Comprehensive Training (October 26-28, 2020)

Preceding the core conference, we run three days of intensive technical and management training. All content is delivered by some of the world’s most knowledgeable and influential IT security experts in the private, public, and research sectors.

Hunting APTs with Yara

INSTRUCTORS: Costin G. Raiu & Vitaly Kamluk

Costin G. Raiu, Director, Global Research and Analysis Team (GReAT) – Kaspersky Lab
Costin specializes in analyzing APTs and high-level malware attacks. He leads the Global Research and Analysis Team (GReAT) at Kaspersky, which researched the inner workings of Stuxnet, Duqu, Carbanak and, more recently, Lazarus, BlueNoroff, Moonlight Maze and the Equation group.

Costin has over 24 years of experience in anti-virus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO) and a reporter for the Wildlist Organization International. Before joining Kaspersky Lab, Costin worked for GeCad as Chief Researcher and as a Data Security Expert with the RAV antivirus developers group.
Costin joined Kaspersky Lab in 2000 and became the Director of the Global Research & Analysis Team in 2010.
Some of his hobbies include chess, photography and science fiction literature.

Twitter: @craiu
http://www.securelist.com/en/blog/

Vitaly Kamluk, Principal Security Researcher, Global Research and Analysis Team (GReAT) – Kaspersky Lab

Vitaly joined Kaspersky Lab in 2006, after winning a security contest organized by the company to find the best, most talented security researchers.

Vitaly has also worked for Interpol as a Principal Security Researcher and trainer, at the Interpol Global Complex for Innovation in Singapore. Since 2017 he has headed the APAC division of GReAT. Vitaly has extensive experience in analyzing malicious code, reverse engineering, rapid prototyping and developing defense technologies.

COURSE OVERVIEW:

This training will lead you through one of the key tools for the APT hunter: the Yara detection engine.

If you’ve wondered how to master Yara and reach a new level in APT detection, mitigation and response, it comes down to a few ingredients: our private stash of Yara rules for hunting advanced malware, our custom tools and processes, and, last but not least, the experience and best practices developed in-house by our researchers.

During this training you will learn how to write the most effective Yara rules, how to test them, and how to improve them to the point where they find threats that nobody else does. Over the two days you will gain access to some of our internal tools and learn how to build effective APT detection strategies with Yara.

Syllabus

  1. Brief introduction into Yara
  2. Yara syntax
  3. Useful tips
    1. adding metadata
    2. adding conditions
  4. How to make effective Yara rules
  5. Performance tips
  6. Yara-generators
    1. YarGen
    2. yara-generator.net
    3. Xen0ph0n
    4. joxeankoret
  7. Sources of Yara rules
    1. Public sets
    2. APT reports
      1. Directly published rules
      2. Indirectly published rules (IOCs: strings, file names, registry keys, mutexes, C2s, ...)
    3. Closed exchange groups
  8. Testing Yara rules for false positives
    1. Public clean samples sets
    2. Public and free malware samples sets
    3. Private malware samples sets
    4. VirusTotal (VT)
      1. VTMIS notifications
      2. Retrohunt
    5. “Klara”
  9. Hunting for new and undetected samples on VT
    1. by making rules, specific for each APT group / malware family
    2. by making generic rules for Trojans, rootkits, downloaders, keyloggers, backdoors, etc.
    3. by anomaly search
      1. Fake timestamp
      2. Fake signature
      3. Connections to known bad dynamic DNS hosts
      4. Mimicking legitimate files (e.g. Microsoft or Skype binaries)
        1. Using legit PE info but not signed/trusted
        2. Using legit resources (Skype icon for example)
      5. By lateral movement patterns
      6. By crypto signatures
      7. By atypical actions for this file type
    4. VT tags to avoid FPs and tons of useless notifications
      1. New_file
      2. Submissions < 4
      3. Via_for
      4. Trusted/nsis
      5. Corrupted
      6. Positives
  10. Using external modules within Yara for effective hunting
    1. PE
    2. Cuckoo
    3. Enhance Yara by adding & importing your own scanning modules (XORSearch, SSDeep etc)
  11. Useful tools
    1. YarAnalyzer
    2. BloomAutoYara
    3. YaraManager
    4. Plyara
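
Syllabus items 3 (adding metadata and conditions), 5 (performance) and 7.2.2 (turning IOCs from an APT report into rules) come together in a small generator. The script below is an added example written for this page, not one of the instructors' internal tools or any of the generators listed above. The IOC values are constructed for the example and do not come from a real report; the rule name, metadata fields and the 2-of-N threshold are the author's choices.

```python
import re

# Constructed indicators, in the shape you would lift from an APT report's IOC
# appendix. None of these values come from a real report.
REPORT_IOCS = {
    "file_strings": [
        r"C:\Users\dev\Release\agent.pdb",   # PDB path left in the binary
        r"\\.\pipe\updsvc_",                 # named pipe used for IPC
        "ab",                                # too short: would match everywhere
    ],
    "mutexes": [r"Global\{B0F3-UPD}"],
    "c2": ["update.example-cdn.test", "10.1.2.3"],
}

_PREFIX = {"file_strings": "s", "mutexes": "m", "c2": "c"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")   # Yara rule identifier


def yara_escape(value: str) -> str:
    """Escape a Python string for use inside a double-quoted Yara text string."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("\t", "\\t")
                 .replace("\n", "\\n"))


def collect_strings(iocs, min_len=4):
    """Flatten the IOC groups into ($identifier, value) pairs.

    Atoms shorter than min_len are dropped: they match almost everywhere,
    which costs scan time and produces false positives."""
    pairs = []
    for group, prefix in _PREFIX.items():
        for i, value in enumerate(iocs.get(group, [])):
            if len(value) >= min_len:
                pairs.append((f"${prefix}{i}", value))
    return pairs


def build_rule(name, iocs, actor, source, rule_date, min_hits=2, max_size="2MB"):
    """Render a Yara rule: metadata, one string per indicator, and a threshold
    condition restricted to PE files (MZ magic) below a size cap."""
    if not _IDENT.match(name):
        raise ValueError(f"invalid Yara rule identifier: {name!r}")
    strings = collect_strings(iocs)
    if len(strings) < min_hits:
        raise ValueError("fewer usable indicators than the requested threshold")
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        f'        description = "{yara_escape(actor)} indicators from {yara_escape(source)}"',
        f'        date = "{rule_date}"',
        '        author = "constructed example"',
        "    strings:",
    ]
    for ident, value in strings:
        # "ascii wide" also catches UTF-16LE copies (mutex names, registry paths).
        lines.append(f'        {ident} = "{yara_escape(value)}" ascii wide')
    lines += [
        "    condition:",
        f"        uint16(0) == 0x5A4D and filesize < {max_size} and {min_hits} of them",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rule("APT_Example_Agent", REPORT_IOCS,
                     actor="Example actor", source="constructed report",
                     rule_date="2020-10-26"))
```

The MZ magic and size cap do not stop Yara from scanning the strings, but they keep a rule built from weak indicators (an IP address, a short domain) from firing on documents, scripts or log files; the 2-of-N threshold is what makes the rule survive a single indicator being reused by a legitimate program.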

TOPICS COVERED:

  • brief intro to Yara syntax
  • tips & tricks to create fast and effective rules
  • Yara-generators
  • testing Yara rules for false positives
  • hunting new undetected samples on VT
  • using external modules within Yara for effective hunting
  • anomaly search
  • lots (!) of real-life examples
  • a set of exercises for improving your Yara skills

PREREQUISITES AND TECHNICAL REQUIREMENTS:

Coming Soon

The ARM IoT Exploit Laboratory

INSTRUCTOR: Saumil Udayan Shah – CEO – Net-Square Solutions

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

COURSE OVERVIEW:

ARM has emerged as the leading architecture in the Internet of Things (IoT) world. The all new ARM IoT Exploit Laboratory is a 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end “Firmware-To-Shell” hack, where we extract the firmware from a popular SoHo router and an IP camera, build virtual environments to emulate and debug them, and then build exploits to gain a shell on the actual hardware devices.

LEARNING OBJECTIVES:
——————-
* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* Understanding how functions work in ARM
* Debugging on ARM systems
* Exploiting Stack Overflows on ARM
* Writing ARM Shellcode from the ground up
* Introduction to Return Oriented Programming
* Bypassing exploit mitigation using ROP
* Practical ARM ROP
* An Introduction to extracting firmware from devices
* Emulating and debugging a SoHo router’s firmware in a virtual environment
* “Firmware-To-Shell” – exploiting an actual SoHo router
* “Firmware-To-Shell” – exploiting an actual IP camera
* The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

TARGET AUDIENCE:
—————-
– Past x86 Exploit Laboratory students who want to take their elite exploitation skills to the ARM platform.
– Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
– Red Team members, who want to pen-test custom binaries and exploit custom built applications.
– Bug Hunters, who want to write exploits for all the crashes they find.
– Members of military or government cyberwarfare units.
– Members of reverse engineering research teams.
– People frustrated at software to the point they want to break it!

DAILY SCHEDULE
————–
DAY 1
* Introduction to the ARM CPU architecture
* Exploring ARM assembly language
* EXERCISE – Examples in ARM Assembly Language
* Debugging on ARM systems
* Understanding how functions work in ARM
* Exploiting Stack Overflows on ARM
* EXERCISE – ARM Stack Overflows

DAY 2
* Writing ARM Shellcode from the ground up
* EXERCISE – Embedded Web Server exploit
* Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
* Introduction to ARM Return Oriented Programming
* Bypassing exploit mitigation on ARM using ROP
* ARM ROP Tools
* EXERCISE – Searching for ARM ROP Gadgets

DAY 3
* Practical ROP Chains on ARM
* EXERCISE – Exploit featuring ARM ROP Chains
* Bypassing ASLR
* An Introduction to firmware extracting
* Discovering an IoT device’s serial pins and extracting actual firmware via serial console
* Emulating and debugging a SoHo router’s firmware in a virtual environment
* EXERCISE – Attacking a DLINK DIR-880L ARM Router – from firmware to shell
* EXERCISE – Attacking a Trivision ARM IP Camera – from firmware to shell
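
The Day 2 exercise on searching for ARM ROP gadgets comes down to scanning an image for instructions that hand control back to the stack. The script below is an added example for this page, not the class’s own tooling: it walks a raw code blob in both ARM and Thumb mode, reports every `pop {..., pc}` and `bx lr` terminator, and sets the low address bit on Thumb hits, which is how a return address into Thumb code has to be written. The image bytes are constructed here (three ARM words followed by two Thumb halfwords) and the base address is an assumption; the encodings are taken from the ARMv7 instruction set.

```python
import struct

REG_NAMES = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]


def _regs(mask, width=16):
    """Register names selected by a register-list bitmask."""
    return [REG_NAMES[r] for r in range(width) if mask & (1 << r)]


def decode_arm_terminator(word):
    """Mnemonic if a 32-bit ARM word ends a gadget, else None.

    bx lr                  = 0xE12FFF1E
    pop {..., pc}          = LDMIA sp!, {...}: cond=AL, bits 27..16 = 0x8BD,
                             pc (bit 15) set in the register list."""
    if word == 0xE12FFF1E:
        return "bx lr"
    if (word & 0xFFFF8000) == 0xE8BD8000:
        return "pop {" + ", ".join(_regs(word & 0xFFFF)) + "}"
    return None


def decode_thumb_terminator(half):
    """Mnemonic if a 16-bit Thumb halfword ends a gadget, else None.

    bx lr                  = 0x4770
    pop {..., pc}          = 1011 110 1 <reglist8>  (P bit selects pc)"""
    if half == 0x4770:
        return "bx lr"
    if (half & 0xFF00) == 0xBD00:
        return "pop {" + ", ".join(_regs(half & 0xFF, 8) + ["pc"]) + "}"
    return None


def find_gadget_endings(blob, base=0):
    """Scan blob as ARM (4-byte step) and as Thumb (2-byte step).

    Returns sorted (address, mode, mnemonic) tuples. Thumb addresses carry
    bit 0 set so they can be dropped straight into a ROP chain."""
    found = []
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        m = decode_arm_terminator(word)
        if m:
            found.append((base + off, "arm", m))
    for off in range(0, len(blob) - 1, 2):
        half = struct.unpack_from("<H", blob, off)[0]
        m = decode_thumb_terminator(half)
        if m:
            found.append(((base + off) | 1, "thumb", m))
    return sorted(found)


def pop_controls(mnemonic):
    """Registers a pop-terminator lets the attacker load from the stack."""
    if not mnemonic.startswith("pop {"):
        return []
    return mnemonic[5:-1].split(", ")


# Constructed image fragment (not from a real firmware):
ARM_WORDS = [0xE1A00004, 0xE8BD8010, 0xE12FFF1E]   # mov r0, r4 ; pop {r4, pc} ; bx lr
THUMB_HALFWORDS = [0x1C08, 0xBD30]                 # adds r0, r1, #0 ; pop {r4, r5, pc}
SAMPLE_IMAGE = (b"".join(struct.pack("<I", w) for w in ARM_WORDS)
                + b"".join(struct.pack("<H", h) for h in THUMB_HALFWORDS))
BASE = 0x10000   # assumed load address of the fragment


if __name__ == "__main__":
    for addr, mode, mnemonic in find_gadget_endings(SAMPLE_IMAGE, BASE):
        print(f"{addr:#010x}  {mode:5s}  {mnemonic}  controls={pop_controls(mnemonic)}")
```

Both decoders walk the entire blob regardless of which mode the code was assembled in; that is deliberate, since unaligned and mode-mismatched byte sequences are legitimate gadgets as long as the target can branch to them. A real search then looks backwards from each terminator for the useful instruction (here `mov r0, r4` sits right before the ARM `pop {r4, pc}`, which is the shape of a gadget that sets the first argument register) and filters hits to executable sections.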

PREREQUISITES:
————–
* A conceptual understanding of how functions work in C programming
* Knowledge of how a stack works, basic stack operations
* Familiarity with GDB
* Not be allergic to command line tools.
* Have a working knowledge of shell scripts, cmd scripts or Perl.
* If none of the above apply, then enough patience to go through the pre-class tutorials.
* SKILL LEVEL: INTERMEDIATE (leaning towards advanced)

PRE-CLASS TUTORIALS:
——————–
The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.

a) Operating Systems – A Primer

b) How Functions Work

c) Introduction to Debuggers

HARDWARE REQUIREMENTS:
———————-
* A working laptop (no Netbooks, no Tablets, no iPads)
* Intel Core i3 (equivalent or superior) required
* 8GB RAM required, at a minimum
* Wireless network card
* 40 GB free Hard disk space
* If you’re using a new Macbook or Macbook Pro, please bring your dongle-kit (especially for reading USB-A pen drives)

SOFTWARE REQUIREMENTS:
———————-
* Linux / Windows / Mac OS X desktop operating systems
* VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
* Administrator / root access MANDATORY

THE EXPLOIT LAB BLOG: http://blog.exploitlab.net/
OUR TWITTER STREAM: @therealsaumil

STUDENTS WILL BE PROVIDED WITH:
——————————-
Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

Hacking and Securing Cloud Infrastructure

INSTRUCTOR: 

Anthony Webb, Principal Senior Consultant – NotSoSecure

Anthony Webb has been a committed tech geek ever since first learning to code on a BBC Micro at around 6 years old. He has worked in IT security specifically for the past 5 years, specializing in both traditional and Cloud infrastructure, and is a Principal Senior Consultant at NotSoSecure. Anthony currently holds industry recognised accreditations including CREST CRT and OSCP as well as a number of Amazon Web Services certifications. He is also a trainer for NotSoSecure’s Advanced Infrastructure Hacking (AIH) class, which he delivers both to classroom-style audiences and at large conferences such as Black Hat.

COURSE OVERVIEW:

This 3-day course cuts through the mystery of Cloud Services (including AWS, Azure, and Google Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement; however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Highlights of our Training:

  • Attacking Cloud Services
  • Gaining Entry via exposed services
  • Attacking specific cloud services
  • Post – Exploitation
  • Defending the Cloud Environment
  • Host-based Defenses
  • Auditing and benchmarking of Cloud
  • Continuous Security Testing of Cloud

Key Takeaways:
Students will gain knowledge of attacking, exploiting and defending a variety of Cloud infrastructure. First, they will play the part of the hacker, compromising serverless apps, cloud machines, storage and database services, dormant assets and resources. Students will learn privilege escalation and pivoting techniques specific to cloud environments. This is followed by Infrastructure Defense, secure configuration, auditing, logging, benchmarks. Students will learn preventive measures against cloud attacks, host-based defense and a number of cloud tools that can help in securing their services and resources.

Apply the learning to:

  • Identify weaknesses in cloud deployment
  • Fix the weaknesses in your cloud deployment
  • Monitor your cloud environment for attacks
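
The auditing and benchmarking side of the course is, in practice, a matter of reading policy documents and flagging the patterns that hand out more access than intended. The script below is an added example for this page, not one of the course’s tools: it parses AWS IAM-style policy JSON (identity policies, bucket policies and role trust policies all share the statement format) and reports a few of the classic misconfigurations. All policy documents and the VPC endpoint identifier are constructed for the example; the finding codes are the author’s own.

```python
import json

# Constructed policy documents (made up for this example, not from any real account).
POLICIES = {
    "admin_wildcard": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                      '"Action": "*", "Resource": "*"}]}',
    "service_wildcard": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                        '"Action": "s3:*", "Resource": "*"}]}',
    # Allow NotAction grants every action except the listed ones: read as "almost admin".
    "notaction_allow": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                       '"NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}',
    "public_bucket": '{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", '
                     '"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], '
                     '"Resource": "arn:aws:s3:::example-bucket/*"}]}',
    "open_trust": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                  '"Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}',
    "vpce_restricted": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                       '"Principal": "*", "Action": "s3:GetObject", '
                       '"Resource": "arn:aws:s3:::example-bucket/*", '
                       '"Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}',
    "scoped_ok": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                 '"Action": ["s3:GetObject", "s3:ListBucket"], '
                 '"Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}',
}
DOCS = {name: json.loads(text) for name, text in POLICIES.items()}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """"Principal": "*" or {"AWS": "*"} means any AWS identity, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(doc):
    """Return a sorted list of finding codes for one policy document."""
    findings = set()
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue                     # Deny statements never widen access
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            findings.add("ADMIN_WILDCARD")
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.add("SERVICE_WILDCARD")   # e.g. s3:* on every bucket
        if "NotAction" in st and "*" in resources:
            findings.add("NOTACTION_ALLOW")
        if _principal_is_anyone(st.get("Principal")):
            if st.get("Condition"):
                findings.add("PUBLIC_PRINCIPAL_WITH_CONDITION")   # review the condition
            else:
                findings.add("PUBLIC_PRINCIPAL")
            if any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
                findings.add("OPEN_ASSUME_ROLE")   # any account can assume this role
    return sorted(findings)


def audit_all(docs):
    """Map policy name to its findings, keeping clean policies with an empty list."""
    return {name: audit_policy(doc) for name, doc in docs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(DOCS).items():
        print(f"{name:18s} {findings or 'clean'}")
```

The conditioned public principal is reported separately on purpose: a bucket policy opened to `*` but pinned to a VPC endpoint or source account is a common and legitimate pattern, and the check should make a reviewer read the condition rather than either ignoring it or treating it as a public bucket.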

PREREQUISITES AND TECHNICAL REQUIREMENTS
Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Students must bring their own laptops and have admin/root access on them. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.