My experiences at infosec conference TROOPERS 2017

In: Security, Travel
Published on 2017-04-14
Written from the perspective of a computer security analyst.

Last month, I visited TROOPERS17, a conference in Heidelberg, Germany. It was the first infosec conference I've attended, so I didn't really know what to expect. The website showed photos of geeky people in hoodies, a soldering table, lots of club mate and weird LED badges. I figured I could fit right in, and when I saw the training program I was even more motivated to register.

In the two days before the conference, I followed a training about network forensics. Earlier this week I wrote about the Rinse and Repeat technique I learned there, which can help you find the interesting network activity in a large PCAP-file.

Beautiful view and smart students in the #TR17 Network Forensics Training at 11'th floor of the PMA. pic.twitter.com/ngfyMtwvsi

— NETRESEC (@netresec) March 21, 2017

Atmosphere

With only 400 visitors, TROOPERS is a friendly and casual conference. What really surprised me: I met many different people and everybody was SO approachable and NICE! As one of the attendees put it: "TROOPERS is the only family where your parents don't ask you to fix the WiFi". Networking, which (in my head) evokes images of smooth talking and sprinkling business cards, was never so easy. I ended up sharing stories with incident responders, CEO's, security officers, programmers, policy makers, students, consultants and pentesters.

The open and welcoming atmosphere reminded me of the Chaos Computer Congress in Hamburg, although TROOPERS focuses specifically on information security.

THX 2 ALL!#TR17 pic.twitter.com/jWalWB9Le2

— Giaco (@giaco127001) March 23, 2017

Talks

The tracks consisted of a nice mixture of the different aspects of computer security. There was a track on attack and research, a track on defense and management, a sponsored track that focused on the security of SAP products (day 1) and a wildcard track for talks that don't fit a specific category (day 2).

I didn't attend a talk at every possible time slot. I tried to find the right balance between talks, hanging out at "lobby-con", talking to people, exploring the various extra activities at the conference and enjoying a nice cappuccino every now and then.

.@verovaleros found >70% of companies are infected by adware, and don't understand the extent of data exfil'd or how much it's worth #TR17 pic.twitter.com/XRjWncYb63

— Kelly Shortridge (@swagitda_) March 22, 2017

I can definitely recommend the following talks:

• Veronica Valeros talked about threat hunting. Valeros works at Cognitive Threat Analytics, a research department that is part of Cisco Systems. In her presentation, she talked about her methods for finding the needle (malicious activity) in a haystack (large amount of network traffic). She also shared a case study from her own work: it appears that adware can have a higher negative impact than most people expect, since adware is often used to exfiltrate sensitive data (such as browsing history) from infected computers. In some cases, the adware will communicate unencrypted with the ad server, which results in sensitive data being transmitted in plain text over the network!
• Matthew Domko gave this talk about BroPy, a Python tool that can automatically generate a baseline for network traffic that. This baseline can subsequently be used as input for Bro, as a definition of normal network activity. Of course, it's required that the system is completely free of malware when you run BroPy, otherwise malicious activity will end up in your baseline. I liked this idea, but I'm sceptical whether this approach will work for existing systems.
• There was a very good presentation about the North Korean Red Star operating system and the way it can be used to track unwanted media files within the country to monitor dissidents.
• @TheGrugq gave a surprise talk about intelligence services.
• A surprisingly good and critical talk by Mara Tam about cybersecurity policy. Worth watching for her story about submarines.
• Pentester @_Staaldraad gave a great talk in which he explains a very interesting persistence and post-exploitation technique: tackling persistence in a organisation after compromising one of their workstations by burrowing in the organisations Exchange server. I was impressed by the way he explained the technique: it was accessible and clear without being overly simple. Worth watching if you ever use Exchange. This talk will make you freaking paranoid. ;)

Events and extras

On Wednesday night there was a social dinner, with Packet Wars (CTF) immediately afterwards. I ended up joining the WizardsOfDos, CTF team of Hackerspace Darmstadt, who were one person short for their team. It certainly was a lot of fun and we ended up winning the Packet Wars!

The #packetwars at #TR17 has begun ... pic.twitter.com/E9dXBo2vXD

— Sam Flynn (@l0x2a) March 22, 2017

The CTF challenges revolved around a fake Donald Trump twitter account, which we had to compromise in order to obtain different kinds of evidence. The first challenge was OSINT-based. A writeup is available here. The second challenge consisted of sending a spearphishing email to the fake account to compromise the underlying workstation. If you want to see some of the hilarious phishing emails that were sent during this challenge, be sure to check the closing talk of TROOPERS17 on Youtube.

Other activities and stuff worth mentioning:

Good food.

Decent coffee.

Refridgerators with club mate and club mate cola everywhere.

A vintage pinball machine and donkey kong arcade machine (AWESOME)!

My very first weird geeky conference badge gadget! The TROOPERS17 badge was made by @BadgeWizard and consisted of a custom Arduino-board paired with an (ancient & refurbished) Nokia 3310. Sadly, my battery was as good as dead, so I didn't use it much during the conference. However, the badge was a great conversation starter and also doubled as an attribute for one of the conference challenges. Nicely done, TROOPERS!

Just a random heap of #TR17 badges prior @WEareTROOPERS . @0x4045494650 @net0SKi @welectronic pic.twitter.com/sFsMLY8rxw

— Brian (@BadgeWizard) April 5, 2017

Verdict

Long story short: I would definitely recommend visiting TROOPERS. I hope to visit again next year and meet even more interesting people.

The end...The end of a great conference! See you in TR18 #tr17 pic.twitter.com/OgWxcsw4PE

— Cr0wTom (@serbinhio) March 23, 2017

Further reading:

• TROOPERS18 will take place from 12th to 16th March 2018.
• Security blogger Xavier Mertens made extensive writeups of the two conference days, and the IoT and IPv6 event prior to the conference.