Recon 2025

Silvio La Porta

Silvio La Porta is CEO and Co-Founder at RETooling, where he defines and develops a threat actor emulation platform that enables red teams to recreate realistic attack scenarios. Previously he was a Senior Cyber Security Architect, designing security products and researching advanced detection technology for complex malware/APT. Before that, Silvio was a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) projects and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec’s Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.


Sessions

06-27
13:00
180min
Ghost in the Machine: Live Fire Threat Actor Dissection --> CTF START
Antonio Villani, Silvio La Porta

Go beyond static artifacts and canned simulations. This workshop introduces a next-level threat actor emulation, immersing you in a live fire dissection experience against implants inspired by Advanced Persistent Threat (APT) TTPs. You'll execute these multi-stage implants within your analysis VM and watch them interact live with our custom, controlled C2 infrastructure – a rarity in typical analysis. Decrypt actual network traffic, reverse dynamically delivered payloads, and unravel the entire kill chain as it happens. Prepare for a hands-on CTF challenge analyzing a uniquely realistic, sophisticated, and interactive threat.

Soprano A
06-28
14:00
60min
My Adversary Emulation Goes to the Moon… Until False Flag
Antonio Villani, Giulio Barabino, Silvio La Porta

One of the most challenging aspects of adversary emulation is replicating the custom implants used by threat actors. To accurately assess security measures, emulated implants must not only mimic functionalities and quirks but also reproduce the obfuscation techniques of the original malware. This talk presents our re-implementation of APT41’s Scatterbrain obfuscator, including instruction dispatchers that disrupt control flow and import protection mechanisms leveraging Linear Congruential Generator (LCG)-based encryption.

To validate our approach, we tested our sample against Mandiant’s deobfuscation tool for the original Scatterbrain. The results demonstrated that our re-implementation could be correctly deobfuscated, confirming its accuracy. However, we took this a step further—by slightly modifying the obfuscation, we successfully broke the deobfuscator’s heuristics, creating a variant that required new tools to analyze while still maintaining strong structural similarity to the original.

Grand Salon
06-29
13:00
180min
Ghost in the Machine: Live Fire Threat Actor Dissection --> CTF END
Antonio Villani, Silvio La Porta

Go beyond static artifacts and canned simulations. This workshop introduces a next-level threat actor emulation, immersing you in a live fire dissection experience against implants inspired by Advanced Persistent Threat (APT) TTPs. You'll execute these multi-stage implants within your analysis VM and watch them interact live with our custom, controlled C2 infrastructure – a rarity in typical analysis. Decrypt actual network traffic, reverse dynamically delivered payloads, and unravel the entire kill chain as it happens. Prepare for a hands-on CTF challenge analyzing a uniquely realistic, sophisticated, and interactive threat.

Soprano A