09:05 - 09:45
Filipi Pires - Dissecting and Comparing Different Binaries to Malware Analysis
Demonstrate the different kinds of structures found in binaries such as PE (header and its sections), ELF (header and its sections) and PDF (header / body / cross-reference table / trailer), explaining how each section works within a binary and where it would be possible to "include" malicious code.
09:50 - 10:10
László Erdődi - Hacking Arena: an Innovative Learning Platform for Ethical Hackers & Hacker Robots
The Hacking Arena project is an advanced offensive-security learning platform that was established to support ethical hacking education at the University of Oslo. Now that it has become an open platform, the number of users from around the world is continuously increasing. The arena provides numerous hacking challenges on various topics, e.g. web hacking or binary exploitation, from beginner to professional level.
As machine learning develops, some types of cyber attacks are becoming more and more autonomous, and the complexity of attacks in general is increasing. The main research aim of the arena regarding machine learning is to prepare for such future attacks by studying and analyzing different possibilities for making attacks automatic. The idea behind the machine learning approach is to continuously process the human attackers' (users') data to train the robot hackers.
The presentation will introduce the Hacking Arena with live demos of challenges and their solutions, and the principles of the robot hacker training part will be discussed as well.
10:15 - 10:55
Zénó Amtmann - The Art of CISO
As corporations historically tended to outsource their IT operations, and companies were reorganized and established to fulfil this demand by creating shared service centres and centralized, specialized teams focusing on specific segments of the computing environment, the number of individuals who retained the ability to appropriately oversee a corporation's information systems environment dropped significantly. As the business relied more and more on the IT infrastructure, and this foundation was targeted by cyber criminals at an increasing rate, C-level executives had to realize that financial threats no longer occur only as a result of a financial misstatement or fraud; they can be the result of an ineffectively or inadequately managed IT infrastructure. In addition, governmental and regulatory scrutiny mandated, and still mandates, that these corporations ensure that the outsourced service provider(s) act in the corporation's best interest and that the corporation retains control over the activities it has outsourced. Consequently, companies face these requirements at a time when the number of individuals with accurate knowledge of the company's topology and infrastructure is very limited.
That is why the role of a CI(S)O is an art - to understand the big picture, and to communicate the risks and needs of the company to all stakeholders at their level.
10:55 - 11:15
Break (10 mins)
11:15 - 11:55
Tamás Kocsis & László Kőszegi - "I Went to the Fair with Schneider Fáni" - or Hungarian ICS/OT Security Up Close (HUN)
12:00 - 12:40
Philipp Krenn - Seccomp - Your Next Layer of Defense
Why should you allow all possible system calls from your application when you know that you only need some? If you have ever wondered the same, then this is the right talk for you. We are covering:
* What seccomp is in a nutshell and where you could use it.
* A practical example with Elasticsearch and Beats.
* How to collect seccomp violations with Auditd.
Because your security approach can always use an additional layer of protection.
12:40 - 13:25
Lunch break (45 mins)
13:25 - 14:05
Saurabh Chaudhary - YARA Rules on Steroids
Whenever we want to proactively hunt for malware of interest for threat intelligence purposes, YARA is the Swiss Army knife that makes the work of malware researchers and threat intelligence researchers easier.
Malware developers work just like legitimate software developers, aiming to reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters: we can learn how to create search rules that detect this kind of code reuse. Traditional YARA rules are written on strings, but if we also implement rules that leverage code reuse in addition to the string rules, the rule will last for decades.
For successful and long-term hits, we have to combine both string-based and code-based coverage. The key to efficient YARA rules is simple and clear rulesets utilizing both.
14:10 - 14:30
István Németh - 0day/APT Defense Strategies at Perimeter
Regardless of the size of the network, perimeter defense strategies are critical nowadays. In this deep technical presentation I'll focus on different attack vectors and on defense strategies against those vectors. After the short presentation, I'll focus on a hands-on demonstration, where I'll detonate a few "file-based" attacks targeting the infrastructure in different ways.
14:35 - 15:25
Albert Zsigovits - Hunting for Malware: Dissecting DarkRATv2 Through OSINT
In the summer of 2019, a new malware family started to appear in the wild, identifying itself as the new version of the old DarkRAT.
In a short period of time, the developer of DarkRATv2 made a significant number of improvements and updates to his creation.
In this talk, I would like to give you a demonstration of how mistakes can lead to more discoveries, how to leverage OSINT means and techniques to learn more about the malware, and ultimately how to pick this specimen apart from an RE point of view.
I am planning to give you an end-to-end approach on malware hunting, specifically on how to gather everything about a certain malware family.
In the end, we’ll learn more about how script kiddies and up-and-coming security researchers make a quick buck by copying entire functions from other malware families.
15:25 - 15:40
Break (15 mins)
15:40 - 16:20
Mutaz Alsallal - Threat Hunting in Kubernetes
While organizations are adopting containers and microservices architectures, the threat landscape has evolved. Security Operation Centres need to extend their detection and prevention capabilities to hunt for threats in such an environment.
The talk will go deeply into this new landscape and into detecting the related security threats at multiple layers: the container, the underlying host OS, and the whole Kubernetes cluster.
16:25 - 17:05
Márk Modly - The Not-So-Boring XML Attacks - Forgotten Methods (HUN)
In recent years it has become increasingly common for XML-related problems to surface. This is (also) largely due to the fact that the XXE (XML eXternal Entity) attack has appeared on the current OWASP Top 10 list. This is welcome, but in the world of XML it is not only external entities that pose a problem; we will see that there are other attack surfaces as well. Unfortunately, in most cases when someone finds an XML vulnerability, they settle for the smallest result, even though a great deal of useful information beyond the usual data could be obtained from the vulnerable system. We will talk not only about the widespread XML attack techniques, but will also reinvent the wheel a little and hopefully incorporate into our repertoire techniques that seem long forgotten, yet to which systems are still very much vulnerable.