FloCon 2018 has ended
Tucson, AZ – January 8-11, 2018

PLEASE NOTE THAT THE CURRENT SCHEDULE IS TENTATIVE. CHANGES TO THE SCHEDULE BELOW MAY OCCUR

Watch this space for details on the technical program for FloCon 2018. In the meantime, see the FloCon website at www.cert.org/flocon.


Sunday, January 7
 

5:00pm MST

Sunday Networking Event
Network with other event attendees and enjoy some light refreshments and hors d'oeuvres. This is a great opportunity for any first-time FloCon attendees to get information about the conference.

Sunday January 7, 2018 5:00pm - 7:00pm MST
TBA

5:00pm MST

Registration
Sunday January 7, 2018 5:00pm - 7:00pm MST
Presidio Desk
 
Monday, January 8
 

7:00am MST

Breakfast
Monday January 8, 2018 7:00am - 8:30am MST
Turquoise III

7:00am MST

Registration
Monday January 8, 2018 7:00am - 5:30pm MST
Presidio Desk

8:30am MST

Morning Track I: How to be an Analyst
Limited Capacity seats available

This two-session training covers the basic skills necessary to be an effective cyber analyst. Analytic acumen, or “how to think”, is the topic for the morning session, which focuses on the underlying analytical skillset. The session starts with an introduction to the analytic process and then covers logical fallacies and awareness of assumptions and biases. Practical application of portions of the analytic process is the topic of the afternoon session. There we step into the shoes of Alex Smith, a SOC team lead for ACME Corporation, as he encounters a number of challenging situations. In each situation, you dictate what actions Alex takes. These decisions have consequences: their outcomes could save or doom ACME Corporation.


Speakers
Angela Horneman
Network Intelligence Analyst, CERT - Software Engineering Institute
Angela Horneman is a Network Intelligence Analyst for the CERT division of the SEI. Her focus is on helping others understand network cyber security topics and solve related problems. They can then make better decisions, improve their security posture, and better interact in the cyber...

Don McKeon
Junior Network Security Analyst, CERT - Software Engineering Institute
Donald McKeon is a Network Security Analyst for the CERT division of the SEI. His concentration is in developing ways to have real-time situational awareness of assets on any network. In order to properly defend a network, organizations must have a way to identify critical infrastructure...


Monday January 8, 2018 8:30am - 12:00pm MST
Turquoise I

8:30am MST

Morning Track II: Suricata Training
Limited Capacity seats available

Suricata, the world’s leading IDS/IPS engine, provides the most versatile network security tool available today. Developed and maintained by a core team of developers and an open source community, Suricata is the “Swiss Army Knife” for network security monitoring. This training will demonstrate the latest in Suricata’s dynamic capabilities including:

  • Introduction to the newest version of Suricata
  • Suricata as a passive DNS probe
  • Suricata as an SSL monitor
  • Suricata as a malware detection probe
  • Suricata as a flow probe
  • And some exciting new features…

At the completion of this training, attendees will gain a greater understanding of Suricata’s versatility and power. They will also have the unique opportunity to discuss any questions directly with members of the Suricata development team. 


Speakers
Eric Leblond
Developer, OISF
Eric is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He has worked on the development of Suricata, the open source IDS/IPS network engine, since 2009, and he is one of the...

Peter Manev
QA Lead, OISF
A Suricata core team member, Peter has 15 years of experience in the IT industry, including enterprise-level IT security practice. An adamant admirer and explorer of innovative open source security software, Peter maintains some additional info points of interest about Suricata: htt...


Monday January 8, 2018 8:30am - 12:00pm MST
Coronado Ballroom I & II

8:30am MST

Morning Track III: Bro Training
Limited Capacity seats available

Bro is a stateful, protocol-aware, open source, high-speed network monitor with applications such as a next-generation intrusion detection system, real-time network discovery tool, historical network analysis tool, real-time network intelligence, and more. With a powerful event-based programming language at its core, the Bro Platform ships with powerful frameworks: signature detection, the ability to extract and analyze files, and the capability to integrate massive amounts of local and external intel, all at incredibly high rates.

This tutorial focuses on helping you understand some of the many tasks that you can accomplish with the Bro Platform using a hands-on Virtual Machine. Beginning with an introduction to the Bro Platform, this fast-paced tutorial helps experienced network operators quickly get up to speed on leveraging the technology. Students work with traffic samples of distributed denial-of-service (DDoS) attacks, deploy large sets of threat intelligence, analyze compromised host traffic, dynamically generate streaming network analytics, and more.

Students should be well versed in TCP/IP and networking fundamentals and come prepared with an x86/x64 workstation (Linux, Windows, or Mac) to run the Bro training VM. A remote SSH-based host will be available for students who cannot run the VM.


Speakers
Liam Randall
President, Critical Stack - A Division of Capital One Bank
Liam (@Hectaman) focuses on end-user training, application development, and community outreach. He is the CEO at Critical Stack, develops network solutions around the Bro Platform, and is a frequent speaker at security conferences. You can usually find him training users on the Bro...


Monday January 8, 2018 8:30am - 12:00pm MST
Turquoise II

1:00pm MST

Afternoon Track I: How to be an Analyst
Limited Capacity seats available

This two-session training covers the basic skills necessary to be an effective cyber analyst. Analytic acumen, or “how to think”, is the topic for the morning session, which focuses on the underlying analytical skillset. The session starts with an introduction to the analytic process and then covers logical fallacies and awareness of assumptions and biases. Practical application of portions of the analytic process is the topic of the afternoon session. There we step into the shoes of Alex Smith, a SOC team lead for ACME Corporation, as he encounters a number of challenging situations. In each situation, you dictate what actions Alex takes. These decisions have consequences: their outcomes could save or doom ACME Corporation.


Speakers
Angela Horneman
Network Intelligence Analyst, CERT - Software Engineering Institute
Angela Horneman is a Network Intelligence Analyst for the CERT division of the SEI. Her focus is on helping others understand network cyber security topics and solve related problems. They can then make better decisions, improve their security posture, and better interact in the cyber...

Don McKeon
Junior Network Security Analyst, CERT - Software Engineering Institute
Donald McKeon is a Network Security Analyst for the CERT division of the SEI. His concentration is in developing ways to have real-time situational awareness of assets on any network. In order to properly defend a network, organizations must have a way to identify critical infrastructure...


Monday January 8, 2018 1:00pm - 4:30pm MST
Turquoise I

1:00pm MST

Afternoon Track II: Threat Hunting w/Suricata
Limited Capacity seats available

In "Threat Hunting with Suricata" we will teach various methods and techniques to aid in detecting and hunting for popular threats facing organizations today. This workshop will focus on writing efficient IDS rules for hunting and detecting threats, as well as discussing strategies around leveraging Suricata alerts in this context.

Attendees will gain invaluable insight into the techniques behind creating long-lasting, efficient rules for Suricata IDS. Lab exercises will train attendees to analyze and interpret hostile network traffic and turn it into agile IDS rules for detecting threats, including but not limited to: exploit kits, ransomware, phishing attacks, crimeware, backdoors, targeted threats, and more. Attendees will leave the class armed with the knowledge of how to write quality Suricata IDS signatures for their environment, enhancing their organization’s ability to detect and respond to threats.


Speakers
Jack Mott
Security Researcher - Emerging Threats Research Team, OISF Core Team / Emerging Threats
Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint where he spends all day long in packet-land playing with malware and writing comprehensive IDS rules for the ETPRO and OPEN rulesets. In addition to IDS sigs, he writes sigs for ClamAV and Yara to hunt...

Jason Williams
Security Researcher - Emerging Threats Research Team, OISF Core Team / Emerging Threats
Jason is a Security Researcher on the Emerging Threats Research team at Proofpoint where he flops around in a metaphorical ball pit of network packets all day and night. He works on the ETPRO and OPEN rulesets, having written thousands of signatures to help defenders protect their...


Monday January 8, 2018 1:00pm - 4:30pm MST
Coronado Ballroom I & II

1:00pm MST

Afternoon Track III: Bro Training
Limited Capacity seats available

Bro is a stateful, protocol-aware, open source, high-speed network monitor with applications such as a next-generation intrusion detection system, real-time network discovery tool, historical network analysis tool, real-time network intelligence, and more. With a powerful event-based programming language at its core, the Bro Platform ships with powerful frameworks: signature detection, the ability to extract and analyze files, and the capability to integrate massive amounts of local and external intel, all at incredibly high rates.

This tutorial focuses on helping you understand some of the many tasks that you can accomplish with the Bro Platform using a hands-on Virtual Machine. Beginning with an introduction to the Bro Platform, this fast-paced tutorial helps experienced network operators quickly get up to speed on leveraging the technology. Students work with traffic samples of distributed denial-of-service (DDoS) attacks, deploy large sets of threat intelligence, analyze compromised host traffic, dynamically generate streaming network analytics, and more.

Students should be well versed in TCP/IP and networking fundamentals and come prepared with an x86/x64 workstation (Linux, Windows, or Mac) to run the Bro training VM. A remote SSH-based host will be available for students who cannot run the VM.


Speakers
Liam Randall
President, Critical Stack - A Division of Capital One Bank
Liam (@Hectaman) focuses on end-user training, application development, and community outreach. He is the CEO at Critical Stack, develops network solutions around the Bro Platform, and is a frequent speaker at security conferences. You can usually find him training users on the Bro...


Monday January 8, 2018 1:00pm - 4:30pm MST
Turquoise II

6:30pm MST

Welcome Reception
Join us for food and refreshments at our Welcome Reception. Meet fellow attendees and speakers while enjoying some fun activities. We will have a big-screen TV broadcasting the NCAA National Championship Game.

Monday January 8, 2018 6:30pm - 8:30pm MST
The Last Territory & Courtyard
 
Tuesday, January 9
 

7:30am MST

Breakfast
Tuesday January 9, 2018 7:30am - 8:30am MST
Turquoise III

7:30am MST

Registration
Tuesday January 9, 2018 7:30am - 4:00pm MST
Presidio Desk

8:30am MST

Introduction
Rachel Kartch will kick off FloCon 2018 with an introduction.

Speakers
Rachel Kartch
Chair, CMU


Tuesday January 9, 2018 8:30am - 9:00am MST
Presidio III, IV, V

9:00am MST

Lessons Learned in Growing a Big Data Capability for Network Defense
The advent of big data and data science presents tremendous opportunities for cyber operations and network security. These opportunities are in great demand within the United States Department of Defense (DoD) with its high operational tempo, sensitive global mission set, and massive inventory of networked systems. For the past three years, the Department of Defense Information Systems Agency (DISA), United States Army, and US Cyber Command have rapidly pioneered development of a state-of-the-art, full stack Big Data Platform to meet this demand. This capability is currently supporting network defense and cyber operations around the globe via multiple Petabyte-scale instances running on hundreds of scalable cloud-based compute nodes. Most importantly, it exists as a government-owned platform architecture built on open-source technology with the express goal of integrating contributions from defense agencies, national labs, industry partners, and academia. This vision is the result of leading-edge DoD thinkers and decision makers who recognized the promise of big data and acted boldly. In this talk, we will discuss the evolution of the Big Data Platform, examples of how it is being used today, and key lessons learned in its development.

Speakers
Steve Wagner
Technical Director, Enlighten IT Consulting
Steve Wagner is the Technical Director of Enlighten IT Consulting where he formulates and leads the company’s day-to-day technical direction and oversight. He is a recognized subject matter expert on the Big Data Platform and has over 20 years of experience in the architecture...



Tuesday January 9, 2018 9:00am - 9:30am MST
Presidio III, IV, V

9:30am MST

Optimal Machine Learning Algorithms for Cyber Threat Detection
Seeing the exponential hike in the global cyber threat spectrum, organisations are now striving to utilise new data mining techniques to analyse security logs received from their IT infrastructures, to ensure potent cyber threat detection and subsequent incident response. Machine learning based analysis of security machine data is the next emerging trend in cyber security, aimed at minimising the operational overhead of maintaining conventional static correlation rules in security-monitoring devices. However, selecting the optimal algorithm with the least number of false positives still remains the impeding factor against the success of data science, especially in any large-scale, global-level Security Operations Centre (SOC) environment. This fact brings a dire need for an effective and efficient machine learning based cyber threat detection model. In this research, we propose optimal machine learning algorithms for detecting multiple types of cyber threat actors by analytically and empirically comparing results gathered from various anomaly detection, classification and forecasting algorithms. We will also recommend a few advanced statistical visualisations for security big data that will greatly augment the prevailing threat hunting tools and techniques.

Attendees will learn:
Machine learning is the latest trend in cyber security detection methodologies. The rapidly increasing variety of threat actors and tooling used in attack campaigns is making it extremely difficult for SIEM administrators to create and maintain effective static threat correlation rules. Machine learning and threat hunting through advanced statistical analytics should now be used by enterprise SOC analysts to perform their routine operational intelligence. This research allows SOC individuals to understand how to use machine learning algorithms optimally in order to complement existing conventional threat hunting capabilities.

Speakers
Hafiz Farooq
Chief Cyber Security Architect, Saudi Aramco
Hafiz Muhammad Farooq is a Senior Cyber Security Architect for Saudi Aramco's Global Security Operations Centre (SOC). With 16 years of research and professional experience in the Cyber and Network Security domain, he is harnessing the first line of defense against a huge spectrum of...



Tuesday January 9, 2018 9:30am - 10:00am MST
Presidio III, IV, V

10:00am MST

Creating & Sharing Value with Network Activity and Threat Correlation
We examine the key impediments to effective information sharing and explore how network activity and threat correlation can alter cyber economics to diminish threat actor return on investment.
   
Cyber threat management within an organization should include an automated cycle that leverages timely threat intelligence with both automated netflow correlation and packet-based signature detection. Automated netflow inspection can recognize interactions with resources that threat intelligence reports as malicious, alerting analysts as appropriate. Automated signature detection in network packet analysis should identify any new resources participating in malicious activity and inform netflow inspection. Automated techniques for spotting both known malicious behaviors and unknown anomalous patterns should alert analysts to investigate the identified activity. As new behavior patterns, signatures, and participating resources are discovered, these generate feedback into automated detection models.
   
This inside-the-organization cyber threat management cycle can integrate with others via information sharing to create inter-organizational cyber threat management communities that make a huge difference in our collective defense. Unfortunately, there are several impediments to information sharing; concerns about trust, privacy, legal issues, and value creation each play a role. We will delve deeper into each of these issues providing examples and technical action strategies to overcome them both within and between organizations.
   
Finally, we present a framework that integrates network activity, threat information, automated threat correlation, value-sharing networks, rights management, and social trust mechanisms that can overcome the key information sharing impediments and re-align cyber security community incentives towards information sharing and more effective threat mitigation.

Attendees Will Learn:
We will discuss:
   1. The range of cyber security value-creation options that leverage network activity data
   2. How the value from each option synergistically supports the others in a cycle
   3. How organizations can link their network activity value-creation cycles
   4. Why organizations usually refrain from sharing this information
   5. Technical approaches for overcoming these sharing impediments

Speakers
Jamison Day
Distinguished Data Scientist, Lookingglass Cyber Solutions
Jamison M. Day is a Decision Science Ph.D. dedicated to improving information sharing among people and organizations. He was selected as 1 of 5 members nation-wide to serve on a Supply Chain Security Team for the U.S. Director of National Intelligence. His interactive analytics products...



Tuesday January 9, 2018 10:00am - 10:30am MST
Presidio III, IV, V

10:30am MST

Break
Tuesday January 9, 2018 10:30am - 11:00am MST
Presidio I & II

11:00am MST

Keynote #1: Colonel Edward F. Buck Jr, NETCOM
Deputy Commanding Officer Colonel Edward J. Buck, Jr. of NETCOM will provide a keynote address.

Speakers
Colonel Edward F Buck Jr
Deputy Commanding Officer - Operations, U.S. Army Network Enterprise Technology Command (NETCOM)
Colonel Ed Buck assumed his current position as the Deputy Commander for Operations in August 2016. Colonel Ed Buck is a native Californian and was commissioned as an Armor Officer in 1992 at California State University, Chico. Colonel Buck’s assignments include Platoon Leader and Company...


Tuesday January 9, 2018 11:00am - 12:00pm MST
Presidio III, IV, V

12:00pm MST

Lunch
Tuesday January 9, 2018 12:00pm - 1:00pm MST
Turquoise III

1:00pm MST

Panel Discussion: "Current Trends: Cybersecurity Data Analysis and Fusion"

We can all pretty much agree that security devices on our networks are producing large amounts of data. The myriad devices may each represent data in a particular format and for a particular purpose. We need to fuse or combine these data sources to uncover new meaning and insight so that we can bolster our situational awareness and improve our cybersecurity operations.  This panel, Current Trends: Cybersecurity Data Analysis and Fusion, is intended to spark a conversation about what is going on in Industry, Government, and Academia. These trends will no doubt define how we accomplish our cybersecurity initiatives over the next several years.


Moderators
Bobbie Stempfley
Director, CERT - Software Engineering Institute
Roberta G. (Bobbie) Stempfley joined the Carnegie Mellon University Software Engineering Institute as director of the SEI's CERT Division in June 2017. Stempfley previously served as director of cyber strategy implementation at MITRE Corp. and as acting assistant secretary and deputy assistant secretary, Office of Cyber Security and Communications, Department of Homeland Security. In addition to her work at...

Speakers
Steve Henderson
Lead Data Scientist, Enlighten Information Technology
Dr. Steve Henderson is the Lead Data Scientist at Enlighten Information Technology where he supervises petabyte-scale data science analytics in support of DoD cyber operations for United States Cyber Command (USCYBERCOM), Army Cyber Command (ARCYBERCOM), and the Defense Information...

Howard S. Marshall
Deputy Assistant Director, FBI - Cyber Division
Mr. Marshall was appointed Deputy Assistant Director of the FBI’s Cyber Intelligence, Outreach, and Support Branch in August 2016. In this position, Mr. Marshall supports the Cyber Division’s mission to identify, pursue, and defeat cyber adversaries targeting global U.S. interests...


Tuesday January 9, 2018 1:00pm - 2:00pm MST
Presidio III, IV, V

2:00pm MST

Break
Tuesday January 9, 2018 2:00pm - 2:30pm MST
Presidio I & II

2:30pm MST

Anomaly Detection in Cyber Networks Using Graph-node Role-dynamics and NetFlow Bayesian Normalcy Modeling
Advanced Persistent Threats (APTs), i.e., “low and slow” cyber-attacks, are difficult to detect using standard network defense tools. APTs typically hide within the noise of normal network operations, and may persist undetected for months or even years. As a result, the warning signs of an APT can easily be lost in the flood of alerts generated by intrusion detection systems (IDSs) and NetFlow data.

This paper describes ongoing research in APT detection. Our approach is two-fold. First, we fuse alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro), into a single weighted graph that allows us to identify anomalies across modalities. To detect the anomalies, we apply the role-dynamics algorithm, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node in the fused IDS-alert graph is assigned a probability distribution across a small set of roles based on that node’s features. A cyber-attack should trigger IDS alerts causing changes in node features, but rather than track every feature for every node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles.

Second, we implement a Bayesian dynamic packet flow model to characterize NetFlow patterns within the network. The algorithm provides a probabilistic measure of traffic volatility from which Bayesian inference can be used to forecast expected normal behavior. The model triggers an indication of compromise when deviations from the expected behavior occur, such as during the exfiltration of data.

We test our approach using IDS alerts and NetFlow data generated from a network of virtual machines (workstations, data and print servers, DHCP and DNS servers), virtual switches, and a virtual server that approximates connections to the internet. The simulations include weeks of normal background traffic and APT-like cyber-attacks. The network includes installations of Snort, OSSEC, and Bro, which generated alerts throughout the entire experiment. A NetFlow sensor captured the network traffic during the simulation.

Multi-modal data fusion is a promising avenue for threat intelligence and contextual awareness in network defense. Although we have focused here on APTs, our methods may apply to other forms of cyber-attacks.

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Attendees will learn:

This talk will describe a novel approach to cyber-anomaly detection. The method includes multi-modal data fusion, advanced graph-based analytics, and Bayesian normalcy modeling, to alert security analysts to anomalous and possibly malicious network activities.

Speakers
Anthony Palladino
Sr. Research Scientist, Boston Fusion
Anthony Palladino is a senior research scientist at Boston Fusion, where he is principal investigator on several advanced research projects. His current areas of research include multi-modal data fusion, machine learning, and advanced graph-based analytics. Prior to joining Boston...



Tuesday January 9, 2018 2:30pm - 3:00pm MST
Presidio III, IV, V

3:00pm MST

When Threat Hunting Fails: Identifying Malvertising Domains Using Lexical Clustering
From Java drive-bys to Adobe Flash exploits, low and mid-tier ad networks have traditionally been targeted and popularized as the distribution point for malicious campaigns. The ad network infrastructure enables a variety of distribution methods especially if an attacker understands how to game the ad-exchange. Further, malvertising groups have begun to evolve towards more ambitious campaigns serving ad impressions under the guise of fake software updates and tech support scams.

Defending against and harvesting the fake update and tech support scams is complicated, however, by the fingerprinting and anti-bot technologies of the poorly vetted ad networks that act as a middle-man and behind which the attackers hide. The actors launching these attacks are also vigilant, launching them from freshly registered domains and migrating between hosting infrastructures. The question then becomes: which, if any, of the traditional threat hunting methods can be effective against this new breed of malvertising?

In this talk, we introduce a real-time streaming pipeline built in Kafka to stem the initial attack that is observable in DNS logs by using a scalable clustering technique known as locality sensitive hashing (LSH) over the hostnames to identify the permutations of words and characters from “software”, “update”, “tech”, “support”, and more. We then discuss a novel belief propagation algorithm over a client-hostname bipartite graph that propagates up to the related file hosts that lie behind malicious advertisements. Finally, we will disclose the anatomy of a malicious advertising campaign and uncover how the file hosts are often reused in malvertising campaigns.

Attendees will learn:
Attendees will become acquainted with the current malvertising threat landscape: ad networks, exchanges, exploits, and popular infection points. The audience will gain a greater understanding of the need for unsupervised lexical clustering, due to the weaknesses of traditional methods of lexical and semantic analysis, and how these methods can be applied to threat hunting. Finally, we'll show how to leverage commodity hardware and open source technologies to uncover more threats and their related infrastructures.

This talk will demonstrate how to automate data analysis to identify evolving threats where traditional hand-crafted threat research methods may fail or prove inefficient.

Speakers
Matthew Foley
Researcher, Cisco Umbrella
Matt Foley works as an intern researcher at Cisco Umbrella (OpenDNS). His primary research focus is exploit kit mitigation by studying current web exploits and writing custom honey clients. Matt works on building out automated systems at scale to identify new indicators of compromise...

Dhia Mahjoub
Head of Security Research, Cisco Umbrella
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with...

David Rodriguez
Senior Research Engineer, Cisco Systems, Inc
David Rodriguez works as a Senior Research Engineer at Cisco Umbrella (OpenDNS). He has co-authored multiple pending patents with Cisco in distributed machine learning applications centered around deep learning and behavioral analytics. He has an MA in Mathematics from San Francisco...



Tuesday January 9, 2018 3:00pm - 3:30pm MST
Presidio III, IV, V

3:30pm MST

May the data stay with you! - Network Data Exfiltration Techniques
Data exfiltration is a process of transmitting data from pwned or infected networks back to the attacker while trying to minimize detection.

During this presentation, we will go through different network exfiltration methods and techniques (DNS, ICMP, TCP, UDP, HTTP, RDP, cloud-app based and others). I will explain how they work, how easy it is to run them and what differences you can find between them from the perspective of different OSI layers. It is a highly interactive presentation (I have a dozen short demos already prepared) where you will be guided through the use of a set of Open Source tools powered by a short, fast theory. The main goal of this presentation, however, is to show you that without:
  • Excellent Network Visibility Based on Multiple Collectors (PH, DNS, TLS, HTTP, Logs, SNMP, Netflows, others)
  • Network Behavior Analytics powered by Hybrid Supervised/Unsupervised Anomaly Detection
  • Active Response Module supporting all your existing security HW/SW

you are doing your Network Security just wrong.

May the data stay with you!

Attendees Will Learn: They will learn what kinds of Data Exfiltration techniques exist and how easy it is to use them. They will learn, on the other side, how to detect and block such movements and actions. They will learn that only a combination of different data source collection and analytics can give you a real picture of network behavior. They will learn as well that Machine Learning techniques should be connected to an active response module - there is not too much time for decisions when ransomware is coming. Basically a nice demo-based combination: defensive vs offensive.

Speakers
Leszek Mis
VP of Cyber Security / IT Security Architect, Collective Sense / Defensive Security
Leszek Miś has over 12 years of experience in IT security technology supporting the largest companies and institutions with implementation, consulting and technical training. Next to that, he has 8 years of experience in teaching and transferring technical knowledge and experience...



Tuesday January 9, 2018 3:30pm - 4:00pm MST
Presidio III, IV, V

6:30pm MST

Off-Site Reception at the Biosphere
Join us for our Off-Site Networking Reception at the University of Arizona Biosphere2: http://biosphere2.org/.

Tuesday January 9, 2018 6:30pm - 8:30pm MST
Biosphere2 University Of Arizona Biosphere 2 32540 S. Biosphere Road Oracle, AZ 85623
 
Wednesday, January 10
 

7:30am MST

Breakfast
Wednesday January 10, 2018 7:30am - 8:30am MST
Turquoise III

7:30am MST

Registration
Wednesday January 10, 2018 7:30am - 5:00pm MST
Presidio Desk

8:30am MST

Network Volatility Analysis for Threat Detection
Network usage patterns can vary throughout the day, but abrupt and unexpected changes in behavior can be a leading indicator of potentially malicious activity. Pinpointing these unanticipated, temporal events can be problematic, especially when normal daily fluctuations are to be expected. Traditional SQL-based queries for these volatile spikes in activity are challenging across large amounts of data. Data resolution, time frame, and various permutations can impact the compute time required and may destroy any early-warning advantage that this detection mechanism can provide.
   
Adopting methods from high-frequency stock trading analysis, we can define appropriate highs and lows that adapt to data as it changes over time. We will demonstrate how to quickly and efficiently detect these volatility spikes for various data inputs. Temporally examining port/protocol usage for volatility lends itself well to detecting and visualizing erratic changes in unexpected places. This can be activity from new malicious software or unwanted applications that would otherwise go unnoticed. These volatility measures can also be used with other fields, such as IP addresses paired with unsuccessful connection states, and can help uncover potentially loud scanning that does not occur over sustained periods of time.
    
Our discussion will focus on approaches and strategies for exploring this flow volatility. We will recount our experiences executing these metrics on real-world, multi-billion record Bro and NetFlow datasets and approaches for dealing with this data at scale. We will also discuss ways analysts can use these metrics and approaches for threat detection, analysis validation, and response.

Attendees will learn:
This talk focuses on the real-world impact of using analytical methods not traditionally reserved for security operations. Using real-world Bro and NetFlow datasets, we demonstrate how mechanisms from high-frequency stock trading analysis lend themselves to detecting potential network security events, and adapting to them, at scale. Attendees will learn how these mechanisms can best be applied to network data to detect not only past but live threats, and the methods used for acting on these threats.
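The adaptive high/low idea can be made concrete. The Python below is an added example written for this page, not the speakers' code: per-port flow counts per time bucket become bucket-to-bucket log-returns, and a rolling mean and standard deviation over the previous buckets form an envelope in the style of the Bollinger bands used in trading analysis; a return outside the envelope is a volatility spike. The counts are constructed, and the window, multiplier and standard-deviation floor are assumptions, not values from the talk.

```python
import math
import statistics

# Constructed sample: flows per 5-minute bucket, keyed by destination port.
# Port 445 carries a burst in bucket 8; port 443 is busy but steady.
SAMPLE_SERIES = {
    445: [12, 14, 11, 13, 15, 12, 14, 13, 95, 12, 11, 13],
    443: [400, 420, 390, 410, 430, 405, 415, 425, 410, 400, 395, 420],
}


def log_returns(counts):
    """Bucket-to-bucket log-returns, as used for price series.
    The +1 keeps log() defined for empty buckets."""
    return [math.log((b + 1) / (a + 1)) for a, b in zip(counts, counts[1:])]


def volatility_spikes(counts, window=4, k=3.0, min_sigma=0.05):
    """Return the indices of buckets whose log-return leaves the adaptive band.

    The band is the rolling mean +/- k * rolling stdev of the previous
    `window` returns (a Bollinger-band style envelope that moves with the
    series).  `min_sigma` floors the stdev: a perfectly flat history would
    otherwise collapse the band and flag ordinary jitter.
    """
    r = log_returns(counts)
    spikes = []
    for i in range(window, len(r)):
        hist = r[i - window:i]
        mu = statistics.mean(hist)
        sigma = max(statistics.pstdev(hist), min_sigma)
        if not (mu - k * sigma <= r[i] <= mu + k * sigma):
            spikes.append(i + 1)  # return i is the move from bucket i into bucket i+1
    return spikes


def scan_ports(series, **kwargs):
    """Apply the detector to every port series: {port: [spike bucket indices]}."""
    return {port: volatility_spikes(counts, **kwargs) for port, counts in series.items()}


if __name__ == "__main__":
    for port, buckets in scan_ports(SAMPLE_SERIES).items():
        print(f"dport {port}: volatility spikes in buckets {buckets}")
```

Two practical points are encoded here: the standard-deviation floor keeps a near-flat history (port 443 in the sample) from collapsing the band and flagging ordinary jitter, and the bucket after a spike is not flagged because the spike itself has widened the band, which is the usual price of an adaptive envelope. At multi-billion-record scale the same per-key loop is what gets distributed over the flow data.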

Speakers

Brian Sacash

Specialist Senior/Data Scientist, Deloitte
Brian Sacash is a Specialist Senior and data scientist with Deloitte. His primary focus is implementing cyber based analytics for large datasets to identify threats. He traditionally works with high performance computing systems and frameworks such as Apache Spark. He has experience...


Wednesday January 10, 2018 8:30am - 9:00am MST
Presidio III, IV, V

9:00am MST

InSight2: An Interactive Web-Based Platform for Modeling and Analysis of Large-Scale Argus Network Flow Data
Network monitoring systems are paramount to the proactive detection and mitigation of problems in computer networks related to performance and security. Degraded performance of network equipment and compromised end-nodes can cost computer networks downtime, data loss, and reputation. InSight2 is a web-based platform developed for the purpose of proactive and predictive monitoring of network performance and security aspects and providing intuitive visualizations thereof in organized dashboards in near real time. InSight2 models and analyzes network transactions to provide insight into the network performance such as current bandwidth utilization, packet rate, packets dropped and the number of nodes online. InSight2 also uses up-to-date emerging threat lists and data analytics to identify denial of service attacks, botnets, ransomware servers, bogons, compromised hosts, spammers, scanners and a host of other types of malicious agents in the network. All data is automatically tagged with geographical, organizational, and other related information for identification and further investigation.
   
InSight2 processes Argus flow records which provide information such as number of bytes and packets transmitted, number of packets lost and retransmitted, jitter, and inter-packet delay for each flow. Emerging threats are extracted from multiple up-to-date repositories to build a threats database which is used to enrich each flow by adding one or more searchable tags. InSight2 utilizes MaxMind GeoIP to add geographical information such as country and city information as well as latitude-longitude coordinates which are used to plot the source and destination nodes in interactive global maps. The Global Science Registry from the GLORIAD project is used to enrich network flows with organizational information. Elasticsearch serves as the back-end database and search engine. An associated Kibana module handles the data visualization. Markov Chains are used to predict network activity based on past behavior.
   
InSight2’s front-end incorporates user authentication, SSL encryption, and isolation of the dashboard controls from the end user by displaying the dashboards in a modern and unified web-interface that allows the network administrator to show customized information based on user privileges. InSight2 runs under any Linux operating system as a system service. An installer is provided that requires minimal user interaction. InSight2 includes a user guide and a video tutorial to get the users up to speed with installation and usage quickly. Development of InSight2 is supported by the National Science Foundation under Grant No. IRNC-1450959.

Speakers

Angel Kodituwakku

Research Associate III, University of Tennessee
Angel Kodituwakku is currently a PhD candidate in Computer Engineering with a concentration in Cybersecurity at the University of Tennessee, Knoxville. He served as a Research Associate for two years on a project funded by the National Science Foundation. He received his MS in Computer...



Wednesday January 10, 2018 9:00am - 9:30am MST
Presidio III, IV, V

9:30am MST

DNS Analysis at Internet Peering Points
Summary: This talk describes cyber analysis of DNS traffic at the Internet peering points using a streaming data analysis platform and algorithms to create actionable reports in minutes. The implementation is a work in progress after a successful field-based Proof of Concept.
   
   A new design was demanded by the need to:
   • Keep up with the growth of Internet peering circuits and bandwidth
   • Increase the analysis performed on collected DNS metadata records
   • Detect more threat indicators from DNS
   • Report the indicators in minutes with actionable information
   • Deliver those reports to the right stakeholders
   
To meet the requirements, a different approach and a different architecture were needed. We had good success with a central data center in the past, but the cost of scaling it was becoming less attractive. In the existing architecture we had a DNS Collector, similar to a NetFlow collector, at all the peering points. The DNS Collector parsed DNS packets into metadata records and wrote those records into files for transport to the central repository and processing center.
   
We first looked at duplicating the architecture several times, creating several data centers and load balancing the metadata across them. It would scale well but had many operational issues and required multiple levels of analysis.
   
We chose to implement analytics on the network edge in the DNS Collectors. The Collector was updated to a larger server implementing a data in motion (streaming data analysis) platform with the analysis algorithms all running in parallel on separate streams. The Collector architecture went from a single data path to approximately 16 parallel data paths. Each analytical routine generates files which, after white list, block list and interest list filtering are then transported to the central repository for further analysis, selection, correlation and reporting (threat alerts).
   
For the production-network-based Proof of Concept we implemented:
   • DGA detection
   • Tunneling detection
   
Key learnings from our Proof of Concept:
   • More port 53 abuse than we saw before.
     - We divided these into separate file types: Junk and Malformed.
   • Found good records with small anomalies, for which we created new indicators.
   • Found a small percentage of packets that parsed as good DNS records with a few extra bytes added between legitimate fields in the DNS message.
   • There are a good number of applications using port 53 which are not DNS but are not malicious or threats. A whitelist was critical to mitigating the false positives.
   • Volumetric anomaly detection on DNS currently looks effective as a first-order indicator.

Attendees Will Learn:
Attendees will learn how they could use streaming analysis at the network edge combined with a centralized Hadoop data processing center to detect threats, malicious behaviors and anomalies in DNS and report indicators to various stakeholders in minutes.

Attendees will learn some of the security issues seen with DNS at Internet peering. They will learn about machine learning for a detection algorithm and effective training of the model. They will learn that analysis of DNS can be effective and can scale quite large. They will also learn that there are alternatives to simply building a bigger data center.
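The tunneling and volumetric indicators mentioned here, and the DNS exfiltration channels of the earlier "Data Exfiltration" talk, can both be scored from DNS metadata alone. The Python below is an added example for this page, not AT&T's collector code and not the exfiltration talk's tooling. It aggregates three first-order indicators per registered domain: the number of unique subdomains, the character entropy of the subdomain part, and the share of TXT/NULL queries, and applies a whitelist because legitimate services (antivirus lookups, CDNs) also produce many unique names. The log lines are constructed; the thresholds and the "registered domain = last two labels" rule are simplifying assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict


def _hexlabel(seed, n=16):
    """Deterministic hex label standing in for an encoded data chunk (constructed data)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:n]


# Constructed DNS metadata log, one "<ts> <client> <qname> <qtype>" record per line.
_lines = [
    "2018-01-09T10:00:01 10.1.1.5 www.example.com A",
    "2018-01-09T10:00:02 10.1.1.5 mail.example.com A",
    "2018-01-09T10:00:03 10.1.1.7 cdn.example.com A",
]
# One client shipping encoded chunks as TXT queries under tunnel.example.net.
_lines += [
    f"2018-01-09T10:01:{i:02d} 10.1.1.9 {_hexlabel(f'c{i}a')}.{_hexlabel(f'c{i}b')}.tunnel.example.net TXT"
    for i in range(40)
]
# A legitimate lookup service that also yields many unique, high-entropy names.
_lines += [
    f"2018-01-09T10:02:{i:02d} 10.1.1.{10 + i % 20} {_hexlabel(f'h{i}')}.av-lookup.example.org A"
    for i in range(25)
]
SAMPLE_QUERIES = "\n".join(_lines)

WHITELIST = frozenset({"example.org"})  # known high-cardinality but legitimate domains
MIN_UNIQUE_SUBDOMAINS = 20   # volumetric indicator
MIN_MEAN_ENTROPY = 3.0       # bits per character of the subdomain part
MIN_TXT_FRACTION = 0.5       # share of TXT/NULL queries, the usual tunnel carriers


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_qname(qname):
    """(registered domain, subdomain) using a last-two-labels rule.
    Assumption for the example; real code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(log_text):
    """Per registered domain: unique subdomains, mean entropy, TXT/NULL share, query count."""
    subs, ent, txt, total = defaultdict(set), defaultdict(list), Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip it, a collector must not crash on junk
        _, _, qname, qtype = parts
        dom, sub = split_qname(qname)
        subs[dom].add(sub)
        ent[dom].append(shannon_entropy(sub.replace(".", "")))
        total[dom] += 1
        if qtype.upper() in ("TXT", "NULL"):
            txt[dom] += 1
    return {
        dom: {
            "unique_subdomains": len(subs[dom]),
            "mean_entropy": sum(ent[dom]) / len(ent[dom]),
            "txt_fraction": txt[dom] / total[dom],
            "queries": total[dom],
        }
        for dom in total
    }


def detect_tunnels(log_text, whitelist=WHITELIST, min_indicators=2):
    """Registered domains that trip at least `min_indicators` of the three
    indicators and are not whitelisted, sorted by name."""
    flagged = []
    for dom, st in domain_stats(log_text).items():
        if dom in whitelist:
            continue
        hits = (
            (st["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS)
            + (st["mean_entropy"] >= MIN_MEAN_ENTROPY)
            + (st["txt_fraction"] >= MIN_TXT_FRACTION)
        )
        if hits >= min_indicators:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, st in domain_stats(SAMPLE_QUERIES).items():
        print(dom, st)
    print("flagged:", detect_tunnels(SAMPLE_QUERIES))
```

Without the whitelist the lookup service under example.org is flagged too (many unique names, high entropy), which is exactly the false-positive class the Proof of Concept reported; requiring two of three indicators rather than one keeps a single busy A-record domain from tripping on volume alone.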


Speakers

Fred Stringer

Security Systems Engineer/Architect, AT&T
Fred Stringer is an Individual Contributor Engineer in the Threat Intelligence, Analysis and Response Engineering (TIARE) department in AT&T’s Chief Security Office. He is the Architect of the security data acquisition network and the System Engineer defining security analysis tools...



Wednesday January 10, 2018 9:30am - 10:00am MST
Presidio III, IV, V

10:00am MST

Detecting Malicious IPs and Domain Names by Fusing Threat Feeds and Passive DNS through Graph Inference
How can we tell which domain names will soon be used for delivering bad traffic to us from the Internet? Often, we can answer such questions based on the reputation of their digital neighborhood (guilt by association). This talk considers how to use the Belief Propagation Algorithm (BPA) for performing graph inference in a large network of passive DNS data to identify previously unknown malicious IP addresses and domain names from a seed list of ground-truth known good and bad IPs and domains. Specifically, we use BPA on a bipartite graph of IP addresses and domain names to estimate the likelihood that unknown IP addresses or domain names are malicious. IP addresses and domain names constitute the nodes in the network, and edges exist between nodes if the domain name resolved to that IP address at some point. BPA is used to spread this ground-truth data in the network based on the idea that IP addresses or domains connected to known malicious IP addresses or domains are more likely to also be malicious ("birds of a feather flock together").
   
Our work focuses on how to utilize this algorithm on highly-connected graphs, which can result in underflow and bias concerns for some of the BPA computations. Our highly-connected graph is constructed by mining a large (over a terabyte) publicly available data set on IP addresses and associated DNS names. We provide measures on the connectivity of the network and describe the computational concerns that arise in BPA as a result of this connectivity. We test a number of different approaches for handling underflow and bias, and compare their BPA results. Our approaches include software packages for arbitrary precision, exact transformations of computations using logarithm identities, inflation of intermediary computations, and sampling schemes designed to reduce bias. We compare results using measures of BPA’s performance, such as true positive rate and false positive rate, and computational runtime. We conclude with remarks on recommendations and guidance for employing BPA on similar problems and with limited computational resources.

Attendees Will Learn:
Network security analysts routinely collect large volumes of network and application log data, but the analysis of this data is largely unsophisticated. Threat Feeds inundate analysts with tips on malicious IPs and domain names. Our talk will give security analysts a tool to connect the dots and uncover more malicious activity on their network faster and more accurately.
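As an added example (not MITRE's implementation), here is sum-product belief propagation on a small constructed domain/IP graph, written in Python with every message kept in the log domain, so that the product over a node's neighbours becomes a sum and cannot underflow; that is the first of the remedies the abstract lists (the logarithm identities). The homophily value, the seed confidence and the sample graph are assumptions. The sample is tree-shaped, so BP is exact on it; on a real, highly connected passive-DNS graph the same loop runs as loopy BP and the bias concerns the talk raises still apply.

```python
import math
from collections import defaultdict

BENIGN, MALICIOUS = 0, 1
STATES = (BENIGN, MALICIOUS)
HOMOPHILY = 0.6        # assumed P(neighbour shares a node's label): "birds of a feather"
SEED_CONFIDENCE = 0.99  # how much we trust a ground-truth label
LOG_PSI = [[math.log(HOMOPHILY), math.log(1 - HOMOPHILY)],
           [math.log(1 - HOMOPHILY), math.log(HOMOPHILY)]]

# Constructed passive-DNS sample: (domain, ip) pairs meaning "domain resolved to ip".
EDGES = [
    ("evil.example", "198.51.100.1"), ("evil.example", "198.51.100.2"),
    ("evil.example", "203.0.113.9"),
    ("shop.example", "198.51.100.50"),
    ("bad.example", "192.0.2.77"), ("good1.example", "192.0.2.77"),
    ("good2.example", "192.0.2.77"), ("good3.example", "192.0.2.77"),
]
SEEDS = {  # ground truth from threat feeds / allow-lists; every other node starts at 0.5
    "198.51.100.1": MALICIOUS, "198.51.100.2": MALICIOUS, "198.51.100.50": BENIGN,
    "bad.example": MALICIOUS,
    "good1.example": BENIGN, "good2.example": BENIGN, "good3.example": BENIGN,
}


def log_sum_exp(values):
    """log(sum(exp(v))) without overflow or underflow."""
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))


def normalize_log(vec):
    z = log_sum_exp(vec)
    return [v - z for v in vec]


def log_prior(node, seeds):
    if node not in seeds:
        return [math.log(0.5)] * 2
    p = [1 - SEED_CONFIDENCE] * 2
    p[seeds[node]] = SEED_CONFIDENCE
    return [math.log(x) for x in p]


def belief_propagation(edges, seeds, iterations=50, tol=1e-6):
    """Sum-product BP on the bipartite domain/IP graph, in the log domain.
    Returns {node: P(malicious)}.  The product over a node's neighbours is a
    sum of logs here, so a node with thousands of edges does not underflow."""
    nbrs = defaultdict(set)
    for dom, ip in edges:
        nbrs[dom].add(ip)
        nbrs[ip].add(dom)
    prior = {n: log_prior(n, seeds) for n in nbrs}
    msgs = {(i, j): [math.log(0.5)] * 2 for i in nbrs for j in nbrs[i]}  # log m_{i->j}(x_j)
    for _ in range(iterations):
        new, delta = {}, 0.0
        for i, j in msgs:
            # evidence at i from its prior and every neighbour except j
            inc = [prior[i][x] + sum(msgs[(k, i)][x] for k in nbrs[i] if k != j) for x in STATES]
            out = normalize_log([log_sum_exp([inc[xi] + LOG_PSI[xi][xj] for xi in STATES]) for xj in STATES])
            delta = max(delta, max(abs(a - b) for a, b in zip(out, msgs[(i, j)])))
            new[(i, j)] = out
        msgs = new
        if delta < tol:
            break
    beliefs = {}
    for n in nbrs:
        b = normalize_log([prior[n][x] + sum(msgs[(k, n)][x] for k in nbrs[n]) for x in STATES])
        beliefs[n] = math.exp(b[MALICIOUS])
    return beliefs


def rank_unknowns(beliefs, seeds):
    """Unseeded nodes, most likely malicious first."""
    return sorted((n for n in beliefs if n not in seeds), key=lambda n: -beliefs[n])


if __name__ == "__main__":
    b = belief_propagation(EDGES, SEEDS)
    for n in rank_unknowns(b, SEEDS):
        print(f"{n:16s} P(malicious)={b[n]:.3f}")
```

In the sample, evil.example (two known-bad resolutions) comes out at about 0.69, the unknown IP it also resolved to at about 0.54, and the shared hosting address 192.0.2.77 (one bad domain, three good ones) at about 0.31, which shows the algorithm weighing evidence rather than tainting everything a bad node touches.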

Speakers

Eric Harley

Cyber Security Researcher, Mitre
Eric Harley is a Cyber Security Researcher at The MITRE Corporation in McLean, VA. Mr. Harley leverages his academic background in statistics and high performance computing to advance new analytic techniques for detecting and containing sophisticated cyber adversaries. He has an MSE...

Emily Heath

Sr. Cyber Security Engineer, Mitre
Dr. Emily Heath is a Senior Cyber Security Engineer at the MITRE Corporation. Her primary research interests are in optimization, machine learning, and analytics, with a focus on applications to problems in cyber security. While at MITRE, she has worked on advanced cyber security...



Wednesday January 10, 2018 10:00am - 10:30am MST
Presidio III, IV, V

10:30am MST

Break
Wednesday January 10, 2018 10:30am - 11:00am MST
Presidio I & II

11:00am MST

KEYNOTE: Trust, but Verify

Marcel van den Berg will highlight recent and historic examples of botnets, and examine how combining different datasets helps to provide a more complete picture. In this highly visual talk, the keynote will include a look at the recent IoT Reaper and IoT Satori botnet activity, and describe how darknet data can help us better understand this type of threat.


Speakers

Marcel van den Berg

Senior Research Fellow, Team Cymru
Marcel van den Berg is a Senior Research Fellow at Team Cymru who has been investigating cyber crime and Internet threats for the past 17 years. At Team Cymru, a non-profit Internet security research firm, Marcel works to keep organizations and the Internet in general safe. When not analyzing threats, Marcel spends his time researching new te...


Wednesday January 10, 2018 11:00am - 12:00pm MST
Presidio III, IV, V

12:00pm MST

Lunch
Wednesday January 10, 2018 12:00pm - 1:30pm MST
Turquoise III

12:30pm MST

Lunch Table Talk - "How to be a Savvy Machine Learning Consumer"

Over the past few years, the number of network protection technologies that purport to include machine learning (ML) based features has grown exponentially. Unfortunately, most people in purchasing positions for network defense software are unfamiliar with the field of ML. Oftentimes it can be difficult to tell how effectively the software is applying ML, what types of ML are being applied, and whether the software really includes ML at all. On the other side of the spectrum, correctly applied ML can look like magic, and sometimes a healthy dose of skepticism prevents companies from purchasing and applying valid capabilities that can significantly benefit their organization.

This talk aims to help you become an educated ML consumer. We’ll discuss what constitutes ML and what doesn’t and what types of ML you should expect to see. We’ll give a brief overview of different types of ML capabilities. This will be followed up with a discussion on what capabilities you can expect from different types of software, as well as what may be overselling capabilities. By the end of this discussion I hope that you have a better understanding regarding how ML can (and should!) help you monitor and secure your network.

Note that we will not be reviewing or recommending specific packages, but rather looking at the field as a whole.


Speakers

Eliezer Kanal

Technical Manager, CERT Division - Software Engineering Institute
Eliezer Kanal is a technical manager at CERT who focuses on applying machine learning techniques to the cybersecurity domain. His team contributed to a wide variety of projects, including statistical visualization tools to assist with malware reverse engineering, metrics for the efficacy...


Wednesday January 10, 2018 12:30pm - 1:00pm MST
TBA

1:30pm MST

How to Hunt for Lateral Movement on Your Network
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
   
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
   
Data science is particularly hard in the security domain because of the lack of labeled data and the rate of evolution. Clear examples of attacks are rare, and even with examples there are no guarantees that the next attack will have similar enough characteristics to make training useful. This limits the utility of traditional supervised learning. With the rate of benign events there is also an extreme dependence on low false positive rates that exceeds many other domains. By structuring our approach to follow TTPs in an attack chain we can leverage a semi-supervised technique that combines unstructured anomaly detection with pattern matching. This allows our technique to automatically adapt to variable field conditions to reduce false positives while detecting a broad set of TTP-related behaviors. Our lateral movement detector applies this general strategy by combining multivariate Bayesian-trained classifiers with a message passing algorithm for graph pattern search.
   
In this session, you’ll learn:
  •   How lateral movement works and why attackers carry it out
  •   Which datasets you can use to reliably hunt for it
  •   Common indicators that will often signal evidence of lateral movements
  •   Data science techniques that can be used to help automate its detection

Attendees Will Learn:

As Threat Hunting becomes the prominent proactive security activity for Security Operations across the world, many organizations don’t know where to start or how. In this presentation, we will show the attack stages, the defensive side, and show the data science tools and techniques we use to detect these types of activities. This methodology can be applied to multiple scenarios and attacks and will be something attendees can bring back with them after the conference.


Speakers

Adam Fuchs

Chief Technology Officer, Sqrrl
As the Chief Technology Officer and co-founder of Sqrrl, Adam Fuchs is responsible for ensuring that Sqrrl is leading the world in Big Data Infrastructure technology. Previously at the National Security Agency, Adam was an innovator and technical director for several database projects...

Ryan Nolette

Security Technologist, Sqrrl
Ryan is Sqrrl's primary security technologist and expert. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With over a decade in the infosec field, Ryan has been on the product and operations...



Wednesday January 10, 2018 1:30pm - 2:00pm MST
Presidio III, IV, V

2:00pm MST

Identification of Malicious SSL Networks by Subgraph Anomaly Detection
Sophisticated attackers use SSL to secure communications to command-and-control domains or provide their clients with secure hosting infrastructure. The goal of this talk is to describe methods to automatically detect threats from SSL scan data without relying on prior seeds. We present a series of statistical graph techniques that allow us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns from open source data.

SSL data obtained from scanning the entire IPv4 namespace can be represented as a 4-million-node bipartite graph where an x509 common name is connected to an IP, CIDR or ASN via an edge. The challenge we face is to identify common names that are attached to a malicious subgraph of the larger ASN-CommonName graph. The identification of malicious subgraphs involves splitting the graph into its component pieces and then performing tests of similarity between the various subgraphs. The subgraph comparison requires constructing a distance metric. We use the concept of relative entropy to create a pairwise distance metric between any two common names and any two ASNs. The metric allows us to generalize the concept of regular and anomalous SSL distribution patterns.

Consequently, by setting relative entropy thresholds we can identify anomalous SSL certificates. The measure of relative entropy is useful in identifying domains that have anomalous network structures. The domains we found in this case were related to the Zbot proxy network. The Zbot proxy network has a structure similar to popular CDNs like Akamai, Google, fbcdn, etc., but instead relies on compromised devices to relay its data. We provide evidence collected over a 5 month period that this anomalous network structure is unique to botnets and can be used as a signal for identification. Layering these SSL signals with passive DNS data we create a pipeline that can extract Zbot domains with high accuracy.

Attendees will learn:

Attendees will learn about the current ways malicious operators use SSL to secure their command-and-control and IP infrastructure. This includes how bulletproof hosters use SSL to host carding websites and ZBot operators use SSL to protect their C2C servers. They will also learn techniques that are useful for identifying anomalous subgraphs found within a bipartite graph. The algorithms discussed in this talk are not unique to SSL and can be applied to other heavily network intensive datasets.
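The relative-entropy distance can be illustrated on a toy version of the common-name to ASN graph. The Python below is an added example, not the Cisco Umbrella pipeline: each common name's certificate count per ASN becomes a smoothed probability distribution, the pairwise distance is the symmetrised KL divergence, and a common name is reported when its nearest neighbour is far away and its own ASN distribution is spread wide (a proxy mesh over many residential ASes, as opposed to a single certificate on an unusual AS, which is just as far from everything else). All names, AS numbers, counts and thresholds are constructed.

```python
import math

# Constructed SSL-scan sample: for each x509 common name, how many scanned IPs
# presented it, broken down by the AS the IP sits in.  Names and AS numbers are made up.
CN_TO_ASN = {
    "cdn-a.example": {"AS1": 40, "AS2": 35, "AS3": 25},
    "cdn-b.example": {"AS1": 30, "AS2": 40, "AS3": 30},
    "cdn-c.example": {"AS1": 50, "AS2": 25, "AS3": 25},
    "shop.example": {"AS4": 10},
    "blog.example": {"AS4": 8, "AS5": 2},
    "lonely.example": {"AS42": 5},
    "proxy-node.bad.example": {"AS10": 3, "AS11": 2, "AS12": 4, "AS13": 1, "AS14": 2,
                               "AS15": 3, "AS16": 1, "AS17": 2, "AS18": 1, "AS19": 3},
}
ALPHA = 0.5  # additive smoothing: KL is undefined where q is zero and p is not


def smoothed_distribution(counts, support):
    """Probability of each ASN in `support` for one common name, with add-alpha smoothing."""
    total = sum(counts.values()) + ALPHA * len(support)
    return {a: (counts.get(a, 0) + ALPHA) / total for a in support}


def kl_divergence(p, q):
    """Relative entropy D(p || q) in nats."""
    return sum(p[a] * math.log(p[a] / q[a]) for a in p)


def symmetric_kl(p, q):
    """Jeffreys divergence: a symmetric distance built from the two KL terms."""
    return kl_divergence(p, q) + kl_divergence(q, p)


def asn_entropy(counts):
    """How widely a common name is spread over ASNs, in bits (0 for a single AS)."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_common_names(cn_to_asn):
    """For each CN: distance to its nearest-neighbour CN, and its own ASN spread."""
    support = sorted({a for counts in cn_to_asn.values() for a in counts})
    dists = {cn: smoothed_distribution(c, support) for cn, c in cn_to_asn.items()}
    scores = {}
    for cn, p in dists.items():
        nearest = min(symmetric_kl(p, q) for other, q in dists.items() if other != cn)
        scores[cn] = {"nn_distance": nearest, "asn_entropy": asn_entropy(cn_to_asn[cn])}
    return scores


def anomalous_common_names(cn_to_asn, min_distance=1.0, min_entropy=2.0):
    """CNs whose ASN footprint resembles no other CN *and* is spread across many ASNs.
    The second condition separates a proxy mesh from a one-off certificate on an
    unusual AS, which is equally far from everything else but is not a network."""
    scores = score_common_names(cn_to_asn)
    return sorted(cn for cn, s in scores.items()
                  if s["nn_distance"] >= min_distance and s["asn_entropy"] >= min_entropy)


if __name__ == "__main__":
    for cn, s in score_common_names(CN_TO_ASN).items():
        print(f"{cn:24s} nn_distance={s['nn_distance']:.2f} asn_entropy={s['asn_entropy']:.2f}")
    print("anomalous:", anomalous_common_names(CN_TO_ASN))
```

The three CDN-like names sit close to one another (distance well under 1), shop and blog pair up on the same hosting AS, lonely.example is far from everything but has zero spread, and only the proxy mesh trips both conditions. Pairwise distance is quadratic in the number of common names, so on a 4-million-node graph the splitting into components that the abstract describes has to happen before this comparison.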

Speakers

Dhia Mahjoub

Head of Security Research, Cisco Umbrella
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with...

Thomas Mathew

Security Research - Data, Cisco Umbrella
Thomas Mathew is a Senior Security Researcher at Cisco Umbrella (OpenDNS) where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats...



Wednesday January 10, 2018 2:00pm - 2:30pm MST
Presidio III, IV, V

2:30pm MST

Tactical Threat Map: Methodology for Tracking and Documenting Cyber Campaigns

The Tactical Threat Map (TTM) is a collective behavioral profile of Determined Human Actors (DHA) and their associated cyber campaigns. It is an analytical and reporting methodology developed by analysts on the NCCIC (National Cybersecurity & Communications Integration Center) HIRT (Hunt & Incident Response Team) to support the tracking and documentation of campaigns that stretch across multiple disparate locations. The desired outcome was to centralize and consolidate large quantities of forensic data (host and network based) from these disparate sites that were collected during onsite incident response engagements. The fundamental concepts that encompass the TTM are the ability to preserve context around Indicators of Compromise (IOCs), the capacity to map complex intrusion sets and their behavioral TTPs, and the capability to visualize incident response data that is meaningful to both analysts and leadership alike.


Speakers

Casey Kahsen

Northrop Grumman
Casey has over 8 years of experience in digital forensics and cyber operations. He has been supporting the Department of Homeland Security with Northrop Grumman for over three years. During this time he has supported projects including cyber hygiene and threat reporting, automated...


Wednesday January 10, 2018 2:30pm - 3:00pm MST
Presidio III, IV, V

3:00pm MST

Demo and Poster Session

Wednesday January 10, 2018 3:00pm - 5:00pm MST
Presidio I & II
 
Thursday, January 11
 

8:00am MST

Breakfast
Thursday January 11, 2018 8:00am - 9:00am MST
Turquoise III

8:00am MST

Registration
Thursday January 11, 2018 8:00am - 2:45pm MST
Presidio Desk

9:00am MST

Identifying Anomalies in Bipartite Network Data
Graph analysis can capture relationships between IPs and can be used to identify and rank anomalous IPs from NetFlow data. If NetFlow data is collected at the edge of the network, as is often the case, the internal and external roles of IPs and the relationships between them are either unknown or incomplete. Inferred relationships between the external IPs can add context that provides insight into the coordination between the nodes.

This paper will focus on scalable and flexible techniques for applying graph analytics on various types of logs that have bipartite structure, as well as methodologies to further narrow returned results to anomalous/outlier cases that may be indicative of a cyber security event. Examples of this type of data include internal/external IP addresses, client-server data, and/or user-service data. Operational use-cases that leverage these techniques with bro logs conn view, SMTP view, RDP view, and Kerberos view will be presented. A specific use case with internal/external IP flow data is the ability to identify IPs and infer their roles that are involved in Distributed Denial of Service (DDOS) attack where a large number of nodes are synchronized to collectively send small packets to a target service. These nodes often send small enough packets to make it past firewall and intrusion detection system barriers to disrupt a service that is provided by the network. Project Chanology conducted by Anonymous [1], Project Rivolta conducted by Mafiaboy [2], and the attack on the website of the Georgian President by Russia in 2009 [3] are examples of famous DDOS attacks on enterprise, high-profile networks.

The specific algorithms presented that infer relationships and highlight anomalous IPs or users, henceforth referred to as nodes, include unipartite graph projections, community detection, page rank, and other first order graph features. The nearest neighbor algorithm is used to identify the most anomalous nodes in a particular community or across an entire network. A novel framework for building directional graphs from unipartite graph projections first infers the relationships between the nodes. Community detection is then used to identify groups of nodes that are more similar to each other than the rest of the network. Finally, first order graph features such as page rank, projected degree, and community size are fed to the nearest neighbor algorithm to identify anomalous nodes across the network. Post-processing methods on the set of anomalous nodes discovered in this manner to develop explanations of the anomalies will also be presented.

Attendees Will Learn: Automated methods to identify anomalies in cyber networks with data collected at the edge of a network (or other bipartite network)

Speakers

Mohammed Eslami

Chief Data Scientist, Netrias, LLC
Dr. Eslami is currently the Chief Data Scientist and Co-Founder of Netrias, which provides data science solutions in cyber security and the life sciences. He is a performer on DARPA’s Network Defense program that seeks to develop distributed machine learning algorithms to identify anomalies...



Thursday January 11, 2018 9:00am - 9:30am MST
Presidio III, IV, V

9:30am MST

EternalBlue and You: Detecting & Trending SMB Vulnerabilities and Exploitation Activity
The Server Message Block (SMB) protocol had a big year in 2017. While a fairly ubiquitous networking protocol with a long history of vulnerabilities and best-practice guidance, it came to the forefront of headlines when the Shadow Brokers group released EternalBlue, an exploit that takes advantage of a vulnerability in Microsoft’s SMBv1 server implementation. EternalBlue gained notoriety during the record-breaking WannaCry ransomware attack and later through its use in the Petya/NotPetya ransomware attacks. Are we vulnerable to such attacks? Are we being targeted, and do we have any current infections? What can we do to ensure our infrastructure is protected from these threats? These are all questions that immediately come to mind for IT managers and network defenders. The NCCIC/US-CERT Technical Analysis Branch leveraged the National Cybersecurity Protection System (NCPS), better known as EINSTEIN, to answer these questions for U.S. Federal Government entities.

This presentation will begin with an overview of EternalBlue and the prominent campaigns in which it was used. Next we will present the analysis methodology that we employed, leveraging netflow to profile SMB traffic and identify potentially vulnerable SMB servers. We will also discuss content-based network traffic analysis and how we detected and trended this threat activity. Finally, we will discuss ways to protect yourself from future SMB exploits and lessons-learned.
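Profiling SMB from flow data, as the abstract describes, can be sketched in a few lines. The Python below is an added example, not the EINSTEIN analysis or any US-CERT tooling: from constructed NetFlow-style records it lists internal hosts that served an established TCP/445 session to an external client (the population worth checking for SMBv1, since flow data shows only that port 445 is reachable and answering, not which dialect is negotiated), and external sources sending SYN-only probes to 445 across many internal hosts. The address ranges, the flag-letter convention and the records themselves are assumptions.

```python
import ipaddress
from collections import defaultdict

# Address space we defend; everything else is "external".  Assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed unidirectional flow records: (sip, dip, sport, dport, proto, tcp_flags, packets).
# Flag letters follow the usual S/A/P/F/R convention for SYN/ACK/PSH/FIN/RST.
FLOWS = [
    # an external client completes a session with an internal SMB server, both directions seen
    ("203.0.113.5", "10.0.0.20", 51000, 445, 6, "SAPF", 40),
    ("10.0.0.20", "203.0.113.5", 445, 51000, 6, "SAPF", 38),
    # ordinary internal file sharing: must not count as Internet exposure
    ("10.0.0.31", "10.0.0.20", 52000, 445, 6, "SAPF", 100),
    ("10.0.0.20", "10.0.0.31", 445, 52000, 6, "SAPF", 95),
    # a host that only answered with a RST is not serving SMB
    ("203.0.113.5", "10.0.0.21", 51001, 445, 6, "S", 1),
    ("10.0.0.21", "203.0.113.5", 445, 51001, 6, "RA", 1),
]
# a scanner sweeping 445 across a /24 with single SYNs and no replies
FLOWS += [("198.51.100.77", f"10.0.1.{i}", 40000 + i, 445, 6, "S", 1) for i in range(1, 31)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_smb_servers(flows):
    """Internal hosts that answered an external client on TCP/445 with an
    established session (ACK and payload seen, no RST).  These are the
    candidates for EternalBlue exposure; whether they still accept SMBv1
    takes content inspection, which flow records cannot provide."""
    servers = set()
    for sip, dip, sport, dport, proto, flags, _ in flows:
        if proto == 6 and sport == 445 and is_internal(sip) and not is_internal(dip):
            if "A" in flags and "P" in flags and "R" not in flags:
                servers.add(sip)
    return sorted(servers)


def smb_scanners(flows, min_targets=10):
    """External sources sending SYN-only probes to TCP/445 on many distinct internal hosts."""
    targets = defaultdict(set)
    for sip, dip, sport, dport, proto, flags, pkts in flows:
        if proto == 6 and dport == 445 and flags == "S" and not is_internal(sip) and is_internal(dip):
            targets[sip].add(dip)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    print("exposed SMB servers:", exposed_smb_servers(FLOWS))
    print("SMB scanners:", smb_scanners(FLOWS))
```

The server check keys on the reply direction (source port 445 with ACK and PSH set) rather than on the client's SYN, so a host that merely exists behind an open firewall rule but resets the connection is not reported; the scanner check counts distinct internal targets, which is what separates a sweep from a single failed connection.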

Speakers

Kevin Breeden

Network Security Analyst, Northrop Grumman
Kevin Breeden is a network security analyst currently supporting the United States Computer Emergency Readiness Team (US-CERT) Network Analysis branch. Kevin's primary responsibilities are network traffic analysis through various proactive and reactive analysis techniques centered...


Thursday January 11, 2018 9:30am - 10:00am MST
Presidio III, IV, V

10:00am MST

Break
Thursday January 11, 2018 10:00am - 10:30am MST
Presidio I & II

10:30am MST

The Future of Cybersecurity Needs Eyes and AIs on the Inside
This presentation will address why and how enterprises need to shift focus from the edges and endpoints of their network to the inside of their network. This is where adversaries are able to do the most damage, and where security teams’ capabilities to detect and expel are currently extremely limited.
   
The volume, complexity and uniqueness of the internal data environment exceed human capabilities. However, this rich data can serve as the foundation for the application of artificial intelligence to surface malicious behavior and enhance security teams’ ability to investigate and thwart cyber threats.
   
AI establishes an understanding of “network normal” behavior, then identifies the sets of behaviors that adversaries must use, but which are statistically improbable for legitimate users and systems to accidentally perform in the course of normal operations. Applying AI within this adversary mission-focused framework enables organizations to cut through network noise and highlight only the critical threats that warrant immediate investigation.
   
Instead of manually sifting through alerts or even packets, security professionals can see the whole picture of an adversary’s campaign. By focusing human analysts on deciding how best to confront threats, security teams significantly amplify their ability to get positive results and protect their businesses without corresponding increases in staffing or other expensive resources.
   
The addition of AI to provide visibility and correlation across all systems promises to be the greatest opportunity for network defenders to take back the upper hand against adversaries now and into the future.

Attendees Will Learn:
Attendees will gain a broad understanding of how AI-powered analysis of internal network traffic can complement and enhance the ability of experienced humans to successfully investigate and mitigate cyber threats.
   
Three basic concepts for improving security operations will be introduced:
   
   (1) The use of AI to establish a dynamic understanding of “network normal” behavior specific to your environment
   (2) The use of AI for detection and cross-data-source correlation of suspicious behaviors in that environment
   (3) How a mission-focused framework dramatically reduces false positives and highlights only the critical threats that warrant immediate investigation

Speakers
Jason Kichen

Director of Cybersecurity Services, Versive
Mr. Jason Kichen serves as the Director of Cybersecurity Services at Versive, formerly known as Context Relevant. Mr. Kichen had a 13-year career as an intelligence officer at the Department of Defense and in the intelligence community as an expert in technical and offensive cyber...


Thursday January 11, 2018 10:30am - 11:00am MST
Presidio III, IV, V

11:00am MST

Eliminating Barriers to Automated Tensor Analysis for Large-scale Flows
ENSIGN is a high-performance tensor decomposition suite that enables the unsupervised discovery of deep patterns in multidimensional network metadata. Operating for the past three years in the Security Operations Center (SOC) at SCinet – the large-scale research network stood up each year in support of Supercomputing (SC) – ENSIGN has analyzed metadata collected for more than one billion flows. From that data, ENSIGN has separated normal and off-normal patterns in a way that has led to the discovery of anomalous or alarming behavior, including:
   
   * Distributed port scans evolving to machine takeover
   * DNS-based data exfiltration/insider threat
   * Abuse of control and/or backchannel message streams
   * Network policy violations
   * Exploitation of application-specific port vulnerabilities
   * Patterns of traffic indicative of scans for printers or IoT devices
   * Broken and/or misconfigured network services
   
Tensor decompositions represent a new paradigm in network threat identification – one where pattern discovery is the starting point rather than the end goal of the analysis. In this presentation, we move beyond exploratory proof-of-concept experiments and present progress toward an automated tensor-based cyber analytics workflow. We address three critical barriers to practical deployment. First, we describe the development of a library of cyber tensors. This consolidated knowledge on tensor formation transforms decomposition methods from an approach based on accidental discovery to an approach that intentionally covers a range of detectable behavior. Second, we introduce a streaming decomposition method. This capability permits nearer to real-time updates of decompositions and tightens the analysis loop for the discovery of emergent behavior. Finally, we present an approach to automating classification of tensor components (discovered patterns). Component overload is a critical barrier to application for large-scale flows. Automating the classification process means that threat hunting can begin from coherent, prioritized, actionable reports. Taken together, these innovations represent a significant maturation of tensor methods - in scale, timeliness, and usability - bringing the approach closer to meeting the needs of enterprise environments.
   
This end-to-end workflow builds on R-Scope, a scalable and hardened network security sensor, and Splunk as a metadata access store. We show how this combination of ENSIGN and R-Scope with automation, classification, and search support provides a powerful workflow capable of assisting network security professionals in capturing and visualizing – and ultimately comprehending – the patterns contained within the vast volumes of traffic on a large-scale network.

Attendees Will Learn:
Attendees will receive an introduction to tensor decompositions as a tool for network flow analysis. This will include insight into tensor methods as a rapidly evolving technology - one that provides an approach to unsupervised machine learning that discovers coherent patterns and is well-suited to rich network metadata. Attendees will also gain an understanding of recent progress toward addressing barriers to deploying the technology in enterprise environments. The intent is to improve security operations by informing professionals of the current state-of-the-art as a way to foster feedback on, and engagement with, tensor methods as a complement to existing threat hunting approaches.

Speakers
James Ezick

Associate Directing Engineer, Reservoir Labs
James Ezick is the lead for Reservoir's Analytics, Reasoning, and Verification Team. Since joining Reservoir in 2004, he has developed solutions addressing a broad range of research and commercial challenges in verification, compilers, cyber security, software-defined radio, high-performance...

Thursday January 11, 2018 11:00am - 11:30am MST
Presidio III, IV, V

11:30am MST

Lunch
Thursday January 11, 2018 11:30am - 1:00pm MST
Turquoise III

12:00pm MST

Lunch Table Talk - "A Model of Analytic Development: Structure and Application"
This presentation walks through a three-part model of analytic development and applies it to a series of analytic problems. The first part is single-path development, directly suited to triage and incident-response-related problems, where query and summarization provide a focused series of results. The second part is multi-path development, where different pools of data must be separately queried and analyzed, then integrated into the results of interest – a process which is more suited to capabilities estimation, both on the aggressive and defensive sides. The third part is exploratory development, where dynamic associations must be constructed and applied in both a conditional and iterative manner to isolate behavior of interest – a process which is more suited to identification of unknown threats and clarifying new network behaviors. Through a series of examples, ranging from network flow data, network inventory data, and passively-collected domain data, this presentation will both clarify this model and apply it to several sorts of data relevant to network security. Taken together, this model provides a structure by which the effort involved in analytic development can be regularized and organized. Such structure can permit application of maturity models, whereby more predictable, repeatable, and manageable effort can be applied. It can also identify cases where the currently-established processes may not be sufficient to meet the need in analytical development.

What will attendees learn?
The presentation will aid attendees by providing a structure in which the effort involved in developing analytics can be scoped, structured, and tracked. This will help to make this effort more organized and more manageable.


Speakers
Timothy Shimeall

The only person to make 11 consecutive appearances at FloCon, Tim Shimeall is the Senior Network Situational Awareness Analyst of the CERT Program at the Software Engineering Institute (SEI). Shimeall is responsible for the development of methods to support decision making in security...


Thursday January 11, 2018 12:00pm - 12:30pm MST
Agave I

1:00pm MST

Multi-Dimensional Network Anomaly Detection with Machine Learning

With the growth in the amount of network traffic and the increased sophistication of network-based attacks such as DDoS, Botnets, and advanced persistent threats, identifying and responding to all possible threats can be overwhelming for security analysts. Furthermore, the multi-dimensional nature of network traffic makes it difficult for analysts to accurately identify and rank the most important threats using each network source in isolation.  

Detecting advanced threats requires correlating observations of multiple types of data including DNS, Flow, HTTP, TLS, etc.  No single data type is sufficient on its own. However, as we combine more types of data, there are more variables to search for correlation, individually and in combination. This "curse of dimensionality" can result in faulty statistical reasoning leading to an increase in false positives and missed opportunities to identify and stop threats.

In this talk, we describe how recent multi-dimensional anomaly detection algorithms from machine learning can be used to combine traffic from multiple sources while addressing the curse of dimensionality. Then, using an open-source platform of YAF, Apache Spark, and Apache Spot (incubating), we show how these algorithms can be used to provide effective focus for analysts and improve network outcomes.

Attendees will learn:
Attendees will be introduced to the state of the art in machine learning anomaly detection and gain some insight into techniques to limit the errors of statistical approaches.

Speakers
Randy Caldejon

CTO & Co-Founder, CounterFlow AI, Inc.
As CTO of CounterFlow AI, Randy Caldejon leads the company's innovation and product development. Prior to CounterFlow, Randy was the CTO of Enterprise Forensics at FireEye. He is a widely-respected authority in network security monitoring and sensor technology. A military veteran...

Andrew Fast

Chief Data Scientist, CounterFlow AI, Inc
Andrew Fast is the Chief Data Scientist and co-founder of CounterFlow AI, where he leads the implementation of streaming machine learning algorithms on CounterFlow AI's ThreatEye cloud-native analytics platform for Encrypted Traffic Analysis. Previously, Dr. Fast served as the Chief...

Thursday January 11, 2018 1:00pm - 1:30pm MST
Presidio III, IV, V

1:30pm MST

Automated Detection and Analysis of IoT Network Traffic Through Distributed Open Source Sensors and Citizen Scientists

The Internet of Things (IoT) is revolutionizing how we think of computing. Between home automation and wearable technology, more and more low-power devices are being deployed at an accelerated rate. Unfortunately, it seems we have not learned from the security mistakes of the past. Major attacks like the Mirai botnet were possible because of simple mistakes in software design. As the market has not yet reacted to demand that security be built in from the ground up, what can we do to protect the IoT?

This talk will cover securing the Internet of Things (IoT) through network based detection leveraging low cost distributed sensing, machine learning and citizen scientists. The platforms, communications and use cases of IoT are varying enough that traditional IDS signatures are not the right solution. Behavioral based approaches will be required to catch the ever-changing attacks on the IoT.

By using citizen scientists to deploy open-platform sensors, users can help to detect and monitor IoT threats in real time. By empowering the citizen scientist through local visualization performed on an interactive touch screen on the sensor, we can create more situational awareness around the security of their networks.

Through the collection of NetFlow, DNS and IP reputation data at the sensor, initial triage is performed before being sent to a cloud based machine learning environment.  The machine learning environment is also fed information from a system of distributed IoT honeypots to ensure attack data is continually analyzed by the cloud.

Through this system we will secure end users' IoT devices and create additional awareness around information security. The data is also available to researchers to assist in additional study.

Attendees will learn: This talk will challenge security researchers to think outside the box of our research community and how we can better work to educate end users about security issues.


Speakers
Joe McManus

Professor, University of Colorado
Joe McManus is an expert in the field of information security with years of experience in research and industry. Joe leads the Network Security masters program in the ITP department at CU Boulder. Prior to joining ITP, Joe was a researcher at CERT, part of the Software Engineering...

Thursday January 11, 2018 1:30pm - 2:00pm MST
Presidio III, IV, V

2:00pm MST

CyGraph: Big-Data Graph Analysis and Visualization for Cybersecurity and Mission Resilience
Because of complex interdependencies among networked systems, risks associated with individual hosts, vulnerabilities, and events should not be considered in isolation. Moreover, complex mission systems and systems-of-systems are deployed across a multitude of networked cyber assets. In such contexts, both the likelihood and impact aspects of cyber risk are not determined by individual hosts, threats, vulnerabilities, or alerts. Rather, they are emergent properties of the patterns of relationships among such entities.

MITRE’s CyGraph is a methodology and tool for improving network security posture, maintaining situational awareness in the face of cyberattacks, and focusing on protection of mission-critical assets. Employing a multi-relational property graph formalism, CyGraph combines data from numerous sources to build a unified graph representation for network infrastructure, security posture, cyber threats, and mission dependencies. This forms an enterprise resilience knowledge base for remediating attack vulnerability paths and responding to intrusion events, focused on protecting mission-essential cyber assets. We leverage our previous work in topological vulnerability analysis for mapping known vulnerability paths through a network, along with capabilities for mapping enterprise mission dependencies on cyber assets. We then extend this by discovering and prioritizing risky multi-step patterns among traffic flows, alerts, and vulnerabilities.

CyGraph leverages big-data NoSQL graph database technology to capture the complex and large-scale relationships among entities in the cybersecurity domain. It employs graph queries for identifying risky patterns with prioritization of the matched subgraph clusters. Domain-specific CyGraph Query Language (CyQL) is compiled to the query language native to the backend graph database. CyGraph provides interactive graph visualization in the browser for navigating the results of CyQL queries. In this way, CyGraph discovers and prioritizes risky patterns among multi-step relationships in network data, and guides proactive remediation and reactive mitigation. CyGraph analytic queries support use cases such as prioritizing vulnerability paths for remediation and responding to intrusion incidents, while focusing on the protection of key cyber assets.

Attendees will learn:
Combining data from disparate sources into a unified graph knowledge base provides powerful capabilities for cyber risk assessment and analysis of system, mission, and enterprise resilience. For example, security professionals can apply such a knowledge base for mapping vulnerability paths, understanding mission dependencies on cyber assets, and detecting multi-step patterns of risk among traffic flows, alerts, and vulnerabilities. The combination of NoSQL graph database technology with domain-specific query language and interactive graph visualization provides a flexible and scalable solution for graph-centric cyber analytics.

Speakers
Steven Noel

Cybersecurity Researcher, MITRE
Dr. Steven Noel is a researcher in MITRE’s Cyber Security Technical Center. He supports a range of government sponsors, both civilian and military, particularly in the areas of cyber situational awareness, cyber resilience engineering, mission mapping, graph analytics, visualization...

Thursday January 11, 2018 2:00pm - 2:30pm MST
Presidio III, IV, V

2:30pm MST

Conference Close
Speakers
Sam Salinas

Co-Chair, CMU
I am the FloCon 2018 Co-Chair. Let me know how I can help you!


Thursday January 11, 2018 2:30pm - 2:45pm MST
Presidio III, IV, V