CFP Guidelines - BlueHat IL 2018 Submission Guidelines


CFP Guidelines

Submit proposals on the Call for Papers (CFP) submission portal at aka.ms/bhilcfp2018.

All applicants must read and agree to the call for papers submission guidelines and requirements prior to making a submission. All submissions must be received by November 14, 2017 at 23:59 PT.

* Terms and times are subject to change.

IMPORTANT DATES

Call for papers closes Nov 14, 2017

Notifications to authors By Dec 4, 2017

CFP Topics of Interest

Some possible themes we’re interested in seeing abstracts on are:

◾ Virtualization & cloud-based research, exploits and defense

◾ How customers are getting owned (case studies and research)

◾ New exploit techniques

◾ Anti-exploitation techniques

◾ Emerging threats & trends

◾ Social engineering & defense

◾ Identity & authentication research, exploits and defense

◾ Infrastructure & IoT security research, exploits and defense

◾ Security analytics based on machine learning

◾ Honeypots, honeynets & deception

◾ Forensics & anti-forensics research

A limited number of speaking slots are available, and all submissions will be reviewed by the content advisory board on a rolling basis until all speaking slots are filled.


Submission Requirements & Process

01 Each submission must be completed in its entirety.

02 Session Length - your presentation should target the 30-minute or 45-minute format, including approximately 5-10 minutes for Q&A at the end of the presentation.

03 The original author(s) of a presentation must submit for the CFP. Third parties such as PR firms or speaker representatives may not submit materials on behalf of a potential speaker or speaking team.

04 No more than three researchers are permitted to present on stage.

05 BlueHat IL does not accept product or vendor-related pitches. A sales or marketing pitch MUST be avoided when preparing your talk.

06 Submissions should clearly detail the concepts, ideas, findings, and solutions a researcher or speaking team plans to present.

07 Speakers may submit more than one proposal but each proposal must be submitted through a separate submission form.

08 Each submission should acknowledge prior work in the space, distinguishing or highlighting how your presentation is different.

09 Individuals submitting a proposal will receive a “Your submission for BlueHat IL 2018 has been received” email notification within 48-72 hours of receipt of the submission.

10 BlueHat IL’s selection process is competitive. Members of the BlueHat IL content advisory board score each submission.

11 Speakers will be contacted directly if content advisory board members have any questions about a submission.

12 After selections have been completed, all submitters will receive an email confirmation of acceptance or rejection (by Dec 4, 2017).

13 BlueHat IL will cover up to $1500 USD air travel (economy-class, round-trip airfare for one speaker) and one hotel room for three nights (Jan 22, 23 and 24).

14 BlueHat IL will provide all necessary audio & visual equipment.

15 If you have any questions regarding your submission, please contact [email protected]


How to Submit Your Paper

Step 1

Go to aka.ms/bhilcfp2018

Step 2

Log in to the submission portal. If you’re a Microsoft employee, click “Microsoft Login”; otherwise, click “Login” for an existing account or “Create Account”.

Step 3

Click “Create New Submission”. The new submission page will prompt you to enter the following:

◾ Talk Title – This is the talk title that will be posted on the website schedule.

◾ Abstract – Provide us with an abstract about what you will be presenting at the conference (2000 characters maximum). This is the abstract that will be posted on the conference website, so please make sure it’s in complete sentences written in the third person.

◾ Authors – List all the individuals who have contributed to this proposal. Provide us with each author’s name, email address, and the company/organization name. You will need to identify no more than THREE presenters in the section below.

◾ Subject Areas – Select the topics that best represent the content of your proposal.

◾ Files – Upload your presentation slides or supportive files (optional).

◾ Call to Action – The heart of the BlueHat IL conference is the practical and innovative content. It would be extremely beneficial to our attendees if the speakers can offer a couple of actionable takeaways.

◾ Presenter(s) – Provide us with each presenter’s name, organization, title, and biography. Talks with more than three presenters will not be accepted.

◾ Experience Level – Identify the knowledge level of your targeted attendee (Beginner, Intermediate, Advanced, Any).

◾ Additional requirements – List any technical requirements that you have for your presentation beyond the standard projector, screen and wireless Internet.

If you have any questions regarding the submission process, please don’t hesitate to contact us at [email protected]


Here are Some Good Examples of Abstracts from BlueHat IL 2017

The Enemy Within: Stopping Advanced Attacks Against Local Users Tal Be’ery & Marina Simakov | Microsoft

Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer). In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks.

Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.

Device Guard Attack Surface, Bypasses, and Mitigations Matthew Graeber & Casey Smith | Veris Group

As organizations begin to embrace application whitelisting solutions, it becomes imperative that they not implicitly trust all applications signed with a Microsoft code signing certificate. Solutions such as AppLocker and Device Guard go a long way to provide increased defense. As with any whitelisting solution however, attackers can leverage signed tools to execute arbitrary, unsigned code. This talk will describe the attack surface, our methodology for discovering application whitelisting bypasses, as well as the development of effective bypass mitigations. Antivirus solutions simply can't keep pace with the unique samples deployed on a daily basis. Application whitelisting solutions are the ideal preventive mechanism but organizations must be realistic about its limitations.

Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em' Daniel Bohannon | Mandiant

The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.


This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. Incident responders at Mandiant have already seen attackers use a handful of these methods to evade basic command line detection mechanisms.

This presentation will introduce three new layers of obfuscation that can be applied to any PowerShell command or script. One can use each layer independently, or stack them together to prevent any one technique becoming an easy signature for defenders. The first layer directly manipulates PowerShell and .Net cmdlets, functions and arguments. The second string manipulation layer can then be applied to a single command or an entire script. The final layer consists of several techniques for content execution using PowerShell command input parameters that hide command line arguments from appearing for powershell.exe.

Attempting to detect every possible obfuscated version of particular commands is not an efficient means of detection. Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging and rely primarily on command line logging.

This presentation will conclude with a demonstration of Invoke-Obfuscation. This open source tool applies the aforementioned obfuscation techniques to user-provided PowerShell commands and scripts to evade command line argument detection mechanisms.

Blinded Random Block Corruption Rodrigo Rubira Branco, Intel & Prof. Shay Gueron | Intel & Haifa University

Protecting users' privacy in virtualized cloud environments is an increasing concern for both users and providers. A hypervisor provides a hosting facility administrator with the capabilities to read the memory space of any guest VM. Therefore, nothing really prevents such an administrator from abusing these capabilities to access users' data. This threat is not prevented even if the whole memory is encrypted with a single (secret) key. Guest VM's can be isolated from the administrator if each guest VM has its memory space encrypted with a unique per-VM key. Here, while the hypervisor's memory access capabilities remain unchanged, reading a VM memory decrypts the VM's encrypted data with the wrong key and therefore gives no advantage to the attacker. This is indeed the motivation behind some newly proposed technologies that are planned in future processors.

However, this presentation argues that the privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest VM's cannot be guaranteed. To show this, we explain and demonstrate a new instantiation of a "Blinded Random Corruption Attack". Under the same scenario assumptions that the per-VM keying method addresses, our attack allows the cloud provider administrator to use the capabilities of a (trusted) hypervisor in order to login to a guest VM. This completely compromises the user's data privacy.

This shows, once again, that memory encryption by itself, is not necessarily a defense-in-depth mechanism against attackers with memory read/write capabilities. A better guarantee is achieved if the memory encryption includes some authentication mechanism.

If you are not sure about your abstract, reach out to us at [email protected] and we will be more than happy to work with you on your proposal.

Thank you!

The BlueHat IL team