applied security conferences and training: CanSecWest | PacSec | EUSecWest | BA-Con

Security Masters Dojo

Advanced and intermediate security training and technology enhancement for information security professionals.

CanSecWest: Security Masters Dojo Vancouver

Next Session Dates: March 14-17 2009
Venue: Sheraton Wall Center, Vancouver, Canada
Duration: 1, 2, or 4 Day Courses.
Sessions begin at 10:00 a.m. and go to 6 p.m.
Registration
Maximum: 10 Students per course session.
Price: ~CAD$1800 Full day course
Price varies by course.
See registration system for exact details.
Discounts available on early registrations before Jan 31.
Extra fee for late/door registrations.

Course: Advanced Honeypot Tactics

Instructor:
Thorsten Holz <thorsten.holz@mmweg.rwth-aachen.de>


Description

Honeypots and honeynets are very much en vogue nowadays. This course explains what honeypots are, what they are good for, when they can bring rapid ROI to an organization deploying them, and when they are only of academic interest.

This class will teach how to set up different types of honeypots, how to learn more about the tools, tactics, and motives of attackers, and how to swiftly detect and react to malware outbreaks in an organization. We will also show how honeypot technology can be used to estimate risks in a way management understands. The main focus of the course is on learning more about autonomous spreading malware and botnets. We focus on different low-interaction honeypot solutions and honeyclients, since these two tools can often be easily integrated into an existing infrastructure. We show how to use these tools together with CWSandbox, a malware analysis tool, to study botnets in detail and how to mitigate this threat within an organization or a bigger network.

The course will be a mix of lectures and hands-on exercises, with a focus on practical techniques that have proven successful in the real world. The exercises involve, for example, setting up a honeypot, analyzing packet dumps, analyzing a given binary or shellcode, or extracting information from a given analysis report.

PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in and the software tools that need to be pre-installed before attending, so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses and will be necessary to get the maximum benefit out of these educational programs.

Topics:

You will learn during the course:

Prerequisites

Students should be familiar with basic honeypot concepts and have a good understanding of TCP/IP networking and analysis tools like Wireshark. A basic understanding of the Windows OS and malware analysis is a bonus.

Prerequisite material

Students need to bring a computer configured with VMware and powerful enough to run two VMware sessions at once. Students also need to have an IRC client and the Python programming language installed. All additional tools will be provided during the course.