CRESTCon Australia 2021 Schedule
08:30 – 09:15 Registration, coffee and pastries
09:15 – 09:45 Welcome: Nigel Phair, CREST Australia & Ian Glover, President, CREST International
09:45 – 10:15 KEYNOTE – The CORIE Framework: Tim Dillon, Director of Professional Services APAC, NCC Group APAC
10:20 – 10:50 Cyber-alchemy, turning lead into gold – how threat intelligence and architectural design transform into cyber-security strategy: Dr Dave Ormrod, Global Head of Cyber and General Manager, Terra Schwartz
This presentation will provide a methodology and explanation that links cyber-security technical assessments to strategy. Contemporary approaches to organisational risk and strategy as they pertain to cyber-security generally remain dislocated and poorly aligned to technical artefacts and processes, such as penetration tests, architectural design and threat intelligence products. Dave will explain how this gap can be addressed and present a practical, real-world approach, which has been successfully implemented to address the challenges of linking the operational technical level to strategic design and objectives.
Dr Dave Ormrod is Terra Schwartz’s Head of Cyber, with 24 years of international experience. Dave has experience in the Defence, Government, Telecommunication and Academic sectors. Dave adopts a risk-based, intelligence-led and mission-focused approach, as a trusted partner for strategic cyber-security advice against various threats and across different ecosystems. Dave has a PhD in Computer Science, in addition to various post-graduate qualifications and certifications, including a Masters of Information Management, inclusion in the Australian Information Security Registered Assessors Program (IRAP), Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). Dave enjoys collecting Scotch Whisky and books between adventures.
10:55 – 11:25 Breaking out of restricted Unix shells: Michal Knapkiewicz, Manager, Advanced Security Centre, EY
Hardware vendors often limit the capabilities available to an interactive user through the use of restricted Unix shells. These are designed to prohibit the use of some of the most common command line utilities and aim to allow users to run only a very limited, specific set of commands.
As penetration testers we always aim to obtain unrestricted, fully privileged access to the underlying system and, as such, we need to know how to bypass, or “break out” of, restricted shell environments.
This talk will cover basic methodology and common techniques of breaking out of restricted Unix shells, such as rbash or rksh, which are commonly found in routers, network appliances, IoT devices and other commercial off-the-shelf hardware.
The presentation will briefly discuss what restricted Unix shells are, their different types, and how and why they are used. Finally, it will uncover and demo some of the presenter’s favourite (and quite often most reliable) ways of breaking out, discovered through real-world engagements and techniques identified in CTF challenges.
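As an added illustration of the restrictions described above (this is not code from the talk), the script below uses GNU bash’s restricted mode (`bash -r`, the same mode rbash runs in) to show what such a shell refuses and two of the classic breakouts: a child interpreter reachable by bare name, and an allowed utility with a shell escape. It assumes `bash` and `awk` are on PATH; that assumption, and the choice of awk as the “allowed” utility, are the example’s own, not the presenter’s.

```shell
#!/bin/sh
# Added example, not part of the talk: uses GNU bash's restricted mode (`bash -r`,
# the mode rbash runs in) to show what a restricted shell blocks, and two classic
# breakouts. Assumes `bash` and `awk` are on PATH (an assumption of this example).

# Run one command line inside a fresh restricted bash and report whether it was refused.
rbash_try() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Things rbash forbids: changing directory, changing PATH, slashes in command
# names (so no absolute paths), and output redirection.
restricted_cd()       { rbash_try 'cd /'; }
restricted_path()     { rbash_try 'PATH=/tmp'; }
restricted_slash()    { rbash_try '/bin/ls'; }
restricted_redirect() { rbash_try 'echo x > /dev/null'; }
# A plain builtin still works, which is what makes the shell usable at all.
restricted_builtin()  { rbash_try 'pwd'; }

# Breakout 1: the restrictions are not inherited by child processes, so any
# interpreter reachable by bare name (here bash itself) gives an unrestricted shell.
breakout_child_shell() {
    bash -r -c 'bash -c "cd / && pwd"' 2>/dev/null
}

# Breakout 2: an allowed utility with a shell escape. awk's system() runs /bin/sh,
# and rbash cannot control what happens inside that child.
breakout_awk() {
    bash -r -c 'awk "BEGIN { system(\"cd / && pwd\") }"' 2>/dev/null
}

echo "cd /           : $(restricted_cd)"
echo "PATH=/tmp      : $(restricted_path)"
echo "/bin/ls        : $(restricted_slash)"
echo "echo > file    : $(restricted_redirect)"
echo "pwd            : $(restricted_builtin)"
echo "child bash pwd : $(breakout_child_shell)"
echo "awk system pwd : $(breakout_awk)"
```

On a real appliance the restricted PATH is usually a single directory of vendor tools rather than the full system PATH, so the hunt is for any permitted binary that can execute another program or open a file (editors, pagers, interpreters, awk/find-style utilities); the same rule that lets `bash` and `awk` escape here is what makes such binaries dangerous.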
11:25 – 11:55 Coffee & networking
11:55 – 12:25 Adversary simulation in modern environments: Nadeem Salim, Principal Security Consultant, NCC Group
We are seeing a shift in companies moving to a BeyondCorp model, with macOS and Chromebook endpoints using cloud services to run their operations. Adversary simulations have traditionally focused on Windows Active Directory privilege escalation and exploitation to act on objectives. This talk will discuss how attacks on modern environments map to the older attack paradigm and how attackers are adapting to this shift. The talk will also provide practical guidance on improving detection capabilities and responding to intrusions.
Nadeem Salim is a Principal Security Consultant leading NCC Group’s technical practice in Melbourne. He has extensive experience in managing and leading complex security assessments. Nadeem specialises in adversary simulations, web and mobile application security, infrastructure, cloud, container and security architecture. He also holds the CREST CCT Inf, OSCE and OSCP certifications.
12:30 – 13:00 The benefits of Infrastructure as Code for adversary simulation: Benjamin McMillan, Senior Consultant, Privasec
APRA has “fast-tracked due to urgency of threat” the CPS 234 standard, which requires Australian financial institutions to systematically test their resilience against cyber threats. Red Teaming by way of a “no holds barred” pen test is not going to be an effective way to demonstrate a security capability commensurate with real-world threats.
Red Team infrastructure needs to be purpose-built, which can take significant time if it’s to be tailored to the characteristics of an APT, in addition to being modular, disposable, time & cost efficient, and resistant to human error.
This presentation will attempt to clarify modern Red Team requirements and detail some benefits of Infrastructure as Code solutions for adversary simulation, including a crash course in Terraform.
Benjamin is a Senior Consultant in the Privasec RED team. He is an offensive security generalist with capabilities across internal and external infrastructure, “assumed breach” scenarios, web application, Wi-Fi, and mobile testing. He has a passion for adversary simulation and post-exploitation of Windows domain networks. He holds the CREST CRT, OSCP, and CISSP certifications.
13:00 – 14:00 Lunch
14:00 – 14:30 How to conduct an effective red and blue team exercise: Chathura Abeydeera, Associate Director, KPMG
An effective red and blue team exercise will test the organisation’s defenses, attack detection and its incident response capabilities. On occasion this goal-based attack stratagem may be intelligence-led, or a hybrid approach with intelligence fused with different adversarial modelling. In Australia, I have delivered a number of red teams with a focused goal of simulating an APT across multiple industries such as critical infrastructure, governments, etc. This presentation will focus on providing insights based on a few real (anonymised) recent (2019 and 2020) case studies on how a red team works in a complex client environment and how the blue team could respond to these threats. I’ll be covering how COVID impacted our red teams’ engagements and how we evolved our Tools, Tactics and Procedures (TTPs) from the pre-COVID to the post-COVID world. Most importantly, I’ll also be discussing how red teamers could create a diversion and lead the blue team / SOC / managed SOC way down a rabbit hole. If you are a red teamer you could take a few tips to make your red voodoo better next time; if you are a blue teamer, you could pick up some tips to make those red ninjas’ lives harder.
Chathura Abeydeera is a CREST Certified Infrastructure Tester, a red teamer based in Melbourne, Australia. He is an Associate Director within Cyber Defense services in KPMG Australia; with more than 15 years of hands-on industry experience in cyber security. He has worked with clients across the State & Federal Government, Power & Energy, Mining, Telco and FSI sectors, specializing in red teaming and objective based penetration testing.
14:35 – 15:05 Network Evasion – Hiding in plain sight: James Anderson, Consultant, FireEye
Domain fronting gave red teams the best tool they had to conduct operations and maintain stealth. But with cloud providers removing this type of access and TLS fingerprinting becoming more prevalent, the landscape has changed. Coupled with modern IDS/IPS that apply network pattern analysis to metadata and machine learning, without needing to decrypt traffic, this is starting to have an impact.
We introduce novel techniques beyond domain fronting to hide traffic in plain sight and evade network detection from a red-team perspective. The focus is on methods to hide and redirect traffic, packet encapsulation, methods to slow down defensive teams if caught, and how these techniques can be integrated into existing frameworks.
James Anderson is a Mandiant Red Team consultant within FireEye. His background as a Security Engineer, Reverse Engineer and Network specialist within the Australian Cyber Security Centre has given him a diverse viewpoint of offensive and defensive techniques and of methods to both attack and detect compromises. In his spare time he enjoys pulling apart software to research potential exploits and new offensive techniques for red teaming.
15:10 – 15:40 Monitoring the monitors: a path to keeping the SOC in check, Edward Farrell, Director, Mercury ISS
Outsourcing security monitoring has become popular and it makes sense: the cost of building an internal team is excessive and scouting the right talent can prove difficult. That said, outsourcing is also problematic when there is high demand, low supply and inadequate validation that the SOC, MSSP or outsourced security service is doing what it promised. Since June 2019, my team and I have seen a greater occurrence of inadequate security capabilities or misunderstanding of roles and responsibilities that introduce more risk than they seek to address. This talk will provide a walkthrough of outsourced security providers, the important role they play, the inadequacies we’ve encountered as part of our validation service and paths to addressing the shortfalls.
Edward Farrell is a security consultant with over five years’ experience in information security and ten years’ experience in the IT industry. As the director of Mercury ISS, he has conducted or overseen the delivery of 500 security assessment activities and incident responses in the past 6 years. His professional highlights include lecturing at the Australian Defence Force Academy, being rated in the top 200 bug bounty hunters in 2015 and running an awesome team of security professionals.
15:40 – 16:00 Closing remarks followed by networking drinks sponsored by Triskele
For information on our COVIDSafe plan please go to: https://www.crestcon.org/au/covidsafe/