2013 Honeynet Project Workshop
10-12 Feb 2013 | Dubai
Training Agenda - Feb 11-12 2013
In 2013, we will offer hands-on tutorial trainings: six classes, three of which are 1-day in length and four of which are 2-day. The Honeynet Project ensures that training courses meet the highest expectations and levels of professionalism.
The trainings will be hands-on and you are required to bring a laptop.
Trainings will start at 9:00 and end at 17:00. Registration desk opens at 8:30.
1 Day - Hands-on Training
2 Day - Hands-on Training
| Class 1: Configuring an Environment for Threat Assessment | |
| --- | --- |
| Instructor: | Mark Schloesser |
| Instructor bio: | Mark Schloesser is a research assistant at the RWTH Aachen University's IT security group. His main focus is malware collection and botnet monitoring, as well as distributed data sharing and processing. |
| Training summary: | This training will focus on deploying, using and integrating a set of open-source tools with the common goal of building a functional, centralized threat intelligence framework. We are going to learn how to use different types of collection systems, how to analyze the data, and how to consume such data to gather additional intelligence. The content aims to provide you with both basic and detailed information on all the individual components and techniques we are going to deal with. The workflow will be flexible: we start from the ground up and go deeper according to the interest shown by the attendees. As the instructor is also a developer of most of the tools presented, it is possible to occasionally deviate from the original schedule and adapt to the ongoing training. The activities will be structured in a challenge-based fashion, where attendees will be required to actively solve exercises of gradually increasing complexity. |
| Prerequisites: | Knowledge of a programming language (preferably Python); basic administrative skills (networking / command line) |
| What to bring: | Virtualization-capable laptop with VirtualBox installed |
| Class 2: Virtualization Security | |
| --- | --- |
| Instructor: | Brian Hay |
| Instructor bio: | Brian Hay is a researcher with Security Works and specializes in virtualization and virtual machine introspection. He is the author of the VIX virtual machine introspection toolkit and a frequent speaker and trainer at security conferences. |
| Training summary: | This course will provide an introduction to virtualization, virtualization architectures, and virtualization platforms, with an emphasis on how they are used in enterprise environments. It will also cover the security implications of using virtualization, including the ways in which virtualization can be used to address security challenges, the different risks that arise when using virtualized environments, and mitigation strategies for the security-related issues that can arise as a result of using virtualization. |
| Prerequisites: | Participants should have at least basic system administration skills and some basic knowledge about networking. Previous understanding of virtualization is not required. |
| What to bring: | A Windows laptop with the latest vSphere client installed. |
| Class 3: Network Analysis & Forensics | |
| --- | --- |
| Instructor: | Guillaume Arcas (Sekoia) |
| Instructor bio: | Guillaume has worked as a Threat Analyst since 1997, mainly in the Internet/Telco and Banking industries. He also teaches Security & Network Analysis/Forensics at the French ESIEA school and has been a member of the French Honeynet Chapter since 2009. |
| Training summary: | Introduction to network analysis & forensics; the tools: Wireshark, Snort and other open-source software; basic usage 1: how to extract files from PCAPs; basic usage 2: how to track web surfing from PCAPs; basic usage 3: how to identify malware from PCAPs; advanced usage: introduction to GSoC plugins |
| Attendee takeaways and key learning objectives: | Attendees will learn how to use Wireshark and open-source network analysis tools to quickly find key elements in live or dumped network traces. Training will be based on real-life situations & PCAPs. |
| Class 4: Malware Reverse Engineering | |
| --- | --- |
| Instructor: | Felix Leder (Norman) |
| Instructor bio: | Felix Leder is working as an innovation and new technologies architect for Norman ASA. After starting with Nokia he turned to his favourite field of research: IT security. During the time he worked for Fraunhofer and the University of Bonn, he joined research into botnet mitigation tactics and new methodologies for executable and malware analysis. The results were successful takedowns. Felix Leder has given worldwide classes on malware analysis, reverse engineering, and anti-botnet approaches. Participants range from governmental institutions and the financial & security industries to military bodies. |
| Training summary: | Some people say that reverse engineering, and especially malware reverse engineering, is an art. Actually it is not. It is just the selection and application of the right methods and tools for the desired goal. This training contains an introduction to reverse engineering and how to approach suspicious and malicious files. The main focus will be on executable malware. The major properties and identification criteria for malware will be discussed together with the methodology to investigate efficiently. This is complemented by presenting and playing around with state-of-the-art tools in real-world exercises. Participants are required to have Windows admin or even development knowledge together with a basic understanding of the major protocols used on the Internet. Basic programming skills (in an arbitrary language) are required, too. A basic understanding of the x86 architecture is helpful for the second half of the workshop (but not a requirement). |
| Attendee takeaways and key learning objectives: | Reverse engineering introduction; systematically approaching suspicious applications and files; the right tools for achieving the desired analysis goal; hands-on exercises |
| What to bring: | A Windows laptop with the latest vSphere client installed. |
| Class 5: Understanding and Mitigating Botnets | |
| --- | --- |
| Instructor: | Tillmann Werner |
| Instructor bio: | Tillmann Werner works for CrowdStrike as a Senior Research Scientist, where his duties include the in-depth analysis of targeted attacks. He has a passion for proactive defense strategies like honeypots and botnet takeovers. Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit. |
| Instructor: | Brett Stone-Gross |
| Instructor bio: | Dr. Brett Stone-Gross is a senior security researcher on the Dell SecureWorks Counter Threat Unit (CTU) research team. He has collaborated with many leading security experts to disrupt large-scale cybercriminal operations, including botnets that were used for financial theft, click fraud, spam and fake antivirus software. Stone-Gross specializes in malware analysis, reverse engineering, and attack attribution, and has authored more than 10 publications presented at top computer security conferences around the world. |
| Training summary: | Botnets, remote-controlled collectives of infected machines, are today's number one cyberweapon on the Internet and are used by criminals for various purposes. In this training, attendees will take the role of a botmaster and construct their own botnet using the latest exploit kits to load custom-built malware onto a victim's machine. They will then learn how this setup is used in the cyber underground to monetize these resources by conducting DDoS attacks, running spam campaigns, stealing personal information, etc. The hands-on exercises will be complemented by a discussion of the techniques used in modern botnets to improve resilience to mitigation efforts. Building upon this knowledge, we will introduce techniques to take down several types of botnets. We will cover all modern botnet architectures, ranging from old-school centralized IRC botnets to advanced peer-to-peer topologies. |
| Prerequisites and what to bring: | Laptop with a Windows virtual machine; familiarity with your virtualization setup; basic programming skills preferred |
