The Honeynet Project Annual Workshop 2019
Innsbruck, Austria — July 1st–3rd, 2019

Conference Program

The Honeynet Workshop is the leading forum for early warning systems, cyber deception, and open source security tools to improve internet security. The workshop program consists of one day of invited talks and two days of trainings, held by a diverse set of experienced international speakers and trainers.


Briefing Day

Time Topic Speaker
Introduction to the Workshop

Introduction to The Honeynet Project from the CEO.

Faiz Shuja
Keynote: The Changing Landscape of Cybercrime

In a draft chapter for the third edition of my book “Security Engineering”, I survey the main online threats – state actors, cybercrime, and other abuses. We know a lot about cybercrime, as we run a centre that collects data and makes it available to other researchers; see for example our paper on the changing costs of cybercrime, which recently appeared at WEIS. I’ll discuss this as an example of what can be achieved by a broad academic collaboration. This then leads to the question of whether we should collaborate to try to learn more about state actors. There are many defence think tanks that study conventional conflict and maintain some kind of historical and situational awareness as a service to people outside the major governments’ national-security teams. But there are almost no independent scholars of cyber conflict. Perhaps people who operate honeypots and collect relevant data might help build such expertise.

Ross Anderson
Keynote: Securing Civil Society

While through the decades of experience in the information security industry we have built a comprehensive literature on security practices and designed technologies to defend corporations and public institutions, structured efforts to protect civil society from digital attacks have so far been lacking. Because of civil society’s very different and peculiar operational, financial and technological characteristics, traditional security practices do not apply well. In this talk, we try to analyze the existing challenges and identify opportunities and possible creative solutions.

Claudio Guarnieri
Coffee Break
Can I be you, please? Deception with code attribution

With software being distributed and shared widely on the web, anonymity becomes priceless. Modern-day malware writers employ advanced obfuscation techniques to hide their identities. Open-source authors often also strive for anonymity. Yet, recent advances in security technology allow us to uncover some of the developer’s identity on the fly. Most of these efforts leverage the authorship attribution domain. Well-established in social science, authorship attribution offers a broad spectrum of techniques that allow author characterization based on the analysis of the textual features of documents and an author’s writing style. The underlying assumption of the author attribution approach is based on the premise that every author has a distinctively unique writing style which can be effectively used to identify the writer of a specific malware. With these recent advances in the field of author attribution, is it even possible to remain anonymous on the Internet? If not, can we possibly deceive author attribution?

Natalia Stakhanova
Default/Weak Passwords and Their Impact on Cyber(In)Security

Default and/or weak admin passwords have been plaguing the computer security field since before it was a named area of work. This talk presents some of the problems that come with default or weak (admin) passwords and some of the resulting changes that aim to deter organizations from using default passwords when shipping products.

Katherine Carpenter
T-Pot, PEBA, Sicherheitstacho - Fighting evil forces by running a large scale honeypot installation

Deutsche Telekom AG is running one of the bigger honeypot networks globally. In this talk the developers (T-Pot, backend, …) will share their experiences over the past years.

André Vorbach
Marco Ochse
Lunch Break
Tales from the CRYPT(3): Stories from the early Honeynet Project years

Hear stories about events from the early HP days, told by someone who was there: Who had trouble getting into the NSA FAN-X building? Who was the best/worst shot with an MP-5 rifle at Quantico? How uncomfortable is explaining to DoJ CCIPS prosecutors how we were NOT wiretapping? How quickly do black hats turn on each other when cold called by Dean Turner (Security Focus News)?

David Dittrich
Google Summer of Code at the Honeynet Project

Since 2009, Google has sponsored students to work on security tools and research at the Honeynet Project. With a relatively small budget, this program enabled the creation of now industry-leading tools such as Cuckoo Sandbox. In this session, Max will briefly explain the Google Summer of Code program and show recent achievements. Finally, we discuss how you can get involved and work with students on cutting-edge research!

Maximilian Hils
SNARE/TANNER: The evolution of web application based honeypots

We are presenting the evolution of web application based medium interaction honeypots. The medium interaction levels are achieved by implementing page cloning and SQL emulation. The important part of the system is the analyzing subsystem: applying heuristics allows us to assign a certain likelihood to the user type for each session.

Evgeniia Tokarchuk
Virtual Machine Introspection Based SSH Honeypot

The problem of current honeypot implementations is that attackers can easily detect that they are interacting with a honeypot and stop their activities immediately. In this talk, we introduce Sarracenia, a VMI based SSH honeypot which improves the stealthiness of monitoring.

Stewart Sentanoe
Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection

Stealthy Virtual Machine Introspection (VMI) is an obligation to successfully analyze and proactively mitigate sophisticated malware. Yet, ARM lacks the foundation required for VMI. In this talk, we closely examine the ARM architecture to identify shortcomings and develop novel techniques necessary for effective virtualization-based dynamic malware analysis.

Sergej Proskurin
Ulrich Fourier
Coffee Break
Revealing the Deceivers by Fingerprinting All the Things

One of the main honeypot use-cases is to learn about the attackers and their tools. Network fingerprinting methods such as JA3 and HASSH are useful techniques that can be used to profile the attackers and tools. But most, if not all, of the honeypots don’t log the protocol fields or messages you need for fingerprinting. In this talk, I will review some profiling methods and then introduce FATT, a tool that can be used beside your honeypots to log additional data and client fingerprints. This talk will explore how I used these techniques to cluster internet-wide scans and identify some interesting attempts to avoid fingerprinting. I will also show how these techniques can be used against the honeypots!

Adel Karimi
Reasoning With Security Data

Mitigating threats is an approachable task after the threat-related behaviors have been identified. The situation is much more challenging when you are not sure what you are looking for. The human mind is highly adept at quickly identifying visual anomalies in large datasets. As part of a defense-in-depth strategy, these human pattern recognition capabilities can be applied to drive the evolution and refinement of threat identification and detection mechanisms. This presentation investigates the application of visualization combined with human abductive reasoning, with the goal of using this knowledge to guide the evolution of analytical tools to help protect our digital assets.

Kara Nance
Shadowserver: Updates and highlights from recent activities

The 501c3 non-profit Shadowserver Foundation collects many types of large scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CERTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities.

Piotr Kijewski
David Watson
Social Dinner
Stiftskeller Innsbruck, Stiftsgasse 1–7, 6020 Innsbruck, Austria.
(300 meters walking distance from the conference hotel)

Training Schedule


Slot Training Trainer
(one day)
Introduction to Cryptocurrency Forensics

Blockchain technology empowers virtual cryptocurrencies to enable decentralized payment systems. This course gives an introduction to the underlying technology and takes deep dives into privacy aspects of Bitcoin, as an example of virtual currencies. The use of virtual currencies as a major payment channel for criminal operations can provide additional data to identify attacking entities. We will introduce and discuss possibilities to follow the money through a virtual currency network using various techniques.

During the day, participants solve practical challenges and learn to analyze blockchain activities. Participants will receive and send Bitcoin and grasp how payments are settled on the chain. Discussions will reveal how users can protect their privacy and their virtual currency funds effectively.

Participants both with and without any background in virtual currencies are welcome. Please bring a laptop for the hands-on.

Thomas Gloe
Jakob Hasse
(two day)
Applying Machine Learning to Cyber Security

This is a zero to hero course. We will start with no (or little) knowledge about machine learning and end the day with creating our custom APT detection that matches commercial grade tools.

Along the way, we will look at different types of machine learning, explore their limitations, and discuss typical problems. We will answer relevant questions, like how to identify that the machine has really learned something useful, how to deal with resource constraints, perform feature selection, and how to fine tune towards our goal.

The whole course is filled with real-world applications: After playing with artificial data, we will create a classifier for a polymorphic malware family, and end the day with your own threat prevention AI that uses features from ClamAV.

Felix Leder
Brian Hay
(one day)
Honeypots and IDS 101

This is an introductory class to understand basic technologies like Honeypot and IDS (Intrusion Detection System), how they are used and deployed to detect potential threats and how they can protect a network infrastructure from bad actors. In this class we’ll consider the most common types of Honeypots and IDS, including both open source and commercial tools, and the environments where they are commonly deployed. We’ll also collect and analyze some generated data using custom automation techniques.

In the first part of the class we’ll cover Honeypots, their history, types and objectives, including the development and configuration of a basic Honeypot. Then we’ll dive deeper into Intrusion Detection Systems, their purpose and benefits, with a special focus on the open source IDS Snort.

Attendees are required to bring a laptop capable of running the provided Linux Virtual Machine with either VMware or VirtualBox.

Miguel Bautista
Early Wed
Simple and Effective Breach Notification Using Cyber Traps

This is an introductory level class to demonstrate the value of cyber traps in detecting and tracking network intruders. Cyber traps provide low numbers of high value alerts. If placed correctly, they can provide valuable information about the intruder. The class will learn about the elements of a cyber trap and explore a number of different cyber traps that can be applied to breach detection, including breadcrumbs, honeypots, honeyfiles and honey tokens. The focus of the tutorial will be to look at how to make content that is enticing and tailored to your environment. Participants will be provided a CentOS VM to be run on either VMWare or VBox.

Ben Whitham
Late Wed
Getting Started with T-Pot

T-Pot is the fastest growing all-in-one honeypot platform currently available as open source. It includes industry leading honeypots such as Conpot, Cowrie, Dionaea, Glutton, Heralding, Honeytrap, Snare & more and uses the ELK stack to beautifully render events to preconfigured dashboards. The workshop will cover a cloud-based installation, setup within your organization / network, how to use T-Pot to your advantage, events data, configuration adjustments, daily usage and updates. We will also discuss the importance of event sharing, Sicherheitstacho and PEBA (Python EWS Backend API). Take your chance and join the T-Pot 101 workshop held directly by its authors!

Marco Ochse
André Vorbach
Early Wed
Introduction to Capture the Flag

Capture the Flag (CTF) events are games where participants are awarded points for finding flags (i.e., specific pieces of data) within the environment. This exploration is largely guided by challenges such as gaining access to an account, or finding some hidden information within a service. This gentle guided introduction to CTF focuses on challenges designed to explore various security concepts in both Linux and Windows environments without requiring specialized tools. No prior system knowledge (or software) is expected or required to participate.

Kara Nance
Late Wed
Educational Capture the Flag Experience

This Capture the Flag (CTF) serves as a more technical introduction to common security tools. Staged in a James Bond-themed environment, participants will be tasked with attacking various SPECTRE services in order to find flags. Challenges will focus on common tools and techniques to perform network reconnaissance, digital forensics, web application pentests, identify service misconfigurations, and more. No prior knowledge (or software) is required to participate as guidance and hints are available. More experienced CTF participants will still find the environment challenging.

Kara Nance
Early Tue
Threat Hunting – Revealing the Unknown

Threat hunting, considered as a part of a modern cyber defence, is a proactive process of finding an adversary on the network with the presumption that an unknown asset is already compromised. In this class attendees will go through the basic threat hunting principles and will test them in a practice hands-on lab using IDS, machine learning and visualization techniques.

Marcin Szymankiewicz
Late Tue
Ethics in Computer Security Research and Operations

Ethics is not like porn (“you know it when you see it.”) Ethics is based on philosophies, principles, and evaluation approaches defined by philosophers or codified by regulations or international conventions. We will cover all this and practice evaluating real world situations faced by Honeynet members, computer security researchers & security operators in the public and private sector.

Katherine Carpenter
David Dittrich
Early Wed
Advanced Honeypot Development: Customizing the Glutton

Prerequisites: In order to follow the hands-on training, programming knowledge, a working Golang setup and a recent Linux distribution are expected.

Lukas Rist
Late Wed
Static and Dynamic Android Malware Analysis Using Open-Source Tools

This hands-on Android malware analysis training will focus on static and dynamic methods to understand the maliciousness of a sample. While static analysis could reveal enough information from many samples, the trend now is to increase the difficulty of understanding the behaviour or extracting meaningful information. Malware authors are increasing the level of sophistication of their work; this is where dynamic analysis comes to the rescue to better understand malicious samples. Using open source tools, attendees will perform guided analysis, from basic to medium level complexity. Attendees should have basic knowledge of Linux command line usage, a computer with virtualisation support and VirtualBox installed.

Hugo Gonzalez