While our CFP is still running, we’ve started sending out a few acceptance mails and have already received some feedback. Here is a short sneak preview!
Stefan Hager: The attacker’s view
One of the first phases of a targeted attack is always reconnaissance. The crafty attacker tries various methods to gather as much information as they can about their target before striking. This phase is often overlooked by defenders, because seemingly nothing can be done against it, and it is also hard to detect. Yet analysing what is left in the open and getting a proper understanding of how a company looks to an attacker gives valuable information to the defenders. Even if the gathered information concerns things that cannot be fixed, it still tells the defenders what to look out for.
Defenders are at a disadvantage, which can be somewhat softened by putting themselves in the shoes of an adversary and discovering the same information an attacker would use. The gathered information can be used to tweak logging alerts, set up honeytokens, or even to remove critical information from the public to reduce possible attack vectors or to get alerted quickly when something is up.
Get a jump start on how to research the digital presence of your company, from the network level to social media, without any inside information (and no big budget).
Sergej ‘winnie’ Schmidt: Automated and Architecture-Agnostic Extraction of Message Formats
AAAXMF (Automated and Architecture-Agnostic eXtraction of Message Formats) is a network message analyzer based on the PANDA Analysis Framework. Through dynamic binary analysis it monitors incoming network messages. The corresponding message buffers are tainted in order to track all instructions which access the packets. By further analysing the memory access patterns of those instructions, AAAXMF makes it possible to infer fields and field boundaries such as delimiters, length fields and static fields. The latter is based on the inference methods introduced in “Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis” by Caballero et al. The novelty of this work is that it implements the analysis on the LLVM intermediate representation rather than on platform-specific assembly. This makes the inference of message formats independent of the analysed program’s platform.
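To make the taint-driven inference described above concrete, here is a small added Python illustration; it is not code from AAAXMF, PANDA or the Polyglot paper. A toy parser stands in for the binary under analysis, every read of the tainted message buffer is logged with a made-up "site" label in place of an instruction address, and the inference step then recovers a static keyword, a length field with the bytes it directs, and delimiter positions purely from the access pattern. The message format, the `SAMPLE` bytes and all function names are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample message in a hypothetical line protocol:
# 'MSG' keyword, 1-byte name length, name bytes, ','-separated options, '\n' terminator.
SAMPLE = b"MSG\x05alicetls,gzip\n"


@dataclass
class Access:
    site: str                    # stand-in for the address of the instruction that touched taint
    kind: str                    # 'cmp_const', 'load' or 'direction'
    offset: int                  # tainted byte offset involved
    const: Optional[int] = None  # constant compared against, or bytes skipped for 'direction'
    matched: Optional[bool] = None


class TaintedMessage:
    """Received message whose every read is logged, like a taint-tracking trace."""

    def __init__(self, data: bytes):
        self.data = data
        self.trace: list = []

    def load(self, site: str, off: int) -> int:
        self.trace.append(Access(site, "load", off))
        return self.data[off]

    def cmp_const(self, site: str, off: int, const: int) -> bool:
        matched = self.data[off] == const
        self.trace.append(Access(site, "cmp_const", off, const, matched))
        return matched

    def direction(self, site: str, off: int, span: int) -> None:
        # A tainted value is used to advance the parse cursor by 'span' bytes.
        self.trace.append(Access(site, "direction", off, span))


def parse_message(msg: TaintedMessage):
    """Toy server-side parser, playing the role of the binary under analysis."""
    pos = 0
    for i, ch in enumerate(b"MSG"):
        if not msg.cmp_const("pc_keyword", pos + i, ch):
            raise ValueError("bad keyword")
    pos += 3
    name_len = msg.load("pc_len", pos)
    msg.direction("pc_len", pos, name_len)
    pos += 1
    name = bytes(msg.load("pc_name", pos + i) for i in range(name_len))
    pos += name_len
    options, cur = [], bytearray()
    while not msg.cmp_const("pc_eol", pos, ord("\n")):
        if msg.cmp_const("pc_comma", pos, ord(",")):
            options.append(bytes(cur))
            cur = bytearray()
        else:
            cur.append(msg.load("pc_opt", pos))
        pos += 1
    options.append(bytes(cur))
    return name, options


def infer_fields(trace):
    """Recover field boundaries from the access trace alone, without format knowledge."""
    fields = []
    by_site = defaultdict(list)
    for a in trace:
        if a.kind == "cmp_const":
            by_site[a.site].append(a)
    for cmps in by_site.values():
        offs = [a.offset for a in cmps]
        contiguous = offs == list(range(offs[0], offs[0] + len(offs)))
        if all(a.matched for a in cmps) and contiguous:
            # One site checking a run of bytes, every check succeeding: a static keyword.
            fields.append((offs[0], offs[-1] + 1, "static"))
        elif len({a.const for a in cmps}) == 1 and len(offs) > 1:
            # The same constant tested at many positions: a delimiter; the hits are boundaries.
            for a in cmps:
                if a.matched:
                    fields.append((a.offset, a.offset + 1, "delimiter %r" % chr(a.const)))
    for a in trace:
        if a.kind == "direction":
            # A tainted byte steering the cursor is a length field; the bytes it skips are its payload.
            fields.append((a.offset, a.offset + 1, "length"))
            fields.append((a.offset + 1, a.offset + 1 + a.const, "variable"))
    return sorted(fields)


def analyze(data: bytes):
    """Run the toy parser on 'data' and return (parsed result, inferred fields)."""
    msg = TaintedMessage(data)
    parsed = parse_message(msg)
    return parsed, infer_fields(msg.trace)


if __name__ == "__main__":
    (name, options), fields = analyze(SAMPLE)
    print(name, options)
    for start, end, kind in fields:
        print(f"[{start:2d},{end:2d}) {kind:16s} {SAMPLE[start:end]!r}")
```

The inference never looks at the message bytes themselves; it only uses which site touched which offset, whether a comparison succeeded, and whether a tainted value moved the cursor. That is the property that lets a tool like AAAXMF work on LLVM IR independent of the target architecture: the access pattern, not the instruction encoding, carries the format information.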