
2014 Honeynet Project Workshop
12-14 May 2014 | Warsaw

Briefings & Demo Sessions Agenda - May 12-13 2014

Briefings: a two-day set of presentations combined with special demonstration sessions whose purpose is to bring together security experts to share their experiences and expertise in security technologies with other local and regional information security professionals.

Demo sessions: this year we will bring out eight real demonstration sessions to demonstrate our mature projects and tools that have been developed by Project members. These sessions give workshop participants the opportunity to see the software tools used and explained live, often by the actual authors of the tool. There are four parallel tracks with 4 demos, each 20 mins and repeated 3 times in an hour. Attendees are free to choose their favourites.

Day 1: (Main Room – Room ABC)

TIME AGENDA SPEAKER(S) SLIDES
08:30 ~ 09:30 Registration
09:30 ~ 09:45 Welcome Remarks Angelo Dell'Aera
(CEO, The Honeynet Project)
Piotr Kijewski (NASK)
slides
09:45 ~ 10:30 The Botnet Researcher's Guide To The Galaxy Tillmann Werner
(The Honeynet Project)
10:30 ~ 11:15 Adventures in Cybercrime Piotr Kijewski
(CERT Polska/NASK)
slides
11:15 ~ 11:45 Coffee Break
11:45 ~ 12:15 Inside Virustotal pants Emiliano Martinez
(Virustotal)
slides
12:15 ~ 12:45 Tracking and Characterizing Botnets Using Automatically Generated Domains Stefano Zanero/Federico Maggi
(Politecnico di Milano)
slides
12:45 ~ 13:15 Darknet and blackhole monitoring - a journey into typographic errors Alexandre Dulaunoy
(CIRCL)
slides
13:15 ~ 14:30 Lunch Break
The following two informal sessions will be held during lunch time
13:30 ~ 13:45 Demystifying Honeynet Project Membership Max Kilger (The Honeynet Project)
13:45 ~ 14:15 Honeynet Project Research and Development in Google Summer of Code David Watson (The Honeynet Project)
14:30 ~ 14:50 Thug: low-interaction honeyclient Angelo Dell'Aera
(The Honeynet Project)
slides
14:50 ~ 15:10 Execute this! Looking into code-loading techniques on Android Sebastian Poeplau
(The Honeynet Project)
slides
15:10 ~ 15:30 SDN: Migrate now...think about security later Kara Nance
(The Honeynet Project)
15:30 ~ 15:50 Caught in the honeypot: (almost) a year in review Łukasz Siewierski
(CERT Polska)
slides
15:50 ~ 16:10 Coffee Break
16:10 ~ 16:55 From "Fog security" to "58 58 c3" gadgets Felix Leder
(The Honeynet Project)
slides
16:55 ~ 17:10 Summary of Day 1, looking forward to Day 2 Kara Nance
(The Honeynet Project)

18:30

Social Event

A reception dinner for all attendees will be held at

Restaurant Vapiano



The restaurant is located near the workshop venue, about a 10 min walk away.


Day 2: (Main Room – Room ABC)

TIME AGENDA SPEAKER(S)
09:30 ~ 09:45 A look forward to Day 2 Kara Nance
09:45 ~ 10:30 Tales of an Open Source developer Claudio Guarnieri
(The Honeynet Project)
10:30 ~ 11:00 Threat intelligence: Why you should consider Visual Analytics in your arsenal of tools Olivier Thonnard
(Symantec Research Labs, Europe)
11:00 ~ 11:20 The Heatmap - Why is Security Visualization so hard? Raffael Marty
11:20 ~ 11:40 Coffee Break
11:40 ~ 12:00 Malicious Document Evolution Mahmud ab Rahman
(The Honeynet Project)
12:00 ~ 12:30 Malware Information Sharing Platform - NATO's approach to cyber threat information exchange Andrzej Dereszowski
(NATO NCIRC)
12:30 ~ 12:50 Cyber Counter Intelligence:
An attacker-based deception approach with “honey controls”
Gadi Evron
(Kaspersky)
12:50 ~ 14:00 Lunch Break
14:00 ~ 15:00 DEMO SESSIONS 1
(4 parallel tracks, 20 mins each, each demo repeated 3 times)
Thug 101
Angelo Dell'Aera
Conpot
Lukas Rist
Ghost - detecting infections with USB malware
Sebastian Poeplau
HPfeeds - honeynet data sharing tools
David Watson
15:00 ~ 15:10 Short Break
15:10 ~ 16:10 DEMO SESSIONS 2
(4 parallel tracks, 20 mins each, each demo repeated 3 times)
Slaying SSL dragons with mitmproxy
Maximilian Hils
Visualize it Yourself - DAVIX 2014
Raffael Marty
Androguard and Droidbox: detecting maliciousness in Android apps
Hugo Gonzalez
Cuckoo Sandbox: a quick walkthrough
Jurriaan Bremer
16:10 ~ 16:30 Coffee Break
16:30 ~ 17:15 Updates from Shadowserver Richard Perlotto (Shadowserver)
17:15 ~ 17:30 Final remarks



The Botnet Researcher's Guide To The Galaxy
Speaker: Tillmann Werner (The Honeynet Project)
Tillmann Werner is a researcher at CrowdStrike where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies like honeypots and botnet takeovers. Mr. Werner is actively involved with the global IT security community and is a regular speaker on the international conference circuit.
Abstract: A specter is haunting cyberspace. Botnets have evolved from toys to infrastructures operated by professional criminals. They are designed to resist any takedown attempt. In this presentation, we will review how the botnet landscape has changed in the last decade and discuss the implications. We will analyze attempts that have been made to neutralize botnets by technical means and show that a lasting effect is almost non-existent. Even worse, the reaction is an evolution towards multi resistant structures that are almost impossible to contain. This talk is a call to action: let's be more creative and less tentative in our fight against botnets!



Adventures in Cybercrime
Speaker: Piotr Kijewski (CERT Polska/NASK)
Piotr Kijewski is the Head of CERT Polska, a part of NASK. Previously for many years he was in charge of multiple projects and security research in the CERT Polska team. His interests include threat intelligence, malware analysis, botnets and honeypots. Piotr has engaged in many different innovative network security projects, both at the national and international level (including EU FP7, NATO and ENISA projects). Active in incident response, Piotr also orchestrated and coordinated the takedown of multiple botnets. Author of a couple of dozen publications and articles on network security, as well as frequent speaker and panelist at conferences both in Poland and abroad (including FIRST, NATO Cyber Defense Workshop, Honeynet Project Workshop, Microsoft Digital Crimes Consortium, MSRA and APWG eCrime). In 2011, Piotr set up the Polish Chapter of the Honeynet Project.
Abstract: The talk will cover various cybercrime operations analysed by CERT Polska. These primarily involved various forms of malware and botnets which used Polish network properties for C2 purposes or that were specifically targeting Polish users. The botnets themselves were varied - from the large, 300k node, centrally managed Virut botnet that used pay-per-install and rent-a-botnet schemes as its business model to smaller web-inject banking malware Citadel instances aimed at financial theft. Some also had mobile components, aimed at stealing transaction authentication codes used to verify transactions. We will also give an overview of our ZeuS P2P analysis and recent VMZeuS/PowerZeuS/KINS investigations, as well as how we identified and took down a rogue registrar that was abusing the .pl TLD namespace to support botnet operators.



Tales of an Open Source developer
Speaker: Claudio Guarnieri (The Honeynet Project)
Claudio is a hacker, security researcher and civil rights advocate. He's a core member of The Honeynet Project and The Shadowserver Foundation. He's a devoted open source developer, created Cuckoo Sandbox and runs Malwr.com. He presented at conferences such as BlackHat, Hack In The Box, and the Chaos Communication Congress and his research on cyber espionage and surveillance has been reported by the likes of the New York Times, Wall Street Journal, Washington Post, Bloomberg, Wired and many others.
Abstract: Working on an open source project is an exhausting but satisfying adventure filled with challenges, obstacles and rewards. I joined the Honeynet Project as a Google Summer of Code student working on the early version of what has become the Cuckoo Sandbox that exists now. A few years later Cuckoo has grown a lot and has earned a solid spot in the open source security space. It wasn't easy; here are some lessons learned.



Tracking and Characterizing Botnets Using Automatically Generated Domains
Speakers: Stefano Zanero - Federico Maggi (Politecnico di Milano)
Federico Maggi is an Assistant Professor at Politecnico di Milano, working with the NECST Laboratory (Novel, Emerging Computing System Technologies Laboratory), co-led together with Prof. Marco Santambrogio and Stefano Zanero. Federico's research interests revolve around collecting data from public sources to analyze and explain malicious activities. These include Android malware, botnets, and web service and social network abuses, on which he has published tens of peer-reviewed articles at international venues. During his PhD, obtained in 2010 at Politecnico di Milano, he studied and made contributions in the field of anomaly-based intrusion detection, developing and evaluating machine-learning based approaches to detect unexpected network payloads at the network and application (e.g., HTTP) layer, and on the Linux kernel (e.g., system calls).
Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an assistant professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on mobile malware, malware analysis, and systems security. Besides teaching “Computer Security” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 50 scientific papers and books. He is an associate editor for the “Journal in Computer Virology and Hacking Techniques”. He's a Senior Member of the IEEE (covering volunteer positions at national and regional level), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association), of which he is a senior member. He sits on the International Board of Directors of the same association. A long time op-ed writer for magazines (among which “Computer World”), Stefano is also a co-founder and chairman of Secure Network, a leading Italian information security consulting firm, and a co-founder of 18Months, a cloud-based ticketing solutions provider.
Abstract: Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognizing automatically generated domains (AGDs) from DNS traffic, which potentially allows one to identify previously unknown AGDs to hinder or disrupt botnets' communication capabilities. The state-of-the-art approaches require deploying low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. We propose a mechanism that overcomes the above limitations by analyzing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains. In this way, we are able to identify AGD names, characterize their DGAs and isolate logical groups of domains that represent the respective botnets. Moreover, our system enriches these groups with new, previously unknown AGD names, and produces novel knowledge about the evolving behavior of each tracked botnet. We used our system in real-world settings, to help researchers that requested intelligence on suspicious domains, and were able to label them as belonging to the correct botnet automatically. Additionally, we ran an evaluation on 1,153,516 domains, including AGDs from both modern (e.g., Bamital) and traditional (e.g., Conficker, Torpig) botnets. Our approach correctly isolated families of AGDs that belonged to distinct DGAs, and set automatically generated apart from non-automatically generated domains in 94.8 percent of the cases.
Paper:
http://arxiv.org/abs/1311.5612



Darknet and blackhole monitoring - a journey into typographic errors
Speaker: Alexandre Dulaunoy (CIRCL)
The simple bio is the following:
Enjoys it when humans are using machines in unexpected ways. I break stuff and I do stuff.
The long bio is:
Alexandre encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and for the past 6 years he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourgian Computer Security Incident Response Team (CSIRT) in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre enjoys working on projects where there is a blend of “free information”, innovation and a direct social improvement. When not gardening binary streams, he likes facing the reality of ecosystems while gardening or doing nature photography.
Abstract: The Internet void is an interesting place. In normal conditions, the Internet void is empty and we should not see anything. But if you take the time to look deeply into a "black-hole" monitoring dataset, you might find and identify surprising results, from badly configured systems to effects of unknown attacks along with various unexplained events. This talk will introduce you to a journey into the noise of Internet network monitoring along with all the opportunities for the researchers and the attackers.



Demystifying Honeynet Project Membership
Speaker: Max Kilger (The Honeynet Project)
Max Kilger is one of the founding members of the Honeynet Project and has formally been the chief membership officer for the Project for the last six years, and before that was heavily involved in membership issues. Max also serves as one of the Project's behavioral profilers and is a former member of the board of directors. He is a frequent national and international speaker and is a co-author of the recent book Reverse Deception: Organized Cyber Threat Counter-Exploitation. His areas of expertise include motivations for malicious online actors, the social structure of the hacking community and issues surrounding cyberterrorism.
Abstract: The Honeynet Project is one of the largest single non-profit all-volunteer information security organizations in the world, with 52 teams of experts in 42 countries. This growth over the years has been fueled both by new chapters as well as new members within chapters. This lightning talk provides a bit of history about membership and chapters, as well as providing information about how membership and chapters evolve currently.



Honeynet Project Research and Development in Google Summer of Code
Speaker: David Watson (The Honeynet Project)
David Watson is the Chief Research Officer for the Honeynet Project and was a Director between 2007-2012, and is again from 2013. As an active security researcher he regularly presents at international conferences or workshops and has contributed to various publications in the field of IT security. David has been involved with deploying honeypots since 1999, was the project manager and lead developer for the Honeynet Project's Global Distributed Honeynet (GDH/HonEeeBox) initiatives, which focused on analysing data gathered from networks of internationally distributed honeypots, and is currently working on a larger scale international distributed sensor project. He leads the UK Honeynet Project Chapter and is the Honeynet Project's Google Summer of Code organizational admin.
Abstract: In this less formal session David will review the kind of R&D projects undertaken by Google Summer of Code (GSoC) funded students over the past few years. There will be examples of recent research and the opportunity to ask questions about how to get involved in GSoC in the future.



Thug: low-interaction honeyclient
Speaker: Angelo Dell'Aera (The Honeynet Project)
Angelo Dell’Aera is currently Chief Executive Officer of the Honeynet Project. His interests are botnet tracking, honeyclient technologies and malware analysis. His previous research on TCP congestion control algorithms led to the design of the TCP Westwood+ algorithm and the implementation in the official Linux kernel. He’s the lead developer of the low-interaction honeyclient Thug.
Abstract: The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker’s content. The talk will describe the Honeynet Project low-interaction honeyclient (project name "Thug") and how to effectively use it in order to analyze malicious websites and detect potential exploit kits.
References:
https://www.honeynet.org/sites/default/files/files/HPAW2012-Thug.pdf
http://www.youtube.com/watch?v=nU-hr4oQ_bA



Execute this! Looking into code-loading techniques on Android
Speaker: Sebastian Poeplau (The Honeynet Project)
Sebastian Poeplau is the lead developer of the Ghost USB Honeypot, a detection system for USB malware. He is an IT security enthusiast and a full member of the Honeynet Project. He has studied in Bonn, Germany, and Santa Barbara, CA, and works with Lastline.
Abstract: Android apps can load arbitrary code once they run on a user's device. Given the centralized nature of malware protection in the Android ecosystem, this has some severe security implications. In the talk, we'll look at how malicious apps can use code-loading techniques to evade detection by centralized malware analysis systems. We'll also see how benign apps inadvertently introduce severe vulnerabilities by using loading techniques. Finally, we'll cover ideas on how to mitigate the threat.



SDN: Migrate now...think about security later
Speaker: Kara Nance (The Honeynet Project)
Kara Nance is a Professor of Computer Science at the University of Alaska Fairbanks and runs a computer security consulting firm. She also serves on the Honeynet Project Board of Directors. Her research interests include digital forensics, data systems, network dynamics, visualization, and computer security. She is the founder and director of the Advanced Systems Security Education, Research and Training (ASSERT) Center, which is a multidisciplinary center to address computer security issues and provides an isolated networked computer environment suitable for computer security education, research, and training that is used by institutions around the world. She serves on a Senior-Executive Advisory Board for the Office of the Director of National Intelligence and is a frequent speaker on cybersecurity.
Abstract: Software Defined Networking (SDN) is rapidly moving from the research and academic worlds into widely used networking equipment that powers production LANs and WANs. By allowing the flow of traffic throughout a network to be managed by SDN controllers, the hope is that networks can become highly programmable, meeting the needs of the specific environment rather than being limited to the capabilities of current network devices (e.g., that traffic can be routed more efficiently, effective QoS can be implemented at the network scale, new protocols can be developed and deployed to support capabilities such as location or performance based routing, and networks can recover more quickly from failure conditions). SDN, primarily in the form of OpenFlow, is already a reality, with Google having perhaps the largest production deployment on their datacenter-to-datacenter production network infrastructure. This talk will provide an introduction to SDN, and provide some insight into the security implications and opportunities that SDN offers.



Caught in the honeypot: (almost) a year in review
Speaker: Łukasz Siewierski (CERT Polska)
Łukasz Siewierski is a specialist in the Security Projects Team at CERT Polska. Member of the Polish chapter of the Honeynet Project since 2013. Responsible for managing the server honeypots. His main interest is analysis of malware for Windows and Android operating systems. While working in the Security Projects Team he participates in the creation of multiple projects, e.g. Honeyspider Network - a highly scalable system integrating multiple client honeypots to detect malicious websites. He holds an MSc in Computer Science and a BSc in Mathematics from the Nicolaus Copernicus University in Toruń.
Abstract: When I became a member of the Polish chapter of the Honeynet Project, my colleagues assigned me a task of deploying server honeypots. I did several deployments with dionaea and kippo on board. The talk will present the results of this experiment. Perhaps the most interesting was the discovery of a new DDoS botnet made for both Linux and Windows operating systems.



From "Fog security" to "58 58 c3" gadgets
Speaker: Felix Leder (The Honeynet Project)
Felix Leder is the director for malware research at Blue Coat. Several malware analysis solutions, like Cuckoo box and Norman's Malware Analyzer G2, have been initiated by and grown around him. After starting in the mobile space with companies like Nokia, he turned to his favourite field of research, IT security. During the time he worked for Fraunhofer and the University of Bonn, he joined research into botnet mitigation tactics and new methodologies for executable and malware analysis. The results were successful takedowns and a PhD. Felix Leder is a reverse engineer and tool developer by heart. He has given world-wide classes on malware analysis, reverse engineering, and anti-botnet approaches. Participants range from governmental institutions, financial & security industries, to military bodies.
Abstract: The IT security market is flooded with new buzz words over and over. Ambiguous marketing terms are mixed with technology descriptions and create a jungle of confusion for IT professionals. Instead of guiding to best practices, the result is a distraction and irritation of those who have to use technology to defend their IT infrastructure. This talk takes the most common buzz words, discusses their ambiguity and sheds light on how the combination of selected terms makes sense in a real-world defence.



Cyber Counter Intelligence: An attacker-based deception approach with “honey controls”
Speaker: Gadi Evron (Kaspersky)
Gadi is VP of Cybersecurity Strategy at Kaspersky and the Chairman of the Board of the Israeli CERT. He is widely recognized for his work in internet security operations and global incident response, considered the first botnet expert. He specializes in corporate security, cyber intelligence and cyber crime. He previously led the PwC Cyber Security Center of Excellence, located in Israel. Prior to that Gadi was CISO for the Israeli government Internet operation, founder of the Israeli Government CERT and is a research fellow at the Yuval Ne`eman Workshop for Science, Technology and Security, at Tel Aviv University, working on cyber warfare projects. Gadi authored two books on information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.
Abstract: Honeypots are a critical tool in cyber security, but more than that, they are a part of how corporate security should be managed. Rather than talking about honeypots as a technology which works well for research purposes, honeypots should also be treated as a methodology in corporate security - adding another layer of controls. This is an attacker-based rather than attack-based approach, where a detection would mean an attacker has been found with no likely false positives. Philosophically this approach means that the defence in information security, which has up to this point been considered inferior to attack, can become manoeuvrable, increasing the attackers' risk and cost, and the defence a much more interesting occupation. In this talk we will discuss what such a new layer of deception controls would look like, what its benefits would be, and how honeypots are key to making it happen.



Threat intelligence: Why you should consider Visual Analytics in your arsenal of tools
Speaker: Olivier Thonnard (Symantec Research Labs, Europe)
Dr. Olivier Thonnard is a Principal Research Engineer at Symantec Research Labs (SRL), Symantec's global research organization, which is focused on technology innovation and thought leadership in many aspects of computer and network security. His R&D activities are focused on data mining, machine learning, information visualization and Big Data analytics for security applications. In the recent years Dr Thonnard has worked mainly in research & prototyping of new technologies and systems to enhance Symantec's ability to identify and generate intelligence on notable cyber attacks and cyber crime activities.
Abstract: Visual Analytics is an emerging discipline that provides technology to combine the strengths of human and automated data processing, drawing tools from both the information-visualization and data-mining communities. In this talk we will show how visual analytics technologies can augment our arsenal of tools used for threat intelligence. We will perform a demo in which we will be using Symantec TRIAGE, an in-house developed threat intelligence and attack investigation framework that leverages data mining and visualization to help security analysts gain insights into cyber attacks. In particular we will analyze a series of notable targeted attack campaigns sent through spear phishing emails, like Elderwood, CommentCrew, and some others. We will use different visualizations to highlight similarities and differences in the tactics, techniques, and procedures (TTPs) used by attackers involved in these different malware campaigns.
A short preview of TRIAGE is available on Youtube at
http://youtu.be/cx-J68yjQrk



The Heatmap - Why is Security Visualization so hard?
Speaker: Raffael Marty (The Honeynet Project)
Raffael Marty is one of the world's most recognized authorities on security data analytics. The author of Applied Security Visualization and creator of the open source DAVIX analytics platform, Raffy is the founder and CEO of PixlCloud, a next-generation data visualization application for big data. With a track record at companies including IBM Research and ArcSight, Raffy is thoroughly familiar with established practices and emerging trends in data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. For more than 12 years, Raffy has helped Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security.
Abstract: The extent and impact of recent security breaches is showing that current approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks. However, products have failed to deliver on this promise. Current solutions don't scale in either data volume or analytical insight. In this presentation we will explore why it is so hard to come up with a security monitoring (or shall we call it security intelligence) approach that helps find sophisticated attackers in all the data collected. We are going to explore the question of how to visualize a billion events. To do so, we are going to dive deeply into heatmaps - matrices - as an example of a simple type of visualization. While these heatmaps are very simple, they are incredibly versatile and help us think about the problem of security visualization. They will help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.



Malicious Document Evolution
Speaker: Mahmud ab Rahman (The Honeynet Project)
Abstract: Malicious documents are getting more common in cyber attacks nowadays. The form of direct control of the execution is evolving into a complex combination of techniques to control EIP, smashing the vulnerable application while avoiding detection. These are the main ingredients in the malicious document secret recipe. During the talk, we'll examine security protection bypassing and detection avoidance techniques, using malicious document samples discovered in the wild.



Malware Information Sharing Platform - NATO's approach to cyber threat information exchange
Speaker: Andrzej Dereszowski (NATO NCIRC)
The author has over 10 years of experience in IT security. He currently works as a Senior Forensic Analyst at NATO Computer Incident Response Capability (NCIRC) and his day-to-day duties include digital forensics, malware and threat analysis. He is also a technical leader of the MISP development team on the NATO side and an occasional speaker at security conferences. His contribution to the community includes reverse engineering tools and malware analysis blog posts.
Abstract: The presentation will introduce the audience to MISP. MISP answers the need for sensitive information sharing between different organizations facing similar cyber threats. It provides an automated way of exchanging IOCs, malware samples and analysis data between organizations with different levels of trust. MISP can automatically correlate similar events, can export data in formats usable by perimeter devices (Suricata, OpenIOC, CSV files etc.) and can also be used for threat analysis. The presentation will include a live demo of the application.



Inside Virustotal pants
Speaker: Emiliano Martinez (Virustotal)
Emiliano Martinez is a software engineer at VirusTotal (http://www.virustotal.com) where he mainly focuses on data storing and data mining oriented to both the public and private portions of VirusTotal. He co-develops the private VirusTotal Intelligence portal and works hard to present a holistic picture of the files submitted to VirusTotal (what do they do, where do they come from, how wide-spread they are, how do they relate to other files, etc.). In the past, prior to VirusTotal's acquisition by Google, he was heavily involved in understanding and tracking banking malware and the cybercrooks behind it.
Abstract: Users tend to see VirusTotal.com exclusively as an aggregate antivirus scanner, ignoring many of the public and private features the service incorporates (advanced android information, execution behaviour report, sample clustering, relationships between binaries, etc.). This talk will shed some light into some of the less known features of VirusTotal, paying special attention to its researcher portal, VirusTotal Intelligence, and highlighting the new projects we are working on in order to improve malware hunting capabilities and extend the knowledge we have about the files submitted to the service. Hopefully, after the presentation, users will understand that there is much more information to extract from VirusTotal reports than just the antivirus detections.



Demo #1: Thug 101
Speaker: Angelo Dell'Aera (The Honeynet Project)
Angelo Dell’Aera is currently Chief Executive Officer of the Honeynet Project. His interests are botnet tracking, honeyclient technologies and malware analysis. His previous research on TCP congestion control algorithms led to the design of the TCP Westwood+ algorithm and the implementation in the official Linux kernel. He’s the lead developer of the low-interaction honeyclient Thug.
Abstract: The demo will describe how to properly use the Honeynet Project low-interaction honeyclient (project name "Thug") in order to analyze malicious websites. Some advanced Thug features which are useful for detecting and analyzing exploit kits will be presented. Moreover the demo will show how the tool collects result data and how to effectively analyze such data.



Demo #2: Conpot
Speaker: Lukas Rist (The Honeynet Project)
Lukas Rist is a software engineer with Blue Coat Norway where he develops behavioral malware analysis systems. In his spare time, he creates web application and ICS/SCADA honeypots and botnet monitoring tools under the umbrella of the Honeynet Project. He recently developed an interest in industrial security and automated SQL statement classification.
Twitter: @glaslos
Abstract: Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols, we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.
See more at http://conpot.org



Demo #3: Ghost - detecting infections with USB malware
Speaker: Sebastian Poeplau (The Honeynet Project)
Sebastian Poeplau is the lead developer of the Ghost USB Honeypot, a detection system for USB malware. He is an IT security enthusiast and a full member of the Honeynet Project. He has studied in Bonn, Germany, and Santa Barbara, CA, and works with Lastline.
Abstract: Some malware families are able to propagate from one computer to others via infected USB storage devices. Stuxnet, for example, allegedly used this capability to reach a high-security air-gapped computer system. Ghost is a piece of software designed to detect infections with such malware on Windows machines in order to mitigate the threat before it starts spreading. In this demo session, I will explain the basic idea behind Ghost's detection mechanism and show how to use the tool.



Demo #4: HPfeeds - honeynet data sharing tools
Speaker: David Watson (The Honeynet Project)
David Watson is the Chief Research Officer for the Honeynet Project, was a Director between 2007 and 2012, and has been one again since 2013. As an active security researcher he regularly presents at international conferences and workshops and has contributed to various publications in the field of IT security. David has been involved with deploying honeypots since 1999, was the project manager and lead developer for the Honeynet Project's Global Distributed Honeynet (GDH/HonEeeBox) initiatives, which focused on analysing data gathered from networks of internationally distributed honeypots, and is currently working on a larger-scale international distributed sensor project. He leads the UK Honeynet Project Chapter and is the Honeynet Project's Google Summer of Code organizational admin.
Abstract: The demo session will show how various honeypot and communication tools developed by the Honeynet Project and others can be deployed and connected together to improve data sharing, either within a single organization or across organisational boundaries. David will demonstrate distributed sensor deployments with multiple types of live honeypots feeding central systems using the HPFeeds system, and will also introduce how the Honeynet Project uses HPFriends to extend this capability with a social sharing model.
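The abstract describes sensors feeding a central system over HPFeeds without saying what goes over the wire. What follows is an added, independent re-implementation of the HPFeeds framing and challenge-response authentication as I recall it from the reference client; it is not the project's code, and the opcode numbers, field layout, frame cap and the ident/channel/secret values are assumptions to verify against the version you deploy. It shows both sides of the exchange: the broker sends a nonce, the sensor answers with sha1(nonce || secret) so the secret never crosses the network, and the broker recomputes and compares it before accepting PUBLISH frames.

```python
import hashlib
import hmac
import struct

# Opcodes as I recall them from the hpfeeds reference client (assumption).
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4
MAX_FRAME = 1 << 20  # cap on the peer-supplied length field (assumption; size to your payloads)


def _str8(s):
    """One-byte length prefix + bytes; idents and channel names are capped at 255 bytes."""
    if len(s) > 255:
        raise ValueError("field longer than 255 bytes")
    return struct.pack("!B", len(s)) + s


def _take8(body):
    n = body[0]
    if len(body) < 1 + n:
        raise ValueError("truncated length-prefixed field")
    return body[1:1 + n], body[1 + n:]


def frame(op, body):
    """Header: 4-byte big-endian total length (header included) + 1-byte opcode."""
    return struct.pack("!IB", 5 + len(body), op) + body


def msg_info(broker_name, nonce):
    """Broker -> client on connect: broker name plus a fresh 4-byte nonce."""
    return frame(OP_INFO, _str8(broker_name) + nonce)


def msg_auth(ident, secret, nonce):
    """Client -> broker: ident plus sha1(nonce || secret); the secret itself is never sent."""
    return frame(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident, channel, payload):
    return frame(OP_PUBLISH, _str8(ident) + _str8(channel) + payload)


def msg_subscribe(ident, channel):
    return frame(OP_SUBSCRIBE, _str8(ident) + channel)


def parse_frames(buf):
    """Split a byte stream into (opcode, body) pairs; also return any incomplete tail."""
    frames = []
    while len(buf) >= 5:
        length, op = struct.unpack("!IB", buf[:5])
        if length < 5 or length > MAX_FRAME:
            raise ValueError(f"bad frame length {length}")  # the peer must not size our reads
        if len(buf) < length:
            break
        frames.append((op, buf[5:length]))
        buf = buf[length:]
    return frames, buf


def parse_info(body):
    name, nonce = _take8(body)
    return name, nonce


def parse_publish(body):
    ident, rest = _take8(body)
    channel, payload = _take8(rest)
    return ident, channel, payload


def broker_check_auth(body, nonce, secrets):
    """Broker side: recompute sha1(nonce || secret) for the claimed ident and compare in
    constant time. A digest replayed from another session fails because the nonce differs."""
    ident, digest = _take8(body)
    secret = secrets.get(ident)
    if secret is None or len(digest) != 20:
        return False
    return hmac.compare_digest(hashlib.sha1(nonce + secret).digest(), digest)


def demo():
    """One constructed session: broker greets, sensor authenticates and publishes."""
    nonce = b"\x13\x37\xbe\xef"                 # constructed; a real broker uses os.urandom(4)
    secrets = {b"sensor1": b"s3cret"}           # broker's credential store
    info_frames, _ = parse_frames(msg_info(b"broker", nonce))   # broker -> sensor
    _, nonce_seen = parse_info(info_frames[0][1])
    to_broker = (msg_auth(b"sensor1", b"s3cret", nonce_seen)     # sensor -> broker
                 + msg_publish(b"sensor1", b"sensor.events",
                               b'{"saddr": "203.0.113.9", "dport": 445}'))
    frames, rest = parse_frames(to_broker)
    authenticated = broker_check_auth(frames[0][1], nonce, secrets)
    ident, channel, payload = parse_publish(frames[1][1])
    return {"authenticated": authenticated, "ident": ident,
            "channel": channel, "payload": payload, "leftover": rest}


if __name__ == "__main__":
    print(demo())
```

Two practical notes follow from the code. The AUTH step proves possession of the secret, but nothing after it is integrity-protected or encrypted, so a broker reachable across untrusted networks should sit behind TLS (for example a stunnel wrapper). And the 4-byte length field is chosen by the remote peer: a broker that allocates whatever length it is told can be exhausted by one hostile sensor, which is why parse_frames rejects frames above a cap.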



Demo #5: Slaying SSL dragons with mitmproxy
Speaker: Maximilian Hils (The Honeynet Project)
Maximilian Hils (@maximilianhils) is a student of Information Systems at WWU Münster, Germany. He is one of the two core developers of mitmproxy, on which he started working during his Honeynet Google Summer of Code project in 2012. In his spare time, he develops web applications and slays SSL dragons wherever he finds them. Recently, he developed an interest in Cloud Storage Security and Security Usability.
Abstract: mitmproxy is an open source man-in-the-middle HTTPS proxy. It can be used as an interactive proxy to intercept and modify requests or as a passive proxy to act like tcpdump for HTTP. It is highly extensible using a simple Python scripting interface. In this hands-on demo, we will demonstrate how to use mitmproxy to analyze SSL traffic from Android applications and tamper with their requests. Moreover, we will show how you can perform simple statistical analysis of captured traffic in Python.
References:
http://mitmproxy.org/



Demo #6: Visualize it Yourself - DAVIX 2014
Speaker: Raffael Marty (The Honeynet Project)
Raffael Marty is one of the world's most recognized authorities on security data analytics. The author of Applied Security Visualization and creator of the open source DAVIX analytics platform, Raffy is the founder and CEO of PixlCloud, a next-generation data visualization application for big data. With a track record at companies including IBM Research and ArcSight, Raffy is thoroughly familiar with established practices and emerging trends in data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. For more than 12 years, Raffy has helped Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security.
Abstract: Have you looked at log files lately? Was it for incident response or were you trying to understand how your applications are behaving? Malware infected machines that you want to isolate? Are you also of the impression that it shouldn't be that hard to analyze all of this data? Maybe you should try to visualize your data. But you have probably tried that and you are struggling with the available tools. What tool should you use and how do you get the tools installed and compiled? What data format do they require to visualize the data? We have gone through the same struggles and decided to solve some of those problems by building the Data Analysis and VIsualization linuX. DAVIX is a live CD for data analysis and visualization. It brings the most important free tools for data processing and visualization to your desk. There is no hassle with installing an operating system or struggling to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis. We will launch a brand new version of DAVIX during this talk - DAVIX 2014.



Demo #7: Androguard and Droidbox: detecting maliciousness in Android apps
Speaker: Hugo Gonzalez (The Honeynet Project)
Hugo Gonzalez (@hugo_glez) is a full member of the Honeynet Project and is now pursuing his PhD at the University of New Brunswick, working at the Information Security Centre of Excellence. His research interests include Malware Authorship Attribution, Android Malware and Application Layer DoS attacks.
Abstract: Android malware is becoming more sophisticated and widespread, but we have great tools to help with our analysis effort. This demo will cover how to use androguard to perform static analysis and how some scripted automation can help us. Then Droidbox will be covered to perform dynamic analysis, and at the end we will put all this information together to make sense of the maliciousness of the app.



Demo #8: Cuckoo Sandbox: a quick walkthrough
Speaker: Jurriaan Bremer (The Honeynet Project)
Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan is one of the Core Developers of Cuckoo Sandbox, a member of The Honeynet Project, and occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team.
Abstract: In this short demonstration of Cuckoo Sandbox you will get a complete introduction to sandboxing - what can it do and what can't it do. You'll become familiar with the general usage of Cuckoo Sandbox, get to take a quick peek at the reports that are generated, understand how the reports are generated, and what you can take away from them when analyzing a potentially malicious sample. If you're already a Cuckoo user then feel free to ask a quick question - everybody learns from that.
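The abstract promises to show what you can take away from a Cuckoo report. The following is an added example, not Cuckoo's code: it condenses a report into the items an analyst acts on (highest signature severity, persistence, network IOCs, dropped files) and flags when anti-VM signatures fired. The embedded report is a constructed excerpt whose layout approximates a Cuckoo 1.x report.json (info, target, signatures, network, behavior.summary); the field names are an assumption to check against your own reports, and the values are documentation-range addresses and reserved names.

```python
import json

# Constructed excerpt in the shape of a Cuckoo report.json (assumed 1.x field
# names; compare with a real report before relying on them).
SAMPLE_REPORT = json.loads(r"""
{
  "info": {"id": 42, "duration": 120},
  "target": {"file": {"name": "invoice.exe",
             "sha256": "0000000000000000000000000000000000000000000000000000000000000042"}},
  "signatures": [
    {"name": "antivm_generic_disk", "severity": 2, "description": "Queries disk size, a common VM check"},
    {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun at Windows startup"},
    {"name": "network_http", "severity": 1, "description": "Performs HTTP requests"}
  ],
  "network": {
    "hosts": ["203.0.113.5", "192.0.2.53"],
    "dns": [{"request": "cdn-update.example", "answers": [{"type": "A", "data": "203.0.113.5"}]}],
    "http": [{"host": "cdn-update.example", "method": "POST", "uri": "/gate.php"}]
  },
  "behavior": {
    "summary": {
      "files": ["C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"],
      "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
      "mutexes": ["Global\\updater_lock"]
    }
  }
}
""")

RUN_KEY_MARKERS = ("\\CurrentVersion\\Run", "\\RunOnce")
EVASION_PREFIXES = ("antivm", "antisandbox", "antidbg")


def triage(report):
    """Reduce a report to severity, persistence, network IOCs, dropped files and an
    evasion flag. An evaded run may never reach the real payload, so an empty network
    section in a report that also fired anti-VM signatures is not evidence of benignity."""
    sigs = report.get("signatures", [])
    summary = report.get("behavior", {}).get("summary", {})
    net = report.get("network", {})

    max_sev = max((s.get("severity", 0) for s in sigs), default=0)
    evasion = [s["name"] for s in sigs if s["name"].startswith(EVASION_PREFIXES)]
    persistence = [s["name"] for s in sigs if s["name"].startswith("persistence")]
    run_keys = [k for k in summary.get("keys", []) if any(m in k for m in RUN_KEY_MARKERS)]

    domains = {d["request"] for d in net.get("dns", [])}
    domains |= {h["host"] for h in net.get("http", []) if "host" in h}
    resolved = {a["data"] for d in net.get("dns", [])
                for a in d.get("answers", []) if a.get("type") == "A"}
    ips = set(net.get("hosts", [])) | resolved
    urls = {f'http://{h["host"]}{h.get("uri", "/")}' for h in net.get("http", []) if "host" in h}

    # Executables written under a user profile are the usual dropped second stage.
    dropped = [f for f in summary.get("files", [])
               if f.lower().endswith(".exe") and "\\appdata\\" in f.lower()]

    return {
        "sample": report.get("target", {}).get("file", {}).get("sha256"),
        "max_severity": max_sev,
        "persistence": persistence + run_keys,
        "iocs": {"domains": sorted(domains), "ips": sorted(ips), "urls": sorted(urls),
                 "mutexes": sorted(summary.get("mutexes", [])), "dropped": dropped},
        "possibly_evaded": bool(evasion),
        "evasion_signatures": evasion,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The IP set deliberately merges the hosts list with DNS A answers: the two disagree whenever the sample resolves a name but never connects, and that gap is itself worth noticing. Resolver and infrastructure addresses that appear in every run belong on an allow-list before the output is fed into MISP or a blocklist.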




Updates from Shadowserver
Speaker: Richard Perlotto (Shadowserver)
Richard Perlotto is one of three directors running the Shadowserver Foundation, an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. Richard is an Information Security Adviser for Cisco Systems providing assistance and guidance on Information, Internet Risks and Threats to Cisco and their Customers. Previously he ran Security Operations worldwide for all of Cisco for almost four years. He is a 16-year Cisco veteran.
Abstract: Shadowserver will go over new sources of information and related statistics, including spam activity, its scanning project, and how big data and analysis can fit together.





CONTACT US

Do you have specific questions? Contact us via [email protected]


The 2014 Honeynet Project Workshop is sponsored by:

NASK