Schedule

Zeek Week 2024 has been cancelled.

Please see this post for more details. Most accepted talks will be given as webinars instead – please see our webinars page for more information.

ZeekWeek 2024 Schedule

List of currently accepted talks.

Talks (August 13th & 14th 2024):

Parsnip: Lowering the Barrier of Entry for Parser Development

Speaker: Melanie Pierce, Idaho National Laboratory

Abstract:

Spicy and BinPAC are robust languages that greatly aid developers in crafting protocol analyzers for Zeek. Spicy, in particular, has streamlined the process significantly over its predecessor, BinPAC, making it less daunting to develop network protocol analyzers. Yet mastering even Spicy's simpler syntax and tools still demands a considerable investment of time and effort. For seasoned developers who regularly build protocol analyzers, this is hardly a deterrent, as they can fully utilize the sophisticated capabilities of these languages. However, this complexity can deter others from attempting to build analyzers.

To address this challenge, the Cybersecurity & Infrastructure Security Agency (CISA) partnered with Idaho National Laboratory to develop and introduce Parsnip. This project aims to lower the entry barrier to creating analyzers by utilizing more accessible tools like a Graphical User Interface (GUI) and JSON. Parsnip provides a practical solution that covers 80-90% of the needs for an analyzer, which can either suffice in many scenarios or be refined further by a Spicy expert. 

This presentation will serve as a technical overview of the Parsnip project and its components.

Bio:

Melanie is a Cybersecurity Analyst at Idaho National Laboratory (INL). She joined INL in 2022. Melanie has a bachelor’s degree in Cybersecurity from Brigham Young University and is currently pursuing her master’s degree in computer science from Johns Hopkins University. After joining INL, Melanie became involved in the efforts to secure critical infrastructure networks through the ICSNPP project and the Malcolm project. With the ICSNPP (Industrial Control Systems Network Protocol Parsers) project, Melanie develops Zeek parsers in Spicy and BinPAC to provide further visibility into critical infrastructure networks. These protocol parsers are incorporated into the Malcolm tool suite. Melanie is passionate about simplifying security. Cybersecurity doesn’t need to be expensive or complicated. Melanie loves finding creative solutions that make a basic security posture reachable, even for smaller industries. Melanie is a strong believer in open-source software that benefits the entire community and wants to contribute to lasting impacts in critical infrastructure security.

How to visualize OT/ICS networks for security measures

Speakers: Jiajian Zheng, Jia Wang, NTT Communications

Abstract:

OT (Operational Technology) / ICS (Industrial Control Systems) are specialized computing systems used to manage, monitor, and control physical devices, processes, and infrastructure in industries such as manufacturing, energy, transportation, and public works. 

Ensuring the normal and safe operation of OT/ICS is of paramount importance, since the interruption of an OT/ICS by a cyberattack may halt a production line, resulting in delays in product delivery and substantial financial losses. However, because system availability must be preserved, deploying EDR or updating operating systems and software packages in OT/ICS cannot be done the same way as in IT systems. Thus, we aim to visualize and manage OT/ICS by leveraging Zeek, using a method that does not touch the OT system itself but instead works from mirrored communication data between OT devices.

There are two major challenges. First, communication between OT/ICS devices relies on proprietary protocols that vary by manufacturer, and Zeek either lacks support for these diverse OT/ICS protocols or does not provide sufficient log information for them. Second, even once a parser has been implemented, a considerable obstacle remains in the absence of PCAP files with which to verify the accuracy of the parser.

This presentation introduces the process of implementing an analyzer for CC-Link, the dominant protocol used by PLCs in Japan, and shows visualizations of the OT/ICS network built from the generated log data. Lastly, it clarifies the types of security problems that can be addressed by this strategy.

Bio:

Jiajian Zheng: 

Jiajian Zheng is currently working as a development engineer at NTT Communications. He received his B.E. and M.E. in Computer and Network Engineering from The University of Electro-Communications in 2019 and 2021. In 2021, he joined NTT Communications, where he works on the development of OT/ICS security.

Helen: 

Jia Wang received her M.I. degree in Informatics from Yokohama National University, Japan. She was honored with the Best Presentation Award at the 6th International Conference on Cryptography, Security, and Privacy in 2022. She is currently working as a development engineer at NTT Communications. Her professional interests encompass network monitoring, IT/OT security, and blockchain security.

Zeek File Extraction and Automating Malware Analysis

Speaker: Seth Grover, Idaho National Lab

Abstract:

Zeek’s file analysis framework allows files transferred in observed network traffic to be extracted to disk, but what next? This presentation will cover how Malcolm (https://cisagov.github.io/Malcolm) uses Zeek’s file extraction capability, from configuring which files to extract to performing automated analysis of extracted files using open-source tools like YARA, capa, and ClamAV.

Bio:

Seth Grover is a software developer with twenty years of experience in cybersecurity-related network traffic analysis technologies. Much of Seth’s six years at the Idaho National Lab has been spent focused on the creation and development of Malcolm, an open source network traffic analysis tool suite providing visibility into IT and OT network communications. He accepted a seat on the Zeek LT in 2023. Seth and his wife Andrea are the proud parents of four daughters, a yellow lab named Peach, and a tuxedo cat named Toad.

Zeek and "Ye Shall SEE"

Speaker: Christopher “BigBiz” Brown, Corelight

Abstract:

It’s long past time to re-think widgets, traditional dashboards and graphics that go heavy on eye candy and shallow in meaning – what would Zeek data look like while ransomware is moving laterally? What would an observability team expect to see if their servers were hijacked? What would application performance monitoring specialists NEED to SEE from load-balancer or content distribution network misconfigurations that result in lost revenue for an organization? Can Zeek drive meaningful visuals? YES, and SEE’ING is believing!

Bio:

Chris “BigBiz” Brown might be over half a century old, but for over 75% of that time he has been a seasoned Instructor & Consultant. His path has led him to Corelight, and he has a passion for training, knowledge transfer & working with customers to always strive for the “WOW” with their defense, detection & protection products and platforms. He is also currently an InfoSec SME and DoD Academy Instructor for Focal-Point Federal/CDW, which specializes in cyber protection & mission defense team training. Prior to Corelight, he was with Focal-Point Federal and Focal-Point Academy. He has delivered training & Professional Services for organizations such as Elastic, Exabeam, LogRhythm, Mandiant & FireEye, Northrop Grumman, ArcSight and Raytheon.

Flow-sensitive optimizations for Spicy

Speaker: Benjamin Bannier (Corelight)

Abstract:

Since spicy-1.2 we have used basic optimization passes to remove both unneeded parser features and unreachable code. This helped reduce both analyzer compilation time and unwarranted analyzer work at runtime. The limitation of these passes was that they were not flow-sensitive, and so left many optimization opportunities on the table. This talk gives an update on the development of flow-sensitive optimizer passes for Spicy.

Bio:

Benjamin works as a Senior Open Source Developer at Corelight where he spends most of his time on Spicy and its integration into the Zeek ecosystem. He previously worked on containerization and workload orchestration with Apache Mesos, and distributed columnar data stores. He holds a PhD in Physics from Stony Brook University.

It Was The Best of Times, It Was The Worst of Times - AI & Zeek

Speakers: Stan Kiefer, Vince Stoffer (Corelight)

Abstract:

This talk explores the integration of artificial intelligence (AI) models, particularly chat and completion models like GPT-4 from OpenAI, with Zeek. Supported by extensive testing, this talk focuses on the potential synergies between these seemingly disparate technologies. It identifies three key areas where AI integration with Zeek shows promise: generating natural language summaries from Zeek data, identifying attack patterns within Zeek data, and enhancing the security applicability of Zeek-generated data. The talk will also look at some limitations encountered, such as using AI for coding assistance specific to Zeek scripting and Splunk queries, and propose avenues for further research and development. Overall, the talk underscores the potential and challenges of integrating AI models with Zeek, aiming to advance network security analysis and further the use of Zeek within the network security space.

Bio:

Stan Kiefer is a Senior Product Researcher at Corelight, focusing on rapid prototyping security solutions. Previously he worked for Symantec Corporation leading their cybersecurity simulation capabilities leveraging cloud infrastructure. Stan also served in the US Air Force for 12 years working inside information security and intelligence organizations. He holds a BS in Computer Science from the University of West Florida.

Vincent Stoffer is a Senior Director of Products at Corelight. As the primary product champion, Vince brings the sales, success, and engineering teams together to deliver world-class security products to Corelight customers. Vince previously held security engineering and network management positions at Lawrence Berkeley National Laboratory. Before LBNL, Vince was the network security engineer at Reed College. He attended Pitzer College in Claremont, CA, graduated with a BA in Humanities from the University of Oregon, and he holds the CISSP, GCIH, and GCIA certifications. 

Trainings (August 15th 2024):

    9:00am – 5:00pm – Training: Intermediate to Zeek

    By Keith Lehigh, Christian Kreibich, Fatema Bannat Wala

    The Introduction to Zeek training is aimed at users who have little to no experience with Zeek. We will introduce you to some basic architecture, show you how to run and customize Zeek on the command line, and give some guidance on how to do basic log analysis. This year we will also be teaching about Zeek cluster deployments in production together with all the cluster components, and the new Zeek management framework.

    Speaker Bios:

    Fatema Bannat Wala is a Security Engineer at ESnet, where her responsibilities include monitoring network traffic for intrusions, incident response, threat hunting, and deploying and managing various security services. She held prior roles in security research and software engineering and holds the CISSP certification together with the GCIA, GPEN, GCIH and GCDA certifications. She enjoys participating in various knowledge-sharing gatherings and has given talks at BSidesDE, BroCons, ZeekWeeks, Internet2 TechEx, Educause SPC, and many more. She is also a member of the SANS/GIAC Advisory Board.

    Christian Kreibich is the technical lead of the Zeek project. He works at Corelight, where he’s a Principal Engineer. He previously spent 5 years heading the networking group at Lastline, and prior to that spent 5 years as a research scientist at the International Computer Science Institute in Berkeley. He has served on the advisory board of the Open Information Security Foundation, and holds a PhD from the University of Cambridge’s Systems Research Group. He still rides skateboards, which recently earned him a busted rotator cuff.

    Keith Lehigh is an Information Security Officer at the University of Colorado performing a range of information security roles for the System division. He has been involved in the Zeek community for 15 years, serving on the Leadership Team and providing training to a range of audiences.

    9:00am – 5:00pm – Training: Spicy

    By Benjamin Bannier

    This training is intended to build and enhance your understanding of, and proficiency with, the Spicy parser generator. The material primarily targets a technical audience, but is open to anyone.

    Topics:

    • Basics of programming and parsing with Spicy
    • Working with the Spicy documentation
    • Using Spicy to create Zeek analyzers

    Prerequisites:

    • Familiarity with a programming/scripting language
    • Basic familiarity with Zeek and its event model

    Speaker Bio:

    Benjamin Bannier works as a Senior Open Source Developer at Corelight where he spends most of his time maintaining and evolving Spicy and its integration into the Zeek ecosystem. He previously worked on containerization and workload orchestration with Apache Mesos, and distributed columnar data stores. He holds a PhD in Physics from Stony Brook University.