BSides London 2021

Track 1

Saturday, November 13, 2021

- GMT
Decriminalization of Ransomware

Ransomware is becoming legitimized through acceptance of business risk. When accountants rationalize paying the ransom as a cost of doing business, it makes the act of providing the ransomware a security service. Just like any service, ransomware providers can be negotiated on price. Furthermore, we already have a set of laws that provide punishment for the consequences of ransomware. Legitimizing ransomware and making it a service can provide an economic benefit by allowing for the taxing of the recipients on top of the tax benefits the accountants have made by writing this off as a business expense.

- GMT
How we hacked your billion dollar company for forty-two bucks

This talk will be about some common but surprising flaws found during a year of red teaming and how to check for, exploit and defend against them. In particular, combining several seemingly low-risk authentication problems can allow for a successful compromise of a user account without always resorting to phishing, giving the attacker a foothold within the organisation. None of these attacks are particularly novel, but the impact of chaining the individual issues does not seem to be well understood. We also digress slightly into an appeal against traditional infosec gatekeeping – partly because no special magic is required for these attacks, just a month or two’s use of a Linux VPS. Patience, curiosity and outright stubbornness help too, of course.

- GMT
Defeating AV and EDR solutions in user-land by chaining well-known deception techniques

<Not Recorded>
In the current Cybersecurity world, both Anti-Virus (AV) and Endpoint Detection and Response (EDR) solutions are becoming more and more successful in blocking emerging threats. External attackers need to develop highly sophisticated payloads to circumvent all these security controls, raising the bar for defenders to detect them as well as for threat emulators to emulate them. Although useful, are these controls enough to block more complex malware? This talk will go over the most successful techniques used to bypass AV and EDR controls, and the tradecraft theory used in malware to evade EDRs and other endpoint controls. This will primarily focus on general techniques to ensure malware and other payloads can evade signature-based detection, behavioural analysis, and user-land hooking. This talk will then present Inceptor, a recent AV and EDR bypass framework I’ve developed and open-sourced, highlighting some of its features, implemented to aid red teamers and Pentesters during operations. By the end of this talk, the audience should get a detailed overview about how to use Inceptor, along with other tricks and opsec considerations useful to develop payloads which can run undetected.

- GMT
GitOops! All paths lead to clouds

Can you take over a company by opening a pull request against an internal repository? Probably.

We'll explore lateral movement and privilege escalation in a GitHub organization by abusing CI/CD pipelines and GitHub access controls, and present a tool for querying attack paths via a graph database, Bloodhound-style.

We will start by covering how an attacker can leverage CI/CD pipelines to exfiltrate credentials or gain command execution in restricted contexts, giving concrete examples with CircleCI and GitHub Actions. We will then proceed to showcase another vector attackers can take advantage of to pivot into production contexts in many organizations: Terraform plans.

At this point - if you weren't already familiar with the dangers of CI/CD systems - you'll never look at pull requests the same way again. After covering the basics we will introduce GitOops, a tool we developed to query these attack paths at scale in large GitHub organizations with multiple CI/CD systems. In addition to mapping relationships between GitHub users, teams and repositories, GitOops maps relationships between those and environment variables in CI/CD systems. This will allow us to query paths to secrets available in pull request contexts.

We can now get answers to questions such as "What AWS credentials can my user directly and indirectly access?", "Who do I need to compromise to get access to Artifactory and GCP?" and "I see there's a GitHub token in this CI/CD pipeline, what new repositories and secrets can I gain access to by pivoting through that token?". This talk will hopefully add another dimension to your offensive and defensive toolkit.

- GMT
Practicing Safe Sex(t) - with xxxtra content

<Not Recorded>
Nudes, Dirties, Pics, whatever you call them, you’ve probably sent them or know someone who has. But how can we protect ourselves and our opsec when we’re sexting, producing sexual content of ourselves or even watching and buying sexual content online?

This talk will discuss how we can protect our physical bits online, how to practice safe sexting properly, how sex workers have better opsec than us all and looking into the weird, wonderful and sometimes scary world of sex online.

This talk has been delivered before, but has been updated to include new content about sex toys and how the pandemic affected sex online.

CONTENT WARNING - There will be sensitive content such as sexual/domestic abuse and suicide.

- GMT
Charge my car, for free, forever!

Current trends show that electric cars and green energy, especially photo-voltaic energy, are being widely adopted in both commercial and home user markets. During this talk, we will see that they suffer from typical "rush to market" problems that can potentially allow a remote attacker to control them. This could lead to free charges for car chargers, to them being used as a pivot point to get access to your internal network. This talk will also discuss the possibility of a grid attack by using these vulnerabilities in conjunction.

- GMT
F*** Around & Get Found Out: Disinformation As A Service

CVEs and big vulnerabilities are being released on a daily basis with and without proofs of concept. 14th July 2020 was a day that rocked the internet, it was the day HoneyPoC was born. What started as a joke proof of concept quickly built traction and built a new class of disinformation campaigns. 

This talk will dive into not only how HoneyPoC came to be but will also explain how I took it one step further in exploring disinformation as a service and exploring the scientific method of f*ck around find out. I will also be demoing how I took a simple piece of proof of concept code and built a DaaS campaign out of it which poisoned many CTI feeds, found its way into some interesting situations. Uncovered APTs, Insider threats and charlatans alike.

Not all talks are Red/Blue/Purple, some are learning opportunities for all. HoneyPoC opened the eyes of many folks and why is it important to be careful about the Proof Of Concepts (POC) that you download/review. What started off as a minor troll turned into an integrated research project, the talk will embark on knowledge about threat intelligence and educate the watchers. Who watches the watchpeople?

This was a particularly "amusing" troll because the sort of people who keep up with CVEs and look for proof-of-concept exploits should really know better than to run random code they just got off GitHub without checking what it does.

- GMT
Ready for (nearly) anything: preparing your organisation for a cyber incident

Every organisation has experienced, or will experience, a cyber security incident; depending on how you define the term, most have multiple every day. Increasingly punitive data protection regulation, coupled with increasing public awareness and scrutiny of organisations’ public responses means that it’s more important than ever to respond effectively. However, many security teams still struggle to do so.

In this talk, I’ll cover the five key things that cyber security teams should do to prepare for an incident, which will improve the efficiency and effectiveness of their response. In turn, these will minimise the security, operational and financial risk to the wider organisation. I’ll go into detail on:

(1) Processes that security teams should document and keep updated, to ensure everyone knows the key actions and decisions to be taken in the event of an incident.

(2) How security teams can ensure they have skilled and experienced people, who can lead, coordinate and deliver the response to an incident.

(3) Key logs that should be in place to inform the investigation into an incident, to maximise the likelihood that security teams understand what happened, when, and how.

(4) Security technology that teams should have in place to deliver containment and eradication actions, which mitigate risk from the incident.

(5) Management and coordination technology needed by security teams during incidents, to ensure they can communicate and collaborate, delegate and track response actions, and manage delivery.

This talk is designed for anyone working in, or with an interest in, security operations. Attendees will come away with a clear understanding of the steps they can take to directly and rapidly improve their own organisation’s readiness for a cyber security incident.

- GMT
Forensics as a Service: Building automated, scaleable, and accessible analysis environments

<Not Recorded>
DFIR providers all over the world right now are facing the same demand: deliver services faster, cheaper, and better. That's an immense challenge when we're faced with a severe skills shortage, increasingly vast client data sets, and a daunting array of manual tasks and processes.

So, what's the solution? By incorporating techniques from DevOps (automation pipelines, microservices), IaC (infrastructure as code), and wrapping everything within intuitive GUIs, we can build environments that facilitate incredibly fast forensic triage and generate timely findings even when faced with terabytes of inbound data.

Throughout my talk I will walk you through how we've designed this "Forensics as a Service" model, discuss the core technical design principles, the challenges and lessons learned, and end with some recommendations on how the DFIR community can take this model forward with an open-source and collaborative spirit.