Detailed schedule of the Briefings on Wednesday, November 15th 2017.

Conference briefings

Broad TopicAbstractSpeaker 
IntroductionWelcome and conference administrationConference Chair (Craig Davies)
IntroductionCEO CommentsFaiz Shuja (The Honeynet Project CEO)
Cyber Deception ToolsThe honeypot, what it was, what is coming

This talk will present an overview of the current state of deception technologies: from research to enterprise products. The talk will provide practical examples and applications of their use in the field of Internet of Things and Industrial Security. The talk will close with an outlook on what we can expect from the future of honeypots.

Lukas Rist
09501010Cyber Deception ToolsGoogle Summer of Code Research and Development at the Honeynet Project

Since 2009, Google have sponsored students to work on new security tools and research as part of their Google Summer of Code (GSoC) program. Examples include Cuckoo and MITMP. In this session, Max will briefly explain the program, show recent GSoC achievements, and talk about which role GSoC has for the Honeynet Project. Finally, we talk about how you_ can get involved with GSoC and work with students on cutting-edge research!

Maximilian Hils
10101030Implementing Cyber Deception
Implementing Cyber DeceptionKeynote: Shell Games: Cowrie in the honeypot arms race

Cowrie is the leading SSH/Telnet Honeypot system. It gained traction over the last three years as the actively maintained successor to Kippo. During this period, honeypot detection improved, and Cowrie had to implement new ways to avoid detection. Parallel to this, attackers started to use attack vectors like direct-tcipip forwarding to proxy traffic anonymously through vulnerable SSH servers. In this talk we’ll discuss how Cowrie was developed, honeypot improvements over the years, how findings from running honeypots influence development and the technology arms race between honeypot builders, attackers and security researchers.

Michel Oosterhof
Catching malicious activityCatching WannaCry using Cyber Deception

This talk outlines the changes that we made to the open source Dionaea honeypot to collect SMB traffic associated with the WannaCry ransomware, EternalBlue, "Kill Switch" and SambaCry during the outbreak in May 2017. These modifications [1] [2] provide an example of the types of actions that can be taken on your production systems to understand the activities on your organisation’s network when the next outbreak arrives.

Tan Kean Siong
Implementing Cyber DeceptionRunning Deception at Scale - Lessons from Implementing HDFS and machine learning to hunt malicious activity

As the amount of data generated by systems and networks has increased, so has the need for systems to be able to analyze and process this information. With the introduction of big data frameworks, we have the ability to capture, curate, manage, and process data in a reasonable timeframe.

This talk will focus on the real world implementation of this system to analyze and detect trends. Leveraging HDFS and Spark, we are able to quickly query and analyze data to feed into machine learning classifiers. Additionally, we leverage a variety of machine learning approaches in order to detect variances in our data sets that are indicative of system misconfigurations or malicious activity in the network.

Using this system, we are able to process tens of gigabits of traffic per second across tens of thousands of servers in a dozen datacenters, analyzing this traffic to detect and alert on any deviations that exist in the environment.

Rusty Bower
Implementing Cyber DeceptionPractical Experience with Honeypots and How to Integrate Them into your Environment

I’ve been tinkering with honeypots for almost 10 years now. In this talk, I’ll share my experiences with honeypots, and provide practical tips, tricks to get the best out of your deployments. The talk will include demonstrations of how to integrate these systems with Cyber Threat Intelligence (CTI) and Dev(Sec)Ops. I’ll also share frameworks I’ve developed in these projects, which you can use on your own environment.

Emil Tan
Implementing Cyber DeceptionEnriching Honeypot results with Cuckoo Sandbox

Jurriaan is one of the lead developers for the open source Cuckoo Project and a member of the Honeynet Project. In this talk he will demonstrate the best methods to integrate honeypots into Cuckoo. He will also give an insight into the Cuckoo Project and what new additions we might see in the future.

Jurriaan Bremer
Implementing Cyber DeceptionOperating large-scale honeypot sensor networks for fun and (non)profit

To gain insight into new incident outbreaks on the Internet, it is critical to quickly deploy new honeypot sensors on a large scale. The talk will cover Shadowserver’s efforts at building, deploying and maintaining such large-scale honeypot networks. It will describe the unique challenges encountered and lessons learned whilst attempting to automate the process as much as possible. Data collected from these networks is shared with the security community (National CERTs, network owners etc) as part of the free Shadowserver victim remediation feeds. We will present data analysis results of such deployments, also as part of a new EU Horizon 2020 Project - SISSDEN - that we are involved in. How can the HNP community be involved?

Piotr Kijewski
Aussie Cyber Deception ProjectsKeynote: The emergence of commercial cyber deception services to degrade (your) hostile cyber actors

Active Cyber Defence (ACD) techniques include the use of honeypots, canary tokens and deception operations designed to get inside the intelligence lifecycle of hostile cyber actors… and mess with them. Paul Nevin is a long-time believer of using ACD methods to learn the capability and intent of cyber actors; going back to the late 1990s. He now runs a commercial security company that specialises in running cyber deception operations to disrupt and degrade hostile cyber teams targeting Australian networks. This talk will explore some of the techniques used, early successes (and failures) of these commercial services.

Paul Nevin
Aussie Cyber Deception ProjectsSpreading honey around: Using honeybits to mislead attackers

Although honeypots are used by security researchers to study the attackers’ tools, techniques and motives for many years, they still have not been widely accepted and deployed in production environments. One reason is that the traditional implementation of honeypots is static and success is based on an attacker discovering it. This talk will introduce a new open source tool called “honeybits”, a simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs across your production servers and workstations to lure the attacker toward your honeypot(s).

Adel Karimi
Aussie Cyber Deception ProjectsBaiting with realistic and enticing honeyfile content

Often the artefacts used to bait insiders and external attackers are not realistic enough to sustain the deception. Random content and content pulled from external sources rarely matches the environment and real material can lead to the loss of sensitive material. This talk will show how to generate fake content using machine learning.

Ben Whitham
Adversary Cyber DeceptionUnmasking Deception in Malicious Code and Attacks

Cyber deception is not just for the defenders. This talk provides an overview of the deceptive techniques used to evade detection. The talk will provide examples and demonstrations of deceptive malware as well as techniques used by network infiltrators found from honeypot collections. The talk will conclude with ideas of how to improve your defensive cyber deceptions as a counter-counter to these techniques.

Felix Leder
Adversary Cyber DeceptionBehind the scenes of botnet takedowns

Taking down botnets is a challenging and complex process, requiring not just long-term technical analysis of the threat but also cross-border and cross-jurisdiction cooperation, involving many different (types) of actors. A successful operation culminates in a quick shutdown of cybercriminal operations, and lots of media attention. But what happens behind the scenes to make that possible? In this talk, we will describe Shadowserver’s first-hand experiences in assisting recent takedown operations, such as Avalanche, Dridex and Kelihos. We will identify the main problems facing the takedown teams and how these were overcome. And finally - what role did honeypots and honeypot related technologies play in that process?

David Watson
Adversary Cyber DeceptionDeception in malware authorship attribution

With software being distributed and shared widely on the web, anonymity becomes priceless. Modern day malware writers employ advanced obfuscation techniques to hide their identities. Open-source authors often also strive for anonymity. Yet, recent advances in security technology allow us to uncover some of the developer’s identity on the fly. Most of these efforts leverage authorship attribution domain. Well-established in social science, authorship attribution offers a broad spectrum of techniques that allows author characterization based on the analysis of the textual features of documents and an author’s writing style. The underlying assumption of the author attribution approach is based on the premise that every author has a distinctively unique writing style which can be effectively used to identify the writer of a specific malware. With these recent advances in the field of author attribution, is it even possible to remain anonymous on the Internet? If not, can we possibly deceive author attribution?

Natalia Stakhanova
Adversary Cyber Deception
16401700Catching malicious activityCyber Jihad and Deception

Over the past fifteen years there has been an exponential increase in the use of digital communications by terrorist organizations. The Internet has significantly enhanced the ability of these organizations to promote their ideologies, recruit new members, instill fear in targeted populations, provide attack vectors for Western targets and provide secure communications among its members. Rather than focusing on an interminable description of numerous instances of these activities, this discussion involves examining the theoretical foundations that make these effective strategies involving deception.

Max Kilger
17001710CloseClosing RemarksConference Chair
17102000Reception drinks and Student Poster Session
Schedule of Talks in Canberra 2017 Honeynet Workshop