BSides London 2021

Track 2

Saturday, November 13, 2021

This Is How The World Ends (Not with a bang, but with a FUD)

There are various apocalyptic scenarios bounced around with cyber security, often by people promising to sell the latest silver bullet to prevent them. From hijacking DNA synthesizers, to the classic nuclear war, to destroying food harvests, to collapsing economies. 

Are any of them plausible outside the realms of disaster sci-fi? Should we do anything about them? Can we do anything about them? Is it time to go off-grid and take up locust farming to establish your self-sustaining commune, or is it all just FUD and nonsense to sell products?

This talk will go through some of the most dramatic scenarios, looking at what is in place (or not) to prevent them, evaluating the effort required to achieve them, and either leaving everyone at the end relieved that it is all FUD or with a sense of existential dread that we're all doomed.

CrowdSec, a crowd-based approach to infrastructure defense

Did you know that, every day across the Internet, each IP address is scanned hundreds of times? Or that more than 2,000 attacks are perpetrated, stealing 1.4 million personal records? That's right, every single day! Today, there is a way to rebalance the odds and protect our resources through crowdsourced security and reputation. In 2021, our ways of living and working turned completely upside down in a matter of days. We all brought our companies home and our homes into our companies' systems. Staying connected to our colleagues, friends and family became a critical necessity, which opened the door for hackers to cause disruption, and we saw a huge increase in attacks all around the world.

Even though worldwide spending on cybersecurity is predicted to reach $1 trillion in 2021 according to Forbes, the game will still be asymmetrical and companies will keep being hacked regardless of their security budgets. Expensive security doesn't mean better security. A new approach is needed.

Join us for this talk so we can explore why a collaborative approach to security could contribute to solving the problem and how we could make the Internet safer together.

Discover CrowdSec, a collaborative, free and open source security automation platform relying on both IP behaviour analysis and IP reputation. CrowdSec identifies threats and shares the IP addresses behind malevolent behaviour across its community, allowing everyone to block them preventively. Already used in 80 countries across 6 continents, the solution builds a real-time IP reputation database of currently ~200,000 IPs that keeps growing every day and benefits all community members, who have each other's backs while forming a global defence shield.

Pushing Left - How we're all doing it wrong (and how we found a better way in an unexpected place)

Pushing Left is the new hotness in AppSec, but through a chance discussion with a software testing team, we learnt not only that most companies are getting it wrong but that a much better approach was staring us in the face all along. What's more, this didn't just apply to AppSec, but to all kinds of security testing, from pentests to vulnerability management, dependency checking to WAF review.

This 45-minute talk takes you through our journey of turning software test engineers into the first and often strongest line of defence against vulnerabilities, and how the pentesting industry has some really valuable lessons to learn from software testers.

Audit and compliance headaches - can data you already have provide the answer?

<Not Recorded>

For security teams and security managers, there are more and more tools, in more and more places than ever before. At the same time, we have increased interest from management, investors and auditors about security posture, operations and risk.

For real teams on the ground, answering the questions that stem from this and providing the data is increasingly time consuming, often manual and, quite frankly, frustrating. I didn't sign up as a security analyst to be pasting data from McAfee AV! This talk describes some common challenges, how the author has approached them in the past, what works and what doesn't, and explores some really useful data sources that you probably have but probably haven't exploited yet.

The good news is that, oftentimes, there is good hard data available which demonstrates the value of all your hard work; it just needs to be brought out.

Credential attack recon detection: How current UEBA & NID tooling fail and how to reduce false positives

Organisations throw money at the latest user and entity behaviour analytics (UEBA) and network intrusion defence (NID) tooling, but these still allow credential attacks and other reconnaissance activities to slip through undetected.

This talk will demonstrate what UEBA/NID traditionally flag, and several ways they can be improved to detect and stop near-certain indicators of malicious and unauthorised recon activity, principally around credential compromise.

The attack signatures described will not only significantly reduce the likelihood of network and application compromise, but will also reduce the instances of false positives and improve detection and attack prevention earlier in the cyber kill chain. This is all based on research into the methodology of recent successful credential attacks and the offering of current UEBA/NID tooling, which fails to detect these key signatures at the recon stage of an attack.

The presentation will cover the following areas with examples included:

1) An overview of why it is easily possible to evade current network defences: research into some major network defence tooling reveals how recon flags are not being detected, and how network defence tools can be configured to detect recon activity and credential attacks.

2) What UEBA and traditional network defence tools filter, and how they may detect a credential/recon attack.

3) A walkthrough of recon attack signatures that give a high indication of malicious activity and which are not currently built into existing threat detection tooling.

From Paupers to Queens: The Tale of Two Wannabe Hackers

A long, long time ago in a land far, far away, two wannabe hackers embarked on the journey of a lifetime to become cyber security professionals. They faced barriers and triumphs, through blood, sweat and tears. But how did they do it?!

This talk will be a reflective look into two very different career journeys and how the Security Queens came to be. We'll be talking about the struggles we faced, the areas of interest we work in, and our top tips for newbies and career changers. Tune in to find out the backstory of two now cyber security professionals, our war stories so far, and the huge variety of ways to break into the infosec industry.

Reflections on trusting Zero Trust (or why I have zero trust in Zero Trust)

This one was inspired by a conversation with a friend who red teams for a well known consultancy… I have a vendor hat; I will remove said hat for this presentation. The purpose of this talk is to take a "neutral" look at Zero Trust in the wild and dissect what market analysts promise vs the realities of implementing it. This talk looks at:

 * Technical debt that often gets inherited along the way

 * Control gaps we lose as we dash headlong into the cloud, and how we might replace them

 * New weaknesses that Zero Trust implementations bring by virtue of how "Zero Trust" software sometimes works

I'll go into the catalogue of vulnerabilities and weaknesses that I've been building around Zero Trust technologies and make some observations about where we might do better.

Securing Cloud Delivery Pipelines - Findings from a blue team/red team security simulation

As public cloud adoption continues to grow across government applications and services, it is now more critical than ever to understand the limits of the protection afforded by cloud security controls.

To help us better understand the security and risk implications of new paradigms such as continuous delivery pipelines and infrastructure as code, a blue/red team simulation exercise was undertaken.

As the tech lead of the blue team, I'll present the context of the exercise and the threat model we developed for it, then discuss what worked and what failed in defending the pipeline from a red team in possession of engineers' credentials.