Security BSides Athens 2022

BsidesAth Speaker

Talk #1

Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices

by Brian Contos, @BrianContos

Abstract: Working globally with Fortune 500 enterprises and government agencies for the past six years, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow. Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have 3-5 IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know: - What IoT devices we have - guesses based on legacy asset discovery solutions are consistently off by at least 50% - When our firmware was last updated - in many cases the firmware is end of life and the average IoT firmware age is six years - If our credentials follow organizational policies - passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm - How vulnerable our IoT devices are - at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs

Bio: With two IPOs & eight acquisitions Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant. Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.

BsidesAth Speaker

Talk #2

Team Europe & the International Cybersecurity Challenge

by Christina Skouloudi, @miss_narbi

Abstract: More than 100 new talents from all over the world, aged 18-26, participated in the 1st International Cybersecurity Challenge, through a total of 7 teams, of 15 people each. These teams represented more than 64 countries, from regions of Europe, North America, Asia, Africa, Canada and Oceania. The team that represented Europe in the 1st International Cyber Security Challenge consists of 15 members, aged 21-26, that come from 12 different countries. ENISA is responsible for training and forming Team Europe. In this talk, specific information on current and future activities for the training of Team Europe and the organisation of the International Cybersecurity Challenge will be presented.

Bio: Ms Christina Skouloudi works at ENISA, the EU agency for Cybersecurity. Christina has a background on computer science and holds a master’s degree on Digital Systems Security. At the early stage of her career, she worked for several years as a Full stack developer and moved to the Information Security area working as a Network and Information Officer at ENISA. Combining the two things she is passionate about, namely Software development and Information security, she likes to offer smart and innovative solutions through her work. A maker and breaker, who loves to contribute to both development and security community. Her main research interests focus on Internet of Things, Wireless Sensor Networks, Cloud Security, Incident Reporting and technical development of Cyber Security Exercises. She has published various papers on these topics and has also presented pieces of her work and developments in conferences like BSides

BsidesAth Speaker

Talk #3

Tales from the DevSecOps world - a SIEM completely «as-Code»

by G. Tsigourakos, K. Solomidou
& J. Torakis
, @Twitter

Abstract: Filtering the massive amounts of data traveling across an organization's network between applications, systems, endpoints, firewalls, routers can be a real pain. Collecting, parsing and filtering-out relevant data in real-time in order to alert our teams on suspicious activities & relevant security events This leads us to one direction only; a centralized Security Information and Event Management (SIEM) system. We know these have been out in the wild from multiple vendors and for quite some time now, but the million dollar questions remain: - How to set up & configure it efficiently? - How to maintain/update its infrastructure on (any) Cloud or on-premise? - How to establish change management and introduce accountability? - How to follow best practices and minimize the operational effort? We - @ Skroutz - try to answer these questions with Infrastructure as Code (IaC). And we didn’t stick only with the Infrastructure this time - we did Everything as Code! Users, Indexes, Lifecycle Policies, Pipelines, Rules and Exceptions are applied and maintained “automagically”, while we lean back enjoying a sense of self-fulfillment. We used Terraform which enables us to keep a consistent, repeatable, maintainable working configuration for our SIEM, with our Terraform code as the single source of truth. Combining all of the above, we managed to create an open source Elastic (ES) SIEM module and maintain the entirety of its configuration using Terraform. Our main infrastructure is set up on Kubernetes via Helm currently hosted on Google Cloud, but Kubernetes ensures portability on different cloud providers and on-premise setups. Cloud bucket storages (e.g Google Cloud Storage, S3) are also handy tools to store cold logs efficiently and cheaply. The entire SIEM configuration exists under Git repositories spiced with Continuous Integration / Continuous Development (CI/CD) fu that enables us to create anything from a new SIEM user to a Rule exception through the familiar workflow of Pull Requests without breaking a sweat.. Summing up, our journey on «How to SIEM as Code» will include: - GCP - Infrastructure Stack - Bucket Management - Elastic Stack - User Management - Index Templates - Lifecycle Policies - Ingest Pipelines - Snapshots - Elastic SIEM - Security Rules + Exceptions

Bio: > Kiriaki Solomidou I am Kyriaki Solomidou, a newcomer Security Engineer working at Skroutz. Hopefully, a graduate student of the Computer Engineering and Informatics Department. I use my Capoeira skills and my positive attitude to deal with Security Information and Event Management (SIEM) and Static Application Security Testing (SAST) stuff. Since last year, my favorite phrase is ‘Infrastructure as Code’. Sometimes, I enjoy the emotional roller coaster looking for the lost treasure in Hack the Box challenges. I really worried about myself when I found ‘Kibana’ a cool name for my cat. Now, inevitably, the next one will be ‘Lucene’. ---

> John Torakis Trying to create a Bio without feeling like cropping out the wrong part of the picture. I am John Torakis, most of the time a Security Engineer, SecDevOps shenanigan, «anything» as Code advocate, Dev of various inspirations and author of 'securosophy.com' blog. I do maintain an obsession with Security Information and Event Management(SIEM) systems, mainly because I tend to exaggerate their similarities with how human perception works. Secondarily because they offer an adrenaline rich way to chase h4x0rs over the network and also to pay bills! Right now I am trying to bring the Terraform vibes to SIEM Engineering, as stuff is starting lifting and shifting to computers owned by other people while we act natural about it. ---

> George Tsigourakos Hi, I'm George and I like cats. I am a full time Security Engineer @ Skroutz after being a Dev for many years and I enjoy writing code to automate my life. Why waste 1 minute to do something when you can take 20 hours to automate something and feel special? I enjoy hunting vulnerabilities and writing custom scripts to exploit my targets. This way we can find interesting holes and logic flaws in order to create rules on our SIEM. I like to hack my way in! On the other hand, my romantic nature hit me at a very young age and got me singing and playing the piano as a hobby. New hobbies are my motto. Last but not least, enjoying good junk food and working out is the perfect plan to stay in shape. You don't need to see my credentials. (Star Wars) ----

BsidesAth Speaker

Talk #4


by Nikolaos Vourdas, @Νickvourd

Abstract: During long-term adversary simulation engagements, host persistence is a useful method of regaining access to a compromised workstation or server, without having to reabuse the initial foothold all over again. COM object hijacking is a unique technique in which a default system-wide COM Object can be replaced by malicious software and loaded in its place. In this presentantion will release COM-Hunter tool. COM-Hunter is an open source upcoming tool written in C# which helps you to find valid CLSIDs more eficiently. Moreover, it automates all the process of the persistence in a workstation/server.

Bio: Nick Vourdas is a «Young Padawan» and Cyber Security Consultant based in Greece. He has a dream that one day will become a «Jedi Master». Nikos studied at University of Western Macedonia (Kozani, Greece) as a Informatics Telecommunication Engineer. He holds OSCP and OSWP certifications. His prior working experience includes the Cyber security Directorate department of the Greek National Defense. From the age of 18, Nikos participates in Bsides Athens and Bsides Cyprus as a CTF organizer. He loves open source but one day Microsoft's Active Directory «stole» his heart... He evolves to Web Application, Internals, Externals Infrastructure Penetration Tests and Source Code Reviews. You can call him «nickvourd» or «ncv». His favorite phrase/slogan is «Last but not least, It is what it is, boyz!».

BsidesAth Speaker

Talk #5

Lessons learned in automating the incident Life-Cycle

by A. Sinno & W. Stinkens, @SinnoAlexander

Abstract: Over the past several years the volume of alerts coming into the SOC has been untenable especially considering the deficit in Cyber Security personnel globally and the required effort to train an analyst. Creating and structuring an operating model based on SOAR with multiple layers of abstraction including, enrichment, incident management, analysis, notification and remediation will not only drastically reduce the workload of your L1 efforts in your SOC, it will also help your team focus on the important events. Many of the misconceptions of a strong SOC is to focus purely on detections and threat hunting capabilities from the start, however, it’s more important to first have an operational framework in which you able to capture the threat actor expeditiously and react to the attack with aggression by cutting them off in the kill-chain. In this talk we will explain how to build your Incident Life-Cycle. This is an important aspect of the operating model, in your SOC to leverage the power of automation in order to react quickly and decisively in the event of a real breach. There are multiple facets of this presentation that will help SOC professionals achieve a high level of maturity, through SOAR development methodologies, tying your automations into your operation and achieving extremely fast reaction times in your SOC. This talk will present real-hands on experience from the past several years of building SOCs and the lessons learned of what to do vs what not to do. It will cover choosing your platform, operating and maintaining it and implementing your designed incident life-cycle including a live demo of our current automated workflows.

Bio: Alexander Sinno is an expert in Cyber Security operations. He has experience in building SOCs around the world and started his security career in the US Military. All of the operations he has built has been on SOAR with a focus on the overall Incident Life-Cycle framework for controlling the flow of an event from ingestion to remediation.

BsidesAth Speaker

Talk #6

Baby, Don't Forget My Number - OSINT using your phone's address book

by Leonidas Tsaousis, @laripping

Abstract: You reach for your phone and see a missed call from a mysterious number. Another «brand new banking plan tailored just for you»? Probably. But, what if it's your boss? Should you call back? You need more info... What's your next move? You might want to save the number... In this talk we will go over that good old OSINT trick to enrich a given phone number. We'll discuss OPSEC in the age of GDPR and the challenges of creating «sockpuppets» while looking into why this simple technique deserves a place in your investigation pipeline.

Bio: Leonidas Tsaousis is a security professional with a diverse career in infosec, having lived and worked in three countries in the past six years. From Greece, to Cyprus and the UK, in offensive security roles including vulnerability research, all-around consulting, and lately internal red teaming in a military context, he has acquired industry certifications and decent conference mileage along the way. His passion lies in technical research, with a focus on mobile security and reverse engineering, which has resulted in the discovery of several vulnerabilities against companies like Cisco, Xiaomi and Wind Hellas. Always responsibly disclosed and issued CVE IDs, his findings have been presented at global events like ROOTCON or regional Security BSides.

BsidesAth Speaker

Talk #7

Stay Safe and Trust Noone!

by Konstantina Koukou, @Twitter

Abstract: What are we talking when talking for zero trust security ? Talk is aiming to explain the basic pillars of zero trust architecture, analyze why each of them is important to stay safe and walk through some practical implementation steps

Bio: Computer Engineer with specialization in Telecommunication and Information Technology with 11 years of experience . For the last 5 years my focus is solely in Cyber security and how to keep the world safe!

BsidesAth Speaker

Talk #8

API Security Testing Automation: A story of shifting left

by Ignatios, @Twelvesec

Abstract: This talk is about an SDLC engagement we have and the challenge we face shifting the API security testing earlier in the SDLC process. We tried to keep this as short as we can.

Bio: My name is Ignatios and i work as an application security engineer at TwelveSec for almost 7 months. You can find more about us at https://twelvesec.com/ I was a software engineer for 4 years. I am a CSSLP and AWS-CPP credential holder.

BsidesAth Speaker

Talk #9

Vulnerable No More: Protect 3v3ryth1ng incl.

by Argy Makrygeorgou, @Twitter

Abstract: Lightning Talk ahead: Dedicated to every Infrastructure along the End User, but also the Human being behind every Cyber Security professional; I eager to address the top issue of the Vulnerability Management Lifecycle (CVE-based continuous monitoring and identification, Retrospective Alerting, Compensation vs Remediation, ASVS levels, etc.), including the vulnerability that every (untrained?) end user constitutes, and ending up with a Work-Life Balance, or, better, Life-Work Balance, «how-to» for all us professionals.

Bio: ICT/IS Professional with extensive experience in Operations, Solution Architecture, Managed Services and Information Security. He is juggling strictly Cyber since 2013, undertaking senior roles in Dublin, Ireland & Athens, Greece and contemplating projects around the globe. Favorite work moto would be “Don’t look back - you’re not going that way”. He joined Algosystems on Q4 2018, as the Head of Managed Cyber Security Services, leading the new Security Operations Center, orchestrating in parallel the Security Integration part. He holds a BSc in Computer Science & an MSc in Information Security both from Athens University of Economics & Business, along with numerous-industry leading certifications such as CISSP, DPO and more. He is also the Membership Chair of the Hellenic Chapter of ISC2 and very often offers Security consulting/awareness when needed.

BsidesAth Speaker

Talk #10

Future of Application Security

by Tapendra Dev, @TapendraDev

Abstract: Pandemic has undoubtedly triggered digital transformations nearly to a different level without leaving most organizations across the globe transitioning to an entirely cloud-based ecosystem with more emphasis on 'work from home' culture with a critical focus on the web application to manage the remote workforce. As enterprises continue to experience unprecedented security challenges emerging every passing day, leaving applications as the first point of contact for both users and attackers. So an organization will perhaps cease to exist if the business decision fails to concentrate on the fundamental logic. The application threat landscape will only get more rational and complex in and beyond 2021, so bringing Application Security into the boardroom will be capable of ensuring clarity and reaching momentum in getting the program up and running.

Bio: Tapendra Dev is a multi-skilled Cyber Security & DevSecOps Engg. with 7+ years of prolific experience across cross-functional areas of cybersecurity. He is badged as an OSCP certified professional, collaborative & inclusive team leader working on services from back-end to front-end. He has a constructive background in working with global companies and reputed start-ups. He has also been spearheading the Product Development of the company for the past five years.

BsidesAth Speaker

Talk #11

Phishing With Phineas (Again) Hack Recreation On Steroids

by George Karantzas and
Prof. C. Patsakis
, @GeKarantzas - kpatsak

Abstract: A few years ago, a vigilante hacker under the name “Phineas Phisher” conducted a series of high-profile attacks, including hacking into a company that, among others, was developing and selling spyware to government agencies named “Hacking Team”. This was not a result of a random attack but a wellplanned and targeted one. To achieve his goals, the hacker developed a 0-day for the SonicWall VPN appliance. After this attack, the attacker scanned the internet for such devices and found out that an offshore bank in the Cayman Islands was using the same vulnerable version. Beyond this exploit, he reported through his write-ups that he used common hacker utilities like Meterpreter and Empire and that he was not some kind of APT with custom malware writers nor received significant funding and support, but he claims to be a humble ‘one-man army’. The final goal of the bank hack was to access Bottomline’s SWIFT management panel and initiate transactions targeting his own accounts. Then, he uploaded the VMs used by the bank along with all the sensitive clients’ information that was stored in these systems. The scenario is rather intriguing as, despite the impact and sensitivity of the information, it provides a deep insight into an environment in which few people operate. Moreover, such environments are not well publicly documented, and their digital twins are hard to find. We argue that emulating such an attack scenario and adapting it to current tools and methods, offensive and defensive wise, can provide a good baseline to understand the capabilities of both sides and stress the changes that have undergone these years. To this end, in our scenario, we have tried to follow the evolution in defensive and offensive security by rebuilding such an environment, equipping it with modern defence mechanisms. Since most organizations are now integrating endpoint detection and response (EDR) systems to their endpoints to behaviorally detect and throttle cyber-attacks, we have equipped our endpoints accordingly. However, as shown in our previous research, EDRs are no silver bullets and have their weak points as well. In fact, Advanced Persistent Threat (APT) groups have significantly advanced their capabilities. Therefore, having access to several such defensive technologies, they study them and customize their malware accordingly to target them and minimize their detection. Moreover, APTs and ransomware groups are using several C2 frameworks, with the most widely used being Cobalt Strike; however, there are different options that may provide different capabilities and serve fit better in the cyber kill chain. Based on the above, this work can be considered a purple teaming scenario in the financial sector. Practically, we present the blue versus red team fight detailing, where possible, detection and bypass methods, their rationale and gaps, where applicable, mainly through the use of C2 servers. Therefore, we present in each step the attacker’s and defender’s perspectives of the same scenario. This means that we report by what means an EDR would report and/or block and how the attacker would try to prevent this.

Bio: George Karantzas Security researcher born in 2001.Since childhood, I always wanted to avoid being a skid but rather enjoy the deepest knowledge and experiences (and BSODs) this science can offer.TLDR; I kick computers until they work. Currently employed as an Antivirus Researcher and my previous publications and talks include threat emulation , defense engineering and evasion , forensics, malware, red teaming and infrastructure hacking and more. Prof. C. Patsakis https://www.cs.unipi.gr/kpatsak/

BsidesAth Speaker

WorkShop 1

From SEH Overwrite with Egg Hunter to GEt a Shell!

by Rodolpho Concurde (ROd0X), @Twitter

Abstract: In this talk we gonna learn what is SEH (Structured Exception Handler), what your function in the system, as well as your famous message «program has encountered a problem and needs to close«, and how and why sometimes in exploit development is necessary in memory stack, overwrite the SEH. We also gonna learn what is the function for exploitation technique called Egg Hunter, and when is necessary to make use of this technique. For end, we gonna learn create from zero an exploit, to exploit a Buffer Overflow vulnerability utilizing the technique SEH Overwrite with use of Egg Hunter, and we will looking for badchars to avoid errors in our shellcode, all this to get a reverse shell. Video PoC is included :) of course!

Bio: Brazilian, certified C|EH, having begun his studies about Information Security 13 years ago, and passed 11 years has realized projects of Application/Infrastructure Penetration Test, Security Analysis, Code Review and Hardening for industries such as: Telecommunications, Aviation, Financial Institutions, Information Technology and Mining. In his free time like of research and practice news techniques of Attack and something of Reverse Engineering. Speaker at many conferences as: Hack In The Box, Ekoparty, Arab Security Conference, Red Team Village, Stackconf, MorterueloCON, BSides Calgary, BSides Newcastle, BSides Athens, etc... Author: From SEH Overwrite to get a shell – Pentest Magazine Covert Channel Technique Explained - Pentest Magazine From Fuzzing to Get a Shell – Pentest Magazine Stack Overflow - Hakin9 Magazine