
[Music]
Morning. English. Good morning everyone, thanks for taking your time to attend Third Edition of BSides, uh, Pristina. Uh, first and foremost let me just go and thank our host, University of Pristina, also our esteemed speakers, uh, some of which are, uh, flu and some of them are here for the first time, so I hope they like Kosovo. Please make sure you make them feel at home. But nevertheless we also like to thank our local speakers as well, and our sponsors, uh, some of which they have been supporting us since the BSides Pristina inception. Speaking of sponsors, uh, I know that some of them are also hiring, so for example pra Bon econom and salonist, so they do have their booth, uh, upstairs. If some of you are interested in any of the positions, like internship positions, specialist in information security, cyber security, please, uh, reach out to them. Okay, let's see what else. Uh, I would like to thank organizers Dardan, Valiran, Gim, and then most importantly FLOSSK as well, yeah, well, all volunteers from, from FLOSSK. And then last but not least, thanks very much for taking your time, uh, to be here with us. Uh, this is a two-day event. Uh, agenda is posted online on our website. We do have some awesome speakers and some workshops. Uh, workshops are being held, uh, on the other side in the Venture UP, uh, offices. I know that some of people already registered for those workshops. If you didn't register and there's a spot, you can feel free to, to join those, uh, workshops. I'm going to pass it to Dardan now.

So, uh, thank you everyone for joining for the Third Edition of BSides Pristina, and, uh, first of all I would, I would like to, to thank all the, well, speakers. Some of them came from really far away, some, some others from closer, and, uh, as Arian said, there are a couple of workshops going on in parallel, so, uh, well, if you have registered, feel free to go. If you haven't, uh, and there is a spot free, you can also join. And, uh, I would like us also to, to announce that we have a capture the flag competition that has been developed by Bon, he's sitting there, from Permiso. So the CTF will open at 5:00 p.m. today and it's a 24 hours, uh, well, capture the flag competition. Some people already registered for it, so feel free to register. There are some cool prizes and, uh, well, in addition to the, let's say, physical, touchable prizes, we have some vouchers from pent lab for the first, uh, well, place, in addition to other prizes, and we have some, uh, well, some other vouchers from trer, uh, well, certification, uh, company. And, uh, yeah, feel free, feel free to compete and to, to, to win, to win the first place. Uh, and, uh, yeah, looking forward to, to have fun for this third edition with all of you. So, uh, uh, there is also the raffle game, game that we, uh, had last year, so, uh, after the, well, keynote speech you can go to the registering desk and pick up a raffle number, and, uh, later today and also tomorrow we will do, uh, the raffle and we will pick some random numbers, and there are, uh, some vouchers and prizes to, to win as well. So even if you don't win the, well, the CTF, you can win the, uh, the raffle. And, uh, yeah, that is it for now, and we, uh, I'm turning back the floor to toan. So great, thanks
[Applause] D. Okay, so it's going to be pretty interesting for the next two days, uh, a lot of prizes, great speakers. I invite all of you to network, to, to widen your professional network, and let's have fun. Uh, without any further ado, I would like to invite our keynote speaker Brian Harris, who's going to be covering, uh, the physical security, well, mis-, misconceptions about physical security. [Applause]
okay um
Yeah, my name is Brian Harris. Uh, I currently am with a company called Covert Access Team. I operate in both the cyber and the physical spaces. A quick little background about me: um, I've been all over the world, I've been doing for almost 20 years, and I've worked for major companies, NCC Group. Uh, I've had lofty titles like director and defensive security regional manager. I've worked for smaller companies, I've worked for my own. Um, I've had the opportunity to do a lot of physical, uh, engagements over the last 20 years, uh, everything from IT environments to OT environments, um, and it tends to pigeonhole me into a lot of physical stuff. So I'll just skip all this, we got a lot to do.

Um, so why are we here? Why is this talk going on? Well, all of you are in some ways in cyber security, physical, cyber, whatever it is. The cyber secur- if you jump on LinkedIn or Exploit-DB or anything at any given time, you know that there's tons of CVEs coming out. In fact, if you've missed out on a CVE, if you've taken a break for about a month, chances are you've missed out on tools, you've missed out on exploits, you've missed out on something, right? This is being, being constantly updated. It's new tools, new exploits, things are coming out every single day, possibly every single hour. But what about physical? Well, anybody know, is there even a database for new exploits on physical security? What, what is an exploit in physical security, right? This is something that most people have no idea about. I spend most of my time running physical audits, training other companies and organizations, uh, and then running physical engagements.

What I usually say is this: no self-respecting company today is going to say the following things: we have no idea what a cyber pen test is, we've never done one, and we don't see the value of it because we have antivirus and firewalls. If any company said that today, you should leave that company immediately or, you know, just roll your eyes. But most companies, most organizations, even governments will say: we don't know what a physical pen test is, we've never done one, and we don't see the value of it because we have alarms and cameras. And it's the same thing, it's literally the same thing. In fact, in a lot of ways it's worse. Anybody who has any influence, you probably have a number of ways of, how did you, how did your company, your organization increase their cyber security last year? You went to training, you hired new guys, you paid for licenses, you did everything you could to increase your cyber security. But how did you increase your physical security? Nobody ever has an answer. They're like, well, we get, why would we? We have fences, we have razor wire on top, we have some cameras, we hire some third party security company, that's all we need, right? I'm like, no, it's not all you need.

So one thing to realize is that, and all of you know this, you can do things with physical access that you simply can't do when it comes to cyber. So when I was working at certain organizations, I do a lot of what's called PCI compliance, or more of the offensive side of it. Basically what this is, is that if you want to be a bank, most governments in the world, especially the Western world, will force you to make sure that you can't go from the internet and grab hold of the mainframe where all the, uh, the payment card industry, your credit card information is. Okay, there's some type of segmentation that separates the two. Great. And typically what happens is that you go on site, you check, you're like, yep, you're, you have not changed anything from last year, I cannot go from the, the internet directly to the mainframe. Good job, gold star, you're secure. But if I break into the bank physically and I just go to the mainframe, you're screwed, aside, assuming that I'm one of the 10 guys on Earth who know how to hack a mainframe.

Similarly, every single person at your home, your office, wherever, you have what? You have, uh, cell phones that all connect to the internet, right, connect to your router. What did you have to do the first time you did that? Typically you had to type in a password. Well, 99 times out of 100, if you just plug into your router directly to the, uh, to the ethernet cable, you probably bypassed all that, unless it's configured in a really secure way. There's a lot of things that you can do that bypass cyber security as long as you're physically there, and the point of this talk is basically to demonstrate that. It's basically to take a whole bunch of things that most people take for granted and have absolutely no idea about security, and hopefully maybe scare the hell out of you, but also just kind of
educate people on what is physical security.

So when you're running an engagement, I hear this a lot when I talk to people at really big companies. They say, well, we have a 100% success rate of getting inside your building when we run a physical engagement. It's like, well, good, good for you, so do I if I have a brick, right? If I throw a brick through your window, I have 100% chance of getting inside. But who cares? If I take five steps inside and I'm immediately arrested, nobody cares. In fact, they look at that as a win, right? What they actually care about is three things. You know, were you able to get in? What did you do after you got inside? Did you have persistence, meaning did you come and go as you pleased? Was it a one-off, did you run into the building, tailgate in somewhere, grab something and run out and it was a one-off, or were you secretly inside the office, inside the government agency, for over six to 12 months and nobody knew that you were not supposed to be there? Well, that's super important. And lastly, did you get caught? These are the things that you actually care about, these are the things that organizations care about.

And unfortunately, for most organizations, what they will do is they will sell a unicorn. So nine times out of 10, 99 times out of 100, they're selling web apps, they're selling mobile pen tests. If you're working for a security company, that's what they're selling: web apps, they're selling network tests, they're selling these types of things, right? And every once in a while they'll sell a red team engagement, or a TIBER here in Europe, which is basically the same thing, just kind of handti. And a part of that might be, well, hey, you can do, you can try to break into the client's place. You know, we can spend six months trying to break in through the internet and the network and this and that, and you can spend four days, may-, maybe two days trying to break into the building. It's like, yeah, okay, great. So what happens? Well, you send Bob the web app guy to go try and break into the building, and what does Bob know? Well, he, maybe he watched a YouTube video on how to lockpick, maybe he owns a Flipper, and, and that's usually about it. You know, I'm gonna try to tailgate, and that's basically all I'm going to do.

But there's a whole litany of skills. Anybody here who's done pen testing probably knows that you can't take the web app pen tester and he's just good at mobile testing. Similarly, you can't take a guy who's really good inside the SOC and turn around and have him go do a pen test. These are not interchangeable skills. There's a lot of overlap for sure, but being good at one does not make you good at another. Similarly, if anybody here has ever done a pen test and I said, okay, I've got a web app, I'm a client, I want you to pen test my, my application, right, what are you gonna do? You're gonna first negotiate with me, maybe it's five days, four days of testing, one day of reporting. Okay, that's fine, that's reasonable. But what are you not going to do? You're not just going to go to the web app and say, well, I threw a cross-site scripting attack on the login portal on the user input field and called it a day, and said, okay, that's it, that's the whole test, right? That's bordering on fraud if you did something like that, if you said that was the entire test: I threw one cross-site scripting attack at one thing, if it worked great, if it didn't that's fine, it's going to go in the report either way, but that's the entire report. Well, but now go take a step back and think about, well, how did most people break into buildings? They try to tailgate or they try to clone a badge, and that's all they've got. Well, that's basically the same thing. You've got to test everything you possibly can in the time you're allotted, well, within what's in scope.

In Europe you have a few security standards that are coming up. Uh, they've been pushed back a few times, allegedly they're going to roll out around October: NIS2, CER, DORA. These are all basically, well, not all of them, but a lot of these basically, in vague, scary Brussels language, say you have to increase your physical security, especially in critical infrastructure. I'm sure everybody here knows what the, uh, the Nord Stream bombing was, and other types of infrastructure, you know, issues. These are the reasons why governments say, look, if you're in certain industries, critical infrastructure, uh, or any adjacent, you have to increase physical security, you have to increase your physical pen testing, you have to. Now, there's a lot of cyber aspects to that, but you have to increase it, and I will tell you, from doing this all over Europe and all over the world over a long time, most organizations are woefully underprepared for this. The problem is, is that you're going to lose about 2%, I think it's 2%, of your profit, uh, annually if you don't comply with this, so a lot of organizations are kind of scared.

But now, the rest of this talk I'm going to go as fast as I can, so apologize for that, it's lot to cover. I'm going to try and, I'm going to try and, uh, show you a lot of what is wrong with physical security
because there's a lot of misconceptions, and you'll see what I mean in a second.

You guys are in Europe, I guarantee all of you know what this is, right? This is a standard Euro cylinder lock. You put the key in. That, on the picture on the right over there, that little middle black bit, that's the little cam. You turn the key, that operates the locking mechanism. That's all that it does: putting a key inside turns it back and forth, that's it. Okay, now, now what's the problem with this? By the way, the, uh, the one on the right was something that I saw just the other day, uh, when I was here in Kosovo walking around. Notice how it sticks out. Shouldn't do that. Now, there's a reason why it shouldn't do that. It doesn't matter if it does, you can, you can do what I'm about to show you either way, but I have a collection of these from Europe, from one I've been running around, and I've broken them in half, and you'll see in a minute how easy this is. This is just simulating being in a door, how fast and effortless this is to snap these in half.

Now, where did that break in half? It broke in half in the middle. Well, what's in the middle? That little cam, that little operating system, right? So if I break it in the middle, in the picture on the, on the right at the very bottom, that's where a single screw would go in, okay? What that is, is that the entire point of these little Euro cylinders is that you remove one screw, you take the entire thing out, you can put a new one in, and you can real fast. Okay, why, why do I want to break these? Why do I want to snap these in half? Well, take a look at these. I'm going to give you a couple seconds. Are these the same lock? It's the same door, it's the same mechanism, but is it lock? And the answer is no, it's not the same lock.

What I've done is I walked up to your door. The attack vector looks like this: I walk up to your door, I take a picture of your lock. I operate a lot in Denmark, in the Nordic region these days, so I'm gonna, it's always going to be a Ruko lock. I take a picture of it. I need to go buy that exact same brand in the exact same keyway. Okay, fine. I come back to my place or wherever I'm operating out of and I repin it in such a way that every key that fits inside there will work. Now, there's ways to do this and it's not hard. So I now have your exact same make, your exact same model of lock that's repinned so that every key that fits in there is going to work. Okay, I come back when there's no alarm on, usually in the middle of the day. I snap that lock from the outside while it's locked. You saw just a second ago that it's not hard, it takes really quick. Now that there's no lock inside, I can just unlock the door, open it, and replace it with my lock. Why did I do that? Because every key that fits in that lock will work. The victim's key will work, but my key will work, and unless you're really, really, like, observant, you won't notice it's not the same lock. I now have persistence into your facility and you have no idea that I do, and that entire attack vector takes all of 10 minutes.

So again, this is something that most people aren't even aware as a thing, right? Most people, and I be-, I challenge you, when you go home tonight, take a look at your lock. Have you ever looked inside of it to see, is that actually my lock? No. Is, are you running some type of Euro cylinder lock? There's a good chance you are. Now, some of these are resistant to snapping it, which is breaking it in half, or drilling it. So if it's totally flush, I would drill the lock. Some of them are, they'll tell you right off the bat, they'll tell you, look, this thing right here, this little middle bit right here, that's anti-drill, means that I can't drill through the lock. The little cut out on the back end, that means that if it does snap, it's not going to break in the middle. Well, how would I know that as an attacker? See that little thing on the very front that says Yale, three star, star, heart, whatever? I don't know what all these things mean, but when I take that picture of it, I'm going to go look it up and I'm going to say, oh, okay, well, I've looked it up, I've Googled it, and it says, oh, this is anti-drill, anti-snap, so I can't do that to this lock, I'll try another lock. It tells you right off the bat what you can do. Now what about these?
This is another variation of this. This is a little thumb turner. You'll see these sometimes in shops at the front door, you'll see these sometimes in interior doors. But you'll notice what you're seeing here is how it's supposed to work: you got a key inside, it turns the cam mechanism, great. That is not the key, right? But what you'll notice is that it takes me longer to get that inside, and I'm still operating it, because it's not secure. So yeah, you might have spent 20, 30 bucks on a lock like that, but it's not secure.

Now, the minimum amount of damage when you're running one of these engagements, one of your, often times you don't have the ability to just destroy stuff, and if you do, it's usually the minimum amount your client's going to let you do. So what about this? Now, this isn't something that I did, but what if your client comes to you and says, hey, we noticed this tiny, tiny little hole, about this big, in one of our doors, is that an issue? Anybody think it is? Well, here's the video of how that hole got put in. Now, this is going to be pretty damn loud, but what he's doing is he's making a little hole right in the middle of a steel door. Why would he want to do that? Why is a small, tiny little hole useful? Well, because there's a crash bar on the other side of that door. Everybody, uh, those little things that you push in and the door opens. Hey, door open. Now, that's a solid steel door, that's a heavy, very expensive door, defeated by a hole about this big. Now think of it this way: you have a letter box in your front door, that's a hole. If there's a hole in your door, that'll work, well, assuming you have a crash bar. Now, there's other ways to go about it, so there's lot.

Now again, these are just some things that you can do, and the whole point of this talk is basically to show you there's a lot of things with physical access that you can do that you can't do with, with cyber. But if I get inside, think of it this way: if any of you have jobs, I guarantee you already know how to break into your own buildings, you, or at least have good ideas. You know what's insecure, you know what employees are wearing their badges outside of work, you know who's propping the door open to go take a smoke and walking away. You know all these things. The goal of an attacker is to figure it out, but you already know them, right? You know where the server room is, you know where all the good stuff is. That's my job, I have to figure all that out and
then go exploit it, but you already know it. So, I mean, just keep that in mind.

Now, you may say, okay, well, nobody uses physical locks anymore, right? That's, they did do, but we're moving today to access control systems, right? Cards, ID badges. I'm like, okay, that's great. Well, first thing to keep in mind is that there's usually, assuming that it's not a self-contained access control system, two languages that they're running. The front end, which is the communication between the card itself and the reader. So this is, you know, if you've got a, if you got an ID card, like I've got my little hotel badge here, and you swipe that card, there's a communications between the door, uh, or the card reader and the card. That's usually communication one, or the front end. Well, there's usually, I mean, there's three technically, but there's low and high frequency. The only one here that is actually secure as of today, well, really secure, is the one in green. So what's the probability that your card is actually secure? Now, the reason for this is that all the other ones, you can either decrypt, the encryption scheme is basically completely broken. You can think of it in the same way that, uh, MD5 is not really a secure protocol anymore, so you can think of it that way. Now, some of these are so-so secure, or you have to go a few extra steps, or they're really close to being broken, but the only one today that's actually really secure is the one in green. So what's the probability that your office, your work, your thing, whatever, is actually running a, a secure front end? Well, probably not, not great. I mean, the hotel card that I'm running right now definitely isn't, I checked.

Now, when you want to clone a card, generally speaking you'll use something like this. You might use iCopys, Chameleons, long-range readers, uh, Proxmarks, Flippers, whatever, you might use something, right? Well, okay, and that's fine as long as you have what? You have the badge. As long as you have access to the badge and you can put the device on that, or you have a long-range reader and it's close enough, usually about, maybe about this, then you're fine, you can clone that badge, assuming it can be cloned. But here's the trick, or here's a thing that you should know: your phone actually has, can operate as a reader. This little thing that you're looking at here, uh, instead of a card, it's basically just a little antenna. What do you notice in these two pictures? In one picture there's a light on, in one picture there's not. Well, that's because it has to be a certain orientation in order to pick up the energy to P that that it's producing. The card reader is putting out a bunch of power, the card or the is using a small antenna to take up that power and power something. Usually it's a chip, in this case it's an LED. What do you notice? Well, in one of these it's working, in the other it's not. So that makes, that's, that's a difference, right? If you have a badge that's sitting out on a desk and I've got a long-range reader in, like, a shoulder bag, I can't just get close to the card and have it work, because the angle isn't right. So if you want to actually clone a card that's sitting on a desk clandestinely, maybe the person sitting right there, you actually have to put the device basically on top of it. That's an issue, right? That's fairly suspicious.

But you, what if you did something like this? What if you used an extender? So here, what you have, you have any of those devices that can clone a badge, you have it in your pocket, and you have a small wire that runs up to your palm of your hand, maybe you're wearing a glove, maybe not, and then you touch it. So here's a real life story of how this works. Often times in the front desk you will have a bunch of guest badges, extra badges, lost badges, etc., and they'll usually have those right behind the front desk. So in many organizations you can get into the lobby as public, right? Let's say
you're doing a bank. Well, everybody can, this is what's referred to as embedded recon, right? You can get into the building under false or real pretext to look at the, look at the security layout, maybe clone badges, maybe, you know, whatever. Everybody can go into the lobby of a bank. Why? Well, because maybe you want to open an account, maybe you're having trouble with your account, maybe you have, you know, whatever. You can go into the lobby of a bank and that's not suspicious, you're supposed to be able to do that.

In this particular case, this wasn't a bank, this was a, a, let's just call it an organization that sells really expensive stuff, right? Not physical items, but things. In this particular case I could go into the lobby, and I did. I went into the lobby, they had a, they had a cafe in the front area, and I got a coffee and I sat there and I watched. And what I noticed was that the front desk staff had a bunch of access cards basically sitting right behind their, uh, right behind their desk. In this particular case, what I wanted to do was I wanted to get access to those badges. So what I did was, I noticed that there was a lot of people who could come into this organization and set up a meeting. This is an organization that wants to sell you things. So I called them, you know, not when I was in the bank or in the facility, but I called them and I said, I would like to set up a meeting, I'm interested in buying your product. We set up a legitimate meeting. I was coming in to get a real badge.

I was there with, with a colleague of mine. We show up, he's in line waiting to get his little badge, I'm off to the side pretending to be on a phone. I'm standing off to the desk, you know, pretending to be on my phone, pretending to be on a call. I've got the reader in my, uh, palm of my hand, and we purposefully set up the most obnoxious name possible for me, so think of the worst, most long, most hard to pronounce Indian, whatever, ethnic name you can possibly think of, and that's my name, right? So my colleague walks up to the front secretary, she's got all these badges everywhere, I'm standing next to one. I'm wearing fake glasses, and that'll be important in a moment. And she gives us the badges and he goes, look at how they spelled your name, and I pretend like, like I can't see with my glasses, and I lean over the desk. What did I do? I put my palm on the card. I leaned over the desk and, oh, that's so funny, that's how all these people, that's how all these, you know, people who don't know how to pronounce my name. And we're talking to the secretary while I'm leaning over and I'm pointing out, like, oh no, no, no, it's actually this, this, this. Well, the secretary feels really bad, right? It's her job to do this and I'm telling her that she's screwed up, so she's not going to tell me get away from my desk. So in that time I've cloned her badge, and I step back, and then she, she, you know, nervously and anxiously, you know, makes a new one real fast and gives me one, and we put it on and we go and have our little meeting and we leave. But now I have a real badge, I've cloned it, right? So again, now I have free access to come and go out of the building, because now I can show up later, give that to one of my colleagues, ID, and they can come in and they got a real ID badge. So again, this is, these are ways, these are tricks, these are techniques that you can come in and get persistence and do different kinds of things.

But what if you don't want to clone a badge? What if the badge can't be cloned? That's possible, maybe they're running something awesome. Well, the badge reader is also vulnerable. You can pull that thing off the wall, it's, it's just a
device. What I've got here is I've got a little HID reader, and that little thing in red is a tamper switch. Basically it's just an optical thing, think of it like a flashlight that needs to be reflected. Now, you can have different types of tamper switches, but the issue with tamper switches is that they're, it's really important, is it wired? So you might have one of these, if, let me say this way: if I pull that off the wall, it's possible for me to do something to steal your data, assuming that it's vulnerable, uh, when you badge it. But if I do pull it off a wall, you expect there to be some type of tamper switch. Well, the question is, um, is there actually a tamper switch? Is it actually wired? And if it is wired and it's alerting, does anybody care, or does it just go into a massive log file that sometime, somewhere, somebody can go check? All these things have to actually be done in order for it to matter. I've pulled a lot of card readers off walls before and most of the time nobody notices.

Now, this is a really, really simple access control system, okay? You got the card, the reader, you've got the, the little controller on the other end, the door, and then something that's locking: maglock, an electronic strike plate, something. Well, I told you there was two types of communication, between the C- the reader, and the reader and the controller, generally. Well, if I get access to that red cable, that red cable nine times out of 10 is using a 1970s protocol called Wiegand, which is basically just a hex number, unencrypted hex number. So even if you're using an encrypt-, an unencrypted, or sorry, an unclonable ID badge, if you're using Wiegand on the back end and I can pull that card reader off, I can steal it, and all the, all the controller is going to see: card number five, is card number five valid, yes or no? Card number seven, is card number seven valid, yes, no? And I can grab that from that red wire and replay it back to the controller. So that's an issue.

Some card readers, most people don't realize this, but some card readers actually can read multiple cards. So if your card reader can read multiple cards and you've got some awesome unclonable badge, but it also reads really crappy, easily cloned badges, well, I can just give it a really crappy, easily cloned badge and it will, the controller will see the same data, because the card reader is just decrypting it and sending it to the back end. So that's an issue. This happens all the time in major organizations. I'll pick on the police for a minute. What do the police have? Lots of facilities all over the country, right? It's not like the police have a single place. Well, it's not just the police, what about a major organization? What about a company that has a hundred different facilities? Okay, what if they're trying to upgrade their access control system from a crappy clonable thing to an unclonable thing? Well, they're not going to do it all at once, it's very expensive, time consuming. So they'll usually start the headquarters and they'll slowly percolate out over time, maybe years. But in the down time you need to be able to get access to that, so usually what they do is they use multiple, multiple card readers that can read multiple types, and this is again a vulnerability.

You can steal this type of backend technology with something like this little ESPKey. I pull the card reader off, I plug that into the wire itself, it sits as a man in the middle, and then every card that comes through is going to grab that backend Wiegand data, assuming that's what they're using, but it's 80% the globe. And then I just come in with my phone and I say, oh, about five hours ago Bob Smith with card number five went through and the C-, and the controller said it was valid, I'd like to replay card number five please. Sends it back to the controller, says, yeah, sure, that, that's a valid card, and I get in the door. Again, that's an issue.

This is a brand new thing, uh, not, I mean, it's not, this is a company, uh, uh, Practical Physical Exploitation, they're in the US. What did he just do? He just stole the reader. Why did he do that? Well, what this thing is doing is it's literally a deployable access control system. I just, just put this on a door that doesn't actually need it, and if I can trick an employee to badging in, I steal your data and then I can just leave with a thing. So yeah, that's a thing. Now, if I need to get to the back end of your wiring, I may not actually need to take it apart. If you set this up improperly, I might be able to get to the
wires without actually having to do anything now here's a question for you you can be rhetorical or you guys can shout it out either way who in the organization has the highest privilege of access who has who in your organization your company your work whatever can get to the most places who has who's the ability to go from the top floor to the bottom floor to the basement the CEO's office the board of directors to whatever right think about it now who has the most security training who is the most security aware the IT staff the security guard the CEO who actually has the most training well when I break into buildings I typically exploit these
people because they typically have to get everywhere they have the least security training they're the least paid and they don't care they are paid almost nothing to clean the toilets and mop the floors and do these kinds of things okay but their badge gets them everywhere so if I use that to make a buddy so let me let me point it out like this what do you see in this picture it might be kind of hard most cleaning staff will have a trolley right just like you see in this picture they usually have like a a thing that holds all their cleaning products well I will tell you from doing this for almost 20 years most
of them will put their ID badges and keys on that trolley and when they go clean the bathrooms they'll just leave it there for 10 minutes at a time it's good to know I can steal that badge I can clone the key I can clone anything now let me ask you this let's suppose that you're working in a major organization and the CEO of the cor of the organization walks up to you personally and says wow you look like you're working really hard I was just about to go get a coffee could I get you one your impression of that CEO is probably going to be very different now right you're like wow this guy doesn't
have to be nice to me he's way the hell up here as far as the company goes and I'm way the hell down here I'm an intern I'm a college student I'm you know I've been here for five months he's the CEO he doesn't have to get me a coffee okay I like this guy he's nice right well the difference in importance pay Etc to the company between you and the CEO is about the same difference as you and the janitor so if you walk up to the to the uh the guy who's cleaning the toilets and you're like hey man I'm about to go get a coffee you look like you're working really hard could I get you one
chances are he's going to look at you with wide eyes like he's seen you for the first time and go yeah thanks that's really nice that'd be great you just made a friend that friend's going to trust you you build rapport with that person he might hold the door open for you he might help you with something he might give you information that he shouldn't he might leave you alone with his keys and access things longer than he should making Rapport now when it comes to once you're inside the building after you've gotten inside what do you do right well I will say from working on many many countries all over the world every organization
seems to by law have to have one of these they all do every one of them every major organization has this giant industrial printer now despite the fact that they're all on wheels nobody moves them not even the cleaning staff and I know because I move them that ethernet cable if you look in the bottom left of that picture is almost always open and unfiltered right because they everybody needs to be able to print crap well okay I can put my little man in the middle devices underneath that big printer and use that open unfiltered ethernet port and nobody's ever going to find it why would I want to do that right well one of the one of the benefits of doing is
that if you use something like that as a man-in-the-middle thing you're on the network for sure but if your man-in-the-middle device is operating on a SIM card any one of your colleagues anywhere in the world who knows how to connect to it is just on their network instantly and because it's not using Wi-Fi or their internal network it's using the cell line they can't see that data being exfiltrated it's not on a communications channel they can see so now I'm in London and I just plugged in one of these devices underneath your printer and my buddy in Bangladesh is on your network on the cell line and you can't see it that's
useful often times you know well so it's it's uh yeah you have to think outside the box but when it comes to bugging things and I said that you can do things with physical that you can't do with cyber usually when you're doing network tests or internal test everything is about AD I'm gonna get to AD I'm gonna get to AD I'm gonna get to you know I'm gonna do this and then the test is over right well that's not quite so with with physical what about like something like an HDMI man in the middle right what if I really wanted to steal this presentation right got an HDMI cable okay I put an HDMI man in the middle and
I've got some type of audio bug on that device as well so now I can hear everything and I can see the I can see the presentation right great yeah this is a great presentation I'm gonna steal it slide for slide and everything that's said okay but where else might some HDMI man-in-the-middles be useful well a lot of places ATM machines for instance the backs of you walk into the corporate boardroom there's always a big TV you think anybody's ever looked behind that TV to see if there's an HDMI man in the middle nope I know because I do it all the time I leave them there purposefully to see how long does it
take for somebody to find it you think that your competitors when you're think of it this way you think that inside the corporate boardroom anything is being discussed the employees might want to know oh hey in six months we're going to lay everybody off oh hey the source code for all our most important crap is this oh hey you know this thing that we're trying to do is not working out so well I really hope that our competitor doesn't know this yeah there's a lot of information that might be going on in corporate boardrooms there's also a lot of information that might be going on in client meeting rooms that you could steal corporate espionage is a
real thing happens all the time so yeah like there again there's the attack vectors for physical are not the same what about security cameras right these increase security right these are just something that oh well we've got security cameras that increases things well not so much if I told all of you to take out your smartphone right now and start recording a video how many people here think that you're you'd still be recording video tomorrow none of you your phone would like flip you off and say you have no more space available right yeah because they're bloated file sizes 4K 1080p whatever you're running well most of the time you're running some type of third party uh security
company think of how many 4K video feeds they're pulling in at any given time from however many clients how many ever I mean think about this building alone how many security cameras do you think are in this building total now think of how many video feeds that are at one time that's a lot of file size right so usually what happens is that if you look in the fine print of your third party security company after about three to five days they wipe over it why is that valuable to you well that means that if you broke into the building or you did something and you didn't get caught for two weeks there's no record that you
were ever there because there's no video camera evidence even if you were in front of a camera doing something if nobody noticed you did something bad for two weeks the feed has been wiped over because again bloated file sizes now when it comes to wireless cameras you can deauthenticate them just like any other wireless device now I do not get paid to steal water bottles but this is just a little demonstration that yes you can absolutely deauth devices and steal anything that you want and if the device is powerful enough and you know that they're running wireless cameras as you move through the facility you're just a ghost it just you weren't there because every time you get
within range of a wireless camera it gets kicked off the network and it's not actually recording well let me rephrase that it is actually recording you but it's not sending alerts so what this camera should do at the very top of that cell phone you should see an alert pop up that said hey there's motion I see motion but I've deauthenticated the camera so no alert trigger but if you watch the camera what I'm going to do is because that camera has a SIM card in it even though no alert was triggered because the camera was kicked off the network while I was actually screwing with things and stealing this coffee cup the SIM card caught
it so what you'll see here is that when I go to the memory of this uh wireless camera eventually it actually saw and recorded exactly what I was doing even though it was kicked off the network because it was locally recorded again useful information but most people aren't aware of this now that said if you are already deauthenticating a camera and you have access to it you could just steal the SIM card and then there really isn't any you know memory that you were ever present so and by the way with wired cameras they're more expensive and that's usually why you don't see them as often except doing major facilities but with cameras they're usually running on a
ethernet cable or some type of RJ45 you can unplug that you can plug that directly into your stuff and get on their network even from the outside if it's hooked up poorly so going back to this uh this thing right here do you think that there would be anything that stops you from unplugging that and plugging that directly into your device no that's a pretty bad setup when you see security cameras wired cameras look around see if you see stupid stuff like this go out on that terrace right there and look left you'll see one this right here by the way is a myth you do not have this this is not what happens you don't have some poor soul
who's sitting in front of a wall of monitors all the time what happens with security cameras is that if something has gone wrong if something has stole been stolen then they go back and they try to retroactively see who did it what happened right but again if you weren't caught if if nothing was triggered no alerts came off for at least about about a week there's no record you were ever there now this popped up on my feed the other day and I thought it was hilarious so I thought I'd include it uh again talking about deauthing cameras somebody's using a drone with a trash can to cover a camera again funny but it works and if you you know if you're not
actually monitoring this actively well hey I mean you've covered the camera great good for you so again deauthentication now I've dealt with a lot of clients who have discovered bad devices uh inside their facility somewhere and they say hey what do we do we discovered this really weird device on the back of a uh corporate boardroom we don't know what it is we don't know what it's doing can you come and take a look we already went to the police and there's no fingerprints well how does that work well anybody here have glasses you know those little alcohol wipes that you can run over your glasses to get smudges off well they have a little
alcohol on them after you plant the device if you wipe off that uh with that little alcohol swab there's no fingerprints anymore so if now put yourself in the mind of a security operative your company has just discovered some weird device on the back of the corporate boardroom or underneath a uh a table somewhere and you don't know what it does and you call the police they don't know what it does and there's no fingerprints and you went back to the security logs and there's no videos in the last week of anyone coming into that room and putting something there what do you do right what do you do think about it it's tough it's
tricky now one of the things that I enjoy are safes because safes are hilarious safes are where you put all the good stuff right because that's secure safe is awesome safe is you put all this stuff that you don't want to be stolen but what do you notice about all these safes and many more they're electronic well what happens if the battery dies what happens if you forget the code what happens if an EMP comes or or whatever and you can't plug in the uh inside the data and to open it up well they all have what's called mechanical overrides mechanical overrides are just these little tiny uh usually a cross lock or a little tubular lock and it's
going to take me longer to show you that this is locked than it is to actually open it so you can use something called you can use various tools to get into these types of locks but it's not hard and if I get into the CEO or the boardroom or wherever and I find a safe that's not properly set up or it's you know a $1,000 safe with a $10 lock I'm going to go after the $10 lock and that's how fast you can open them up they're not hard it's not hard these things how many people have seen these right they're freaking everywhere every Airbnb in the world most corporate offices they'll have stuff like this outside the
building with little keys RFID badges something inside of them well when I teach a class on how to break into buildings within 10 minutes of learning how to do this people are breaking into these stealing keys cloning keys physical keys you know ID badges whatever the picture on the right by the way actually shows you the exact building they actually taped well this this lock goes to this building and this lock goes to this building and this floor and this it was ridiculous right it literally tells me like what I'm supposed to be doing but it's not just about outside what about inside well sometimes when you break into a building you're gonna have key boxes inside because they
they're trying to solve security they're saying okay we're keeping all the important stuff all the records all the data we're keeping that behind lock and key so you need to get access to a key box once you're inside okay well it's the same thing what happens if that's easily to get if that's easy to get into in the US or most places a lot of things are keyed alike and we'll talk about that in a second um anybody know what the symbol is this is the TSA symbol this is the symbol that basically says you can use this lock on your luggage and you'll see that on the bottom right basically that just says you can use this lock for your
luggage when you fly you know wherever you're flying and the reason for that is simple you don't want a million different brands a million different locks because how is the how is the security at the airport going to check oh hey it looks like there's something weird in this luggage we've got to get inside of it and see what the hell it is right well we don't want bolt cutters to cut into every freaking lock we want all the locks to have one key and that one or two or three keys will get into every lock that's called keyed alike or master key system well that TSA lock gets into well there's about there's like three or
four but really only two keys that will get into every single piece of luggage so that's got to be really secure right that's that's got to be like a really secure lock because otherwise any person go to the airport any person go anywhere that there's luggage and steal everything from any of those locks it couldn't possibly be that I could go on to Amazon for $10 and buy these which can you can go on to Amazon right now and buy these two locks and or these two keys and steal whatever but it's not just luggage there's a lot of things that are keyed alike construction equipment elevators cabinets police cars in the United States uh like all kinds
of stuff are keyed alike you buy one key it opens everything that's important to know why is it important to know because it often gets used for crap like this this is inside London and this is somebody who has stolen basically a dozer with a crane on it to break into a building to then steal an ATM machine I mean hey it works right and this is again now I question the the legitimacy of this because you're stealing something that probably cost hundreds of thousands of dollars to steal something that might have $50,000 in it but hey the money is easier to you know use than the big dozer so again like you can
steal a lot of stuff now in the in United States it's not just the stuff either you have things in the United States you have what's called the Arrow key this is something from the the Postal Service one key opens every single mailbox in the entirety of the United States right it's supposed to be that way that way the mail guy can go in he can open up every single mailbox anywhere unfortunately those get lost and stolen all the time so now everybody who wants it knows exactly what that key looks like and they can go and steal anything from any mailbox that's an issue in the United States we don't typically use those little uh Airbnb
keys for secure things we use what's called Knox boxes which are really really secure really hard to get into steel boxes unfortunately the keys for those get stolen too so there are criminals out there right now who can get into any of these and those keys open up every door in a building they're specifically set up for EMS emergency services cops firefighters EMS so that they can open up every single door in case Grandma's had a heart attack or the smoke alarm went off or whatever else yeah you can steal those you can get into OT environments too these things these wind turbines by the way it's not just IT it's OT as well you can get access to these easily get
access to these um it's not hard the cost of building one of those things by the way is about 2 to million and it takes about one to three years to get up and running so that's a lot of money that you can mess with now this is not just about when I break into buildings it's not just buildings it's not just all I do there's a lot of other things one of the things that I do most often is play basically war games with companies governments organizations Etc trying to help them think through problems okay so right now you guys are going to play that role you're going to play my role you're going to be the pen
tester you're going to be the the physic guy right I've picked a random city completely at random and your goal is to find out how could you remove power from the city for at least one year okay so your government or whomever has said well we're really concerned about this we want to play this simulation so that we know where we're weak where we're vulnerable and how we could actually fix those problems okay so the client asks you how could if if at all is it possible to remove power from this entire city not a neighborhood not a building the entire city for at least one year it's like okay well you think about it you're like well I could bribe
an official turn off the power at the power company yeah that might do it I could you know if the city blows up then I've won by the null Factor there's no City therefore there's no power but there's other things right you're about to see my amazing art skills how does power work the red circle here is simply the power plant the yellow yellow circle is where it's generating power usually in a big ring like an entire city that blue square is usually a Transformer a substation or something the power has to be produced at really really high voltages so that it can go far away but you don't have like a thousand volts coming out of your
outlets right it would fry everything you'd have electricity flying out at any time in Europe you're usually operating at 220 volts in the US it's 110 so there has to be something that takes that thousand volts and converts it down to something useful and that's usually a transformer okay this is a substation with a bunch of transformers what do you see a chain link fence in this photograph how many high-def cameras do you see none where do you think this is do you think that this is got armed guards walking and patrolling it at every moment no it's in the middle of nowhere it's in the middle of nowhere and it's being currently guarded by the you know most high-tech
fence money can buy these are Emergency mobile substations okay these are things that if in the event that the substation goes offline these things can be brought in to take over load and continue giving power to wherever it's needed there are not many of them in the US the US is one of the largest economies in the world I don't know if it still is but we don't have many of these how many do you think you have that's an issue right because if your substation goes offline well how many of these do you have to take over the load why is that important well because substations are not sitting around ready to go they take about two
years to make and then after from the time that somebody says I want a subst to the time that it's built put in place and it's actually running it's about 2 to 40 years so what happens if the substation goes away you're all without power if you don't have an emergency mobile substation that can take over the load you're without power for years at a time and you might think okay well that's never going to happen except it does it does happen this is Fort Bragg North Carolina and for you guys who don't know Fort Bragg North Carolina is the largest US military installation in North America it's home of the Special Operations Command the Airborne import a
lot of really important stuff right how did that work how did this get taken over well because I'm not going to tell you exactly how to do it but if you know where to shoot one of these you can take them offline and the entire thing was taken offline with about three bullets now let's go back to that picture for a minute if you stood off at about 200 meters and you shot in the right place and you took this offline first question what how much money and things did you have to invest in that attack nothing you bought a gun and a couple bullets now how many cameras do you see that can pick out a
face at 200 meters away in every direction none the people who did this as far as I know have never been caught now the US brought in an emergency mobile substation and they took off the load and they fixed the problem but this attack took out power to the largest military installation in the entirety of North America and if it wasn't for that emergency mobile substation it would still be offline to this day so going back what is your entire power grid currently being protected by a fence and prayers and that's that's true for most countries right and you start to realize that oh [ __ ] physical security actually you know plays a bit of a role it's not
just it's not just about well can I you know I deal with this all the time when an energy company or an OT environment says well we did pen tests we did cyber stuff and nobody can get access to it it's like yeah okay but what happens if I take a rifle and a few bullets and I know where to shoot how what amount of firewalls is going to prevent that nothing nothing's going to prevent that so you play these little games you walk this through you figure this out and you help companies organizations governments Etc fix these weaknesses and there's a lot of weaknesses again I go back to the thing that I originally said these these
security standards are rolling out literally this year and most people not only are unprepared for this but they don't even know that most of the things that I just gave in this talk are even a thing they have no idea that these are actually vulnerabilities because they don't know right and that's the entire point you need to know you need to hire somebody who knows what they're doing and you need to actually go through and fix these things but you guys have any questions or you guys want to ask anything feel free any question is fine questions any questions no Brian I have a question or two sure did you ever like injured yourself like trying to get in and I'm asking
this because I heard this I listen a great podcast on Darknet Diaries about physical security and there was this guy I forgot his name that uh he told like great stories yours was even better like how he got injured while trying to get in yeah yeah so you're you're always going I mean I don't say always but you are often going to hurt yourself doing little things so one thing that that you have to realize is that you might be able to pick a lock you might be able to scale a building you might be able to do these things but when your heart's pounding and it's cold outside or it's wet you're going to make little mistakes
you know if you're trying to do anything really delicate but you're doing it on a time constraint and people are walking around you don't want to get seen you're you're going to be have a bit of an adrenaline dump and you're going to you know mess things up yeah you're going to you know poke yourself you're going to do little things like that absolutely that happens all the time as far as big injuries go yes I've crushed my hands in doors before I've I've you know I've been carrying really heavy pieces of gear and I've dropped down and I've you know rolled or sprained my ankle little like things like that yep they absolutely happen I've yeah so it's it's
not exactly a good thing when you're inside of a facility that took you maybe three four weeks to get into and then you crush your hand or you you know you break a finger or something and you have to sit there and basically be like no it's fine got to keep going like it's it's not fun but it does happen right do you have second question do you have like a van like a constructing company with lots of stuff in there do I'm sorry do I have what like a van uh ah so okay so this is an interesting question when you're when you're going in you're probably going to have all kinds of stuff right you might have disguises you
might have RFI so even when you're doing physical security once you're inside you're still going to be planting devices you're probably going to be get on the network you're going to be doing a cyber aspect of things you're bringing in laptops and uh the middle devices and all kinds of crap but you're also bringing like disguises under-door tools lock picks like all kinds of stuff and you can't go in with a hiking backpack full of crap right so usually you're distributing your stuff amongst teammates uh if you have a big team but no what usually what you do is you you have to be able to blend in so if I go in looking like this I might have a
shoulder bag that is stuffed full of all kinds of crap but then at the same time you have to have room what if you're going to be stealing documents What If part of the engage is we want you to get to this location and steal something right um so yeah you have to go in with the bare minimum that you think you're going to need and then and then hopefully you've got teammates who are you know also carrying gear or other things for you or you have somebody who's basically a mule who you can get inside the building and be like oh crap I need this device I need you to bring it to me you know uh but yeah so you're
trying really hard I mean there's a really big incentive to bring all the stuff the kitchen sink everything but you have to like you know downplay that and be like okay this is where you do the reconnaissance and you're like okay I've got to figure out what the hell do I need what do I likely need what do I don't what can be left behind and then hope and pray that you don't actually need that that's great that's great okay hey um I mean some of your examples you either break off locks or or make holes in doors have you had ever had an issue where somebody else broke into because you made something vulnerable uh
so this is this is a fantastic question so one of the first rules of doing this is that you cannot downgrade the client's security unless they are one aware of it two okay with it and it's usually only for a really short period of time right so if I have disabled the entire security system that's tantamount to taking off the ad or take I'm sorry taking off the uh the antivirus from a from a website right you don't want to do this and if you do you have to tell them this is what I'm going to do you have to give me the okay before you just do it uh because keep in mind like it's
very uh uh you have a lot of incentive to just kick everything off the network or destroy stuff which you can't right the client has to be okay with it but I will say this I have come across instances where I've gone and been breaking into buildings and I found those things so I on on two occasions that I can think of right up top my head I got into corporate boardrooms and I went to go plug in my man-in-the-middle device and there was already one there and it was like oh okay so now that the entire test has to stop and I have to say okay this is transitioned from a pen test to like an incident response but no
when it comes to actually like downgrading the the security you don't want to do that any more than you absolutely have to and they have to be okay and I will say this you have to be you have to go into gross detail of exactly what you're about to do because the client doesn't know if you tell them I'm going to make a hole about this big in your door you have to really walk them through why and what is it going to do and how much is it going to cost them uh thank you Harris thank you very much for your presentation sometimes we in the community of cyber security forgot about the physical security
and this is the major foundation of the security in general can you share maybe from your experience combining now the physical security with social engineering the impact of this yes so social engineering is an amazingly large part most people are familiar with phishing of various form you know you know it's got like 30 names now like whaling spear phishing phish like whatever it's just phishing it's just social engineering right most people are aware of this most people have to go through that rudimentary every single month or however like oh your company's IT department sent you a uh phishing email and see if it worked you know you all have to go through that at some point
but when it comes to physical engagements what I do is I try to effectively develop assets I try to social engineer people so there's a technique called elicitation now elicitation the entire point of it is to get useful specific information out of a person without them realizing that you're doing it okay so I would never come up to you and I would say hey tell me what the security layout of the building that you work at is that's suspicious it's invasive and I don't have rapport with you to be able to ask that question so think it in your own life I don't know any of you if I were to walk up to you and I say I would like
you to tell me exactly where you live exactly what time you're going to be away from your house and I want to know all the passwords for your social media accounts nobody is going to tell me that but I'm willing to bet that there's somebody in your life you would tell that to somebody in your life that you trust that you would say oh I'm going to be gone from this hour to this hour and you know where I live and you might even tell your relative or whoever like what your passwords are right for some reason the point of elicitation is to build up Rapport to be that person to get them to feel that they trust you so
much that they will tell you those secrets and then you ask it in such a way that they don't realize that you're doing it so for example with elicitation you typically don't want to ask any questions so how do you get information without asking questions well one of the the most obvious uh or one of them the first ones would be something like a presumptive statement so instead of saying something like um did your company bid on this big government contract I might say you know I read in the paper that your company wasn't you guys don't have enough money to bid on this government contract which makes sense because I mean I I I heard that
you guys were laying people off left and right well what is human nature human nature is to defend that human nature if that's wrong human nature is to go no no no no no that's not true we we absolutely did we're not laying anybody off we're doing this right it's we have this kind of reciprocal uh ability or the reciprocal nature about us so if I say hello to you chances are you're going to say hi if I say I work at X company chances are you're going to tell me where you work not because I asked but because you're a reciprocal person so you use these types of human propensities to like get them to say
things and do things and if you sandwich that elicitation in between a bunch of [ __ ] a bunch of like random talk and small talk and then halfway through this conversation I ask or I I elicit that information and then I go back pivot back to you know useless crap then chances are you're not even going to remember that think of it this way I just gave a talk for about an hour how many people here by a show of hands think that you could tell me every single slide that I went through nobody right you forget things we all do we all forget stuff right so if you can sandwich that elicitation in between a
bunch of useless BS you're probably not going to remember or even realize that happened and yeah you elicit information all the time cleaning staff employees anybody anybody who might have information you might need yeah absolutely elicit them and the the real trick is it's really hard to figure out if you're actually being elicited because when does it start like are you actually like it's hard It's Tricky counter elicitation is a really really hard thing yep hi so I have a question related to security cameras now if you put so a live picture in front of the camera does it work to getting blocked on what you're doing in background so if I understand so so I'm
going to repeat what you just said to me and you tell me if I got it right so if I took like a a live picture and I just put it right in front of the camera would it know the difference or would it see well so I don't think that I can pull it up fast enough but I actually have a slide somewhere on another talk of me doing basically a similar thing where I just take my hand and I put my hand in front of a camera real fast and because it happened quick enough the camera didn't notice the transitional difference and it never alerts so here's something that like one of the things that I tell uh
people when they're getting into this is buy all the local security crap you can go around and figure out what locks are being used in my region of operation what cameras what security systems what things buy them and then test them just like you would with anything else because a lot of cameras they need some type of a difference okay so if there was a c there's a camera sitting in the back room it might be able to see me if I'm moving slow if I'm moving like this but it might not see me if I just really slowly am moving it might not alert motion right so figure out what the differences are I've literally seen
cameras where you can put something right in front of the camera quick and it will not alert because it happened too fast it needs like several frames of the camera in order to alert there has to be like a transitional difference if that's the camera that you're using then yes absolutely you could put something in front of the camera and it wouldn't see the difference the downside to doing that is you would have to do it in such a way that it was just the right distance to make it look real but yeah there's nothing that prevents you from giving that a shot so I mean I would tell you like look at the cameras that you got
operating in this region buy a couple and then test that see how how could I do it but yes you absolutely could give it a shot yeah uh so in general uh we had um a case in 2022 when Iran attacks uh the information of U the Albania or or to be more clear the uh online all information which have in the government of Albania and my question is if we suddenly are attacked and the information of millions of citizens for example of Kosovo and other country are attacked by the other hackers on the other part for political motives what uh what is the best reaction or uh against this attack what should we do or to be more
clear uh according to you which country which state has not to say ideal but closest to Ideal Politics as belong information security policy thank you very much sure so this is a very interesting question this is what do you do if the entire country's information is stolen or a large amount of incident uh information is stolen the first thing that you have to ask is what can you do with that information right it like is the information actionable so for example is logging into your bank if you lose the credentials this is my username this is my password maybe you need a third uh two-factor authentication type thing and you lose all of that okay well
then you may immediately have to change all your banking information right the first question is what can you do with the information that's stolen the second question is what do you do once it's stolen and this is an incident response this is how how resilient are you so you have lost um all your country's information first off what was lost and second can you recover from it so let's suppose for a minute that everything important to you the government has all this information on all of you and all of it has been stolen can it be recovered like do you do you have to actually give every single person a new social security number do you have to
actually give every single person a new driver's license do you have to give every person a new bank account information what H like can it actually be done is it possible to fix that problem what is the what is the scale like is this is this going to be well we could fix it but it's going to take us a year two years three years you're not going to have banking ability for you know a year and a half right A lot of people are now on online banking and if that system goes down for even a week you might have riots in the street if you can't use cash there's a lot of countries out there right now that have
almost completely transitioned to a cashless society and if those systems go off even for a week and you can't buy food you're going to have riots you're going to have serious problems so in your specific question it all comes down to what information is stolen which is a big question to your government of what information are they keeping on you two how protected is that is it actually being safe and three in the worst case scenario that somebody actually steals it what can they do with it and can it be fixed and that's a question that's you're going to have to ask your own government you know because I can't tell you what the local government here has
on you and I can't tell you if they have any kind of redundancies can they fix it can they solve it as far as which countries go I would say every every single state entity is a threat every all of them and the reason is is because they all might have a motive at some future date to do it and we've all heard stories of you know Bob the 15-year-old high school student who broke into the NSA right these are always threats so yeah it's it's there unfortunately there is no real easy answer to that but I would say that any country has the potential to harm any other country really it just comes down
to allegiances alliances and hopefully a lack of motive but if Iran stole Albania information I mean then it just comes down to what are they going to do with it what can they do with it and can your country recover from it and how fast is it going to take to recover but unfortunately there is no easy answer to that question it's a very very deep question that a lot of people are paid a lot of money to try and solve and it's not solved yet as far as I know great okay we have one more question we have plenty of time we are I think ahead of time 10 more minutes till noon so feel
free first of all thank you for the talk uh continuing the question that that was prev previously made uh what kind of drawbacks or what kind of difficulties could a coordinated attack on all the uh all the elect electricity stations in a you know in a in a country could be or what what kind of issues a coordinated group could have to actually take down everyone at once and actually take down the whole country because pretty much even a large country like USA will not be able to to handle that let alone a small country like us so why should the uh attacking team have to go through the hurdle of actually attacking the systems the uh the it
systems of a country when they can just take down practically the whole the whole thing so what is the right yeah so I'll answer your question in a few in a couple ways here one the tradeoff to doing things through the internet is anonymity and distance okay if you hack into another country's facility whether it's a bank an IT you know environment OT environment whatever the benefit to doing it through the internet is that you anyone can do it you're far away from it and the and you there's very very uh small chance that some cop is going to bang down your door that hour or that day right you have a chance to run away
um the the benefits of being physically on site is that you have access to a lot more you might literally be able to plug into the network you might literally be able to unplug something you shouldn't unplug or inject malware ransomware whatever so there's tradeoffs to everything that you can do the likelihood that it's going to happen in the United States according to the US Department of Energy and some other organizations there are about one to 200 attacks every year on the the critical infrastructure inside the United States on power and other things right 100 200 attacks a year now the United States is big you can roughly say the United States is kind of like the whole of Europe right
size population Etc so the issue with what you're asking is not do we have to take everything down this is what you this is what's referred to as an as uh an asymmetrical attack okay let's go back to the power plant example what did I have to do to take down that power plant or that substation I needed a rifle a few bullets and to know exactly what to do with that okay that is when you think of how much does it cost to build the substation how much does it cost to secure it how nothing because you bought built a fence but how much does it cost to to to do all that it cost a lot of money how much
does it cost to buy a gun and some bullets almost nothing a few hundred bucks maybe so that's an asymmetrical attack right if I can spend a few hundred dollars to take down millions that that's not good now the other question the point of it is that you don't have to take everything offline you just have to take enough offline let's suppose for a minute that your country has access to five mobile substations okay other you either have them or other countries have said we will give them to you to use and you have access to five well if you have 50 substations all over the country I don't have to take down 50 substations I have
to take out six because if I take out six and you only have access to five Emergency mobile substations somebody's going without power for years and that's the problem so that is the issue right you're you're looking at this uh I don't know if this is a thing here but do you know the game Jenga like it's it's like a stack of blocks and that's what you're trying to do there's always that one block that if you move that one block everything falls over that's what you try to do in in my position you look at a situation and you say I don't need to take everything and and smash the whole board I just have to figure out that
bottleneck what can I remove and ruin everything and that's what you're trying to go after that's what you're trying to do and in this case I don't have to take down the re let me say this way why did I not go after the power plant because the power plant is going to be really really well guarded it's going to be harder to get into I might need a larger team you're going to have much more beefy security you might actually have armed guards but what did you see at the substation it's in the middle of nowhere it's not really being guarded or monitored and there's just a chain link fence okay well that's a hell of a lot
easier than try to break into a power station so that's the whole point right you're looking for the weak points and then figure out how or why do I go about that so again asymmetrical type of you know attacks great any more questions Brian thanks very much for your great
presentation thank you just before we go let me make couple of announcements please uh we're going to take a break lunch break uh we're going to be back at 1:30 so 90 minutes please do not go beyond that time uh as dardan mentioned before uh at 5:00 p.m. the CTF is going to be opened if anybody has time is bored has nothing to do and wants to do a mini CTF there's a mini CTF that was posted on PR's website it's on our LinkedIn page cf. pra.com uh it has few challenges there so if you guys are impatient for the major one which is at 5:00 pm you can knock yourself out and give it a try
okay see you in a bit
okay I guess we're ready to start uh welcome back I hope you guys are fed up I mean you have to eat and drink coffee to stay awake um just before we get started uh for those that join us late uh let's not forget about the CTF uh contest that is going to start at U 5:00 p.m. and then for those that they didn't pick up the raffles like the raffle draw uh they can pick up their tickets upstairs in the reception uh area uh without any further ado let me introduce you Roland Sako he is here for the second year I believe uh he's going to be talking about uh hidden dangers uh for the small
devices I know that in your agenda you're going to see the second uh speaker who unfortunately could not make it but I think that R Roland is going to make up him as well so floor is yours thanks yeah so hi everyone thank you for coming to the talk I'm happy to be here for the second time I was here last year for a workshop about fuzzing so my name is Roland Sako I'm a security researcher at Kaspersky ICS CERT unfortunately uh my colleague Nikolai Frolov couldn't come to the talk because he got a visa issue in last minute so I'm going to give the talk by myself so we are as I said we are
security researchers uh we mainly focus on automotive research so uh searching for vulnerabilities in cars and stuff related to automotive also ICS devices so industrial control system IoT uh consumer IoT or industrial IoT and then we do a bunch of uh vulnerability research through fuzzing and reverse engineering we also give some training sometimes uh I'd like to give a shout out also to all of my colleagues from the team because uh since we did the research ourself there are also some huge support from our team members and managers so uh just a shout out to my colleagues there so what I'm going to talk about today is two small little devices that are interesting uh fun and uh so that's
going to be a smart pet feeder and a smart educational robot that is using AI and you probably think why does it matter it's just a small little device is a smart pet feeder nothing critical and as you can see as you will be seeing during the presentation uh it doesn't matter if it's critical or not it still has an impact let's get started with with the smart pet feeder so uh I do have a cat I don't know if any of you guys have a pet at home cat or a dog I do have a cat um it's very useful to have such devices because um first of all you don't have to manage the schedule for feeding the
cat or the dog or whatever other pet you have uh you can do it in advance and say for example every day at 88 in the morning there's going to be that amount of food on the table uh you can also remotely access it uh there's a camera there's a microphone you can talk to the pet interesting device and one thing most of the time I do before I get started with the research in that case we ordered the device it took a few uh days to come I had to look at the FCC database so FCC is uh the organism that regulates the um telecommunication in the US so every single device that you have uh
that communicate on the any frequency has to comply with the FCC so basically they have to yeah okay they have to file documentation with the details with test setup internal pictures Etc and they have to comply and the good thing is everything is then is public I think you probably if you look at your phone or something that you have at home you will see this FCC logo and there's an ID so which with this FCC ID you can access to the information that is public in that case what was interesting to me was the internal pictures so I look at the internal pictures and I see this so basically seems like it's just a smart camera in a
big box with some mechanisms to dispense the food so pretty interesting sometimes it's also good for me to have this kind of picture because I can see what is on the PCB and I can get my tool ready in order to get the correct adapters and stuff in advance in that case the the picture quality is not very good so I couldn't see nothing okay so now that I get the device first step is to get it connected you have to install the app create your account and put your Wi-Fi name and password and it will generate the QR code you show the QR code to the pet feeder camera and you just get connected to the
network nothing special first thing first I set up a proxy and uh you see there's a bunch of uh https requests and one HTTP request in clear text uh funny enough not really funny but um most of the requests are using https with certificate pinning I was able to see that because I instrumented the app so I could see the traffic the last request is using HTTP and it has bunch of parameters including my phone number which is used as a user ID and then there's also the command name which uh says um uh sync feed list for now we don't really know what it is but it doesn't really matter now I'm looking for the low hanging
fruit so the very easy stuff so it's connected to my network I'll do a quick nmap scan and what I see is uh there's a telnet port open good news for me at least so now that's a very good start for me because it's like very easy to exploit in principle I mean just connect to it only thing is they set up a password and the username so so I needed a way to extract the username and password first thing I do is just crack open the device thanks to the FCC ID pictures I could see where the PCB is located without destroying the device completely and as you can see it's just a simple little chip uh that talks
SPI so usually the firmware is stored there so uh I just need to extract the information and then I get access to the firmware there are different ways to do that I had a tool that is called Bus Pirate so Bus Pirate is the tool that is able to talk different protocols uh it can talk SPI so I use that connected to the pins correctly and use flashrom which is an open source software to extract um to to program such chip for some reasons I had some issues so I had to move to another solution and other solution is a bit more destructive so I use the hot air gun and I unsolder the chip put it on the
chip programmer and read it out like very straightforward I had the all content good now in order to continue the research had to solder it back uh that's not for me I didn't want to do it because of laziness but also I thought if I need to change something inside the device and then just keep going for testing I didn't want to unsolder resolder Etc so I just SKT it like this and I just kept it on the adapter on the breadboard put the connection point to the PCB and then just continue working with that so once you once you read everything from the chip uh I use binwalk to see what is inside to extract the information
nothing special just an embedded Linux file system with everything that we know this now we moved from uh like little hardware stuff to software problems let's a software research um at to there was um a telnet network uh server running I didn't have the credentials so automatically I go to the shadow file I see the hash of the password next step I tried to crack it so I set up my basement with uh no just kidding I just Googled the the hash and I found it first result funny thing is uh many of the cameras uh from HiSilicon and some other brands are using the same credential for some reason I don't know if it's probably be part of SDK and then
you use the default credentials but doesn't really matter I got the password connected to the device and I'm root
um I get root access so I get full power to the device only thing you need to uh keep in mind is that you need to be on a local network the same local network this attack doesn't work from outside of the network but it's still interesting then um looking to the file system I saw something interesting in the startup script so at the beginning of the device there is a a script called run Alex that is run that is is responsible for launching a binary that is called mqtt Alex with an IP address
and this is basically connecting to a mqtt server in order to receive the um voice command so basically that device can be controlled with the mobile application but also with the voice command through uh Alexa so started reversing the binary in the main not very visible there but yeah in the main function you see there is a mq in it authentication so what the first thing it does is connect to the mqtt broker with the credentials and the credentials are hardcoded into the binary so basically if I install any mqtt client I could connect remotely to the broker and then access to all of the information and once the device connects it does a bunch of uh subscribe so mqtt
works on a pub/sub uh principle so means that you subscribe to a topic and then whenever someone publish on that topic you receive the information in that case there was uh the main topic was voice and then you have the commands and after that you have a secret ID and the secret ID is the secret ID for each device this is how it works so whenever you launch a uh voice command it will send uh a message in Json format with voice shre is the command and then the secret ID so basically if I know the secret ID of a user I could send any command that I want so how this secret ID is
generated uh not so complicated uh it's basically using bunch of information that are static and one information dynamically which is the MAC address of the device doesn't really matter because since we're in mqtt and the secret ID is part of the topic what I could just do is create uh take um mqtt client connect to the broker and then with that connection subscribe to all the subtopics so basically you connect you subscribe to voice and then use the wildcard which means that every subtopic will be uh the topics that you're interested in once you do that you get all of the information that is going on in the mqtt server and then further uh this is a
test mqtt broker so of course we're not going to test it on production from the vendor I just set up my own mqtt server with the same credential I had my device connect to it to see what is going on what you can do is not very critical at that point I can just extra feed the the pets indefinitely have it like going that way another interesting fact is if you look further on the parsing code that is uh basically most of the time where the critical issues are the memory issues are you can see that um the code assume that the values are not nil there's no Integrity check there's nothing checking the size of uh the receive packet Etc
and uh doing some very little uh dumb fuzzing I could make the binary crash so basically if you send a message to any device uh and you miss one of the field it would just crash the binary so you have a DoS attack very uh easily and then I was interested in how the backend communication was done from the device to the back end I found the function that are responsible for communicating and interesting interestingly enough I saw that it was only using curl and doing bunch of HTTP request not even encrypted and there we go we have our CMD which is the topic and then we have the upload key which is the same for every device
so basically everything is done through HTTP and um if you're in a position where you can be a man in the middle you can just Tinker with everything that you want and finally the update process uh very interesting um I rarely saw this kind of uh kind of things they simply have their update um file on a on a server it's a zip file that is encrypted with a password and the password is hardcoded into a script that in the device so basically um if you manage to get access to the back end you create your malicious update file you encrypted with the same password and then you can potentially have their other device infected so yeah somehow someone had to
uh put all of this little issues into this device and make it not very uh very secure uh vendor communication uh unfortunately wasn't that good so I started we started uh communicating with the vendor October 2022 and until February 2023 we didn't have any answer and then in March we had some uh contact with the vendor and uh we asked them to establish some encrypted communication so uh give give um give us a direct GPG key so we can send everything encrypted no answers so we just published so let's say that the vendor communication was not very successful okay so next one uh is a small little robot that is also a fun device for kids so basically it allows
you to uh give it to your kid so they can help um the kids do the homework uh learn a new language do some mathematic physics and stuff like this uh the vendor claim that every single bit of information is encrypted protected and uh that's for your privacy and the privacy of your child so nothing to worry about first thing we do is to connect the device to our Network and uh start monitoring the traffic first thing we see is HTTP request
everywhere there we go again there we go again next thing again uh we take the device tear it apart look at the PCB bunch of components in our case we're not really interested into all of this uh components we go straight to the memory and uh so this is the picture where I got started to put the pin by pin because I didn't have the correct reader at the end it's the huge mess because there wire everywhere uh but at the end we managed to extract data from the eMMC and then we started analyzing the firmware interesting things is uh we look at the USB configuration we saw that there is ADB enabled and whenever we connect it to
the computer I we start uh connecting after the third line there and we see ADB for 5 second and then disappear that uh so basically when the device gets started there is then um um main uh main application that this is the launcher who is responsible to uh interact with the configuration and check whether the ADB is activated or not and basically it does it by checking a file and that file we managed to just change from enable L to enable yes and then connecting to the device through USB we had root access through ADB so now let's go back to the back end so the back end is also very interesting um interesting in a in a sense that it's
not really good but the password is uh a six uh digit and character a mix of digit and character only six in uh size which is pretty weak and then they're using the serial number as a login and still regarding the password this is the function that is um responsible for generating a password so that's pretty weak so basically it's just taking a bunch of like small small little data and converting to hexadecimal and that's pretty much it even better so you connect to the uh you can make it with the backend using the login uh API you put a random password and you still get a token so basically there is a function that check for the authentication
that does nothing that just return you a token so it doesn't really matter if you have the correct password or not you just get the token and you just get
access and we keep going so we have another endpoint get app configuration here uh also a little bit weird so basically if you connect to that endpoint and you provide the robot ID then you get bunch of information so you get the child name the age which is not very critical that much if you just the first name and the age but then you have the exact location of that robot and then the check authentication same thing you provide the robot ID and you get the username password uh the parent email phone number and some useless information but still uh basically you get all the credential for every you can enumerate all the credential for all the user for
that robot and um also something that I didn't know about before uh we get started with this research but uh they are using Django REST framework which is a framework that I not really aware about but that what we detected is they had the debug enabled to true which means that we could enumerate a bunch of information so for example we can see all of the endpoint we could see error messages in details and uh we managed to figure out that they are using Agora in order to handle the video stream so the video stream allows the parents to call the kids through the robot and then have some visual conversation and um when whenever you
send that request without providing providing nothing you get a token for free so you can communicate using Agora for just uh without providing any proof of uh being the owner of the robot and in order to use the Agora API you need the token so the token that you got for free last night then you need the Agora app ID which is the same for every owner of the robot and then you need the serial number so the serial number as we saw previously is very easy to guess or to enumerate and then uh what we did is just like trying to make a call to robot a second robot that we bought and it worked out straightforward
very easy to uh exploit so basically anyone who get access to uh a robot ID or simply enumerated the all the robot that are existing can make a call to any children that are owner of this robot and then the mobile application also an interesting uh thing so whenever we need to pair a mobile application with the device or you need to change the the owner of the the robot you have to provide either the email address or the phone number and after that you will receive a OTP code which is a six digit or letter and then you have five minutes to put it and during our testing we noticed that there is no um
protection for Brute Force so basically you can try as much as you can as you want with think it's 5 minutes and there's no limit soop so yeah at some point you you'll manage to just crack and uh just get in so once you get the application from another person you can uh detach the robot from that actual parents and usually uh when you get the first pairing this is the code that is shown on the robot screen that you have to put on the mobile application and um as we saw previously this uh password is the one that is uh detect generated in the password field there so you can easily get it even with having any credential
from the users and then finally the updating process is also uh pretty weird because uh it's simply a script that is downloaded from a server and there's no signature uh there's no uh Integrity check so basically if someone managed to get into the server and then change it and put some commands over there uh you can uh get remote code execution very easily uh vendor communication uh that case was pretty successful so March uh 2023 uh we communicated with the vendor for the first time and after a couple of week they got back to us and they acknowledg um they so they confirmed that they received the report and then they were going to verify it and then
after a few months they acknowledged the security issues and they actually fixed a couple of weeks after that also and then we decided to publish the results uh thank you for your attention if you have any question just let me know otherwise there is all the detail of the research for the robot for the pet feeder we already have a like small paper with some more details doesn't yeah okay any questions we have any questions r that was pretty interesting especially because we live in that age and time where we are using smart devices they are there to make our life easier but apparently at the cost as you explained what do you think um vendors
should have in mind when they uh design these things obviously we have seen some issues but they are not responding uh and then you just go ahead and you publish your uh research but what they should do in order what's that fine line maybe where it is secure but then it's still like friendly like and easy to set up to have that user experience I mean first thing in general is to first of all answer the whenever we try to communicate with the vendor just answer um another thing is um I thought it was already clear that you should not assume as a uh IoT device maker that people would not access to the device itself so for
example with the pet feeder uh having all this hardcoded password credentials um typically if you doing software vulnerability research you're not going to probably get into the credentials uh as you can see with like very little basic uh let's say hardware what I just did is extract the firmware from the chip it doesn't imply any sort of advanced knowledge and hardware uh and not even uh pricey equipment I could access to the internals and again this is really some secondary research that we do outside of our normal duty so it's just to prove that after spending a few hours on some kind of devices like this you can already find some like very critical um critical issues sometimes
it's also because people take uh device from a Chinese brand UNAM and they put the name on it and then they just don't check nothing and the most important thing for them is to have everything working in term of functionality but then security comes really after but um I don't think there's more recommendation for these IoT makers more than traditional uh software manufacturer it's just uh yeah be aware of the attack vectors and also for the users especially whenever you choose some kind of devices like this and thinking they are not critical because they're fundamentally they are not very critical devices but it gives an attacker access to confidential data and it can also be some kind of bridge to
conduct attack to other devices at home so yeah that's great thank you any other question yeah first of all thank you it was really cool talk also to like show your your inner working so thanks for that um do you in your role right do you think over the years is it getting better or worse because you mentioned a few things right that they seemingly doing right but then obviously lots of other flaws so you mentioned certificate pinning but then also I don't know you were still able to bypass it and get to the commands and stuff right do you think on the whole yeah so is it getting better or worse basically uh it is getting better
because uh so for example the first device is using Tuya Smart which is a framework to develop IoT devices it's I think it's Chinese is pretty good uh if you order devices from AliExpress or some other places sometime they using this framework so basically it's well tested pretty much uh the problem comes from so if you uh focus on the first um exchange one I that you mention so there is some bunch of HTTPS request and then one single HTTP one um my assumption is they took the uh Tuya Smart framework to do the basic stuff and then they added stuff afterward and the stuff that they added they didn't pay attention to any sort of
security and there are more and more framework to work with that are secure that allows them to get started at least with something that uh it's not too bad let's say um so yeah if they start using existing stuff that are proved to be pretty much secure and then they do correct implementation is already good stuff
yeah thank you so much that was very great thanks again for uh coming back to Pristina thank you and I hope to see you again okay guys uh our next speaker Alejandra unfortunately could not make it so we're going to be taking 15 minutes break and then in the meantime again just as a reminder for those of you that you didn't pick up your raffle ticket uh please do so because we're going to do the draw so you might be one of the winners you never know so is it okay uh because what we are thinking rather than having this uh large break or yeah we have our next speaker uh already so after 15 minutes let's get
back 15 minutes is 15 minutes guys please be on time thanks
okay so we are ready to move on our next speaker is Wietze from Amsterdam or from UK he will tell us about that in a minute uh he's going to be talking about the command line obfuscation so Wietze floor is yours thank you very much all right uh hey everyone welcome to this talk as as was just said we will be talking about command line obfuscation in the next 40 45 minutes or so um you may have heard of the expression you can run but you can't hide well today we will find out that sometimes you can do both uh so just briefly before we move on um who am I so yeah my name is Wietze
that is a Dutch name I'm originally from Amsterdam uh but currently I live in London where I work as a um threat detection and response engineer um I really do like cyber security I've spoken at other conferences before I'm involved in other uh open source projects as well for the entire community so later on we will be talking about the LOLBAS project as well it's one of the projects I help out with and um yeah I'm just looking forward to um sharing some of that knowledge uh that I also um got through other resources with you guys today so I was going to say let's just dive right in um so command line obfuscation right what what is that just a reminder
I know some of you um have different levels of of technical detail so I thought let's start with the basics command lines so every process on your computer has a command line might not be much on it but there is always a command line attached to any process you run on your computer for example um say notepad I could start notepad just say notepad.exe on Windows that will simply start the program um however sometimes it's a lot easier to just give it some extra parameters so extra context on the command line and that will allow the program to change the flow uh before the program has even properly started so I could also say notepad.exe followed by
hello.txt that will tell notepad when it starts to open hello.txt as file seems straightforward right um on Windows are many more different ways in which command lines are used you very often we'll see these um command line switches with a forward slash followed by one letter multiple letters so for example shutdown /r that tells the program shutdown to not only you know stop your computer but also to restart it so yeah as I was saying initializing parameters that allow the program to change the flow now my fourth example here is an is another example where you see that a command line can contain everything right so we see here reg.exe export
then we see a registry location and then we see a file path so these are all different they all different functions right um now this is the context so that's that's a command line this is how we use them um why why does this matter in a cyber security context now if you are a threat uh defender like myself command lines are hugely useful because they tell a bit of a story right so from threat detection point of view looking at command lines can really help you understand what an attacker might be doing or try and identify behavior that could be an attacker because if we look at these examples I gave you by just
looking at the command line right just not even understanding what the processes do but just looking at these starting commands I can tell you what these programs are doing the first one is opening Notepad the second one is opening hello.txt and notepad the third one is rebooting the computer and that last one is exporting something from the registry so command lines tell a story and that's hugely helpful if you're trying to establish what is going on and for that reason lots of antivirus and EDR software you know so the tools Defenders use um rely on command lines in order to detect possible malicious behavior today we will be talking about command line obfuscation excuse me obfuscation means
in this context that you're trying to hide what the program is doing so in these examples that I gave you those four it's very clear what the com what the command is intended to do but as an attacker you can imagine that you don't always want um EDR or or an analyst to understand what you're trying to achieve so masquerading the true intention of a command you're trying to run pardon me so yeah as I was saying that poses a problem because if I can change the command line in in small ways I can bypass potentially defensive measures like antivirus like EDR tools U because very often these tool rely on command lines that in itself is not bad like I
said it's a great source of information but if you rely on it too much or if you make the wrong assumptions it can be dangerous so in this talk I'll be talking about Windows Mac but also Linux and I will show you with very small subtle changes how you can bypass known U security tools so yeah for that we're going to be looking for um command line equivalents what I mean by that is that you find a command line with um you know that you would normally run but then I'm going to change things so that the command still works but an EDR tool might not Spot It so as I was saying we will start by
looking at Windows and we will look at what what command lines regularly look like and then we're going to be looking at four different programs as an example of how command line obfuscation can be applied there so on Windows there is a number of conventions so these are not hard rules but sort of I don't know like uh normal uh behavior of command line tools that most programs adhere by so if you use Windows this will all look very familiar to you command lines often use forward slashes um we saw that shutdown command /r here's a couple of other ones ping /n 1 cmd /c ipconfig /all so very often you will see command lines that have forward
slashes you may know that sometimes hyphens or dashes you know these these bars are also used um more on that later Windows is also very case insensitive you you will also know this right like a file path doesn't matter if you include uppercase lowercase characters Windows considers it all the same and for many command line tools that applies as well so Comer selction all uppercase lowercase combination all works double quotes also often used on the command line if you have a space in your command line argument by wrapping them in double quotes the program can understand that you mean a space and it's not a um separation between individual commands again more on that later because that is actually a great
way to bypass security but an important point here to make is that this these are all conventions in Windows none of this is enforced any program you write so if you write a program yourself or you use a third party tool the program itself decides on all these rules it doesn't have to be case insensitive it's just most Windows program decide to be and that means that there is a scope us make small tweaks and that may have big consequences so as I was saying we will now be looking at four programs most of you hopefully know if you used to Windows I'm just going to show you how an attacker may use it and how you with
minimal changes can successfully bypass security so let's start simple with option characters um hopefully you're familiar with PowerShell PowerShell is Windows version of a bash or scripting environment um it's used for automating tasks it has lots of deep integrations into the system therefore it is loved by attackers um an example here I could run this command powershell /command Write-Host P hope I said that right hope I passed the integration test um and if you execute this in your shell it will um just give that word back on your command line and um now you see there the forward slash again which is normal in Windows it turns out if you run it I
hope it's not too small and too low um that works we already knew that but turns out there's multiple option characters you can use there so you see that Powershell um hyphen command and then you see what seems to be three more hyphens right it looks like the four hyphens for the word command now if you look at these commands not in your shell but in task manager or in this case process monitor you will actually see these are not regular hyphens so if you look here at the the third column you see first forward slash then you see a regular hyphen like a small bar but then you see a slightly wider hyphen you see a really long
hyphen and then you see a weird one that's sort of at the top what's going on here turns out that PowerShell accepts not only forward slash and a hyphen but also the so-called Unicode equivalents you may know that in Unicode there's lots of different characters uh and for example there are multiple types of hyphens or dashes so as you see here um also put the Unicode uh codes there you see forward slash and hyphen that's normal but then you see these really high values so 2013 14 and 15 which are different types of dashes the en dash the em dash and a proper horizontal bar now it's not normal for a program to accept these
right in Windows normally we only expect a program to accept that forward slash but by having four other options um this is actually allowing attackers to bypass very simple and naive detections because consider this detection rule through the course of this um presentation by the way I will show you different sources of detection content um open source different vendors and I don't mean to pick on them but I just want to show you that um it's very often uh not taken into account and therefore you can bypass detections so this one is for Microsoft Defender for endpoint it's taken from this website by the way great resource if you use Defender for endpoint um but if you see
here what it's looking for in this detection rule it's trying to look for encoded commands and it does so by looking for a command line containing the word hyphen EncodedCommand or hyphen enc if you now look at the examples I just gave you right um we know that there is four other ways in which you can invoke the same command with a forward slash with an en dash em dash and a horizontal bar so detections like this look great and they will work in most of the cases but by simply replacing the hyphen with a forward slash you would completely bypass this detection so as an attacker making this minimal change you can already potentially um allow
yourself to bypass detection mechanisms so I hope that made sense this is a very basic case but as we go we'll go further and further oh thanks I do need that cheers all right so let's move on that was PowerShell msiexec so um Microsoft installer executable allows you to install software packages you may have heard of this system administrators use it a lot to install um extra software on on the um endpoint fleet attackers also like to use it because they can install malicious software or sometimes even legitimate software that they use for bad purposes so a normal way to invoke this program is to say msiexec /package and then the name of some um
tool you want to install now we already looked at the forward slashes so let's not go over that but what about other characters we've seen that know that that that uh hyphen had four different equivalents right can we do the same with letters turns out you can so if you look very closely at the screenshot here you see msiexec /p and then a small a and a subscript a or superscript and then regular CK again and small A and G what I'm trying to do here is install the tool AnyDesk which is a remoting tool but as you see it accepted it so again this can be problematic if you have a detection rule looking for
installations with msiexec you may be looking for the word package but if you use this small a the command line will still work but your detection may fail so again I hope you're trying to understand what I'm trying to do here small changes um that will detect simple naive detections now let's look at a more problematic one because this one works on a couple of um built-in tools but not all of them this one works on nearly every of them cscript again hopefully you know it is a um tool that allows you to execute VBScript and JScript on Windows computers so again system administrators use it it's a bit of a legacy tool but
still um malware writers love this as well because it's present on every Windows version and you can do a lot with it uh one way to run it is this command so cscript /nologo /e for engine VBScript and then uh a command uh file path containing your VBScript in this case my VBScript might just say Hello World um so look at that top one that is just the vanilla version right that works as I was alluding to earlier double quotes um are commonplace in Windows so um you could for example say /e colon VBScript wrapped in double quotes that would still work what you could also do is add more double quotes
in different parts of that command line so as you see here um VB SC RIPT does still work um and I could put them even if you look at the bottom one right basically every character is wrapped in double double quotes and for some reason the output is still output you would expect to be right if you now look in task manager or your EDR tool it actually gets passed on those double quotes so it does not live just in your command prompt this is what your EDR tool will see and again this is a big problem for detection this is another great resource again if you're new to cyber if you've not heard of this the Sigma project
great project lots of open source detection rules and again I don't mean to pick on them because they have great content there but this is one of the detection rules they are looking for cscript execution if you look at the very top that have a command line that contains at the very bottom /e colon VBScript now if we looked at these different versions that I just showed you on the previous slide that that first version the original one that most people use it would detect that any of the other ones it would not detect and we know that you know this is what your EDR sees so um that means that this detection rule will be completely
bypassed as I was alluding to this is probably the most common type of command line obfuscation you can use in Windows and because nearly every program is is vulnerable to this at least of the ones that are built in I don't know why I have such a dry throat I'm sorry cool now to make it even more complete I have a bit of a demo so is a video there's a lot going on so if you lose me at some point because it gets too complicated that's fine um towards the end I'll try and wrap it up and give some more sort of like high level lessons learned what I thought I'd do is look at
this specific DLL um hopefully some of you here will have heard of the LOLBAS project um it's a great open-source project where it tries to list these living off the land binaries and scripts one of them is comsvcs.dll so on this website you can find many tools that are available on nearly all Windows versions that have some weird functionality the reason this is one of them is because this DLL can uh dump the contents of a process memory now why does that matter well on Windows you have this process called LSASS it's probably the most important process on Windows because it does everything that relates to security this process contains lots of sensitive tokens
sometimes even clear text credentials but also just hashes um as an attacker you often try to get the contents of this process because it will help you um get further into a network right you can possibly move laterally so with this tool let me enlarge that with this tool with this DLL you can use rundll32 which is another built-in Windows tool you can call that DLL and then with these with a specific structure so MiniDump it's the name of the um export then the process ID of the process you want to uh drop which is LSASS followed by a path here it's dump.bin and then the keyword full so this is
how you run it and again trust me lots of attackers do this they would use this specific command in an attempt to try to dump credentials so naturally as a threat defender or as an antivirus software you try to detect and block this now in this demo it's a video I'm going to walk you through it um you will see that Windows Defender does prevent this to some degree but with minor changes we can actually bypass it so let's have a look I'm going to need my computer for for that so the first thing we need to do is to understand what the process ID is for LSASS right we just saw the structure that we need so I'm going to
do that shortly and then um let's start by just executing the command as it says on the LOLBAS website right what happens if we do that with just vanilla with Windows Defender so here I found the process ID 680 and I'm going to run it um so this is what the LOLBAS website said right rundll32 comsvcs.dll then the word MiniDump then the process ID which we know is 680 then a file path which I call variant one because it's my first attempt and then the keyword full now if I run that Windows Defender tells me you can't do that that's not safe so it says access is denied so sadly you see on my left hand side no
file was created now let's try to make some small changes because there's again with the knowledge we have from the previous examples there's a few things we can do oh how am we going to move this forward let's try this um so if you use rundll32 you may know that you can also use a comma instead of a space so that was my first try let's try that does that work does not work it's still blocked I even dropped the .dll bit which you can also um leave out if you use rundll32 but sadly enough no luck now something is is uh like Windows Defender is picking up on something right it knows something about this
command line that it knows it should block maybe it is um the process ID maybe it knows that LSASS is 680 so when it sees that number it will try and block it so what we could try let's go come on so what we could try is simply changing the number a little bit and then maybe we'll have success so what I've done here I've simply added a zero at the start of that process ID and if you look at the left hand side now we have a file variant 2a another thing you can try is adding a plus sign at the start of it and again it does work that seems weird right because the number 680
is still there we just represented it in a different way so simply adding one character already bypassed this detection so um interesting is there more we can do well let's have a look another approach uh that we could try is using ordinals this is a bit more technical um we've seen the word MiniDump right in that in that command line thanks we've seen the word MiniDump in that command line now DLLs often also have a um numeric representation of that function so every DLL has functions you can call those we use MiniDump but you can also use the numeric version so um in this case it's 24 you need to look that up it's it's not straightforward
but um once you figure that out instead of the word MiniDump I can also use #24 so interestingly enough now I don't need to uh pad that with a zero right if you look at the very first version um 680 still worked so I don't know what Windows Defender is doing but clearly it wasn't just looking for the number 680 um because #24 also worked without um the the padded zero however the 24 we can also pad so #0024 works but also we can add the plus sign again so now we already have five memory dumps over there right so this is what we not want to see but somehow we we did
work we did work it now let's look at some more options can we do the same but then with a comma this is weird these are the exact same commands I just run but instead of a space I used a comma over there um that somehow is blocked so Microsoft Defender is aware that this this trick exists but it's only looking for the comma version which is quite strange what I think happened is that Microsoft found a Blog where this trick was described they saw that in that blog they used a comma and they just didn't think about like oh maybe you should also look for the space because the space also works so um there we go that
one is blocked it doesn't matter if we padded with zeros it doesn't matter if we pad it with a plus now look at the very bottom so I'm not padding it with like five zeros but with like 15 what do you think is going to happen if I press play you can see where this is going so if you if you add enough zeros at the start of that #24 if I now press press enter that did work so we have another file there so again don't ask me why but if you add enough zeros you can still bypass this detection so crazy now um let's look at two more
versions let's clean up so uh another thing you can try oh that's a long um so we looked at commas and spaces now we know Windows loves to double quotes so what if we just leave out a space um interestingly enough if say comsvcs and then don't use a space or comma but just wrap it in double quotes and make it follow with #24 rundll32 is clever enough to understand that those are two separate things so I'm not using a comma I'm not using a space and now now the command line works again so that's another variant that we have so we already have seven version for seven different
bypasses oh that's not what we wanted this we tried this we tried oh my goodness it's going to restart every time okay um this is getting even more complicated now we reaching the end I promise you um numbers in Windows in any pro uh programming system or any operating system numbers are represented in memory right and um for the computer science students you will know there's different ways in which you can store integers sometimes they're signed sometimes they can be small numbers sometimes they can be large numbers what I'm going to try now is an integer overflow so these exports we were talking about this #24 um that number is what they call an um oh it was a name supposed to be
name for it a 16-bit integer so that means there's 16 bits of data you can put in there for that number and if you exceed that amount basically what will happen is that the number will return to zero so what I'm doing here is I make the number so big that it doesn't fit in the memory space and therefore this number 65560 in a 16 bit um world that means it will just become 24 again so if you make the number large enough you get an integer overflow you can see what's going to happen now if I press play that created an extra file so again because the detection is looking for #24 um it's it's it's not working but if
you increase the number now even that version with a comma that was blocked before if you remember right there was one version that was blocked by simply creating increasing that number we still get the result that we want so again the the detection here that Microsoft is using is not very resilient now final one this trick we can also apply to that um process ID because do you remember there was one version again where the process ID was being detected now process IDs are different type of integer they are a DWORD which is an unsigned uh long so that number can get really big it's almost like 5 billion so by simply adding that very
large number to um our process ID which was 680 again we can create an integer overflow uh Windows Defender doesn't know what's going on and we still get our memory dump so as you've seen we've had numerous detection bypasses so this is an overview of all of them that we've seen so we've seen it blocks the obvious ones the ones that are on LOLBAS the ones that are have been blogged about but we've seen numerous versions with small tweaks adding one or two characters or sometimes just leaving out a character did bypass Windows Defender right like the most used security tool probably because it is built in so before we move on to Linux and Mac what did this tell us right what does
this teach us so um we have seen here that we had a single command that we were interested in but we found like 15 different ways of um getting that command so there are many different ways in which you can express a single command now what we've also learned is that EDR or AV tools like Defender are not very resilient they were very focused on specific samples that they've seen but they didn't take into account that you can express commands in a different way so both as offensive security specialists as well as defensive ones look beyond the surface because by making small tweaks you can see here the the the difference could be between dumping credentials and not dumping
credentials right so that's that's a big um big reward now that's Windows bit of a mess but as we will see Linux and Apple Mac OS are not necessarily much better they just have different problems perhaps on a smaller scale so think about um command line arguments on Linux again those of you who use both windows and Linux will know there is a difference um Linux does not do command line arguments that start with a forward slash for the very simple reason that their file system often uses that right so on Linux you will almost exclusively see hyphens um often you see these Single Character arguments like- s but often you also see these long form arguments so hyphen
hyphen and then a word or in this case almost a sentence so long form arguments single character short form arguments um what's also really annoying from a detection point of view is that often you can combine these short form arguments so if you have hyphen a hyphen b hyphen c um you see that you can also um use hyphen abc and it will have the same effect again if you're writing detections this can be really annoying uh something I I won't have time for today to talk about but what is different on Linux is that arguments are not a string but they are passed as an array of arguments that does make a difference again I won't go into too
much detail but for that reason I would say on Linux the problem of command line obfuscation is slightly less worrying as we will see uh there are still issues but still just as I said with Windows the problem here is that these are conventions they're not rules um there's nothing that prevents you on Linux from having a a detection tool that uses uh forward slashes or um on Linux things are tend to be more case sensitive right it's not a rule you can uh as a as a program writer you can just write your own interpretation uh but um typically it's not however because programmers have their own conventions this will cause problems so let's start with the first
one oh sorry so these are the three executables we will be talking about base64 xxd and netcat or nc so this is a very simple one base64 it's a tool that is found on most Linux distributions it simply allows you to encode or decode content to base64 straightforward right so if I run this command um echo and then this this blob and then vertical pipe base64 --decode I will get the string he BSides now as you already probably have noticed from the screenshot um you can also leave out letters from that dash dash decode --decod --deco --dec --de even --d works despite the short form version being just -d if you see all the results under
that this all works now again you might think why does this matter right um because this probably just to help users out so you don't have to remember to decode or if you're lazy you can just press enter and it still works again this can be problematic this is an open source detection from Splunk again um great website with lots of resources again they do great work but this is just an example where you see what they're looking for they're looking for base64 or base64 um hyphen d and hyphen hyphen decode so it would detect the top one it would detect the bottom one but everything in between I hope you you agree with me will not be caught by this
logic so again small changes potentially big impact because we now bypass a vendor detection now you might think oh but maybe it's just base64 and base64 is not a particularly interesting command I agree um could still be used as we've seen there is a detection for it after all however this is very common in built-in Linux programs so this is taken from Ubuntu um the versions I could find on the latest um stable release wget curl touch ls ln many many more they all have something like this so on the screenshot you see wget again a tool attackers love together with curl to download stuff and again you see the same sort of
behavior where you can leave out letters command still works as you see at the bottom um but you potentially bypass detections so again that's problematic right um another example that I think is actually worse um xxd you may not know this one it's a bit more niche but it is like base64 it allows you to decode and encode hex content so um it's just a slightly different alphabet compared to base64 so the characters only go up to to f so it's 0 to 9 or a b c d e f um but what you could do for example here if this string I could pass it to xxd I pass it two options -p and -r and
what it will do is decode it and it will tell me hello BSides Pristina now the answer is already in the screenshot but what do you think should happen if I run this command as hyphen p abc hyphen r xyz what should happen with any logical sense right um it should either break because hyphen a does not exist or uh pabc is not a valid command or it should somehow I don't know um give you an indication that what you're trying to do does not work however as you can see from the screenshot it does work so I can execute xxd -pristina -rocks and that's a valid command because as you can see it
successfully decoded the thing it was trying to decode so as I was alluding I think this is the worst kind of um software implementation of command line arguments because what is happening here is that this software it reads the hyphen it reads the letter p or the letter r and then whatever follows next it just ignores it it's not interested it's not going to print an error message it just accepts it um why is that problematic well first of all that means that there is basically an infinite number of command line equivalents because I can make up any sort of letter combination the command line would work and I might bypass a detection what is even worse
is that potentially you can even fool an analyst some of you may be working a SOC or have some other defensive role um what would you think if you see a command like this xxd dash print equals documents history uh read only equals true we were saying before right a command line tells a story so if you read this you may think okay it's maybe printing a document and it's only doing that as read only well this is this is all made up right because we know xxd only looks at the first two characters so as you see in the screenshot these command lines are the exact same it just blatantly ignores all the extra bits
that I added the lesson here therefore is um xxd can be used to make decoy commands I can even try to fool an analyst into thinking this is a legit action even though I might be doing something malicious so these wildcard style arguments are something to look out for they're they're quite bad cool finally in this Linux section um netcat so netcat is a tool it's it's present on most Linux distribution not always but um it's often used by um developers and also by malware makers because it is a great tool for interacting with network it can make TCP UDP connections it can receive them all sorts of things so for example I could execute
this command which will um so nc is netcat then uh I can pass it hyphen vz which basically tells me v for verbose and reach out for port testing then I pass an IP address in this case I said 8.8.8.8 and then a port number 53 what this does is it tests if that IP address is reachable and if the port number is open so in this case it tells me yes port 888 sorry IP address 8.8.8.8 exists port 53 was open and I could send it a TCP uh packet so great tool for just doing port knocking for example um this command line also or this tool also takes domains so if you
look at the bottom there of my screen um you can also call google.com 443 it will then work out that Google is available and port 443 is open so far so good now let's talk about IP addresses because what is an IP address we all know what it does right it allows you to talk to a different computer connected to the internet but why do we always write it in this form where you have three digits a dot three digits a dot three digits a dot why is that again this is a convention because an IP address actually is just a number it's a very big number but no one is going to remember a very long number right you're
going to have mistakes um you're going to end up uh I don't know talking to the wrong computer so historically when IPv4 was created they came up with this dotted decimal uh notation so if you look at the top command there um that's how we normally write it right 127.0.0.1 which is localhost that's how we know IP addresses now some programs not all of them um also accept different notations because ultimately an IP address is just a number so netcat for example also takes 127.1 without the zeros weird right to me that does not look like a legit IP address if you look at the bottom I don't know if this is going to work no if you look at
the bottom you see there the second line says connection to 127.1 brackets 127.0.0.1 so netcat worked out that whilst it wasn't a legit or a normal IP address it worked out oh you probably meant this one um that is weird because that's not how addresses work if you look at that second block you see hexadecimal notation which are characters up to the letter f again um octal notation which are digits only going up to number seven and decimal notation which is just um numeric right up to the uh 0 to 9 so interesting fun fact therefore IP address 127.0.0.1 internally actually is this number 2130706433 um interestingly enough ncat again is willing to convert these number back
to their normal IP representation again I find this very strange like how many people actually would ever use an IP address like that um yet netcat is helpful enough to actually help you do that and it get gets worse because it can take combinations as well here we see hexadecimal in normal IP notation we see octal in IP notation but then the really weird short notation um or even a combination of all of them octal decimal hexadecimal and there's a bonus there as well you can pad the port number again with unlimited number of zeros and as you see all of these commands worked what I think is worse it actually tells you is like oh you did something stupid
but I saved the day by actually turning it into a proper IP address um so again I think this is problematic because means um if you enter things like IP addresses you can make it look like something that is more like a domain name or something that isn't even an IP address like how many of you would recognize that um decimal version as that being a connection to an IP address right it looks like something completely different so again from deception this can be um really problematic and if you have a detection with a regex for example looking for an IP address other than that first one is not going to match on any of the other ones right so again you
may bypass detections with this now I think we need to uh make some progress here because we're nearing the end of the presentation so macOS I think the news here for macOS is that it is both is UNIX based so lots of these tools have just shown behave similarly on uh macOS but I thought I give you one more example that's specific to macOS to show you that that program isn't immune either so yeah very similar to Linux same command line um conventions but there are some specific tools with unique behavior and once again the implementing program decides so therefore weirdness guaranteed so this is my one example osascript is a built-in tool similar to
cscript I suppose it allows you to execute scripts um in different languages including AppleScript now I've been told on Stack Overflow that AppleScript is one of the least liked languages um poor Apple but um actually it is quite powerful you can do lots of um interactive things with your operating system such as display a message box running this command um basically allows you to run any AppleScript on the command line um and here we say display dialog hey friends with title waving emoji as you see that works if you look very closely though there is a difference between what I put there and what I put in the command line boom um again very small change but
we used this trick on rundll32 before as well you can leave out the space by simply um instantly adding a quote after the letter of interest and again this is a screenshot taken from the Sigma project once again great project but one of their detections is looking for osascript and uh space hyphen e space and now we've seen with simply leaving out the space and immediately putting a quote we can bypass this detection and therefore um you might miss out on some interesting behavior boom wrap up so what did we learn because we've seen a lot right it was all over the place lots of technical stuff what do we learn from this if
you're here today and you are in offensive security you must have loved this because what we've seen here is that it is absolute chaos right small changes possibly bypassing detections um especially on Windows right um you could really benefit from this so if you are doing offensive security gigs my recommendation will be is look into this because with small changes small risk you can have a really high reward so what I hope one of the takeaways of today is that look beyond the surface if you have a command you like to execute um but you're worried it might get detected look for these weird anomalies that allow you to execute it anyway command lines are much more
flexible than you think as we've seen from that example of the LOLBAS project if you copy paste it it was blocked but just the small differences um can really uh enable you to to do it what I would say however be very careful not to overdo it so um you remember these weird little A's we seen at the start if you add too many of them then the command line would just look weird so that in itself might stand out it might get detected because you applied too much obfuscation so um be careful same with the double quotes that the final one I showed you right had like 50 double quotes in it that in
itself is likely to get caught so um don't overdo it it's my tip um then the final one defenders if you're a defender like me um please don't cry because it's it's not as worse as it seems and not as bad as it seems um what it should be your takeaway of today though command lines should not be relied on what do I mean by that um by all means keep writing detections for command lines because as we've seen it does pay off lots of attackers don't bother changing them what we do see though is that if you don't write them carefully like the people from Microsoft um you can be bypassed it is also really hard in their
defense to account for all the different options because these tools by their very nature are just super flexible so I would recommend right don't overly rely on command lines but try to find detections that um work on other events so that um look look at that example I gave from netcat right where we were looking for IP addresses rather than looking for IP addresses on the command line what's a much better approach is look for Network events Network events after all um they don't it doesn't matter what notation you use they will always have the same notation in your EDR so if you can write detections on file level Network level DNS level honestly it is much more reliable than
trusting command line arguments so look for the underlying Behavior rather than the command line but finally again sometimes you just you can't right you have to rely on the command line in order to write detection so my tip would be focus on resilient detection have a think even if you're not sure um do I really need to hard code that hyphen or forward slash in my detection maybe just leave it out it probably won't hurt your detection it won't get more noisy but you would catch um possible obfuscation attempts but yeah assume that it might be bypassed and hopefully there is other ways in which you can detect uh the offending Behavior now finally before I wrap up um
thank you for listening first of all secondly wouldn't it be great if there was like a single resource because we talked about all these different examples right I gave you all sorts of anecdotes different platforms different uh iies how as a defender are you supposed to know which one can be bypassed with which trick wouldn't it be great if there was one platform later this year I hope to launch an open source project that documents all these weird anomalies so if you'd like to um stay informed on that give me a follow on Twitter if you're not on Twitter I'm also on LinkedIn so um I hope that really helped thank you for listening and uh if there's any
questions ask away thanks so much that was so nice guys any question
yeah thank you very much so I have a question regarding like detection use cases so what you recommend because for example usage of netcat it's red flag what do you think user base you user behaviors would this cover this those kind of attacks or can you give us more a concrete example how can we defend against those type of attacks sorry so so I understand your question so you say the netcat example right so you said like what for example netcat for example if I have user behavior analytics or something similar would affect this or can we protect or detect most activities well that's an interesting question right so user behavior so you could look at for
example um anomaly behavior which again would not depend on the command line if a user suddenly starts using netcat and never used it before could already be interesting right or if you look at frequency behavior of what command line options are used right maybe you will see that lots of your users uh connect to localhost and 127.0.0.1 but maybe not that many go to this weird you know uh decimal representation so again that's a clever way of actually bypassing this issue is by looking for anomalies instead so you just rank them according to popularity or you rank them according to I don't know how long the command line is how many different
characters are on there those are also clever ways in which you might actually detect anomalous behavior which could lead to finding malicious behavior so yeah you're right I think looking at behavior and things that stand out anomalies that's that's a key approach to actually making sure you do detect stuff like this also maybe I can share my personal experience we have kind of same problem we are using risk based alerting and it means that every time you use one of those binaries that you shown us it will be a risk score assigned to that user so if you misuse it I don't know netcat five times it reaches threshold and you will automatically have alert so exactly don't overdo it
because you get precisely no that's that's good advice and it's it's also difficult right because depending on where you work I work for a company where we have lots of developers right sometimes they will just execute net cat 100 times in a single minute right it does happen it's users are weird but that's why it's still interesting to look at the behavior right you could still see a spike and it could still end up being legitimate but by making sure you do detect it so you at least get an alert you can investigate it and depending on as you said risk score sometimes you can say a person works in the development department it's a lower
risk score but if it is a receptionist to get a higher risk score right so taking all these factors into account is also key in making sure you detect things as early on as possible so yeah thank you any other question is it defense getting better or like these vendors like Windows you said macOS yeah is also a good question I think on the whole yes they are getting better so I think um again when research get published defenders are very quick to actually add detections um this specific topic I was talking about today it remains a difficult problem because often we don't know about these weird quirks so um I think on the whole
they do get better I think there's a lot more attention for these sort of tricks living off the land executables probably had their popularity 10 years ago when it became really popular they're still one of the most used tools if you read any vendor report on the threat landscape they will always tell you executables like I've shown you today that is what attackers use most of the time not the fancy malware not the complicated binaries that you need to reverse engineer it's simple tools like this so does it get better yes um what I would say though I would really encourage Microsoft to stop some of these um weird functionalities in these built-in tools because that's
making our lives as defenders harder right some of this functionality should not be there in the first place but because it's already present on your operating system it's really easy for malware um or attackers to actually abuse that and with minimal footprint still execute their target so um does it get better yes um but there's still a lot of ground to gain from a defensive point of view okay and I noticed that some of the commands you need to add like a elevated privileges right correct yep yep so some so for example we did the memory dumping right you do need certain admin privileges the system one because it's a protected process in more modern versions of Windows if you
use kernel isolation as well you might not even be able to touch it as all at all but that doesn't stop uh attackers from trying right so but simply by just detecting it might again prevent you from worse things to happen but yeah it is important to bear in mind all all these tools right they they assume post exploitation most commands work as user some of them require admin but again depending on how your organization is set up it might not be too difficult to get to admin right once you're in there's always ways to to elevate your privileges that's again something you need to assume if an attacker is in assume that somehow they at some point
will get to admin so as a security boundary that's also important to to bear in mind thank you so much that was [Applause]
great 20 minutes break I think they're serving coffees and some snacks I'm not sure but we have 20 minutes break and then we'll come
back
to take it with my phone yeah
yeah
okay so we are ready to continue our next speaker is AB the Samad and he's going to be talking about how to build an application security program I'm looking forward to your talk the floor is yours well hello everyone thank you for having me it's uh it's a big honor today to be with you um first I'm going to start with this simple question who has never heard about the OWASP community okay we have some few number but I believe uh most of you guys are already familiar with the community and the projects its different guidelines and toolings and publication that all for free and the goal is to help developer build secure software in fact as of today if you
check the official git repo of this community we have 1.2k projects and again it include free resources that can be used by developers to uh build secure software and it's not the only resource today we are starting to see more and more organization working under the same goal like the OpenSSF for example or NIST from the United States but also ANSSI in France and etc and again they operate under the same goal which is providing free resources to everyone interested by application security this is all good but in my opinion we still don't have a clear answer when it comes to this type of question which is simply how we can integrate all of these
resources all of these tooling into our organization and you may get hundred of answers and many approaches on how to do this and in fact a few years ago we had this uh DevSecOps concept and how it can help you to solve all your security problems and you may also came to something called the shift left concept which is a uh an approach to integrate security within your projects and there is also this research article from the IBM system Institute which claim that bugs are six times more expensive to fix on the implementation phase than in the design turns out that this article is a big fat lie I mean you can check the
fact by yourself and after some research we will find out that this research doesn't exist and the IBM Institute even if it exist it's just an internal program made for IBM employees and the last point is there is no data that confirm this assertion let me repeat this again there is no data that confirm this assertion I mean I'm not against the concept of shifting left it totally makes sense when you fix an issue earlier in your product the less likely it will propagate deep down in your code and create dependencies everywhere that you need to fix later on but why do most of companies today that have invested millions on security tooling to achieve
this DevSecOps concept are still struggling with basic security issues into their products um and why I don't want to sound pessimistic from the beginning of this talk but if we have some penetration tester in the room I think we all agree that it's quite few to do a security assessment without finding any uh security issue or anything to write in the final report also now with the the shift to AI and LLMs and all this crazy discussion on um do we need to replace developers or something else as someone who work on a daily basis with developers do I have to maybe change the way I do my work or maybe uh find
another job so this is basically what we are going to cover in this talk on building a modern scalable and effective application security program a bit of background about myself so again my name is ABD Samad and I'm application security engineer and educator I've been working a lot and before on penetration testing so I'm certified penetration testers since 2014 and I used to do a lot of security assessments and four years ago I switched to different role where I work on a daily basis with developers and helping them with uh their uh products by providing the right security requirement and doing a lot of security review and acting as the subject matter when it comes to security topics I'm
also a contributor of the OWASP community and I had a chance to contribute to different project like the mobile security testing guide the OWASP proactive controls and I'm also founder of Keycloak Academy which is an e-learning platform on how to use this solution for identity and access management and finally you can reach it by uh on LinkedIn so as you uh may notice I had a chance to work on both side of the industry and this is basically what it feels like and um the thing is you need to have or see think from two different perspective because as a security folks we tend to see everything as an importance but we also need to take into the account the
developer perspective because they have the their own workload their own deadlines to to fulfill and I believe this is the uh the way we need to approach this kind of topics when we want to integrate application security into the sdlc and this is basically what we are going to cover in this talk so I'm going to present some of the latest Trend in application security and also provide you with some tips on how to scale your application security program uh especially when we are working on large environments and and this talk isn't uh a silver bullet I'm not claiming that it will solve all your security problems I'm just going to um explain the things
that work for my own organization and showcase the things that work and also the limit of it and it's completely vendor neutral in case I mention any vendor's name it's more often like um uh a habit and it's not uh and it it's definitely not a sales speech with that said um let's jump right to it um let's first start uh with the global definition of what is an AppSec program and why do we need uh an AppSec program an AppSec program has an objective of reducing the number of vulnerabilities in your products over time by building a repeatable sustainable and proactive security practices that are embedded seamlessly within your product life cycle and with that objective we do a
bunch of activities a bunch of things the goal here is to combine and split the problem into different area uh instead of focusing only on a specific approach to deal with application security and each um component of this of an AppSec program will require at least one talk to cover it in detail but in today presentation we are going to focus on two main component which is threat modeling and detection simply because we are seeing um big change on these two component over the last uh year or even the last month okay let's start with detection the goal here is to be able to detect security issue into your existing products or even new ones and here we
don't want to rely anymore on manual assessment like penetration testing or manual code review simply because it cost too much and also because the development these days is more into um rapid agile approaches and shipping things more frequently um not like the old man where these where we used everything um we script everything and do everything um on a minory basis the goal here is to be able to keep up with the velocity of change and build on the existing process and integrate in all of these so how we can achieve this how we can implement security testing when working with modern teams in order to answer this question I'm going to walk you through
the history of software security testing software security testing goes back to the 30s where uh Alan Turing and his team worked on uh the Bombe machine in order to break the crypto system Enigma they uh they even made a movie for this which is a a cool one by the way and it was this big giant machine with hammers and cranks and wires everywhere and it was a big things back uh to to this period because it did change the course of events during the second world war and then around the 70s we had a tool called lint which is which was the first static analysis tool and it did lay the ground
for many other tools that will take as an input your source code and point out exactly where you have security issues and innovation did really accelerated around the 2000 uh and here we have most of the tools that we um we see today and use today on the market and the the main issue with this kind of tool is that they are resource intensive and they require a lot of uh uh requirement lot of uh memory resources and uh CPU in order to execute uh security scan and it's even and you need sometime to wait for hours or even days in order to scan your whole code base and get the scanning reports and that's
why we have new generation of static analysis tools which can be used to run fast scans focusing only on the important security issues so as a developer I can use this kind of tool to verify my merge requests before I am allowed to um push the code to uh the main branch and this is something that can be done in few minute or few seconds parallel to this we had other subcategories of software testing tools like software composition analysis which aims to detect or scan your projects in order to detect what external dependencies are used inside your project and then verify if these dependencies have security issues and CVE also we had DAST which is um
automated penetration testing and here the approach is different from static analysis because we interact directly with the application by sending HTTP requests analyzing the response and deciding from there if there is any security issue to fix and last type of tools is interactive testing here the approach is completely different and it combines both static analysis and dynamic analysis the idea here is to instrument your application so we have deep visibility on the runtime and parallel to interactive testing the tool will alert you uh whenever you have security issues and this sums up the the uh innovation we had and many different research we had regarding software security testing from the old days where we used to have big machines with wires
and cranks Etc to the latest technology in term of software security testing with all this tool in with all this option we have now on the market which one is more relevant today which one deserve to be integrated into our organization do we have to put all or purchase all these tools or maybe we need to pick one depending on our specific needs and whatever solution you may pick there is uh some success criteria that you need to consider before uh trying to deploy this kind of tools the first one is uh integration here um as a security folks we need to understand and accept the fact that that these developer teams and develop teams has already their tools
they have already their pipelines and workflow to build the software so from a security perspective we don't need to change the way this team works and operates but instead we need to first understand the process and build on top of it in order to integrate in all of these then we have the uh implementation speed uh as we uh mention as I mentioned earlier the development these days is uh um more uh focused on the devops devops uh life cycle and shipping things uh um at high speed so we need to be able to provide tooling that match the velocity of change we see in devops environment then we have the ease of use um as a
developer I don't want to change the way I work I don't want to change my setup in order to install your tools um I'm already happy with my own setup and I'm not going to change it just to run security assessment so from the security persp perspective again we need to figure out how to propose a developer friendly solution that can be seamlessly integrate into an existing environment then we have accuracy this is very important because most of the tools that we uh saw later on May generate false positives and this can be acceptable at some level but if we continue to push every time false positive and not accurate results this may impact the trust Foundation we have
with our development teams so it's very important to leverage tool or use tool that provide accurate results and then portability here the goal is to be able to run my security tooling basically from everywhere with there it's locally from the CI as a web service as a container image etc etc
TR I think there's a
between so we had the same question um almost six years ago and our decision or our choice was to start with Dynamic application security testing but down the road we uh notice that this is something very difficult to setup and scale and simply because it has a lot of requirement you need to configure account you need stable environment to scan and you it cannot guarantee a good test coverage because the first step of dynamic scan is to map all the entries of your application which is something very difficult when you want to scan uh a single page application and sometimes it will take hours before getting a scan report especially when you scan a large application and when it
comes to fixing issues again it's very complicated because the developers need to inspect the code and figure out where he need to fix the issue this is why we decided to to switch to static analysis and in my opinion it's one of the most used tool uh today um by many organization simply because it's very simple to deploy the only requirement is the source code you can also achieve 100% code coverage because scanning the whole code base will allow you to spot on any security issue you can run at any time um and also in term of remediation it's very straightforward in the report you will get exactly which line of code you need to fix uh without having to invest much
effort okay now we decided to go for example with SAST the next question is where do I need to put or configure my tool and here there is different possibility and if you ask your security vendor he may tell you to uh use his IDE plugin to uh run security testing and the idea is to be able to flag security issues while the developer is building his own code this in theory may sound interesting but uh imagine yourself working as a developer with a tight deadline you just need to finish this merge request and go home and on the other side you have many tools installed on your IDE in your development environment telling you no
no no you don't need to do this you don't need to do that and sometimes the results are uh inaccurate this is can be overwhelming from uh as a developer experience and also for the security teams it's not that easy to install and configure simply because uh developers use different technology use different IDEs and it's very possible to cover all these toolings so this is very terrible idea when you want to integrate security tooling next option you may have is CI/CD integration as of today most of the vendors today provide plugins that you can install on your Jenkins for example in order to run security uh automated security scans but if you uh use this kind of
approach you end up with pipeline that look like this and here you are just dumping bunch of tools to your developers generating hundred of results no one will review no one will um be interested by this kind of uh approaches and it will create definitely a chaos in your dev uh DevOps pipelines so that's why we have now new approach again the old way to do just to sum up the old way of doing uh security integration either inside the CI or in the IDE it doesn't guarantee you will achieve 100% coverage it can be easily bypassed uh on the Jenkinsfile pipeline definition for example you just need to switch the option that TR security scans
and it will disable all uh the scan uh that you have configured and also the fact that we have decentralized configuration it's very difficult to update a set or made a change to the way you configure your scans and that's why we have a new approach which called pipelineless integration pipelineless security it's uh it's very simple the idea here is to um configure tools that will watch events from your SCM tool and whenever for example you have a new code that has been merged in your git repo this will automatically trigger scans somewhere that will verify your code instead of doing this uh directly in the CI and then it will provide isolated feedbacks directly to the person who did the
change and this kind of approach can be used to achieve 100% coverage from day one uh technically you just need to configure a webhook for each repo and and then from there the security tooling will be able to to automatically trigger uh analyses whenever we have a change into your git repo and the interesting thing about this approach is that you can manage everything in one place so once you get all your security tooling from the CI and have them in one place you can have full control on the configuration you can may change frequently etc etc and one interesting thing here is using this approach you can provide fast and private feedbacks so usually
when we run security scans we send the report directly to uh the mail address of a dev team but this is not something we can do for example when we scan uh when we detect secrets in the code you can't push all this uh the secret to a generic mail address with hundred of people here here we can by watching the webhook we can detect who made the change who pushed the secrets and from there send isolated feedbacks and private feedbacks and also trigger other process to um for example reset the secret that has been leaked in order to implement this again you just need to configure webhooks that um will watch for events um that
happen inside your uh uh git repository and from there you will uh trigger a workflow that will run security assessment here you have two main option either use custom script to code your workflows or use uh a solution that can handle this like Kestra for example which is an open source solution to implement your workflows and the cool thing about this kind of platform is that you can reuse components into different workflows you can uh also uh define these workflows as code as YAML file so it's very easy to update and uh maintain and this is basically our existing uh the workflow I'm using within my organization I'm not going to explain it um directly on the slides um
but this is something that we again we can configure only as code so it's very easy to understand and also we can again reuse different components into different uh workflows let's see this uh now this workflows in
actions and how we did implement pipelineless security in our case so here we we have a simple setting file that contains um some parameters related to this specific project and here the starting or we start just by pushing a vulnerable code to our git repo okay so here we push the code and we commit the code to this remote git repository and behind the scene we will have a tool that will scan the code and then detect if this new change contains any security issue here the code has been merged into into the remote branch and again behind the scene we have already a report a scanning report ready to share with the corresponding uh
developers and it will be uh sent by email so as a developer I don't need to check on a different tool I will have the information straight away to my my mailbox and here for each security issue we point directly to the git repository so again we don't need to view the issue in any external tools we are just reusing the existing one to uh provide provide uh detailed information and specific information about the issue so here we understand that there is um SQL injection issue and parallel to this we open a Jira tickets because everything is done uh using using tickets especially when working with the teams and inside the tickets we will have all the necessary
information in order to fix this issue
and
finally we have a Confluence page that contains that some simple secure code to reuse in order to fix each specific issue
and basically that's it so parallel to this we tried to collect some metrics in order to evaluate the effectiveness of this approach and we did notice that um over time we had a significant um uh we had low um number of issues over time which was really interesting and regarding the time to fix or the efforts required to fix an issue we noticed that it's also going down because as developers start to work on security tooling they started to get more and more familiar with um classic security issues okay let's move on to the next component which is threat modeling most of classic threat modeling approach will require you to uh draw a diagram like this this is uh for example
in the STRIDE methodology this means that you need to convert all your existing documents all your diagrams into something similar to this and I guess and we all agree that this is a painful task especially when you are working in a team with um huge workload and it's a very slow it's a very rote there is no better way to make security the worst part of someone's job and it's again it's very complex and we cannot use this kind of approach to review every change and it's difficult to scale and that's why we have now a new approach that try to leverage AI and LLMs in order to at least automate the repetitive tasks it might seems um complicated at
the beginning to use this technology and embed this technology into your existing workflows but we have today many frameworks that can make it easy for us especially for someone who doesn't want to care much about what happening behind the scene like for example the LangChain framework I'm not going to dive into the significant of each component but here the important one are first the uh LLMs integration component it will allow you to integrate with different LLMs uh like OpenAI Claude etc etc and you can even chain and combine these these uh these LLMs in one uh workflow and third component is document loaders is basically really interesting because it will allow you to enrich LLMs with
your own data so for example if you have document architecture or security policies specific to your organization you can inject this um you can reuse this this this information along with an LLMs which is very powerful and last component is prompts prompts will be used to give instruction to LLM agents in order to do a specific task for you and actually there was a nice research um that has been done to test how LLMs can be good at performing threat uh modeling so it the entry point was basic application called meal planner with the frontend API published behind the gateway and uh database to persist user data here the diagram was provided as C4 model language which is a way to
represent a diagram as code in order to make it easy for LLMs to understand and uh use it as as an entry point so along with the architecture diagram we provide also the project description and also a test user story to the LangChain framework which is backed by different LLMs and instead of directly asking the agent to do the security assessment or the threat modeling uh in one question here we split the the question or the task into two basic prompts the first one will just list the data flows and different connection between the different components and the second we review each connection in order to detect potential risk and the result of this experiment was a bit
interesting sometimes um some LLMs uh did provide relevant uh results to the scope but they were so generic here for example uh the mitigation is use https which is not something specific to this um to this uh use case but it's applied to any uh kind of architecture and also we had interesting result with different models like Claude for example so here we were able to get valid threat which is flaw in the API uh gateway and one interesting thing is that he managed to understand that we already have a security feature to mitigate risk it was mentioned somewhere in the project description so we were able to understand this and use it as uh component to mitigate the risk
and he did even challenge it because in the project description that has been provided in this study they didn't provide much details about how this feature is implemented so he provided as um uh as a recommendation to uh review this uh this implementation and make sure that it will mitigate the risk also um last week the OpenAI security team released some bots that they are using that they have been using to automate some of the uh most common security uh tasks and one of the agents is called is the SDLC Slack bot so this one basically acts as an entry point to product team to decide if a new product or a new feature need to undergo a
security review this is really important because as a security folks we always get requests from different teams uh we don't know which one we need to handle first by using this kind of approach I believe we can focus only on on the critical changes and the critical uh applications so what the future looks like with LLMs and um and threat modeling definitely this kind of technology will reduce uh the workload especially when it comes to repetitive tasks I mean I think the um the rote part of uh let's say threat modeling need to be done by machines not by uh by human and it's also uh important to customize LLM frameworks and uh design our prompts
but it's definitely worth it because it will save us hours and it will be more interesting to do this using LLMs than having someone um uh from security to the with every day and last point uh in order to make uh results more accurate and more relevant it's important to combine LLMs with RAGs and also uh decision tree uh this will definitely help and prevent AI or LLMs from hallucinating okay let's do a recap in order to build a scalable effective modern security program first regarding the scalability part I think it's interesting to not put everything on the CI this will only slow down your process and it will be difficult to manage it's better
to implement external workflows that will just watch events from your uh existing uh dev tools and then uh send private uh security feedbacks directly to the corresponding team and this will definitely minimize the configuration effort on dev team side regarding effective it's very important to collect data and track as much as possible because it's the only way to detect if you are going on into the right direction and regarding um the last point uh I think it's time to invest more and more in LLMs especially on the IC field to automate basic and repetitive task this will allow us to focus only on things that matter and regarding the last point I will I definitely recommend reading this
book uh this book Life 3.0 which has been published I think six or five years ago um in this book we are trying to imagine how life will looks like in the at the age of AI and it brings some important question about how we can inject this technology into our daily lives um as an NPC engineer some of the question I ask myself do I have to maybe automate the most repetitive tasks and focus only as uh into the important one or maybe delegate everything and just chill and relax and the book uh explore many many other possibilities so I would definitely um recommend checking this book and why do we need to ask this question today is
because the earlier we know where we want to go the easier we'll be able to attend it again my name is ABD Samad and um it was a pleasure speaking at your conference and I'm looking forward to have your
questions do I see any hands up any question I guess you were so clear thanks so much that was so nice and informative thank you we look forward having you again yes sure I enjoy your stay in C that's your first time right yes it's for my first time
okay uh our next speaker uh there you go
aror e
find for
okay our next speaker I guess it doesn't need any introduction uh he's a well-known figure in our cyber security here in Kosovo aror imir today he's going to walk us through about deep learning for protective alerting that being said AR floor is yours thank you so firstly I would like to thank the organizators for this event and also the participants that uh you're staying a bit late today it's Friday afternoons so I will try to complete the presentation in time so you'll be then free for the socializing event so the topic that I'm going to present today is deep learning for predictive alerting and Cyber attack mitigation this is a research paper that uh I have prepared uh is this is not
working I think or there I'll use this one okay this is a research paper that I've been prepared as a part of my uh PhD studies at Brno University of Technology so besides my PhD studies I'm also a a chief information security officer at ProCredit Bank Kosovo but at the same time I working as cyber security researcher at Sans NGO so uh without further ado let's continue so initially I will start with the introduction to the topic to the paper that I'm going to present today then I'll go a bit through the related work that have been done in this field after that uh we'll focus a bit in this uh predictive alerting as a
model that's being used to uh detect uh anomalous behaviors then uh part of this paper was uh also some experiments that we have conducted in order to test this um uh machine learning algorithm that we have included in the paper and as a final uh we'll do some conclusions related to this paper so now as we all know we are living in the fourth industrial revolution where the problem is is not anymore to get connected to this virtual world but the problem is how to secure ourself in this cyber space so what are the challenges in this field so in general the main challenges in cyber security derive from the
complexity of cyber space and uh this rapidly evolving uh techniques and tactics of uh cyber threat actors uh as we all know it's not a matter if we are going to be attacked or hacked but it's matter of when we are going to be hacked or attacked therefore um the main objective is to minimize and control the damage caused by cyber attacks and incident to provide uh like uh uh idea is to provide an effective response and recovery and also to prevent future incidents from happening uh let's talk a bit in this case regarding cyber threat intelligence so what cyber threat intelligence the main idea is to proactively protect our system so uh it's not a matter just to
deal with uh incidents when they happen but uh the idea is to uh fight with them to uh uh look for them before an event happens in the organization uh cyber threat intelligence in General Uses Data Mining and uh machine learning uh techniques which aim to transform the process data from large data sets from large sources that feeds that we get into knowledge into information so uh part of this is this predictive alerting as a uh method that's used to uh uh check for the historical data and realtime data in order to make this connection and at the same time to predict the future threats and attacks that might occur to our organization so the main challenge here
as you can see is to transform this a huge amount of data that we collect from lots of sources into actionable intelligence so it idea is to have the actionable data not lots of sources of information then we get lost on it so this is the the main uh the main focus of predictive alerting in cyber security so what's the motivation behind this research as I mentioned at the beginning I'm uh currently doing the PhD thesis which is threat intelligence and situational awareness in cyber security with the focus of cyber space in Kosovo therefore the idea was to test a new protocol uh a new uh in this case machine learning algorithm in a a real
case scenarios and to see how it uh uh compares with other machine learning uh and data mining algorithm in this case uh we used the deep residual neural network as a model and compared it with sequential rule mining intrusion detection tree intelligent intrusion detection model and scale net these were the four models that we compared our uh model that we use for this experiments the model that we use deep residual network is used in image processing and we wanted to see its performance in cyber security so in order to analyze and to evaluate its performance we needed to compare it with some uh actual uh uh machine learning algorithm that are used in uh cyber security in this p
in this table I have put the four main papers that have been focused and the four main methods that have been used in the uh in this predictive alerting in cyber security the first one was sequential rule mining approach from author Martin Husák uh in this paper uh and this this uh method had a very high successful I mean rate of detection but failed to train machine learning algorithm to automatically detect the good rules the second method that was used to compare our model our method uh is intrusion detection tree uh which had it was like a very good in terms of computational uh cost in terms of using the uh uh power
of processing but the has in general it has a lack of generalization approach the third uh method that we uh compared was intelligent intrusion detection model this method effectively reduced the computational complex in this case but failed to consider filtering and wrapping method for better performance so it couldn't achieve better performance and the last one was deep domain generation algorithm by author Vinayakumar he this approach provide very detailed information about the malwares but um it wasn't tested on real environment so these were the four methods that we compared our uh model so main contribution here is uh to predictive alerting is to provide as I mentioned the beginning actionable and prediction of alerts
based on this machine learning algorithm by processing uh different sources of uh information data sets etc so what our proposal was and the experiments we conducted was deep residual network predictive alerting it was used as a plugins and these were integrated in the SABU platform SABU platform is a platform used in Czech Republic which is developed and maintained by an um academic uh uh uh entity in the Czech Republic and it collects feeds from third party from honeypots from intrusion detection systems then it has a database called NERD uh which calculates the reputational uh I mean scores for network entities is similar to Shodan and also it has this Mentat where users can uh register to this platform
and get the feeds according to their uh IP addresses and indicators they want to receive and this uh I Abu is an analytical component that is um uh used by the administrator of this platform so what we did we use this um threat intelligence sharing platform and we integrated uh two machine learning algorithm that weren't tested before so we integrated for alert segregation fitc means clustering and also for alert prediction we integrated as plugin this uh uh model machine learning model called deep residual network which I mentioned is used in the image processing so it was the first time to test it in the cyber security how we did this so there are
some stages in this the uh SABU threat intelligence system platform firstly we get the input from that data set of this threat intelligence uh by normalizing first the first step is to normalize the data set and in one identified unified I mean uh format the second uh stage was here to normalize them together with the inputs that we had from logs uh in the situation awareness here we used fitc means clustering as an algorithm where we provided this as a plugin to the platform so we use this SABU platform and we use this as a plugin with our um uh uh protocols uh I mean machine learning algorithm that we wanted to test third stage after we did clustering
groups of uh uh information we used feature selection in this case we used the Hellinger distance uh uh to identify I mean the uh uh feature selection in this case third and fourth uh stage was threat intelligence AG engine here we included the machine learning model that we wanted to test and at the beginning at the end we did blacklisting by uh blacklisting the suspicious IP addresses based on this all process so I just explained this uh theoretically how we did the experiments uh during this uh research paper so how we did the experiments we used the Python programming language database from uh this is the SABU platform specifically the Warden server uh where
these information are collected currently it has 34 gabit of uh information there are 10 million uh events there are 25 senders and 33 receivers uh during our test we used nearly 12 million alerts generated by 34 intrusion detection systems honeypots and other data sources that we can see here in this uh design so these were the information that we used to make this uh uh test of this uh machine learning uh algorithm here you can see the results uh there have been several tests several iterations uh firstly with 60% of train data then with 70% of train data 80% of train data until 90% of trained data to to analyze the performance of this deep
residual network predictive alerting uh by using these uh four uh three main performance metric which was precision uh recall and F-measure as you can see here are explained the uh uh what does these um uh measures mean precision we have false positive true positive then we have relevant event precision means that total number of uh true positive divided by the entire true and false positive then recall we have number of true positive divided by relevant events number of real all relevant events the results here are with each iteration firstly with 10 iteration we tested all the metrics all the performance metrics with 15 with 20 and 25 iterations so this test was conducted only for deep
residual network algorithm what we did next we wanted to see how this uh uh machine learning algorithm compares with other relevant uh machine learning algorithm that I mentioned in the uh beginning of presentation so what we did we tested also all of them we integrated them as plugins to the SABU platform and we tested with 60% with 70% 80% and 90% of trained data and as you can see in the result the deep residual network machine learning algorithm outperformed the other uh algorithm in terms of precision recall and F-measure as you can see the first is around the with sequential rule mining there is around 15% better performance 80 with 95 uh with intrusion detection tree is
around 14% better with second uh machine learning algorithm there is with the intelligent intrusion detection model is 10% better performance and in scale net that was the best performed out of these four it's around the 8% better performance this is only for precision as you can see for recall the same and for F-measure the same so this protocol uh provided better this uh machine learning algorithm provided better results than the others in detecting and predicting cyber attacks so as conclusion uh the use of machine learning in threat intelligence and analysis as you can see can improve the efficiency accuracy and effectiveness of threat detection and response which in today's fast evolving threat landscape is very critical as you
all know the proposed model that we used uh enhances the performance of generalization and also it used less uh processing time when we use this ReLU function activation function which was better than tangent and sigmoid function so mathematical function that are used to test the performance uh the idea as the AG alert segregation fitc means that we used also provided very effective in clustering in the groups the threats and as a future work of course we can improve this uh protocol by uh testing it with a higher data set and also in live environment so this was in general I tried to be a quicker than I planned uh because it's uh Friday afternoon there's
socializing event so I didn't want to uh stress you more if you have questions you can address them directly or you can uh contact me through the um email address thank you AR not does anybody have any question okay you're going to make me walk up there that's fine no
problem you good uh so just out of curiosity I I'm not going to name company names I don't want to go that route but so when I'm doing uh detection bypassing and such so you let's suppose that you have a some type of threat uh detection mechanism that uses AI the ones that I see often use used uh have a long spin up time so they learn a company or even a person's Behavior they learn what's uh normal and then then they can detect what's abnormal the down the downside to this of course is that at the very beginning everything is abnormal right the the the LM or whatever you're using has to be trained up um so I guess my question is
is this something that can be uh user friendly so if you are if you're trying to train up an AI to detect um any type of malicious behavior are you basically looking for anomalies or anomalous Behavior or are you looking more for um machine code or other things how how are you detecting it and do you see this impacting uh the usability of somebody's day-to-day operations but well in general uh these methods goes in combined with other techniques because of course there are lots of uh false positive rates in this case and that's the the main challenge in this field so it tries to get the best results but of course in this case you have lots of false positives which
then you need to combine with other techniques in order to uh have the a more accurate uh results in the predictive alerting is your research uh available online or yes Arian it's in IEEE Xplore it's published it was part of uh CCWC IEEE conference I present there and it's available in IEEE Xplore great thanks so much any other question yeah is this project some implemented somewhere you mention in in Czech Republic yes uh in fact the similar idea I am uh trying to implement in Kosovo in national cyber security unit which is called CERT so the idea started from here when I started the to do I mean to when I initiated the stting
studies in cyber security I saw such kind of project then I saw it as a possible to be able to be integrated in the Kosovo So currently with some of the teams uh from Research Center we are trying to implement similar solution in Kosovo and at this at the same time to to implement to integrate that algorithm in order to achieve better results great any other question aror thanks so much that was very informative thank you very [Applause] much okay guys as we are coming towards the end of uh today's session let's just remind you once again this is a two-day event so we hope to see you tomorrow again we're going to have some very
interesting talks workshops um as we coming to the end uh what's next let me okay so uh the CTF is open like the bside CTF and it's will it will be open for 24 hours so you can play it from your I mean from your house your hotel wherever you are staying and you have to obviously register on CTF besides Pristina do uh well or org and we also have a raffle game so we have five actually six vouchers to well to share with you so I hope that everyone got a a raffle number at the registration desk and there will be another five uh well vouchers tomorrow uh during the day as well
use Excel like a random number
almost e
who has uh
72 okay no one
85 18 sorry yeah yeah yeah well we got the first one
your number
up okay uh let's go for the next one 1002 no one 90 okay okay so Cy got number 90 80 no one
46 uh 105 now one actually the number is upstairs so maybe tomorrow 15
12 37 congratulations 64 64 bits 94 99 uh actually I know
33 1 86 39 18 [Music] 10 24 okay we have another winner here [Applause] do two more prizes left to go 16 18 was already uh 96 I think it went previously 75 uh we got another winner over there and uh the final one 21 no one 75 already 21 again 58 and we got the final uh winner so uh please send an email uh with a picture of the of the the number to uh info@ bsa.org and you will get the voucher in the next coming days on the well at the latest on Monday thank you and have fun with the CTF and see you tomorrow at
time