1.
2016 Honeynet Project Annual Workshop
Focus and Global Trends
The Honeynet Project Taiwan Chapter
Yi-Lang Tsai

2.
Google Me.
Yi-Lang Tsai
The Honeynet Project Taiwan Chapter Leader
1st
5th 6th
3rd 4th
1st
1st
Cloud Security Alliance Taiwan Chapter Founder and Director of Research
http://blog.yilang.org
Facebook: Yi-Lang Tsai
34
Information Security( ) Linux Guide NetAdmin 80
RHCE CCNA CCAI CEH CHFI ACIA ITIL Foundation ISO 27001 LAC ISO 20000 LAC BS10012 LAC CSA STAR Auditing

3.
Outline
The Honeynet Project
Honeynet Project Tools
Honeynet in Taiwan
2016 Annual Workshop update

4.
The Honeynet Project introduction
Non-profit (501c3) organization with Board of Directors.
Funded by sponsors
Global set of diverse skills and experiences.
Open Source, share all of our research and findings at no cost to the public.
Deploy networks around the world to be hacked.
Everything we capture is happening in the wild.
We have nothing to sell.

5.
Honeynet Project Mission
A community of organizations actively researching, developing and deploying
Honeynets and sharing the lessons learned.
Awareness: 增進企業與組織對存在於現⾏網路上的威脅與弱點之了解，進⼀步思考
如何去減輕威脅的⽅法
Information: 除了提供基本的攻擊活動外，進⼀步提供更關鍵性的資料，如: 攻擊動
機，駭客間如何聯絡，駭客攻破主機後下⼀步的攻擊動作
Tools: Honeynet Project 致⼒於發展 Open Source Tools，藉由這些Tools，我們可以
更有效率的佈建誘捕系統了解網路環境攻擊威脅現況

6.
The Honeynet Project Website
http://www.honeynet.org/
45 (Chapters)

7.
Honeypot/Honeynet Technology
What is a Honeynet ?
Low-Interaction / High-interaction Honeypot
It is an architecture, not a product or software
Populate with live systems
Once compromised, data is collected to learn the tools, tactics, and motives of the
Blackhat community
Value of Honeynet
Research : Identify new tools and new tactics, Profiling Blackhats
Early warning and prediction
Incident Response / Forensics
Self-defense

8.
Honeypots
A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
Has no production value, anything going to or from a honeypot is likely a
probe, attack or compromise.
Primary value to most organizations is information.

9.
Advantage and Risk
Advantage
Collect small data sets of high value.
Reduce false positives
Catch new attacks, false negatives
Work in encrypted or IPv6 environments
Simple concept requiring minimal resources
Risk
Limited field of view (microscope)
Risk (mainly high-interaction honeypots)

10.
Honeynets
High-interaction honeypot designed to capture in-depth informa(on.
Information has different value to different organizations.
Its an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.

11.
2016 Annual Workshop Update
San Antonio, TX, USA. May 9-11th, 2016
1 Day Briefing, 2 Days Hands-on Workshop and 2 Days Private Meeting
About 120+ Attendee Join this year

12.
Briefing Topic
17 Years of Community Leadership Lessons Learned (Lance Spitzner)
Keynote: Control Systems Cyberattacks (Kevin Owens)
ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)
Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas)
Behavioral Analysis of large amounts of Unknown Files (Lukas Rist)
Shadowserver: Updates and highlights from recent activities (David Watson)
Advancements in Computational Digital Forensics (Nicole Beebe)
Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)
Targeted attacks by Dubnium (Christian Seifert)
Integrating Human Behavior into the Development of Future Cyber terrorism
Scenarios(Max Kilger)
Security and Deception in Industrial Control Systems (Lukas Rist)

13.
Summary
17 Years of Community Leadership Lessons Learned
Lance Spitzner / The Honeynet Project Founder
Why join community projects
meet people smarter then you
a network of friends turns into a network of opportunities
gain new, international perspectives
make a difference and build your reputation
Motivation
we underestimate the power of recognition
create a positive culture ensure people have a voice
help build their reputation / exposure
enable people to learn and grow from others

14.
Summary
Keynote: Control Systems Cyberattacks (Kevin Owens)
Iranians Hacked From Wall Street to New York Dam, U.S. Says
http://www.bloomberg.com/news/articles/2016-03-24/u-s-
charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt
New wave of cyberattacks against Ukrainian power industry
http://www.welivesecurity.com/2016/01/20/new-wave-
attacks-ukrainian-power-industry/
Updated BlackEnergy Trojan Grows More Powerful
https://blogs.mcafee.com/mcafee-labs/updated-
blackenergy-trojan-grows-more-powerful/

15.
Summary
ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)
ThreatStream
https://www.anomali.com/
Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar
http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-
pipeline-blast-opened-new-cyberwar
The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest
https://www.aei.org/publication/growing-cyberthreat-from-iran/
No, Israel's power grid wasn't hacked, but ransomware hit Israel's Electric Authority
http://www.computerworld.com/article/3026609/security/no-israels-power-grid-
wasnt-hacked-but-ransomware-hit-israels-electric-authority.html
ICS-CERT
https://ics-cert.us-cert.gov/

16.
Summary
Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas)
Key Questions
where to deploy network monitors
how deep to look
DFA network protocol,communication patterns, command codes, enough?
protocol specification correct but false info
exact value of sensor and control commands(Can’t model with DFA)

17.
Summary
Behavioral Analysis of large amounts of Unknown Files (Lukas Rist)
database
cloud bridge
sandbox cluster
sample workflow
multiple sample sources flow together
chain of workers with increasing processing cost or time
known/unknown, static analysis FRS, multi AV, emulated sandbox, iVM
plug&analysis system, write your own worker
result based routing rules
cloud watch, TSD, probabilistic data structures

18.
Summary
Shadowserver: Updates and highlights from
recent activities (David Watson)
https://www.shadowserver.org/
The Shadowserver Foundation is continually
seeking to provide timely and relevant
information to the security community at large.
We also seek to increase our level of research
and investigation into the activity we discover.

19.
Summary
Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)
a new architecture -the security data lake
context, IOCs, any data —> Rules —> big data lake —>Hunting —> data sci
Hunting creates internal threat intelligence
Data science in security
simple approaches work
dc(dest), dc(d_port)
what is normal?
use data science / data mining to prepare data. then visualize the output for the human analyst.

20.
Honeypot Update
Monitoring DDoS attacks with DDoSPot (Luka Milković)
criterial:
no dummy services
rate limiting
db storage, state restore and passable logs
simple and note resource-intiensive
statistics
hp feeds

21.
Smart XXX
Risk in Future

22.
Google Self-Driving Car on City Streets

23.
ICT/SCADA
High Risk

24.
Conpot

25.
Malware Knowledge Base in Taiwan
owl.nchc.org.tw
Malware Knowledge Base, hosted by the National Center for High-performance
Computing, is a malware analysis platform that observes and records system behaviors
conducted by analysis objects in a controlled environment with various types of dynamic
analysis tools.
The mission of Malware Knowledge Base is to strengthen malware research and promote
security innovations in both academia and industry.
By providing malware-related resources, Malware Knowledge Base can contribute to
security research and make the Internet a safer place.

26.
Next session… Honeypot Flash Live Show.
Kean Song Tan (Malaysia Chapter)
Ching Hsiung Hsu (Taiwan Chapter)