Briefings

Since 2009, Google have sponsored students to work on new security tools and research as part of their Google Summer of Code (GSoC) program. Examples include Cuckoo and MITMP. In this session, Max will briefly explain the program, show recent GSoC achievements, and talk about which role GSoC has for the Honeynet Project. Finally, we talk about how you_ can get involved with GSoC and work with students on cutting-edge research!

Cowrie is the leading SSH/Telnet Honeypot system. It gained traction over the last three years as the actively maintained successor to Kippo. During this period, honeypot detection improved, and Cowrie had to implement new ways to avoid detection. Parallel to this, attackers started to use attack vectors like direct-tcipip forwarding to proxy traffic anonymously through vulnerable SSH servers. In this talk we’ll discuss how Cowrie was developed, honeypot improvements over the years, how findings from running honeypots influence development and the technology arms race between honeypot builders, attackers and security researchers.

As the amount of data generated by systems and networks has increased, so has the need for systems to be able to analyze and process this information. With the introduction of big data frameworks, we have the ability to capture, curate, manage, and process data in a reasonable timeframe.

This talk will focus on the real world implementation of this system to analyze and detect trends. Leveraging HDFS and Spark, we are able to quickly query and analyze data to feed into machine learning classifiers. Additionally, we leverage a variety of machine learning approaches in order to detect variances in our data sets that are indicative of system misconfigurations or malicious activity in the network.

Using this system, we are able to process tens of gigabits of traffic per second across tens of thousands of servers in a dozen datacenters, analyzing this traffic to detect and alert on any deviations that exist in the environment.

Jurriaan is one of the lead developers for the open source Cuckoo Project and a member of the Honeynet Project. In this talk he will demonstrate the best methods to integrate honeypots into Cuckoo. He will also give an insight into the Cuckoo Project and what new additions we might see in the future.

To gain insight into new incident outbreaks on the Internet, it is critical to quickly deploy new honeypot sensors on a large scale. The talk will cover Shadowserver’s efforts at building, deploying and maintaining such large-scale honeypot networks. It will describe the unique challenges encountered and lessons learned whilst attempting to automate the process as much as possible. Data collected from these networks is shared with the security community (National CERTs, network owners etc) as part of the free Shadowserver victim remediation feeds. We will present data analysis results of such deployments, also as part of a new EU Horizon 2020 Project - SISSDEN - that we are involved in. How can the HNP community be involved?

Although honeypots are used by security researchers to study the attackers’ tools, techniques and motives for many years, they still have not been widely accepted and deployed in production environments. One reason is that the traditional implementation of honeypots is static and success is based on an attacker discovering it. This talk will introduce a new open source tool called “honeybits”, a simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs across your production servers and workstations to lure the attacker toward your honeypot(s).

Taking down botnets is a challenging and complex process, requiring not just long-term technical analysis of the threat but also cross-border and cross-jurisdiction cooperation, involving many different (types) of actors. A successful operation culminates in a quick shutdown of cybercriminal operations, and lots of media attention. But what happens behind the scenes to make that possible? In this talk, we will describe Shadowserver’s first-hand experiences in assisting recent takedown operations, such as Avalanche, Dridex and Kelihos. We will identify the main problems facing the takedown teams and how these were overcome. And finally - what role did honeypots and honeypot related technologies play in that process?

Over the past fifteen years there has been an exponential increase in the use of digital communications by terrorist organizations. The Internet has significantly enhanced the ability of these organizations to promote their ideologies, recruit new members, instill fear in targeted populations, provide attack vectors for Western targets and provide secure communications among its members. Rather than focusing on an interminable description of numerous instances of these activities, this discussion involves examining the theoretical foundations that make these effective strategies involving deception.