FloCon 2020 has ended


Sunday, January 5
 

5:00pm EST

Early Registration "Regiception"
Join us for this unique registration/reception combo to get you in the FloCon spirit. Get your name badge, meet our helpful staff and introduce yourself to the new faces you'll be learning alongside for the next three days. Light refreshments will be provided.

Sunday January 5, 2020 5:00pm - 7:00pm EST
Regency Ballroom Foyer

5:00pm EST

Registration
Registration will be open on Sunday from 5:00pm to 7:00pm for anyone who arrives the night before the Training Sessions begin.

Sunday January 5, 2020 5:00pm - 7:00pm EST
Regency Ballroom Foyer
 
Monday, January 6
 

7:00am EST

Breakfast
Monday January 6, 2020 7:00am - 8:30am EST
Regency Ballroom B-C

7:00am EST

Registration
Monday January 6, 2020 7:00am - 7:00pm EST
Regency Ballroom Foyer

8:30am EST

Track I Morning Session - Introduction to Data Science for Cybersecurity: Concepts
This course provides an accessible introduction to foundational data science concepts, terminology, and approaches using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. Although widespread applications of data science in network security are relatively recent, data science has roots going back decades. Due to its depth and technical complexity, data science is often considered to be indistinguishable from magic. This course is intended to break the illusion and help attendees harness the true power of data science to defend networked systems.
The morning session will answer important questions, including:
  • Are data science and machine learning truly different from artificial intelligence?
  • Is this product really using machine learning or just faking it?
  • I have a data science model, now what do I do?
  • How can I tell timeseries and graph data apart?
  • What makes “deep” learning different from other approaches?

Intended Audience: Practitioners, managers, and/or executives who are curious to strengthen their understanding of data science concepts and techniques in an accessible, introductory setting. There are no prerequisites for this course; however, an understanding of math, statistics, and coding is helpful.

Speakers

Andrew Fast
Chief Data Scientist, CounterFlow AI, Inc
Andrew Fast is the Chief Data Scientist and co-founder of CounterFlow AI, where he leads the implementation of streaming machine learning algorithms on CounterFlow AI's ThreatEye cloud-native analytics platform for Encrypted Traffic Analysis. Previously, Dr. Fast served as the Chief...

Don Rude
Principal Data Scientist, CounterFlow AI, Inc
Don Rude brings an extensive background in machine learning, computer science, network management, and software engineering to CounterFlow AI. Mr. Rude has over 20 years of hands-on software development experience across a variety of industries, research areas, and both local and...


Monday January 6, 2020 8:30am - 12:00pm EST
Regency A

8:30am EST

Track II Morning Session - AI is not Magic
AI has infused the network security landscape, fundamentally changing how network security is practiced. This course is intended to help managers and decision makers understand this new reality. We will cover a number of topics relevant to organizational leaders, including:
  • How AI provides value to the field of network security
  • Differentiating between AI-enabled capability and traditional security tools (many of which still work great!)
  • Understanding fundamental AI limitations
  • How to effectively build, manage, and succeed with an integrated data science / network security team
The morning session will focus on understanding AI capability.

Intended Audience: This course is targeted for cyber analysts who are interested in transitioning from analysis to data science at a level that should not require any statistical or machine learning background. The goal is to introduce foundational data science concepts and prepare attendees to scope a new AI/ML project. Managers or individuals planning to fund such a project will gain practical insight into the difference in organizing a data science project.

Speakers

Eliezer Kanal
Technical Manager, CERT Division - Software Engineering Institute
Eliezer Kanal is a technical manager at CERT who focuses on applying machine learning techniques to the cybersecurity domain. His team contributed to a wide variety of projects, including statistical visualization tools to assist with malware reverse engineering, metrics for the efficacy...

Lena Pons
Machine Learning Research Scientist, CERT Division - Software Engineering Institute
Lena Pons is a Machine Learning Research Scientist in the CERT division of the Software Engineering Institute, where she uses computational linguistics and natural language processing techniques to aid analysts in cybersecurity incident response. Lena earned her MA in Computer Science...



Monday January 6, 2020 8:30am - 12:00pm EST
Regency D-F

12:00pm EST

Lunch
Monday January 6, 2020 12:00pm - 1:00pm EST
Regency Ballroom B-C

1:00pm EST

Track I Afternoon Session - Introduction to Data Science for Cybersecurity: Techniques
This course provides an accessible introduction to foundational data science techniques and algorithms using cybersecurity examples and use cases. Data science is rapidly becoming an integral part of the network security industry. Although widespread applications of data science in network security are relatively recent, data science has roots going back decades. Due to its depth and technical complexity, data science is often considered to be indistinguishable from magic. This course is intended to demystify data science and show how specific data science techniques can be applied to network data.
The afternoon session answers important questions including:
  • What is data science, anyways? (short version)
  • I don’t have enough data. What do I do? Or worse, I have too much data! What do I do?
  • Too many algorithms, which one do I choose (if any)?
  • I managed to choose an algorithm; now how do I make it work?
  • I (finally) got a model, did I do it right?

Intended Audience: Practitioners, managers, and/or executives who are curious to strengthen their understanding of data science concepts and techniques in an accessible, introductory setting. Experience with applied math, statistics, and/or coding is beneficial, but not required.

Speakers

Andrew Fast
Chief Data Scientist, CounterFlow AI, Inc
Andrew Fast is the Chief Data Scientist and co-founder of CounterFlow AI, where he leads the implementation of streaming machine learning algorithms on CounterFlow AI's ThreatEye cloud-native analytics platform for Encrypted Traffic Analysis. Previously, Dr. Fast served as the Chief...

Don Rude
Principal Data Scientist, CounterFlow AI, Inc
Don Rude brings an extensive background in machine learning, computer science, network management, and software engineering to CounterFlow AI. Mr. Rude has over 20 years of hands-on software development experience across a variety of industries, research areas, and both local and...


Monday January 6, 2020 1:00pm - 4:30pm EST
Regency A

1:00pm EST

Track II Afternoon Session - AI is not Magic
AI has infused the network security landscape, fundamentally changing how network security is practiced. This course is intended to help managers and decision makers understand this new reality. We will cover a number of topics relevant to organizational leaders, including:
  • How AI provides value to the field of network security
  • Differentiating between AI-enabled capability and traditional security tools (many of which still work great!)
  • Understanding fundamental AI limitations
  • How to effectively build, manage, and succeed with an integrated data science / network security team
The afternoon session will dive into team-building and management.

Intended Audience: This course is targeted for cyber analysts who are interested in transitioning from analysis to data science at a level that should not require any statistical or machine learning background. The goal is to introduce foundational data science concepts and prepare attendees to scope a new AI/ML project. Managers or individuals planning to fund such a project will gain practical insight into the difference in organizing a data science project.

Speakers

Eliezer Kanal
Technical Manager, CERT Division - Software Engineering Institute
Eliezer Kanal is a technical manager at CERT who focuses on applying machine learning techniques to the cybersecurity domain. His team contributed to a wide variety of projects, including statistical visualization tools to assist with malware reverse engineering, metrics for the efficacy...

Lena Pons
Machine Learning Research Scientist, CERT Division - Software Engineering Institute
Lena Pons is a Machine Learning Research Scientist in the CERT division of the Software Engineering Institute, where she uses computational linguistics and natural language processing techniques to aid analysts in cybersecurity incident response. Lena earned her MA in Computer Science...



Monday January 6, 2020 1:00pm - 4:30pm EST
Regency D-F

6:30pm EST

Welcome Reception
Join us for food and refreshments during our Welcome Reception. Meet fellow attendees and speakers, while enjoying some fun activities.

Sponsors

NetQuest Corporation
Since its inception in 1987, NetQuest Corporation has provided innovative signals intelligence (SIGINT) and network monitoring solutions to customers around the world. Today, NetQuest is a proven leader in the cyber intelligence community. The company’s product history in monitoring...


Monday January 6, 2020 6:30pm - 8:30pm EST
East Harborside Ballroom
 
Tuesday, January 7
 

7:00am EST

Breakfast
Tuesday January 7, 2020 7:00am - 8:30am EST
East Harborside Ballroom

7:00am EST

Registration
Tuesday January 7, 2020 7:00am - 4:30pm EST
Regency Ballroom Foyer

8:30am EST

Conference Introduction
Conference chair Timur Snoke welcomes FloCon 2020 attendees and opens the conference with Savannah writer Jessica Leigh Lebos.


Speakers

Timur Snoke
Sr. Network Defense Analyst, CERT Division - Software Engineering Institute
Timur Snoke is a member of the technical staff and the Situational Awareness team in SEI’s Monitoring and Response Directorate. His primary focus is identifying gaps in network security capabilities to support the research and development of new sources and methods for network...

Jessica Leigh Lebos
Author
Jessica Leigh Lebos has been writing about interesting people, vexing issues and majestic places for over 25 years. She is the author of Savannah Sideways: A Collection of Observations and has won some fancy awards, including First Prize for Humor from the National Society of Newspaper...


Tuesday January 7, 2020 8:30am - 9:00am EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

9:00am EST

SysFlow: Scalable System Telemetry for Improved Security Analytics
In this talk, we introduce SysFlow as a new data representation for system behavior introspection for scalable security, compliance, and performance analytics. SysFlow is a compact open data format that lifts the representation of system activities into a flow-centric, object-relational mapping that records how applications interact with their environment—analogous to how NetFlow summarizes network communications. However, unlike NetFlow, which only captures network interactions, SysFlow connects network behaviors to processes and file access information, providing a richer context for analysis. This additional context facilitates deeper introspection into attack kill chains, resulting in analyses that yield lower false positives, and higher detection rates than traditional network-based approaches. SysFlow supports single-event and volumetric flow representations of process control flows, file interactions, and network communications. The new telemetry format drastically reduces storage requirements as compared to existing system telemetry sources, thereby enabling feature-filled analytics, process-level provenance tracking, and long-term data archival for threat hunting and forensics.

We present a new open-source telemetry pipeline built atop SysFlow. The pipeline provides a set of reusable components and APIs that enable easy deployment of telemetry probes for bare-host and container workload monitoring, as well as the export of SysFlow records to S3-compliant object stores feeding into distributed security analytics jobs based on Apache Spark. Specifically, the analytics framework provides an extensible policy engine that ingests customizable security policies described in a declarative input language, providing facilities for defining higher-order logic expressions that are checked against SysFlow records. This allows practitioners to easily define security and compliance policies that can be deployed on a scalable, out-of-the-box analysis toolchain while supporting extensible programmatic APIs for the implementation of custom analytics algorithms. As a result, the pipeline enables researchers and analysts to redirect their efforts to developing and sharing analytics, rather than building support infrastructure for telemetry.

The SysFlow probe has been optimized to incur minimal performance overheads and does not require program instrumentation or system call interposition for data collection, therefore having negligible impact on monitored workloads. The implementation has been validated under multiple stress test profiles. We will demonstrate use cases for the identification of advanced and persistent threats, security vulnerabilities, performance bottlenecks, and service outages.

Attendees will Learn:
  • Design principles and architectural insights influencing the SysFlow telemetry pipeline implementation;
  • How to deploy and instantiate the SysFlow pipeline in container cloud environments;
  • How to use the new telemetry pipeline to (a) create security policies for container integrity analytics and (b) write custom algorithms atop the analytics framework to identify malicious behaviors in containers.

Speakers

Frederico Araujo
Senior Research Scientist, IBM
Dr. Frederico Araujo is a Senior Research Scientist at IBM Research, where he leads the team's efforts on cloud-native security and endpoint security. He's an avid contributor to open source and a maintainer of the SysFlow and CNCF's Falco projects. His work has been featured in top...

Teryl Taylor
Research Staff Member, IBM Research
Dr. Teryl Taylor is a Research Staff Member in the Cognitive Cybersecurity Intelligence Group at IBM Research. He has ten years of experience in cybersecurity related research, including NetFlow based analytics, system telemetry and analytics, security visualization and cyber deception...



Tuesday January 7, 2020 9:00am - 9:30am EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

9:30am EST

Data Driven Challenges
Speakers

Timothy Shimeall
Senior Member of the Technical Staff, CERT Division - SEI/CMU
The only person to make 15 consecutive appearances at FloCon, Tim Shimeall is a Senior Situational Awareness Analyst of the CERT Program at the Software Engineering Institute (SEI). Shimeall is responsible for the development of methods to support decision making in security at and...



Tuesday January 7, 2020 9:30am - 10:00am EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

10:00am EST

Bayes at 10+ Gbps: Identifying Malicious and Vulnerable Processes from Passive Traffic Fingerprinting
As network monitoring techniques have evolved in response to the rise of encrypted traffic, protocol fingerprinting has become an essential component of network defense. While exact-match fingerprinting of TLS clients is now widespread, it is too imprecise to use for process identification. To more reliably determine the process associated with a session, we applied inferencing based on naïve Bayes to fingerprints and destination information, using equivalence classes of destinations derived from auxiliary data. Our implementation of the packet capture and inferencing uses Linux TPACKETv3 and can identify processes on 10+ Gbps enterprise internet connections. This system detects many interesting categories of processes, including malware, evasive applications, scanners, and obsolete and vulnerable software. As it is based on an interpretable machine learning model, its findings are readily understandable and it can adapt to different prior probabilities. In this presentation, we describe our inferencing system and its implementation, our results in applying it to real-world traffic, and open issues in this technology area. We also review the data and open source software that we published to demonstrate this capability.

Attendees Will Learn:
Attendees will learn about the prevalence of encrypted traffic, the problems with simplistic exact-match TLS fingerprinting, and the benefits of inferencing on fingerprints plus destination information. They will also learn about our open source software and data.

Speakers

David McGrew
Fellow, Cisco Systems
David works in cybersecurity research and development and applied cryptography. He designed authenticated encryption and encrypted voice and video communications standards that are in widespread use, championed open and patent-free cryptography, and pioneered the commercial use of...



Tuesday January 7, 2020 10:00am - 10:30am EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

10:30am EST

Morning Break
Tuesday January 7, 2020 10:30am - 11:00am EST
Scarbrough Ballroom

11:00am EST

Keynote
Speakers

Dhia Mahjoub
Head of Security Research, Cisco Umbrella
Dhia Mahjoub is the Head of Security Research at Cisco Umbrella. He started in cybersecurity in the late 1990s, writing sniffers and port scanners in C and experimenting in his lab with hacking tools from insecure.org. He earned an engineering degree in Computer Science and Networking...


Tuesday January 7, 2020 11:00am - 12:00pm EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

12:00pm EST

Lunch
Tuesday January 7, 2020 12:00pm - 1:00pm EST
East Harborside Ballroom

1:00pm EST

Cyber Analyst Data Fusion Dreams Do Come True
This panel will discuss the practical yet awesome possibilities for data fusion when analysts synthesize historically-divergent data sets (such as flow data and threat intelligence data) in the operational context. This type of data fusion potentially affects the whole spectrum of cyber analysts: incident responders, threat hunters, threat intelligence analysts, risk analysts, etc. We will discuss how this data fusion can influence intelligence sharing activities, disrupt the dreaded analyst fatigue, and inform intelligence/data disposition strategies. Participants will learn about threat + flow modeling techniques and SOPs that they can explore back home in their operational contexts.

Moderators

Katie Kusjanovic
Her primary roles include conducting demonstrations of Threat Intelligence Platform and Intelligence Feed technologies and supporting customers with their operational and analytic needs. Her career covers incident response and cyber security engineering. She has a bachelor’s degree...

Speakers

Terry Brugger
Founder, BuboWerks
S. Terry Brugger, PhD, did his undergrad at Purdue where he first got bitten by the security bug. He went on to Lawrence Livermore National Lab where his work became increasingly security focused. Concurrently, he worked on his dissertation at UC Davis, first on “Data Mining for...

Jeffrey Chrabaszcz
Data Science Lead, Govini
Jeffrey Chrabaszcz is the Data Science Lead at Govini, a data and analytics firm dedicated to transforming the business of national security through data science and machine learning. Dr. Chrabaszcz and his team help Govini deliver objective, decision-grade information at scale to...

Lena Pons
Machine Learning Research Scientist, CERT Division - Software Engineering Institute
Lena Pons is a Machine Learning Research Scientist in the CERT division of the Software Engineering Institute, where she uses computational linguistics and natural language processing techniques to aid analysts in cybersecurity incident response. Lena earned her MA in Computer Science...

Jonathan "Jono" Spring
Senior Vulnerability Researcher, Carnegie Mellon University Software Engineering Institute
Dr. Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute at Carnegie Mellon University. He began working at CERT in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School of Information...


Tuesday January 7, 2020 1:00pm - 2:00pm EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

2:00pm EST

Afternoon Break
Tuesday January 7, 2020 2:00pm - 2:30pm EST
Scarbrough Ballroom

2:30pm EST

Less is More with Intelligent Packet Capture
Human-driven network forensics activities (such as threat hunting and incident response) focus on identifying the source of potential network threats or other problem incidents. Analysts must sift through large amounts of network data to find forensically relevant events. Full packet payloads (called packet capture, or PCAP) have long been considered as the gold standard of forensic evidence. While full packet capture does contain all relevant forensic information, capturing and storing every packet for an extended time period is often prohibitively expensive and inefficient to analyze in bulk.

Because of these shortcomings, network analysts often turn away from full packet capture to alternative forms of forensic data. Popular alternatives include NetFlow, extended (augmented) flow, and application metadata (DPI). These alternatives provide forensic value and use significantly less disk space than full packet capture, but lack the complete packet payloads needed to fully confirm the presence of malicious activity on the network. This trade-off between the forensic value of data and the size and cost of storing it has caused analysts to seek an optimized balance between full packet payloads and other forms of forensic data.

We describe a machine learning (ML) driven approach to this storage dilemma that uses open-source tools that provide what we call intelligent packet capture. Intelligent packet capture combines incremental flow updates, streaming machine learning, and threat intelligence to classify flows and predict which packets are likely to be interesting to network analysts. Selected packets are saved to disk and combined with augmented flow meta data. This provides the best of both worlds: fewer storage demands with more forensically relevant data.

Attendees Will Learn:
Attendees will learn to build and deploy a cost-effective network forensics solution with open source tools like Argus and Dragonfly Machine Learning Engine. They will also learn how to operationalize threat intelligence feeds and apply machine learning to large-scale flow analysis.

Speakers

Randy Caldejon
CTO & Co-Founder, CounterFlow AI, Inc.
As CTO of CounterFlow AI, Randy Caldejon leads the company's innovation and product development. Prior to CounterFlow, Randy was the CTO of Enterprise Forensics at FireEye. He is a widely-respected authority in network security monitoring and sensor technology. A military veteran...



Tuesday January 7, 2020 2:30pm - 3:00pm EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

3:00pm EST

Alchemy: Stochastic Data Augmentation for Malicious Network Traffic Detection
Malware and botnets are abused for various types of cyber-crime such as data exfiltration, distributed denial of service (DDoS), and recently data ransom. Existing signature-based network security techniques are designed to detect pre-defined and rule-based traffic patterns. However, due to the continuous evolution of malware and botnets, these techniques have trouble defending against the increasing types and volumes of these threats. Machine learning has become a promising alternative approach to network security. Many previous studies have aggregated traffic data into groups by hosts or flows for generating features and training detection models.

However, two problems degrade detection performance. One is the scarcity of training sets due to the rarity of new types of malicious traffic. The other is variations in feature values generated from incomplete data due to the limited amount of observed traffic. Existing solutions aim to increase data to enhance the robustness of detection models against these problems. Unfortunately, the regenerated feature vectors may not represent the nature of traffic well enough, since most of these solutions regenerate synthetic feature vectors only on the basis of existing feature vectors without considering the real distribution of raw traffic.

In this talk, we introduce a stochastic method called Alchemy that regenerates a set of feature vectors by randomly resampling the raw traffic data of each bag into several subsets. Alchemy can increase training sets and robustly represent raw traffic to correct the influence of variations in feature vectors, regardless of types of traffic data and classifiers. We evaluated Alchemy with real-world traffic data of network flows, passive DNS records, and HTTP logs, and demonstrated that it improves detection performance of various classifiers more effectively than the conventional methods in all three types of traffic data.

Attendees Will Learn:
Applying machine learning to network traffic analysis is a promising approach to enhance cybersecurity. In this talk, attendees will gain basic knowledge of how to build machine learning-based detection models with different types of network traffic data (e.g., NetFlow, passive DNS records and HTTP proxy logs) and features. Attendees will also learn how to build more accurate models with less labeled traffic data, which is a common problem in many universities and enterprises that do not have enough positive (malicious) training sets. This method can be used as an add-on application to existing detection models and can help operators to quickly start building their initial machine learning models.

Speakers

Bo Hu
Senior Research Engineer, NTT
Bo Hu received an M.S. in wireless network engineering from Osaka University in 2010 and joined NTT the same year. He has mainly been engaged in researching network security, machine learning, graph mining, and inter-cloud technology. He has developed a machine learning pipeline for...



Tuesday January 7, 2020 3:00pm - 3:30pm EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

3:30pm EST

Comcast Security Analytics Platform
As new threats and attacks emerge, and the volume of data grows, so does the complexity of data.

The regular Security Information and Event Management (SIEM) system, while great at quickly searching through the data and making basic correlations, is not built for adding customizable, machine learning-enabled analytics. The Comcast cybersecurity threat analytics team is developing solutions that make use of various security tools and the SIEM, supplementing and extending them with a data lake.

Comcast processes terabytes of security-related logs every day, from many different tools and in many different formats. In addition, it uses lookup data sources such as Active Directory and asset databases. To use all of this data for large-scale security analysis and modeling, we process these logs and lookup data with ETL processes using Apache Spark jobs.

In this talk, we explore the design and architecture of our threat analytics system. We describe how we use large-scale data platforms in Apache Spark/S3 and Airflow to manage complex ETL pipelines and orchestrate various workflows. We also present how we will develop analytical and ML pipelines and modules to detect cyber threats. We discuss how Comcast enables the review of model output using notebooks and dashboards. Notebooks allow for initial model output evaluation. Dashboards are used for the later rounds where we improve on visualization, enhance the data with additional details, and expand the number of people reviewing the results.

Attendees Will Learn:
Listeners will learn practical ways to process large-scale security-related data and analyze it using cloud based infrastructure.

Speakers

Gary Gabriel
Principal Security Developer, Comcast
Gary Gabriel is a Principal Security Developer at Comcast. As a member of the Security Analytics and Data Science team, Gary contributes to the design and development of the security analytics platform, as well as development of models used to detect threats in the Comcast enterprise...

Mason Cheng
Cyber-Security Data Science Lead, Comcast
Mason Cheng is a Principal Data Scientist at Comcast.



Tuesday January 7, 2020 3:30pm - 4:00pm EST
Regency Ballroom, Hyatt Regency Savannah, 2 W. Bay Street, Savannah, GA 31401

6:30pm EST

Off-Site Networking Reception
Join us for our Off-Site Networking Reception at the Moon River Brewing Company. Conference badge will be required for admittance.

Sponsors

NetQuest Corporation
Since its inception in 1987, NetQuest Corporation has provided innovative signals intelligence (SIGINT) and network monitoring solutions to customers around the world. Today, NetQuest is a proven leader in the cyber intelligence community. The company’s product history in monitoring...


Tuesday January 7, 2020 6:30pm - 8:30pm EST
Moon River Brewing Company, 21 W. Bay St, Savannah, GA 31401
 
Wednesday, January 8
 

7:00am EST

Breakfast
Wednesday January 8, 2020 7:00am - 8:30am EST
East Harborside Ballroom

7:00am EST

Registration
Wednesday January 8, 2020 7:00am - 4:30pm EST
Regency Ballroom Foyer

8:30am EST

The Long & Winding Road to “Production-Worthy”
Fraudulent domains are malicious domains posing as well-known services or websites. They are used by criminal and APT groups to target victims. As a result, identifying them is of particular interest to government agencies seeking to defend their networks against such attacks. This talk will detail several lessons learned from building and iterating on a production-deployed network defense analytic designed to identify these domains. Our initial analytic was a heuristic-based approach that focused on a relatively simple hypothesis. It performed well in operational testing with respect to false positives. However, this initial version had a substantial false negative problem that subsequently drove our development efforts for the next iteration. To develop our next version, we extended our heuristic approach and incorporated a machine learning model. Experimental testing led us to incorporate the machine learning model in a different way than initially planned, highlighting the classic balance between false negative coverage and false positives. The use of a machine learning model proved to be very valuable to strengthen the analytic and validate the hypothesis used for our heuristic approach. Although we were happy with the experimental results of the second version, we now had a false positive problem. Further complicating the matter, our analytic also had relatively serious computational shortcomings that did not allow it to keep up with the throughput of data. While we were able to develop a strategy for false positives, extensive profiling of our analytic code pointed to computational problems in our machine learning model that would be non-trivial to solve. We attempted several changes with our model but were ultimately forced to return to the drawing board and implement an entirely new model.
This talk will outline key themes related to developing a “production-worthy” analytic: expanding the scope to solve the operational problem, balancing false negatives and false positives, incorporating software and systems engineering concerns, and measuring performance from several perspectives. We will discuss the specific tools and techniques that we used to overcome the various challenges we faced, and impart the lessons we have learned on our long and winding road to version 3.0 of our fraudulent domain analytic.

Attendees Will Learn:
Attendees will learn valuable skills for how to test their analytics from different perspectives. From an operational perspective, we will discuss how to evaluate analytics for coverage of the problem and false positives. We will detail different approaches for how to overcome challenges on either side of the spectrum. From a software perspective, we will discuss how to use code profiling tools to determine the computational performance of analytics. We provide specific examples of how the use of these tools can improve the quality of an analytic and allow a developer to move closer to “production ready.”

Speakers
Emily Heath

Capability Area Lead, The MITRE Corporation
Emily Heath is the Capability Area Lead for Cyber Data Analytics and Malware in the Defensive Operations Department at the MITRE Corporation. Her work focuses on the application of machine learning, analytics, and optimization approaches to problems in cybersecurity, ranging from...



Wednesday January 8, 2020 8:30am - 9:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

9:00am EST

A Practical Decision Framework for Implementing Evasion-Resilient Host-Based Analytics
Any organization that needs to sustain and improve its defensive cybersecurity posture must be able to implement the optimal set of security analytics. Recent advances in the fields of artificial intelligence (AI) and machine learning (ML) increase the incentive to implement predictive analytics that take advantage of these underlying technologies. Instead of building heuristic analytics that aim to match through static queries and signatures, ML models are applied to defensive cybersecurity to capture and generalize the underlying characteristics of malevolent behavior, such that they can protect from new and slightly modified threats. However, since there is no standard approach for implementing ML analytics in the cybersecurity domain, applying ML analytics without the underlying required components can easily waste much organizational effort.

Using examples from MITRE’s ATT&CK™ model, the speakers present a novel framework to help organizations decide whether the detection of a malevolent technique is best suited with a simple static heuristic analytic or a ML security analytic. The discussion, which focuses on host-based detection, includes the critical underlying decision points and the tradeoffs that should be considered to influence the overall decision. The framework is broken down into components that include data, analytic evasion, and the organization itself. Considering that data is a critical component of predictive ML models, and that sufficient data collection and labeling continues to be a challenge, the speakers provide a deep dive into this area with discussion on host-based data sources. Even if the right data is being collected, it is rarely labeled, limiting the application of supervised ML models. While Windows Security events and Sysmon event data are typically collected for host-based detection, process monitoring data can be efficiently consolidated and processed on the endpoint before being ingested into a big data platform for translation into ML-ready format. The proposed framework will provide security analytic developers a structured means to implement analytics to better secure and defend an enterprise network.

Attendees Will Learn:
This talk will provide attendees with a practical framework that can be applied to determine whether a simple heuristic analytic or a machine learning (ML) analytic is the best choice for detecting a certain malevolent technique. In addition, the speakers will provide a deep-dive into host-based data sources focusing on the features available for training ML models. Security operations personnel will benefit from a repeatable decision framework to improve the analytic implementation process, without the need for a background in the data science field.

Speakers
Joe Mikhail

Technical Staff, The MITRE Corporation
Joe Mikhail is a member of the technical staff at The MITRE Corporation, where his work currently focuses on implementing cybersecurity analytics to detect behaviors based on the MITRE ATT&CK™ framework. His recent journal article in ACM Transactions on Intelligent Systems and Technology...
Brandon Werner

Cybersecurity Engineer, The MITRE Corporation
Brandon Werner is a Cybersecurity Engineer at The MITRE Corporation who applies his data science background to solve various problems in the cybersecurity domain. Brandon is interested in the use of machine learning (ML) to automate cybersecurity tasks, such as intrusion detection...



Wednesday January 8, 2020 9:00am - 9:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

9:30am EST

A Structural Approach to Modeling Encrypted Connections
To weary network users, encryption provides privacy for data in transit. To network operators and security analysts, encryption hinders visibility. Breaking encryption and inspecting content can be costly and error prone.

By analyzing the lengths and ordering of encrypted data exchanged throughout a connection (i.e., signals that don't require breaking encryption), network monitoring systems can infer protocol state without parsing the content of the connection. By modeling a protocol's state transitions and overlaying that model on a connection's sequence of lengths (SOL), inferences can be made about how the protocol is being used. This provides a sort of compromise between privacy and visibility.

This presentation will explore how the concept of SOL can be applied to model encrypted protocols, including the SSH, SSL, and RDP protocols.

Attendees Will Learn:
Attendees will gain insights into a proven and scalable method for analyzing encrypted flows without breaking and inspecting their contents.

This talk is meant to expand the audience's understanding of techniques for summarizing network connections and approaches to encrypted traffic analysis. The mechanism of the SSH, SSL, and RDP protocols will be explored using both techniques.

Speakers
Anthony K

Technical Director, Corelight, Inc.
Anthony Kasza is a Technical Director for Corelight. At Corelight, Anthony is responsible for developing prototypes that provide insights into network activity. Prior to working at Corelight, Anthony was responsible for discovering new and tracking known threats, creating scalable...



Wednesday January 8, 2020 9:30am - 10:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

10:00am EST

Automating Reasoning with ATT&CK?
MITRE's ATT&CK framework is popular among computer network defense (CND) practitioners. One goal of ATT&CK is to enumerate adversary tactics and organize them under different strategies. This organization enables defenders to label observed adversary activity with tactics, then heuristically hypothesize what other adversary behaviors are likely, based on how that tactic is related to others in the framework. We evaluated how useful this approach would be. Our evaluation is based on measuring correlation and predictiveness among tactics in case studies curated by MITRE and labeled with ATT&CK tactics. We could not find any reliable relationships between tactics or strategies. We believe this is because the ATT&CK framework removed the structure provided by the diamond model. We will explain why model structure is important and what we might gain by restructuring ATT&CK to better capture temporal and structural relationships.

Contributor Unable to Attend:
Rawan Al-Shaer is a double major in Computer Science, Cybersecurity and Mathematics, Statistics at the University of North Carolina at Charlotte. Her main research interest is statistical machine learning for cybersecurity for adversarial behavioral characterization.

Speakers
Jonathan "Jono" Spring

Senior Vulnerability Researcher, Carnegie Mellon University Software Engineering Institute
Dr. Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute at Carnegie Mellon University. He began working at CERT in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School of Information...



Wednesday January 8, 2020 10:00am - 10:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

10:30am EST

Morning Break
Wednesday January 8, 2020 10:30am - 11:00am EST
Scarbrough Ballroom

11:00am EST

Keynote
Speakers
Ryan Kovar

Principal Security Strategist, Splunk
Ryan Kovar, with over 20 years of experience cybering, has done everything from pulling miles of CAT5 cable on an aircraft carrier to learning that he didn't want to be a malware RE. Most recently, he worked at the Defense Advanced Research Projects Agency (DARPA) on a team dedicated...


Wednesday January 8, 2020 11:00am - 12:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

12:00pm EST

Lunch
Wednesday January 8, 2020 12:00pm - 1:30pm EST
East Harborside Ballroom

12:30pm EST

Lunch Time Table Talk: Get Beyond Alerts - Maximizing Network Defense w/Suricata, Session 1
Securing a network often begins with the ability to generate alerts when malicious or non-standard network traffic is observed. This is routinely accomplished through intrusion detection and prevention systems (IDPS), such as Suricata. Unfortunately, an alert only provides a narrow view into a possible incident. Data surrounding an alert also needs to be available to help analysts build context before and after an alert. Context enables an organization to understand the threats it faces and gives it the ability to respond to incidents quickly and more effectively. To complicate network defense further, not all malicious traffic will generate an alert when it encounters an IDPS. Analysts need to look for anomalies in network traffic to identify malicious or suspicious patterns through a process commonly referred to as threat hunting.

While many know Suricata as an IDPS, it can provide much more visibility than just alerts. From protocol-specific logs to full-packet-capture, Suricata can generate the data needed for a comprehensive view into an organization’s network.

In this talk, you will learn how to use Suricata to generate alerts, produce protocol-specific logs, and identify malicious and anomalous activity in your network traffic. Attendees will leave this discussion with a better understanding of what is required for comprehensive network security monitoring and how Suricata can maximize their coverage.

This is the first day of a two-day session.

Intended Audience: This is an ideal talk for security analysts, blue teamers, and malware researchers to learn how Suricata can provide visibility beyond an alert.

Speakers
Josh Stroschein

Director of Training, Open Information Security Foundation - OISF
Josh is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is the Director of Training for the Open Information Security Foundation (OISF), where he leads all training activity for the foundation and is also responsible for academic outreach...


Wednesday January 8, 2020 12:30pm - 1:00pm EST
Verelst/Percival

1:30pm EST

Mobile Users’ Susceptibility to Phishing Attacks
Mobile device technology is one of the fastest growing, most widely used sectors of the diversifying technology market. Mobile devices are increasingly used to exchange personal information (e.g., mobile banking, email, chatting, and shopping), which creates a potential information security threat. While individual behaviors affect this vulnerability to security threats, more research needs to be done on what constitutes and influences threat avoidance behaviors. This study assessed factors that influenced threat avoidance behaviors of mobile device users related to phishing attacks. It tests the hypothesis that mobile device users’ perception of threat can reduce their susceptibility to phishing attacks. The study demonstrates that mobile device users feel threatened if they perceive that the severity of an attack will affect them; this in turn affects their motivation to avoid phishing attacks. Consumer perceptions of threat increased if they perceived that the consequences of the threat to their mobile device would be severe.

Attendees Will Learn:
Attendees will learn how user behavior impacts the phishing landscape and how their perception of threats affects their motivation to avoid phishing attack threats. Identifying this behavior can help to mitigate phishing attacks on mobile device users, thereby improving security operations.

Speakers
Ley Sylvester

Senior Oracle Database Administrator, Blackbaud
Ley Sylvester is a Senior Oracle Database Administrator at Blackbaud, where she implements the database lifecycle (including database security) and shares her knowledge of good security practices. Before working at Blackbaud, Ley worked in various business verticals (including food...



Wednesday January 8, 2020 1:30pm - 2:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

2:00pm EST

How to Use Machine Learning for a Phishing Incident Response
Phishing is one of the most popular and prolific attacks that organizations face today. Security Operations Center (SOC) teams spend a huge chunk of their time investigating suspicious emails to determine if they are legitimate phishing attempts.

In this talk, we will share observations accumulated from building a machine learning (ML) classifier for detecting phishing emails, based on the analysis of over 200K suspicious emails gathered from top-tier SOC teams around the world.

As part of the discussion, we will cover how various SOC teams handle their phishing investigations. We will describe the processes they employ as part of the phishing investigation and what they can, and cannot, automate out of those processes. We will also share real-world metrics for the time spent on various stages of the investigation process.

Next, we will cover an introduction to Supervised Machine Learning and the advances made in the field of text classification, especially around the supporting open source libraries. We will explain how we collected the dataset used in our research and describe what is unique about that dataset. We will touch upon the explainability technique for the model decision and its importance to the security analyst.

Lastly, there will be a deep dive into the ML development process in building a phishing classifier. We will elaborate on each of the following steps, explaining the obstacles encountered and their workarounds:
1. Problem definition
2. Data
3. Evaluation
4. Features
5. Model
6. Experimentation

Attendees will learn how to build their own phishing email classifier based on their email datasets, observe a model in action, and see how the model numbers net out in real-world SOC deployments.

Session outline:
Introduction to phishing incidents and response processes at SOC teams
Phishing problem definition
Datasets used
Process followed to build the model
Model deployment
Q&A

Attendees Will Learn:
  • How SOC teams handle phishing investigations internally today.
  • How Machine Learning can be applied to accelerate phishing incident response
  • How the ML model can be adapted to different security incident environments.
  • How ML classifiers are a powerful tool in decision making for security.

Speakers
Erez Harush

Data Scientist, Palo Alto Networks
Erez Harush is a Data Scientist at Palo Alto Networks. His career began in the Israeli Defense Forces, “Unit 8200” - an elite military technology unit that has become an incubator for Israel’s renowned high-tech sector. He served in “Unit 8200” for six years, researching...



Wednesday January 8, 2020 2:00pm - 2:30pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

2:30pm EST

Methods for Testing and Qualifying Analytics
This session will describe a process for testing analytics and qualifying them for usage to inform ongoing network defense. The talk starts with a brief discussion of what analytics are and describes some ways in which they fail. A sample analytic is introduced as a running example. Based on this foundation, the talk covers principles for testing analytics in general and the sample analytic in particular. As the principles are introduced, sample testing and results from that testing are provided. The talk concludes with a discussion of what it means to qualify an analytic for use and why such qualification is useful to network defenders.

Attendees Will Learn:
Network analytics have typically been developed and have often been deployed in an on-demand, ad-hoc manner. This has the advantage of timeliness but may lead to reliability and performance issues. This talk discusses how to identify such issues and make informed decisions as to the limitations of a given analytic.

Speakers
Timothy Shimeall

Senior Member of the Technical Staff, CERT Division - SEI/CMU
The only person to make 15 consecutive appearances at FloCon, Tim Shimeall is a Senior Situational Awareness Analyst of the CERT Program at the Software Engineering Institute (SEI). Shimeall is responsible for the development of methods to support decision making in security at and...



Wednesday January 8, 2020 2:30pm - 3:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

3:00pm EST

Demo & Poster Session
Posters and concepts related to the FloCon 2020 theme, "Using Data to Defend," will be presented during this session. Our sponsors will also be on hand to provide demonstrations and answer questions about their products and services.

Presentations Include:
Network Traffic Analysis with SiLK 
Timothy Shimeall; Senior Member of the Technical Staff, CERT Division - Software Engineering Institute
Nancy Ott; Senior Technical Writer/Editor, Software Engineering Institute
Previous revisions to the SiLK Analysts' Handbook, "Network Traffic Analysis with SiLK", shifted the focus from individual tools in the SiLK tool suite to the perspective of network traffic analysts. As such, the handbook is organized according to a workflow for analysts to follow when investigating network activity and anomalies. The analytical thought processes outlined in the new version of this handbook apply to any type of general security analysis. This handbook offers insight on how to think through the problems, address them, and apply the methodology to analysis of network flow or other data.

The new 2019 revision of the handbook (copies available at this session) offers additional content, including case studies exploring possible data leakage, using the new aggregate bag structures to track incoming and outgoing data volumes as paired data, and tips to speed analyses using the SiLK tool suite. Presenters Timothy Shimeall and Nancy Ott (two of the guide's co-authors) will also be gathering feedback from FloCon attendees about content for the upcoming 2020 revision to the Analysts' Handbook. Your input will inform and help to prioritize work on the next update of this guide!

Large-Scale Indicator Caches using Analysis Pipeline and the Elastic Stack
Dillon Lareau; Software Engineer, CERT Division - Software Engineering Institute
Anusha Sinha; Assistant Software Engineer, CERT Division - Software Engineering Institute
Indicator caches make it quicker and easier to find the presence of specific indicators in flow traffic, such as IP addresses or domain names. Indicator caches also make it possible to later associate those cache records with specific flow data without having to perform expensive searches of the actual repository. We developed and tested a system to generate and search these indicator caches using Analysis Pipeline, Logstash, Elasticsearch, and Kibana that is able to handle over 40 billion flows per day.

Speakers
Timothy Shimeall

Senior Member of the Technical Staff, CERT Division - SEI/CMU
The only person to make 15 consecutive appearances at FloCon, Tim Shimeall is a Senior Situational Awareness Analyst of the CERT Program at the Software Engineering Institute (SEI). Shimeall is responsible for the development of methods to support decision making in security at and...
Nancy Ott

Senior Technical Writer/Editor, Carnegie Mellon University - Software Engineering Institute
Nancy Ott is a Senior Technical Writer/Editor at Carnegie Mellon University's Software Engineering Institute. She's been writing about highly technical products for longer than she cares to admit. Before joining SEI, Nancy worked for Carnegie Mellon University's National Robotics...
Dillon Lareau

Software Engineer, CERT Division - Software Engineering Institute
Dillon Lareau is a Software Engineer in the CERT division of Carnegie Mellon University’s Software Engineering Institute. As the current lead developer for Analysis Pipeline, Dillon works to help monitor and defend large networks using software. Dillon holds Bachelor of Science...
Anusha Sinha

Assistant Software Engineer, CERT Division - Software Engineering Institute
Anusha Sinha is a Software Engineer in the CERT division of Carnegie Mellon University's Software Engineering Institute. She began working at CERT in 2018 and has contributed to the design and development of software used to monitor and defend large networks. Anusha holds a Bachelor...

Sponsors
Anomali

The Anomali suite of threat intelligence solutions empowers organizations to detect, investigate and respond to active cybersecurity threats. The award-winning ThreatStream threat intelligence platform aggregates and optimizes millions of threat indicators, creating a “cyber no-fly...
Cisco Umbrella

As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.
CounterFlow AI

CounterFlow AI is driven by a veteran team of data scientists and network security enthusiasts who are dedicated to building solutions that protect and defend some of the largest and most complex enterprise networks in the world. The team behind the technology includes experts who...
NetQuest Corporation

Since its inception in 1987, NetQuest Corporation has provided innovative signals intelligence (SIGINT) and network monitoring solutions to customers around the world. Today, NetQuest is a proven leader in the cyber intelligence community. The company’s product history in monitoring...
Suricata

Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the...


Wednesday January 8, 2020 3:00pm - 5:00pm EST
Scarbrough Ballroom
 
Thursday, January 9
 

7:00am EST

Breakfast
Thursday January 9, 2020 7:00am - 8:30am EST
East Harborside Ballroom

7:00am EST

Registration
Thursday January 9, 2020 7:00am - 3:00pm EST
Regency Ballroom Foyer

8:30am EST

Look Ma, No Malware!
In many cyber security scenarios, we want to associate traffic from malicious actors together, even when we don't have possession of the malware itself. This allows us to understand the overall threat landscape of a particular type of attack and may eventually lead to attribution. This talk uses a specific instance of this problem, DNS-based DDoS attacks, as a case study to highlight how the application of unsupervised learning, and some particular methodologies, can help address this threat intelligence problem.

Over the last few years, we have studied a type of DNS DDoS attack which first appeared at scale in 2014. Known as a Slow Drip, or Random Qname attack, these attacks were especially disruptive in 2014-2015, particularly to the Internet's middle infrastructure. Little malware was ever recovered, and none that explained the breadth and magnitude of the attacks. These attacks continue today, but in the largest known study of the attacks, we found that the threat landscape has changed significantly in the last few years. Through a combination of text and time series features, we are able to characterize the dominant malware and demonstrate that the number of global-scale attack systems is relatively small. These results are based on large-scale global pDNS analysis over eight months.

While the results are useful to organizations needing to understand global DNS-based DDoS threat actors, the methodologies are more universal. We consider the case where a reasonably large amount of data, unlabeled, exists over time; this might be the case for certain DGAs, for example, or DNS tunneling. In our case, this data comes from a strong statistical classifier, but could encompass weaker classifiers.

The observable metadata, in our case the DNS queries, are the source to understand the underlying malware. We use traditional Exploratory Data Analysis (EDA) and feature engineering to gain intuition of how different malware may manifest in our data. The divergence of character distributions between different attacks proves enlightening, but won't scale over time as a production system needs. Identifying archetypical distributions from an initial large sample allows us to overcome this hurdle, and create a distance measure that can be combined with other features to cluster attacks, and the attack generators by extension.

The use of archetypes in unsupervised learning allows us to reliably compare data over time to fixed points, and in a way that scales. We need to be concerned about model drift, where the underlying threat changes, and in our study we did this by considering the application of the unsupervised model to data six months later.

What Will Attendees Learn?
  • Exposure to the Slow Drip attack, its mechanisms, history, and presence on the network
  • Understanding of the evolution of this attack to where it is today
  • Case study application of unsupervised learning to a very large-scale cyber problem for the purpose of threat intelligence
  • The use of character distribution divergence (Jensen-Shannon distance) for clustering data
  • The use of archetypes for unsupervised learning -- and then supervised -- over time
  • Inspiration to try to understand cyber attacks even when no malware exists

Speakers
Renee Burton

Sr. Staff Threat Researcher, Infoblox
Dr. Burton is the Sr. Staff Threat Researcher for the Cyber Intelligence Unit of Infoblox, a leading DDI company. She straddles the boundary between the organization's threat analysts and data scientists, focusing on the design of analytics to support threat intelligence and discovery...



Thursday January 9, 2020 8:30am - 9:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

9:00am EST

Malware's Abuse of Privacy Enhancing Technologies
Privacy enhancing technologies such as Tor play a critical role in enabling persecuted people to access the open Internet. These tools achieve their goals by obfuscating network-visible artifacts of flows. However, they can be abused by malicious actors to evade detection. We examine malware's abuse of privacy enhancing technologies specifically related to the Transport Layer Security (TLS) protocol. We first review longitudinal trends in malware’s use of TLS, TLS 1.3, and DNS-over-HTTPS/TLS. We then review more advanced evasion strategies such as the general strategy of randomizing TLS ClientHello parameters to evade TLS fingerprinting and the use of three popular censorship circumvention tools: Tor, Psiphon, and UltraSurf. In many cases, these tools attempt to mimic popular TLS profiles, which has previously been shown to be difficult to achieve in practice. We quantify the ability of malware’s use of these tools to emulate common applications. Furthermore, we provide well-defined detection strategies implemented in our open-source network monitoring tool.

Attendees Will Learn:
Attendees will learn the prevalence of malware using recently approved standards and the visibility losses associated with these standards. They will also learn how malware is using censorship circumvention programs. Finally, we demonstrate how network operators can detect these threats.

Speakers
Blake Anderson

Senior Technical Leader, Cisco
Blake Anderson currently works as a Senior Technical Leader in Cisco’s Cloud and Network Security Group. Since starting at Cisco in early 2015, he has participated in and led projects aimed at encrypted network traffic analysis, which has resulted in open source projects, academic...



Thursday January 9, 2020 9:00am - 9:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

9:30am EST

Code Similarity Detection Using Syntax-Agnostic Locality Sensitive Hashing
Maintaining software security as the volume of new code written increases is a pressing "big data" problem. Once a vulnerability is identified in one piece of software, identifying other software that might contain a similar vulnerability is critical. However, conducting this type of search is time-consuming and challenging. In this presentation, we discuss Syntax-agnostic locality sensitive hashing (Syntax-agnostic LSH), an efficient method for finding code with similar functionality in large code repositories. Our approach significantly reduces the amount of time analysts need to identify potentially vulnerable software.

LSH is known to successfully find near-duplicate documents at scale. It is also proven in applications such as audio/video/image searching, entity resolution, and fingerprint comparison. Applying LSH to software results in fast searching as it compresses code segments into hashes and eliminates the need for pairwise comparisons by clustering similarly hashed code segments together. Because we hash on the semantic meaning of code segments rather than the code itself, our variant of LSH handles varying code writing styles and compilation strategies that can cause code with the same functionality to look syntactically different.

The use of Syntax-Agnostic LSH as a code similarity detection and searching capability reduces the time, effort, and cost of debugging and maintaining software and allows us to be one step ahead of attackers. Our approach is both an investigative and preventative tool. It allows for much faster identification of code with both technical and logical vulnerabilities that need to be fixed, and it encourages the reuse of “repaired” code through its ability to search for code segments by functionality, rather than syntax. Our cyber team has incorporated Syntax-Agnostic LSH into its investigative platform, with the expectation that it will decrease the length of investigations from 3-4 weeks to under a week.

Attendees Will Learn:
Attendees will learn how to better maintain the security of large codebases through investigative and preventative means.

Speakers
Lara Dedic

Machine Learning Researcher, Novetta
Lara Dedic is an Applied Machine Learning Researcher at Novetta, an advanced analytics company headquartered in McLean, VA. Lara focuses on applying machine learning methods from natural language processing (NLP), computer vision, and other domains to cybersecurity.



Thursday January 9, 2020 9:30am - 10:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

10:00am EST

Morning Break
Thursday January 9, 2020 10:00am - 10:30am EST
Scarbrough Ballroom

10:30am EST

ML Detection of Cyber Attack Signatures and Behaviors from Known and New Threat Actors
Artificial Intelligence (AI) will be the main driver of the Fourth Industrial Revolution, concluded the 2019 World Economic Forum in Davos, Switzerland. The authors of this talk believe that AI and machine learning (ML) will also revolutionize enterprise risk and security management. We successfully built AI/ML pilots across many sub-domains of this important field, from cyber attack analysis and enterprise risk management to fraud and financial crimes analysis. Using cyber attack analysis as an example, we set out to improve the effectiveness of our cyber intrusion prevention system (IPS). Besides blocking and ignoring actions, a typical IPS also sends out numerous alerts that require the attention of a cyber analyst for triaging. We built a data ingestion and wrangling pipeline, selected the optimal machine learning model based on a performance leader-board, and customized an attack recommendation engine. This allowed our cyber analysts to quickly analyze alerts and immediately focus on relevant attack signature patterns and high priority events. In our study, using data from a two-month period, we were able to improve the attack blocking rate of the IPS by 7.2%, thereby markedly improving the effectiveness of our existing security tool. Additionally, our ML initiative also helped our cyber analysts by providing behavior analytics on adversaries, and provided enterprise-specific threat intelligence on both known and new threat actors. We hope to share with the broader cyber-ML community the methods and results of our effort, along with some attacker tactics, techniques, and procedures (TTP) discussions. More importantly, we hope to share the many lessons learned along the way. The two most important are “Quality over Quantity”, and “Data before Algo”.

Speakers
Will Li

Senior Architect, Vanguard
Will Li is a senior technical leader in the risk and security space at Vanguard. His current focus is on promoting the adoption of analytics and machine learning across the many sub-domains of enterprise risk, security, and fraud management. Prior to that, Mr. Li has had a long and diverse...


Thursday January 9, 2020 10:30am - 11:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

11:00am EST

Using Deep Neural Networks to Detect Compromised Hosts in Large Scale Networks
Detecting compromised hosts in networks is an important cyber security challenge. Investing in defenses on the perimeter of the network is key to preventing compromises within the network. However, hosts are compromised at an alarming rate due to security breaches and insider threats. It is becoming impossible for network security analysts to keep up with the barrage of data to manually detect compromises. Automating the detection of compromises and providing decision support play a key role in optimizing the analyst's workflow. Various statistical modeling techniques have been proposed to assist analysts with detecting compromised hosts by examining their behavior on the network at the flow level. But most of this research lacks real datasets that reflect modern attacks, preventing their use in real-world scenarios. The literature tends to use benchmark data sets that are simulated and outdated.

In this presentation, we discuss the generation of a new dataset based on recent, real network data from global research and education that is fused with actual threat lists and contextual information. This augmented data set provides ground truth for training supervised statistical models. We describe the development of a statistical model based on deep neural networks. Using these cutting-edge modeling techniques, we were able to detect compromised hosts in a network using the InSight2 platform at a high accuracy and low false positive rate. Compared to existing statistical models, our model is readily deployable in a wide range of networks, since it has been developed using real-world data. We present case studies based on its deployments at academic institutions and explore its impact in real-world applications from both academic and industrial viewpoints. These case studies use several visualization techniques to show the initial detection, exploration of the source of the attack, command and control centers, and lateral movement of cyber security threats. This process generates further data that can be used to improve the accuracy of the model as the analyst documents and categorizes the threat after investigation.

Attendees Will Learn: 
  • Latest developments in statistical modeling used for threat detection
  • How deep learning can be used for better accuracy
  • Complementing and improving the analyst workflow

Speakers
Angel Kodituwakku

PhD candidate Computer Engineering, concentrating in Cybersecurity, The University of Tennessee, Knoxville
Angel Kodituwakku is currently a PhD candidate in Computer Engineering with a concentration in Cybersecurity at the University of Tennessee, Knoxville. He served as a Research Associate for two years on a National Science Foundation funded project. He received his MS in Computer Engineering...
Eboni Thamavong

Lead Associate - Commercial Cyber Team, Booz Allen Hamilton
Eboni Thamavong has worn many hats throughout her career and is at the forefront of transformation in cybersecurity operations, analysis, and strategy. She is known for identifying areas for development and growth to move organizations forward. Ms. Thamavong is known for her insights...



Thursday January 9, 2020 11:00am - 11:30am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

11:30am EST

Required Elements for Constructing a Highly Adoptable and Adaptive Digital Forensic Model
Research indicated a lack of a widely-accepted digital forensic model. This qualitative modified Delphi study identifies the digital forensic model elements required to create a widely-accepted digital forensic model with a high degree of usefulness, a low degree of difficulty, and the capability of organizational acclimation through adaptation. The study consisted of elemental theme generation using a United States sample population of 20 experts in the field of digital forensics from the private and public sectors. Participants have all been through a certification process, have more than five years’ experience, and are considered forensic experts by U.S. courts. Participants evaluated the researched potential of forensic model elements from formerly suggested models and best practices, in addition to the open-ended questions they answered. The analysis of the captured participant data involved the use of ATLAS.ti Qualitative Data Analysis Software and Apache OpenOffice. The Delphi method provided six themes centered on the required elements of an adoptable and adaptive digital forensic model. Participant responses confirmed the literature review data, indicating there is no standard forensic model. Only six participants indicated that they use a forensic model of some type. The identified elemental themes provide a foundation for future research into establishing a digital forensic model that would be widely accepted and have a high degree of usefulness, a low degree of difficulty, and the capability of organizational acclimation through adaptation.

Attendees Will Learn: 
  • The digital forensic processes currently used, despite no official model. 
  • The 6 themes produced from the study, which cover the elements required to create a widely accepted digital forensic model. Incorporating these elements into their local analysis/forensic models can potentially enhance security.


Speakers
Ken Rodgers

Digital Forensic Examiner, K-Rod Technology
Ken Rodgers is a digital forensic consultant for K-Rod and former Senior Forensic Examiner with the FBI, where he has performed digital forensic examinations on cell phones, hard drives, and various other devices with operating systems such as Linux and Windows. Ken has testified...



Thursday January 9, 2020 11:30am - 12:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

12:00pm EST

Lunch
Thursday January 9, 2020 12:00pm - 1:30pm EST
East Harborside Ballroom

12:30pm EST

Lunch Time Table Talk: Get Beyond Alerts - Maximizing Network Defense w/Suricata, Session 2
This is the second day of a two-day session.  It builds upon information discussed on day one.

Securing a network often begins with the ability to generate alerts when malicious or non-standard network traffic is observed. This is routinely accomplished through intrusion detection and prevention systems (IDPS), such as Suricata. Unfortunately, an alert only provides a narrow view into a possible incident. Data surrounding an alert also needs to be available to help analysts build context before and after an alert. Context enables an organization to understand the threats it faces and gives it the ability to respond to incidents quickly and more effectively. To complicate network defense further, not all malicious traffic will generate an alert when it encounters an IDPS. Analysts need to look for anomalies in network traffic to identify malicious or suspicious patterns through a process commonly referred to as threat hunting.

While many know Suricata as an IDPS, it can provide much more visibility than just alerts. From protocol-specific logs to full packet capture, Suricata can generate the data needed for a comprehensive view into an organization’s network.
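To make the "context around an alert" point concrete, here is an added example (not from the speaker or from the OISF) that reads Suricata's EVE JSON output, joins an `alert` record to the `http`, `flow` and `dns` records that describe the same session, and separately surfaces HTTP sessions that produced no alert at all, which is the threat-hunting case the abstract describes. The log lines in `SAMPLE_EVE` are constructed for the example, using the field names Suricata's eve.json schema uses (`flow_id`, `event_type`, `alert`, `http`, `flow`, `dns`); the hunting heuristics are assumed ones, chosen for illustration.

```python
"""Join Suricata EVE JSON records by flow and hunt for unalerted HTTP (added example)."""
import json
import re
from collections import defaultdict

# Constructed eve.json lines (not real traffic); shape follows Suricata's EVE schema.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2020-01-09T12:30:58.000000-0500", "flow_id": 101, "event_type": "dns",
                "src_ip": "10.0.0.5", "src_port": 53211, "dest_ip": "10.0.0.2", "dest_port": 53,
                "proto": "UDP", "dns": {"type": "query", "rrname": "updates.example.test", "rrtype": "A"}}),
    json.dumps({"timestamp": "2020-01-09T12:31:00.000000-0500", "flow_id": 102, "event_type": "http",
                "src_ip": "10.0.0.5", "src_port": 40001, "dest_ip": "203.0.113.10", "dest_port": 80,
                "proto": "TCP", "http": {"hostname": "updates.example.test", "url": "/dl/setup.bin",
                                         "http_user_agent": "Mozilla/4.0", "http_method": "GET",
                                         "status": 200, "length": 734003}}),
    json.dumps({"timestamp": "2020-01-09T12:31:00.100000-0500", "flow_id": 102, "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 40001, "dest_ip": "203.0.113.10", "dest_port": 80,
                "proto": "TCP", "alert": {"action": "allowed", "signature_id": 1000001, "rev": 1,
                                          "signature": "CONSTRUCTED executable download",
                                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2020-01-09T12:31:04.000000-0500", "flow_id": 102, "event_type": "flow",
                "src_ip": "10.0.0.5", "src_port": 40001, "dest_ip": "203.0.113.10", "dest_port": 80,
                "proto": "TCP", "flow": {"pkts_toserver": 12, "pkts_toclient": 520,
                                         "bytes_toserver": 1500, "bytes_toclient": 735000, "state": "closed"}}),
    json.dumps({"timestamp": "2020-01-09T12:32:10.000000-0500", "flow_id": 103, "event_type": "http",
                "src_ip": "10.0.0.5", "src_port": 40002, "dest_ip": "198.51.100.7", "dest_port": 80,
                "proto": "TCP", "http": {"hostname": "198.51.100.7", "url": "/", "http_user_agent": "",
                                         "http_method": "POST", "status": 200, "length": 0}}),
    json.dumps({"timestamp": "2020-01-09T12:32:12.000000-0500", "flow_id": 103, "event_type": "flow",
                "src_ip": "10.0.0.5", "src_port": 40002, "dest_ip": "198.51.100.7", "dest_port": 80,
                "proto": "TCP", "flow": {"pkts_toserver": 6, "pkts_toclient": 4,
                                         "bytes_toserver": 900, "bytes_toclient": 300, "state": "closed"}}),
])

BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_eve(text: str) -> list:
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def index_by_flow(events: list) -> dict:
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev.get("flow_id")].append(ev)
    return by_flow


def alert_context(events: list) -> list:
    """For every alert, gather the http and flow records of the same flow_id and
    any dns query from the same client for the hostname seen in that flow."""
    by_flow = index_by_flow(events)
    dns = [ev for ev in events if ev.get("event_type") == "dns"]
    out = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        same_flow = by_flow[ev["flow_id"]]
        http = [e["http"] for e in same_flow if e.get("event_type") == "http"]
        flow = next((e["flow"] for e in same_flow if e.get("event_type") == "flow"), None)
        hosts = {h.get("hostname") for h in http}
        related_dns = [d["dns"] for d in dns
                       if d.get("src_ip") == ev.get("src_ip") and d["dns"].get("rrname") in hosts]
        out.append({"flow_id": ev["flow_id"], "signature": ev["alert"]["signature"],
                    "severity": ev["alert"]["severity"], "http": http, "flow": flow, "dns": related_dns})
    return out


def hunt_unalerted_http(events: list) -> list:
    """HTTP sessions with no alert that still look worth a second look
    (assumed heuristics: empty User-Agent, or a bare IP as the Host)."""
    by_flow = index_by_flow(events)
    hits = []
    for fid, evs in by_flow.items():
        if any(e.get("event_type") == "alert" for e in evs):
            continue
        for e in evs:
            if e.get("event_type") != "http":
                continue
            h = e["http"]
            reasons = []
            if not h.get("http_user_agent"):
                reasons.append("empty user agent")
            if BARE_IP.match(h.get("hostname", "")):
                reasons.append("bare IP host header")
            if reasons:
                hits.append({"flow_id": fid, "dest_ip": e.get("dest_ip"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print(json.dumps(alert_context(evs), indent=1))
    print(json.dumps(hunt_unalerted_http(evs), indent=1))
```

The `flow_id` field is what makes the join cheap: Suricata stamps it on every record for a session, so alert, protocol and flow logs can be correlated without re-parsing packets, and the per-flow grouping is also the natural unit for hunting over sessions that never matched a rule.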

Intended Audience: This is an ideal talk for security analysts, blue teamers, and malware researchers to learn how Suricata can provide visibility beyond an alert.

Speakers
Josh Stroschein

Director of Training, Open Information Security Foundation - OISF
Josh is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is the Director of Training for the Open Information Security Foundation (OISF), where he leads all training activity for the foundation and is also responsible for academic outreach...


Thursday January 9, 2020 12:30pm - 1:00pm EST
Verelst/Percival

1:30pm EST

Uncovering Priority Anomalies using Pattern Discovery as a Roadmap for Contextual Analysis
In most real-world network environments, abnormal activity is a routine part of normal operation. Systems that flag statistically abnormal events flood IT specialists with meaningless alerts. Meanwhile, systems that key on signatures are limited to discovering what is already known to be anomalous. In this talk, we describe an approach to anomaly detection that is based on the insight that large-scale tensor decompositions can be used to create an effective roadmap for targeted database and graph queries that confirm or reject behavior hypotheses. Tensor decompositions, which are based on matrix operations extended to higher dimensions, have been shown to isolate coherent patterns of behavior from within complex network traffic logs. This pattern-based approach can immediately link together multiple discrete activities separated by time, entity, or location in multidimensional data and can embody interactions that cannot be expressed (or often even anticipated) by rule signatures. Tensor decompositions alone, however, are limited in that they cannot ascribe significance to discovered patterns. Large database and graph structures are a natural choice for representing linked metadata at scale and offer rich query capabilities. As a first-line analytics tool, however, search-based approaches can suffer from the “boil-the-ocean” problem of having to examine the totality of massive data stores to find instances of specific, sometimes complex patterns, among potentially billions of interconnected records.

We show how patterns discovered through tensor decomposition can be thought of as documents that can be subjected to a variety of analyses, in parallel, with successively increasing need for deep contextual information. Patterns are subjected to topic-based analysis trained from prior decompositions to discover anomalies. Anomalous patterns are then further categorized using tests for the existence of a variety of descriptive behaviors including beaconing, mapping, and scanning, among others. Once patterns requiring deeper, targeted inspection have been identified, elements of these patterns drive query-based analysis scripted according to the category assigned to the pattern. These analyses are capable of combining records from the original network log data with contextual information including network topology, whitelist and blacklist information, and external information such as published alerts. This segmentation of analysis allows adaptation and customization to specific environments resulting in scalable, network-aware prioritization of alerts while also reducing alert clutter.

Attendees Will Learn:
In this talk, attendees will be exposed to a unique approach to network anomaly detection and prioritization that combines tensor decompositions with deeper, query-based analysis. This talk will describe tensor decompositions as an emerging method for discovering patterns in network flow logs. Examples drawn from operational data will demonstrate the boundary of what is possible with unsupervised analysis alone and then with unlabeled topic analysis incorporating historical data. This talk will also show how tensor methods create a novel and compelling use case for large database and graph stores, employing those systems to close the remaining gap to providing prioritized alerts.

Speakers
Thomas S. Henretty, Ph.D.

Managing Engineer, Reservoir Labs



Thursday January 9, 2020 1:30pm - 2:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

2:00pm EST

Countermeasures to Security Threats in Networked Medical Devices
The purpose of this qualitative Delphi study was to examine the underlying basic motivation of IT experts and create a model for developing effective countermeasures for cyber threats to networked medical devices in the healthcare industry in the United States. This study addresses the growing need for countermeasures for risks related to networked medical devices. The participants included fifteen IT experts with relevant experience in employing a schema to analyze security risks in networked medical devices. Semi-structured interviews in multiple rounds reached a saturation of data in the third round.

The findings of this research could aid users in preventing security breaches with networked medical devices. This model could be used by IT leaders in the healthcare industry and manufacturers of networked medical devices to improve the security of their devices from cyber threats and minimize the risks related to their use, especially when these devices are connected to a network. The findings from this study could also help IT and healthcare organizations that support networked medical devices to increase their awareness of cyber threats. In addition, the model could also help scholars to identify areas of risk where more countermeasures are needed.

Attendees will learn ways to make IT support and healthcare organizations aware of the growing need for countermeasures to risks associated with networked medical devices.

Speakers
Melinda Lyles

Professor, Florida Southwestern State College
Melinda Lyles is a Professor at Florida Southwestern State College. She previously served in Information Technology in the United States Navy and retired with over 21 years combined service as an officer in the United States Public Health Service. During her service time, she...



Thursday January 9, 2020 2:00pm - 2:30pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

2:30pm EST

Cybersecurity Data Science 2020: Practitioner Perspectives and Guidance
Cybersecurity Data Science (CSDS) is a rapidly emerging practitioner discipline at the intersection of two fields of intense public and commercial interest. CSDS emerges from the growing practice of applying data science to prevent, detect, and remediate expanding and evolving cybersecurity threats.  It offers a range of methods to address growing challenges in the cybersecurity domain, including rapidly evolving threats, expanding vulnerabilities, shrinking human resources, data overload, and challenges with orchestrating automated decisioning.

Because CSDS is in the early stages of professionalization, however, gaps in its practice impede its effectiveness. This presentation seeks to characterize the emerging CSDS professional discipline from the perspective of practitioners. Results from interviews with 50 global cybersecurity data scientists will be summarized and reviewed. Common themes raised in interviews will be framed to provide attendees with practical guidance on implementing CSDS solutions and programs. Through an aggregated analysis of interview themes, this presentation seeks to address the following questions:

• What is the professional status of cybersecurity data science?
• What are its perceived central challenges?
• What methodological and technical trends are emerging?
• What are the key best practices based on the collective experiences of peers?
• What aspects of data science are appearing on the adversarial side?

In mapping CSDS boundaries and gaps based on comprehensive practitioner input, this presentation offers guidance to practitioners, managers, and researchers interested in advancing CSDS professional practice and general effectiveness. This includes those who are planning operational programmatic implementations and/or research initiatives. As this research will be published in a forthcoming book, the hope is to gain feedback from the community on the best practices and challenges it has identified. This presentation advances the 2019 presentation by extending and completing the research and analysis that was previously conducted.

Attendees Will Learn:
This talk addresses fundamental questions concerning the status of cybersecurity data science (CSDS) as an emerging profession. Based upon interviews with 50 global cybersecurity data scientists, the talk offers guidance from those at the forefront of this emerging domain. Attendees will:
• Gain advice from CSDS practitioners for those seeking to implement solutions
• Learn key stumbling blocks and gaps in deploying CSDS solutions
• Learn how organizational, process, and technical factors must align to deliver on CSDS
Summarizing research from a forthcoming book, this talk will be of interest to practitioners, managers, and planners seeking to understand CSDS challenges and best practices.

Speakers
Scott Mongeau

Cybersecurity Data Scientist, SAS Institute
Scott Mongeau is a Cybersecurity Data Scientist - Principal Business Solutions Manager at SAS Institute. He has three decades of experience in designing and deploying data-intensive solutions in a range of industries, including management consulting, software and services, financial...



Thursday January 9, 2020 2:30pm - 3:00pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401

3:00pm EST

Conference Close
Speakers
Joshua Fallon

Network Defense Analyst, CERT Division - SEI/CMU
Dr. Joshua Fallon has served as FloCon Chair since 2021. He is a network defense analyst with the CERT Situational Awareness team, where he participates in analysis of network security and resilience and supports the development of tools and methods for network security analysts and...


Thursday January 9, 2020 3:00pm - 3:15pm EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401