Talk 1: Using the “bloodhound” for good and evil
Abstract: Mature companies rate their information and the systems storing this information. I guess everyone agrees that a Domain Controller has a higher criticality (CIA) than a small system hosting a cantina food-plan webserver. But what if an attacker is able to get from this uncritical system to the domain controller in just a few hops using lateral movement and targeted mimikatz to scratch passwords from memory? Also, would you solve a vulnerability faster if you better understood this risk? Within this talk I will show you how to visualise this risk with the tool BloodHound and how Red Teamers can exploit this knowledge.
Talk 2: Managing Team Secrets Effectively
Abstract: People did a great job in making our deployments secure. We already use automated and secured build pipelines and our Clusters and VMs are locked in.
But there is another integral part which often does not get the appropriate attention: the local developer workflow. Whenever we integrate with third-party APIs or multiple services, credentials of any form are necessary. Surely saving these passwords in plaintext inside a GitHub repository won’t fit the purpose. But would an on-premise hosted wiki be safe enough? Or passing around a sticky note with a handwritten password on it?
Any secret that’s ever written to disk or on paper is another attack vector. Not just on production servers or continuous integration, but especially in the developer workflow. If your unencrypted laptop gets stolen or your private source code repository appears to be not so private after all, you’d hope your project’s secrets wouldn’t be compromised.
In this hands-on talk I will show the way we approached this challenge in real-world projects using a few simple and automation-friendly command-line tools.
-------------- additional information at http://www.trustintech.eu/ --------------