AISA CyberCon 2023

Another year, another Australian Information Security Association (AISA) CyberCon in Melbourne! Always super excited to head down and watch the talks of what the cyber people have uncovered over the past 12 months.

Although I didn’t get to nearly as many talks as I would have liked, with so many streams it was hard to pick and choose. However this post will share the insights that I learned and overall takeaways from the three day conference.

DAY 1

The first day of the conference saw a large focus on Artificial Intelligence (AI) and Large Language Models (LLMs), at least in the talks that I attended.

A talk by Roberto Rodriguez (@Cyb3rWard0g), discussing Empowering security teams with generative AI was very insightful. A point of discussion that intrigued me was the potential to add additional datasets for offline or on-premises LLMs such as GPT – including data past 2021 which is a limitation of the free online version of ChatGPT. This process, which is known as Retrieval Augmented Generation, or ‘RAGing’, could provide Machine Learning (ML) capabilities in an offensive cyber context. For example, with a model provided 200 emails, flagged as malicious or benign, test emails could be sent to the model in real-time and provide a confidence rating for malicious content or intent.

Continuing on the AI bandwagon, an excellent talk by Jana Dekanovska discussed Evolving modern tradecraft: How ChatGPT and Analogous AI Engines are leveraged in nation-state and eCrime cyber attacks. Jana is from CrowdStrike’s Threat Intelligence team, and she discussed the use of AI by adversaries; something I have personally been looking for more and more during incidents, which has been apparent in the form of better constructed and grammatically correct phishing emails. But I wanted to know how TAs are going to elevate this!

The short answer is it’s difficult to assess the use of AI in the attack chain on endpoints monitored. eCrime individuals are likely using AI to increase the efficiency and velocity of their attacks, whilst nation-states are almost certainly using AI for parsing and determining meaningful knowledge from the vast datasets collected during espionage activities. However, AI use is likely occurring outside of the compromised environment, so visibility of the use and methodology is minimal to threat intelligence analysts.

Another talk I saw, by Tony Jarvis, discussed the use of Living off the Land Binaries (LoLBins) in the attack chain.

This attack method provides threat actors the ability to conduct malicious activities under the guise of an Administrator – an authorised user managing the environment, such as your IT staff. This methodology is effective in bypassing Endpoint Detection & Response (EDR) technologies. Interestingly, in the case study incident discussed in the talk, 22GB of data was confirmed as exfiltrated. The presenter confirmed with me that this event was verified via network traffic packet analysis through their Security Information and Event Management (SIEM) platform. In my experience this is a data source that is extremely difficult to come by, due to the retention of these logs, or whether they are being recorded in the first place. We are assisting organisations with cyber incidents who rarely have budget for a SIEM, or extensive logging retention configured on their network perimeter firewalls.

DAY 2

Andrew Lawrence (de.iterate) discussed The intersection of Data Privacy and Data Security. He shared that 116 changes are proposed to the Australian Privacy Act, scheduled for implementation in 2024. This will catch Australia up with the rest of the world 🌎.

One notable change included removing the small business (with some exceptions) exemption from the Privacy Act.

It is great to see some changes coming to protect consumers’ data. However, I will be interested to see if platforms and cyber vendors will be able to affordably service this new requirement for the approx 80% of Australian businesses with less than 25 employees that fit under this category.

Anurag Khanna of CrowdStrike gave a great talk on adversaries targeting hypervisors.

The log sources discussed were the expected ones, with outcomes similar to what I have seen in cases involving hypervisors impacted by ransomware. I did pick up some interesting tips, such as the vpxuser account being an easy target for threat actors. This is a user account for which VMware tells users never to change the password; the credentials for this account are rotated every 30 days by VMware.

However, Anurag’s presentation, which is available here: https://threathunting.dev/aisa.pdf, displays an example of how a threat actor might abuse this configuration, gaining root (admin) privileges to the hypervisor host.

It was fantastic seeing Cathy Freeman up on stage, discussing the challenges faced and overcome leading up to her gold medal win at the 2000 Sydney Olympics.

DAY 3

Attendance for the final day was delayed by some incidents requiring some attention in the morning. I was genuinely excited to start the day with some insights from Cloud Incident Response, however the speakers were no-shows…

In any event, there were some interesting discussions on Service Account Keys by Stefan Avgoustakis and the impact if appropriate Identity and Access Management (IAM) controls are not put in place. He demonstrated an incident investigated by Mandiant’s IR team showcasing the impact.

Jason Kent gave an excellent talk on Application Programming Interface (API) security, and common security mistakes he’s encountered.

This was very relevant considering a certain large telco who in 2022 saw an API abused to their demise.

The final day of CyberCon was topped off with a talk from the well-known physicist Brian Cox.

Until next year CyberCon! 👋👋👋
