Workshops

Structure

All these workshops are structured in a Capture-The-Flag format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a computer that can run virtual machines, or a credit card and a few dollars to rent cloud servers. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

These workshops can be presented in public settings, like colleges or conventions, for general audiences, or customized to form private classes for enterprises. The private classes can focus on the particular tools and techniques appropriate to that business, and discuss internal matters in confidence.

All these workshops can be performed remotely or face-to-face, with class sizes from 6 to over 100.

Beginner

Introduction to Machine Learning
Operational Technology Security
Cryptography and Blockchain Security
Wireshark CTF
Violent Python 3
Securing Web Apps
Go the Wrong Way
COBOL CTF

Intermediate

Secure Coding
Full-Stack Incident Response
Introduction to Attack Techniques
Threat Hunting with Splunk

Advanced

Windows Internals
Malware Analysis
Introduction to Exploit Development
Security Auditing Android and iOS Apps

Introduction to Machine Learning

Level: Beginner

Covers machine learning functionality, attacks and defenses. We'll attack public Large Learning Models (LLMs) with prompt injection, and make custom machine learning models with Python. We'll create various models including LLMs, Retrieval Augmented Generation systems, regression, classification, and image classification systems. We'll evaluate the performance of these systems, perform attacks on them, and deploy defenses. Projects include computer vision, breaking a CAPTCHA, deblurring images, regression, and classification tasks.

No experience with programming or machine learning is required, and the only software required is a Web browser. We will use TensorFlow and SecML on free Google Colab cloud systems.

All materials and challenges are freely available at samsclass.info, and will remain available after the workshop ends.

Learning Objectives

  • Deploy simple machine learning models for classification, regression, and generative tasks
  • Perform the main machine learning attacks and implement defenses against them
  • Describe the fundamental techniques and components used in current machine learning systems

Detailed Outline

Challenges on all these topics will be available to all participants throughout the session. We will demonstrate each of these topics briefly, and assist participants individually as needed. More advanced participants will be able to skip ahead to focus on the topics of greatest interest. All the materials will remain available after the workshop to anyone who wants to use them.

1. Machine Learning Security
   a. Overview of machine learning systems
   b. NIST Artificial Intelligence Risk Management Framework
   c. GCHQ's Principles for the security of machine learning
   d. OWASP Top Ten Machine Learning Risks
2. Public LLMs
   a. Prompt injection attacks
   b. Risks and current policies
   c. Securing Microsoft Copilot
3. Building LLMs
   a. Running an LLM locally
   b. Evaluating LLM performance
   c. Building Retrieval Augmented Generation systems
4. Machine Learning with TensorFlow
   a. Fitting a line with a single neuron
   b. Fitting a curve with a single neuron
   c. Fitting a complex curve with hidden neural layers
   d. Effects of varying the input data, adding noise, and changing the hidden layers
5. Computer vision: sorting garment images
   a. Designing a network with many input pixels and several output categories
   b. Training and testing the network
   c. Understanding its errors
6. Breaking a CAPTCHA
   a. Downloading and processing input images, scaling intensities of pixels
   b. Creating a model and training
   c. Measuring model performance
7. Deblurring images
   a. Downloading and importing the images
   b. Creating training and test sets
   c. Encoding and decoding the images
   d. Training a model with 34 million parameters
   e. Evaluating the results
   f. Using more training and smaller data sets
8. Analyzing input data
   a. Understanding input parameters
   b. Statistical summaries
   c. Correlations and histograms
   d. Biased sampling
   e. Stratified sampling
   f. Visualizing data
   g. Scatter plots
   h. Creating composite inputs
   i. Filtering out bad data
9. Data poisoning attacks
   a. Mislabelling training images
   b. The effect of various levels of poisoning
10. Evasion attacks
   a. Changing test images to fool trained models
   b. Using subtle variations
   c. The Cleverhans attack library
11. Deep Neural Rejection (DNR)
   a. Understanding malicious inputs 
   b. Using Compact Abating Probability (CAP) to rate class membership
   c. Testing the defensive power of DNR against real attacks
12. Linear and polynomial regression
13. Overfitting and underfitting

References

Textbook: "AI and Machine Learning for Coders: A Programmer's Guide to Artificial Intelligence" 1st Edition, by Laurence Moroney, ASIN:‎ B08KYN45H

Textbook: "Hands-On Machine Learning with Scikit-Learn, Keras, and TensorFlow" 3rd Edition, by Aurélien Géron, ASIN‏: B0BHCFNY9Q

Github: SecML: Secure and Explainable Machine Learning in Python, https://github.com/pralab/secml

Operational Technology Security

Level: Beginner

Operational Technology (OT) is hardware and software that controls physical processes like factories and power plants. These processes are far more efficient when networked services monitor, control, and automate them, but also are exposed to network attacks. The primary OT protocols, such as Modbus and DNP3, are decades old and lack security features. This class covers the risks of OT installations and how to secure them.

No experience with programming or hardware is required. It's recommended to have familiarity with networking at the Network+ level.

Cryptography and Blockchain Security

Level: Beginner

Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required.

Detailed Outline

Format

The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

The challenges include:

1. Basic blockchain concepts
   a. Simple conceptual blockchain on Github
   b. Hashes, collisions, and Pollard's Rho method
2. Wallets
   a. MetaMask and Ethereum
   b. Prepraring an Android emulator
   c. MetaMask mobile wallet
3. Smart Contracts
   a. Making a Solidity Contract
   b. Making a Coin with Solidity
   c. Exploiting a contract with a reentrancy attack
   d. Winning an auction by exploiting a logic flaw
   e. Hacking PoWHCoin with an underflow
   f. Performing a double-spend (51%) attack on Bitcoin
4. Servers
   a. Preparing a Linux cloud machine
   b. Making a private Ethereum blockchain
   c. Making a Node on the Kovan Proof-of-Authority Testnet
   d. MetaMask with Local Testnet
   e. Hyperledger IROHA (from IBM)
   f. Using Multichain
5. Essential Cryptography
   a. Symmetric encryption
      i. Substitution ciphers
      ii. One-time pad and Two-time pad
      iii. AES in ECB and CBC modes
      iv. AES-GCM with Libsodium
   b. Asymmetric encryption
      i. RSA
      b. Elliptic-curve cryptography with Libsodium
6. Cryptographic attacks
   a. Padding oracle attack
   b. Existential forgery
   c. Finding large primes
   d. Factoring large numbers
   e. Baby-step, giant-step attack on the Discrete Logarithm Problem (DLP)
   f. Pollard-Rho attack on the DLP
7. Madness
   a. Quantum computing
   b. Homomorphic encryption with Microsoft's SEAL
   c. IBM's homomorphic encryption

Wireshark CTF

Level: Beginner

Analyze packet captures to identify protocols, recover passwords and files, identify malicious traffic, and more.

No previous experience with Wireshark is required.

Violent Python 3

Level: Beginner

Even if you have never programmed before, you can quickly and easily learn how to make custom hacking tools in Python. We build tools that perform port scanning, brute-force attacks, crack password hashes, and XOR encryption. Python is among the top three programming languages in the world, for good reason: it's the easiest language to use for general purposes.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer and a Web browser.

Securing Web Apps

Level: Intermediate

Participants will attack Web applications with: command injection; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and Server-Side Template Injection. We will also exploit Drupal and SAML. We will then implement network defenses and monitoring agents. We will use Burp, Splunk, and Suricata. Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Go the Wrong Way

Level: Beginner

Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This CTF is for them.

Even if you've never programmed before, you can make simple attack tools in Go. We'll peform port scans, HTTP requests, brute-force logins, crack password hashes, and perform encryption using XOR and AES.

COBOL CTF

Level: Beginner

The world runs on COBOL! 95% of ATM swipes rely on COBOL, but few people know how to use it. Let's fix that!

In this workshop, participants will learn basic COBOL programming and solve challenges including building HTTP requests, processing strings, file I/O, ASCII encoding, modular arithmetic and RSA encryption. We will use free Google cloud servers and a real public IBM mainframe.

The workshop is structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns something new.

Participants need a Debian Linux virtual machine, or a few dollars to rent a cloud server, . All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

Party like it's 1959! COBOL will never die!

Secure Coding

Abstract

Learn how to find vulnerabilities in code and fix them. First we will discuss threat analysis and how to prioritize risks using the STRIDE model and the CVSS scoring system. Then participants will examine insecure apps written in PHP, NodeJS, and C. They will use three methods to find flaws: static analysis (scanning source code, dynamic analysis (scanning a running app), and manual testing. We will use several free vulnerability scanning tools, including SonarQube, Codacy, Semgrep, Snyk, and Nessus. They will then fix those flaws, winning points on an automated CTF scoring system by proving that the app is no longer vulnerable.

Prerequisites: participants should have some experience coding apps in any language, and bring a laptop with Internet access.

Full-Stack Incident Response

OVERVIEW

Class structure: A live CTF scoreboard will be running so participants can compete to solve challenges. The instructor will briefly explain the principles and demonstrate the attacks, but workshop participants will spend most of their time performing hands-on projects. Complete instructions will guide participants through beginning projects, and a series of challenges of escalating difficulty are presented to encourage each participant to progress to their appropriate level of accomplishment. This way, novices can gain awareness of the tools, techniques, and results of each activity, and more advanced participants can delve deeply into the details. Our goal is to make sure each participant learns useful, new things in their area of interest. We will have several instructors available to tutor participants one-on-one as needed.

We will cover these topics:

MITRE ATT&CK

We will begin with a high-level view of attacks: Groups, Tactics and Techniques in the ATT&CK matrix, and attribution. We will use Caldera to simulate all the stages of an attack and test defenses.

Network Security Monitoring

We will cover centralized security monitoring in detail, using Splunk and Suricata to find and analyze attacks.

We will use a pre-installed Splunk server with archived attack data to find and analyze attacks including vulnerability scans, brute force attacks, ransomware, Web site defacement.

Then we will analyze network traffic with Wireshark, Virus Total, and Packet Total to find suspicious traffic, reconstruct the attacker's actions, and recover downloaded files. We will generate attack traffic with Scapy and monitor traffic with simple Python scripts.

We will practice using Zeek, the powerful network security monitor formerly called Bro. We'll practice writing simple code to customize Zeek, using it to analyze captured traffic, and then install it on a cloud server and use it to detect live attacks.

Defending Windows

We will use many techniques to defend Windows systems, including detecting ransomware with Sysmon and Splunk, RAM analysis, detecting known malware with yara, and prefetch forensics.

We will use Velociraptor extensively for threat hunting on Windows systems, finding malware and persistence mechanisms, scanning for indicators of compromise, and capturing traffic remotely.

Windows Internals and Malware Analysis

We'll use many techniques to analyze the behavior of malware to find indicators of compromise and understand the harm it does. We'll use simple static analysis with strings, PE file analysis tools, and packers. Then we'll perform dynamic analysis with debuggers, disassembly with IDA Pro, and decompiling with Ghidra.

We will explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. We will explore the import table, perform DLL injection and DLL proxying, and examine Windows API calls in userland and the kernel in detail.

Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, debugging a driver, and writing custom shellcode. Tools used include pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, WinDbg, and the Keystone Engine.

We will examine the MBR and a simple bootkit.

Prior Knowledge and Equipment Requirements

Previous experience with C and assembly language is helpful but not required. Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who don't want to run the machines locally.

KEY TAKEAWAYS

  • Understanding of threat actors and the ATT&CK matrix
  • Experience with network monitoring tools and Splunk
  • Thorough understanding of the Windows API and malware analysis methods

WHO SHOULD TAKE THIS COURSE

Analysts and executives responsible for protecting enterprises who wish to understand threat groups, defenses in overview, and the granular details of Windows exploits and defenses.

AUDIENCE SKILL LEVEL

Beginner/Intermediate

WHAT PARTICIPANTS NEED

Participants will need a laptop with a Web browser and two monitors. We will provide cloud servers for participants who prefer not to run the machines locally.

WHAT STUDENTS WILL BE PROVIDED WITH

Access to the challenges, complete instructions, and a live running scoreboard. They will remain available after the workshop concludes, and they are all free to use with a Creative Commons license.

Introduction to Attack Techniques

Level: Beginner

Learn fundamental tools and techniques used to attack and defend Windows and Linux systems. Topics include Linux and Windows command-line, command injection and SQL injection, network scanning, traffic analysis, and cryptography. Tools used include Nmap, Metasploit, PowerShell, Splunk, and Python.

No previous experience with programming or attacking is required.

Threat Hunting with Splunk

Level: Beginner

Splunk is "Google for log data" and it is the leader in network security monitoring. Learn how to find attackers, identify malware, and attribute attackers to real-world APT groups. We will use cloud servers running the free version of Splunk, with open-source network data from Splunk's "Boss of the SOC" contest.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer with a Web browser.

Windows Internals

Level: Beginner

Abstract

Explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include FLARE-VM, pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg.

No previous experience with programming is required.

Details

Format

The workshop is structured in a CTF format, so each participant can work at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed, to ensure that everyone learns new techniques.

Participants need a credit card and a few dollars to rent Cloud servers, or a host machine that can run virtual machines. We will use Linux and Windows systems. All the tools we will use are freely available, and all the training materials will remain available to everyone after the workshop ends.

We will provide a prebuilt FLARE-VM virtual machine based on Windows 10 for participants to use.

The challenges include:

1. Basic static analysis of malware
   a. Using VirusTotal for an overview of its function
   b. Using PEview to see the structure of a PE file
   c. Identifying the development language with PEiD
   d. Identifying packers
   e. Extracting strings with BinText
   f. Identifying library usage with Dependency Walker
2. Packed code
   a. Using UPX to unpack a packed executable
   b. Building a custom version of UPX
   c. Manual unpacking with OllyDbg and pestudio
3. Disassembly
   a. Using assembly language in the Jasmin emulator
   b. Disassembling with IDA Pro
   c. Recognizing C constructs in assembly code
   d. Disassembling and decompiling code with Ghidra
4. Windows libraries
   a. Examining the Import Address Table (IAT)
   b. Repairing and rebuilding the IAT
   c. DLL hijacking with companion trojans 
   d. Building a keylogger with Visual Studio
   e. Building a DLL proxy
   f. Stealing passwords with API Monitor
5. Debugging in user-land
   a. Modifying a windows EXE with OllyDbg
   b. Hacking minesweeper
   c. Source-level debugging
6. Debugging the kernel
   a. Examining Kernel structures with a single computer
   b. Kernel debugging with breakpoints and two machines
   c. Debugging a device driver
7. Bootkits
   a. Bootkit analysis with Bochs
   b. Understanding the MBR and a malicious MBR
8. The .NET Framework
   a. Common Language Runtime
   b. Building .NET Apps in Visual Studio
   c. Reversing .NET apps with .NET Reflector and other tools 
9. Assembly language coding
   a. Basic coding
   b. Printing and simple debugging
   c. Using ASCII
   d. Debugging with gdb
   e. Using files
   f. Encryption with the Caesar cipher
   g. XOR encoding 

Malware Analysis

Analyze malware to find indicators of compromise using static and dynamic techniques. We will use PEstudio, IDA Pro, Ghidra, OllyDbg and other tools. Familiarity with programming in C and assembler is helpful but not necessary.

We will use Windows 2016, FLARE-VM, and harmless malware samples. Some projects can be done on free cloud servers, but for the best experience, participants should prepare a FLARE-VM in advance as explained here:

https://samsclass.info/126/proj/PMA40.htm

Introduction to Exploit Development

Level: Intermediate

Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.

After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.

We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and how to defeat them, including ASLR, DEP, stack cookies, and SEHOP. We will also design custom shellcode with the Keystone Engine.

Previous experience with C and assembly language is helpful but not required. P

WHAT PARTICIPANTS NEED

Participants will need a laptop with a Web browser. The capacity to run local VMware machines is helpful but not necessary. We will provide cloud servers for participants who prefer not to run the machines locally.

Security Auditing Android and iOS Apps

Level: Intermediate

Practice finding flaws in real Android and iOS apps in this workshop, and you will be ready to avoid making similar security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from the Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

Participants need a laptop that can run VirtualBox to run Android emulators. To audit iOS apps, particpants will need a Mac laptop. We will bring some loaner iPhones to use.

Updated 5-21-24