16:00 | Opening Remarks
Roberto Rodriguez @Cyb3rWard0g, Principal Security Researcher Manager, Microsoft

16:10 | Keynote - Barn Raising: Building a Community Around Jupyter Notebooks for DFIR, SecOps, and Detection Engineering Teams
This talk is a retrospective on how my organization grew a community of notebook users across DFIR, SecOps, and detection engineering teams and how notebooks became core to our workflows. We will share some of the challenges when trying to convince an organization to adopt Jupyter notebooks and the paved roads that were helpful to support the range of use-cases. Lastly, we will evaluate the positive and negative impacts from operationalizing notebooks at scale.
Ryan Marcotte Cobb @detectdotdev, Principal Security Researcher, Secureworks

16:45 | Break

16:50 | Graphing Ransomware & Data Leak Sites Trends with Plotly
This talk delves into analytics of data leak sites using RansomWatch’s open-source data. We employ Plotly for crafting high-quality, interactive visualizations, such as heatmaps, to uncover trends in ransomware attacks and examine group rebrandings.
Colin Cowie @th3_protoCOL, Threat Intelligence Analyst, Sophos

17:10 | Threat Hunting in Three Dimensions
Threat hunting often demands capabilities beyond the scope of traditional SIEM platforms. This presentation showcases a threat hunting workflow that leverages Jupyter for rapid, iterative, and visual analysis of complex data. By tapping into humans’ innate understanding of three dimensions, we will demonstrate how to calculate and re-calculate metrics and distances between data points. Specifically, we focus on comparing attributes of Google Chrome Extensions for similarity in Euclidean space, allowing interactive exploration of data and a deeper understanding of relationships between data points. This approach helps uncover instances of masquerading within the extensions.
Ryan Fetterman @iknowuhack, Security Researcher, Splunk

17:30 | Hacking Proprietary Protocols with Pandas
Proprietary protocols are typically a mystery to many practitioners. Vendors across many industries develop them for very specific purposes and technologies. We see them in everything from the Internet of Things (IoT), to Industrial Control Systems (ICS), to medical devices and more. Since there is generally no public Request for Comments (RFC) or public disclosure on how they work, they present an opportunity for attackers and a challenge for defenders. In this presentation, Ismael Valenzuela will present how defenders can tackle these unknown protocols to detect or flag unusual behavior in this traffic, using Jupyter notebooks and Python libraries like pandas, NumPy and Matplotlib, for data exploration and visualization.
Ismael Valenzuela @aboutsecurity, VP Threat Research & Intelligence, Blackberry

18:05 | Break

18:10 | Red Teaming LLMs with Jupyter Notebooks: A Practical Guide
Large language models (LLMs) are powerful tools for natural language generation and understanding, but they also pose significant challenges and risks. To ensure the safety and reliability of LLMs, it is essential to test them on various security and safety aspects. However, testing LLMs manually can be time-consuming and inefficient. In this talk, we present an approach for red teaming LLMs using Jupyter Notebooks. We show how Jupyter Notebooks can be used to iterate and vary attack techniques to maximize coverage, as well as connect to LLMs to help in developing attacks. We discuss the benefits and limitations of our approach, as well as the best practices and recommendations for red teaming LLMs via Jupyter Notebooks.
Pete Bryan @PeteABryan, Principal AI Security Researcher, Microsoft

18:30 | From Idea to Action: Building Data-Driven Security Tools with Streamlit
In the rapidly evolving landscape of cybersecurity, the ability to prototype and deploy effective tools swiftly has become increasingly important. This talk will delve into the power of Streamlit, a versatile Python framework, in accelerating the development of data-driven security tools and prototypes. Streamlit offers a streamlined approach to building interactive web applications without the complexities often associated with traditional development methods. In this session, we will explore how Streamlit differs from conventional tools like Jupyter Notebook, highlighting its advantages in terms of speed and usability. The core of the discussion will revolve around leveraging Streamlit to rapidly set up data-driven tools for Security Operations Centers (SOC). We will delve into practical use cases where Streamlit can be employed to enhance SOC operations, from visualizing real-time threat intelligence to simplifying incident response workflows. To provide a holistic understanding of Streamlit’s capabilities, we will conclude the talk with an end-to-end practical use case related to security. This case study will illustrate how to conceptualize, design, and deploy a security tool using Streamlit, offering attendees actionable insights that they can immediately apply to their security projects.
Ashwin Patil @ashwinpatil, Senior Security Researcher, Microsoft

19:05 | Break

19:10 | Guardians of Identity: OKTA’s Underworld
Threat Hunting OKTA Logs at Scale using Jupyter. I’ll be discussing some strategies which could be adopted by a mature SOC to start looking for threats in their IAM environment. The notebook would contain detections and some ideas about looking at logs using visualizations.
Kai Iyer @kaiiyer, Senior Security Engineer, EY Canada

19:30 | Comparison of collaboration methods between MSTICpy and Splunk SIEM
Method 1 is simply to use msticpy’s Query Provider and Uploader. Method 2 is to use the Splunk DSDL App for data transfer to Jupyter, and msticpy for analysis only. There are advantages and disadvantages case by case. On the other hand, we have no worry about the choice in MS Sentinel, which has a highly compatible method by using “Microsoft Sentinel ML Notebooks”. Audiences can take away an understanding of the Splunk DSDL mechanism and the pros/cons of these methods.
Tatsuya Hasegawa @T_8ase, Threat Hunter, GoAhead

19:50 | Ghostly privileged - Tale of Transitive privileges on Azure
In today’s complex IT environments, it’s not enough to simply limit access to resources. Transitive relationships between resources can create hairline vulnerabilities that can be exploited by attackers. That’s why we propose to share the importance of access check relationships inside Azure services and demonstrate how we can use them to proactively detect potential security vulnerabilities. For instance, user A has access to a VM [MSI] and this MSI has access to a Key Vault. It’s hard to identify that user A has access to the Key Vault (or any other resource). However, if not properly managed, they can create unintended access paths and increase the risk of privilege escalation attacks. We’ll show how to use already present data to identify and manage these relationships to reduce the risk of security breaches. The notebook that will be presented can be used to identify transitive relationships that end up being highly privileged. This is done using Graph (Python network graphing module), pandas (for data structuring), and the Azure API (for fetching data).
Pallavi Kumari Jha, SEC DETECTION & ANALYTICS ENG, Microsoft

20:10 | Jupyter Universe: Buckle Up for Notebooks Exploration!
Throughout the past few years, Jupyter has become a popular tool within the security community because it can easily be used by others to leverage different capabilities. Notebooks are shareable and reusable, and they improve collaboration and workflow. There are many use cases available, and for sure, there is one for you. In this talk, I want to offer the community the key to start or improve their journey with notebooks. Welcome to the Jupyter Universe!
Thomas Roccia @fr0gger_, Senior Security Researcher, Microsoft

20:30 | Closing Remarks
Roberto Rodriguez @Cyb3rWard0g, Principal Security Researcher Manager, Microsoft