BSides Prishtina 2024 - Day 2 Live

Name: BSides Prishtina 2024 - Day 2 Live
Uploaded: 2024-05-04
Duration: 6 h 20 min 6 s
Description: BSides Prishtina 2024 - Day 2 Live

BSides Prishtina6:20:06263 viewsPublished 2024-05Watch on YouTube ↗

About this talk

Show transcript [en]

cool well good morning everyone uh we will start the day with a presentation from uh well Professor blim Rea cast uhan Alba de and malur so uh we will start our day with their uh well live demonstration and after that we have other uh speakers coming in and we have the workshops going going in parallel so we have one right now that is has already started and we get another one this afternoon and at the same time we have the capture the flag going on and don't forget once you go up to pick a uh to pick a ruffle number uh because we will uh do another uh Shuffle at the end of the day and we will also obviously

announce the CTF winners and uh distribute the prizes and yeah just have fun and uh the floor way to to the to the to the big team good morning everyone uh Welcome to our dos attack mitigation today my name is blim Rea I will be chairing the presentation today and guiding you through castot maybe the slides oh yes good I'll be sharing the presentation today and guiding you through this handson experience on attack mitigation with my senior colleagues Vian Roa kastriot fi and three excellent students Al Di and Mal abduli our presentation outline is as follows I supposed to Stand Here let uh so we will follow with small short introduction about motivation of dosex

and anatomy of dosex why we're using dosex why the dosex are still among us we will continue explaining the infrastructure setup how and what we have prepared for you today and what it needs to run this dos attacks we have prepared five scenarios starting bottom up from the simple simplest one dos ATT attack from a single I then complicating every step so DS attack from single country multiple IPS a very interesting one with a common and control attack and the last one Advanced dos attacks we will conclude our presentation for a few takeaways that I think everybody should take from the our presentation why we're using denial of service attacks and what is denial of

service attacks there are many definitions of denial of service I have gathered three of them from three very most important big players on the market starting with a cloud flare we will be referring Cloud flare later on as is on our example that we have prepared today based on cloud flare the Dos attack denial of service attack is a malicious attempt to overwhelm a web property uh cisa United States computer information security agency defines dust attack when legitimate users are notable to access the web services and the third definition is about from Ina Ina is European Network Information Security Agency they Define do attacks as uh when legitimate users cannot access the web services and where they are totally uh

provided uh denied from this service to three this main playist will coming we referring later on to our uh presentation why we are still uh dealing with DOs attacks they are still Among Us in fact the first dos attack happened in 1996 yes 1996 is the first dos attack incident recorded but still nowadays we have DOS attacks in many large companies like Microsoft Google Amazon and so on even last year Cloud flare reported the largest HTTP dos attack with 71 million requests per seconds also in our presentation we will be referring to http dust attacks but in order to understand HTTP dust attacks we will go down and layer down on network layer just to show why what is an anatomy of

the Dust attacks in fact dust attacks are still to many among many institution and they are con a constant concern every instiution organization what we have evidence recently that do attacks are becoming easier as you can see here we have only three laptops here so it means it's very easy to conduct them cheaper do attacks require only internet connection and laptop that you can run your uh source code and what is very much concerned from everyone dos attacks are becoming very aggressive Ana just filed a report about dos attack from 2022 and 23 and here I just summarized the result of this report it can be summarized on this Statistics 40% of the DOA Texs were

targeting public administration so if by any chance any public administration officer is Among Us they should know that they are the main target 50% of these attacks were motivated by the war of in Ukraine aggression of from by the Russia 56 of these attacks have totally caused disruption of the services this is very very important so if you are under dust attack it means by the probability of 56% you have a totally uh disruption of services and two3 of them are politically motivated so having said this gives us a motivation still today to uh have an a demo about dust attacks and mitigation techniques which are very important uh to protect our web services web web

resources in order to understand the Dosa text we need to boil down to the TCP segment structure just to recall you from the computer to network courses when a source and destination trying to communicate with each other they establish a communication and here comes the TCP segment structure and specially this negotiation phase that we call three-way handshake during this three-way handshake that is a negotiation between client and server between two nodes a very particular bit is very important so-called sin bit which is here marked with red if a client start initiation with the server it sets the sin bit one telling the server that it start negotiation to for all the parameters that need to have

reliable TCP connection where for example the client here said this initial sequence client and the server allocates server initial number acknowledgement number and other resources what happens here and exactly this point is where a malicious user exploits this point this behavior of TCP segment structure the same analogy goes for HTTP the application layer so our presentation today goes only application layer on hdp request which follows the same pattern what happens in real the user the malicious us that's presented here sends many sin initiation bits and packages called we call this Sin Sin flood so flooding the server with many requests that the server needs to allocate resources buffers and so on and depleting all the server resources so

the S flat the server answer with acknowledgement but these acknowledgement are never accepted by the client or in the worst case they are spoofed IP addresses from the clients that never initiated such a request so the server is busy with this request and this time the legitimate client will be not will be denied from its service furthermore we can can capture these packets with a wi shark tool as it's more familiar to you and here you can see my packets on my client on my laptop from my home address and the on cloud flare and here you can see the sin bit sent to one so these packets are going on the beginning every negotiation

the same analogy is also in HTTP requests that are sent to the server and remains open till the client responds to them but the malicious user exploits them in order to show you to showcase the Dos attack these five scenarios let's give you a small uh overview of our instruction setup I will call naan to continue yes thank you Professor Raa so now we are going to show the infrastructure that we have prepared for all scenarios so uh infrastructure is very simple is nothing complicated as you see in the slide so we have used hner as clo provider so we have set up a server there the server is set up on obuntu we have installed the WordPress

which has a database and since the focus is uh not to defend to protect the WordPress but to handle the deals that may be come from attackers uh we have used the cloud layer where we have registered the uh domain there so as you see in the slide so uh there is another hazner firewall uh we have we didn't configure this firewall we left with default parameters because the because the aim is to handle all the request uh from the Cloud Player also there is important to highlight that the access direct from user that may be attacker is not possible to the server uh because all the request will go through the cloud flare since they will type the DNS

uh it will go through the Cloud Player so the only way would be if uh they will know the IP address of the server but in the cloud flare level we have used the proxy and the IP address will not let be shown uh Von explain how the infrastructure looks but uh maybe you interesting how the product looks we have just published a simple free template WordPress site that is bide d.com that everyone can access and just to show a real example of how this specific uh uh website hosted in this kind of environment work uh and looks like so coming to the cloud layer configuration and Cloud layer overall most of the people's thinks that there

is AIT that most of the people thinks that if you want to protect your infrastructure your web application you just need to have the Cloud Player but but it's not true because even though when you config the cloud fler you might make some mistakes cloud fler is a platform that have many features one of them it can be it can be used only as a d service service provider just to link the D records and if you do that like we are showing here in this [Music] presentation if you if you do that like a record that we are pointing this domain to this IP that actually we have uh uh mask it and you you live this this

proxy trigger without enable it you will have only a DS DNS record and in this way you can expose your IP and all the rules and that you apply in in Cloud flayer firewall will not be applied so everything going to go through that with like you you haven't Implement any any far wall between uh the uh end users and and your servers so it's very important uh when you when we configuration uh we do configuration Cloud here if you want to have the full protection to enable this this proxy the the other thing is the other thing that you might see here here a lot of a lot of um uh companies have the

same domain that serve different application they might serve in a in a different servers or in the same server and if you see here in the slides like this domain this subdomain of from the University of Pristina is going to the CL layer the second one is going to Cloud layer too but this one that is web. University of prishtina that education is not going through the cloud layer we don't know if is the proposal of this should be like this or the administrator forgot it but in this case the user Administration actually have exposed IP and a lot of small to medium companies use the same server to to serve multiple application and if this is the case for

the uh for the University of Pristina what we can do as a attacker is just attack IP directly and this way we're going to bypass the the cloud flayer configuration and Cloud Flay protection because the traffic will not go through the cloud flayer fir wall but will go directly to the IP and in this case probably we can make more damage of attacking IP directly than going through the domain and the third scenario is something that is called D history a lot of companies used to have for many years the the uh default configuration with simple D records and after that they have attacks and decide to go through the cloud but what they happened is the a lot of

organization and a lot of service providers used to cash Dynasty courthous they used to be like two or three years ago if we have analyzed the bze Pristina website and we have seen that at 2022 they have switched from the D from Amazon uh to the cloud layer but actually we can see here that that IP address from Amazon is still still showing in D history if the uh uh besides Pisa haven't changed the IP of the server is mean we can directly attack the IP without going through the through the cloudfire protection so this this three examples or very common exam mistake that a lot of people who just want to protect the application just buy

the cloud there and they say they are they might think they they are safe but they make mistake uh configuration on on it so if you want if you have a legacy application that was running

without of the your server and first to implement the cloud layer after that change the IP to point in another IP and not not to use the lied IP that you you have used before thank you let's now dive to five scenarios and we have prepared the first the very simple scenario let me show you here castot and vgan will be on the service side they will explaining what happens in Cloud flare what kind of configuration they are undergoing in order to protect this massive attack and here my three young colleagues starting from Al de and Alba will playing attackers once per time individually sometimes in together so the first scenario will be an attack just attack

from a single IP I will ask Alba to continue and showing us how simple is to write a code and to execute a doch thank you Professor so let's start with the first live uh demonstration so sometime uh so for in this case we are going to do this attack from a single IP so sometimes some things are really easy to do so uh we know that everyone here is familiar with chat gbt so you don't have to be you don't have to uh to have a chat gbt premium account but uh right now I'm using chat gbt 3.1 is not the latest version of chat gbt so uh this attack will be uh really easy if

I ask uh chat gbt in this way so my uh question for Jud gbt will be like write a python

script that uh connects um to a destination sorry to a destination server given types the request for the chat gbt uh this is just to Showcase that how easy is to write the python code that will run the python code that will run in parallel and will bring down a server if this is addressed spos with IP address or is put on cloud flare without proper configuration in meantime I think Alba is trying to put the proper question to chat gbt take your time Alba we have tested this many times the code runs perfectly so even uh not you have not to be a computer scientist in order to ask a CH gbt and to run the

python code so just we give her some some time without any stress should okay and gener rate properly given okay so my question for jet gbt will be in this way so if I put enter chat gbt is going to generate me a code not every time chat gbt generate the same code so to be transparent I will copy this code and we'll paste in visual studio so after I paste this code I create it uh before this file like test file and I will save this file after I save uh the file we are going to uh terminal and we will execute so uh for CD desktop this is where my uh python file is saved and I'm going to run this

code in this way python test

test.py so um our code run successfully so I have to go at the besides uh web site and I will copy the URL after I cope with the URL we will put in our terminal and we have to put the the number of parallel par parallel connections to generate that we have 500 and uh the rate of connections that are the request for seconds that we have also 500 so we should wait and uh now if we switch from the uh uh administrators or how the this kind of does text looks like uh when it kick in from the a probably we can see here we have like 3 point the the CPU of the server is like pretty low right now

but when the attack going to kick of what we're going to notice we're going to notice that that the resource is going to go pretty high and depends on the internet connection and and the and the attack power that Alla is able to generate but it might go up to 100 100% of the CPU and RAM uses are you R the script yes are you sure that domain is right because I'm not receiving the I will try again save the file here okay uh let's wait a bit until the Ala start the script and attack to our server and it Meanwhile we're going to demonstrate that we have no security rules applied in a cloud flare this is

like a default configuration no security rules no rate limit and no or nothing and if you go and analyze the traffic in last 30 minutes when the traffic going to come we're going to see a spike on this graph but the traffic is pretty low it might be because the internet speed of the environment that we we are we are using it but this uh uh pretty low uh just to just to see this example now we can see now it's coming to 30% 57 and it depends on the uh Power of the user but this is how how it come and uh if the power of the user who attacking is uh pretty high it might go up to 100 uh% of

that and uh maybe to most of the you this kind of attacks might look like A Primitive attack that one user with with just a simple computer is attacking one one server but most of the small to medium applications who have no protection or have default configurations they fail down they go down from this kind this type of uh attacks and uh uh this kind of attack are are pretty easy to to block because since the source of the attack is coming from a single IP is very easy to block it and in clo ler you have many ways of analyzing it but one of the way to analyze it is going through the analytics and LS traffic

here and U focus on the Range when when you are receiving attack actually we are receiving in last this five minutes and here you can go and see the source IPS what L ler provide here they provide you what are the top most IPS that are attacking and here you can see that this is coming to the to the first place and and this other IP is just kick in uh uh recently so uh it's very easy to block it and how we can block this kind of Ip from this kind of uh from this kind of sources uh or our colleague weon going to explain how you can apply rule to block this yeah so since we have

logs and we see clearly in the log that this is the IP which caus many of the requests so we are just going to copy this IP address and we'll go uh uh and we'll go here at security and we'll use the wav which is the web application firewall of the cloud flayer so uh just I'm going back again to see if uh if uh that is the IP address that CS

the S SEC addresses

so so I'm going to block this one security web application firewall so here we will need to create one rule and based on this rule uh we'll block the uh request that will come from this IP so I'm going to create one rule I'll name it let's say single IP block since we know the source IP address from the logs so I will post it here and now we need to take an action so the action will be to block it so what we will do now uh because we want to show that uh this is blocked uh and we will call it the first scenario since we are doing the first scenario so I'm

going to use the

HTML and I will name a respond code I I will name like that 41 Z so I'm going to deploy it so it shouldn't take more than 2 minutes to be applied and then uh it should have effect uh since this uh this is like very uh easy technique uh to to block and um uh is is just by by blocking the IP and this kind of uh uh rules most of the time take two to three minutes to to apply we're going to move to the second second uh demo when we're going to show uh to interrupt you maybe we can just switch to the Ala screen and show in the response now that T client so this is

now the screen from Alba she trying to access the page D do besides dds.com and she receives now the message that the vgan previously configured that this is blocked by the server so this is the custom message now that the attacker receives having said this we have finished with the first scenario so the attacker is very simple to write even chat gbt can do for us can run and very simple rule that the vegan created let's move down to the second scenario the second scenario is similar to First scenario but now we going to we're going to simulate that multiple attackers from a same country with different tools going to going to apply the attack but before doing this just to

show that we all the rules that we are applying here are kicking with a with a different scenarios what we are going to do now we are just going to delete the the first blocking rule that actually blocked alas attacks and now can see this kind of rule have blocked till now have block 272 requests all the requests that Alba was doing with her python script now I'm deleting this just to to show that uh we going to block the AL attack from a multiple devices from a multiple IPS uh with another rule

okay the scenario looks similar to the wor one now we have just many attackers we have here three attackers in front of us they are trying to connect with different internet service providers like vaa ipco art motion and what are possible here so I'm giving out the floor to de thank you Professor Rea um so what you saw from the previous demonstration from Alba that was a denial of service when she attacked and then later on tried to access the web page it said that uh it has been blocked so that was done from a single IP from albas IP and what we're here for today is to mitigate the Dos attacks so what will make the a Dos to a

DOS is the distributed responsibility of attacking the website so uh Alba malur and I all will will be attacking the website at the same time and see how this will um affect the cloud flare and how this will affect the responsibility responsibity of our website uh we will be running similar Python scripts and I'm here today to describe the python script that I will use to attack the targeted website so I will just be showing how easy it is and um most of this could also be generated with chat GPT and we would just need to accommodate whatever it is that we need for example the URL the target of the website that want to attack so I will be

describing shortly what this code does so I will be running this code from the terminal and it's important for me to visually see how the response status code of the website will be so I can color code it into green and red respectively so I have um used the colorama library and imported some of its specifics as well as uh since we're going to be making get requests to our designated website I have imported the request library and it's also important that since we want to dis to demonstrate that we want to have as many requests as possible we want to do this through um a multi-processing approach so we want to have uh we want to import pools so that

different processes can run our main function simultaneously and what this will do uh in our hopes is that block the website and then we will go on to show how we can best mitigate this so what I've done is firstly you can have a global variable that defines the number of attacks that you want to to Launch and the target URL which was uh the website that we have created for demonstration purposes so the main part of this code is the attack function where we have given um the parameters uh the X parameters so as I mentioned earlier we we're going to do this with processes and it's important that we can track what process is doing what is

sending what requests so that we can have this um in order for us to um debug or things of the sort so what I've done is that we're going to be sending a get request we will give the parameters of the URL we have constructed some headers which are just some sample headers used via a python dictionary and I've also set the timeout of this request to three meaning that if the server does not respond within 3 seconds then the uh server will abort this request and then as I mentioned earlier in our terminal we can see the pool of uh in which the process sent launching the attack belongs to the request that is being

made as well as the status code of this request if this is successful the code within the tri block will be executed otherwise we'll have the site is down printed in our terminal indicating that the site indeed is down um this will be uh the attack from my side and I will pass it on to mil store to tell us about the attack that he will be launching to our website thank you thank you de we just have to switch the port okay just wait a few seconds to show it up in the screen so we are using uh an open source tool which is used for educational uh purposes as usual but we now are demonstrating how this tool

named gatter can be used also for denial of services ATT text so first uh First Step that we're going to do is uh we're going to run the gmet batch file and it opens a interface of apach JM now we're going to create there at the test plan and threade grab and on it we're going to create an HTTP request we go back to thread groups and uh we have to talk a little about thread properties so we see there the number of threads that in our case is going to be 500 and uh this determines the total number of virtual users that concurrently execute the test plan and represents the simulated load on the

server and we have here there the ramp up period in seconds which specifies the time duration which the uh defined number of threads will be started and also we have we have the loop count that we're going to do it in infinite which defines the number of times each virtual user will execute the test plan so we we are going to go to http request and we're going to write the protocol layer which is https and the server name or IP is besides Das deos.com and we're going to do there the get method because it's typically typically used for ret retriving data from the server and is suitable for requests that don't modify server side

data now we're going to run that also the squad going to run layer scripts after understanding that so now we have three concurrent attacks going on from three laptops here from different isps uh let's check now we see the 100% sastri maybe you take from here or be Yes actually now you can see that the attack is coming from all the sources and now the power is pretty high and what is happening with our small server is the CPU is going up to 100% as you can see in the slide and the ram is pretty high too is uh uh around 80 80 to 90% because not showing a percentage the same thing what we can do

is since since this kind of graphs in in a in a cloth layer are not real time and and they might take some time but you can see it just started to have to have a spike but uh this kind of attack is again pretty easy to to to block because what our our attacker has a common they are using the same uh they are using the same uh same country and probably the same service provider in this case how we can see how the traffic from which source is coming if you want to see from a country we just need to go here and uh we will see and it will list that the

traffic base based on the country and now you can see here that the spike is coming up we are not waiting until this the request going to go too high because this already this is already thring our application and or or server but what we can see here we can see that the major of traffic is coming from Kosovo and now uh Von going to tell how you can block a specific region or country on a cloud layer but this this kind of rules are apply only when ATT attacker is going to come from a country when you are not giving services so for example if the if the attack is coming from our country and we are serving the services

to our country we cannot block Kosovo because in this case we going to block legitim traffic legitim users to access our our website but if the uh this scenario is very suitable in a case for example like a foreign country that you don't have any relation with them for example if the country if the attack is coming from Russia India or or or China and we don't serve any of our servic to them probably just go and and block the service to them we're going to we're going to be safe and secure we G yes so uh based on logs we see that the country is or country Kosovo since the most of the request are coming from this

country and we have some others 51 from Albania Serbia but we are going to block this one so same again so we are going to security and under the W uh we will need to create uh one rule similar like previous rule that we did uh I I uh type a name of rule country block now this time uh we will not select the IP Source address but we are going to select the country there is continent so since we know the country uh will find the covo also it's very easy because Cod player list the list of countries so it will avoid for any mistake that can be caused now we'll need to choose the action same again we

are going to block it and uh we will provide response type because we need to show that uh when you try to open the website side it will show the block from Scenario

2 I will also name the response code 420 and I'm going to deploy now so we'll wait a bit and we'll check if the site is really blocked and if it shows the blocked by Audio too again a rule might take some time to kick in and how we can see if the rule have kick in is uh here vgan have set specific uh Response Code for block from the country is 42 to0 and in analytics here we can see that if if we filter with the S code that is the code that we respond to the users that we have blocked and if you if you put here 420 and apply this filter uh I did a mistake on applying

the

filter apply now you can see that it's just start it to block and here you can uh see the still the traffic is 100% because a lot of requests are in queue but if you wait like one minute we're going to see the traffic going to go down and or service or service going to uh or service going to be again up but only for the user that are not not in a covero because we have block as a country and even even though if you switch to to the ATT haers uh screen you can see that all the requests for them now are getting if if the site is responding they are getting 4 to Z the status code

that is used to block and even though if one of the users that is showing the screen can see in the in the browser is is saying block by scenario too so or or applied rule by blocking by country has actually worked and same you can see here now is one 1,000 request block so is the and even now it's 4,000 request block so it's it's blocking but the the graphs and and analytics in the cloud layer does come immediately they need some time to to process but we have still we have now you can see it's going down but always when you apply some rules the web server that we are using here is apachi and it needs need some

time to process all the all the traffic that actually have come from the but yeah now it's going down now it's going down because I have processed all the C request and the rul is applied now I will ask attackers to to stop attacking because we don't want to choke or server when we delete the rule in Cloud flayer and we're going to move we're going to move with the scenario number three meanwhile I'm deleting show I'm deleting this yeah and meantime so we have shown the attackers coming from same country with different IPS and in meantime castri will delete all the rules applied to the server attackers will stop the attacking and now we are moving to our

third scenario attacking from multiple ites and multiple country of course for this we will need some collaboration from outside so we using another tool and we go back now to Ala again she will now uh try to simulate the multiple user from multiple count therefore she will she's using a loader .io a tool software tool that simulates uh different countries with specific load so Alba the floor is yours now thank you so uh the third scenario will be attacked from multiple IPS so I will use loader iio Lo loader iio is a cloud-based service that helps to test performance and scalability for web application so to for not taking time I create some drafts so uh I'm using this draft and I will

say uh things that I edit in this file so uh every test uh should need a name that right now I use the hight traffic test and of course the test type we have different test types but we use the clients for seconds and then uh the number of clients that we want to use there are 10,000 and the duration is the time that we want to do this attack that that is 5 minutes after we uh put this uh numbers we have advanced settings that um some um in regular file is 50% but we use uh 0% for errors and after uh doing this we have to change the protocol because it was HTTP and we have to use https and

the host that is our website uh so after we put this uh uh we have to run the test so I'm going to run the test we should wait some seconds we will switch to our screen and since the loader iio is a tool Cloud tool that is actually able to make a lot of requests second you saw the you saw the configuration that all about did is it can go up to 10,000 requests for second what what we will see we will see that our CPU is again 100% And even though if we try to access now the site probably is going to take a lot of time or not going to be loading

the reason why I'm I'm doing this because now we don't we are not blocking our IPS we're not blocking our country Kosovo so in this case if we have some rules applied in this case we should be able to to access the site but what we are seeing here just loading and and now if you go to the traffic as I said before this kind of traffic don't come immediately but if you wait like a couple of uh more seconds you can see it's going to is going to the spike now we have a scenario that we cannot apply we cannot apply the rules that we used to apply before we cannot block the piece

because there is coming from different IPS with different load we can we cannot block the country because they are coming from different countries in this case mostly from us but in other Canal they will come from a multi multiple countries multiple IPS and we cannot block because there is something in internet called net and the aot a lot of user might use the same IP from the same country and we don't want the user that want to access our site they are legitim user we don't want to block that and this scenario uh we cannot apply blocking IPS we can canot apply Block in countries but we need to know our application to apply different rules for

example we know that our application is a WordPress site that actually serve news and we know that every user will not look more than five to 10 News at most for a minute so what we can do we can apply a rate limit what we can do we can limit the IP or how many requests can make for specific minute and what we will do right now uh Professor vgan going to explain how you can Implement rate limit uh uh rules in a cloud flare that going to limit IPS to 100 requests per minute and if they ex extend this kind of rate limit we're going to block only the IPS who extend this kind of

limit so since C explained that this kind of attack is different and it's a bit tricky also to uh prevent it so we are going to add another rule but this time the rule is different so uh we'll need to create rule under the rate limit rules so here I'm going to create a rule uh I'm naming it rate limit in the field now we need to select the host name the host name is the domain of or server so here this one besides dds.com and now we will uh select the when rate exceeds we will provide the request 100 and the period required will be for 1 minute so of course we'll need to take an

action for this and we are going to block same again I'm using HTML to show the message

and for duration I will leave for 1 hour we'll deploy it wait a bit and we'll see the result so uh this kind of attack that Alba is doing please Alba run run attack again if if it's if it's not running this kind of attack that all is doing is doing from cloud services and is not going from or I so if we if we try to access or side after the uh rule kick in uh we cannot see the message that is blocked by scenario 2 or scenario 3 but the attacker is going to going to see that message and how we can see that our rule is appli successfully again we can go to the uh analytics we can again we

can serve with the rate limit and the rate limit that is applied for for the uh uh thetical code that we are responding for the uh rate limit is 430 what we can do here we can have a filter we can select the uh Edge code 430 and we're going to need to apply again I make it mistake it's not happy

yeah uh the problem is that uh uh Cloud L is not allowing me to select the the codes that is not like a known as a code but here we can see in the ads that status 431 has kick in and how we can do we can just see the filter like this and we can see that a lot of traffic is going going on from the is is blocking with this kind of rules but still we have 100% like in the previous previous scenario and we need some time to wait until the this rule have blocked all IPS and after that we going to be able to to open the side so is black my2

probably because we have the same rate limit because probably the users have try many requests for the same time so if all buy is attacking from a cloud but a lot of you users are extending that 100 request from this IP that we are using in this network it going to block us too but yeah it's blocked and probably after some time you can see the CPU of for or server is done and we can say in this way that attack is mitigated successfully castria thank you very much so with this we have wrapping the scenario three having for multiple IP addresses as we showed by them uh loader iio just to remind you loader iio is meant for good

positive testing but malicious user can use them also for such case let's move to very now very a less more attractive attack scenario when we use a botn net soal command and control for this we're using our special Hardware the faculty of electrical and computer engineering we call a special sof server called Huna and d i is going to Showcase how we can exploit this the thank you um so as you were here and we're able to firsthand see how we are employing different attacking strategies to best try to unblock this website so far we did try to do um attacks from the same country from uh different IP addresses and high requests so a high

rate limit uh rule was able to block our attack so I'm going to try and make this situation more complicated so I will be Distributing the attack across multiple regions so multiple geographic regions in a low rate limits in a row low number of requests per second so that this will not go as a suspicious activity at least that's what we hope and this will make the attack a little bit more complicated since the rate limit rule will not be applying what I will we'll be using to demonstrate this attack is our high performance Computing cluster of the faculty of elect electrical and computer engineering at the University of Pristina which is used to facilitate

research and we're going to use its computing power to run a python script to use a proxy so the proxy will be able to geographically distribute the attacks that we will be launching into our Target website before we jump into the attack phase I would like to introduce you to the Huna uh website a little bit more so that you can see what it actually is uh you can recognize the names from Yan female names U holding historical significance for our culture and you can see there are nine Computing nodes named as follows what I would like to show you is the technical details of this um perform high performance Computing uh node it has for example two

* 16 physical course and 64 logical course as well as 128 gabt of ram so you can see that it's it's a quite high performance Computing node so what I will be doing is I will be um connecting to this uh to This Server via remote desktop connect connection where I have been granted credentials and uh will try to make the connection and access it remotely so for demonstration purposes we have created a a special website called besides prishtina and I will be entering the credentials to access it and hopefully um present to you uh what it looks like and how we can initiate an attack um from that so uh in just a couple of

seconds I will be um going into the terminal where the python script is saved so uh we can just see um that it's a python script as mentioned and we can just run it using the Python 3 um Python 3 command and um proxy dopy so this is the command used to run this python script which will um initiate the attack and right now we're going to be able to see that the request was successful and um after some time we're going to see what will happen in the back end of this with CIO showing the cloud flare aspect the scario that actually there is showing is like a a scenario that is uh uh very likely to happen when a specific

group or a a hacker have affect a lot of uh PCS and they have a command and control that that manage a lot of them and address all of them to attack against one target the problem with this kind of attack is because it come from many sources many IPS many countries and even though what is Mak more difficult to block is they go with a low request for a second so in instead of having 10 IPS that go with a 100 request per second now they use thousand IPS that go with the 10 request per second so they kind of spread horizontally and what what did happened in our case if you can see in our uh CPU is again 100% the

reason why even though if you have a rate limit rule applied they going to go under or rate limit in this case blocking IPS don't work because they are many IPS you cannot block thousand IPS one by one blocking countries not going to work because they are coming from a countries that we Ser service and rate limit not going to work because they are going under our late rate limit we cannot set a rate limit one request for second because no one going to be able to access our service anymore now what we we need to do we need to find what the uh what the attacker have come and most of the time when the attackers come

from a butt net they have the same over infected and they're going to have the same pattern of the attack how we how we can analyze how that attack is coming from and how this looks like you can analyze this in a in the in the events under the security and if you go in last 30 minutes there are many scenarios many types of attacks you you might have experience to analyze them and but what are scenarios having comment if you go to the items you can see this kind of a top IPS are coming a lot of requests but a lot of ips that we cannot show for now are going with a a low request but what

we can see is this we can see that most of the headers are legitim headers for the legitim users but some of them are from python requests and we know that no one from a python should be a should be access or service because we are serving web server and they might access it from a browser so what we can do we can list this kind of uh heads right here here for example this is not expected to come in our website this is not expected to come in a expect to come in a website and probably this is from JM because JM by Apachi and they do HTTP request probably this is not legit use

uh header uh is not user agent that we want and the loader IO is not the user agent that we want too but we are leaving out because we know right now in this demonstration we are not attacking from the loader iio what we can do here we can apply filters and we can go here and say give me the all the requests that are from this kind of user agent that actually we we detected as a not a normal traffic from our side this is the first one this is the second one one and this is the third

one and if we apply this filter what you can see here we can see the all the traffic coming from this kind of simulated butt net with a ro with a lot of ips as you can see but very low request for seconds are coming from this kind of user agent and what we can do now we going going to explain how we can we apply a rule to block users that are coming from a specific user agent yeah since we use the filters now so the it's very easy to create the rule so now the rule will be created here so I put

block block take con action so I'm going to block it I will use the same custom hm blocked by four so in this case the Response Code will be four four 4 4 Z and now we don't need to change anything so it seems to be okay and just we are going to deploy it and we'll wait for results uh when the rule going to apply if you switch back to the to the de's computer you will see that now de instead of having 200 Response Code that is kind of replying to that he she is receiving 404 but the rule that we have apply to block the butt net similar if you switch to or or scenario is

the load is coming down so we can see that the that the rule have actually applied in this case we mitigate kind of scenarios when we have a huge amount of ips attacking from different countries but in a very low attack this is the scenario four wean please delete the rule and uh you please block uh stop the attacking first you need to block the attacking let's move since we are a little bit behind of time and I think the next presenter is waiting yearly to come on the floor let's move to the last scenario the fifth scenario we are concluding the four scenario with very complicating rules to attack from multiple IPS level low liit low level

liit and also some uh browsers that utilize our website we moving to the last one to advance DS attack something that you might happen to uh uh take out to work on it so the last scenario the advanced scenario is we're using now malur to through to simulate the attacks through the G meter and castot and vgan will show what happened on the server side uh m s the floor is yours just show us what are you doing and on meantime maybe we can speed up a little bit last presentation what happens on the server side let me before before the uh before the my attack on this we need to to make some clarification when this kind of a

rules can be applied uh it's very important to know the the or application if you don't know our application probably going to have a problem by applying this because now what we're going to do as a a protecting rule we're going to apply caching and if our application have a dynamic content we cannot do that we can do this only in the static static pages that doesn't change often and here we have this page that is just uh uh is showing only only the is just showing the uh simple page that is or abstract or or presentation and we know that this page not going to change or going to change very very rarely what we can do we can grab this

link and we can go in Cloud flayer just to refresh here to see that this mitigator rule has been deleted uh we can go under the rules and we're going to go page Rule and we going to delete this because it's already applied we're going to create a a rule what what is the rule is we are doing for this URL we are applying cash rules so what we are doing we are applying Cash Cash level everything we want to cash post get and uh headers parameters or everything that is related to the HTP request we are applying we're applying browser cash tall that is the time when the browser going to uh browser going to clear the

cash we are doing this case only five minutes and we are applying as Cas TL that we are putting 1 hour and we are deploying it so in this can scenario we have deployed and if we run this we going to see the delay because is going to or server but if you're running this you're going to see that it's blinking very fast because all the serve all all the content is serving directly from a cloud layer and not going to our server now I'm asking all the attackers to attack or site and to see if they can bring down everyone with any tool you have you can apply but it's not important to attack in this

link because you have implemented in this case in the scario only the cash for this link not for the all side so please adjust your codes and attack on it okay uh so we go back again to the jmeter tool we're going to do the same configurations as we did uh uh before so we just going to hurry up because we don't have so much time we're going to write their https besides DH dd.com get method and the path DDOS Dash attack Das mitigation so we're going to attack the static page that they have there so we're going to start the attack also I'm uh trying to uh uh to get the help from the team

so we're going to save it and we're going to start it okay uh others please start the tack in in this uh this link too and uh uh if you are you sure that we have put the right link all of you or all all of you attacking in the in that cash rule uh because I I'm having lot a lot of traffic but same thing we can just we can add another cash rule let we can put for example holoc

side so if you want to cat

everything one hour and I'm adding another rule with a is with a with a prefix because some some user might use a www some user might my not and I'm applying

again I'm deploying and now if you we go to the caching under the the rules you can see in the last 30 minutes when we are applying that like most of the most of the apis even though in this time most of the most of the requests are coming from cash and only few of them are coming for our server and now if you go to our server even though they are still attacking that all resources are going going very very low so this is the last demo for this presentation and now Professor going to take going to tell us some takeaways from this okay for takeaway and wrapping all five scenarios I'm very happy for

the fourth and the fifth one which are real scenarios that you might experience dur your company your work etc so let me wrap up the takeaways from our presentation dos attacks are very simple we have showcased that for this you don't need an engineering background even uh chat gbt can help and you can run the scripts so it's very simple very cheap to develop and execute a Dos attack cloud is not a magic word just having a cloud with a proper configuration won't help you third it needs to understand your application and infrastructure if you have clients just in Kosovo you can block other countries but if your target is different countries that you cannot block just a

specific country because you're blocking L liit us and last but least you need to analyze your attack and to apply the smart mitigation technique as we showcased by rate limit by spreading by a browser Etc having said this we coming to QA session and please if you have any question we are here to answer immediately and also we are here after the presentation during the coffee period given that uh we are a little bit behind uh schedule uh I would ask you to keep questions at you know like not so many questions so we don't run uh a little bit uh behind with the schedule uh kri professor raaza and the others are going to be around and then maybe you can

catch up with them on the hallway maybe for one and two question I will give an extra point okay any question let me just pass the mic then

uh thank you for the demonstration say if someone or a group of people were to deliberately Target the University of Pristina during a exam period say to attack their service so that the students are not able to register to take their exams what's stopping them how well prepared is the University to defend against this type of

attack thank you for thank you for the question yeah that that's very legit uh scenario when can happen it there is no M magic way of blocking the tax you need to analyze that so if if is someone from uh the scard that we show for the first or second scenario that we show that they might use a simple script or pre pre-built tool to attack to attack the server we might block we might block the the specific IP uh on it or applying rate limit to the to that uh register page and uh uh even though applying rate limit sometime can work sometime if if if if the all the users from the University want to

register the semester or exams and we are probably apply the very aggressive rate limit they might block them too but this depends very much in in the in the in the attack and based on my experience like a lot of people who uh attack this do this kind of attacks for malicious proposes they use uh uh pre-build tools like lower bit is one of the most famous for for doing uh D service attacks and they have like specific patterns how they do the attacks so the idea is to analyze and to filter the traffic that come from that tool and block all the traffic that come for that tool okay one more question last question don't be afraid going on last

one here and we will be here around for taking another question or another comment suggestion as

well thank you uh it was very clear demonstration thanks uh if you do not want to use cloud Fair do you have any alternatives things just thanks yeah uh Prof want okay so that that's that's a great great question uh for sure because uh not all the users want to use a cloth there uh most of the most of the rules applied in this uh this presentation don't have to be specific for cloud FL or most of the uh firewall applic application firewalls provide a similar filtering and blocking mechanism the reason why we explained the cloud flayer because Cloud layer is uh just to uh give you example the plan that we are were using to block this kind of tech in

this is a Pro Plan that cost $20 for for monthly and CLA FL since it's a cloud service provider that provide firewall is the cheapest and the easiest solution to apply but if you have like a specific fir wall implemented in your network same rules can be applied but you have some takeaways from that too you need to have strong Network because if the attacker is going to apply more attack that your network can have handle they going to block your swis before they come to the to your firewall and even though we have some scar in government of kovo they they apply block and loose in the cloud layers but the uh not in

Cloud layer but in their own uh fir walls but what they have in Far walls they can address not more than 177,000 requests for second and if the traffic is more than 70,000 through per second the they can to sh the far wall too so it's very important and is highly recommend not uh you can use for internal uh uh uses like internal firewall but from external for S Services is highly recommended to to use cloud services that may be able to address more traffic and and handle more more attacks thank you okay thank you thank you for your present ation I have a question if the attackers can bypass the Cloud Player and they attack the IP of the server

they found it through the dnister or whatever uh how could you protect against that and uh yeah there are some cases when the there are some vulnerabilities in cloud fler and the user can can block uh can bypass the rules that apply from a cloud layer but actually in this case you need to trust someone if you want to use cloud layer you have have the attack away that you need to take as a risk if you don't you might address your your attacks manually by yourself but probably you're going to have more problem that that by passing the uh Cloud layer l so someone can do it that is uh can I continue so uh also

in the when we presented the infrastructure so we have show that there is another five of hner so in this case so we will need just to configure hazner some parameters and then will block these kind of attacks from the hner level not from CLA fler great with that being said we're going to wrap it up Professor Rea kastriot vegan and the rest thanks so much for this great demonstration we really appreciate

it again they're going to be around and I think that you all know each other so feel free to reach out to them and uh take it uh on a Lobby uh right after this right after this we're going to have a next speaker uh and then we're going to take a break if you want to stretch your legs probably like for 5 minutes that's fine but then let's get back uh so we are on schedule as planed

thanks

e e

open

yes test hello miror

okay so we are a little bit behind schedule so we're going to move on our next speaker is Oni amti and uh he has this great topic about grappling for evil in the cloud that being said on the floor is yours thank you good morning everyone thanks for coming to my talk about re grappling for ail in the cloud where we'll discuss about our open- source tool called CR G so a short presentation about me I'm onti I've been working as an associate threat researcher at permisso security for almost a year now I have um I'm an author of a tool open source tool called Cloud Grappler and a co-author to another tool which is

cloud console cartographer which I had the pleasure to present with my my manager de Bo or Daniel banon at black at Asia two weeks ago let's start with the agenda we're going to talking about the introduction part about the role of logs the cloud logs for Defenders we're going to hunt for evil with Cloud Grappler and lost a tool demo if you have time what is the role of locks in incident response blue team teing any of the above a log is a fact which could lead to a potential incident but not always logs are visibility having visibility on your environment you can see who does what and you can check the identities behind their

action always make sure to enable them some Services enable them by default some others don't always make sure to enable them because if an attacker comes by they won't do that for you after enabling them always store them to a secondary location you don't want to have a single point of failure where an attacker comes and deletes all of your logs so you are blindsided over there after storing them to a secondary uh location um aggregate them correlate them and most important thing hunt for evil in that environment because all of those previous bullet points have only one single purpose and that's finding the presence of evil on your environment next we're going to talk

about clot logs for Defenders first of all they are determined by the cloud provider some Services choose to log different things that the other service won't one clear example is that the AWS console logs all your clickings including the read only ones and AER tends to do the uh not to do that not to log uh enumeration uh clicks like listing users listing uh policies so that's a clear example you have a delay in log generation and that depends on many factors like the network connection and the most important one the retention limit some Services choose to save your logs or to store them for a 19 days period some others do 16 days period and

that's the clear clear example of the first bullet point and the last and the most important one they are far more abstract than other and by other I mean the on premise logs if you were to check the on premise locks you can see there are they are forer granular you have file contents file wres system uh logs Etc so you kind of see that the identity behind the uh actions that were taken they are kind of blurred out but we're going to make the mouse Tower of it and uh hunt for them now we know what cloud locks we know the cons of them where can you find it the first example is in AWS you can

access them through the event history you can access them through the CLI using the uh cloud trail lookup events API move moving down further to the aure where you can access them through the activity log on the aure portal cool you know where to find them now let's go to the most important part the cloud attacks in the wild and uh during the past years we've seen an increased activity of nonn threat actors like luer 1 or called as guil or ler 3 skater spider roset octopus they are the same and the detecting the presence of these threat actors in the cloud environment has posed a significant uh a challenge for the security teams and uh even though we

offered lots of tips and tricks uh with our blogs thread briefings we've decided to take it to the next level and actually publish an open- Source tool that acts like a cyber detective on your Cloud environment without further Ado we are presenting Cloud group Grappler which is an open-source tool threat detection Fame framework that has only one single purpose and that's catching bad guys on your Cloud environment and bringing out to your attention why Cloud Grappler it's a silly name it's a complex one I even misspelled it and lots of native English speakers do that too so we're going to start by the most important thing or the basic one which is a grab and it's funny

that if you translate grab to Albanian the hook to Albanian is called a grab and it has one purpose and that's grabbing fish but we are not hunting for fish over here we're hunting for bad guys specifically in the cloud environments but how cloud is related over here there's an open other um command in Linux which is the uh grab command which has the purpose of uh uh doing a regular expression on whatever you uh pipe it into turn it down to the cloud section we have the cloud grab open source tool which essentially does one thing is grapping for cloud storage and uh uh having Cloud grab plus the permisso Intel to know what to look for in your

environment we have Cloud Grappler which has been released uh one month month ago now let's go to the key features of this tool the first one is threat actor quering so this Tool uh specializes in quering for malicious activity in your C uh environment that are demonstrated by the most notorious threat actors so you query for your data in log you see if they match with rtps so the rttp is a tactic technique or procedure that is performed by by a threat actor until now Cloud Grappler has 60 ttps and is constantly being updated by our team with the latest Intel that we find going down further we have the single event detections where this tool

excels in uh quering for high fedility and single event uh detection across both AWS and uh Asia environments there are some here I presented some uh examples of single event sections in both ews and aser and the last thing is the integration with Cloud grab which I mentioned so we're using the robust uh capabilities of this tool and wrap it up with our ttps but how how Cloud Grappler works first we have the Scopes collector where we are defining the scope of your scanning so you can Define uh two cloud services awsn uh aure uh going down to the AWS part you can Define the bucket and the prefix but if you go further down you can see a bucket that has no

prefix so you can search for a specific resource or you can go to a a broader one and that depends on um how how much time do you have for the scanning also the aure one where you can uh Define the account name and the container you want to query at this is the query selector the query. Json file is the file that has the ttps predefined by us and if you can uh see every uh TDP has a name has a source of uh ews or Asia has the Intel which tells uh which actor is known for this CDP was the severity and the short description about it and last upon completion of the

scanning from the cloud Grappler uh we uh a report is generated in the Json format and we're going to uh talk about it uh later on the tool demo and last is the tool demo

so now starting we're going to uh change the data sources. Json file we're going to append our scope of the scanning we're starting with only AWS where we are adding the bucket the prefix you want to uh scan at and another bucket which has no prefix at all now let's go on the CLI part we're going to be running the uh help command to see what features Cloud Grappler has to offer and uh as you can see there are many uh uh flags that the user can append in order to make this work we're going to start the with the most simple one which is just running the main.py function and what this tool does after hitting enter

is checking if there are any new updates on the repository for any tdps and if the current uh project that you have is outdated is going to do perform a g pull action to create the uh latest version of this tool so the tool tool is started uh scanning we can see on the red lines that is checking for hits in the bucket that uh uh we added and the prefix and it's checking for all of the followings uh ques over here that are tied to the AWS service on the green part we can see that we found one hit about the get file download URLs which is event um in ews and apped at the back of it it has a

secret value which says if a file that contains the uh Secrets as a file name mark it as a hit and on the other uh bucket we see that or no hit found that's good news now we're going to start and explore more about the tool we're going to add the minus minus permisso Intel uh flag which essentially adds some additional data about the query that is being run also the start date and the end date which essentially uh does what it says it's looking for a timeline that you give as an input and that's a really cool feature if you want to scan only a certain uh period O on your uh logs so we should be hitting enter

now and this essentially will do the uh same same results but uh adding the uh permisso Intel so going further up we can see that for the uh first query we're adding the threat actor that this query is tied to we add the severity and also a short description about this uh event and the Damage it could have if is misused by a threat

actor going further down we see that the scanning is completed and we have the same results cool that's at the J flag which is the report generator or saying like do adjacent output of all your uh findings so we're going to hit enter we're going to see the uh same results and uh after the scanning is uh finished we're going to see the uh report structure of the scanning cool let's do a three command on the reports folder and we can see thearchy of the uh reports where it has the Tim stamp where you started running the tool it has the bucket the pric and the file name in Json format if there was a

hit cool we have three main takeaways from our presentation threat actors continue to Target Cloud environments for various purposes Financial ones uh uh political always configure the necessary Cloud logging options for retention forwarding querying capabilities that are required to detect and analyze suspicious logs and the most important one use cloud Grappler which is a brand new open source thread detection framework where you can find potential presence of bad guys in your environment thanks everyone for your attention great thanks Andi do we have any question that was great presentation we're going to give a shout out to Daniel if he's watching us and to prissa thank you guys for doing awesome job there was a question on this side

uh thank you for the presentation also I think it's really awesome that you made the tool open source uh my question is do you plan on expanding the tool to work with uh Google Cloud as well actually that's a great question uh enl which shout out to him also has said that the next steps is are adding more tdps and actually having coverage on gcp so yes my answer is yes we will okay any other question do I see any hands up no and thank you so much and good luck with everything that you guys have going and we look forward seeing other tools thank you

okay guys so we're going to take a lunch break uh lunch snacks drinks that are being served upstairs uh we're going to be back at 1:30 uh please try to be on time so see you after the lunch break thank

you

e e

test

e e

I'm turn test test

notific support to destroy that b prop apply

yep okay uh welcome back everyone I hope you enjoyed the no not yet I guess we are not ready yet give us a second

please

e e

you think on

all right guys I guess we are ready to uh return to our session uh welcome back I hope that you have enjoyed the lunch break um just couple of announcements um as you know there's a workshop going on uh for that you have to register but if there are spare spaces you can always like join them they're just on the other side of the building for the CTF Capture the Flag uh there are some uh technical issues that are taking place but blown it's taking care of those so there should be uh up and running very soon as you can guys tell he is multitasking he's about to present and he's also fixing that part

so thank you for that um Bon our next speaker it's also part of permisso security company uh and uh the previous speaker on the also works for priso uh last month you were guys uh part of the blackhe Hat ASA I believe uh so cudos to you guys uh thanks so much for contributing with all open source projects that you have in place uh for those that were previously with uh on this speech I was already like approach and I was asked for uh Google Cloud platform if it's part of that that was also a question so we are uh very intrigued and we are like impatient to wait for that to be included in your

project with that being said I think I'm going to pass it to blon now uh he's going to be covering uh encrypting bucket for compliant uh purposes but also look at them how they can be encrypted for ransom purposes with that being said the floor is yours so hello again sorry for all the technical difficulties with the CTF it never happened on our end yeah JS aside so uh today I'm coming with uh uh with a talk that I've also done on uh besides tyana related to how to use KMS uh service that AWS uses to uh manage encryption keys to do ransomware which is not the initial you know the initial idea behind it uh first off this is me I

am a a cloud researcher at permiso I'm also the author of nebula Cloud penetration testing uh tool I'm I've been working on different companies throughout you different different years uh starting from Telecom to Banking and right now I'm doing research on cloud and I've been working with different Cloud uh uh different Cloud researches on AWS Asia and digital ocean so uh the topic of today will be kind of uh cat and mouse game between our uh threat actors and us which are going to be the Defenders so our threat actors as you can see here are financially motivated as most of them they are not Nation supported so they don't have the resources they don't have

the funds they don't have anything they have a relatively low budget and I mean almost no money they have a couple of laptops and uh ransomware is a goal to them because they want to get money that's the whole goal and it's easy you you can just do it and you can just ask money you don't have to do anything else you don't have to sell them you don't have to bargain or anything you just put the price and that's all we as Defenders are again financially motivated Defenders because we randomly get paid uh we again are not Nation uh nation state supported we again have a relatively low budget so don't don't expect us to have much uh security

systems put in place so we are we are talking about a company that is small with very important data but not so much uh security systems and also our data is in S3 so ransomware is a risk to us because if we lose them we lose practically our Revenue so what is a ransomware and how it is usually done so in in a normal conventional classic ransomware you just get the access to the data you download them you encrypt the the original data you keep the the downloaded data then you uh ask for the uh you ask for the ransom if they don't pay you can share the the all the information online you can

sell it or anything if they do pay most of the there's a high chance that you will again do that but you will give them the data uh what about the S3 on the S3 you have to get access so there is a saying that uh in Cloud IM am is the new parameter you don't need too much perimeter security as much as you need access control since because you are using the API to do anything so you need to have access to that you need to download the data then you can do everything else you can encrypt them you can you know put them back you have all the data stored you know you have all the data

stored and then you can just ask for the for the random and then you can do everything else that you were going to do in the first place the thing with this is that our threat actors do not have the money they do not have a large infrastructure they do not have the guarantee that the client will get will pay them so they cannot just invest large amounts of money to get uh a whole infrastructure to uh to to keep all those data plus they are afraid of the monitoring so what do they do they start to look around and them being the crafty hackers that they are they found they look at the KMS so what is KMS KMS is literally

an encryption as a service service uh that allows man mement of encryption keys and uh practically allows you to encrypt the files or encrypt any data that you want without having access to the key so you don't just spread it around you don't just lay it around you don't just pass it in a notepad you don't have all of them you quite literally have the the you know have a service that is doing that for you uh so what you actually do is you just send the request to the KMS and they will just give you the cipher and again the reverse you send the cipher it will decrypt it easy easy stuff so just one

API call they also have something called the KMS policy so as I said uh identity is a new parameter so they can uh you can Define what is who is allowed and who is not allowed the way KMS works is that if you allow access to only one identity nobody else will have access to it it and especially if you put the effect here to deny and then you say everybody except for this identity quite LLY not even the RO will have access to that not even the root account so the there have been cases when uh users have been locked out of their keys just because of doing this on the other hand S3s allows you to uh to put the

config uh the encryption configuration because of obvious reasons and by using both of them an attacker can create or modify a case policy to allow only itself access to the key then put the uh policy then just encryp the bucket they will have to do an you know a a reedition of all the files but they don't need to to locally copy them and after doing it they quite literally have encrypted all the data and the way KMS works is that if even if you want to decrypt the data you quite literally do not have access to the data because you don't have access to the key in the first place so you can't literally even

download the data and I don't know try to do something like uh uh if you could brute force it or in the case of NSA probably use the back door on the rst but uh that's as I said that's how it is now what does this help how does this help uh the attackers don't want to download the data and they don't need to download the data they can literally quite literally lock the data so they can just put the uh the policy uh put the encryption configuration just recopy the files to so get the file do a loop with the file uh grab the file and then reput it back to the bucket and they have encrypted them and

when they want to give to allow the client access to the data they can just to the reverse so from encrypt to decrypt and again the funny thing about this is that if even the route doesn't have access to the key they cannot even look at the key policy so they will not know who which identity has access to this key unless they try to do something different so let's put our blue heads now and start to understand how we can kind of prevent this yeah uh so what what we saw is that even though we uh The Defenders or the administrators do not have access to the key when they open the KMS dashboard they will get an

error saying you don't have access to read this key and they will have the the key ID so they they will know which ID is doing the Mayhem on the other hand even though the route or the administrator doesn't have access to the to the key they do have access to each identity so what they can do is quite literally get create a policy that allows KMS describe key because the attacker might revoke that that right then list all the roles all the users uh put a new access key or just delete one and put another one for the users assume the roles and then just try to do describe key on that key and as you can see here this

identity has access it's supposed to be admin user here sorry if it doesn't look so good so we found out that that identity has access now that we know which identity has access we can protect our so we can uh revoke the the ransomware the blue teamer one on the other hand you also have the cloud tril logs which is a lot easier method than just looking you know just doing all of this but yeah you can just uh clearly look at the logs and then see which identity has touched this key and then you will know who uh who has access to the to the key and then again revoke the ransomware so the the threat actors don't want to go

there you know it's a whole hardle they will lose the access they will lose everything they will not do anything with this what do they do though what happens when you go stop the cloud trail at logs and for the sake of the argument we presume that they have access to do that they stop the cloud TR logs before they start everything then they create an IM user with a very random key uh with a very random name they do everything everything then they delete the user right now the Defenders will not know which user is doing this they will not have logs and they will not know what you know which identity has access to it

and when everything is being paid the uh the attackers can just say okay this is the user have fun you know create the user and just decrypt the the data and quite literally a AWS is being very generous with what it allows on on a username if I'm not wrong it allows 40 64 characters of all of them so you know random was never an issue to you know to the attackers what is the issue again with that one even if the cloud trail are stopped you know the cloud trail lcks are stopped there's still the event history event history is a feature that AWS has AWS cloud trail has that keeps every event of the last 90 days you will

you will have used uh event history if you have used Cloud TR lookup events lookup events quite literally grabs that uh so again having a random name does not work for the attackers on the other hand uh what KMS does is that it doesn't use the username on the policy but it actually uses the user ID on the policy so if you delete the user and you recreate that again they will not have access to the key so again they will have reached data distraction at this point there is no way to return the the data but they will not have uh done the the randomware with the low cost that we wanted to to do so again this is not

something the threat actors want again AWS is very generous and allows uh something called a cross account KMS key sharing quite literally how this works is that you can put the policy and allow one account to access the keys on another account think of this as an infrastructure where the whole KMS keys are put in one account then everybody else is uses and then you restrict access to that to those uh to to that account an attacker can do the same they can create their own account they can create their own key they can allow the compromised user access they can do everything they can remove the policy whe and then when the uh Target pays

they can just recreate the policy and allow the target to to decrypt the data quite literally this works and this is actually the best way and this is actually the way that uh rhos SEC uh did it like you know what rhos did on on a research like four years ago if I'm not wrong five years ago this actually works because you don't have to keep the keys you don't have to keep anything you don't have to have the data stored in you you have the account and everything and it also works for each each object object not just on the Bucket Level but you can quite literally encrypt object per object so you can

even you know mess with them and create like 10 keys and then just randomly do them so that they will have to find 10 10 Keys you know it this is just an addition but even the Bucket Level encryption does work unless the Defenders have created an SCP policy which uh is put on the organizational level and only allows resources to be accessed from their own organization right now the attacker's account is of course not on the organization the attacker has to put the account on the organ on the organization and that would include other issues because right now they they've given access to the diff to the to the Target and since they do this there will

be an access denied because the resource is outside your organization of the of the target so again the Defenders crafted as they were as they are they'll manage to to stop this but our attackers do not do not give up easily let's go back to the to the first transware what you do is you you get access to the data you download the data you encryp them locally what if you can do the same thing with KMS you get access to the data you download just one file you get you create a key on your own account you encrypt the file with the key here locally you put the file back again on the bucket then you

delete the file right now quite literally you are not storing all the files Lo uh locally because you are deleting them all the time and you are encrypting them with the key that is on the KMS and you are again Runing them and the funny thing about this is that uh when a bucket encryption is put uh bucket encryption configuration is put on a bucket other files cannot be added unless access to the Keys given in this way that doesn't work the file will have the same name and you know uh each time you upload the file with the same name it overwrites the old one so you you will quite literally just overwrite the file with the encrypted

version which leads us to the idea of the version there's something called a bucket versioning in AWS what bucket versioning is is quite literally keep every version of a certain file in in the bucket so you quite literally are keeping 100 versions of the same file think of this like uh git commits so you have everything there meaning the attacker will have this version which is the encrypted version but the defender will have this and this and the rest of them and other than that there is no uh to my knowledge there is no restriction to how many versions can be of a file I did the test once I create I rewrote 50,000 uh you know versions of a file

all of them were kept so you know uh to my knowledge there is no restriction I mean if there's a million I don't know if you'll need a million versions of a file but again at least you will need one one more to to protect that all yeah of course yes of course but as I said let's because if we go by that logic yes there is also uh there can be also restrictions on how much can be downloaded and there can also be a cost on on every download for the for the Target so you know yeah yeah uh there's also something called an uh MFA delete MFA delete is an extension of uh bucket versioning which quite

literally tells you you have to put the MFA code each time you modify uh an object or each time you modify the uh the bucket configuration the thing is this one here most of the times will not be present because buckets are usually storage that is dynamic and everything is done through a code so uh you will need to find a code that will just create the MFA and then push the MFA and then then to the modification you will most likely not find this unless it's a backup but if you have this one it's it's it's an extra layer of security by default this is not enabled you have to enable this even if you enable the

bucket versioning and how do you bypass this there are two ways the first one the easy one just you know suspend it if you suspend it there's no uh there's no uh bucket version any anymore yes there are versions but you can delete them you can delete every version you can list them you can delete them again we are presuming they have the rights to do that the second one is you can quite literally encrypt the file then you can list all the versions and then you can delete every other version except the encrypted one right now it doesn't matter if versioning is enabled they will only have one version on the bucket and that one version will be the the

attackers encrypted version so right now even with bucket versioning enabled they will still have only one version there because you delete it every other version after you put the encrypted version there so you know you do the reverse of what bucket version uh bucket versioning does and yes this is the whole idea at this point uh the attackers have managed to bypass uh so they have managed to go through all the hardles they have bypassed the scps they have bypassed the bucket so they have by they have compromised the user created the key on their own account bypass the SCP with the method of you know encrypting each each file uh once per and then they have also

bypassed the bucket versioning so right now the target has nothing to do so the target is random word so we lost guys sorry they B they beat us uh yeah just to show you we also have everything so uh in permisso we actually we've actually seen not seen ransomware happens but we have seen Keys being misconfigured so many people having access so we have uh a we have alerts quite readily for this we have alerts for the key lockout we have the we have alerts for uh cloud trail of course logging being being tempered with or the bucket encryption being tempered with or even uh the external um external uh resources being used so you know just just a heads up yes we do

cover you on that one and conclusion again I am is the new perimeter in I I I'm not saying you shouldn't have if uh you know you shouldn't put uh you know perimeter security but focus a lot on the IM if everything is done through uh privilege without with actually no no need for an access to the to the Target you don't need to focus too much on the perimeter as you do mostly on the on Prem but you need to focus on the on the am am secondly bucket versioning is something that you should enabled unless as he said you can AF you know if you can afford it of course because if you cannot afford it you can again do

something you can just rewrite your code and then just uh you know delete the previous version and then put the the new version and you do quite literally the same thing that is being done when you create an access key or when you create the a third access key so you delete the the previous version and you have the the other one so you will not have too much versions of of the same file if you do not need them if you only need them for uh for sort of a backup you should use scps you should first of all use an organization I've seen a lot of companies only use one account and have

everything there and you should use scps to limit the access on other regions and especially resources outside of your organization that you do not want to get access to there are some businesses that have connections to other businesses yes you can allow them but you should not allow access to everywhere and yes again as I said previously this is something that was that started from rhinos SEC uh so they they use the cross account technique which we later on find found out that is uh you know could be stopped but yes this was the the first idea that you know that they were the first one that that started this so kudos to them and again I want to thank

a lot of people so I want to thank the pzero team Nathan Debo and Ian and Opie for all the ideas that they have done for all the the help that they have given thank you to the ux team for all the designs and the marketing for all the merge and of course the design and thank you for the rest of the for for being awesome thank you any questions thank you do we have any questions yeah Ain has one give me a

second so thank you uh my question if you can go to the slides you share the use cases are those available open source or somewhere uh we haven't so they sort of is are you can quite literally just get everything and you can create some some uh some uh you know simple bus scripts but we are working currently on a simulation tool that will have different attacks including those these ones it's a thing you know it's kind of a difficult thing to share some something related or R someware automation stol especially on you know something like this which can be used with uh the targets uh Services internal services so I cannot say that we will release that

unless you know we see everything or we try to to limit it as much as we can but right now what the only thing you can do is just get everything here and just try to to automate this the second thing is would guard Dy protect from those no because I don't know if they have I haven't checked if they have up dated but to my knowledge no because uh creating the bucket encryption configuration is something normal you cannot just stop people from doing that or locking the keys I have never gotten an alerts while while locking the keys and I have like 15 in my own test account and I don't know what to do because I can't close that

account you know right now but uh no to my knowledge they do not do anything of that the only thing I think can be triggered is too much data being dumped and too much data being downloaded a bulk download and there's to then too much data being uploaded I think that can can be triggered but other than that to my knowledge no thank you any other question thank you blon that was great thanks for the [Applause] presentation so I think we are a little bit ahead of the time for 10 we are ahead for 10 minutes in the meantime you can stretch your leg I would invite the

[Applause]

for e

test beat

box I CTF up and running

here

e e

okay with without any more delays uh we are still on time by the way no delays we're just waiting to be actually on time CU we are ahead of time I'm presenting you kab kakola who's going to be covering uh open source intelligence and see different news cases with that being said corab the floor is yours thank you Aran so first of all hi everyone this is my first time being here even though that I'm a local I really enjoyed the previous workshops talks and let's continue with ENT let's do a short introduction on me first since this is my first time being here I'm kabola certified ethical hacker from E counil and Cisco I'm a ENT enthusiasm

practitioner obviously and I am a cyber security officer at nbit previously worked in the banking sector now switched up to a startup what is open source intelligence open source intelligence with a boring definition is a practice of collecting and analy analyzing information that is publicly available but what does that mean let's let's get a Everyday Use or everyday case if we post a picture on our social media and we we pick the Privacy option public a developer that is located in India takes that photo downloads it and uses it for an AI machine that he's he's doing on on on his own that is ENT this is just a simple let's say case who uses o the the the most the biggest

category is Hackers when I say hackers I involve black hats and white hats so I won't separate them I've seen hackers get thousands and thousands of dollars of bug bounties by using ENT open source in intelligence how come companies sometimes are not aware what they are posting on your on their social media for example if I own X company and I'll pause that our company now has some uh Cisco firewall implemented I'll get a picture of the firewalls posted on social media a hacker can see that I use Cisco firewalls go hunt for CVS on the specific Os or specific device and turn that information into a weapon I talked about the company perspective let's talk about the

personal uh perspective usually uh I hope not anyone who is present here but uh people in general tend to leave passwords something that uh describes them or it's personal about them so if a hacker has free access or open access to our social media he know anything about us if we have any child if we have any pet if we drive any type of specific car Etc he can get that details put it on a word list and continue further with an attack so the the biggest category is are hackers a lot of hackers uh let's say win a lot of money by just doing Google Dorking Google Dorking or Google hacking is typing specific parameters on Google search

giving specific P specific file types and Google will will give you back the results and with just a few clicks away you you got yourself a good back Bounty the second category are law enforcement agencies and in intelligence communities the law enforcement in general uh unfortunately not in Kosovo in general they use ENT a lot how I've seen people get arrested from social media posts criminals are being stalked on social media with sock puppet accounts so PE uh people who tend to post or show off their criminal activities on social social media that's just an extra pair of eyes and ears for the police officers that are stalking thousands of criminals on social media platforms as

about intelligence communities there are a lot of platforms that uh we cannot mention and are confidential that use our public data and uh intelligence communities have access to it by just clicking and putting on a single name the other category are journalists journalists love free data they they love everything that is available publicly out there for their profession so journalist also use O A Lot businesses tend to get as much information on they Co on their comp so they could get ahead uh of them and last but not least everyone who has access to public data is an ENT user if you've seen someone in this conference you were not sure who was that guy with just a

few clicks on social media uh you could get to the person without even knowing him so you did an ENT Act of intelligence there's a dark side of ENT and a bright side of ENT why is that the Dark Side of ENT is I I did put a quote on this one to have a much better overview too much information Exposed on the Internet is like leaving your front door why open in a crowded City no one wants to do that no one wants to leave our front door open in a crowded City so you have to be extra careful what are you posting on social media or leaving your traces on the internet because that

simple information that does not really matter for you can be turned in uh into a weapon by an hacker the bright side of ENT as I said police officers around the world are talking criminals are gaining evidence for criminal activities through oen so embracing oen is like having countless eyes and ears for law enforcement it's a powerful technique and they do use it a lot I'm about to present a few open source intelligence tool that I can share uh without even having to hide the names you can all download by just typing the name of of the tool the first tool that I'm about to present is the web check. as93 nnet this platform uh I

know that there are a lot of penetration task and security researchers here we know that the most critical part of hacking is gathering information or reconnaissance sometimes getting a lot of information for a web or having the architecture of the web is kind of tricky and can consume a lot of time for example for for the domain us you have to visit a specific p uh page for the SSL certificate specific page headers security. uh txt present they are all specific web pages that you have to visit this platform with just a single click can give you a good overview a good mind map of the website that you are trying to ethically attack as you

can see I took besides Prisa as uh an example and you can see a lot of useful information that can be turned into a weapon maybe later or can be used when you're testing a website ethically sockman Tracer uh usually when uh police officers or private investigators have a single name they do not know anything about the person they go after uh the social media Tracer is a platform on it's not a platform is actually a tool that is available for download on GitHub it is free sockman by the way just to clarify is social media intelligence it's refers to the intelligence publicly data available on the social media with just a single string you'll be able to automatically

get a lot of information where is that user present on social media I took an example as my my first name for example I only said kab I want to know where that name is available but a private investigator would actually Trace down hunt more information with the username as you can see this tool within a few seconds can check 175 sites even more and you'll be able to know where is that username available go there and hunt down for more information for your specific Target face check I ID the name says it all face check ID this platform is powered by Ai and it is pretty interesting when I first saw that even as a cyber security professional I was

kind of kind of surprised because the fiction movies that we saw When We Were Young younger are turning into reality uh let's take a police example over this one a spy that is not obviously from our country comes and all we have is a single picture how to find out who's that guy this platform helps us all you have to do is upload it and you can uh see that there are checks on social media sex offenders smug shot scammers videos news blogs everywhere where when that picture of that person was let's say present it gives you back the results for free even though this platform is turning onto a premium it gives you a free uh a

couple of free shots and after that you have to pay but it's easy just open a new account uh so uh I did I did not want to take anyone else as an example or a specific person so the famous hasbullah I took his picture uploaded it as as you can see there are links and the other social media where that picture is present you can see that uh you have numbers over there 40 60 70 that is the the the ratio of the tool being uh let's say true to avoid false positives test it I invite you all to test this platform test your face if your face comes up if social media posts

come up you have an option to request a removal so uh if you are present on here don't be afraid you'll be able to get yourself off spy talks spy talks unfortunately is not really popular and available in Europe but the Spy talks platform is able to find people by just giving out a single name a phone number or an email it's for free of course it has some premium options premium data that is linked to their third party vendors but in general it's for free it works awesome on US citizens in the European uh side not as much as accurate but sometimes when you receive a call from an unknown number located in us

your best friend is here to solve that mystery I could not get a phone number to demonstrate so you'll be able only to see this slide tinai the reverse image searching is very popular nowadays and the thy is one of my favorites when um the host of bides posted the the a picture of the object that we're currently hosting this event I was thinking what if someone in the other side of the world who does not know what is besides who does not know where is Kosovo or where is Kosovo located have access to that picture and with the help of the T ey all you had to do is to upload the picture and if that picture is available

somewhere somewhere else on the internet you'll be able to find it for example you can see that there's an article from a local newspaper uh and it gives you information where is it LO located and for what is used by by clicking on that first link you'll be able to know that this is some kind of library uh and you'll have good information you can upload a lot of uh pictures of objects Etc and tinai does not store your data of what you're searching dark web open source intelligence I could not uh present publicly the dark web tools that are free to use because the these tools can be uh weaponized and can be turned

into let's say something not good for the community and I took the uni- predo domain just to classify I am aware and I am informed that some student already reported this issue and the whole system is now requesting some kind of forcefully password change so just to clarify everything that you will be about to see is probably outdate with the use of Open Source intelligence tools all free of they are all free and a little bit bit of magic I was able to get uh accounts with this domain have them clear text uh even professors students etc etc but this probably is outdated and solved by the uh University weaponizing information versus weaponizing information when when it

comes to ENT it is pretty difficult to to separate the the good from the evil because every single information that can be used for good on the other side can be used for bad weaponizing information hackers do weaponize information if they access dark web they do have your password most of us have a problem with credential overlap or let's say password reuse the same password maybe will be on the other social media or the other account that will be able to find via the Tracer tool the social media uh intelligence tool on the other hand weaponizing information for good is a good thing why police can use that to Catch a Criminal for our safety there are a lot of communities

that use alen for good for example there is a community community Trace labs they gather they they make CTF parties and find missing people they try to find missing people and they're very very good at at at their job so this is uh uh let's say a topic that can go on and on but at the end of the day is weaponizing information versus weaponizing information at at the end of the day the the police officer and the thief they both have guns but the the the one uses it for good the other uses it for bad any questions

thanks cor that was very good presentation uh I'm still not getting used to you know like getting away from the mic from the speaker do we have any pres uh any question yeah give me a

second thanks for presentation K so my question is because I was seeing a lot of uh online tools do we have any recommendation for operation security because for example if I want to have to find a face of Arian or whatever so if I upload his file it's kind of personal data so do you have any recommendation when we are doing end which is linked with operational security so first to not be identified and also to not leak data because who knows maybe that aome platform is owned by AP or hostile State yeah thank you that's that's that's a great question uh as I said for the facee check ID it is controlled and uh

they do have some sort of compliance on specific uh Frameworks and they're not allowed to share that data they are allowed to uh manipulate for their AI purposes I know it is tricky because when we say AI purposes we don't know where the data is going but if you are able to find yourself your friend on that platform you'll be able to remove it as for your question if I want to find Aran sorry for taking you as an example but if I want to find Aran uh I'll I'll take the the most simple example that uh that we can all we need is to have a picture of Aran that is publicly available data on aran's social

media accounts or maybe a picture of Arian without uh his name or he him being tacked and open Google Images upload if Aran was somewhere in the Google ranked you'll be able to find Arian I hope I answered your question if if you want to discuss further feel free also not only you but everyone who wants to get involved on aome projects feel free to reach me out on LinkedIn great thank you do we have any other questions thanks very much that was great [Applause] presentation okay with that being said uh we're going to take a coffee break now uh we are going to be back at 3:15 quar 3 let's try to be on time we have

two more great speakers and then uh towards the end we're going to do the CTF and raffle so please stay till the end thank

you

for

e e

[Music]

okay I think we're ready to go sorry about that sorry about delay uh next we have Josh Blan uh he's going to be talking about malware cats and cryptography so floor is is yours test oh thanks so hello cyber security Community everyone who interesting on uh cyber security entry level Specialists professionals students and everyone who came to this interesting conference so today I will talk about the role of cryptography in malare development and uh considering uh results of an unusual research I conducted during the last one year so little bit introduce me it's not me it's me yes uh so I'm a malare analyst and thread Hunter and malare researcher cyber security Enthusiast also contributing some projects like Mal

pedia and sharing my knowledge during the years via my books so let's start today uh first of all I will talk about uh Mal protection a little bit uh introduced some techniques and tricks which malare authors used for protecting their applications then I will consider about Mal and how you can use uh cryptography for hiding malicious actions malicious payloads from uh security solution and finally I just share my last research about simulating ransomware and trying to decrypt some victims of ransomware like black cat ransomware Hello Kitty ransomware so cats are more than only not not only cats in cyber security and also ransomware today uh first of all okay defensive cryptography yes uh traditionally cryptography used for uh securing your

information your data or privacy uh from unauthorized individuals and uh many of us use cryptography for uh protecting um communication also for encrypting uh for example communication between servers between uh infrastructure protecting and encrypting data and U and other Solutions like uh pgp um mail and something else so uh defensive cryptography traditional is like balance between what's possible and uh what's acceptable because you cannot cryp cannot encrypt everything cannot secure everything um but uh bad news is today nowadays cryptography also us it as offensive instrument not only red team operations not only F testing also used for developing malware and using adversaries for protecting and hiding their payloads and assembly Cod okay uh Mal Mal

M outs try to create full undetectable M uh antivirus Solutions easily to bypass and you can easily bypass uh Security Solutions edrs it's uh some sentences when you can hear every day uh if you interested on Mal research and Antivirus researching so uh I also ask myself uh Hey really is it really too easy to bypass antiviruses and edrs or some other Security Solutions and uh I just uh concluded that um the classic tricks is divided to main these two three uh Concepts three main basic concepts to hiding your M from uh Security Solutions in your red team operations spin testing or some another educational and research purpose of course only the first one is

time Distortion tricks it's simple just uh trying to evade some uh virtual machines and boxes like using sleep get count and trying to Distortion time timing uh when you run uh your M the second one is uh wi API acusation and hiding uh what's what does it mean uh it's a bation when API functions and hashing using some CIS calls using hiding your uh calling V API functions from import address table and the last one is of course encrypting and encoding payloads and assembly code uh so for example what does it mean when we say Hing APS uh sometimes uh Mal good malare analysts good security engineers and reverse Engineers can uh detect any malicious actions from uh by analyzing

uh import address table of your M for example uh just in case in this example you can show that uh you can see that message box is detected from uh import address table of user 32 d uh what the problem the problem is uh you uh security analyst also can found another actions and uh can detect malware capabilities from import address table for example if you found something like um Rec open KX uh you can uh uh you you know that your Mal uh have capability for working with reg Windows registry and try to manage registry try to create new case and another one is uh for example if you found something like vs2 32.dll and your import address table

and found some functions like U uh like sleep uh like uh virtual aloc for allocating uh allocating memory for your payloads uh it's yes it's a probably but uh what's the solution the solution is calling wi API by hashing when you uh use some hashing algorithm for example something simple or maybe something complex like B 64 or something like more for example more is also used for in real life Mal and real life ransomwares like Cony like black cat and finally just hiding this from import address table as you can see we cannot see uh user 32 DL from address table in this case and of course just hiding function names also for you can't

found message box from by hex dump or something like strings also uh what about pilo encryption in this case uh the main concept is the same uh the only difference you uh try to hide your pad your uh assembly code uh for example let's uh uh let's say we have something like this or any any pilot any msf Venom or another pilot maybe in in this case it's just message box pilot and just in case it's uh let's say it's malicious okay uh for protecting this from uh static analysis uh we can just encrypt it via something like XR or maybe rc4 or maybe Advanced encryption standard or any anything else uh which use it by U

malware actors and malware authors and also these algorithms used uh in real life MERS nowaday like ransomware or also um drop ERS and MERS and uh K loggers also uh what's the trick just dynamically decrypt it the crypted in just in case in this case is or uh I just show only the exr algorithm but in new case you can use any any of them so finally just run decrypted pilot as a result it's worked and uh in me in most cases uh this one is uh this trick is bypass many Security Solutions like uh Windows Defender kasperski uh of course uh in most case it's not bulletproof uh trick and bulletproof technique for bip fully bypass security

solution edrs for example if you have uh some theistic analysis or behavior analysis or maybe uh and other types of uh deep analysis like sandboxes or man analysis by good reverse engineer or good Mal analyst but in most case it easily bypass static analysis and uh signature based detections like Yara rules Sigma rules and anything else so but uh of course there is a c about shenon entropy what's the shanon entropy in in this case Shan enthropy is the quantity of the information included in data and information and mathematical Theory and information Theory uh entropy is uh measure of the unpredictability of your data it's also Shen entropy is name it after the famous mathematician shenon

clo uh of course note that uh if you have highight entropy shanon entropy it's uh having a file with a high entopic score can cause Security Solutions to flag the file at least or at the very least consider it it suspicious and uh Place additional screening of course uh Shan entropy also the simplest uh formula is this one and uh you can easily create something simple in Python for example for just analysis and just for creating for doing some research for example in this case I just create a simple python script as you can see it's same as uh virus total uh score virus total calculating entropy okay uh how is going uh what what about

comparing um classic algorithms which I uh showed before for example rc4 maybe XR uh first of all for example X rc4 is can be easily detected and easily reimplemented and easily uh us it by without using win API calls for example you you not need to uh use Crypt and crypt API or something like Big R up API uh you know not need to call any suspicious V API so you not need to hide wi appals by via Aus skating itating your calls for function names you just need to hide your payload but the problem is this algorithm of course it's easy and well known so nowadays it's easily detected by Security Solutions of course any antivirus or

adrs easily detect this algorithm um but what about exr or a advaned encryption standard uh this algorith also easily implemented uh in C in C++ in Python and Goan uh many many open- Source libraries from GitHub you can use it for encrypting anything any data even payload even some malicious sections or your file but the problem is the same these algorithms well known and uh uh more complex Security Solutions and more complex and more um clever uh security analysts like reverse Engineers I easily detect these algorithms so I just ask myself okay uh welln algorithms is not good for encrypting your pilot today but what about uh classic algorithms in it's which is not well known it's not famous

like rc4 it's not fos like is or uh I just trying to get some encryption algorithms from applied cryptography book by Bruce schneer cryptograph um for example some algorithms like madria RCC skipjack tin encryption algorithm X encryption algorithm and another algorithms from 17s and 19s uh but what the main goal of This research um how does this using this algorithms cryptography algorithms is the effect in shanon entropy it's increased or decreased and what about uh virus total score what about uh what about um shenon entropy and what about um total score okay the first one is uh T encryption algorithm this algorithm is block Cipher which use uh 64bit blocks for encryption uh algorithm and use

128 K SI for encrypt so you need to divide your payload uh to uh blocks uh for encryption for using this encryption of course uh in this implementation and see by me I use just K size in 60 and 32 rounds rounds for encrypt my payload as a result as you can see the shanon entropy is not so highight uh what does it mean 6. 28 if your shanon entropy is uh greater than seven it's detect as malicious as immediately by some Security Solutions like Windows Defender or something else uh but uh in this scenario and another scenarios also I use the most easy scenario just encrypt pad not using any ant VM or anti

disassembling technial or anti some anti reverse engineering technial in in these cases so but uh even we have a good virus total increasing uh uh decreasing score for example from 32 to to 84 it's not not bad for and uh this that's concluded that uh T encryption algorithm is also used as starting point for your uh by for bypassing Security Solutions the next one is uh madri algorithm in 1984 uh which will was shared um and uh also used as advanced encryption standard in USA but uh after founding some issues and some box Security Box in this algorithm it's retired but uh why we cannot use it for encrypting or Pilot in this case I just use uh 16 rounds and

using this case just using this Del Delta of course uh you can you can ask it's easily detected by Something Like aara rules or something and other Security Solutions by just founding this Delta of course but even as you can see is also good uh result of shenon entropy not so height and virus total score also decreas it from 31 to 17 it's also good result and also you use as starting point for encrypting and uh adding uh another features like anti VM anti- disassembling and anti reverse engineering tricks and features the next one is skipjack algorithm which will uh which was released by National Security Agency in USA it's also us it in the uh

competition for uh using as advanced encryption standard and uh for standard encryption tool encryption algorithm in USA But retired and uh many years ago it also not it's not um patent as open source or some open algorithm it's a closed uh algorithm but uh also retired and unclassified by National Security algorithm in 1998 as I know uh so also reverse engineered by pauletta and I just reimplement it with some different some simple additions adding some modifications but basically it's a power modification optimiz it by P implementation and of course as you can see in this case also good result for Chanel entropy you can use it uh you can use it for a starting point for encrypting your

pad uh the next one one is rc6 algorithm it's um it's one more Cor in this case uh as you as you as you can see we use just p and Q prime numbers constants for this algorithm but uh if you try to use different constants and different rounds as you can see the scale in and bit uh how many rounds you can use if you use more rounds more 20 is shenon entropy highly increased in this case and easily detected immediately but uh if you use uh this uh this implementation with these case uh these constants it's also can use for as uh starting point for encrypting your payload and malicious activity uh the next one is the final

one uh the interesting case in this here because this encryption it's not used for protecting just data on U machines or technial it's just using for encrypting GSM it's a JSM standard or using uh encrypting your communication between base stations and your mobile phone so but we can why we cannot use it for encrypting our pilot of course in this case also uh as you can see I also use simplest case and simplest implementation with round case 0000 and chel entropy is not so high and it's good it's good for us uh if let's say we are try to evade uh security solution and virus total score is also good showing good result and decrease it and

uh I just in this case I just try to uh Deep dive into this algorithm and deep dive to protecting my malare sample and as a result bypass this algorithm also bypass uh kasperski antivirus and some Security Solutions like Windows Defender in the real in the real case and uh it's really used in our pentest one of the our red team operations so uh in practice these algorithms also use it in real in real pent test and real rtim oper operations but of course uh as I as I said before you need to not only encrypt it uh with algorithm you also use uh ANTM and different another different um protecting uh tricks like using timing

time Distortion using upos skating wi API strings and functions adding some tricks like uh try to evade virtual machine and sandboxes what about full undetectable malas the main question is is it really to create as I said the previous slide uh yes you can you can do it by these algorithms any of these from uh during my research any of these four five uh classic algorithms uh the main the main reason I think uh is using this it's they are not not so popular so uh for full undetectably uh you need to use legit C2 uh infrastructure like telegram IPI it's also uh I I have a practical case used it slack API and Discord API

for stealing for communicating for sending commands of course everything will uh need to ENC encrypt it andate it at least base 64 or base 58 also for example uh of course you need to divide by lot it also a good trick uh because sometimes if you use standard reverse uh reverse reverse shell pay loads from something like msf venome from metas spit in your R operations it's easily detect if you not divide it to blocks but it's also good for encryption because as I said before uh some algorithms for example T encryption algorithm is a block algorithm block Cipher so you need to divide your payload to blocks and then encrypt it of course and use ant VM and anti

debugging teches like uh founding easy debugger present flag uh anti Global flag um uh something like uh is being the vaget flag also from parsing P files parsing your malware and also good uh good thing is hunting persistence mechanism of course because uh it's good if you was in my uh Workshop yesterday I just showing some tricks onti uh bypassing Security Solutions like encryption persistence and so on and uh what about uh okay let's for example let's see that is a full undetectable malare in this case but what about ransomware okay we can can encrypt payloads we can encrypt strings we can encrypt everything in Mal but what about ransomware can can we use uh

these uh strange algorithms and classic uh encrypting for simulating ransomware attacks in Real uh but of course uh during my research I also trying to decrypt the Black Cat and hello kit rans rares and because this encryptions a little bit um uh use same tricks uh not using wi API not using uh malicious suspicious strings also use same tricks as you as I said before so try to simulate uh different Ransom and reimplement it from Cony Lake and copy kittens and black Trans somewere okay encryption uh in case of Hello Kitty Hello Kitty use U encrypt algorithm it's just uh name of the library from GitHub they us it this strange library with various encryption algorithms and

encryption reimplementation andc and um assembly of course and uh so this one is same little bit same modifications of advanced encryption standard but as I said before Advanced encryption standard is well now so easily detected sometimes and they just little bit modification modificated for encrypting their uh victims and another case is black hatat ransomware is also use wellknown algorithm uh chaa 20 it's uh also used by uh Mal actors and Mal aors in their malicious actions but it's also use same algorithm like as the only difference is they just replace V API it's it's the same like is encryption and like chaa hting uh hashing and um I also use more more has more more hash to a

modification uh and uh when you replace V API functions uh it's uh uh really decrease your detection score really DET really in decrease your entropy sometimes and really when I try to research these cases in my inur during my career the next one of course um what about Effectiveness and problems when we try to prevent this preventing and hacking ransomware algorithms it's not so easily easy think ransomware threats using different uh and another different tricks like uh Deep dive into anti- debugging and some anti reverse engineering tricks uh so I try to help victims and decrypt f file is it really easy or not uh and there has been minimal research unfortunately um in the

GitHub in academic research I just uh tried to hunt new research about uh how we can use uh some uh results from academic uh professors and mathematicians and cryptographers uh how we can try to decrypt file but unfortunately so there has been minimal research in in the world in this case for these cases okay I just uh during new research okay what is the methodology of resarch it's a simple just using virtual machines like Windows 11 or 10 or Windows 7 uh maybe I just uh using Linux in in my future uh my future research during these uh interesting cases uh of course D me this uh V virtual machine with different files just in case something like do Excel

Microsoft PDF files zip files MP4 CSV files F them fo them these virtual machines and try to encrypt it by ransomware uh of course disable just in case for research purpose of course disable any Security Solutions like edrs and of course use legitimate c2s like telegram IPI as as I said before and compare and finally compare it with no more Ransom uh site and try to and decrypt the Crypt some files from these cases what's the results results everything is very bad but very bad but there is a trick I just show later uh of course the first issue is the hard math decryption because it's pointless and labor intensive because sometimes if you use all superc computers of around the

world for decrypting some algorithms it's not not good idea because because you you need to 1 million years for this um of course better results in best result is in best scenario is also less than 50% maybe less than 30% it's so bad and of course uh we need to do a lot of work we will need to research any new cases and more complex algorithms of course or need to be tested as this methodology maybe you need to another methodologies uh like combining some sandboxing and manual decrypting and some reverse engineering and trying to using some forensic tools like volatility and uh so on uh as I said uh there is a trick uh what's the main idea of this

trick let's say we try to decrypt yes no it's bad idea so we try to find the vulnerability in the ransomware what does it mean I just uh want to say instead of decrypting uh to hard mathematical decry algorithms and try to decrypting some in some case is so impossible with your resources so try to find vulnerability in ransomware architecture and because ransomware is also application as any application is Wroten by people and brought them by stupid hackers sometimes so try to find this and uh in this case we are doing research in with my R&D uh in the web SEC company so I think uh we try to more complex algorithms and uh in some cases

we will find some uh vulnerabilities in Ransom Wares and after finished our research it will be public paper I think I I hope it will be help for decrypting any uh Ransom Wares in the future so thank you it's the finish and if you have any questions you are welcome

thank

you thank you Jan uh okay I think we have a question there let me just pass the

mic so I was just interested um how important or like how much would one you specifically suggest uh honing one's mathematical skills and reading on exal theory on cryptography and and and and and I know encryption uh to to like being a good like U ethical hacker or is there some sort of work around that you don't need to know this whole bulk of theory and you simply get to use the tools that some other people have written what is like the the middle line between this do you do do have you for example had to read on on Theory before or or have you gone got gotten around to it just just sharing your knowledge just

sharing your any research by doing some good things you know uh traditionally M analysts use only reverse engineering and not try to reimplement some tricks as really hacker because sometimes it's really helping when you let's say you are blue team for example in my case I I I'm not I'm not offensive security specialist I uh I just mathematician and uh traditionally I try to use uh reverse engineering skills my reverse engineering skills to beating MERS and combating moders but uh in my case I also have some soft engineering uh experience more than 10 years so it's helping for reimplement some things interesting things and try to analyze it try to research it so I I hope it will

be help helpful for any who need to analyze Mal and try to decrypt Ransom ways maybe okay thanks thank you any other question no justone thanks so much that was very insightful presentation [Applause]

I think this is perfect timing uh we will continue with uh one more speaker um so with that being said if Resort is here we can call her on stage thanks [Applause]

spe for

foreign e

you I keep forgetting about it okay next we have rort thi and she's going to be presenting about Cloud protection specifically fighting of MLA uh sorry machine learning against DD do so with that being said floor is yours thank you okay hello everyone so first I would like to thank you for your time to be part of this presentation today and also at the same time I'm very honored that I had the chance to present this topic in front of you and I think that it will be a very interesting topic that I'm going to to present today so uh my topic is cloud protection the fight of machine learning against the Usos and ITC attacks but before

starting I would like to give you an introduction about myself for those who don't know me so I am RAR Tachi and currently I'm a teaching assistant at the University of Pristina at the faculty of electrical and Computer Engineering and at the same time I'm a first year uh PhD degree student at the same faculty and also uh devops engineer for almost the uh three years so that's also the reason why I have oriented my topic into the cloud related to my experience that I had until now uh and also through this topic we will not see not only the fight that has machine learning against the US andc attacks but we will see that how does uh

machine learning uh enhance the detection processes uh of uh this type of attacks and also the others so I haven't prepared you what I'm going to talk to about today but we're going to see along the way so it could be maybe more interesting for you I'm going to start B with an introduction then we're going to dive in uh into the world of cloud cloud computing and how uh machine learning has its approaches through their algorithms to improve this uh process of detection of these attacks so as all we know uh cloud computing is one of the most popular Technologies nowadays so if we see uh before some years ago and until now there are a lot of change that has

occurred uh in the it companies uh I have uh showed here in this figures uh the changes that have been done from 2019 to 2025 uh you can see that have there has been a comparison between a traditional or on premise and cloud computing that uh is going to happen now so if we can see uh cloud computing has the total revenue uh comparing to traditional one uh having a very great growth in revenue and also in usage now we can say why is this so uh we know what are the advantages of cloud computing including its uh scalability and also its safety and many other things that uh improves any processes in the IT

industry but also apart from the advantages that cloud computing has it also has as disadvantages that we're going to see right now uh that is cloud security so why especially Cloud security uh because machine learning until now has made different solutions not only for detecting uh threat or vulnerabilities in Cloud but also for other different environments but I'm going to orient my topic towards Cloud security was uh also the main uh purpose of this topic so uh the main attacks that are happening now in Cloud are the and mitc that's also the reason that I have chosen this two to see how is the process of uh detection so to remediate them and to avoid these problems in the

future but uh if you can see uh through some research that I've made uh I have seen seen some of the most recent vulnerabilities or attacks that are happening in Cloud as you can see there are security incidents during run time unauthorized access misconfigurations uh major vulnerabilities that have not been uh remediated and also a fielded audit now we can see the part of on unauthorized taxes that is for 33% this is support of uh mitc because mitc is an attack where a user can get different resources in Cloud without uh having the need to be authorized in that environment and also on the other hand that is the that is in the group of the first one security

incidents during run time that is for 34% now the main purpose of the DS is to overload the network traffic uh that's uh sending a lot of packets a lot of requests until it blocks the website or or that environment that is operating and also we have data loss data corruption and also many others but uh these are some of the more popular ones in cloud computing uh and now many researches uh have been done of what approach to take in order to detect this kind of vulnerabilities because they're being day by day growing one by one so we can see that is a big interesting uh interest in using machine learning for tax detection and now we

can see why I have summarized here some of the papers that have used m machine learning detecting different TX and Cloud but not those that I'm going to talk about later so the process section of uh Cloud attacks is still a on topic uh as I saw as we saw earlier uh Cloud security is a very sensitive topic and it needs to be improved so there is where machine learning helps this way so through the researches there are some of different machine learning algorithms that have been used through years so uh most of the more more popular one is ilsm through automated training and then also they were different approaches using statistical methods combination and

algorithms machine learning uh achieving uh from this an occur of 99.26% and also detection rate of this kind of attack of 100% And also using a hybrid algorithm for DM ITC which I have been trying to do now through the slides uh we're going to see what approach I have uh provided to uh detect these two vulnerabilities in Cloud using machine learning and also the algorithms using to do that and also what is based what I was based to do this approach is the network package characteristics analysis and here is a figure of how is that done so first the network traffic is analyzed and then for each packet there are uh different fields extracted from

that and the this is the phase where we collect the data that is going to be trained and also uh to do the prediction by Machine learning using the data that we have generated uh but for more details we're going to see in the next slides so I kind of mentioned what did and MIT itcr so here we are going to see with figures what they actually do uh in the cloud environment so the the first picture there is an example of how D effects in Cloud environments so uh the previous slide I said that main uh purpose is to overload the traffic that is currently operating in the cloud environment so in this figure uh we have a legitimate user

that's currently can be us that is trying to operate through the internet and the other uh part is the victim or the person that's is trying to communicate with us so in the middle that we have the internet we can suppose that we have a cloud en environment that is operating that part and there we can see three machines that are controlled by attacker now here in the middle of communication between two users uh we can see different attacks with three machines in this example now maybe you saw the first of uh part of the conference today how did you actually work with the real scenarios as we saw so that's it is uh with three different machines from

different IP addresses they're trying to attack or to overload the traffics uh through this network between the two users and this is hows uh is done and at the moment the another part is the victim and can get the the data that was s from the legitim user because of the hackers that were on the middle of internet and at the other hand we have the mitc attack or the unauthorized access so we can Al to have this Cloud hero Cloud environment and also a person that tries to upload a file there with authorized access that is should be and on the other hand we have an hacker in this case that tries to upload a file there

and also to download from that from there without being authorized and in this case we have a cycle has created for the MC attack uh we can also see that when the hacker uh gets or uploads something in the cloud the main user that has an access maybe it doesn't know at all and there could be many uh consequences so after this uh we can see what machine learning algorithms I have chosen to be analyz in this case so there are four machine learning algorithms that I have chosen are decision trees support Victor machine nav bias and K nearest neighbors all of these are machine learning algorithms they are from the part of supervised learning and now what I why have I have

chosen four algorithms we will see on the slides um later after analyzing after analyzing each of this uh these algorithms we can see that the algorithm that has the most higher accuracy uh will be used for prediction now we can see that all of these some of those or fast some of those maybe doesn't operate a good and big quantity of data some of those are easy and fast some of those are easy to be applied but uh this is uh related also to the size of the data set that can be used and also for what operation uh they're going to be used to do the prediction so at a case study that we're

going to analyze now as we saw from the title it's about a cloud environment so the first step uh includes of creating a cloud environment in this case I have shown a simple architecture the cloud environment that is going to be analyzed now it's a is2 instance that is created in the AWS and it has full access to the internet and also there is a web application hosted uh to uh to be this analyz is more complicated that it seems so to see how does it work and after that um I'm going to show you how I did some simulation tests of the andc in that environment and now we get to the most important

steps of this case study that is package analysis data collection model training then finding the best algorithm and last but not least that is the main part of this is U doing the prediction to see if these attacks will happen in the future or not so these are the configuration of this instance that I have created as I said is accessible from outside has application host it and now we're going to see how it reacts so here are two screenshots the first screenshot uh tells of how the US attack is conducted in this case so there are some examples that we can do the D attack including specifying the number of attacks that we want to

use or the number of packets that we want to uh to send towards the cloud environment but now you can see I have made an endless loop so uh through this code we do the DS attack sending a lot of packets until we block complet the website that is host hosted on the instance in in AWS and then after sending all those requests in this case you can see that after the tri part there are some get requests there are being sent through that cloud environment and until we see that the website is blocked then this process is finished and so on we can continue with the process of detection and on the other side uh I have shown

you a part of code to simulate the mitc attack we all already saw that what is the main purpose so uh we have the first method of uploading a file without having an authorization and the second one is downloading the file from the cloud environment and also the synchronized uh method that synchronize the files in order so the user cannot detect that there is any change in its Cloud environment and here we have a screenshot after the DS attack is conducted and we can see that the side can be reached and after this part we continue to analyze all those uh parameter parameters of those packets that we are interested in so as you can

see I have chosen some of the most uh important characteristics that I want to in this case for each packet so we have the duration Source IP designation IP protocol uh send bits acknowledgement bit F bits and also the packet size packet per second sequence number and is aack now the variable is a attack uh in this case uh can have the value zero or one now it only relies if uh that packet that is going through that network uh connection uh is supposed to be an attack or not so in this part of the code uh it's the proc of how uh each of those parameters are being extracted so uh this part at the end you

can see at the code in order to know if we should give the teack the value zero or one we do this uh analyzing this PPS or this case that is pack is per second and if it if it is uh above 1,000 then the sequence number is analyzed and based on that is that that can have the value zero or one and this is an example of how a data set uh is after extracting all those data that we're interested in so this data set can be up to 100,000 rows or uh more but this is only a part of data set of how it can be looked as you can see there a tack part

uh some of the rows has the value value zero and some of the rows have the value one now we can uh if we can analyze uh the part of the PPS we can see that in those rowes where PPS or packet per second or uh 900 for example or 577 we can see that the a attack is zero now in that case uh that process were that packet was being sent over that Network it wasn't considered to be vulnerable andless it's not an attack it's not an attack and we we we see the other values that are above 1,000 we have 1,200 we have 4,000 we can see that the value of his attack is one and thus we can know

that that packet was intended uh to cause an attack in that cloud environment after generating this data set then uh we Define the models of each algorithm that is going to be analyzed the four ones that we show earlier and then for each of those models that are being created after using those four algorithms uh each of the models are evaluated and then we extract the accuracy score so in order to to find that which is the most accurate algorithm is in this case we see the accuracy score and in this case in this execution this is uh decision tree uh was the most accurate algorithm and that was going to be used for the predic

uh here we have a screenshot uh where we find the model with the highest accuracy that is able as the mass model and after that the result of prediction is being shown that application that is hosted uh in that case we have that DS or mitc attack is likely to occur on the IP address in the near future that tells that is vulnerable also in the future future now as I said uh decision ches was the most accred algorithm in this case and it showed a perent of a curreny of 100 so after getting the results after the simulation of these attacks and detection of them I also did some tests including the variables of time stamp p number

requests number of erors duration bite sand data and is attack uh here you can uh give different values different number of requests and then you can see through that model if your Cloud environment is vulnerable also from those attack or not so it can highly be used also for uh different project if you want to be using this uh here's a summary of the results that I have gained uh through this through this experimentation if can I say uh so as you can see the first part uh is when I inducted or assimilated those attacks through those script that we have shown before on the slides so we can uh if you can see there

are different examples of number of threads that are 100 1,00 10,000 52,500 and for different amount of threshold that is the number of PPS or packet for seconds for example the first case we have uh if the PPS is greater than 1,000 then we already had an example when the data was generated the other part is when the PPS is greater than 50 greater than 100 greater than 50 and also greater than 10 and also the duration of how much time did it take to make the simulation of attacks and how much was the time of the detection of those attacks and also the prediction that it tells that if that uh Club environment is vulnerable or not we can

see that for some of the cases we have true for almost 100% but that uh this doesn't tell the curreny store uh score of the algorithm that was being used because I said before there 100 now we can see that is uh 0.975 for example uh but this is how much are the chances so the environment can be vulnerable to attacks in the future if we can see now the second table uh the second table in this case uh I have used J meter to uh to do our or simulate those attacks in this case and I have compared with those that I did through the scripts and as you can see there are much difference uh in the

prediction score but we can see some of them for example we see the false uh prediction of the first row from the two tables we can see that the first one we have fals of 0.712 now we have 0.191 but this also can be related to the duration of the attack or the number of requests that have has been done but in order to be more precisely I have chosen the same number of threads also when I did the test in J meter threshold and also the duration so the results can be uh more positive or more related to each other and now I'm going to give you some takeaways or some conclusions from this

analysis now through this study we can also say that um machine learning is a great method and plays a vital role uh to increase the accuracy of detecting different attacks not only in Cloud environments for or but only but also in other environments and it also can adapt to evolving attack techniques now we can see at the end what are the possible improvements in this case we saw what the US attacks are also mitc attacks and how they can be achieved how they can be simulated and how they they can be detected but remember there are also different approaches apart from machine learning but machine learning has shown a very uh great uh role in detecting

these kind of attacks so it's highly recommended to use that so some of the possible improvements that are in this case uh can be the four that I have highlighted here so for example improve feature selection so if you saw that part that I have extracted data based on uh some features that I were interested in uh so maybe in the future we can also see other features that have a great impact maybe in the future in that process or maybe to use hybrid approaches as I said we can combine to our uh three machine learning algorithms uh to improve that accuracy score in order to have better results the behavior analysis and also threat

intelligence uh now in my PhD studies I'm working this direction of threat intelligence uh so with r intelligence we can maybe achieve a more curate score and thus we can see that how uh it differs with machine learning techniques when we use to collect data with extracting from the packet and also different improvements but uh these are some of the most important one that can uh be to be in the future so thank you very much for your attention if you have any questions or comments you're

welcome thank you rort do we have any question

y hi uh my question is can we use something similar to kind of build early warning system like for example non birth connection from those IPS I'm not hearing you very well can you repeat the question can we use something similar or the same model to to use kind of early warning system for example with the same logic yeah as I said this solution can be integrated of whatever you want to do uh it's very easy to be integrated and automated at the same time so you can use it for different purposes you can not also detect the DS or MDC but also you can get different vulnerabilities or attacks that you you want to consider in

your environment so can be integrated Al can you elaborate a bit more link between thre intelligent how can we utilize threat intell in this case Okay the threat intelligent part M okay uh so we saw the previous slides how those data were generated now through threat intelligence uh we can have uh more data analyzing now also uh using that data for different alarms so we can help us to know before when a attack is being done in that environment and also to use different data sets Al analyzing maybe two or three environments at the same time so that was the logic of using threat intelligent in the future thank you great thank you any other question

yeah thank you uh for these machine learning models to make uh reliable predictions and accurate predictions they obviously need a lot of data to trade on now uh like smaller businesses or organizations or whatever they might have a lot less Network traffic going through their uh Cloud environment so a lot less data to work with could they benefit from these models or is the data too little uh well it's right as you said because as much much data as we have is better we have a greater curacy but it's not very worth it to for small companies because if they they don't have a large amount of data maybe they won't get an accurate result or

something and that maybe it won't be as much as accurate as uh it could be for a greater company for example great thank you any other question thank you Resort that was very great presentation thank you very much for

okay guys uh this concludes our speakers for today uh next uh we're going to announce the CTF winners and also we're going to do the draw on our rawle tickets that you have I hope that you have picked up one either yesterday or today all right so for CTF teams uh I don't know like who are the members so if you are uh here uh you can then just join us so we can uh collect your name and uh do the awards actually there are uh we are closing the CTF 30 minutes earlier uh because otherwise everyone has to wait for additional 30 minutes but we will start first with a ruffle game and then we

will move to the the CTF uh announcements so we have well we have some last minute changes so some teams are uh let's say on better positions now and we had some technical issues so hopefully uh these technical issues won't be present next year uh but yeah uh as organizers we had nothing in hand uh related to the CTF so hopefully uh next year we will uh be more careful with the CTF organization

Wonder talk

so uh we will start with the ruffle similar to uh yesterday uh let's start with the first draw

77 105

50 54 98 we have a winner have a first [Applause] winner 28

68 51 41 19 five it's going to take a while I think 104 62

68 34 56 10 no one 56 yes okay so we have another winner there a lucky winner though 67 no one 52 53 81 43 78 no one you another winner do [Music] 59 38 yeah we got another [Applause] winner and the last one not yet seven the lucky number no one lucky number seven 30 69 and we got our [Applause] winner uh you all have I mean you all have won uh pentester lab Watcher so you will have to send an email at info bpa.org and you will receive it via email you need to take a picture of the number and uh you will get the the link to register on pentester la.com and now I will uh go go to the uh

well to uh to the CTF statistics actually first so uh just to well give you an idea there have been 65 uh different users registered on the platform 27 different teams and I I guess some of the users and teams were also doing it remotely and out of the 27 teams uh yeah I think 11 wait yeah only well 12 of them actually scored so uh I will change my uh my my window just one second

so all the ruffle draws that we just did if you don't mind taking a picture of your raffle ticket and then email it uh info@ bpa.org and then you'll get a voucher link to to activate the account from penter

Lab okay do we have the city F players here or is anyone still

missing okay let's give them another minute there are more people

[Music] coming uh just one question the third team there are you here in the room or the third one okay and you are the first team cool well uh as you saw earlier uh the three first teams are uh padon so the first place is for the poson team can you come on stage I'm

which uh well uh it's a you did a great job guys to to get in the first place and we will write your names afterwards because we don't know your names so we only know your nicknames and uh you well we have some prizes here from Bon and on top of the the prices here you will also get like six months vouchers on pentester lab like each of you and yeah congratulations on uh winning the first [Applause] place do you want to say anything or no it was a very nice we enjoyed being here thank you

wait okay and the second team is the not found team can you please come on stays [Applause]

we found you congratulations for uh winning the second place and some of you have been play well have been taking part of L year CF so good job [Applause]

and I forgot to mention so on top of the let's say physical uh prizes uh that blown and will distribute to them they also have each one uh voucher for uh ISO 27,1 certification by treser uh which is one of the uh sponsors of of the city F prises so you will have some well some additional let's say certificates in in your resume and the third place for free Wi-Fi can you guys come up on [Applause] stage so you need to be for where where are where are they

[Applause] congrats okay one important fact all uh three first places of course like for the people that were onite are from Albania so well done guys congrats [Applause]

okay guys with that being said um

sorry

another okay let's all three places I guess uh come to the state so we can just take a picture together of all winners I guess guys you all know each other you probably even travel together

I guess you're going to make a lot of trips because there are so many presents so you want me to help you any presents for us no I'm kidding I'm kidding

congrats guys thanks again all the

best okay great you should maybe share that with us so okay okay guys so with that uh we will conclude the Third Edition of bides Pristina thank you so much for taking your time uh the speakers uh organizers host and our sponsors we hope to see you again next year thank

you

e e

BSides Prishtina 2024 - Day 2 Live

Related talks