Internet Security Operations and Intelligence II - a DA Workshop

Hosted by Microsoft Corporation with an after-party dinner sponsored by Trendmicro.

January 25, 26 2007. Microsoft Conference Center, Redmond - Washington.

Agenda and Schedule

First day: Lectures and Case Studies
09:00 - 09:05 Welcome to ISOI 2 and Preview of the Day Gadi Evron (Beyond Security)
09:05 - 09:40 Key-note: "Where is That Worm? The Changing Nature of Cyber-attacks" Jerry Dixon (DHS, US-CERT manager)
09:40 - 10:10 "MSRC Exploit Zero Day Response - Case Studies" Greg Galford (Microsoft)
10:10 - 10:40 "Zero-day Exploits in 2006 - the Microsoft Antimalware Team's Perspective" Ziv Mador (Microsoft)
10:40 - 11:10 "Intelligence update: Targeted Trojan Attacks" Alex Shipp (Messagelabs)
11:10 - 11:40 "Web War Games" Dan Hubbard (Websense)
11:40 - 12:10 "Netflow revisited" Barry Raveendran Greene (Cisco)
12:10 - 12:45 Lunch break Got chow?
12:45 - 13:10 "Abusing SPF for a DDoS Amplification Attack - DDoS on DNS" Douglas Otis (Trendmicro)
13:10 - 13:35 "Building and Perfecting an AS-based Reporting System" Randy Vaughn (Baylor) [Q&A with Gadi]
13:35 - 14:00 "Intelligence update: MiTM and Banking Trojan Horses" Christoph Fischer (BFK)
14:00 - 14:25 "Trolling the BotNet Economy" Chris Wee, Oliver Friedrichs (Symantec)
14:00 - 14:25 "DDoS and Botnets: Same as it Ever Was" Jose Nazario (Arbor)
14:25 - 14:50 "Web Server Botnets and Hosting Farms as Attack Platforms" Gadi Evron (Beyond Security)
14:50 - 15:15 "myNetWatchman Octopus - Reach Out and Touch a Spammer" Lawrence Baldwin (myNetWatchman)
15:15 - 15:40 "Innovations in Using DNS as an Early Warning System for Attacks" Paul "Fergie" Ferguson (Trendmicro), Gadi Evron
15:40 - 16:05 "Investigating Phishing Cases: Case Studies" S.A. Andrew Fried (Department of Treasury)
16:05 - 16:30 "Conducting Spam-related Investigation" Don Blumenthal (formerly FTC)
16:30 - 16:55 "SandBox Solutions are NOT the Ultimate Solutions and Can be Beaten: Case Studies" Righard J. Zwienenberg (Norman)
16:55 - 17:20 TBA S.A. Tom Grasso (FBI)
17:20 - 17:45 "Case study: Blackworm - Sinkholing and Analysing the Spread of a Worm from Poisoned IP Data" Coleen Shannon (CAIDA) [Q&A with Gadi]
17:45 - 18:00 "20 Years Worth Of Bygone Days Of Virus Research" Rob Slade (Grandpa Extraordinaire)
18:00 - 18:25 "MS06-040: Exposure and Aftermath - A Case Study" Daniel Schwalbe (Washington EDU)
18:25 - 18:45 "Slaying the Zombie: an .edu Case Study of Bot Detection, Mitigation and Analysis" Curt Wilson (SIU)
18:45 - EOD TBA Roger Thompson (Explabs)

Second day: [mostly] Open Community Discussion
09:00 - 09:05 Preview of the day Gadi Evron (Beyond Security)
09:05 - 09:30 "Lecture: Automatic Detection and Response to Bots and Botnets on ISP Networks" Donald Smith (Qwest)
09:30 - 09:55 "Lecture: Breaking Virtual Keyboards on Banks and eCommerce Sites" Aviram Jenik (Beyond Security)
09:55 - 10:10 APWG spot Dave Jevans (APWG)
10:10 - 10:25 PIRT spot Paul Laudanski (CastleCops PIRT)
10:25 - 10:40 * spot
10:40 - 11:10 "From Botnet to Shutdown and Prosecution: What to Do?" Righard J. Zwienenberg (Norman)
11:10 - 12:10 "Finding Community and Industry Solutions for LEOs: Getting the Bad Guys" Andrew Fried (IRS), Tom Grasso (FBI), Don Blumenthal (formerly FTC), Levi Gundert (Secret Service)
12:10 - 12:45 Lunch break Try Our Mountain Dew
12:45 - 13:30 "The future of Sandbox Technology" Righard J. Zwienenberg (Norman), Carsten Willems, Randy Vaughn (Baylor), Thorsten Holz
13:30 - 14:00 "The Changing Role of Service Providers in the Fight" Danny McPherson (Arbor), Barry Greene (Cisco), Donald Smith (Qwest)
14:00 - 14:30 "Planning Internet-wide Zero Day Response" Gadi Evron, Greg Galford (Microsoft MSRC), Oliver Friedrichs (Symantec), Joe Hartmann (Trendmicro), Barry Greene (Cisco), Randy Abrams (ESET), Jerry Dixon (US-CERT)
14:30 - 15:00 "Creating an updated BCP 38 at the IETF" Paul "Fergie" Ferguson (Trendmicro), Radia Perlman (Sun)
15:00 - 15:30 "Planning an Intelligence War" Gadi Evron (Beyond Security)
15:30 - 16:00 TBA Mike Reavey (Microsoft MSRC Manager)
16:00 - 16:30 "Affecting Change in the Spam War" Lawrence Baldwin (myNetWatchman), Marcus H. Sachs (SRI for DHS S&P, SANS ISC)
16:30 - 16:45 Introducing USENIX HOTBOTS `07 Michael Bailey (UMICH), Evan Cooke (UMICH)
16:45 - 17:00 "Intelligence update: fastflux" A. L.
17:00 - 17:15 Boxing Match (gloves needed!) Gadi Evron (Beyond Security) vs. William Salusky (AOL)
17:15 - 19:00 "Open Community Discussion, and Planning Future Activities" Greg Galford (Microsoft MSRC), Paul Vixie ?? (ISC), Kevin Hong (KrCERT)

The workshop's purpose is to bring together members of the Internet
security operations community at large and DA and MWP specifically, and share
information, as well as plan our future operations.

This ISOI DA Workshop is being hosted by Microsoft Corporation, whom we
would like to thank at this time.

After the workshop, a free-of-charge after-party dinner for attendees will
be sponsored by Trendmicro.

The workshop is organized by the DA and MWP communities with the much
appreciated help of Microsoft, and is open only to members of the
following vetted communities:
DA, MWP (and sister communities such as routesec), OARC, NSP-SEC,
FIRST, MAAWG, the vetted anti-virus groups and the Honeynet Project.

If you are not a member and would like to attend, feel free to send a
request. We would be happy to learn of your interest.
Law enforcement officers who are not members of our communities need
to contact us to arrange their arrival.

Among the attendees are:
Professionals from Internet Service Providers (ISPs), anti-virus vendors,
anti-spam vendors and projects, CERT teams, law enforcement, academia, etc.,
coming together to work on the most recent technology, intelligence and
operations being done online today for the security of the Internet.

The workshop is closed to reporters.

Cost and Registration:
Attendance is free of charge. You must confirm your arrival by December 1st by emailing or the organizer directly.

This workshop's main topic is BotMaster Operational Tactics: the use of
vulnerabilities and 0day exploits in the wild (by spyware, phishing and
botnet operators for their businesses).

Secondary subjects include DDoS, phishing and general botnet subjects.

The call for papers was open to the public. The main subject of
interest was vulnerabilities and 0day exploits used in the wild;
secondary subjects were DDoS, phishing and general botnet subjects.

Submission was simple: email us directly with your topic and some data
to back it up by December 10th, to

CFP is now closed.

Dates: January 25, 2007 and January 26 2007
When: Jan 25 - 9:00 a.m. to 7:00 p.m. and Jan 26 - 9:00 a.m. to 7:00 p.m.
Microsoft Conference Center (MSCC)
16070 N.E. 36th Way, Building 33
Redmond, WA 98052

After-party dinner: Jan 25 - 7:00 p.m.

Ski trip: Jan 27 - All day

This is the second of a series of workshops. The agenda of the first
workshop is located here.

Gadi Evron,
ISOI/DA coordinator and organizer.