malware sandboxes
- Attacking web stacks built on ruby, php, sql-dbs, redis, nginx (websockets) by hand, supported with burp
- Writing scripts in your preferred language (shell, python, perl, ...) in order to aid the offensive and analysis activities outlined above
- Every topic will be addressed with one or more short challenges/tasks. The trainer will provide brief introductions for each topic/task. Participants are encouraged to collaborate and the trainer will provide support, tips and tricks.
The ultimate goal is to have fun while learning and sharing knowledge.
Bring along a laptop with a Kali VM. A USB version will be available for those who can't/don't bring a copy.
Peter Bleksley was a founder member of Scotland Yard's undercover unit in the 1980s and part of the hit TV show "Hunted".
Join us for a very special talk.
The journey to the stage
Advice and insights from the organisers and speakers of BSides, from CFP to giving a talk
Jamie Hankins @2sec4u - Kryptos Logic
"New talk who dis"
Wannacry & Threat Intelligence.