BSides Perth Day 1 (Part 1)

BSides Perth · 20217:10:541.0K viewsPublished 2021-09Watch on YouTube ↗

Show transcript [en]

[Music] testing getting that getting the mic cool cool

[Music]

[Music] do

[Music]

[Music] so [Music]

[Music]

[Music] [Music]

[Music]

[Music] [Music]

[Music]

foreign

[Music]

so [Music]

[Music]

[Music] [Music]

[Music]

so [Music]

[Music]

[Music] do

[Music]

testing one two still working going out live testing one two still working

one two still working going out live test two one two still working going out

testing one two still working going out live testing

so maybe just um

crazy

just moving down

hello

cool come on in grab a seat welcome everybody to b-sides perth 2021 [Applause] wow we finally made it happen um a few housekeeping things everything that is going off in this room pretty much and background chatter and everything is all being streamed out live so we've got a whole heap of people that are watching from home um you can wave but the camera's pointing this way um a couple of things on that we've put a few chairs and stuff around here just to stop people wandering in front just so they don't get into the camera that's all cool uh but welcome um huge huge number of people um we released the batches of tickets and

everything went in no time at all and then we got some people obviously that couldn't make it from out of state and we're really sorry not to see those people this year um disappointing for everybody um those people are typically all jumped onto the discord chat now so get in there and kind of be part of the fun as everybody's watching what's happening and listening in um usual housekeeping things red shirt to your friend uh grab someone with a red volunteer shirt if you have any problems with anything at all we've got first aiders mental health first ladies on site emergency evacuation at the theater people at home you don't need to worry about this you're all good

out home head to the west meets up in the oval and we'll have a head count please use things like the safe wa qr codes and bits around the side there are also qr codes around if you are tagging into the ctf um if you are ctf in i think at start this morning there was a huge number of teams and people that had registered already there's also an incident response ctf that acsc guys have put together for us which is awesome you can find them upstairs straight above me in the meeting room and if you keep an eye on the slides you'll see the link for that if anybody needs anything just ping us on discord or tweets or something

a massive thank you to all of our sponsors as well kinetic i2 platinum sponsor again they have a space upstairs a bit of a breakout space they've got some cool stuff and giveaways and they're talking about things up there so have a wander around when you're ctf thing or aws training go say hi and all the other awesome sponsors we've got cyber cx telstra uh pwc are all taking gold sponsorship this year which is fantastic uh there are canva crowdstrike fortinet exoboom um huge huge numbers watch them all on the slides going around please please copy them in when you send tweets and photos around the place it's the sponsorship and the cash and everything that comes in from that that

makes this all happen gives you all the awesome speakers and the swag and bits that you get so please remember to say your thanks bathrooms and facilities out the door turn left down the stairs you'll find it there there's some at the other side of the building as well there's a door you can get through with more vending machines there's snacks and drinks over on that side um take a guard with you as well because the door shuts behind you and you can't get out we'll be setting up the kids room shortly there's a whole heap of hacker movies and kids movies and stuff that they can rotate through and watch if they get bored listening about app

development or something free coffee is here until about 11 30 lunch will be at uh yep lunch time and we have some laden treats that are um just warming up at the moment so they'll be good to go uh and then obviously after everything happens there was the after party drinks uh which has been again sponsored by um whole heap of sponsors all chipping in on that so that's awesome um what else do we need to know bear with us is all i'm going to say um we really wanted this to be an in-person conference for everybody particularly after last year and everything kind of falling on its face a little bit then um we've got some really really good talks

and some good speakers and we've been learning or for other dolls and sneaky sitting down the front here have been learning a lot of stuff about obs and streaming and everything so they'll be sitting here kind of guarding everything and we're going to be mixing it up so there'll be recorded talks that we're kind of building in and then we'll get live talks in here and all of that is all being streamed straight out to youtube so that's all really really good to see um we hope it works bear with us hit us up if anything's not quite working uh we've got a few people who are a bit of a specialist in that massive thanks to all the volleys most

people got up at about half past five this morning to come and start setting things up here and we had all the usual fun of not being able to get into the building and then forgetting we were here again uh but it's awesome the security comes down to help us out um so i think i'm just looking for a bit of a thumbs up we might be ready to kick things off yeah so let's just run through all of those

yeah cool so yeah there we go rotating through now so we've got a bit of a lag as it uh pops up on my screen so uwa obviously the venue sponsor again they are really really good to us they give us the whole business school uh every year that we have one of these so we get heaps of space to fit everybody in just looking around the lecture theater now it's got a max capacity of 350 and again there are people kind of sitting on the stairs filling it out which is just really really good to see uh as i've said kinetic i.t platinum sponsor again uh that's really really good to see thanks again guys for the ongoing

support uh much appreciated um gold sponsors who's going to come up first i think it's going to be yeah cyber cx will come up there thanks guys really good to see cyber cx are doing a huge amount of stuff around australia at the moment um telstra i've mentioned uh pwc i've mentioned as well be sure to say thank you to everybody cool so just fixing a few bits at this end um yeah on top of that it's all right we've got a slight delay so yeah ctf stuff um if you haven't registered a team click on the link there are some qr codes around here in the building we'll flick a qr code up into the discord

channels as well fifth domain have been awesome this year they're doing some huge and amazing things over in canberra and they've put together a whole set of ctf challenges for us there's a public scoreboard the link for which i will share soon i got it this morning and like i say hundreds of people have already registered for that and it looks pretty interesting so go with that uh silver sponsors just popping up canva crowdstrike west australian innovation hub as well so we've got um oswest cyber i've got a uh standard they're doing some podcasts and bits outside here today that they will also be streaming so stop in say hi uh trustwave cybersec people es2

bronze sponsors this year uh great to see trustworthy coming back ricky at cybersec he's probably listening in now thanks again you've been with us every year it's really good to get recurring revenue shall we say but it's massively appreciated uh rapid seven forty net extra beam um these guys have been fantastic 49er have been with us uh for many years as well now we've got some cool prizes coming from these people as well incident response challenge jump on there now acsc.ctfd.io um get on there do the challenges i've been informed that it will take a reasonably experienced and proficient person probably an hour and a half to get it all smashed so there'll be a usual mix

of swag and bits coming around for the winners um aws they're doing some training kicks off over here at 10 o'clock pentester lab louie if you're listening out there thanks again mate always comes good with vouchers and bits for pantester lab and swag and stuff as well

so for the aws session this morning it is the spaces are extremely limited it's at 10 o'clock it's upstairs in one of the rooms um yep i'll tell you what to remember shortly the toppest floor so on the top of this floor the rope up there the aws training will be unfortunate there's only 30 spaces i know there's probably a lot more people injured so just bear that in mind um we can't record it unfortunately but um yeah hopefully it goes it's going to go for two and a half hours we put some stuff up what's needed there but yeah 30 people just after 10. thanks thank you yeah and dolls have just said uh we've got a huge amount of

the usual space for ctf players upstairs if you haven't grabbed one as well we've got some um individual codes and bits for the high speed wi-fi over here so if you're struggling or you don't want to tether or you just want people to keep de-offing you for the entire weekend uh grab one of those and have some fun knock your socks off there's a heap of seating and stuff up there like i say we've been sponsored this year um v energy drinks we've got those in here uh we've got a heap of water and bits there are snacks and stuff lying around we've got pretty much everything if we've not got it shout out and we'll

sort it out so it's all good discord channel discord.gg forward slash lowercase p lowercase f uppercase y t uppercase all right read it off the screen uh at besides perth if you want to find us on twitter besides per for anything related and please tag those sponsors in all right i'm gonna hand over to dolls now he's gonna do a quick intro and then we'll get on with the first talk i think you're not really an intro the slide that's just come up we're gonna be running some like quizzes and q and a's and like polls throughout the whole weekend so that is the qr code to scan everyone i can see phones coming out

everywhere um just bookmark it because we won't be doing it all in one session that'll just be running throughout and we'll show the results at some stage through the uh the weekend

cool i think we're about there guys everyone listening in so we're just kicking it up so the first talk of today is going to be father and he is very seasoned red teamer he's spoken at defcon uh spoken a black hat he's done tools around usa does a heap of this stuff and he's gonna be talking about adversarial kind of tradecraft so if the cutovers and the transitions and everything work we're good to go see you on the other side

hi uh thank you for joining me today

actually for giving me this opportunity and hosting this great event

specialized on adversary simulations so i provided different types of research tools and activities to the community and i presented in different conferences including black hat

hi you for joining me today for the adversarial phrase craft development in a nutshell thank you besides pert actually for giving me this opportunity and hosting this great event thank you for that you will talk about the accessory simulations intelligence reports and how we can start our development journey so different types of experiences will be discussed my name is fatih zalji i'm a managing security consultant also a security researcher specialized on adversary simulations so i provided different types of research tools and activities to the community and i presented in different conferences including black hat defcone and some other major conferences as well firstly we need to talk about the adversary simulations probably you hear about them a lot but the colors mean

almost nothing we need to understand the context of them rate team exercises are generally covert operations and defense has no idea about that operation runs only some executives and the white team members will know that actually eliminates the performance of the defense improvements on the other hand it is good representation of the trade actor targeting the organization purple team-like exercises they are collaborative exercises and they provide more benefits for example improving the defense overall simulating certain character and understanding the defense and proactive approach of the defense teams that's why purple team has more collaboration that gives more opportunities to different types of engineers not only offensive engineers but also defensive engineers such as incident response or forensics or trade

hunting or maybe threat intelligence teams as well there is also automated approach for this automated approach actually focuses on the breach and threat emulations specifically demonstrating the trade actor behaviors sometimes this automated approach is quite beneficial if the exercise is targeting certain organization units for certain cyber analytics components when we talk about cyber analytics we need to elaborate that part as well cyber analytics is a new actually approach we see in the defense and large organizations generally it is designed to identify the malicious behaviors on end points clouds networks and different types of services so simply the organization will collect data from all units so always will work efficiently and they will ingest the data to a centralized data

store then this data will be actually processed by machine learning algorithms artificial intelligence deep learning techniques in the end we will see how they work and what could actually go wrong there what type of activities would be malicious who is targeting us those are the questions to be answered by cyber analytics of course it has cyber security involvement but also only data analytics uh actually specialists working on the data interpretation or ingestion or making it efficient as well for the algorithms it is important for us to demonstrate reductive behaviors to improve cyber analytics in the environment as well that's why we need to provide safer examples of the tools for them our development journey actually starts

exactly that point because we need to understand its reactor behaviors and we need to replicate them and that's why we need to actually open read and actually understand the trade intelligence reports trade intelligence reports provide indicators of compromise and also some samples of the command and control domains ctos protocols or maybe malware samples or some of the code of the exercise as well so simply we see some of the details of the campaign running for target organization trade intelligence reports are generally limited or restricted because of the confidentiality requirements or the commercial exercises that's why we need to actually work on different types of repositories to find the right data for us and then we need to find examples

vx underground for example provides a lot of malware samples coming from different campaigns also some other exercise uh components and some malicious code as well if you combine those two we can understand how distractor try to run this exercise or try to achieve their objectives then we can develop our own safe trade craft to simulate this in the wild finding examples sometimes come from trusted or maybe semi-trusted researchers as well and we can actually understand their code and we can customize it all this journey requires actually development capabilities that's why we need to understand the trade intelligence first trade intelligence is simply understanding the trajectory behaviors and then collecting the data to make them meaningful

and trying to avoid the future compromises that's why trading er3 intelligence has different components sometimes it is day-to-day attack prevention for example iocs of domains or hashes of malware or some certain features of the attacks they are for daily uh actions but if you have for example long-term goals such as what trade actor targets us how they change their game what are they after if an exercise is too long for example a year of exercise such as nobelium targeting and solaris orion that's a different story and that's why we need to pay more attention to the details in that case so we need to understand the tradecraft what tools they used what techniques they use and how we can simulate them

in this case emulating the xa actually trade actor and simulating there are different terms emulation is simply replicating the behaviors of the trade actor simulations are more like building some similarities and using some approximation for the techniques and tactics so different terms help us to find the right path and right solution for us offensive security leverages this trading tell and the other services to find the right approach for the adversary simulations offensive engineers read the thread intelligence data understand their actually samples techniques tactics and then implementations and build their own actually adversary simulation or adversary emulation if it is fully emulation they try to use the exact malware used by the thread actor almost maybe 99

matching with the email or domain or the c2 software trying to make it accurate as much as possible or we can actually add this with different layers and we can use similarities for example we can use the same city but we can use additional tools or we can change the approach if the thread actor is using for example excel 4 macros we can use excel dds as a replacement so this type of activity is actually diverting the route and trying to achieve same objectives in a different path and also there is ioc generators and they are generally automated tools to actually generate the similar iocs for you yes it is the md5 hash of the binary

but if the source code could be compiled in your environment the md5 hash will be different so you need to focus on maybe fuzzy hashes or you need to focus on the text of the file and you need to build some sigma or your signatures for it so you need to actually understand what iocs you need to generate than using this technique unity generator examples but the problem there is where do you start you need to understand i think firstly the trade actor because if you work on trade actor you need to understand what campaigns they have performed against different organizations and what are they after some of those are ransomware gangs and chasing some money

and trying to get more money from different organizations sometimes encrypting their disks sometimes threatening them to release the data sometimes just extortion on the other hand some of the trade actors have no interest in ransomware and they are working for cyber espionage and they are generally nation state actors there there are also another types of actors for example initial uh footholder sellers so they are actually reselling the organization they compromised they don't have any interest to accelerate data or perform or run a ransomware operation instead they compromise organization and sell the success and do not involve any other initial activities so different types of actors provide different types of tradecraft tools and tactics for us so we can work on them

this is an example of attack a very popular attack solaris has been compromised by a trade uh named as nobelium and microsoft fireeye have been also involved in this case and some of the government organizations in the u.s have been compromised this exercise is a long-term exercise and this timeline is extracted from microsoft's trade intelligence report as can uh as seen in this diagram the attack takes almost a year to design the attack to plant a kind of malware to this environment and seeing this environment for a short period then understanding whether it is a target or not densely building a sleeping cell for a long term and then initiating the attack a certain point

against old targets already compromised and not targets in scope because sorry not against the targets not in scope because those targets were compromised but they are there for another reason if they could be compromised by the same trade actor again that will be a kind of problem for the objectives on the other hand we need to understand how they approach this problem because they need to compromise the software solaris orion and they need to stay under radar but also they need to verify the target and then they need to build a kind of sleeping sound when the time arrives only for the in scope targets they use a second c2 to deploy a payload which is the beacon of the kabul strike

which is the malicious software that starts uh actually interactive activities on the target system all of these require actually three different cities one situ is based on dns for this exercise and second city was a kind of web component and interactive c2 is a cobalt strike profile and cobalt strike itself to simulate this activity we need to understand these details very same report but this is actually this makes much more sense for us if we pay more details sorry if we pay attention uh to details and we uh dive more we can see some additional artifacts there and we can start actually building a kind of map for us this is a kind of mitral attack map

and some sections are extracted and trying to understand what type of ct uh or exfiltration channels we can use and how we can build our own tradecraft this is how i approach the problem because we have trade intelligence data we have samples and we have miter attacks so let's combine them to understand what we are exactly trying to simulate tradecraft details in the same document will also give actually will give examples for us or maybe more precise content that can be simulated the volume trade actor also tried to compromise additional units using an email campaign a phishing campaign and that's why there was another trade intelligence report released by microsoft for this trade actor in this

exercise and this campaign transactor used html smuggling to drop an iso file to the victim system and then mounting it and opening this link to load the malware it's the kind of content but it does not make sense a lot because we know and we understand html can be used we understand the iso but how this happens what are the details how this link actually runs the dll and why and how these are actually questions you need to seek ask first while reading this trade intelligence report when i pay attention i see the content of the iso file so it simply says that there is a dll generated and there is a pdf file there and there

is also a link and link points out the reports however it is not a link going to reports the image looks like a shortcut and for directory which is explorer in this case but the content is calling the conversion and open which is the exported function truly that way the malicious software actually is not identified because exported functions are there and the um the entry point of the data is not visible that's the kind of problem for the antivirus to identify the malware so edrs can track this down now we have some details but how this html smuggling work what domains have been used how does c2 communicate about see we are just actually digging more and more and more to find

more iocs for us to simulate if we read the sales of the exercise we can see html uh smuggling attacks details we can see some code we can see domain and we can actually make this sense and question appears that where should we start because we have three options here one option is we can go to a kind of full simulation pack we can go to our c2 and implant case and fire up the exercise or we can develop some partial trade craft the benefits and actually constant cancers will be so different in simulation pack we have a heel chain and we have some automation there and lots of examples for the different stages of the exercise

because the exercise has full stack in command and control and implant exercise we develop or we repurpose an existing c2 for this exercise try to make it relevant for example cobalt strike is heavily used by trade actors which is fine but they don't use cobalt strike as is they actually modify things for example profile components or sometimes even they change the beacon code recently this has been done by a trade actor as well and they use a different type of beaker so the containers will change if you want to develop your c2 you need to pay attention to different type of fundamentals and features of the inflatant cities another thing is we can develop actually

partial tradecraft for example initial compromise of it execution evasion tactic because the rest of the exercise will be so generic but that part will give us a good attribution opportunity or maybe that is going under rotara we need to make it relevant we need to automate this until our application cyber analytics learn from that if that is the case we can work on that partial tradecraft we can work on that specific tactic so let's work on finding examples because now we know that we use trade intelligence data we read that we understand it reactor and we know how to simulate it but now where can we find some examples because initial ones were coming from

predictor right one of those is understanding the actually impact of the trade intelligence report if the report is so detailed you can actually make it a kind of to-do list just like this one javascript that can actually because base64 data to dump a file and this file will be an iso file and you know that the iso file should include a data should also include some additional link files and maybe a pdf as well and then you need to encode this as base64 copy the content to your javascript and you make it an html content to be delivered to the client that could be hda file normal compiled html whatever it is whatever you prefer or whatever you see in the

trade intelligence report some good researchers actually provide examples for different portions of the exercises for example jorge or chiles has provided the valium iso example to the red canary so you can review it and you can see that how it is generated also generated html smuggling and ice images for trade hunting to generate the similar iocs but you can see the difference between those two examples one is prepared using a c2 one has different purpose so you can see the differences between examples based on the same trade intelligence data also jean francois provided the emulation there as well so it gives you additional examples how you can make actually a dll or some additional content for a specific

content if you are working on c sharp like me you may need edm chester's research uh c sharp dna exports in this blog as well so you are armed to develop some certain components for this partial example or if you want to go to your own city here is your own starting point but tax c2 and implant is malware developed easily because they had no intention to make it a production exercise a production tool that's why it has a lot of code mistakes but it has also a good start for the initial developers and it is coming with mit license that means you can repurpose it and make it your own it comes with different protocols such

as web circuit http https sami name party cpu udp implant to implant linking support on the implants also additional components so you can use this as a baseline for your own ct or your own exercise or you want to use your own malware using another city for example mytek meeting supports custom implants custom malware so you can develop your own malware and you can use patek actually as a malware instead of his c2 if that is the case you can leverage some features of it that means it can execute commands it can execute it can run processes it can run a powershell or cmd commands using this new create process it can upload it can download it can actually run some

dot net assemblies in memory it can compile them in memory and run it can actually use that net direct to compile the content and give you just like powershell or maybe python like interactive shell it can use actually powershell in system management automation it can execute shell code using process injection it has little moment example for wmi so you have almost everything as a baseline though it can automate things like that as well because automation was the key for my exercises i don't want to repeat myself again again instead i provided an automation support for attack and make it a scenario these are instructions and the commas for it but if you are looking for more details

there is also a for uh 40 minutes demonstration for you if you like in that link that demonstration i try to use patek implant to run on padme which is a user running on mandalar which is a windows 10 and connecting to the patak service then we compromise correspond which is another server in the back and we link it using assembly name pipe using patek then also we compromise geonosis and this time we'll link it using tcp 8000. the compromise is happening on wmi lateral movement techniques in genesis we also generate another implant because we need multiple options and that's why we use internal mapping of smb name pipe and also we have another server naboo

and we actually compromise it through geonosis and then link it to genesis as well so as you see there's a tree branching here and we can actually run this as well so if you like to get some graphical user interface patek is not your answer you need something supporting a ui in this case i developed tessa malverg traffic generator which is a defensive tool for cyber analytics to generate malware traffic i mentioned this here because it is a part of my development effort for the adversary simulations as well sometimes we need friendly application that generates that malicious or simulated traffic because we don't get approvals from everywhere because of this compliance requirements that's why we need friendly interfaces

friendly applications the set has a graphical user interface as you can see here blazer ui has been used for it it generates the source code for you and it is a kind of bare bone for a c2 so you can add more protocols or you can actually change the implant and make it interactive for yourself so it is another starting point if you like but if you are simulating an exercise that makes it a bit complicated because you need to deploy passat in a certain location and you need to deploy some redirectors to simulate some traffic like this i have also a talk for malware traffic simulation in distributed networks you can see details in that talk but not

here we focus on development now ta 505 adversary simulation pack is a kind of end-to-end aspect for you so you see you have seen examples of partial development and now you have also c2 and implant examples you are looking for a full path for yourself ta 505 adversary simulation pack is there uh an asphalt for the ta 505 trade group if they upgrade their techniques against the cutting edge systems what happens that was the motivation not just of this exercise it was based on windows 10 up to date it was based on windows defender up to date also office 2019 with exile sandbox enabled it repurposed some of the uac bypass guest system token stealing or

some additional registry manipulations and mc bypass as well mcc can buffer uh patching actually those are repurposed well-known attacks in the wild the six decides also used uh some additional tools such as patak i tried to use this exercise to inform everyone but also providing and to an example this is the kill chain of the exercise we simply provide a kill chain for the simulations and the skill chain actually explains the levels of the complexity of the exercise in this exercise i try to develop some examples for different layers so it provides you partial examples but also it gives you a solid c to and implant as well but of course i made mistakes i made

mistakes by the design or by the decision so simply i had some different priorities to complete this exercise you may not actually follow this one but also there is a 50 pages report as well as details of the exercise so you can divert your path and you can see the improvement points i put there and you can improve your exercise using the suggestions i developed those six tools during the exercise and when issues excel file i actually used excellent donut to generate this file but simply this file uses patek dropper which is a dropper to actually load the additional components it gets the empty patcher to patch the windows defender then it loads the patek implant it actually

loads after that method operator metasploit framework it performs ransomware activities using ground swapping which is another custom application so there's uh more than four hours video set for it if you want to dive in that is your path how it can be developed from beginning to the end is available in this video it is live recorded so i made a lot of mistakes so you can see my mistakes they are not hidden so learn through my mistakes instead of making it your own again again just make your own mistakes not repeat myself okay so simply uh read this content and after that watch the videos and make your own decisions to develop your own environment

let's talk about the development effort now so we now we know that we have different types of adversary simulations we have thread intelligence to combine we know that trade intelligence can be used to develop exercises that's why we find some examples for different layers of the exercise maybe some certain tools or a full c2 and implant or a full exercise at the end now if we want to develop our own um we need to follow a couple of decisions if we are going to the designing c2 and implant patch we need to understand the essentials of this one firstly you need bare bone implant bare bones c2 bare bone protocols for you so you can actually customize this if you

start from beginning that would be so difficult that's why i provided actually a trade craft development trainings and in my training and github repository you can find this training as well i provide some code samples that i will demonstrate shortly so you can build your implant to download some content from remote such as social media and run instructions or you can make it more complicated for example you can download the instructions to connect the c2 or you can actually make it way more complicated you can get this data from a c2 for example a payload server and establishing an interactive communication with another c2 which could be a web circuit as well so this type of communications are

important for the implant side but if you are designing also a c2 you need to focus on some backbone features such as pluggable protocols for the services profile support credentials storage data loot storage logging reporting those are the core components of the cth so you can work on it and also you need to choose what abilities you expect from the implant if you are developing an implant of course that net tradecraft is very popular these days so if you want to follow a path for development you need to go with whatever you are comfortable sometimes this is go or rust or nim but sometimes it is.net net is good for some cases because it is so

integrated to windows in several different layers and it is very very uh mixed in so simply it is well preferred but it comes with drawbacks for example mc is attached to that net after 4.8 that means if you see the clr 4.0 and then that net running on it for example 4.8 then you are dealing with mc in real time loading assemblies will be monitored but for that net 3.5 on clr2 uh would be great for you to run the code with an omc integration but this doesn't mean that edr is not monitoring you so lots of components are there but net gives you platform invokes direct integration and also safer implementation if you are not in hostile

body you can easily use dotnet for purple team exercises if you don't have any concerns to hide your malware from elsewhere or any other parties such as real trade actors i have development repositories for all of those so simply ta 505 repositories there we have ct and implant and we have tessat as well and now you have also an offensive development training trade craft development in adversary simulations from beginning to end so simply ground sky you can easily develop your implant with advanced features as well so i provide these examples for it for a reason for example this one is a simple demonstration of the simple components these exercises are split to four chapters and this video is for the

second chapter simply we have examples for example this one is check process it's a simple class you can add this to your code and this will give you an idea of if a process runs or not if it is running that's that's something for you let's make it offensive check the process running or not and the process name will be for example crosstracking those defender or something like that then you can see that there's an edr or antivirus running see it is easy vip client gives you the web communications and it accepts parameters and then it actually retrieves some data from remote and then parses this data and then gets it any actually instruction list

interactive menus are also provided for example register registry menu advanced is that file so you can see the interactive manager but in this example the web collide is actually getting the data and the data is parsed as input so the interactive menu turned to a non-interactive menu through that page asm helps us to load an assembly from uh local or remote it is up to us in this case we use dotnet so we use client download data and it is url that means we will use that web client if it would be a file we could download the file from the local pad what it does is simply executing the net assembly or compiling the source to make

it running and in this case everything happens in memory and you have examples of the content to write to the files you have also examples of uh compiling it at multiplication and you have examples of how to run a third party.net code with no information but in your process so examples are there but if you've gone to if you want to go back the chapter one there are way easier examples and it starts with hello so i don't know where you want to start from but this is a good example that actually gives you opportunity to customize your code for example this part is so easy to run.net called segments because it gives you only five lines to

run this and it is so easy to understand if you go to the web circuit implant the the the objective will be changing slightly because you make it interactive circuit so you can use this circuit as is in your environment and you can make it an interactive component so simply your malware will be connected to you using http or https but top of it hdb web socket just like the tcp stocks it will be in real time and it is a native http protocol so you don't need to justify your scenario it could be like an api or a kind of a web chat or something like that so it blends in very fast then

processing the instructions it is that easy it is not that complicated it is easy so simply your menu this time driven by a kind of web store case service i also provide web social service for you so it can be identified through that way and it can run and this service circuit is simply creating a new circuit for you and then listening to the implants connecting when the implants connects you have interactive menu again to run on it so it's up to you again what you want to do is really unlimited in this case instructions will be a kind of landing page for you and then you can add your other instructions for example inject payload

inject content run this command get this command check the process running but every part of it are actually split up to gadgets that's why while developing i use generally gadgets and make them actually working just like legos this is the chapter 2 content so we can actually compile the content using mono or the native windows in that training you can see the details of various options how we can compile them and how we can run them this is an example of web client compiled and if we use uh the same repository you will understand that there is also a cq like text file there so you can use that text file as a c2 for example running

those commas will help you you can download the text or you can give that content to our web client directly so it's up to you our web client was downloading a file and running it right so if we give a url to our raw assembly file it should run it that's the scenario so that's what we expect so our malware initially has no malicious intentions but it goes internet downloads another actually executable another.net assembly loads the memory and runs this see it makes it malicious from now on because we have a third party call coming and in memory not on disk that's why antivirus doesn't understand this but edrs still monitor and that's another case that we discuss in that

trainings letter sections another example is uh web circuit is the interactive example for this one because in the web circuit we simply make it interactive in real time that's why it needs a service this time because initially the web itself is http file and it can be any file text or binary or regardless but in web circuit we need to host something and we need to wait for the connection in this case i use net web socket service and it will be running just like.netron so you can start actually modifying it and you can run it as that network it can work on that net 2.2 3.1 and that net 5 as service so you

could be quite flexible for the server component as seen you are actually on a shell and waiting for an implant to connect if the implant has the classes i pointed out the implant can connect to that url that url is a ws bodybuilder it can be http as well uh for executables you need to use mono on linux and mac because they are not native windows as we see it is connected to our web server environment which is web socket and the implant is there when we hit the commands we see the implant is actually running those instructions so you can take it from there and you can actually advance it now let's uh move on what we can do more

attack has individual capabilities it is coming with the same training as well and you can actually differentiate those components and you can actually focus on one of those or maybe a couple of those if you need and this what i did actually i will explain shortly these examples for example executing a.net sharp binary that net assembly simply another sharp code a kind of net source code c-sharp source code exec for the process or powershell automation they are features that you can take out as a kind of function but you also need to add evasion tactics because eventually your repository will be opened for example patek is out there for almost two years and it is

in different levels its name is binary its source code so you need to change things you need to hide some content you need to perform obvious cases or you need to add layers such as dropper then a loader then a shell code full implant and then adding additional modules on the implant this journey is a long path and if it is identified by a kind of malware reverse engineer the engineer will see only one of those or whatever you loaded in memory but not all the phases of the exercise that's why what we are trying to do is making things harder for them because adversaries already make it harder so we need to train our defense in that

manner we can also add detections for automated analysis as well we can force the analysts to take it in person we can detect the sandbox we can avoid virtualization we can refuse debugger environments so those are the things that we can leverage to make things harder for the analysts i developed a new project the blunt implantment and there is no documentation for it yet but the repository is there tbi so you can go to my github and you can find this one and i still have a limited understanding of what i will do next with that but currently it works just like in this one it actually grows in memory it has some functionalities the core

functionalities such as running instructions or loading your module or loading your module from an image in remote so if the module is for example sample module it looks for get instructions and operate and uh it actually get use get instructions to extend the menu and add the menu items and then operate to run those instructions in that new model so it doesn't know what modules are there and how it is developed what it is interested in is actually are get instructions and operate so it's a good example and i used a legitimate websites to actually drive this tool for example image website because i hide my content in image images those images are simply having the bytecode after the end of

file and they have actually or key as a part of it so xor key is the separation and after that the byte code is there actually not bytecode bytes simply byte array so byte array is a binary content that we don't know it is a text file such as config or an internal module for tbi modules or a shell code to inject and tbi actually loads these components from this image service and then adds additional stages or additional features to run some assembly to extend the features for example uh using assembly components it bypasses mc it a provides you interactive web socket it gives you a injection opportunity so you can use donut or cobalt strike injections

so it uses legitimate websites and you can drive this and the components are actually growing in memory so you don't need to shift everything at the same time and they are a part of the same environment and you can interactively grow them these are the sample commas such as load module from a remote location the type is image the type could be a local file as well that is also fine or azore file so it's up to you how to design this because there is a deployment uh script there that you can choose when you load the module that many features uh the instructions available in the module such as disable it available for antivirus bypass exec assembly image is

available for the assembly module or injector model has injector or inject xor inject image so you have multiple options so you can use it this is a simple example uh of this execution i have recorded this video in our internal the missing link event so simply uh it's a very short video deployment sh compiles everything for us and you have a compiler there as well but you need to customize it and it is not error-free believe me when i used the websocket as i previously demonstrated the service is running there i'm currently using process config and it will process the config file given so the tbi is running and it will look for the url and then extort key for

example kimi so it will download this png file which is an image and it will use kimi to actually decrypt this xor and then it will run the commands inside the commands are simply load assembly features load web socket and connect to the web circuit and give the content as you see it is connected to our websocket and that web circuit module is there but there are other modules and initially it didn't have any connect command but now it has because of this model and now we are using load model file kimi again the exal key simply and antivirus bypass mode and this module could be a remote model or local one in this case it is file xor

file instead of an image on the remote service as you see the module is loaded now antivirus bypass model is there and disable it is available now which is a new command that can disable the antivirus so we have multiple modules here but you also need some essential features such as swissy img test and xor inc and that helps you actually actually does help you to encode something encrypt something add some features and etc so they are serious iron knife uh and knives for you to develop additional cod segments so you can hide your activities uh in plain images just like stenography but in a poor way poor man's stenography simply after the end of file components and it will be a

part of the png jpeg or other files and you can use legitimate environments such as image share simply we need to remember always tradecraft development requires trade intelligence data we are not developing this in the wild uh and just without no information we are making it through the trade intelligence data because we hear something and we try to make it sense that's why we developed those tools adversary simulation packs provide actually examples for various components antivirus bypasses evasion tactics executions injections so seeing an adversary simulation pack is quite valuable so you can investigate every layer of it so find your favorite language and start developing that's what i'm suggesting otherwise from beginning or from in the middle of it just changing your

code segment or start with a hello it's up to you but development really helps for adversary simulations these are my references for this talk and uh the content so it will help you to understand how i develop my tools and my components i hope this can answer satisfy a couple of questions in your mind anyway and feel free to ask more questions um so this is a recording i'm not sure how i will get the answers but it will be honestly in the business part so i appreciate you if you ask questions and i will try to answer them live or through linkedin or github you can of course register your questions or issues as well tbi is still proof of concept i

haven't decided what to do with that so uh you can use tbi but don't don't expect any support yet i will uh decide what to do next and then i will inform you as well thank you for your time thank you for listening to me and thank you peace for hosting me for this presentation have a great one

okay if you can still hear we are just moving over from a recorded talk to a live talk so service will be resumed shortly just a reminder ctf and stuff is kicking off upstairs if you have any issues with the ctf drop a support ticket through to fifth domain um this is why we sent the email out like a couple of days ago just to get those user registrations in and make sure that they were all set up and as part of a team so fifth domain do have a couple of guys over east who are helping set things up so be patient drop your messages through and that should all come and work uh be sure to have a wander around if

you're here physically in sight at the moment uh kinetic i.t you've got some space upstairs and happy to take uh guests and things walking around they've got some cool swag some bits of giveaways uh we're running a couple of additional competitions that i didn't tell you about earlier on so not only are there prizes for the ctf and the incident response ctf and the other bits and pieces there are some prize drawers and stuff over here as well um best tweets best photos all of those things all good so get those out there um we will be picking one today and one tomorrow maybe more if there's some cool stuff but there will be the usual

baysides perth uh challenge coin and a bit of a surprise giveaway on that as well so get those out there okay we're just about ready to move over to the next talk

yeah testing testing cool looks like we're operational again so when it goes through youtube fine to get out here booming out here i just remind everyone after this talk it's gonna be morning coffee uh just for everybody that's over here on site as well if you can hear me coffee van has been extended uh so we've bought more coffee beans and water and everything else so help yourself that'll probably be here until lunchtime and then uh snacks and bits will arrive ready to move over

can i tell them yeah really sorry for everybody that's not here in person but mob donuts have done a delivery for us so we've got kilos of carbohydrates here on site

let's kick off with uh anthony jones

he's going to tell us all about his talk hell i just want to welcome you all to besides 2021 here in perth and thank you all for being here both in person and online i'd also really like to thank all the organisers the sponsors university of wa all the volunteers involved in putting this event on it's absolutely awesome to be able to present to you all so a little bit about myself i'm anthony jones i'm a security consultant with kinetic i.t protect plus and i've been in various risk management roles for the previous 10 years i'm obviously passionate about cyber hence why i'm here but i'm also very interested in history and what we can learn from it to help

guide us in the future and it was a combination of these two interests that provided the inspiration for my topic today and i hope you'll find it interesting

so my presentation today is spears enigmas and quantum computing the evolution of encryption and war so today we'll be taking a look at the role of cryptography through uh warfare throughout history including some of the key cryptographic moments in history that had ramifications not just for wars but for also greater society as we know it we're then going to take a look forward at quantum computing in the context of cryptography and what that might mean for the cyber wars of the future so first up we go all the way back to ancient spartan warfare

so from about 700 to 400 bc uh spartan military officers utilized an ancient encryption technique called the city cipher so the city cipher involved wrapping a piece of leather or cloth around a rod or a spear before writing a message and then to decrypt or read the message you had to re-wrap that leather or cloth around a rod or a spear of the same diameter this enables spartan military officers to send encrypted messages to one another via messengers with some protection against those messages being intercepted and the information being used against them

next up we move all the way forward to world war one so during world war one there was a plethora of encoding and encryption techniques utilized and one of the most popular was code books so code books would have hundreds or thousands of phrases written in them each with an associated number up to five digits so that when you wrote a message the phrases you used were simply replaced by the associated numbers in the code book there was also something called super encryption utilized which was when a message was first encoded using a code book and then encrypted using a simple uh substitution or transposition cipher now to paint the picture a little bit in

january 1917 world war one had been raging for about three years and was effectively in a stalemate both sides were engaged in horrible trench warfare with neither side gaining much ground without tremendous loss of life at this stage the united states had remained neutral in the war and had not engaged outside of selling suppliers so this all changed with the introduction of this innocuous looking telegram

so the zimmermann telegram was sent by arthur zimmerman who was a german foreign affairs official in world war one and the information it contained would arguably change the course of the war the telegram was sent across a two-part journey firstly from berlin to the german consulate in washington dc and secondly from washington dc to its ultimate destination in the german consulate in mexico unbeknownst to the us or anyone else at the time the british had actually tapped the us diplomatic lines that ran between europe and the north americas and had intercepted the zimmermann telegram on the first part of its journey however due to the telegram being encoded with codebook075 which had only been partly cracked at

the time they were only able to decode a small part of that message that small part though was enough for them to realize that what they had could potentially change the outcome of the war so the british were now in a conundrum they had partly decrypted a military intelligence that were gathered by a means that they needed to keep secret so they came up with a plan they bribed a telegram official in mexico for to obtain a copy of the encrypted zimmerman telegram and now by either luck or design when germany had transmitted the telegram they had effectively committed a downgrade attack on themselves this was due to the german consulate in mexico mexico not being able to decrypt

code0075 this led to the telegram being rewritten in the less secure code 13040 whilst it was in the us before being sent on to mexico so this meant that the new zimmerman telegram that the british had obtained was able to be fully decoded once decoded the british handed the telegram over to the us alongside with the cover story of having a spy in the german consulate in mexico who had obtained it this cover story was ultimately effective and the british continued to spy on the u.s diplomatic lines for another 25 years

so this is what the zimmerman telegram looks like decrypted or decoded germany were offering mexico the states of texas new mexico and arizona as part of an alliance in the event that the u.s joined the war as well as announcing that they were going to begin unrestricted submarine warfare including against u.s merchandise vessels now initially the us thought that this intelligence was fake until arthur zimmerman himself came out and admitted

so what were the consequences of this telegram

the u.s received the decoded zimmermann telegram in february 1917 and on april 2nd less than two months later they declared war in germany and officially entered into world war one by november 11 the following year world war one was over now i'm not claiming that the zimmermann telegram was the only reason for world war one's outcome or for the u.s entering the war but according to official war historians it played a pivotal role in both so to summarise the british performed a man-in-the-middle attack against the germans whilst the germans performed a downgrade attack on themselves the result of which arguably changed the outcome of world war one next up we have world war ii and the

enigma machine

so the enigma machine was originally invented in world war one by another german arthur uh arthur sherbius and it was used extensively by nazi germany and world war ii it was an electromechanical rotor substitution cipher where each rotor inside was effectively an alphabet the basic machine operation was you would press a key or a letter on a keyboard the rotors would move and complete an electrical circuit and it would appear a light would appear above another letter those illuminated letters were the ciphertext now what made the enigma machine so successful were the keys utilized so the keys were the different possible configurations of the enigma machine itself these included the order of the rotor the rotor starting position the plug

board settings and more and in total provided an estimated three times ten to the power of 114 possible machine configurations uh this made the option of manually brute forcing the machine or guessing the machine settings impossible this is just a photo of what the rotors inside the enigma machine look like and how they're effectively each in alphabet

so how was the enigma machine cracked well despite what movies like the imitation game would make have you believe it wasn't originally cracked by alan turing it was actually cracked by the polish cipher bureau in 1938 before world war ii had even begun the polish cipher bureau also invented the bomba cryptologist or cryptologic bomb that enabled them to trial enigma machine settings far quicker than was possible manually the bomba design was created with some help from french german spies at the time who had gotten their hands on an enigma machine manual just before the beginning of world war ii nazi germany made improvements to the enigma machine and the way it was used by adding additional rotors and changing

the keys more regularly this meant that the bomba machine was no longer effective at cracking them just before this happened however the polish intercepted and decrypted messages from nazi germany germany indicating the impending invasion of poland so in 1939 the polish cipher bureau fled the country and shared their knowledge of enigma machines and bombers with british and french intelligence which brings us to alan turing and the other code breakers at bletchley park

so utilizing the information provided by the polish cipher bureau the allied code breakers at bletchley park led by alan turing invented the bomb which was an upgraded version of the polish bomber the bomb would successfully crack the new enigma machine and calculate their settings before the keys were changed this marked the beginning of a cryptographic cast and mouse game before not between nazi germany who kept improving the enigma machine and increasing the key changes and alan turing led code breakers who kept improving the bomb machines in response at one point the naval enigma machines were enhanced with the introduction of a fourth active roto and for a time this proved uncrackable for the allied code

breakers however due to some key intelligence that was captured from a sinking german u-boat including one of the newly enhanced enigma machines the allied code breakers were able to enhance the bomb machine to such a level that it could both crack the most complex enigma machines and the even more complicated and recently introduced lorenz ciphers this is a photo of one of alan turing's bombs and by the end of world war ii there were several hundred of them so what were the consequences

well official war historians estimate that the allied force code breaking efforts cut two to three years after world war ii and saved an estimated 14 to 21 million lives also alan turing and other bletchley park alumni use what they had learnt inventing and improving the bomb to invent what was arguably the first programmable computer which has obviously had a massive impact on defining modern day society as we know it which brings us now to present day so the good news is that the current gold standard encryption algorithms that we use are pretty awesome they've all been around for a decent amount of time now and have had no or little susceptibility to various cryptographic attacks

to give you an example of the idea of their relative strength against brute forcing attacks of the algorithms on the screen rsa or reverse shamir adelman is the weakest per bit of key length however it would still take a current conventional computer about 300 trillion years to be able to brute force a 2048-bit key rsa algorithm seems pretty secure [Music] but what about these guys what about quantum computers are they a legitimate threat to our modern day cryptography

to answer that question we first need to understand how powerful they currently are and could be in the future this depends primarily on uh the number of quantum bits or qubits that they have and the stability and error rate of those qubits so to briefly explain what cubics are and what makes them special let's compare them to conventional computer bits so conventional computer bits are binary they can either be a zero or a one at any given time whereas qubits through the quantum mechanic of superposition have the ability to be both a one and a zero simultaneously what that means is that qubits have exponentially more processing power than bits and for every additional qubit you're

effectively doubling the computational power so for one qubit you have twice third two you have four times the amount three you have eight four 16 and so on so by the time you get to just 50 qubits which 50 cubic quantum computer already exists today it is already more powerful than the most powerful supercomputer in existence so how long do we have before a really powerful and stable quantum computer exists well there isn't a consensus uh at the moment but the common estimates are between five and twenty years from now to give you an example google is uh currently aiming to have a 1 000 stable qubit computer built by 2029 as far as who will have them first

that's a race between the tech giants of the world like microsoft ibm and google and the world's most powerful governments 15 of which at the time are at the present time have an active quantum computer program

so what does that mean for today's encryption well the good news is that aes256 is already quantum resistant and quantum computing would only be able to reduce the effective key size down to 128 which is still considered secure the bad news is all of the commonly used asymmetric encryption algorithms such as the ones on the screens will all be brute forceable to give you an example the 2040 bit key sr rsa encryption algorithm that took the conventional computer 300 trillion years will now take about 10 seconds for a 4 000 cubit uh quantum computer to brute force

so what are the consequences if all of our current asymmetric encryption is no longer secure

well in their current states tls would no longer be viable so there goes the most common secure communication method over the internet uh there'd also be no secure way to exchange symmetric keys online which would nullify much of the effectiveness of quantum resistance symmetric encryption like aes also digital signatures and certificates would no longer be reliable or trusted so there goes all of the public key infrastructure from a cyber warfare warfare perspective if an adversary was able to build a stable quantum computer they would effectively be able to decrypt any data in transit or that they had captured and impersonate a trusted source both of these would be a tremendous advantage in the context of war

so what can be done about it the good news is there's the hunt for post quantum cryptography is already well underway and several families of quantum resistant uh cryptography already exist in fact since 2016 uh the u.s national institute of standards and technology or nist has been working towards assessing and standardizing post-quantum asymmetric photography algorithms they're currently down to the final seven submissions and are estimated to have selected the new standards and published them by 2024 up there's just a link if you'd like to learn more about that

so to finish my presentation i wanted to leave you with some food for thought about some of the other possible cyber security implications of quantum computing things like what the password length requirements might need to be the compatibility and hardware issues that post quantum cryptography might introduce or what quantum malware might look like in the future

thank you all for listening to my presentation uh were there any questions awesome thank you very much

[Applause] thanks anthony thanks for the talk um so we're going to break now for probably 15 20 minutes we've brought the donuts forward so hopefully that makes everyone excited the coffee van's still here there's a fridge full of v head outside we'll let everyone know everyone know when we're going to come back in here shortly uh reminded the ctf is on and yeah thanks thanks for coming

[Music]

so [Music]

[Music] so

[Music]

[Music] you [Music] [Applause] [Music]

[Music]

hmm

[Music] [Applause] [Music]

[Music] [Music]

[Music]

they're testing one two

cool okay grab a seat we're ready to uh kick off for the rest of the morning session uh just while you're getting comfy and taking your seats i'm just going to hand over to byron from aws who's got a couple of words on the training g'day folks my name is byron i'm a solutions architect at aws so i'm running the aws workshop today which is all about protecting workloads from the instance to the edge we didn't have as many people as expected this this morning so what that means is we've got plenty of accounts left if you want to do it this afternoon so what i'll do is i'll rerun the workshop this afternoon for those that

um were unsure about if they wanted it was something they wanted to do or unsure if there's going to be enough space there's lots of space and what we'll be talking about is we'll be looking at if we're running a workload on aws how can we protect it on the instance itself in terms of scanning and automatically patching for cves right through to the edge how can we set up a web application firewall in front of our workload to protect from some of those obos top 10 vulnerabilities so i'll kick off as soon as lunch finishes we're not quite on the highest floor we've nabbed one of the rooms at the top of the stairs on the first floor so if

you want to get hands on with aws it's a really awesome opportunity we've got a bit of a dashboard so we can run a bit of a competition uh be great to see you there cool cheers oh thanks byron um somebody's asked if you can be on the discord as well i think they've got some questions and bits coming through so we'll hook you up with a link for discord and have a chat um i think now if these stragglers can jump in grab a seat we are ready to kick off so i will hand the mic over to cairo who will be talking about risk it for the biscuit thank you all right good morning

thank you for coming to my session i know there's no others running at the same time so i don't have a lot of competition but thank you anyway uh today i'm presenting riscott for the biscott which i think may be the best pun i've seen in the talk titles so far so i'm gonna self-appoint myself winner of that slightly disappointed they didn't serve biscuits at morning tea but anyway we'll move on so as a bit of an introduction hello i am cairo i used to work as a cyber security advisor at one of the world's largest mining companies up until july of this year and it was my job there to assess technology across both enterprise and

the industrial or operational parts of the business i'm currently working for octopus deploy so i have moved uh from digging into the dirt up into the cloud if you're interested in devops and code automation you can probably don't talk to me because i don't do the code automation stuff i'm in the cyber security team i also have a cis and a bachelor of arts and if i seem familiar it may be because i have been involved with a whole bunch of acronyms which you can see up on the screen there so to get into what i'm actually talking about today i'm going to start with some really basic definitions just to make sure we're all on the same page

then i'm going to talk you through the controls that my team would be interested in when we were doing risk assessments on operational technology and then i'll take you through a slightly vague not proprietary case study from my time at my previous employer so i'll start off what actually is operational technology this is hardware or software that controls or monitors physical processes so this is what we're talking about in terms of manufacturing mining utilities it's not you know logging onto your laptop on your corporate network sending some emails writing some word documents playing in excel we're actually talking about things that control big crushes conveyor belts um anything kind of in a factory setting those kinds of things

and also the safety and monitoring systems that surround them so there's a lot of quite dangerous things going on in these environments and there's people in there that need to interact with um that technology as well so there's monitoring and safety systems that look at things like air quality that look at seismic activity if you are drilling down into the earth and all of those kinds of things that are going to help keep people and keep the processes safe so this presents a slightly different challenge to traditional i.t generally speaking the systems are quite a lot older and they're also quite a lot harder to patch because they are usually ridiculously old and also you've got really small change

windows and you know if you want to take something offline for 10 minutes sometimes you're looking at 10 million dollars of lost production in that time so very very small change windows you're also heavily reliant on vendors in this space there's a lot of technology in this space that's basically built by two people in a shed who probably used to work for a mining company and thought i can solve this problem and they've built a little black box they've put their software on it and they stick that in your environment you probably don't really know what's on it and they're probably the only people that actually make that product so you don't actually have a competitor that

you can go to and finally and this is probably the most important one when we're talking about the impacts of cyber security incidents when it comes to operational networks and operational technologies the impact of those incidents is quite a lot greater than in a traditional enterprise environment we're talking about millions and millions of dollars lost very very quickly and even more important in terms of people and safety your impacts are looking at injury or possibly even death so for example i did a risk assessment on a mine in mongolia it's an underground mine it has a shaft with a lift in it that takes people underground there's 200 people in that lift at any one time and if something goes wrong

with that you've got 200 people who could possibly die if something goes wrong so there's a little bit more pressure to actually do things right in these kinds of environments so what is a risk please do not actually read the picture i'm not a mathematician but i don't think that checks out um so in really brief terms a risk has three components you have an asset which is anything of value uh you have a threat which is something that wants to have an impact on that asset and you need a vulnerability which is a weakness so to steal a metaphor from casey john ellis uh an asset is your face uh a threat is someone wanting to punch

you in the face and a vulnerability is your inability to actually block that and when we're assessing a risk we're also looking at both the likelihood of a threat occurring and the consequences so this is how likely is someone to punch you in the face and how much would actually hurt and obviously that's going to impact how you judge that situation and what you do to avoid it so performing a risk assessment in an operational environment these are the eight domains that my team would traditionally look at a bit of a disclaimer we don't we haven't actually based this on a specific framework or standard or anything like that it doesn't map strictly to anything it's just

what we put together and what we worked with and what we found was a good thing to do so a bit of a disclaimer there so i'm going to take you through the key controls for each of these domains and i'll kick off with network segregation and segmentation which is not a tongue twister at all so first up one of the major controls that we're looking at in an ot environment is actually having it segregated off from your enterprise environment and a big part of that is making sure and this sounds a little straightforward that all of your operational systems are actually on your operational network um it can be really easy to plug that

stuff into your corporate network and then you know there's there's different considerations that you need to have uh and a an enterprise network probably has less of a consideration of uptime it can go down without it being a big deal it's more of a big deal when something goes down that's an ot system so making sure your ot systems are on your ot network making sure your ot networks are not actually connected directly to the internet because then probably a whole bunch of you folks in this room would try and get to it usually you want to have access through a dmz or a data diode or a unidirectional gateway rather than having a direct connection

from your enterprise environment into your ot environment and going along with that nodes your home devices so don't go to all the trouble of segregating your networks and then plugging something into both networks and wondering why things go wrong uh the next step then is segmentation so within your operational network actually having segments within that network to separate things out that don't need to connect to each other um if you actually have that in place then if you have an incident with you know it's let's say you get malware on your truck um you don't want that malware to then get to your drill seems pretty straightforward um so segmenting that out with vlans having

things separated out rather than just all in one big mishmash of a network always a good idea and finally one thing that we would tend to look for if you've got low value assets so like little monitors that are looking at things that you don't necessarily need to have real-time data on or that's not high value data keeping those out of your actual internal network and pushing them onto public 3g or 4g even 5g now that we're all getting vaccinated it's going to make it a lot easier to keep those kinds of slightly dodgy maybe not the most secured sensors off your actual internal network and this is a big thing now also with a

lot of vendors when they create sensors and monitors they want to be streaming data out to their cloud service so it needs an internet connection you probably don't want that in your operational network so just push it out to the cloud stick a sim card in it let it send off to the vendors cloud and you're not going to have too much of a drama so domain two vendor and third party management um the first one is making sure you've actually got endorsed remote access solutions to have your vendors actually accessing your network you do want vendors getting into your network because nine times out of ten they're the ones providing the support for whatever black box it is that

they've sold you and you want them actually patching and updating that and doing support when they need it but you don't want them just logging in you don't want to have team viewer on all your engineering workstations that's not going to end well like a particular florida water treatment plant yeah yeah that was a good one again you don't want direct access to your operational operational networks um actually make sure your remote access solutions abide by your network segregation requirements don't have third-party devices connected to your operational network this is a really big one with vendors that want to come in and patch a piece of hardware they're going to bring in a usb that they've taken to

100 different mine sites that they've probably plugged into their laptop that they're on while they're perusing whatever websites they do in their spare time and then they're going to bring that into your operational environment and plug it into your hardware that you need to keep your trains running generally not a good idea and this also goes for your internal staff as well because a lot of them will have a mobile phone that at some point they're going to want to charge and they're going to plug it into any usb that they can find regardless of what that actually connects to and finally all vendor and third-party access is monitored and logged this also goes for physical access so if

you have people coming on site in person actually doing work making sure you have them sign in you have someone accompany them and it also goes for their logical access as well i think a uh a few hackers that i know often like to use the phrase no logs no crimes you want logs so you can tell when there's crimes so domain three identity management and infrastructure access now a lot of this does line up with enterprise access management so a lot of it's going to be pretty basic access management the stuff we all say is really easy and then none of us actually do very well uh so first up you want to restrict

physical access to your infrastructure take a look lock leave approach don't leave doors to data centers open don't have you know engineering workstations out in the middle of a workplace where people can just log in and start messing with your trains all that kind of stuff and then your basic access management so only grant access to those that need it remove it when it's not required review it on a regular basis and then things get a little bit trickier so shared accounts we all know we want to avoid them where possible in an operational environment there are often legitimate needs to actually have shared accounts one of the ones that you know i would see quite regularly is a lot of the

safety monitoring workstations where people are watching trains down the rail corridor it's not actually possible for those people to at the end of a shift log off and have someone else log on because that means there's that window where no one's actually monitoring that system so those people have a legitimate need to actually share an account so where you have those legitimate needs and make sure you double check them because people will say they need it and they probably don't but look at stuff like limiting the access of the shared accounts make sure those shared accounts are locked to that particular workstation so they don't have a dynamic login that can be used elsewhere make sure you have those shared

workstations in a physically separate part of the building and make sure you're actually logging staff who are on shift so that you can attribute any actions that are taken on that account at that time passwords i'm not going to go through basic password requirements because you folks should hopefully understand them but one of the big things is changing of default vendor passwords in a lot of operational technology contexts vendors won't actually let you do that and it will be a violation of your support contract if you change that default password because they're probably lazy and they want to be able to log in with the same password to all of their customers so double check if this is in fact a

requirement of your vendor if it is in a support contract try to get it taken out and be able to actually change that default password you also want to have separate identity management to your enterprise environment so don't go to all the trouble of segregating everything out and then have one active directory managing everything have a separate active directory for your enterprise environment use a centralized password management platform for your system and your infrastructure credentials and also make sure your service accounts are non-interactive because they should be for services and not for people so number four configuration management and hardening so this is kind of a mishmash of different things you want to be looking at limiting and

restricting removable media so that usbs people are plugging in you don't want those uh you want to make sure you've got version integrity monitoring for your plcs uh you want to disable services and components that you don't actually need again that's some basic hygiene stuff make sure you're not storing credentials in clear text particularly within config scripts and that kind of thing if you can have a standard operating environment that you use for everything in your environment that way it keeps it nice and consistent you know what's happening you don't have to actually think about what's switched on for each thing disabling insecure and legacy protocols and use secure alternatives where possible so we all know this ssh for

sftp not telnet and ftp this one's actually a really difficult one to do a lot of the time so if you can do it good job i envy you and finally where you do have exceptions to a lot of these things because you probably will particularly with those legacy protocols actually record them weird idea have some governance around it actually know where they are keep track of them if you can get rid of them down the track then do it but you're not going to be able to do that without actually having a record of where they are and why they're there so this is some pretty basic threat and vulnerability management stuff but it

can be quite difficult to do in operational environments because you are working around all of that segregation as well so have monitoring in place for your mission critical ot systems there's actually a bunch of vendors these days that sell appliances specifically designed for operational networks um so you've got nozomi clarity dragos are all selling that kind of thing so those are specifically designed for those environments which makes them a better product they're not designed for an enterprise environment then you just stick it in there and hope it picks something up patching again quite difficult when you are not connecting to the internet and you're trying not to implement too many changes and you have very small

change windows but patch everything that you can and also make sure that your vendors are patching the things that they're responsible for because a lot of the time they will try to get away with not doing it and also make sure you're in a lot of cases you will be reliant on vendors to actually test that whatever they sell you actually works on a new operating system make sure you're working with them to make sure they do it in a timely fashion and you're not sitting around waiting for them to do that testing before you can actually roll that patch out and finally actually deploy antivirus and make sure you do update it and have some central management within

your ot environment again not from your enterprise environment i'm going to keep hammering that point home so end of life systems actually identify them because i can guarantee you they are there they are 100 there they're hidden and in a lot of places you might not be able to actually upgrade them so actually identify them first to start with make sure you have plans to actually replace and upgrade and actually put those into the budget i know a lot of us don't like having to do the management side of things actually you know add the numbers up and see what you can afford to do but you need to do that for these end of

life systems because otherwise you're never going to be able to get away from them and finally where you can't and i can guarantee you there will be ones that you can't because that particular vendor only sells that product to run on windows 98 and they have no interest in upgrading it so you're stuck with it um actually look at what you can do to act to limit its exposure so have extra restricted access have targeted monitoring extra extra extra isolated and segmented away run it in a vlan whatever you can do to actually try to put some extra layers of protection around it so resilience and recovery here we are looking at single points of failure

there will be some try to make them not be very good advice make sure you actually have processes in place to perform and test backups and this should go for both data and for configuration so if you've got system logic or plc logic converter firmware make sure you're actually backing up the configs for those devices because if you have to configure them all from scratch you are not going to be having a good time so actually test that those backups will work make sure you've got bcp and dr for ot systems and actually test them which is the step that most people forget and actually run through those tests and then work any findings back into your

plan and finally make sure you actually know who to call which isn't ghostbusters in this context if there is actually an incident i mean maybe you've got ghosts in your ot network i don't know um but make sure you know who to call the thing with a lot of these ot networks is they are very physically isolated a lot of them are out in the middle of nowhere i don't know how many of you have been to the pilbara but it's a big red nothing with a mine in the middle so make sure when something goes wrong the people out in the middle of nowhere know who to call and if you're in the office looking out make sure you know

who's on site who can help you if you actually detect something because getting to talk to the right person is probably 90 of your battle in a lot of these situations and finally i know the governance piece is all of your favorite one so actually keep track of some stuff have an asset register have a vendor register make sure you have contracts in place include cyber security within your contracts include ongoing support and maintenance in your contracts make sure you actually tell your vendor that you have cyber security requirements before you engage with them and then make sure that they can meet them and then come back later and make sure they're still meeting them

and make sure you have processes to capture any exceptions so where things can't abide by the best things that you want to do keep a record of it come back to it fix them later if you can put extra protections where you can't and make sure people actually know about them because the worst thing is is not actually knowing where you have any of these vulnerabilities you can't secure what you can't see so my somewhat vague case study um i have taken a couple of different risk assessments that i and my team worked on while i was at my previous employer and i've combined them into something that's indicative of what we saw but isn't

giving away any commercially sensitive or proprietary information and there is someone from my former employer here and i can see him watching me so i will be careful but this is very common and this is what we were seeing in basically everything that we did so let's say hypothetically you had a drill a very very big drill in the middle of nowhere and this is a very fancy very expensive autonomous drilling system so there's a few things that go into an autonomous drilling system first of all you have your big big drill then you have a human operator who is controlling that drill and that human operator is probably thousands of kilometers away from the drill

is controlling it through a computer and is probably controlling six to ten drills at any one time so for them to be able to do that there's an on-board system on that drill that tells the drill what to do from the operator you've also got your control room where your operator is working and ideally you have a backup control room and then you've got connectivity between all of those things so what are we concerned about with this setup well first of all drills are very big and very scary the internet is also a very big and very scary place so if you have a drill that's controlled by the internet you can kind of see where i'm going with

that and there's some things you need to consider so for example when you stop drilling you stop making money and we're in wa i don't need to tell you how important mining is for our economy well i'm not going to get into that um but if you lose one week of production it's actually going to take you more than a month to make that up and that's actually millions of dollars i mean if you think of the price of iron ore and how many millions of tons of iron ore we are shipping out from wa every day it adds up pretty quick and those big big drills are also very expensive to repair if something goes

wrong so some of the parts on that drill cost three hundred thousand dollars just on their own and that doesn't include the cost it takes to fly a technician from perth out into the middle of nowhere probably drive a couple of thousand kilometers into the middle of nowhere and they're going to charge you quite a bit because they don't want to do it so that those dollars add up pretty quick as well so let's say you did a risk assessment on an autonomous drilling system these might be some of the things that you would find as part of that risk assessment so for example in the category of segregation you might find a stray corporate server

has direct access into your ot network and i'm pretty sure i've said 27 times already that that's not a great thing you might also find that some systems that are responsible for software configuration or change management or infrastructure management they're actually located in your corporate network and have been given direct access into your operational network you might also look at the firewall rules that you have and realize that some of them are quite permissive and they're not actually reviewed very regularly so moving on to segmentation you might look at your ot network and realize that there is a not a lot of segmentation actually going on there so any of your systems and devices can

communicate with each other even where they don't need to so as i think i mentioned earlier if you get malware on your truck it's very easy for it to spread to your drill and no one wants a malwared drill if you were to look at access management you might find that you have some backup workstations that are left logged on at all times they're always unlocked they're unattended a lot of the time so anyone could wander in you might have a physical estop switch which is your big red button that absolutely stops everything in the case of an emergency that might be left unattended and it's pretty easily accessible as well you might have a lot of vendor default

passwords in that environment uh you might have some service account cred stored in clear text i don't need to tell you folks what that can be used for and you might also find credentials written on whiteboards and on post-its within your control room and you get bonus points for that one if there's cctv pointed at those whiteboards and post-its as well so you're probably going to have some bad security hygiene you haven't been washing your hands for 20 seconds so you've still got some legacy and insecure communication protocols there's going to be some telnet some ftp some http um you've probably got a legacy ad integration method lurking in there somewhere you're probably not great in

patching and you probably don't have any antivirus on those servers and when it comes to actually looking at what's happened and what's been happening and what has happened you probably have no idea because you haven't been logging and you haven't centralized that so you don't amalgamate all of that data to give you the full picture and no one's really looking at it anyway so once you know all this what do you actually do the simple solution is to fix it and if you go to some stakeholders and tell them that they're probably not going to give you a very uh happy response um so it's not actually as easy to fix a lot of these things as we might think

and a big long list of to-do's for people who are already overworked and admittedly they're probably fairly well paid because i'm talking about the mining industry but they're very busy and they're just trying to keep the lights on so having these security folk roll in and go actually you suck here's some stuff to suck less isn't going to go down very well but you can actually do some things um so let's say we start off with the process side of things we can probably put in some processes for account reviews we can actually do some firewall rule reviews and actually fix them once you've you've reviewed them and pointed out what's wrong um you can change your process so that

you have password updates when you are commissioning new hardware you can start doing some patching within your ot network within those tiny change windows that you have you can go and mop up all of those default vendor passwords that you can you can roll out something like cyberark for password management you can get rid of that naughty legacy id integration module fix that one up you can deploy antivirus and you can start doing centralized logging and monitoring with one of those products that i mentioned earlier so you've done all of this stuff and things are actually looking a bit better but what's actually left network segregation enforcement very very very tricky that's why i keep

saying that you need to do it because it's actually really hard particularly if you haven't done it from the beginning going through and clearing out all of those connections and re-engineering existing solutions so that they don't need those connections is a very messy and expensive job so you've done some of it you're doing well but there's still a lot left to do and if you haven't done that segregation piece the chances of you actually getting to that segmentation piece are pretty low and removing all of those legolacy and insecure protocols you're out of luck on that one it's just not gonna happen um so this is what got done in three years and there's still probably another three

years of work left so what did we actually learn during this process well number one security is hard particularly in large and complex environments but there's really only one way to deal with that and a good friend of mine often says you just have to eat the elephant which is just start eating like bite by bite you'll get there eventually the second thing i learned was that getting to the right people in your organization is half the battle and when you have an organization that's about 50 000 people and you are spread across the world and you have a division between office people and site people it's even more difficult to actually find who you need to talk to

get them on board and actually start getting this work done but once you find that person and there's always the person they know where all the bodies are buried they know where all the connections are that don't need to be there once you find that person you get them on board happens and it does happen and finally sustainability really is the key to a lot of this stuff there's no point actually fixing a problem uh if you haven't gone and actually created a process behind it that will actually stop it happening again because unless you're a contractor who wants your one-year project to be renewed at the end of the year you don't want to get to the end of

fixing all this stuff and then realize you have to go and fix it in all the other places that it happened again so actually making sure you have those processes to stop it happening in the future drawing that line in the sand and saying we're not going to do it like that anymore and then we're going to mop up will actually mean that you have sustainably fixed that problem so that's the end i don't think i'm gonna have time for questions oh cool i do have time for questions remarkable that was a very quick quick hand up um

specifically for operational technology there is actually um if you're looking at mitre there's a specific mitre for operational environments which i find really handy um i'm not a huge fan of the stride stuff but i just kind of mash everything together to be honest i find that's what works for me um but mitre for the operational side of things is probably the best bet yep

yeah it's pretty much the same so operational technology and ics is industrial control systems um so operational technology is probably more of an umbrella term and under that you would have ics and then you know different other forms of technology but the terms generally are used fairly interchangeably um and there's a lot of other terms some places will call it industrial and operational technology some places call it production technology it just depends what vernacular you want to lean into yes

with not well to be honest um there's a lot of it's not a perfect solution um but it's better than not having absolutely anything to be honest um yeah yeah um but yeah there's things can go wrong but for the most part it if you've set it up correctly and you've done your testing you should be able to run it there's a guy over there who can talk to you a bit more about antivirus and operational technology okay all right lucky lost right down the back

i don't think there will be a move just because it i mean once it gets cheaper probably but what a lot of um those companies are doing is just building their own mobile networks at the moment so they'll have their own one they're they're not working through telstra or anything like that they'll build that out in the middle of nowhere and that's what they use and sometimes they won't even connect back to the internet it's basically just a lan that runs on 3g or 4g but hopefully you know if satellite i mean if elon musk brings us all the cheap satellite he's promised it might be a proper solution going forward but i don't see it happening anytime soon

cool all right thank you so much everyone i'll be around the rest of the weekend

thanks cairo yeah so um we've got a couple of minutes until the next speaker talks um i know that i know that um we're running a little bit behind schedule however we've got a talk that's not going to be happening this afternoon so we're going to catch up so we've got andre next if everyone just give us five minutes just to get set up so feel free to go for a bathroom break or if you want to go and um stretch your legs and then we'll grab jason as well who's gonna be the next talker after andre if he's around

[Music]

okay hopefully i'm back online grab a seat in-house people get yourself comfortable please cool we are just cutting over the slides now and i will hand the mic over to andres talking about social engineering cool 50 million dollars this is how much a group of attackers received in their offshore bank account after tricking a finance executive at toyota in 2019 how does this happen social engineering or human hacking is all about exploiting the flaws in humans building up trust with victims for manipulating them and giving you access to their confidential information and assets such as passwords credit card information money and even access to physical hardware like routers or computers this can lead to immense

financial and reputational loss for an individual or organization throughout this talk you might be wondering how do people still fall for these things in 2021 and the truth is these types of attacks can get a lot more advanced than your cliche nigerian prince scams if these companies can fall for it so can you in 2020 shark tank was victim to a spear phishing attack where one of their cast members lost 520 thousand dollars twitter in 2020 as well this story was all throughout the media where a teenager socially engineered a twitter employee got access to their slack workspace and then their internal testing tools which allowed them to post on accounts like barack obama joe biden

elon musk etc and they said if you send a thousand dollars to a certain bitcoin address that doublet uh which i mean sounds great but unfortunately was not true and they took off with 165 000 worth of bitcoin toyota in 2019 as i mentioned 50 million dollars this was the result of a business email compromise scam and finally in 2016 the democratic party this was a whole hillary clinton email scandal where a bunch of her private emails got leaked due to a phishing scam and a malicious excel spreadsheet which apparently was done by the russian intelligence agency but i'm not too sure how true those claims are perhaps the scariest thing about social engineering is that you need very

technical knowledge in order to perform one and this is evident in that 98 of all cyber crimes involved social engineering to some extent 75 percent of organizations were hit by phishing scams in 2020 and on average the cost of a social engineering attack is a hundred and thirty thousand dollars so what are the steps an attacker can take when trying to perform a social engineering attack on the scale of shark tank and toyota and there are three main phases the reconnaissance phase where an attacker gathers information on their target the pretext phase where the attacker crafts a credible narrative using that reconnaissance for finally the attack phase where the attacker will choose a vector to send that message to

the victim starting off with reconnaissance now as i mentioned this is all about gathering information on the desired target and one way in which this can be done is through open source intelligence or osint and this is all about collecting and analyzing information from publicly available sources so let's just say a random attacker has been given a task of performing a social engineering attack on a certain company every single company today will have a website which is a great place to start as it can serve information to attackers on a silver platter things such as emails phone numbers employee names suppliers what technology a company is using is all extremely valuable secondly platforms such as linkedin

where people love to post about their work life is another great source of information what an attacker can do is go to a company's linkedin page see a list of all employees who have said that they're working at that company and then if an attacker managed to even find one email on the company website they can apply that same format they found to every single other employee in the organization for example b.smith company.com applied to my name if an attacker saw me on the company's linkedin page could be something like a.demola company.com thirdly social media platforms are another great source of information so twitter facebook youtube instagram and this is where people like to post about

what they do or what they're interested in so liked posts pages who someone is following again is all great information for an attacker for example if someone has been liking many different binance related posts on twitter and it's following binance as a page on twitter they're likely going to be using binance as a cryptocurrency exchange likewise if they've liked the hpf page on facebook they're likely going to be using hpf as an insurance provider so far all of these methods have been manual however there are a plethora of tools an attacker can use that can greatly automate this process and find even more information a site called spiderfoot you only require a single domain for have i been

pwned only requires an email and sherlock only requires a username so looking at some examples of these here's a screenshot of have i been pwned from bob gmail.com and what this site does is return a list of sites that that email has been registered on that have recently suffered a data breach and again it shows this breach sites as well as tells the attacker if there's any plaintext information regarding that email floating around on the internet somewhere secondly we have sherlock which is a command line program where you can enter in a username and it returns a list of sites where that username is registered on which again is a great source of information for further reconnaissance

we can see here that bob123 is registered on duolingo fortnite tracker freelancer gitlab github a whole bunch of stuff and finally the perhaps the most craziest tool out of all of these is something called spiderfoot now this particular example was a screenshot i found that returned 80 000 different data points on a single company domain name so they just entered in the website name and it returned 80 000 data points and this is information like ssl certificates usernames employee contact details telephone numbers emails anything you can think of that would be out there regarding a certain company spiderfoot will be able to find it and it does this through passive reconnaissance so querying publicly available tools as well as

active reconnaissance such as network scanning and among other things so now that we've talked about how an attacker gathers this reconnaissance how can they actually use this to fool the victim and this is where they create a pretext or a credible narrative the more reconnaissance an attack performs the more authentic and personal they can make an email which would have a better chance of fooling their victim one other thing that attackers like to do is create a sense of urgency in the victims mind to make them not think properly and maybe miss things that might obviously look malicious when looking at them again some clever tactics that attackers may use are things like swapping out

characters in domain names and emails as well as creating legitimate looking social media profiles which can be easily done through copying someone's profile picture their cover photo their biography then again swapping out those characters in their username finally copying sites styles on legitimate emails and websites is extremely easy to do as well through just inspecting element and copying the html and css looking at an example of swapping out those characters this is a particularly obvious example where in google.com i've swapped out the o for a zero maybe in a sense of panic someone might not spot this but again it's pretty obvious where it does get scary is when there is no visual difference between these two

domain names so this particular attack is called an idn homograph attack or more broadly visual spoofing where an attacker will swap out an english character for a character in unicode that looks extremely similar on the secondnetflix.com this is using the russian cyrillic character ha which looks identical to the english x and can be used to create some pretty legitimate looking sites and emails so we've talked about reconnaissance we've talked about how an attacker can use this reconnaissance now how do they actually choose to attack the victim firstly you have email fishing or just your general fishing and this is often referred to as a spray and prey type of method because an attacker doesn't really need to perform any

reconnaissance beforehand in order to do this and although fairly primitive like your nigerian print scams or that you've won 100 000 scams they can be devastating if someone does fall for them for example links attached in these emails can lead to vulnerabilities on sites like reflected cross-site scripting or cross-site request forgery as well as just link to websites that aim to steal a user's credit card information like fake ecommerce sites on top of that these types of emails can house malware which again can include things like word files or docs files which contain word macros or pngs and pdfs again contain malicious code in them cryptocurrency miners as well is a really big thing that's a bit more passive but is still

exploiting the user's machine without their permission and can be hard to spot at times luckily for us these emails are generally filtered into spam by platforms like gmail and outlook for example here is my 12 year old self's junk folder and i get about five different phishing emails a day from people like sarah with love heart emojis uh crazy south american doctors offering me weird medicinal remedies um random casinos australia post i mean the list goes on if you were to click on these emails you'd see that the sender address is clearly malicious and gmail even flags this with a red insecure lock icon and the sender addresses as well is just complete garbage and not what you do

what not what you'd expect the new balance email to look like next up we have spearfishing which is a much more specialized form of your email phishing and this is where the reconnaissance the attacker performed in the past comes in handy so attackers know that organizations would have intrusion detection systems intrusion prevention systems and all types of block filters to try and block phishing emails so what an attacker does is i try to make the sender address look as legitimate as possible and this can be done through sending legitimate emails for a couple of months getting listed on sites etc an even more specialized form of spear phishing is something called whaling where instead of just targeting

employees you're trying to target your c-suite executives and high-level employees like your ceos your ctos your cfos etc and the pretext you'd see in this when compared to spear phishing or general email phishing is that it'd be more to do with the company so things like threatening to sue cut off client relations um and needing urgent bills to be paid and again these can contain malicious files maybe like malicious court case links and stuff like that and in the past five years whaling has actually cost organizations five billion twelve billion dollars which is nuts moving on from whaling we have business email compromise and this is what affected shark tank and toyota in those 2020 and 2019 attacks

respectively and the difference with whaling is that whaling is all about trying to trick the ceos and ctos whereas business email compromise is all about trying to impersonate them and trick other employees so in the shark tank example someone impersonated a cast member's assistant and was able to get them to send them 520 000 this attack cost companies 851 million in 2020 alone which again is pretty crazy and here's an example of a whaling attack you might see where you've got a spoofed sender address saying that an urgent bill needs to be paid again with a malicious pdf file being attached at the bottom moving on from wailing and business email compromise you have phishing

attacks that occur via the phone and this can be split into two main categories so you're smishing which is phishing through sms and wishing which is fishing through voice call and smishing attacks are particularly lucrative as gartner reported that 98 of all texts are actually read and 45 are responded to which when compared to emails is nuts because only six percent of emails are responded to and this might be because people always have their phones in them and it's more instant form of communication the kova 19 pandemic covert 19 pandemic gave rise to a lot of different smishing attacks for example people were getting messages saying that they'd recently tested positive for covert which again

creates that sense of panic in the user's mind as well as mandatory contract tracing smashing attacks where you get a text saying that you'd recently come in contact with someone covered positive again that's enough to cause panic in anyone other types of scams you see with smishing are ozpost ups and fedex scams and because more people were ordering things online from home during the covered 19 pandemic these again saw arise in popularity wishing attacks on the other hand often used to supplement other types of attacks like your general phishing scams as if a victim knows that there's a human on the other end of the phone they're much more likely to trust that person and here are some examples of those

smishing attacks i was talking about in the top left hand corner that was a red cross mission attack where they were apparently offering free masks and you'll see that the link is a dot ca and that's immediately a red flag because the red cross site is actually a dot org in the bottom left hand corner we can see that you've got a text saying someone had recently tested positive for covert 19 and gets you to click a link where it got you to fill out your details and on the far right is that oz post scam i was talking about and we can clearly see that that link is malicious as it's just complete garbage

next we have search engine phishing where attackers abuse something called search engine optimization or seo and one way in which they can do this is they try to get their sites as listed as highly as possible on indexes like google and bing and this can be done through making sure the website loads quick it works on phone and contains trendy and relevant topics for example during halloween an attacker might set up a halloween costume site make sure it's search engine optimized and get try to get victims to click on it as it appears higher up in search indexes and this can lead to things like credit card details being stolen on fake e-commerce sites the crazy thing about this attack is

that google detected and reported 25 billion of these pages a day which is a insane number finally we have phishing through social media otherwise known as angler fishing and this is where an attacker will try to mimic a customer support representative from a company and target disgruntled customers who might be unhappy with their product or service an example of this attack is the following where someone was impersonating paypal customer support on twitter a couple of red flags with this one is that paypal does not have a blue verified tick and there's grammar and spelling mistakes all over the place which is generally indicative of a social engineering attack in a scenario like this and you can see that that

customer is very unhappy by the emojis they're using so we've talked about how an attacker can use reconnaissance how they make a credible narrative and then how they choose to attack the victim so how do we defend against these types of attacks one method in which you can use is to always check the domain names your sender addresses of links you sent as these again can contain those unicode character attacks and just look clearly malicious you know if you see that red cross website with a ca the red cross website is actually a dot org which would clearly be a case of a phishing attack secondly always stepping back and putting the situation in context and not

panicking because that's what the attacker wants you to do in order to overlook details that again would look malicious otherwise you can also always just contact the legitimate company and confirm so for example if you're given an email from netflix saying that you owe them like a thousand dollars you can just call them up and confirm if that's the case because they'll be able to tell you that that's actually not the case and you can dismiss the social engineering attack entirely and finally in the context of organizations implementing administrative controls such as security training and drills so sending out fake phishing emails and then educating people who clicked on them on the different types of social engineering

attacks again is another effective strategy and finally just stepping back and putting the situation in context is extremely important would michael jackson realistically be messaging you for six hundred dollars saying that he's back from the dead to make more music the answer is probably not thank you

thanks andre any questions for andre great thank you very much thanks andre if you don't mind giving us a couple of minutes before the next talk we just need to set up again feel free to stretch your legs grab a drink anything you need to do and we'll be with you shortly

uh [Music]

[Music] um

[Music] good [Music] so

[Music]

do [Music] so [Music]

[Music]

[Music] [Applause] [Music] all right apologies for the slight delay as with any of these conferences we have some slight technical challenges we want to make sure that the people that are online can also see this talk uh just a quick reminder we'll be having lunch shortly and we were going to have another talk after jason but there's a slight delay as i said we've also got a um a talk that's missing this afternoon um so we will be we'll get back on time shortly [Music] i'm going to pass over to jason so jason's going to talk about dissecting apt attacks using mitre remembered um so pass over to jason awesome hello all right so later on my colleague

duncan is going to do a presentation and he's going to take the piss out of all of my animated slides so if you all just remember that for now that would be good um so i'm jason i i'm a director of pwc which means really nothing i just do thread intel my job is to track bad people on the internet and occasionally probably some of the people in this room who do all of the you know pen testing etc so that's really my job uh in a nutshell um so i've worked for pwc for about five years now before that i worked for crowdstrike for a bit and then before that for asd doing various things on the internet

um what i'm going to talk to you today is um so i go out and talk to a lot of people across australia across europe around kind of well how are you using mitre how are you actually implementing it and how can you make better use of intel to extract all the goodness out of it and what i find is a lot of the basics are being done wrong people aren't really maximizing the use case of you know using mitre to prioritize their detection capabilities and so what i'm hoping to go through some of the the methodologies that i i use in my team use so i've got a team of about 20 people to help me do this

because i'm a director i've got a fancy title and i get to go talk to people rather than actually do any work um so yeah so what i'll talk to you a little bit around okay so thread intel is actually more than just iocs the first talk today delved into this a little bit but there's actually a lot more there's if you read between some of the lines when intelligence reports come out there's a lot more context in there that you can get so it's really about making sure that you get all that data that meets the eye and kind of hides there we'll go on more flashy slides duncan when it starts to move in a second

oh got some lag all right anyway so intelligence looks a little bit like uh intelligence reporting so you'll see some examples in a second so usually it'll have a whodunit whom do they do it to in some cases you'll just get the sector or something like that very rarely you get an organization i think the chat before me mentioned somebody hacking the dnc that was russia so whom did they do it to they did the the democratic national commission or committee rather why did they do it when did they do it uh temporal stuff is very useful in threat intel um it can kind of give you a little bit more context as to you know

how you need to respond to stuff um how did they do it so what did the what did the attackers do and there's more the miter stuff and what did they do uh mitre so hopefully most people have heard of mida i'd be very surprised if anybody in the room hasn't but to give you the tldr it's essentially a framework that allows you to prioritize detection content well that's how i look at it it keeps getting expanded and you know the miter guys do a really good work on on i guess increasing the visibility of some of the techniques that they're seeing plus industry is seeing um we contribute to this whole bunch of other people add in and provide

context we contribute to a whole bunch of the mitre attack groups that they have as well but essentially it's a couple of matrixes they're broken down into tactics so things like recon lateral movement you know credential access all that kind of stuff and then they're broken down into further techniques so from a defender's standpoint it is super useful to be able to break all of that down and start to map it out when it comes to intelligence um it is not a silver bullet though there is stuff in here um or there's stuff that you know we see out in the real world that's not yet listed in here there's probably a couple of months

delay between what mitre tags uh or what it has in here and then what we're actually seeing in the real world but they do catch up quite quickly all right now certainly what do you grew up in the 90s hopefully you'll appreciate this so when you combine the two intel and mitre you get you know captain planet all good fun so what is the methodology so this is the kind of methodology we use um we have when the delay kicks in any second now so we have the first one um so we pull sources from open source from commercial from closed source intelligence all that kind of fun stuff and most people will have access to this

most big organizations will have at least some kind of vendor that provides them with threat intelligence they'll also have the internet which has a whole bunch of intelligence reports and the majority of people in blue team sit in some kind of sharing forum like slack or discord and they will talk about the things they are seeing so you've got your collection aspect here your analysis comes down to how do you go through and systematically map mitre to what you're getting and then does it impact my organization etc the third step is around production so can you take that to the next level and do campaign mappings active mappings and then can you do a consolidated mapping

of all of the things that you are seeing from an intelligence angle that is important to you and can you put them on a page that will help you work out how to do detection then the fourth step is uh defense implementation of tech of the tactics or detections for tactics mitigations etc um so the first one i'll talk to you guys is about solarwinds i'm not going to go into any of the juicy intel stuff on that i'm just going to talk about some of the reporting that was punched out in early december last year around kind of what was going on with that and what it looks like so sunburst is the primary um tool that

was deployed as part of this attack so some aliases um velik city call it dark halo microsoft call it uh nellibium um and we call it blue nova it's russia it's pretty much the svr it's good fun um it's espionage they go after europe nato the united states there are some other target sectors in here that are kind of every now and then people talk about them but education professional services security technology all those kind of fun things the first report that came out on this was so this report up here by mandiant really useful this is a good report in that it's kind of good guy vendor included a list of ttps at the bottom

but if you actually go through you can start to map some stuff out nicely so what i've done is on the next slide i go through the methodology that we used to do it and so cue slide change in 10 seconds you should have there we go so the methodology we use inside pwc's intel team is we sit down we grab all of these intelligence reports we get in um and we have a we have a role called robin analyst who we swap between all of our analysts um each week and they are tasked with going out and extracting the typical iocs domains hashes ips et cetera but also sitting there and going through and saying okay well from these

intelligence reports can i actually get more value than is just the atomic indicators we're used to and so what they do is they go through and map out and they'll we'll pull a pdf down and we will highlight each and every one of them we've got some other systems inside where we just first throw it through a processing engine natural language processor that pumps out all of this stuff in the first instance um mider themselves have released something cool called tram which does that so if you want to do this at scale you can and we'll go through and highlight which ones are interesting which ones are kind of really between the lines so if i take

a couple of these so trojani solarwinds orion.cor.business.dll component that's the actual supply chain compromise part of it later on they talk about using dormant dns so the malware attempt to resolve a subdomain of avsvm cloud um so we can map that directly to you know 1071.004 which is the application layer misuse of protocol dns so that's nice we can also talk around uh designed to mimic normal solarwinds api communications so essentially this is where the malware was looking like it was part of the normal comms of solarwinds um so you've got protocol impersonation and what we do is we build up this really nice picture of all of these uh ttps and i've got another slide as well

that covers some of them so in the next slide we'll talk a little bit around kind of virtual private service being used there we go all right so vpss so that's part of like the acquire infrastructure phase for this attack so we can kind of map some of these things out valid accounts you'll notice valid accounts was on the previous slide as well indicator removal on host so where they remove their tooling they remove files they remove evidence of where they were and then schedule tasks job creation and what we do on the on the once we finish kind of mapping out all of this and this is just a subset i think we ended up with a couple of

hundred for some of the reporting and not building anyway um we do defense time we sit there and we go okay well how do we stop this part of my team's job is to write intel reports and sell them to clients and we have to tell them how to defend themselves so we have a big database of all of this stuff so we've got you know for valid accounts new mitigations uh pam um and cairo talked about this as well when she was talking about some of the risk assessment aspect of her of her work so policy passwords sorry password policies rather um you know detection so talk about things like impossible logins so where i log in

from perth western australia but all of a sudden i log in from russia um you know libyanka place in moscow and all of a sudden i'm not where i'm supposed to be out of hours logins multiple logins and we kind of go through and map out all of our detection capability to some of these ttps we'll step through and maybe look at maybe in protocol impersonation um so really your best mitigation for that is intrusion detection prevention systems um i grew up on pcap so i'm a very big fan of looking at pcaps and working out what's not supposed to be there um so that's always my go-to but things other things in terms of detection for

protocol impersonation netflow analysis so if you have uh any cisco kit or anything like that that can do five tuple netflow that's very useful for working out where things are going excess data flows et cetera um scheduled tasks is pretty straightforward right windows event login will pick it up edr will pick it up but also you can lock it down you can force schedule tasks to run under the context of the authenticated user rather than running its system which is what most things run out for some reason when scheduled tasks are involved and then indicator removal on host there's a few things you can do there so what we've done is we've taken a report

this in public source as open source rather we've mapped it out pulled all the detections out of it and said these are the things we need to prioritize i'll go for another example now and then i'll show you what all this looks like when you combine it together so the next one is um a a trend micro nitro micro semantic report um on a thread after they call greyfly uh which is probably a subset of winte for those of you that are intel people winter is like this massive convoluted group of pretty much every chinese threat actor under the sun um so they're you know we call them red kelpie just because we have a bucket

name for them but uh crowdstrike calls them wickedpanda some people call them graf any case they have a malware family called sidewalk it's pretty fun uh they've also got a com another bit of malware called crosswalk which is very good at stealing text messages from um sms servers that's pretty interesting um they go after pretty much everybody under the sun a couple of years ago when the hong kong riots were happening they were pretty much across every single hong kong university and some of the utility services out there now if you're a chinese threat actor and you want to turn off the power it's a pretty nice place to be or you want to monitor some

students doing some um protests pretty nice place to be as well um in any case they did a really good report just recently um talking about you know some of the things that it was going after so in this case microsoft exchange sql servers etc so again we did the exact same process we did with the previous one we mapped it out and we said okay so when we look at this we've got exploiting public-facing applications if anybody hasn't patched uh confluence or anything like that you should probably go and do that now uh given the last few weeks have been very fun with that um so web shelves they were dropping some web shelves you know in this case

they were typically aspx type stuff your classic kind of web shells always credential dumping so using mimi cats to drop them um powershell if you haven't turned powershell log in on please the love of god do that it's a gold mine for detection and then dlp skating things so they were using base64 to go through and code up stuff they were also doing things like lateral tool tool transfer so moving web shells across to different machines and different exchange servers etc um uh you know we haven't tagged everything we could have gone through and tagged pretty much every like it would have just been yellow if we went for intact because there's some great commands that you can

go and map out to miter ttps as well um what else is interesting here so wmic so that's pretty interesting in terms of you know that is a tool that we see you know fairly frequently in terms of a standard operating environment um but there are some things you can do to kind of do detections on that so once we finished mapping out greyfly we had a quick look at it and said okay so these are kind of the four things we wanted to to prioritize in terms of what people should be doing so the first one's exploiting public-facing applications there we go um i've left the detection here blank purely because uh you know you actually do need to have

fairly good tech in here so i would say like an edr would be fairly useful um you know patching wife exploitation protection network segmentation's useful um if anybody has a confluence server that's posted to the internet like forward-facing out on the internet you should probably network segmentate that thing things like fortnite vpns those kind of things like um all those kind of things being targeted at the moment from an external public-facing applications so you know there's a whole bunch of stuff you can do there detection for that stuff usually comes later on when it comes to actual lateral movement post compromise exploitation type stuff web shell so patching and logging is pretty much the only mitigations you'll

get there acsc has a really good paper on how to detect web shells if you haven't read it i'd go and read that but um you know edr for ourselves we scan all of our web servers using yara with a whole bunch of kind of looking for things like eval statements et cetera that shouldn't be there and then looking for posts that and other things that shouldn't be on those web servers themselves um command powershell stuff like that so you know you should probably disable powershell if it's not uh on a server or you don't actually need to run it like there's absolutely no reason why this corporate laptop has powershell installed onto it but it does

so you know i can do a lot of stuff on there that i'm pretty sure pwc wouldn't be happy with me doing um if i jump through to some other things so we've gone through how we map it um thankfully vendors are starting to do this a lot more now so i'll quickly jump through some so operation harvest came out i think two days ago uh they've been super useful so when the slides catch up to me in a second here we go uh they've actually tagged in line all the miter attack frameworks uh or the techniques rather which really saves saves us having to do it for us so this is kind of nice we pulled out some more

out of here that we would just kind of assume um they had in the back end but didn't have confidence on um they also did some really nice stuff to overlap ttps to do attribution i won't go into that too much but from chat later i'm happy to um mitre itself does some really good mappings to threat groups um it's all community based so people can add into this so what's going to happen next is tailor's going to appear on screen one of my favorite sets we talked about encryption before they've used the same xor key 0x55 for at least 30 years so you know while we talk about you know encoding etc people are still using the

same stuff even though they know it's broken um mystic so microsoft's threat intelligence team uh they do really good mappings at the bottom of their reporting as well um they don't use 100 the same language as ttps or the mitre ttps but it's all there and they go through and kind of step through it they have the same tactics but some of the the wording underneath is slightly different but you can still get the general picture so what does this mean in terms of bigger picture stuff so you know typically when i rock up to somebody and they talk we talk about mitre and they're like yeah we've got all these ttps we just really don't know

what to do with them i talked to them around opera operationalizing that um so on our side we have a giant elasticstash database that just basically stores every single ttp in open source that we've seen and the reports that match with it so what we do is we kind of pull in all of our stuff from op from ir from our own intelligence from our own data sets and go from there combine it into a single picture um and then you know we can basically do some really cool things like say hey well what is the you know top 10 ttps we've seen this year so the r powers combined part two bit which is going to come up on the screen

in a second is really around how do you apply this so great we've got all this methodology around scraping the ttps but how do we actually make sure that that um is combined and used in a useful way um anybody who likes tractors that's a combine tractor um you know our powers combined thing so what we do is we have a look at this from a sector view we have a look at this from a threat activeview and then we also do most common ttps over period um and so this prioritization really helps us kind of map things out so if i take the previous one we're looking at which is the gray five which we call red

kelp internally um you start to you can do some really cool mapping so you end up with uh standard mapping apologies for the smallest text mida is really hard to put on a on a slide um and we can go through and say okay well these are all the all the ttps that are assigned to this particular thread actor who we know goes after you know if you're in the telecommunications sector you probably know about these guys and you want to block them so you could go through and prioritize um detections based on that what you could do though is if you had multiple thread actors that you knew were interested in say continuing the

theme of telecommunications so we know you know there's another thread actor apt-40 who goes after those people apt-15 we can start to do heat maps and prioritize a lot of this i haven't blended 41 and because 41 has a whole bunch of stuff in there but a couple of these thread actors you can start to weight what detections you need to prioritize um and that's really helpful uh because defenders have a limited amount of time um somebody said before that you know that you know we don't have all the time in the world to do these things and that's that's true right we've only got so many hours in the day so we go through and we talk to clients

about prioritizing the way they go through and detect some of these things um valid accounts is on here we mentioned it a couple of times and that's because it has about three or four entries on that particular reporting line so we can go through and wait and that allows us to invest time in the ones in detections we think are actually useful um we could also do things like i said before top 10 ttps so if you know a client comes to us and says hey well you know we want to know what ttps we should be blocked or should be putting detections in place for we do things like this uh so this is a three-month grab of our

reporting lines so the the most you know user user execution malicious file it's going to be pretty obviously up there uh if you turn on things like av if you turn on things like application whitelisting um turning off macros those kind of things are going to help with this um spearfishing attachments again is a lot of the same things so you can help to really prioritize your detection content and save yourself some time so some vital thoughts on this um so this is like a really basic way of doing this i think most organizations have probably heard about mitre but a lot of the ones i'm talking to don't really have the understanding of kind of

applica using it an application or or on a massive scale so there's a couple of different ways you can take this to the next level you can add in your own internal ir reporting a lot of people have their ti and detection teams very separate and siloed to their ir teams and you've got this massive intel source you may as well combine it um you can also start to measure the success if you've got things like proof point etcetera they'll tell you what ttps are hitting you and you can start to do defense against that you can also start to map your detection content so all of our yara rules or yara l rules for chronicle et cetera they all

have ttp mappings so we can kind of give you a quick you know see so xyz comes down and says what are we doing against this threat we can go okay well this is their techniques and here are the things we have against them from a detection standpoint um and the first talk this morning talked about intelligence lend pen testing so i do all of our corey sea best it's tiber star fs type stuff or all of our intel pen pen testing you can start to aggregate those and just shove them into those those frameworks and it's a really nice way of closing that off so there's kind of some things you can do with this

so i'm going to stop there and if there are any questions go from there

yeah so the question is if we've got nation state versus uh organized crime like who's better to try to prioritize detections against um jen from mystics from microsoft she tweeted a couple like years ago she says if you can stop an imitate attack or a trickbot attack then you can pretty much stop most nation states so the same detection stuff they're using like the same con like you know attacks and ttps they're using are going to be used by most nation states as well um so that would be my advice go for the go for the low hanging fruit first right most people are going to get targeted by ransomware at least some point so

stopping ransomware's probably the best place to start and then go from there nation state's going to get in whether you like it or not but it's just how difficult you make it okay thank you awesome thank you very much [Applause] we are just getting ready to break for lunch uh but before we do that just a quick update on the ctf uh wide sprite first place seven thousand one hundred points fighting one goose is second seven thousand mind gobbling third five thousand eight hundred and fifty the pizzas are here pizzas are here um please be kind let the volleys who've been here since really early let them get in first and get some uh pizzas as

well they will be served outside and now that's all uh we'll see you after lunch you've got about 45 minutes and then we'll kick off again thank you

[Music]

[Music] [Applause] [Music]

[Music] so [Music] do [Music]

[Music]

[Music] [Applause] [Music]

[Music] [Music] [Music]

[Music] [Music]

[Music]

[Music] um [Music]

[Music] [Applause] [Music]

so [Music] [Music]

[Music] [Music]

[Music]

foreign [Music]

[Music]

[Music] um

[Music] [Applause] [Music]

just turn it off

afternoon session starting in one two

discord channel can you hear us oh we're good we look live on coals

sweet ass right we are loud and clear to the world people right grab your seats we'll get ready to kick off the afternoon session a couple of things that my v infused body needs to run through before we hand over um i hope you all grabbed the pizza and that was good um a couple of things just the usual shout outs thanks to all of our sponsors if you are tweeting and sending pictures make sure you take those people in they love the engagement and it gets us a future for next year which is always good just a reminder for this afternoon after the sessions it will be steve's bar which is about a 900 meter walk away to

the south west um we have a bar tab which is interesting and there's a challenge to see how quickly we can consume it and it's usually pretty pretty quick so we will see how that works out so grab your seats get yourself comfortable and i will yes aws as well before i forget if you are interested in aws they are kicking off another training session upstairs in probably about 10 minutes so find byron give him a shout and get up there uh feedback on this morning session was it is really good and super useful so if you want to go and take part in that training do it now i think byron's got some goodies for you to use as well so

give them a shout and i will hand over to jacob who's going to talk us through blockchain attacks cool so i've got this mic on here hanging let's go let's get a test is that working that one's on good to go all right uh thanks everybody for um coming down to my talk about blockchain security uh yep yeah it's on yeah test test test test yep it's good all right i'll start again thanks everyone for attending my talk on blockchain security my name is jacob larson i work at cybersex in governance risk compliance and threat intelligence today i'll be walking through you guys through one of the most well-known ethereum smart contract flaws which is

called the reintrusty attack now this attack is also known as a race to empty attack as it intends to recursively loop a withdrawal until a smart contract balance is emptied so this is like withdrawing 50 from an atm over and over again until the atm runs out of money so this attack was first unveiled in 2016 when a hacker drained three and a half million ethereum from a smart contract which was known as a decentralized autonomous organization or a dao or the dao now at the time this three and a half million ethereum was worth 70 million dollars but today would be worth over 12 and a half billion all right so before we go into some more detail about

my talk today i'd just like to give a small warning um cryptocurrency is a hot topic but this talk is not about how you should spend your money on cryptocurrency or about how amazing the technology is or about how every business should implement a blockchain solution i don't agree with this and i'm not a preacher for all things crypto i'm not a moon boy so but as we can't deny that this technology has become much more mainstream in recent years as it evolves and grows exponentially it's very important that we as cyber security professionals understand it so that it can be protected and we can better serve our communities so as said on the slides we'll first

begin with some fundamentals of blockchain ethereum and smart contracts now you may already be aware of some of these concepts but it's very important that we all have a baseline understanding so that we understand the mechanics of the attack later on so to begin with i'll go into a little bit more about blockchain so blockchain is essentially a new way of maintaining agreements and tracking ownership through a decentralized ledger so in modern society it is not humanly possible to track ownership and agreements all in one place so this is currently solved using central registries so for example department of transport maintains a registrar of every vehicle in perth uh icann and domain registers maintain a

list of all domain names and who they belong to and the bank maintains a legitimate ledger of everyone's transactions so blockchain essentially challenges the idea of these centralized ledgers by tracking ownership in a distributed ledger the intent is not to rely on a central authority but rather rely on group consensus of who owns what so before a transaction can be added to the ledger there's a series of steps it must go through so each transaction is digitally signed by its creator using their private key to prove that it is legitimate at regular intervals transactions will be combined into blocks and the block creator will digitally sign the entire block before sending it to the rest of

the blockchain network so once consensus is achieved this block is added to a chain of other blocks using the hash of the previous block so this ties the blocks together as the collision resistance of the hash function makes it computationally infeasible for an attacker to generate a fake version of the values stored in a block after it so once this is done the blockchain is then added to the distributed ledger and communicated to other nodes using peer-to-peer networking each node will also store a copy of the ledger which is kept in sync using the group consensus algorithm so essentially once a transaction is added to the ledger it's very difficult to recover it and essentially

unreversible so cryptocurrency is an example of a technology which relies on a distributed or a decentralized ledger the cryptocurrency relevant for today's discussion is ethereum ethereum is a decentralized open source blockchain and it has it is the largest cryptocurrency after bitcoin with a market capitalization of 500 billion dollars so smart contracts are the simplest form of decentralized automation and they rely on rules triggered by predefined conditions smart contracts operate like normal binding agreements in the physical world however they remove the requirement to trust a third party for execution so for example if a group of investors wanted to get involved in a project they could use a website like kickstarter kickstarter would take the investors

deposit minus a fee and provide it to the project creators if the project was not able to be completed or encountered issues the investors would rely on kickstarter as a trusted third party to reimburse them so if the investors and the project creators came together originally and agreed on a set of interactions they could implement these interactions in a set of rules in a smart contract which is guaranteed to be enforced by the network so ethereum smart contracts essentially implement the capability to execute arbitrary code on the blockchain within something called the ethereum virtual machine or evm evm is essentially an interpreter for the evm assembly language as the interpreter runs it maintains a stack and memory by array

but an evm is very limited compared to other virtual machines there's no way to do input output make api calls or generate random numbers so as such it makes it a simple deterministic state machine now obviously writing smart contracts in assembly is not any kind of fun so an object orientated programming language called solidity was created to compile into mvm assembly so later today we'll start reviewing some smart contracts within solidity so due to the unique structure and architecture of smart contracts there are a variety of security considerations which must be accounted for so smart contracts are a part of the middle blockchain and as such they are permanent whilst a developer can build a

kill switch in the code it will be there forever even dormant smart contracts an attacker may find ways to bypass this kill switch mechanism and exploit it secondly the design of the blockchain means every node in the network will be regularly running untrusted code on their computers smart contracts are permitted to interact with other smart contracts this means that developers are essentially creating software to run any program which includes malicious smart contracts thirdly another major issue is that smart contracts allow external components to interact with the blockchain this means that these external components are a part of the blockchain security perimeter and its attack surface vulnerable external components will compromise smart contracts they're connected to and vice versa

finally smart contracts are designed to be turing complete so due to coda's law arbitration attacks arising from programming errors are unlikely to be reversed so now that we've considered some of the fundamentals we can move more on to understanding the dow and the eventually attack in more detail so the dao or dio is an acronym for a decentralized autonomous organization the term is used to describe a complex interacting set of smart contracts they aim to resemble an organization interacting with individuals and transacting an asset so the darwin question was released by a german startup called sloc it in 2016. the intention was to create an investment fund for ethereum projects similar to the example earlier for

kickstarter so at launch investors received 100 dow tokens for every one ethereum they deposited into the dao smart contract these dow tokens gave them governance over the douse month contract and represented their share of the dow similar to how like a hedge fund would work so token holders could submit proposals for investment so for example a proposal could be made to invest some of the dao's funds into an organization so once a proposal passed initial verification it could be voted on by other investors token holders could vote yes or no to support a proposal however obviously there still needed to be a way to protect the minority of investors what if a minority strongly disagreed

with a proposal that they can't out vote instead of voting no they could call a split function this would move their dow tokens from the main dow to their own child controlled dow so it was a standard procedure for anyone to call a split the new child dow would include the functionality which allowed them to withdraw the tokens to their ethereum in their wallet so it's very important that we understand this split function as we'll be referencing later on in our range the attack so let's go back more to the timeline of this event so the dow went live on the 30th of april 2016 and raised 11 million ethereum in its first two weeks

at the time this was almost 14 of all available ethereum so whilst the crowdfunding project was a success it became quite an attractive financial motivated target for threat actors so in less than two months being live the dow smart contract was attacked and drained of three and a half million ethereum so like i mentioned at the start at the time this was worth 70 million australian dollars but today would be worth 12 and a half billion so the dow was drained due to this reentry attack right it allowed the attacker to recursively call the split function which we just mentioned and withdraw tokens from the main dow into their child dow so before i walk through some more

technical details of this attack i want to go over a high level explanation so imagine you have 50 dollars in your bank account and you want to withdraw that from an atm you insert your card enter your pin number and request that 50 before the machine spits out the cash it checks its internal state which is your balance once it spits out the cash it debits 50 dollars from your balance the machine then asks you would you like to process another transaction you tap yes you try to take that 50 out again the atm sees your balance which has been updated it says zero dollars and it refuses the transaction it asks you again would you like to

process another transaction you say no and the session ends now imagine the atm didn't update the balance until the session ended you could keep requesting that fifty dollars again and again and again until you told the machine you didn't want to process any more transactions or the machine ran out of money so the dao smart contract relied on six key solidity files to perform its operations these files were responsible for a variety of tasks including automating organizational governance decision making checking token balances sending tokens approval processes managing rewards fallbacks and a variety more so the dow dot sol file which you can see on the far left was targeted because it had a vulnerable function called the split dow function

this function like we described earlier was responsible for withdrawing tokens from the main dow into their child dow so these tokens could eventually be exchanged for ethereum the attack was analyzing this function and notice it was vulnerable to recursive send or recursive withdrawal pattern so this is a screenshot of the actual split dow function in the dow code now the split down function is vulnerable because it doesn't update user balances and totals until the end which you can see in that red box if an attacker can get any of the function calls before this happens to call split dow again an infinite recursive loop is created they can then move as many tokens is available in the main dow smart contract

so when the main dow goes to withdraw the attackers tokens the attacker will call the function to execute a new split before the first withdrawal finishes so now looking at the withdrawal reward 4 function if the attacker could get the if statement on line two to evaluate to false the statement marked as vulnerable on line seven would run when this statement runs the payout function code would be called now on line five in this payout function code line 5 would send a message from the dow smart contract to the recipient this would contain a default function which would call split dow again so with the same parameters as the initial call the attacker started creating this infinite recursive loop

so i know this might be a little much to keep up with so i decided to recreate this reentry attack using simpler code in a test net environment so here we have two smart contracts which aim to mimic the vulnerable behaviour of the dow contract v is the victim and has a withdrawal function and contract a is the attacker and has a fallback and attack function the intent is for contract a to call back into contract v whilst contract v is still executing so let's say that contract v similar to like a bank would hold one ethereum for other users so in this case it holds one ethereum which belongs to contract a and it also holds a total of 9 ethereum

for other users therefore it has an overall balance of 10 ethereum so the first step of the reentrancy attack relates to the attack function inside contract a the intent is to have the attack function call the withdraw function inside contract v contract v would then check contract a's internal balance to see if it is greater than zero just like an atm would it has won ethereum it sends that one ethereum back to contract a and triggers the fallback function this means now contract v's overall balance is nine ethereum and contract a's overall balance is one ethereum so now the fullback function inside contract a calls back into the withdraw function inside contract v contract v again checks contracts a's

internal balance receives greater than zero like an atm would and as you can see above contract a's internal balance still appears as one ethereum this is because the internal balance has not yet updated because the draw function from the original call has not yet finished so as contract a's balance hasn't updated this check passes contract b sends another one ethereum to contract a and triggers the fallback function again so as the internal balance hasn't updated contract v will never update and will continue to recursively call until the balance is drained so this is essentially how the dow was being able to be drained by an attacker so to mitigate re-interested attacks future smart contract developers can

rely on a variety of techniques and tools which are displayed on this slide i won't go into too much detail now so one of the major issues of securing smart contracts is that the technology is so new it is expected that developers have a limited understanding of how it operates under the hood so whilst the number of solidity developers and experts are increasing it is still far behind traditional programming languages a change in mindset is ultimately required for defeating this type of attack so due to that decentralized encoder's law arbitration nature of the smart contract the creators of the dow could not interface with the smart contract as the attack was occurring they couldn't update it or fix the sender patch they

just had to watch on as the balance was draining that kind of sucks right so from this moment on the child dow which contained the stolen tokens would be known as the dark dow so whilst the main tower was being drained a team of white hack hackers came together to see if they could prevent the attacker from withdrawing all of the funds they initiated the same reentry attack this time with a larger recursive withdrawal amount they transferred the remaining 7.5 million ethereum to a safely controlled child dow so now with the remaining funds under control the ethereum community needed to determine what the next steps would be would they honor the decentralized nature of the smart contract and accept

the heist or would they attempt to find an alternative way to retrieve all of their stolen funds so ultimately the ethereum network decided that a hard fork was required so like i mentioned earlier once the transaction is made you can't just call up a bank and ask to be reversed a more difficult approach is required so when there is a lack of consensus in the network nodes may attempt to rewrite history with a new divergent blockchain this divergent blockchain is a duplicate of the original chain it can include upgrades to rewrite the ownership of funds so if enough nodes or miners agreed that the divergent blockchain was the new legitimate distributed ledger the original blockchain would be

abandoned however in this case only 85 of nodes agreed with the hard fork which means 15 of the remaining miners continued to mine and use the legacy blockchain after the attack had happened which is known today is ethereum classic so in summary once the hard fork occurred it included upgrades which allowed the stolen funds to be sent to a withdrawal contract this withdrawal contract was then accessed by the original investors and the dow tokens were exchanged for ethereum so if there was the choice to perform another hard fork today i'd really doubt that the ethereum community would progress with it so it's of paramount importance that smart contract developers use the mitigation provider today to prevent

this type of attack from occurring again in the future that's it for my talk is there any questions you've got a question on youtube um any thoughts on the taproot bitcoin i will say i know nothing about this so rather than embarrassing myself and trying to give an answer i don't know haven't had that case personally so

it's a good question i mean they did uh but before the dow smart contract was published live there was plenty of code audits that went through things like that but ultimately the time particularly 2016 so did solidity had only been around for probably about two years so even if you're hiring professional body to audit the smart contract you know they weren't able to find a lot of these things so they sort of uh yeah they discovered nothing right um it's actually funny because before this attack happened uh the dow smart con smart contract developers were talking about a similar vulnerability like this that affected another competitor a few days before this attack happened saying don't worry we fixed this it's all good

and then two days later they get hacked so that was the second question

so obviously because it was a recursive withdrawal right if the white hat hackers didn't step in that withdrawal would have kept going forever until the entire balance was gone so the attackers like timeline was only 48 hours um in terms of like actually withdrawing the funds um but if the white hacker has didn't step in it would have taken longer um prior to the hacker actually initiating that proposal to do the split from the main dow to the child dow they had to submit their proposal which included their like smart contract code with the uh like the vulnerability in it it has to be submitted to the jail smart contract wait one week for approval and

then is initiated right so whoever did the approval process after a week didn't review it initiated accepted it and then the attack was launched and you got yep

so essentially right that you know similar to an atm right if your balance in your account is only 50 let's say the attacker had 10 ethereum right and you can only do so many transactions per second you have to keep waiting until that recursive withdrawal goes on forever you can't just go oh i want to draw 100 million now right so three and a half million was what they got to before they ran out of funds because the other white hackers were withdrawing as well at the same time so until that balance was completely drained both hackers groups basically yeah they had the remaining funds but does that make sense ultimately you know you can only recursively withdraw what

you originally had in the dow smart contract yeah cool any other questions yep so what exactly happens yeah exactly so once once the balance runs out that's it it stops it can't send any more transactions so obviously when the smart contract the actual dow smart contract goes to send a transaction you know before it's uh before it signs the transaction with its private key it validates that itself has a balance to send first so obviously it has no balance so the transaction's just cancelled

there is a little bit it comes to down to there's another thing i didn't talk about today which is called gas which is essentially a fee for a transaction to be sent so if there is insufficient gas provided to the transaction then the transaction won't go ahead so there was a limit on how many transactions they could send in a certain period of time

so for the divergent block i mean the original blockchain which is ethereum classic so they kept with that that they they kept with it right after the dow smart trade smart contract was attacked so that dark dao still existed on that original blockchain but the divergent blockchain like allowed them to rewrite the transaction so that those funds were never sent to that contract in the first place it was sent to the investors right away does that make sense so technically the attacker still controlled those dark dow tokens on the ethereum classic network after the attack occurred yeah any other questions so is ethereum classic still a thing yes it is it's actually i think rank 30th

cryptocurrency at the moment um but in comparison right like ethereum classic it's about 50 usd and ethereum at the moment is about three and a half thousand usd so it's about 100 times difference yeah so obviously it comes down to the decentralized nature a lot of the like hard crypto nuts believe that when something is decentralized you can't intervene and change it so a lot of them disagreed with the approach to go with the new diversity of blockchain they continue to use that legacy chain regardless of the attack because they believe in that decentralized nature where you can't intervene yeah cool thanks guys

let's take this challenge that's awesome thank you let's grab my bag cool thanks very much um the mark yeah for anyone who's still hungry we do have a bit more pizza just turned up outside so the second batch is here we've had some lost property as well handed in so if anybody's lost some sunnies give us a shout uh if somebody lost some wireless headphones they'll have to describe them to me uh give me a shout they're in my pocket they're really good ones so if you don't that's also cool i've got alco wipes it's all good we're just going to do the transition now over to the next talk which is pre-recorded so guys talking about

ransomware will be up next after a very short break

uh [Music]

[Music]

[Music] to

[Music]

[Music] my [Music]

[Music]

[Music] so [Music]

[Music] [Music]

[Music]

[Music] [Music] um

[Music] [Applause] um i'll do that [Music]

give me a second

i'll give you a nod

testing all right thanks everyone for coming back in i hope um i hope everyone got some pizza uh we're just about to start the next talk so we've got guile um who's going to join us by virtual talk and she is talking about can we run somewhere away from ransomware so we're back on time back on schedule in terms of timing i know the timing's a little bit out with the uh schedule so i do apologize we're trying to get back on track we've just had a few late changes with the speaker so i do apologize but i am going to pass over to guile hopefully seamlessly uh cool speaking hi there thank you very much for tuning in or

watching this video stream for besides per 2021 my name is gail gail hi there thank you very much for tuning in or watching my videos [Music] thank you very much for tuning in this year's besides work mascot is a quaka so you can just imagine this quaka as a representation of my face for the rest of this presentation now this question that you see in front of you is something that i have been thinking about for quite a long time in this presentation represents the things that i've learned experience and the recommendations i've provided to my different clients through the years so let's start now i'll start with a brief introduction about myself so i shifted to the tech industry

during the early part of this sanctuary from a from a non-traditional background i have a degree in psychology and spent two years in law school and currently i am working as a senior security consultant with the i hi there thank you very much for tuning in or watching this video stream for besides birth 2021 my name is gail gail de la cruz and today i'll be presenting about ransomware but first off i'd like to apologize for not switching on my video because due to a minor operation half of my face look like aquaka's face so it's just fitting that this year's besides work mascot is a quaka so you can just imagine this quacka as a representation of my face

for the rest of this presentation now this question that you see in front of you is something that i have been thinking about for quite a long time and this presentation represents the things that i've learned experience and the recommendations i've provided to my different clients through the years so let's start now i'll start with a brief introduction about myself so i shifted to the tech industry uh during the early part of this century from a from a non-traditional background i have a degree in psychology and spent two years in law school and currently i am working as a senior security consultant with the ibm x-force ir team i deliver incident response and proactive services to our different

clients across the asia-pacific region so in terms of my cybersecurity educational background i received my graduate certificate in incident response from the science institute and my masters in cyber security with a specialization on digital forensics from the unsw canberra alpha i live in the beautiful norm in victoria and i'm an avid infosec community supporter and i volunteer with different organizations and i mentor people who are new to this field or those who are thinking of transitioning or shifting to cyber security and before i go to the official part of my presentation i'm going to be um i just want to make sure that i put this disclaimer here that the views and opinions i express here are my

personal they're my own and they don't necessarily represent uh the official policy or position of my employer or or of its clients another thing i need to give you a heads up on there will be a lot of references to old movies because let's face it due to the lack towns i haven't been to the cinema in ages

so this presentation will be composed of three parts the background evolution reaction and actions

so in 2013 that was the year that i first started hearing about this particular variant of malware called ransomware and this specific ransomware was cryptolocker i started hearing from my different clients about some of the computers showing up with this particular message stating that they need to pay for a private key in order to decrypt their files or if they don't pay it they won't be able to use their files anymore so that was quite interesting because they were asked to pay in bitcoin and the thing here was that uh the bit the the payment was around 400 usd or euro and in terms of the propagation this particular ransomware was propagated via email attachment and

users were tricked into opening it because the icon of the the attachment uh when they look at the icon it looks as if it was a pdf file but in fact it wasn't it was an executable file another way that this ransomware was propagated was through the use of this game over they use trojan and botnet now what happens is that once this particular file was opened um this uh the payload of this malware is installed in the user profile folder and a key was added to the registry that causes this payload to run on startup so upon starting up the payload connects the command and control server uh and once connected this server generated

a 2048 bit rsa key pair and the public key is sent back to the infected computer and then what happens is that the payload starts to encrypt the files across the local hard drives and if there's any map network drives in in that particular computer those files there were also encrypted now this particular process only encrypted data with certain extensions like microsoft office you know open document and other documents pictures and even autocad files and the thing here was that once you have paid the ransom the users are provided a decryption program this decryption program was pre-loaded with the user's private key unfortunately users who paid the ransom some of the users who paid the ransom

were not able to decrypt their files so that was my first you know experience with cryptolocker figuring out that doesn't matter whether you pay because there's no guarantee that your file will get decrypted now this particular ransomware was um disseminated it was like widely disseminated from september 2013 to may 2014 because in november 2013 what happened was that there was the operation tovar which was an operation composed of different law enforcement agencies together with different cyber security companies and they were able to take down the what the infrastructure used by the gang behind crypto locker and in august 2014 there was an online service launched by far i my former employer and fox id and this particular website was the

creep cryptolocker on the crypt cryptolocker.com i used to give away the name or this url to some of my clients and i told them that they they need to choose a particular file that's not that sensitive and this file that was infected that they uploaded to this site and then they're provided with the free keys based on the infrastructure but eventually this website was already was taken down because there were other ransomware gangs that set up their own different different infrastructure now you may think that ransomware is just a new you know type of malware it's just like something that's like just in the past 10 years or so but you're actually mistaken so what is interesting here is that

the first ransomware did not appear in this century to us in the previous century and that's why let's uh take to her down memory lane and the reason why i chose back to the future part two or the photo of that particular movie poster here was that a few weeks before back of the future part 2 was released in 1989 the first ransomware was actually a release so what was that so that particular ransomware was called or was called by the anti-virus vendors as pc cyborg or aids the propagation was quite interesting so what happened was that there was this dr joseph popp who got hold of the different distribution these are the real addresses like snail mail like the

home addresses of different um scientists and researchers and he mailed them a floppy disk and that floppy day supposedly contains a questionnaire or survey that will help determine whether a client uh has a high raise or lorries in terms of contracting aids but what happened here was that once it's in the system the malware uh did not immediately encrypt the files but rather it infected the c drive of the computer and hijacked the auto exec that but in the root directory and at the time that for the version of windows operating system auto accept that bot was the one that was the startup file used for that windows version so um what happened is that for the next 89

times that the computer was turned on everything was okay everything was normal but on the ninth boot there was this message that pops up so what happened was that the file names of all the files in the c drive was encrypted using symmetrical encryption and what was interesting here was that in terms of the payment scheme the victim was instructed to actually pay user banker's draft i don't even know what that is a cashier's check or an international money order pay a ball to the pc cyborg corporation that's why it was called pc cyborg and they were instructed to actually provide all this the the details regarding their name company address city all those things and to mail the

order to appeal box in panama so this was the first ransomware 1989 and it was propagated through the use of fluffides now let's fast forward to this century okay so in 2006 there was archivos and it was propagated by the use of malicious website links and spam email and users were tricked into clicking a link okay and what happens here is that once this once the user or the victim downloads this the malware the malware will scan the documents folder for files with certain extension names like that key that c that pdf that txt that xls and then what the malware would do is that it will copy all these files in into a into an encrypted password protected

folder and all the files are going to be locked inside that encrypted password protected folder and all the originals are going to be deleted and then what was left behind was a text file labeled how to get their files back.txt so every time a user tries to open a file this particular ransom note will be launched and the messaging informed the victims that their files were all encrypted and can only be accessed using a very long password of more than 30 symbols and the victims were told or instructed to email us the certain email account for further instruction and once the victims send out an email to this at the the email address the attackers asked the victim to

actually purchase from several online stores and once the purchases have been made the attacker would send the password over email and then the the interesting thing about archive was this particular ransomware was that it's the first ransomware to use asymmetric encryption now the downfall here is actually this what you see on the right side of the screen all these characters in purple that was actually the password meaning every decryption unlocker that was provided turns out it uses the same password so once word got around that this was the password that can be used to uh decrypt the password protected folder so uh what happened was that nobody paid anything or they didn't the victims didn't email

um the attackers anymore so this was archivos now that was quite and then in 2012 there was this ransomware called reviton and this was propagated via drive-by download or spam and pitching email messages or via dummy app downloads so what is the significance of this particular uh ransomware this was the first ransomware that was considered a police trojan what do we mean by this what happens is that the malware installs itself as a dot dll file and then what happens is that all the applications is covered with this web inject or full screen web page and the instru the thing here is that it looks as if uh this was a message from the police or

from the fbi or from the department of justice and the victim is actually scared into paying a ransom because they supposedly visited sites that contained csam or child sex abuse materials or other illegal sites and the payment was supposed to be in the form of money pack and then later versions actually use the bitcoin so this was the first um type of ransomware that actually scared you know use like scareware or scared people into paying ransom okay and then in 2014 there was the crypto defense um it was propagated through the uh programs pretending to be flash updates or updates for video players required to view online videos or the other uh way it was propagated

was via the use of the spearfishing campaign it was interesting because uh this uh they basically use a payment site in tor network and they required bitcoin payment and then uh this particular ransomware actually used the windows building encryption crypto apis and used 2048 bit rsa encryption now having said this this actually led to the downfall of this particular ransomware because what happened was that the keys were actually uh stored a copy of the keys were actually stored in the local computer so there were different um malware reverse engineers who were able to figure that out and gave instructions the different victims on how they could recover these keys in their local computer now there are also a lot of other you

know notable ransomware through the years so there was the crypto wall in 2014 where it was the first to establish persistence via registry keys and copying itself to startup folders then there was also ctb locker so it was the first ransomware to communicate to a c2 server in tor as well as delete the volume shadow copies and then in 2016 there was like lucky it was the one the ransomware that started the healthcare trend and then there was the petya which was very destructive because it infected the master boot record and encrypted the file system table and then there was also samsung which was the first ransomware to actually target a jboss server and gain persistent

access to victims network so if you're quite interested in looking at the history and other notable ransomware i suggest that you visit the blog from carbon black wherein they have a very uh interesting um ransomware timeline in terms of the history of ransomware now it is useful to know the history like uh how things have evolved so that we have an idea in terms of how different attack groups have changed their different tactics or the procedures that they use now so with this let's look at some of the you know reaction from different you know industry different you know like government entities and what are the possible actions that we can do okay

so in terms of the business model for the different attackers they have actually uh moved into having this ransomware as a service model wherein you have those uh groups of people with the technical expertise to develop their ransomware and then they use like affiliates that will distribute uh this ransomware to the different victims and the percentage of the ransom actually go into into the affiliate so it has become a business and there's the infrastructure that they have set up there in order to train their different affiliates now another notable thing that has happened in terms of ransomware was that uh remember that uh there were some people who actually paid ransom and they were not able to

uh decrypt their files using the decryptor provided provided by the ransomware guns so there is really no guarantee that once you pay the ransom it will be able to decrypt all your encrypted files so that has led to this idea that we're not gonna negotiate with terrorists so this screen here i'm sorry that it's like a little bit blurred it's from a movie tropic thunder uh that was a very funny movie so what has happened is that the ransomware gang now evolved their techniques now they have started engaging in what is called double extortion what does this mean so not only are your files encrypted but they are also exfiltrated out so that if you

don't pay they will actually release those uh private or confidential information out to the public so that is what is called double extortion and that was what we've seen in 2020 now um in order to combat this starting last year there was a group called the ransomware task force it was convened in the us and they actually came up this year with this document called combating ransomware it's an 81 page document but it has very good recommendations on what we can do in order to combat ransomware now they uh they actually uh divided it into four goals the first is the third ransomware attacks and then second disrupt the ransomware business model the first two goals here

are geared towards um national government so think of it it's like government law enforcement agencies and then uh the third goal and the fourth goal you can actually look uh see that these these also involve the government but mostly it focuses on the different organizations or companies okay so the goal one is to deter the ransomware tax through a nationally or internationally coordinated comprehensive strategy so there's a call for both public and private collaborative anti-ransomware campaign and to make this uh the ransomware attacks and investigation and prosecution priority and one of the interesting that they actually recommended was that uh we need as a global you know um economy to reduce safe havens for those gangs

that are uh involved in the uh in launching ransomware now the second goal in terms of disrupting the ransomware business model uh this one of the recommendation there was to disrupt payment system to make ransomware tax less profitable and to disrupt the infrastructure that are used to facilitate the different attacks so that would involve both governments and also uh different companies now for the third goal it's about helping organizations prepare for ransomware attacks so there was a recommendation to support organizations with developing their practical operational capabilities and to increase the knowledge and prioritization among the different organizational leaders and there was also the recommendation to financially incentivize adoption of ransomware mitigation so this is some

some of their recommendation and the fourth goal is to respond to ransomware attacks more effectively so there was a recommendation to increase the support for the different ransomware victims and to also increase the quality and the volume of information about the ransomware incident there is a call to actually encourage organizations who have been subjected to ransomware attack to actually report the ransomware incidents and lastly there is a recommendation to require the different organizations to consider alternatives to paying ransom so this is a mixture of both public and private and divorce so i strongly encourage you take time to actually go through that uh that document called combating ransomware a comprehensive framework for action key recommendation from the

ransomware task force now let's scale down and then let's look at what we can do as individuals working in the infosec industry so one of the things that i've always highlighted is the need to do preparation so this is another meme um for my one of my favorite sci-fi movies matrix so one of the things we have to remember okay we go back to the basics cyber hygiene practices so we have to know what are our assets there what are the important things what are the keys to the kingdom what are the important assets in our organization and then we also have to check in terms of remote connectivity options do you have rdp you

know like open out there in one of your servers that's connected out to the internet so you gotta check all those things then make sure that you have a good backup strategy make sure that you always frequently update both your system and your software you apply mfa scan and remove you know suspicious email attachments and disable file and printer sharing services so these are all like basic cyber hiking practices that we should actually be implementing another thing is that from think of it from specifically from the cyber security infosec side is that preparation so when was the last time you actually uh read your ir plan your incident was planned and most importantly when was the last

time you tested it i really hope that you have an ir plan there another is that you can also do like ransomware readiness assessment you need to you could engage a third party vendor you could like uh do an exercise like have someone in your organization assess how ready you are in terms of responding to a ransomware incident so you could potentially do tabletop exercises another thing is to use or do attack emulation you can use are the different ransomware ttps there's a lot of data available out there and map it against the attack framework you can use the attack navigator there's actually a good write-up it's in the last slides i'll show it to you later last slide

uh it was from site so how they used the ransomware to do these two and then use the attack navigator in order to do an attack inhalation another thing to remember is look at your business continuity plan and disaster recovery make sure that you review and test your backups and then implement a zero trust security model so that's it for the preparation now for detecting and responding to this okay utilize you know tools that uh tools for ueba user and entity behavior analysis then use the different monitoring tools and then make sure that uh you fine-tune your rules and signatures because if it's like too noisy then how can we figure out which are like the two positive and consider

some heuristics based blocking policies because when ransomware starts you know encrypting your files it could be as quick like starts like three seconds okay another is implement segmentation policies and understand what is the normal traffic flow in your environment okay and then if for example um there is an ongoing ransomware attack utilize you know the fear digital forensic incidence response capabilities or and if you have like cti cyber threat intelligence to identify how the attack occurred and then the end goal here is that based on your ir plan what is going to be your plane are you going to be immediately containing meaning are you going to be using some of your tools to contain the

end point or if you don't have those tools what is your visibility or are you just gonna be unplugging certain segments so these are the things that you need to think about so now i'm about to end this presentation going towards the last part of my presentation so after this besides birth okay on monday there are three things that i want you to think about i mean or do not just wake up kick ass and repeat it but rather to answer my question earlier regarding can we run away from ransomware based on all these years i don't think where ransomware will you know go away it will continue to evolve and what we need to do as defenders is

that we need to prepare and then we need to take action this okay so with that i hope you learned something from this short presentation so i'm gonna just show some of this like uh my sources here so there's a pot of credits and then the sources there is this last link here from site this was the one that i was pointing out regarding the use of the different uh ttps of the ransomware actors and how they mapped them against an attack navigator so thank you very much for your time and let's continue the conversation in the besides birth discord or you can feel free to dm me i'm in twitter at guile dc okay so with

that take care everyone and um may you be safe and may you be well and happy take care everyone hi there

hi there thank you

thanks everyone we'll just hand over thanks to that girl i know you're listening in awesome talk thank you we're just getting set up for shane now with offensive rfid nfc

okay still not had any takers for the uh lost headphones if anybody wants to give me a shout just finishing the setup everybody see the slides okay discord channel we're live can you see us

awesome thanks everyone for giving us a shout it's all still very new to us so we appreciate the feedback

good to go mate

okay we're just logging in and getting this one set up so about 30 seconds away

we've got to say as organizers of this we have been hugely stressed with the whole in-person virtual thing but it seems to be working out really really quite well so stress levels decreasing

this time with feeling yeah yeah just right close

can you try it sweet okay i think we're ready to go so grab your seats shush all the cool things thank you let's kick this off and i will hand over to shane who's talking about offensive rfid nfc thanks shane thanks nige all right uh so good afternoon everyone uh my name's shane my name's shane and i'm here to talk to you about rfid and uh why you should start caring about it alrighty so could i manage two screens here sorry mate that better better i don't want to eat it how's that good all right okay so uh who am i um i'm a penetration tester uh with kinetic it's protect plus security consulting team

a bit of my background i've got around a decade of experience within law enforcement and defence i was in the navy for a bit and worked for the government after that my most recent role uh was as a marine tactical officer which sounds um probably a lot cooler than it was um i spent a lot of time at sea watching movies in alphabetical order so there you go all right um uh for hobbies um i'm a commercial pilot i'm a flight instructor so i fly things i do skydiving scuba diving i like to get away from the computer every now and then which i'd highly recommend all right so uh most of my cyber experience before this was in uh dfir

just for a bit of background alrighty so uh what are we talking about today um today i'm going to talk about rfid and nfc so because it's a little bit of a niche subject you can go into real fine detail with this and i want to avoid that so i'm just going to start with a high level overview of what rfid and what nfc is so if you're a proxmon guru just go and have a nap for the next 15 minutes and wake up at the end all right so yeah we'll have a look at a high level of how it operates then i'll talk about some of the more interesting tools you can use to bypass

access control then we're going to have a chat about bio implants so nfc implants under the skin which are pretty cool then i'm going to show you a demo of a couple of things that i've done with that which some of you may or may not think is cool but we'll see all right so a bit of a disclaimer um some of the stuff particular at the end of this these slides it's not a good idea don't try it at home um i don't recommend it um and yeah don't go out scanning cards of people um without their permission that goes without saying all right so uh rfid so generally speaking uh what is it well um it's a radio frequency

identification that uses electromagnetic field to automatically identify and track tags attached to objects so um historically interestingly the first known use of rfid tech goes all the way back to um there was a russian chap called leon theremin and he invented a listening device it's the one you can see in the picture there was ominously called the thing so who come up with that but inside the device it had like a sensitive membrane and basically when that membrane vibrated it vibrated when it was subject to a certain uh rf a certain radio frequency and when that happened it would then transmit audio um when it when it was subject to that rf that signal um that

was gifted to the us ambassador to moscow and it sat in his office for seven years until it was discovered in 1952 so that is the precursor to modern day rfid alrighty so uh what are the modern uses of rfid and nfc so nfc is pretty much everywhere and um the current global estimate is placed at about two billion devices so or for example all of you in this room have an nfc tag around your neck pretty much unless you don't upgrade your phone very often it's going to have nfc on it too which is a form of rfid so greater than twenty percent of the entire world's population have access to an internet enabled nfc device

all right so uh what are some of the uses well we use it for access control chances are you get into work using an access badge use it for stock take inventory anti-theft e-wallets library cards vending machines laundries yeah hospitals they're in breast implants you name it you're going to find an rfid tag

all right so here's some of the examples so you can see there well how do we identify this tech well not by the look obviously um you can see at the bottom you've got a cup there that's at a takeaway store um and it stops people from having more than one refill of the drink so you can hack that and get multiple refills if you like if you have a prox mark it's used in nrl to track players casino chips to automatically count bets the one on the tooth is pretty interesting that automatically measures glucose intake so you can track your calories through it the one up the top is a breast implant i'm not quite sure why they're tracked

but i think it's a health and safety issue all right okay um and we've got the cow there so for tracking livestock but um generally speaking hard to tell what a tag is just by looking at it um you can use some tooling to figure that out all right so how does the tech actually work well uh for rfid there's three types you've got passive active and semi-passive so the first one which is actually the one you've got around your neck too if you look at that circuit board you'll see there's no battery on it um so how it works is the electrical current which comes from your phone when you place it on that pcb

provides power to the tag the chip which allows it

BSides Perth Day 1 (Part 1)

Related talks