The Briefing, London
Thursday, May 19th, 2022
09:00 – 19:00
County Hall, London, United Kingdom
Our first UK Briefing as WithSecure will take place in London on May 19th. Register your interest to attend.
Join our next in-person UK Briefing for a range of technical and business-related insights shared exclusively by our security experts. Register now to book your seat.
At this full-day event, you can expect:
- Technical and business-related insights
- Practical and actionable tips
- Guidance from cyber-security experts
- The opportunity to network with your peers and discuss your security concerns with our consultants
We will provide refreshments throughout the day, as well as a a sit-down lunch. The event will be followed by a drinks reception.
Please note that your registration will be confirmed by a member of the team.
Agenda:
What is effective ransomware prevention: Insights from the Conti playbook, presented by Arran Purewal
In 2021 and early 2022 technical documents were leaked by disgruntled affiliates from one of the longest running and most successful Ransomware as a Service operators CONTI. Aside from their political leanings and associations with nation states, this gave insights into multiple strands of interest from a Detection and Response perspective, their operator skill, the group’s technical proficiency and their preferred methods of exploitation at each kill chain stage.
This talk will outline the best approach to ransomware prevention and provide valuable insights on the approaches necessary to detect, evict, and prevent ransomware operators from reaching their goals.
This talk is applicable to all organizations concerned about the threat of ransomware or looking to bolster their detection and response program.
The audience will learn:
- The techniques utilised by Conti and other ransomware actors
- The common low-level techniques used by attackers
- The mindset shift required to understand the most important aspects of ransomware prevention
- What good detection & response practice looks like to prevent all threats, not just ransomware actors
Thinking in graphs – data visualization for threat hunting, presented by Tom Barrow & Guilio Ginesi
An adage within the cyber industry is that "Defenders think in lists. Attackers think in graphs". But what happens when Defenders too think in graphs? In this talk, we explore the importance of the way one visualises data in the context of threat hunting, the application of graph theory to this data, and introduce a recently developed data visualisation tool - 'Detectree'.
The audience will:
- Learn why data visualisation is fundamental to threat hunting rather than just a ‘nice to have’
- Understand why ‘Continuous Improvement’ is important within Blue Teams
- Get access to a new tool!
Exploring the macOS endpoint security framework for threat detection, presented by Connor Morley
Endpoint Security Framework (ESF) is the somewhat new security auditing tool that Apple has introduced to provide the security industry with a one-stop shop for all its telemetry needs. The ESF is capable of providing real time telemetry for detection and automated defensive purposes. However, despite this component being introduced in 2019, it wasn’t until late 2020 that most of the industry started taking notice.
This talk will provide an overview of ESF, why it was introduced, how the ESF can be used in active threat detection, the issues with data collection, and an example use case against the Meterpreter agent on macOS 11.2.2.
The audience will learn:
- What the Endpoint Security Framework is and why it was introduced to the macOS.
- How the ESF can be used from a technical perspective and some of the caveats that are involved with its implementation
- An understanding of the sort of telemetry that can be acquired easily via the ESF and its value to detection operations moving forward.
Exploring untraditional attack surfaces, presented by Katie Inns & Jake Knott
Attack surfaces have evolved faster than our techniques for securing them, meaning organisations are now being forced to consider attack paths that would historically have been lower priority. Have you ever wondered how an attacker could enter your corporate network through an employee’s residential broadband?
The rapid implementation of collaborative tooling and remote access solutions in recent years has seen an increase in misconfigurations and sensitive data exposure, creating new potential avenues for compromise.
These types of attack path are often overlooked due to being outside the traditional scope of endpoints, domains and network blocks. However, it's these attack paths that can sometimes offer alternative routes to a foothold.
This talk will look to explore various ways your organisation could be targeted through untraditional means, and how attackers can often gain significant insights prior to gaining a foothold on a corporate network. It will also look to discuss how organisations can identify and reduce these areas of their attack surface.
In this talk, the audience will learn:
- Real examples of untraditional attack paths discovered by the ASM team
- Why an organisation’s attack surface isn't isolated to endpoints, domains, netblocks and assets with sensors
- How organisations can detect and mitigate common untraditional attack surface exposure
- Why traditional vulnerability management can miss realistic attack paths
Mapping and exploring cloud access management at scale, presented by Nick Jones
Tracking and managing access across a cloud estate is one of the biggest security challenges faced by many organizations, particularly as they scale up their cloud usage. The permissions systems implemented by the cloud providers are complex, out of necessity, to provide the required capabilities. However, this makes it very difficult to keep track of what users and systems can manipulate assets within an environment. This can lead to an attacker being able to escalate their privileges within a workload, or pivot from one cloud environment into another, as a result of unintended permissions being granted.
In this talk, Nick will present several different approaches to enumerating and evaluating the true permissions of an entity across an AWS organization, highlight some practical steps an organization can take to immediately identify the most dangerous effective permissions, and discuss how similar techniques could be applied in future across other providers and in multi-cloud estates.
About the speakers
Arran Purewal, Operations Director, D&R
Arran is a Director in the Detection & Response Team at WithSecure. He has experience in Threat Hunting and has responded to incidents deriving from a vast number of threat actors across customer estates. He joined WithSecure in 2017 as a Threat Hunter and played a significant role in shaping the DRT into a leading blue team.
Outside of work Arran enjoys running and spending time with his cat.
Tom Barrow, Threat Hunter
Tom joined WithSecure in July 2020, prior to which he completed a Physics degree at the University of Bristol and worked at several cybersecurity start-ups.
Tom is deeply interested in the application of data science to cyber-security, including novel threat detection and data visualisation. Outside of work his interests include music production, indoor rock climbing and Liverpool FC.
Giulio Ginesi, Threat Hunter
Giulio joined the company in March 2020 prior to which he completed a MSc in Cybersecurity and got involved in several academic research projects. Interests include malware analysis and electronics. Outside of work Giulio’s interests include travelling and reading.
Connor Morley, Senior Researcher
Connor specialises in endpoint security research. He joined WithSecure in 2017, prior to which he completed a Computer Security & Forensics degree at the University of Greenwich. Previously a threat hunter in the DRT team he has since moved to the research team to focus on improving detection capabilities. Interests include malware analysis, reverse engineering, devising and releasing tools for detection on both Windows and MacOS. Outside of work Connor enjoys travelling, gaming, cooking, and reading.
Katie Inns, Security Consultant
Katie's focus is on helping organizations reduce and improve the security across their external attack surface. Katie has 4 years’ experience in the security industry, working in consulting and within an in-house security team focusing on vulnerability management and application security. Outside of work, Katie enjoys dancing and travelling.
Jake Knott, Security Consultant
Jake's experience in cyber security spans both defensive and offensive functions. Jake currently operates within the Attack Surface Management team, which is responsible for continuous external perimeter mapping/monitoring and rapid response to new and emerging threats.
Jake's current specialisms lay in the application of open-source intelligence to proactive cyber defence.
Nick Jones, Global Cloud Security Lead
Nick Jones focuses on AWS security in mature, cloud-native organizations and large enterprises. He has several years’ experience delivering offensive security assessments and helping clients to improve their cloud security, specializing in supporting development of cloud attack detection capabilities. He has previously spoken on the topic at major security conferences like RSA and fwd:cloudsec,. He also maintains WithSecure's open-source cloud attack simulation framework, Leonidas.