Intelligence-led Penetration Testing Webinars
Date and time
Location
Online event
A day of panel sessions and webinars focused on Intelligence-led Penetration Testing
About this event
The Agenda is below and please go to the online event page to get the log in details for the individual sessions you want to attend.
08:00 – 08:30
Presenters: Alistair Greaves & Andy Gill – Pen Test Partners
Nijushio - A Year Targeting Nippon
Synopsis: Andy and Alistair have spent the good part of a year on Intelligence led Red Team engagements against some of the biggest organisations in Japan. They will cover some of their major successes and failures covering topics such as:
- Intelligence led phishing and utilising smishing as entry vectors;
- The importance of Pen Testing proficiency in particular build reviews when conducting Red Teams in foreign languages; - The difficulties of Red Teaming in foreign languages and how to overcome those challenges; and
- What happens when the Red Team goes Blue. Red Team led Threat Hunting.
09:00 - 09:45 Panellists: Neil Fowler-Wright, - Hitachi Rail Europe; Tracey Jones – Bank of England; Pete Cooper – Cabinet Office; - NCSC; Simon Clow – STAR Penetration Testing Focus Group Chair Rob Dartnall – CREST Threat Intelligence Professionals Group Vice Chair
The importance of Intelligence-Led Penetration Testing frameworksSynopsis: A panel of experts including government and regulators will discuss the importance of intelligence-led penetration testing frameworks for the assurance of critical functions that maybe subject to sophisticated and persistent attacks.
There will be an opportunity to put your questions to the panel. Please send any questions you may have in advance to marketing@crest-approved.org. Alternatively there will an opportunity to ask questions during the session using the question panel.
10:00 -10:30
Presenter: Ian Glover – CREST President
An update on CREST & Intelligence-Led Penetration Testing Globally
Ian Glover will give an update on current CREST projects and what is happening on the global stage.
10:30 – 11:00 BREAK
11:00 – 11:45
Presenter: Paul Laine – Context Information Security
DynamicWrapperEx – Registration-Free In-Process COM Automation Server
Synopsis: Anyone that has ever been working with Windows systems must have heard of Component Object Model (COM), and most of the time in bad terms. Additionally, despite being a revolutionary specification when it appeared in 1995, there is still a large veil of mystery around it.
In 1998, Jeff Strong released a blog post named “An Automation Object for Dynamic DLL Calls” to showcase an OLE Automation server written in C++. This component would allow dynamic invocation of methods within dynamic-link libraries (DLL) from Windows Script Host, such as JSCript and VBScript. Later in 2008, Yuri Popov (Юрий Попов) released a tool named DynamicWrapperX inspired by Jeff’s work. Yuri wrote the tool in GoAsm assembly but never provided the source code.
Over the years multiple threat actors, malware and subsequently persons working on simulated attack operations used DynamicWrapperX for first stage malware delivery. To name a few:
• zerosum0x0’s Koadic C3 COM Command & Control - JScript RAT
• RAA JCcript ransomware and stealer
• HWorm/Houdine VBS Loader
Nowadays, many signatures and rules for DynamicWrapperX exists. The objective of this presentation is to explain how to develop your own registration-free In-Process COM Automation server. This will be archived by going through the following topics:
• A brief history of COM
• COM Interface & Component
• COM Automation & Dynamic Methods
• x64 and __stdcall Calling Conventions
• Component Activation via ActCtx
• Shellcode Execution Example
Limitation, Caveats and Operational Security Consideration
12:00 – 13:00 Lunch
13:00 – 13:45
Presenter: Oliver Fairbank – Orpheus-Cyber & CREST Threat Intelligence Professionals
Towards Active Reconnaissance
Synopsis: Oliver Fairbank from Orpheus will present the current CTIPS paper regarding the restrictions on Active Reconnaissance as part on intelligence-led security testing frameworks. The presentation and subsequent discussion will build upon the Three-Tier Acquisition Model work led by Andy Flood of Nettitude.
14:00 – 14:45
Presenter: Aaron Dobie - KPMG
Red Teaming Techniques
Synopsis: Aaron from KPMG will present on a variety of red team techniques he has been working on over the past 6 months. This has included investigating and producing a DLL hijacking teams implant, migration of macro guardrails from the endpoint to block reverse engineering, and some basic hardware hacking.
15:00 – 15:30
Presenter: Samantha Alexander & Nigel Harrison – CREST
An Update on the CREST Cyber Security Global Ecosystem Project
Samantha Alexander will provide an update on the project CREST is doing in 8 countries in Africa and Asia (Bangladesh, Ethiopia, Indonesia, Kenya, Nigeria, Pakistan, Tanzania, Uganda)
15:30 – 16:00 Break
16:00 – 16:45 APT using COVID content for targeted attacks
Presenter: Jason Smart – PwC & CREST Threat Intelligence Professionals
Throughout 2020 the world has been bombarded with COVID-19 information - from government notifications, public health warnings, to everyday organisations telling us their COVID SAFE plans. In all of this information overload, threat actors with a range of motivations have taken the opportunity to use COVID and information to conduct campaigns. This presentation will touch on a few threat actors that PwC’s Threat Intelligence team have observed using COVID-19 in lures and infrastructure.