logo The Honeynet Project Annual Workshop 2024
Copenhagen, Denmark — May 27th–29th, 2024

Conference Program

The Honeynet Workshop is the leading forum for early warning systems, cyber deception, and open source security tools to improve internet security. The workshop program consists of one day of invited talks and two days of trainings, held by a diverse set of experienced international speakers and trainers.

Monday, May 27th
8:00–9:00
Registration
9:00–18:00
Briefings
19:30
Social Dinner
Tuesday, May 28th
8:00–9:00
Registration
9:00–17:30
Trainings
Wednesday, May 29th
8:30–9:00
Registration
9:00–17:30
Trainings

Briefing Day

Time Topic Speaker
09:00–09:15
Introduction to the Workshop

Introduction to The Honeynet Project from the CEO.

Photo of
Ali Ikinci
09:15–10:00
Keynote: Red Teaming LLMs

This keynote addresses key security challenges associated with Large Language Models (LLMs). Topics include various attack vectors like adversarial prompt crafting, data poisoning, model inversion, and jailbreaking techniques. We will discuss current defense mechanisms, including semantic-based filtering, real-time anomaly detection, and adaptive defense systems. The presentation also covers interdisciplinary approaches, ethical considerations, and the use of explainable AI (XAI) techniques. By examining testing methodologies, standardized datasets, and evaluation criteria, this talk aims to provide researchers and practitioners with insights to improve the robustness and resilience of LLMs against security threats.

Photo of
Dragos Ruiu
10:00–10:45
Keynote: Future-Proofing Your Toolbox: Strategies for Sustainable Innovation

Everyone who uses a computer relies on technical tools to help solve problems. Initially, it might be challenging to understand how a particular tool can address the problem at hand. However, there often comes a moment when you truly connect with a particular technology. This bond deepens as you discover new ways to leverage the tool for increasingly complex challenges. You begin to push its boundaries, applying it to tasks it was never designed for, as it becomes an integral part of your problem-solving arsenal. Yet, as our challenges evolve, so must our tools. Many of us find ourselves at a crossroads where innovation meets tradition. This talk will explore when and how to update our technology toolkits, while preserving the deep expertise we’ve developed. Our aim is to foster a vibrant discussion on when and how to integrate new ideas into our technical workflows.

Photo of
Kara Nance
Coffee Break
11:10–11:40
Decoding Galah: An LLM-Powered Web Honeypot

Honeypots are invaluable tools for monitoring internet-wide scans, providing insights into the tactics, techniques, and new exploits used by attackers. However, without effectively masquerading as authentic targets to deceive these attackers, we often end up dealing with a multitude of repetitive scans that offer little novel information.

Traditional low-interaction web honeypots rely on a manual and limited method of emulating numerous web applications or vulnerabilities. Enter Galah, an LLM (Large Language Model)-powered web honeypot designed to mimic various applications with a single prompt! This LLM-powered honeypot dynamically crafts relevant (and occasionally foolish) responses, including HTTP headers and body content, to arbitrary HTTP requests, effectively mimicking various web applications.

During this talk, I will share insights gained from Galah’s three-month deployment and attempt to address the following key questions:

  1. How do different large language models (LLMs) perform when tasked with analyzing and generating HTTP messages?
  2. Does the delivery of authentic-looking HTTP responses enhance attackers’ engagement with the honeypot?
Photo of
Adel Karimi
11:40–12:10
Using AI to Create Realistic Content and Behaviour for Honeypots

Producing and maintaining the levels of honeypot realism needed to entice, confuse, delay and extract intelligence from adversaries has always been a challenge for researchers and those interested in threat intelligence. This talk demonstrates how to use available AI to generate more realistic content for honeypots. We also show how to use AI to make bots that can interact with the services in realistic ways.

Photo of
Ben Whitham
Photo of
Simon Whittenbury
12:30–12:45
Lightning Talks

Do you want to share some cool new research, a little tool you wrote, or a fancy job opportunity? Give a one minute lightning talk just before the lunch break!

To sign up, please send an email to denmark2024@honeynet.org with your name, lightning talk title, and (optionally) 1-2 slides. Maximum talk length is two minutes, lightning talks are meant to be teasers only. First come first served.

Lunch Break
13:45–14:25
Understanding Current and Future Emerging Threat Actors and Threats

My mission in life for the last 20 years or so has been to help develop a better, more comprehensive understanding of the relationships between people and digital technology from a national security perspective. I will cover this topic from three distinct levels: micro, meso and macro perspectives. Consider this talk a dim sum of theory and research taken from various publications I have authored or co-authored over the years that you can sample from and decide what might interest you most. Acquiring a foundational knowledge in this subject matter area is useful for policymakers as well as infosec professionals in understanding not only current threats but also in building scenarios of future emerging threats in the digital domain.

Photo of
Max Kilger
14:25–15:05
What did you expect? A dire state of PKI ecosystem

The insecurities of public-key infrastructure (PKI) on the Internet have been the focus of research for over a decade. The extensive presence of broken, weak, and vulnerable cryptographic keys has been repeatedly emphasized by many studies. Analyzing the security implications of cryptographic keys’ vulnerabilities, several studies noted the presence of public key reuse. In this talk, we explore this phenomenon. We investigate the presence of duplicate X.509 certificates and reused RSA public keys across PKI ecosystem, analyze their cryptographic weaknesses, and investigate the sources of reuse.

Photo of
Natalia Stakhanova
14:55–15:25
Media Effects used in Influence Operations

Over the past 5-6 years, the InfoSec community has had a miopic focus on some of the technical components of influence operations such as twitter bots. At the same time they show marginal, if any, understanding of the underlying social and media theories used in influence operations. In this talk we cover some of the basics that have worked for hundreds of years before social media existed. It focuses on the Media Effects such as two-step flow of information, gatekeeping, agenda-setting, priming, framing, spiral of silence, echo chambers, and cultivation, used to conduct those operations.

The talk itself is an introduction and highlights particular theories, and provides links for further reading. It will briefly also cover Bezmenov’s Subversion Model to provide a frame for the explanation of the social division we have been observing over the past few years, as well as support the thesis with a sociometric study showing the effects.

Photo of
Krassimir Tzvetanov
Coffee Break
15:50–16:10
Parsing arbitrary honeypot traffic using Spicy

Most server-side honeypots face the same set of problems: Accept network connection, receive arbitrary traffic or send a service banner, receive the next packet, decide how to respond, rinse, and repeat. You are most likely dealing with binary payloads. You probably don’t know the protocol. You are writing your protocol implementations, you need to also implement a vulnerability fingerprint or make very deliberate choices in the packet payloads.
Receiving malicious traffic isn’t the challenge anymore, being able to quickly replicate a vulnerable system and protocol is what will deliver value. In my many years of creating honeypots, I’ve over and over again replicated work that was already done for me.
Network security monitors like Zeek have solved the “parse arbitrary traffic” problem and they provide the solution in a neat package in the form of Spicy. In this talk, I will demonstrate how you can combine Spicy with the server-side honeypot Glutton to ingest, parse, and handle arbitrary, malicious network traffic.

Photo of
Lukas Rist
16:10–16:30
Google Summer of Code at the Honeynet Project

Since 2009, Google has sponsored students to work on security tools and research at the Honeynet Project. With a relatively small budget, this program enabled the creation of now industry-leading tools such as Cuckoo Sandbox. In this session, Max will briefly explain the Google Summer of Code program and show recent achievements. Finally, we discuss how you can get involved and work with students on cutting-edge research!

Photo of
Maximilian Hils
Photo of
Manuel Meitinger
Photo of
Aristofanis Chionis
16:30–17:00
Honeypot Fingerprinting

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this talk, I will present a holistic framework for honeypot fingerprinting and summarize some of the primitive techniques proposed by researchers.

Photo of
Shreyas Srinivasa
17:00–17:30
HoneyIO: Advanced High Interaction Honeypot for MQTT Protocol

The Internet of Things (IoT) has revolutionized the way we interact with devices, leading to the widespread adoption of the Message Queuing Telemetry Transport (MQTT). As a de-facto protocol, MQTT plays a vital role in facilitating lightweight and efficient communication between IoT devices, enabling high performance real-time data exchange and remote control. However, this growing popularity also exposes MQTT to various security vulnerabilities, making it a prime target for malicious actors.

To better understand the modern attack on one of the core components of IoT, we built HoneyIO, an advanced high interaction honeypot designed for the MQTT. This talk starts with an overview of MQTT, highlighting its architecture, security model and key security issues. We then delve into the design and implementation of HoneyIO, explaining how the high interaction honeypot should be designed so it can effectively capture attacker behavior through enhanced authentication, access control and logging mechanisms. We also discuss the techniques employed to camouflage the honeypot to enhance its realism and effectiveness.

Based on HoneyIO, we developed a network of MQTT honeypot nodes, enabling us to simulate a MQTT network to better attract potential attackers. We will share our experience and findings derived from deploying our system on the public internet for an extended period of time, providing insights into the tactics, techniques, and procedures used by malicious attackers targeting MQTT.

Photo of
Nguyen Anh Quynh
Photo of
Liu Yanzhao
17:30–17:35
Closing Remarks
Photo of
Emmanouil Vasilomanolakis
19:30
Social Dinner
Food Club, Vesterbrogade 6E, 1620 København.
(200 meters walking distance from Copenhagen Central Station)

Training Schedule

Trainings

Slot Training Trainer
Early Tue
Honeypot 101: Build a honeypot from scratch with zero programming knowledge

Starting is the most challenging part when building a honeypot. In this training session we will learn together how you can build a honeypot with no prior knowledge of honeypots, programming or the targeted protocol or applications.

I’ve brought a couple of protocols with me that I would like to explore with the students:

  • HTTP: Many out of the box tools, interesting attack surface, crypto wallets, bitcoin mining rigs?
  • Telnet: Ubiquitous and we can easily get to the payload, very high traffic from Mirai and friends.
  • The Simple Service Discovery Protocol (SSDP): Interesting when we have a closer look at UDP packets.

We will build a very simple service, receiving and accepting the initial packet. We parse the packet and make a decision what to reply. Goal is to get at least to a second packet. Depending on the protocol, we will also get to the payload stage of the attack and do some basic analysis.

We will use Zeek (formerly Bro) and it’s protocol parsing language Spicy to get an understanding of our protocol.

The class will be held in Python (mostly). If you want to code along, make sure you have a working Python 3.12 available.

Photo of
Lukas Rist
Late Tue
T-Pot 101 Workshop - Your Gateway into the world of Cyber Deception and Honeypots

Welcome to T-Pot 101, an hands-on workshop crafted for those looking to dive into the vast capabilities of the All-In-One honeypot platform - T-Pot. Tailored for beginners, this workshop is the first step towards mastering setup, installation, and basic configuration of a deception system.

🌐 What We Offer:

  • A detailed walkthrough for the installation of T-Pot.
  • Placement of T-Pot and first usage.
  • Distributed setup with sensor and hive.
  • Utilizing T-Pot dashboards for event analysis.
  • Best practices for daily operation and keeping your system updated.

Join us for learning and exploration, conducted by the authors of T-Pot.

Photo of
Marco Ochse
Photo of
André Vorbach
Early Wed
Using HoneyTokens to Create Insider Threat, Supply Chain and Data Breach Detection Campaigns

Honeypots can be challenging to deploy on to production systems, especially when you do not have a proven track record of previous deployments in your organization. HoneyTokens (honeyfiles, honeyrecords, honeytables, honeycredentials) can be a much easier first step. This training will teach you about how to set up a deception campaign in your organization. We will guide you through 3 different scenarios - Insider Threats, Supply Chain validation and data breach detection, making and deploying your own different types of honeytokens.

Photo of
Ben Whitham
Photo of
Abbie Smith
Claire Quinlan
Late Wed
Introduction to Network Forensics

This training is an introduction to network forensics combining theoretical parts and practical exercises. Several tools are introduced during the training and attendees can get brief overview of their usage and usefulness for different types of data.

Topics of main focus are:

  • types of data for analysis
  • flow records, PCAP, logs, contextual information, …
  • analytical tools: CLI, Wireshark, “SIEM”, Arkime, …

After completing the training, the participants should have a basic overview of which data are suitable for answering investigative questions and in which tools they can analyze these data.

Photo of
Stanislav Bárta
Wed
(one day)
Reverse Engineering with Ghidra

This course provides a hands-on introduction to using Ghidra for software reverse engineering, taught by co-author of The Ghidra Book: The Definitive Guide. Learn how to use and customize Ghidra to fit your SRE workflow, all presented with hands-on examples and plenty of crackme challenges. Whether you are new to the field of reverse engineering or just new to Ghidra, this course provides you with the opportunity to explore the capabilities of this powerful open source reverse engineering tool suite to understand how it can enhance your reverse engineering process. Hands-on labs will provide flexibility for students to choose between basic and challenge assignments to ensure that everyone has something interesting to explore in context (and we never run out of crackmes!).

Photo of
Kara Nance
Brian Hay
Early Tue
From zero to IntelOwl!

IntelOwl is an Open Source solution for management of Threat Intelligence at scale, created by security analysts for security analysts.

In this training you’ll learn how you can use this powerful application to enhance your day-to-day activities as an analyst or to help your cyber security research.

First we’ll make a tour of the reasons why we created this tool and how it can help. Then we’ll guide the audience in the installation and configuration of the tool. Ultimately we’ll guide the audience in using the tool by mimicking real use cases.

A Debian-like OS (Ubuntu if possible) is preferred so please arrive at the training with a computer or a VM with that OS already installed and available. Be generous with the VM resources because the platform can easily exhaust them. We don’t guarantee that the training can be followed if you use other operating systems.

No prior knowledge is required. However, knowledge of Docker and experience in either threat intelligence or incident response are welcome.

Photo of
Matteo Lodi
Photo of
Simone Berni
Daniele Rosetti
Late Tue
Customize IntelOwl! Bring your own use cases!

This training starts where the “from zero to IntelOwl!” training left the audience.

In this half-day training the focus is in leveraging the power of the IntelOwl framework to customize it for specific use cases.

We’ll guide the audience in writing new Plugins. We’ll bring some exercises to do but we encourage the audience to bring their own use cases. Let’s say you want to integrate your own project or a service that you love…let’s do that! Here you have the chance to work with the maintainers of the project to bring this to life.

Basic knowledge of Python and Object Orienting Programming is required to participate in this training.

Photo of
Matteo Lodi
Photo of
Simone Berni
Daniele Rosetti
Tue–Wed
(join anytime)
Capture the Flag (CTF)

Capture the Flag (CTF) events are games where participants are awarded points for finding flags (i.e., specific pieces of data) within the environment. This exploration is largely guided by challenges such as gaining access to an account, or finding some hidden information within a service. This gentle guided introduction to CTF focuses on challenges designed to explore various security concepts in both Linux and Windows environments without requiring specialized tools. No prior system knowledge (or software) is expected or required to participate.

You may join for any of the sessions, you do not have to participate from the start. More experienced CTF participants will still find the environment challenging.

Brian Hay
Photo of
Kara Nance

Platinum Sponsors

Gold Sponsors

Silver Sponsors