Welcome and Introduction

Adam Slagell will kickoff BroCon with a brief update on the status of The Bro Project, The Bro Center of Expertise, and Bro’s long partnership with the National Science Foundation.

Keynote Address

Vern Paxson will deliver the keynote address: Reflecting on Twenty Years of Bro.

Speaker Bio: Vern has worked on the Bro Project for as long as it was possible.

Hunting Through RDP Data

A key step of incident investigation is determining how, when, and where an attacker has moved throughout your network. One of the most accessible ways for attackers to do this is through remote desktop connections; unfortunately, remote desktop protocol (RDP) data is often confined to system-level artifacts and rarely centrally logged, making it difficult for incident responders to review the data quickly and at scale. Bro 2.4 introduces a new log source that can be leveraged to collect and aggregate RDP connection data at the network level. Focusing on incident response, one of the most useful applications for this log source is proactively hunting for attackers in your network.

This talk presents an overview of the Bro RDP analyzer, real-world examples of using the analyzer to identify attacker activity, and tips for hunting through the data to root out systems that may be worth investigating.

Speaker Bio: Josh Liburdi is a Senior Consultant at CrowdStrike; he has used Bro almost every day for the past two years in large and small production environments.

Bro integrations

This talk will cover integrating Bro into a variety of security products. This talk is presented by Bro’s Jon Schipp.

Presenting ARMORE: Applied Resiliency for More Trustworthy Grid Operation

The ARMORE system uses Bro at its core in an Industrial Control Systems context. Key contributions that will be highlighted include an implementation of a generic protocol statistics framework leveraging SumStats, protocol specific tree topologies for DNP3 and Modbus, linkages to basic anomaly detection and intelligence frameworks, and future plans for more advanced anomaly baselining. Further efforts will be briefly highlighted including active response plans as well as the rest of the system composition.

Speaker Bio: Tim Yardley bio available here.

Broker: Bro’s new communication library

With version 2.4, Bro has started to ship with a new communication library, Broker, that will eventually replace both the current communication code inside Bro as well as Broccoli’s independent implementation of the current protocol. Broker provides a unified, well-defined publish/subscribe model for sharing events and state across independent Bro instances, as well as with external applications. This presentation will provide an overview of Broker’s architecture and usage, and outline the transition plan for moving Bro over to the new functionality.

This talk is presented by Bro’s Robin Sommer.

Taking a distributed computing approach to network detection with Bro and The Cloud

This talk focuses on a new way to do network detection by leveraging Bro to send data to a backend or cloud to process the data where resources are not as limited. It also focuses on treating sensors as expendable resources that can easily be swapped out to show the entire solution from the sensor to the backend. This talk highlights how using bro data with other data inside your network creates an ideal situation to enhance detection for your network.

This talk is presented by Mike Reeves.

Justin Azoff’s laBrotory

The latest custom solutions Justin created to make his day-to-day job easier.

Justin is a security engineer at NCSA and is a member of the Bro Project.

Extinguish your network fire with Bro

Bro is the most unique IDS you have ever seen. This talk will show the most unusual ways to use Bro, some security related and some more of a fire-fighting approach during a network stability issues. You will see how Bro is used in Mozilla for detection and how it helps in IR. How does it work hand in hand with MozDef, our made in house SIEM? What are the tactics for intrusion detection and what kind of custom scripting we use. How did Bro help to solve a Release Engineering network performance problems - a few times? What is the first class of problems that any good NSM system will notice, and why? The take out from this class should be some ideas, tactics and maybe even scripts that you can use in your daily work. Everything presented will be on github with open source license.

Speaker Bio: Michal Purzynski is a Network Security Engineer in the Operations Security Group, Mozilla. Michal created a network security monitoring program in Mozilla, that covers data centers and some offices. Part of his work is DFIR, taking care of the NSM based on Bro and Suricata, finding new ways to detect threats and correlate events, creating actionable intelligence and alerts.

Linked Data Analysis

Security analysts have to sift through a lot of information to hunt for and investigate incidents. Most tools, though, operate at a very low level, making it difficult to see past the individual events and get the big picture. Linked Data Analysis (LDA) visualizes the entities in your data as a graph and shows how they are related. When you are able to step back and see what’s going on at a higher level, it’s much easier to identify suspicious patterns and detect malicious activity that you might have otherwise missed.

In this presentation, we’ll use LDA techniques and open source software to visualize several different types of logs from the Bro network analysis platform. We’ll also demonstrate some practical strategies for identifying and investigating patterns that might indicate security incidents. By the end of the session, attendees will have a set of tools and techniques they can use to perform similar analyses on their own data, and begin to find the bad guys hidden in their networks.

Speaker Bio: Before coming to work as a Security Architect and DFIR subject matter expert at Sqrrl, David Bianco led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an intel-driven detection & response program for General Electric (GE-CIRT). He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents.

David stays active in the community, speaking and writing on the subjects of Incident Detection & Response, Threat Intelligence and Security Analytics. He is also a member of the MLSec Project. You can follow him on Twitter as @DavidJBianco or subscribe to his blog, Enterprise Detection & Response.

BroControl’s development updates, v2.4 and beyond

This talk is presented by Bro’s Justin Azoff.

Detecting Quantum Insert Attacks using Bro

The Security Research Team at Fox-IT researched and published the detection of Quantum Insert. In this talk I will explain what Quantum Insert is and how we used and improved Bro-IDS to detect these type of attacks. I will also explain how we simulated the attack using Scapy and that we used this to check the detection of popular IDS systems. The talk will include a demo showing an example attack and detection using Bro. We published all this research and tools on our blog and GitHub repo:

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

https://github.com/fox-it/quantuminsert

https://github.com/zeek/zeek/pull/31

Speaker Bio: Yun Zheng Hu is a Principal Security Expert at Fox-IT, located in the Netherlands. At Fox-IT he is part of the Security Research Team, which focuses mainly on threat intelligence and research of new detection methods. His expertise is in the field of network monitoring, intrusion detection and emergency response.

The NetControl Framework

The NetControl framework provides Bro with a flexible, unified interface for acttively interfacing to network hard-and software like, e.g., switches or soft- and hardware firewall. Common use-cases for the NetControl framework are traffic shunting, using Bro to block malicious traffic or to quarantine vulnerable machines. The NetControl interface can use a number of different technologies like, e.g. OpenFlow to communicate with networking hard-and software.

This talk is presented by Bro’s Johanna Amann.

Bro + Elk

You have a bunch of Bro logs from multiple sensors. You are tired of bro-cut and need something a little more powerful, but have zero budget. This talk will explain the free tools you need and examples of how to log your data to Elasticsearch using Logstash and viewing the result data in Kibana.

Speaker Bio: Michael Pananen is a Master of Puppets for Vigilant Technology Solutions. He manages R&D for security-focused technologies and automation. Michael authors and maintains the development of the Bro Puppet module, available for download in the Puppet Forge.

A new approach to examining Bro logs

This talk is presented by Bro’s Seth Hall.

VAST Demo

Visibility Across Space and Time (VAST) is a platform for large-scale network forensics, especially suitable for interactive incident response. It offers a rich-typed query language to facilitate finding needles in haystacks. VAST has first-class support for Bro: it imports logs natively and can also generate query results as Bro logs in addition to JSON.

This talk is presented by Bro’s Matthias Vallentin.

P0wnage and Detection with Bro

In this talk we demonstrate incident detection and analysis with Bro at Berkeley Lab. We will review several incidents over the last year and show how we use Bro to prevent reconnaissance, detect miscreant activity, and perform detailed network forensics. We will also review some of the scripts and capabilities of Bro we have implemented as a results of recent incidents.

This talk is presented by Aashish Sharma & Vincent Stoffer.

Broadmap, v2.5 and beyond

We’ll sketch the roadmap for the current Bro 2.5 development cycle, and share our thinking on longer-term directions beyond the next release.

This talk is presented by Bro’s Robin Sommer & Seth Hall.

Looking for Ghosts in the Machine

The assumption that the systems, networks and organizations that we are defending are already compromised suggests the need for a more diverse set of data sources only the network. Even ignoring issues around network access (which have some interesting solutions around SDN), there are several irreducible problems:

The utility of network related data is not being rather we suggest that it can be augmented by information extracted from on-system.

This work will describe the current efforts at NERSC to analyze system and application layer activity (syslogs, instrumented ssh and auditd) using the powerful input framework, clustering and scripting capabilities found in the core bro application. Because isshd and systems logs (inclusive web and application logs) have been previously covered at length, they will be looked at more in terms of clustering. Auditd will be used as a foil to explore more of the development process and future directions of our work including the clustering and system/user abstraction. My vision for the auditd+bro project was to build a tool that would mimic functionality typically found in fictional hacker movies. Without the alarms. Oh, and the sparks. No sparks.

The auditd project includes client side code to normalize local data and pass it via stunnel to a bro worker for further analysis. The bro policy can be roughly broken out into system information and user information. Examples of these include:

The auditd analyzer has evolved hugely in the past year and is now beginning to emerge as a usable tool. We hope to be able to begin using it on the larger clusters to begin understanding real user behaviors and track security related issues that have now and historically managed to slip under the radar in most systems due to the difficulty in accessing and analyzing auditd data. The potential to understand in a more quantitative way what is going on in our systems, as well as better identifying typical user behaviors should be interesting to explore.

Speaker Bio: Scott Campbell has worked at the National Energy Research Scientific Computing Center doing research and production security for many, many years. He started using Bro on approximately his first day at work (version 0.7a90!) and has been enjoying it since. Recently Scott has been focusing on very high bandwidth cluster implementations as well as site wide OpenSSH and auditd analysis fed via the input framework.

Review Solutions to Bro Challenge

This talk is presented by Bro’s Doris Schiöberg.

Bro at Emerson Electric

In late 2013, as part of a continuing program to enhance Emerson’s CIRT capabilities, we explored best in class solutions to develop a customizable platform to enhance network visibility. As part of that pursuit, we have committed to the use of capabilities such as Bro, that may be managed, extended, and enriched directly by our team. Since then, we have grown our Bro capability to extend across the globe, providing the visibility, validation, and understanding necessary to help meet today’s threat. The approach has created an ideal feedback loop where analysts are driving our capabilities, and our capabilities are in turn providing more value to our organization. Bro has been a pivotal cornerstone for the success we have had thus far. We would appreciate the opportunity to share how Bro has been extended by our team to solve unique problems, served as a valuable asset to our profession, and talk through our teams experiences.

Speaker Bios: Jason Batchelor is a security researcher at Emerson with a passion for intelligence analysis, reverse engineering, and developing new ways to meet today’s threats. He graduated from the Rochester Institute of Technology with a masters in Networking and Systems Administration and continues to teach reverse engineering malware there as an adjunct professor.

Daniel Nieters is an infrastructure engineer and analyst at Emerson. As a member of their incident response team, he takes on both day-to-day intelligence analysis and developing new toolsets that enable and enhance current analysis abilities on the team. He graduated from Missouri S&T with a masters in Information Science with a certificate in Information Assurance.

Panel discussion with the Bro Development Team

This year’s panel includes Bro’s creator, Vern Paxson. Bring your questions for the Bro Development Team to answer.