orangecon

Ellen Mok

Keynote: Digital Sovereignty

Ellen Mok is the founder of De Digitale Doetank, a mission-driven consultancy focused on digital sovereignty. As a former employee of the Dutch General Intelligence and Security Service (AIVD), specializing in cyber threats from China and Russia, she brings expertise to the table on the use and abuse of technology in our society. Ellen operates at the intersection of technology and politics, two key pillars of digital sovereignty. Her keynote will explore not only why we need to become more digitally independent, but also how on earth we can make that happen.

Marco Balduzzi

Keynote: Geeks to Giants - The Journey from Hacking Subculture to Modern Cybersecurity

Modern cybersecurity, as we all know today, is the result of years of transformation. It was back in the 80s when pioneering hacking enthusiasts began aggregating in self-organized communities, exploring the boundaries and capabilities of computer systems and networks. These individuals, often seen as alternative personalities who struggled to fit into an increasingly globalized and controlled society, found their freedom within the hacking subculture. Driven by passion and curiosity, this movement rapidly grew, creating digital communication platforms for virtual connections, and organizing hacking camps and conferences for social gatherings. Naturally, this initial wave of pioneering geeks matured, with many transitioning into responsible adults. Some went on to establish businesses, offering security services and developing products to meet the growing demands of a growing security market.

In this keynote, we explore this significant social transformation and reflect on its current state: a cybersecurity realm dominated by large-scale multinational corporations where individuals are not necessarily viewed as like-minded enthusiasts driven by passion and curiosity, but as part of a workforce that can be replaced by autonomous systems to cut costs and maximize profits.

Tijme Gommers

In Memory of In-Memory Detection

Pack, obfuscate, or encrypt your malware as much as you want to prevent detection. This works reasonably well, but ultimately your malware always runs somewhere in the memory of a computer. This is an inherent problem with all of the aforementioned techniques. At some point during execution, the payload that you have tried to hide as much as possible is decrypted to plain text, because only then can it be executed properly.

Learn more about the hurdles of such polymorphic malware and how to detect it; the concept of modern metamorphic malware and how this type of malware circumvents static and in-memory detection; how static in-memory detection is now completely dead, and we can no longer rely on it, especially when practical implementations of metamorphic malware become publicly available.

As the icing on the cake, I publish such a practical implementation: Dittobytes. Dittobytes is a project for true metamorphic cross-compilation of C-code to Truly Position Independent Code (PIC). Malware compiled with Dittobytes runs everywhere natively - in any process, on Windows, Mac, and Linux, and both on X86 and ARM64. The best part? It's different every time you compile it!

Talha Ucar
Juriaan Spierenburg

Inside NCSC’s CTI Team: Tracking Threat Actors Targeting the Netherlands

From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving. In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) shares a behind-the-scenes look at how they track and analyze these threats to protect the Dutch government and critical infrastructure. Real-world case studies illustrate how the team identifies, classifies, and contextualizes threat activity across a broad spectrum of actors.

The presentation also introduces Pharos, a powerful in-house tool developed by the NCSC to proactively detect malicious infrastructure online. By tapping into external sources like Censys, Shodan, and VirusTotal, Pharos uses custom queries to flag suspicious IPs, domains, and certificates—often before they’re weaponized. Join us for a deep dive into the operational world of national CTI: where strategic intelligence meets technical investigation, and where safeguarding the digital security of the Netherlands is a daily mission.

Nikos Mantas

Workshop: AWS Enumeration for Purple Teams

Designed for both Blue and Red teams, this hands-on workshop is designed to equip participants with a deep dive into AWS enumeration techniques and detection opportunities. Through guided labs, attendees will learn how attackers can use policy misconfigurations to identify paths to their objectives. For defenders, we will discuss real-world detection opportunities, log sources, and effective monitoring strategies to identify suspicious enumeration activity before it escalates into full-blown compromise.

Along the way we introduce dAWShund, a new tool designed to map and visualize AWS resource relationships, helping Red Teams identify attack paths and Blue Teams strengthen defenses to help put a leash on naughty permissions. This is an interactive workshop, fostering and encouraging discussions among participants.

Didier Stevens

Workshop: Analyzing Cobalt Strike Beacons, Servers and Traffic

In this workshop, we will use tools developed by Didier Stevens to deal (analysis & traffic decryption) with malicious Cobalt Strike beacons.

There used to be a time, that a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pentest". That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.