Botconf 2017 has ended


Workshop
Tuesday, December 5

14:00 CET

Botnet Tracking and Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow for quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (IPython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on a botnet’s data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data-analysis environment at home and reproduce similar analyses with their own traffic data.
Workshop Outline
  • Introduction to the workshop
    • Overview of the Linux/Moose botnet
    • The datasets available: Pcaps and mitmproxy logs
    • Overview of the tools we will use
  • Network traffic and C&C protocol analysis
    • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
    • Lab 2: Find and extract the C&C traffic in the Pcaps
    • Lab 3: Find the list of proxy client IPs and evaluate whether the list changes over time
  • Decrypted HTTPS traffic data analysis
    • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
    • Lab 5: Graph the total number of requests made per proxy client over time
    • Lab 6: Find whether proxy clients are re-using their fake social media accounts

Speakers
Olivier Bilodeau

Cybersecurity Research Lead, GoSecure
Masarah Paquet-Clouston

Security Researcher, GoSecure
Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD student in criminology at Simon Fraser University and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of markets behind illicit...


Tuesday December 5, 2017 14:00 - 18:00 CET
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France

14:00 CET

Cyber Threat Intel & Incident Response with TheHive, Cortex & MISP
Agenda:
  • Cyber Threat Intel & Incident Response in 2017
  • MISP, TheHive & Cortex overview
  • Installing & configuring the product stack
  • Bringing it all together
  • An IR case study
  • Dealing with notifications
  • How CTI feeds IR
  • How IR feeds CTI
  • The CTI-IR cycle: case study

Speakers
Saâd Kadhi

A convinced archeofuturist and a true retromodernist with a serious knack for individualistic altruism, I have been working in the wonderful field of Incident Response, Digital Forensics and hubris, er, Threat Intelligence for a decade. I am the leader of TheHive Project and I currently...

Raphaël VINOT

CERT Operator & MISP core developer, CIRCL
I'm one of the core developers of MISP Threat Sharing and especially working on all the APIs and interactions with 3rd party tools.


Tuesday December 5, 2017 14:00 - 18:00 CET
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France

14:00 CET

Python and Machine Learning: How to Clusterize a Malware Dataset
The goal of this workshop is to present how to use Python for machine learning. We take examples of security data such as malware and explain how to transform the data so that machine learning algorithms can be applied to it. We detail the different algorithms and the two libraries Scikit-learn and TensorFlow.

The algorithms help to quickly cluster a malware database in order to create YARA signatures for use in incident response. Participants will work on a small dataset, develop code based on these libraries and create YARA signatures.


Tuesday December 5, 2017 14:00 - 18:00 CET
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France