July 9, 2018 (Monday)

These are the scheduled briefings of the The Honeynet Project Workshop 2018.

08:00 - 09:00Registration
09:00 - 09:20Welcome to Taiwan from CSA and Taiwan ChapterYi-Lang Tsai
09:20 - 09:40Honeynet Project CEO opening talkIntroduction to The Honeynet Project and Trends in Honeypots TechnologyFaiz Shuja
09:40 - 10:00A generic approach to low interaction server honeypotsIn this talk we are presenting a generic approach to server side honeypots. Our solution provides an easy way to handle arbitrary traffic, get insight into novel attack vectors and provides a platform for more advanced interactions.Lukas Rist
10:00 - 10:20Google Summer of Code Research and Development at the Honeynet ProjectSince 2009, Google has sponsored students to work on security tools and research at the Honeynet Project. In this session, Max will briefly explain the Google Summer of Code program and show recent achievements. Finally, we discuss how you can get involved and work with students on cutting-edge research!Maximilian Hils
10:20 - 10:40Break
10:40 - 11:20T-Pot, PEBA, Sicherheitstacho – Fighting evil forces by running a large scale honeypot installationDeutsche Telekom AG is running one of the bigger honeypot networks globally. In this talk the developers (T-Pot, backend, ...) will share their experiences over the past years.Marco Ochse & Markus Schmall
11:20 - 11:40Writing honeypots in a snap of fingersThis talk will share how anyone can reliably create a network based honeypot. As protocols can vary, a lot of work is redundant anytime one want to start a new honeypot for a particular use case. How about reusing work already done and just add the things that are specific to what you need?Sebastien Tricaud
11:40 - 12:20honeyTLS: Profiling and Clustering SSL/TLS Scans with JA3Identifying groups of attackers with similar tools or behaviors is useful for profiling and discovering the connections between them. This talk will explore how I collect JA3, a SSL/TLS client fingerprint, to profile attackers and internet-wide SSL/TLS scans. The talk will provide some interesting observations and probably the first identified attempt to evade JA3!Adel Karimi
12:20 - 13:30Lunch Break
13:30 - 13:50Honeypots for employee information security awareness and education trainingBased on the publication Honeypots for employee information security awareness and education training: A conceptual EASY training model (reference: This talk explore how honeypot can be used in employee information security awareness and education training. Christopher Lek
13:50 - 14:30Cybercriminals, TCOs and Facilitating Access to Weapons of Mass DestructionTransnational criminal organizations (TCOs) have been making connections with the cybercrime community. This talk examines a particular national security threat–the synergy between TCOs and cybercriminals in obtaining knowledge and materials of weapons of mass destruction. This talk discusses these issues in my latest book chapter in the recent book The Handbook of Technology, Crime and Justice.Max Kilger
14:30 - 15:10Proactive Honeypoting: Real-time monitoring of Necurs botnetWhat could be more fun that pro-active interactive honeypots? In this presentation, the researchers will share their experience and findings on proactively
interacting with one of the largest SPAM botnets. This unique ability gave the researchers a unique insight on inner workings of the Necurs botnet, including the distribution, conducted operations, node software updates and targets as well as some of the interesting insights from day-to-day ops of the botnet herders.
Rubio Wu & Anita Hsieh
15:10 - 15:30Tea Break
15:30 - 15:50IoT Army — Poking Botnets with a HoneypotInternet of Things attacks on the rise. In this session, we will share interesting stories about battling IoT Botnets with a home-based honeypot.

With the mark and stains, we traced the attacks to different bot herders behind the scene, discovered interesting command and control interfaces and leak of source code file. We observed sneaky evasive tricks, funny commands, mis-configured Botnet, etc.
Tan Kean Siong
15:50 - 16:10Development of Honeynet Projects in APCERTAPCERT, which is the largest international CERT organization in Asia Pacific region, has a vision to create a safe, clean and reliable cyber space in the Asia Pacific region through global collaboration. To achieve the goal, APCERT initialed numerous working groups to develop the ability within CERTs. TSUBAME WG and Malware Mitigation WG are working groups which deployed honeypot in APCERT member’s country. The two WGs focus on different perspective, but both of them help to find the potential or existed threats of the region.

In this presentation, a brief introduction and the achievement of the WGs will be introduced.
Lo Wen-Ling
16:10 - 16:50The Application of Physical and Low-interaction HoneypotNowadays, hackers combine many existing network scanning services (such as Shodan) with reconnaissance stage. New-style cyber-attacks become more difficult to be trapped. The low-interaction honeypot can trap a large scale of attacks in safe but the detailed information in advanced attacks. Therefore, we have designed and deployed a physical honeypot to overcome the disadvantages of low-interaction honeypots. In this talk, we will discuss (1) physical honeypot access control, and (2) correlated data analysis with the low-interaction honeypot, finally (3) a case study in physical honeypot.Cheng Yi Lin & Chia Hung Lin
16:50 - 17:00Closing remarksYi-Lang Tsai