S4x25 Pre-Event Training

Past S4 attendees have asked us to bring back the pre- and post-event training. We’ve listened and have three great 2-day courses that will be held the Sunday and Monday before S4x25 (February 9 & 10). Each course is limited to 30 students, so there is yet another reason to get your S4 ticket early.


Course 1: Applied Hardware Attacks: Embedded and IoT Systems

Instructor: Joe FitzPatrick of SecuringHardware.com

Cost: $3,500 + tax

This hands-on course will introduce you to the common interfaces on embedded systems and IoT devices, and how to exploit physical access to grant yourself software privilege via UART, JTAG, or SPI.

This course focuses on UART, JTAG, and SPI interfaces. For each, we’ll do a brief architectural overview, followed by hands-on labs identifying, observing, interacting, and eventually exploiting each interface. We’ll also do basic analysis and manipulation of firmware images.

The course is designed for newcomers to hardware: over 70% of the time is hands-on with current off-the-shelf hardware, supported by lectures that fill in the background. This is why the classes we developed have sold out at Black Hat every year.

This two-day course prepares you with the skills and comfort needed to get started working with embedded systems. It pairs well and leads right into Applied Hardware Attacks 2: Hardware Pentesting.

UART: Once we’ve learned a little bit about it, we will use a logic analyzer to find a UART on our target device. Once we’ve done that, we’ll hook up the proper cable to communicate with it, find out what’s inside, and see what’s exposed.
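The identification step above comes down to two things a logic analyzer gives you: edge timestamps, from which the shortest pulse reveals the bit period (and therefore the baud rate), and the line level at the centre of each bit, which decodes the frames. The following is an added example, not course material; the "capture" it works on is constructed inline rather than recorded from a real device.

```python
"""Identify a UART from logic-analyzer edge timestamps: infer the baud rate
from the shortest pulse, then decode 8N1 frames by sampling at bit centres.
Added example, not course material; the capture below is constructed."""
import bisect
from typing import List, Tuple

# Rates a UART is most likely to use; the measured rate is snapped to one of these.
STANDARD_BAUDS = [1200, 2400, 4800, 9600, 19200, 38400, 57600,
                  115200, 230400, 460800, 921600]


def encode_edges(data: bytes, baud: float, t0: float = 0.0,
                 idle_bits: float = 2.0) -> List[float]:
    """Constructed capture: the edge timestamps (seconds) an analyzer would record
    for `data` sent as 8N1 at `baud`. The line idles high; each byte is a low start
    bit, eight data bits LSB first and a high stop bit, followed by some idle time."""
    bit = 1.0 / baud
    edges, level, t = [], 1, t0
    for byte in data:
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for b in frame:
            if b != level:          # a timestamp is recorded only where the line toggles
                edges.append(t)
                level = b
            t += bit
        t += idle_bits * bit
    return edges


def infer_baud(edges: List[float]) -> int:
    """The shortest gap between consecutive edges is one bit period (a lone 0 or 1
    between opposite bits), so its reciprocal is the raw baud rate. Snap it to the
    nearest standard rate by relative error so a few percent of clock drift on the
    target does not mislead."""
    bit_time = min(b - a for a, b in zip(edges, edges[1:]))
    raw = 1.0 / bit_time
    return min(STANDARD_BAUDS, key=lambda std: abs(std - raw) / std)


def level_at(edges: List[float], t: float) -> int:
    """Line level at time t: high when an even number of edges precede t."""
    return 1 if bisect.bisect_right(edges, t) % 2 == 0 else 0


def decode_8n1(edges: List[float], baud: float) -> Tuple[bytes, int]:
    """Decode 8N1 frames from the capture at `baud`. Returns (bytes, framing_errors).
    A frame whose stop bit samples low is dropped and counted as a framing error,
    the usual symptom of a wrong baud guess."""
    bit = 1.0 / baud
    out, errors, i = bytearray(), 0, 0
    while i < len(edges):
        if i % 2 != 0:              # odd index = rising edge, never a start bit
            i += 1
            continue
        start = edges[i]            # falling edge: the start bit begins here
        value = 0
        for k in range(8):          # sample each data bit at its centre, LSB first
            value |= level_at(edges, start + (k + 1.5) * bit) << k
        stop_centre = start + 9.5 * bit
        if level_at(edges, stop_centre) == 1:
            out.append(value)
        else:
            errors += 1
        i = bisect.bisect_right(edges, stop_centre)  # resume after the stop bit
    return bytes(out), errors


if __name__ == "__main__":
    capture = encode_edges(b"login: ", 115200)
    baud = infer_baud(capture)
    print("inferred baud:", baud, "decoded:", decode_8n1(capture, baud))
```

Decoding a capture at the wrong rate yields garbage and, usually, framing errors, which is the same symptom you see as garbled characters in a terminal when the baud rate is mis-set; the error count is a cheap way to confirm the inferred rate before connecting a cable.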

SPI: After a brief introduction, we’ll look for clues to tell us how to connect to the SPI device on our system. We’ll use a logic analyzer to observe what’s going on, then use a dedicated SPI adapter to extract firmware from our system.

Firmware Analysis and Modification: Using the firmware we previously extracted, we’ll use the firmware image to guide simple patches to the device’s memory, make simple changes to the firmware image to permit further access to the system, and do some basic binary analysis to help us find issues that may be remotely exploitable.
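Two of the basic firmware-image operations mentioned above are listing the printable strings in a dump and patching one of them in place. The following is an added example, not course material; the image it operates on is a constructed blob embedded inline, and the string it patches (a kernel command line's `init=` argument) is chosen for illustration, not taken from any particular device.

```python
"""Scan a firmware image for printable strings and apply a same-length patch.
Added example, not course material; FIRMWARE is a constructed stand-in for a
dumped SPI flash image."""
import re
from typing import List, Tuple

# Constructed blob: filler plus a few embedded NUL-terminated strings.
FIRMWARE = (
    b"\x7fELF" + b"\x00" * 12
    + b"/bin/sh\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"console=ttyS0,115200 init=/sbin/init\x00"
    + b"\xff" * 16
    + b"admin:x:0:0:root:/:/bin/false\x00"
    + b"\x00" * 8
)


def find_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like the `strings` tool: runs of printable ASCII of at least min_len bytes,
    returned with their offsets so a patch can be targeted at the right copy."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def patch_same_length(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace the unique occurrence of `old` with `new` of exactly the same length.
    The length must match because a raw image has fixed offsets: growing or
    shrinking a string shifts everything after it. Uniqueness guards against
    silently patching a different copy of the same bytes."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    count = blob.count(old)
    if count != 1:
        raise ValueError(f"expected exactly one match, found {count}")
    off = blob.index(old)
    return blob[:off] + new + blob[off + len(old):]


def drop_to_shell(blob: bytes) -> bytes:
    """Illustrative patch: make the kernel start a shell instead of init. The new
    value is padded with NULs to keep the length; the C string ends at the first
    NUL, so the kernel sees `init=/bin/sh`."""
    return patch_same_length(blob, b"init=/sbin/init", b"init=/bin/sh\x00\x00\x00")


if __name__ == "__main__":
    for off, s in find_strings(FIRMWARE):
        print(f"{off:#08x}  {s}")
    patched = drop_to_shell(FIRMWARE)
    print("patched image still", len(patched), "bytes")
```

Before writing a patched image back to flash, keep the original dump and its hash; a same-length patch leaves every other offset untouched, but any checksum or signature the bootloader computes over the region will still have to be accounted for, and that is device-specific.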

JTAG: As soon as we’ve covered a bit of background information, we’ll connect a JTAG adapter to our system and use it to examine the contents of memory. Once we get over that thrill, we’ll see how easy it is to attach a debugger to the kernel and take control of the system.

JTAG Exploitation: Once we’ve got full debugger access to the system over JTAG, we’ll test out a few methods of escalating privilege on the system to enable a root shell.

Key Takeaways

  • Comfort and confidence when looking at hardware devices.
  • Understanding of the current tools and techniques, including their limitations.
  • Appreciation of how and when leveraging physical hardware attacks can inform and enable software attacks.

Who Should Take This Course

This course is geared toward pen testers, red teamers, exploit developers, and product developers who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. In addition, security researchers and enthusiasts unwilling to ‘just trust the hardware’ will gain deeper insight into how hardware works and can be undermined.

Student Requirements

No hardware or electrical background is required. Computer architecture knowledge and low-level programming experience are helpful but not required. Familiarity with the Linux command line allows students to focus on the tools being used instead of struggling with the command line itself.

What Students Should Bring

A lab computer or laptop running native Ubuntu 20.04+ with administrator rights, two USB ports, and an Ethernet port. USB-to-Ethernet adapters will suffice.

Note: macOS and other Linux systems may suffice. Windows or virtualization will not work, and we won’t be able to help debug issues with them.

What Students Will Be Provided With

  • A kit of hardware hacking tools and target hardware for the class.
  • A script to install all the necessary tools and utilities for the class.
  • Access to all course materials and pre-recorded lecture videos after the course.

Trainer

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe started his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He founded SecuringHardware.com and has spent decades developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers, and hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.


Course 2: Conducting Threat, Vulnerability, & Risk Assessments for ICS

Instructor: Joel Langill of Industrial Control Systems Cyber Security Institute

Cost: $3,500 + tax

This mission-critical, hands-on course focuses on one of the most important skills in securing operational technologies and their connected physical systems from threats aiming to cause harm: risk. This is accomplished through three cohesive activities that “assess” risk, “manage” risk, and deploy security controls that target and “mitigate” risk.

It introduces processes and methodologies based on decades of field activities and data to look at operational systems from a risk point of view, emphasizing the consequences or impact to critical services and functions rather than component- or system-level vulnerabilities that often do not map to operational targets. This course is taught using a realistic multi-zone architecture based on modern technologies and ICS platforms. The content provides a balanced combination of brief educational lectures reinforced with individual and group exercises.

Students learn and practice how to programmatically identify assets and create hardware and software inventories. They learn how to characterize system operation and develop data flow tables and then apply these flows in the analysis of firewall configuration data. Discovery of asset weaknesses leverages modern vulnerability management tools to evaluate software vulnerabilities alongside system configuration using industry benchmarks. Students will learn how vulnerability management tools can be customized to perform vital asset data collection.

The format of the course leverages “learning by doing”, replacing most traditional lecture sessions with interactive group activities that include case studies, discussions, and hands-on exercises. Students are encouraged to work in groups to amplify learning and retention through active interaction with other students in an environment that mimics real-life engagements.

Who Should Attend

Staff and personnel responsible for understanding, implementing and evaluating the impact on operational systems and the resulting consequences for service availability, safety, environmental responsibility, and business profitability. This is performed through the identification, collection, evaluation and prioritization of threats and vulnerabilities and the calculation of unmitigated and residual risk across the cyber-physical ecosystem.

Typical student profiles include: automation engineers (OT), process / manufacturing engineers (OT), facility operations and maintenance, finance, procurement, corporate compliance, system administrators (IT), network managers (IT), security officers, and facility management.

Course Requirements

Students must supply their own computer with a modern web browser installed to connect to the instructor’s learning management system. Internet access will be provided by the training venue. There are no further course requirements. It is beneficial if students have a working knowledge of Windows and Linux operating systems including their shell environments (e.g., command prompt, PowerShell, bash, etc.). It is also helpful if students have some exposure to manufacturing processes and the industrial control systems used to automate these processes.

Trainer

Joel Langill has been involved in industrial automation and control his entire life. For more than four decades, Joel has been responsible for the design of automation solutions in multiple industry sectors across all corners of the globe. His roles included product development, new product training, system testing, and site migration. He worked for more than two decades designing automation technologies and solutions for some of the largest infrastructure projects in the world before shifting his focus entirely to cyber security more than 15 years ago.

In 2010, Joel launched the popular website SCADAhacker.com that focused on information sharing targeting ICS. He also developed one of the first training programs focusing on defensive skills for ICS. He created the Industrial Control System Cyber Security Institute in 2020 to provide a platform for the continued development and delivery of industrial cyber security programs and services. He launched one of the largest test ranges in the world to provide firsthand training of ICS cyber security offensive and defensive methods on realistic industrial architectures. He supervises an innovative industrial control system data center built in close cooperation with solution leaders in the industrial security sector for education, new product testing and evaluation.

Joel served as an adjunct professor at Texas A&M University, where he taught and worked with the RELLIS campus research facility on advanced defensive cyber operations for industrial systems. Joel has published numerous articles on industrial security risk and mitigation, is credited with various vulnerability disclosures, and has been a distinguished speaker at public and private conferences globally. He was the co-author of the best-selling book “Industrial Network Security” and has several more books in the works. He is a graduate of the University of Illinois, receiving a Bachelor of Science degree with University Honors in Electrical Engineering.


Course 3: Cyber Threat Intelligence (CTI) plus Detection Engineering and Threat Hunting (DE&TH)

Instructor: Joe Slowik of Paralus

Cost: $3,000 + tax

The Paralus Technical Cyber Threat Intelligence (CTI) plus Detection Engineering and Threat Hunting (DE&TH) training is designed to be an intensive introduction to these concepts, combining a quick theoretical overview with in-depth technical exploration. By working through topics in a rapid, focused manner, students will quickly gain familiarity with the core principles behind CTI work and how these apply to and inform subsequent DE&TH operations. These outcomes are applicable both to practitioners looking to complete their understanding of intelligence-driven security operations and to leaders seeking to build effective, sustainable security programs.

This workshop is designed to be highly interactive and conversational, with opportunities to test out and explore concepts within the material to ensure the greatest possible immersion into critical CTI and DE&TH ideas. Participation is not optional but mandatory to get the most out of the material, particularly in the extended two-day, in-person edition of this course that allows for greater interaction and discussion. Core to the workshop are two case studies that students will follow along from CTI to detection engineering to threat hunting perspectives to determine how practitioners can appropriately and effectively deal with real-life, sophisticated threat actor operations.

Trainer

Joe Slowik has over 15 years of experience across multiple information security disciplines. Joe currently performs extensive threat research and analysis for the MITRE Corporation on critical infrastructure environments, while also leading CTI functions for the MITRE ATT&CK project. Previously, Joe has led and built teams performing operations-focused CTI support, detection engineering, and threat hunting actions across multiple private sector organizations and Los Alamos National Laboratory.

OT & ICS Security Free Video Training

S4 is designed for the advanced OT and ICS security professional. Part of our Create The Future mission includes growing the number of people with these skills and experiences. At previous S4 events we have offered full-day courses taught by the luminaries and top talent in the sector. You can watch these training videos at your own pace on the S4 Events YouTube channel.

Our advice is that everyone new to OT and ICS security should watch the OnRamp and the Highway. Then take a look at the topics in the 301 Level Autobahn series and see if any are applicable to you.