The Briefing, London

Thursday, May 19th, 2022
09:00 – 19:00
County Hall, London, United Kingdom

Our most recent in-person UK Briefing took place in May 2022. For those who couldn’t attend in person, the recordings of the presentations are available below.

The purpose of this event was to provide:

  • Technical and business-related insights
  • Practical ‘how-to-tips’
  • Guidance from cyber-security experts
  • The opportunity to network with peers and discuss the latest industry trends with our consultants

Presentation recordings:

Mapping and exploring cloud access management at scale, presented by Nick Jones

Tracking and managing access across a cloud estate is one of the biggest security challenges faced by many organizations, particularly as they scale up their cloud usage. The permissions systems implemented by the cloud providers are complex, out of necessity, to provide the required capabilities. However, this makes it very difficult to keep track of what users and systems can manipulate assets within an environment. This can lead to an attacker being able to escalate their privileges within a workload, or pivot from one cloud environment into another, as a result of unintended permissions being granted.

In this talk, Nick presents several different approaches to enumerating and evaluating the true permissions of an entity across an AWS organization, highlights some practical steps an organization can take to immediately identify the most dangerous effective permissions, and discusses how similar techniques could be applied in future across other providers and in multi-cloud estates.

Detectree - data visualization for threat hunting, presented by Tom Barrow & Giulio Ginesi

An adage within the cyber industry is that "Defenders think in lists. Attackers think in graphs". But what happens when Defenders too think in graphs? In this talk, we explore the importance of the way one visualizes data in the context of threat hunting, the application of graph theory to this data, and introduce a recently developed data visualization tool - 'Detectree'.

The audience will:

  • Learn why data visualization is fundamental to threat hunting rather than just a ‘nice to have’
  • Understand why ‘Continuous Improvement’ is important within Blue Teams
  • Get access to a new tool!

Exploring the macOS endpoint security framework for threat detection, presented by Connor Morley

Endpoint Security Framework (ESF) is the somewhat new security auditing tool that Apple has introduced to provide the security industry with a one-stop shop for all its telemetry needs. The ESF is capable of providing real time telemetry for detection and automated defensive purposes. However, despite this component being introduced in 2019, it wasn’t until late 2020 that most of the industry started taking notice.

This talk provides an overview of ESF, why it was introduced, how the ESF can be used in active threat detection, the issues with data collection, and an example use case against the Meterpreter agent on macOS 11.2.2.

The audience will learn:

  • What the Endpoint Security Framework is and why it was introduced to macOS.
  • How the ESF can be used from a technical perspective and some of the caveats that are involved with its implementation
  • An understanding of the sort of telemetry that can be acquired easily via the ESF and its value to detection operations moving forward.

Exploring unconventional attack surfaces, presented by Katie Inns & Jake Knott

Attack surfaces have evolved faster than our techniques for securing them, meaning organizations are now being forced to consider attack paths that would historically have been lower priority. Have you ever wondered how an attacker could enter your corporate network through an employee’s residential broadband?

The rapid implementation of collaborative tooling and remote access solutions in recent years has seen an increase in misconfigurations and sensitive data exposure, creating new potential avenues for compromise.

These types of attack paths are often overlooked because they fall outside the traditional scope of endpoints, domains and network blocks. However, it's these attack paths that can sometimes offer alternative routes to a foothold.

This talk looks to explore various ways your organization could be targeted through unconventional means, and how attackers can often gain significant insights prior to gaining a foothold on a corporate network. It also looks to discuss how organizations can identify and reduce these areas of their attack surface.

The audience will learn:

  • Real examples of unconventional attack paths discovered by the ASM team
  • Why an organization’s attack surface isn't isolated to endpoints, domains, netblocks and assets with sensors
  • How organizations can detect and mitigate common untraditional attack surface exposure
  • Why traditional vulnerability management can miss realistic attack paths

What is effective ransomware prevention: Insights from the Conti playbook, presented by Arran Purewal

In 2021 and early 2022, technical documents were leaked by disgruntled affiliates of CONTI, one of the longest-running and most successful Ransomware-as-a-Service operators. Aside from the group’s political leanings and associations with nation states, the leak gave insights into multiple strands of interest from a Detection and Response perspective: operator skill, the group’s technical proficiency, and their preferred methods of exploitation at each kill chain stage.

This talk outlines the best approach to ransomware prevention and provides valuable insights on the approaches necessary to detect, evict, and prevent ransomware operators from reaching their goals.

This talk is applicable to all organizations concerned about the threat of ransomware or looking to bolster their detection and response program.

The audience will learn:

  • The techniques utilized by Conti and other ransomware actors
  • The common low-level techniques used by attackers
  • The mindset shift required to understand the most important aspects of ransomware prevention
  • What good detection & response practice looks like to prevent all threats, not just ransomware actors

About the speakers

Nick Jones, Global Cloud Security Lead

Nick Jones focuses on AWS security in mature, cloud-native organizations and large enterprises. He has several years’ experience delivering offensive security assessments and helping clients to improve their cloud security, specializing in supporting the development of cloud attack detection capabilities. He has previously spoken on the topic at major security conferences such as RSA and fwd:cloudsec. He also maintains WithSecure's open-source cloud attack simulation framework, Leonidas.

Tom Barrow, Threat Hunter

Tom joined WithSecure in July 2020, prior to which he completed a Physics degree at the University of Bristol and worked at several cybersecurity start-ups.

Tom is deeply interested in the application of data science to cyber-security, including novel threat detection and data visualization. Outside of work his interests include music production, indoor rock climbing and Liverpool FC.

Giulio Ginesi, Threat Hunter

Giulio joined the company in March 2020, prior to which he completed an MSc in Cybersecurity and was involved in several academic research projects. His professional interests include malware analysis and electronics. Outside of work, Giulio enjoys travelling and reading.

Connor Morley, Senior Researcher

Connor specializes in endpoint security research. He joined WithSecure in 2017, prior to which he completed a Computer Security & Forensics degree at the University of Greenwich. Previously a threat hunter in the DRT team, he has since moved to the research team to focus on improving detection capabilities. His interests include malware analysis, reverse engineering, and devising and releasing detection tools for both Windows and macOS. Outside of work, Connor enjoys travelling, gaming, cooking, and reading.

Katie Inns, Security Consultant

Katie's focus is on helping organizations reduce their external attack surface and improve its security. Katie has 4 years’ experience in the security industry, working in consulting and within an in-house security team focusing on vulnerability management and application security. Outside of work, Katie enjoys dancing and travelling.

Jake Knott, Security Consultant

Jake's experience in cyber security spans both defensive and offensive functions. Jake currently operates within the Attack Surface Management team, which is responsible for continuous external perimeter mapping/monitoring and rapid response to new and emerging threats.

Jake's current specialisms lie in the application of open-source intelligence to proactive cyber defence.

Arran Purewal, Operations Director, D&R

Arran is a Director in the Detection & Response Team at WithSecure. He has experience in Threat Hunting and has responded to incidents deriving from a vast number of threat actors across customer estates. He joined WithSecure in 2017 as a Threat Hunter and played a significant role in shaping the DRT into a leading blue team.

Outside of work Arran enjoys running and spending time with his cat.