Wednesday Half Day Tutorials

Afternoon:

Sniffing out lateral movement attack paths: an introduction to Bloodhound for defenders

Hinne Hettema, Mainfreight 

Tech Level: Low - Medium

The lateral movement stage of intrusions depends critically on a limited number of techniques and procedures associated with account and service discovery, account compromises, service exploitation and the mapping of internal services and data stores to identify suitable targets for actions on objectives. Microsoft Active Directory plays a key role in many of these steps. 

Weaknesses in the configuration of Active Directory make a lot of techniques associated with lateral movement feasible. Yet many organisations fail to discover, monitor and address the attack paths that they offer attackers. In this session, we'll consider how to assess attack paths through Microsoft Active Directory. We'll also discuss some of the most common weaknesses found in enterprise installations of Active Directory. I


Tackling imposter syndrome: using psychology to disrupt (cognitive) malicious activity

Shelly Mills, UQ

Tech Level: Low

Do you struggle with Imposter Syndrome? 

Cyber security is fraught with imposters. The skills gap and shortage, as well as the ever-changing technology and competitive work environment inherent to the field, are just some of the reasons why many of us struggle with Imposter Syndrome. But that's #FakeNews: it's your brain playing tricks on you.

Looking back, the term Imposter Syndrome was first coined in 1978 by psychologists Rose Clance and Suzanne Imes to describe how some individuals doubt their skills, talents, or accomplishments, and often hold a persistent fear of being exposed as a fraud. This workshop is here to help shape the future by giving cybersecurity professionals the tools they need to combat Imposter Syndrome.

Cognitive Behaviour Therapy (CBT) is based on the understanding that psychological problems are shaped, in part, by inaccurate or unhelpful ways of thinking and learned patterns of behaviour. This half-day workshop will work through the key principles and practices of CBT treatment, which focus on changing thinking patterns, helping us to see ourselves and the world around us in a more positive, realistic and useful way.

Attendees will gain hands-on experience in identifying negative narratives about their own success and abilities and then learn how to utilise CBT tools and techniques to dispute the imposter in their mind.


Incident Response with Velociraptor

Mike Cohen, Rapid7

Tech Level: Medium

With the increased prevalence of cybercrime in recent years, the likelihood that your organization will be targeted by organized crime groups has increased dramatically. Professional cybercriminals are proficient and agile, with typical dwell times measured in hours, not weeks or months as was common in the past. An unsuccessful incident response exercise can result in massive losses to the organization, with critical data either ransomed or exfiltrated.

Don't worry - Velociraptor has your back! This tutorial will introduce you to this powerful open source framework, capable of responding to many thousands of endpoints within minutes. Velociraptor came onto the scene a few years ago and is getting better all the time. It is now the obvious choice for an open source Digital Forensics and Incident Response (DFIR) tool.

Velociraptor's superpower is its flexible and powerful query language, VQL. Using VQL we can implement novel detections, hunt for compromise and automate all our response needs. We cover some common use cases, such as hunting for SSH keys across large networks or automatic escalation when suspicious events are discovered. We also cover real-time monitoring of the endpoint (for example, webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.