March 20: Hands-on Tutorial Training


  • Venue Location: 1050 Page Mill Road, Bldg 2, Palo Alto, CA 94304.
  • Date & Time: March 20, 2012 (9:30AM ~ 12:30PM Morning Class) (2:00PM ~ 5:00PM Afternoon Class)
  • 6 hours training price: $380 (Early) / $460 (Regular) / $520 (At the door)
  • 3 hours training price: $190 (Early) / $230 (Regular) / $260 (At the door)
  • Class 4 and Class 8 will teach the same content. Don't register CTF course twice.
  • Class 7 and Class 11 will teach the same content. Don't register CTF course twice.
  • Morning Coffee Break is at 11:00-11:15
  • Lunch will be provided.
  • Afternoon Coffee Break is at 15:30-15:45
  • You will receive a Training Certificates of Completion from The Honeynet Project once you finish the training course.

6 Hours - Hand-on Tutorial Training

Class 1: Class 2: Class 3:
09:30AM ~ 12:30PM Malware Reverse Engineering
(Felix Leder)
Hands on with the Honeywall and virtual honeypots
(David Watson)
Android reverse malware forensics
(Mahmud Ab Rahman)
12:30PM ~ 02:00PM Lunch Time
02:00PM ~ 05:00PM Malware reverse engineering
(Felix Leder)
Hands on with the Honeywall and virtual honeypots
(David Watson)
Android reverse malware forensics
(Mahmud Ab Rahman)

3 Hours - Hand-on Tutorial Training

Class 4: Class 5: Class 6: Class 7:
09:30AM ~ 12:30PM CTF: Hacking for fun and profit
(Angelo Dell'Aera, Mark Schloesser)
Information Visualization-Bridging the Gap Between Tufte and Firewalls
(Raffael Marty)
Cuckoo Sandbox: how deep the bird's nest goes
(Claudio Guarnieri)
Network analysis & forensics
(Guillaume Arcas)
12:30PM ~ 02:00PM Lunch Time
Class 8: Class 9: Class 10: Class 11:
02:00PM ~ 05:00PM CTF: Hacking for fun and profit
(Angelo Dell'Aera, Mark Schloesser)
Visualizing with Parallel Coordinates to find unknown attacks in large volumes
(Sebastien Tricaud)
How to Win at Windows/Linux memory analysis using Volatility
(Matt Erasmus)
Network analysis & forensics
(Guillaume Arcas)

Class 1: Malware Reverse Engineering
Instructor: Felix Leder (Norman)
Instructor bio: Felix Leder is working as an innovation and new technologies architect for Norman ASA. After starting with Nokia he turned to his favourite
field of research: IT-Security. During the time he worked for Fraunhofer and the University of Bonn, he joined into researching botnet mitigation tactics and new methodologies for executable and malware analysis. The
results were successful takedowns.

Felix Leder has given world-wide classes on malware analysis, reverse engineering, and anti-botnet approaches. Participants range from governmental institutions, financial & security industries, to military bodies.
Training summary: Some people say that reverse engineering - and especially malware reverse engineering - is an art. Actually it is not. It is just the selection and application of the right methods and tools for the desired goal. This training contains an introduction to reverse engineering and how to approach suspicious and malicious files. The main focus will be on executable malware. The major properties and identification criteria for malware will be discussed together with the methodology to investigate efficiently. This is complemented by presenting and playing around with state-of-the-art tools in real world excercises. Participants are required to have Windows admin or even development knowledge together with basic understanding of major protocols used in the Internet. Basic programming skills (in an arbitrary language) are required, too. Helpful is a basic understanding of the x86 architecture for the second half of the workshop (but not a requirement).

Attendee takeaways and key learning objectives: * Reverse engineering introduction
* Systematically approaching suspicious applications and files
* The right tools for achieving the desired analysis goal
* Hands-on exercises

Class 2: Hands on with the Honeywall and virtual honeypots
Instructor: David Watson (CRO of The Honeynet Project)
Instructor bio: David Watson is the Chief Research Officer for the Honeynet Project, a non-profit security organization dedicated to sharing its research and findings on cyber threats, and was a Director between 2007 and 2012. As an active security researcher he regularly presents at international conferences or workshops and has contributed to various publications in the field of IT security.

David has been involved with deploying honeypots since 1999 and is currently the project manager and lead developer for the Honeynet Project's Global Distributed Honeynet (GDH/HonEeeBox) initiative, which focuses on analysing data gathered from networks of internationally distributed honeypots. He also leads the UK Honeynet Project Chapter, is the Honeynet Project's Google Summer of Code organizational admin and co-owns growing UK open source software development company Isotoma."

Training summary: A chance to spend some hands on time learning about honeynet technologies in a safe, controlled manner. A brief background to the evolution of honeypots followed by an introduction to the Honeywall, which is one of the primary tools used for honeynet data control and data capture. Extracting high interaction I/O activity using Sebek, analysis of attacks against low and high interaction honeypots, using honeypots for automated malware collection and analysis, and an introduction to client honeypots. Hopefully both informative and fun, aiming to show you how honeypots can be used in the real world to improve information security.

Attendee takeaways and key learning objectives: * Introduction to low and high interaction server and client honeypots and the Honeywall
* Practical hands on experience installing, deploying and using these tools to investigate network attacks
* By the end of the class students should understand the pros/cons/risks of these technologies and feel comfortable either testing such honeynet tools in their own test lab or evaluating research/production deployments

Class 3: Android Reverse Malware Forensics
Instructor: Mahmud Ab Rahman (MyCERT, Cybersecurity Malaysia)
Instructor bio: Mahmud Ab Rahman currently works as Information Security Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under umbrella of CyberSecurity Malaysia. Prior to that, he worked as an Intrusion Analyst at MyCERT department. His education background comprises of Master Degree in Computer Science from National University of Malaysia in 2006. Prior to that, he obtained a Degree in Computer Science from the same university.

Mahmud has been involved in the computer security field for over 5 years. His area of focus and interest is network security, honeynet, botnet monitoring, and malware analysis. He also engages in several large-scale penetration-testing exercises and to provide solutions for any vulnerability detected. Moreover, he is recognized for conducting numbers of training for organizations to talk on advanced security courses.

He is a occasional speaker at conferences such as DEFCON 19, HITCON 2011, FIRST Annual Conference (FIRST-TC), Honeynet Annual Security Conference, HackInTheBox and Infosec.MY. He currently holds a GIAC's GPEN, GREM and CISCO's (CCNA,CCNP). On 2010, he wrote a paper on "Getting Owned By Malicious PDF" for GIAC GPEN Gold certification. He currently is SANS Mentor for GPEN and GREM.

Training summary:
  • Introduces the Android application framework and major software components involved in Android development process.
  • Introduces Android security controls as well as discusses potential security gaps.
  • Provides guidance on analyzing, reverse engineering, and decompiling Android applications.
  • Includes hands-on lab exercises on reverse engineering an Android Malware/application.
Attendee takeaways and key learning objectives:
  • Understand the Android ecosystem and application architecture.
  • Identify specific threats and risks associated with the Android mobile platform.
  • Perform a hands-on analysis and reverse engineering Android malicious applications.

Class 4 & Class 8: CTF: Hacking for fun and profit
Instructor: Mark Schloesser (RWTH Aachen University)
Angelo Dell'Aera (Communication Valley Reply)
Instructor bio: Angelo Dell'Aera is currently employed at Security Reply, a security service
provider located in Italy, working in the Early Warning Team as Senior Threat
Analyst. Moreover he leads Sysenter Honeynet Project Chapter and his
interests are mainly related to botnet tracking, honeyclient technologies and
malware analysis. Angelo started working as an independent researcher in
networking and security research in 1998 focusing his research both on attack
and defense techniques mainly focusing on *NIX platforms. Meanwhile he worked
as researcher in Politecnico of Bari until June 2004 where his main research
argument was TCP congestion control algorithms. His research led to the design
of the TCP Westwood+ algorithm and the implementation of its support in the
official Linux kernel.

Instructor bio: Mark Schloesser is a research assistant at the RWTH Aachen University's
IT security group. His main focus is malware collection and botnet
monitoring, as well as distributed data sharing and processing. In his
free time he runs the malware collection initiative called
" Alliance" and likes to compete in Capture-the-Flag
security contests to learn and improve his skills.

Training summary: Learning by doing - solving challenges and puzzles with time constraints. During the training a selected challenge taken from the Honeynet Project Forensic Challenges series will be analyzed as a practical case of study.
Attendee takeaways and key learning objectives:
  • Network programming
  • quick and efficient scripting
  • offensive hacking techniques
  • approaches to unknown code / systems.

Class 5: Information Visualization - Bridging the Gap Between Tufte and Firewalls
Instructor: Raffael Marty (Pixlcloud)
Instructor bio: Raffael Marty is a SaaS business expert, data visualization practitioner, and security data analyst. Raffael is in the process of starting a visual analytics company, pixlcloud. Prior, he co-founded Loggly, a cloud-based log management company. He has been a long term data analysis and visualization enthusiast and has spent a lot of time building and defining the security visualization space through open source tools, writing books, a number of papers, and speaking at conferences around the world. He is frequently consulting as an industry expert in all aspects of log analysis, computer security, and data visualization. Raffy has held various positions in the log management space at companies like Splunk, ArcSight, and IBM research where he also earned his masters in computer science. In addition to visualization, big data analysis, and computer security, Raffy is working with a number of startups and has an interest in cloud-based business models.
Training summary: This training provides an actionable introduction to the world of information visualization. We are going to learn about visualization theory and see what Tufte's principles are all about. A hands-on visualization life-cycle will guide us on our visualization journey. The discussion of today's visualization technologies will show that there are many tools that can be used, but not all are equally easy to use and flexible in their application. We will cover tools ranging from R to D3, from processing.js to polymaps, from AfterGlow to Gephi, and from WebGL to Canvas, Google Refine or Fusion Tables anyone?
Attendee takeaways and key learning objectives: Attendees will leave this training with an actionable overview of the information visualization space. They will understand the landscape of tools that can be leveraged for their own visualization projects. Visualization is not just a fascinating and fun field, it's one that we can no longer afford to treat like a side project!

Class6: Cuckoo Sandbox: how deep the bird's nest goes
Instructor: Claudio Guarnieri ( iSIGHT Partners )
Instructor bio: Claudio is a Security Researcher at iSIGHT Partners, where he is daily involved with malwares, botnets, cybercrime and general Internet badness.
After work, he usually enjoys some relax time still on malwares and botnets while being core member of The Shadowserver Foundation and of The Honeynet Project.

In the renounced sleep time he develops an open source malware analysis *system* called Cuckoo Sandbox.
Training summary:
  • Introduction to sandboxing
  • Goals of an automated analysis
  • Preparing the analysis environment
  • Setting up Cuckoo Sandbox
  • Using the produced data
  • Cuckoo's internals
  • Using Cuckoo's analysis packages
  • Unconventional uses
  • Brainstorming and discussion
Attendee takeaways and key learning objectives: The attendee will dive into the use of sandboxing for automating malware analysis tasks with hands on a ready-to-use tool. The attendee will acquire the knowledge to setup an analysis environment, tune it and adapt it to his own needs. He'll dive into Cuckoo's internals and understand how a sandbox is designed and developed. He'll understand and master the benefits of automating tedious tasks and to innovate his own malware analysis habits.

Class7: Network analysis & forensics
Instructor: Guillaume Arcas (Sekoia)
Instructor bio: Guillaume works as Threat Analyst since 1997 mainly in Internet/Telco and Banking industry. He is also teacher on Security & Newtork Analysis/Forensics at french ESIEA high school and member of French Honeynet Chapter since 2009.
Training summary:
  • Introduction to network analysis & forensics
  • The tools: Wireshark, snort & other Open Source software
  • Basic Usage 1: How to extract files from PCAPs
  • Basic Usage 2: How to track web surfing from PCAPs
  • Basic Usage 3: How to identify a malware from PCAPs
  • Advanced Usage: Introduction to GSoC plugins
Attendee takeaways and key learning objectives: Attendees will learn how to use Wireshark and Open Source network analysis tools to quickly find key elements in live or dumped network tracks.Training will be based on real-life situation & PCAPs.

Class9: Visualizing with Parallel Coordinates to find unknown attacks in large volumes
Instructor: Sebastien Tricaud (Picviz Labs)
Instructor bio: Sebastien Tricaud is the founder of Picviz Labs. He has more than 15 years’ experience in various intrusion detection & prevention systems implementation. He currently serves as Honeynet Project CTO. Sebastien works for major banks and governments on large volume analysis using mathematics, regular IDS analysis and visualization.

Training summary: This training will put people's hand into real cases of finding unknown attacks in a large log volume. It is focused on parallel coordinates only, as it is the only way to visualize such large volumes with so many dimensions. A short introduction on the theory of parallel coordinates will be given, and we will use it right after to blast and find stuff other cannot! To finish the workshop, we will see how best we can write signatures from visualization so the new attack can be automatically detected with tools such are snort and other.
Attendee takeaways and key learning objectives: You will get a DVD including logs and Picviz to get started. All you need is a bootable machine to run it.
Key learning objectives are:
1) Find unknown attacks using visualization
2) Be able to practice those in real life situations

Class 10: How to Win at Windows/Linux memory analysis using Volatility
Instructor: Matt Erasmus (The Honeynet Project)
Instructor bio: Matt Erasmus works as a security consultant to one of the Big Four auditing firms. In his spare time he likes to wrangle malware, learn new ways to break computers and networks. He heads up the South African chapter of the Honeynet Project with Barry Irwin.
Training summary: I will be going through how I placed in the recent Honeynet Challenge using just Volatility. I will walk through the challenge and show how I answered the questions using the tool. I will also (hopefully) go through some other examples of more useful scenarios with Volatility. This will also include capturing memory dumps on Windows/OS X/Linux.
Attendee takeaways and key learning objectives: (1) How to capture memory from target systems
(2) Using Volatility to pull useful information from memory images.

The 2012 Honeynet Project Security Workshop is sponsored by: