The WithSecure Briefing
Wednesday, March 22nd, 2023
09:00 – 19:00
Tate Modern, London
Our most recent flagship event took place in March 2023. Together with our partners and clients, we considered upgrading security mindsets in ever changing technology and security landscapes. For those that could not attend in person, you can find the recordings of the presentations below.
The day entailed presentations from our leading cloud security, purple team, and attack detection experts.
New additions to the Briefing format included:
- Bringing to life our co-security partnerships as we put greater emphasis on sharing the stage with our clients and partners.
- An overarching theme - 'Upgrading the Security Mindset' - that acted as a strategic thread between the presentations as we considered how to stay ahead of new attacker techniques, tactics and processes.
- Our first panel discussion, with participants from across WithSecure's partner and customer communities, who helped to draw actionable conclusions from the day's technical content.
Dangers of Service as a Principal in Amazon Web Services
by Matthew Keogh and Tom Taylor MacLean
This talk focuses on AWS resource-based policies and how an attacker can use these to bypass permissions boundaries within an AWS account. Specifically, focus is on how resource-based policies are misconfigured in the real world which can lead to resource or whole AWS accounts being exploited by an attacker.
The speakers demonstrate the real-world impact this can have while highlighting certain AWS services and configurations that can be exploited by this attack. A less well-documented misconfiguration which is still often seen in engagements, and can unintentionally provide attackers with privileges, is explored. Attack vectors with real impact are demonstrated before defences against these are explored.
Az-ure Door Been Left Open? Common Azure Misconfigurations
by Aled Mehta
We often see a number of recurring issues across customer Azure and Azure AD environments. The benefit of remediating some of these issues is not always immediately visible and can often be outweighed by the cost associated with resolving it. The focus of this talk is to highlight some of the common cloud management challenges that enterprises face along with high level guidance for avoiding these issues or mitigating their impact. The talk aims to cover a range of issues from over privileged identities to poorly secured storage accounts.
The audience will be given context as to why some of these configurations are risky, what the potential impact can be, and what considerations can be made to avoid these configurations in the first place.
Pithing Needle: Detection of Sliver Command & Control
by Riccardo Ancarani
This talk focuses on the methods and techniques used to identify the presence of Sliver Command & Control (C2) implants, from a network, memory and OS artefact perspective. Recent threat intelligence showed that the usage of Sliver as a commodity C2 by criminals has increased over the past year, making it a pressing concern for organisations.
Building on the research done by Microsoft, this talk aims to provide a vendor-agnostic approach of detecting and defending against this type of threat. The audience will gain an understanding of the internals of the Sliver framework and its agents, as well as the tools and strategies available to security professionals to combat these attacks.
Increasing your Fiber Intake: Detecting Windows Fiber API Abuse
by Daniel Jary
This is a technical talk focusing on the lesser known subject of Windows Fibers; including how and why they are being abused by attackers and the challenges faced from a detection engineering perspective. It details the reverse engineering of the Windows Fiber APIs and how, by understanding the underlying mechanisms used, we are able to build forensically relevant telemetry from process memory. In addition, Daniel will demonstrate how an in house POC fiber enumeration tool can be used to detect fiber abuse.
Recording to be released later in 2023.
How the DPRK like their Pizza: Lessons Learned from a Cyber Crisis
by Mehmet Mert Surmeli and Tim West
During Q4 2022, A proactive threat hunt by WithSecure Intelligence identified persistence access from a WithSecure Elements EPP (Endpoint Protection Platform) customer estate. Although initial indicators were linked to a ransomware actor, the WithSecure Incident Response team found the cyber-attack was conducted by a threat actor that WithSecure have attributed with high confidence to an intrusion set referred to as Lazarus Group.
Tim and Mert walk you through the timeline of the case from the perspective of the victim, showing how decisions taken early on can impact the investigation and cost of an incident. The presentation also depicts how good cyber threat intelligence can deliver a force multiplication effect in IR cases while considering where it can detract.
Pain in the SaaS - Persistent access in the SaaS-first World
by Luke Jennings, VP of Research and Development at Push Security
For many years, a common compromise scenario has involved phishing attacks leading to an endpoint compromise, deployment of a malicious implant, a command and control channel and endpoint persistence to survive reboot, followed by lateral movement to other systems inside an internal corporate network. However, simultaneously the world has been moving increasingly towards a SaaS-first, remote-working model and endpoint security, detection and response techniques have been steadily improving. So how is this changing cyber attacks and threats?
This talk focuses primarily on one key phase of the cyber kill chain - persistence. We look at how technologies like OAuth can be used to achieve persistence and impersonation, how common SaaS services and software clients can be used as part of this and how traditional incident response procedures such as password resets and secure device wipes are not enough to kick out an attacker who persists at the SaaS layer.
By the end of the talk, the audience should understand how the migration away from large internal networks towards SaaS-based remote working models is introducing a new set of threats that require a new set of prevention, detection and response approaches.
Closing Panel Discussion
This new addition to the Briefing format entails participants from across WithSecure's partner and customer communities, who consider actionable conclusions from the day's technical content in relation to the overarching theme of 'Upgrading the Security Mindset.'
Join us next time
If you'd like to be informed regarding future events, fill out the form and we'll be in touch.