Comprehensive Training (Sep 14-16, 2020)

Preceding the core conference, we run three days of intensive technical and management training. All content is delivered by some of the world’s most knowledgeable and influential IT security experts in private, public, and research sectors.

Hunting APTs with Yara

INSTRUCTORS: Costin G. Raiu & Vitaly Kamluk

Costin G. Raiu, Director, Global Research and Analysis Team (GReAT) – Kaspersky Lab
Costin specializes in analyzing APTs and high-level malware attacks. He is leading the Global Research and Analysis Team (GReAT) at Kaspersky that researched the inner workings of Stuxnet, Duqu, Carbanak and more recently, Lazarus, BlueNoroff, Moonlight Maze and the Equation group.

Costin has over 24 years of experience in anti-virus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO) and a reporter for the Wildlist Organization International. Before joining Kaspersky Lab, Costin worked for GeCad as Chief Researcher and as a Data Security Expert with the RAV antivirus developers group.
Costin joined Kaspersky Lab in 2000 and became the Director of the Global Research & Analysis Team in 2010.
Some of his hobbies include chess, photography and science fiction literature.

Twitter: @craiu
http://www.securelist.com/en/blog/

Vitaly Kamluk, Principal Security Researcher, Global Research and Analysis Team (GReAT) – Kaspersky Lab

Vitaly joined Kaspersky Lab in 2006, after winning a security contest organized by the company to find the best, most talented security researchers.

Vitaly worked as a Principal Security Researcher and trainer, and for Interpol at the Interpol Global Complex for Innovation in Singapore. Since 2017 he has been heading the APAC division of GReAT. Vitaly has broad experience in analyzing malicious code, reverse engineering, rapid prototyping and developing defense technologies.

COURSE OVERVIEW:

This training will lead you through one of the key tools for the APT hunter: the Yara detection engine.

If you’ve wondered how to master Yara and how to achieve a new level of knowledge in APT detection, mitigation and response, it all comes down to a couple of secret ingredients. These include our private stash of Yara rules for hunting advanced malware, custom tools and processes and, last but not least, our experience and best practices developed in-house by our researchers.

During this training you will learn how to write the most effective Yara rules, and how to test and improve them to the point where they find threats that nobody else does. During this two-day training, you will gain access to some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with Yara.

Syllabus

  1. Brief introduction to Yara
  2. Yara syntax
  3. Useful tips
    1. adding metadata
    2. adding conditions
  4. How to make effective Yara rules
  5. Performance tips
  6. Yara-generators
    1. YarGen
    2. yara-generator.net
    3. Xen0ph0n
    4. joxeankoret
  7. Sources of Yara rules
    1. Public sets
    2. APT reports
      1. Directly published rules
      2. Indirectly published rules (IOCs – strings, file names, registry keys, mutexes, C2s…)
    3. Closed exchange groups
  8. Testing Yara rules for false positives
    1. Public clean samples sets
    2. Public and free malware samples sets
    3. Private malware samples sets
    4. VT
      1. Vtmis notifications
      2. Retrohunt
    5. “Klara”
  9. Hunting for new and undetected samples on VT
    1. by making rules, specific for each APT group / malware family
    2. by making generic rules for Trojans, rootkits, downloaders, keyloggers, backdoors etc
    3. by anomaly search
      1. Fake timestamp
      2. Fake signature
      3. Connections to known bad dynamic DNS hosts
      4. Mimicking a legitimate file (above or MS or Skype etc)
        1. Using legit PE info but not signed/trusted
        2. Using legit resources (Skype icon for example)
      5. By lateral movement patterns
      6. By crypto signatures
      7. By atypical actions for this file type
    4. VT tags to avoid FPs and tons of useless notifications
      1. New_file
      2. Submissions < 4
      3. Via_for
      4. Trusted/nsis
      5. Corrupted
      6. Positives
  10. Using external modules within Yara for effective hunting
    1. PE
    2. Cuckoo
    3. Enhance Yara by adding & importing your own scanning modules (XORSearch, SSDeep etc)
  11. Useful tools
    1. YarAnalyzer
    2. BloomAutoYara
    3. YaraManager
    4. Plyara

TOPICS COVERED:

  • brief intro into Yara syntax
  • tips & tricks to create fast and effective rules
  • Yara-generators
  • testing Yara rules for false positives
  • hunting new undetected samples on VT
  • using external modules within Yara for effective hunting
  • anomaly search
  • lots (!) of real-life examples
  • a set of exercises for improving your Yara skills

PREREQUISITES AND TECHNICAL REQUIREMENTS:

Coming Soon

Bughunting Bootcamp

INSTRUCTOR: Eldar “Wireghoul” Marcussen – Lead Security Researcher – xen1thLabs

Eldar is a long-time bug hunter and was a recipient of the first CVE 10K candidate numbers.

In addition to finding vulnerabilities, he contributes to and maintains several open source projects in his spare time aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more.

COURSE OVERVIEW:
Want to find zero days? Write exploits? Do some cool research? This intense three-day, lab-based course will teach you the skills to find new security vulnerabilities, evaluate the root cause, assess impact, and write exploits to prove the existence of vulnerabilities in software. The course will cover both manual and automated vulnerability hunting in source code, web-based software, compiled binaries and embedded systems.

Additionally, we will cover how to chain vulnerabilities together to achieve unauthenticated remote code execution, vendor notification, vulnerability disclosure and how to obtain a CVE. The training prioritizes real-world vulnerabilities across several languages.

Day 1:
* Theory and web application security
* Choosing suitable targets
* Static and dynamic analysis
* Web application vulnerabilities and exploits

Day 2:
* Embedded and web vulnerabilities and exploits
* Logic flaws
* Chaining bugs in exploits
* Bug hunting in embedded devices
* Basic reverse engineering using Ghidra

Day 3:
* Memory corruption vulnerabilities and exploits
* Shell code
* Fuzzing
* Triage
* Writing memory corruption exploits
* Dealing with disclosure
* Conclusion

LEARNING OBJECTIVES:

Students will learn how to identify and exploit common security vulnerabilities in open and closed source software.

Attendees will be provided

  • Slides for the training course.
  • Virtual Machine with all the required software and reference material.

PREREQUISITES:

The course is aimed at beginners and security professionals alike, with a variety of targets to practice bug hunting skills, so the attendee will find something suitable for their skill level. Students are expected to be somewhat familiar with the Linux command line as well as OWASP Top 10 & CWE-25. Basic scripting knowledge is recommended, but not required.

Attendees must bring a laptop capable of running a VirtualBox virtual machine in order to complete this course.

Hacking and Securing Cloud Infrastructure

INSTRUCTOR: Anthony Webb, Principal Senior Consultant – NotSoSecure

Anthony Webb has been a committed tech geek ever since first learning to code on a BBC Micro at around 6 years old. He has worked in IT security specifically for the past 5 years, specializing in both traditional and Cloud infrastructure, and is a Principal Senior Consultant at NotSoSecure. Anthony currently holds industry-recognised accreditations including CREST CRT and OSCP as well as a number of Amazon Web Services certifications. He is also a trainer for NotSoSecure’s Advanced Infrastructure Hacking (AIH) class, which he delivers both to classroom-style audiences and large conferences such as Black Hat.

COURSE OVERVIEW:

This 3-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement; however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Highlights of our Training:

  • Attacking Cloud Services
  • Gaining Entry via exposed services
  • Attacking specific cloud services
  • Post-Exploitation
  • Defending the Cloud Environment
  • Host-based Defenses
  • Auditing and benchmarking of Cloud
  • Continuous Security Testing of Cloud

Key Takeaways:
Students will gain knowledge of attacking, exploiting and defending a variety of Cloud infrastructure. First, they will play the part of the hacker, compromising serverless apps, cloud machines, storage and database services, dormant assets and resources. Students will learn privilege escalation and pivoting techniques specific to cloud environments. This is followed by infrastructure defense, secure configuration, auditing, logging and benchmarks. Students will learn preventive measures against cloud attacks, host-based defense and a number of cloud tools that can help in securing their services and resources.

Apply the learning to:

  • Identify weaknesses in cloud deployment
  • Fix the weaknesses in your cloud deployment
  • Monitor your cloud environment for attacks

PREREQUISITES AND TECHNICAL REQUIREMENTS
Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and how to protect yourself from them, is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure.

Prior pentest/security experience is not a strict requirement; however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

Students must bring their own laptops and have admin/root access on them. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.