May 11 (Wednesday)

08:00 09:00 Registration
09:00 09:30 Welcome Welcome speech and presentation of sponsors Max Kilger and Faiz Shuja
09:30 10:00 17 Years of Community Leadership Lessons Learned After 17 years of leading different community efforts, I’ve made every mistake possible. I’ll be sharing my lessons learned on how to create highly motivated and effective community efforts. You will learn how to motivate people and make the most of their time, resources and interests. Lance Spitzner 
10:00 11:00 Keynote: Control Systems Cyberattacks You may have heard about cyberattacks on industrial control systems (ICS) in the news.  Come learn what these ICS are and their importance, and listen to a perspective on these “attacks.”  Then learn security steps you can implement to protect your ICS from these threats, including discussions on the potential use of honeypots. Kevin Owens
11:00 11:20    Morning break  
11:20 11:50 ICS/SCADA Threats: What Matters and Where Honeypots Can Help The kinds of threats that face ICS/SCADA networks that operate infrastructure such as power grids, water utilities, manufacturing facilities, and more are different than your normal IT network threats. Additionally, insight into ICS/SCADA networks is far less available than enterprise environments. This creates an opportunity for honeypot research to identify previously unknown attack vectors and contribute to the security of these networks. However, there are pitfalls and prioritizations that researchers must be aware of to make this research effective. This talk will cover what ICS/SCADA networks are, the threats that have been observed before, and recommendations regarding ICS honeypots. Robert Lee
11:50 12:20 Deep-Packet Inspection in Industrial Control Networks  In this talk we will summarize our experience working with industrial control protocols such as Modbus/TCP and EtherNet/IP and discuss some challenges and lessons learned. In particular we show how to extract semantically-rich information from these industrial networks that can be used to develop better intrusion detection tools by monitoring the physical properties of the process.  Alvaro Cardenas
12:20 12:50 Behavioral Analysis of large amounts of Unknown Files What does it take to analyze hundred of thousands of files every day, store the results and make it accessible? Insights into a system build to get a static and behavioral analysis of a large amount of unknown files. We will talk about the surrounding infrastructure, technologies used, pitfalls and lessons learned. Lukas Rist
12:50 13:50  Lunch  
13:50 14:20 Shadowserver: Updates and highlights from recent activities The 501c3 non-profit Shadowserver Foundation collects many types of large scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CERTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities. David Watson
14:20 15:20 Advancements in Computational Digital Forensics Computational Forensics is an emerging research domain that concerns the investigation of forensic problems using advanced analytics and computational methods, such as modeling, simulation, machine learning, etc. The application of tools and techniques that employ computational forensics allows investigators to detect things that once went undetected, analyze data in a more effective and efficient manner, and find forensic artifacts that are otherwise “lost”. This talk will provide insights into research, tools, and techniques in this area, so that you can learn how to employ them in your security operations and forensic investigations. Nicole Beebe
15:20 15:50 Creating Your Own Threat Intel Through Hunting and Visualization The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start ‘hunting’ for signs of compromises and anomalies in our own environments. In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.What is internal threat intelligence?
Check out
Raffael Marty
15:50 16:10    Afternoon break  
16:10 16:40 Targeted attacks by Dubnium Microsoft’s advanced threat hunting team tracks numerous activity groups that selectively attack individuals and organizations. One such group is Dubnium (as per Microsoft’s internal practice of associating chemical element names to these groups.) In this talk, Dubnium is going to be the focus: what is this group after, how do they accomplish their goals, and what toolset does this activity group use.  Christian Seifert
16:40 17:10 Integrating Human Behavior into the Development of Future Cyber terrorism Scenarios The development of future cyber terrorism scenarios is a key component in building a more comprehensive understanding of cyber threats that are likely to emerge in the near to mid-term future. While developing concepts of likely new, emerging digital technologies is an important part of this process, this talk suggests that understanding the psychological and social forces involved in cyber terrorism is also a key component in the analysis and that the synergy of these two dimensions may produce more accurate and detailed future cyber threat scenarios than either analytical element alone. Max Kilger
17:10 17:40 Security and Deception in Industrial Control Systems Their change of exposure and the rise in sophistication and state sponsored attacks, requires operators of industrial facilities to change their prioritization of IT security, risk assessment and maintenance life cycles. In this talk, we will discuss how much ICS specific IT security is required compared to general, common methods. We also investigate how knowledge of the adversary’s operations can help to understand possible intent, sophistication, capabilities and familiarity with the ICS, which combined can help to measure risk. Lukas Rist
17:40 19:30 Reception and Student Poster Session