Having delivered security consultancy as part of Portcullis/Cisco for over 15 years, I’ve seen a variety of shades of broken. Since I recently spent some time on secondment to one of our customers to help them design, build and operationalise security as part of their digital transformation programme, I got to thinking: what would I do if I wanted to get projects delivered right? With apologies to grsec, Jericho Forum, BeyondCorp and Trusted Computing, what followed was part philosophy, part technical brain dump, the result being my take on security engineering and how to build defensible systems. This talk includes the following hits:

• Helping the blue team – a case study in 3 parts…
• Blue doesn’t have the man power to adopt gift wrapped improvements let alone offensive research thrown over the wall
• Static passwords – why the hell are we still using them?
• Vulnerability management – didn’t we say blacklists were bad?
• Forget about penetration testing – what are your controls?
• Is there another way to report – why don’t businesses listen to us?
• Monetising MITRE – can we make money out of CVEs?

SEAMFDS.pdf
June 28, 2019

311.8 KiB
MD5 hash: 185701fbc113ca2a676e802b61df53e2
Details

Date:

June 28, 2019

The post Security Engineering – A manifesto for defensive security appeared first on Portcullis Labs.

This talk will not help you build a SOC in only 60 minutes, but it will help you build a functional security operation over time.

Building a SOC can be daunting. This talk will look at how to pick your fights and the key battles (authentication, logging, etc.) that any operational security team needs to win. The session will discuss how to ensure you formalize existing good practices and just as importantly what gaps may exist in the team’s processes. The session will look at the next steps that any organization intending to set off down this road ought to consider.

TTRS19SYWTBASLFTFL.pdf
June 20, 2019

1.6 MiB
MD5 hash: 9fd544a63fcac10688d82d4cec24df44
Details

Date:

June 20, 2019

The post So you want to build a SOC: Lessons from the front line appeared first on Portcullis Labs.

Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services looks at Cisco’s approach to zero trust.

This talk discusses the need to monitoring your users’ access and privileges and how securing them as they interact with the Internet is core to a Zero Trust approach to cybersecurity. Richard doesn’t just stop there though but rather moves on to look at what happens if you’re facing a deliberate attempt to steal your users’ identities in order to take advantage of these privileges? In this talk, you’ll learn how to manage identity effectively, as well as the importance of software defined networks in the drive to zero trust and rapid threat containment.

Learning outcomes:

1. Learn how to manage identity and access management effectively
2. The importance of software defined networks in enabling rapid threat containment
3. The first steps an organisation should take to start on the Zero Trust journey
4. Aligning corporate and personal security practices to get better adoption from staff, identify and password management
5. The importance of Software defined networks in the drive to Zero Trust

I2019ITRYTIOIIBRR.pdf
June 18, 2019

1.6 MiB
MD5 hash: 14981f12020f7774971ef61b8229188a
Details

Date:

June 18, 2019

The post Is that really you? The importance of identity in breach response and recovery appeared first on Portcullis Labs.

Simon Crocker, Cisco’s EMEAR lead for SOC Advisory looks at what goes into making a SOC work effectively.

This talk discusses the core SOC requirements around monitoring and incident response function, but also touches on some of the other services that SOCs can also provide.

Learning outcomes:

1. The challenges that SOCs face and approaches to overcome them
2. The array of services that SOCs provide
3. The roadmap to build a SOC
4. Learn how to threat hunt proactively to root out hidden threats
5. Discover best practice on threat hunting from the largest non government threat intelligence team

I2019DTSOTC.pdf
June 18, 2019

925.6 KiB
MD5 hash: 904adc3b1b54f73227ad53807bac5004
Details

Date:

June 18, 2019

The post Discover the secrets of the SOC appeared first on Portcullis Labs.

Over the past fifteen years there’s been an uptick in “interesting” UNIX infrastructures being integrated into customers’ existing AD forests. Whilst the threat models enabled by this should be quite familiar to anyone securing a heterogeneous Windows network, they may not be as well understood by a typical UNIX admin who does not have a strong background in Windows and AD. Over the last few months we’ve spent some time looking a number of specific Active Directory integration solutions (both open and closed source) for UNIX systems and documenting some of the tools, tactics and procedures that enable attacks on the forest to be staged from UNIX.

This talk describes the technical details regarding our findings. It includes Proof of Concepts (PoC) showing real-world attacks against AD joined UNIX systems. Finally, potential solutions or mitigation controls are discussed that will help to either prevent those attacks or at the very least to detect them when they occur.

Tools referenced in this talk include:

• Linikatz
• JohnTheRipper dynamic.conf rules
• metasploit-framework post-exploitation modules
• auditd policies
• fuzzers

eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
December 6, 2018

724.9 KiB
MD5 hash: cc712c5e46b16fbff22a2566b1248a91
Details

Date:

December 6, 2018

The post Where 2 worlds collide: Bringing Mimikatz et al to UNIX appeared first on Portcullis Labs.

Building on my blog post on Cisco’s security blog entitled The Importance of Logs, I put together a presentation that picks apart some of the practical aspects of building a successful logging capability focusing on the need to document “good” and curate “bad”.

The purpose of this talk is not to help you build a SOC in 30 minutes, rather it looks at how logging can go wrong and how to plan in order to get it right. The talk includes some composite case studies which highlight some of the challenges that we’ve seen over the years (particularly when responding in customer breaches) and makes some suggestions on where interested organisations should focus their efforts next.

SSWTIOLYWSWYDL.pdf
October 31, 2018

463.7 KiB
MD5 hash: 390c1d8b29e74f2c15df434b4d0d9f99
Details

Date:

October 31, 2018

The post The importance of logs: You won’t see what you don’t log appeared first on Portcullis Labs.

TLS 1.3 is the new secure communication protocol that should be already with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption) that could potentially allow replay attacks. This is a known issue acknowledged by the TLS 1.3 specification, as the protocol does not provide replay protections for 0-RTT data, but proposed countermeasures that would need to be implemented on other layers, not at the protocol level. Therefore, the applications deployed with TLS 1.3 support could end up exposed to replay attacks depending on the implementation of those protections.

This talk will describe the technical details regarding the TLS 1.3 0-RTT feature and its associated risks. It will include Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers. Finally, potential solutions or mitigation controls would be discussed that will help to prevent those attacks when deploying software using a library with TLS 1.3 support.

Tools referenced in this talk include:

• TLS Playback

us-18-GarciaAlguacil_MurilloMoya-Playback_A_TLS_1.3_Story__v6.pdf
August 13, 2018

2.6 MiB
MD5 hash: c56f49adfbda571c9c32f5860d6f9319
Details

Date:

August 13, 2018

The post Playback: A TLS 1.3 story appeared first on Portcullis Labs.

A lot of recent work has gone into the discovery, analysis, and (on occasion) marketing of hardware weaknesses in the Intel x86[_64] platform particularly with respect to how it is often implemented as part of specific motherboard designs. Some, such as the recent speculative execution borne attacks, are issues in the architecture itself. Other issues, however, affect individual implementations. This talk will take a wide-coverage “state of play” look at x86[_64] platform security covering:

• Architectural failings in hardware design
• Identifying security issues with modern computer hardware (treat it just like IoT devices!)
• Attempts at restoring privacy, ownership, and security
• Code and data persistence
• How secure hardware can be re-used

44CSOTM.pptx
February 16, 2018

5.7 MiB
MD5 hash: 912badf9570eef6597578674e52bbb9d
Details

Date:

February 16, 2018

The post Secrets of the motherboard appeared first on Portcullis Labs.

A lot of fantastic work has gone into the discovery, analysis, and (on occasion) marketing of SSL/TLS vulnerabilities. Some, such as BEAST and LUCKY13, are issues in the protocol itself. Other bugs, however, affect individual implementations of this complicated and nuanced protocol. This talk will discuss an approach for identifying security bugs in SSL/TLS server implementations, outside the mainstream well-publicised issues that we all know so well.

Tools referenced in this talk include:

• sslxray

STHST.pptx
November 16, 2017

1.0 MiB
MD5 hash: 503a77150111d59a0352c27a62195c4c
Details

Date:

November 16, 2017

The post SSL/TLS Hipsterism appeared first on Portcullis Labs.

GITR044C.pdf
September 24, 2015

1.2 MiB
MD5 hash: 580f0d3354e95e5447f497677cd1a1bc
Details

Date:

September 24, 2015

The post GET IN THE RING0 appeared first on Portcullis Labs.