
Jun 11, 2022 - 12:46 a.m.

PHDays 11: towards the Independence Era

Alexander Leonov
positive technologies
phdays 11
ctf competition
cybersecurity talks





Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event.

Alternative video link (for Russia):

As I did last year, I want to start talking about this conference with a few words about the sanctions. US sanctions against Positive Technologies, the organizers of Positive Hack Days, were introduced a year ago. At that time it seemed very serious and extraordinary. But today, when our country has become the most sanctioned country in the world, those sanctions against Positive Technologies seem very ordinary and unimportant. In fact, it even seems to benefit the company somehow.

Positive Technologies

At the end of last year, Positive Technologies became a public company with a strong focus on the domestic market and the market of friendly countries. The financial results are very impressive. The company's marketing is better than ever, especially everything related to video production. And, of course, their products are in even greater demand, because Western vendors have left the Russian market.

PHDays 11

As for the event, it is still the most important information security conference in Russia. In fact, it was the most visited PHDays so far: 10,000+ guests at the Moscow World Trade Center and 130,000+ viewers of the online broadcasts. I was only there on the second day, when it was not as crowded as on the first day of the conference. The atmosphere at the event was not that of a regular conference. It was more like a nightclub: subdued lights, music, a lot of screens and all sorts of lighting effects. Very unusual.

The Standoff

The main show of the conference is The Standoff, the CTF competition between hackers and blue teams. The toy city, which displays the infrastructure of the virtual state of F, has become really huge. Entire sectors of the economy were represented there: metallurgy, electric power, the oil industry, transport, the banking system, housing management, etc. All of this is interconnected. An attack on one object can cause a butterfly effect that affects the entire state. Very impressive!


The PHDays 11 program included about 100 talks given by more than 250 speakers. One of them was me. It makes no sense to list all the talks, but I would highlight 3 of them.

  1. Sergey Golovanov "01111111day" (rus). He spoke about the attacks on Russian organisations after February 23rd. To summarize all that has been said, the number of attacks has become much greater. The source of the attacks is clear. Most of the attacks were simple and it was hacktivism, but they get more complicated with time. The main attacks are DDoS and penetration into the infrastructure for further data theft and destruction. Phishing is one of the commonly used penetration channels.
  2. Alexander Goncharov "CVE-2021-40444: why it is important" (rus). This is the Microsoft MSHTML Remote Code Execution Vulnerability. It is not the newest vulnerability, one of many. But in fact it continues to be actively exploited, mainly through phishing. Why? Because users are susceptible to phishing, and hosts are neither updated nor hardened (ActiveX is not disabled, Office applications are not prevented from creating child processes). All of this, of course, needs to be implemented in organizations. But one of the interesting questions is: can we now trust vendor updates that fix vulnerabilities? Alexander replied that we can, because enterprise IT vendors like Microsoft will not disable anything in terms of functionality, simply because it would be a blow to their reputation.
  3. And my presentation was precisely about this topic of trust. "The new reality of information security and vulnerability management" (rus). You can watch the video on my YouTube channel in Russian and with simultaneous translation. Simultaneous translation is difficult to do, especially in the fast track, so I will also make an extended English version of this talk for VMconf 22. By the way, you can also submit a video about Vulnerability Management there if you want. So, what was my talk about? The new reality of information security (TNRoIS) began in February 2022. In this new reality, global vendors and open source software are less trusted than before. What was only recently viewed as a competitive product or service has become a means of pressure, a Trojan horse, a threat to corporate information security. The new reality sets new requirements for key corporate processes, including the choice of IT products and information security solutions, security analysis, and update management. The forced de-Westernization of the IT infrastructure of Russian companies will not happen overnight. This is a long and difficult process. For example, is it true that by 2025 there will be no Microsoft software in Russian companies and everything will run on Russian Linux distributions? Right now that seems too ambitious. Most likely we will see some kind of hybrid mode, with a complex process for supporting unstable Western IT solutions and a simplified process for stable, mainly Russian IT solutions. Of course, it will be much more difficult than before, but there is a challenge in these difficulties. The problems the Russian organizations face in extreme form are relevant to much of the world, which means that certain terminology, approaches, and solutions can be successfully exported.
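Talk 2 above names two host hardening measures that blunt CVE-2021-40444 phishing documents: disabling ActiveX and preventing Office applications from creating child processes. The PowerShell below is an added example, not code from the talk, from Positive Technologies or from this post. It applies Microsoft's published registry workaround for this CVE (disable downloading of signed and unsigned ActiveX controls, URL actions 1001 and 1004, in Internet Explorer security zones 0 through 3), enables the Microsoft Defender attack surface reduction rule "Block all Office applications from creating child processes", and then re-reads both settings to report drift. It assumes a Windows host with Microsoft Defender Antivirus active and an elevated session; the zone numbers, value names and rule GUID come from Microsoft's documentation, the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk or the page): host hardening against
# CVE-2021-40444 style phishing documents. Registry values follow Microsoft's
# published workaround; the ASR rule GUID follows Defender documentation.
# Function names are the example author's own.

$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URL actions: 1001 = download signed ActiveX controls,
#              1004 = download unsigned ActiveX controls.
# Value 3 = Disable. Zones 0-3 = My Computer, Local intranet, Trusted sites, Internet.
$ActiveXActions = @('1001', '1004')
$Zones = 0..3

# ASR rule "Block all Office applications from creating child processes"
$AsrOfficeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-ActiveXDownload {
    # Policy keys may not exist yet; create them so the values are enforced.
    foreach ($zone in $Zones) {
        $path = Join-Path $ZonesKey "$zone"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($action in $ActiveXActions) {
            New-ItemProperty -Path $path -Name $action -PropertyType DWord -Value 3 -Force | Out-Null
        }
    }
}

function Enable-OfficeChildProcessBlock {
    # Actions: Disabled, Enabled (block), AuditMode, Warn.
    # Roll out in AuditMode first if macros or add-ins spawn helpers legitimately.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProc `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-Cve202140444Hardening {
    # Returns a list of findings; an empty list means both controls are in place.
    $findings = @()
    foreach ($zone in $Zones) {
        $path = Join-Path $ZonesKey "$zone"
        foreach ($action in $ActiveXActions) {
            $v = (Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue).$action
            if ($v -ne 3) { $findings += "Zone $zone URL action $action is '$v', expected 3 (Disable)" }
        }
    }
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProc) { $idx = $i; break }
    }
    # Numeric actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    if ($idx -lt 0 -or $acts[$idx] -ne 1) {
        $findings += "ASR rule $AsrOfficeChildProc is not in Block mode"
    }
    return $findings
}

Disable-ActiveXDownload
Enable-OfficeChildProcessBlock
$result = Test-Cve202140444Hardening
if ($result.Count -eq 0) {
    'OK: ActiveX download disabled in zones 0-3, Office child-process ASR rule in Block mode'
} else {
    $result
}
```

Two caveats a practitioner would add: Microsoft's advisory treats the registry change as a workaround and asks for a restart after applying it; the September 2021 security update is the actual fix, so the check above is a compensating control for hosts that cannot be patched yet, not a substitute for patching. The ASR rule is the one control of the two that can break legitimate workflows (add-ins or macros that launch helper processes), which is why the function comments suggest AuditMode before Block.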

What could be better on PHDays 11?

Well, there were too few talks about Vulnerability Management, for my taste. There was my presentation, there were a couple of talks about specific vulnerabilities and rootkits, there was a basic interview about Vulnerability Management (rus) and an interview about MaxPatrol O2 (rus). But it was very fragmented. It seems to me that the main conference of the leading Russian Vulnerability Management vendor should have a session or maybe even a track about Vulnerability Management, at least 2-3 hours. It would be nice to have a program resembling Qualys QSC. After all, they talk about VM all day there, so why is it not possible at PHDays? Ideally, 80% would be about interesting practical cases and processes and 20% about how to solve them using Positive Technologies products (as a demonstration). That would be really cool and that would be right.

It may sound silly, but I missed the bean bag chairs and sofas. There were far fewer of them. In past years, I liked to sit on them, relax and talk with colleagues. This time all the conversations were held standing up, and it was not very convenient.

It seems that PHDays needs more space. There were practically no seats left in the halls. The fast track where I spoke was in a tiny hall, which is not so easy to find. The organizers said that this was not on purpose: the schedule was changed at the last moment and the Fast Track had to be moved from a more convenient place. It is a bit sad, but the fact that full-length talks are the priority is right. And in our post-COVID time, the most important thing is the video broadcast, and it was at a very high level. My presentation went well, the audience was friendly, and there were some very interesting questions.

Many thanks to the organizers and participants. Until the next PHDays!