10:00 – 10:30 Registration & Refreshments (COS313)
10:30 – 10:45 Welcome from the OWASP Cambridge Chapter Leader, Adrian Winckles, Director of Cyber Security & Networking Research Group, Anglia Ruskin University (COS310)
10:45 – 11:30 Nick Palmer, Technical Director, Europe, Attivo Networks “Deception technology, luxury item or life line?”
11:30 – 12:15 Alan Melia, Principal Incident Response Investigator, Investigations & Incident Response – MWR InfoSecurity, “Conducting an APT Investigation”
12:15 – 13:00 Adrian Winckles, Director of Cyber Security & Networking Research Group, Anglia Ruskin University, “Can IPFIX improve Traffic Capture Techniques for Cyber Threat Intelligence”
13:00 – 14:00 Lunch & Networking (COS310)
14:00 – 14:45 Simon Newman, Chief Strategy Officer, London Digital Security Centre
14:45 – 15:30 Verizon (TBC), Payment Security Intelligence Report
15:30 – 15:40 Roundup & Close
Nick Palmer, Attivo Networks “Deception technology, luxury item or life line?”
Abstract: Is deception technology only for mature security operations or is it an effective cyber security solution to help companies mature their capabilities? Organizations continue to build their security arsenal, yet advanced threats and insiders continue to breach networks and extract valuable data. Learn how deploying decoys throughout your environment can build the bridge strengthening all the levels in your security stack. Join us for this session where you’ll hear about real-world deployment experiences, the value customers are realising, and what Red Teams are saying about deception-based threat detection.
Alan Melia, MWR InfoSecurity, “Conducting an APT Investigation”
How do you go about conducting an APT investigation? This talk walks through the technical details of an actual APT investigation.
Tracking the investigation of the incident from detection point back across the client environment and through 9 separate compromised servers in 2 different domains and using 5 separate user accounts.
Details of the process, tools and techniques used by the investigators to follow the ‘breadcrumbs’ of evidence so as to identify the entry vector, establish a containment plan followed by remediation and recovery of the client estate.
While some of the details have been obfuscated, the process, tools and techniques used are very much real.
Adrian Winckles/Dr Mark Graham, ARU, “Can IPFIX improve Traffic Capture Techniques for Cyber Threat Intelligence?”.
IPFIX is the ratified standard for flow export. It was designed for security processes such as threat detection, overcoming the known drawbacks of network management based NetFlow. One major enhancement in IPFIX is template extensibility, allowing traffic capture at layers 3 through 7 of the OSI model. This talk introduces IPFIX and describes the creation of BotProbe - an IPFIX template specifically designed to capture botnet traffic communications from the analysis of almost 20 million botnet flows. BotProbe realises a 97% reduction in traffic volumes over traditional packet capture. Reduction of big data volumes of traffic not only opens up an opportunity to apply traffic capture in new areas such as pre-event forensics and legal traffic interception, but considerably improves traffic analysis times. Learn how IPFIX can be applied to botnet capture and other security threat detection scenarios.
To register for this free event, please register online at
The meeting will be held in the Coslett Building, Room COS310 (Breakout Room COS313 for networking & refreshments).
Please enter through the Helmore Building and ask at reception.