Research and Development

Portcullis Labs


Portcullis Labs is the R&D arm of Cisco’s Security Advisory team in EMEAR.

We built this web site to share some of our knowledge. You’ll find several tools, papers and presentations mostly by security geeks, but all for security geeks.

For more information about Cisco’s Services, please visit our corporate web site to get more information.

Recent Content


  • Security Engineering – A manifesto for defensive security (6/28/2019) -
    Presentation on the need to re-examine how we engineer systems (taking service providers as an example) and the implications on how we quantify cyber risk if we want to take this message into the board room (as given at BT’s SnoopCon 2019 and Cisco’s June 2019 Knowledge Network webinar for service providers). Having delivered security […]
  • So you want to build a SOC: Lessons from the front line (6/20/2019) -
    Presentation on building an effective operational security capability (as given at Cisco Live US/Talos Threat Research Summit 2019). This talk will not help you build a SOC in only 60 minutes, but it will help you build a functional security operation over time. Building a SOC can be daunting. This talk will look at how […]
  • Is that really you? The importance of identity in breach response and recovery (6/18/2019) -
    Presentation on Zero Trust and the importance of identity in breach response and recovery (as given at InfoSec Europe 2019 on the tech talk track). Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services looks at Cisco’s approach to zero trust. This talk discusses the need to monitoring your users’ access and privileges and how […]
  • Discover the secrets of the SOC (6/18/2019) -
    Presentation on building effective SOCs (as given at InfoSec Europe 2019 on the interactive workshop track). Simon Crocker, Cisco’s EMEAR lead for SOC Advisory looks at what goes into making a SOC work effectively. This talk discusses the core SOC requirements around monitoring and incident response function, but also touches on some of the other […]
  • Use Infrastructure as Code they said. Easier to audit they said… (part 1) (1/26/2019) -
    Whilst there are some great examples of how to assess infrastructure as code dynamically with things like the Center for Internet Security‘s Docker benchmark and CoreOS‘s Clair, these kinda run a little too late in the pipeline for my liking. If we want to treat infrastructure as code then surely we ought to be performing […]
  • Reverse port forwarding SOCKS proxy via HTTP proxy (part 1) (1/25/2019) -
    In the context of a Red Team assessment, in this post I’ll look at some options for using SOCKS to gain external access to an internal network. I’ll cover the obvious methods and why I’m overlooking them, a crude method using standard tools (this post) and a more refined approach using modified tools (in part 2). […]
  • An offensive introduction to Active Directory on UNIX (12/6/2018) -
    By way of an introduction to our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests. Background to Active Directory integration […]
  • Where 2 worlds collide: Bringing Mimikatz et al to UNIX (12/6/2018) -
    Presentation on Active Directory integration solutions for UNIX (as given at Black Hat Europe 2018). Over the past fifteen years there’s been an uptick in “interesting” UNIX infrastructures being integrated into customers’ existing AD forests. Whilst the threat models enabled by this should be quite familiar to anyone securing a heterogeneous Windows network, they may […]
  • The importance of logs: You won’t see what you don’t log (10/31/2018) -
    Presentation on logging and auditing strategies (as given at Secure South West 11). Building on my blog post on Cisco’s security blog entitled The Importance of Logs, I put together a presentation that picks apart some of the practical aspects of building a successful logging capability focusing on the need to document “good” and curate […]
  • SetUID program exploitation: Crafting shared object files without a compiler (10/31/2018) -
    In this post we look at an alternative to compiling shared object files when exploiting vulnerable setUID programs on Linux. At a high level we’re just going to copy the binary and insert some shellcode. First we take a look the circumstances that might lead you to use this option. Also check out this previous post […]
  • Playback: A TLS 1.3 story (8/13/2018) -
    Presentation on 0-RTT in TLS 1.3 (as given at DEF CON 26 and Black Hat 2018). TLS 1.3 is the new secure communication protocol that should be already with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption) that could potentially allow replay attacks. This is a known issue acknowledged by […]
  • Playback: A TLS 1.3 story (8/8/2018) -
    Secure communications are one of the most important topics in information security and the Transport Layer Security (TLS) protocol is currently the most used protocol to provide secure communications on Internet. For example, when you are connecting to your online banking application, your favorite instant message application or social networks, all those communications are being […]
  • Grabbing firmware from my cheap STM32-based magstripe reader (using ST-Link v2) (7/20/2018) -
    In my previous post, I worked around the fact that the card reader could only read credit cards – when I wanted to read other types of magstripes. I’d thought at the time that it would theoretically be possible to replace the firmware. In this post I don’t get as far as writing new firmware, […]
  • Reading hotel key cards with a credit card magstripe reader (7/4/2018) -
    In this post I describe how my cheap magstripe reader wouldn’t read all magstripes, only credit/debit cards. This did nothing to help me understand what data was on my hotel key card – which is what I really wanted to know. Rather than take the obvious next step or buying a better reader, I opted […]
  • Exploiting inherited file handles in setUID programs (6/28/2018) -
    In this post we look at at one of many security problems that pentesters and security auditors find in setUID programs. It’s fairly common for child processes to inherit any open file handles in the parent process (though there are ways to avoid this). In certain cases this can present a security flaw. This is […]

Twitter Feed