Archive for the talks Category

Level: Technical

Abstract:
Your security team has just painted a grim picture of cyber threats, and you’re aware that your web application is full of vulnerabilities. Fixing these seems like it will take between forever and never.

But wait! There’s a solution, a Web Application Firewall, which catches common vulnerabilities like script injection and Distributed Denial of Service (DDoS). No coding needed. You just direct all web traffic to the WAF; the WAF inspects all HTTPS requests, and blocks the dangerous ones.

In my talk, I will explain how a WAF works, and tell some stories from my experience showing why you probably don’t want one, and when it can provide value anyway.

WAFs often block legitimate users by mistaking normal activity for an attack. When an ecommerce firm saw that a quarter of potential new customers couldn’t even see the web-app, that was good reason to abandon the WAF. But these false positives are accompanied by false negatives: attacks that are let through. There is no way to catch them all: the variety of possible attacks is beyond the imagination of WAF designers and yours, but not of the hackers. I’ll describe a tricky hack aimed at the specific weaknesses of a web-app; there was no way to handle it but thoughtful secure coding. I will describe some cases in which, with a WAF in place, development teams became more complacent about proper security practices.

Despite these drawbacks, there are situations where using a WAF might be a good idea.

When my customers were asked for a WAF as a specific auditing requirement, they had no choice; but of course, in that case the WAF was not for security. And in rare cases where an enterprise deployed a not-so-secure third-party web-app whose code they couldn’t fix, the WAF added a bit of security.

That said, there is one good security reason to use a WAF: DDoS protection. Unlike string-matching, DDoS protection is pretty effective, particularly with modern machine-learning based pattern detection.

This talk will leave you with the sense that the WAF is a lot less useful than you thought, but also with an understanding of when it’s the right choice to protect your systems.

Bio:
Joshua Fox has been a software architect in innovative technology companies for 20 years. Now, he advises tech startups and growth companies about Google Cloud Platform and Amazon Web Services; he also writes open source software, publishes, and speaks to cloud engineers.

He has a PhD from Harvard University and a BA in math from Brandeis.

Level: Advanced Subject Matter

Abstract:
Binary instrumentation involves inserting code into compiled executables to monitor, analyze, or modify their behavior either at runtime (dynamic) or before execution (static) without altering the original source code. Static binary instrumentation (SBI) injects code before a binary runs, typically by modifying the file on disk, whereas dynamic binary instrumentation (DBI) operates in memory while the program runs. These techniques are widely used for profiling, debugging, tracing, security analysis, and reverse engineering.

Modern malware analysis often encounters obstacles when using traditional static or interactive methods. Dynamic Binary Instrumentation (DBI) offers an alternative by allowing researchers to monitor and modify a program’s instructions during runtime. This talk will introduce DynamoRIO, a framework designed for this purpose. It functions by intercepting code before it reaches the processor, providing a transparent view of malicious behavior that might otherwise be hidden by packing or obfuscation.

The presentation will cover the practical application of the framework, starting with its built-in tools for tasks such as code coverage and memory monitoring. We will then examine the process of writing custom clients using the provided API. This allows for the creation of specialized scripts that can automate the extraction of payloads or the logging of specific system calls, making the analysis process more efficient when dealing with complex samples.

A significant portion of the discussion will focus on how DynamoRIO performs when faced with common anti-analysis techniques. Malware frequently employs methods to detect debuggers or virtual environments to prevent execution. We will look at how the framework handles these challenges, specifically its ability to bypass timing-based checks and other detection mechanisms. This evaluation is based on research into the transparency of the instrumentation process and its effectiveness in maintaining a steady analysis environment.

By the end of the session, attendees will have a functional understanding of how to integrate DBI into their analysis workflows. The talk aims to provide a clear view of the framework’s capabilities and its practical use cases in the context of threat research. Participants will be familiar with the methods needed to deploy and customize DynamoRIO for their own investigative requirements.

Bio:
Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as FSec, Bsides, Virus Bulletin, RSA, CARO, AVAR, BalcCon and others.

Level: Advanced Subject Matter

Abstract:
Today’s mobile banking landscape is a paradox: customers expect instant, frictionless access to their finances, yet the systems behind that convenience must withstand increasingly sophisticated threats. In this presentation, we explore how secure mobile banking development has evolved under the pressure of regulatory requirements, adversarial creativity, and rapid technological change.

To ground the discussion, we begin with a deceptively simple example: a mobile banking application protected by a four-digit PIN. On the surface, this seems like a standard, even familiar, security measure. But as we will see, the PIN – encrypted but ultimately cracked – reveals how legacy authentication mechanisms can become liabilities when attackers exploit predictable patterns, weak cryptographic implementations, or insufficient threat modelling. This case study is not just a cautionary tale; it is a lens through which we can examine the broader ecosystem of mobile banking security.

Regulators worldwide have raised the bar for financial institutions, demanding stronger authentication, robust encryption, continuous monitoring, and demonstrable risk based security design. At the same time, new technologies, such as hardware backed key storage, behavioural biometrics, secure enclaves, and AI driven anomaly detection, offer powerful tools to mitigate the weaknesses exposed by our cracked PIN example.

Our goal today is to connect these threads:

  • How regulatory frameworks shape secure development practices;
  • What threat modelling teaches us about real world attack paths;
  • How emerging technologies can transform a vulnerable four-digit PIN into a multi-layered, resilient defence strategy.

By the end of the session, you’ll see how modern mobile banking security is not about replacing one mechanism with another, but about building a holistic, adaptive architecture, capable of protecting users even when a single layer, like a simple PIN, fails.

Bio:
Grega Prešeren has been the CTO and lead ethical hacker at the co-founded company Carbonsec d.o.o. since 2017. He is one of the pioneers of security testing in Slovenia and has been involved in this field since the very beginning of his career. He kicked off his pentester’s career in 2010 and has been leading and performing security audits of networks, IT services, web, mobile, and other applications, as well as industrial or SCADA systems, for various organizations in Slovenia and abroad ever since. He holds several professional certificates in information and application security, as well as in information networks. He is also an active lecturer and trainer in the field of application security. His technical knowledge is underpinned by a strong understanding of regulations and standards, making him a sought-after advisor for developing cybersecurity strategies.

Level: Low tech

Abstract:
How to go about implementing an incident response and recording system in smaller organizations. The focus will be on creating a system that can handle a large number of incidents without the need to hire a separate team, while minimizing the impact on current internal experts.
What will be covered:

  • How to define the goals of an incident response system
  • What should be included in an incident “event” ticket
  • How to integrate incident response into existing internal expert teams
  • How to learn from your incidents
  • What NIS2/ZInfV1 require (or how to report the really bad cybersecurity incidents)

Bio:
Dino Memović – DevOps and sysadmin, nowadays mostly in charge of cybersecurity and ISO 27001 implementation. The talk is mostly based on multi-year experience of handling incident response.

Level: Technical

Abstract:
How do threat actors build sophisticated, anonymous attack infrastructure for less than $10? This presentation demonstrates the complete attack chain using only legitimate services—Namecheap, Cloudflare Zero Trust, and Crypto—to create credible phishing campaigns with persistent remote access.
The Attack Chain ($6.98 + fees):
Modern attackers don’t need expensive infrastructure. By leveraging “Living off the Land” techniques with trusted cloud services, they can:

  • Purchase legitimate domains anonymously via Bitcoin
  • Create professional email infrastructure that bypasses spam filters
  • Establish encrypted tunnels through Cloudflare’s CDN (evading firewall detection)
  • Maintain persistent SSH access through trusted network traffic
  • Launch convincing spear-phishing campaigns

Technical Deep Dive:
This talk walks through each phase with live demonstrations and code examples:

  • Domain Acquisition: Namecheap registration with Bitcoin, DNS configuration (SPF/DKIM/DMARC)
  • Cloudflare Zero Trust Exploitation: Importing domains, creating tunnels, establishing encrypted C2 channels
  • Persistent Access: Configuring cloudflared daemon, SSH key deployment, automatic reconnection
  • Phishing Delivery: Social engineering tactics, bash script delivery, full kill chain demonstration

Why This Matters:
These techniques evade traditional security controls because they:

  • Use trusted services (Cloudflare, legitimate domains) that bypass most detection
  • Require minimal technical skill and investment (<$10)
  • Scale easily across multiple campaigns
  • Provide reliable, long-lasting access channels
  • Offer strong anonymity through crypto and legitimate infrastructure

Defensive Focus:
While demonstrating offensive techniques, this talk emphasizes practical defense strategies:

  • Detection methods for malicious use of legitimate services
  • Monitoring unusual Cloudflare tunnel activity
  • Email security best practices for sophisticated phishing
  • Network segmentation to limit compromise impact
  • User awareness training based on real social engineering tactics

Target Audience:

  • SOC analysts
  • Threat intelligence researchers
  • Penetration testers
  • Incident responders, and anyone interested in understanding modern, low-cost attack techniques and how to defend against them.

Educational Purpose:
All demonstrations are conducted in isolated lab environments. This presentation aims to raise awareness and improve defensive capabilities, not to encourage malicious activity.

Bio:
Sérgio Costa is a Cyber Threat Intelligence Researcher at Axur. A veteran of the Brazilian Marine Corps, he holds the EC-COUNCIL CTIAv2 certification and graduated in Cyber Defense from FIAP. His research focuses on threat actor methodologies, counterintelligence, and offensive security techniques that help defenders understand and mitigate modern attacks.