Fatih Ozavci
[Independent Infosec Professional]
Fatih Ozavci is a multidisciplinary security manager, engineer and researcher with two decades of experience on offensive and defensive security technologies.

He has managed several international security assessment and research projects focused on various technologies including service provider networks, unified communications, application security and embedded systems. He shared his researches, tools, advisories and vulnerabilities in major security conferences such as Black Hat USA, DEF CON and HITB.

He’s author of Viproy VoIP Pen-Test Kit, Petaq Purple Team C2 and Malware, TA505+ Adversary Simulation Project and C2Gate Malware Traffic Simulator.

Nowadays, he combines his skillsets to perform realistic adversary simulations and defence exercises for larger organisations. Fatih is also studying Master of Cyber Security (Advanced Tradecraft) at University of New South Wales at Australian Defence Force Academy.

Key Skills & Career Interests:

• Leading Security Assurance Practice & Red Team Ops
• Building Offensive and Defensive Capabilities
• Adversary Simulations (CORIE/CBEST/TIBER/iCAST Standards)
• Long-term Security Research Projects
• International Public Speaker and Instructor

Malware Traffic Generation to Improve Security Incident Detections

Distributed and larger networks are always harder to monitor for security incidents and events. Especially custom malware communication channels and persistent threat actors may slip through the normal daily user activities. Though, most of the threat actors stay in the target networks more than a couple of months which may give sufficient time to identify the communication channels. On the other hand, malware communication channels and captured traffic are not easy to simulate as using real malware or known tools (e.g. Cobalt Strike, PowerShell Empire) would be problematic in production.

In this presentation, the malware communication channels, known hiding techniques and popular ways to blend into the normal network traffic will be discussed. C2Gate is a new defensive tool developed to simulate malicious traffic without malware, but with full customisation options such as sample keywords, custom instructions in communications, various network protocols and cloud integration. So, using this tool or an alternative, the traffic sample extracted from malware can be used to build a custom and distributed malicious activities simulation. Through this, the malicious activity or an activity gathered from Threat Intelligence can be simulated on non-compromised networks and systems safely. This would mainly assist blue teams to build up better detections, measuring cyber analytics rules or training the machine learning based defence products. Purple team exercises can also benefit this approach to simulate multiple threat actors and their communication channels at the same time.

Tutorial: Weaponising C# for Red and Purple Teaming

In this Enterprise Detection and Response (EDR) age, threat actors are increasingly using custom tradecraft to make their initial attacks unique and to hide their tracks. Hence, Red Teams need to simulate these cutting-edge tradecraft during their exercises with, potentially, limited resources. In addition, Purple Teams have responsibilities to replicate cutting-edge individual attacks to test defence solutions and understand the IOCs.

C# and .NET Framework’s popularity is increasing in the security community, who are responsible to simulate adversaries, due to its operating system integration capabilities and easy to develop features. Through this, it’s easier for offensive and defensive security researchers to provide custom tradecraft targeting specific Windows features and security controls. Security researchers have already released numerous custom Red Team tools and Mitre Att&ck tests using C#, to be operated by popular and custom Command & Control implementations.

During this workshop, we will discuss about the fundamentals and offensive advantages provided by .NET Framework with practical examples. In addition, some of the Mitre Att&ck concept implementations will be analysed to understand its use. Through the exercises, the participants will learn how they can read code samples, write their own code, compile using various options, calling .NET assemblies through PowerShell, integrate Windows APIs to existing samples to expand the features, and finally make their own application. To operate Red Teaming tasks against a target platform remotely; the participants will actively read and repurpose existing Proof-of-Concept tools, and develop their own custom tools using C#.

Secure your place today!