Schedule

Workshop 2016


THP Workshop Full Schedule

May 9 (Monday)
REGISTRATION
Registration of attendees


Introduction to Capture the Flag
(Kara Nance & Lucas McDaniel)

Location: Training room 1
Description: Capture the Flag (CTF) events are games where participants are awarded points for finding flags (i.e., specific pieces of data) within the environment. This exploration is largely guided by challenges such as gaining access to an account, or finding some hidden information within a service. This gentle introduction to CTF focuses on challenges designed to explore various security concepts without requiring specialized tools. No prior knowledge (or software) is expected or required to participate.
Trainer: Kara Nance & Lucas McDaniel

Automate your exploitation and reverse engineering with SMT
(Cornelius Aschermann)

Location: Training room 3
Description: You want to crack crypto? You want to find vulnerabilities and create exploits? Or do you enjoy working on code obfuscation and de-obfuscation?

With the right tools, this can be like a walk in the park. SMT solvers should be in everybody's toolbox because they can automate your hunt. Readily available solvers can be used very efficiently on a wide variety of problems: analyzing crypto, payload & ROP chain generation, automatic exploit generation, obfuscation & deobfuscation, optimization, triggering certain codepaths, and many more.

This training will be a non-academic, hands-on introduction to SMT solving with a focus on real world exploitation and reverse engineering scenarios. We will be using SMT solvers to crack custom crypto, prove the correctness of deobfuscations and find easy-to-miss signedness bugs in C code. It will give you the knowledge needed to transform common problems into an SMT query that can then be solved by off-the-shelf SMT solvers.

You will need no prior experience with Python or SMT solvers.
Trainer: Cornelius Aschermann

Introduction to Honeypots or: How I Learned to Stop Worrying and Love My Enemies
(Guillaume Arcas)

Location: Training room 4
Description: This introductory, non-technical 4-hour workshop will present the basics of honeypots and their history, the different types of honeypots, how to deploy and manage them, the pros and cons of using honeypots, etc. It is intended for technical or non-technical people who want to know everything about honeypots before using them but were afraid to ask.
Trainer(s): Guillaume Arcas

Lunch


Educational Capture the Flag Experience
(Kara Nance and Lucas McDaniel)

Location: Training room 1
Description: This Capture the Flag (CTF) serves as a more technical introduction to common security tools. Staged in a James Bond-themed environment, participants will be tasked with attacking various SPECTRE services in order to find flags. Challenges will focus on common tools and techniques to perform network reconnaissance, digital forensics, web application pentests, identify service misconfigurations, and more. No prior knowledge (or software) is required to participate.
Trainer: Kara Nance & Lucas McDaniel

Malicious PDF analysis with peepdf
(Jose Miguel Esparza)

Location: Training room 2
Description: PDF exploits are still used as an attack vector in order to execute code in the victims' computers. They are still included in some Exploit Kits nowadays, but are usually chosen to perform targeted attacks too. This session will show you how to distinguish a malicious PDF file from a harmless one, how to extract and analyze all the relevant elements like JavaScript code and shellcodes, and how to automate the analysis using peepdf. Attendees will learn helpful tricks to analyze those documents and they will not get scared by opening a PDF document anymore.
Trainer: Jose Miguel Esparza

A look under the hood of the Honeypots CONPOT and SNARE
(Lukas Rist)

Location: Training room 4
Description: The ICS/SCADA honeypot Conpot is used to attract and collect attacks against industrial control systems. We will give an insight into the challenges of developing an industrial honeypot, how we deploy Conpot and how to do proper configuration and extension.

SNARE is a next generation web application honeypot and successor of Glastopf. We introduce what's new and how we emulate thousands of known and unknown web vulnerabilities. While doing so we will write our own honeypot and learn about PHP sandboxing.
Trainer: Lukas Rist

May 10 (Tuesday)
REGISTRATION

Introduction to Machine Learning for Malware Classification
(Brian Hay)

Location: Training room 1
Description: This workshop will provide an introduction to malware classification using Python. No prior machine learning knowledge is required, and a brief introduction to Python will be provided for those more familiar with other languages. During the workshop we will begin by building simple classifiers, and work towards a classifier that can be trained to identify live malware samples.
Trainer: Brian Hay

Malicious PDF Analysis with peepdf
(Jose Miguel Esparza)

Location: Training room 2
Description: PDF exploits are still used as an attack vector in order to execute code in the victims' computers. They are still included in some Exploit Kits nowadays, but are usually chosen to perform targeted attacks too. This session will show you how to distinguish a malicious PDF file from a harmless one, how to extract and analyze all the relevant elements like JavaScript code and shellcodes, and how to automate the analysis using peepdf. Attendees will learn helpful tricks to analyze those documents and they will not get scared by opening a PDF document anymore.
Trainer: Jose Miguel Esparza

Network Analysis and Forensics
(Guillaume Arcas)

Location: Training room 3
Description: This tutorial will include the following basic components:
1. Introduction to network analysis & forensics
2. Tools: Wireshark, snort & other open source software
3. Basic Usage 1: How to extract files from PCAPs
4. Basic Usage 2: How to track web surfing from PCAPs
5. Basic Usage 3: How to identify malware from PCAPs
6. Advanced Usage: Introduction to GSoC plugins

Attendees will learn how to use Wireshark and Open Source network analysis tools to quickly find key elements in live or dumped network traffic. Training will be based on real-life situations & PCAPs.
Trainer: Guillaume Arcas

Defending Industrial Control Systems (ICS)
(Kevin Owens)

Location: Training room 4
Description: In this workshop, you will learn what an industrial control system (ICS) is, along with the components that make up an ICS. Students will learn about the threats to ICS and what steps can be taken to protect the ICS. At the conclusion of the class, students will have a tabletop exercise, pitting the red team (malicious actors/attackers) against the blue team (defenders).
Trainer: Kevin Owens

Lunch

A look under the hood of the Honeypots CONPOT and SNARE
(Lukas Rist)

Location: Training room 1
Description: The ICS/SCADA honeypot Conpot is used to attract and collect attacks against industrial control systems. We will give an insight into the challenges of developing an industrial honeypot, how we deploy Conpot and how to do proper configuration and extension.

SNARE is a next generation web application honeypot and successor of Glastopf. We introduce what's new and how we emulate thousands of known and unknown web vulnerabilities. While doing so we will write our own honeypot and learn about PHP sandboxing.
Trainer: Lukas Rist

Introduction to Memory Analysis
(Golden Richard)

Location: Training room 2
Description: Traditionally, digital forensics was concerned primarily with data stored on non-volatile storage devices, such as hard drives, floppies, thumb drives, etc. Recently, interest in memory forensics has increased, because it allows digital forensics investigators, incident response personnel, and malware analysts to incorporate the analysis of running systems and volatile memory into their investigations. Memory forensics can be used not only to focus traditional storage forensic investigations by helping to pinpoint actionable evidence, but also to substantially expand the scope and quality of an inquiry to include enumeration of both legitimate and hidden processes, network connections, open files, volatile registry contents, clipboard data, cached files, command line history, detection and scrutiny of user and kernel-level malware, recovery of encryption keys, and more. This session provides an introduction to fundamental techniques in memory forensics, concentrating on Windows, Linux, and Mac OS X. The primary tool used in the class is the open source Volatility memory forensics framework.
Trainer: Golden Richard

Educational Capture the Flag Experience
(Kara Nance and Lucas McDaniel)

Location: Training room 3
Description: This Capture the Flag (CTF) serves as a more technical introduction to common security tools. Staged in a James Bond-themed environment, participants will be tasked with attacking various SPECTRE services in order to find flags. Challenges will focus on common tools and techniques to perform network reconnaissance, digital forensics, web application pentests, identify service misconfigurations, and more. No prior knowledge (or software) is required to participate.
Trainer: Kara Nance & Lucas McDaniel


May 11 (Wednesday)
REGISTRATION

Welcome
Max Kilger and Faiz Shuja

Welcome speech and presentation of sponsors

17 Years of Community Leadership Lessons Learned
(Lance Spitzner)

Location: Main room
Description: After 17 years of leading different community efforts, I’ve made every mistake possible. I’ll be sharing my lessons learned on how to create highly motivated and effective community efforts. You will learn how to motivate people and make the most of their time, resources and interests.
Trainer: Lance Spitzner

Keynote: Control Systems Cyberattacks
(Kevin Owens)

Location: Main room
Description: You may have heard about cyberattacks on industrial control systems (ICS) in the news. Come learn what these ICS are and their importance, and listen to a perspective on these “attacks.” Then learn security steps you can implement to protect your ICS from these threats, including discussions on the potential use of honeypots.
Trainer: Kevin Owens

Morning break

ICS/SCADA Threats: What Matters and Where Honeypots Can Help
(Robert Lee)

Location: Main room
Description: The kinds of threats that face ICS/SCADA networks that operate infrastructure such as power grids, water utilities, manufacturing facilities, and more are different than your normal IT network threats. Additionally, insight into ICS/SCADA networks is far less available than enterprise environments. This creates an opportunity for honeypot research to identify previously unknown attack vectors and contribute to the security of these networks. However, there are pitfalls and prioritizations that researchers must be aware of to make this research effective. This talk will cover what ICS/SCADA networks are, the threats that have been observed before, and recommendations regarding ICS honeypots.
Trainer: Robert Lee

Deep-Packet Inspection in Industrial Control Networks
(Alvaro Cardenas)

Location: Main room
Description: In this talk we will summarize our experience working with industrial control protocols such as Modbus/TCP and EtherNet/IP and discuss some challenges and lessons learned. In particular we show how to extract semantically-rich information from these industrial networks that can be used to develop better intrusion detection tools by monitoring the physical properties of the process.
Trainer: Alvaro Cardenas

Behavioral Analysis of large amounts of Unknown Files
(Lukas Rist)

What does it take to analyze hundreds of thousands of files every day, store the results and make them accessible? Insights into a system built to get a static and behavioral analysis of a large amount of unknown files. We will talk about the surrounding infrastructure, technologies used, pitfalls and lessons learned.

Lunch

Shadowserver: Updates and highlights from recent activities
David Watson

The Shadowserver Foundation
The 501c3 non-profit Shadowserver Foundation collects many types of large scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CERTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities.

David Watson (UK)
David is the Chief Research Officer of the 501c3 non-profit Honeynet Project, helping to co-ordinate the development and deployment of honeynet related security tools worldwide, and has also been a Director for most of the past decade. He has been a member of the Shadowserver Foundation since 2008, is one of their Directors, and has built and operated large scale distributed honeynet sensor systems for them. David regularly presents and teaches hands-on training classes at international information security events, and is passionate about helping network owners and cybercrime victims to defend themselves using tools and information sources that do not necessarily come with huge price tags.

Advancements in Computational Digital Forensics
(Nicole Beebe)

Speaker: Nicole Beebe
Computational Forensics is an emerging research domain that concerns the investigation of forensic problems using advanced analytics and computational methods, such as modeling, simulation, machine learning, etc. The application of tools and techniques that employ computational forensics allows investigators to detect things that once went undetected, analyze data in a more effective and efficient manner, and find forensic artifacts that are otherwise "lost". This talk will provide insights into research, tools, and techniques in this area, so that you can learn how to employ them in your security operations and forensic investigations.

Creating Your Own Threat Intel Through Hunting and Visualization
(Raffael Marty)

Location: Main room
Description: The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade-old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
What is internal threat intelligence? Check out http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225
Trainer: Raffael Marty

Afternoon break

Targeted attacks by Dubnium
(Christian Seifert)

Location: Main room
Description: Microsoft's advanced threat hunting team tracks numerous activity groups that selectively attack individuals and organizations. One such group is Dubnium (as per Microsoft's internal practice of associating chemical element names to these groups.) In this talk, Dubnium is going to be the focus: what is this group after, how do they accomplish their goals, and what toolset does this activity group use.
Trainer: Christian Seifert

Integrating Human Behavior into the Development of Future Cyberterrorism Scenarios
(Max Kilger)

Location: Main room
Description: The development of future cyber terrorism scenarios is a key component in building a more comprehensive understanding of cyber threats that are likely to emerge in the near to mid-term future. While developing concepts of likely new, emerging digital technologies is an important part of this process, this talk suggests that understanding the psychological and social forces involved in cyber terrorism is also a key component in the analysis and that the synergy of these two dimensions may produce more accurate and detailed future cyber threat scenarios than either analytical element alone.
Trainer: Max Kilger

Security and Deception in Industrial Control Systems
(Lukas Rist)

Location: Main room
Description: Their change of exposure and the rise in sophistication and state-sponsored attacks require operators of industrial facilities to change their prioritization of IT security, risk assessment and maintenance life cycles. In this talk, we will discuss how much ICS specific IT security is required compared to general, common methods.

We also investigate how knowledge of the adversary’s operations can help to understand possible intent, sophistication, capabilities and familiarity with the ICS, which combined can help to measure risk.
Trainer: Lukas Rist

RECEPTION and Student Poster Session

