2023 was a busy year filled with my first academic publication and a lot of new professional challenges, having switched roles from being a security engineer to a security analyst. A significant amount of my time was spent on retraining myself and switching daily routines, resulting in a long list of personal progress and an even bigger to-do list for the upcoming year(s).

See below for some of my personal IT-Security highlights of the past year.

Conferences

I had the privilege to attend multiple interesting conferences this year, like the local BSides Tallinn and the Swedish SEC-T (including an intensely passionate talk on password cracking by Will Hunt [1]). Some conferences, like 37C3, are still ongoing as I write this, and I will keep scraping them for interesting talks in the coming weeks.

DE&THCon
My favorite event this year was DE&THCon, which stands for “Detection Engineering & Threat Hunting”. DEATHCon is a non-profit community event organized by the likes of Olaf Hartong and Randy Pargman and was filled with loads of interesting workshops. The two I enjoyed most were the following:

  • Beyond OS Credential Dumping: File Auditing in Windows & Linux by Anton Ovrutsky where I got to explore SACL-based detection engineering and play with Snaffler amongst other things.
  • Historically Grown Active Directory Environments by Michael Ritter which provided me with a great excuse to dive a bit into using Bloodhound and Neo4J. See also here for the presentation.

However, there were many other workshops worth mentioning, like a threat hunting session using Zeek data in Microsoft Sentinel, as well as some where we got to play with Velociraptor and RPCFirewall, and one where I wrote my own C2 agent.

Wild West Hackin' Fest
While the quality of the talks at WWHF varied quite a lot, some were excellent, thought-provoking and fun. Some of my favorites were:

  • Beau Bullock discussed a tool called Graphrunner (see also video below) which was launched during the talk. It explores the Microsoft Graph API for post-exploitation opportunities.
  • Essential Guide to Risk-based Alerting was a talk by Haylee Mills discussing how to turn Splunk (or similar SIEM solutions) into a UEBA-like, risk-based detection engine: low-fidelity detections add risk scores to an entity instead of paging an analyst on their own, which improves SOC throughput and combats alert fatigue.
  • The FalconHound project by FalconForce / Olaf Hartong was presented during the conference. The tool aims to add real-time enrichment to the graphs created by Bloodhound. These are typically only generated on a periodic schedule and miss ephemeral context like local group membership and logon session data.
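The risk-based alerting idea from the talk above, as an added illustration that is not code from the talk, from this post or from Splunk: low-fidelity detections contribute a score to a user or host, scores are summed over a sliding window, and a single notable is raised only when the total crosses a threshold and comes from more than one distinct rule. The events, rule titles, entity names, scores, threshold and window are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "risk events": low-fidelity detections that each add a score
# to an entity instead of paging an analyst on their own. Names, rule titles and
# scores are invented for this example.
RISK_EVENTS = [
    {"ts": "2023-11-02T08:01:00", "entity": "user:alice", "rule": "Office app spawned shell", "score": 20},
    {"ts": "2023-11-02T08:05:00", "entity": "user:alice", "rule": "LOLBin download", "score": 30},
    {"ts": "2023-11-02T08:20:00", "entity": "user:alice", "rule": "New service installed", "score": 30},
    {"ts": "2023-11-02T08:25:00", "entity": "user:alice", "rule": "DNS to newly registered domain", "score": 40},
    # bob: one noisy rule firing over and over; plenty of score but no corroboration
    *[{"ts": f"2023-11-02T{h:02d}:00:00", "entity": "user:bob", "rule": "Failed logon burst", "score": 15}
      for h in range(9, 17)],
    # carol-pc: two strong signals, but two days apart, so they never share a window
    {"ts": "2023-11-01T08:00:00", "entity": "host:carol-pc", "rule": "LOLBin download", "score": 60},
    {"ts": "2023-11-03T08:00:00", "entity": "host:carol-pc", "rule": "New service installed", "score": 60},
]

RISK_THRESHOLD = 100          # summed score needed before a notable is raised (arbitrary)
MIN_DISTINCT_RULES = 2        # require corroboration from more than one rule
WINDOW = timedelta(hours=24)  # sliding window over which scores accumulate


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def aggregate_risk(events, window=WINDOW, threshold=RISK_THRESHOLD,
                   min_rules=MIN_DISTINCT_RULES):
    """Sum risk per entity over a sliding window and emit one notable per burst.

    Each notable carries the entity, the aggregated score, the number of distinct
    contributing rules and their titles, so the analyst sees the whole story
    rather than a stream of individual low-value alerts.
    """
    by_entity = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_entity[ev["entity"]].append(ev)

    notables = []
    for entity, evs in by_entity.items():
        in_window = []
        for ev in evs:
            now = _ts(ev)
            # Drop contributions that have aged out of the window.
            in_window = [w for w in in_window if now - _ts(w) <= window]
            in_window.append(ev)
            total = sum(w["score"] for w in in_window)
            rules = sorted({w["rule"] for w in in_window})
            if total >= threshold and len(rules) >= min_rules:
                notables.append({
                    "entity": entity,
                    "fired_at": ev["ts"],
                    "score": total,
                    "distinct_rules": len(rules),
                    "rules": rules,
                })
                # Reset so one burst yields one notable, not one per additional event.
                in_window = []
    return notables


if __name__ == "__main__":
    for n in aggregate_risk(RISK_EVENTS):
        print(f"{n['fired_at']} {n['entity']} risk={n['score']} rules={n['rules']}")
```

With the constructed data only `user:alice` produces a notable: `user:bob` accumulates just as much score, but from a single noisy rule, and the distinct-rule requirement keeps that from becoming a page; `host:carol-pc` has two strong signals that fall outside each other's window. Lowering `min_rules` or widening `window` changes which of those become notables, which is exactly the tuning knob a SOC uses to trade coverage against fatigue.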

Besides the talks, the event had a community vibe, was original, and was organized in beautiful and welcoming Deadwood, South Dakota.

Books and Articles

I finally managed to get around to reading Brian Krebs' Spam Nation this year, a thrilling under-the-hood look at how pharmaceutical spammers used to operate.

While I’ve not finished the book yet, Sönke Ahrens' “How to Take Smart Notes” has already started to make me more conscious of how taking notes informs my learning process.

One article that jumped out at me this year was Introduction to Windows tokens for security practitioners by Will Burgess. It hit a sweet spot for me between technical detail, my ambition to learn more about Windows environments, and good writing.

Other

Flangvik is a Norwegian offensive security researcher and streamer whose videos I’ve been watching a lot over the last few months, and who is definitely worth checking out. See below for a stream session discussing his C# loader, ‘NetLoader’.

  1. A free Password Cracking 101+1 training by the same author is available. ↩︎