2015 Honeynet Project Workshop
18-20 May 2015 | Stavanger Norway
BRIEFINGS
The Honeynet Project: Then and Now
Speaker: Lance Spitzner
This talk will be about the history of the Honeynet Project, to include how it started and why. The project has a fascinating history with amazing folks involved every step of the way.
What Has Really Changed in Security - And What Has Stayed the Same?!
Speaker: Anton Chuvakin
"Watch this totally new threat!" is as common a statement in our domain of information security ("cyber" for those "on-trend" folks) as password set to "password." So, in this era of cloud, mobile and big data -- but also Windows XP and mainframes -- what has changed (and how) and what stayed the same (and why) in information security. This talk will explore and - where possible - predict what we have been through so far and what may yet to come to our field.
Speaker: Raffael Marty
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise. Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
The Dividing Line: What the Tools Can't Tell Us
Speaker: Kara Nance
Mitigating threats is an approachable task after the threat-related behaviors have been identified. The situation is much more challenging when you are not sure what you are looking for. The human mind is highly adept at quickly identifying visual anomalies in large images. As part of a defense-in-depth strategy, these human pattern recognition capabilities can supplement traditional tools to help us see things that the tools can’t tell us.
Using Visualization to Develop Mitigation Strategies
Speaker: Kara Nance
This presentation investigates the application of visualization combined with human abductive reasoning, with the initial goal of identifying some behavioral characteristics associated with a type of card-present fraud. It then demonstrates how this knowledge can be used to guide the evolution of analytical tools to develop mitigation strategies as part of continuous security evolution.
Android malware code reuse: myths and reality
Speaker: Natalia Stakhanova
The appearance of the Android platform and its popularity has resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging the openness of Android app markets and the lack of security testing, malware authors commonly plagiarize Android applications (through code reuse and repackaging) boosting the amount of malware on the markets and consequently the infection rate. In this talk, we will revisit the question of mobile malware repackaging. We examine the reuse practices and present several lightweights methods for its detection.
Mobile Inception: a look inside modern espionage malware
Speaker: Ryan Smith
Mobile devices have become very lucrative targets for cybercrime and cyber espionage in recent years. Attackers are able to remotely gather sensitive information such as location, email, text messages, and even tap phone calls. At the end of 2014 our research team discovered a very sophisticated cyber attack campaign dubbed “Inception", which targeted high level government officials and key industrial sectors across the globe. This campaign included several different components including malware targeting Android, iOS, and BlackBerry as well Windows malware and a network of compromised wifi routers and web servers. This presentation will focus on the mobile malware components of the Inception campaign, specifically the Android malware components. Together we will walk through the analysis process and discover the core components and capabilities of these sophisticated modern wiretapping malware. We will dissect their command and control protocols, custom encryption, and capabilities intended to listen in on phone calls and gather intimate personal details from some of the world’s top leaders.
Smart Attacks: Defending the Changing Landscape
Speaker: Felix Leder
The way we use computers has shifted significantly. Rather than using information technology focused around single devices, we are using a tablets, laptops, smartphones, and others smart components simultaneously. We trust that our data will accessible to us – not only on a single laptop – but anytime and anywhere. Even after the introduction of the first smartphones in the 2000s or the first recognized tablet (iPad) in 2010, cyber criminals have continued to have device-centric focus. Now, that thinking is shifting. There is a clear trend that attackers of all kinds adopt a more holistic approach and follow the data. Single devices have become part of larger and structured campaigns. This presentation includes various war-stories that illustrate the changing threat landscape and how multiple devices are combined into campaigns. These examples help to understand the new attack vectors that security professionals are increasingly facing. Based on this, we discuss various defense mechanisms.
ICS Honeypot Deployment Strategies and Technologies
Speaker: Lukas Rist
Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. The Honeypot comes with a range of common industrial control protocols to build complex infrastructures to deceive an adversary. In this presentation we will give insights into our deployment strategies, which apply to most Honeypot deployments, the data we collect and what we don't see and what happens when you build your own industrial system.
Android Botnets: past, present and future
Speaker: Hugo Gonzalez
This presentation will include a brief discussion of Android platform vulnerabilities, and then a presentation of Android botnet evolution. A deep inspection on the most infamous families will be showed and the differences between the traditional and mobile botnets will be highlighted. Discussion will include AnserverBot, Sandroid, Zitmo, MisoSMS and others. Typical botnets look primarily for resources and secondly for data. In general mobile botnets looks primarily for data, specifically for SMS content, and secondly for resources. The distribution channels are different from the desktop botnets as they rely mostly on social engineering to entice users to install a malicious apk which contains the botnet code. One can identify two trends in mobile botnets distribution: An apk that only contains the malicious code or a legitimate apk infected and repackaged with the malicious component. Although obfuscation and encryption are gaining more usage in the Android malware, these are not currently a huge problem as in the desktop malware yet.
Conducting the perfect crime: the one you cannot detect
Speaker: Per Thorseim
During the past year we have seen an increase in attacks were stolen credentials were used to gain unauthorized access. Technical means may not be sufficient enough to detect them, we may have to involve the human factor as well. So, can you tell me where you are right now, and what you are doing?
Graphing all the Malware: Using Graph Databases to Mine Twitter For Malware
Speaker: Ryan Smith
Graphs are natural data structures to express the inherent relationships
between malware. For example malware may be directly connected through
common code segments, command and control servers, or signatures. Malware
may also be connected indirectly, such as sharing common cloud
infrastructure, domain registrars, distribution channels, or command and
control domains resolving to a common IP address. One of the challenges
of using a graph data structure to store and query all of these direct and
indirect relationships is that traditional data stores, such as relational
databases, are not naturally designed to for such many-to-many operations
at large scale. This is the gap that Graph Databases were designed to
fill. Graph Databases are a type of noSQL database, which are designed to
store, query, and operate on data natively as a graph.
This presentation will provide an overview of Graph Databases, and how
they may be used as an alternative to SQL in certain cases. One
particular use case that will be used to demonstrate the power of GraphDBs
is how they can be used to efficiently search through Twitter data to
identify Android malware distribution channels. This method has been
quite effective in identifying new malware based on its direct or indirect
relationships to known malware, and has been used to identify several
previously unknown malware and identify coordinated malware campaigns.
While graph databases won’t be proposed as the new gold standard of data
stores, the case will be made that for certain use cases graphDBs provide
an efficient way to store and explore your large-scale graph data.
Incident handling of cyber espionage
Speaker: Marie Moe
Incident handling of intrusions related to cyber espionage operations is a complex and challenging task. As a national CERT with a unique national early warning detection system, NSM NorCERT has detected and responded to incidents that vary from traditional incident response and abuse handling to counter-intelligence operations. Based on some real-world examples, this talk will be about incident handling of cyber espionage intrusions. What are the most common pitfalls and how can companies be better prepared?
What You Don't Know Will Hurt You
Speaker: Hanne Moen
The ever-growing use of cloud services and outsourcing partners leads to more complexity, uncertainty and regulatory requirements. What really hides behind the smoke and mirrors of your vendor's service descriptions and SLAs? At the end of the day you still own the information. You can outsource the workload, but the risk remains yours. The key to successful outsourcing partnerships is to assure you are on the same page as your outsourcing partner when it comes to their safeguarding of your information. This presentation shares the experiences, both good and bad (and entertaining), that mnemonic has gathered from performing due diligence and security assessments of service providers based all over the world.
"Who hacked my drone?" Cybersecurity and Digital Forensics in Robotics
Speaker: Francesca Bosco
The expansion of robotics, from their adoption in the defense and medical industries to agriculture and commerce, among other sectors, raises many questions with respect to incident response in the event of a deliberate or accidental malfunction. Figuring out the answers to questions concerning why a robot was attacked, and who attacked it, are vital for developing the proper tools and security measures to tackle emerging threats in this field. This presentation assesses the role of cybersecurity and digital forensics in robotics, examining the potential damage caused by cyber attacks on robots, what can be learned from applying digital forensics to this scenario, and emphasising the necessary standards to be put in place in order to ensure both the protection of robotic assets and human life.
Rethinking Enterprise Security: Lifecycle Defense
Speaker: Felix Leder
Most organizations still try to “protect” themselves from cyber attacks. Following recent attack campaigns, it becomes obvious that the question nowadays is not “if” an organization will be breached but “when”. Relying purely on concepts for protection, makes it very easy to crack the defenses. A single weak spot is enough for the adversary to gain control. Afterwards, protection is just shut off and data exfiltration is unlimited. There are plenty of examples from various sectors and organizations of different sizes. In this presentation, alternative strategies from continuous response to exploiting the knowledge asymmetry are illustrated. We will discuss required resources and types of technology that are required for the implementation. This will be spiced up with real world examples.
Criminality Reinvented: Assessing the Cybercrime Evolution
Speaker: Francesca Bosco
In the last twenty years, the nature of cybercrime has undergone a complete transformation, evolving from simple curiosity on the part of hackers to now encompassing multiple forms of criminality, leading to billions of dollars in damages to the global economy on an annual basis. Today, cyber threats are multiplying at lightening speed, with the development of dark markets, new forms of malware, increasingly sophisticated phishing schemes, and an array of other threats leading the way in this field. Additionally, organized crime groups, both in the traditional sense and those posing as loosely affiliated networks, have claimed their turf in cyberspace, facilitating the spread of crime across borders and contributing to cybercrime's already transnational nature. This presentation assesses cybercrime's evolution in recent years, highlights the entrance of organized criminal groups into this sphere, and addresses a series of case studies pertaining to prominent cybercrime incidents that have taken place in last five years.
Speaker: Kai Roer
In this talk, Kai Roer will share a few of the psychological mechanisms that makes us all exploitable, and how we may protect ourselves from such exploits.
Fighting politically motivated DDoS attacks. When Miners meet HYIPters
Speaker: Arthur Blair
Fighting cyberattacks are an interesting technical challenge that combines the need of deep understanding of internetworking, traffic analysis and mitigation techniques. But as in the story of the blind men and the elephant, specialists that works in security do not seem to agree in what a cyberattack really is. Popular attack metrics hide much more interesting views of cyberwarfare.The presentation will cover three common and recent cyberattacks, its attackers and its victims. The presentation will try to show how cyberarmies and underground "business" work and how the mother of the largest infrastructure attacks recently seen has been implemented.
Speaker: Lasse Andresen
The Internet of Things is more like the Compuserve of Things, the Prodigy of Things, and the AOL of Things today: Devices and services don’t talk to each other, so users are left in the dark – or resort to flipping switches the old-fashioned way.
But identity has the power to make cities a better place to live and improve quality of life for citizens, driven by digital transformation. Identity doesn’t just represent a person; every individual device, machine, appliance, and you-name-it that’s connected to the Internet has an identity. So welcome, citizen, to the smart city, where everything can harness the power of identity. Your utility meter, parking spaces, traffic lights — and even your disaster early warning system — has an identity.
An identity-centric design establishes secure relationships between people, between people and things, and between things themselves. With a focus on identities, it’s easy to connect and build new, secure, personalized user experiences. And when people are in the mix, those relationships can involve consented data sharing so that individuals always stay in control.
This talk will focus best practices and lessons learned through the San Francisco IoT for Cities Initiative.
The softer side of security - how do we build a security culture?
Speaker: Tone Skartveit
IT and Geosicence soultions provider Cegal is known for a strong company culture. How do the culture and the work environment amplify security awareness amongst employees and customers? This talk will provide some thoughts and ideas on how to ensure a culture for conducting security assessments and good decisions. Basically to put security awareness into the spinal cord of an organization.
Speaker: Kristine Beitland
A quiet revolution is taking place in Europe’s classrooms. All across the continent, pioneering teachers, curious children and forward-thinking decision-makers are slowly but surely reshaping how we view the role of technology in education. What is done in Norway to "Creating the next generation of technology innovators (Kodu Cup and Hour of Code)”?
Welcome and The story of Security Divas in Norway
Speakers: Tone Bakås & Renate Thoreid
Tone and Renate has been the programme committee for the Security Diva track. They want to welcome you to Norway and tell the story of Security Divas in Norway.
How Statoil is securing its values
Speaker: Sonja Indrebø
From a business perspective protecting our information and systems can be seen as an overwhelming task given the threat picture today. Statoil's reponse is to adress the challenge from three angles: governance, technology and behaviour. Hear more about what we do and our experience.
T-Pot: Automated Honeypot deployment in less than 30 minutes
Speakers: Marco Ochse & André Vorbach
This talk will give an introduction on the sensor network deployed by Deutsche Telekom and discuss a new open source honeypot platform “T-Pot”, an easy to deploy and maintain honeypot system that is currently in development. The aim of this project is to minimize deployment efforts and maintenance using dockerized honeypots.
A Criminological Perspective on Intrusion Kill Chains and Adaptive Adversaries
Speaker: Aunshul Rege
The Lockheed Martin Corporation created an Intrusion Kill Chain (IKC) model that offered a systematic intrusion process that adversaries employ. The IKC was defined as reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. While this kill chain is important, its focus is on detection, mitigation, and analysis. The proposed talk shares ongoing research that focuses on the human element in the intrusion kill chain as well as on attack progressions and flows to capture the ‘adaptive’ nature of the adversary. Specifically, it seeks to examine how killing the intrusion chain at various stages impacts the adversarial response in terms of technique, movement in the chain, intensity, frequency and duration. It discusses data obtained thus far through a mixed methodology of surveys, interviews and focus groups with hackers, penetration testers, vendors and industry representatives as well as observations from live cybersecurity exercises to offer a criminological take on adaptive adversaries and their possible movements in intrusion chains.
Can you put personal data in the Cloud?
Speaker: Martha Eike
Yes, you can, but do you know what you need to do in advance? The presentation will give you guidance on how to comply with the Personal Data Act and Regulations, what to consider when you choose your Cloud Service Provider, and give you an update on the national and international work within Data Protection and Cloud Computing.
Searching for silver bullets - detecting application layer DoS attacks
Speaker: Natalia Stakhanova
A recent escalation of application layer Denial of Service (DoS) attacks on the Internet has quickly shifted the interest of the research community traditionally focused on network-based DoS attacks. A number of studies came forward showing the potency of attacks, introducing new varieties and discussing potential detection strategies. The underlying problem that triggered all this research is the stealthiness of application layer DoS attacks. Since they usually do not manifest themselves at the network level, these attacks commonly avoid traditional network-layer based detection mechanisms. In this talk we turn our attention to application layer DoS attacks. We explore their effectiveness on modern web servers and discuss potential detection strategies.
Event Partner
