Workshop: The Situation Room
by Bojan Alikavazović

Do you want to test your decision-making abilities to see how well you manage crisis situations? This room will provide a unique educational opportunity that will guide you through key moments in a cyber incident on critical infrastructure. Whether you are from a technical or management world this workshop is the place to be! We are not looking for your technical skills, but decision-making skills!

Bojan Alikavazović is a senior consultant for information security in Diverto d.o.o. He is a member of Security Operation Center (SOC), responsible for monitoring, processing and managing security incidents in different business environments. He is experienced in penetration tests, reverse engineering of the malicious code, security hardening, revision of network architecture for the security improvement, as well as in integrating various solutions for detection and blocking of cyber-attacks.

Workshop: Capture the Flag
by Filip Rapaić

Capture the Flag (CTF) is a competition where the entrants are solving different tasks from the fields of information technology and information security. The tasks are usually interesting and educative, requiring from the entrants to find certain parts of the text, called the flag. It might be hidden on a server, at a page or wherever an information could be hidden. CTF is open for all, there are no pre-requirements for entering it, so there is no reason why you shouldn’t try to participate, even in anonymous mode. It is also worth to participate knowing that the best entrant can earn some valuable prizes.

Filip Rapaić is an information security consultant in Diverto d.o.o. He is a member of the Security Operation Center (SOC), an entity responsible for monitoring, processing and handling the security incidents in various business environments. His fields of expertise are the incident responding and malicious code analysis. At Diverto he is also a specialist for Capture the Flag (CTF).

Presentation: ML Security Evasion Competition 2020
by Zoltan Balazs | .ops

Research attacking ML-based image classifiers is common, but it is less frequent to see a study on how someone can bypass ML-based malware detection. Authors of presentation are Zoltan Balazs and Hyrum Anderson. In 2019, they organized a contest where participants had to modify Windows malware in a way where the provided three ML engines do not detect it. However, the modified sample is still functionally equivalent to the original binary. As it turned out, it is not that hard to come up with a generic solution which can bypass all three engines. In this presentation, we will discuss the details of the contests from 2020 and 2019, some of the techniques used by the participants (packing, overlays, adding sections), and information on the defensive tracks.

Zoltan Balazs (@zh4ck) is the Head of Vulnerability Research Lab at CUJO AI, a company focusing on smart home security. Before joining CUJO AI he worked as a CTO for an AV Tester company, as an IT Security expert in the financial industry for five years, and as a senior IT security consultant at one of the Big Four companies for two years. His primary areas of expertise are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), the Encrypted Browser Exploit Delivery tool (#IRONSQUIRREL) and the Sandbox tester tool to test Malware Analysis Sandboxes.

He found and disclosed a vulnerability in IP cameras, and this vulnerability was exploited by the Persirai botnet, running on ˜600 000 cameras.
He has been invited to give presentations at information security conferences worldwide including DEF CON, SyScan360, SAS2018, Virusbulletin, Disobey, Deepsec, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Nopcon, Hacktivity, and Ethical Hacking.

Presentation: implementation of PAM solution in Fina
by Ivan Poljak | .ops

An analysis of how the PAM solution was implemented in Fina system, presented by one of the key people who were involved in that process. Case study of PAM implementation in an extremely complex environment with huge number of systems and different access levels.

Ivan Poljak is one of the leading Fina engineers for cyber and IT security. He was involved in setting up of different security solutions (SIEM, DAM, APT, DLP, PAM) and actively contributes to ongoing development of different services within Fina, due to his vast experience. He graduated at FER and works at Fina since 2008., as system architect, security administrator, security analyst and security team leader at diverse Fina projects. He is actively involved in CERT’s work on recognition and blocking of security threats within FINA.

Presentation: IT vs. OT: We are Much More Similar than We are Different - Comparing Process Control Room and SOC Operations
by Marina Krotofil | .tech

Critical infrastructure protection has been a high-profile topic for at least a decade. One reason for this is the growing exposure of industrial environments to security threats through the use of the Internet as well as through the use of standard hardware and software, from which they were historically isolated. Another reason is that the potential impact of attacks on critical infrastructures can no longer be ignored. In the past years, IT security experts became increasingly more involved with the protection of industrial control systems against cyber-threats and becoming responsible for establishing consolidated IT-OT SOCs. However, the harmonization of modern IT security approaches and the traditional process control culture is far from reality. The purpose of this presentation is to help IT security experts understand the specifics of OT environments as well as the associated vocabulary and mindset.
Using the example of monitoring functions of IT infrastructures and industrial processes, as well as two seemingly very different job functions such as SOC Analyst (IT) and Control Room Operator (OT), it will be shown that the operational tasks of both job functions are fundamentally very similar. During the presentation, the similarities and specifics will be discussed in the context of key areas such as vocabulary, types of anomalies/events/threats, SIEM vs. HMI applications, alarm configuration and management, anomaly detection, event logging, and SOPs. Additionally, on the example of a real security incident, it will be shown how IT and OT teams can interact and work better together.
After this presentation, IT security experts will have a much better understanding of daily OT operations and its ecosystem, understand IT-OT synergies, and identify opportunities for cross-functional learning. But more importantly, IT experts will be able to better communicate with OT colleagues and ultimately achieve the much discussed "IT-OT Convergence".

Marina Krotofil is a Cyber Security Product Owner, Industrial Technologies: Connected Vessels, Terminals and Warehouses at A.P. Moller – Maersk in UK, with a decade of experiences in advanced methods for securing Industrial Control Systems (ICS). She is also an experienced Red/Blue Teamer who contributed research on novel attack vectors and advanced exploitation techniques, incident response, forensic investigations and ICS malware analysis. Previously, Marina worked as a Cyber Security Lead at ABB (UK), Senior Security Engineer at BASF (Germany), Principal Analyst and Subject Matter Expert (SME) in the Cyber-Physical Security Group at FireEye (USA), Lead Cyber Security Researcher at Honeywell (USA) and a Senior Security Consultant at the European Network for Cyber Security (Netherlands). She authored more than 25 academic articles and book chapters on ICS Security and is a regular speaker at the leading conference stages worldwide. She is also a frequent reviewer of academic manuscripts and talk proposals including Black Hat and USENIX WOOT. Marina holds an MBA in Technology Management, MSc in Telecommunications, and MSc in Information and Communication Systems.

Three million new jobs and how to become part of it? | .lead

Can Croatia be competitive in information security knowledge and experience needed for a booming industry? More than three million new jobs in that sector are expected to be created within next few years. An interesting subject will be discussed by dean of Faculty of Organization and Informatics prof. dr. sc. Nina Begičević Ređep, vice dean of Zagreb University of Applied Sciences mr.sc. Marinko Žagar, head of Laboratory for information security and privacy at Faculty of Electrical Engineering and Computing doc. dr. sc. Stjepan Groš, as well as our experts, Marko Grbić from Avola and Alen Delić from SpotMe.

Presentation: Dissecting IoT Malware, why and how? - by Dr. Boldizsár Bencsáth | .tech

After IoT devices started to spread out throughout the internet, malware-based abuses of those devices are on the rise.

From our malware repository we copied 150,000 samples of IoT related malware for analysis. We obtained initial analysis results (how A/V software classified them) and analysed them to have similarity information. These initial steps let us have a first classification of the samples, resulting plausible classes of similar samples. We started to analyse samples both automatically and manually and found some interesting insights. For example, some malware samples built on the leaked source code contained symbol information, and that helps us a lot to identify functions in malware samples that do not have such symbol information incorporated. Also, we can investigate evolution of some functionality by looking up the code parts in the evolution of the samples.

Ultimately, scaling of code level analysis of IoT malware samples is something possible and can help us to better detection and better understanding of the situation. In addition to the previous topic, I will try to give some insight about installing emulation-based environment, a "sandbox", for which we already see malware samples to build detection and anti-analysis efforts.

I will shortly talk about building such sandbox environments and how to avoid malware to circumvent analysis in the environment.

Dr. Boldizsár Bencsáth received the M.Sc. and Ph.D. degrees in Computer Science from the Budapest University of Technology and Economics (BME) in 2000 and 2009, respectively. He also earned the M.Sc. degree in economics from the Budapest University of Economics. From 1999, he is member of the Laboratory of Cryptography and Systems Security (CrySyS) of BME. His research interests are in network security, including DoS attacks, spam, malware, botnets, and cyber-physical system security.

Among other things, Boldizsár also works in multiple start-up companies of the lab and participates in a number of consulting projects in the field of ethical hacking, security design and forensics. Boldizsár led the team in the CrySyS lab that investigated the Duqu malware and later worked on a number of other well-known APT attacks and currently works on actual questions of malware-based attacks, cyber-physical system security (including cars, factories, nuclear power plants), and other related topics.

Friend or enemy? - hunting for dual usage tools | .tech

It's difficult to read any information security news lately without learning about large corporations being extorted by cyber criminals. In today's threat landscape, organisations increasingly rely on red teams to identify risks and mitigate vulnerabilities in their infrastructure, so much so that an entire industry exists around tools to help facilitate this effectively and efficiently as possible.

Dual-use tools are developed to assist administrators in managing their systems or assist during security testing or red-teaming activities. Unfortunately, many of these same tools are often co-opted by threat actors attempting to compromise systems, attack networks, or otherwise adversely affect companies. This talk discusses the topic of dual-use tools and how they have historically been used in various attacks. We dig deeper in dual-use tools detection to try to find out who could hide behind them - a friendly red team member or a real attacker?

Vanja Švajcer works as a Technical Leader for Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked as a Principal researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise.

Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR and many others.

Daniel Gruss from Graz University of Technology confirmed as one of DEEP presenters | .tech

Our great roaster of DEEP presenters has a very interesting recent addition. Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology and will be one of the presenters at DEEP .tech track. Specialized in hottest, up-to-date security issues, he will announce the theme only shortly before the conference, deciding on what is the most actual and important by then. We’re looking forward to that!

He finished his PhD with distinction in less than three years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and security on the hardware-software boundary. His research team was involved in several vulnerability disclosures, including Meltdown and Spectre. He has co-authored more than 20 top-tier academic publications in the past five years and received several prizes for his research.

Presentation: ATT&CK or !ATT&CK that is the question
by Robert Petrunić| .ops

This presentation is addressing some of really important questions in our business.

What is it about and is it significant for you? Let’s check:

Do you use MITRE ATT&CK framework?

If you are a red teamer, blue teamer or incident handler - you should. To make it simpler, if you are an X teamer - you should definitely use it. If you are an adversary - you probably already are using it.

So, what's the point behind it?

Released to the public in 2015, MITRE ATT&CK framework gives the context to the attack. Instead of trying to identify tools and malware used in adversary campaigns, the focus is on techniques (how) and tactics (why). If you want to learn about MITRE ATT&CK framework and how to use it in your incident handling or X teaming - this is the right lecture for you. Or, if you just want to see the process a decent hacker would go through (DEMO: from initial foothold to persistence), you should join us too.

Of course, Robert will do the talk on the basis of vast personal experience. He works as a senior information security consultant in Eduron IS, the company dedicated to IT security education, penetration testing and computer forensics. He is also a lecturer in most successful Croatian private college Algebra - university college for applied computer engineering, where he has designed several courses related to computer security and forensics.

Robert is Microsoft certified trainer since 2002, EC-Council certified trainer since 2008 and ISC2 certified trainer since 2014. He works mainly in security field starting 2004, and Microsoft acknowledged this at 2008, assigning him Microsoft most valuable professional recognition for nine years in a row. For the last sixteen years Robert is working on programs related to ethical hacking and IT security awareness for systems administrators, developers and IT security consultant. He is also often a lecturer at regional IT conferences.