2013 Honeynet Project Workshop
10-12 Feb 2013 | Dubai

Training Agenda - Feb 11-12 2013

In 2013, we will offer hands-on tutorials trainings where we will be running six classes, three of which are 1-day in length and four which are 2-day. The Honeynet Project ensures that training courses meet the highest expectations and levels of professionalism.

The trainings will be hands-on and you are required to bring a laptop.

Trainings will start at 9:00 and end at 17:00. Registration desk opens at 8:30.

1 Day - Hands-on Training

Track 1: Track 2:
Feb 11thConfiguring an Environment for Threat Assessment
(Mark Schloesser)
Network Analysis and Forensics
(Guillaume Arcas)
Feb 12thVirtualization Security
(Brian Hay)
Network Analysis and Forensics (repeat)
(Guillaume Arcas)

2 Day - Hands-on Training

Track 3: Track 4:
Feb 11th-Feb 12thMalware Reverse Engineering
(Felix Leder)
Understanding and Mitigating Botnets
(Brett Stone-Gross, Tillmann Werner)

Class 1: Configuring an Environment for Threat Assessment
Instructor:Mark Schloesser
Instructor bio:Mark Schloesser is a research assistant at the RWTH Aachen University’s IT security group. His main focus is malware collection and botnet monitoring, as well as distributed data sharing and processing.
Training summary:This training will be focused on deploying, using and integrating a set of open-source tools with the common goal of building a functional and centralized threat intelligence framework. We are going to learn how to use different types of collection systems, how to analyze the data and how to consume such data to gather additional intelligence. The contents have the goal to provide you with both basic and detailed information on all the single components and techniques we are going to deal with.
The work flow will be flexible - we start from the ground and go deeper according to the perception and interest shown by the attendees. As the instructor also is a developer for most of the tools presented, it is possible to occasionally deviate from the original schedule and adapt to the ongoing training.
The activities will be structured in a challenge-based fashion, where the attendees will be required to actively solve some exercises of gradually increasing complexity.

Prerequisites:knowledge of a programming language (preferably python) ;basic administrative skills (networking / command line)
What to bring:virtualization capable laptop with VirtualBox installed

Class 2: Virtualization Security
Instructor:Brian Hay
Instructor bio:Brian Hay is a researcher with Security Works and specializes in virtualization and virtual machine intro- spection. He is the author of the VIX virtual machine introspection toolkit and a frequent speaker and trainer at security conferences.
Training summary:This course will provide an introduction to virtualization, virtualization architectures, and virtualization platforms, with an emphasis on how they are used in enterprise environments. It will also cover the security implications of using virtualization, including the ways in which virtualization can be used to address security challenges, the different risks that arise when using virtualized environments, and mitigation strategies for the security related issues that can arise as a result of using virtualization.

Prerequisites:Participants should have at least basic system administration skills, and some basic knowledge about networking. Previous understanding of virtualization is not required.
What to bring:A windows laptop with the latest vSphere client installed.

Class3: Network analysis & forensics
Instructor:Guillaume Arcas (Sekoia)
Instructor bio:Guillaume works as Threat Analyst since 1997 mainly in Internet/Telco and Banking industry. He is also teacher on Security & Newtork Analysis/Forensics at french ESIEA high school and member of French Honeynet Chapter since 2009.
Training summary:
  • Introduction to network analysis & forensics
  • The tools: Wireshark, snort & other Open Source software
  • Basic Usage 1: How to extract files from PCAPs
  • Basic Usage 2: How to track web surfing from PCAPs
  • Basic Usage 3: How to identify a malware from PCAPs
  • Advanced Usage: Introduction to GSoC plugins
Attendee takeaways and key learning objectives: Attendees will learn how to use Wireshark and Open Source network analysis tools to quickly find key elements in live or dumped network tracks.Training will be based on real-life situation & PCAPs.

Class 4: Malware Reverse Engineering
Instructor:Felix Leder (Norman)
Instructor bio:Felix Leder is working as an innovation and new technologies architect for Norman ASA. After starting with Nokia he turned to h\ is favourite field of research: IT-Security. During the time he worked for Fraunhofer and the University of Bonn, he joined into researching botnet mitigation tactics and new methodologies for executable and malware \ analysis. The results were successful takedowns.
Felix Leder has given world-wide classes on malware analysis, reverse engineering, and anti-botnet approaches. Participants range from governmental institutions, financial & security industries, to milit\ ary bodies.
Training summary:Some people say that reverse engineering - and especially malware reverse engineering - is an art. Actually i\ t is not. It is just the selection and application of the right methods and tools for the desired goal. This training contains an introduction to reverse engineering and how to approach suspicious and ma\ licious files. The main focus will be on executable malware. The major properties and identification criteria for malware will be discussed together with the methodology to investigate efficiently. This \ is complemented by presenting and playing around with state-of-the-art tools in real world excercises. Participants are required to have Windows admin or even development knowledge together with basic un\ derstanding of major protocols used in the Internet. Basic programming skills (in an arbitrary language) are required, too. Helpful is a basic understanding of the x86 architecture for the second half of\ the workshop (but not a requirement).

Attendee takeaways and key learning objectives: * Reverse engineering introduction
* Systematically approaching suspicious applications and files
* The right tools for achieving the desired analysis goal
* Hands-on exercises
What to bring:A windows laptop with the latest vSphere client installed.

Class 5: Understanding and Mitigating Botnets
Instructor:Tillmann Werner
Instructor bio:Tillmann Werner works for CrowdStrike as a Senior Research Scientist where his duties include the in- depth analysis of targeted attacks. He has a passion for proactive defense strategies like honeypots and botnet takeovers. Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit.
Instructor:Brett Stone-Gross
Instructor bio:Dr. Brett Stone-Gross is a senior security researcher on the Dell SecureWorks Counter Threat Unit (CTU) research team. He has collaborated with many leading security experts to disrupt large-scale cybercriminal operations, including botnets that were used for financial theft, click-fraud, spam and fake antivirus software. Stone-Gross specializes in malware analysis, reverse engineering, and attack attribution authoring more than 10 publications presented at top computer security conferences around the world.
Training summary:Botnets, remote-controlled collectives of infected machines, are today.s number one cyberweapon on the Internet and used by criminals for various purposes. In this training, attendees will take the role of a botmaster and construct their own botnet using the latest exploit kits to load custom built malware onto a victim.s machine. They will then learn how this setup is used in the cyber underground to monetize these resources by conducting DDoS attacks, running spam campaigns, stealing personal information, etc. The hands-on exercises will be complemented by a discussion of the techniques used in modern botnets to improve resilience to mitigation efforts. Building upon this knowledge, we will introduce techniques to take down several types of botnets. We will cover all modern botnet architectures, ranging from old-school centralized IRC botnets to advanced peer-to-peer topologies.

Prerequisites and what to bring:
laptop with Windows virtual machine; familiar with their virtualization setup; basic programming skills preferred

Register Now!

Contact: events@honeynet.org