The WithSecure Briefing
Wednesday, March 22nd, 2023
09:00 – 19:00
Tate Modern, London
Join us at our flagship event where, together with our partners and clients, we will consider upgrading security mindsets in ever-changing technology and security landscapes.
Hosted by WithSecure's Chief Technology Officer, Tim Orchard, the day will include presentations from our leading cloud security, purple team, and attack detection experts.
New additions to the Briefing format will entail:
- Bringing to life our co-security partnerships as we put greater emphasis on sharing the stage with our clients and partners.
- An overarching theme - 'Upgrading the Security Mindset' - to act as a strategic thread between the presentations as we consider how to stay ahead of new attacker techniques, tactics and processes.
- Our first panel discussion, with participants from across WithSecure's partner and customer communities, who will help to draw actionable conclusions from the day's technical content.
Places are limited; please register your attendance below to secure your seat.
The presentations:
Dangers of Service as a Principal in Amazon Web Services
by Matthew Keogh and Tom Taylor MacLean
This talk will focus on AWS resource-based policies and how an attacker can use these to bypass permissions boundaries within an AWS account. Specifically, it will focus on how resource-based policies are misconfigured in the real world, which can lead to resources or whole AWS accounts being exploited by an attacker.
The speakers will demonstrate the real-world impact this can have while highlighting certain AWS services and configurations that can be exploited by this attack. A less well-documented misconfiguration which is still often seen in engagements, and can unintentionally provide attackers with privileges, will be explored. Attack vectors with real impact are demonstrated before defences against these are explored.
Az-ure Door Been Left Open? Common Azure Misconfigurations
by Aled Mehta
We often see a number of recurring issues across customer Azure and Azure AD environments. The benefit of remediating some of these issues is not always immediately visible and can often be outweighed by the cost associated with resolving them. The focus of this talk is to highlight some of the common cloud management challenges that enterprises face, along with high-level guidance for avoiding these issues or mitigating their impact. The talk aims to cover a range of issues, from over-privileged identities to poorly secured storage accounts.
The audience will be given context as to why some of these configurations are risky, what the potential impact can be, and what considerations can be made to avoid these configurations in the first place.
Pithing Needle: Detection of Sliver Command & Control
by Riccardo Ancarani
This talk will focus on the methods and techniques used to identify the presence of Sliver Command & Control (C2) implants, from a network, memory and OS artefact perspective. Recent threat intelligence showed that the usage of Sliver as a commodity C2 by criminals has increased over the past year, making it a pressing concern for organisations.
Building on the research done by Microsoft, this talk aims to provide a vendor-agnostic approach to detecting and defending against this type of threat. The audience will gain an understanding of the internals of the Sliver framework and its agents, as well as the tools and strategies available to security professionals to combat these attacks.
Increasing your Fiber Intake: Detecting Windows Fiber API Abuse
by Daniel Jary
This is a technical talk focusing on the lesser-known subject of Windows Fibers, including how and why they are being abused by attackers and the challenges faced from a detection engineering perspective. It details the reverse engineering of the Windows Fiber APIs and how, by understanding the underlying mechanisms used, we are able to build forensically relevant telemetry from process memory. In addition, Daniel will demonstrate how an in-house POC fiber enumeration tool can be used to detect fiber abuse.
How the DPRK like their Pizza: Lessons Learned from a Cyber Crisis
by Mehmet Mert Surmeli and Tim West
During Q4 2022, a proactive threat hunt by WithSecure Intelligence identified persistence access from a WithSecure Elements EPP (Endpoint Protection Platform) customer estate. Although initial indicators were linked to a ransomware actor, the WithSecure Incident Response team found the cyber-attack was conducted by a threat actor that WithSecure have attributed with high confidence to an intrusion set referred to as Lazarus Group.
Tim and Mert will walk you through the timeline of the case from the perspective of the victim, showing how decisions taken early on can impact the investigation and cost of an incident. The presentation will also depict how good cyber threat intelligence can deliver a force multiplication effect in IR cases while considering where it can detract.
How Attackers are Adapting in a SaaS World
by Luke Jennings (external presenter)
A WithSecure alumnus, Luke Jennings is now the VP of Research & Development at Push Security. More detail regarding this anticipated talk to follow shortly.
Register your attendance
We will be in touch shortly to confirm your place in addition to the final agenda.