Botconf 2018 Talks
Keynote(s)
- Colonel Jean-Dominique NOLLET, Head of the C3N – Gendarmerie’s national cybercrime fighting unit
- “Chess with Pyotr”, Tillmann WERNER and Brett STONE-GROSS
Presentations
- [Paper] “Swimming in the Cryptonote Pools”, Emilien LE JAMTEL, CERT-EU
- [Paper] “Code Cartographer’s Diary”, Daniel PLOHMANN, Steffen ENDERS and Elmar PADILLA
- [Paper] “In-depth Formbook Malware Analysis”, Rémi JULLIAN
- [Paper] “Collecting Malicious Particles from Neutrino Botnets”, Jakub SOUČEK, Jakub TOMANEK and Peter KÁLNAI
- [Paper] “Automation and structured knowledge in Tactical Threat Intelligence”, Ronan MOUCHOUX and Ivan KWIATKOWSKI
- “Hunting for Silence”, Rustam MIRKASYMOV
- “Internals of a Spam Distribution Botnet, Jose Miguel ESPARZA
- “The Dark Side of the ForSSHe”, Romain DUMONT and Hugo PORCHER
- “Mirai: Beyond the Aftermath”, Rommel JOVEN, David MACIEJAK and Jasper MANUEL
- “Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features”, Piotr BIAŁCZAK
- “Stagecraft of Malicious Office Documents – A Look at Recent Campaigns”, Dr. Nirmal SINGH
, Deepen DESAI and Tarun DEWAN - “Let’s Go with a Go RAT!”, Yoshihiro ISHIKAWA and Shinichi NAGANO
- “Judgement Day”, Thomas SIEBERT
- “Tracking Actors through their Webinjects”, James WYKE
- “Triada: the Past, the Present and the (Hopefully not Existing) Future”, Łukasz SIEWIERSKI
- “The Snake Keeps Reinventing Itself”, Matthieu FAOU and Jean-Ian BOUTIN
- “How many Mirai variants are there?”, Ya LIU and Hui WANG
Short presentations
- [Paper] “APT Attack against the Middle East: The Big Bang”, Aseel KAYAL and Lotem FINKELSTEIN
- [Paper] “Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign”, Renato MARINHO
- [Paper] “How Much Should You Pay for your own Botnet ?”, Antoine REBSTOCK, Pierre-Edouard FABRE, Emmanuel BESSON
- [Paper] “Botception: Botnet distributes script with bot capabilities”, Jan SIRMER and Adolf STREDA
- “Trickbot, The Trick is On You!”, Floser BACURIO Jr. and Joie SALVIO
- “Hunting and Detecting APTs using Sysmon and PowerShell Logging”, Tom UELTSCHI
- “Everything Panda Banker”, Dennis SCHWARZ
- “WASM Security Analysis and Reverse Engineering”, Zhao GUANGYUAN and Wu TIEJUN
- “Red Teamer 2.0: Automating the C&C Set up Process”, Charles IBRAHIM
Workshops – Tuesday December 4th 2018 – Don’t forget to make a separate registration for workshops
- WS1 – “ExtREme Malware Analysis”, Maciej KOTOWICZ – 6h workshop (schedule: 11:00-13:00 / 14:00-18:00)
- Reverse Engineering is not an easy task, especially when dealing with malware. A bug hunter may spend some quality time with a nice functions, but a malware researcher that deals with tens or hundreds of samples in a short time frame cannot get distracted and must be able to cut fast and precisely into the heart of the malware! This training is aimed to teach our approach to fast and effective malware reversing, demonstrating some not-so-cutting-edge technologies and tricks that are drastically speeding up a reversing process. After a completion of this course, attendees should be able in matter of hours assess if given malware is a new thing or belongs to some known family (and say to which one), what data it does carry, and how it communicates with its C&C.
- WS2 – “Introducing a new Cyber Threat Detection System: How Threat Intelligence Halts Tomorrow’s Botnets”, Solomon SONYA – 4h workshop (schedule: 14:00-18:00)
- The cyber attack landscape is constantly evolving. Botnets are increasingly pervasive to detect and irradiate. This is because malicious adversaries have advanced techniques used to exploit enterprise networks. Previous paradigms have failed to adequately prevent, detect, respond, and recover from new attacks. As such, the paradigm we use to hunt and eradicate new threats must adapt as well. The purpose of this talk is to introduce a new cyber threat detection system that merges threat intelligence with advanced host, network, and memory forensics to create a better protection paradigm at detecting and preventing new botnet and network command and control activity.Developing a robust framework as this one is not trivial, nor is understanding how to engineer a real-life actionable cyber threat intelligence engine that we will create during the course. In fact, this requires a holistic approach in order to understand how to enhance the paradigm. This hands-on workshop first teaches the participant how to perform host and network forensics. We will learn how to create new distributed network sensors and work with a new tool I am releasing called Themis Network Analyzer. We move into hands-on exercises to learn advanced memory forensics and work with another new tool I am releasing to the community called Xavier Memory Forensics Framework. From here, we pivot into malware analysis to extract pertinent artifacts from the infected host. Next, we take this knowledge into engineering a new threat intelligence engine and intrusion detection that validates our new concept. We finally conclude this workshop with a robust hands-on capstone exercise.
Many new tools are created and released for this workshop. Participants will walk away from this workshop with new concepts and capabilities to better hunt for malicious actors and botnet activity across the protected enterprise network.
- The cyber attack landscape is constantly evolving. Botnets are increasingly pervasive to detect and irradiate. This is because malicious adversaries have advanced techniques used to exploit enterprise networks. Previous paradigms have failed to adequately prevent, detect, respond, and recover from new attacks. As such, the paradigm we use to hunt and eradicate new threats must adapt as well. The purpose of this talk is to introduce a new cyber threat detection system that merges threat intelligence with advanced host, network, and memory forensics to create a better protection paradigm at detecting and preventing new botnet and network command and control activity.Developing a robust framework as this one is not trivial, nor is understanding how to engineer a real-life actionable cyber threat intelligence engine that we will create during the course. In fact, this requires a holistic approach in order to understand how to enhance the paradigm. This hands-on workshop first teaches the participant how to perform host and network forensics. We will learn how to create new distributed network sensors and work with a new tool I am releasing called Themis Network Analyzer. We move into hands-on exercises to learn advanced memory forensics and work with another new tool I am releasing to the community called Xavier Memory Forensics Framework. From here, we pivot into malware analysis to extract pertinent artifacts from the infected host. Next, we take this knowledge into engineering a new threat intelligence engine and intrusion detection that validates our new concept. We finally conclude this workshop with a robust hands-on capstone exercise.
- WS3 – “Detect, Investigate and Respond using MISP, TheHive & Cortex”, Danni CO, Raphaël VINOT and Saâd KADHI – 4h workshop (schedule: 14:00-18:00)
- This workshop will take participants through a journey to familiarise themselves with common activities related to incident response, digital forensics, and cyber threat intelligence using the popular FOSS stack composed of MISP, the Malware Information Sharing Platform, TheHive, a Security Incident Response Platform, and Cortex, a powerful observable analysis and automated response engine.The workshop organisers will briefly walk participants through the guiding principles of DFIR and CTI and describe the software stack that will be used throughout the workshop. Participants will then have to work on an incident and try to investigate and respond to it by analyzing various artifacts and leveraging cyber threat intelligence.
Participants are expected to bring laptops running either VMware Workstration/Fusion or VirtualBox. Laptops must be powerful enough to run two VMs simultaneously. Limited familiarity with Python is a plus to work on advanced case where automation will be used to speed up the investigation.
- This workshop will take participants through a journey to familiarise themselves with common activities related to incident response, digital forensics, and cyber threat intelligence using the popular FOSS stack composed of MISP, the Malware Information Sharing Platform, TheHive, a Security Incident Response Platform, and Cortex, a powerful observable analysis and automated response engine.The workshop organisers will briefly walk participants through the guiding principles of DFIR and CTI and describe the software stack that will be used throughout the workshop. Participants will then have to work on an incident and try to investigate and respond to it by analyzing various artifacts and leveraging cyber threat intelligence.
