2013 Honeynet Project Workshop
10-12 Feb 2013 | Dubai
Briefing Agenda - Feb 10 2013
The first day is a one-day set of briefings whose purpose is to bring together security experts to share their experiences and expertise in security technologies with other local and regional information security professionals.
Keynote Address: Security 2020, Anton Chuvakin
Speaker Bio:
Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is an author of the books “Security Warrior” and “PCI Compliance”.
Protecting Ourselves From USB Threats, Sebastian Poeplau
USB devices, in particular flash drives, pose a threat to any computer environment due to the risk of malware using them for propagation. We'll discuss possible strategies to detect attacks and mitigate the risk in a corporate environment. Also, we'll examine some technical details of Ghost, our implementation.
Sebastian Poeplau is the lead developer of the Ghost USB Honeypot, a detection system for USB malware. He is currently a student of Computer Science at Bonn University in Germany and an active member of the Honeynet Project.
Seeing Everything: Circumventing Cryptography in Virtual Environments, Brian Hay
Speaker Bio:
Brian Hay is a researcher with Security Works and specializes in virtualization and virtual machine introspection. He is the author of the VIX virtual machine introspection toolkit and a frequent speaker and trainer at security conferences.
Advanced Botnet Sinkholing, Tillmann Werner
Speaker Bio:
Tillmann Werner works for CrowdStrike as a Senior Research Scientist where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies like honeypots and botnet takeovers. Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit.
How Big Data, Data Mining, and Visualization Enable Security Intelligence, Raffael Marty
Speaker Bio:
Raffael Marty is one of the world's most recognized authorities on security data analytics. The author of Applied Security Visualization and creator of the open source DAVIX analytics platform, Raffy is the founder and CEO of PixlCloud, a next-generation data visualization application for big data. With a track record at companies including IBM Research and ArcSight, Raffy is thoroughly familiar with established practices and emerging trends in data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. For more than 12 years, Raffy has helped Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security.
Secure Exploit Payload Staging…or how we did not kill an 0day at Defcon, Georg Wicherski
Binary remote exploitation of an unprivileged service often requires an additional local exploit to elevate to root privileges. Even if your target is running as root already, you may want to preserve your exquisite backdoor from being analyzed.
This talk presents a case study of multiple shellcode stages to make sure your payload is not caught, even if the traffic is sniffed all the time and a disk dump is taken right after exploitation (we cannot avoid being caught in a physical memory dump, though). This is achieved by polymorphic obfuscation, proper public key cryptography and not touching the disk at all (while still being able to run any statically linked ELF payload).
The described code has been successfully used in the Defcon 2011 CTF to deliver a FreeBSD local 0day without disclosing it to the playing teams (or so we'd like to believe). A Honeynet Project Forensic Challenge was to analyze this code, now we can present the real code.
Georg Wicherski is a Senior Security Researcher with CrowdStrike, mostly analyzing advanced targeted threats. He loves to work on a low level, abandoning all the syntactic sugar that HLLs offer and working on instructions or bytecode. Recently, he has developed an interest in the ARM architecture in addition to his old x86 adventures. He runs a sporadically updated blog
GCC Honeynet, Ahmad Alajail, Mounir Moustafa Kamal, Haitham Al Hajri
Mounir Moustafa Kamal (Section Manager – Incident Handling and Digital Forensics) Mounir has more than 15 years of professional experience in information systems security, digital forensics, incident handling and audit, plus more years as a security enthusiast. Mounir worked for several multinational firms in the communication, government and professional services sectors. His last assignment was heading the information security function for Alcatel-Lucent in the MENA region.
Mounir helped launch and then managed the state-of-the-art digital forensics lab and QLAB for malware analysis on behalf of the Supreme Council of Information and Communications Technology. Mounir developed a program for botnet eradication on a national level and developed a botnet investigation training workshop. Mounir presented at FIRST 2012 in Malta and has written articles for different security magazines (Hakin9, Bluekaizen). Mounir is a Carnegie Mellon CERT/CC Certified Incident Handler, Certified Information Systems Auditor (CISA), CEH, CHFI, and CREA.
Ahmad Alajail currently works in Information Security Intelligence and Threat Analysis for the United Arab Emirates Computer Emergency and Response Team (aeCERT). His areas of focus are new cyber-security research, malware analysis, honeypot deployment and enhancement.
Haitham Al Hajri currently holds the position of Incident Response and Digital Forensics Specialist at Oman National CERT, and is also responsible for Training Development and Awareness of Government Departments & National Infrastructure within Oman IT SEC governance. His areas of interest are cyber crimes, hacktivism and digital investigations.
Reversing Malicious Flashy Flash, Mahmud Ab Rahman
Speaker Bio:
Mahmud Ab Rahman currently works as an Information Security Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. His areas of focus are network security, botnet monitoring, and malware analysis.
Honeypots: State of the Practice, Piotr Kijewski
Speaker Bio:
Piotr Kijewski is the Head of the CERT Polska team at NASK. His main interests in the computer and network security field include threat intelligence, intrusion detection, honeypot technologies and network forensics. Piotr is the author of multiple threat monitoring systems and a frequent speaker at security conferences.
Lord of the Rings – Monitoring malware behavior on all layers, Felix Leder
Monitoring the behavior of malware as it is executed is essential for processing and reverse engineering malicious files. It is used in various projects for investigation, classification, and detection. Blackboxing and sandboxing systems use various techniques to achieve this monitoring. This talk explains the different techniques from “Ring 3” to “Ring -1” with real-world examples. This includes a discussion of evasion and anti-evasion techniques.
Felix Leder works as an innovation and new technologies architect for Norman ASA. He has presented classes around the world on malware analysis, reverse engineering, and anti-botnet approaches.