Agenda (Eastern Timezone)

Time

Session

16:00

Opening Remarks

Roberto Rodriguez @Cyb3rWard0g, Principal Security Researcher Manager, Microsoft

16:10

Keynote - Barn Raising: Building a Community Around Jupyter Notebooks for DFIR, SecOps, and Detection Engineering Teams

This talk is a retrospective on how my organization grew a community of notebook users across DFIR, SecOps, and detection engineering teams and how notebooks became core to our workflows. We will share some of the challenges when trying to convince an organization to adopt Jupyter notebooks and the paved roads that were helpful to support the range of use-cases. Lastly, we will evaluate the positive and negative impacts from operationalizing notebooks at scale.

Ryan Marcotte Cobb @detectdotdev, Principal Security Researcher, Secureworks

16:45

Break

16:50

Graphing Ransomware & Data Leak Sites Trends with Plotly

This talk delves into analytics of data leak sites using RansomWatch’s open-source data. We employ Plotly for crafting high-quality, interactive visualizations, such as heatmaps, to uncover trends in ransomware attacks and examine group rebrandings.

Colin Cowie @th3_protoCOL, Threat Intelligence Analyst, Sophos

17:10

Threat Hunting in Three Dimensions

Threat hunting often demands capabilities beyond the scope of traditional SIEM platforms. This presentation showcases a threat hunting workflow that leverages Jupyter for rapid, iterative, and visual analysis of complex data. By tapping into humans’ innate understanding of three dimensions, we will demonstrate how to calculate and re-calculate metrics and distances between data points. Specifically, we focus on comparing attributes of Google Chrome Extensions for similarity in Euclidean space, allowing interactive exploration of data and a deeper understanding of relationships between data points. This approach helps uncover instances of masquerading within the extensions.

Ryan Fetterman @iknowuhack, Security Researcher, Splunk

17:30

Hacking Proprietary Protocols with Pandas

Proprietary protocols are typically a mystery to many practitioners. Vendors across many industries develop them for very specific purposes and technologies. We see them in everything from the Internet of Things (IoT), to Industrial Control Systems (ICS), to medical devices and more. Since there is generally no public Request for Comments (RFC) or public disclosure on how they work, they present an opportunity for attackers and a challenge for defenders. In this presentation, Ismael Valenzuela will present how defenders can tackle these unknown protocols to detect or flag unusual behavior in this traffic, using Jupyter notebooks and Python libraries like pandas, NumPy and Matplotlib for data exploration and visualization.

Ismael Valenzuela @aboutsecurity, VP Threat Research & Intelligence, Blackberry

18:05

Break

18:10

Red Teaming LLMs with Jupyter Notebooks: A Practical Guide

Large language models (LLMs) are powerful tools for natural language generation and understanding, but they also pose significant challenges and risks. To ensure the safety and reliability of LLMs, it is essential to test them on various security and safety aspects. However, testing LLMs manually can be time-consuming and inefficient. In this talk, we present an approach for red teaming LLMs using Jupyter Notebooks. We show how Jupyter Notebooks can be used to iterate and vary attack techniques to maximize coverage, as well as connect to LLMs to help in developing attacks. We discuss the benefits and limitations of our approach, as well as the best practices and recommendations for red teaming LLMs via Jupyter Notebooks.

Pete Bryan @PeteABryan, Principal AI Security Researcher, Microsoft

18:30

From Idea to Action: Building Data-Driven Security Tools with Streamlit

In the rapidly evolving landscape of cybersecurity, the ability to prototype and deploy effective tools swiftly has become increasingly important. This talk will delve into the power of Streamlit, a versatile Python framework, in accelerating the development of data-driven security tools and prototypes. Streamlit offers a streamlined approach to building interactive web applications without the complexities often associated with traditional development methods. In this session, we will explore how Streamlit differs from conventional tools like Jupyter Notebook, highlighting its advantages in terms of speed and usability. The core of the discussion will revolve around leveraging Streamlit to rapidly set up data-driven tools for Security Operations Centers (SOC). We will delve into practical use cases where Streamlit can be employed to enhance SOC operations, from visualizing real-time threat intelligence to simplifying incident response workflows. To provide a holistic understanding of Streamlit’s capabilities, we will conclude the talk with an end-to-end practical use case related to security. This case study will illustrate how to conceptualize, design, and deploy a security tool using Streamlit, offering attendees actionable insights that they can immediately apply to their security projects.

Ashwin Patil @ashwinpatil, Senior Security Researcher, Microsoft

19:05

Break

19:10

Guardians of Identity: OKTA’s Underworld

Threat Hunting OKTA Logs at Scale using Jupyter. I’ll be discussing some strategies which could be adopted by a mature SOC to start looking for threats in their IAM environment. The notebook would contain detections and some ideas about looking at logs using visualizations.

Kai Iyer @kaiiyer, Senior Security Engineer, EY Canada

19:30

Comparison of collaboration methods between MSTICpy and Splunk SIEM

Method 1 is simply to use msticpy’s Query Provider and Uploader. Method 2 is to use the Splunk DSDL App for data transferring to Jupyter, and msticpy for analysis only. There are advantages and disadvantages case by case. On the other hand, we have no worry about the choice in MS Sentinel, which has a highly compatible method by using “Microsoft Sentinel ML Notebooks”. Audiences can take away an understanding of the Splunk DSDL mechanism and the pros/cons of these methods.

Tatsuya Hasegawa @T_8ase, Threat Hunter, GoAhead

19:50

Ghostly privileged - Tale of Transitive privileges on Azure

In today’s complex IT environments, it’s not enough to simply limit access to resources. Transitive relationships between resources can create hairline vulnerabilities that can be exploited by attackers. That’s why we propose to share the importance of access check relationships inside Azure services and demonstrate how we can use them to proactively detect potential security vulnerabilities. For instance, user A has access to a VM [MSI] and this MSI has access to a Keyvault. It’s hard to identify that User A has access to Keyvault (or any other resource). However, if not properly managed, they can create unintended access paths and increase the risk of privilege escalation attacks. We’ll show how to use already present data to identify and manage these relationships to reduce the risk of security breaches. The notebook that will be presented can be used to identify transitive relationships that end up being highly privileged. This is done using Graph (Python network graphing module), pandas (for data structuring), and the Azure API (for fetching data).

Pallavi Kumari Jha, SEC DETECTION & ANALYTICS ENG, Microsoft

20:10

Jupyter Universe: Buckle Up for Notebooks Exploration!

Throughout the past few years, Jupyter has become a popular tool within the security community because it can easily be used by others to leverage different capabilities. Notebooks are shareable and reusable, and they improve collaboration and workflow. There are many use cases available, and for sure, there is one for you. In this talk, I want to offer the community the key to start or improve their journey with notebooks. Welcome to the Jupyter Universe!

Thomas Roccia @fr0gger_, Senior Security Researcher, Microsoft

20:30

Closing Remarks

Roberto Rodriguez @Cyb3rWard0g, Principal Security Researcher Manager, Microsoft

Time

Session

11:00

Opening Remarks

Roberto Rodriguez @Cyb3rWard0g, Principal Security Researcher Manager, Microsoft

11:10

Infosec Generative AI: Python Notebooks are Dead, Long Live Python Notebooks!

To predict the generative AI future of notebooks and Python in the SOC and for security operations in general, this talk first looks into the past. Project Jupyter is celebrating its first decade, and their success with Jupyter Notebooks has been an inspiring journey in helping teams more easily adopt automation, GPUs, data science, and open source. With many teams facing priorities like security data lakes, SOAR automation, threat hunting visibility & IR playbooks, better detection engineering, and overall “do more with less”, incorporating Python-powered methodologies has become an even more important enabler. However, the effectiveness of notebooks in the SOC - and Python in general - has all too often been limited to a limited number of code-centric teams and a frustratingly small number of workflows within a deployment. This talk explores the challenges we’ve experienced in the field, and connects them to what is happening in generative AI and how tools like http://Louie.AI are prompting a reassessment of foundational assumptions in how we use Python. Focusing on field stories and live demos, the talk should give a concrete view of the new emerging era for Python and notebooks in security operations.

Leo Meyerovich @lmeyerov, CEO & Founder, Graphistry

11:45

Break

11:50

Cleaning time: A defensive journey through Active Directory with Bloodhound CE, Jupyter and Python

Delve into an investigation of Active Directory misconfigurations utilizing a Jupyter notebook and Python, interfacing with Bloodhound CE APIs. This research addresses the challenges of identifying and prioritizing security risks in AD, shedding light on the historically manual and often impractical nature of these tasks. Learn about the efforts to streamline and automate the process, making domain cleanup more feasible and efficient.

Luis F Monge Martinez @Lukky86, Endpoint and Active Directory Security Lead, European External Action Service

12:10

Unveiling the Power of Google Dorks: A Stealthy Approach to Employee and Email Discovery in OSINT

Advanced Google search queries (dorks) unveil an untapped realm for OSINT exploration. This lightning talk delves into the nuances of this powerful information-gathering technique, offering insights beyond conventional approaches.

Xavier Marrugat @hck4fun, Cybersecurity Engineer, i2Cat

12:20

Hunting the Yeti on Jupyter: A practical exploration of the YETI platform using notebook for Threat Intelligence

YETI is an open source threat intelligence platform storing data in a graph database. It implements a REST API giving access to all stored data, which can then be reused in your hunting notebook to build nice visualisation graphs. This short presentation will demo what’s possible to achieve with Yeti in a notebook and highlight some nice Python libraries to play with graph data.

Fred Baguelin @udgover, Senior Security Researcher, Datadog

12:40

Break

12:45

MISP playbooks, common use-cases to interact with the MISP threat intelligence platform

This talk is about the MISP playbooks. These playbooks address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP. They are published on MISP/misp-playbooks. The MISP playbooks combine PyMISP (Python library) with Jupyter notebooks and MISP. This talk will have these sections:

- 6’ Introduction. Introduction to MISP, PyMISP, MISP modules and how MISP playbooks glue this together. Overview of what’s available on the GitHub repository (playbooks and documentation).
- 3’ Getting started. What do you need? Structure/format/skeleton of a playbook.
- 6’ Demo of using MISP playbooks. How to query for data in MISP. Create a MISP threat event via a notebook. Update data in MISP. Use the MISP extension modules in a notebook. The demo is done against a local MISP instance filled with OSINT threat data.

Koen Van Impe @cudeso, Security Analyst, cudeso.be

13:05

Applying Risk scoring to Atomic Signals

In a traditional Security Monitoring Use Case Development framework, the detection signals are often written with limited criteria, lacking context of the entity or threat. This makes it challenging to correlate individual alerts, evaluate their impact and risk, and ultimately leads to a failure in detecting genuine threats and formulating effective response actions. To address this challenge, we will implement a risk scoring model that assigns scores to organizational assets, identities, entities, or custom attributes. This scoring will be based on a metric system using a simple formula that considers three variables: severity, impact on the asset or identity, and a risk modifier. The risk modifier takes into account factors such as admin user privileges, presence of an IOC (Indicator of Compromise), prevalence score of a binary, or a known attacker tool. By decorating the alerts with the calculated risk score and the factors that influenced it, along with additional metadata about the asset, identity, or other relevant data types, we can transform the alert information. This transformed alert data can then be utilized to develop detections based on exceeding a threshold score within a specified timeframe (e.g., x days or hours) for a specific object like a risk factor or an entity (e.g., hostname, IP, asset ID/name, username, etc.). Implementing this approach will result in high-fidelity detections that enable prioritization of triage and response efforts, ensuring a more effective and efficient security response.

Swarup Pattnaik @swaruppattnaik, Leader Cyber Defense Operations, BrightDrop

13:40

Break

13:45

Enable Vulnerabilities with Audit Vulnerabilities

Organizations must recognize that even vulnerabilities with lower severity ratings can be critical in a chain of attacks. Adversaries often use a combination of low and medium severity vulnerabilities to create a pathway for more significant exploits. Therefore, it’s essential to address these vulnerabilities promptly and incorporate them into regular security training and adversary simulation exercises. By simulating attacks that exploit these vulnerabilities, organizations can better understand potential attack vectors and strengthen their defenses accordingly. This proactive approach is key to maintaining robust security in an ever-evolving threat landscape.

Reza Rashidi @rezaduty, Security Researcher, Hadess

14:20

Cybersecurity: Data, the Seeds of Chaos

This talk is about our recently published book (the third one) “Cybersecurity: Data, the Seeds of Chaos”. The objective is to present to the audience the five open-source projects that are included in each chapter of the book. Some of the projects that are going to be presented are a chatbot for gathering information from OSINT tools, an example of prompt hacking, and an adversarial machine-learning model for ransomware. All the projects were developed using Python and Jupyter Notebook and can be found at the following URL: i2tResearch/Ciberseguridad_web. The book is free and can be found here: https://www.icesi.edu.co/editorial/ciberseguridad-datos-caos/

Christian Camilo Urcuqui Lopez @ulcamilo, Senior Data Scientist, Globant

14:40

Break

14:45

Winbindex Oracle - Predicting Windows Binary Download Links with Jupyter Notebooks

Microsoft provides the ability to download individual binaries directly from Microsoft to support debugging via a public symbol server. Winbindex is an open-source project that indexes these download links for Windows OS binaries. Winbindex can generate these links by parsing Microsoft binaries, as links can be generated if specific attributes of a binary (build date, hash, etc.) are known. As a security researcher, having the ability to download an arbitrary Microsoft binary with a specific version enables research techniques such as patch diffing. What if these links could be generated without having to download the actual binaries? What if we could create a Winbindex oracle? Come find out how we can combine partial file information from Microsoft Update Manifest Files and leverage Jupyter Notebooks to predict file download links to enable security research.

John McIntosh @clearbluejar, Security Researcher, ClearSec Labs

15:05

Panel