10-11 April 2017
Carlsbad, California
Hosted by: ThreatSTOP and Farsight Security

I'm happy to announce that 
    ISOI XVIII, hosted by ThreatSTOP and Farsight Security 
    on Mon.-Tues., 10-11 April 2017, will be be held at:

 Green Dragon Tavern and Museum
 6115 Paseo Del Norte
 Carlsbad, CA 92011

We did not get a reserved room block rate at a specific hotel, but nearby hotels include:

   Carlsbad by the Sea Resort
   Upscale motel, ~$125/day, free breakfast, easy walking distance

   Hilton Garden Inn Carlsbad Beach
   Beach hotel, ~$190/day, possible free breakfast (0.7 mi)

   Grand Pacific Palisades Resort
   Vacation resort, ~$190/day, Karl Strauss breakfast (0.6 mi)

   Staybridge Suites
   Corporate studios, ~$170/day, breakfast included (4.1 mi)

* NOTE: Additional information regarding a Sunday night gathering and the 
  Monday night "ISOI XVIII Fun Night" will be provided separately to attendees.


Sunday, 9 April 2017

16:00-18:00 "Early Registration" (sponsored by OISF)
    The Open Information Security Foundation invites
    attendees to a pre-gathering at the event venue (Green Dragon Tavern)

18:00-onward Hallway Discussions (literally)
Monday, 10 April 2017

NOTE: Breakfast is on your own. Most hotels have their own breakfast
options, or try local restaurants for breakfast.

08:30-09:00  Registration

09:00-09:15  Welcome to ISOI XVII! Intro, announcements, logistics, etc.

09:15-10:00  Tim O'Brien (Trace3): The road to hiring fellow hackers is
paved in good intentions

This talk takes the experiences of the speaker as both interviewer and
interviewee, as well as from others within the scene in order to let the
people making hiring decisions know what they can do to get the people
and experience they need for their teams. In addition, this allows for
candidates to learn the limiting factors and challenges of hiring
mangers face in hopes to prepare for and 'hack the system' to workaround

10:00-10:45  James Pleger (Kudelski Security): How to suck at Threat

In this lighthearted presentation, we will discuss some of the common
pitfalls that organizations have ran into when standing up a Threat
Intel function. We will also go over the 3 core competencies of a modern
TI mission and discuss some proven techniques that show value to
executive leadership sourced from technical content.

10:45-11:15  Break

11:15-12:00  Chris Astacio (Palo Alto Networks): A Retrospective on
Exploit Kits

With all the talk of the lack of an Exploit Kit market and activity
lately, I would like to review where the Exploit Kit market has been.
Beginning with perhaps the origins of commodity exploit kits and how
these kits would protect their code as well as the attack traffic.
Continuing to how the market's products have evolved and discussing some
of the more impactful kits as well as why they were so impactful.
Finally ending up with what kits we've observed today and possibly where
or if the market will go from here.

12:00-13:00  Lunch (sponsored by Farsight Security)

13:00-13:45  Zach Wikholm (Flashpoint): Links in the Supply Chain

In a post-Mirai world, everybody is looking at IoT as a horrible problem
for the future. However, large portions of the botnets were made of up
of older (2004-2009) devices. In late 2016, Flashpoint uncovered one of
the largest culprits of the vulnerable devices; XiongMai Technologies.
XM Technologies had sold hundreds of thousands of white-labeled DVR, NVR
and HVR boards to over 200 companies in 93 countries, all with the same
unchangeable telnet username and password. In this talk, I will discuss
the issues with reporting these vulnerabilities as well as demonstrate
how we found out who made these devices. Rather than being another
"vendor bad, researcher good" talk, it's time to shift the focus to what
can be done for the hundreds of thousands of devices around the world
that cannot be patched, and are vital to business owners in countries
around the globe.

13:45-14:30  Jamie Cochran (Cloudflare): Botnet Fallout: Take down, take
over or forget it?

Battling malware and botnets has evolved over time; protect the end
point, protect the market, kill the servers. How effective has the
ecosystem been at this? What happens when we focus on one facet of this
and not the others? We will deep dive into a few recent botnets for IoT
devices and Android, our attempts to mitigate the issue and assist in
destroying the threat. More interestingly, we will plunge into the
aftermath of such events, how much data is still flowing from the
infected devices and what can the industry do from here to improve
protections for their networks and consumers?

14:30-15:00  Break

15:00-15:45  Simon Conant (Palo Alto, Unit 42): Gaza Cybergang score an

We recently observed attacks that we believe are part of a campaign
linked to DustySky, a campaign which others have attributed to the Gaza
Cybergang group, that targets government interests in the region. This
report shares our analysis of the attack and customized Remote Access
Tool (RAT). We also discovered during our research that the RAT Server
used by this attacker is itself vulnerable to remote attack, a
double-edged sword for these attackers.

Bonus: Adware in Applications’ Clothing

We share our analysis of a set of trojanized Android applications,
discovering that the Trojan author is also the owner of multiple Android
app stores used to distribute his malware by the tens of thousands. And
the rarest of things – a Russian actor deliberately targeting Russian

16:30-17:15  David Perry (Ambassador APWG)): What's wrong with the end

To a very great degree, we inside the computer security industry display
what I can only characterize as a sneering disrespect for the end user.
End users are characterized as lazy and stupid, and yet they are the
only reason that we have a need for security, safety and privacy. Why
all of this contempt? We don't seem to be able to fix the systems and
make them wholly secure, why can't we at least spend some effort on
fixing the users themselves? All of us decry that better user behavior
would at least help. All of us similarly say that the problem cannot be
100% fixed from that angle. So what?  Education might not be the only
answer, but I assure you it can help. I propose to study what small
problems might be solved the most easily, and to measure the cost of the
effort and the effect down the stream.

18:00-21:00  ISOI XVIII Fun Night
             (sponsored by ThreatStop and TeamCymru)

Tuesday, 11 April 2017

NOTE: Breakfast is on your own. Most hotels have their own breakfast
options, or try local restaurants for breakfast.

08:30-09:00  Registration, Set-Up, etc.

09:00-09:45  Donald "Mac" McCarthy (MyNetWatchman): Creds 'R' Us

There has been a recent explosion in the number of credentials offered
for sale in underground marketplaces. This evolution has fueled an
increase in account takeover activity – criminals no longer need to
master the sophisticated and time-consuming steps of breaching
databases, conducting phishing campaigns, or infecting end-users with
keyloggers – all they need is a bitcoin wallet! What is the scope of
this problem, where are all these credentials coming from, how are these
markets maintained, and where is this headed? This presentation dives
into these questions as well as considering steps that can be taken to
mitigate the problem.

09:45-10:30  Steve Santorelli (Team Cymru): Monetizing Malware - a case study

Steve will be covering a few high anonymity VPN services being used by miscreants, 
detailing a bit of comparative market analysis and attribution. He will also go over 
some of Team Cymru's Community services including our conferences.

10:30-11:00  Break

11:00-11:45  Ya Liu and Wenji Qu (Netlab 360): Yet another Mirai talk

In this talk, we will cover few aspects of the mirai from the very
beginning till these days, we will go over various methods being use by
us to capture the mirai samples, including VT, layer4 netflow traffic,
active probing, dns clustering, as well as customized honeypot. We will
also present some major observations we have discovered so far, for
example, the efforts of changing C2 communication protocol (XorKey,
private dns server, random c2 selection in given subnets, backup dga
channel..etc), as well as other facts like different ways mirai has been
used to infect more victims.

12:00-13:00  Lunch (sponsored by Farsight Security)

13:00-13:45  Barry Greene (Senki): Top Security Tools, Capabilities &
Capacity That Every ASN Must Deploy

The objective of the session is get a review of all the tools,
capability, and capacity that every ASN should deploy to allow for
effective traceback, backtrace, investigation, mitigation, and
remediation. We'll spend 15 minutes covering the outline and 15 minutes
discussion. The materials will be shared before hand to get some dialog
and thinking before the session. The goal is to have ISOI participants
influence what would be taught at the NOGs (e.g. NANOG, RIPE NCC
workshops, etc.).

13:45-14:30 Will Peteroy (ICEBRG): Forensic analysis techniques in an
encrypted world

Great, we encrypted 'all the things', now how do we analyze the things?

The movement to encrypt network communications has created a new set of
challenges and critical choices for information security and risk
operations personnel and executives. Encryption renders many legacy
network security monitoring tools useless and there are compelling cases
for maintaining user privacy. This talk will examine how the increasing
adoption of encryption in common network protocols impacts security
architectures and present new techniques to build threat intelligence
and detection streams that operate on top of encrypted traffic.

14:30-15:00  Break

15:00-15:30  Eric Ziegast (Farsight Security): Overview of DNSTAP

Eric will give attendees a primer on DNSTAP, an update on supported
nameservers, and a couple use cases for security researchers (not just
PassiveDNS). dnstap is a flexible, structured binary log format for DNS
software. It uses Protocol Buffers to encode events that occur inside
DNS software in an implementation-neutral format.

15:35-16:30 Fergie, Eric Ziegast, Tom Byrnes, Barry Greene, et al.:
Panel (and audience) discussion: The Future of ISOI

Panel and audience discussion on the future of ISOI, the challenges of
success, etc.

Since ISOI is a grassroots, community-driven meet-up, it is important
for us all to provide our visions, suggestions for improvement, etc. in
order to make ISOI a continuing pillar of the operational security
intelligence community.

16:30-17:00  Closing remarks