This month, members of NCC Group will be presenting their work at the following conferences:
- Dirk-Jan Mollema, “Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities,” to be presented at Black Hat Asia 2020 (Virtual – October 1 2020)
- Sanne Maasakkers, “Improve Security Awareness Campaigns by Applying Phishing Research,” to be presented at Grace Hopper Celebration of Women in Computing (Virtual – October 1 2020)
- Rob Wood, “Building Secure Devices in Untrusted Factories,” to be presented at Alberta IoT (Virtual – October 2 2020)
- Damon Small, “Keep your home office and your job hunt secure,” to be presented at ShellCon (Virtual – October 10 2020)
- Damon Small, “Cybersecurity Workshop: Protecting Assets in the Home Office and the Field,” to be presented at Oilcomm (Virtual – October 13 2020)
- Xavier Garceau-Aranda, “Offensive Cloud Security Training (Part 1),” to be presented at OWASP Global AppSec (Virtual – October 19-22 2020)
- Eric Evenchick, “An Introduction to Automotive Security in 2020,” to be presented at SecTor (Virtual – October 22 2020)
- Damon Small, “What Infosec in Oil & Gas can teach us about Infosec in Healthcare,” to be presented at Hou.Sec.Con (Virtual – October 23 2020)
- Sourya Biswas, “Psychology of the Phish: Leveraging the Seven Principles of Influence,” to be presented at Triangle InfoSecCon (Virtual – October 30 2020)
- Joe Meyer, “CCPA & the New United States Privacy Laws,” to be presented at Triangle InfoSecCon (Virtual – October 30 2020)
You can preview each of the talk abstracts below. We hope you will join us!
Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities
Black Hat Asia 2020 (Virtual)
September 29-October 1 2020
In larger enterprise environments multiple Active Directory forests are often in use to separate different environments or parts of the business. To enable integration between the different environments, forests trusts are set up. The goal of this trust is to allow users from the other forest to authenticate while maintaining the security boundary that an Active Directory forest offers. In 2018, this boundary was broken through default delegation settings and Windows features with unintended consequences. In 2019 the security boundary was once again established through a set of changes in Active Directory. This research introduces a vulnerability in Kerberos and forest trusts that allows attackers to break the trust once again. The talk will provide technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced. Then the talk will discuss a flaw in how AD forest trusts operate and how this can be combined with a vulnerability in the Windows implementation of Kerberos to take over systems in a different forest (from a compromised trusted forest). The talk will be accompanied by a proof-of-concept and a demonstration of abusing the vulnerability.
Improve Security Awareness Campaigns by Applying Phishing Research
Grace Hopper Celebration of Women in Computing 2020 (Virtual)
October 1 2020
The number of phishing attacks is steadily increasing as a popular attack vector toward potential victims. During this talk 3 researches Fox-IT performed about how people are being influenced with phishing emails will be presented. What sociotechnical techniques do attackers (and ethical hackers) use to trick the human mind? And how can we use this knowledge to improve security awareness programs?
Building Secure Devices in Untrusted Factories
Alberta IoT (Virtual)
October 2 2020
Today the production of hardware devices involves multiple suppliers at various stages of the production and support life-cycle. With very few exceptions, no electronics manufacturer actually designs and manufactures every single component of a device in their own factory. These hardware and manufacturing supply chains introduce considerable risk that threat actors could gain an opportunity to defraud, steal, counterfeit, or otherwise undermine the security of the produced electronic devices.
Keep Your Home Office and Your Job Hunt Secure
ShellCon – Los Angeles, CA, USA (Virtual)
October 9-10 2020
Many of us are working from home these days. It is possible that we will continue working from home – at least part time – even after the pandemic becomes a thing of the past. This begs the question of how we, as employees, and our organizations, are protecting our information assets in the COVID-19 world. Are those assets just as protected in the home office as they are when in an office building? The speaker will explore this question from the perspective of an information security professional that has worked from home full time for 5 years – well before COVID-19. The goal is to provide simple tips to remain secure while at home, and also tips related to keeping productivity high without going stir-crazy.
Cybersecurity Workshop: Protecting Assets in the Home Office and the Field
October 13 2020
The COVID-19 pandemic was unprecedented. It created an environment where nearly all of our workforce transitioned to a work-from-home environment. This also created new vulnerabilities for our enterprise networks. What lessons did we learn from this world-changing event? How did COVID-19 change the way we approach network security? How do we handle managing networks that include integrated work and consumer devices in an environment we can’t monitor? Which videoconferencing platforms served the industry well during this period? Learn new approaches to manage your network security strategy that accounts for a large, remote workforce that extends to the remote oil field.
Offensive Cloud Security Training (Part 1)
OWASP Global AppSec (Virtual)
October 19-22 2020
While security awareness and collective experience regarding the Cloud has been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focuses on applied exercises.
Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for abuse. Throughout the training, we will also cover detection and mitigation of the attacks covered in the course.
The training is structured as a sequence of scenarios, which mix theory and practical exercises. The theory is imparted gradually, and attendees are be given time to think for themselves and work through the exercises.
Below is a summary of the training’s modules:
- The [Multi-]Cloud
- Overview of AWS, Azure & GCP
- Differences, similarities and important characteristics of Cloud Providers
- Security in the Cloud
- Enumerating cloud-hosted resources
- Identity and Access Management (IAM), Metadata Services and Credentials
- Typical application vulnerabilities and how they translate to the Cloud
- Cloud hacker’s arsenal
- Scenarios (non-exhaustive)
- Leveraging CI/CD systems to gain a foothold into Cloud environments
- Attendees will gain a foothold into a CI/CD deployment, and leverage this initial compromise to access additional environments.
- Lateral Movement & Privilege Escalation in AWS
- A number of scenarios will have attendees move laterally to gain access to additional sensitive resources, not accessible through the initial compromise.
- Azure Applications – Implementation and Weaknesses
- This scenario will introduce attendees to Azure’s implementation of programmatic identities, and highlight how design choices present an opportunity for abuse.
- Abusing Containers & Clusters
- We will review typical topologies of cloud-hosted cluster environments, as well as how attackers can target them.
- Hybrid Networks & Moving from the Management to the Resources Plane
- Many organizations maintain hybrid cloud environments, which contain a mix of on-premises, private cloud and third party, public cloud services. Throughout the training, attendees will pivot between these environments
- [Azure] Active Directory Synchronization Mechanisms and Pitfalls
- Corporate environments that contain Cloud components will oftentimes synchronize Active Directory with Azure Active Directory (AAD). The training will cover a number of implementations and compromise vectors for AD/AAD.
- A Blue Team Perspective
- Throughout the course, attendees will focus on exploiting cloud-hosted resources. This module will cover detection and remediation of the attack chains.
- Leveraging CI/CD systems to gain a foothold into Cloud environments
- Tying it all together
- The training will end with a CTF-type exercise, which will have attendees leverage the skills acquired throughout the course to compromise a realistic Cloud environment.
The scenarios are based on NCC Group’s research, incident response experience and on the knowledge acquired through countless cloud assessments carried out every year.
An Introduction to Automotive Security in 2020
SecTor – Toronto, Canada (Virtual)
October 22 2020
As cars continue to become more connected and autonomous, the security of these systems grows in importance. We’re now a decade away from the first public research on automotive security, and since then the challenges of securing these vehicles has increased due to new features. connectivity, and automation.
In this talk, we’ll provide an introduction to automotive security for those who are curious but have limited exposure to the field. We will cover how vehicle networks work, vehicle attack surfaces, and common vulnerabilities in vehicle systems. Next, we will discuss how the landscape of vehicle electronics is changing, and what is coming in future vehicles. We’ll finish off with some practical advice for getting your feet wet with hacking cars.
What Infosec in Oil & Gas can teach us about Infosec in Healthcare
Hou.Sec.Con – Houston, TX, USA (Virtual)
October 23 2020
One advantage of working for a consultancy is the constant exposure to a variety of organizations in a variety of industries. This has given the speaker, Damon J. Small, an appreciation for the importance of not only understanding the challenges faced by clients in protecting their information assets, but also understanding those challenges in the context of the business in which they exist. It is never enough to simply tell a client, “I hacked all your things, now go fix it.” Rather, the successful consultant must also help the client understand the ramifications of each finding and how to prioritize mitigation efforts given that neither time nor money are infinite.
To illustrate these points, the speaker will present several information security-related problems that have been successfully taken on by oil and gas clients. The speaker has learned that these problems are very similar to specific challenges faced by healthcare organizations, despite the fact that those industries are very unique to one another. The healthcare industry faces fiscal hurdles that energy companies generally do not, which makes it difficult for them to adapt as quickly. The speaker hopes that his analysis will help the audience learn from the experiences of other organizations in a way that will allow them to strategically align information security goals with current cyber threats more efficiently.
Psychology of the Phish: Leveraging the Seven Principles of Influence
Triangle InfoSecCon (Virtual)
October 30 2020
According to the X-Force Threat Intelligence Index 2020, produced by IBM X-Force Incident Response and Intelligence Services, phishing is still the number one attack vector in use today. Security professionals often overlook the “social” aspect of “social engineering”, focusing on tool deployment instead. The success of phishing is predicated on exploiting normal human behavior for nefarious purposes. This session looks at phishing through this psychological lens, specifically on how the Seven Principles of Influence as expounded by Robert Cialdini are leveraged by attackers.
Session includes the following:
- Why phishing is popular
- Seven principles of influence
- How phishers exploit psychology
- Security controls against phishing
- Tales from the trenches – real-life phishing anecdotes from my experience
CCPA & the New United States Privacy Laws
Triangle InfoSeCon (Virtual)
October 30 2020
This session is to help navigate which States “laws” are actually passed, which ones are still in limbo, and what are the common criteria for compliance between them all. Sifting through the Buffet options to find something healthy and appropriate is what we’re looking to walk away with from this session.
[Editor’s note: Updated October 1 2020 to include talks by Sourya Biswas and Joe Meyer and October 2 2020 to include a talk by Rob Wood.]