Topic Forums
Blue Team Forum

Engage in meaningful dialogues with experts and explore how Blue Team stands on the front line of enterprise cybersecurity defense. Gain insights into how they keep pace with the latest threats and trends, defend against attacks and intrusions, analyze intelligence, and respond to cybersecurity incidents. 

TIME & LOCATION
5/10 (Wed.) 14:00 - 17:00 | 701 H Meeting Room
5/11 (Thur.) 09:30 - 17:00 | 701 C Meeting Room
SPONSORED BY
L.K.C. Lab
Zero One Technology Co., Ltd.
AGENDA
14:00 - 14:30

This session discusses the latest attacks conducted by the big four nation state adversaries from China, Russia, North Korea, and Iran, with a strong focus on China-based actors, diving deep into the background of these adversaries, their motivations, and the latest tradecraft they leverage during their daily offensive cyber operations. The speaker will identify state actors, the agencies on whose behalf they work, and their shared tactics, techniques, and procedures.

The presentation will then focus on the history of eCrime, the latest attack trends being used by adversaries intent on financial gain, with a strong spotlight on connecting and highlighting the broad, highly interconnected, and interdependent eCrime ecosystem. Long gone are the days when single actors conduct all phases of an attack; modern eCrime leverages elaborate capabilities from enterprising criminals selling their specialized wares.

Lastly, the presentation will demonstrate a distinct association, and blurring of the lines between nation state and eCrime adversaries. In many cases it is not easy to discern the difference between the state actor and a sophisticated criminal, in particular because of intent, but increasingly because of extremely specialized tradecraft. Motivation is gradually more difficult to discern due to this line blurring. The speaker will demonstrate this hypothesis through various anecdotes, trends, and extensive research into the topic.

Scott Jarkoff CrowdStrike Director, Strategic Threat Advisory Group, APJ & EMEA
14:45 - 15:15

This speech will introduce Active Directory architecture and present attackers' current novel attacks on Active Directory delegation trust relationships, starting from Kerberoast (MITRE ATT&CK™ sub-technique T1558.003) and AS-REP Roast and moving on to domain server Kerberos delegation relationship attacks: 1. Unconstrained delegation (KUD), 2. Constrained delegation (KCD), 3. Resource-based constrained delegation (RBCD). Attackers can use Kerberos delegation for lateral movement and privilege escalation.

The attacker successfully connected the dots from a single host along the attack path and then pwned the domain to break through the current zero-trust architecture and evade detection by the BLUE TEAM via Golden Tickets.

At the same time, the speaker will share the hacker toolkit (such as Impacket). Through red team drills implemented in recent years, the audience will understand how attackers break through layers of checkpoints and pwn domain administrators. This serves as a reminder that domain administrators must check the trust relationships attackers use to invade.

Hans CHT Security Deputy Manager
Red Team Hackers & Threats MITRE ATT&CK
15:45 - 16:15

Attack Surface Management (ASM) has a decisive role in an organization's external exposure to threats, and therefore, I will focus on the core concepts of ASM and how it differs from traditional means such as Asset Management and CMDB. Through real-world examples, attendees will understand how ASM can help enterprises unveil undiscovered dark corners (Assets) and expose potential problems such as Misconfigurations that people are unaware of.

In fact, ASM has difficulties just like other tools with similar functions, such as whether intranet devices can be evaluated at all, and the granularity of threat detection patterns in terms of both depth and breadth. Thankfully, we can still supplement the context-enriched content with other sources to achieve a complementary effect. During the session, I will demonstrate how the usefulness and evaluation results of ASM can be greatly enhanced by introducing other trustworthy sources.

In the end, I will conclude by showing how companies can enact a series of subsequent security hygiene processes through the introduction of ASM, and eventually achieve a comprehensive understanding of themselves.

Boik Su CyCraft Cyber Security Researcher
Attack Surface Zero Trust Architecture Cyber Exposure
16:30 - 17:00

Hacking attacks on businesses are inevitable because hackers are constantly searching for weaknesses to exploit. However, many businesses still have inadequate response times and measures for handling such attacks, making it difficult to effectively manage these incidents. TrendMicro has been assisting customers with incident response for many years. In our experience, when an enterprise is hacked, the ability to respond quickly is crucial in controlling damage and achieving post-incident recovery. In this regard, two key indicators need to be evaluated: the time required to detect intrusions and the time required to complete investigations. My talk will explore why these two indicators may also fail to produce concrete results.

Dylan Wu TrendMicro Technical Consultant
Incident Response
09:30 - 10:00

Taiwan is no stranger to nation-state attacks, with numerous high-profile cases making headlines in recent years. In this presentation, we will delve into the tactics and techniques used by nation-state Activity Groups targeting Taiwan, with a focus on the lessons learned from similar attacks in Ukraine. We will examine how attackers leverage legitimate software to gain additional privileges, utilize LOLBin techniques to escalate their access, and maintain a persistent presence in target systems. Additionally, we will discuss the importance of organizations being proactive in their cybersecurity efforts and implementing appropriate defenses to prevent such abuse. Through this presentation, attendees will gain valuable insights into the tactics and techniques used by nation state actors and how to protect their organizations from these threats. By understanding the similarities, victimology and differences between attacks in Ukraine and Taiwan, attendees will be better equipped to recognize and respond to potential threats in their own environments.

Learning objectives:

  • Understand the tactics and techniques used by APTs targeting Taiwan
  • Learn how to identify and prevent the abuse of legitimate software by attackers
  • Learn about LOLBin techniques and how to defend against them
  • Understand the importance of being proactive in cybersecurity efforts and implementing appropriate defenses to prevent nation state attacks
Helton Wernik Microsoft Threat Intelligence Center-Threat Intelligence Analyst
Threat Intelligence OT Security
10:15 - 10:45

This speech aims to explore how to effectively manage a cybersecurity team and improve the efficiency of cybersecurity personnel. Through attack simulations, we will divide cybersecurity operations into three aspects: construction, team, and investment, to comprehensively improve the efficiency and effectiveness of the cybersecurity team. Starting from the pre, during, and post stages of incidents, we will explore how to improve the procurement evaluation and decision-making efficiency of cybersecurity managers at the investment level, and improve the resilience measurement and product verification efficiency of cybersecurity construction. At the same time, we will examine in detail how to enhance the on-site response capabilities and cybersecurity exercise efficiency of the cybersecurity team to better respond to various cybersecurity events and risks. Finally, we will study how to combine the overall capabilities of the cybersecurity team with the strategic goals of the enterprise to achieve long-term development and success. These strategies will help to improve the overall capabilities and effectiveness of the cybersecurity team and ensure the security of the enterprise.

Jason Shen Leukocyte-Lab Co., Ltd. CEO
Purple Team Breach and Attack Simulation
11:00 - 11:30
Ricky Biase CrowdStrike Falcon Complete Lead, APJ
Managed Detection & Response Endpoint Security Blue Team
11:45 - 12:15

From our study, there is a gap between the offensive and defensive sides which makes Active Directory an easy target for attackers. To begin with, defenders are not sufficiently informed about Active Directory attacks. With insufficient information about Active Directory attacks, defenders lack the visibility into potential threats in the environment needed to implement defenses such as alerts that uncover an intrusion. Secondly, there are further challenges in securing Active Directory even if defenders have visibility into the threats. With large numbers of assets and corresponding attack vectors, it is challenging for defenders to prioritize which threats to address. Without prioritization, it is impossible to efficiently reduce risk in the shortest time possible. Thus, after investing resources to address security issues, the outcome cannot be known with high confidence without a comprehensive risk assessment.

To solve these challenges for defenders, we started by inventorying all the attack vectors for Active Directory to provide the visibility of potential threats. Also, we proposed a risk model to practically calculate the risk of attack vectors for prioritization. Thus, based on the risks for attack vectors, we can quantify the attack paths for overall evaluation. After a deep dive into our risk model, we will present how the attack vectors and the attack paths can be applied to the model for risk quantification with a strategy to reduce the overall risk in an effective and comprehensive way.

Mars Cheng TXOne Networks Threat Research Manager Executive Director of Association of Hackers in Taiwan
Dexter Chen TXOne Networks Threat Researcher
Active Directory Security Risk Assessment Cyber Risk Quantification
14:00 - 14:30

Content delivery networks (CDNs) have become an essential part of the modern internet, offering fast and reliable access to content for users around the world. However, while CDNs offer many benefits, they also introduce new security risks that many people may not be aware of. In this session, we'll explore the hidden dangers of CDNs and why they may not be as secure as you think. We'll delve into the various vulnerabilities that CDNs can expose, and discuss how you can protect yourself and your business from these threats. By the end of this session, you'll have a better understanding of the potential risks associated with CDNs and how to mitigate them.

Li-Heng Yu Cymetrics Security Engineer
Attack Surface Application Security Network Security
14:45 - 15:15

Zero Trust is a new trend in enterprise network security architectures. Many enterprises are moving towards Zero Trust Architecture (ZTA). As AD and Azure AD are widely adopted as identity management solutions by enterprises today, AD and Azure AD can be expected to be core components of the policy decision and policy engines in zero trust architecture implementations. In ZTA, do these AD and Azure AD related techniques lead to security issues? ZTA can effectively limit the movements of attackers; however, some attacks are hard to mitigate. For example, if an attacker controls a service account that does not support MFA, it is difficult to deal with such issues under ZTA. Active Directory Certificate Services (AD CS) is often used as a high-security MFA option in Azure AD environments. Related attack techniques have been uncovered that allow attackers to escalate to high domain privileges, impacting the security of ZTA.

In this session, we will discuss potential risks under the ZTA from an administrator's point of view and provide recommendations for enterprises to strengthen their own enterprise security. Technical staff who are concerned about ZTA cannot miss this session.

Gary Sun CyCraft Technology Cyber Security Engineer
Jimmy Su CyCraft Technology Cyber Security Researcher
Zero Trust Architecture Enterprise Security PKI
15:45 - 16:15

In 2021, OMB published Memorandum M-21-31 developed pursuant to EO 14028. The memorandum establishes a maturity model for event log management, providing executive agency implementation requirements and details.

From the end of 2020, the U.S. public sector suffered two serious cyber security shocks: SolarWinds was hacked in December 2020, and in March 2021 Microsoft Exchange Server was exposed to four zero-day vulnerabilities. The U.S. government investigated these two major, large-scale information security incidents. However, investigators reported that the log retention policy in federal government agencies slowed down incident investigations. The lack of log retention not only hindered the collection of event evidence, but also made it impossible for agencies to establish a baseline and detect abnormal behavior that deviates from it. "Log retention of information systems in federal agencies is critical to the detection, investigation, and remediation of cyber threats," said the OMB director. Incident management is divided into detection, response, mitigation, notification, recovery, restoration and experiential learning. Network traffic records allow incident response teams to trace the hacker's tracks, making incident response more complete when eradicating threats, without missing any host that may have a backdoor embedded. What enterprises definitely need to strengthen is the resilience of their information security after a cyber security incident.

Sena, Chia-Min, Lai PacketX Technology Inc. Senior Product Manager
Network Detection & Response Threat Analysis & Protection Law
16:30 - 17:00

In this session, I will first explain the differences between penetration testing and vulnerability scanning, and then introduce how to use the built-in developer tools in browsers to observe web application behaviors and perform manual testing. Meanwhile, I will share common vulnerabilities and testing techniques through real-world cases and vulnerable apps. I hope that the audience can get started on web application penetration testing in their daily work without professional tools after this session.

Cheng-Yu Yu IBM Advisory Software Engineer
Application Security Testing Penetration Testing Web Security
L.K.C. Lab

L.K.C. Lab is an MIT leading BAS vendor, the only one that has had the honor of being visited by the president and the vice president. We are also the only cybersecurity company featured in the military magazine. We have won the championship of cybersecurity competitions several times and discovered more than 10 zero-day vulnerabilities.

With our independently developed BAS product, ArgusHack, and our professional cybersecurity coaching team, H1DRA Security, we are dedicated to enhancing your immunity when facing severe risks under hackers' attacks.
