vZW21 – Day 2 – User/SOC Professional Track

vZeekWeek 2021 – Day 2 – SOC Professional / Zeek User Track


(Please note all times are Pacific Time)

9:00am – 9:10am  Welcome & Open Remarks

(Talk 1)

Keith Lehigh
9:10am – 9:40am Keynote

(Talk 2)

David Monnier
9:40am – 10:00am  DNS and Spoofed traffic investigation with Zeek

(Talk 3)

Fatema Bannat Wala
It always starts with some weird that I am trying to investigate. This time it was related to the DNS weirds that triggered in the weird.log file that Zeek generates. Some investigations led to the new DNS RR type parsing support in Zeek 4.0, and a few led to some interesting traffic investigation that resulted in writing a new spoofed traffic detection Zeek package. This talk is going to present the above-mentioned investigations of DNS-related weirds that got triggered in ESnet’s production Zeek cluster and how we investigated the same.
10:00am – 10:20am  Using a Forest to Explore the Logs: Automation, Analytics and AI with Zeek Logs at UC Davis.

(Talk 4)

Jeff Rowe
Cyber-security operations at a large public university are a challenge due to open access policies and the volume and variety of information flows that result. Network data collection at the campus border is a foundational capability supporting a variety of university SecOps workflows, but making sense out of large volumes of Zeek network traffic logs is daunting. The UC Davis SOC has developed and deployed automation, analytics and AI to leverage the power of these logs, managing alerts, classifying problematic data flows, and identifying evolving threats specific to UC Davis. We automate alert management by filtering and correlating across Zeek log streams to create investigation packages. These include all data, occurring before and after the alert, that are relevant to alert dispensation. We employ the isolation forest machine learning algorithm to detect unusual behavior hidden in encrypted data flows. This generates alerts for anomalous outbound SSL, RDP and SSH connections from the Zeek conn log, which has successfully identified serious security incidents. We have also developed a novel threat intelligence generation process that identifies threat indicators specific to UC Davis. Our Zeek intel logs average 1 million alerts per day; we build a fully tuned random forest model from these data to learn a UC Davis-specific threat profile which has produced highly accurate classification results, and practical, actionable security alerts.
10:20am – 10:40am  BREAK
10:40am – 11:00am BadRandom: A Survey of TLS Implementations

(Talk 5)

James Hughes
The security of encrypted internet traffic forms a critical part of global commerce today, from social media to business banking. It is critical to know if these protocols, algorithms, and implementations are indeed secure. If a device is not following the TLS protocol or cannot create secure random numbers, the proof of security does not apply, and this could be catastrophic to the security of the user.

We collected and analyzed the Client and Server Hello Random values from two billion TLS connections. We found implementations that admit not following the specification, implementations that do not seem to care, and other unknown implementations with low entropy. Theory states, and the proof of security of TLS assumes, that we should have seen a single repeated value with probability 10^{-50}. We found more than 20,000.

The takeaway from this research is twofold. First, we need a broader community to help find these devices; second, in the long term, the cryptographic community needs to create provable deterministic protocols that only work when implemented correctly.
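The two defects the abstract above describes, exact repeats of a Hello random across connections and randoms that carry less than 256 bits of entropy, can both be checked from captured handshakes. The following Python is an added example, not code from the talk or from Zeek: it parses the 32-byte random out of a TLS record carrying a ClientHello, then flags repeats, randoms whose first four bytes decode to a plausible gmt_unix_time (the TLS 1.0/1.1 convention, which removes 32 bits of entropy), and randoms made of a single repeated byte. The sample records, the timestamp window and the degenerate-byte heuristic are constructed for illustration and are not findings from the survey.

```python
import struct
from collections import Counter


def client_hello_random(record: bytes) -> bytes:
    """Extract the 32-byte random from a TLS record that carries a ClientHello.

    Wire layout (RFC 5246 / RFC 8446): 5-byte record header (content type 0x16,
    legacy version, 2-byte length), 4-byte handshake header (msg type 0x01,
    3-byte length), 2-byte client_version, then the 32-byte random.
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short to hold a ClientHello random")
    if record[0] != 0x16:
        raise ValueError("content type %#x is not handshake" % record[0])
    rec_len = struct.unpack("!H", record[3:5])[0]
    if 5 + rec_len > len(record):
        raise ValueError("record length exceeds captured bytes")
    if record[5] != 0x01:
        raise ValueError("handshake type %#x is not ClientHello" % record[5])
    return record[11:43]


def build_client_hello(random32: bytes) -> bytes:
    """Constructed test input only: a ClientHello carrying the given random,
    an empty session id and no cipher suites or extensions (not a full hello)."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    body = b"\x03\x03" + random32 + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def looks_like_unix_time(random32: bytes, lo: int = 946684800, hi: int = 4102444800) -> bool:
    """True if the first four bytes decode to a plausible gmt_unix_time.
    Window (assumed here): 2000-01-01 .. 2100-01-01 UTC."""
    return lo <= struct.unpack("!I", random32[:4])[0] <= hi


def is_degenerate(random32: bytes) -> bool:
    """True if every byte is identical (e.g. all zeros): no entropy at all."""
    return len(set(random32)) == 1


def analyze_randoms(records):
    """Run the checks over captured records and summarise the issues found."""
    randoms = []
    malformed = 0
    for rec in records:
        try:
            randoms.append(client_hello_random(rec))
        except ValueError:
            malformed += 1  # not a ClientHello (or truncated); skipped, not counted
    counts = Counter(randoms)
    return {
        "total": len(randoms),
        "malformed": malformed,
        "repeated": {r.hex(): n for r, n in counts.items() if n > 1},
        "timestamp_prefixed": sum(1 for r in randoms if looks_like_unix_time(r)),
        "degenerate": sum(1 for r in randoms if is_degenerate(r)),
    }


# Constructed sample: five hellos (one random appears twice, one is timestamp-
# prefixed, one is all zeros) plus one application-data record that is skipped.
SAMPLE_RECORDS = [
    build_client_hello(bytes(range(32))),
    build_client_hello(bytes(range(32))),                               # exact repeat
    build_client_hello(struct.pack("!I", 1633046400) + b"\x5a" * 28),  # 2021-10-01 prefix
    build_client_hello(b"\x00" * 32),                                   # degenerate
    build_client_hello(b"\xff" * 4 + bytes(range(28))),                # healthy-looking
    b"\x17\x03\x03\x00\x05hello",                                        # not a handshake
]

if __name__ == "__main__":
    print(analyze_randoms(SAMPLE_RECORDS))
```

On real traffic the records would come from a capture rather than `SAMPLE_RECORDS`; the repeat check is only meaningful across many connections and hosts, since a single client legitimately reusing a random is exactly the failure the survey is hunting for.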

11:00am – 11:20am Investigating Remote Desktop Protocol attacks using the Zeek observatory at UIUC/NCSA.

(Talk 6)

Phuong Cao
This talk describes the landscape of attacks targeting the Remote Desktop Protocol (RDP), the most popular protocol for remotely working with Windows systems. As a case study, we use deployed Zeek instances at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign as an observatory of such attacks. Our goal is to study the full spectrum of RDP-related attacks, such as probing for RDP ports, brute-force password guessing, targeted account takeover, and abusing RDP for amplification denial-of-service attacks. Our dataset includes a year of RDP logs, including IP addresses, usernames/passwords, cookies, and encryption methods of RDP connections. The method of analysis is trend analysis and statistical hypothesis testing. Our results include identification of RDP botnets using automated scans, and manual (targeted) attack attempts likely carried out by humans.
11:20am – 11:40am A Better Way to Capture Packets with DPDK

(Talk 7)

Vlad Grigorescu

Scott Campbell

Ask grizzled Zeek users how to capture packets, and you’ll get endless suggestions, myths, and magic. Some swear by commodity cards with AF_PACKET or PF_RING, others use Myricom or more specialized NICs. For the past decade, Intel has been hard at work on DPDK — a mature framework for developing high performance network applications. We’re releasing a Zeek plugin which provides a DPDK packet source, with similar functionality as the current AF_PACKET plugin.

We’ll present a performance comparison of two systems running identical hardware and scripts analyzing the same traffic. We’ll give an overview of the tight integration between the DPDK plugin and Zeek scripts, allowing you to ditch ethtool and change settings directly from Zeek. Finally we will provide a roadmap for the planned set of future capabilities.

As part of this work, we’ve also developed some scripts for systematically testing flow load-balancing on TapAgg and NICs. We’ll be releasing these as well, enabling users to check their current setup for correctness.

11:40am – 12:00pm  Details for DPDK plugin development and performance measurement

(Talk 8)

Vlad Grigorescu 

Scott Campbell 

This talk will provide some background information about the development of our DPDK plugin as well as some details on performance measurement of it as compared to similar interface capture systems. The talk will focus on three major topics:

     * Information about the differences between the DPDK and AF_PACKET data paths, functions, and configuration/control.

     * Performance measurements and methodologies.

     * Design philosophy and our roadmap for functionality.

12:00pm – 12:30pm

12:30pm – 12:50pm  Kerberos-haters’ guide to Zeek Threat Hunting

(Talk 9)

Nick Turley
Kerberos is pervasive, powerful, and complicated. The old joke is: “I went to explain Kerberos to someone, and we both walked away not understanding it”. When threat hunting with Zeek, the Kerberos protocol analyzer is an extremely powerful, yet often underutilized source of data for institutional threat hunting. In this session, we will discuss how to leverage Zeek to understand Active Directory and other Kerberos environments, enrich your Kerberos data with the powerful Zeek input framework, break down some of the mysteries of Kerberos and help you feel empowered to find new threats in your environment.


12:50pm – 1:10pm  Stop missing critical data – How to architect in Hybrid architectures

(Talk 10)

James Mandelbaum 
In this hybrid world, how do you architect a solution that does not leave blind spots for bad guys to hide in the shadows? In this session I will cover the basics of Taps, Aggregation and Packet Brokers. We will show how not only the physical but also the virtual world can be accessed, so you can feed your sensors the relevant data and discard the noise.

This will be an unbiased view of what’s available to you out of the box and what you can do with third-party tools. You will learn why a Tap is the best option in most cases, but also how SPANs are still relevant.

We always say you can’t protect what you can’t see… but how do you know what you’re not seeing?

1:10pm – 1:30pm  PacketTotal – A Community Service for Zeek-Based PCAP Analysis

(Talk 11)

Jamin Becker
PacketTotal is a free cloud service based on Zeek and Suricata for static packet-capture (PCAP) analysis. The service equips cybersecurity researchers and analysts with a database of over 100,000 indexed PCAP samples uploaded by the security community for contextualizing malicious network behaviors and cybersecurity alerts.

Originally created in 2017 by Jamin Becker, PacketTotal has thrived as a free PCAP exchange platform. Thousands of cyber analysts and network operators use PacketTotal’s services each month and contribute to its constantly growing PCAP repository. The solution facilitates the community sharing of malicious traffic detonated within lab environments to search for indicators of compromise, download the corresponding network traffic, and see examples of how malware communicates across a variety of environments.

Open-source Zeek is at the heart of PacketTotal’s data engine for extracting analytic PCAP metadata, such as connection records, application-layer transcripts, and artifacts. The richness of Zeek metadata is a key enabler of PacketTotal’s emerging search API, allowing users to:

1.) Find PCAPs containing any domain name, IP address, malware strain, or protocol used.

2.) Upload and quickly identify PCAPs with similar behavior or contents.

3.) Discover relationships between PCAPs and identify common malicious techniques.

During this talk, I will demonstrate how PacketTotal uses Zeek to extract evidence relevant to security investigations, and how it can be integrated into security processes through the open-source SDK. I will also highlight some of the technical architecture decisions pertaining to the nuances of Zeek implementation.

1:30pm – 1:50pm Zeek the truth, in the Cloud

(Talk 12)

Adam Pumphrey
The move from traditional on-premises networks to the cloud has been underway for well over a decade. In recent years, this transition has gained momentum with a new era of remote work and telecommuting emerging and forcing organizations to rethink how they do business and how their employees perform their jobs. While not new, the increasing popularity of remote work has drawn more attention to the cloud and cloud security risks. Threat actors are taking advantage of security control weaknesses and lax security practices to attack cloud services and their customers. Thankfully, tools like Zeek are around to help address such problems. In this talk I’ll delve into this and how deploying Zeek in the cloud can help address one of the largest risks organizations face when moving to the cloud: a lack of visibility. VPC Traffic Mirroring and similar services leverage the software-defined network itself for packet acquisition, which is also a profound enhancement for cloud network defenders. I’ll describe VPC Traffic Mirroring, how it’s configured and deployed, and how it is easily integrated with Zeek. Finally, I’ll wrap up by highlighting several other advantages gained by deploying Zeek in cloud environments.
1:50pm – 2:00pm Wrap-up

(Talk 13)