June 22

Event takeaways: BSidesMeSh21 – day 2


My key takeaways

  • 11 min from (accidentally) publishing credentials to GitHub until pwn
  • 2019: ~200k credentials in GitHub; 2021: +20%
  • runtime secrets go to application secrets managers
  • InfoSec’s dirty little secret:

    We can’t know all the options, but we still need to help secure all the things — Jenn Janesko

  • Ideas on how to solve this, according to Jenn:
    • start small, pick something achievable
    • select and verify tooling
    • trial it with some teams
    • document and curate code artifacts
    • rinse and repeat
  • black hats use NDS/CAS to prove that their malware will evade AV detection
  • these tools also offer periodic scans for burnt infrastructure and periodic rechecks of the bad actor's malware against updated AV
  • AI made it through the trough of disillusionment
  • if an attacker is able to poison the training data of an AI, it will at least become useless, if not backfire
  • attackers have poisoned image-classification AI by adding noise to images that would be a positive match and is invisible to human QA, making the AI believe that a dog is a fish 😀
  • Mitigations against getting your AI poisoned:
    • filter suspicious data origins
    • fault-tolerant data sampling
    • diff-tracking (detection)
    • reliable benchmark (detection)
    • no silver bullet available
  • a WAF with a positive security model needs to build a baseline <- prone to poisoning
  • Why allow access to AI training data in the first place?
    • depends also on budgets; if you have to rely on external sources, e.g. crowdsourced data or publicly influenceable data like web traffic
  • Botnets are all over the place
    • Crypto-miners <- most common at the moment
    • Ransom-botnets
    • DDOS
    • BNaaS
  • Most botnets become known by accident or are sometimes hunted by security researchers for fame. No commercial benefit, no continuous hunting from the private sector. Remains a duty for law enforcement
  • Ransomware has incredible timelines from infection to ransom demand: 5 – 1h only
  • "Tradecraft":

    the skills and methods used by someone doing a particular job — Sajal Thomas

  • Adversary profiles:
    • criminals:
      • noisy
      • smash & grab
      • take what you can get and extort
    • APT
      • stealthy
      • low & slow
      • specific information and persistent access
  • Operational tempo will vary with the type of adversary
  • A lot of EDR, NDR, XDR will need 30-90 days to learn what is "normal"
    • a lot of time for an attacker
    • if beacon is placed in this time, it will be considered as normal traffic
  • Cobalt Strike is a framework used by security researchers as well as by criminals
    • well known and heavily signatured but used anyway as it saves time and effort for criminals and is tested in "production". It is also hard to attribute as used by almost everyone.
  • code-signed malware is getting more and more prominent on dark markets
  • OpSec failures like loud Kerberoasting are only a problem for the attacker if the victim has an effective SIEM in place
    • a "funnel of fidelity" is needed due to finite resources in security teams: Event -> Alert -> Lead -> Incident
  • security systems like card access systems, CCTV, … can send data to centralized log management systems as well to give a more complete picture
  • Graylog is open source and can be run on a Pi
    • good for homelab testing
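Two of the takeaways above share one failure mode: a positive security model (WAF) or an EDR/NDR/XDR that spends 30-90 days learning what is "normal" will treat a beacon planted during that window as normal, and the talk's suggested mitigations were diff-tracking and a reliable benchmark. The script below is an added illustration, not code from any of the talks; the connection log, destination names (`.invalid` TLD) and the 60-second jitter threshold are constructed assumptions.

```python
import statistics
from collections import defaultdict

DAY = 86400

def make_events(days, beacon):
    """Constructed outbound-connection log: (abs_seconds, destination).
    Business traffic carries natural jitter; the optional beacon checks in
    hourly with none, the way a scheduled C2 beacon would."""
    events = []
    for day in range(days):
        base = day * DAY
        for t in (32400, 43200, 61200):                 # 09:00, 12:00, 17:00
            events.append((base + t + (day * 37) % 600, "updates.example.net"))
            events.append((base + t + (day * 53) % 900, "mail.example.net"))
        if beacon:
            for hour in range(24):                      # fixed-interval check-in
                events.append((base + hour * 3600 + 5, "cdn-cache.invalid"))
    return sorted(events)

def learn_baseline(events):
    """Per-destination profile: connection count and jitter (population stdev
    of inter-arrival seconds). Mimics the learning mode of an EDR/NDR/WAF."""
    seen = defaultdict(list)
    for ts, dest in events:
        seen[dest].append(ts)
    profile = {}
    for dest, stamps in seen.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
        profile[dest] = {"count": len(stamps), "jitter": jitter}
    return profile

def is_anomalous(baseline, dest):
    """Positive security model: anything not seen during learning is an alert."""
    return dest not in baseline

def diff_baselines(trusted, learned, max_jitter=60.0):
    """Diff-tracking mitigation: destinations absent from a trusted earlier
    benchmark that show machine-like regularity are candidate beacons."""
    return sorted(d for d, p in learned.items()
                  if d not in trusted and p["jitter"] <= max_jitter)

if __name__ == "__main__":
    trusted = learn_baseline(make_events(30, beacon=False))   # clean benchmark window
    learned = learn_baseline(make_events(30, beacon=True))    # learning window with beacon
    print(is_anomalous(learned, "cdn-cache.invalid"))         # False: beacon became "normal"
    print(diff_baselines(trusted, learned))                   # ['cdn-cache.invalid']
```

The poisoned baseline alone never alerts on the beacon; only the diff against the earlier trusted baseline surfaces it, which is why the learning window itself needs to be a monitored period rather than a blind spot.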


additional links


  • 13:00 – 13:05
    • Opening Day 1
  • 13:05 – 13:40
    • BSides Munich Keynote – InfoSec’s Dirty Little Secrets (Jenn Janesko)
  • 13:40 – 14:00
    • No Distribute Scanners: A Perfect Testing Ground for Malware Developers (Mathieu Gaucheler & Florian Murschetz)
  • 14:00 – 14:35
    • AI in a Minefield: Learning from Poisoned Data (Itsik Mantin)
  • 14:35 – 14:45
    • Coffee Break
  • 14:45 – 15:15
    • CrimeOps of the KashmirBlack Botnet (Sarit Yerushalmi & Ofir Shaty)
  • 15:15 – 15:45
    • Modern Adversary Tradecraft (Sajal Thomas)
  • 15:45 – 16:10
    • Coffee Break
  • 16:10 – 16:45
    • Padding Oracle Attacks – The critical bug in your home-brewed crypto protocol (Henning Kopp)
  • 16:45 – 17:15
    • The Care and Feeding of Meerkats (Sascha Steinbiss & Andreas Herz)
  • 17:15 – 17:35
    • Log Management Keeps Your Network Secure — Real-World Examples (Jeff Darrington)
  • 17:35 – 17:40
    • Closing Notes and Virtual Prosit with organizers


AI, botnet, BSides, conference, cryptography, darknet, DevSecOps, event, logging, malware
