Adversary Village
DEF CON 30
Speakers

Or Yair

Security researcher at SafeBreach labs

Or is a security researcher with over 4 years of experience in cyber security. Currently a researcher at SafeBreach Labs, he started his professional career in the IDF. Most of his work has focused on platform research, including Linux kernel components and some Android as well. For over a year, Or has been drawn to the Windows world and focuses on low-level component research.

Lightning Talk: Modern techniques used by Advanced Persistent Threat actors for discovering 0-day vulnerabilities
Adversary Tradecraft

Advanced Persistent Threat (APT) actors have a lot of resources and motivation for reaching their targets. In many cases they pick specific targets very carefully. Unlike regular threat actors, APTs are covert and difficult to track. They are not likely to try 1-day vulnerabilities to find just any target; their targets are likely to have the latest security updates. Most APTs carry out cyber attacks with only unknown vulnerabilities (0-days), so they need to find their own new 0-days in order to breach their target environment. To succeed in the long run, they probably need to find many 0-days, so they can minimize the number of times each one is used in the wild and the risk of exposing it. The top APTs will aim for kernel vulnerabilities, where they can alter what users see in user space, be persistent, and generally have much more control over the system.

They may also aim for hypervisor vulnerabilities to attack cloud services based on virtualization. While the search for new vulnerabilities may be done manually, APTs may prefer to use automation for better results and longer-term use. One type of automation APTs are likely to use is fuzzing! In this talk, I will present the main components of fuzzing, different fuzzing strategies, and provide a quick look at kernel/hypervisor fuzzing, the most delicate fuzzing arena of them all.