WithSecure Consulting at Disobey 2024


Disobey 2024, what an event. And one where we had five of our expert consultants speaking across four different sessions. Something we’re incredibly proud of.  

If you weren’t able to join us this year, we’ve summarised our talks below for you!

Identifying cross-account attack paths in AWS environments at scale

Aleksi Kallio

Cross-account IAM role trust relationships can create complex attack paths in AWS environments. These relationships could allow attackers to cross security boundaries and move laterally in the environment.

In large AWS organizations, mapping such paths manually is practically impossible due to the different IAM configurations involved. But what if we could simplify such analysis a bit?

This talk outlines how attackers could exploit AWS IAM role trust relationships and demonstrates how to reveal the routes attackers could take inside your AWS environment. The tooling presented in this talk is open-sourced.

“Identifying Cross-Account Attack Paths in AWS Environments at Scale” by Aleksi Kallio

How much dirty laundry are your smart home devices airing about you?

Jack Fitzsimmons

Smart home technology allows us to turn on our heating so it’s nice and warm before we get through the door, or control all the lights, TVs, and speakers in the house. It can even tell us when the fridge is running low on something, or when the laundry cycle has finished.

But, by embracing these conveniences, how much personal data are we giving up in the process via the apps they need to function? And is it worth the trade-off?

Using two different brands of smart watch we looked at privacy policies, application permissions, and the traffic of each application to see how up front they are about the data that gets collected, who it gets shared with/sold to, and where it goes. Ultimately you’ll learn more about which third parties also get to know you in the process.

“How much dirty laundry are your smart home devices airing about you?” by Jack Fitzsimmons

Smoke and Mirrors: How to hide in Microsoft Azure

Christian Philipov & Aled Mehta

As organizations develop their cloud usage and mature their cloud security operations, attackers have had to identify and develop methods to avoid detection.

Our talk explored techniques that would allow attackers to use different management APIs so that enumeration and reconnaissance activity is not logged. In addition, we presented an example method for blending malicious actions in with legitimate activity by abusing the ways certain services interact with other Azure services.

“Smoke and Mirrors: How to hide in Microsoft Azure” by Christian Philipov and Aled Mehta

I was almost a cybercriminal

Sergey Ichtchenko

Many teenagers have exceptional technical ability, lots of free time, and unlimited curiosity. This is a recipe for either

  1. A highly successful career in cyber security, or 
  2. A highly successful career in cybercrime. 

Unfortunately, many youngsters pick the latter choice, starting off as innocent script kiddies and progressing bit by bit, each time getting a little more risky. In the end, some become full-blown cyber criminals. The steps along the way can seem small and insignificant, but picking up on them, stopping the person in time, and redirecting them more towards option 1 is critical.

This presentation was done in collaboration with Testausserveri Ry, an organization dedicated to helping young people in Finland develop as ethical hackers and programmers, as well as KRP, the Finnish National Bureau of Investigation. Both are very aware of the problem and have worked together to figure out how to motivate kids away from going into cybercrime at a young age.

The presentation explains our work, and gives useful advice to parents, companies, and youngsters on how to move forward with this societal issue.

“I was almost a cybercriminal” by Sergey Ichtchenko

What we loved this year…

“The event was a really fun gathering of people from all sorts of backgrounds in the cyber security space. An excellent event for both presenters and viewers to be able to take in the atmosphere and learn something new and exciting…” Christian Philipov

“Disobey 2024 was a great experience where I got to learn many new things and discover some new areas of interest in terms of research. The community village was also great to explore and a good way to chat with people of similar interests. As a speaker it was an honour that so many wanted to come see my talk, and I appreciated the great questions that came up during the Q&A. I’m really looking forward to going back next year!” Jack Fitzsimmons 
