orangecon

Ellen Mok

Keynote: Digital Sovereignty

Ellen Mok is the founder of De Digitale Doetank, a mission-driven consultancy focused on digital sovereignty. As a former employee of the Dutch General Intelligence and Security Service (AIVD), specializing in cyber threats from China and Russia, she brings expertise to the table on the use and abuse of technology in our society. Ellen operates at the intersection of technology and politics, two key pillars of digital sovereignty. Her keynote will explore not only why we need to become more digitally independent, but also how on earth we can make that happen.

Marco Balduzzi

Keynote: TBA

Marco Balduzzi is a principal researcher and team leader in computer and network security, currently serving as technical research lead at Trend Micro. With a Ph.D. in system security from Télécom ParisTech and an M.Sc. in computer engineering from the University of Bergamo, he brings over two decades of international experience in both academia and industry. His work focuses on real-world security issues including web security, malware detection, cybercrime, online privacy, and threats to industrial control systems.

Tijme Gommers

In Memory of In-Memory Detection

Pack, obfuscate, or encrypt your malware as much as you want to prevent detection. This works reasonably well, but ultimately your malware always runs somewhere in the memory of a computer. This is an inherent problem with all of the aforementioned techniques. At some point during execution, the payload that you have tried to hide as much as possible is decrypted to plain text, because only then can it be executed properly.

Learn more about the hurdles of such polymorphic malware and how to detect it; the concept of modern metamorphic malware and how this type of malware circumvents static and in-memory detection; how static in-memory detection is now completely dead, and we can no longer rely on it, especially when practical implementations of metamorphic malware become publicly available.

As the icing on the cake, I publish such a practical implementation: Dittobytes. Dittobytes is a project for true metamorphic cross-compilation of C-code to Truly Position Independent Code (PIC). Malware compiled with Dittobytes runs everywhere natively - in any process, on Windows, Mac, and Linux, and both on X86 and ARM64. The best part? It's different every time you compile it!

Talha Ucar
Juriaan Spierenburg

Inside NCSC’s CTI Team: Tracking Threat Actors Targeting the Netherlands

From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving. In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) shares a behind-the-scenes look at how they track and analyze these threats to protect the Dutch government and critical infrastructure. Real-world case studies illustrate how the team identifies, classifies, and contextualizes threat activity across a broad spectrum of actors.

The presentation also introduces Pharos, a powerful in-house tool developed by the NCSC to proactively detect malicious infrastructure online. By tapping into external sources like Censys, Shodan, and VirusTotal, Pharos uses custom queries to flag suspicious IPs, domains, and certificates—often before they’re weaponized. Join us for a deep dive into the operational world of national CTI: where strategic intelligence meets technical investigation, and where safeguarding the digital security of the Netherlands is a daily mission.

Nikos Mantas

Workshop: AWS Enumeration for Purple Teams

Designed for both Blue and Red teams, this hands-on workshop is designed to equip participants with a deep dive into AWS enumeration techniques and detection opportunities. Through guided labs, attendees will learn how attackers can use policy misconfigurations to identify paths to their objectives. For defenders, we will discuss real-world detection opportunities, log sources, and effective monitoring strategies to identify suspicious enumeration activity before it escalates into full-blown compromise.

Along the way we introduce dAWShund, a new tool designed to map and visualize AWS resource relationships, helping Red Teams identify attack paths and Blue Teams strengthen defenses to help put a leash on naughty permissions. This is an interactive workshop, fostering and encouraging discussions among participants.

Didier Stevens

Workshop: Analyzing Cobalt Strike Beacons, Servers and Traffic

In this workshop, we will use tools developed by Didier Stevens to deal (analysis & traffic decryption) with malicious Cobalt Strike beacons.

There used to be a time, that a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pentest". That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.