Detailed schedule of the Briefings on Wednesday, November 15th 2017.
|0900||0910||Introduction||Welcome and conference administration||Conference Chair (Craig Davies)|
|0910||0925||Introduction||CEO Comments||Faiz Shuja (The Honeynet Project CEO)|
|0925||1000||Cyber Deception Tools||The honeypot, what it was, what is coming|
This talk will present an overview of the current state of deception technologies: from research to enterprise products. The talk will provide practical examples and applications of their use in the field of Internet of Things and Industrial Security. The talk will close with an outlook on what we can expect from the future of honeypots.
|1000||1020||Cyber Deception Tools||Google Summer of Code Research and Development at the Honeynet Project|
Since 2009, Google have sponsored students to work on new security tools and research as part of their Google Summer of Code (GSoC) program. Examples include Cuckoo and MITMP. In this session, Max will briefly explain the program, show recent GSoC achievements, and talk about which role GSoC has for the Honeynet Project. Finally, we talk about how you_ can get involved with GSoC and work with students on cutting-edge research!
|1050||1110||Implementing Cyber Deception||Keynote: Shell Games: Cowrie in the honeypot arms race|
Cowrie is the leading SSH/Telnet Honeypot system. It gained traction over the last three years as the actively maintained successor to Kippo. During this period, honeypot detection improved, and Cowrie had to implement new ways to avoid detection. Parallel to this, attackers started to use attack vectors like direct-tcipip forwarding to proxy traffic anonymously through vulnerable SSH servers. In this talk we’ll discuss how Cowrie was developed, honeypot improvements over the years, how findings from running honeypots influence development and the technology arms race between honeypot builders, attackers and security researchers.
|1110||1130||Catching malicious activity||Catching WannaCry using Cyber Deception|
This talk outlines the changes that we made to the open source Dionaea honeypot to collect SMB traffic associated with the WannaCry ransomware, EternalBlue, "Kill Switch" and SambaCry during the outbreak in May 2017. These modifications   provide an example of the types of actions that can be taken on your production systems to understand the activities on your organisation’s network when the next outbreak arrives.
|Tan Kean Siong|
|1130||1150||Implementing Cyber Deception||Running Deception at Scale - Lessons from Implementing HDFS and machine learning to hunt malicious activity|
As the amount of data generated by systems and networks has increased, so has the need for systems to be able to analyze and process this information. With the introduction of big data frameworks, we have the ability to capture, curate, manage, and process data in a reasonable timeframe.
|1150||1210||Implementing Cyber Deception||Practical Experience with Honeypots and How to Integrate Them into your Environment|
I’ve been tinkering with honeypots for almost 10 years now. In this talk, I’ll share my experiences with honeypots, and provide practical tips, tricks to get the best out of your deployments. The talk will include demonstrations of how to integrate these systems with Cyber Threat Intelligence (CTI) and Dev(Sec)Ops. I’ll also share frameworks I’ve developed in these projects, which you can use on your own environment.
|1210||1230||Implementing Cyber Deception||Enriching Honeypot results with Cuckoo Sandbox|
Jurriaan is one of the lead developers for the open source Cuckoo Project and a member of the Honeynet Project. In this talk he will demonstrate the best methods to integrate honeypots into Cuckoo. He will also give an insight into the Cuckoo Project and what new additions we might see in the future.
|1330||1350||Implementing Cyber Deception||Operating large-scale honeypot sensor networks for fun and (non)profit|
To gain insight into new incident outbreaks on the Internet, it is critical to quickly deploy new honeypot sensors on a large scale. The talk will cover Shadowserver’s efforts at building, deploying and maintaining such large-scale honeypot networks. It will describe the unique challenges encountered and lessons learned whilst attempting to automate the process as much as possible. Data collected from these networks is shared with the security community (National CERTs, network owners etc) as part of the free Shadowserver victim remediation feeds. We will present data analysis results of such deployments, also as part of a new EU Horizon 2020 Project - SISSDEN - that we are involved in. How can the HNP community be involved?
|1350||1420||Aussie Cyber Deception Projects||Keynote: The emergence of commercial cyber deception services to degrade (your) hostile cyber actors|
Active Cyber Defence (ACD) techniques include the use of honeypots, canary tokens and deception operations designed to get inside the intelligence lifecycle of hostile cyber actors… and mess with them. Paul Nevin is a long-time believer of using ACD methods to learn the capability and intent of cyber actors; going back to the late 1990s. He now runs a commercial security company that specialises in running cyber deception operations to disrupt and degrade hostile cyber teams targeting Australian networks. This talk will explore some of the techniques used, early successes (and failures) of these commercial services.
|1420||1440||Aussie Cyber Deception Projects||Spreading honey around: Using honeybits to mislead attackers|
Although honeypots are used by security researchers to study the attackers’ tools, techniques and motives for many years, they still have not been widely accepted and deployed in production environments. One reason is that the traditional implementation of honeypots is static and success is based on an attacker discovering it. This talk will introduce a new open source tool called “honeybits”, a simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs across your production servers and workstations to lure the attacker toward your honeypot(s).
|1440||1500||Aussie Cyber Deception Projects||Baiting with realistic and enticing honeyfile content|
Often the artefacts used to bait insiders and external attackers are not realistic enough to sustain the deception. Random content and content pulled from external sources rarely matches the environment and real material can lead to the loss of sensitive material. This talk will show how to generate fake content using machine learning.
|1520||1545||Adversary Cyber Deception||Unmasking Deception in Malicious Code and Attacks|
Cyber deception is not just for the defenders. This talk provides an overview of the deceptive techniques used to evade detection. The talk will provide examples and demonstrations of deceptive malware as well as techniques used by network infiltrators found from honeypot collections. The talk will conclude with ideas of how to improve your defensive cyber deceptions as a counter-counter to these techniques.
|1545||1610||Adversary Cyber Deception||Behind the scenes of botnet takedowns|
Taking down botnets is a challenging and complex process, requiring not just long-term technical analysis of the threat but also cross-border and cross-jurisdiction cooperation, involving many different (types) of actors. A successful operation culminates in a quick shutdown of cybercriminal operations, and lots of media attention. But what happens behind the scenes to make that possible? In this talk, we will describe Shadowserver’s first-hand experiences in assisting recent takedown operations, such as Avalanche, Dridex and Kelihos. We will identify the main problems facing the takedown teams and how these were overcome. And finally - what role did honeypots and honeypot related technologies play in that process?
|1610||1635||Adversary Cyber Deception||Deception in malware authorship attribution|
With software being distributed and shared widely on the web, anonymity becomes priceless. Modern day malware writers employ advanced obfuscation techniques to hide their identities. Open-source authors often also strive for anonymity. Yet, recent advances in security technology allow us to uncover some of the developer’s identity on the fly. Most of these efforts leverage authorship attribution domain. Well-established in social science, authorship attribution offers a broad spectrum of techniques that allows author characterization based on the analysis of the textual features of documents and an author’s writing style. The underlying assumption of the author attribution approach is based on the premise that every author has a distinctively unique writing style which can be effectively used to identify the writer of a specific malware. With these recent advances in the field of author attribution, is it even possible to remain anonymous on the Internet? If not, can we possibly deceive author attribution?
|1635||1700||Catching malicious activity||Cyber Jihad and Deception|
Over the past fifteen years there has been an exponential increase in the use of digital communications by terrorist organizations. The Internet has significantly enhanced the ability of these organizations to promote their ideologies, recruit new members, instill fear in targeted populations, provide attack vectors for Western targets and provide secure communications among its members. Rather than focusing on an interminable description of numerous instances of these activities, this discussion involves examining the theoretical foundations that make these effective strategies involving deception.
|1700||1710||Close||Closing Remarks||Conference Chair|
|1710||2000||Reception drinks and Student Poster Session|