DESS SSIC 2010/2011 - univ-Metz - MIM

Discovering and Learning Security Threats and Attackers
Using Honeynet/pot Technologies

Course Description

The subject of this course is to use the Honeynet/pot technologies as a tool to discover and learn existing and new threats to networked/distributed information system and better understand attackers behaviour. The course includes a project to build a custom honeypot or related tools to turn the theory into a practical session. The course requires a high involvement from the participants.

Project Details

During the period of the course, there will be a specific project to realize. The project is fully integrated into the course sessions that means some topics covered will help to enhance or complete your work.

Project definition and group composition (2 max) should be sent before end of January 2011. Project will be registered at gitorious.org and released under a free software license. Project needs to be tagged in gitorious as dess-20102011. The project must be completed for 6th April 2010. Submission of the project to a conference is highly recommended (e.g. AppSecEU2011).

No idea? Here is some potential projects:

[Perl] Improving Perl IODEF parser and dumping incident in simplified text files.
[Python,Perl or Ruby] A script to transform large tcpdump text output into MooWheel JSON format.
[Ruby] Extending logstash outputs to add XMPP export for specific matching patterns in logs.

Caveats

You may find that the subject is too experimental and not yet mature for real-life application. If you have any issue with the course (including the way I teach it), don't hesitate to talk about as early as possible.

Sessions

Date/Where	Topics and support
Saturday Jan 15, 09:00-13:00 @computer room	The Attackers’ Principles The shortest, fastest and cheapest path : a common method for compromising information system Ethics in Computer Science Ethics and Social Responsibility in this Computer Security (Honeynet) Workshop cap 1 cap 2
Saturday Jan 21, 09:00-13:00 @computer room	Network Data Capture in Honeynets Berkeley Packet Capture (BPF) and Related Technologies : An Introduction Introduction to Honeypot/Honeynet technologies and Its Historical Perspective Honeynet data capture - practical analysis of rootkits An Instrumented Analysis of Unknown Software and Malware Driven by Free Libre Open Source Software
Saturday Jan 28, 09:00-13:00 @computer room	Honeynet/pot : the data capture possibilities Project: an ultra fast introduction to git and a project review. An introduction to forensic analysis
Saturday Feb 5	N/A (don't forget to work on your project)
Saturday Feb 12, 09:00-13:00 @computer room	Forensic use case and lab (testcaseimage) What did we learn from the attackers? Project review and support
Saturday Feb 19 09:00-13:00 @computer room	Penetration testing or the art of breaking software to improve it Software review and penetration testing of : Streber PM and Tiny Tiny RSS Project review and support
Saturday Feb 26 09:00-13:00 @computer room	Passive DNS Using the DNS for fun and profit DNS Workshop Project review and support

IP, TCP, UDP headers + TCP state transition diagram from TCP/IP illustrated, Volume 1

Bibliography

Know Your Enemy : Learning about Security Threats (2nd Edition) by Honeynet Project The (2004), Addison Wesley,ISBN:0321166469
The Internet Motion Sensor: A Distributed Blackhole Monitoring System by M Bailey, E Cooke, F Jahanian, J Nazario, D Watson
A Virtual Honeypot Framework by Niels Provos, USENIX Security '04 Paper
Towards an estimation of the accuracy of TCP reassembly in network forensics by Gerard Wagener, Alexandre Dulaunoy and Thomas Engel. Published in FGCN (2) 2008: 273-278.

Copyright © Alexandre J.D. Dulaunoy ( a at foo dot be ) This work is licensed to you under version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar licenses.