Portcullis Labs » conference
https://labs.portcullis.co.uk
Research and Development

Security Engineering – A manifesto for defensive security
https://labs.portcullis.co.uk/presentations/security-engineering-a-manifesto-for-defensive-security/
Fri, 28 Jun 2019 06:27:47 +0000

The post Security Engineering – A manifesto for defensive security appeared first on Portcullis Labs.

Presentation on the need to re-examine how we engineer systems (taking service providers as an example) and the implications on how we quantify cyber risk if we want to take this message into the board room (as given at BT’s SnoopCon 2019 and Cisco’s June 2019 Knowledge Network webinar for service providers).

Having delivered security consultancy as part of Portcullis/Cisco for over 15 years, I’ve seen a variety of shades of broken. Since I recently spent some time on secondment to one of our customers to help them design, build and operationalise security as part of their digital transformation programme, I got to thinking: what would I do if I wanted to get projects delivered right? With apologies to grsec, Jericho Forum, BeyondCorp and Trusted Computing, what followed was part philosophy, part technical brain dump, the result being my take on security engineering and how to build defensible systems. This talk includes the following hits:

  • Helping the blue team – a case study in 3 parts…
  • Blue doesn’t have the manpower to adopt gift-wrapped improvements, let alone offensive research thrown over the wall
  • Static passwords – why the hell are we still using them?
  • Vulnerability management – didn’t we say blacklists were bad?
  • Forget about penetration testing – what are your controls?
  • Is there another way to report – why don’t businesses listen to us?
  • Monetising MITRE – can we make money out of CVEs?

Download: SEAMFDS.pdf (June 28, 2019, 311.8 KiB, MD5 hash: 185701fbc113ca2a676e802b61df53e2)

So you want to build a SOC: Lessons from the front line
https://labs.portcullis.co.uk/presentations/so-you-want-to-build-a-soc-lessons-from-the-front-line/
Thu, 20 Jun 2019 14:06:57 +0000

The post So you want to build a SOC: Lessons from the front line appeared first on Portcullis Labs.

Presentation on building an effective operational security capability (as given at Cisco Live US/Talos Threat Research Summit 2019).

This talk will not help you build a SOC in only 60 minutes, but it will help you build a functional security operation over time.

Building a SOC can be daunting. This talk will look at how to pick your fights and the key battles (authentication, logging, etc.) that any operational security team needs to win. The session will discuss how to ensure you formalize existing good practices and just as importantly what gaps may exist in the team’s processes. The session will look at the next steps that any organization intending to set off down this road ought to consider.

Download: TTRS19SYWTBASLFTFL.pdf (June 20, 2019, 1.6 MiB, MD5 hash: 9fd544a63fcac10688d82d4cec24df44)

Is that really you? The importance of identity in breach response and recovery
https://labs.portcullis.co.uk/presentations/is-that-really-you-the-importance-of-identity-in-breach-response-and-recovery/
Tue, 18 Jun 2019 08:56:23 +0000

The post Is that really you? The importance of identity in breach response and recovery appeared first on Portcullis Labs.

Presentation on Zero Trust and the importance of identity in breach response and recovery (as given at InfoSec Europe 2019 on the tech talk track).

Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services, looks at Cisco’s approach to zero trust.

This talk discusses the need to monitor your users’ access and privileges and how securing them as they interact with the Internet is core to a Zero Trust approach to cybersecurity. Richard doesn’t just stop there though, but rather moves on to look at what happens if you’re facing a deliberate attempt to steal your users’ identities in order to take advantage of these privileges. In this talk, you’ll learn how to manage identity effectively, as well as the importance of software defined networks in the drive to zero trust and rapid threat containment.

Learning outcomes:

  1. Learn how to manage identity and access management effectively
  2. The importance of software defined networks in enabling rapid threat containment
  3. The first steps an organisation should take to start on the Zero Trust journey
  4. Aligning corporate and personal security practices to get better adoption from staff, identity and password management
  5. The importance of Software defined networks in the drive to Zero Trust

Download: I2019ITRYTIOIIBRR.pdf (June 18, 2019, 1.6 MiB, MD5 hash: 14981f12020f7774971ef61b8229188a)

Discover the secrets of the SOC
https://labs.portcullis.co.uk/presentations/discover-the-secrets-of-the-soc/
Tue, 18 Jun 2019 08:39:26 +0000

The post Discover the secrets of the SOC appeared first on Portcullis Labs.

Presentation on building effective SOCs (as given at InfoSec Europe 2019 on the interactive workshop track).

Simon Crocker, Cisco’s EMEAR lead for SOC Advisory, looks at what goes into making a SOC work effectively.

This talk discusses the core SOC requirements around monitoring and incident response function, but also touches on some of the other services that SOCs can provide.

Learning outcomes:

  1. The challenges that SOCs face and approaches to overcome them
  2. The array of services that SOCs provide
  3. The roadmap to build a SOC
  4. Learn how to threat hunt proactively to root out hidden threats
  5. Discover best practice on threat hunting from the largest non-government threat intelligence team

Download: I2019DTSOTC.pdf (June 18, 2019, 925.6 KiB, MD5 hash: 904adc3b1b54f73227ad53807bac5004)

An offensive introduction to Active Directory on UNIX
https://labs.portcullis.co.uk/blog/an-offensive-introduction-to-active-directory-on-unix/
Thu, 06 Dec 2018 09:18:36 +0000

The post An offensive introduction to Active Directory on UNIX appeared first on Portcullis Labs.

By way of an introduction to our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests.

Background to Active Directory integration solutions

Having seen an uptick in unique UNIX infrastructures that are integrated into customers’ existing Active Directory forests, the question becomes, “Does this present any concerns that may not be well understood?” This quickly became “What if an adversary could get into a UNIX box and then breach your domain?”
A typical Active Directory integration solution (in this case SSSD) shares a striking similarity to what a user might see on Windows. Notably, you have:

  • DNS – Used for name resolution
  • LDAP – Used for “one-time identification” and assertion of identity
  • Kerberos – Used for ongoing authentication
  • SSSD – Like LSASS
  • PAM – Like msgina.dll or the more modern credential providers

You can see a breakdown of this process here. Unlike Windows, there is no Group Policy for the most part (with some exceptions), so policies for sudo et al. are typically pushed as flat files to hosts.

Our research

Realistically, the threat models associated with each part of the implementation should be quite familiar to anyone securing a heterogeneous Windows network. Having worked with a variety of customers, we have seen that the typical UNIX administrator who does not have a strong background in Windows and Active Directory will be ill-equipped to handle this threat. We’ve been talking about successful attacks against components such as LSASS and Kerberos for quite some time (Mimikatz dates back to at least April 2014, and dumping hashes has been around even longer: Pwdump, which dumped local Windows hashes, was published by Jeremy Allison in 1997). However, no one has really taken a concerted look at whether these attacks are possible on UNIX infrastructure, nor how a blue team might spot an adversary performing them.

As a result of this research, we were able to develop tactics, tools, and procedures that might further assist an attacker in breaching an enterprise, and we began documenting and developing appropriate strategies to allow blue teams to detect and respond to such incursions. The Black Hat EU slides can be found here, whilst the tools we developed can be found on our GitHub repo.

Where 2 worlds collide: Bringing Mimikatz et al to UNIX
https://labs.portcullis.co.uk/presentations/where-2-worlds-collide-bringing-mimikatz-et-al-to-unix/
Thu, 06 Dec 2018 08:04:06 +0000

The post Where 2 worlds collide: Bringing Mimikatz et al to UNIX appeared first on Portcullis Labs.

Presentation on Active Directory integration solutions for UNIX (as given at Black Hat Europe 2018).

Over the past fifteen years there’s been an uptick in “interesting” UNIX infrastructures being integrated into customers’ existing AD forests. Whilst the threat models enabled by this should be quite familiar to anyone securing a heterogeneous Windows network, they may not be as well understood by a typical UNIX admin who does not have a strong background in Windows and AD. Over the last few months we’ve spent some time looking at a number of specific Active Directory integration solutions (both open and closed source) for UNIX systems and documenting some of the tools, tactics and procedures that enable attacks on the forest to be staged from UNIX.

This talk describes the technical details regarding our findings. It includes Proof of Concepts (PoC) showing real-world attacks against AD joined UNIX systems. Finally, potential solutions or mitigation controls are discussed that will help to either prevent those attacks or at the very least to detect them when they occur.

Tools referenced in this talk include:

Download: Eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX (724.9 KiB, MD5 hash: cc712c5e46b16fbff22a2566b1248a91)

Playback: A TLS 1.3 story
https://labs.portcullis.co.uk/presentations/playback-a-tls-1-3-story-2/
Mon, 13 Aug 2018 06:28:32 +0000

The post Playback: A TLS 1.3 story appeared first on Portcullis Labs.

Presentation on 0-RTT in TLS 1.3 (as given at DEF CON 26 and Black Hat 2018).

TLS 1.3 is the new secure communication protocol that should already be with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption), which could potentially allow replay attacks. This is a known issue acknowledged by the TLS 1.3 specification: the protocol does not provide replay protections for 0-RTT data, but proposes countermeasures that would need to be implemented on other layers, not at the protocol level. Therefore, applications deployed with TLS 1.3 support could end up exposed to replay attacks, depending on the implementation of those protections.

This talk will describe the technical details regarding the TLS 1.3 0-RTT feature and its associated risks. It will include Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers. Finally, potential solutions or mitigation controls will be discussed that will help to prevent those attacks when deploying software using a library with TLS 1.3 support.

Tools referenced in this talk include:

Download: Us-18-GarciaAlguacil MurilloMoya-Playback A TLS 1.3 Story  V6 (2.6 MiB, MD5 hash: c56f49adfbda571c9c32f5860d6f9319)

Playback: A TLS 1.3 story
https://labs.portcullis.co.uk/blog/playback-a-tls-1-3-story/
Wed, 08 Aug 2018 14:00:00 +0000

The post Playback: A TLS 1.3 story appeared first on Portcullis Labs.

Secure communications are one of the most important topics in information security and the Transport Layer Security (TLS) protocol is currently the most used protocol to provide secure communications on the Internet. For example, when you are connecting to your online banking application, your favorite instant messaging application or social networks, all those communications are being transmitted using TLS. With TLS the information sent by the browser and the service is secured and encrypted, meaning that the information cannot be modified or tampered with by an attacker. Moreover, the communications are verified to ensure that the browser is connected to the right endpoint (e.g. Wikipedia).

TLS was born as a substitute for the ancient Secure Sockets Layer (SSL) protocol, which was showing its age and was susceptible to multiple attacks. The first version of TLS, 1.0, was created in 1999 and it was based on SSLv3. Since then TLS 1.1 (2006) and TLS 1.2 (2008) were created to improve previous versions of the protocol, solving some of the security weaknesses that security researchers discovered in the last two decades.

TLS 1.3 is the new protocol version. It is not officially released yet, but it is in the final stage, just waiting for the final approval. In any case, some important vendors and open source projects are currently supporting it. The TLS 1.3 Working Group released multiple iterations (drafts) that refined and improved the protocol in the last four years. One of the outcomes of that hard work is that TLS 1.3 has been simplified compared to previous versions of the protocol and it is not vulnerable to known attacks that affected previous versions. For example, in TLS 1.2 the number of ciphers supported was high, maybe too high, and the Working Group has decided to limit this new version to support only five ciphers. Another example is that with TLS 1.3, forward secrecy is not optional, so, in the case that an attacker manages to steal the private keys of one server, he will not be able to decrypt previous communications as he would not be able to obtain the session keys used to encrypt previous messages.

TLS 1.3 has also introduced a new feature to improve the performance for new connections. The name of this feature is 0-RTT (Zero Round Trip Time Resumption) and it allows fast session resumption that can push data to the server without needing to wait for a server confirmation. This is possible as 0-RTT reuses cryptographic information obtained in the first connection to the server. The following diagram shows how TLS 1.3 0-RTT resumption works:

[Figure: 0RTT handshake state diagram]

This is interesting functionality from a performance point of view, but it has some known security implications.

Cisco security consultants Alfonso Garcia Alguacil and Alejo Murillo Moya will deliver a presentation about some of the known security implications of using 0-RTT and will show Proof of Concepts (PoCs) of some attacks in real world environments. The intent is to raise awareness across the security community about that new feature. The presentation is named “Playback: A TLS 1.3 story” and it will be presented at Black Hat USA 18 and DEF CON 26. Attendees will learn about TLS 1.3 0-RTT, see some examples about how an attacker could take advantage of that new feature and finally get an understanding of the security implications of enabling the featu

You can find the slides and tool from this presentation here:

Secrets of the motherboard
https://labs.portcullis.co.uk/presentations/secrets-of-the-motherboard/
Fri, 16 Feb 2018 10:13:07 +0000

The post Secrets of the motherboard appeared first on Portcullis Labs.

Presentation on “interesting” features of the Intel x86[_64] platform (as given at 44CON 2017).

A lot of recent work has gone into the discovery, analysis, and (on occasion) marketing of hardware weaknesses in the Intel x86[_64] platform, particularly with respect to how it is often implemented as part of specific motherboard designs. Some, such as the recent speculative execution borne attacks, are issues in the architecture itself. Other issues, however, affect individual implementations. This talk will take a wide-coverage “state of play” look at x86[_64] platform security covering:

  • Architectural failings in hardware design
  • Identifying security issues with modern computer hardware (treat it just like IoT devices!)
  • Attempts at restoring privacy, ownership, and security
  • Code and data persistence
  • How secure hardware can be re-used

Download: 44CSOTM.pptx (February 16, 2018, 5.7 MiB, MD5 hash: 912badf9570eef6597578674e52bbb9d)

SSL/TLS Hipsterism
https://labs.portcullis.co.uk/presentations/ssltls-hipsterism/
Fri, 17 Nov 2017 10:44:40 +0000

The post SSL/TLS Hipsterism appeared first on Portcullis Labs.

Presentation on finding implementation* bugs outside the mainstream (as given at Securi-Tay 2017).

A lot of fantastic work has gone into the discovery, analysis, and (on occasion) marketing of SSL/TLS vulnerabilities. Some, such as BEAST and LUCKY13, are issues in the protocol itself. Other bugs, however, affect individual implementations of this complicated and nuanced protocol. This talk will discuss an approach for identifying security bugs in SSL/TLS server implementations, outside the mainstream well-publicised issues that we all know so well.

Tools referenced in this talk include:

Download: STHST.pptx (November 16, 2017, 1.0 MiB, MD5 hash: 503a77150111d59a0352c27a62195c4c)
