Hello Readers, here is my wrap-up of the second day. Usually, the second day is harder in the morning due to the social events but, at TROOPERS, they organize the hacker run started at 06:45 for the most motivated of us. Today, the topic of the 3rd track switched from SAP to Active Directory. But I remained in track #1 and #2 to follow a mix of offensive vs defensive presentations. By the way, to have a good idea of the TROOPERS’ atmosphere here is their introduction video for 2018:

 As usual, the second day started also with a keynote which was assigned to Rossella Mattioli, working at ENISA. She’s doing a lot of promotion for this European agency across multiple security conferences but it’s special with TROOPERS because their motto is the same: “Make the world (the Internet) a safer place”. ENISA’s rule is to remove the gap between industries, the security community and the EU Member States. Rossella reviewed the projects and initiatives promoted by ENISA like the development of papers for all types of industries (power, automation, public transports, etc). To demonstrate the fact that today, the security must be addressed at a global scale, she gave the following example: Think about your journey to come to TROOPERS and list all the actions that you performed with online systems. The list is quite long! Another role of ENISA is to make CSIRT’s work better together. Did you know that they are 272 different CSIRST’s in the European Union? And they don’t always communicate in an efficient way. That’s why ENISA is working on common taxonomies to help them. Their website has plenty of useful documents that are available for free, just have a look!

After a short coffee break and interesting chats with peers, I move to the defensive track to follow Matt Graeber who presented “Subverting trust in Windows”. Matt warned that the talk was a “hands-on” edition of his complete research that is available online. Today’s presentation focuses more on live demos. First, what is “trust” in the context of software?

But what is the intent of code signing? To attest the origin and integrity of software.  It is NOT an attention of trust or intent! But, it can be used to enforce the mechanism for previously established trust. Some bad assumptions reported by Matt:

• Signed == trusted
• Non-robust signature verification
• No warning/enforcement of known bad certs

Then, I switched back to the offensive track to listen to Salvador Mendoza and Leigh-Anne Galloway who presented “NFC payments: The art of relay and replay attacks“. They started with a recap of the NFC technology. Payments via NFC are not new: The first implementation was in 1996 in Korea (public transports). In 2015, ApplePay was launched. And today, 40% of non-cash operations are performed over NFC! Such attacks are also interesting because the attacker can gain easily some money, banks are accepting the risk to lose a percentage of transactions, some limits on the amount are higher in other countries and finally, there is no additional card holder identification. The explained two types of attacks: the replay and relay. Both are based on RFC readers coupled with Raspberry devices. They tried to perform live demos but it failed (it’s always touchy to play live with NFC). Hopefully, they had pre-recorded videos. Demos are interesting but, in my opinion, there was a lack of details for people who don’t play with NFC every day, just like me!

After the lunch, Matt Domko and Jordan Salyer started the last half-day with an interesting topic: “Blue team sprint: Let’s fix these 3 thinks on Monday”. Matt presented a nice tool last year, called Bropy. The idea was to automatically detect unusual traffic on your networks. This year, he came back with more stuff. The idea of the talk was: “What to do with a limited amount of resources but in a very effective way?“. Why? Many companies don’t have the time, the stuff and/or the budget to deploy commercial solutions. The first idea was to answer the following question: “What the hell is on my network?”. Based on a new version of his tool, rewritten in Python3 and now supported IPv6 (based on last year comments). The next question was: “Why are all my client systems mining bitcoin?”. Jordan explained how to deploy AppLocker from Microsoft to implement a white-list of applications that can be executed on a client computer.  Many examples were provided, many commands based on PowerShell. I recommend you to have a look at the slide when they will be available online. Finally, the 3rd question to be addressed was the management of logs based on an ELK stack… classic stuff! Here, Matt gave a very nice tip when you’re deploying a log management solution. Always split the storage of logs and the tools used to process them. This way, if you deploy a new tool in the future, you won’t have to reconfigure all your clients (ex: if you decide to move from ELK to Splunk because you got some budget).

If Matt is using Bro (see above), the next speaker too. Joe Slowik presented “Mind the gap, Bro: using network monitoring to overcome lack of host visibility in ICS environments“. What does it mean? Monitoring of hosts and networks are mandatory but sometimes, it’s not easy to get a complete view of all the hosts present on a network. Environments can be completely different: a Microsoft Windows-based network does not have the behaviour of an ICS network. The idea is to implement Bro to collect data passing across the wire. Bro is very powerful to extract files from (clear-text) protocols. As said Joe: “If you can see it, Bro can read it“. Next to Bro, Joe deployed a set of YARA rules to analyze the files carved by Bro. This is quite powerful. Then, it presented some examples of malware impacting ICS networks and how to detect them with his solution (Trisis, Dymalloy and CrashOverride). The conclusion of the presentation was that reducing the response time can limit an infection.

The last time slot for me was in the offensive track where Raphaël Vinot, from CIRCL.lu, presented “Ads networks are following you, follow them back”. Raphaël presented a tool he developed to better understand how many (to not say all) websites integrate components from multiple 3rd party providers. If the goal is often completely legit (and to gain some revenue), it has already been discovered that ads networks were compromized to distribute malicious content. Based on this, we can consider that any website is potentially dangerous. The situation today as described by Raphaël: