The 2014 Honeynet Project Workshop was held in Adgar Plaza Conference Centre in Warsaw, Poland from 12 – 14 May 2014. The workshop was organised by The Honeynet Project in coordination with CERT Polska under NASK (Research and Academic Computer Network).
Welcome Remarks by Angelo Dell’Aera
Caught in the Honeypot: (Almost) a Year in Review by Lukasz Siwierski
When I became a member of the Polish chapter of the Honeynet Project, my colleagues assigned me the task of deploying server honeypots. I did several deployments with Dionaea and Kippo on board. The talk will present the results of this experiment. Perhaps the most interesting was the discovery of a new DDoS botnet made for both Linux and Windows operating systems.
Thug: Low-Interaction Honeyclient by Angelo Dell’Aera
The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behaviour of a user-driven network client application, e.g. a web browser, and be exploited by an attacker’s content. The talk will describe the Honeynet Project low-interaction honeyclient (“Thug”) and how to effectively use it in order to analyse malicious websites and detect potential exploit kits.
Thug 101 (Demonstration Session) by Angelo Dell’Aera
The demonstration describes how to properly use the Honeynet Project low-interaction honeyclient (project name “Thug”) in order to analyse malicious Websites. Some advanced Thug features which are useful for detecting and analysing exploit kits will be presented. Moreover the demonstration will show how the tool collects result data and how to effectively analyse such data.
Conpot (Demonstration Session) by Lukas Rist
Conpot is a low-interaction server-side Industrial Control Systems (ICS) honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols, we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human machine interface (HMI) to increase the honeypot’s attack surface. The response time of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of protocols, Conpot can be accessed with productive HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.
Slaying SSL Dragons with mitmproxy (Demonstration Session)
mitmproxy is an open source man-in-the-middle HTTPS proxy. It can be used as an interactive proxy to intercept and modify requests or as a passive proxy to act like tcpdump for HTTP. It is highly extensible using a simple Python scripting interface. In this hands-on demonstration, we will demonstrate how to use mitmproxy to analyse SSL traffic from Android applications and tamper with their requests. Moreover, we will show how you can perform simple statistical analysis of captured traffic in Python.
Inside VirusTotal’s Pants by Emiliano Martinez
Users tend to see VirusTotal.com exclusively as an aggregate antivirus scanner, ignoring many of the public and private features the service incorporates (advanced Android information, execution behaviour report, sample clustering, relationship between binaries, etc.). This talk will shed some light into some of the less known features of VirusTotal, paying special attention to its researcher portal, VirusTotal Intelligence, and highlighting the new projects we are working on in order to improve malware hunting capabilities and extend the knowledge we have about the files submitted to the service.
Tracking & Characterising Botnets using Automatically Generated Domains by Federico Maggi
Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognising automatically generated domains (AGDs) from DNS traffic, which potentially allows identifying previously unknown AGDs to hinder or disrupt botnets’ communication capabilities. The state-of-the-art approaches require deploying low-level DNS sensors to access data whose collection poses practical and privacy issues, making their adoption problematic. We propose a mechanism that overcomes the above limitations by analysing DNS traffic data through a combination of linguistic and IP-based features of suspicious domains. In this way, we are able to identify AGD names, characterise their DGAs and isolate logical groups of domains that represent the respective botnets. Moreover, our system enriches these groups with new, previously unknown AGD names, and produces novel knowledge about the evolving behaviour of each tracked botnet. We used our system in real-world settings, to help researchers that requested intelligence on suspicious domains, and were able to label them as belonging to the correct botnet automatically. Additionally, we ran an evaluation on 1,153,516 domains, including AGDs from both modern and traditional botnets. Our approach correctly isolated families of AGDs that belonged to distinct DGAs, and set automatically generated domains apart from non-automatically generated domains in 94.8% of the cases.
Darknet & Blackhole Monitoring – A Journey into Typographic Errors by Alexandre Dulaunoy
The Internet void is an interesting place. In normal conditions, the Internet void is empty and we should not see anything. But if you take the time to look deeply into a “black-hole” monitoring dataset, you might find and identify surprising results, from badly configured systems to effects of unknown attacks, along with various unexplained events. This talk will introduce you to a journey into the noise of Internet network monitoring along with all the opportunities for the researchers and the attackers.
Software Defined Networking: Migrate now… Think about Security later by Kara Nance
Software Defined Networking (SDN) is rapidly moving from the research and academic worlds into widely used networking equipment that powers production LANs and WANs. By allowing the flow of traffic throughout a network to be managed by SDN controllers, the hope is that networks can become highly programmable, meeting the needs of the specific environment rather than being limited to the capabilities of current network devices (e.g. that traffic can be routed more efficiently, effective QoS can be implemented at the network scale, new protocols can be developed and deployed to support capabilities such as location or performance based routing, and networks can recover more quickly from failure conditions). SDN, primarily in the form of OpenFlow, is already a reality, with Google having perhaps the largest production deployment on their datacentre-to-datacentre production network infrastructure. This talk provides an introduction to SDN, and some insight into the security implications and opportunities that SDN offers.
Looking into Code-Loading Techniques on Android by Sebastian Poeplau
Android apps can load arbitrary code once they run on a user’s device. Given the centralised nature of malware protection in the Android ecosystem, this has some severe security implications. This talk looks at how malicious apps can use code-loading techniques to evade detection by centralised malware analysis systems, how benign apps inadvertently introduce severe vulnerabilities by using loading techniques, and how to mitigate the threat.
From “Fog Security” to “58 58 C3” Gadgets by Felix Leder
The IT security market is flooded with new buzzwords over and over. Ambiguous marketing terms are mixed with technology descriptions and create a jungle of confusion for IT professionals. Instead of guiding to best practices, the result is a distraction and irritation of those who have to use technology to defend their IT infrastructure. This talk takes the most common buzzwords, discusses their ambiguity and sheds light on how the combination of selected terms makes sense in a real-world defence.