In this talk, Daniel covers how defend your Security Program from AI consultancies. In other words, how to use AI to help run your program—before someone else does. It goes over how to build an AI-based structure for understanding your Security Program, and how to use AI to manage said program over time. Attendees will leave with not only a new way of thinking about AI, but a new way of thinking about security programs as well.

Daniel Miessler discusses the transformative potential of AI in security programs, emphasizing the need for organizations to adopt AI-driven approaches to remain competitive and efficient. He introduces 'fabric', an open-source tool for managing security programs with AI, and highlights the broader implications of AI in automating business processes.

AI in Security, Fabric Tool, Business Automation, Security Program Management, Open Source

The current unstable geopolitical situation has once again, after many years, brought back the everlasting threat of a nuclear conflict. This talk is intended to contribute further to a better understanding of the different cyber-physical attacks that may impact nuclear facilities, driven from the perspective of hypothetical, but realistic, state-sponsored operations. One of the novel aspects of this research is that it is based on the analysis of specific digital Instrumentation and Control equipment (Class 1E), that is currently deployed in multiple Nuclear Power Plants across Europe (including Swiss NPP such as Beznau or Gösgen), USA, Russia, or China.

Ruben Santamarta discusses hypothetical cyber-physical attacks on nuclear reactors, emphasizing the importance of education and transparency in dispelling myths about nuclear security. He explores the vulnerabilities and potential attack vectors within nuclear power plant safety systems, particularly focusing on the digital reactor protection system Teleperm XS. Santamarta's research includes a case study on simulating an attack that could lead to a partial meltdown, highlighting the complex interplay between safety systems and the potential for cyber threats.

Cyber-Physical Attacks, Nuclear Reactors, Teleperm XS, Safety Systems, Cyber Security

Technology and AI have the potential to reshape propaganda and disinformation tactics, enabling new capabilities in both creation and dissemination. I explore how modern propaganda operations may benefit from content generation technologies like large language models to spread disinformation broadly. I will discuss the use of deepfakes, AI-fueled personas, and how they may be employed by state and non-state actors to influence public opinion, undermine institutions, fuel information warfare, or enhance scams. Additionally, I will introduce a systematic approach to analyzing influence campaign content to classify these threats, a process that may also be enhanced by AI/LLMs.

Cyber insurance polarizes. Some view it as the one measure that will keep their company afloat after a cyber incident, others are convinced that it will not pay out in any case. Who is right? In our discussion we will cover what cyber insurance is, what it is not and where the big open questions are.

Maya Bundt and Fabian Willi discuss the complexities and considerations surrounding cyber insurance, including its effectiveness, coverage limitations, and the role it plays in cybersecurity strategy. They explore scenarios where cyber insurance has been beneficial and others where it has fallen short, emphasizing the importance of understanding policy details and the evolving nature of cyber threats.

Cyber Insurance, Coverage Limitations, Cybersecurity Strategy, Policy Details, Evolving Threats

Large language models can be manipulated through language - and that means: Social engineering works with chatbots! This is good news, because it helps us to use large language models for our purposes (and possibly differently than they are intended). But at the same time this is bad news, because the bad actors can also do this. The talk uses examples from my recent research to explain how large language models can be manipulated. I show how I got them to reveal their dark secrets - like manipulative initial prompts - and thus exposed the companies behind them and their shady activities. Or how they helped me with investigative research, developed and explained the best Google Dorks, removed redactions and revealed things that they are not supposed to reveal. This is a lot of fun. But it also shows: LLMs will always leak our data, they can be manipulated and they will always say things they are not supposed to say.

Eva Wolfangel discusses the dual-edged sword of AI chatbots, focusing on their potential for manipulation and the extraction of sensitive information. Through her investigative research, she reveals how chatbots can be socially engineered to divulge data they're not supposed to, including private email addresses and even methods for illicit activities. Wolfangel's presentation underscores the importance of ethical considerations and security measures in AI development and usage.

Artificial Intelligence, Prompt Injection, AI manipulation, chatbots, social engineering, data extraction, security

AI Security has been researched for almost two decades. Yet, existing, frequently studied threat models have never been tested in terms of real-world usage of AI. In this talk, we discuss a survey with 271 real-world AI practitioners, whose description of AI usage we match with existing threat models. While we find that all threat models do exist, there are also significant mismatches where research is too generous with the attacker.

Your metrics are boring and dangerous. Recycled slides with meaningless counts of alerts, incidents, true and false positives… SNOOZE. Even worse, it’s motivating your team to distort the truth and subvert progress. This talk is your wake-up call to rethink your detection and response metrics. Metrics tell a story. But before we can describe the effectiveness of our capabilities, our audience first needs to grasp what modern detection and response is and its value. So, how do we tell that story, especially to leadership with a limited amount of time? Measurements help us get results. But if you’re advocating for faster response times, you might be encouraging your team to make hasty decisions that lead to increased risk. So, how do we find a set of measurements, both qualitative and quantitative, that incentivizes progress and serves as a north star to modern detection and response? Metrics help shape decisions. But legacy methods of evaluating and reporting are preventing you from getting the support and funding you need to succeed. At the end of this talk, you’ll walk away with a practical framework for developing your own metrics, a new maturity model for measuring detection and response capabilities, data gathering techniques that tell a convincing story using micro-purple testing, and lots of visual examples of metrics that won’t put your audience to sleep.

Allyn Stott, a staff engineer at Airbnb, discusses the common pitfalls in security metrics, emphasizing the importance of choosing the right metrics to guide decision-making in security operations. He introduces the SABER framework and the Threat Detection and Response (TDR) maturity model to help organizations measure and improve their security posture effectively.

Security Metrics, SABER Framework, TDR Maturity Model, Detection and Response, Metric Improvement

Cybersecurity is on the verge of a radical transformation, driven by the rise of Generative AI (GenAI). Within the next five years, human-led penetration testing will give way to AI-powered solutions, and offensive security actions will be teleoperated or fully automated. GenAI companies are already undermining the security capabilities in their models to avoid public backlash, leaving critical gaps in defense.* In this talk, Víctor Mayoral Vilches will present his groundbreaking work on the „Levels of Autonomy in Cybersecurity,” a framework that maps the shift from human-led pentesting to fully autonomous Cybersecurity AIs. He begins with PentestGPT, an open-source AI tool launched in 2023 that assists with offensive security planning and sparked widespread controversy. From there, Víctor will explore semi-automated tools before introducing the Robot Immune System (RIS), a cutting-edge, AI-driven security solution. RIS employs Artificial Intelligence and Game Theory to autonomously understand, predict, and mitigate cyber threats in real time, evolving dynamically to meet the ever-changing cybersecurity landscape. Originally developed for robotics, RIS has expanded its reach to IT and OT environments, fueled by the latest advances in GenAI. Víctor will conclude with insights into his team’s current research, which is focused on advancing these Cybersecurity AIs to comply with the European Union’s NIS2 and AI Act, paving the way for a future where AI not only defends but outsmarts cyber adversaries.

Víctor Mayoral Vilches discusses the evolution of cybersecurity in robotics, from the development of PentestGPT to the creation of a robot immune system (RIS) that provides endpoint protection for robots. He highlights the challenges of securing robots, the potential of AI in cybersecurity, and the future direction of AI-powered cybersecurity systems.

Robotics, Cybersecurity, AI, PentestGPT, Robot Immune System

John Graham-Cumming, CTO of Cloudflare, discusses the evolution of web application firewalls (WAFs) as a model for AI in general. He has championed the integration of machine learning into WAFs, and the challenges of adapting to new and evolving web attacks. His presentation explores the history of spam filtering as an analogy for the potential of machine learning in enhancing WAF effectiveness, while also cautioning against the potential for attackers to use machine learning for evasion: This is the beginning of a new era, the cat-and-mouse game is changing, but it’s far from over.

You have an AI project, but are stuck with getting legal approval? David will share some insights on how to deal with lawyers and legal departments with regard to AI. What are the aspects they are looking for? What helps you getting the green light? How to do in terms of governance?

David Rosenthal discusses the intersection of AI technology and legal frameworks, emphasizing the importance of understanding both technical and legal perspectives for effective AI implementation. He highlights the challenges lawyers face with AI, including compliance, risk management, and the need for education on AI technologies. Rosenthal suggests a collaborative approach between tech professionals and legal teams to navigate the complexities of AI in a legal context.

AI, Legal Frameworks, Risk Management, Lawyer Education, Compliance

Language models are currently near the peak of the hype curve. Their application to cybersecurity has been a topic of academic research for a while. In this talk we present the results of our efforts to put one of the many proposed architectures into production. We explain how and where AI can fit into security systems and detail the approach we took. We also elaborate on the problems we faced and detail why there is a big gap between what researchers put out and what is feasible and useful in practice.

Emanuel Seemann presents research on using AI for defense, specifically through unnatural language processing to improve intrusion prevention systems and web application firewalls. The talk covers the development and testing of AI models that can automatically adapt to new attacks by analyzing abnormal patterns in web traffic. Seemann discusses the challenges of training these models with quality data and the trade-offs between model performance and operational efficiency.

Defensive AI, Intrusion Prevention, Natural Language Processing, Model Training, Operational Efficiency

As we try to understand LLMs and AI in general, navigating its potential benefits and the myriad of security challenges it presents, one fundamental question emerges: What do we, both as individuals and as democratic societies, truly desire? More crucially, how can we collaborate to fortify our digital ecosystems, ensuring they not only realize our aspirations but also safeguard our democratic values, human rights and the integrity of our society? This talk introduces the current political initiative of the Pirate Party Zürich titled „For A Fundamental Right To Digital Integrity”, which seeks to address these core concerns by advocating for a legal framework that not only promotes safety and human-centric AI but also underpins our collective security.

Monica Amgwerd discusses the interplay between innovation and regulation in AI, emphasizing the need for a legal framework to ensure AI's safe and human-centric development. She advocates for public participation in this discourse, highlighting the importance of balancing AI's benefits against its risks. Amgwerd references Isaac Asimov's laws of robotics and introduces the initiative for a fundamental right to digital integrity, focusing on privacy rights in the digital age.

AI Regulation, Digital Integrity, Privacy Rights, Public Participation, Isaac Asimov

Traditional security strategies often face resistance. This is not due to human failings. It is due to a lack of understanding of the socio-dynamics at play within organizations and human beings. This talk explores how purpose-driven security can overcome resistance. It can transform security efforts from a source of friction to a wellspring of action. We can unlock a powerful force for change. True motivation comes from a sense of purpose and shared goals. When people see how their work fits into the big picture, they want to help protect the company’s future. They understand that security safeguards that vision. You’ll learn, through real world examples and a step-by-step guide, to understand and use socio-dynamics. You can create a purpose-driven security culture.

Ida Hameete discusses the importance of purpose-driven security, emphasizing the role of human resilience and socio-dynamics in cybersecurity. She explores how understanding and aligning with a company's purpose can significantly enhance security measures and reduce resistance to them. Hameete uses examples from healthcare and IT to illustrate her points, advocating for a deeper integration of purpose in security strategies.

Purpose-Driven Security, Socio-Dynamics, Cybersecurity, Human Resilience, Company Purpose

APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender’s point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.

Matt Tesauro discusses the importance of API security, highlighting the ubiquity of APIs and their complexity in real-world applications. He emphasizes the unique challenges in securing APIs, such as specific vulnerabilities and the need for specialized controls beyond traditional application security measures. Tesauro also covers various attack vectors, including broken object level authorization, broken user authentication, and excessive data exposure, providing insights into both attacking and defending APIs.

API Security, Vulnerabilities, Defensive Measures, Attack Vectors, OWASP

Let’s rethink our approach to human factors in information security amidst emerging AI threats. This session advocates a human-centred approach, placing people and processes at the core of security design. Common pitfalls in managing human risk will be highlighted, particularly with the rise of AI-driven hacking techniques. Current practices will be examined through the latest research, focusing on the evolving threat landscape.

Cornelia Puhze discusses the importance of integrating human elements into cybersecurity, emphasizing the need for human-centered security in the face of new AI-driven threats. She highlights the challenges of social engineering, the role of awareness and training, and the necessity of adapting security measures to be more intuitive and user-friendly. Puhze advocates for a shift towards understanding and influencing human behavior to improve security outcomes.

Human-Centered Security, AI Threats, Artifical Intelligence, Awareness, Awareness Training, Social Engineering, Deepfakes, Security Awareness, Behavioral Change

This talk will explore the key developmental phases of building a successful Security Champions Program and how it can transform into a security powerhouse. We’ll cover how to identify the right candidates, structure the program, foster engagement and growth, and use data-driven strategies to gain leadership buy-in. Attendees will gain practical insights into creating a Security Champions Program that strengthens security culture across the organization.

To protect against the increasing frequency and sophistication of cybercrime, organizations are deploying a variety of security solutions. This increases the complexity and scale of the security landscape, especially as today both environments (on-premises and multi-cloud) need to be protected. Learn what BAS is and how it helps improve cybersecurity, how it is implemented at the customer site, and how BAS supports the incident response process.

Raphael Ruf discusses the importance and methodology of breach and attack simulation for continuous security validation. He explains the architecture, deployment, and benefits of using automated validation tools like SafeBreach to ensure security controls are correctly configured and effective against current threats. The talk includes a demonstration of the SafeBreach platform, highlighting its ability to simulate real attacks, integrate with security controls for comprehensive validation, and provide actionable insights for improving security posture.

Breach and Attack Simulation, Continuous Security Validation, SafeBreach, Cybersecurity, Security Controls

Since generative AI became available to the public, there has been a sharp rise in successful phishing campaigns and ransomware attacks. Cybercrime is becoming even faster, more automated and more professional. In one recent case, encryption occurred within just 8 seconds of initial access. However, machine learning and deep learning are also empowering defenders. These technologies are enabling early detection and mitigation, significantly enhancing cybersecurity solutions. In this talk, I will share striking insights from real-world cyberattacks, discuss the recent work of our CSIRT, and explore the evolving landscape of threat actors. Finally, I will delve into current challenges, trends, and the growing role of AI in cyber defense.

Sandro Bachmann discusses the dual role of AI in cybersecurity, highlighting its use in both offensive and defensive strategies. He shares insights from his experience at InfoGuard, focusing on incident response, the effectiveness of AI-driven tools like EDRs in detecting and blocking attacks, and the evolving landscape of cyber threats including ransomware and phishing. Bachmann emphasizes the need for rapid response and recovery strategies in the face of increasingly sophisticated attack

AI in Cybersecurity, Incident Response, EDR, Ransomware, Phishing

Most organizations are in the process of preparing for a high impact incident. Our focus as a security community is now on developing the right processes, having the right tools, and getting everyone involved. Looking back over seven years of responding to major security incidents, I keep coming back to the same observation: We need to make sure that we keep the human side of incidents in mind. We must ensure that we prepare and act in a way that considers the people involved in responding to an incident, those affected by an incident and their wider communities. If we don’t, we will miss and fail to address an important impact. In this talk, I invite you to challenge your incident response management system to ensure that the human side of the response is as well prepared as all the other important elements.

Gregor Wegberg discusses the importance of considering the human aspect in cybersecurity, particularly in incident response to ransomware attacks. He emphasizes the need for organizations to understand their purpose, communicate effectively during crises, and ensure the well-being of their employees. Wegberg advocates for a comprehensive approach that includes technical, emotional, and human factors in cybersecurity strategies.

Cybersecurity, Human Aspect, Incident Response, Ransomware, Organizational Culture

Although the TPM sniffing attack has been known and utilized for nearly five years, it has evolved significantly since its introduction. The attack process has become simpler and more generalized, resulting in increased speed and reliability. This presentation will first share insights gained from using this attack on dozens of machines over the years, highlighting key factors that can enhance its execution. The reduction in complexity and attack time now makes it possible to compromise a machine in just a few minutes, infect it, and then restore it before the owner even realizes it was gone. Secondly, the presentation will explore the multi-factor authentication provided by BitLocker. While multi-factor authentication is crucial for maintaining a baseline level of security, various attack scenarios remain possible even with this configuration. For instance, a malicious user could use TPM sniffing to escalate privileges on a machine if they know the second authentication factor. Although this possibility has been discussed in several publications, Microsoft’s documentation on BitLocker is only partial, and some mechanisms remain unexplored. No existing tool has been able to execute this attack when BitLocker is not in transparent mode. This part of the presentation will delve into the operating system’s inner workings, examining the Windows bootloader and its interactions with the TPM. The goal is to understand how multi-factor authentication works and how it might be bypassed, enabling to decrypt the disk and gain high-privileged access to the operating system.

AI poses data security, compliance, and privacy challenges for organizations that, if not addressed properly, can slow down adoption of the technology. Due to a lack of visibility and controls to protect data in AI, organizations are pausing or in some instances even banning the use of AI out of abundance of caution. To prevent business critical data being compromised and to safeguard their competitive edge, reputation, and customer loyalty, organizations need integrated data security and compliance solutions to safely and confidently adopt AI technologies and keep their most important asset – their data – safe. Michael and Umberto are excited to share how Microsoft significantly invests into cybersecurity and help empower customers to protect and govern their data. We approach data protection in various ways, and Microsoft Purview plays a key role that provides a set of comprehensive, innovation driving solutions – addressing data security, compliance and privacy.

The presentation by Michael Landolt and Umberto Annino from Microsoft at SCS2024 focuses on the challenges of data protection and security in the age of AI. They discuss Microsoft's approach to security, the importance of data governance, and the tools Microsoft offers to help manage and protect data in an AI-driven world. The talk emphasizes the need for organizations to prioritize security and data governance to safely leverage AI technologies.

Data Security, AI, Microsoft, Data Governance, Cybersecurity

Bruno Blumenthal will provide an overview of the critical frameworks and upcoming regulations, shaping AI governance. This presentation highlights key compliance requirements, including ISO standards, FINMA regulations, and the EU AI Act. Attendees will gain essential insights into current standards and emerging regulatory trends, helping them to navigate the complex AI compliance landscape effectively.

Bruno Blumenthal discusses AI compliance, standards, and regulations from a cybersecurity perspective. He highlights the importance of understanding AI in the context of information security and offers insights into ISO and NIST standards relevant to AI risk management. Blumenthal also touches on the EU AI Act and its implications for AI applications, emphasizing the need for organizations to manage AI risks proactively.

AI Compliance, Cybersecurity, ISO Standards, NIST Framework, EU AI Act

As more businesses move further towards a cloud environment we often find ourselves in a hybrid world with servers on both sides of the cloud and clients which needs to function in both worlds. This is something that cyber criminals take advantage of and is one of the biggest problems now. In this keynote we will discuss for example if macOS more secure than Windows? And what about the roles that clients have in a cloud-based digital world? In a cloud-based digital world, clients play a vital role in cybersecurity. By using cloud services, clients entrust their data to third-party providers. As a result, clients must follow best practices and stay vigilant against potential threats. In the macOS attack chain context, clients can be an entry point for attackers if they are not adequately secured By understanding the fundamentals of how cyber criminals actually attack us and how our digital transformation can invent security problems will allow us to build better preventive measures. This keynote will also explain the attack chain and the tools used by hackers. We will also talk about adequate security measures, such as multi-factor authentication, encryption, and endpoint protection.

Targeting, profiling, and weaponizing psychology against key individuals within organizations has started becoming a go-to methodology employed by cybercriminals and social engineers. It is a low-cost, low-risk and highly successful approach used to infiltrate organizations in the public and private sectors, steal sensitive information, recruit insiders, and help threat actors acquire illicit access to assets and systems. We have been observing threat actors performing thorough reconnaissance on targets, building relationships with them online or offline, and actively exploiting or recruiting them. This talk provides insights into the mechanisms and the methodology of today’s targeted social engineering attacks and weaponized psychology. It discusses how attackers tailor their approach in order to compromise specific people in key positions. The tricks they use to build trust and elicit information that assist them in strategizing, initiating, or delivering an attack. In addition to the modus operandi of these attacks, the presentation will discuss the lessons learned and the defence mechanisms we can employ to detect and deter targeted social engineering attacks. Do individuals that have privileged access to information or systems require a more carefully planned security strategy? What do they need to know? What can we, the professionals in security positions do to ensure the safety of those individuals and our organizations but also where does our responsibility end? The presentation will include real-life case studies from current threat intelligence.

Historically, threat intelligence analysts viewed adversaries as having particular, specific „fingerprints” or operational tendencies in cyber operations. While this perspective worked historically, subsequent evolution in adversary tradecraft and operational security has muddled matters significantly. At present, adversaries coalesce around a common set of behaviors or tradecraft: credential phishing or exploitation of unpatched vulnerabilities, credential capture and re-use, and leveraging one of several post-exploitation frameworks, most notably Cobalt Strike. On the one hand, this makes threat intelligence and attribution significantly harder given the great convergence of tradecraft. On the other, defenders have the benefit of operating against a common set of techniques and behaviors to secure networks and evict adversaries. In this presentation, we will explore the convergence of cyber operations, its implications for threat analysis and intelligence, and what this means for network defenders in concrete fashion.

Based on an in-depth academic study performed across 18 different commercial organisations, this session will explore what it means to be a CISO in practice. This includes the conflicted, often contradictory role CISOs play, stopping people ‘having fun’ and yet protecting the organisation from potentially catastrophic impacts. CISOs are both precarious and powerful, educator and scaremonger, enforcer and cleric. It will also explore the language that is used in cyber-security practice, how this involves concepts of mysticism, morality, and masculinity, and how these can be problematic.

Although today passwords are still the first factor used for authentication, since many years the information security market has been informing corporations about the risks associated with their vulnerabilities and those deriving from the use of legacy MFA. Join this session to understand the real risks of adopting some of the most common MFA systems used to access your critical systems and how to begin the journey towards secure passwordless and phishing-resistant authentication.

With the growing complexity of the IT hardware and software stack, with a move from bare-metal to virtual machines & containers, with the prevalent usage of shared central computing resources for Internet-facing services, provisioning of (internal) user services but also the need for serving industrial control systems (OT) in parallel, the design of data center architectures and in particular its networks can become more and more challenging. This presentation will introduce the dilemma of creating a highly agile and flexible computer center set-up while still trying to maintain security perimeters within. It is bound to fail.

More than 80% of cyber incidents involve a human element, yet security investments continue to paint technology as a panacea. Cyber resilience requires a more balanced approach that considers the people that use and deploy technology, and the processes they follow. This talk will provide some high-level solutions that cyber leaders like you can use to address the human factor in security; that which technology can’t.

Although researchers have characterized the bug-bounty ecosystem from the point of view of platforms and programs, minimal effort has been made to understand the perspectives of the main workers: bug hunters. To improve bug bounties, it is important to understand hunters’ motivating factors, challenges, and overall benefits. We address this research gap with three studies: identifying key factors through a free listing survey (n=56), rating each factor’s importance with a larger-scale factor-rating survey (n=159), and conducting semi-structured interviews to uncover details (n=24). Of 54 factors that bug hunters listed, we find that rewards and learning opportunities are the most important benefits. Further, we find scope to be the top differentiator between programs. Surprisingly, we find earning reputation to be one of the least important motivators for hunters. Of the challenges we identify, communication problems, such as unresponsiveness and disputes, are the most substantial. We present recommendations to make the bug-bounty ecosystem accommodating to more bug hunters and ultimately increase participation in an underutilized market.

How often have you heard about humans being the weakest link? Is there really no way for us to design technologies and processes that are resilient to human error? The past two decades have shown that when technologies are designed without considering how they can be misused, they provide a very low barrier of entry for threat actors. Though some have learned the lessons from the past, there are still those that continue to build new technologies with the same mindset as before, that is build fast -> exploit arises -> fix bug. By now, we should already have enough lessons to draw from to get as close to secure-by-design as possible. The presenter will be sharing examples on how to approach this so that more organizations get onboard to deliver technologies and processes that are user-friendly while raising the bar for security.

Cyber risks are particularly dangerous for financial institutions. Successfully fighting them is beyond the resources of a single bank or insurance company. That’s why they have decided to collaborate within the industry and with federal agencies such as the National Cyber Security Center, the Swiss National Bank, FINMA and the State Secretariat for International Financial. Together, on April 5, 2022, they established the Swiss FS-CSC association, a public-private partnership that provides information sharing, threat intelligence, crisis management support and prevention activities. For it has become clear to all stakeholders that pooling resources is essential to success.

As numerous recent examples have shown, executing unknown binaries carries inherent risks; even those originating from seemingly trustworthy sources can, in fact, contain malicious code. For reverse engineers, determining the presence of such malicious elements within software poses significant challenges. This talk aims to address these challenges by discussing a range of strategies designed to extract potential malicious behavior from complex binaries. Initially, our presentation outlines common methods for identifying malicious behavior, such as signature-based checks, string analysis, identification of suspicious API calls and packer detection. However, in recent years, more sophisticated malware has often evaded detection by these traditional strategies. To address this, we introduce various techniques and heuristics for analyzing and navigating more sophisticated binaries. Throughout the talk, we examine the advantages and disadvantages of these heuristics, along with their potential applications. By employing these strategies, we tackle various use cases, such as identifying state machines, command and control (C&C) server communication, and string decryption routines in malware. Furthermore, we delve into the detection of API functions in statically-linked executables, detection of obfuscated code, and pinpointing cryptographic algorithms.

We have been reading for decades that the world is changing faster and faster. Numerous business literature and academic literature is available on how to improve the business continuity, implement risk management and secure your software development. Still businesses are impacted by unforeseen data leaks, misuse of functionality and disrupted business services to their clients. The introduction of cloud did not slow this down. We created a complex global system of chaos. Don’t try to get out of this, embrace it, but how?

Join me as we explore the world of Coordinated Vulnerability Disclosure (CVD). This presentation is tailored to cater to cybersecurity enthusiasts of all skill levels. Together, we will demystify the concepts surrounding CVD and delve into the challenges faced by its participants. Most notably, we will unearth insights into potential solutions to overcome these challenges. Whether you are embarking on your cybersecurity journey or are a seasoned expert, this talk will provide you with the knowledge necessary to navigate the landscape of CVD.

We have become accustomed to the fact that our own infrastructure is under constant attack. That’s why we are constantly working on technical and organizational measures to protect ourselves and be prepared for these threats. But what if it happens to one of our partners, service providers, or suppliers? What do we do when we find out? In this presentation, you will get a brief insight into two supply chain attacks that put several Swiss companies at risk. The focus will be on the actions taken by these companies and the lessons learned from dealing with this risk to be better prepared next time! As an attendee, you will be able to use these lessons to prepare your own organization for similar supply chain attacks.

Strong authentication has long been considered a topic without need for innovation. Recently the spotlight is on strong authentication again as new treats have emerged, NIST raised the requirements for government agencies and FIDO took leadership for security and standardization. In this speech, we will have a look at the challenges of strong authentication as point-in-time action and focus on emerging solutions such as continuous authentication or continuous adaptive trust (CAT).

Cybersecurity is no longer an IT/office issue but is becoming increasingly prevalent in the service and production sectors. In the past, classic awareness measures were usually dumped on all those „affected” with a watering can. However, in times of increasing cyber threats combined with tight budgets and production step optimizations, it is necessary to focus on relevance. Cybersecurity is now omnipresent, but not equally pronounced everywhere. Phishing, for example, is more prevalent in everyday office life than in a production plant with technical equipment. Nevertheless, there is also a need for awareness measures there, but adapted to the respective working environment. Jörg Jungblut, SBB AG, and Markus Günther, TEMET AG, show their way to a decentralized controlled awareness, which consists of more than just sending phishing e-mails.

The InfoGuard Penetration Testing Team has explored the topic of user enumeration on public platforms in more detail. We show the many ways in which this attack target can be achieved, the extent to which artificial intelligence helps an attacker to do this, and the unexpected effects this seemingly inconspicuous vulnerability can have.

Multi-factor authentication, even based on WebAuthn, won’t protect you from device code phishing attacks. As such, they pose a significant risk within the Microsoft 365 (M365) ecosystem. This sophisticated form of cyber-attack involves malicious actors attempting to trick users into revealing their access tokens for M365 services such as Office 365, Teams, or SharePoint Online. Successful adversaries can hijack Azure AD user accounts, compromising emails, documents, and potentially sensitive corporate data. The consequences can be severe, including unauthorized data access, data breaches, identity theft, financial loss, reputational damage, and even regulatory non-compliance. To mitigate these risks, it is critical to implement strong conditional access policies, regular security awareness training, and vigilant monitoring of suspicious activity within the M365 environment. Felix will walk you through the nifty details of the attack, demonstrate a piece of custom Compass middleware that simplifies the execution of device code phishing exercises, and discuss the limits of common mitigations.

In recent years, ransomware has been, and still is, one of the main cyber threats for organizations of all sizes across the world by causing availability disruption and producing elevated financial costs. Ransomware groups are structured as modern organizations with departments, specific roles assigned to every operator, and a clear chain of command. The attacks are performed actively by humans and are indeed named human-operated ransomware attacks. In cyber security, we often talk about humans as the weakest link for organizations because, without doing enough awareness activities, all the money spent on technologies and processes has a low impact on the overall security posture. However, we rarely discuss the human factor behind threat actors and how we can leverage it to better protect ICT infrastructures. The talk will discuss one of the major ransomware gangs, Black Basta, and how the techniques adopted by the threat actors behind the group can be detected and prevented by also exploiting the weakest link of every organization, including criminal ones… the human factor.

Immerse yourself in the fascinating real-life examples of actual security incidences and how the actions that companies are taking along those incidents are predicted by the top trends of industry analysts! Learn more about the shift in the market and how organizations and cybersecurity professionals can gain valuable insights from these market shifts. Don’t miss this opportunity to enhance your own security service by us pro-actively “leaking” our experience!

Estonia is a small country in the Baltics; however, it has been on the forefront of technology for many years. This keynote provides a story from Estonia’s independence in 1991 to its current use of digital identities for the systems that allow the citizens to vote, check online banking, e-residency, tax returns and the lessons learned from the various incidents that happened along the way. What does the future hold and the impact of when you add a bit of AI into the digital society. Learning Objectives:

• Discover the needs and values for government identity management
• What to do when things go wrong
• Key Take aways from CyberWar lessons
• What can AI do for you and your digital identity

This talk examines the evolution of how Russia leverages the digital domain to disrupt, spy, and degrade the adversary. Cyber operations remain a potent modern manifestation of political warfare expanding competition short of war. Yet, during Russo-Ukrainian war (2022- ), we witness rather limited cyber operations that did not demonstrate severe or significant attacks directed at an adversary during what might be characterized by total war. There is also very limited evidence for coordination between the military and cyber operators while Russia’s vaunted information operations have had little effect on the conflict. Despite a dramatic uptick in cyber operations during the war, there remains little evidence that cyber capabilities change the course of war and rather remain an adjacent capability that can be used to shape but not defeat the opposition.

This talk will cover some of the publicly disclosed vulnerabilities by Sven and his team. Common mistakes and vulnerabilities will be discussed and ways to avoid them are shown. Furthermore, we will dive into the lighthouse project digital COVID-Certificate Switzerland that has been assessed by the National Test Institute for Cybersecurity (NTC) and discuss some challenges and the learnings of this project.

There is a general consensus around the financial motivation behind ransomware campaigns. While this holds true, by analyzing a series of unusual ransomware campaigns, Ippolito Forni, EclecticIQ’s Threat Intelligence Consultant & Senior CTI Analyst, will demonstrate that nation-states have jumped on the ransomware bandwagon and are increasingly using it as a smokescreen for purposes other than financial gain, such as espionage and sabotage. In these ransomware campaigns, nation-states can plausibly deny their involvement by hiding their identity and true goals behind a financially motivated ransomware threat actor. Takeaways:

• Being able to spot indicators of anomalous ransomware activity
• Impact and consequences to organizations
• Diplomatic and LEO challenges
• Anti-Ransomware best practices

Passkeys are an exciting new technology, built on top of FIDO2, which promises to replace passwords, this time for good. In this talk we will present passkeys and what they bring to the table, for moving to a passwordless future.

Designing for privacy is seen many times as designing to minimize the collection of users’ data. In this talk we will discuss that designing for privacy goes beyond minimization and in most cases it means to limit the ways in which the collected data can be used. We will also discuss what this design philosophy means for the use of (digital) identities when engineering privacy-preserving systems.

Artificial intelligence has found its way into our everyday lives in a more or less conspicuous way, whether through smart speakers, facial recognition, or the TV program and music selection, all promising the maximum potential for us humans. But in addition to the complex technical and legal challenges associated with developing and deploying AI systems, there is another challenge: humans. Humans have a remarkable tendency to humanize non-human entities from deities to chatbots, that is why we cannot help but treat these digital entities as social actors. This comes with a plethora of opportunities, like more efficient user interaction but also challenges, like manipulating users by humanized design. This is one reason, why „trustworthy AI” is on a rise and debated across the globe. Despite the plethora of expert guidance on the development and implementation of „trustworthy AI,” there is still a surprising amount of disagreement about what constitutes user trust in AI - is it the same as trust in a human? Can we, do we or should we trust AI, just like we place our trust in humans? Moreover, the topic of overtrust is also widely neglected. Since the level of trust influences how users interact with technology, overtrust and over-reliance as subsequent behavior - leads to a faulty human-automation relationship: like the Tesla Driver Walter, who unfortunately died as he trusted the “auto-pilot” so much, eventually hitting a barrier, crashing with two other vehicles. It is long overdue that we talk about how to develop an „appropriate” level of trust for better and safer interactions with non-human agents, which are after all - just man-made machines.

Attackers are increasingly abusing popular cloud applications for command and control (C2). C2 over cloud apps is less likely to be detected since abusing a popular cloud application has the advantage of blending in with everyday traffic and evading traditional C2 defenses. Techniques like domain and URL blocklists that detect attacker controlled servers aren’t effective because there is no attacker controlled infrastructure to identify. Then how do you defend against cloud C2? In this talk, we will explore this new threat landscape and outline a set of detections that use behavioral patterns and anomalies to identify malicious C2 communication from otherwise benign servers. The approach uses novel strategies like unusual cloud entity detection as well as established approaches like JA3 to identify unusual and malicious communication to a cloud application. We will ground all of these concepts in a demo of a Python-based application that uses these signals to identify cloud C2 communication from compromised machines, and thus, equip the listener with the information to spot these attacks.

We are on the cusp of the next quantum revolution, where advances in our understanding of quantum mechanics paves the way for new technologies that promise an era of scientific breakthroughs. However, these same technologies could potentially lead to upheaval in the way that we deploy secure communications across the internet. As a result of which we need to think of appropriate mitigation and build in the necessary transition time to afford everyone a post quantum secure future. We will examine both the opportunity as well as the threats in this arena and suggest pragmatic ways forward.

Every decade or so there’s a new technology that entrenches itself in our everyday lives – almost with no discernible effects to the public. If the previous decade was “the cloud”, this decade could certainly go to AI and Machine Learning. Seemingly every week, a new state of the art model is released that allows life-like recreations of synthetic content. However, these systems are ripe for abuse - attackers have incredible new tools at their disposal no matter what their preferred social engineering vector. In this talk we will explore what arbitrary creation of synthetic content means for systems of trust. From logging into your computer (Windows Hello for Business) to getting help from customer service, machine learning models are already being used to make decisions that have implications for trust. We will discuss some of the risks to be considered when implementing or using these systems, what detections might look like, and how we might be better prepared to defend than it seems.

Healthcare is a critical societal service but it is also one of the most cyberattacked today. In this domain, digital identities are very diverse and there are many challenges pertaining to the appropriate measures to protect them. From the high value of a health record, to the low budget and low expertise in the area of cybersecurity, together with the stress caused by the pandemic, the healthcare domain is facing now, a cyberattack pandemic. Digital identities in healthcare need to be more adaptable, dynamic, resilient and, most importantly, Risk-Aware. From identification, to authorization and access control, creating and managing digital identities need to be performed according to the characteristics and requirements of a specific healthcare ecosystem, and the risk it encompasses, at a specific moment. Moreover, can we make digital identities in healthcare Risk-Aware, as well as Trust-Centered?

Memory forensics allows first responders to extract relevant information from RAM. Interesting information, like the URL of an attackers command & control server is often obfuscated while the program is stored on disk. The information is decoded, while the program is running. A thorough analysis of the computers RAM will not reveal an IOC like command servers URL, but also other artefacts of an attackers activity. This presentation shows how Volatility can be used for an analysis. Results include, but are not limited to artefacts of DLL injection, network connections, API hooks.

According to European legislation 80% of the electricity meters rolled out to consumers by 2024 are required to be smart meters, as a part of the ‘smart grid’ concept. While the deployment of the electrical ‘smart grid’ infrastructure increases its functionality, at the same time the risk associated with its operation increases i.e. through substantial extension of potential cyberattack surface. Hence the security testing of such solutions as Advanced Metering Infrastructure (AMI) and Smart Meters as well as their security controls must be of the highest standards. The presentation goes through cybersecurity control mechanisms that act as a countermeasure for most common and critical misconfigurations and vulnerabilities in Advanced Metering Infrastructure. Based on recent engagements’ results security research team prioritized, designed and verified efficiency of security capabilities that when introduced to Advanced Metering Infrastructure and Smart Metering project scope and architecture design are able to mitigate risks stemming from overall solution complexity and fragmentation.

Can we avoid blaming the user by stopping a phishing campaign before it is even launched? Well, this talk will discuss multiple techniques to detect and block the attack before the mail lands in the inbox of your employee. By first analyzing how Red Teams and adversaries set up phishing campaigns, we zoom in on what OPSEC mistakes can be used to the advantage of Blue teams. We define techniques to detect malicious domains that are targeting your organization and further use NetLoc intelligence to correlate these to related threat infrastructure. Based on the defense in depth principles Blue Teams can implement additional security controls to prevent mails from reaching the inbox of their organization. Through practical demos and real-life examples, attendees will learn how to block adversaries during multiple stages of a phishing campaign.

The INSIEME project of the Federal Tax Administration (ESTV) was stopped in 2012 after 12 years and an investment of 116 million CHF. Studying the news coverage and the official reports leads to a déjà-vu: All the problems listed in the report are familiar to somebody who has worked on IT projects for many years: INSIEME was not a unique desaster, it was just a manifestation of known problems that are cross-sector and systemic in nature.

Security projects are at least as complex as „normal” IT projects. The challenges include project and people management, strategic governance as well as framework conditions. Security projects are therefore subject to similar or even identical mechanisms and difficulties as other IT projects. Working out typical mistakes and omissions of failed Swiss IT projects can help your work as CISO, security officer or tech lead in IT security projects.

Digital identities have evolved from the proverbial audible challenge that was called from the castle gates, “Who goes there?” There was little to be able to discern the validity of the identities provided. Jumping through time to 1962 we saw the advent of the password protected system. We were still in a state of being unable to verify the user identity of the password. Moving to biometrics, multi-factor authentication and passwordless technology has demonstrated that tools to authenticate digital identities are improving. When we factor nefarious technologies such as deep fakes and conversely future looking technology such as DNA data storage, we see that the need for governments to take the lead on digital identities is of paramount importance.

Stephan Berger, Head of Investigations at InfoGuard, will share insights from recent InfoGuard CSIRT security incidents and present the seven biggest security failures of companies that still open the door to attackers far too often.

We have grown used to reading about cyberattacks on a daily basis: stolen data sets, encrypted files and backups, business interruptions and payment of ransoms. Companies have been made aware that they must continuously develop their protective measures and nonetheless prepare for the worst-case scenario. Establishing incident response plans and recovery plans and practicing them in tabletop exercises is becoming the norm. Now is exactly the time to engage with the topic of resilience in the context of cyber incidents. Do we really have to switch everything off in an emergency? Doing so will certainly lead to the disruption of all business processes if this is not yet the effect of the attack. Isn’t there a way to think in advance about how (limited) operations can continue despite a compromise to make sure that you don’t have to send all your employees home? This would at least reduce the extent of the damage. In this presentation, I’ll show you what we’ve learned from several cyber incidents we’ve assisted with to help you improve your resilience and preparedness.

In the cybersecurity space we see more and more automation tools that promises to identify and prevent malicious threats. They do a great job at automatising repetitive and boring tasks but most of the time they fail to give a complete picture of the threat and some criminals leverage this for their gain. In this talk we will have a look at how we can combine automated analysis tool and manual analysis to have more insight on the actual threat. It will include some techniques used by criminals to bypass automated defence mechanism and the steps an analysts can follow to fully eradicated the threat. Automated analysis tools are not a silver bullet, just one more weapon in the defence arsenal of your company that needs to be yielded by trained soldiers.

Most Security Operation Center work with use-cases to manage their detection and response capabilities. When it comes to the use-case development many organizations turn to the MITRE ATT&CK Framework as a starting point. Even though ATT&CK is not a use-case framework, as it was originally developed as a taxonomy tool for threat intelligence. But it has a valuable information we can use to identify and prioritize potential detection use-cases. Identifying the use-cases is an important first step. But how are we ensure the use-cases are implemented in a timely fashion. We then need to prioritize and ensure that we adapt our prioritization to changes in the threat landscape and the business environment. This is where methods and principles of the agile software development can help us. In this talk I will show you how to combine a data-based method to prioritize ATT&CK techniques with ideas from the agile software development for their implementation. With this approach you can ensure an efficient use of your resources and focus on the right use-cases at the right time. The agile methods will allow you to constantly grow and evolve your detection capabilities.

Attacker perspectives, as well as the methods used by hackers, will be discussed. The possible execution paths and results of phishing campaigns, physical intrusions, compromises of applications and infrastructure are presented with real-life examples. All these different options are reconciled within the different stages of hacking large organizations.

The number and complexity of cyberattacks have increased rapidly in recent years. Cybercriminals are always finding ways to penetrate corporate networks, whether through malware, third-party applications, legacy systems, or phishing emails to employees. In order to uncover security vulnerabilities and stop cyberattacks before the organisation is harmed, enterprises require reliable detection solutions. In this regard, Network Detection and Response (NDR) is a holistic approach to monitor network traffic and detect anomalies that indicate potential cyberattacks. Exeon’s NDR solution uses AI-driven metadata analytics to monitor the entire IT/IoT/OT network, automatically detect cyber threats, and provide an early response to incidents in on-premises or cloud environments – completely hardware-free, deployable in hours, and proven in global enterprise networks.

Zero days, vulnerabilities, threat actors and APT groups - day by day new threat actors and sophisticated attack procedures evolve. Depending on the motivation and high-level goals, threat actors might target their attacks to specific or as many targets as possible. Easy access to the required tools makes it even feasible for non- professional threat actors to get into the business. Proactive hunting for threats and patterns is crucial to the initial detection of ongoing attacks. In this session, we will outline the main aspects of threat hunting and identify post-detection steps to pursue a Security professional’s main goal; to turn the table and become the hunter instead of the hunted.