The Honeynet Project Annual Workshop 2019
Innsbruck, Austria — July 1st–3rd, 2019

Conference Program

The Honeynet Workshop is the leading forum for early warning systems, cyber deception, and open source security tools to improve internet security. The workshop program consists of one day of invited talks and two days of trainings, held by a diverse set of experienced international speakers and trainers.

Monday, July 1st
8:00–9:00   Registration
9:00–18:00  Briefings
18:30       Social Dinner

Tuesday, July 2nd
8:00–9:00   Registration
9:00–17:30  Trainings

Wednesday, July 3rd
8:30–9:00   Registration
9:00–17:30  Trainings

Briefing Day

Time Topic Speaker
TBA
Claudio Guarnieri
Shadowserver: Updates and highlights from recent activities

The 501(c)(3) non-profit Shadowserver Foundation collects many types of large-scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CERTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities.

Piotr Kijewski
David Watson
Coffee Break
T-Pot, PEBA, Sicherheitstacho - Fighting evil forces by running a large scale honeypot installation

Deutsche Telekom AG is running one of the bigger honeypot networks globally. In this talk the developers (T-Pot, backend, …) will share their experiences over the past years.

André Vorbach
Marco Ochse
Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection

Stealthy Virtual Machine Introspection (VMI) is a prerequisite for successfully analyzing and proactively mitigating sophisticated malware. Yet ARM lacks the foundation required for VMI. In this talk, we closely examine the ARM architecture to identify its shortcomings and develop the novel techniques necessary for effective virtualization-based dynamic malware analysis.

Sergej Proskurin
Can I be you, please? Deception with code attribution

With software being distributed and shared widely on the web, anonymity becomes priceless. Modern-day malware writers employ advanced obfuscation techniques to hide their identities. Open-source authors often also strive for anonymity. Yet recent advances in security technology allow us to uncover some of a developer’s identity on the fly. Most of these efforts draw on the authorship attribution domain. Well established in the social sciences, authorship attribution offers a broad spectrum of techniques that allow an author to be characterized from the textual features of documents and the author’s writing style. The underlying assumption of authorship attribution is that every author has a distinctively unique writing style, which can be used to identify the writer of a specific piece of malware. With these recent advances in the field of authorship attribution, is it even possible to remain anonymous on the Internet? If not, can we possibly deceive authorship attribution?

Natalia Stakhanova
Lunch Break
Tales from the CRYPT(3): Stories from the early Honeynet Project years

Hear stories about events from the early HP days, told by someone who was there: Who had trouble getting into the NSA FANX building? Who was the best/worst shot with an MP-5 at Quantico? How uncomfortable is explaining to DoJ CCIPS prosecutors how we were NOT wiretapping? How quickly do black hats turn on each other when cold-called by Dean Turner (SecurityFocus News)?

Dave Dittrich
Google Summer of Code at the Honeynet Project

Since 2009, Google has sponsored students to work on security tools and research at the Honeynet Project. With a relatively small budget, this program enabled the creation of now industry-leading tools such as Cuckoo Sandbox. In this session, Max will briefly explain the Google Summer of Code program and show recent achievements. Finally, we discuss how you can get involved and work with students on cutting-edge research!

Maximilian Hils
SNARE/TANNER: The evolution of web application based honeypots

We present the evolution of web-application-based medium-interaction honeypots. The medium interaction level is achieved by implementing page cloning and SQL emulation. The important part of the system is the analysis subsystem: applying heuristics allows a likelihood to be assigned to the user type for each session.

Evgeniia Tokarchuk
Virtual Machine Introspection Based SSH Honeypot

The problem of current honeypot implementations is that attackers can easily detect that they are interacting with a honeypot and stop their activities immediately. In this talk, we introduce Sarracenia, a VMI based SSH honeypot which improves the stealthiness of monitoring.

Stewart Sentanoe
Coffee Break
Default/Weak Passwords and Their Impact on Cyber(In)Security

Default and/or weak admin passwords have been plaguing the computer security field since before it was a named area of work. This talk presents some of the problems that come with default or weak (admin) passwords and some of the resulting changes that aim to deter organizations from using default passwords when shipping products.

Katherine Carpenter
TBA
Kara Nance
FATTpot: Fingerprinting All the Things

Network fingerprinting is a useful technique for profiling attackers and their tools. But most, if not all, honeypots don’t log the protocol fields or messages you need for fingerprinting. In this talk, I will explore some profiling methods and show you how I used these techniques (which can also be used against the honeypots!) to identify some interesting attempts to avoid fingerprinting.

Adel Karimi
19:00
Social Dinner
Stiftskeller Innsbruck, Stiftsgasse 1–7, 6020 Innsbruck, Austria.
(300 meters walking distance from the conference hotel)

Training Schedule

Trainings

Slot Training Trainer
Tue–Wed
(two day)
Applying Machine Learning to Cyber Security

This is a zero-to-hero course. We will start with no (or little) knowledge about machine learning and end by creating our own custom APT detection that matches commercial-grade tools.

Along the way, we will look at different types of machine learning, explore their limitations, and discuss typical problems. We will answer relevant questions, like how to identify that the machine has really learned something useful, how to deal with resource constraints, perform feature selection, and how to fine tune towards our goal.

The whole course is filled with real-world applications: After playing with artificial data, we will create a classifier for a polymorphic malware family, and end the day with your own threat prevention AI that uses features from ClamAV.

Felix Leder
Brian Hay
Tue
(one day)
Introduction to Honeypots Or: How I Learned to Stop Worrying and Love My Enemies
Miguel Bautista
Late Tue
(preliminary)
Simple and Effective Breach Notification Using Cyber Traps
Ben Whitham
Early Wed
(preliminary)
Introduction to Capture the Flag

Capture the Flag (CTF) events are games where participants are awarded points for finding flags (i.e., specific pieces of data) within the environment. This exploration is largely guided by challenges such as gaining access to an account, or finding some hidden information within a service. This gentle guided introduction to CTF focuses on challenges designed to explore various security concepts in both Linux and Windows environments without requiring specialized tools. No prior system knowledge (or software) is expected or required to participate.

Kara Nance
Late Wed
(preliminary)
Educational Capture the Flag Experience

This Capture the Flag (CTF) serves as a more technical introduction to common security tools. Staged in a James Bond-themed environment, participants will be tasked with attacking various SPECTRE services in order to find flags. Challenges will focus on common tools and techniques to perform network reconnaissance, digital forensics and web application pentests, identify service misconfigurations, and more. No prior knowledge (or software) is required to participate, as guidance and hints are available. More experienced CTF participants will still find the environment challenging.

Kara Nance
Early Tue
(preliminary)
Threat Hunting - Revealing the Unknown

Threat hunting, considered part of modern cyber defence, is the proactive process of finding an adversary on the network on the presumption that an unknown asset is already compromised. In this class, attendees will go through the basic threat hunting principles and practice hunting in hands-on labs using IDS, machine learning and visualization techniques.

Marcin Szymankiewicz
Late Tue
(preliminary)
Ethics in Computer Security Research and Operations

Ethics is not like porn (“you know it when you see it”). Ethics is based on philosophies, principles, and evaluation approaches defined by philosophers or codified in regulations or international conventions. We will cover all of this and practice evaluating real-world situations faced by Honeynet members, computer security researchers and security operators in the public and private sectors.

Katherine Carpenter
David Dittrich
Early Wed
(preliminary)
Advanced Honeypot Development: Customizing the Glutton

Prerequisites: In order to follow the hands-on training, programming knowledge, a working Golang setup and a recent Linux distribution are expected.

Lukas Rist
Tue
(one day)
TBA
Introduction to Cryptocurrency Forensics
TBA