Developing a Comprehensive Cybersecurity Evaluation Framework: Insights from Slovenia’s Experience
Mihael Plevnik
In the ever-evolving digital landscape, cybersecurity is a fundamental pillar of national security and organizational resilience. Assessing the effectiveness and maturity of cybersecurity frameworks is critical for identifying strengths, addressing weaknesses, and ensuring a proactive security posture. This talk presents the Comprehensive Cybersecurity Evaluation Framework (CCEF), a structured methodology designed to evaluate cybersecurity governance, capacity-building efforts, legal frameworks, and cooperation mechanisms.
Drawing from Slovenia’s experience, this session will outline how CCEF provides a holistic and systematic approach to measuring cybersecurity maturity across various sectors, focusing on four core categories:
– cybersecurity governance and standards, which include national strategies, security measures, and cyber defense planning;
– capacity building and awareness, covering cybersecurity exercises, incident response capabilities, and public-private sector engagement;
– law and regulation, which examines the protection of critical infrastructure, cybercrime legislation, and incident reporting mechanisms;
– collaboration, highlighting public-private partnerships, intergovernmental cooperation, and international engagements.
Through case studies and real-world applications, attendees will gain insights into Slovenia’s cybersecurity landscape, learning about its successes, challenges, and areas for improvement, while also exploring how CCEF can be adapted to other nations and organizations to provide a roadmap for strengthening cybersecurity resilience. By attending this talk, participants will understand the importance of a structured evaluation methodology for cybersecurity, learn about Slovenia’s cybersecurity policies and strategies in addressing modern cyber threats, and gain practical insights into how CCEF can be applied to improve cybersecurity postures across different domains.
This presentation is ideal for cybersecurity professionals, policymakers, researchers, and practitioners seeking to enhance their evaluation frameworks and adopt best practices in cyber resilience.
Catching hashes for fun and profit
Milan Gabor
In this presentation, we will dive into the mechanics and security implications of password hashes, with a special focus on NTLM hashes — still widely used in many enterprise environments. We will explain the role of NTLM in Windows authentication, how these hashes are generated, and why they remain a high-value target for attackers despite modern security advancements.
We’ll explore techniques for obtaining NTLM credential material both passively and actively, including LLMNR/NBT-NS poisoning, SMB and HTTP relay attacks, pass-the-hash techniques, and credential extraction from systems (e.g., the SAM database, LSASS memory dumps). A distinction worth keeping in mind: poisoning and relaying capture Net-NTLM challenge-responses, which can be relayed or cracked but not passed, whereas the NT hash itself, the value that pass-the-hash replays, comes from the SAM, NTDS.dit or LSASS. Special attention will be given to how network misconfigurations and default behaviors in Windows domains (multicast name resolution left enabled, SMB signing not required) expose opportunities for hash interception.
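To show why LLMNR poisoning needs no exploit at all, here is an added example (my own code, not the speaker's tool) that builds the multicast query a Windows host sends when DNS fails for a name, and the reply a poisoner sends back. Nothing in the protocol authenticates the answer; the first responder wins, and the victim then connects to that address and authenticates with NTLM. The packet layout follows RFC 4795 (DNS-like header, question, answer); the name, transaction ID and attacker address are constructed for the demo.

```python
import socket
import struct


def _encode_name(name: str) -> bytes:
    # DNS-style labels: length byte + label, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_llmnr_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """What a Windows client multicasts to 224.0.0.252:5355 after DNS fails for a
    single-label name (e.g. a mistyped share \\\\fileshre). Header: id, flags, QD, AN, NS, AR."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_llmnr_query(pkt: bytes) -> dict:
    """Decode the header and the single question of an LLMNR query."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, *_ = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("name compression is not permitted in LLMNR")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "name": ".".join(labels), "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_reply(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's answer: same transaction ID, QR bit set, question echoed back and one
    A record pointing at the attacker. No signature, no proof of authority for the name."""
    q = parse_llmnr_query(query)
    if (q["qtype"], q["qclass"]) != (1, 1):
        raise ValueError("only A/IN queries are handled in this example")
    qname = q["question"][:-4]                      # name without qtype/qclass
    header = struct.pack("!6H", q["id"], 0x8000, 1, 1, 0, 0)
    answer = qname + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + q["question"] + answer


def parse_llmnr_reply(pkt: bytes) -> dict:
    """Decode the first answer of a reply, i.e. what the victim will act on."""
    txid, flags, _qd, ancount, *_ = struct.unpack("!6H", pkt[:12])
    off = 12
    while pkt[off] != 0:                           # skip question name
        off += 1 + pkt[off]
    off += 1 + 4                                   # terminator + qtype/qclass
    while pkt[off] != 0:                           # skip answer name
        off += 1 + pkt[off]
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    return {"id": txid, "is_response": bool(flags & 0x8000), "ancount": ancount,
            "type": rtype, "ttl": ttl, "ip": socket.inet_ntoa(pkt[off:off + rdlen])}
```

The victim accepts the first reply whose transaction ID matches, so a listener on the same broadcast domain beats any legitimate host simply by answering every query. The fix is not in the protocol: turn off multicast name resolution by Group Policy (DNS Client: Turn off multicast name resolution) and disable NetBIOS over TCP/IP on the adapters, and require SMB signing so that a captured authentication cannot be relayed.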
The session will then move into cracking NTLM hashes, covering strategies from basic brute-force attacks to more optimized dictionary and rule-based attacks using tools like Hashcat. We’ll discuss why NTLM hashes are particularly vulnerable to offline attacks (the NT hash is an unsalted MD4 of the UTF-16LE password, and a Net-NTLMv2 response is two HMAC-MD5 operations over it, so every guess costs microseconds rather than the deliberate slowness of a purpose-built password hash), what makes password cracking easier or harder, and how attackers prioritize their efforts based on password complexity and reuse patterns.
Finally, to make things practical, we will demonstrate a real-world tool for catching NTLM hashes on a live network, showing just how easily credentials can be captured if systems are not properly hardened.
Attendees will leave with an in-depth understanding of how NTLM hashes are targeted and what defensive measures are essential to protect against these common but critical threats.
Avala — Exploit development and deployment framework for attack-defense CTF competitions
Dušan Lazić
Avala is a Python-based framework built to support exploit development and deployment workflows in fast-paced attack-defense CTF competitions. It addresses the operational challenges of running scheduled attacks against a large number of opponent teams’ services, offering automated handling of exploit execution, configuration and monitoring. While optimized for Python scripts, Avala also supports executing exploits written in other languages. The tool allows teams to rapidly develop and test their exploits, manually or automatically pick their targets, configure exploits for efficient resource utilization, and deploy and monitor their performance. The framework has been adopted by the Serbian national ECSC team and battle-tested in multiple attack-defense competition environments, including ECSC 2024.
CSRF Attacks in Modern Web Applications
Mateo Hanžek
Cross-Site Request Forgery (CSRF) has long been a high-severity threat to web applications, enabling attackers to execute unauthorized actions on behalf of authenticated users. While traditional CSRF mitigation techniques, such as anti-CSRF tokens and SameSite cookies, have improved web security, newer application architectures and recent research from the community have introduced challenges that leave vulnerabilities overlooked.
This talk explores the evolution of CSRF attacks in the context of modern web technologies, such as Single Page Applications and GraphQL APIs, together with related web mechanisms whose design leaves them inherently exposed. We will analyze emerging attack vectors, bypass techniques for contemporary defenses, and real-world exploitation scenarios. Additionally, the talk will assess how browser security mechanisms protect users against CSRF attacks and where those mechanisms can potentially be bypassed.
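An added example (my own, not the speaker's material) of the pattern the SPA/GraphQL case keeps producing: a cookie-authenticated mutation endpoint that is too tolerant about how the request arrives. The vulnerable handler accepts form encoding, text/plain that happens to parse as JSON, and mutations over GET, each of which a cross-site page can send without a CORS preflight. The hardened handler beside it stacks the checks a practitioner would want: POST only, an exact application/json content type, an Origin allow-list, Fetch Metadata, and a session-bound token in a custom header. The request objects, session store and origins are constructed for the demo; no real server runs.

```python
import hmac
import json
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

ALLOWED_ORIGINS = {"https://app.example"}   # assumed origin of the SPA that talks to this API
SESSIONS = {"sid-alice": {"user": "alice", "email": "alice@example", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    """Only the parts of an HTTP request the checks look at (constructed, no real server)."""
    method: str
    headers: dict          # lower-case header names
    cookies: dict          # attached automatically by the browser
    body: bytes = b""
    url_query: str = ""    # ?query=... on a GET

    def header(self, name: str) -> str:
        return self.headers.get(name, "")

    def content_type(self) -> str:
        return self.header("content-type").split(";")[0].strip()


def _query_from_body(req: Request) -> str:
    """Tolerant body parsing: form encoding, JSON, or text/plain that parses as JSON. This
    convenience is what makes the endpoint reachable from a cross-site <form> or a no-cors
    fetch(), neither of which triggers a CORS preflight."""
    raw = req.body.decode("utf-8", "replace")
    if req.content_type() == "application/x-www-form-urlencoded":
        return parse_qs(raw).get("query", [""])[0]
    try:
        obj = json.loads(raw)
    except ValueError:
        return ""
    return obj.get("query", "") if isinstance(obj, dict) else ""


def execute(sess: dict, query: str) -> tuple:
    """Toy resolver with a single mutation so the side effect is visible."""
    if query.strip().startswith("mutation") and "changeEmail" in query:
        sess["email"] = query.split('"')[1]
        return 200, f"email changed to {sess['email']}"
    return 200, "query ok"


def vulnerable_handler(req: Request) -> tuple:
    """Cookie-only authentication, mutations reachable over GET, any content type accepted."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    query = req.url_query if req.method == "GET" else _query_from_body(req)
    return execute(sess, query)


def hardened_handler(req: Request) -> tuple:
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "no session"
    if req.method != "POST":                        # GET stays side-effect free: <img>/<link> cannot POST
        return 405, "mutations require POST"
    if req.content_type() != "application/json":    # a <form> cannot send this; fetch() must preflight it
        return 415, "application/json only"
    if req.header("origin") not in ALLOWED_ORIGINS:  # browsers send Origin on every POST; absent means untrusted
        return 403, "bad origin"
    if req.header("sec-fetch-site") not in ("", "same-origin"):   # Fetch Metadata, for browsers that send it
        return 403, "cross-site request blocked"
    if not hmac.compare_digest(req.header("x-csrf-token"), sess["csrf"]):   # token bound to the session
        return 403, "missing or wrong csrf token"
    try:
        query = json.loads(req.body).get("query", "")
    except (ValueError, AttributeError):
        return 400, "bad json"
    return execute(sess, query)


EVIL = 'mutation { changeEmail(to: "attacker@evil.example") }'


def demo() -> dict:
    """Four constructed cross-site requests against both handlers, then one legitimate request."""
    cookie = {"sid": "sid-alice"}   # attached by the browser (SameSite=None, or a Lax exception)
    x = {"origin": "https://evil.example", "sec-fetch-site": "cross-site"}
    attacks = {
        "form_post": Request("POST", {**x, "content-type": "application/x-www-form-urlencoded"},
                             cookie, urlencode({"query": EVIL}).encode()),
        "no_cors_fetch": Request("POST", {**x, "content-type": "text/plain"},
                                 cookie, json.dumps({"query": EVIL}).encode()),
        "img_get": Request("GET", {"sec-fetch-site": "cross-site", "sec-fetch-dest": "image"},
                           cookie, url_query=EVIL),
        "misconfigured_cors": Request("POST", {**x, "content-type": "application/json"},
                                      cookie, json.dumps({"query": EVIL}).encode()),
    }
    legit = Request("POST", {"origin": "https://app.example", "sec-fetch-site": "same-origin",
                             "content-type": "application/json",
                             "x-csrf-token": SESSIONS["sid-alice"]["csrf"]},
                    cookie, json.dumps({"query": 'mutation { changeEmail(to: "alice@new.example") }'}).encode())
    return {"vulnerable": {name: vulnerable_handler(r)[1] for name, r in attacks.items()},
            "hardened": {name: hardened_handler(r)[0] for name, r in attacks.items()},
            "legit": hardened_handler(legit)}
```

The misconfigured_cors case only reaches the server when a permissive CORS policy has let the preflight through; the Origin check is the second line for exactly that mistake. The custom-header token works for an SPA because a cross-site page cannot add headers to a request without CORS permission, which is also why the content-type check matters: text/plain and form bodies are the only ones a foreign page can send unasked.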
Managing and enforcing security practices in the development and deployment process in containerized environments
Matic Rupnik
This talk explores how to embed robust security practices into the software development and deployment lifecycle for containerized environments. By addressing the challenges of vulnerability management, security enforcement, and risk communication, we provide actionable insights into building secure systems while meeting deadlines and maintaining customer trust.
We will dive into open-source tools like Grype and Trivy for vulnerability scanning and demonstrate how to integrate their results into platforms like DefectDojo for streamlined management. Additionally, the session will guide attendees on creating an adaptable threat model that balances efficiency with customer satisfaction.
Key points of discussion:
– Understanding what security aspects development teams prioritize.
– The role of management in enforcing security policies and practices.
– Communicating the presence of residual vulnerabilities (CVEs) in the final product to customers and ensuring transparency about the associated risks.
This session bridges the gap between developers, management, and end customers, offering a practical roadmap to secure containerized environments without sacrificing agility or user confidence.
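As an added example of the enforcement and communication steps described above (my own code, not the speaker's pipeline), here is a policy gate over a scanner report and the residual-risk statement it produces for customers. The report is a constructed, Trivy-shaped JSON document (trivy image --format json puts findings under Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the vulnerability IDs are placeholders, not real CVEs. The acceptance list, thresholds and artifact name are assumptions for the demo; uploading the same report to DefectDojo is left to its import API.

```python
import json
from datetime import date

# Constructed Trivy-style report. The IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/api:1.4.2",
    "Results": [{
        "Target": "registry.example/api:1.4.2 (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
             "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6", "InstalledVersion": "2.36-9",
             "Severity": "HIGH"},                                   # no FixedVersion: nothing to upgrade to
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl", "InstalledVersion": "7.88.1-10",
             "FixedVersion": "7.88.1-11", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "perl-base", "InstalledVersion": "5.36.0-7",
             "Severity": "MEDIUM"},
        ]}]})

# Risk acceptances: what the team agreed to ship, why, and until when. This list is the
# residual risk that gets communicated to customers; an expiry forces re-evaluation.
ACCEPTED = {
    "CVE-EXAMPLE-0003": {"until": "2026-12-31", "reason": "affected curl feature is compiled out"},
}
BLOCKING = {"CRITICAL", "HIGH"}


def load_findings(report_json: str) -> list:
    """Flatten a Trivy report into one dict per finding."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                             "severity": v["Severity"], "target": result["Target"]})
    return findings


def gate(findings: list, accepted=ACCEPTED, today: date = None, blocking=BLOCKING) -> dict:
    """Policy: a blocking-severity finding with an upstream fix fails the build unless it has a
    non-expired acceptance. Findings without a fix cannot be upgraded away, so they do not block
    but are always reported as residual risk rather than silently dropped."""
    today = today or date.today()
    fail, residual = [], []
    for f in findings:
        acc = accepted.get(f["id"])
        if acc and date.fromisoformat(acc["until"]) >= today:
            residual.append({**f, "status": "accepted", "until": acc["until"], "reason": acc["reason"]})
        elif f["severity"] in blocking and f["fixed"]:
            fail.append({**f, "status": "expired acceptance" if acc else "fix available"})
        else:
            residual.append({**f, "status": "no fix available" if not f["fixed"] else "below threshold"})
    return {"passed": not fail, "fail": fail, "residual": residual}


def customer_summary(result: dict, artifact: str) -> str:
    """Plain-text residual-vulnerability statement for release notes."""
    lines = [f"Residual vulnerabilities in {artifact}:"]
    for r in result["residual"]:
        line = f"- {r['id']} ({r['severity']}) in {r['pkg']} {r['installed']}: {r['status']}"
        if r["status"] == "accepted":
            line += f", accepted until {r['until']} ({r['reason']})"
        lines.append(line)
    return "\n".join(lines)


def demo(today_iso: str = "2026-01-15") -> dict:
    """Run the gate on the constructed report as of a given date."""
    result = gate(load_findings(SAMPLE_REPORT), today=date.fromisoformat(today_iso))
    return {"passed": result["passed"],
            "blocked": sorted(f["id"] for f in result["fail"]),
            "residual": sorted(r["id"] for r in result["residual"]),
            "summary": customer_summary(result, "registry.example/api:1.4.2")}
```

Whether unfixable HIGH findings should block is the policy decision the talk's management point is about; the code makes it explicit and dated instead of leaving it in a pipeline flag, and the expiry turns a one-off exception into something that resurfaces on its own.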
SOC – lessons learned
Andrej Napotnik
As a cybersecurity analyst, I led the design and deployment of a Security Operations Center (SOC) tailored for a small but growing corporation with roughly 150 employees. The primary goal was to establish a cost-effective, scalable security monitoring solution that could detect, respond to, and mitigate cyber threats in real time without overextending the company’s resources.
I began by assessing the organization’s existing infrastructure, identifying critical assets, data flows, and potential vulnerabilities. From there, I developed a SOC strategy that included implementing a SIEM (Security Information and Event Management) system—specifically, a cloud-based solution for easier deployment and lower maintenance overhead. I integrated data sources such as firewalls, antivirus logs, endpoint detection tools, and authentication systems to create a unified security visibility layer.
With the SIEM in place, I configured alerting rules and correlation logic and built dashboards to visualize key security metrics. I also implemented log retention policies to meet compliance requirements. To complement the technology, I created incident response playbooks, ensuring that both IT and leadership knew how to act during a breach.
Given the lean team, I automated routine alert triage using playbook scripts and set up a basic ticketing system for incident tracking and escalation. I also ran security awareness training sessions to reduce human error risks.
Within three months, the SOC was operational and effectively reduced the mean time to detect (MTTD) and the mean time to respond (MTTR) to incidents, giving leadership confidence in the company’s cyber resilience.
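The abstract mentions correlation logic and automated alert triage without showing either, so here is an added example of both (my own code, not the speaker's SIEM content), run over a handful of constructed, normalised Windows security events (4625 = failed logon, 4624 = successful logon). The rule fires on five or more failures for one user/source pair inside five minutes, escalates when a success from the same pair follows, and the triage step enriches each alert with what the analyst would otherwise look up by hand: whether the source is internal and whether the account is privileged. The key=value log format, network ranges and account names are assumptions for the demo.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): normalised Windows security events as key=value lines.
SAMPLE_LOGS = """\
ts=2025-03-04T08:01:10Z host=dc01 event=4625 user=j.novak src=203.0.113.44
ts=2025-03-04T08:01:12Z host=dc01 event=4625 user=j.novak src=203.0.113.44
ts=2025-03-04T08:01:15Z host=dc01 event=4625 user=j.novak src=203.0.113.44
ts=2025-03-04T08:01:17Z host=dc01 event=4625 user=j.novak src=203.0.113.44
ts=2025-03-04T08:01:20Z host=dc01 event=4625 user=j.novak src=203.0.113.44
ts=2025-03-04T08:01:31Z host=dc01 event=4624 user=j.novak src=203.0.113.44 logon_type=3
ts=2025-03-04T08:02:00Z host=fs01 event=4625 user=m.kovac src=10.10.5.23
ts=2025-03-04T08:02:05Z host=fs01 event=4624 user=m.kovac src=10.10.5.23 logon_type=2
ts=2025-03-04T09:15:00Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
ts=2025-03-04T09:15:01Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
ts=2025-03-04T09:15:02Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
ts=2025-03-04T09:15:03Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
ts=2025-03-04T09:15:04Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
ts=2025-03-04T09:15:05Z host=dc01 event=4625 user=svc-backup src=10.10.9.9
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]  # assumed
PRIVILEGED = {"svc-backup", "administrator"}                                                   # assumed
THRESHOLD, WINDOW = 5, timedelta(minutes=5)


def parse_line(line: str) -> dict:
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(lines) -> list:
    """Sliding-window rule keyed on (user, src). A success after >= THRESHOLD failures is
    'brute-force succeeded'; failures alone that reach the threshold are 'brute-force attempt'."""
    failures = defaultdict(list)        # (user, src) -> [(ts, host), ...] within WINDOW
    alerts = []
    for rec in map(parse_line, lines):
        key = (rec["user"], rec["src"])
        if rec["event"] == "4625":
            failures[key] = [(t, h) for t, h in failures[key] if rec["ts"] - t <= WINDOW] + [(rec["ts"], rec["host"])]
        elif rec["event"] == "4624" and len(failures[key]) >= THRESHOLD:
            alerts.append({"rule": "brute-force succeeded", "user": key[0], "src": key[1],
                           "failures": len(failures[key]), "host": rec["host"], "ts": rec["ts"].isoformat()})
            failures[key] = []
    for (user, src), hits in failures.items():
        if len(hits) >= THRESHOLD:
            alerts.append({"rule": "brute-force attempt", "user": user, "src": src,
                           "failures": len(hits), "host": hits[-1][1], "ts": hits[-1][0].isoformat()})
    return alerts


def triage(alert: dict) -> dict:
    """Automated first pass: enrich, score, and decide the route so a one-person team only
    opens the cases that need a human."""
    src = ipaddress.ip_address(alert["src"])
    internal = any(src in net for net in INTERNAL_NETS)
    privileged = alert["user"] in PRIVILEGED
    score = (3 if alert["rule"] == "brute-force succeeded" else 1) + (0 if internal else 2) + (2 if privileged else 0)
    severity = "critical" if score >= 5 else "high" if score >= 3 else "medium"
    action = ("page on-call, disable account, block source" if severity == "critical"
              else "open ticket for analyst review")
    return {**alert, "source_internal": internal, "privileged": privileged,
            "severity": severity, "action": action}


def demo() -> list:
    """Correlate the constructed events and triage every alert."""
    return [triage(a) for a in correlate(SAMPLE_LOGS.splitlines())]
```

On the sample, the external source that guessed its way into j.novak's account is paged out immediately, the internal spray against a service account becomes a high-priority ticket, and m.kovac's single typo never surfaces, which is the difference between a rule and an alert storm.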
Meshtastic PKI bypass
Tilen Komel
In the previous academic year, a professor at FRI in the Security of Systems class assigned us the task of writing a paper about the field and its related exploits. Over the last two years, I have been very active in the Slovenian Meshtastic community, which inspired me to examine exploits within Meshtastic and deliberate use cases that might expose vulnerabilities. Meshtastic is open-source firmware for inexpensive LoRa-transmitting devices (such as ESP32 and RAK WisBlock) that enables the creation of an ad hoc mesh network over long distances.
While researching previous exploits and insecure practices, I began to wonder: why not push the investigation further? Less than a year after Meshtastic introduced PKI-encrypted private messages, I decided to send a private message programmatically via an MQTT server from my computer. I developed the code and populated the sender and receiver details in the packet without encrypting it. On the first attempt, the packet failed, and the device at the other end detected it as malformed. However, on the second try, the device accepted the packet as entirely valid. I reported the finding via a GitHub security advisory, and within a few days, it was assigned CVE-2025-21608.