ZeekWeek 2022 Schedule of Events
All times are Central time.
12 October 2022 – Day 1 – Training
8:30am - 5:00pm - Training: Intermediate to Zeek - Cluster Edition
The Introduction to Zeek training is aimed at users who have little to no experience with Zeek. We will introduce you to some basic architecture, show you how to run and customize Zeek on the command line, and give some guidance on how to do basic log analysis. This year we will also be teaching about Zeek cluster deployments in production together with all the cluster components, and the new Zeek management framework.
8:30am - 5:00pm - Training: Hands-on Zeek Scripting
In the Hands-on Zeek Scripting training, Aashish Sharma will walk attendees through the fundamentals of Zeek scripting along with some practical exercises. Training will cover scripting basics but will advance through various frameworks such as notice, input, clusterization techniques, etc. The training will comprise some theory on each topic together with hands-on exercises.
11:45am - 1:00pm - Lunch
5:00pm - 6:30pm - Welcome Reception
13 October 2022 – Day 2
9:15am - 9:30am - Welcome & Opening Remarks
9:30am - 10:30am - Keynote: The Evolving Cyber Threat Landscape
The cybersecurity landscape is dynamic, shaped by the capabilities of our tools, our improving analytical skills, and the clever and evasive techniques used by our adversaries. One variable that remains constant is that we win when we work together. Cyber security is a team sport, one that improves with the speed and clarity of our communications.
Wendi Whitmore has been on the front lines of the cyber battlefield both as an Air Force Officer and a corporate leader. She will share lessons she has learned from the stories she has lived through and the key insights she has gained in these roles. She will share the impacts technology improvements have had on investigations, the power of a good analogy, and how sometimes picking up the phone results in learning something you never wanted to know, but cannot ignore.
10:30am - 10:45am - Break
10:45am - 11:15am - Zeek for Windows: The Journey to run on all endpoints
At Microsoft, one of the pillars of Microsoft Defender for Endpoint (MDE) is its Network Detection & Response (NDR) capabilities, which allow device discovery, detection of network-based attacks and response to ongoing cyber-attacks. The NDR agent runs on every onboarded endpoint in the customer’s network and collects information based on incoming and outgoing traffic. This data is processed in the cloud and produces insights that are displayed to the customer (such as Device Inventory, Vulnerability Assessments, alerts, etc.).
One of the challenges we face is the time it takes to deliver new content to our customers’ endpoints. Meanwhile, new cyber-attacks are impacting customers at a growing rate. To overcome this gap, we understood that we need a fast way to deploy new detection logic to our agents, striving to shorten the response time from months to hours. After exploring multiple alternatives, we found Zeek – a mature open-source network detection platform with scripting abilities and numerous built-in dissectors that are already production-ready. Thus, we concluded that for the long term Zeek is a great fit for NDR.
There was only one problem – Zeek isn’t built for Windows!
In order to fully take advantage of Microsoft Defender for Endpoint’s large scale and network visibility, we realized that running Zeek on Windows endpoints is crucial. We needed to take Zeek to uncharted territory and run it in an unprecedented domain – Windows endpoints.
This, naturally, made our goal clear – to create a Windows adaptation for Zeek (AKA porting).
This adaptation, as we planned from the beginning, will be our contribution back to this amazing community.
In this talk, we are going to present the changes we introduced to Zeek in order to adapt it for running on Windows endpoints, the many challenges we faced and insights we learned along the way. To name a few –
- Native compilation of a UNIX-based project with MSVC
- Zeek performance impact on endpoints
- Zeek security implications on Windows
Moreover, we are going to share how integrating with Zeek has transformed our NDR agent and evolved it to become a platform for researchers, empowering them to develop new content independently. Additionally, we’ll talk about how Zeek is bringing us new opportunities for collaboration between products inside Microsoft and out here in the Zeek community.
Elad is a Senior Software Engineer with 7+ years of engineering experience in the cyber-security field, with a specialization in Windows internals, autonomous agents, and scripting engines. Before joining Microsoft, Elad served as a captain in Unit 8200, the IDF’s cyber and intelligence unit, where he was a software engineer and R&D team leader and developed several award-winning projects for one of the unit’s main intelligence operations. At Microsoft, he develops the agent for the Microsoft Defender for Endpoint (MDE) Network Detection and Response (NDR) component. He leads a small feature team of his fellow team members to bring forth the vision of integrating Zeek into NDR and creating the next-generation architecture for NDR.
11:15am - 11:45am - Fun and Games with Zeek Metadata
Interestingly, the Zeek project not only contains the code to build Zeek, but also tools that read the source itself to generate documentation for the project. This package uses these tools to create site-specific docs, so you can know exactly what your installation/configuration will produce. Further, we can create props.conf and transforms.conf files automatically so that Splunk will better understand the logs. Next up is to extend this to auto-generation of Avro schemas to aid Hadoop (and other) ingest pipelines.
Steve Smoot has been in and out of open source since coding for his Computer Science PhD at UC Berkeley in the 1990s and has been working in networking since 2000. Presently he is Corelight’s VP of Customer Success, where he focuses on building technical teams to enable Customers to achieve their goals with Zeek. Formerly, he played a catalytic role at Riverbed, scaling from 10 to 2600 people, and before that brought the FastForward Networks technology and how-to to Europe for Inktomi. Previously, he developed video compression technology that enables the video streams we all watch every night. Dr. Smoot is a graduate of MIT and holds a PhD in Computer Science from the University of California at Berkeley.
11:45am - 12:00pm - Lightning Talk
12:00pm - 1:15pm - Lunch
1:15pm - 1:45pm - "Zero Trust, and verify" - Zeek
In this talk we highlight how Zeek can play a crucial role in enabling various tenets of Zero Trust. We start by looking at the fundamental design goals of Zeek itself, from a time when Zero Trust was not even a buzzword. We further discuss Zero Trust security models – specifically the Networking Pillar – and how Zeek can facilitate the Zero Trust postures of visibility, automation and analytics. At the end of this talk we focus on Zeek’s challenges in an optimal Zero Trust implementation and discuss possible solutions.
1:45pm - 2:15pm - CatchM3ifuKan - Detecting Command-and-Control Techniques Up and Down the Networking Stack with Streaming Statistical and Machine Learning Techniques
In this talk we hypothesize that, to evade detection, advanced attackers utilize the entirety of the networking stack. As a Data Science research team we introduce the paradigm of Online/Incremental Machine Learning to aid with timely detection. Based on research, we highlight areas of malicious command-and-control that have a high potential for anomaly-based / outlier detection. Some real-world examples from recent investigations are presented. The talk also discusses the benefits and limitations of expert systems in integrating Machine Learning and statistical techniques into effective detection logic on Zeek data.
Matti is a Senior Data Scientist at NCC Group. He enjoys researching Applied Mathematics and identifying how that can be helpful to challenges in offensive and defensive cyber security, as well as wider societal challenges.
Ruud is a Senior Data Scientist at Fox-IT, part of NCC Group. He uses his experience with Machine Learning and statistics to create detection capabilities where signatures are not sufficient and is part of the team that provides real-time ML detection on network traffic for Fox-IT.
Joost is a Data Scientist at Fox-IT, part of NCC Group. Joost enjoys forensic analysis, CTFs and winning at table football.
2:15pm - 2:45pm - An Intro to the Management Framework
Zeek 5 introduces the Management framework, a new approach to managing Zeek clusters. The framework builds on Zeek’s Cluster and Supervisor frameworks, and will replace zeekctl over the course of the next releases. This talk will cover the framework’s goals and architecture, demo its current abilities, cover limitations, and outline the roadmap for the next releases.
Christian works at Corelight, where he’s currently dedicating all his time to open-source Zeek. Prior to Corelight, he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds a PhD from the University of Cambridge.
2:45pm - 3:00pm - Break
3:00pm - 3:15pm - Lightning Talk
3:15pm - 3:45pm - Lessons Learned: Two Years of Developing Parsers for Industrial Control Systems Protocol
By Seth Grover, Cybersecurity Researcher, Idaho Lab
The Industrial Control Systems Network Protocol Parsers (ICSNPP) project is an ongoing endeavor of cybersecurity researchers supporting DHS CISA at Idaho National Laboratory for about two years. Since its initial commits to GitHub in January 2021 we’ve developed eight “from scratch” ICS protocol parsers for the Zeek network security framework, extended the logging capabilities of Zeek’s default Modbus and DNP3 parsers, released an LDAP parser (thanks to some resurrected old BinPAC++/Hilti proof-of-concept code and the great work of the Spicy development team and others in the Zeek community) and submitted nearly 30 PRs to third-party Zeek plugin repositories to make them compatible with the latest releases of Zeek. This presentation will cover how we approach developing new Zeek protocol analyzers and how we’ve addressed the challenges we’ve encountered.
Speaker Bio
Seth Grover is a software engineer in cybersecurity R&D with eighteen years of experience in SIEM and other security-related network traffic analysis technologies. An Idaho native, Seth has worked at Idaho National Lab since 2018, much of which has been focused on the creation and development of Malcolm, an open-source network traffic analysis tool suite providing visibility into OT network communications.
3:45pm - 4:15pm - Automated Bug Finding with Fuzzers, with Special Guest OSS-Fuzz
By Tim Wojtulewicz, Senior Software Engineer, Corelight
Automated fuzzing enables software developers to find bugs that would otherwise be very difficult to discover and fix manually. In this talk, I’ll be discussing how the Zeek project uses Google’s OSS-Fuzz system to surface these bugs, and how we’re fixing the issues it exposes.
Tim is a software engineer at Corelight, working on the core of Zeek on a daily basis. He likes to describe his job as “taking things apart and putting them back together again in better ways.”
4:15pm - 4:30pm - Closing Remarks
14 October 2022 – Day 3
9:15am - 9:30am - Welcome & Opening Remarks
9:30am - 10:30am - Keynote: Building Killbot-Killing-Killbots for Fun and ?Profit?
By Nicholas Weaver, Researcher, ICSI and Chief Mad Scientist (+CEO, + Janitor) of Skerry Technologies
On one hand, small drones are cool and incredibly capable, and autonomous abilities greatly increase their utility. On the other hand, this also makes them very scary, as they represent a substantial security threat. And on the gripping hand, probably the best tool to stop a small autonomous drone is yet another small autonomous drone.
But really, how easy is it to do small autonomous drones? What can you do with them?
Over the past few months I’ve started a small one-man startup intent on building small, human-safe, vision-based, low-cost, and fully autonomous drones based on what was previously a side project. And writing grant applications to fund things. I’ll talk hardware design, 3D printing, machine vision, supply chain issues, fun with Banggood, and multiple possible applications ranging from chasing away pest birds to the aforementioned killbot-killing-killbots.
10:30am - 10:45am - Break
10:45am - 11:15am - Filtering logs like a pro
Zeek logs can often be overwhelming. Fortunately, the Zeek logging framework provides a ton of ways to reduce the amount of data being logged. You can route uninteresting log lines to different files, or drop them entirely. You can create separate log streams containing a small subset of particularly interesting logs. You can exclude individual fields in large logs if you don’t make use of them. You can do all of this dynamically using all the capabilities of the Zeek scripting language.
11:15am - 12:00pm - Zeek for Endpoint: Detection and Device Discovery
By Boaz Wasserman, Senior Security Researcher, Microsoft
At Microsoft, we have created a modified version of Zeek that can run natively on Windows machines, both workstations and servers. Developing this modified version has allowed us to unlock critical capabilities for network based malicious activity detections as well as network based device discovery.
Zeek was chosen out of several different possibilities thanks to it being robust and easily extensible, and having a lot of mileage and community content. Zeek on Windows can easily be deployed automatically on a large number of machines without needing to change any network configuration. This attribute provides visibility into intra-subnet communication and avoids the need to deploy a centralized network tap, which requires additional hardware, configuration, and maintenance. Zeek provides great value by itself thanks to its session-aware telemetry, which is a significant upgrade over single-packet telemetry when it comes to device discovery and detection.
Moreover, the preexisting community content gave Zeek a huge benefit as there are many dissectors and scripts that we could start using from day one.
In this talk, we are going to present how we leveraged the ability to run Zeek on most Windows endpoints in an organization to significantly improve the device discovery and detection value we get from network-based telemetry. Using already available protocol dissectors, we were able to quickly integrate NTLM, FTP and SSH traffic processing, and perform passive device discovery on top of it. Moreover, we will present our usage of both community-based detection scripts (for example, PrintNightmare) and proprietary detection logic based on raw telemetry. We will present the Zeek script modifications we have made to make sure they suit our needs of providing telemetry that can be used for device discovery as well as detection. We will also give a few examples of detection and device discovery logic that could be implemented over the modified telemetry.
Boaz brings over 9 years of experience in cyber security research, cyber operations, and incident response. Before joining Microsoft, Boaz served as a lieutenant in Unit 8200, the IDF’s cyber and intelligence unit, and led a team of cyber research and analytics experts for some of the IDF’s most groundbreaking intelligence projects. Following his discharge from the army, Boaz spent over two years “in the trenches” leading high-profile incident response engagements. At Microsoft, he develops detections for the Microsoft Defender for Endpoint (MDE) Network Detection and Response (NDR) component as well as IoT and endpoint device discovery and classification mechanisms.
12:00pm - 1:15pm - Lunch
1:15pm - 1:45pm - Network Tapping for Zeek
By Michael Smitasin, Systems Security Architect, Lawrence Berkeley Labs
Visibility into a network can be crucial for both intrusion detection and troubleshooting, but doing so in modern Research & Education networks with many 40G, 100G and future 400G links is challenging. Where should you tap? What hardware is available? How should it be configured?
Berkeley Lab has been running Zeek/Bro since 1994 and we’ve used various forms of taps and tap aggregation since. This talk dives into our current configuration of tapping both at our border and throughout our internal network as we strive for pervasive visibility in a Zero Trust environment with more than 3Tbps of tapped link capacity.
This is a technical talk aimed at cyber security and network engineers who wish to deploy taps and tap aggregation to feed Zeek. It looks at the concepts of tapping, example hardware options and minimum configurations, static and dynamic ACLing, limitations of specific hardware, tap placement strategy in an R&E campus network for internal visibility, link aggregation for load balancing to Zeek clusters, and ends with Zeek cluster configuration under both FreeBSD and Linux. For the purposes of time, it may gloss over certain details while leaving pointers for the audience to pursue on their own.
Speaker Bio
Michael Smitasin is a cyber security engineer at the Lawrence Berkeley National Laboratory. Previously a network engineer, his current work focuses on open network security architecture, tap aggregation and large-scale blocking.
1:45pm - 2:15pm - Zeek known services classification - ZTA edition
By Fatema Bannat Wala, Security Engineer, ESnet
With the advent of the new Zero Trust mandate, one of its aspects is to monitor the outbound traffic and services used by an enterprise. Zeek by default comes with known-services detection for hosts internal to a network, which works great for fine-tuning inbound network traffic based on the services allowed on the network. This presentation talks about a zkg package that we wrote to detect known services on the internet that our network connects to, so that we can do egress traffic filtering and fine-tune the allowed outbound connections from our network.
2:15pm - 2:45pm - Practical GAN-based Synthetic IP Header Trace Generation using NetShare
By Yucheng Yin, PhD student/CMU
We explore the feasibility of using Generative Adversarial Networks (GANs) to automatically learn generative models to generate synthetic packet- and flow-header traces for networking tasks (e.g., telemetry, anomaly detection, provisioning). We identify key fidelity, scalability, and privacy challenges and tradeoffs in existing GAN-based approaches. By synthesizing domain-specific insights with recent advances in machine learning and privacy, we identify design choices to tackle these challenges. Building on these insights, we develop an end-to-end framework, NetShare. We evaluate NetShare on six diverse packet header traces and find that: (1) across distributional metrics and traces, it achieves 46% more accuracy than baselines, and (2) it meets users’ requirements of downstream tasks in evaluating accuracy and rank ordering of candidate approaches.
Building on top of the insights from PCAP and NetFlow, NetShare could serve as an efficient tool to share sensitive Zeek logs, which could help researchers and developers develop more robust and accurate models with access to a broader set of data.
Yucheng Yin is a Ph.D. student in Electrical and Computer Engineering at CMU and CyLab, advised by Prof. Vyas Sekar and Prof. Giulia Fanti. His research interests include the application of machine learning (especially Generative Adversarial Networks, or GANs) to networking, security, and systems. His work has appeared at several top venues such as ACM SIGCOMM, USENIX Security, and NDSS. Prior to joining CMU, he received a dual bachelor’s degree from Shanghai Jiao Tong University (ECE) and the University of Michigan (CS).
2:45pm - 3:00pm - Break
3:00pm - 3:30pm - What the Metadata?
By Stan Kiefer, Security Product Researcher, Corelight
Traditionally, network identifiers such as IP and MAC addresses are fairly constant and can easily be attributed back to a specific host at a specific location at a given time. In the cloud, this level of consistency does not exist, complicating incident investigation.
In cloud or container environments, the layer 3 portion of networking is, in most cases, abstracted away from the higher-level tasks of running workloads or presenting data. Because of this abstraction, when Zeek logs are collected for cloud or container network environments, attribution is much more difficult for users of the logs to obtain. The log users would need to know which instance, host, pod, container, etc. had the IP address seen within the logs at the exact time the log was created. In most cloud environments, this simply is not tracked due to the abstracted nature of the solutions. In this talk, we will walk the audience through the traditional look/feel of network data and the void we believe exists in that same data when taken from cloud or container solutions, then close the gap by showing the enriched log data and explaining how the enriched logs could be used by a network admin, incident responder or threat hunter. We will demonstrate how we took real-time metadata from several cloud capabilities (K8s, AWS, and Docker) and enriched the Zeek logs in each.
Speaker Bio
Stan is a Product Researcher at Corelight, focusing on rapid prototyping of security solutions. Previously he worked for Symantec Corporation leading their cybersecurity simulation capabilities leveraging cloud infrastructure. Stan also served in the US Air Force for 12 years, working inside information security and intelligence organizations.
3:30pm - 3:45pm - Lightning Talk
3:45pm - 4:00pm - Lightning Talk
4:00pm - 4:30pm - The State of the Zeek Project (Roadmap and Community)
By Dr. Kelley Misata, Senior Director of Open Source, Corelight, and Christian Kreibich, Technical Lead, Corelight