From the 10th till the 14th of March I had the opportunity to attend Insomni’hack in Lausanne (on Lake Geneva), a Swiss cybersecurity conference. Trainings were also available for the two or three days prior to the conference, depending on the selected course.
Trainings
As mentioned, trainings were available before the conference; the one I chose was titled “Advanced Detection Engineering in the Enterprise” and was provided by FalconForce.
FalconForce is only the company that provides the training; the course itself was taught by Olaf Hartong and James Gratchoff, two people with deep knowledge of detection engineering and red teaming. Depending on your background you might immediately recognise Olaf from the Modular Sysmon Config, one of the two widespread Sysmon configs.
The instructor-led training focuses on the entire detection engineering cycle. Guiding participants in defining a scope, researching the relevant (sub-)techniques, building the detection analytic, investigating which logs can be utilized, and validating the resilience of the analytic against evasion. https://falconforce.nl/services/training/advanced-detection-engineering-training/
I think FalconForce’s description captures the course content very well. Over the three days (usually it is a four-day training) we went through an entire attack chain, from initial access through credential dumping to moving into the Azure cloud.
The course is very hands-on: you have lots of opportunities to create your own detections for the attack you just performed yourself against the test infrastructure, so you are constantly switching between the red and the blue team. Even after you have created an initial detection, you then work to bypass it and, from there, strengthen the detection again.
By the end of the course you will have written quite a lot of Kusto Query Language (KQL) and will also have been taught about common pitfalls when creating detections with KQL in Azure.
Lab Setup
Because this training took place before the conference, the lab setup was left intact for the duration of the two conference days, so if you wanted to you could still experiment with the lab after the training. Even once the environment is “destroyed”, most of the labs are rather straightforward to set up in your own lab, and the documentation of each lab is very in-depth, which helps when setting them up. The only exception is the Active Directory Certificate Services (AD CS) lab, which requires quite a bit of setup if you want to replicate it yourself.
You will not only gain pure technical knowledge but also a school of thought/methodology: how to structure the detection-engineering process, what its core principles are, and how and where to automate your workflows. This is also very well documented, meaning you could almost adopt it 1:1 in your organisation if you wanted to.
Conference
The “smaller” scale of Insomni’hack, compared to Black Hat, was quite welcome. The vendor floor was quite a bit smaller, resulting in far fewer marketing mails afterwards.
There also seems to be no restriction on publishing your work before the conference, so some talks were given by speakers who had already published their work some time ago and were now presenting it. By no means did this reduce the quality of the talks; all the ones I attended were very good and taught me something new.
Almost all of the talks are available on YouTube to view even after the conference. I quite enjoyed the following talks (in no particular order, and only the ones where a video was published):
Cache Me If You Can: Smuggling Payloads Via Browser Caching Systems - Aurélien Chalot
This talk combined a short primer on red teaming with a showcase and explanation of how the caching mechanism of web browsers can be abused to download malicious files. Since the cached files are not 1:1 copies of the hosted malware, methods of finding and executing the downloaded files were also presented.
Improving Your Hunting And Detection In Entra ID And O365 - John Stoner
One of the penultimate talks of the conference, giving a rapid-fire overview of different attacks targeting Azure services and of which logs contain information about them. It also nicely highlighted the difference between MS Graph API logs and the “standard” Entra ID sign-in logs. And yet again Microsoft is very good at being inconsistent, be it the key names in the logs or the actual information contained within.
The AI Paradox: Safety Vs Performance - Rachid Guerraoui
Okay, this talk did not focus heavily on cybersecurity, but it was nonetheless very entertaining and provided ample food for thought.
Beyond LSASS: Cutting-Edge Techniques For Undetectable Threat Emulation - Priyank Nigam
This talk provides an introduction to abusing Azure tokens and where to find them on a compromised machine, as an alternative to credential dumping via LSASS.
(Personal) Conclusions
Was the training worth it? YES! It is a very comprehensive training, both on a technical and on a methodology level. I would rather take 2-3 trainings of this quality than one SANS course.
Experiment with talks: descriptions and titles are only part of the story. When in doubt, just go with your gut feeling. This led me to some very interesting and entertaining talks about physical security.
Was the conference worth it? Yes. If you are there for the training, the price of the conference is rather cheap, so if you can make the time I see no reason not to attend. The quality of the content combined with the price (and student discounts) makes it a great option, even if you have to pay for it yourself. But you should not forget that this event takes place in Switzerland, so everything else might be more expensive than you expect.
Again, be more social: the atmosphere of the event was a lot more relaxed and more “hacker-like”, so you saw lots of people wearing different kinds of merchandise or generally funny clothes related to cybersecurity, which makes for an excellent segue into conversations. You can also easily identify other HTB players based on their merchandise.