Why defensive research is sexy too..
… and a real sign of skill
and 21 subliminal* facts about NCC
Before we begin… Hopefully not a lesson in sucking eggs
Before we begin… Who is NCC?
• 100 million GBP revenue FTSE company
• Cyber Security Assurance Practice
  • 180 UK technical assurance consultants
    • applied research
    • technical security assessments
    • cyber forensics incident response
  • 50 UK risk / audit consultants
  • 90 US technical assurance consultants
• Escrow & Software Assurance = sister BUs
Offence v Defense
Why Offensive Research is Easy*
• Time, money, capability
• Usability
• Technology diversity / fragmentation
• Technology mono-cultures / near mono-cultures
• Technology life-cycles
• Developers
• Implementers / Integrators
• End-users
Fact 1: NCC has games consoles and/or arcade machines in all technical offices!
Why We do Defensive Research
• Drive down costs
• Keep aggressors out
  • system / software design, build and operate
• Minimize the impact when that fails
  • defence in depth / resilience / aid clean-up
• Know what happened and clean up
  • audit, forensics, loss measurement and recovery
• Understand what is happening
  • threat intel / exposure etc.
Fact 2: the author of !exploitable v2 works for NCC in Cheltenham
Applied Defensive Research can be*
• Reactive
  • Tangible threat / needs
    • organisations / users feeling pain
    • demonstrated financial / data loss / compromise
  • Easiest to demonstrate ROI for
    • addresses concerns / gaps
    • known market to sell solutions for
• Pro-active
  • academia**
  • domain of the few
Fact 3: author of the browser hackers handbook works for NCC in Australia
Applied Defensive Research is Broad
• Hardware
• Operating systems
• Programming languages
• Compilers
• Libraries / frameworks
• Features / integration
• Human sciences
• Models and data analysis
• Algorithmic
• Standards
• Design patterns
• Implementation
• Build
• Deployment
• Sustainment
Fact 4: we have a massive UK tech team (> 150) which only results in awesome!
Examples of the Arms Race
Defence v Offense
XSS
• Types
  • traditional (basic?) XSS
  • domXSS – example of refinement
• Game of: source v sink
• Solutions thus far:
  • Internet Explorer XSS protection feature*
  • Content Security Policy*
  • DOMPurify**
Status: PARTIALLY SOLVED
Fact 5: NCC works on everything from SCADA to ATMs to cars to web apps
SQL Injection
• Input validation
  • black-listing / white-listing
• Non verbose error messages*
  • blind etc.
• Parameterisation
• Abstraction / NoSQL
Status: PARTIALLY SOLVED
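The three defences the slide lists (black-listing, white-listing, parameterisation) behave differently on the same input. The following is an added example, not code from the slides: it runs one numeric lookup through each approach against a constructed in-memory SQLite table, showing why black-listing alone leaves the problem only partially solved while parameterisation fixes the query structure before any input is seen.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """No validation: the untrusted value is spliced straight into the SQL text,
    so it can rewrite the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_blacklist(conn: sqlite3.Connection, user_id: str) -> list:
    """Black-listing: refuse the characters the defender thought of, then concatenate.
    Only partially effective: an id compared as a number needs no quote at all."""
    for bad in ("'", '"', ";", "--"):
        if bad in user_id:
            raise ValueError("rejected by black-list")
    return lookup_concat(conn, user_id)


def lookup_whitelist(conn: sqlite3.Connection, user_id: str) -> list:
    """White-listing: accept only the shape a valid id can have (digits), then concatenate.
    Effective for this field, but every field needs its own rule and each rule can be wrong."""
    if not user_id.isdigit():
        raise ValueError("rejected by white-list")
    return lookup_concat(conn, user_id)


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterisation: the value travels separately from the statement text, so the
    query structure is fixed before the input is seen; the input can only ever be data."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def compare(user_id: str) -> dict:
    """Run the same input through each defence; 'refused' means the input was rejected."""
    conn = make_db()
    results = {}
    for name, fn in (("concat", lookup_concat), ("blacklist", lookup_blacklist),
                     ("whitelist", lookup_whitelist), ("param", lookup_param)):
        try:
            results[name] = fn(conn, user_id)
        except ValueError:
            results[name] = "refused"
    return results


if __name__ == "__main__":
    print(compare("2"))          # every approach returns ['bob']
    print(compare("1 OR 1=1"))   # concat and blacklist return both users; param returns []
```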
Fact 6: 1K GBP bonuses for publishing whitepapers at NCC
Malicious Code
• Malicious code arrives
• Signature AV
• metamorphism / packers
• rootkit / bootkits
• Signature AV, unpackers, rootkit detection
• signing of binaries
• in process injection
• Behaviour monitoring
• fragmented behaviour
• Reputation – stolen identity
Fact 7: you get utilisation credits (like client work) for research at NCC
Memory Corruption
• Stack
  • cookies / variable re-ordering / multi stack / NX
• Heap
  • cookies / out of band* / NX
• SafeSEH
  • compatibility holes
• ASLR
  • compatibility holes
  • weak entropy / exhaustion
  • information leaks*
Fact 8: NCC loves publishing its tools as open source - http://github.com/nccgroup
Memory Corruption
• Kernel executing code from userland
  • SMEP – Supervisor Mode Execution Prevention*
• Kernel accessing data in userland
  • SMAP – Supervisor Mode Access Protection*
• ROP
  • call flow analysis
  • gadget less code
• Plus many more
  • PaX, EMET, BlueHat prize etc.
Fact 9: suits are for client sites not our offices.. unless you want to of course!
Code Review
• Grep / Lint
  • comedy basic, false positives, noisy
• Taint analysis
  • compilation / parsing of code
  • procedural / intra-procedural
• Gamification
  • formal verification
  • http://www.cs.washington.edu/verigames/
Status: PARTIALLY SOLVED
Fact 10: the early Samba domain protocol breakthrough was done by an NCCer
Sandboxing
• Constrain a process not to do bad stuff*
  • chroot escapes etc.
• Many levels
  • File system
  • Network
  • IPC
  • System calls
• Whilst maintaining compatibility*
Status: PARTIALLY SOLVED
Fact 11: we employed 7 graduates last year, we’re aiming for 20 this year
Protective Monitoring
• IDS / IPS
  • stream reconstruction
  • OS specific fragmentation behaviours
  • many methods of encoding
  • encryption
  • maintaining pace with network speeds
  • .. etc
Status: PARTIALLY SOLVED
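Why "stream reconstruction", "OS specific fragmentation behaviours" and "many methods of encoding" all sit on the IDS/IPS list: a signature that is plainly present in the request the host sees can be invisible to a monitor that inspects segments one at a time or skips a decoding layer. The following is an added example, not code from the slides; the signature, the HTTP request and its out-of-order TCP segments are all constructed for the demonstration.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: a content signature and one HTTP request split into three TCP
# segments (sequence number, payload) that arrive out of order. Not from the slides.
SIGNATURE = b"/etc/passwd"
PACKETS = [
    (28, b"%2fpass"),
    (0, b"GET /view?file=..%2f..%2fetc"),
    (35, b"wd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def match_per_packet(packets, signature: bytes) -> bool:
    """The naive detector: look for the signature inside each segment on its own."""
    return any(signature in payload for _, payload in packets)


def reassemble(packets, overlap: str = "first") -> bytes:
    """Stream reconstruction: order segments by sequence number and join them.
    Overlapping bytes are resolved by policy ('first' keeps the earlier copy, 'last'
    the later one) because the receiving OS decides which copy it honours, and a
    monitor that models the wrong policy sees a different stream than the host does."""
    stream = bytearray()
    for seq, payload in sorted(packets, key=lambda p: p[0]):
        if seq > len(stream):
            raise ValueError(f"gap in stream before sequence {seq}")
        already = len(stream) - seq  # leading bytes of this segment seen before
        if already and overlap == "last":
            stream[seq:seq + len(payload[:already])] = payload[:already]
        stream += payload[already:]
    return bytes(stream)


def normalise(data: bytes) -> bytes:
    """Undo one encoding layer (percent-encoding) so the signature becomes comparable."""
    return unquote_to_bytes(data)


def detect(packets, signature: bytes) -> dict:
    """Run the three inspection stages and report which of them see the signature."""
    stream = reassemble(packets)
    return {
        "per_packet": match_per_packet(packets, signature),
        "reassembled": signature in stream,
        "decoded": signature in normalise(stream),
    }


if __name__ == "__main__":
    # Only the reassembled and decoded stage matches: {'per_packet': False,
    # 'reassembled': False, 'decoded': True}
    print(detect(PACKETS, SIGNATURE))
```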
Fact 12: we have internal training for infra to web apps to threat modelling to code
Response / Threat Intel: Forensics
• Physical versus logical acquisition
  • many devices / OSes
• Memory forensics
• Structured / unstructured data analysis and correlation
• Application of expert systems / inference engines
  • Non fancy name of AI (includes knowledge bases)
Status: PARTIALLY SOLVED
Fact 13: we don’t have time sheets! and our expenses are electronic!
Threat Intel: Honey Pots
• Make them discoverable
  • darknets / seeding
• Make them attackable
  • network, web, mobile etc.
• Make them look real enough
  • emulate, real tin, simulate, virtualize
• Make them tempting enough
• Make them indistinguishable
Fact 14: all of the first two grades of management are ex technical doers*
Hot Patching
• How to patch security vulns without restarts
• Research
  • Code injection*
  • Compiled function structure
    • MOV EDI, EDI – two byte NOP
• Security
Status: PARTIALLY SOLVED
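The "MOV EDI, EDI – two byte NOP" bullet is about compiled function structure: a function can be patched without a restart only if its first instruction is a replaceable two-byte NOP and the linker left enough filler bytes before it for a long jump. The following is an added example, not code from the slides: it audits constructed 32-bit x86 code bytes and reports, for each function, whether that layout is present and why not if it is missing.

```python
# Constructed x86 (32-bit) code bytes for the demonstration; not from the slides.
MOV_EDI_EDI = b"\x8b\xff"       # the two-byte NOP the slide refers to
PADDING_BYTES = {0xCC, 0x90}    # INT3 or NOP filler emitted before a function
BODY = b"\x55\x8b\xec\x5d\xc3"  # push ebp; mov ebp, esp; pop ebp; ret
MIN_PADDING = 5                 # room for one 5-byte long jump


def build_image():
    """Lay out three functions with different prologues; return (bytes, {name: offset})."""
    image = bytearray()
    funcs = {}

    def add(name: str, padding: int, code: bytes) -> None:
        image.extend(b"\xcc" * padding)
        funcs[name] = len(image)
        image.extend(code)

    add("f_ok", 5, MOV_EDI_EDI + BODY)         # hotpatchable layout
    add("f_short_pad", 2, MOV_EDI_EDI + BODY)  # two-byte NOP but too little filler
    add("f_no_nop", 5, BODY)                   # ordinary prologue, no two-byte NOP
    return bytes(image), funcs


def padding_before(image: bytes, off: int) -> int:
    """Count filler bytes immediately preceding offset `off`."""
    n = 0
    while off - n - 1 >= 0 and image[off - n - 1] in PADDING_BYTES:
        n += 1
    return n


def check_hotpatchable(image: bytes, off: int) -> tuple:
    """Why the layout matters: a hot patch replaces the two-byte NOP with a two-byte
    short jump into the filler, where a long jump to the replacement code lives. The
    two-byte write is atomic, so running threads never execute a torn instruction, and
    the function body itself is untouched. Both pieces of room must therefore exist."""
    if image[off:off + 2] != MOV_EDI_EDI:
        return False, "first instruction is not MOV EDI, EDI (no two-byte NOP to replace)"
    pad = padding_before(image, off)
    if pad < MIN_PADDING:
        return False, f"only {pad} filler bytes before the function, need {MIN_PADDING}"
    # displacement of the short jump: from the end of the NOP back to the filler start
    rel8 = (off - MIN_PADDING) - (off + 2)
    return True, f"hotpatchable: short jump displacement {rel8} reaches the filler"


def audit(image: bytes, funcs: dict) -> dict:
    """Check every known function and return {name: (hotpatchable, reason)}."""
    return {name: check_hotpatchable(image, off) for name, off in funcs.items()}


if __name__ == "__main__":
    img, fn = build_image()
    for name, (ok, why) in audit(img, fn).items():
        print(f"{name:12s} {'yes' if ok else 'no':3s} {why}")
```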
Fact 15: we work with our US and Australian teams jointly on projects
DRM
• Software based DRM
  • cracks
• Geography specific based DRM
  • cracks but constrained
• Hardware augmented DRM
  • crack
• Hardware DRM / CAC
  • cracks / duplication
Status: PARTIALLY SOLVED
Fact 16: NCC has tech offices in Manchester, Leatherhead, Chelly and Milton Keynes
Brain Food
…
Challenges
• User and consumer cyber security awareness
• Practical cyber security in start-ups and other resource constrained environments
• Cyber incident remediation, clean-up, impact measurement and quantification
Fact 17: we have two service-lines launching this year designed by consultants
Phishing
• Human science
  • Humans just want to get stuff done
  • Humans are nosey
  • Humans like flattery
• Smart(er) technology
  • When Bayesian filters fail
• etc..
Fact 18: each office has a monthly techy presentation afternoons & social evenings
Forensics
• Storage Reduction for Network Captures
• High Performance Captured Network Meta Data Analysis
• Network Capture Visualization
• Automated Net Flow Heuristic Signature Production
• Forensic Memory Resident Password Recovery
• Application of Location Services in Data Forensics Investigations
Fact 19: you get free fruit* at work - *we wish it was chocolate
Throw Away Home Automation
• Cheap embedded systems
  • some shown to have backdoors
• Range of impacts if owned
  • danger to life*
  • privacy
  • security
  • financial
Fact 20: we may be big but that comes with certain benefits (e.g. lab admins)
… everything else …
• stopping Terry from using sprintf*
• automatic CSP generation and refinement
• attack surface mapping / visualisation
• micro virtualized OS secure design
• defensive software defined networking
• anti-anti-forensics
• making Linux security features useable for low skilled vendors
• etc..
Fact 21: we love CVs e-mail colin.gillingham@nccgroup.com (he’ll thank me later)
The Reward for Doing Defensive Research…
…many…
• No BBC articles
• Frustration when people don’t use it and then get owned
• Maybe 200k from Microsoft Bluehat*
• No trips to Vegas
• No world wide con tour
• People complaining when it does work because they didn’t read the manual
Summary
• Defensive research is one of the most rewarding areas
  • you don’t need to be an academic
  • you don’t need to solve world hunger
• Lots of defensive ideas come and go
• The trick is making / getting them:
  • implemented
  • practical
  • scalable
  • cost effective
  • adopted
An Example
TL;DR: Intel implements UDEREF equivalent 6 years after PaX, PaX will make use of it on amd64 for improved performance.
http://forums.grsecurity.net/viewtopic.php?f=7&t=3046
Liked this? BSides Manchester is coming..
Almost Final Thought
“We may be at the point of diminishing returns by trying to buy down vulnerability, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them”
Gen. Michael Hayden (USAF-Ret.), former head of the NSA and the CIA
Final Thought
start small, learn, practice, improve, fail, start again, get better, fail again, start once more, get even better and maybe win!
The future (in an alternate universe)
Defendercon 2015
Showcasing applied defensive research with the pizazz of offensive including the defend2spend competition…
UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Milton Keynes
North American Offices
San Francisco
Atlanta
New York
Seattle
Austin
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Thanks? Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com

(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
ishalveerrandhawa1
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 

Recently uploaded (20)

(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 

Why defensive research is sexy too.. … and a real sign of skill

1. Why defensive research is sexy too.. … and a real sign of skill
   and 21 subliminal* facts about NCC

2. Before we begin…
   Hopefully not a lesson in sucking eggs

3. Before we begin… Who is NCC?
   • 100 million GBP revenue FTSE company
   • Cyber Security Assurance Practice
   • 180 UK technical assurance consultants
     • applied research
     • technical security assessments
     • cyber forensics incident response
   • 50 UK risk / audit consultants
   • 90 US technical assurance consultants
   • Escrow & Software Assurance = sister BUs

5. Why Offensive Research is Easy*
   • Time, money, capability
   • Usability
   • Technology diversity / fragmentation
   • Technology mono-cultures / near mono-cultures
   • Technology life-cycles
   • Developers
   • Implementers / Integrators
   • End-users
   Fact 1: NCC has games consoles and/or arcade machines in all technical offices!

6. Why We do Defensive Research
   • Drive down costs
   • Keep aggressors out
     • system / software design, build and operate
   • Minimize the impact when that fails
     • defence in depth / resilience / aid clean-up
   • Know what happened and clean up
     • audit, forensics, loss measurement and recovery
   • Understand what is happening
     • threat intel / exposure etc.
   Fact 2: the author of !exploitable v2 works for NCC in Cheltenham

7. Applied Defensive Research can be* Reactive
   • Tangible threat / needs
     • organisations / users feeling pain
     • demonstrated financial / data loss / compromise
   • Easiest to demonstrate ROI for
     • addresses concerns / gaps
     • known market to sell solutions for
   • Pro-active
     • academia**
     • domain of the few
   Fact 3: author of the browser hackers handbook works for NCC in Australia

8. Applied Defensive Research is Broad
   • Hardware
   • Operating systems
   • Programming languages
   • Compilers
   • Libraries / frameworks
   • Features / integration
   • Human sciences
   • Models and data analysis
   • Algorithmic
   • Standards
   • Design patterns
   • Implementation
   • Build
   • Deployment
   • Sustainment
   Fact 4: we have a massive UK tech team (> 150) which only results in awesome!

9. Examples of the Arms Race: Defence v Offense

10. XSS
   • Types
     • traditional (basic?) XSS
     • domXSS – example of refinement
   • Game of: source v sink
   • Solutions thus far:
     • Internet Explorer XSS protection feature*
     • Content Security Policy*
     • DOMPurify**
   Status: PARTIALLY SOLVED
   Fact 5: NCC works on everything from SCADA to ATMs to cars to web apps
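The "source v sink" framing and the Content Security Policy bullet above are easiest to see with a concrete policy. The following is an added example, not code from the slides or from NCC: it builds a per-response nonce-based CSP, encodes untrusted input at the HTML sink, and lints a policy for the settings that hand the script sink back to an attacker. The policy strings, the `render_page` template and the finding texts are constructed for this illustration.

```python
import html
import secrets

# Constructed example of a weak policy: 'unsafe-inline' re-enables the inline
# script sink that reflected and DOM XSS depend on, and 'https:' allows script
# from any host on that scheme.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"


def new_nonce():
    """Fresh per-response nonce (128 bits, base64url). Must never be reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_uri=None):
    """Nonce-based policy: only <script> elements carrying this response's
    nonce execute. 'strict-dynamic' lets those trusted scripts load their own
    dependencies, so no host allow-list is needed (CSP3 browsers ignore host
    sources when it is present, which is why 'self' is not listed here)."""
    directives = [
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",   # plugins are another script sink
        "base-uri 'none'",     # stops <base> from redirecting relative script URLs
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


def parse_csp(policy):
    """Parse a CSP header value into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def csp_findings(policy):
    """Return a list of human-readable findings for settings that undo the
    policy's protection against injected script. Empty list means none found."""
    d = parse_csp(policy)
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha")
                            for s in script)
    findings = []
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without a nonce/hash, "
                        "injected inline scripts will run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' lets injected strings reach eval()")
    if any(s in ("http:", "https:", "*") for s in script):
        findings.append("script-src: scheme or wildcard source, any host can serve script")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src not restricted: plugin content is a script sink")
    return findings


def render_page(nonce, untrusted):
    """Sink-side encoding: untrusted text is HTML-escaped before it lands in the
    document, and the page's own script carries the nonce the CSP expects."""
    return (
        "<!doctype html><html><body>"
        f"<p>Hello, {html.escape(untrusted, quote=True)}</p>"
        f"<script nonce=\"{nonce}\">console.log('trusted');</script>"
        "</body></html>"
    )


if __name__ == "__main__":
    print("weak policy findings:", *csp_findings(WEAK_POLICY), sep="\n  ")
    n = new_nonce()
    print("\nhardened header:", build_csp(n, "/csp-report"))
    print("\nrendered:", render_page(n, "<script>alert(1)</script>"))
```

The header value from `build_csp` goes out as `Content-Security-Policy` and the same nonce must be stamped on every legitimate `<script>` tag of that one response; a nonce that is cached or reused across responses gives the protection away.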
11. SQL Injection
   • Input validation
     • black-listing / white-listing
   • Non verbose error messages*
     • blind etc.
   • Parameterisation
   • Abstraction / NoSQL
   Status: PARTIALLY SOLVED
   Fact 6: 1K GBP bonuses for publishing whitepapers at NCC
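To make the "Parameterisation" and "white-listing" bullets concrete, here is an added example (not from the slides or from NCC) that puts the string-spliced query beside its parameterised form on a constructed in-memory SQLite table, with an allow-list check as a second layer. The table, the sample users and the function names are all made up for this illustration.

```python
import sqlite3

# Constructed sample data for the demo; not real credentials.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so the engine
    cannot tell data from code. Returns the names the query matched."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened form: the statement text is fixed and the values are bound as
    parameters, so a quote in the input is just a character inside a string."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def login_allowlist(conn, name, password):
    """Defence in depth: an allow-list on the identifier-like field rejects
    anything that is not plain alphanumerics before any query is built.
    Raises ValueError on rejection."""
    if not name.isalnum():
        raise ValueError("user name must be alphanumeric")
    return login_param(conn, name, password)


def demo():
    """Run the same hostile password through both forms and report results."""
    conn = make_db()
    # The textbook tautology: makes the WHERE clause end in ... OR '1'='1'.
    hostile = "' OR '1'='1"
    return {
        "concat": login_concat(conn, "alice", hostile),  # every row matches
        "param": login_param(conn, "alice", hostile),    # no row matches
        "honest": login_param(conn, "alice", "s3cret"),  # the real login still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>7}: {rows}")
```

The parameterised version is the fix; the allow-list is a cheap extra check for fields that should only ever be identifiers, and the slide's point about terse error messages still applies to the hardened code, since a verbose database error is what turns a blind probe into a readable one.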
12. Malicious Code
   • Malicious code arrives
   • Signature AV
   • metamorphism / packers
   • rootkit / bootkits
   • Signature AV, unpackers, rootkit detection
   • signing of binaries
   • in process injection
   • Behaviour monitoring
   • fragmented behaviour
   • Reputation – stolen identity
   Fact 7: you get utilisation credits (like client work) for research at NCC

13. Memory Corruption
   • Stack
     • cookies / variable re-ordering / multi stack / NX
   • Heap
     • cookies / out of band* / NX
   • SafeSEH
     • compatibility holes
   • ASLR
     • compatibility holes
     • weak entropy / exhaustion
     • information leaks*
   Fact 8: NCC loves publishing its tools as open source - http://github.com/nccgroup

14. Memory Corruption
   • Kernel executing code from userland
     • SMEP – Supervisor Mode Execution Prevention*
   • Kernel access data in userland
     • SMAP – Supervisor Mode Access Protection*
   • ROP
     • call flow analysis
     • gadget less code
   • Plus many more
     • PaX, EMET, BlueHat prize etc.
   Fact 9: suits are for client sites not our offices.. unless you want to of course!

15. Code Review
   • Grep / Lint
     • comedy basic, false positives, noisy
   • Taint analysis
     • compilation / parsing of code
     • procedural / intra-procedural
   • Gamification
     • formal verification
     • http://www.cs.washington.edu/verigames/
   Status: PARTIALLY SOLVED
   Fact 10: the early Samba domain protocol breakthrough was done by an NCCer

16. Sandboxing
   • Constrain a process not to do bad stuff*
     • chroot escapes etc.
   • Many levels
     • File system
     • Network
     • IPC
     • System calls
   • Whilst maintaining compatibility*
   Status: PARTIALLY SOLVED
   Fact 11: we employed 7 graduates last year, we're aiming for 20 this year

17. Protective Monitoring
   • IDS / IPS
     • stream reconstruction
     • OS specific fragmentation behaviours
     • many methods of encoding
     • encryption
     • maintaining pace with network speeds
     • .. etc
   Status: PARTIALLY SOLVED
   Fact 12: we have internal training for infra to web apps to threat modelling to code
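The "many methods of encoding" bullet is the part of the IDS arms race that a few lines can demonstrate: a signature that matches the raw wire bytes misses the same request once it is percent-encoded, so the detector has to canonicalise first. The following is an added example, not code from the slides or from NCC; the request lines, the signature table and the function names are constructed for this illustration.

```python
import urllib.parse

# Constructed sample request lines (web-server log style). The same
# directory-traversal attempt appears in the clear and then percent-encoded,
# including one double-encoded variant; the first and last lines are benign.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /download?file=report.pdf HTTP/1.1",
]

# Constructed signature table: name -> substring to look for.
SIGNATURES = {"path-traversal": "../", "sensitive-file": "/etc/passwd"}


def naive_match(line):
    """Signature check against the raw bytes as they appeared on the wire."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in line)


def normalize(target, max_rounds=3):
    """Canonicalise a request target the way the receiving server would see it:
    percent-decode repeatedly (bounded, so a decode bomb cannot spin us) until
    the string stops changing, then lower-case and unify path separators."""
    s = target
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").lower()


def inspect(line):
    """Signature check after normalisation of the request target."""
    _method, target, _version = line.split(" ", 2)
    canon = normalize(target)
    return sorted(name for name, sig in SIGNATURES.items() if sig in canon)


def run(lines):
    """Map each line to (naive hits, normalised hits) for side-by-side review."""
    return {line: (naive_match(line), inspect(line)) for line in lines}


def evasions_caught(lines):
    """Count lines the raw matcher missed that the normalising matcher flags."""
    return sum(1 for raw, canon in run(lines).values() if not raw and canon)


if __name__ == "__main__":
    for line, (raw, canon) in run(SAMPLE_REQUESTS).items():
        print(f"{line}\n    raw={raw} normalised={canon}")
    print("evasions caught only after normalisation:", evasions_caught(SAMPLE_REQUESTS))
```

The caveat is the slide's own "OS specific fragmentation behaviours" point transposed to encoding: the decoder must mirror what the protected server actually does (how many decode passes, which separators, which charset), otherwise the sensor and the target disagree and the gap becomes either a miss or a flood of false positives.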
18. Response / Threat Intel: Forensics
   • Physical versus logical acquisition
     • many devices OS
   • Memory forensics
   • Structured / unstructured data analysis and correlation
   • Application of expert systems / inference engines
     • Non fancy name of AI (includes knowledge bases)
   Status: PARTIALLY SOLVED
   Fact 13: we don't have time sheets! and our expenses are electronic!

19. Threat Intel: Honey Pots
   • Make them discoverable
     • darknets / seeding
   • Make them attackable
     • network, web, mobile etc.
   • Make them look real enough
     • emulate, real-tin, simulate, virtualize
   • Make them tempting enough
   • Make them indistinguishable
   Fact 14: all of the first two grades of management are ex technical doers*

20. Hot Patching
   • How to patch security vulns without restarts
   • Research
     • Code injection*
     • Compiled function structure
     • MOV EDI, EDI – two byte NOP
   • Security
   Status: PARTIALLY SOLVED
   Fact 15: we work with our US and Australian teams jointly on projects

21. DRM
   • Software based DRM
     • cracks
   • Geography specific based DRM
     • cracks but constrained
   • Hardware augmented DRM
     • crack
   • Hardware DRM / CAC
     • cracks / duplication
   Status: PARTIALLY SOLVED
   Fact 16: NCC has tech offices in Manchester, Leatherhead, Chelly and Milton Keynes

23. Challenges
   • User and consumer cyber security awareness
   • Practical cyber security in start-ups and other resource constrained environments
   • Cyber incident remediation, clean-up, impact measurement and quantification
   Fact 17: we have two service-lines launching this year designed by consultants

24. Phishing
   • Human science
     • Humans just want to get stuff done
     • Humans are nosey
     • Humans like flattery
   • Smart(er) technology
     • When Bayesian filters fail etc..
   Fact 18: each office has a monthly techy presentation afternoon & social evening

25. Forensics
   • Storage Reduction for Network Captures
   • High Performance Captured Network Meta Data Analysis
   • Network Capture Visualization
   • Automated Net Flow Heuristic Signature Production
   • Forensic Memory Resident Password Recovery
   • Application of Location Services in Data Forensics Investigations
   Fact 19: you get free fruit* at work - *we wish it was chocolate

26. Throw Away Home Automation
   • Cheap embedded systems
     • some shown to have backdoors
   • Range of impacts if owned
     • danger to life*
     • privacy
     • security
     • financial
   Fact 20: we may be big but that comes with certain benefits (e.g. lab admins)

27. … everything else …
   • stopping Terry from using sprintf*
   • automatic CSP generation and refinement
   • attack surface mapping / visualisation
   • micro virtualized OS secure design
   • defensive software defined networking
   • anti-anti-forensics
   • making Linux security features useable for low skilled vendors etc..
   Fact 21: we love CVs, e-mail colin.gillingham@nccgroup.com (he'll thank me later)

28. The Reward for Doing Defensive Research… …many…
   • No BBC articles
   • Frustration when people don't use it and then get owned
   • Maybe 200k from Microsoft Bluehat*
   • No trips to Vegas
   • No world wide con tour
   • People complaining when it does work because they didn't read the manual

29. Summary
   • Defensive research is one of the most rewarding areas
     • you don't need to be an academic
     • you don't need to solve world hunger
   • Lots of defensive ideas come and go
   • The trick is making / getting them:
     • implemented
     • practical
     • scalable
     • cost effective
     • adopted

30. An Example
   TL;DR: Intel implements UDEREF equivalent 6 years after PaX, PaX will make use of it on amd64 for improved performance.
   http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

31. Liked this? BSides Manchester is coming..

32. Almost Final Thought
   "We may be at the point of diminishing returns by trying to buy down vulnerability, maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can "self-heal" or "self-limit" the damages inflicted upon them"
   Gen. Michael Hayden (USAF-Ret.), former head of the NSA and the CIA

33. Final Thought
   start small, learn, practice, improve, fail, start again, get better, fail again, start once more, get even better and maybe win!

34. The future (in an alternate universe)
   Defendercon 2015
   Showcasing applied defensive research with the pizazz of offensive including the defend2spend competition…

35. Offices
   UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Milton Keynes
   North American Offices: San Francisco, Atlanta, New York, Seattle, Austin
   Australian Offices: Sydney
   European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)
   Thanks? Questions?
   Ollie Whitehouse, ollie.whitehouse@nccgroup.com