CRESTCon Australia 2020 Schedule
08:30 – 09:15 Registration, coffee and pastries
09:15 – 09:35 Welcome: Nigel Phair, CREST Australia Chapter
09:40 – 10:25 An update on CREST in Australia and globally: Ian Glover, President CREST International
10:30 – 11:00 Red Team OpSec Considerations and Implant Design for Speed and Stealth: Sajal Thomas, Senior Consultant, Mandiant Services
The talk aims to cover the operational decisions that red teamers are required to make during each phase of the attack lifecycle based on the risk vs reward trade-off. From the trenches, red teamers have to make routine decisions such as picking the right initial access vectors, choosing the most attractive phishing lure themes, drawing payload design considerations, performing post exploitation with stealth, making lateral movement blend in as normal traffic and completing the mission by exfiltrating data without ringing alarm bells.
Red teamers today are required to be fully aware of the trail they leave behind as forensic artefacts. The talk highlights the important detection opportunities for each adversary decision. The talk also covers implant design considerations that allow red teamers to operate with speed and stealth.
Sajal Thomas is a senior consultant at Mandiant. He works in the Mandiant Red Team in the Asia Pacific region. Sajal has simulated adversaries and helped secure customers around the globe. In his free time, Sajal enjoys brewing coffee, watching football and reading about nation-state cyber espionage tradecraft.
11:00 – 11:30 Coffee & networking
11:30 – 12:15 Monitoring the monitors – A path to keeping the SOC in check: Edward Farrell, Director, Mercury ISS
Outsourcing security monitoring has become popular and it makes sense; the cost of building an internal team is excessive and scouting the right talent can prove difficult. Having stated this, outsourcing is also problematic when there is high demand, low supply and inadequate validation that the SOC, MSSP or outsourced security service is doing what it promised.
Since June 2019, Edward and his team have seen a greater occurrence of inadequate security capabilities or misunderstanding of roles and responsibilities that introduce more risk than they seek to address. This talk will provide a walkthrough of outsourced security providers, the important role they play, inadequacies they have encountered as part of their validation service and paths to addressing the shortfalls.
Edward Farrell is a security consultant with over five years’ experience in information security and ten years’ experience in the IT industry. As the director of Mercury ISS, he has conducted or overseen the delivery of 300 security assessment activities and incident responses in the past 5 years. His professional highlights include lecturing at the Australian Defence Force Academy, being rated in the top 200 bug bounty hunters in 2015 and running an awesome team of security professionals.
12:20 – 12:50 Network evasion: James Anderson, Consultant – Red Team, FireEye
Domain fronting gave red teams the best tool they needed to conduct operations and maintain stealth. But with cloud providers removing this type of access and SSL fingerprinting becoming more prevalent, the landscape has changed. This, coupled with modern IPS/IDS utilizing network pattern analyses through metadata and machine learning without the need for decryption, is starting to have an impact.
This presentation highlights alternative methods beyond Domain Fronting to hide traffic in plain sight and evade network detection from a red-team perspective. The focus is on methods to obscure and redirect traffic, packet encapsulation, and techniques to slow down defensive teams if caught, and on how these techniques can be integrated into existing frameworks.
James Anderson is a Mandiant red team consultant within FireEye. His background as a Reverse Engineer, Security Engineer and Network specialist within the Australian Cyber Security Centre has provided a diverse viewpoint of offensive and defensive techniques and methods to both attack and detect compromises. In his pastime he enjoys pulling apart software to research for potential exploits and new offensive techniques for red teaming.
12:50 – 14:00 Lunch
14:00 – 14:45 Insights into an effective red and blue team exercise: Chathura Abeydeera, Associate Director, KPMG Australia
An effective red and blue team exercise will test the organisation’s defenses, attack detection and its incident response capabilities. On occasion this goal-based attack stratagem may be intelligence led, or a hybrid approach with intelligence fused with different adversarial modelling.
This presentation will focus on providing insights based on a few recent case studies on how a red team works in a complex client environment and how the blue team could respond to these threats; most importantly, I’ll also be discussing how red teamers could create a diversion and lead the blue team / SOC / Managed SOC way down a rabbit hole. If you are a red teamer you could take a few tips to make your red-voodoo better next time; if you are a blue teamer, you could pick up some tips to make those red ninjas’ life harder.
Chathura Abeydeera is a CREST Certified Infrastructure Tester, a red teamer based in Melbourne, Australia. He is an Associate Director within Cyber Defense services in KPMG Australia; with more than 15 years of hands-on industry experience in cyber security. He has worked with clients across the State & Federal Government, Power & Energy, Mining, Telco and FSI sectors, specializing in objective based penetration testing, red teaming and cyber security training.
14:50 – 15:20 Living off the Land: Jack Rutherford, Senior Cyber Security Consultant and Penetration Testing Team Lead, and Manish Kumar, Senior Penetration Tester, Triskele Labs
As the Windows operating system has evolved over the past few decades, it has become increasingly secure. The same can be said for Windows domains. In addition, cyber security has been thrust into the spotlight with the growing frequency of data breaches and the real-world consequences of these affecting more and more individuals and businesses. As a result of this trend, in general, organisations are more aware of the threats posed to an internal Windows domain and protections are often implemented to mitigate the associated risks. This has resulted in security products often being deployed on Windows domains, such as AntiVirus (AV), Intrusion Detection and Prevention Systems (IDS/IPS), and endpoint and network monitoring solutions.
These products and the increasing security protections implemented by Windows operating systems and domains pose a challenge to penetration testers and red teams alike, as traditional Tools, Techniques and Procedures (TTPs) are more difficult to use while avoiding detection. As such, security experts have discovered and detailed methods for utilising in-built Windows tools and binaries to perform the operations usually performed by tools that might now be flagged as malicious. This method of using inbuilt tools for compromising an internal domain is known as Living off the Land (LOTL). This is not a new technique – attackers have been utilising these tools for many years; however, the importance of using inbuilt tools to avoid being detected has increased. This has given rise to an increase in the use of these techniques.
This presentation will discuss numerous LOTL techniques, from simple examples to more advanced, real world examples and techniques. The intention is also to provide the audience with resources they can take away and utilise in their own endeavours to hack and penetrate Windows networks.
Balancing his duties at Triskele Labs as both the Senior Cyber Security Consultant and the Penetration Testing Team Lead, Jack boasts a wealth of experience in the cybersecurity industry in Australia, coming from a background in both the public and private sectors. Before committing his skill and expertise to Triskele Labs in February 2018, Jack worked at the Australian Taxation Office in the Vulnerability Management and Research Team. Prior to that, he was a Cyber Security Engineer for the Department of Defence. His certifications span CREST, SANS and Offensive Security and he is particularly experienced in infrastructure penetration testing. Manish is a Senior Penetration Tester at Triskele Labs and boasts around 7 years of international, information security consulting experience with several major companies. Before he started working at Triskele Labs in September 2019, Manish was a Senior Specialist in risk advisory at Deloitte, a Summer Intern and then a Security Consultant for the Advanced Security Centre at EY, and an Information Security Consultant and an Associate Consultant, before that, at Protiviti Middle East Member Firm in Kuwait. Manish holds several certifications spanning CREST, Offensive Security, Cisco and EC-Council, as well as holding his ISC2.
15:20 – 16:00 Coffee & networking
16:00 – 16:45 Panel Session – TBC
16:45 – 17:15 Closing remarks: Ian Glover, president of CREST & Nigel Phair, CREST Australia Chapter
17:30 – 20:00 Networking drinks – Sponsored by https://triskelelabs.com/