Internet Security Operations and Intelligence III - a DA Workshop

AED conference center, Washington DC.
August 27 - 28, 2007

ISOI3 gratefully acknowledges the following companies whose generous support has made the conference possible:

Afilias Ltd.:
The Internet Society:
Shinkuro, Inc.:

After-conference reception sponsored by Sunbelt Software:

Agenda and Schedule

First day: Lectures and Case Studies
08:55 - 09:00 Welcome to ISOI 2 and Preview of the Day Gadi Evron (Beyond Security)
09:00 - 09:30 "Google adwords .. .the dangers of dealing with the Russian mafia" Roger Thompson (Exp Labs)
09:30 - 10:00 "Incident Response During the Recent Attack" Hillar Aarelaid (Estonian CERT)
10:00 - 10:30 "Strategic Lessons From the Estonian 'First Internet War'" Gadi Evron (Beyond Security)
10:30 - 11:00 "Targeted attacks (spear phishing): A demonstration and
analysis of a former Office 0-day"
Rob Hensig (Microsoft)
11:00 - 11:30 "FastFlux Update: Monitoring the IPv4 Network in 3D" N. Bourbaki
11:30 - 12:00 "What you should be asking me as a routing vendor" Barry Raveendran Greene (Cisco)
12:00 - 12:40 Lunch break Got chow?
12:40 - 13:05 "Storm Worms...When it rains it pours" Dan Hubbard (Websense)
Joe Stewart (SecureWorks)
13:05 - 13:30 "Phishing and the IRS - New Methods" Andrew Fried (Treasury Department)
13:30 - 14:00 "Cyber Threat Analytics and the BotHunter Tool" Marcus H. Sachs (SANS ISC)
14:00 - 14:25 "Beware: TNT!!! (The Newest Threat)" Righard J. Zwienenberg (Norman)
14:25 - 14:45 Snack break apparently Gadi slipped up
14:45 - 15:10 "Infrastructure Security and Internet Attack Statistics" Danny McPherson (Arbor)
15:10 - 15:35 "Botnets in a Hosting Environment" James Pleger (Honeywell)
15:35 - 16:00 "The Spammer Evolves - Migration to WebMail" William Salusky (AOL)
16:00 - 16:25 "Vulnerabilities used to hack sites for phishing" John LaCour (Mark Monitor)
16:25 - 16:50 "Managing the response to eCrime, Lessons Learnt
in the UK Financial Sector"
Tom Salmond (Ernst & Young)
16:50 - 17:10 "Domain Registrations Revenue of Blacklisted,
Phished, and Malware Hosting"
Rick Wesson (Support Intelligence)
17:10 - 17:35 "How Not to Hide if You're a Russian Hacker Living in India" Paul Ferguson (Trend Micro)
17:35 - 18:00 "Six Degrees of Bot Herders -
Data Aggregation and Relationships"
Andre' M. DiMino (The Shadowserver Foundation)

Sunbelt after-party dinner!

Second day: [mostly] Open Community Discussion
09:00 - 09:05 Preview of the day Gadi Evron (Beyond Security)
09:05 - 09:30 "Automated Static Analysis of Malware" Jose Nazarijo (Arbor)
09:30 - 09:55 "Mpack and Honeyjax (Web 2.0 honeypots)" Dan Hubbard (Websense)
09:55 - 10:10 APWG spot Dave Jevans (APWG)
10:10 - 10:25 Break No joke
10:25 - 10:40 *spot
10:40 - 11:10 "HaxTor - Tor for eCrime?" Lawrence Baldwin (MyNetWatchman)
11:10 - 12:10 "Finding Community and Industry Solutions for LEOs:
Getting the Bad Guys"
Lotsa agents
12:10 - 12:45 Lunch break Try Our Falafel
12:45 - 13:15 "The Changing Role of Service Providers in the Fight" Lotsa providers
13:15 - 13:45 "Kitten Hashes and Botastic Rainbow Redirects" David Dagon (Damballa)
13:45 - 14:15 "Fighting Cybercrime at the Source" Joe Stewart (SecureWorks)
14:15 - 14:45 "Open discussion: What is a bot?" Allysa Myers (McAfee)
14:45 - 15:05 TBA Johannes Ullrich (SANS ISC)
15:05 - 15:20 "Identifying Botnets Using Anomaly Detection
Techniques Applied to DNS Traffic"
Jose' Carlos Brustoloni (University of Pittsburgh)
joint publication with
Ricardo Villamarin-Salomon
15:20 - 15:50 "Affecting Change" Marcus H. Sachs (SANS ISC),
Randy Abrams,
Gadi Evron (Beyond Security),
Paul Ferguson (Trend Micro)
15:50 - 16:20 Fastflux solutions Steve Crocker (ICANN SSAC),
William Salusky (AOL),
Ram Mohan (Aflias),
Dave Piscitello (ICANN SSAC),
Gadi Evron (Beyond Security), N. Bourbaki
16:20 - 16:45 Boxing Match (gloves needed!)
16:45 - 17:15 "Modeling phished and compromised user accounts" Mark Seiden (MSB Associates)
17:15 - 17:45 "Thank you, what's next?" Greg Galford (Scuba from Florida),
Righard J. Zwienenberg (Norman)

BOFs will be announced separately:
- Fastflux Task Force
- Rock phish coordination
- Storm Task Force

Some press leading up to the previous workshop:
Dark Reading

The workshop's purpose is to bring together members of the Internet
security operations community at large and DA and MWP specifically, and share
information, as well as plan our future operations.
After the workshop, a reception for attendees will
be sponsored by Sunbelt Software.

The workshop is organized by the DA and MWP communities and is open only for members of the
following vetted communities:
DA, MWP (and sister communities such as routesec), OARC, NSP-SEC, ICANN SSAC
FIRST. MAAWG, IS-ISAC, IT-ISAC, FS-ISAC, anti virus vetted groups and the honey net project.

If you are not a member and would like to attend, feel free to send a
request. We would be happy to learn of your interest.
Law enforcement officers who are not members of our communities need
to contact us to arrange their arrival.

Among the attendees are:
Professionals from Internet Service Providers (ISPs), Anti Virus vendors,
Anti Spam vendors and projects, CERT teams, Law Enforcement, Academia, etc.
coming together to work on the most recent technology, intelligence and
operations being done online today for the security of the Internet.

The workshop is closed to reporters.

Cost and Registration:
Attendance is free of charge. You must confirm your arrival by July 20th by emailing or the organizer directly.

This workshop's main topics are fastflux, online fraud, DDoS and botnets.

This is the official CFP for ISOI 3. Main subjects include: fastflux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

Submission is simple, email us directly with your topic and some data
to back it up by July 20th, to

Dates: August 27, 2007 and August 28, 2007
When: Aug 27 - 9:00 a.m. to 7:00 p.m. and Aug 28 - 9:00 a.m. to 7 p.m.

AED Conference Center
1825 Connecticut Avenue
Washington, DC 20009

Hotels nearby that have AED rates (be sure to tell the hotel that you are
attending a conference at AED when you are booking. These are AED rates, not
special rates for this meeting. The hotels will not know what you are talking
about if you mention the ISOI3 Meeting.)

Jury's Washington
1500 New Hampshire Avenue, NW
Washington, DC 20009

The Churchill Hotel
1914 Connecticut Avenue, NW
Washington, DC 20009

Hilton Washington
1919 Connecticut Avenue, NW
Washington, DC 20009

After-conference reception: August 27 - 7:00 p.m.

This is the third of a series of workshops. The agenda of the first
workshop is located here and the second can be found here.

Gadi Evron,
ISOI/DA coordinator and organizer.

Greg Galford - Logistic operations
Jeff Moss - Agenda
Bri R - Attendee liaison
Marcus H. Sachs - Pre-con Leaders Summit
William Salusky - DC area local coordination
Zot O'Conner and other MSRC folks - Con Security
Matt Jonkman - Pre-con party
Randal Vaughn - Coordinator, Press and Academic Liaison