CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

DIRE: Renaming Variables in Decompiled Code with Neural Nets

Decompilers transform binaries into high-level source code, and are a critical part of the working hacker's arsenal of tools for malware analysis, reverse engineering, and exploit development. Over time, decompilers have become increasingly sophisticated in reconstructing information lost during the compilation process (e.g., code structure and type information). A longstanding issue is recovering meaningful variable names that correspond to the intent of the original code.

This talk presents DIRE (the Decompiled Identifier Renaming Engine), a new probabilistic technique that uses both lexical and structural information to recover variable names. Where current state-of-the-art tools recover variable names like "a1" or "iVar", DIRE correctly recovers meaningful variable names like "filename". We present our approach for training and evaluating models of decompiled code using a large corpus of 164,632 unique x86-64 binaries mined from C projects on GitHub. We share our results of DIRE's large scale application and show that it can predict variable names identical to the names in the original source code up to 74.3% of the time.

You'll leave this talk with knowledge of new techniques in binary decompilation, and practical tooling for more accurate variable name recovery. You'll also learn about state-of-the-art approaches in decompilation, outstanding challenges, and new ways for addressing these challenges.

Jeremy Lacomis

Jeremy Lacomis is a Ph.D. student in the Institute for Software Research at Carnegie Mellon University. His research interests are in search-based software engineering, automated code and binary transformation, and improving tooling for reverse engineers. Jeremy holds a B.A. in Computer Science from the University of Virginia and an A.S. in Computer Science from Piedmont Virginia Community College.

Understanding and Analyzing Weaponized Carrier Files

If you plan to attend, please visit the following link to prep: https://github.com/rj-chap/cfworkshop.

Weaponized carrier files, such as PDF and Office docs, are used in various attack campaigns in order to compromise victims. In this workshop, we'll cover the file formats, associated weaponization methods, and analysis techniques for the attack code used with these types of files. We'll pull apart PDF object streams, deobfuscate JavaScript code, and analyze PDF-based attacks. For Office docs, we'll review the OLE file format; take a gander at VBA-based macros; extract, deobfuscate, and debug the VBA code; and identify indicators of compromise. We'll be using a Windows-based malware VM along with tools such as oledump, PDFStreamDumper, the MS VBA Editor, and more!

Level: Intermediate

Prerequisites: This workshop will cover the file formats for both PDF and Office (e.g. docx) files. If you've never analyzed such a file for maliciousness, fear not! We'll be covering the basics. If you have programming/scripting experience, great. If not, don’t worry. If you have worked to deobfuscate code, fantastic. If not, meh.

Required Materials: You will want to bring a laptop equipped with the following:

  • The laptop will probably need at least 4GB of RAM, as you'll need to be able to run your host OS (it doesn't matter which; my room proctors and I can help with any of them) along with a Windows 10 VM.

  • Please try to have a USB port available. I will have USB 3.0 drives with me the day of the workshop. These drives will be FAT-formatted (nothing fancy) and contain the files required for the workshop. I will also pop the files onto a cloud-based file sharing service well ahead of the workshop for folks who like to set up early.

  • VM software! You'll need software to run a VM, such as VMware or VirtualBox. It doesn't matter if you're on a Mac with VMware Fusion, Windows, Linux, whatever. As long as you can run a VM (and take at least one snapshot), we're solid!

  • If you do not have a Windows 10 malware analysis machine, please check out https://www.microsoft.com/en-us/evalcenter/evaluate-windows, as you can grab a trial of Windows that will work just fine for this workshop.

  • Speaking of MS products, in order to follow along with VBA file debugging you're going to want a copy of MS Office (an evaluation version works fine). Version doesn't really matter, but the more recent the better. Again, check out the MS Evaluation Center for a copy of Office that you can use: https://www.microsoft.com/en-us/evalcenter/evaluate-office-365-proplus

  • Python! You'll want to have Python installed (2.7.x preferred). I'll have an offline installer available should you need it (make sure you have that USB port available!).

    • I'll be providing some Python-based scripts for analysis, along with some tools such as PDFStreamDumper ahead of the workshop. I will provide direct links to the files as provided by the developers. I will also be providing carrier file samples ahead of time and on the workshop USB.

Ryan Chapman (@rj_chap)

Ryan Chapman is an Incident Response (IR) consultant with a background in host and network forensic analysis; malware analysis; threat intelligence; and all the other fun facets of the blue team realm. Prior to working in IR, Ryan worked as a technical trainer for many years. Outside of work, Ryan spends time with his family, gets tapped on the jiu jitsu mats, and plays plenty of Street Fighter. Hadouken!

Deception-NET: Build Your Own Deception

Securing cloud applications with traditional/reactive defense mechanisms such as signature-based detection (IDS/IPS), vulnerability scanning and software patching alone is not effective against an intelligent adversary. Reactive security can be bypassed by using variants of known attacks, fragmentation of network traffic, etc. Our framework "Deception-NET" utilizes an intelligent learning approach that collects network flows, host and access logs, and IDS alerts to train a model which can detect the different variants of attacks. Game-theoretic decision-making is used to deceive adversaries. Deception-NET utilizes a situation-aware game-theoretic framework. The deception redirects persistent adversaries into accessing fake web applications, cryptographic keys and dummy documents. We showcase how cybersecurity practitioners and researchers can set up such a training environment using light-weight and modular services such as Docker ELK, vulnerable Docker containers, and Docker honeypots. In effect, small-scale security providers will benefit by setting up a modular on-premise deception network instead of using third-party services.

Ankur Chowdhary, PhD Candidate, Arizona State University

Ankur Chowdhary is a PhD Candidate at ASU, and coach for ASU's National Collegiate Cyber Defense Competition (NCCDC) team. Ankur is co-founder and CEO of cybersecurity startup CyNET LLC. He also co-founded the hacking club DevilSec at ASU, aimed at teaching offensive and defensive security. He is interested in advancing cybersecurity through a multi-disciplinary approach: Artificial Intelligence, Machine Learning, and Game Theory. Ankur has co-authored one cybersecurity textbook titled "Software-Defined Networking and Security: From Theory to Practice", and 24 peer-reviewed research papers in the field of cybersecurity. In the past, Ankur has worked for Blackberry Ltd. as a Security Research Intern (2016), as an InfoSec Intern at RSG (2015), and as a Software Engineer at CSC (2011-13). He received his MS in CSE from ASU in 2015 with a specialization in Cybersecurity, and a B.Tech in IT from GGSIPU in 2011. Details of his research work and current activities can be found at his website https://www.public.asu.edu/~achaud16/.

Analysis 101 for the Incident Responder

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and malware analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

Not required, but bringing your own laptop is highly recommended!

Kristy Westphal

Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk. She currently runs an incident response team at a large organization in Tempe, AZ. Specializing in leadership and program development, her specific expertise in security includes process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.

Threat Hunting Like a Scientist

As environments become more complex and robust, how do threat hunters stay on their toes to remain quick and effective? The scientific method allows a threat hunter to develop a flow to their working process that ensures they remain on target while deepening their knowledge of the environment they're working in. This presentation will give an overview of how to adapt the scientific method to a threat hunting position on an IT Security defense team, while providing a methodology for more effective detection of malicious actors.

Kimber Duke

As a security analyst working for Stage 2 Security, Kimber's security interests range from social engineering to network defense, with the addition of SDR and IoT manipulation in between. She is a member of DC801, founded Defcon Girl Gang, and is currently developing blue-team curriculum for a community college in Tucson, Arizona.

How To Write Like It's Your Job

You know how to hack all the things, and you do it well, but if you don’t write up your findings coherently, you’re not gonna get paid. If you accidentally insult or confuse your clients, you’ll have to spend time cleaning up messes instead of increasing your skills and advancing your career.

The consultants at Bishop Fox have the Editorial Department to back them up, but most security professionals don’t have an editor on call. So how can you take control of your writing without a dedicated person checking your work? After you write it, you must become the editor.

This talk will equip you with practical skills to clean up your emails today and level up your writing for the long term. Learn how to recognize your strengths and weaknesses as a technical writer, how to start and finish reports on time, and how to fix common typos that spell check won’t catch.

It’s frustrating to redo work. Check yourself before you wreck yourself so you can go home happy.

Brianne Hughes

As a former technical editor and now technical marketing writer for Bishop Fox, Brianne Hughes works with consultants to shape their findings and share their research. She compiled the style guide available at cybersecuritystyleguide.com and hosted SpellCheck: The Hacker Spelling Bee at DEF CON 26 and 27. She is Associate Executive Secretary for the DSNA, an Odd Salon Fellow, and she is on the board of directors at Wordnik.

Worst-of Cybersecurity Reporting 2019

In this session, two tech writers share the worst tech reporting of 2019 and wildly speculate on what went wrong before these articles went to print. Aside from an excessive use of the word cyber, we’ll also talk about what journalists should do when vetting their sources and fact-checking their scoop to make sure it matches reality.

Yael Grauer and David Huerta

Yael Grauer is an investigative tech reporter covering online privacy and security, digital freedom and mass surveillance. She’s written for Ars Technica, The Intercept, WIRED, Motherboard, Slate, Wirecutter, OneZero and other publications. She’s co-organized events and spoken on panels about digital security, source protection, ethics, and more. She holds a Master of Mass Communication degree from ASU, which was an interesting way to kill time between DEF CONs.

David Huerta is a Digital Security Trainer at the Freedom of the Press Foundation, where he’s working on methods to train journalists to take advantage of privacy-enhancing technology to empower a free press. He’s co-organized hundreds of trainings across the US, including one at the Whitney Museum of American Art as part of Laura Poitras’s Astro Noise exhibition in 2016. He’s also spoken on the subject of usable privacy technology at DEF CON, Radical Networks, Rightscon and random cocktail bars.

Effective Phishing with GoPhish

Social Engineering is one of the most common attack vectors out there. Your users are frequently targeted by convincing campaigns, urging them to enter creds, open files, or otherwise perform an action that can ruin their day. One of the most effective defenses we have is user awareness training - but how do you start a phishing program with little or no budget? In this talk, we'll solve this problem with GoPhish, a popular phishing framework available for free. For blueteamers, we will discuss building and monitoring an effective internal phishing campaign. For redteamers, we'll talk about how to use GoPhish to get creds, send payloads, and pwn your targets. This talk is intended for beginners, but a solid technical background will be helpful.

Jayme Hancock

Jayme is a Senior Network Penetration Tester with BSI AppSec, with a heavy background in systems administration. His interests and experience include black box penetration testing, social engineering, physical security, open source intelligence gathering, and security control evasion. Jayme entered the security field by building out and implementing a security program in the healthcare space, including user awareness training, internal security control auditing and compliance, and vulnerability management. He has spoken at B-Sides DC, HackWest, Cascadia IT Conference, and teaches the 4-day course "Full Scope Social Engineering and Physical Security Testing" at BlackHat. He holds the GXPN, OSCP, CISSP, and other certifications. Originally from Southern California, Jayme resides in Washington, DC and enjoys astronomy, astrophotography, and good coffee. Twitter: @highmeh