Global Cybersecurity Camp (GCC) is an annual one-week international cybersecurity training programme. Member countries take turns hosting each annual edition. Our mission is to strengthen the security community across the world and nurture future global leaders. Every year, the top 50 students from member countries gather in one of the participating countries for a week to exchange experience, forge life-long friendships, and learn from the best cybersecurity professionals. The programme is organized by non-commercial education programmes and communities, supported by industry leaders who care about the safe digitalization of the world.

Date

February 10 ~ 14, 2025

Location

Taoyuan City (Taiwan)

Schedule

February 10th

Breakfast
08:00 ~ 09:00
Opening / Ethics / Groupwork
09:00 ~ 12:00
Lunch
12:00 ~ 13:00
Introduction to Threat Modelling
13:00 ~ 16:00

"Know thy self, know thy enemy. A thousand battles, a thousand victories." - Sun Tzu
"Prevention is better than cure."

In essence, these two quotes summarise threat modelling.

Threat modelling allows us to understand how threat actors can attack our systems, and how we can pre-empt said threat actors whilst a system is still in the midst of the design phase.

In this course, we begin with an introduction to threat modelling principles, as well as well-known methodologies such as STRIDE-LM and the MITRE ATT&CK Framework. We will have hands-on sessions using a threat modelling tool such as OWASP Threat Dragon, and multiple group exercises covering both on-premise and cloud environments.

For differentiated learning, the course is packaged in a two-track fashion. A base set of exercises and chapters will be covered in class time. For the faster students, "Extra Mile" exercises will be provided so they can stretch themselves outside class time.

Given sufficient time, some modern topics such as threat modelling in large language models (LLMs) may be discussed.
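The course outline above names STRIDE as the core methodology. As an added example (not part of the GCC course material or the OWASP Threat Dragon project), the following Python script applies the classic STRIDE-per-element table to a small, constructed data-flow diagram of a hypothetical three-tier web application, maps each threat category to the control family that addresses it, and flags data flows that cross a trust boundary as the ones to review first. STRIDE-LM's extra Lateral Movement category is not modelled; the element names, zones and flows are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not from the course. The DFD is modelled as elements (external
entities, processes, data stores) placed in trust zones, plus data flows between
them. Each element gets the STRIDE categories that apply to its kind, and flows
that cross a trust boundary are prioritized.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classic STRIDE-per-element applicability table (Shostack, "Threat Modeling", 2014).
# STRIDE-LM, named in the course outline, adds Lateral Movement; not modelled here.
STRIDE_PER_ELEMENT: Dict[str, List[str]] = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}

# Generic control family that addresses each STRIDE category.
CONTROL_FOR: Dict[str, str] = {
    "Spoofing": "authentication",
    "Tampering": "integrity protection",
    "Repudiation": "non-repudiation / audit logging",
    "Information disclosure": "confidentiality (encryption, access control)",
    "Denial of service": "availability (rate limiting, redundancy)",
    "Elevation of privilege": "authorization / least privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external_entity", "process" or "data_store"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


def flow_name(f: Flow) -> str:
    return f"{f.src}->{f.dst}"


def crossing_flows(elements: List[Element], flows: List[Flow]) -> List[str]:
    """Names of flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return [flow_name(f) for f in flows if zone[f.src] != zone[f.dst]]


def enumerate_threats(elements: List[Element],
                      flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Apply STRIDE-per-element; returns (element, category, control, priority)."""
    crossing = set(crossing_flows(elements, flows))
    out: List[Tuple[str, str, str, str]] = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            out.append((e.name, cat, CONTROL_FOR[cat], "normal"))
    for f in flows:
        prio = "high" if flow_name(f) in crossing else "normal"
        for cat in STRIDE_PER_ELEMENT["data_flow"]:
            out.append((flow_name(f), cat, CONTROL_FOR[cat], prio))
    return out


# Constructed sample DFD of a hypothetical three-tier web application.
SAMPLE_ELEMENTS = [
    Element("user", "external_entity", "internet"),
    Element("web", "process", "dmz"),
    Element("cache", "data_store", "dmz"),
    Element("db", "data_store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("user", "web", "HTTPS request"),
    Flow("web", "cache", "session lookup"),
    Flow("web", "db", "SQL query"),
]

if __name__ == "__main__":
    for name, cat, control, prio in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        print(f"[{prio:6}] {name:12} {cat:24} -> {control}")
    print("Trust-boundary crossings:", crossing_flows(SAMPLE_ELEMENTS, SAMPLE_FLOWS))
```

The output is the raw candidate list a threat modelling session starts from; the real work is deciding, per line, whether the listed control already exists, is missing, or is accepted risk, which is what a tool like Threat Dragon lets a team record against the diagram.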


Trainer: Donavan Cheah (Thales)

Donavan has almost eight years of cybersecurity experience in red teaming, penetration testing, threat modelling and risk assessments.

He has contributed to the open-source cybersecurity space, for example through his series of deliberately vulnerable machines on Vulnhub from 2018 to 2021. He also demonstrates significant technical depth through talks at multiple regional conferences and venues (Mystikcon, Vulncon, Division 0) on topics such as antivirus evasion and deserialization, and conducts career talks to inspire younger students to consider cybersecurity as a meaningful career option.

At Thales, he also led a team that created a fully functional, made-in-Singapore cybersecurity gamification experience, "Defend the Breach", in the short span of three months. It allows players to role-play as CISOs making cybersecurity decisions such as balancing the cyber budget against cyber investment, dealing with cyber threats, and deciding on the capabilities required to secure the business.

Recently, Donavan has also provided thought leadership as a member of the advisory board of VULNCON 2024 and by moderating a panel with fellow CISO/VP-level cybersecurity executives. His views on cybersecurity have been quoted in the book "The Pentester Blueprint" by Phillip L. Wylie and Kim Crawley, and his course reviews have been quoted by Offensive Security. He is also a member of the Technical Advisory Panel Workshop for ISC2's Unified Body of Knowledge (UBK) project, slated for release in late 2024.

Donavan also holds multiple certifications, including Offensive Security certifications (OSCE3, OSCP), ISC2 (CISSP) and ISACA (CRISC), and is slated to begin his candidacy for a Master's in Cybersecurity (Online) at Georgia Tech.

Writing a Code Sanitizer
16:00 ~ 19:00

Code sanitizers are compiler tools that find and neutralize bugs in your code. This lecture will teach you how to use them and even how to build one yourself by tweaking a small compiler named chibicc. You'll discover:
1. How to write secure code with sanitizers
2. The inner workings of a C compiler
3. Static and dynamic analysis techniques for C programs


Trainer: Mikihito Matsuura

Dinner
19:00 ~ 20:00
Groupwork
20:00 ~ 22:00

February 11th

Breakfast
08:00 ~ 09:00
Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts
09:00 ~ 12:00

C++ is widely used in a variety of malware, such as RATs and banking Trojans. Since malware written in C++ is often object-oriented, analyzing it requires knowledge of and experience with classes and their inheritance, vtables and basic strings, in addition to the skills needed to analyze malware written in C. In this course, attendees will learn how to quickly find such features and analyze them.

We will use IDA Free for analysis. Although Ghidra, which is popular among CTF players these days, is useful for analyzing simple and/or small programs under certain conditions, it is still inferior to IDA in many aspects, such as processing speed, decompiler accuracy, and the variety of third-party scripts and plug-ins; IDA remains the de facto standard reverse engineering tool. While learning how to use IDA, we will analyze actual malware written in C++ and aim to master the techniques, including the practical know-how. Afterwards, we will practice the techniques we have learned through CTF-style games, having fun while cooperating and competing with each other.


Trainer: Hiroshi Suzuki / Naoki Takayama (Internet Initiative Japan Inc.)

Hiroshi Suzuki is a malware analyst, forensic investigator, incident responder and researcher working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX and Mimikatz. He has over 19 years dedicated to these areas. He has been a speaker and trainer at international conferences such as Black Hat (USA, Europe, Asia and Japan), Virus Bulletin, and the FIRST conference (Annual and TC) multiple times.

Naoki Takayama is a malware analyst and forensic investigator working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, the private CSIRT of his company. He has been a speaker and trainer at BSides Tokyo 2023 and at Security Camp events in Japan.

Lunch
12:00 ~ 13:00
Reverse Engineering Malware Written in C++ with IDA and Semi-Automated Scripts (continued)
13:00 ~ 18:00
Dinner
18:00 ~ 19:00
Groupwork
19:00 ~ 22:00

February 12th

Breakfast
08:00 ~ 09:00
Deep-dive in OT security and attacks
09:00 ~ 12:00

Since Stuxnet caused substantial damage to Iran's nuclear programme in 2010, ICS security issues have been on the rise, and industrial control systems and OT environments have become one of the main targets for attackers. In this course, we will begin by analyzing and categorizing malware related to industrial control systems since 2010, explaining the TTPs (Tactics, Techniques, and Procedures) they use. From this, we will extract attack paths, protocol analyses, and attack targets related to OT environments. We will also demonstrate several protocol attacks that simulate malware attack paths, to help students understand the current pain points in OT environments within industrial control systems, as well as how to analyze protocols and understand the attack posture of malware.


Trainer: Vic Huang / Sol Yang (UCCU Hacker)

Vic Huang is a security researcher and a member of UCCU Hacker, a cybersecurity community in Taiwan. He works in the Web/Mobile/ICS/Privacy domains. He has spoken at several conferences, including HITB, CODE BLUE, Ekoparty, ROOTCON, REDxBLUE pill, HITCON, CYBERSEC and DEFCON villages.

Sol Yang is a security engineer interested in OT security, cryptography and malware.

Lunch
12:00 ~ 13:00
Detection Engineering with Threat Intelligence: Techniques of consuming and creating threat intelligence for Detection Engineering
13:00 ~ 16:00

To prevent advanced threat actors from compromising systems and to mitigate similar attacks, it is essential to leverage threat intelligence and detection engineering. Threat intelligence involves the collection, analysis, and dissemination of diverse information about threat actors and their Tactics, Techniques, and Procedures (TTPs). Detection engineering then uses this acquired threat intelligence to enable both prevention and detection efforts. The effectiveness of a mature security posture depends heavily on this practice. Furthermore, by sharing analyzed and generated threat intelligence and detection code both within and outside the organization, we can enhance early warning mechanisms for the industry and cybersecurity communities.

When discussing "attack analysis," security engineers often think of techniques such as malware analysis, vulnerability assessment, and forensics. However, a fundamental question arises: How can we effectively utilize the results of technical analysis to enhance prevention and detection efforts?

In this lecture, we will explore three key areas.

First, we will delve into the foundational principles of threat intelligence and detection engineering, covering concepts such as the types of intelligence, the threat intelligence cycle, attribution, detection as code, and the detection engineering process.

Second, we will focus on analysis techniques and the practical application of threat intelligence. By drawing on information obtained through activities like malware analysis and forensic analysis, we will learn how to leverage frameworks like MITRE ATT&CK to understand TTPs.

Finally, we will explore the process of translating this acquired threat intelligence into actionable prevention and detection measures. We will cover the detection engineering process and how to create Detection as Code, such as YARA and Sigma rules, as part of detection engineering, to improve not only existing detection but also threat hunting capabilities.
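The paragraph above names Sigma as one form of Detection as Code. As an added example (not part of the course material, and not the pySigma or sigma-cli implementation), the following Python script evaluates a Sigma-style rule against constructed process-creation log events. It implements only a small subset of Sigma semantics: exact field match, the `|contains`, `|startswith` and `|endswith` modifiers, list values as OR, and a condition of identifiers joined by `and`/`or` with optional `not` (no parentheses). The rule, its allow-list filter and the sample events are assumptions built for the example; in production the same rule would be compiled into a SIEM query rather than matched in Python.

```python
"""Evaluate a small Sigma-style rule over constructed log events.

Added example, not from the course. Only a subset of Sigma is implemented:
exact match, |contains / |startswith / |endswith modifiers, lists as OR,
and conditions of the form "a and not b" / "a or b" without parentheses.
"""
from typing import Any, Dict, List

# Sigma-like rule held as a dict (rather than YAML) so the example has no dependencies.
# The filter models a hypothetical allow-listed management agent; it is an assumption.
RULE: Dict[str, Any] = {
    "title": "PowerShell launched with an encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", " -enc ", " -ec "],
        },
        "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}


def _match_value(field_value: Any, expected: Any, modifier: str) -> bool:
    """Compare one field value against one expected value, case-insensitively."""
    if field_value is None:
        return False
    s, e = str(field_value).lower(), str(expected).lower()
    if modifier == "contains":
        return e in s
    if modifier == "startswith":
        return s.startswith(e)
    if modifier == "endswith":
        return s.endswith(e)
    return s == e


def _match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All keys of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), c, modifier) for c in candidates):
            return False
    return True


def evaluate_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate 'x and not y or z' style conditions; 'and' binds tighter than 'or'."""
    def term(t: str) -> bool:
        t = t.strip()
        if t.startswith("not "):
            return not results[t[4:].strip()]
        return results[t]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    det = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that the rule fires on."""
    return [ev for ev in events if rule_matches(rule, ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand UABvAHMAdAAtAFMAYQBtAHAAbABlAA==",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc UABvAHMAdAAtAFMAYQBtAHAAbABlAA==",
     "ParentImage": "C:\\Program Files\\Agent\\monitoring_agent.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for ev in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: event {ev['id']} -> {ev['CommandLine']}")
```

Event 1 fires, event 2 has no encoded-command switch, event 3 is suppressed by the allow-list filter, and event 4 is a different image. The filter is where false-positive tuning lives; every allow-list entry should be documented in the rule so that a later reviewer knows why that parent is trusted.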


Trainer: Tomohisa Ishikawa (Tokio Marine Holdings, Inc.)

Tomohisa is the Lead Cyber Security Architect at a global insurance company, where he plays a pivotal role in various security projects and operations. His responsibilities span global security strategy, security architecture, threat intelligence analysis, and digital forensics and incident response (DFIR). In his previous roles, Tomohisa gained extensive experience in red teaming, forensics, and security training. He holds a Doctor of Engineering degree and is certified in numerous cybersecurity domains, including CISSP, CISSP-ISSMP, CCSP, CSSLP, CISA, CISM, CDPSE, PMP, and several GIAC certifications (GWAPT, GPEN, GDAT, GSNA), among others.

Tomohisa has also made significant contributions to the cybersecurity community. He serves on the GIAC Advisory Board, participates in national IT Exam Committees, and acts as a Cyber Security Expert for the Ministry of Internal Affairs and Communications. He is also an accomplished speaker, professional translator, and author. Tomohisa has delivered talks and conducted workshops at prominent conferences, including SANSFIRE (2011 and 2012), DEFCON 24 SE Village, FIRSTCON23, Security Camp 2023 in Japan, Security Camp 2024 in Japan, GCC2024, SINCON2024, and various other security conferences. Additionally, he has authored a book on threat intelligence in Japanese and has translated six DFIR books and one API security book from O'Reilly Japan.

Modern Kernel Exploitation
16:00 ~ 19:00

As the kernel continues to be hardened with novel mitigations, traditional kernel pwn techniques are falling out of favor. This course focuses on two main aspects:
1. Explaining common and novel kernel mitigations, and known ways to bypass them
2. Modern kernel pwn techniques (with hands-on exercises and demonstrations!): Dirtycred, Dirtypipe, user space mapping attack, Dirty Pagetable
Of course, this would not be complete without sharing some interesting quirks and funny bugs that have been observed in the kernel over the years :)


Trainer: Cherie-Anne Lee (STAR LABS SG / University of Cambridge)

I am an organic chemist and self-taught security researcher deeply interested in low-level exploitation, especially Linux kernel exploitation. I have reported a bug in the Linux kernel and worked on n-day vulnerability research. In my free time, I play CTFs and write challenges for both local (STANDCON, LNC 4.0) and international events (idekCTF). Getting a root shell by exploiting a kernel bug is one of the best feelings in the world and I would love to share that joy with the CTF community :D

Dinner / Industrial Talk
19:00 ~ 22:00

February 13th

Breakfast
08:00 ~ 09:00
Introduction to Automotive Cybersecurity & Car Hacking
09:00 ~ 12:00

This introductory automotive cybersecurity training introduces participants to the unique world of automotive security and car hacking, providing guided instruction and an opportunity for students to experience security testing with real automotive hardware. It offers a valuable opportunity to learn security techniques applicable not only to the automotive industry but also to IoT, medical devices, industrial controls, and more. Students who have completed this course in the past have gone on to continue studying automotive cybersecurity, discovering new vulnerabilities and advancing the industry in unique ways.


Trainer: Kamel Ghali (Accenture, Car Hacking Village)

Kamel Ghali is an automotive cybersecurity veteran of over 6 years. He is the Director of Event Outreach for the DEFCON Car Hacking Village and head of the Tokyo branch of the Automotive Security Research Group. He has extensive experience as a vehicle penetration tester, car hacking trainer, and consultant, having worked all over the world. He speaks English, Arabic and Japanese, and loves to cook.

Lunch
12:00 ~ 13:00
Introduction to Automotive Cybersecurity & Car Hacking (continued)
13:00 ~ 18:00
Dinner
18:00 ~ 19:00
Groupwork
19:00 ~ 22:00

February 14th

Breakfast
08:00 ~ 09:00
Closing / Groupwork Presentation
09:00 ~ 12:00
Lunch
12:00 ~ 13:00

Member Organizations