2013 Honeynet Project Workshop
10-12 Feb 2013 | Dubai

Briefing Agenda - Feb 10 2013

The first day is a one-day set of briefings whose purpose is to bring together security experts to share their experiences and expertise in security technologies with other local and regional information security professionals.

Time Presentation Topic Speaker Video Link
08:00 ~ 09:00 Registration
09:00 ~ 09:30 Welcome Hosts
09:30 ~ 10:30 Keynote Address: Security 2020 Anton Chuvakin
10:30 ~ 10:50 Morning Tea Break
10:50 ~ 11:10 Protecting Ourselves From USB Threats Sebastian Popleau YouTube
11:10 ~ 11:30 Seeing Everything: Circumventing Cryptography in Virtual Environments Brian Hay
11:30 ~ 12:00 Advanced Botnet Sinkholing Tillmann Werner
12:00 ~ 12:30 How Big Data, Data Mining, and Visualization Enable Security Intelligence Raffael Marty YouTube
12:30 ~ 14:00 Lunch
14:00 – 14:30 Secure Exploit Payload Staging…or how we did not kill an 0day at Defcon Georg Wicherski
14:30 ~ 15:00 GCC Honeynet Ahmad Alajail, Mounir Moustafa Kamal, Haitham Al Hajri
15:00 – 15:30 Reversing Malicious Flashy Flash Mahmud Ab Rahman YouTube
15:30 – 15:50 Afternoon Tea Break
15:50 – 16:20 Honeypots: State of the Practice Piotr Kijewski YouTube
16:20 – 16:50 Lord of the Rings – Monitoring malware behavior on all layers Felix Leder YouTube
16:50 – 17:00 Training Preview/Closing Remarks The Honeynet Project


Keynote Address: Security 2020, Anton Chuvakin
Speaker Bio:
Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compli- ance. He is an author of the books “Security Warrior” and “PCI Compliance”.

Protecting Ourselves From USB Threats, Sebastian Popleau
USB devices, in particular flash drives, pose a threat to any computer environment due to the risk of malware using them for propagation. We'll discuss possible strategies to detect attacks and mitigate the risk in a corporate environment. Also, we'll examine some technical details of Ghost, our implementation.
Speaker Bio:
Sebastian Poeplau is the lead developer of the Ghost USB Honeypot, a detection system for USB malware. He is currently a student of Computer Science at Bonn University in Germany and an active member of the Honeynet Project.

Seeing Everything: Circumventing Cryptography in Virtual Environments, Brian Hay
Speaker Bio:
Brian Hay is a researcher with Security Works and specializes in virtualization and virtual machine intro- spection. He is the author of the VIX virtual machine introspection toolkit and a frequent speaker and trainer at security conferences.

Advanced Botnet Sinkholing, Tillmann Werner
Speaker Bio:
Tillmann Werner works for CrowdStrike as a Senior Research Scientist where his duties include the in- depth analysis of targeted attacks. He has a passion for proactive defense strategies like honeypots and botnet takeovers. Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit.

How Big Data, Data Mining, and Visualization Enable Security Intelligence, Raffael Marty
Speaker Bio:
Raffael Marty is one of the world's most recognized authorities on security data analytics. The author of Applied Security Visualization and creator of the open source DAVIX analytics platform, Raffy is the founder and ceo of PixlCloud, a next-generation data visualization application for big data. With a track record at companies including IBM Research and ArcSight, Raffy is thoroughly familiar with established practices and emerging trends in data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. For more than 12 years, Raffy has helped Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security.

Secure Exploit Payload Staging…or how we did not kill an 0day at Defcon, Georg Wicherski
Binary remote exploitation of an unprivileged service often requires an additional local exploit to elevate to root privileges. Even if your target is running as root already, you may want to preserve your exquisite backdoor from being analyzed.
This talk presents a case study of multiple shellcode stages to make sure your payload is not caught, even if the traffic is sniffed all the time and a disk dump is taken right after exploitation (we cannot avoid being caught in a physical memory dump, though). This is achieved by polymorphic obfuscation, proper public key cryptography and not touching the disk at all (while still being able to run any statically linked ELF payload).
The described code has been successfully used in the Defcon 2011 CTF to deliver a FreeBSD local 0day without disclosing it to the playing teams (or so we'd like to believe). A Honeynet Project Forensic Challenge was to analyze this code, now we can present the real code.
Speaker Bio:
Georg Wicherski is a Senior Security Researcher with CrowdStrike, mostly analyzing advanced targeted threats. He loves to work on a low level, abandoning all syntactic sugar that HLL offer and working on instructions or bytecode. Recently, he has developed an interest for the ARM architecture in addition to his old x86 adventures. He runs a sporadically updated blog

GCC Honeynet, Ahmad Alajail, Mounir Moustafa Kamal, Haitham Al Hajri

Speaker Bios:
Mounir Moustafa Kamal (Section Manager – Incident Handling and Digital Forensics) Mounir has more than 15 years of professional Information systems security, digital forensics, incident handling and audit experience plus more years as a security passionate. Mounir worked for several multinational firms in the communication, government and professional services sectors. His last assignment was heading the information security function for Alcatel-Lucent in the MENA region.
Mounir helped launching and then managing the state-of-the-art digital forensics lab and QLAB for malware analysis on behalf of the Supreme Council of Information and Communications Technology, Mounir develop a program for Botnet eradication on national level and develop Botnet investigation training workshop. Mounir present in FIRST 2012 in MALTA and write some articles in different security magazine (Hakin9, Bluekaizen). Mounir is a Carnegie Mellon CERT/CC Certified Incident Handler, Certified Information Systems Auditor (CISA), CEH, CHFI, and CREA

Ahmad Alajail currently works as an Information Security Intelligence and Threat Analysis for United Arab Emirates Computer Emergency and Response Team (aeCERT). His areas of focus are new cyber-security research, malware analysis, honeypot deployment and enhancement.

Haitham AL Hajri is currently holding a position of Incident Response and Digital Forensics Specialist at Oman National CERT, also responsible of the Training Development and Awareness of Government Departments & National Infrastructure within Oman IT SEC governance. Areas of interest are Cyber Crimes, Hacktivism and Digital Investigations.

Reversing Malicious Flashy Flash, Mahmud Ab Rahman
Speaker Bio:
Mahmud Ab Rahman currently works as an Information Security Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. His areas of focus are network security,botnet monitoring, and malware analysis.

Honeypots: State of the Practice, Piotr Kijewski
Speaker Bio:
Piotr Kijewski is the Head of the CERT Polska team at NASK. His main interests in the computer and network security field include threat intelligence, intrusion detection, honeypot technologies and network forensics. Piotr is the author of multiple threat monitoring systems and a frequent speaker at security conferences.

Lord of the Rings – Monitoring malware behavior on all layers, Felix Leder
Monitoring the behavior of malware as it is executed is essential for processing and reverse engineering malicious files. It is used in various projects for investigation, classification, and detection. The Blackboxing and Sandboxing systems use various techniques for achieving this monitoring. This talk explains the different techniques from “Ring 3” to “Ring -1” with real-world examples. This includes a discussion about evasion and anti-evasion techniques.
Speaker Bio:
Felix Leder works as an innovation and new technolo- gies architect for Norman ASA. He has has presented classes around the world on malware analysis, reverse engineering, and anti-botnet approaches.

Register Now!

Contact: events@honeynet.org