FloCon 2022 has ended


Tuesday, January 11
 

10:00am EST

Conference Introduction and Welcome
Conference Chair Joshua Fallon welcomes FloCon 2022 attendees and opens the conference with information pertaining to how our online delivery options will operate.


Speakers
Joshua Fallon

Network Defense Analyst, CERT Division - SEI/CMU
Dr. Joshua Fallon is the FloCon 2022 chair. He is a network defense analyst with the CERT Situational Awareness team, where he participates in analysis of network security and resilience and supports the development of tools and methods for network security analysts and trains analysts...


Tuesday January 11, 2022 10:00am - 10:15am EST

10:15am EST

Keynote Presentation: NIDS is Dead, Long Live NIDS!
Thomas Schreck, Professor for IT-Security at Munich University of Applied Sciences, will provide a Keynote Address to begin FloCon 2022.

Speakers
Thomas Schreck

Professor of IT-Security, Munich University of Applied Sciences
Thomas Schreck is a Professor for IT-Security at the Munich University of Applied Sciences. Prior he was a Principal Engineer for IT-Security at Siemens and the Head of Siemens CERT. He served on the Board of Directors of Forum of Incident Response and Security Teams between 2015...


Tuesday January 11, 2022 10:15am - 11:15am EST

11:15am EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Network with attendees, visit sponsor rooms, and join the extended Q&A Session with our Keynote Speaker.

Information on how to join was provided in the information emails provided to registered attendees.

Tuesday January 11, 2022 11:15am - 11:30am EST

11:30am EST

Quantifying the Impact of Encrypted DNS for Network Defenders
DNS-layer security is often used by incident response teams to enforce policy and gain visibility. Privacy enhancing protocols, such as DNS-over-HTTPS (DoH) and DNS-over-QUIC (DoQ), encrypt DNS requests and responses, increasing the user’s privacy at the expense of traditional security functions. In this presentation, we examine the prevalence and impact of encrypted DNS in a modern enterprise environment, which is particularly important given the role encrypted DNS plays in other privacy enhancing protocols such as Encrypted Client Hello (ECH) and Multiplexed Application Substrate over QUIC Encryption (MASQUE). With this analysis, we show that while a few major encrypted DNS providers dominate, there exists a long tail of less popular encrypted DNS servers with several new servers coming online weekly. Our dataset includes network and endpoint information from enterprises and malware sandboxes. The presentation highlights how unsanctioned DoH and DoQ can evade traditional DNS policy enforcement. Furthermore, we examine the set of client processes, including malware, that use these evasion techniques. Finally, we present a methodology and open-source tools to identify encrypted DNS servers given passively collected network data, Internet-wide scan data, and targeted scans.

Attendees Will Learn:
In this talk, the audience will learn about the mechanics of encrypted DNS, the visibility challenges introduced by encrypted DNS, the effectiveness of DNS-layer security, and leveraging a big data system to systematically identify and track encrypted DNS servers using multiple data sources.

Speakers
Blake Anderson

Senior Technical Leader, Cisco
Blake Anderson currently works as a Senior Technical Leader in Cisco’s Cloud and Network Security Group. Since starting at Cisco in early 2015, he has participated in and led projects aimed at encrypted network traffic analysis, which has resulted in open source projects, academic...



Tuesday January 11, 2022 11:30am - 12:00pm EST

12:00pm EST

Improving Cyber Resiliency through Microsegmentation Policy Optimization
This talk examines an approach for improving cyber resilience through the synthesis of optimal microsegmentation policy for a network. By leveraging microsegmentation security architecture, we can reason about fine-grained policy rules that enforce access for given combinations of source address, destination address, destination port, and protocol. Our approach determines microsegmentation policy rules that limit adversarial movement within a network according to assumed attack scenarios and mission availability needs. For this problem, we formulate a novel optimization objective function that balances cyberattack risks against accessibility to critical network resources. Given the application of a particular set of policy rules as a candidate optimal solution, this objective function estimates the adversary effort for carrying out a particular attack scenario, which it balances against the extent to which the solution restricts access to mission-critical services. We then apply artificial intelligence techniques (evolutionary programming) to learn microsegmentation policy rules that optimize this objective function.

Attendees Will Learn:
The attendees will learn a novel approach for formulating optimal access-control policy that allows a tunable tradeoff between thwarting adversarial scenarios and maintaining mission-critical network access.

Speakers
Steven Noel

Principal Cybersecurity Scientist, The MITRE Corporation
Dr. Steven Noel is a Principal Cybersecurity Researcher in MITRE’s Cyber Solutions Innovation Center. He earned his PhD in Computer Science from the University of Louisiana at Lafayette in 2001. For 20+ years, he has led multi-disciplinary teams conducting advanced research in cybersecurity...



Tuesday January 11, 2022 12:00pm - 12:30pm EST

12:30pm EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Information on how to join was provided in the information emails provided to registered attendees.


Tuesday January 11, 2022 12:30pm - 1:00pm EST

1:00pm EST

Track I: Insider Threat Analyst Training (Day 1)
Limited Capacity seats available

This course presents strategies for collecting and analyzing data to prevent, detect, and respond to insider activity. It discusses various techniques and methods for designing, implementing, and measuring the effectiveness of various components of an insider threat data collection and analysis capability.

Course Objectives
At the completion of the course, learners will be able to:
  • Work with raw data to identify concerning behaviors and activity of potential insiders
  • Identify the technical requirements for accessing data for insider threat analysis
  • Develop insider threat indicators that fuse data from multiple sources
  • Apply advanced analytics for identifying insider anomalies
  • Measure the effectiveness of insider threat indicators and anomaly detection methods
  • Navigate the insider threat tool landscape
  • Describe the policies, practices, and procedures needed for an insider threat analysis process
  • Outline the roles and responsibilities of insider threat analysts in an insider threat incident response process

Topics
The course covers topics such as:
  • Strategies on identifying risks to assets from insiders
  • Building a data collection and analysis function for both technical and behavioral data
  • Identifying data sources for insider threat analysis
  • Prioritizing data sources to include in an analysis function
  • Developing insider threat indicators from raw data
  • Advanced analytics for insider threat mitigation
    - Correlating data from disparate sources
    - Resolving multiple accounts to single entities
    - Indicator patterns and sequences
    - Insider threat anomaly detection methods
  • Measuring the effectiveness of insider threat controls
  • Features and functionality of tools used in insider threat mitigation
  • CERT's methodology for insider threat tool testing
  • Developing an insider threat data collection and analysis process
    - Triage
    - Escalation
    - Referral
    - Continuous improvement
  • Developing an insider threat incident response process

Speakers
Luke Osterriter

Insider Risk Researcher, CERT Division - SEI/CMU
Mr. Luke Osterritter is a Cyber Security Researcher and Member of the Technical Staff with the Enterprise Threat & Vulnerability Management team at the CERT division of Carnegie Mellon University's Software Engineering Institute. He is also a doctoral researcher with the Center for...

Derrick Spooner

Information Systems Security Analyst, CERT Division - SEI/CMU
Derrick Spooner is a member of the Enterprise Threat & Vulnerability Management team in the CERT Division of the Carnegie Mellon Software Engineering Institute. Derrick designs, develops, and transitions tools, algorithms, and exercises that enhance organizations’ abilities to detect...

Austin Whisnant

Insider Risk Researcher, CERT Division - SEI/CMU
Austin Whisnant is a Member of the Technical Staff with the CERT Program at the Software Engineering Institute, a unit of Carnegie Mellon University (CMU). Her research interests include large-scale network traffic analysis, risk analysis, modeling and simulation, and national cybersecurity...


Tuesday January 11, 2022 1:00pm - 4:00pm EST

1:00pm EST

Track II: Introduction to Data Science - Concepts & Techniques (Day 1)
Limited Capacity seats available

Day 1 Session
This course provides an accessible introduction to foundational data science concepts, terminology, and approaches using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. Although widespread applications of data science in network security are relatively recent, data science has roots going back decades. Due to its depth and technical complexity, Data Science is often considered to be indistinguishable from magic. This course is intended to break the illusion and help attendees harness the true power of data science to defend networked systems.

The morning session will answer important questions, including:
  • Are data science and machine learning truly different from artificial intelligence?
  • Is this product really using machine learning or just faking it?
  • How can I tell timeseries and graph data apart?
  • What makes “deep” learning different from other approaches?
  • How can I effectively work with others in my organization to achieve data science success?

Day 2 Session
The course continues by providing a hands-on introduction to foundational data science techniques and algorithms using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. For both practitioners and managers, applying data science to cybersecurity applications can be a challenge. This course is intended to demystify data science and show how specific data science techniques can be applied to network data.

The afternoon session answers important questions including:
  • What tools do I need to get started with data science?
  • Where can I get data for exploring particular algorithms?
  • I managed to choose an algorithm; now how do I make it work?
  • What does a working data science model look like?
  • I (finally) got a model; how do I know if it performs well?

Intended Audience: Practitioners, managers, and/or executives who are curious about data science and want to strengthen their understanding of data science concepts and techniques in a hands-on, introductory setting. Experience with applied math, statistics, and/or coding is beneficial, but not required.

Speakers
Andrew Fast

Chief Data Scientist, CounterFlow AI, Inc
Andrew Fast is the Chief Data Scientist and co-founder of CounterFlow AI, where he leads the implementation of streaming machine learning algorithms on CounterFlow AI's ThreatEye cloud-native analytics platform for Encrypted Traffic Analysis. Previously, Dr. Fast served as the Chief...

Don Rude

Principal Data Scientist, CounterFlow AI, Inc.
Don Rude brings an extensive background in machine learning, computer science, network management, and software engineering to CounterFlow AI. Mr. Rude has over 20 years of hands-on software development experience across a variety of industries, research areas, and both local and...


Tuesday January 11, 2022 1:00pm - 4:00pm EST

1:00pm EST

Track III: Intrusion Analysis and Threat Hunting with Open Source Tools (Day 1)
Limited Capacity seats available

In today’s threat landscape, sophisticated adversaries have routinely demonstrated the ability to compromise enterprise networks and remain hidden for extended periods of time. In Intrusion Analysis and Threat Hunting with Open Source Tools, you will learn how to dig deep into network traffic to identify key evidence that a compromise has occurred, learn how to deal with new forms of attack, and develop the skills necessary to proactively search for evidence of new breaches. We will explore key phases of adversary tactics and techniques - from delivery mechanisms to post-infection traffic - to get hands-on analysis experience. Open-source tools such as Suricata and Moloch will be utilized to generate data, perform exhaustive traffic analysis, and develop comprehensive threat hunting strategies. By the end of this workshop, you will have the knowledge and skills necessary to discover new threats in your network.

To help you prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required. We also recommend the following readings:

Speakers
Josh Stroschein

Director of Training, Open Information Security Foundation - OISF
Josh is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is the Director of Training for the Open Information Security Foundation (OISF), where he leads all training activity for the foundation and is also responsible for academic outreach...

Peter Manev

QA / Training lead, Open Information Security Foundation - OISF
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner. SELKS maintainer...


Tuesday January 11, 2022 1:00pm - 4:00pm EST
 
Wednesday, January 12
 

10:00am EST

Introduction and Welcome
Conference Chair Joshua Fallon welcomes FloCon 2022 attendees for the day with information pertaining to how our online delivery options will operate.


Speakers
Joshua Fallon

Network Defense Analyst, CERT Division - SEI/CMU


Wednesday January 12, 2022 10:00am - 10:15am EST

10:15am EST

ML-Driven New Account Fraud Early Detection System
The Australian Competition and Consumer Commission (ACCC), through “Scamwatch” (scamwatch.gov.au), reported that in 2020 Australians lost a reported $851 million to fraud, up 23.1 per cent compared to 2019. Investment frauds accounted for more than a third of total losses. The greatest challenge faced by online financial products is the increase in identity theft. As reported by the Australian Institute of Criminology (AIC), one in four Australians has been a victim of personally identifiable information misuse of some sort. As rule-based detection systems are becoming less effective, the ongoing challenge of fraud and financial crime requires innovative and effective approaches.

In response, we focused our R&D effort on detecting new account fraud activities that usually follow identity theft incidents or synthetic identity creation and use. The explicit business goals were to reduce the false positive rate, improve the true fraud detection rate, and enable the business to detect fraud cases before any monetary outflows by striking the fraudsters earlier in the fraud “Kill-Chain”.
As part of our data transformation process, we leveraged the capabilities of graph databases to model the customer “360” view of existing relationships, and to implement “guilt-by-association” logic to unearth fraud networks no matter how deep or how hard they try to hide. Another key technical demand was the application of imbalanced data handling techniques during the model tuning process when facing a 1000:1 normal-to-fraud data ratio.

When viewed from the business perspective, we were able to achieve over 80% reduction in false positive cases, thereby removing a significant portion of the negative impact on customer relationships. The model also resulted in more true positive predictions. In some cases, the model was able to catch fraudsters’ attempts to evade existing detection systems while trying to launder multi-million-dollar assets.

Attendees Will Learn:
The sharing of successful adoption of some of the front-line non-proprietary techniques we applied in our new account fraud detection research will lift all boats and help our industry peers to collectively defend against organized criminal groups, opportunistic fraud attacks and other illicit actors; restricting their funding sources, diminishing their overall capabilities and ultimately deterring ongoing fraud and financial crimes to the benefit of Vanguard and the wider financial services sector.

Speakers
Will Li

Senior Architect, Vanguard
Will Li is a senior technical leader in risk and security space at Vanguard. His current focus is on promoting the adoption of analytics and machine learning across the many sub-domains of enterprise risk, security, and fraud management. Prior to that, Mr. Li has had a long and diverse...

Jose Martins

Senior Fraud Detection and Monitoring Lead, Vanguard
Jose is currently the Senior Fraud Detection and Monitoring lead at Vanguard Australia. In his current role he is responsible for developing and maintaining fraud detection, investigation, and mitigation strategies to support the operation of several online trading platforms. Jose...



Wednesday January 12, 2022 10:15am - 10:45am EST

10:45am EST

Traditional and Advanced Techniques for Network Beacon Detection
Software that calls home at a regular interval is referred to as “beaconing”. Beaconing can be similar to normal network traffic, but there is uniqueness that we can look for as part of a threat hunt. Our particular focus is on the timing of the communications for a unique connection. Our work shows techniques for targeting the top candidates on a network that may be exhibiting beaconing behavior by using several machine learning clustering models on the communication delta times.

Attendees Will Learn:
Attendees will come to understand beaconing software, how to analyze the connections between machines using standard Python machine learning libraries, and how to think about utilizing ML in general for their day-to-day operations.

Speakers
Dustin Updyke

Cybersecurity Researcher, CERT Division - SEI/CMU
Dustin Updyke is a Cybersecurity Researcher at the CERT Division of Carnegie Mellon University’s Software Engineering Institute. After previously serving with multiple industries in an array of technology roles, Dustin transitioned into security and now supports cyber workforce...

Tom Podnar

Cyber Security Engineer, CERT Division - SEI/CMU
Tom currently is a Cyber Security Engineer at the CERT division of SEI at Carnegie Mellon. He works with the United States Army researching, architecting, implementing, and delivering elite cyber warfare exercises. He also is an adjunct professor at La Roche University, where he teaches...



Wednesday January 12, 2022 10:45am - 11:15am EST

11:15am EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Information on how to join was provided in the information emails provided to registered attendees.


Wednesday January 12, 2022 11:15am - 11:45am EST

11:45am EST

What Do We Mean by a Science of Security?
The ever-expanding scale of digital infrastructure has necessitated automation. Data-driven methods to detect and remediate threats have brought some hope to increasingly belabored defenders. However, debates linger as to the efficacy of data-driven automation.

Security solutions often are purely engineering-driven. As well, many security operations lack the time and resources to strongly validate security systems. Substantiating the efficacy of emerging methods is challenged to the degree there are weak practices for establishing scientific proof in the security domain.

This presentation seeks to stimulate insight and discussion concerning the distinction between security engineering solutions and scientific insights. Whereas engineering solutions establish new techniques, deeper insights concerning the fundamental dynamics underlying network behaviors are often lacking. As a result, we are often left with a difficult-to-manage set of black box solutions and methodological toolkits. Marketing, hype, and commercial noise increase such confusion.

To highlight the distinction between engineering and science in security, insights from research literature and interviews with practitioners are cited. Through distinguishing engineering and scientific practice, a set of recommendations concerning integrating the two approaches concludes the presentation.

The presentation summarizes research-based insights from the new book ‘Cybersecurity Data Science: Best Practices in an Emerging Profession’, published by Springer and written by the presenter. The project was centrally motivated and informed by participating in the FloCon conference from 2017 to the present.

Attendees Will Learn:
This presentation seeks to profile the distinction between engineering and scientific approaches to security. An attempt is made to highlight the benefits of scientific insights versus engineered techniques. The goal is to raise consciousness concerning both the challenges to and benefits of scientific approaches in security. Attendees will:
  • Gain insights on how to distinguish security engineering from science
  • Benefit from insights extrapolated from both research and practitioner interviews
  • Understand practical approaches to bootstrap scientific inquiry in security operations
This presentation offers perspectives on data-driven security approaches to security professionals, managers, policy stakeholders, educators, and researchers.

Speakers
Scott Mongeau

Google Cloud Engineer, Google
Scott Mongeau PhD is a Principal at SARK7 (sark7.com). He has three decades of experience designing and deploying data intensive solutions in a range of industries. Active globally, his book "Cybersecurity Data Science: Best Practices in an Emerging Profession" was recently released...



Wednesday January 12, 2022 11:45am - 12:15pm EST

12:15pm EST

SPONSORED TALK: Improve Threat Intelligence Scoring While Optimizing Precious Resources
This session discusses how the enrichment of network flow data can improve threat identification scoring to reduce false positives and the investigative fatigue associated with them. Network data is only one component in threat scoring, yet advanced processing techniques enable additional Indicators of Compromise, strengthening threat detection for both clear and encrypted traffic. The discussion will also highlight potential strategies that leverage enriched flow data using rule-based and machine learning approaches to optimize the overall tool chain.

Sponsors
NetQuest

We provide professional, scalable network visibility solutions for both cyber intelligence and network security applications for service providers, large enterprises, and government agencies.


Wednesday January 12, 2022 12:15pm - 12:25pm EST

12:25pm EST

Lightning Talks - Poster Presentation Preview
Lightning Talks previewing the content that will be covered during our Poster Session will be presented.

Enriching Honeypot Data Using Cyber Threat Intelligence
Speaker: Caitlin Allen
Cybersecurity is a rapidly growing field that becomes more complex as time goes on. There are numerous aspects of security that branch out into their own equally complex fields. Many companies and organizations struggle to properly prepare for attacks against them, and fail to utilize threat intelligence or offensive security measures to mitigate these attacks.
This project aims to take data gathered by honeypots to enrich reports that can be provided to cybersecurity experts to improve their security posture. While honeypots and threat intelligence are properly established in the field and have copious research behind their workings and capabilities, the knowledge around applying them to a readable format is limited. This research aims to bridge that gap between threat intelligence and security hardening. The project will be accomplished by creating a virtual network that emulates an enterprise network. Offensive security mechanisms will be installed on these machines in the appropriate sections to produce the results needed for enriching reports.

Cloud Maturity Benchmarking Survey
Speaker: Anokhy Desai
The COVID-19 pandemic has forced businesses to consider a shift from in-person work and managed operations to remote work and cloud-based operations. These changes put companies’ cloud capabilities to the test, as every business that uses the cloud wants to ensure a secure cloud-based working environment. On top of individual business requirements, industry requirements for cloud services vary by industry and even by business function. Therefore, it has become increasingly important for organizations to benchmark their cloud capabilities with other organizations in their industry in order to make adjustments, identify gaps, and note improvements to make between their current state and target future state. To capture this shift to the cloud and help organizations identify their cloud-related improvement areas, we were tasked with creating a benchmarking survey to help our client better understand the extent to which their clients were aware of, trained for, and have implemented strategies for cloud usage. In order to create that benchmarking survey, we had to develop a fitting cloud maturity model to provide survey respondents with their position within that model. After researching available cloud maturity models and their primary functions and audiences, we ultimately created a hybrid maturity model based primarily on Microsoft Azure’s and Open Alliance’s cloud maturity models. Our maturity model provides four stages that a survey respondent's organization would be matched to, from least to most proactive: preliminary, defined, quantitatively managed, and optimized. To determine the maturity level of the respondent’s organization, the survey is created to evaluate the organization’s transition to cloud in relation to its people, process and innovation. Upon taking the survey, respondents will be able to see where they stand at an appropriate maturity level overall and among their industry. 
Ideally, respondents would be matched to the highest maturity stage relative to their industry. If not, our client company would be able to view their clients’ outcomes and provide transformation services based on these results.

Application Labeling Using Time-Based Network Flow Features as an Alternative to Packet Payload-Based Methods
Speaker: Anusha Sinha
Application labels have been used by network administrators and analysts to optimize and defend networks for decades. We created a pipeline to generate labeled data and train supervised classifiers to assign application labels to flow data. We used this pipeline to train a model using time-based flow features and compare it to the performance of a model trained directly on packet payload strings. We used these comparisons to draw conclusions on the importance of payload data for the characterization of 18 different application protocols. We also provided public access to the large labeled data-set used in our work.

A Taxonomy of Cyber Attacks in Smart Manufacturing Systems Through the Perspective of the NIST Cybersecurity Framework Manufacturing Profile
Speaker: Bethanie Williams
A revolution in manufacturing systems is underway with smart manufacturing becoming an integral component of the broader push towards Industry 4.0. As the modern manufacturing industry continues to bridge digital and physical environments through the use of Internet of Things (IoT), cloud systems, data analytics, and machine learning, this integration has led to an increase in cyber-physical attacks with ongoing discovery of new security challenges. We present a comprehensive study of the common security challenges and attacks faced by smart manufacturing systems today and use the NIST Cybersecurity Framework Manufacturing Profile as a guideline to address cyber incidents that have occurred within the manufacturing sector. The attack taxonomy we present identifies, defines, and classifies cyber-attacks in the smart manufacturing sector and will aid both researchers and manufacturers to determine which business function(s) is/are at risk as a result of such attacks and take protective measures accordingly.

Speakers
Anusha Sinha

Associate Machine Learning Research Scientist, CERT Division - SEI/CMU
Anusha Sinha is an Associate Machine Learning Research Scientist in the CERT Division of Carnegie Mellon University's Software Engineering Institute. She began working at CERT in 2018 and has contributed to the design and development of software used to monitor and defend large networks...

Caitlin Allen

Security Operations Analyst, Stripe
Caitlin M. Allen is a graduate from Champlain College with a degree in Computer Networking & Cybersecurity now working for Stripe as a Security Ops Analyst. Prior to making the transition to working in financial technology, Caitlin worked for Managed Services provider, NuHarbor Security...

Anokhy Desai

Master's Student, Carnegie Mellon University
Anokhy Desai is an Information Security Policy and Management Master's student at Carnegie Mellon University and a law student at the University of Pittsburgh. She will be presenting with Abhilash Kashyap (Deloitte) and Pavithra Pradip (Intuit), both recent alums of the Information...

Pavithra Pradip

Security Analyst, Intuit
Pavithra is a Security Analyst in the Governance, Risk and Compliance group at Intuit. She graduated from Carnegie Mellon University with a Master’s in Information Security Policy and Management in 2021. Her bachelor’s degree was in Finance and Technology Management from Indiana...

Abhilash R Kashyap

Deloitte
Abhilash is a Deloitte Advisory Analyst in the Model Risk Management practice. He graduated from Carnegie Mellon University with a Master’s in Information Security Policy Management in 2021. His bachelor’s degree was in Computer Science with Data Science specialization from PES...

Bethanie Williams

Research Assistant, Tennessee Technological University
As a CyberCorps SFS Scholar and graduate student attending Tennessee Tech, Marena Soulet is currently researching security in smart manufacturing. In her spare time she enjoys hiking and swing dancing. Bethanie Williams is also a graduate student at Tennessee Tech. She is a full-time...


Wednesday January 12, 2022 12:25pm - 12:45pm EST

12:45pm EST

Discord Poster and Networking Session
Posters will be presented via dedicated Discord channels. Attendees will have the opportunity to network with each other, discuss poster content with presenters, and continue conversations with speakers.

Enriching Honeypot Data Using Cyber Threat Intelligence
Speaker: Caitlin Allen
Cybersecurity is a rapidly growing field that becomes more complex as time goes on. There are numerous aspects of security that branch out into their own equally complex fields. Many companies and organizations struggle to properly prepare for attacks against them, and fail to utilize threat intelligence or offensive security measures to mitigate these attacks.
This project aims to take data gathered by honeypots to enrich reports that can be provided to cybersecurity experts to improve their security posture. While honeypots and threat intelligence are properly established in the field and have copious research behind their workings and capabilities, the knowledge around applying them to a readable format is limited. This research aims to bridge that gap between threat intelligence and security hardening. The project will be accomplished by creating a virtual network that emulates an enterprise network. Offensive security mechanisms will be installed on these machines in the appropriate sections to produce the results needed for enriching reports.

Cloud Maturity Benchmarking Survey
Speaker: Anokhy Desai
The COVID-19 pandemic has forced businesses to consider a shift from in-person work and managed operations to remote work and cloud-based operations. These changes put companies’ cloud capabilities to the test, as every business that uses the cloud wants to ensure a secure cloud-based working environment. On top of individual business requirements, industry requirements for cloud services vary by industry and even by business function. Therefore, it has become increasingly important for organizations to benchmark their cloud capabilities with other organizations in their industry in order to make adjustments, identify gaps, and note improvements to make between their current state and target future state. To capture this shift to the cloud and help organizations identify their cloud-related improvement areas, we were tasked with creating a benchmarking survey to help our client better understand the extent to which their clients were aware of, trained for, and have implemented strategies for cloud usage. In order to create that benchmarking survey, we had to develop a fitting cloud maturity model to provide survey respondents with their position within that model. After researching available cloud maturity models and their primary functions and audiences, we ultimately created a hybrid maturity model based primarily on Microsoft Azure’s and Open Alliance’s cloud maturity models. Our maturity model provides four stages that a survey respondent's organization would be matched to, from least to most proactive: preliminary, defined, quantitatively managed, and optimized. To determine the maturity level of the respondent’s organization, the survey is created to evaluate the organization’s transition to cloud in relation to its people, process and innovation. Upon taking the survey, respondents will be able to see where they stand at an appropriate maturity level overall and among their industry. 
Ideally, respondents would be matched to the highest maturity stage relative to their industry. If not, our client company would be able to view their clients’ outcomes and provide transformation services based on these results.

Application Labeling Using Time-Based Network Flow Features as an Alternative to Packet Payload-Based Methods 
Speaker: Anusha Sinha
Application labels have been used by network administrators and analysts to optimize and defend networks for decades. We created a pipeline to generate labeled data and train supervised classifiers to assign application labels to flow data. We used this pipeline to train a model using time-based flow features and compare it to the performance of a model trained directly on packet payload strings. We used these comparisons to draw conclusions on the importance of payload data for the characterization of 18 different application protocols. We also provided public access to the large labeled data-set used in our work.
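The feature side of the approach above, as an added example rather than the CERT/SEI pipeline itself: a flow is labelled using only packet timestamps and sizes, never payload bytes, and the classifier is a plain nearest-centroid model so the whole thing runs on the standard library. The three traffic shapes (interactive, bulk transfer, fixed-interval polling), the feature names and the class labels are constructed assumptions, not the 18 protocols or the dataset from the poster.

```python
"""Time-based flow features for application labeling (added example)."""
import math
import random
import statistics
from typing import Dict, List, Tuple

Flow = List[Tuple[float, int]]  # (packet timestamp in seconds, packet length in bytes)
FEATURES = ["duration", "pkts_per_s", "iat_mean", "iat_cv", "iat_max", "mean_len"]


def time_features(flow: Flow) -> Dict[str, float]:
    """Feature vector derived from timing and size alone; no payload is read."""
    ts = [t for t, _ in flow]
    iat = [b - a for a, b in zip(ts, ts[1:])]           # inter-arrival times
    duration = ts[-1] - ts[0]
    mean_iat = statistics.fmean(iat) if iat else 0.0
    return {
        "duration": duration,
        "pkts_per_s": len(flow) / duration if duration > 0 else float(len(flow)),
        "iat_mean": mean_iat,
        # coefficient of variation separates periodic (low) from bursty (high) traffic
        "iat_cv": statistics.pstdev(iat) / mean_iat if mean_iat > 0 else 0.0,
        "iat_max": max(iat) if iat else 0.0,
        "mean_len": statistics.fmean(length for _, length in flow),
    }


def vec(features: Dict[str, float]) -> List[float]:
    return [features[k] for k in FEATURES]


class NearestCentroid:
    """Z-score each feature, then assign the closest class centroid."""

    def fit(self, X: List[List[float]], y: List[str]) -> "NearestCentroid":
        cols = list(zip(*X))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]   # guard constant columns
        by_label: Dict[str, List[List[float]]] = {}
        for x, label in zip(X, y):
            by_label.setdefault(label, []).append(self._scale(x))
        self.centroids = {lab: [statistics.fmean(c) for c in zip(*rows)]
                          for lab, rows in by_label.items()}
        return self

    def _scale(self, x: List[float]) -> List[float]:
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x: List[float]) -> str:
        z = self._scale(x)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def synth_flow(kind: str, rng: random.Random) -> Flow:
    """Constructed flows standing in for captured traffic (hypothetical shapes)."""
    t, flow = 0.0, []
    if kind == "interactive":        # keystroke-driven: small packets, bursty gaps
        for _ in range(60):
            flow.append((t, rng.randint(60, 120)))
            t += rng.expovariate(1 / 0.5)
    elif kind == "bulk":             # back-to-back MTU-sized packets
        for _ in range(60):
            flow.append((t, rng.randint(1380, 1460)))
            t += rng.uniform(0.0005, 0.0015)
    elif kind == "polling":          # fixed-interval small requests
        for _ in range(40):
            flow.append((t, rng.randint(100, 140)))
            t += 5.0 + rng.uniform(-0.05, 0.05)
    return flow


def make_dataset(n_per_class: int, seed: int) -> Tuple[List[List[float]], List[str]]:
    rng = random.Random(seed)
    X, y = [], []
    for kind in ("interactive", "bulk", "polling"):
        for _ in range(n_per_class):
            X.append(vec(time_features(synth_flow(kind, rng))))
            y.append(kind)
    return X, y


def evaluate(seed_train: int = 1, seed_test: int = 2) -> float:
    """Train on one synthetic draw, score accuracy on an independent one."""
    Xtr, ytr = make_dataset(30, seed_train)
    Xte, yte = make_dataset(20, seed_test)
    clf = NearestCentroid().fit(Xtr, ytr)
    correct = sum(clf.predict(x) == label for x, label in zip(Xte, yte))
    return correct / len(yte)


if __name__ == "__main__":
    print(f"held-out accuracy on synthetic flows: {evaluate():.2f}")
```

The point of the synthetic classes is that they are indistinguishable by size alone (interactive and polling both use small packets) but separate cleanly on inter-arrival statistics, which is the kind of signal a payload-free labeler has to rely on once traffic is encrypted.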

A Taxonomy of Cyber Attacks in Smart Manufacturing Systems Through the Perspective of the NIST Cybersecurity Framework Manufacturing Profile
Speaker: Bethanie Williams
A revolution in manufacturing systems is underway with smart manufacturing becoming an integral component of the broader push towards Industry 4.0. As the modern manufacturing industry continues to bridge digital and physical environments through the use of Internet of Things (IoT), cloud systems, data analytics, and machine learning, this integration has led to an increase in cyber-physical attacks with ongoing discovery of new security challenges. We present a comprehensive study of the common security challenges and attacks faced by smart manufacturing systems today and use the NIST Cybersecurity Framework Manufacturing Profile as a guideline to address cyber incidents that have occurred within the manufacturing sector. The attack taxonomy we present identifies, defines, and classifies cyber-attacks in the smart manufacturing sector and will aid both researchers and manufacturers to determine which business function(s) is/are at risk as a result of such attacks and take protective measures accordingly.

Speakers
Caitlin Allen
Security Operations Analyst, Stripe
Caitlin M. Allen is a graduate of Champlain College with a degree in Computer Networking & Cybersecurity, now working for Stripe as a Security Ops Analyst. Prior to making the transition to working in financial technology, Caitlin worked for the managed services provider NuHarbor Security...

Anokhy Desai
Master's Student, Carnegie Mellon University
Anokhy Desai is an Information Security Policy and Management Master's student at Carnegie Mellon University and a law student at the University of Pittsburgh. She will be presenting with Abhilash Kashyap (Deloitte) and Pavithra Pradip (Intuit), both recent alums of the Information...

Abhilash R Kashyap
Deloitte
Abhilash is a Deloitte Advisory Analyst in the Model Risk Management practice. He graduated from Carnegie Mellon University with a Master’s in Information Security Policy Management in 2021. His bachelor’s degree was in Computer Science with a Data Science specialization from PES...

Pavithra Pradip
Security Analyst, Intuit
Pavithra is a Security Analyst in the Governance, Risk and Compliance group at Intuit. She graduated from Carnegie Mellon University with a Master’s in Information Security Policy and Management in 2021. Her bachelor’s degree was in Finance and Technology Management from Indiana...

Anusha Sinha
Associate Machine Learning Research Scientist, CERT Division - SEI/CMU
Anusha Sinha is an Associate Machine Learning Research Scientist in the CERT Division of Carnegie Mellon University's Software Engineering Institute. She began working at CERT in 2018 and has contributed to the design and development of software used to monitor and defend large networks...

Bethanie Williams
Research Assistant, Tennessee Technological University
As a CyberCorps SFS Scholar and graduate student attending Tennessee Tech, Marena Soulet is currently researching security in smart manufacturing. In her spare time she enjoys hiking and swing dancing. Bethanie Williams is also a graduate student at Tennessee Tech. She is a full-time...


Wednesday January 12, 2022 12:45pm - 1:15pm EST

1:30pm EST

Track I: Insider Threat Analyst Training (Day 2)
Limited capacity; seats available.

This course presents strategies for collecting and analyzing data to prevent, detect, and respond to insider activity. It discusses various techniques and methods for designing, implementing, and measuring the effectiveness of various components of an insider threat data collection and analysis capability.

Course Objectives
At the completion of the course, learners will be able to:
  • Work with raw data to identify concerning behaviors and activity of potential insiders
  • Identify the technical requirements for accessing data for insider threat analysis
  • Develop insider threat indicators that fuse data from multiple sources
  • Apply advanced analytics for identifying insider anomalies
  • Measure the effectiveness of insider threat indicators and anomaly detection methods
  • Navigate the insider threat tool landscape
  • Describe the policies, practices, and procedures needed for an insider threat analysis process
  • Outline the roles and responsibilities of insider threat analysts in an insider threat incident response process

Topics
The course covers topics such as:
  • Strategies on identifying risks to assets from insiders
  • Building a data collection and analysis function for both technical and behavioral data
  • Identifying data sources for insider threat analysis
  • Prioritizing data sources to include in an analysis function
  • Developing insider threat indicators from raw data
  • Advanced analytics for insider threat mitigation
    - Correlating data from disparate sources
    - Resolving multiple accounts to single entities
    - Indicator patterns and sequences
    - Insider threat anomaly detection methods
  • Measuring the effectiveness of insider threat controls
  • Features and functionality of tools used in insider threat mitigation
  • CERT's methodology for insider threat tool testing
  • Developing an insider threat data collection and analysis process
    - Triage
    - Escalation
    - Referral
    - Continuous improvement
  • Developing an insider threat incident response process

Speakers
Luke Osterriter
Insider Risk Researcher, CERT Division - SEI/CMU
Mr. Luke Osterritter is a Cyber Security Researcher and Member of the Technical Staff with the Enterprise Threat & Vulnerability Management team at the CERT division of Carnegie Mellon University's Software Engineering Institute. He is also a doctoral researcher with the Center for...

Derrick Spooner
Information Systems Security Analyst, CERT Division - SEI/CMU
Derrick Spooner is a member of the Enterprise Threat & Vulnerability Management team in the CERT Division of the Carnegie Mellon Software Engineering Institute. Derrick designs, develops, and transitions tools, algorithms, and exercises that enhance organizations’ abilities to detect...

Austin Whisnant
Insider Risk Researcher, CERT Division - SEI/CMU
Austin Whisnant is a Member of the Technical Staff with the CERT Program at the Software Engineering Institute, a unit of Carnegie Mellon University (CMU). Her research interests include large-scale network traffic analysis, risk analysis, modeling and simulation, and national cybersecurity...


Wednesday January 12, 2022 1:30pm - 4:00pm EST

1:30pm EST

Track II: Introduction to Data Science - Concepts & Techniques (Day 2)
Limited capacity; seats available.

Day 1 Session
This course provides an accessible introduction to foundational data science concepts, terminology, and approaches using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. Although widespread applications of data science in network security are relatively recent, data science has roots going back decades. Due to its depth and technical complexity, Data Science is often considered to be indistinguishable from magic. This course is intended to break the illusion and help attendees harness the true power of data science to defend networked systems.

The morning session will answer important questions, including:
  • Are data science and machine learning truly different from artificial intelligence?
  • Is this product really using machine learning or just faking it?
  • How can I tell timeseries and graph data apart?
  • What makes “deep” learning different from other approaches?
  • How can I effectively work with others in my organization to achieve data science success?

Day 2 Session
The course continues by providing a hands-on introduction to foundational data science techniques and algorithms using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. For both practitioners and managers, applying data science to cybersecurity applications can be a challenge. This course is intended to demystify data science and show how specific data science techniques can be applied to network data.

The afternoon session answers important questions including:
  • What tools do I need to get started with data science?
  • Where can I get data for exploring particular algorithms?
  • I managed to choose an algorithm; now how do I make it work?
  • What does a working data science model look like?
  • I (finally) got a model, how do I know if it performs well?

Intended Audience: Practitioners, managers, and/or executives who are curious about data science and want to strengthen their understanding of data science concepts and techniques in a hands-on, introductory setting. Experience with applied math, statistics, and/or coding is beneficial, but not required.

Speakers
Andrew Fast
Chief Data Scientist, CounterFlow AI, Inc
Andrew Fast is the Chief Data Scientist and co-founder of CounterFlow AI, where he leads the implementation of streaming machine learning algorithms on CounterFlow AI's ThreatEye cloud-native analytics platform for Encrypted Traffic Analysis. Previously, Dr. Fast served as the Chief...

Don Rude
Principal Data Scientist, CounterFlow AI, Inc.
Don Rude brings an extensive background in machine learning, computer science, network management, and software engineering to CounterFlow AI. Mr. Rude has over 20 years of hands-on software development experience across a variety of industries, research areas, and both local and...


Wednesday January 12, 2022 1:30pm - 4:00pm EST

1:30pm EST

Track III: Intrusion Analysis and Threat Hunting with Open Source Tools (Day 2)
Limited capacity; seats available.

In today’s threat landscape, sophisticated adversaries have routinely demonstrated the ability to compromise enterprise networks and remain hidden for extended periods of time. In Intrusion Analysis and Threat Hunting with Open Source Tools, you will learn how to dig deep into network traffic to identify key evidence that a compromise has occurred, learn how to deal with new forms of attack, and develop the skills necessary to proactively search for evidence of new breaches. We will explore key phases of adversary tactics and techniques - from delivery mechanisms to post-infection traffic - to get hands-on analysis experience. Open-source tools such as Suricata and Moloch will be utilized to generate data, perform exhaustive traffic analysis, and develop comprehensive threat hunting strategies. By the end of this workshop, you will have the knowledge and skills necessary to discover new threats in your network.

To help you prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required. We also recommend the following readings:

Speakers
Peter Manev
QA / Training lead, Open Information Security Foundation - OISF
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner. SELKS maintainer...

Josh Stroschein
Director of Training, Open Information Security Foundation - OISF
Josh is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is the Director of Training for the Open Information Security Foundation (OISF), where he leads all training activity for the foundation and is also responsible for academic outreach...


Wednesday January 12, 2022 1:30pm - 4:00pm EST
 
Thursday, January 13
 

10:00am EST

Introduction and Welcome
Conference Chair Joshua Fallon welcomes FloCon 2022 attendees for the day with information pertaining to how our online delivery options will operate.


Thursday January 13, 2022 10:00am - 10:15am EST

10:15am EST

Generating Known Unknowns through Known Knowns
There are multiple tools available that will build infrastructure for you and then simulate attacks on the newly built infrastructure. Your job as an analyst is to leverage this data to test your detections and defenses. What if there were a simpler way? What if you could simply generate log events with specific characteristics, then ingest the data into your analytic tool of choice? In this talk we will go over a Python framework that simplifies data generation for simulating specific attacks and attack chains without the need for infrastructure.

Attendees Will Learn:
Attendees will learn how to leverage an open source tool to generate synthetic attack events allowing them to easily generate adversarial activity without the need to build infrastructure.
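The idea in the abstract, shown as an added example rather than the Splunk-authored framework from the talk: an attack chain is described as data, rendered into log events whose characteristics (user, host, timing, command line) you control, mixed with benign noise, and then a detection is run over the result with no infrastructure involved. Field names follow Sysmon-like conventions; the chain, the hosts, the user, the indicator values and the detection rule are all constructed for illustration.

```python
"""Synthetic attack-chain events for detection testing (added example)."""
import datetime as dt
import json
import random
from typing import Dict, List

# Chain template: ordered steps with relative delays. Braced placeholders are
# filled from a scenario dict so one template yields many concrete variants.
SPEARPHISH_TO_PS = [
    {"delay_s": 0, "event": "process_create",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "WINWORD.EXE /n {doc}"},
    {"delay_s": 40, "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "powershell.exe -nop -w hidden -enc {b64}"},
    {"delay_s": 5, "event": "network_connect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "{c2}:443"},
]

# Benign (parent, image) pairs, including a non-Office-spawned PowerShell so
# the detection under test is exercised against a near miss.
BENIGN = [
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def render_chain(chain: List[Dict], scenario: Dict[str, str],
                 start: dt.datetime, rng: random.Random) -> List[Dict]:
    """Turn a chain template into concrete events for one host and user."""
    events, t = [], start
    for step in chain:
        t = t + dt.timedelta(seconds=step["delay_s"] + rng.uniform(0, 3))  # small jitter
        ev = {"ts": t.isoformat(), "host": scenario["host"],
              "user": scenario["user"], "event": step["event"]}
        for key in ("image", "parent", "cmd", "dest"):
            if key in step:
                ev[key] = step[key].format(**scenario)
        events.append(ev)
    return events


def benign_noise(n: int, start: dt.datetime, rng: random.Random, hosts: List[str]) -> List[Dict]:
    """Background process creations spread over an hour (constructed)."""
    events = []
    for _ in range(n):
        parent, image = rng.choice(BENIGN)
        t = start + dt.timedelta(seconds=rng.uniform(0, 3600))
        events.append({"ts": t.isoformat(), "host": rng.choice(hosts), "user": "svc_build",
                       "event": "process_create", "image": image, "parent": parent,
                       "cmd": image.split("\\")[-1]})
    return events


def build_dataset(seed: int = 7) -> List[Dict]:
    """200 benign events plus one rendered chain, sorted by timestamp."""
    rng = random.Random(seed)
    start = dt.datetime(2022, 1, 13, 10, 0, 0)
    scenario = {"host": "WS-0420", "user": "alice", "doc": "invoice_Q4.docm",
                "b64": "SQBFAFgA",            # UTF-16LE "IEX", base64 (constructed)
                "c2": "198.51.100.23"}        # documentation-range address
    events = benign_noise(200, start, rng, ["WS-0420", "WS-0107", "WS-0333"])
    events += render_chain(SPEARPHISH_TO_PS, scenario, start + dt.timedelta(minutes=17), rng)
    events.sort(key=lambda e: e["ts"])
    return events


def to_jsonl(events: List[Dict]) -> str:
    """One JSON object per line, the shape most log pipelines will ingest."""
    return "\n".join(json.dumps(e) for e in events)


def detect_office_spawned_powershell(events: List[Dict]) -> List[Dict]:
    """Detection under test (hypothetical rule): Office parent spawning PowerShell."""
    office = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
    return [e for e in events
            if e["event"] == "process_create"
            and e["image"].lower().endswith("powershell.exe")
            and e["parent"].upper().endswith(office)]


if __name__ == "__main__":
    data = build_dataset()
    hits = detect_office_spawned_powershell(data)
    print(f"{len(data)} events generated, {len(hits)} detection hit(s)")
    for h in hits:
        print(json.dumps(h))
```

Because the chain's timing is a template parameter, the same generator can also produce the negative cases a detection needs (for example stretching `delay_s` past a correlation window) without standing up a single host.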

Speakers
Marcus LaFerrera
Staff Security Strategist, Splunk
Marcus has been in the security field longer than he'd like to admit. Most of his experience before joining Splunk as a Security Strategist has been supporting various government agencies. He has done everything from leading SOCs, to building threat hunting teams, to research and...



Thursday January 13, 2022 10:15am - 10:45am EST

10:45am EST

Above our Heads: How Attackers are Leveraging the Cloud
It is well established that with an increase in cloud resource availability, individuals and enterprises are empowered to create and host more content than ever. This talk highlights how attackers continue to abuse pre-existing cloud services by delivering malware, conducting phishing and extorting victims at every stage of the kill chain. The presenters will examine the role of the cloud in various recent attacks, how attackers are leveraging cloud infrastructure to conduct these attacks and identify various popular misused services. From team productivity apps for facilitating trade and collaboration to social media to organize command and control routines to unexpected document hosting, the underpinnings of modern malware operations are increasingly bright and efficient. This talk will attempt to narrow the areas of focus for students, researchers and professionals when understanding the breadth of cloud attacks. Participants will leave with outcomes of the findings of these services used by attackers that correlate to popular attacks or proof of concepts in which they were used, along with resources to learn more about cloud security.

Attendees Will Learn:
  • How attackers deliver malware, conduct phishing and extortion attacks, by leveraging pre-existing cloud services, and why they continue to abuse these services.
  • How existing data can give insight into how attackers are leveraging cloud infrastructure to conduct these attacks and identify various popular misused services. 
  • The outcomes of the findings of these services used by attackers that correlate to popular attacks or proof of concepts in which they were used, along with resources to learn more about cloud security.

Speakers
Remi Cohen
Senior Threat Intelligence Engineer, F5
Remi Cohen is a Senior Threat Intelligence Engineer with F5, serving as a technical lead for enterprise Threat Intelligence and Investigations. Prior to F5 she worked for a large national laboratory leading penetration tests and vulnerability assessments. She also conducted research...

Kim Huynh
Security Program Manager, Microsoft
Kim Huynh supports Microsoft's Threat Intelligence team within security research as a Security Program Manager. Prior to that, she worked in healthcare as a Cybersecurity Engineer focusing on threat intelligence and response. Kim's prior research was dedicated to the adoption of a...



Thursday January 13, 2022 10:45am - 11:15am EST

11:15am EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Information on how to join was provided in the information emails provided to registered attendees.


Thursday January 13, 2022 11:15am - 11:45am EST

11:45am EST

Keynote Presentation: Journey to Protecting Data & Information Networks
Melissa Vice, Interim Director for the Vulnerability Disclosure Program (VDP) at the DoD Cyber Crimes Center (DC3), will deliver a Keynote Address for FloCon 2022.

Speakers
Melissa Vice
Interim Director, DoD Cyber Crimes Center (DC3) Vulnerability Disclosure Program (VDP)
Melissa S. Vice is the Interim Director in the Vulnerability Disclosure Program (VDP) at the DoD Cyber Crimes Center (DC3), an Air Force Field Operating Agency (FOA). The DoD VDP was formed as follow-up to the Hack the Pentagon bug bounty program in 2016 to triage, validate, and mitigate...


Thursday January 13, 2022 11:45am - 12:45pm EST

12:45pm EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Network with attendees, visit sponsor rooms, and join the extended Q&A Session with our Keynote Speaker.

Information on how to join was provided in the information emails sent to registered attendees.


Thursday January 13, 2022 12:45pm - 1:00pm EST

1:00pm EST

Self-Modulating Endpoint Observability
Modern micro-services leverage native cloud capabilities to automatically manage workload deployment and scalability. In this model, end-to-end visibility becomes more complex, endpoint-centric, and difficult to execute, especially when deployment and upgrades are continuous. Endpoint monitors, therefore, need to adapt to unpredictable workloads without jeopardizing the performance and stability of the production environment.

Typically, these monitors collect system telemetry data, such as application logs or system calls. Collecting system call data is advantageous because it can provide a detailed view of each process running on a host. Unfortunately, this data is often too large to store and analyze in any meaningful way, forcing practitioners to write complex filtering rules to make the telemetry footprint more manageable. Such filters require constant tuning as new applications and updates are deployed, and often result in important contextual attack data being filtered out needlessly. Telemetry formats such as SysFlow make data collection more palatable by lifting raw system call information into a more semantic summarization of system behaviors. However, SysFlow does not maintain enough system state to further reduce away noisy, redundant process behaviors that can occlude security analyses and create long-term storage headaches.

In this talk, we describe a new system graph data model that encodes process behaviors into hierarchical summarized views of system activity and demonstrate how such data structure can be used to implement a self-modulating telemetry stream that adapts to the monitored environment, and drastically reduces event fatigue, optimizes storage, and provides important contextual information for security investigations.

Attendees Will Learn:
- Challenges in system telemetry for distributed cloud endpoints
- A data modeling approach to address event fatigue in system call monitoring
- Design principles for cloud-native observability

Speakers
Frederico Araujo
Research Scientist, IBM Research
Dr. Frederico Araujo is a Research Scientist at IBM Research, where he leads the team's efforts on cloud-native security. He's an active contributor to open source and a maintainer of the SysFlow project. He's also a contributor to CNCF's Falco project. His work has been featured...

Teryl Taylor
Research Staff Member, IBM Research
Dr. Teryl Taylor is a Research Staff Member in the Cognitive Cybersecurity Intelligence Group at IBM Research. He has ten years of experience in cybersecurity-related research, including NetFlow based analytics, system telemetry and analytics, security visualization and cyber deception...



Thursday January 13, 2022 1:00pm - 1:30pm EST

1:30pm EST

Sensing in Hybrid Clouds
This presentation will discuss multiple options (with strengths and weaknesses) for sensing network behavior in hybrid clouds. A hybrid cloud is an environment that mixes both off-premises and on-premises computing resources. The presentation will cover cloud-vendor options, third-party vendor options, and organization-deployed options.

Attendees Will Learn:
Attendees will learn about the range of cloud sensing options, and how these might be both effective and limited in a hybrid cloud environment. This will allow attendees to be more intelligent consumers of cloud services while maintaining network situational awareness.

Speakers
Tim Shimeall
Senior MTS, CERT Division - SEI/CMU
The only person to make 15 consecutive appearances at FloCon, Tim Shimeall is the Senior Situational Awareness Analyst of the CERT Program at the Software Engineering Institute (SEI). Shimeall is responsible for the development of methods to support decision making in security at...



Thursday January 13, 2022 1:30pm - 2:00pm EST

2:00pm EST

Discord Breakout Sessions and Networking
Join the conversation in Discord. Information on how to join was provided in the information emails provided to registered attendees.


Thursday January 13, 2022 2:00pm - 2:30pm EST

2:30pm EST

Managing Cyber Risks: Express Control Impact and Risk Analysis (ECI & RA)
Organizations are aiming to change how they address cyber risks, moving from endless frameworks, checklists, and broadly complex maturity models to a more pragmatic risk management approach. There is currently no practical framework or method to help organizations determine how to strengthen their security practices given a specific security budget and compliance requirements. Partnering with the Software Engineering Institute at Carnegie Mellon University, we devised a novel cyber risk tool that will ease CISOs' lives by helping them manage cyber risks. The ECI & RA method (Express Control Impact and Risk Analysis) can be applied to any organization to provide CISOs with an express control impact and concise compliance prioritization strategy. The project’s main objective is to provide a more practical and methodological approach to efficiently allocate CISOs' budget, resources, investments, projects, and efforts. The ECI & RA method will also aid CISOs in effectively justifying their budget allocation to executives by creating a novel synergy between several renowned frameworks. Lastly, our method will provide the organization with a clear roadmap to manage cyber risks and comply with regulations and industry standards.

The ECI & RA method combines the following frameworks and resources:
FAIR
OCTAVE Allegro
TARA - MITRE
CMMC
NIST CSF
NIST SP 800-53

Our ECI & RA method combines several techniques and strategies implemented by renowned organizations like the International Monetary Fund (IMF) Strategy and Netflix’s Risk Quant Project - both of which provide support for using log-normal distribution for impact. ECI & RA accomplishes a loss exceedance curve calculation, which is the quantitative expression of risk, that is then used to recommend a prioritized set of NIST controls in alignment with the organization’s specific needs and constraints (e.g., budget, compliance requirements). Our method possesses three main stages: Risk Appetite determination, Risk Analysis, and Risk Mitigation Optimization. Each stage contains its own unique activities to achieve an effective express control impact and risk analysis strategy.

We provide an express control impact and risk analysis method to help any organization manage their risk according to their custom-tailored appetite, budgetary constraints, compliance requirements, and cybersecurity strategy. Our project aims to guide organizations to select mission-critical controls based on renowned frameworks that consider threat capabilities, current controls, and vulnerability factors. ECI & RA will help organizations to drive their cybersecurity strategy based on risk decision-making and framework compliance, setting organizations into the path of cyber risk automation.
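A worked illustration of the loss exceedance calculation described above, added here as an example and not code from the ECI & RA project: a FAIR-style Monte Carlo with Poisson event frequency and log-normal loss magnitude, the resulting exceedance curve, and a ranking of candidate controls by expected-loss reduction against their cost. The scenario parameters, the three control names and their cost and frequency-reduction figures are constructed assumptions chosen only to make the mechanics visible.

```python
"""Loss exceedance curve and control ranking by Monte Carlo (added example)."""
import bisect
import math
import random
from typing import Dict, List, Tuple

# Constructed scenario: events per year ~ Poisson(lambda); loss per event is
# log-normal, elicited as a 90% confidence interval (low, high), the form in
# which FAIR practitioners usually capture expert estimates.
SCENARIO = {"events_per_year": 2.0, "loss_ci_90": (50_000.0, 2_000_000.0)}

# Hypothetical control candidates (the NIST SP 800-53 family tags are real,
# the numbers are not): name -> (annual cost, fractional cut in event frequency).
CONTROLS = {
    "SI-4 system monitoring": (120_000.0, 0.50),
    "AC-2 account management": (40_000.0, 0.30),
    "AT-2 awareness training": (15_000.0, 0.15),
}

Z90 = 1.6448536  # half-width of a two-sided 90% interval, in standard deviations


def lognormal_params(low: float, high: float) -> Tuple[float, float]:
    """mu, sigma of the log-normal whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def ci_from_params(mu: float, sigma: float) -> Tuple[float, float]:
    """Inverse of lognormal_params, useful for sanity-checking an elicitation."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year: float, loss_ci_90: Tuple[float, float],
                           years: int = 10_000, seed: int = 1) -> List[float]:
    """Each simulated year: N events from Poisson, each with a log-normal loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(*loss_ci_90)
    losses = []
    for _ in range(years):
        n = poisson(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def loss_exceedance_curve(losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """(threshold, P[annual loss >= threshold]) pairs: the quantitative risk statement."""
    ordered = sorted(losses)
    n = len(ordered)
    return [(t, (n - bisect.bisect_left(ordered, t)) / n) for t in thresholds]


def expected_loss(losses: List[float]) -> float:
    return sum(losses) / len(losses)


def rank_controls(scenario: Dict, controls: Dict[str, Tuple[float, float]],
                  years: int = 10_000, seed: int = 1) -> List[Tuple[str, float, float]]:
    """Rank controls by net annual benefit (expected-loss reduction minus cost).

    The same seed is reused for every run so controls are compared under
    common random numbers rather than independent sampling noise.
    """
    baseline = expected_loss(simulate_annual_losses(
        scenario["events_per_year"], scenario["loss_ci_90"], years, seed))
    ranking = []
    for name, (cost, reduction) in controls.items():
        treated = simulate_annual_losses(
            scenario["events_per_year"] * (1 - reduction), scenario["loss_ci_90"], years, seed)
        benefit = baseline - expected_loss(treated)
        ranking.append((name, benefit - cost, benefit / cost))
    ranking.sort(key=lambda r: r[1], reverse=True)
    return ranking


if __name__ == "__main__":
    base = simulate_annual_losses(SCENARIO["events_per_year"], SCENARIO["loss_ci_90"])
    for threshold, prob in loss_exceedance_curve(base, [1e5, 5e5, 1e6, 5e6, 1e7]):
        print(f"P[annual loss >= {threshold:>12,.0f}] = {prob:.3f}")
    for name, net, ratio in rank_controls(SCENARIO, CONTROLS):
        print(f"{name:26s} net benefit {net:>12,.0f}  benefit/cost {ratio:.1f}")
```

The exceedance curve is the object to hold against a risk-appetite statement such as "no more than a 5% chance of losing over $2M in a year"; the ranking step is where budget constraints enter, since a control with the best benefit-to-cost ratio is not necessarily the one with the largest net benefit once the budget caps how many can be funded.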

Attendees Will Learn:
A novel and pragmatic approach to solve the complex issues that CISOs face every day: how to manage risks while optimizing the resources and investments needed to minimize those risks effectively. The combination of the MITRE cyber kill-chain, FAIR risk quantification, and CMMC & NIST CSF maturity landscapes allows our method to aid CISOs in moving from suit-it-all strategies based on rigid best practices to actually addressing their organization's risks in a custom-tailored approach. We will help cybersecurity professionals acquire a new path to automate cyber risk and control impact management and to prioritize NIST 800-53 controls, enhancing the mission-critical controls that address the organization's main risks.

Speakers
Muhammad Bin Oiad
Supervisor of ICS Cybersecurity Risk, Saudi Aramco
Muhammad is a Cybersecurity Specialist with 10 years of experience in IT and OT in the private and public sectors. Muhammad is currently the Supervisor of ICS Cybersecurity Risk in the Information Security Department at Saudi Aramco.

Fabio Beltran
Electronic Engineer, Central Bank of Colombia
Fabio is a highly experienced cybersecurity professional with a special interest in cybersecurity risk quantification. He is an electronic engineer, Master in Business and Information Technologies and Master of Science in Information Security Policy & Management. He is currently working...

Lucas Falivene
ISO Expert, ISO
Lucas is a highly experienced cybersecurity professional with a solid base in business, information systems, information security, and government cybersecurity policy-making. A former Fulbright scholar with a Master of Science degree in Information Security Policy and Management at...

Sarah Sha
Consultant, PwC Consulting
Sarah is a recent graduate of Carnegie Mellon’s Information Security Policy & Management program and holds a B.S. in Computer Science from Indiana University. She is currently working for PwC Consulting in the Cybersecurity, Privacy, & Forensics practice.

Yaman Yu
Privacy and Security Researcher, University of Illinois Urbana-Champaign
Yaman is a privacy and security researcher at the University of Illinois Urbana-Champaign. She mainly works on proposing inclusive mechanisms for protecting privacy and improving user experience.



Thursday January 13, 2022 2:30pm - 3:00pm EST

3:00pm EST

Collaborative Botnet Detection through Large-scale Network Traffic
A botnet is a group of malware-infected devices that are used for various cyber attacks. Recently, botnets have evolved to employ globally distributed architectures. To detect botnets comprehensively, collaboration among multiple ISPs is required. However, this is challenging, since each ISP has different techniques and threat intelligence (TI). Existing collaborations are limited to information exchanges.

As joint experiments, NTT and Orange introduce new approaches for deeper collaboration among ISPs. The approaches mutually enrich and extend TI with each party's traffic data while preserving the privacy and confidentiality of communications.

At NTT, machine learning (ML) is promising for traffic analysis and botnet detection. However, when applying conventional techniques to real-world traffic, we faced the challenges of the sheer amount of input data and the wide variety of output features to represent global access patterns. To address the challenges, NTT has developed Piper, an ML pipeline that consolidates diversified ML applications efficiently. With proposed sampling techniques and global traffic features, Piper can process traffic data faster and detect malicious hosts more accurately.

At Orange, TI has become a major concern, necessary to protect the core network as well as enterprise and consumer markets. While big data offers major advances in this area, it also raises key issues regarding the ability to accurately contextualize and calculate the lifespan of threats for real-time detection. To cope with these issues, the Voodoo project proposes a novel hybrid approach that combines several techniques (fast-data analysis, machine/deep learning, expert system and reinforcement learning). Using historical and real-time threat data, Voodoo trains models that are used to track malicious activity and proactively discover malicious servers on the Internet. The hybrid AI then filters and produces valuable TI, which can be exported as a network indicator threat stream.

Details of new approaches are as follows.
-Exchange: Orange shares Voodoo’s malicious IP addresses with NTT.
-Enrich: After checking third-party reputations, NTT uses Piper to extract traffic-based behavioral features (e.g., bytes/packet) for the shared malicious IP addresses and sends the features back to Voodoo for enrichment.
-Predict: NTT uses Voodoo’s malicious IP addresses as labels and extracts traffic-based features to build a classifier and predict unknown IP addresses. After double-checking, NTT shares new malicious IP addresses back to Voodoo.

The feedback from NTT will be used by Voodoo to improve the models generated and the data produced through reinforcement learning, thus leading to a virtuous circle of collaboration.
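The Exchange / Enrich / Predict loop above, reduced to a runnable sketch. This is an added example, not Piper or Voodoo code: the flow records, the shared malicious IP list and the reputation-checked benign host are all constructed, and a nearest-centroid classifier over z-scored features stands in for whatever model the real pipelines use. The distance-ratio margin in `predict` is an assumed stand-in for the "double-checking" step before new indicators are shared back.

```python
"""Exchange / Enrich / Predict over constructed flow records (illustrative, not Piper/Voodoo)."""
from collections import defaultdict
import math

# Constructed flow records: (src_ip, dst_ip, packets, bytes). Not real traffic.
FLOWS = [
    # Hosts Voodoo shared as malicious: many short, small-packet flows from many peers
    ("10.0.0.1", "203.0.113.10", 4, 320), ("10.0.0.2", "203.0.113.10", 4, 300),
    ("10.0.0.3", "203.0.113.10", 5, 400), ("10.0.0.4", "203.0.113.10", 4, 310),
    ("10.0.1.1", "198.51.100.7", 3, 240), ("10.0.1.2", "198.51.100.7", 4, 330),
    ("10.0.1.3", "198.51.100.7", 4, 320),
    # Reputation-checked benign web server: few large flows with big packets
    ("10.0.0.1", "192.0.2.80", 40, 48000), ("10.0.0.2", "192.0.2.80", 55, 70000),
    ("10.0.0.3", "192.0.2.80", 38, 45000),
    # Unlabelled hosts the Predict step has to classify
    ("10.0.2.1", "203.0.113.99", 4, 300), ("10.0.2.2", "203.0.113.99", 4, 330),
    ("10.0.2.3", "203.0.113.99", 5, 390), ("10.0.2.4", "203.0.113.99", 4, 310),
    ("10.0.0.5", "192.0.2.25", 60, 75000), ("10.0.0.6", "192.0.2.25", 45, 52000),
]

SHARED_MALICIOUS = {"203.0.113.10", "198.51.100.7"}  # Exchange step: constructed Voodoo list
KNOWN_BENIGN = {"192.0.2.80"}                         # constructed third-party reputation result
FEATURE_NAMES = ("bytes_per_packet", "packets_per_flow", "distinct_peers")


def host_features(flows):
    """Aggregate per-destination-host behavioural features from flow records."""
    pkts, byts, nflows, peers = defaultdict(int), defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, p, b in flows:
        pkts[dst] += p
        byts[dst] += b
        nflows[dst] += 1
        peers[dst].add(src)
    return {h: (byts[h] / max(pkts[h], 1), pkts[h] / nflows[h], float(len(peers[h])))
            for h in pkts}


def enrich(features, shared):
    """Enrich step: feature vectors for shared IPs seen locally, to be sent back to Voodoo."""
    return {ip: dict(zip(FEATURE_NAMES, features[ip])) for ip in shared if ip in features}


def _zscore(features):
    """Standardise each feature column so byte counts and peer counts are comparable."""
    cols = list(zip(*features.values()))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return {h: tuple((x - m) / s for x, m, s in zip(v, means, stds)) for h, v in features.items()}


def _centroid(vectors):
    n = len(vectors)
    return tuple(sum(v[i] for v in vectors) / n for i in range(len(vectors[0])))


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def predict(features, malicious, benign, margin=0.5):
    """Predict step: nearest-centroid classification of unlabelled hosts.

    A host is reported as malicious only when it is clearly closer to the malicious
    centroid than to the benign one (distance ratio below `margin`); hosts that are
    not clearly on either side stay 'undetermined'. The margin is an assumed stand-in
    for the double-check before new IPs are shared back.
    """
    z = _zscore(features)
    mal_c = _centroid([z[h] for h in malicious if h in z])
    ben_c = _centroid([z[h] for h in benign if h in z])
    verdicts = {}
    for h, v in z.items():
        if h in malicious or h in benign:
            continue  # already labelled; nothing to predict
        dm, db = _dist(v, mal_c), _dist(v, ben_c)
        if dm < margin * db:
            verdicts[h] = "malicious"
        elif db < margin * dm:
            verdicts[h] = "benign"
        else:
            verdicts[h] = "undetermined"
    return verdicts


def new_indicators(verdicts):
    """IPs NTT would share back to Voodoo as newly detected malicious hosts."""
    return sorted(h for h, v in verdicts.items() if v == "malicious")


if __name__ == "__main__":
    feats = host_features(FLOWS)
    print("enrichment for shared IPs:", enrich(feats, SHARED_MALICIOUS))
    verdicts = predict(feats, SHARED_MALICIOUS, KNOWN_BENIGN)
    print("verdicts:", verdicts)
    print("share back:", new_indicators(verdicts))
```

With the constructed records, the unlabelled beacon-like host 203.0.113.99 lands next to the shared C2 hosts and is returned as a new indicator, while 192.0.2.25 sits with the known web server and is left out. The distinct-peer count is what distinguishes a server contacted by many infected clients from a server that merely uses small packets, which is why it is carried alongside bytes/packet.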

Attendees Will Learn:
Botnets have become a serious threat to the whole Internet. As a common goal, many network operators and ISPs have developed their own techniques to detect botnets. To comprehensively detect botnets, a collaborative approach to involve multiple network operators and ISPs is required. However, it is difficult to align with different types of techniques and intelligence among operators and ISPs. Existing collaborations are limited to information exchanges.

This presentation shares new approaches to cybersecurity collaborations with attendees. Through the collaborations, we hope attendees can unite to enrich and extend threat intelligence together for more comprehensive detection.

Speakers

Fabien Bignon

Research Engineer in Cybersecurity, Orange
Fabien Bignon works as an R&D engineer and security expert in the Security Department of Orange Labs in Normandy, France. After obtaining a master's degree in Bioinformatics, he joined Orange Labs in 2011. As a Research engineer, in the past years, he has mainly worked on Cyber Threat...

Bo Hu

Senior Research Engineer, NTT
Bo Hu received an M.S. in wireless network engineering from Osaka University in 2010 and joined NTT the same year. He has mainly been engaged in researching network security, machine learning, graph mining, and inter-cloud technology. He has developed a machine learning pipeline for...

Karel Mittig

Research Engineer, Orange
Karel Mittig works as an R&D engineer and security expert in the Security Department of Orange Labs in Normandy, France. After obtaining a master's degree in computer science from the University Pierre et Marie Curie in Paris, he joined Orange R&D in 2000, where he has worked on and...



Thursday January 13, 2022 3:00pm - 3:30pm EST

3:30pm EST

Conference Close



Speakers

Joshua Fallon

Network Defense Analyst, CERT Division - SEI/CMU
Dr. Joshua Fallon is the FloCon 2022 chair. He is a network defense analyst with the CERT Situational Awareness team, where he participates in analysis of network security and resilience and supports the development of tools and methods for network security analysts and trains analysts...


Thursday January 13, 2022 3:30pm - 3:45pm EST