BruCON 0x0B

My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Analyzing a binary or firmware often starts from a more or less blank page of assembly code. Decompilers such as the Hexrays or Ghidra decompiler can make assembly code more readable but if symbol information such as function names, user defined structures or class information are missing it can still be a mess to work through.

Enriching you project with symbol information is a lot of work but in the end can be the difference of successfully achieving your reversing/bug finding goals.

Within this workshop i will present various approaches and open source tools to add symbol information to a real world firmware and then will train to use these with the attendees inside a prebuild virtual machine.

Elastic Stack is one of the most commonly used open source data analysis and management platform today.  It quickly became popular among security professionals too and it is also the building block of many open source and commercial SIEM.  Elastic Stack is designed for speed and ease of use; it indexes data as it is ingested (write once read many or "WORM" storage) and it is extremely scalable and powerful, making ad-hoc queries and real-time visualization very easy.

The components in the Elastic Stack are designed to be used together and releases are synchronized to simplify the installation and upgrade process. The stack consists of:
- Beats, which is the platform for single-purpose data shippers;
- Logstash, which is a server-side data processing pipeline that ingests data from multiple sources, transforms it, and then sends it to one or more outputs ("stash");
- Elasticsearch, which is a distributed, RESTful search and analytics engine;
- Kibana, which lets users visualize data with charts, graphs, and dashboards.

During this two-hour workshop, we will see how to use Elastic Stack for security monitoring and cover the following topics:
- Beats (filebeat, winlogbeat, auditbeat, etc.)
- Logstash (input, filter, and output plugins)
- Elasticsearch (cluster, node, index, shard, mapping, search, aggregation, etc.)
- Kibana (index patterns, searches, visualizations, dashboards, etc.)
- Elastic Stack Alerting and Security (X-Pack, ElastAlert, Search Guard, ReadonlyREST, etc.)

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

Rich Text Format (RTF) documents are also used to deliver a malicious payload. Unlike Word documents, they can not contain VBA macros. To achieve code execution, malware authors have to exploit vulnerabilities, or social engineer the recipient into executing an embedded payload.

Microsoft Equation Editor vulnerabilities are being widely exploited, and this is reflected in the increased popularity of the RTF format with malware authors.

The RTF format also lends itself to many obfuscation tricks, making the task of the analyst much harder.

In this workshop, Didier Stevens will teach you analysis of malicious RTF documents in his typical workshop style: this means hands-on, many exercises, and just a few slides.

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers.

In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks.

We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools.

We did a rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

ISO/SAE 21434 "Road vehicles – Cybersecurity engineering"

The automotive industry is currently working with the ISO and SAE standardization bodies to make a standard for automotive cyber security, expected to be released in 2020. After all, simply putting sometimes numerous wireless connectivity devices (e.g., GSM/3G/LTE, bluetooth, tire pressure sensors, ...) into a vehicle has again and again turned out to be a playground for attackers, and can haunt both customers and manufacturers in the long run.

This talk will give an overview of the key elements in the draft, and how they play together to minimize the risk of getting pwned while driving 250 km/h on the Autobahn. I will focus on the technical mechanisms as the point-of-view, and how they are usually embodied in a modern car. This will include signed software updates, authenticated CAN bus messages and secure gateways, just to name a few.

Bloodhound is an open-source Active Directory object relationship graphing tool.
Initially design for offensive purposes, it has lately become a tool of choice for defense as well as regular admins wanting to have a clearer picture of their domains/forest.
In this session, attendees will learn the core Bloodhound concepts and UI navigation, before diving into Cypher - the Neo4j database query language.

Understanding the basic Cypher syntax is important for users to start writing custom queries, including 'Metric' queries that can not be perform in UI.

Various Cypher input techniques will be demonstrated, as well as a custom PowerShell tool build to interact with the bloodhound Database.

## What is bLoodnound?
-Intro to BloodHound & relational databases
-Bloodhound Node types and relationships
*Break15*
-Sharphound: Harvesting and Ingesting AD data
-Initial Setup & Sample DB
-Self Discovery & UI Secrets

## What is Cypher?
-Intro to neo4j Cypher language
-BloodHound Cypher 101
-Custom Cypher Queries (UI/Browser)
-Cypher over REST API
-Maniplulating BH DB with Cypher
-Advanced Neo4j Syntax tricks
-Pulling AD metric from BH DB
-Tool Demo: CypherDog

Welcome in PacFirm, the most insecure network ever, we have a very large Active Directory environment and we do no security at all. For now, no ghost has ever hacked our corporate network (at least we hope) but our new CISO requires us to perform a security assessment.

Your mission, should you choose to accept it, is to evaluate our security level and fix the issues.

In this fully hands-on workshop, we’ll guide you through 8 of the lowest hanging fruits weaknesses that we witnessed during numerous penetration tests. You’ll learn how to:

- Spot passwords inside user descriptions
- Find passwords on shared folders
- Spray passwords over accounts
- Quickly detect obsolete workstations and servers
- Get free password hashes by kerberoasting
- Pivot from machine to machine by reusing local credentials
- Spot machines where Domain Admins are connected
- Retrieve Domain Admins credentials in memory

Crackmapexec, Powerview, Rubeus, Mimikatz will be your best friends during this workshop.

Hand-on exercises will be performed on our lab environment with more than twenty virtual machines. For each attack, we will also discuss about mitigation techniques.

This training is aimed at sysadmins or security professionals willing to start with Active Directory security and hands-on sessions. There is no specific requirement for attendees except a basic IS and infosec culture.

All attendees will need to bring a laptop capable of running virtual machines (4GB of RAM is a minimum) and an up-to-date RDP client. Each attendee will be given a USB key with a Windows virtual machine with the necessary pentesting tools to perform the lab sessions.

With this 4h workshop we will teach you how to use threat modeling as an offensive weapon. Traditional threat modeling looks at the attacker, the asset and the system.

With offensive threat modeling we look at the defender to understand his tactics and expose weaknesses.
The workshop uses a real-world use case provided by Toreon.

The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of offensive threat modeling. They will analyse the weaknesses of an Internet of Things (IoT) smart home deployment. This will enable the student to better perform a penetration test, red team engagement or bug bounty.

The successful fusion of cloud native SIEM and AI is a watershed moment in cybersecurity that many are yet to fully grasp. For those organizations tainted by past on-premise SIEM experiences and burdened by promises unfulfilled, cloud SIEM ushers in the dream of real-time threat discovery and mitigation at a cost both the CFO and CISO find compelling.

Cloud SIEM is a watershed moment not because of the realization of its integrated technologies, but for the changes it will affect on operational security teams and risk management processes far into the future.
Being able to preemptively identify and categorize an attack in motion before it escalates, and being able to proactively disarm or neuter that attack before evolving into a viable threat, is well within the grasp of first-generation cloud SIEM. What happens next for cloud SIEM?

This session examines the role of “Threat Hunters” and security analysts when incident identification and response becomes just another API, how SecDevOps will embrace cloud SIEM and spearhead threat response, where and when AI will inevitably have to cede expertise to in-house experts, and how an ROI for enterprise security just landed on the CISO’s lap.

The aim of this presentation is to discuss the subject of how Operational Technology (OT) differs in relation to Information Technology (IT), how this should affect any approaches to testing the security of OT systems, and what the impact of applying a traditional penetration testing model to an OT system is likely to have.

For example, the security of an IT system centers on the protection of data from observation, alteration or deletion. However in OT the key security principals lean more towards ensuring the reliability and safety of the system. This shift in priorities needs to result in a completely different approach to security assessment, not simply because of the potential impact of downtime on a given system, but because the priorities of the test are completely different. A simple adaptation of a typical IT testing methodology isn’t enough; For this reason, security testing of OT systems provides a growth area for specialized companies as they are frequently the most able to make the shift away from a dedicated IT testing methodology.

In addition to the difference in the core concerns of stakeholders between OT and IT systems, the security community also needs to acknowledge that the threat actors in play, and their methods and resources, are going to differ vastly. This needs to be considered in conjunction with a realistic view on what security measures should and could be implemented on OT systems; in a system where downtime potentially costs millions of pounds per minute patching is never going to be considered a priority, and neither are time-consuming or complicated procedures which interfere with a user’s ability to monitor the system in a potentially time-sensitive environment (such as two-factor authentication for operator login).

Without taking the above factors into consideration mistakes will be made by security professionals conducting security testing of OT systems. These may take the form of inadvertent downtime, costing the client in terms of money or even lives (depending on the target system), or may result in the actual security profile of the system being overlooked due to the focus remaining data-centric, as is standard with IT systems. While this presentation does not claim to have all the answers, the intention is to create methodology as a basis for discussion to help move the industry forward, resulting in a higher standard of testing and increased confidence in the security status of OT systems.

Almost everything about us – our handwriting, DNA, faces, voices, fingerprints, even our eyes – can be used to distinguish us from the seven billion other people on the planet. These physical identifiers can allow law enforcement to trace back real-world crimes to offenders, and enable biometric authentication mechanisms. However, such identifiers are often irrelevant when it comes to attempting to track or disrupt threat actors.

In this talk, I will discuss, explore, and explain identifiers which are unintentional, non-physical, and generated as a result of human behaviours and activities, but which can still be used to uniquely identify and/or track individual users in the digital realm. I call these identifiers "human side-channels", and will explore how they work; how they can be used for both attack and defence; and how they can be countered.

I'll examine three human side-channels in particular: forensic linguistics; behavioural signatures; and cultural references. I will start by exploring the theories underpinning these side-channels, which are rooted in personality psychology and the concepts of consistency and distinctiveness as a result of our unique experiences, training, and feedback. I'll then explore how they work; walk through case studies and examples/demos of using them practically in security contexts; and discuss how they could be practically applied to investigate and track threat actors, in situations ranging from hostile social media profiles to post-compromise exfiltration and privilege escalation.

I'll also examine the privacy implications of each technique, and how such characteristics – which are much harder to recognise, obfuscate, or spoof – could be used to erode privacy. I'll go into detail regarding possible countermeasures to disguise your own human side-channels, and I'll wrap up by outlining some ideas for future research in these areas.

Soc analysts face a tough job every day to keep their detection capabilities up with  latest vulnerabilities and threats.
What to start looking for? Where in the network? What about risk of False positives? How frustrating if we missed an attack!

It’s not just about catching the latest, though. For example Windows management instrumentation (WMI). It ’s built right into Windows for years and has become more and more prevalent to attackers. Many administrators and attacker’s love WMI.
Much can be found on its use, however very little seems to be documented on how to detect it on a network level. We gave it a shot.

In this talk, we will have a quick overview on Windows management instrumentation (WMI), our first naive approach to detect it’s usage, the challenges we faced, lessons learned and results.

Part of the results are custom IDS (snort) fingerprints, with some tweaking, could fit your environment. As next step we would like to share it with you. So let’s improve together!

One of the reasons Industrial Devices have been coming into security news is the general lack of any security measures present on those devices.
A lot of the vendors have no default security embedded in their protocols. This talk will take a look at one vendor that uses security from the start.
Tijl Deneut from the IC4 research group (ic4.be) will perform a short dive into a very famous industrial protocol called TwinCAT.
We will walk through the security measures and why they are not sufficient. We will end with a demo of pwning a *completely* up-to-date Windows Engineering Laptop.

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator and Caldera facilitate corporate adoption and allow for a holistic overview on attack techniques and how organizations are preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Some more information on Caldera from the official documentation (https://github.com/mitre/caldera):

"CALDERA is an automated adversary emulation system that performs post-compromise adversarial behaviour within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behaviour, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions."

MITRE recently released Caldera 2.0 (end of April 2019), which includes a larger focus on "extendibility". During this talk, we will leverage these features for maximum effect. We will highlight some interesting improvement opportunities in Caldera and we will focus on how we developed additional plugins & features. To make this a bit more concrete:

-How can we improve Caldera's reporting engine? (It's currently not possible to get an easy ATT&CK coverage report / deliverable out of the tool). This is of great use if we want to increase usability of the tool and ATT&CK overall!
-How can we build additional plugins for MITRE Caldera to increase the ATT&CK coverage of the tool?
-How can we adapt Caldera to work around common security controls in place at organizations (e.g. Windows 10 security features such as ExploitGuard and AMSI, which hinder Caldera's PowerShell scripting).

This talk will arm infosec professionals with the required skills to further extend their adversary emulation options without breaking the bank for a commercial tool! As our main focus is to increase Caldera adoption and help the community, we will also publicly release developed plugins!

We will go into the nitty-gritty details of our development efforts and will also include several technical demo's that will help transfer knowledge to the audience and encourage their own development efforts!

Note that this is currently work-in-progress, thus the paper that was added to this submission covers what we set out to do, but not the full result. It is in fact the internal NVISO R&D charter that was approved to start our development activities.

It is worth mentioning that the task set out is feasible and we have already successfully adapted our own internal Caldera with additional functionality (e.g. the AMSI bypass was implemented). We are now working on further optimising, stabilising and documenting our work!

We will be able to provide additional details on our results and status around summer time.

Are you justr starting out in the InfoSec Industry or in need of some good tips and tricks?

Then you HAVE to come to BruCON's third Mentor/Mentee Google Sponsored Program!

All details are in the booklet, check it out now!

Le Bateau, 1 Muinkkai, 9000 Gent

What better way is there to start the second conference day than running 10km with a bunch of hackers?

Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30.

We’ll be back in time to freshen up and attend the first presentation of the day.

Word is that it’s also a good way to get rid of a hangover!

It takes a village... is a discussion about the challenges we face building security teams and strategies to alleviate our hiring bottlenecks. In a field riddled with unconscious bias, the community must work together to explore alternative recruiting strategies, expand hunting grounds for talent, and actively seek out folks with varied backgrounds and experiences who bring fresh perspectives to our projects and teams. Kimber will discuss mentorship programs and how to retain talent through professional development. She'll also provide some tips for jobseekers who've had a non-traditional path to security and ways to improve visibility and marketability to recruiters and potential employers. Whether searching for talent or seeking new opportunities, the landscape is rapidly changing and the security industry needs new approaches to recruiting and hiring if we're going to Secure All The Things™. 

During this workshop an introduction of the new Tsurugi Linux open source project will be done and several DFIR investigations will be performed.

Memory dump, network behaviors, malware analysis, disk image investigations and much more will be treated in the time-slot.

Attendee's need to download and install a Tsurugi linux VM for this workshop. They can download the required files from: https://tsurugi-linux.org/downloads.php

Maintaining real-time insight into the current state of your endpoint infrastructure is crucial.  It is very important from operational, continuous security monitoring, and incident response perspective.  Created by Facebook in 2014, osquery is an open-source instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD operating systems.  

Osquery exposes the operating system as a relational database and allows you to write SQL queries to explore system data. The generic SQL tables represent running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, etc. These SQL tables are implemented via an easy to extend API and several tables already exist and more are being written. The main advantage of osquery is that it allows you to use one platform for monitoring complex operating system state across an entire infrastructure. It has a high-performance and low-footprint distributed host monitoring daemon, osquery and also an interactive query console, called osqueryi.

During this two-hour workshop, we will learn about osquery's capabilities and cover the following topics:
- Osquery basics (installation, osqueryi, osqueryd, osquery schema);
- SQL refresher (SELECT, FROM, WHERE, LIKE, JOIN, etc.);
- Osquery configuration (flagfile, packs, schedule, logging, file integrity monitoring, etc.);
- Fleet management (Kolide Fleet, Doorman, SGT, etc.);
- Osquery extensions.

Technical requirements for the workshop:
- A laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
- VMware Workstation, VMware Fusion or VMware Player installed.

This workshop will help users with some AWS experience to understand how to exploit AWS IAM (Identity and Access Management) configuration weaknesses in order to obtain elevated privileges. During this hand on workshop, we will cover:

- Overview of AWS security model and how IAM works
- How users, roles, groups and policies are used by organisations to give permissions to AWS resources
- Common security weaknesses and misconfigurations that could allow privilege escalation
- How to identify and exploit these weaknesses
- Tools and resources to assist with the process

Bluetooth Low energy version 5 has been published in late 2016, but we still have
no sniffer supporting this specific version (and not that much compatible devices
as well). The problem is this new version introduces a new channel hopping algorithm
that renders previous sniffing tools useless as devices can no longer be attacked
and connections analyzed. This new algorithm is based on a brand new pseudo-random
number generator (PRNG) to provide better collision avoidance while kicking out
all of our good old sniffing tools.

Unless some random hacker manages to break this not-that-strong PRNG and upgrades
his BLE sniffing tool to support this algorithm ;). In this talk, we will explain
why this PRNG is vulnerable and how it can be easily defeated to sniff and jam
communications between two BLE 5 devices. A new version of BtleJack will be
released during this talk, providing an efficient way to sniff BLE 5 connections
to our fellow IoT hacker family.

Recently we discovered weaknesses in the Dragonfly handshake of WPA3. But how serious are these issues in practice? In this presentation we will explain the attacks we discovered, and discuss whether they pose a practical risk or not.

In our research, we analysed the security of WPA3. This certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws. Most prominently, we show that WPA3's Dragonfly handshake is affected by password partitioning attacks. These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol's password encoding method. The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase password requires less than 125$ in Amazon EC2 instances. We also discuss backwards-compatible countermeasures against all attacks.

Although all attacks can be mitigated with software changes, our conclusion is that WPA3 does not meet the standards of a modern security protocol. Especially on devices with lightweight processors, vendors may not implement all the costly side-channel countermeasures. This would allow an adversary to perform dictionary attacks even when WPA3 is used.

During this workshop we will discuss RFID implementations such as access cards and badges. We will start some theory (about 20 minutes) describing different RFID based products and security solutions and their inherent problems. To demonstrate the workings of RFID badges and dongles, each student will receive a package containing an Arduino clone, an RFID reader/writer and several badges to play around with.

We will help the students set up their environment and show them different ways to read and write RFID badges (13,56 Mhz). Several exercises will be performed; each student will be able to try while we (myself and 1 colleague) help them out. For each we will of course also provide a sample solution. These exercises are interrupted with some extra theory before so each student realizes what he is trying to achieve.


We are going to show demo's using RFID shields (125KHz and 13.56 MHz) with an Arduino and/or Raspberry Pi as well as at least one ready-made product to clone 13.56MHz badges.

The exercises with the students will be on 13.56MHz only but we provide the hardware for them to use (they can keep this afterward). We will first show them how to read the cards and then break any protection / encryption present and write a new card that can be used. For some exercises we will look at Salto locks, some custom implementations we have encountered during red teaming, ISO standards 14443 (on which MIFARE is built) and 15693 (on which the HID products are built). We will try to stay away from theory since that would take us too long. We had the idea to focus on MIFARE since we encounter that the most but since we operate mostly in Belgium this might be different for an international audience, in that case, we are more than willing to change our focus.

Some of the exercises are:
- installing the development environment
- reading a badge
- writing data to a badge
- cloning a badge
- cracking a MiFare implementation

The workshop aims towards making beginners aware and comfortable with various facets of Scapy and its real time usages in various task of penetration testing.

The flow of workshop will be as under:
1. Scapy basics
2. TCP Basics
3. DHCP server
4. DHCP server flooder || DNS/MDNS
5. Crafting a layer using Scapy
6. Fuzzing protocols with Scapy
7. Covert channel using Scapy
8. Scapy-radio

Key takeaways for attendees:
- sending/receiving/displaying/modifying packets with Scapy
- implementing custom layers in Scapy
- implement answerMachines in Scapy
- to construct tools implementing some real life examples
- simple fuzzing through Scapy and generators
- to decode live traffic with an implemented protocol

Working in Scapy consequently attendees will learn:
- TCP basics
- DHCP/DNS/MDNS basics
- AJP13 protocol
- fuzzing
- Scapy-radio

Prebuilt VM containing all scripts and dependencies in place.
An ISO in progress can be found at:
https://drive.google.com/open?id=1wJ9OQOAnew3upyoFdMUz1hlo0WEuogJW
(/root contains install script. /src contains scripts. python-netaddr dependency needs to be installed manually as of now with apt.)

ICS cybersecurity has been a new subject for years now, especially since Stuxnet. Has the security level of ICS improved?

Well, even if ICS are more and more interconnected, we can probably say yes for network segmentation, as well as patching. And it is mostly true for critical infrastructures that must comply with multiple laws around the world. But what about the most critical components such as PLCs?

In this workshop, you will learn how to attack PLCs, by attacking ICS protocols: a well-known legacy protocol, Modbus, as well as an open source protocol considered as the future of ICS communications, OPC-UA. And to do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and its main components, as well as explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers (PLCs), and discover how they work, how they communicate, how they can be programmed to learn the methods and tools you can use to p*wn them.

Then we will move on to real-world by attacking real PLCs from two major manufacturers on a dedicated setup featuring robot arms and a model train! And to conclude, probably the most difficult, let's discuss how to secure ICS communications.

Prerequisites: A computer with 4gb of RAM, 30GB disk space and Virtualbox. We will provide a Virtual Machine for attendees.

Over the past few years we have seen organizations move a part of, or even their entire infrastructure to the cloud. With on-premise infrastructure it used to be clear that the security needed to be taken care of by the organization itself. With cloud infrastructure there is quite some confusion about who takes care of which security controls. This confusion has led to several painful incident response cases where we were called in only to discover we hardly had any data to work with. In general, we observe 3 common problems with incident response in the cloud:

1. Lack of knowledge about the different logging options within cloud environments. What is enabled by default and what is not?
2. Increased response times due to the lack of visibility and security knowledge about the cloud environments.
3. Lack of resources available to respond to the incidents, most organizations are not capable due to the limited amount of people and tools to respond timely.

This presentation consists of three key parts highlighting incident response challenges in the cloud, but also how we can purposely use what cloud providers offer us to improve our security operations.

The first section includes some key examples of what went wrong during incidents in cloud environments and lists some key challenges that we face as an incident response team to investigate security incidents in depth.

A second section in the presentation describes the overview of critical logs that are required to do incident response. These logs and settings are mapped on the 2 main cloud providers; Amazon AWS and Microsoft Azure. This will allow you to understand which logs are there by default and which logs should be activated for incident response and forensic investigations.

A 3rd section will introduce automated response, by explaining a use case were a system gets infected, server-less code will be executed to protect other systems and enable advanced analytics on the compromised system. This example is based on Microsoft Azure Security Center and applogic to enforce actions in case a specific alert is triggered.

Industrial control system (ICS) attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.

Historically, such attacks are not new, but instead encapsulate the very first know ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking effects to operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.

This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.

We will present our project — Atomic Threat Coverage framework (https://github.com/krakow2600/atomic-threat-coverage), which allows to automatically generate actionable analytics, designed to combat threats (based on the MITRE ATT&CK adversary model) from Detection, Response, Mitigation and Simulation perspectives. This way Atomic Threat Coverage represents a Core of Security Operations Center, creating analytics database with all entities, mapped to all meaningful, actionable metrics, ready to use, ready to share and show to leadership, customers and colleagues.

There are plenty decent projects that provide analytics (or functionality) to counter cyberthreats (Sigma, Atomic Red Team, MITRE CAR). All of them have one weakness — they exist in the vacuum of their area. In reality everything is tightly connected: data for alerts doesn't come from nowhere, and generated alerts don't go nowhere. Data collection, security systems administration, threat detection, incident response etc are parts of bigger and more comprehensive process which requires close collaboration of various departments.

Sometimes problems of one function could be solved by methods of other function in a cheaper, simpler and more efficient way. Most of the tasks couldn't be solved by one function at all. Each function is based on abilities and quality of others. There is no efficient way to detect and respond to threats without proper data collection and enrichment. There is no efficient way to respond to threats without understanding of which technologies/systems/measures could be used to block specific threat. There is no reason to conduct penetration test or Red Team exercise without understanding of abilities of processes, systems and personal to combat cyber threats. All of these require tight collaboration and mutual understanding of multiple departments.

In practice there are difficulties in collaboration due to:

- Absence of common threat model/classification, common terminology and language to describe threats
- Absence common goals understanding
- Absence of simple and straightforward way to explain specific requirements
- Difference in competence level (from both depth and areas perspectives)

That's why we decided to create Atomic Threat Coverage — project which connects different functions/processes under unified Threat Centric methodology (Lockheed Martin Intelligence Driven Defense® aka MITRE Threat-based Security), threat model (MITRE ATT&CK) and provide security teams an efficient tool for collaboration on one main challenge — combating threats.

This talk will show the results of an internet-scale analysis of the security of AWS Cognito configurations. During this research it was possible to identify 2500 identity pools, which were used to gain access to more than 13000 S3 buckets (which are not publicly exposed), 1200 DynamoDB tables and 1500 Lambda functions.

The talk starts with an introduction to the AWS Cognito service and how it can be configured by the developers to give end-users direct access to AWS resources such as S3 and DynamoDB. Access is restricted by IAM policies which are under the developer's control and, in many cases, do not follow the least privilege principle.

The configuration weakness is first explained step by step for a specific AWS account and Cognito identity pool using a series of demos, the same concepts are then automated to perform an internet-scale analysis of AWS Cognito configurations.

Because Cognito identity pool IDs are UUID4 it was necessary to download thousands of APKs from the Google Play store, decompile them and extract the identifiers. Other sources such as Common Crawl were also used to identify valid identifiers. The tools used to perform these tasks will be made public.

Each Cognito identity pool that was configured with an unauthenticated role was analyzed using an in-depth permission brute-force tool that identifies potential breaches to least privilege principle.

The talk ends with recommendations for developers that want to configure the service in a secure manner, and an analysis of potential reasons for this widespread issue such as poor documentation and examples on AWS site

We will be bringing our combined decades of experience to teach the most common and effective physical security bypasses we use to enter commercial buildings and combine every technique with a war story. The last ~20m will just be our most enthralling stories from physical security engagements we've performed including some hilarious failures and how we social-engineered our way out of them.