Mars Cheng

Head of Cyber Threat & Product Defense Center at TXOne Networks

Taipei City
English

Talks Delivered: 2
Events Spoken At: 2
Countries Visited: 2
Years Speaking: 2
Total Talks Given: 2

About

Mars Cheng leads TXOne Networks' PSIRT and Threat Research Team as their Threat Research Manager, where he coordinates product security initiatives and threat research efforts. He also holds the position of Executive Director for the Association of Hackers in Taiwan, facilitating collaboration between enterprises and the government to bolster the cybersecurity landscape. Additionally, Mars serves as a Cybersecurity Auditor for the Taiwan Government. His expertise spans ICS/SCADA systems, malware analysis, threat intelligence, and hunting, as well as enterprise system security. Mars has made significant contributions to the cybersecurity community, including authoring more than ten CVE-IDs and publishing in three SCI journals on applied cryptography.


Mars is a frequent speaker and trainer at numerous prestigious international cybersecurity conferences, including Black Hat USA/Europe/MEA, RSA Conference, DEF CON, CODE BLUE, SecTor, Troopers, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, NoHat, ROOTCON, SINCON, CYBERSEC, and many others. He plays an instrumental role as the General Coordinator for the HITCON CISO Summit 2024 and has successfully organized several past HITCON events including HITCON CISO Summit 2023, HITCON PEACE 2022, HITCON 2021, and HITCON 2020, demonstrating his commitment to advancing the field of cybersecurity.

Speaking Topics & Expertise

Areas of Expertise

Malware Analysis
Threat Hunting
Threat Intelligence
Industrial Control Systems Security
SCADA
Active Directory

Speaking History

2023

Active Directory Abuse Primitives And Operation Security

HITBSecConf2023 - Amsterdam
April 21, 2023
Amsterdam
Technical Talk
Conference
Active Directory

Active Directory (AD) is widely used by enterprises for centralized management of digital assets such as accounts, machines, and access rights. AD is always the primary target for adversaries, since compromising AD also grants control over an entire enterprise's network. Furthermore, AD attack techniques mostly take the form of leveraging privileges, configuration settings, or designed mechanisms, which are commonly called abuse primitives.


In this talk, we will discuss how real-world adversaries chain these attack techniques into attack paths to compromise Active Directory, demonstrating 4 attack paths. We will dive into how these AD attack techniques abuse configuration settings and discuss the methodology, such as enumeration, considerations, tactical goals, and how to evade blue team detection to run a successful operation.


In addition, the attack paths demonstrated include new AD abuse primitives such as diamond ticket, U2U ticket, or Shadow Credential. We will discuss how an attack path is formed from the abuse primitives in the AD environment, with an explanation of root cause, implementation methods, and operational guidance. All 4 attack paths will also be shared with video demonstrations from an adversary's perspective using a C2, not only for a realistic experience of an offensive operation but also to make the impact easier to understand.


2021

Common Flaws in ICS Network Protocols

HITBLockdown002
July 26, 2021
Online
Technical Talk
Webinar
Industrial Control Systems Security
SCADA

Industrial Control Systems / Supervisory Control and Data Acquisition (ICS/SCADA) systems are the lifeblood of any critical infrastructure and play an important role in any operation's ability to communicate between various ICS components, relay sensitive data, or manage critical sensors and equipment. Due to the specific and unique needs within the industrial control industry, more and more ICS vendors are deciding either to use public network protocols or to create private proprietary protocols based on the different needs of programmable logic controller (PLC) vendors. Despite the need to balance both security concerns and operational requirements when deciding between public and private ICS protocols, each protocol has its own potential risk profile, and we will review them one by one.


In our research, we analyze six ICS protocols (three public and three private) which are widely used in critical infrastructure sectors such as power, water, transportation, petroleum, and manufacturing. In each of the public and private ICS protocols, we found some common flaws which allow an attacker to easily sniff ICS protocol traffic, which lacks communication encryption, and to perform ICS protocol attacks such as command injection or response injection on a PLC without authentication and authorization. We also provide 4 attack demos on one public and one private protocol, proving that those common flaws will cause huge impacts to ICS.


Connect

Website
@marscheng_
LinkedIn Profile

Experience Level

expert