2nd Rounds of TROOPERS16 Talks

Here’s the second round of TROOPERS16 talks. For more information check out our website: TROOPERS

Happy Holidays and all the best for 2016 to everybody!



Ivan Pepelnjak: Real-life Software-Defined Security

Vendors, pundits, and industry media love to talk about Software-Defined Everything, but nothing ever changes in the enterprise world, right? Wrong. Some engineers are already solving security problems with a software-defined approach to networking and security, be it microsegmentation in NSX or OpenStack environments, building scale-out IDS clusters, or responding to DoS or intrusion events in real time… and we’ll cover all these ideas in this fast-paced presentation.

Bio: Ivan Pepelnjak, CCIE#1354 Emeritus, has been designing and implementing large-scale service provider and enterprise networks as well as teaching and writing books about advanced technologies since 1990. He’s the author of several Cisco Press books, prolific blogger and writer, occasional consultant, and creator of a series of highly successful webinars.


Marion Marschalek & Raphaël Vinot: THE KINGS IN YOUR CASTLE – All the lame threats that own you but will never make you famous

It is the same question being directed to audiences around the security conference scene: How many people in the room can tell their machine or network is currently not compromised? No hand has been seen to rise in answer. APT was fashionable five years ago and still rocks the most-feared charts on every cyber threat survey. While the tabloid press is generally after the latest most-sophisticated-threat, the analyst community has long resorted to talking about threats that are advanced and persistent... enough. In terms of sophistication, targeted attacks show all shades of grey, but on average they tend to be rather shallow. On the other hand, security products all have a single weak spot in common: they will always rely on patterns, whether patterns that are there, like signatures, or patterns that are not there, like anomalies. This enables attackers to evade detection with shallow but unknown tools which manage to fly under the radar.

The proposed talk will take on the APT myths by formulating hypotheses based on a set of APTs documented in the MISP platform. MISP stands for Malware Information Sharing Platform and is used by hundreds of organizations to share data on APT events. It is possible to split the content of the information shared between reports of vendors and events seen by the users of the platform.

Having this information in one single place allows one to correlate (supposedly) new threats reported by vendors with existing events seen in the wild, now or in the past. MISP currently holds information about more than 2.000 events.

The data contained helps understand the overall nature of the threats, the tools of trade, the preferred approaches of the attackers, and their evolution. It potentially even allows for actor tracking as the correlation of attributes reveals hidden treasures.

The gathered events from MISP are pre-classified by threat level. We will concentrate on targeted threats and conduct a survey on the nature of the malware and infrastructure used therein. How much of the analyzed malware is custom made, how much is off-the-shelf, or simply installs legitimate RATs in a second phase? How much of it is packed or crypted? Does the fact that malware is not crypted allow conclusions on whether it is used for targeted attacks? How often are exploits used in attacks, and are 0-day exploits used, like, ever? Does the use of exploits imply more sophisticated tools, as the attacker is expected to have greater resources at their disposal?

Out of the ‘big data’ at hand the presenters pick a number of case studies to go deeper into, for example Sofacy/APT28, BlackEnergy, Potao Express or various cases involving PlugX, XTremeRAT or similar plug-and-play RATs. The background information of the dedicated events, binary analysis and infrastructure correlation will help paint a picture of how targeted attacks operate, how they sometimes fail, and what the binaries give away in terms of code reuse, common capabilities and implementation effort.

Bio: Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems, where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Besides that, Marion teaches malware analysis at the University of Applied Sciences St. Pölten and frequently contributes to articles and papers. She has spoken at international conferences around the globe, among others Blackhat, RSA, SyScan, and Troopers. Marion came out as the winner of the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people’s things.

Bio: Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg.

His main activity is developing, or participating in the development of, tools [1] [2] [3] [4] to improve and ease the day-to-day incident response capabilities of the CSIRT he works for, but also those of other teams doing similar activities.

Another big part of his activities is administering the biggest MISP instance in Europe [5], with >150 companies, 400 users and more than 250.000 attributes. This is the source used in this research project.


Christopher Truncer: Passive Intelligence Gathering and Analytics – It’s all Just Metadata!

When it comes to defending our networks or operational environment, it requires more information than just understanding the tactics, techniques, and procedures used against us. To fully prepare for an attack, an invaluable resource would be the ability to gather intelligence about potential threats. This talk will introduce Just-Metadata, a framework that can be used to gather a large amount of information from multiple freely available sources while also performing intelligent analytics to extrapolate data about potential threats.

The presentation will start with the different types of data that are gathered by Just-Metadata, the sources it draws from, and the development of new intelligence gathering modules. I’ll then cover analytical modules and highlight how they can be used to give meaning to the data that’s been gathered by easily identifying unnoticed relationships between potential threats. The analytical modules are what will provide the most value to users.

Just-Metadata’s goal is to make it easy for users to gather useful passive intelligence from a variety of open sources, to do so quickly, and to highlight meaningful information and/or identify hidden relationships. But hey, we’re not performing mass data collection, we’re only looking at the metadata!

Bio: Christopher Truncer is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed for the offensive community, but can also enhance the defensive community’s ability to defend their network.

I’ve been published in the Russian magazine Xakep on Antivirus Evasion with the Veil-Framework. Tools and techniques I develop or research are typically released on my personal blog (


Casey Smith: Mind The Gap – Exploit Free Whitelisting Evasion Tactics

More and more entities are deploying Application Whitelisting to prevent malware and detect sophisticated intruders. Is this a viable defense? What are the mechanisms that can be used to evade detection and achieve action on objectives? How can an attacker circumvent this control? These are questions that we will explore in this talk. We have discovered a number of evasion tactics that cannot be patched. These techniques put organizations that deploy Whitelisting at risk. We will focus on techniques used in Windows Environments.

Bio: Casey Smith @subTee is a Threat Intelligence Analyst in the Financial Industry. He has a passion for understanding and testing defensive systems.


Ashley Shen: Let’s Play Hide and Seek In the Cloud – The APT Malware Favored in Cloud Services

Defending against Advanced Persistent Threat (APT) attacks has become a blooming topic in recent years. Organizations, enterprises, and especially governments have all been designated targets of APT attacks. Since APT attacks are well crafted with advanced tactics, potential targets of APT attacks should understand how to detect, prevent, and respond to these cyber attacks. A newfangled trend that has been affecting people’s lives is cloud service technology. Almost everybody enjoys the cost-efficient and convenient features of cloud services. Yes, almost everybody, including threat actors. Hackers love cloud services just as much as you do, and probably even more so. When sophisticated hackers recognize the benefits of cloud services for their attack infrastructure, a second front is opened. In this talk, I will present APT malware which leverages several cloud services (including numerous blog services provided by multiple platforms, and cloud storage services such as Dropbox, Google Drive, Cloudme etc.) as its attack infrastructure. I will introduce our analysis of the malware and explain how actors perform their attacks through the cloud. Additionally, I will explain the advantages cloud services bring to malware and how to respond to these threats. Furthermore, I will also uncover potential targets of these trojans, which might be a bigger concern to the audience.

This talk aims to provide more insight into unobtrusive APT malware, and to bring people’s attention to potential breaches of their property.

Bio: Chi-en Shen (Ashley) is a senior cyber threat analyst at Team T5 Inc. Her major areas of research include malicious documents, malware analysis and Advanced Persistent Threats (APT). She is in charge of campaign tracking in the team and has been tracking several cyber espionage groups for years. During her MSc, she designed and implemented a flexible framework for malicious Open XML document detection against APT attacks. Ashley is also a core member and speaker of HITCON GIRLS, the first security community for women in Taiwan.


Keep checking back for more updates, and as always you can see more details and sign up for TROOPERS16 here!