AVENGERCON V

WORKSHOPS

Attacker methodology: Cyber Kill Chain

While cyber vulnerabilities are common knowledge across the Department of Defense, the fundamentals of how adversaries operate, and how to think like them, are less well known. Learning about each phase of the Cyber Kill Chain helps with this. The Cyber Kill Chain breaks an attack down into its mechanisms so that you can understand each phase, from reconnaissance to actions on objectives. The lecture on the Cyber Kill Chain will be followed by an interactive capture-the-flag exercise.

Making the spook in your pocket less spooky: Upgrading the privacy of Android phones

Today, the privacy and security risks of using smartphones, and their consequences, are numerous. Many smartphone users are either unaware of the privacy risks inherent in using smartphones with default settings and common applications, or have resigned themselves to an apparently unavoidable loss of privacy in exchange for the convenience of a modern lifestyle and the ability to seamlessly communicate with friends and family. But is that loss of privacy really unavoidable? In this workshop, I will provide an overview of the Android operating system, the common ways that smartphone activity can be tracked, how you can analyze Android applications for privacy and security risks, and how you can configure select Android phone models to better respect your privacy without sacrificing all of the conveniences of the smartphone.

PowerShell crash course

This course will give you the basics of PowerShell. You will learn PowerShell syntax: how to repeat tasks, how to iterate through a list of objects, and the various things you can do with PowerShell objects. You will also learn how to discover new cmdlets, modules, and functions. You will gain experience by practicing what the instructor is teaching and by watching demos of production scripts and tools. The target audience for this course is individuals who are new to scripting and individuals who are new to PowerShell. Play in the PowerShell CTF to reinforce the learning.

Open source threat intelligence tools and hunting

Organizations need to identify and disposition new threats to ensure active, adaptive defense. This workshop will walk through open source resources and freely-available techniques to identify new threats and attack trends, and how to then formulate defensive strategies for enterprise protection.

Introduction to reverse engineering

Reverse engineering is an essential skill for many tasks in cybersecurity, such as malware analysis, vulnerability discovery, and exploitation. In this 6-hour course, we teach students how to use hex editors, disassemblers, and debuggers on x86/x64 binaries in Linux as applied to these various tasks.

Penetration testing and forensics: Credential abuse

In this hands-on workshop, students will perform both offensive and forensic tasks. Students will conduct several attacks from the perspective of a penetration tester in an Active Directory environment: a password harvesting attack against Active Directory, a Kerberoast attack, cracking the resulting password hashes, and dumping hashes from the domain controller. Once the attacks are complete, students will examine the event logs and other forensic evidence left behind by them.
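The forensic half of this workshop is the interesting part for defenders, so here is an added example (it is not material from the workshop) of the detection logic for the Kerberoast step. A Kerberoast requests service tickets for SPNs that belong to user accounts, historically with RC4-HMAC so that the ticket can be cracked offline; each request leaves a Windows Security event 4769 ("A Kerberos service ticket was requested") on the domain controller whose TicketEncryptionType is 0x17 for RC4. The script below parses a handful of constructed 4769 events (the field names are the real 4769 EventData names, but the one-line key=value layout is ours, not EVTX or Elastic output), keeps RC4 tickets for non-computer service accounts, and flags a requester that hits several distinct services inside a short window. The thresholds and the sample addresses are assumptions for the demo.

```python
"""Kerberoast detection over constructed Windows event 4769 records.

Added example for the credential-abuse workshop listing; not code from the
workshop.  Sample events, names and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per 4769 (and one 4768 TGT request as noise).
# jdoe requests RC4 tickets for three user-account SPNs within seconds, which
# is the Kerberoast signature; asmith makes a single RC4 request (a legacy
# app might do that), and the AES (0x12) requests are normal traffic.
SAMPLE_EVENTS = """\
2023-11-04T09:12:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
2023-11-04T09:12:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
2023-11-04T09:12:02 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
2023-11-04T09:12:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.23
2023-11-04T09:12:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.5.23
2023-11-04T09:15:10 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.5.40
2023-11-04T09:15:11 EventID=4769 TargetUserName=DC01$@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.10
2023-11-04T09:16:00 EventID=4768 TargetUserName=bsanchez@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.5.41
2023-11-04T09:16:30 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.5.42
"""

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (crackable offline)


def parse_event(line):
    """Parse one constructed record into a dict; return None for non-4769."""
    parts = line.split()
    if len(parts) < 2:
        return None
    ev = {"time": datetime.fromisoformat(parts[0])}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        ev[key] = value
    return ev if ev.get("EventID") == "4769" else None


def is_roastable_request(ev):
    """RC4 service ticket, successfully issued, for a non-computer SPN.

    Computer accounts (ServiceName ending in '$') have long random passwords
    and krbtgt tickets are TGT traffic, so neither is a Kerberoast target.
    """
    svc = ev.get("ServiceName", "")
    return (
        ev.get("TicketEncryptionType") == RC4_HMAC
        and ev.get("Status") == "0x0"
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def detect_kerberoast(lines, min_services=3, window=timedelta(minutes=5)):
    """Flag (requester, source IP) pairs that pull RC4 tickets for at least
    `min_services` distinct user-account SPNs within `window`."""
    by_requester = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and is_roastable_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window: from each event, collect services seen within `window`.
        for i, start in enumerate(evs):
            services = {e["ServiceName"] for e in evs[i:]
                        if e["time"] - start["time"] <= window}
            if len(services) >= min_services:
                alerts.append({"requester": user, "ip": ip,
                               "first_seen": start["time"],
                               "services": sorted(services)})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['first_seen']} possible Kerberoast by {alert['requester']} "
              f"from {alert['ip']}: {', '.join(alert['services'])}")
```

Two caveats a practitioner would add: legacy applications still request RC4 tickets, so the encryption-type filter needs a baseline of which accounts normally do that, and an attacker on a domain where RC4 is disabled can request AES tickets instead (slower to crack, but still crackable), so the distinct-services-per-window heuristic should also be run without the RC4 condition.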

Modern glibc heap exploitation

Heap-based exploitation is an active area of software vulnerability research. All known heap allocators have security problems, and most mitigations depend entirely on a randomizer. In this workshop we will cover the most recent breakthroughs in modern glibc heap exploitation on Linux, with an emphasis on underlying mathematical techniques for mitigation (focusing on address space layout randomization and safe linking) and mitigation bypass.
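Safe-linking is the glibc 2.32+ mitigation for the singly linked tcache and fastbin lists: a chunk's forward pointer is stored as `ptr ^ (L >> 12)`, where L is the address of the slot holding it, so an attacker who can write a forward pointer without an address leak cannot produce a valid one. The following added example (not code from the workshop, and not glibc's own source) reproduces that arithmetic and the standard bypass applied once a mangled pointer has been leaked: because the key `L >> 12` has twelve zero top bits, the top 12 bits of the leak are the top 12 bits of the real pointer, and each lower 12-bit group can be recovered from the one above it. The recovery is exact when the slot and the chunk it points to are in the same 4 KiB page; when they are in the same 64 KiB region only the four low alignment bits can be wrong, which is why exploit scripts mask them. The heap addresses below are constructed for the demo.

```python
"""glibc safe-linking arithmetic and leaked-pointer recovery (added example)."""

MASK64 = (1 << 64) - 1


def protect_ptr(pos: int, ptr: int) -> int:
    """Same arithmetic as glibc's PROTECT_PTR: mangle ptr with the address
    pos of the slot it will be stored in."""
    return ((pos >> 12) ^ ptr) & MASK64


def reveal_ptr(pos: int, mangled: int) -> int:
    """Same arithmetic as glibc's REVEAL_PTR: the inverse, used when the
    allocator walks the bin.  Needs pos, which the allocator always knows."""
    return ((pos >> 12) ^ mangled) & MASK64


def demangle_leak(mangled: int) -> int:
    """Recover ptr from a leaked mangled fd WITHOUT knowing pos.

    Solves p ^ (p >> 12) == mangled from the top 12-bit group down; the
    solution equals the real pointer when (pos >> 12) == (ptr >> 12).
    """
    ptr = 0
    for shift in (52, 40, 28, 16, 4, 0):
        key = ptr >> 12  # built only from the groups recovered so far
        ptr = (((mangled ^ key) >> shift) << shift) & MASK64
    return ptr


def demangle_leak_aligned(mangled: int) -> int:
    """Recovered pointer with the 16-byte alignment bits cleared, which is
    correct whenever slot and target are within the same 64 KiB."""
    return demangle_leak(mangled) & ~0xF


if __name__ == "__main__":
    # Constructed addresses: heap page 0x555555559000, two tcache chunks.
    slot = 0x5555555592A0          # fd slot of the chunk at the head of the bin
    nxt_same_page = 0x5555555596C0  # next chunk, same 4 KiB page
    nxt_next_page = 0x55555555A6C0  # next chunk, next page (same 64 KiB)

    m1 = protect_ptr(slot, nxt_same_page)
    m2 = protect_ptr(slot, nxt_next_page)
    print(f"mangled (same page):  {m1:#018x} -> {demangle_leak(m1):#x}")
    print(f"mangled (next page):  {m2:#018x} -> {demangle_leak(m2):#x} "
          f"(masked {demangle_leak_aligned(m2):#x})")
```

Note the shape of the mangled value in the first case, `0x55500000c399`: the leading `555` is the unmasked top of the pointer, and the run of zeros is where the key and the pointer's middle bytes cancelled. That pattern is how you recognise a safe-linked pointer in a heap dump.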

End-to-end security

Security is everyone's responsibility. Blind spots are the enemy, and the attack surface is growing due to strategic shifts to the cloud, remote work, BYOD, and more. Meanwhile, security analysts are often overwhelmed by alerts and false positives, or lack support because of the global shortage of cyber skills. In this hands-on virtual workshop, you will work through an authentic threat scenario based on APT28 (a Russian cyber-espionage group) and learn how to identify its activity through endpoint and network collection. You will get full access to an Elastic cluster to follow along, and you will learn several concepts and best practices that carry over to hunting for other attacks. You can learn more about the APT we will be investigating in this interactive, hands-on workshop.

Big data tools: Understand your cyber operating environment the easier way and sleep better!

You can put just about everything on the internet today. From traditional devices (laptops, servers, phones, network hardware, etc.) to the Internet of Things (smart speakers, thermostats, fridges, crockpots, and more) to everything else (ICS/SCADA, sensors, cars, and others), do you really know what is in your Cyber Operating Environment? Are you vulnerable (because of the "smart" thing your employee BYOD'd)? Is your data leaking right now (via something you thought you could trust)? If any of these questions keep you up at night, then this talk is for you! Let's explore "free" (other than your time) big data tools, tactical techniques, and concepts you can use right now to begin to understand the cyber stuff in your environment, and hopefully sleep a little better!

Hunting an APT

The purpose of this workshop is to enhance your knowledge of the techniques used to hunt an APT. During this workshop, we will talk about hunting and why we hunt, set our scenario, and then work through several hunting scenarios that all tie back to a specific adversary and threat, developing a better understanding of what went on as we confirm each hypothesis. Each section walks through a hypothesis that is mapped to either a phase of the Lockheed Martin Cyber Kill Chain (LMKC) or the ATT&CK framework. At the end of each section, a slide describes lessons learned, provides a threat picture based on what was uncovered while proving the hypothesis, and lists potential actions that can operationalize the gathered intelligence for use by the incident response team in the future.