CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

2019 Workshops

Attacking and Defending Kubernetes Clusters: A Guided Tour

Is your Kubernetes cluster able to resist the most common attacks? And, are all the necessary detection mechanisms in place to know if a security issue did occur?

In this hands-on workshop, we will dive into the art and science of Kubernetes security through a series of interactive attack and defense scenarios. Attendees will learn through instructor-led exercises how to identify and exploit realistic misconfigurations in Kubernetes clusters to achieve full cluster compromise. Each attack step will be matched with hardening measures and specific methods for detection and response workflows.

Each workshop attendee will be provided with a pre-configured Kubernetes cluster running realistic workloads in a cloud-based lab environment. The tools and methodologies covered by these exercises will directly help attendees secure their own organization's clusters.

Jimmy Mesta

Jimmy is a security leader who has been working in AppSec and infrastructure security for over 10 years. He founded and led the OWASP Santa Barbara chapter and co-organized the AppSec California security conference. Jimmy has taught at private corporate events and security conferences worldwide, including AppSec USA, LocoMocoSec, SecAppDev, RSA, and B-Sides. He has spent significant time on both the offense and defense sides of the industry and is constantly working towards building modern, developer-friendly security solutions.

Security Operations with PowerShell Core

Following along with the spirit of PowerShelling all of the things, and with open-source PowerShell Core 7+ now supported on all major OS platforms, it is time to learn multi-platform PowerShell security operations. Stopping there? No way! With information coming from every source imaginable, you need a way to collect and analyze that information, which is a perfect job for everyone's favorite open-source database/interface solution, the Elastic Stack. PowerShell is either already in place or allowed by default in many restricted environments, which makes it a ubiquitous living-off-the-land binary for defensive cyber operators.

Whether performing continuous monitoring, intermittent threat hunting, or incident response, having access to the devices and resources available in your respective enterprise is a success condition. In this workshop, you learn how to install PowerShell Core 7 (current release) on Windows, Linux, and macOS devices through different local and remote install options. Next, you learn to leverage WinRM for Windows and SSH remoting for *nix/macOS devices to create PowerShell remote connections to each device. With PowerShell remote sessions established to every device, everything is pretty familiar: pull network connections, query running processes, run several other queries useful for identifying malicious activity, and pull the results back to your centralized "security operations" endpoint. If you don't have the flexibility to create an Elasticsearch service in your environment, don't sweat it. Aggregating, analyzing, and reporting interesting findings with nothing more than PowerShell is the perfect tool for your toolbelt. But for when the opportunity arises, you will learn to quickly spin up a cloud instance, convert your freshly procured security operations data into JSON, ingest it, and analyze it in Kibana with ease and dashboard-creating swag over 9000.

  • Setting Up Your PowerShell Environment 15 min

  • PowerShell Network Discovery and Enumeration 20 min

  • Deploying PowerShell Core 7 on Dissimilar OSes 15 min

  • Creating PowerShell Remoting Sessions with WinRM and SSH 20 min

  • Running OS Information Queries Across Your Environment 20 min

  • Collecting and Analyzing Information with PowerShell 10 min

  • Analyzing PowerShell-Collected Information with the Elastic Stack 20 min

Pre-Requirements: Create an Elasticsearch Cloud trial account, and have one Linux and one Windows system (VM or physical box) prepared. If you are also virtualizing these on a Mac, that is helpful, but we will have a Mac device for you to connect to if you like (be nice).

Aaron Rosenmund and Brandon DeVault

Aaron M. Rosenmund is a cyber security operations and incident response subject matter expert with a background in federal and business system administration, virtualization, and automation. Leveraging that administration and automation experience, Aaron has contributed to multiple open and closed source security operations platform projects and continues to create tools and content to benefit the community, to support his efforts as an educator/researcher at Pluralsight, and to advance the capabilities of the Air National Guard, where he serves part time on a Cyber Mission Defense Team. Understanding the need for the cyber security workforce to be dynamically learning to keep pace with the ever-changing cyber threat landscape, he has dedicated himself to researching, teaching, and sharing experiences and capabilities with the community to fill the knowledge gap that currently exists.

Brandon DeVault is a security analyst, incident responder, and educator with a background in network administration and hardware hacking. He has previous experience with Special Operations Command (SOCOM) on deployable communication teams and is a part-time member of the Air National Guard on a Mission Defense Team (SOC) defending North America's air tracks. He currently works as an Engineer for Elastic performing security consulting and education.

Exploiting Bluetooth Low Energy 101

Bluetooth, especially Bluetooth Low Energy (BLE), has become the ubiquitous backbone that modern devices use to interact with each other. From mobile to IoT to automotive, most smart devices now support Bluetooth connections, meaning that this attack vector is becoming an increasingly important aspect of security testing. This class will break down the various phases of Bluetooth "hacking" with an emphasis on sniffing BLE connections, spoofing devices, and exploiting GATT services. We will cover some history behind Bluetooth and the evolution of the protocol stack, the tools and setup required to start testing BLE in your home or as part of a Bluetooth pentest, and demonstrate that all you need to start testing BLE is an Android or iOS device.

Maxine Filcher

Maxine is a US Army veteran, currently attending the University of Washington – Tacoma as a senior pursuing a degree in Information Assurance and Cybersecurity. She has experience as a security analyst hunting wireless threats and vulnerabilities, and currently works for IOActive as a Security Consultant, applying her knowledge to help companies identify wireless risks within their environments. She has also served as a teaching assistant for the UWT CPES program, which builds and delivers cybersecurity-focused curricula for K-12 students, where she focused on wireless security and RF concepts. Maxine was selected for the SANS Women's Immersion Academy 2018 Cohort and holds the GSEC, GCIH, and GPEN GIAC certifications.

Understanding and Analyzing Weaponized Carrier Files

If you plan to attend, please visit the following link to prep: https://github.com/rj-chap/cfworkshop.

Weaponized carrier files, such as PDF and Office docs, are used in various attack campaigns in order to compromise victims. In this workshop, we'll cover the file formats, associated weaponization methods, and analysis techniques for the attack code used with these types of files. We'll pull apart PDF object streams, deobfuscate JavaScript code, and analyze PDF-based attacks. For Office docs, we'll review the OLE file format; take a gander at VBA-based macros; extract, deobfuscate, and debug the VBA code; and identify indicators of compromise. We'll be using a Windows-based malware VM along with tools such as oledump, PDFStreamDumper, the MS VBA Editor, and more!

Level: Intermediate

Prerequisites: This workshop will cover the file formats for both PDF and Office (e.g. docx) files. If you've never analyzed such a file for maliciousness, fear not! We'll be covering the basics. If you have programming/scripting experience, great. If not, don’t worry. If you have worked to deobfuscate code, fantastic. If not, meh.

Required Materials: You will want to bring a laptop equipped with the following:

  • The laptop will probably need at least 4GB of RAM, as you'll need to be able to run your host OS (doesn't matter which, I and my room proctors can help with any of them) along with a Windows 10 VM.

  • Please try to have a USB port available. I will have USB 3.0 drives with me the day of the workshop. These drives will be FAT-formatted (nothing fancy) and contain the files required for the workshop. I will also pop the files onto a cloud-based file sharing service well ahead of the workshop for folks who like to set up early.

  • VM software! You'll need software to run a VM, such as VMware or VirtualBox. Doesn't matter if you're on a Mac with VMware Fusion, Windows, Linux, whatever. As long as you can run a VM (and take at least one snapshot), we're solid!

  • If you do not have a Windows 10 malware analysis machine, please check out https://www.microsoft.com/en-us/evalcenter/evaluate-windows, as you can grab a trial of Windows that will work just fine for this workshop.

  • Speaking of MS products, in order to follow along with VBA file debugging you're going to want a copy (evaluation version works fine) of MS Office. Version doesn't really matter, but the more recent the better. Again, check out the MS Evaluation Center for a copy of Office that you can use: https://www.microsoft.com/en-us/evalcenter/evaluate-office-365-proplus

  • Python! You'll want to have Python installed (2.7.x preferred). I'll have an offline installer available should you need it (make sure you have that USB port available!).

    • I'll be providing some Python-based scripts for analysis, along with some tools such as PDFStreamDumper ahead of the workshop. I will provide direct links to the files as provided by the developers. I will also be providing carrier file samples ahead of time and on the workshop USB.

Ryan Chapman (@rj_chap)

Ryan Chapman is an Incident Response (IR) consultant with a background in host and network forensic analysis; malware analysis; threat intelligence; and all the other fun facets of the blue team realm. Prior to working in IR, Ryan worked as a technical trainer for many years. Outside of work, Ryan spends time with his family, gets tapped on the jiu jitsu mats, and plays plenty of Street Fighter. Hadouken!

Analysis 101 for the Incident Responder

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and malware analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

Not required, but bringing your own laptop is highly recommended!

Kristy Westphal

Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk. She currently runs an incident response team at a large organization in Tempe, AZ. She specializes in leadership and program development, and her specific expertise in security areas includes process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis, and policy development.