logo The Honeynet Project Annual Workshop 2024
Copenhagen, Denmark — May 27th–29th, 2024

Conference Program

The Honeynet Workshop is the leading forum for early warning systems, cyber deception, and open source security tools to improve internet security. The workshop program consists of one day of invited talks and two days of trainings, held by a diverse set of experienced international speakers and trainers.

Monday, May 27th
8:00–9:00
Registration
9:00–18:00
Briefings
Tuesday, May 28th
8:00–9:00
Registration
9:00–17:30
Trainings
Wednesday, May 29th
8:30–9:00
Registration
9:00–17:30
Trainings

Briefing Day

Our talk schedule is still under construction - here's a first sneak peek of confirmed talks!

Time Topic Speaker
Keynote: Red Teaming LLMs
Photo of
Dragos Ruiu
Keynote: TBA
Photo of
Kara Nance
Understanding Current and Future Emerging Threat Actors and Threats

My mission in life for the last 20 years or so has been to help develop a better, more comprehensive understanding of the relationships between people and digital technology from a national security perspective. I will cover this topic from three distinct levels: micro, meso and macro perspectives. Consider this talk a dim sum of theory and research taken from various publications I have authored or co-authored over the years that you can sample from and decide what might interest you most. Acquiring a foundational knowledge in this subject matter area is useful for policymakers as well as infosec professionals in understanding not only current threats but also in building scenarios of future emerging threats in the digital domain.

Photo of
Max Kilger
Decoding Galah: An LLM-Powered Web Honeypot

Honeypots are invaluable tools for monitoring internet-wide scans, providing insights into the tactics, techniques, and new exploits used by attackers. However, without effectively masquerading as authentic targets to deceive these attackers, we often end up dealing with a multitude of repetitive scans that offer little novel information.

Traditional low-interaction web honeypots rely on a manual and limited method of emulating numerous web applications or vulnerabilities. Enter Galah, an LLM (Large Language Model)-powered web honeypot designed to mimic various applications with a single prompt! This LLM-powered honeypot dynamically crafts relevant (and occasionally foolish) responses, including HTTP headers and body content, to arbitrary HTTP requests, effectively mimicking various web applications.

During this talk, I will share insights gained from Galah’s three-month deployment and attempt to address the following key questions:

  1. How do different large language models (LLMs) perform when tasked with analyzing and generating HTTP messages?
  2. Does the delivery of authentic-looking HTTP responses enhance attackers’ engagement with the honeypot?
Photo of
Adel Karimi
Using AI to Create Realistic Content and Behaviour for Honeypots

Producing and maintaining the levels of honeypot realism needed to entice, confuse, delay and extract intelligence from adversaries has always been a challenge for researchers and those interested in threat intelligence. This talk demonstrates how to use available AI to generate more realistic content for honeypots. We also show how to use AI to make bots that can interact with the services in realistic ways.

Photo of
Ben Whitham
Photo of
Simon Whittenbury
(topic to be announced)
Photo of
Natalia Stakhanova
Parsing arbitrary honeypot traffic using Spicy

Most server-side honeypots face the same set of problems: Accept network connection, receive arbitrary traffic or send a service banner, receive the next packet, decide how to respond, rinse, and repeat. You are most likely dealing with binary payloads. You probably don’t know the protocol. You are writing your protocol implementations, you need to also implement a vulnerability fingerprint or make very deliberate choices in the packet payloads.
Receiving malicious traffic isn’t the challenge anymore, being able to quickly replicate a vulnerable system and protocol is what will deliver value. In my many years of creating honeypots, I’ve over and over again replicated work that was already done for me.
Network security monitors like Zeek have solved the “parse arbitrary traffic” problem and they provide the solution in a neat package in the form of Spicy. In this talk, I will demonstrate how you can combine Spicy with the server-side honeypot Glutton to ingest, parse, and handle arbitrary, malicious network traffic.

Photo of
Lukas Rist
Honeypot Fingerprinting

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this talk, I will present a holistic framework for honeypot fingerprinting and summarize some of the primitive techniques proposed by researchers.

Photo of
Shreyas Srinivasa
HoneyIO: Advanced High Interaction Honeypot for MQTT Protocol

The Internet of Things (IoT) has revolutionized the way we interact with devices, leading to the widespread adoption of the Message Queuing Telemetry Transport (MQTT). As a de-facto protocol, MQTT plays a vital role in facilitating lightweight and efficient communication between IoT devices, enabling high performance real-time data exchange and remote control. However, this growing popularity also exposes MQTT to various security vulnerabilities, making it a prime target for malicious actors.

To better understand the modern attack on one of the core components of IoT, we built HoneyIO, an advanced high interaction honeypot designed for the MQTT. This talk starts with an overview of MQTT, highlighting its architecture, security model and key security issues. We then delve into the design and implementation of HoneyIO, explaining how the high interaction honeypot should be designed so it can effectively capture attacker behavior through enhanced authentication, access control and logging mechanisms. We also discuss the techniques employed to camouflage the honeypot to enhance its realism and effectiveness.

Based on HoneyIO, we developed a network of MQTT honeypot nodes, enabling us to simulate a MQTT network to better attract potential attackers. We will share our experience and findings derived from deploying our system on the public internet for an extended period of time, providing insights into the tactics, techniques, and procedures used by malicious attackers targeting MQTT.

Photo of
Nguyen Anh Quynh
Photo of
Liu Yanzhao
Google Summer of Code at the Honeynet Project

Since 2009, Google has sponsored students to work on security tools and research at the Honeynet Project. With a relatively small budget, this program enabled the creation of now industry-leading tools such as Cuckoo Sandbox. In this session, Max will briefly explain the Google Summer of Code program and show recent achievements. Finally, we discuss how you can get involved and work with students on cutting-edge research!

Photo of
Maximilian Hils
Introduction to the Workshop

Introduction to The Honeynet Project from the CEO.

Photo of
Ali Ikinci
Closing Remarks
Photo of
Emmanouil Vasilomanolakis

Trainings

Our trainings schedule is still under construction - here's a first sneak peek of confirmed trainings.

Slot Training Trainer
½ day
Using HoneyTokens to Create Insider Threat, Supply Chain and Data Breach Detection Campaigns

Honeypots can be challenging to deploy on to production systems, especially when you do not have a proven track record of previous deployments in your organization. HoneyTokens (honeyfiles, honeyrecords, honeytables, honeycredentials) can be a much easier first step. This training will teach you about how to set up a deception campaign in your organization. We will guide you through 3 different scenarios - Insider Threats, Supply Chain validation and data breach detection, making and deploying your own different types of honeytokens.

Photo of
Ben Whitham
Photo of
Abbie Smith
Claire Quinlan
1 day
Reverse Engineering with Ghidra

This course provides a hands-on introduction to using Ghidra for software reverse engineering, taught by co-author of The Ghidra Book: The Definitive Guide. Learn how to use and customize Ghidra to fit your SRE workflow, all presented with hands-on examples and plenty of crackme challenges. Whether you are new to the field of reverse engineering or just new to Ghidra, this course provides you with the opportunity to explore the capabilities of this powerful open source reverse engineering tool suite to understand how it can enhance your reverse engineering process. Hands-on labs will provide flexibility for students to choose between basic and challenge assignments to ensure that everyone has something interesting to explore in context (and we never run out of crackmes!).

Photo of
Kara Nance
Brian Hay
½ day
Honeypot 101: Build a honeypot from scratch with zero programming knowledge

Starting is the most challenging part when building a honeypot. In this training session we will learn together how you can build a honeypot with no prior knowledge of honeypots, programming or the targeted protocol or applications.

I’ve brought a couple of protocols with me that I would like to explore with the students:

  • HTTP: Many out of the box tools, interesting attack surface, crypto wallets, bitcoin mining rigs?
  • Telnet: Ubiquitous and we can easily get to the payload, very high traffic from Mirai and friends.
  • The Simple Service Discovery Protocol (SSDP): Interesting when we have a closer look at UDP packets.

We will build a very simple service, receiving and accepting the initial packet. We parse the packet and make a decision what to reply. Goal is to get at least to a second packet. Depending on the protocol, we will also get to the payload stage of the attack and do some basic analysis.

We will use Zeek (formerly Bro) and it’s protocol parsing language Spicy to get an understanding of our protocol.

The class will be held in Python (mostly). If you want to code along, make sure you have a working Python 3.12 available.

Photo of
Lukas Rist
½ day
Introduction to Network Forensics

This training is an introduction to network forensics combining theoretical parts and practical exercises. Several tools are introduced during the training and attendees can get brief overview of their usage and usefulness for different types of data.

Topics of main focus are:

  • types of data for analysis
  • flow records, PCAP, logs, contextual information, …
  • analytical tools: CLI, Wireshark, “SIEM”, Arkime, …

After completing the training, the participants should have a basic overview of which data are suitable for answering investigative questions and in which tools they can analyze these data.

Photo of
Stanislav Bárta
½ day
From zero to IntelOwl!

IntelOwl is an Open Source solution for management of Threat Intelligence at scale, created by security analysts for security analysts.

In this training you’ll learn how you can use this powerful application to enhance your day-to-day activities as an analyst or to help your cyber security research.

First we’ll make a tour of the reasons why we created this tool and how it can help. Then we’ll guide the audience in the installation and configuration of the tool. Ultimately we’ll guide the audience in using the tool by mimicking real use cases.

A Debian-like OS (Ubuntu if possible) is preferred so please arrive at the training with a computer or a VM with that OS already installed and available. Be generous with the VM resources because the platform can easily exhaust them. We don’t guarantee that the training can be followed if you use other operating systems.

No prior knowledge is required. However, knowledge of Docker and experience in either threat intelligence or incident response are welcome.

Photo of
Matteo Lodi
Simone Berni
Daniele Rosetti
½ day
Customize IntelOwl! Bring your own use cases!

This training starts where the “from zero to IntelOwl!” training left the audience.

In this half-day training the focus is in leveraging the power of the IntelOwl framework to customize it for specific use cases.

We’ll guide the audience in writing new Plugins. We’ll bring some exercises to do but we encourage the audience to bring their own use cases. Let’s say you want to integrate your own project or a service that you love…let’s do that! Here you have the chance to work with the maintainers of the project to bring this to life.

Basic knowledge of Python and Object Orienting Programming is required to participate in this training.

Photo of
Matteo Lodi
Simone Berni
Daniele Rosetti
both days
Capture the Flag (CTF)

Capture the Flag (CTF) events are games where participants are awarded points for finding flags (i.e., specific pieces of data) within the environment. This exploration is largely guided by challenges such as gaining access to an account, or finding some hidden information within a service. This gentle guided introduction to CTF focuses on challenges designed to explore various security concepts in both Linux and Windows environments without requiring specialized tools. No prior system knowledge (or software) is expected or required to participate.

More experienced CTF participants will still find the environment challenging.

Photo of
Kara Nance
Brian Hay

Platinum Sponsors

Gold Sponsors

Silver Sponsors