BruCON 0x0A

BruCON is an annual IT-security conference, held in the historical lecture hall of the University of Gent in October. As a smaller-scale conference without focus on a specific topic, it aims to improve the general state of the information security industry. This year marked the 10th anniversary of its current form, based on the motto “Hacking for Beer” which was supported by its own brew of beer, infused with whisky. As a funny side note, the conference badge included a breathalyzer.

Talks – for a better state of enterprise security

The first day of the conference consisted only of so-called retro talks. These are community selected talks, starting with an introduction given by the current organizational crew and the founding members reminiscing about BruCON’s history.

The talks covered many security-related topics like the security of autonomous vehicles, how to break WiFi security, social engineering and penetration testing/red-teaming. A personal highlight was the talk given by “Zoz” during which he talked about flaws in mobile autonomous devices and the different ways they could be exploited. The second highlight of the day was the social engineering talk from Sharon Conheady during which she explored in detail the methods of social engineering attacks and also gave ideas about what to look for as a defense. In the evening, a Google-sponsored mentor/mentee event was held, which was meant to bring together seasoned information security professionals with people who are inexperienced and new to the field. The overall message of the day was that we should all be focusing more on advancing the information security field without looking down on those who are less savvy about cybersecurity and instead help them to improve.

The second day marked the “real” start of the conference with actual talks and the “official” keynote, held by Haroon Meer. He followed up on with message addressed the day before regarding obstacles encountered when working in the information security field and elaborated on how professionals should continuously try to improve the overall state of security.

The highlight talk this time was about new ways for improving your threat hunting capabilities regarding less established intrusion methods and how to write better signatures against them as well as where to look for related artifacts. This talk enjoyed a great response among the community and was largely discussed and recommended on twitter.

A conference-accompanying CTF challenge was hosted by elttam, a security firm from Australia, and contained a bunch of overall security-related challenges of varying difficulty, starting from a misconfigured Linux instance, in which the flag was only readable by the “FLAG” user or the root administrator and programming code assessment through to exploitation of applications.

The third day was the “hangover” day, following the second day’s evening party. The highlight of this day was actually the last talk on the schedule, which highlighted the usage of “blue-team” techniques and tools for “red-team” penetration testers, including the presentation of the RedELK tool, an ELK-stack based tool for monitoring of blue-team activities in red-teaming scenarios.

CTFs focused on security of OT networks

One of the ICS CTFs was prepared by InSecurity, an industrial security research group. The CTF represented a factory setting with a press, dosing station and furnace. The devices used in this setting came from representative manufactures, namely Schneider Electric, Siemens, Phoenix Contact and Beckhoff, to name just a few.

The first challenge for participating in this CTF was to hack the Wifi in order to get a foothold in the “factory network”. To make this initial challenge easier, a network capture cap file was made available for download. Once successfully connected to the network, the main tasks included searching the network for ICS devices, developing creative ways to break into the devices and getting the actual flags stored on those systems. By doing so, the CTF included a full life cycle of an actual hacker, from reconnaissance and creation of an initial foothold as well as exploitation through to exfiltration of relevant data from the target network. As the conference targets various levels of experience, tools (e.g., for scanning the network for specific OT devices), cheat sheets and general help were provided by the staff on demand.

Other types of physical challenges included picking a lock on a box with a flag, as well as a social engineering “challenge” which simply was just to ask the right staff member.

An additional, online-only CTF was offered at https://cyberot.ninja and focused mainly on challenges in OT-related network traffic analysis, knowledge of protocols used in respective production environments and provided remotely-available, vulnerable devices. This platform was supported by well-known vendors in OT-related defense, including Claroty and Airbus.

Facing a rising wave of OT related attacks, understanding techniques and vectors of adversaries is necessary in order to protect your production assets effectively. These challenges also provided a great opportunity to gain more insight about potential obstacles when defending your network, such as physical security of assets, network segmentation and overall security awareness of staff members, among other things. Furthermore, such insight supports the evaluation of OT-focused security vendors with regard to the relevance of and need for respective solutions.

Apart from various talks and the stated challenges, this year also featured a number of free-of-charge workshops, which focused primarily on (network) forensic topics:

  • The Bro workshop taught basics on how to filter live traffic and traffic recordings with the Bro network analysis tool. Besides teaching network filtering skills, there was also an indepth look at the scripting engine of Bro.
  • The Malware triage workshop focused primarily on dynamic malware analysis with some impulses and hints about how to de-obfuscate malware code. The aim of this workshop was to give the analyst the ability to assess the functionality and severity of given malware.
  • The Network forensic workshop covered the fundamentals of network record analysis with tshark and tcpdump, assessing the severity of network captures with the Security Onion Linux distribution and big-data analysis of network captures with SANS developed SOF-ELK.

All in all, visiting BruCON was both a fun-filled and informative experience. Even though it is a small-scale event, it covers a broad range of topics addressed in talks, workshops, and training accompanied by CTFs and great beer. Even more important, it provides an atmosphere for professionals and security-newbies to get together and exchange ideas and experiences.

A playlist of most of the talks can be found here.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.