PHDays 11 talks: bootkit infection, sanitizers for the Linux kernel, the new face of OSINT, and phishing on official websites

Positive Hack Days 11 will begin in a matter of weeks. This international forum on practical security will be held on May 18–19 in Moscow. The red and blue teams for The Standoff have already been formed, and we are putting the finishing touches to the cyberrange infrastructure and the conference program.

As per tradition, PHDays will have three big tracks dedicated to countering attacks (defensive), protection through attack (offensive), and the impact of cybersecurity on business. It is our pleasure to present the first talks.

How to detect 95% of attacks covering 5% of threat actors' techniques

Oleg Skulkin, Head of Digital Forensics and Incident Response Team, Group-IB, will analyze a short list of techniques (used by almost all threat actors, no matter their sophistication) based on real-world attack scenarios. This provides detection opportunities even if there is very little data.

IoC scoring

When dealing with indicators of compromise, analysts need to quickly understand the danger posed by the object in question. For this purpose, a special threat intelligence score is used. How exactly the vendor calculates it is often a commercial secret. Nikolay Arefiev, co-founder of RST Cloud, will explain how scoring works using the example of open indicators.

If you have bootkits

When a computer is infected with viruses at the user level, you can use known methods of counteraction that rely on the kernel API. And what if the OS kernel itself or the firmware is compromised? Anton Belousov, Senior Specialist at Malware Detection, Positive Technologies, will talk about potential vectors of infecting BIOS- and UEFI-based systems with bootkits, and explain how to use the Xen–LibVMI–Drakvuf bundle to monitor malware behavior and what events or signs are indicative of an attempt to introduce a bootkit.

Sanitizing the Linux kernel

In his report, independent information security researcher Andrey Konovalov will focus on KASAN implementation and practical usage, but will also briefly cover other sanitizers—the main tools for detecting bugs in the Linux kernel. KASAN detects memory safety issues: out-of-bounds and use-after-free bugs in slab, page_alloc, vmalloc, stack, and global memory.

Open-source intelligence

Andrey Masalovich, CEO, Inforus, will cover 20 practical OSINT techniques leveraging the opportunities of the digital age: image search using neural networks, collecting information from the dark web, detecting cloud storage leaks, tracking a user's digital footprint.

Qualcomm BootROM

Vulnerabilities in BootROM, the most important component of hardware and software security, can lead to attackers gaining full control over the device. Independent researcher Dmitry Artamonov will discuss the role of BootROM in the Android smartphone boot chain. He will also talk about BootROM vulnerabilities of various mobile device vendors, share his experience of getting access to the JTAG interface in a Qualcomm smartphone, explain how to use it to extract the BootROM image from a modern device, and demonstrate successful exploitation of a one-day vulnerability in BootROM.

Phishing on official websites

It is generally believed that phishing relies on fake websites. But what if the site is genuine? Which specific weaknesses allow a legitimate website to be abused in this way? Independent information security researcher Aleksandr Kolchanov will give a number of examples showing that not only small companies but also large banks and airlines easily fall victim to such phishing attacks. He will talk about common and lesser-known problems, including subdomain takeover and attacks on administrators of external services and on URL shorteners.

The co-organizer of PHDays 11 and The Standoff cyberbattle is the Innostage Group. The business partners of the forum are Security Vision, a developer of cybersecurity solutions, Rostelecom-Solar, a national provider of information security services and technologies, and MONT, a distributor of software for any business. The technological partner is Azbuka Vkusa. The partners of PHDays 11 are Axoft, Fortis, ICL System Technologies, InfoWatch, Marvel Distribution, R-Vision, Gazinformservice, Pangeo Radar, Jet Infosystems, Liberum Veritas, IBS Platformix, and USSC.

Stay tuned for more updates!