Agenda

The Red Team and the Blue Team will be joining forces to improve your organization's cybersecurity capacity. Which team will you play for?

All sessions will be based on actual events and the experiences of our expert teams during real-world incidents.

Select your preferred talks from either of the tracks. There will be enough time to switch rooms between sessions if you want to mix it up a bit.

🇬🇧 All sessions will be presented in English unless otherwise indicated.

Morning Sessions

Welcome to Mälarsalen at Münchenbryggeriet in Stockholm.

You will be greeted by a Truesec colleague at the registration desk and can have coffee before we take off. Welcome!

It's time for you to choose which session from the two tracks you would like to attend.

Enjoy a 30-minute break, visit our partners in the exhibit, and grab a cup of coffee and load up with some energy.

Ask the speakers anything in our Experts-corner, challenge yourself in our Purple Team War Room, or listen to our partner Svenska Röda Korset in our Speakers Corner.

Speakers Corner

10:00 Ukraine crisis – The Red Cross response 

The war in Ukraine has galvanized the attention of the world. Yet, few organizations could foresee the escalation of an ongoing five-year conflict.
Engaged on the front lines in Eastern Ukraine since the onset in 2014, the Red Cross continues to respond to a wide range of emergency needs in an extremely challenging environment.
This session will give you a deeper insight into the work of the Red Cross Movement in Ukraine.

Speaker: Andrei Engstrand-Neacsu
Head of Ukraine and impacted countries crisis response, Swedish Red Cross

 

Cyber Incident Cases - Morning Sessions

Are you ready to battle a severe incident, and collaborate with a dedicated incident response team?

When you are the target of a cyber attack, do you know what to do? How to behave? When to act? Simply put, are you prepared to manage an attack against your organization?

Using real cases as examples, Rasmus will cover multiple methods for preparing for and managing severe attacks against your organization: the dos and don’ts, as well as how to include, collaborate and work together with a dedicated incident response team.

Speaker: Rasmus Grönlund

In the last few years, many organizations have suffered from ransomware attacks. Recovering from a ransomware attack usually requires backups, but in some cases, there are other ways.

Alexander is a Principal Forensic Consultant in Truesec CSIRT. In this session, he will showcase his team’s latest research in ransomware decryption capabilities. The research breaks an entire family of ransomware variants and allows victims to restore encrypted data without obtaining the private keys.

Speaker: Alexander Andersson

Join us on a winding journey where we investigate what has happened during a cyberattack, and who might be behind it.

Threat actors often try to hide where they come from, and it's our job not to be fooled by false leads.

Speakers: David Lilja and Hasain Alshakarti

Build Secure Infrastructure - Morning Sessions

Historically, many organizations' sole and major strategy has been a network security philosophy with firewalls as the primary enforcer of solid IT security. As traffic patterns change and threats evolve, this strategy is no longer successful.

In this session, network security expert Heresh will share insights about common mistakes from a real-life cyber-incident perspective.

Speaker: Heresh Zaremand

How do VMware vSphere platforms get attacked and encrypted?

We will go through real-world examples from attacks and give you recommendations on how you can protect your environment from getting breached by the new wave of ESXi-targeting ransomware.

Speaker: Anders Olsson

Most backup solutions are not designed for today’s real threat, cybercrime.

Join this session to learn how you should architect your existing solution to protect you from cyberattacks, ransomware, and other threats.

Speaker: Mikael Nyström

Closing Lunch Keynote

By combining reverse engineering of the different malware used and studying the actual war, we can see how the code was affected by different requirements.

Gain deep insight into the technical details of three pieces of Russian wiper malware used in cyberattacks against Ukraine during the conflict, how they were employed, how they differ, and how this relates to the physical war in Ukraine. We will show how the Russian cyberwar in Ukraine was integrated into the kinetic war, where it succeeded, where it failed, and maybe why we haven’t seen more written about it.

Speakers: Mattias Wåhlén and Nicklas Keijser

Enjoy a long lunch in the exhibit area and listen to our partners' presentations in our "Speakers Corner".

Speakers Corner

12:30 The AI Behind Vectra AI

AI, ML, and Data Science have become buzzwords, and are often misunderstood and misused when trying to understand attacker behavior. In this session, Vectra will reveal the true meaning of AI when applied to threat detection. Learn how, with the use of AI, we can reveal a true attack signal that becomes prioritized intelligence helping security teams get ahead and stay ahead of attacks.

Speaker: Stijn Rommens
Director Security Engineering, Vectra AI 

 

12:50  Why XDR Must Start with EDR

By building on EDR, XDR can make all telemetry accessible and actionable, incorporating data from across endpoints, cloud workloads, identity, email, network traffic, virtual containers, sensors and more to generate XDR detections.

Speaker: Per Österberg
Partner Solutions Architect, CrowdStrike

 

13:10  Finding a needle in the haystack with a magnet - An unfair challenge?

In this talk, we will look at the sequence of events following a ransom DDoS attack against a Swedish company and how Baffin Bay Networks, through its Threat Data, could identify all companies globally targeted by the same group.

Speaker: Joakim Sundberg
CTO / Founder, Baffin Bay Networks

 

Red Team - Afternoon Sessions

Get the highly appreciated talk from Def Con.

CSRF is (really) dead. SameSite killed it. Browsers protect us. Lax by default!

Sounds a bit too good to be true, doesn't it? We live in a world where browsers get constantly updated with brand-new web features and new specifications. The complexity abyss is getting wider and deeper. How do we know web technologies always play perfectly nice with each other? What happens when something slips?

Speaker: Dongsung "Donny" Kim

Modern IT environments offer passwordless authentication to improve security. Certificate and key-based authentication makes the user's life easier and gives the offensive side an excellent opportunity to obtain versatile credentials.

This technical session will provide detailed demos and discussions of the different attacks that use certificate- and key-based authentication in a Windows environment, ranging from certificate services misconfigurations and abuse to Windows Hello for Business keys and sessions.

Speakers: Hasain Alshakarti and Carlo Alberto Scola

Grab a cup of coffee and something sweet and hang out in the exhibition. Ask the Experts anything, challenge yourself in our Purple Team War Room, or listen to our partner Dustin in the Speakers Corner.

Speakers Corner

15:00 Secure and manage devices in its full lifecycle 

Managing and securing a device in its full lifecycle is made easy. It all starts with a touch of one button and ends by securing the device with takeback.
We talk about how managed services can help small and medium-sized companies stay at the forefront by securing the environment and, in cooperation with Truesec, monitoring the device. Ultimately, we ensure that the data is securely handled and recycled sustainably.

Speaker: Rasmus Burkal
Service Product Manager Security, Dustin

Join in on this hands-on, step-by-step demo on how to deploy a complete Remote Access Trojan (RAT) with no detection in a fully monitored Microsoft Defender for Endpoint environment.

Speaker: Mikkel Ole Rømer

In modern software development, CI/CD platforms such as GitHub are often used to store code, test changes, and even deploy to production. This introduces fantastic possibilities in visibility and productivity for the development pipeline. It also means that the platform must have highly privileged access to the production environment.

We may have restricted the developers’ direct access to the production environment and be confident we’ve introduced protections in CI/CD to ensure no malicious deploys can happen.

In this session, we’ll look at abusing insecure defaults and common misconfigurations to bypass protections and gain production access from lower-privileged access to the platform. Examples are focused on GitHub Actions.

Speaker: Sebastian Olsson

Build Secure Infrastructure - Afternoon Sessions

How do we secure Azure AD administration in a tiered manner?

Join this session to learn the why, how, and when you should implement this mindset towards the cloud.

Speaker: Viktor Hedberg

Join this session to learn about the cool new features in Windows Server 2022 and System Center 2022 that you need to know.

Speaker: Mikael Nyström

Want to know about the features you already have in your Windows Enterprise setup? What can help you prevent ransomware and protect users even without them knowing?

Get to know features like AppLocker, Credential Guard, and Attack Surface Reduction rules. Learn how to use the tools you already have to increase your security posture.

Speaker: Peter Löfgren

Prompt abuse is a real threat. In this session we will cover how to safeguard the MFA registration in Azure AD and stop threat actors from entering their own MFA credentials.

Speakers: Marcus Pettersson and Viktor Hedberg

If your Active Directory gets breached by threat actors, you need to make sure your underlying infrastructure doesn’t also get breached. We will show you how to design and implement segmentation that is both secure and manageable.

Speakers: Jörgen Brandelius and Anders Olsson

Closing Keynote

A problem with "Ocean's 11" and other heist movies is that they make it seem like robbing a bank is hard. Human nature does not allow us to be alarmed adequately at threats that seem advanced or extreme, simply because we like to tell ourselves that would never happen in real life, or they are not worth that kind of effort.

In this closing session, Jayson E Street will execute attacks with minimum effort, technique, or tools. You may not feel the need to worry about a nation-state attacker, but you should be concerned by a random person walking off the street and compromising your systems in less than 30 seconds.

Jayson will take you through a bank robbery in real-time via a hidden camera and show you that people can still be victims of their wrong assumptions even in high-security areas. Most of us have biases, but we may not even be aware of them. Yet, we can still gain skills to spot suspicious behavior. Learn how untrained workers are a severe threat. However, workers educated in Security Awareness can be the biggest asset to a company's security posture.

Speaker: Jayson E. Street

To sum up the day and hang out with attendees, speakers, partners, friends, colleagues and exhibitors.