9:30
Registration & Coffee
9:30 - 10:00
Scan your code and grab a coffee! We have some breakfast bites as well!
10:00
A Quick, Efficient Yet Not Entirely Sane Introduction to Deception
10:00 - 11:00 , Presenter: John Strand
Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.
11:00
A Practical Approach to Generative AI Security
11:00 - 12:00 , Presenter: Florian Grunow
We will first dive into the range of generative AI applications using examples from the OpenAI ecosystem. This will give the audience an understanding of the fundamental problem of AI from a security perspective. We then offer an insight into the attack surface that those applications have. This will help understand what needs to be secured and what can be secured. In many cases, good old security best practices will be a good start, although AI security brings new challenges that we will discuss. In addition, we will talk briefly about privacy issues related to AI that we need to consider in the future.
12:00
Lunch break
13:30
Zero Trust - Attack and Defend
13:30 - 14:30 , Presenter: Aaron Jewitt
"In this talk I will show you how at Elastic we built advanced automation into our SIEM to reliably detect novel attacks we've seen while protecting a Zero Trust environment without spamming your analysts with false positives. I will show how you can build an automated system with your SIEM that will reliably alert you to the suspicious use of an API token or access key from outside of your environment and other attacks we have seen."
The presentation provides an overview of adversarial threats to space missions, focusing on commercial space systems and why APTs increasingly target them. It introduces use cases for commercial space systems and their high-level architecture before examining the different groups of threats and how they can affect the operations of a space mission. Exploits based on our research are shown, and an outlook on future trends is provided.
Full description:
There is a wide variety of space systems available. We start with more general services like weather data. Then, we have positioning, navigation, timing (GNSS services), and satellite Internet. Further, we have imaging such as visible, infrared, or synthetic aperture radar, and then we have tailored services, for example, for maritime operations. These services can be grouped into categories of dual-use space systems. Firstly, we have weather data services. Large organisations such as NOAA and EUMETSAT, as well as some commercial players like Spire, are active in the field. While civilian applications are the largest customers of these services, militaries usually do not operate their own weather satellites and tap into the data these organisations provide. The next category is earth observation services. For example, ESA's Copernicus constellation and commercial companies such as Planet, Maxar, and Capella provide many civilian applications and services. Next are communication services, such as telephony, data services and global internet access. This field is crowded with commercial providers like Starlink, Iridium, Intelsat, Inmarsat, and ViaSat. Lastly, we have the least commercially competitive field: Position, Navigation and Timing. We have the well-known GPS, Galileo, Glonass, and Beidou constellations here. These systems are not commercial since they are seen as strategic assets. Some new commercial players like Xona have started entering the field, but this is new ground.
To understand threats to space systems, you first need to learn how they are built. Typically, three segments make up a space system. The space segment includes all spacecraft that are part of the mission. Communication is restricted to radio frequency and optical connections. The uplink is all information going to the spacecraft, and the downlink is the reverse, from the spacecraft to Earth. There are links to the ground segment to control the satellite and the mission. The ground segment comprises RF equipment in the ground stations and IT infrastructure to operate the spacecraft and the services delivered. The third segment is the user segment, which involves direct communication with the satellites or communication over the Internet with the ground segment.
A first example of such a system is Galileo. We can see here how the ground segment is structured, with different types of ground stations, redundant mission control centres, and auxiliary facilities. The map on the right shows one of the challenges in operating such an extensive system, which is global distribution. Leased lines are used to connect to remote locations. With few terrestrial connections in remote locations, they are vulnerable to, for example, underwater cable attacks. The next example is the LRIT system, partially delivered using one of the Iridium constellations. With multiple payloads hosted on the satellites, a wide range of services and customers is used to make the commercial operation viable. They share the same satellite bus even with payload segregation and sometimes independent communication links.
I want to provide an overview of the threats to space systems to show why cybersecurity is an area of particular interest. Firstly, we have kinetic physical threats, such as the danger of a satellite getting actively physically damaged. Next, we have non-kinetic physical threats like laser weapons that can permanently damage a spacecraft. Now we come to electromagnetic threats, so the electronic warfighting domain. Lastly, we have cybersecurity threats.
The list provided here may not be complete, but most threats fall into one of these categories. Kinetic physical attacks include attacks on the ground segment, direct-ascent anti-satellite weapons, as you have seen with the fighter aircraft earlier, and co-orbital ASAT weapons. The latter is a relatively new group, mainly related to using one satellite to grab another. The next group starts with high-altitude nuclear detonations that can be used to generate an EMP or to pollute an orbit permanently with radiation. High-power lasers can damage satellites and their sensors, while lower-power variants can temporarily deny optical imaging with laser blinding. The electronic sensors and transceivers can be damaged or temporarily put out of action using high-power microwave weapons. This leads us to the following field of electromagnetic threats, including signal jamming and spoofing. Here, we can see attacks on ground systems and in the user segment, while the previous groups targeted the spacecraft. Lastly, we have different threats in the cybersecurity area, from data interception and corruption to gaining control over a spacecraft.
I will now rate each of these from a satellite operator's perspective on the ability to attribute the attack, whether it is reversible, who will be aware of it, whether the attacker knows the outcome, and collateral damage. All these attacks aim to permanently or temporarily disrupt the service a spacecraft or constellation delivers.
With the kinetic attacks, we typically see the ability to attribute them clearly, but the damage cannot be reversed; the asset will be lost. It is hard to hide anything you do in space, so it will be internationally recognised. To carry them out, significant resources are required, like the ability to launch a satellite into orbit. The same is mostly true for non-kinetic attacks, which can seriously impact the spacecraft, lead to permanent damage, and potentially produce orbital debris. With laser blinding, the attacker risks permanent damage to the sensor, or there is a temporary denial of service. With electromagnetic threats, the risks for an adversary of causing severe damage to a system are lower. It is possible to target the user segment without the operator's awareness. In cybersecurity, it is generally difficult to attribute an attack to an adversary, even if it seems evident from the attack's goal. While these attacks usually do not permanently affect the spacecraft, they can lead to service disruption and data loss and are very accessible to threat actors. Using a cyber attack, there is no need to be able to launch a rocket into orbit from a fighter aircraft or to use physical equipment. The attack's outcome is typically under the attacker's control, who can quickly assess the damage caused.
This is not a cybersecurity topic, but I want to mention the current impact of electronic warfare on satellite services. We see increased GNSS jamming and spoofing and a waterfall effect on services like AIS and ADS-B. Additionally, there have been recent effects on SAR satellites and TV broadcasting.
So, what are the current cybersecurity threats to space systems? Government-backed APTs pose the most significant threat. Commercial operators need to be more aware of their increasing capabilities. In 2023, Peach Sandstorm and Volt Typhoon targeted companies and infrastructure in the space and defence sector. As I tried to show earlier, it is sometimes unclear which targets are classified as dual-use or military, and an attack can affect non-military services. Operators share their space and capacity with governmental and private customers, increasing the risk that an attack affects both. One of the problems inherent to space systems is their cost of building and operating. Once built, systems are used for as long as possible, and updates are usually rolled out in small increments, not total redesigns. This leads to many legacy hardware and software systems in the field that operators try to hide behind firewalls and closed networks. This is where the COVID-19 pandemic had a significant impact. Opening these closed systems introduces new attack vectors, while zero trust infrastructure is far from becoming a reality in most spacecraft operations centres. In the past, commercial and non-military space systems were not considered at risk of being targeted by capable adversaries. This led to security by obscurity, which relied on the fact that individuals and small criminal organisations would not be able to cause a serious impact on the systems. This has changed, but the old systems are still operational, and the protocols and software have not been updated to reflect the new reality. Insider threats come from the fact that a lot of the work in the space industry is contracted out to engineering service providers to support the sector and to cut organisational spending. I also want to mention software supply chain attacks.
Satellites are controlled using extensive custom-built IT infrastructure with software that sometimes only five people contribute to over a life cycle of 20 years. Updating dependencies and vetting incoming changes from the outside and contractors can be challenging.
The following is an example I have chosen to highlight some of the space industry's problems that need to be addressed. In 2014, a white paper highlighted security flaws in various VSAT terminals. The vulnerabilities included what appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. The authors got frustrated and presented the same topic with more technical details in 2018 at Black Hat USA. They were able to locate several devices deployed in active conflict zones, indicating military use. Fast-forward another four years to 2022, and 5,800 wind turbines from the German operator Enercon are taken off the grid. This was a side effect of the large-scale attack on 45,000 ViaSat modems the night before Russia invaded Ukraine. One year later, on the same stage at Black Hat, we see the VP of ViaSat and the NSA talking about the attack and the lessons they learned. They had to rebuild their entire ground infrastructure to make it more resilient to attacks. If you have VSAT terminals in the field, test them and learn how they work. Learn about their implemented custom protocols and how the operator's ground segment works, and test their security.
We are currently performing vulnerability assessments on open-source spacecraft mission control software, which has never been tested, including that of NASA. The same is usually true for closed-source space software. The communication protocols by the CCSDS, used by NASA and ESA, all have a security section, and most of them state that no security is foreseen and that it is the user's responsibility to implement it.
This leads to the closing topic: the trends in space systems. There is an increase in the requirements for space system resilience, especially from a system aspect: multi-orbit, multi-band, and multi-provider. One notable upcoming service to increase the resilience of the GNSS user segment is OSNMA. The need for manoeuvrability to counter co-orbital ASAT weapons, electronic warfare resistance, and better sensor protection are prevalent in the space segment. On the ground, cloud services are increasingly being used to implement space systems. This offers an opportunity to modernise infrastructure, streamline processing, and save costs, but it also opens a whole new spectrum of attacks. There is a decent number of well-established ground-station-as-a-service providers, and larger customers have started using their flexibility. Relying on third-party infrastructure to carry out critical or sensitive tasks is a security risk that must be considered beforehand. The as-a-service concept has also reached space assets, and customers can now deploy their applications directly to constellations and receive their processed data in the cloud. Lastly, quantum and post-quantum cryptography are hot topics in the space industry. Large satellite-based quantum key distribution projects have started and will be operational in the coming years.
As a last word, in many cases, a realistic assessment of the spacecraft currently in orbit and ground segments deployed would conclude that they can no longer be operated safely and should be replaced to meet the requirements of this new reality.
15:30
Coffee & Snack break!
16:00
Identify, Exploit, & Defend SAP Environments - Showcasing the True Power of Open-Source
16:00 - 17:00 , Presenters: Julian Petersohn ("randomstr1ng") & Waseem Ajrab ("wajrab")
"SAP Attack Surface Discovery, a part of the OWASP Core Business Application Security (CBAS) project, stands as an open-source initiative, purpose-built to equip security professionals and organizations with practical tools essential for the evolution of security for SAP environments and provide the necessary knowledge to identify an attack surface that SAP and non-SAP security professionals can understand. The session provides a deep dive into identifying, exploiting, and defending SAP environments throughout the different layers of SAP Environments, leveraging tools under the OWASP CBAS project. This endeavor aims to fortify enterprise resilience and provide tangible value to the security community by addressing the evolving challenges within SAP environments."
17:00
Demystifying Cloud Infrastructure Attacks
17:00 - 18:00 , Presenter: Alexander Andersson ("@mranderssona")
"Threat actor tactics in a classic on-premises environment are well documented and understood. For example, extracting credentials from memory and then pass-the-hash is a common technique to move laterally in Windows. But how do threat actors move laterally between cloud workloads and compute instances? What are the common persistence techniques, and what are the high value targets we need to protect? Alexander is Principal Forensic Consultant at Truesec and will in this session share his learnings from over 10 000 billable hours of enterprise forensics. You will learn how cloud tactics differ from on-premises and see the latest techniques used in real attacks against cloud infrastructure."
18:00
Closing
18:00 - 18:00