Grab a cup of coffee and boot up Kali Linux! In the workshop “Asset Discovery and Monitoring for Bug Hunters 101”, independent researcher Denis Makrushin will share tools, tactics and techniques that security researchers, software engineers and pentesters will find invaluable.

Static Application Security Testing (SAST) is an important part of the software development cycle, especially when it comes to application security. During SAS 2021, Aleksei Meshcheriakov and Evgenii Protsenko shared their experience of implementing SAST techniques at Yandex, a Russian IT company known for its services and applications. What tools to use, how to improve the analysis quality, how to write rules to automate processes – these questions and many others are covered in the “Company-wide SAST” workshop.

Why did threat actor UNC215 start to write in Farsi? Security researchers Stav Shulman (Mandiant) knows the answer. In her “How do you say ‘Chinese Supply Chain Attack’ in Farsi” talk, she observes a new targeted campaign against multiple Israeli targets in the government, hi-tech and IT sectors. One of the interesting features of this campaign was the presence of false flags – in the malware code there were comments written in Farsi.

The Go language is increasingly used by malware authors, and its binaries cannot be tackled with the usual approach. This combination makes Go malware a tough nut to crack for a reverse engineer. In his ‘Zero-knowledge Go Reverse-engineering’ workshop Ivan Kwiatkowski, Kaspersky’s senior security researcher, shares his experience in dissecting Go binaries and demonstrates how to analyze a real life malware sample.

YARA is a famous tool for malware researchers helping them to identify and classify malware samples. However, what exactly can a specialist do with YARA? In their workshop ‘Writing Better YARA Rules’ Costin Raiu (Kaspersky) and Vicente Diaz (VirusTotal) discuss the effective usage of YARA rules and share some hands-on experiences, including disassembling some real YARA rules and analyzing good and bad examples of them.

Bonus: introduction of KLARA – an open source YARA instrumentation framework.

The popular container orchestration platform Kubernetes is not secure by default, and there are many ways to compromise it. At the same time, the platform has native capabilities to make it secure. For over an hour Diego Comas, Security Engineering manager from Sourcegraph, will be

• discussing the threat matrix and the security aspects of Kubernetes,
• showing statistics of security incidents related to Kubernetes,
• demonstrating how to prevent the platform-related threats,
• sharing useful tips and tricks.

Join him in the ‘Prevent & Detect Security Threats in the Kubernetes Era’ workshop!

As we suggested in the SAS 2021 announcement, the ‘Time to Make the Donuts’ presentation isn’t about actual doughnuts. It is about a much more interesting and complicated topic – supply-chain attacks.
What is a supply-chain attack? Why do cybercriminals choose this type of attack? What are the typical tactics and processes of supply-chain attacks? Kurt Baumgartner of Kaspersky GReAT has prepared a smart overview of major attacks of 2021 and recent years. On the menu there are both famous names, like SolarWinds/Sunburst, ExPetr and Shadowpad, and less known ones, such as MonPass/BountyGlad.

Straight from the sunny UK to the stage of SAS-at-Home 2021, John Southworth (PwC) will be giving some insights about the threat actor APT41, also known as Red Kelpie and Winnti. Starting with APT10 (Red Apollo), the presentation will dance you through the malware used by APT41 – the Motnug loader and its descendant, the ChaCha loader, to some thoughts on the actor’s attribution and the payload, including the infamous CobaltStrike.

Indicators of compromise, YARA rules, and Python scripts for the Kaspersky TheSAS2021 talk “Learning to ChaCha with APT41“: https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie

How to build up a fascinating story from a hardcore APT report? Where to find details and how to work with information sources? Sitting by the virtual fireside, Brian Bartholomew (Kaspersky GReAT) and Christopher Bing (Reuters) will discuss how malware researchers and investigative journalists can help each other in their work.

During the ‘Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon‘ talk on SAS-at-Home 2021, Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe from NTT Security (Japan) will cover a new APT campaign named Operation Software Concepts. They will share details about this multi-stage attack campaign targeting Russian and Mongolian governments and defense sector with droppers, RAT and other malware. The researches will also show some connections between the campaign and various APT groups, such as APT31, Tonto and Mofang.