FloCon 2017 has ended


General Session
Tuesday, January 10


Assessing Targeted Attacks in Incident Response Threat Correlation
The current number of active cyber threats is astounding. Do you know which threats are targeting you right now and which threats are likely to cause the greatest harm to your company?
This session examines how correlating network flow data with cyber threat information during incident response provides knowledge not only of which threats are active or targeting you, but of which of your assets are being targeted before or during an incident. We examine the many data types used in commonly shared indicators of compromise and explore which of them lend themselves to automated correlation with network flow data. The pros and cons of common correlation algorithms are discussed, with a focus on their contributions and limitations in enhancing threat intelligence efforts. Proper network flow correlation should provide a foundation for risk-based mitigation that identifies the threats creating the greatest loss of value for your organization, rather than chasing down the threats deemed most harmful by the industry.
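The abstract's point that only some indicator data types can be correlated automatically with flow records, and that the result should name the assets contacted and the traffic volume involved, is illustrated by this added example (not the speakers' or LookingGlass's code). The flow records, indicators, threat names and the assumption that 10.0.0.0/8 is the enterprise are all constructed.

```python
"""Correlate constructed flow records with constructed IOCs, by IOC type."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the enterprise address space

# Constructed flow records carrying only the fields a flow collector exports.
FLOWS = [
    {"src": "10.0.1.5", "dst": "198.51.100.7", "dport": 443, "bytes": 120_000},
    {"src": "10.0.1.5", "dst": "10.0.0.53", "dport": 53, "bytes": 90,
     "dns_qname": "update.example-bad.test"},  # DNS flow with the queried name
    {"src": "10.0.2.9", "dst": "203.0.113.44", "dport": 80, "bytes": 500},
    {"src": "10.0.3.2", "dst": "192.0.2.10", "dport": 22, "bytes": 40},
]

# Constructed indicators in the shapes commonly shared: (type, value, threat).
IOCS = [
    ("ipv4-addr", "198.51.100.7", "threat-A"),
    ("ipv4-net", "203.0.113.0/24", "threat-B"),
    ("domain", "example-bad.test", "threat-A"),
    ("sha256", "0" * 64, "threat-C"),  # a file hash has no flow field to match
]

def asset_of(flow):
    """Return the internal endpoint of a flow, or None if both ends are external."""
    for end in (flow["src"], flow["dst"]):
        if ip_address(end) in INTERNAL:
            return end
    return None

def matches(kind, value, flow):
    """True/False if this IOC type is flow-visible, None if it cannot be matched."""
    if kind == "ipv4-addr":
        return value in (flow["src"], flow["dst"])
    if kind == "ipv4-net":
        net = ip_network(value)
        return any(ip_address(e) in net for e in (flow["src"], flow["dst"]))
    if kind == "domain":  # only DNS flows that carry the queried name can match
        q = flow.get("dns_qname", "")
        return q == value or q.endswith("." + value)
    return None

def correlate(flows, iocs):
    """Map each threat to the internal assets it touched and the bytes involved."""
    hits = defaultdict(lambda: {"assets": set(), "bytes": 0})
    unmatchable = set()  # IOC types that flow data alone can never resolve
    for kind, value, threat in iocs:
        for f in flows:
            m = matches(kind, value, f)
            if m is None:
                unmatchable.add(kind)
                break
            if m:
                hits[threat]["assets"].add(asset_of(f))
                hits[threat]["bytes"] += f["bytes"]
    return dict(hits), unmatchable
```

The byte totals per threat give a first cut at the "loss of value" ranking the abstract argues for, while `unmatchable` lists the indicator types that need a different data source (file hashes need endpoint or proxy logs, not flows).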


Jamison Day

LookingGlass Cyber Solutions, Inc.
Jamison M. Day is a Decision Science PhD who was selected as 1 of 5 members nationwide to serve on a Supply Chain Security Team for the U.S. Director of National Intelligence. His interactive analytics products have helped Microsoft and the Department of Homeland Security reduce...

Allan Thomson

LookingGlass Cyber Solutions, Inc.
As LookingGlass Chief Technology Officer, Allan Thomson has more than three decades of experience across network, security and distributed systems technologies. Allan leads technical strategy, architecture and product development across all LookingGlass Dynamic Threat Defense product...

Tuesday January 10, 2017 9:30am - 10:00am
Great Room V-VIII 7450 Hazard Center Dr.
Thursday, January 12


Detecting Threats, Not Sandboxes: Characterizing Network Environments to Improve Malware Classification
Applying supervised machine learning to network data features is increasingly common; it is well suited for tasks such as the detection of malicious flows and application identification. In these applications, it is essential to avoid biases that can arise due to the fact that different training datasets are obtained in different network environments. Unfortunately, it is not straightforward to understand how these environments can introduce biases; many previous studies have not even attempted to do so. In this work, we focus on the important case of training data obtained from malware sandboxes, and its use in detecting malware communications on enterprise networks. We present techniques to identify data features derived from the TCP/IP, TLS, DNS, and HTTP protocols that are artifacts of network environments, and show data features that are invariant across those environments.

HTTP headers provide a good example: the user-agent is often, but not always, invariant. The via header, on the other hand, indicates that a flow has passed through a proxy, so it is not representative of the application's type or intention but is rather a feature of the network environment. In our datasets, nearly 100% of the enterprise HTTP flows contained the "via" header, but it was uncommon in the malware sandbox dataset. A naïve application of machine learning would use this fact to achieve low error in cross-validation tests, but it would also fail to capture the concept of maliciousness, and its efficacy on real network traffic would suffer.

A similar situation holds for TLS, which contains a complex set of data features. Most Windows sandboxes use the XP version to maximize the probability that the submitted malware sample executes. TLS flows that take advantage of the underlying operating system's TLS library therefore use an outdated version of SChannel. In the cases where the malware samples use SChannel, offering obsolete TLS ciphersuites is not an inherent feature of the malware, but rather a feature of the sandbox environment. Understanding and accounting for these biases is necessary to create machine learning models that accurately distinguish malicious traffic from enterprise traffic, rather than simply learning to classify different network environments.

In addition to highlighting these pitfalls, we offer solutions to the problems and demonstrate their results. By understanding the target network environment and creating training datasets composed of synthetic samples, we can systematically avoid a sandbox bias. For example, when monitoring a network with a web proxy enabled and where Windows 10 is the most prevalent operating system, we create synthetic HTTP flows by modifying the existing malware HTTP flows to include the appropriate "via" header. Similarly, we modify the TLS ciphersuite offer vector and extensions to resemble the appropriate version of SChannel. Finally, we use the synthetic malware dataset and baseline benign data collected from the enterprise network to create robust machine learning classifiers that can be deployed on the enterprise network.
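The sandbox-bias check and the synthetic-sample fix described above, as an added example that is not the authors' code. The per-flow feature records, the ciphersuite lists and the target profile that stands in for a Windows 10 SChannel offer are all constructed; the artifact test simply flags features whose presence rate differs sharply between the two collection environments.

```python
"""Flag environment-artifact features and synthesize environment-matched samples."""

SANDBOX_MALWARE = [  # constructed: XP sandbox, no proxy, obsolete RC4/3DES offers
    {"label": 1, "via": False, "user_agent": "Mozilla/4.0", "ciphers": [0x0004, 0x0005, 0x000a]},
    {"label": 1, "via": False, "user_agent": "Mozilla/4.0", "ciphers": [0x0004, 0x0005, 0x000a]},
    {"label": 1, "via": False, "user_agent": "wget", "ciphers": []},  # plain HTTP, no TLS
]
ENTERPRISE_BENIGN = [  # constructed: proxied Windows 10 clients, AEAD ciphersuites
    {"label": 0, "via": True, "user_agent": "Mozilla/5.0", "ciphers": [0xc02c, 0xc02b, 0xc030]},
    {"label": 0, "via": True, "user_agent": "Mozilla/5.0", "ciphers": [0xc02c, 0xc02b, 0xc030]},
    {"label": 0, "via": True, "user_agent": "curl", "ciphers": []},
]
# Constructed stand-in for the target network: proxy present, modern offer vector.
TARGET_PROFILE = {"via": True, "ciphers": [0xc02c, 0xc02b, 0xc030, 0x009f]}

def presence_rate(records, feature):
    """Fraction of records in which a binary feature is present."""
    return sum(1 for r in records if r[feature]) / len(records)

def environment_artifacts(env_a, env_b, features, threshold=0.9):
    """Features present in almost all of one environment and almost none of the other.

    Such a feature separates the two training sets nearly perfectly while saying
    nothing about maliciousness, so a classifier trained on it learns the
    environment rather than the threat.
    """
    return [f for f in features
            if abs(presence_rate(env_a, f) - presence_rate(env_b, f)) >= threshold]

def naive_accuracy(records):
    """Accuracy of the shortcut rule 'via header present => benign'."""
    return sum(1 for r in records if (not r["via"]) == bool(r["label"])) / len(records)

def synthesize(malware_records, profile):
    """Rewrite sandbox malware flows to look as they would on the target network.

    The proxy header is added to every flow; the ciphersuite offer is replaced
    only on flows that actually carried a TLS offer (plain HTTP flows keep none).
    """
    out = []
    for r in malware_records:
        s = dict(r, via=profile["via"])
        if r["ciphers"]:
            s["ciphers"] = list(profile["ciphers"])
        out.append(s)
    return out
```

On the constructed data the shortcut rule scores 100% in-sample before synthesis and 50% after, which is the behaviour the abstract describes: the "via" header stops separating the classes once both datasets reflect the same network environment.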


Blake Anderson

Cisco Systems Inc.
Blake received his PhD from the University of New Mexico. In his dissertation, he developed novel machine learning techniques and applied them to classify, cluster, and find phylogenetic relationships in malware data. Blake spent time performing security research at Los...

David McGrew

Cisco Systems, Inc.
David McGrew is a Fellow in the Advanced Security Research Group at Cisco, where he works to improve network and system security through applied research, standards, and product engineering. His current interests are the detection of threats using network technologies and the development...

Thursday January 12, 2017 1:00pm - 1:30pm
Great Room V-VIII 7450 Hazard Center Dr.


I Want Your Flows To Be Lies
Real-time and recorded flow data can be an incredible boon to systems administrators, providing a comprehensive view of how a network functions, or fails to function. Changes in flow data can also be used to detect anomalous behavior like an intruder, a data exfiltration attempt, or a DDoS attack. All of this is great. So why do I want to fill your flow data with lies?

Flow data provides exactly the same information to an attacker: what servers are important, where the interesting data lies. This data is one reason that sophisticated attackers target routers as one of their first targets: what a great source of information about what is important on the network! Suddenly it is easy to distinguish high-value servers from low-value servers, and real machines from honeypots.

CyberChaff and Prattle are novel network defense solutions that work by creating fake nodes and fake traffic into your networks, to mask the true topology and direct attackers towards alarms. In this talk, I describe how we can use this same infrastructure to mask the real flows on your network, decreasing their value to an adversary and hiding the defensive areas of your network. I'll even show you how to hook your flow data back into Prattle, to ensure that nothing stands out to the attacker.

And then, finally, I'll show you how you can get the information you wanted back without tipping your hand.


Adam Wick

Galois, Inc.
Adam Wick leads the systems software group at Galois, Inc., an R&D company in Portland, OR. Galois does research in formal methods, programming language development, operating systems, compiler engineering, and security. Dr. Wick has worked in a variety of fields at all levels of the...

Thursday January 12, 2017 1:30pm - 2:00pm
Great Room V-VIII 7450 Hazard Center Dr.