8:30AM | Doors open and coffee
9:00AM – 9:05AM | Opening Remarks
9:05AM – 11:00AM | Workshop “Intro to Windows Forensics for Insider Threat”
9:05AM – 9:30AM | Reconsidering Cybercriminal Expertise Through Their Behavior With Command-Line Interface vs Graphical User Interface
Andréanne Bergeron
9:30AM – 9:55AM | Beyond Interactions: Hacking Chatbots Like A Pro
Naveen Konrajankuppam Mahavishnu & Mohankumar Vengatachalam
9:55AM – 10:20AM | Deciphering Threat Modeling: Balancing Tools and Manual Approaches For Effective Security
Niharika Gehani
10:20AM – 10:45AM | Dump Me If You Can – Hardware Hacking
Adrien Lasalle
10:45AM – 11:00AM | COFFEE BREAK
11:00AM – 11:25AM | Persona Theory: Infiltration & Deception of Emerging Threat Groups
Tammy Harper
11:25AM – 11:50AM | Hide And Seek: Chasing Cybercriminals Around The World
Constance Prevot
11:50AM – 12:15PM | MacOS Red Team On Corporate Scenarios
L0gan
12:15PM – 1:15PM | LUNCH PROVIDED ON SITE
1:15PM – 4:15PM | Workshop “Recon Like an Adversary: Uncovering Modern Techniques in Attack Surface Management”
1:15PM – 1:40PM | The Behaviour Change Wheel in Cybersecurity
Mélina Girard
1:40PM – 2:05PM | Maslow’s Pyramid To Craft An Efficient Cybersecurity Spending Strategy
Anne-Marie Faber & Julien Turcot
2:05PM – 2:30PM | Applying Edward Tufte’s Design Principles in Cybersecurity and OSINT Reporting
Zuzanna Chociej
2:30PM – 2:55PM | Experience Report: Running A Cybersecurity Camp For 13-15-year-olds In Maine
Gary Cantrell, Scott Valcourt & Lindsay Jamieson
2:55PM – 3:10PM | COFFEE BREAK
3:10PM – 3:35PM | Overview of China-Linked Digital Threats
Mathieu Tartare & Matthieu Faou
3:35PM – 4:00PM | Versus Killnet
Alex Holden
4:00PM – 4:25PM | Cybersecurity and Cheating in Video Games: An Unsuspected Danger
Jonathan Nomed
4:25PM – 4:50PM | Protect Your CI/CD Pipelines in GitHub Actions with Bullfrog
François Allard & Mathieu Larose
4:50PM – 4:55PM | Closing Remarks
4:55PM – 8:00PM | Cocktail
The human factor is often identified as one of the most vulnerable links in cybersecurity. Research on the long-term effectiveness of cybersecurity training for users yields mixed results. Some studies indicate that security education, training and awareness (SETA) programs can initially reduce susceptibility to phishing and lower click rates. However, the impact of these programs often fades after a month, raising questions about their long-term effectiveness and about the need for alternative methods to induce lasting secure behaviour in users. An innovative approach to understanding and influencing these cybersecurity behaviours is the application of the Behaviour Change Wheel (BCW). This presentation explores how this conceptual tool, commonly used in public health and the behavioural sciences, could be used to improve digital security. The BCW consists of three main layers, offering a holistic and structured approach to changing a behaviour: the source of the behaviour, the interventions and the policies. By analysing the source of the behaviour (COM-B), we understand the capabilities, opportunities and motivations required for change. Interventions are then designed specifically to target these determinants, and appropriate policies are put in place to support and sustain the behaviour changes. This integrated approach ensures that interventions are not only well targeted but also supported by solid structures and policies.
By applying the BCW to cybersecurity, we can maximize the chances that behaviour changes succeed, strengthening organizations’ resilience against digital threats and fostering a proactive security culture.
Mélina Girard is a doctoral student in criminology at the Université de Montréal. She is a recipient of the prestigious Fonds de recherche du Québec – Société et culture (FRQSC) scholarship and won the 2023 Cyber-Talent Trophy in the academic category. She is particularly interested in open-source research and in the social aspects of cybersecurity, observing the individual and group factors that can influence or explain certain behaviours. Mélina also takes pentesting courses in her spare time to strengthen her technical skills in cybersecurity. The content of this presentation is inspired by the policy brief Mélina prepared for the Chaire de recherche en prévention de la cybercriminalité (CRPC), which will be published shortly on their website.
The infamous Russian hacktivist group, Killnet, operated as a clandestine cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace – Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet’s leadership and actions. This created instability within the group and beyond, ultimately leading to the loss of the Russian government’s support and the breaking of financial ties. Delving deeper, we will explore the true identity of Killnet’s leader, KillMilk, and explore his dark and criminal past. This will allow you to see some of Killnet’s actions in a different light and interpret the public events and actions associated with Killnet. Our successful efforts to undermine Killnet’s leadership have led to a spectacular downfall and disintegration of the entire collective. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism. Our small push against Killnet set forth a chain of events changing the trajectory of the group and leaving it far removed from its former destructive pursuits. Join me as I unravel the complex narrative of Killnet, offering insights into the evolution of cyber warfare and the enduring struggle to combat malicious actors in the world of cyber warfare and disruptive hacktivism.
Alex Holden is the founder and Chief Information Security Officer (CISO) of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence becoming one of the most recognizable names in its field. Mr. Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks. Mr. Holden has been credited in uncovering high-profile breaches such as Adobe Systems, Target, J.P. Morgan Chase, parts of the Equifax breach, and many others. Mr. Holden has spearheaded efforts to infiltrate, monitor, and disrupt various ransomware gangs, including Trickbot and Conti. As an expert in his field, Alex Holden is continuously sharing his original research at numerous cybersecurity conferences and has provided expert commentary in prominent media outlets including CNN, The New York Times, Forbes Magazine, and The Wall Street Journal. His insights into current cybersecurity events and the evolving threat landscape are regularly featured in lectures available on Hold Security’s channel on the BrightTalk platform.
Approaching its tenth year of funding by the United States National Security Agency, the GenCyber Camp program seeks to create the next generation of cybersecurity stars through an investment in summer camp programs for students and teachers across the US. In the summer of 2024, the speakers developed and presented two one-week residential camps for 13–15-year-old children focused on cybersecurity concepts. These camps were funded through the GenCyber program, and were held in Portland, Maine, USA, for children from any area in Maine with no restriction on knowledge and experience levels before camp. This camp was the first of its kind ever held in Maine. One week of the camp was open to all; the other was specifically focused on underrepresented groups in Computer Science and cybersecurity. The funding agency also required a pre-camp and post-camp activity to coincide with the week-long camp program. These pre-camp activities had a vision and objectives for learning, and observations from these activities will also be presented. We will reflect on the experience and share lessons learned at the camp, including those specific to the resources available in Maine and those that may appeal to any location. Our presentation reflections will include an overview of the key cybersecurity concepts covered at the camp as well as demonstrations of activities that worked well and those that need to be revisited. Speakers will include cookbooks with procedures and materials needed to replicate those activities, allowing anyone to use our learning approaches in their own outreach endeavors. We will discuss the differences observed by the organizers in the two weeks of camp and provide some insights as to observable considerations that ought to be adhered to when planning a similar program. The speakers will address the objectives, which were met and which were not met, and any reflections as to adjustments that would need to be made for a subsequent program delivery.
Gary Cantrell is a native of the Deep South. He was born and raised in the northeast corner of Mississippi. He spent many years moving around the state going between two different careers. He spent 4 years as a computer scientist working for the US government. This includes time working for the Navy, the Army, and a few months for the Air Force. The rest of his career has been spent in computer science and digital forensics education, including over 4 years training law enforcement with the National Forensic Training Center at Mississippi State University. After reaching ABD (All But Dissertation) status in 2010, he took a job with Dixie State University in southern Utah. After a year he received his Ph.D. in computer science and remained at DSU as a tenure-track professor. During this time he was instrumental in establishing the DSU Computer Crime Institute. With the DSU-CCI he consulted on digital forensics exams and trained law enforcement, but his main role was the developer and principal faculty for Dixie State University’s digital forensics academic programs. After spending 2 years as a tenured professor at DSU, Gary decided to expand out from digital forensics and searched for an opportunity teaching in core computer science. This prompted a move to nearby Southern Utah University, where he served as a tenure-track faculty member for the Computer Science and Information Systems (CSIS) department. In the summer of 2022, he moved to Portland, Maine, where he teaches for Northeastern University at the Roux Institute. He teaches in the amazing Align program, helping students who do not have BS degrees in CS cross-train and earn an MS degree in CS. In addition, he teaches electives in Software Engineering, Security, and Digital Forensics. Dr. Cantrell’s primary teaching experiences include: Java I, II, C++, software engineering, computational theory, capstone courses, operating system basics, digital forensics, computer crime, hardware basics, file systems, coding, using digital forensics tools (FTK, X-Ways, and various open source tools), small device forensics, and using Linux to make life easier. His research interests include digital forensics, digital triage, digital forensics education, steganography, and computer security.
Scott Valcourt is an associate teaching professor within the Khoury College of Computer Sciences at Northeastern University’s Roux Institute in Portland, ME. He serves as the Global Network Course Coordinator for the CS Align course CS5008 Algorithms, Data Structures, and their Applications in Computer Systems. As a national research leader in cyberinfrastructure, Valcourt has been part of the development of more than a dozen worldwide networking technologies, causing NetworkWorld magazine to name him “one of the most powerful people in networking” in 2001. Valcourt began as a student and eventually became the second director of the world-renowned University of New Hampshire InterOperability Laboratory (UNH-IOL) from 1993-2004. He served as the principal investigator (PI) in 2010-2014 of Network NH Now, a collaboration of public and private partners that constructed critically needed broadband expansion across NH through more than 750 miles of new and existing fiber and microwave technologies. Simultaneously, Valcourt was the co-PI of the New Hampshire Broadband Mapping and Planning Program (NHBMPP), which continues to focus on NH broadband mapping. Valcourt has developed and managed over $100 million in grant funds focused on the creation of next generation infrastructure and applications utilizing broadband across the region. His current research areas involve data analysis and broadband expansion in support of smart communities and telehealth. Valcourt has a BA in computer science with a mathematics emphasis, cum laude, from Saint Anselm College in Manchester, NH. He also has a Master of Science in computer science and a PhD in engineering: systems design with a Cognate in College Teaching from the University of New Hampshire.
Lindsay Jamieson is a teaching professor at the Khoury College of Computer Sciences at Northeastern University. Her area of research focuses on algorithms and theory. Additionally, Jamieson is a part of the Executive Committee for ACM-W North America, which supports, celebrates and advocates internationally for the full engagement of women in all aspects of the computing field. Jamieson earned her doctorate in computer science from Clemson University and her bachelor’s in computer science from DePauw University. Prior to joining Northeastern in 2021, she was an associate professor of computer science at St. Mary’s College of Maryland.
François Allard is an accomplished site reliability engineer with a solid background in software engineering and DevSecOps best practices. He is recognized for his expertise in security engineering, CI/CD pipeline security and cloud infrastructure security. Bullfrog is François’s most significant open-source project to date. He holds a degree in software engineering from Polytechnique de Montréal and a master’s degree in e-commerce from HEC Montréal.
Mathieu Larose is a seasoned technology professional with more than ten years of experience in the software industry. He specializes in building secure, robust and scalable back-end systems, drawing on his in-depth knowledge to drive innovation and efficiency in software development. He holds a bachelor’s and a master’s degree in computer science, as well as a DESS (graduate diploma) in management.
Embark on our ‘Maslow’s Pyramid for Efficient Cybersecurity Spending’ journey, inspired by grocery shopping, prioritizing cybersecurity. Explore the Pyramid, optimize spending, enhance user-centric security, and fortify digital defenses. This session offers practical guidance for a cost-effective, strong cybersecurity strategy. In the dynamic realm of cybersecurity resource management, our session presents a novel blend of Abraham Maslow’s psychological theory and cybersecurity strategies. This innovative approach redefines how organizations safeguard their digital assets efficiently.
Join us for this transformative session, bridging psychological theory, practical cybersecurity applications, and the familiar grocery shopping experience. Gain actionable insights to revolutionize your organization’s cybersecurity posture, making it robust, cost-effective, and aligned with your digital ecosystem’s fundamental needs.
Julien Turcot is a recognized Information Security executive leader with more than 20 years of experience in driving large-scale technology security initiatives, cyber resiliency programs and risk management. He has helped organizations, large and small and across the public and private sector, to understand their risk posture and put in place strategies and the right architecture to manage it. He is widely acknowledged as an industry thought leader and experienced practitioner, capable of translating technology challenges into actionable business solutions, and is a renowned public speaker at international cyber security conferences. Results-oriented and highly motivated, Mr. Turcot has effectively positioned and deployed industry-leading IT solutions across all major verticals throughout Canada. Leveraging his experience and business acumen, he has helped organizations significantly increase their Security and Data Center efficiencies, while at the same time effectively reducing their TCO. Mr. Turcot is a natural leader and a very positive individual. He loves to be challenged, as he performs very well under pressure. He has the ability to lead multiple projects and tasks simultaneously. He deeply believes that all problems do have solutions, and he is interested in helping you and your organization to reach maturity in IT Security. With his strong background in Next Generation Platforms and Software Defined Data Centres, and a unique ability to identify and understand the needs of his clients, he has effectively built up the brand and territories for every organization he has been a part of. Specialties: Complex Sales – Consistently deliver over-target results – Enterprise solution sales – Territory development – Channel Marketing and Management – Executive Presentations – Public Speaking.
As the Chief Marketing Officer at GoSecure, a leading provider of cybersecurity solutions, Anne-Marie Faber leverages her 15+ years of experience in the IT industry and her MBA degree to drive the company’s growth and differentiation in the market. I have a proven track record of helping various companies evolve into market leaders with double digit revenue growth, thanks to my strategic planning and business strategy skills. I oversee all aspects of GoSecure’s marketing strategy, including corporate messaging, branding, communications, digital demand generation, field and channel marketing. I believe in the importance of a close partnership with all sales channels, direct and indirect, and the ability to think creatively and differently than competitors. I also lead a talented and diverse team of marketing professionals who share my passion and vision for security innovation and customer success. GoSecure is a cybersecurity enterprise that specializes in providing managed Extended Detection and Response (MXDR) solutions as well as expert advisory services. The company offers integrated security solutions through their GoSecure Titan suite, delivering multi-vector protection to combat contemporary cyber threats.
In today’s digital age, AI-driven chatbots have become an integral part of our daily routines, seamlessly blending into various aspects of our lives. The arrival of Large Language Models (LLMs) has revolutionized the field of conversational AI, enabling chatbots to engage users in more natural and contextually relevant conversations. This advancement has empowered businesses to deliver enhanced customer experiences and streamline their operations. However, amidst the convenience and innovation, it is crucial to recognize the inherent risks associated with these AI-powered chatbots. In this submission, we aim to dive into the realm of LLM chatbot hacking, shedding light on the vulnerabilities and potential exploits associated with these advanced systems. By dissecting the underlying mechanisms of LLM-based chatbots, we seek to raise awareness about the security risks they pose and equip participants with the knowledge to mitigate these threats effectively. During our tech talk, we will embark on a journey through the fundamentals of AI, providing attendees with a comprehensive understanding of the underlying principles driving chatbots. We will then pivot to an exploration of common vulnerabilities encountered in AI chatbots, highlighting the top two categories most susceptible to exploitation. Through a combination of live hacking demonstrations and real-world attack scenarios, we will illustrate how malicious actors leverage these vulnerabilities to compromise sensitive information, infringe upon users’ privacy, and propagate misinformation. By immersing participants in simulated hacking scenarios, we aim to provide a hands-on learning experience that will enhance their understanding of the evolving threat landscape. Furthermore, we will explore a range of security measures designed to mitigate these risks and promote a more secure integration of AI chatbots into our daily lives. 
We will discuss practical strategies for safeguarding chatbot systems against potential threats. By the conclusion of our talk, participants will have gained a deeper awareness of the challenges inherent in securing AI chatbots and will be equipped with actionable insights to bolster their defenses. We will also extend an invitation to participants to use our lab, where they can further explore and exploit additional attack paths beyond those covered in the talk.
Naveen Konrajankuppam Mahavishnu is a Security Researcher with over 7 years of expertise specializing in AI, application, and cloud security. He possesses extensive knowledge in all aspects of product security, including threat modeling, DevSecOps, API security, and penetration testing. He is passionate about integrating security into the SDLC from design to deployment, ensuring the early detection and mitigation of vulnerabilities.
Mohan Vengatachalam is a security leader with over a decade of experience in security architecture, engineering, and operations. He has a strong interest in developing security programs and a proven track record of creating proactive security roadmaps and strategies aligned with business objectives. He constantly seeks ways to elevate security processes and culture to the next level.
I would like to discuss a rather technical but essential topic in this field: the extraction, analysis, and exploitation of firmware in embedded devices. First, I will explain the main concepts and definitions of how these devices operate, emphasizing that they are more vulnerable than one might think, with techniques used for vulnerability research (with or without having the device in hand). It is also important to discuss the different components found in these devices, their functionalities/specifications, and the secrets that attackers can exploit. Then, it’s also important to talk about all the tools and requirements that would be necessary if you want to dive into this amazing field. Next, I will talk about several methods of firmware extraction, ranging from downloading the binary file from the manufacturer’s website, which remains the most effective method but is starting to have its limitations with the latest “cloud” update methods, to extraction requiring physical access to a device using communication ports like UART or JTAG. The final method involves extracting the firmware directly from the Flash chip. Depending on the setup, I am willing to perform a live demonstration for each method that I talk about with different devices and tools. Of course, this talk aims to demonstrate the basics for those who wish to embark on this adventure. I will guide participants as best as possible with documented methods while addressing the risks associated with hardware hacking, both from an ethical and safety perspective, especially regarding the handling of electrical components or the use of a soldering iron.
Formerly a volunteer firefighter in France for 4 years, Adrien Lasalle decided to pursue his passion for IT and especially offensive cybersecurity. I’m now working as an Offensive Security Advisor at Desjardins and an active member of the hacking community, with many talks and volunteer work at different events. I am gradually specializing in internal network intrusion testing but also in Hardware Hacking, a domain that I particularly appreciate for its technical nature, but also for the diversity of possible research and exploitation combining several skills in offensive security. Do not hesitate to check my work and posts (be aware of memes) on my LinkedIn profile, my personal blog or some of my cybersecurity-related projects on my GitHub account: https://alrikrr.github.io/. Sharing our passion for this field, whether for awareness or education, is an important mission for me!
As a pentester and former CERT analyst, I have a passion for cybersecurity and video games. My experience has allowed me to see up close how threats and technologies have evolved in these fields. Today, I want to share my knowledge on a crucial topic: cheating in video games and its impact on cybersecurity. First of all, cheating in video games has evolved from simple score modifications to sophisticated attacks that affect cybersecurity. The earliest attempts involved modifying scores, signalling the need for protection. As online games evolved, attacks diversified, exploiting the server-client relationship for cheats such as aimbots and wallhacks. Attackers do not hesitate to target platforms such as PSNetwork, Epic Games and Steam. Moreover, to counter these threats, advanced cheat-detection methods have been developed. Valve Anti-Cheat, Easy Anti-Cheat, BattlEye and many others play a crucial role, although they face constant challenges due to the evolution of cheating methods and the impact on game performance. The consequences of cheating go beyond games, affecting user trust and developers’ finances. Cheating techniques turn into more serious cybercrimes, threatening overall security. To illustrate my points, I will also present a case study. Finally, innovative countermeasures show the importance of ingenuity in the fight against cheating. The example of Counter-Strike, where the developers used creative methods to counter cheaters, and the case of Game Dev Tycoon illustrate these efforts. In conclusion, the battle against cheating is a major issue for cybersecurity. It is essential to remain vigilant and to develop innovative solutions to protect games and platforms.
As a pentester and former analyst within a CERT, Jonathan Nomed has developed a deep passion for cybersecurity as well as for video games. My professional path has allowed me to observe up close the rapid and constant evolution of threats and technologies in these fascinating fields. Over these years, I have gained valuable expertise by observing the identification of vulnerabilities and the strategies to counter them. Although I have not yet had the opportunity to share my knowledge through conferences, I am firmly determined to get started in this area. I want to speak on a crucial topic: cheating in video games and its impact on cybersecurity. This issue, often underestimated, deserves particular attention because it affects both players and digital security infrastructure. My objective is to raise awareness, inform and educate a broad audience about the real and potential dangers of cheating in video games. By exploring how these practices can compromise the overall security of computer systems, I hope to contribute to greater awareness.
In the ever-evolving landscape of cybersecurity, threat modeling has become a cornerstone for identifying, assessing, and mitigating potential security risks. The process involves various techniques, each with its own set of advantages and limitations. This talk, titled “Deciphering Threat Modeling: Balancing Tools and Manual Approaches for Effective Security,” delves into the intricacies of threat modeling by exploring both automated tools and manual methodologies. We will begin by examining the core principles of threat modeling and its significance in today’s security ecosystem. This section will emphasize how threat modeling improves security and distinguishes itself from other security testing methodologies such as SAST and DAST. The discussion will then pivot to the indispensable value of manual threat modeling techniques. We will explore scenarios where human intuition and expertise are paramount, and how manual techniques can uncover nuanced threats that automated tools might overlook. This section will explain the benefits of adhering to the basic, straightforward nature of threat modeling, which has become complex over time, giving rise to automated tools. Conversely, the talk will also address the efficiency of the automated approach using the latest tools available, highlighting their capabilities in streamlining and enhancing the threat modeling process. Participants will gain insights into how these tools can automate complex tasks, increase accuracy, and save valuable time. Following this, we will demonstrate the complementary nature of both methods. While manual approaches may overlook certain threats, automated tools can generate excessive information or noise, leading to the de-prioritization of risks and an ineffective remediation strategy. Attendees will leave with a comprehensive understanding of how to effectively integrate tools and manual approaches to build a robust threat modeling strategy. 
This balanced approach ensures a more resilient security posture, capable of adapting to diverse and sophisticated threats. Join us to decipher the art and science of threat modeling, and learn how to strike the perfect balance between technological innovation and human insight for superior security outcomes.
Niharika Gehani is a seasoned cybersecurity professional with over 10 years of experience in application security and a deep interest in security threat modeling. Currently residing in Ottawa, Canada, she works with EPAM Systems as a Senior Security Systems Engineer. In her current role, Niharika conducts threat modeling for applications in the healthcare industry, addressing unique challenges and ensuring robust security measures. Her work involves analyzing potential threats, identifying vulnerabilities, doing risk analysis, and implementing effective security strategies to protect sensitive healthcare data. Throughout her career, Niharika has developed a comprehensive understanding of the complexities involved in securing applications and mitigating potential threats. Her passion for threat modeling has driven her to explore both manual and automated approaches, striving to create a resilient security posture that adapts to the evolving threat landscape. This is my first time as a speaker, and I am excited to share my knowledge and insights with a broader audience. I hope that my talk will provide valuable perspectives and practical strategies to enhance security practices in today’s rapidly evolving digital landscape. My goal is to help others understand the importance of threat modeling and how it can be effectively integrated into their security frameworks to protect against sophisticated cyber threats.
This presentation explores the prevalent notion of cyber attackers’ mastery of terminal-based operations. Departing from conventional portrayals, which often depict attackers as skilled coders and command-line virtuosos, our research offers a nuanced perspective on the actual sophistication and capabilities of these individuals. We created a dataset composed of 454 remote desktop protocol connections initiated by attackers on our honeypots, spanning an extensive timeframe from January 2020 to March 2022. This exhaustive examination, encompassing over 100 hours of video footage, aims to uncover unforeseen trends and behavioral patterns. Notably, our findings challenge prevailing assumptions, revealing that a mere fraction—just 8%—of recorded sessions involved the use of a command-line interface. This revelation disrupts long-standing notions about attackers’ heavy reliance on the command prompt rather than graphical user interfaces, prompting a fundamental reevaluation of existing perceptions. Our in-depth analysis revealed disparities between the actions undertaken within terminal sessions and those executed in environments exclusively using graphical user interfaces. While certain common actions such as password changes remain prevalent across both sets, terminal sessions exhibit a distinct emphasis on tasks such as seeking IP information, accompanied by a notable reduction in reliance on automated tools. This suggests a simpler, less mechanized approach to attacks within terminal-based environments. Moreover, our sophistication scoring system, designed to assess the level of expertise demonstrated by attackers, illuminates a conspicuous absence of highly proficient individuals. Instead, the majority of attackers exhibit rudimentary skills, with only a minority demonstrating moderate levels of sophistication.
This groundbreaking study challenges entrenched assumptions regarding attackers’ technical prowess and underscores the paramount importance of nuanced understanding within the realm of cybersecurity research. While proficiency in coding and terminal operations undoubtedly offers certain advantages, our findings suggest that a considerable number of attackers operate at a less sophisticated level than commonly perceived, necessitating a recalibration of prevailing perspectives.
Andréanne Bergeron, PhD, is the director of research at GoSecure, specializing in online attackers’ behaviors. Her expertise delves into the intersection of criminology and cybersecurity. In addition, Andréanne holds an esteemed position as an affiliated professor in the Department of Criminology of Montreal University, bridging academia and industry. Her commitment to providing a unique perspective on the human element behind digital threats reflects a holistic approach, enriched by theoretical depth and real-world applicability. While her PhD thesis focused on applying game theory to understand the dynamics of police interrogation with online offenders, her research has extended to a broader scope, including investigations into cryptomarkets, cybersecurity, and the behavior of malicious hackers. Andréanne has showcased her research at prestigious conferences such as BlackHat USA, Defcon, CypherCon, and ShmooCon. Active in her community, Andréanne serves as one of the board members of the Canadian Cybersecurity Network and holds the position of co-Vice President of Engagement and Outreach at NorthSec.
As businesses and organizations continue to adopt more advanced security measures to protect their macOS endpoints against cyber-attacks, attackers are constantly evolving their techniques to bypass these measures. In this presentation, we will demonstrate real-world attack scenarios and reveal common vulnerabilities, as well as provide insights on how to exploit them. “macOS Red Team on Corporate Scenarios” is the result of years of research and dedicated work in testing macOS environments. Its main objective is to provide a comprehensive view of the security surrounding Apple’s operating system, demonstrating how potential vulnerabilities can be exploited. The adopted approach assumes the perspective of an insider attacker or of a Red Team simulation. The research will delve into various security features embedded within macOS, such as SIP (System Integrity Protection), TCC (Transparency, Consent, and Control), FileVault, SSV (System Software Version), Gatekeeper, XProtect, and Secure Boot. These components play crucial roles in safeguarding the integrity, privacy, and overall security posture of the macOS operating system. The research will also delve into the tactics, techniques, and procedures (TTPs) catalogued by the MITRE ATT&CK framework for macOS systems to assist in conducting red team simulations. This exploration aims to provide insights into the methodologies and strategies employed by attackers, enhancing the effectiveness of defensive strategies and improving the overall cybersecurity posture of macOS environments. At the conclusion of the presentation, we will demonstrate a bypass based on a vulnerability discovered in the macOS Transparency, Consent, and Control (TCC) framework. This vulnerability has been reported to Apple for investigation and mitigation. We will also discuss how Apple has handled the vulnerability disclosure and the steps taken by the company to address the issue.
L0gan is a security researcher with extensive experience in enterprise networks and enthusiastic about malware research, pentesting and reverse engineering. In the last years I have been focused on vulnerability and malware research for the macOS environment. For many years I have worked with solutions like SIEM solutions for real-time correlation, threat hunting and triage of advanced persistent threats through to mitigation and endpoint protection. I have also worked on the development and design of a vulnerability scanner and code analysis with open-source tools for task automation. In the recent years of my career (the last 3 years), I have been serving as a manager of an offensive security and application security (AppSec) team. I have been speaking at several security conferences like H2HC (Hackers to Hackers Conference, SP Brazil), Ekoparty (Argentina), Andsec (Argentina), BsideSP (SP Brazil), Roadsec (CE Brazil), BHack (MG Brazil) and Nullbyte (BA Brazil). In Brazil, I am part of the staff of some security conference organizations such as H2HC (Hackers to Hackers Conference), BsideSP and the SlackShow/Slackzine Community. In 2019 I helped to organize a bug bounty program for the BYOS Company in Las Vegas during the Defcon event. I am also a member of the CTF team RTFM (Red Team Freakin’ Maniacs); we play a lot of CTFs and organize CTFs in Brazil, Argentina and Chile.
Our personas are fabrications and constructions of our inner self that we project outwards. We do this through various means and influences such as race, gender, sex, ability, age, culture, religion, norms, class, and status. In the “real world”, aka “irl”, we do all this through expression in our clothing, makeup, hairstyling, our hobbies, and our network of friends, colleagues, and acquaintances. We leverage all of these facets to create masks, personas, that we think will best interact with the world around us. The same concepts apply when creating personas for infiltrating online communities. In this talk we will take a look at what makes a good persona and what makes a bad persona. Personas can vary wildly in quality, and many factors contribute to that quality: how tailored it is to the mission, how good the operational security of the account is, and how good you are at managing it and leveraging it to establish yourself in a community. We will also look at understanding what you can construct and where the limitations lie. If you know nothing about the community you are trying to infiltrate, you will have a hard time establishing a foothold, let alone any significant persistence in the community. Third, we will look at tools, OpSec, and timezone shifting. We will go over some tools that will help you create, build, and maintain quality personas on the dark web. Finally, we will look at what your mission is and how to execute it. It is just as important to know how to exit as it is how to infiltrate. For example, do you want to keep your persona in good standing so it can be reused on another mission? Are you going to burn it? Knowing when to retire a persona is a good skill to have.
Tammy Harper is a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare and studied Advanced Cybersecurity at York University in Toronto, Ontario. She is currently an admin and volunteer researcher for the open-source project RansomLook and a contributor to the DeepDarkCTI open-source research project. Since 2022, she’s been volunteering at her local Women in Tech group, helping mentor women in cybersecurity, threat intelligence, and the dark web. When she isn’t researching communities on the deep and dark web, she listens to techno/ambient music and sips a delicious matcha latte. Her other hobbies include photography, reading, googology (the study of really really large numbers), astronomy, and listening to true crime podcasts. Tammy was featured on the June 2023 Privacy Files Podcast: Dark Web Crimes Episode (available on most podcast streaming platforms), where she discussed cybercrime, major breaches in the news, and how the threat landscape is evolving at an ever-accelerating pace.
Attributing the geographic identities of online attackers poses significant challenges due to their use of various proxy technologies that obfuscate true locations. These proxies, which range from Virtual Private Networks (VPNs) and Tor nodes to compromised endpoints, effectively blur attribution efforts by masking the original IP addresses of the attackers. This obfuscation technique is a key strategy employed by cybercriminals to evade detection and complicate tracing efforts. The complexity of this issue is further compounded by inconsistencies among different IP information sources, making the identification process highly unreliable and challenging for cybersecurity professionals. In this study, we undertake a comprehensive comparison of information from three primary sources: government-provided data, paid commercial databases, and freely accessible open-source information. Each of these sources has its own strengths and weaknesses in accurately determining the geographic origins of cyberattacks. Government data, while often comprehensive, may be limited in scope or accessibility. Paid commercial databases offer extensive data but come with significant costs and potential biases. Open-source information, on the other hand, is widely available but may lack the precision and reliability needed for accurate attribution. By critically evaluating these sources, we aim to identify the most reliable approach for geographic attribution, considering factors such as accuracy, cost, and accessibility. Subsequently, we delve into the analysis of attack techniques, demonstrating that these techniques exhibit distinct patterns based on the geographic origins of IP addresses. Our findings reveal intriguing insights, such as certain hacking tools and methodologies being commonly shared among countries. This suggests possible cooperation or shared resources in cyberattacks, highlighting the global and collaborative nature of modern cyber threats. 
The insights gained from this research not only enhance our understanding of the cyber threat landscape but also underscore the importance of improved methodologies in geographic attribution. By refining these attribution techniques, we can better identify and respond to cyber threats, ultimately bolstering cybersecurity defenses on a global scale. This study not only provides a clearer picture of how attackers operate across different regions but also offers practical recommendations for leveraging diverse data sources to achieve more accurate geographic attribution. These advancements are crucial for developing more effective strategies to combat cybercrime and enhance international cybersecurity collaboration.
Constance Prevot is an undergraduate student pursuing Software Engineering at Concordia University in Montreal, with a keen interest in cybersecurity. Currently engaged in a part-time role at a SOC following her initial internship there, she has also gained experience at GoSecure’s research department during the Summer of 2024. Actively involved in Montreal’s cybersecurity community, Constance has competed in numerous CTFs, including notable events like NorthSec, Hackfest, and Cyber-Sci’s national edition in the Women’s team. She has further contributed to the community by organizing events such as UnitedCTF, @hackCTF, and the 2024 CS Games. Committed to promoting equality, she has served as a mentor for WomenInEngineering at Concordia. Finally, she now leads as President of SCS Concordia, ensuring the club’s strong presence and participation in various events.
This project was completed as part of a summer research internship at GoSecure. During this internship, Constance played a pivotal role, leveraging her specialized skill set to gather extensive information about IP addresses from across the internet. She adeptly managed and processed massive datasets, meticulously analyzing various sources of IP information to uncover patterns and inconsistencies.
Edward Tufte is a statistician and professor emeritus of political science, statistics, and computer science at Yale University. He is best known for his work in the field of data visualization and information design. Tufte is the author of several influential books on data visualization, including “The Visual Display of Quantitative Information,” “Envisioning Information,” “Visual Explanations,” and “Beautiful Evidence.” These books are significant drivers of impact in the fields of information design, data visualization, and statistical graphics. The principles of his work – clarity, simplicity, and effectiveness – have applications across fields of expertise and impact the actionability of research on a global scale. He advocates for the use of minimalistic design, clear labeling, and maximizing the data-ink ratio to create visualizations that effectively convey complex information to viewers. Visualizations in the field of cybersecurity, which I am taking to include general industry reporting as well as the user interfaces of cybersecurity platforms, often reflect an overwhelming amount of information that can mar relevance and impede actionability. Other challenging features of software and reporting are listed below.
– Overwhelming Complexity: Dashboards may become cluttered with too much information, making it difficult for users to identify critical issues amidst the noise.
– Lack of Context: Visualizations may lack context or fail to provide sufficient explanation of the data, leading to misinterpretation or confusion among users.
– Poor Data Quality: Inaccurate or incomplete data can undermine the credibility of dashboard visualizations and lead to incorrect conclusions or ineffective decision-making.
– Limited Interactivity: Dashboards that lack interactive features or drill-down functionality may restrict users’ ability to explore data further and gain deeper insights into security issues.
– Ineffective Visualization Choices: Poorly chosen visualization types or ineffective use of color, layout, and labeling can hinder understanding and make it harder for users to extract meaningful insights from the data.
– Failure to Prioritize Actionable Insights: Dashboards may fail to highlight actionable insights or prioritize critical security issues, leading to a lack of focus and dilution of attention on less important metrics.
– Inadequate Customization: Lack of customization options can limit the relevance of dashboard visualizations to specific user roles or organizational priorities, reducing their effectiveness in driving action.
– Insufficient Integration with Workflow: Dashboards that do not integrate seamlessly with users’ workflow or existing tools may fail to facilitate timely response to security incidents or vulnerabilities.
– Poor Performance and Reliability: Dashboards that are slow to load or prone to technical issues can undermine user trust and discourage regular usage.
– Failure to Align with User Needs: Dashboards may not adequately address the needs and preferences of their intended audience, resulting in low user adoption and limited impact on decision-making processes.
This session will focus on Tufte’s design principles and their utility in cybersecurity reporting. We will explore how the applications of these principles can help bridge the gap between technical findings and actionable insights. By presenting information clearly, providing context, and encouraging intuitive engagement with visualizations, cybersecurity reports can empower stakeholders to make informed decisions and take proactive measures to improve cybersecurity posture and resilience.
Zuzanna Chociej is a Manager with MNP’s Forensic and Litigation Support Services practice in Toronto. She is an accomplished open-source investigator with a passion for information security and open-source analysis. With a deep understanding of technology and a keen eye for detail, she specializes in gathering, analyzing, and interpreting open-source intelligence (OSINT) to provide valuable context and insight for informed risk mitigation. With over a decade of experience, Zuzanna has worked in an intelligence and research capacity for various government and private sector organizations. This is in addition to her experience in the private sector as a risk analyst and investigator. Zuzanna communicates her findings through a systems-oriented perspective, which you will find reflected in her cyber threat and OSINT work at MNP. Her increasing proficiency with penetration testing, red teaming and vulnerability assessment further add to the insightfulness of her intelligence products. Zuzanna has supported clients across industries, focusing on the public sector, business and professional services, and finance. In addition to holding several GIAC certifications (GCIH, GSEC, GFACT), she holds a Master of Arts in Philosophy from McMaster University, as well as a post-graduate diploma from the United Nations University – Institute for Water Environment and Health.
In recent years, Chinese interference in Canada has been at the heart of the news. On the digital side, China-aligned “APT” attacker groups have been particularly active, conducting numerous cyberespionage operations. Researchers at ESET, a major security solutions vendor with a research office in Montreal, have acquired expertise in analyzing and gathering intelligence on cyberattacks attributed to China. We have thus identified cyberespionage operations against governments, strategic companies (for example in the defence or high-technology sectors) and individuals linked to the “five poisons” (activists for Taiwanese independence, Uyghurs, Tibetans, Falun Gong and pro-democracy activists). China-aligned attacker groups are particularly active in Asia and Europe, but also in North America. In this presentation, we will give an overview of the threats posed by China-aligned groups, drawing on several case studies in which we will discuss different APT groups and their specific characteristics. In particular, we will look at groups targeting different sectors or groups of individuals, and we will lay out the different modes of operation they employ to carry out their operations. We will also present the cyber ecosystem to which these groups belong. Indeed, Chinese cyberespionage operations are conducted essentially in connection with three distinct entities with different responsibilities and objectives: the People’s Liberation Army (PLA), the Ministry of State Security (MSS) and the Ministry of Public Security (MPS). We will show how these organizations subcontract part of their cyberespionage operations to private companies, returning in particular to the recent leak of internal documents from the company i-Soon on GitHub.
This leak shed light on the cyberespionage activities of this company, which specializes in IT security and works as a contractor for the Chinese security apparatus. Furthermore, we attribute to i-Soon the campaigns conducted by the APT group Fishmonger, whose activities we documented as early as 2020 during a campaign targeting Hong Kong universities at the time of the 2019 protests.
Mathieu Tartare is a senior malware researcher at ESET, where he began his cybersecurity career in 2018 after earning his PhD in astrophysics and working in high-performance computing. His current research focuses mainly on China-aligned cyberespionage groups, and he leads one of the research teams at ESET’s R&D centre in Montreal.
Matthieu Faou is a senior malware researcher at ESET, where he specializes in the analysis of targeted attacks. His main tasks include tracking cyberespionage groups and reverse engineering malware. He completed his master’s degree in computer science at École Polytechnique de Montréal and École des Mines de Nancy in 2016. He has previously presented at several conferences, including Black Hat USA, BlueHat, Botconf, CYBERWARCON, RECON and Virus Bulletin.
Dave Lewis | 1Password
Julien Richard | Lastwall Networks
Marc-Etienne Léveillé | ESET
Masarah Paquet-Clouston | Université de Montréal
Mathilde Conseil | BDC
Pierre-Marc Bureau | Google Canada