The Honeynet Project Annual Workshop 2025
Prague, Czech Republic — June 2nd, 3rd, and 4th, 2025

Conference Program

The Honeynet Workshop is the leading forum for early warning systems, cyber deception, and open source security tools to improve internet security. The workshop program consists of one day of invited talks and two days of trainings, held by a diverse set of experienced international speakers and trainers.

Monday, June 2nd
  8:00–9:00    Registration
  9:00–18:00   Briefings
  18:00        Social Dinner
Tuesday, June 3rd
  8:00–9:00    Registration
  9:00–17:30   Trainings
Wednesday, June 4th
  8:30–9:00    Registration
  9:00–17:30   Trainings

Briefings Overview

Briefing Day (June 2nd)

Time / Topic / Speaker
09:00–09:15
Introduction to the Workshop

Introduction to The Honeynet Project from the CEO.

Emmanouil Vasilomanolakis
09:15–10:00
'Welcome to the Party, Pal': How Die Hard Can Help Us Design Cyber Deception Influence Models Built on Signaling More Than Infrastructure

This keynote presentation by a cyber deception practitioner argues that behaviorally based cyber deception influence models —those that communicate public signals or displays of network vulnerabilities and strengths— could become one of the most effective deterrents to attackers. This provocative argument challenges traditional COTS approaches to cyber deception. Drawing from his unique experiences developing and operationalizing cyber deception programs in both industry and government, Pappa will introduce three behaviorally based models of cyber deception influence. These models will be framed by disruptive moments in Die Hard, where Det. John McClane single-handedly influenced a dozen terrorists inside Nakatomi Plaza on Christmas Eve.

Tim Pappa
10:00–10:30
VelLMes - How Generative AI Can Help Cyber Deception and Defense?

This talk presents VelLMes, a framework that uses large language models to simulate interactive services like SSH (shelLM), MySQL, POP3, and HTTP for honeypot deployment. We explore the benefits and limitations of LLM-driven deception, evaluating both service simulation and deception capabilities. The talk raises key questions about measuring deception effectiveness and highlights future directions for generative AI in cybersecurity beyond honeypots.

Muris Sladić
10:30–10:45
Lightning Talk: Introducing DICOMHawk: A High-Interaction Medical Honeypot

This lightning talk presents DICOMHawk, an open-source Python-based honeypot simulating the DICOM protocol, a medical standard for the storage and transmission of medical imaging data. DICOMHawk offers a higher level of interaction than the current standard, DICOMpot, and is not detected as a honeypot by Internet-level scanners such as Shodan. It implements realistic DICOM commands, honeytokens, comprehensive logging and a user-friendly web interface. These features help security practitioners and researchers gain deep insights into the threat landscape and Internet-level scanners. This demo introduces DICOMHawk’s architecture, its functionality and its usefulness.

Karina Elzer
Coffee Break
11:00–11:30
Koney: Cyber Deception Policies for Kubernetes

Manually injecting a fleet of decoys into applications and detecting access attempts to them isn’t straightforward. Kubernetes, the dominant platform for modern software development, offers a great foundation into which we can easily integrate traps to detect hackers.

This talk will introduce Koney, a first-of-its-kind operator - that is, a “plugin for Kubernetes” - that allows you to define so-called deception policies for clusters. Koney automates the setup, rotation, and teardown of honeytokens and fake API endpoints, and uses eBPF to detect, log, and forward alerts when traps have been accessed.

This talk will present how application layer cyber deception techniques can be formalized “as code” and what technical methods can be used to inject traps at runtime, all without requiring access to source code. We will continue with a live demonstration of how Koney can place honeytokens in application containers in seconds.

Participants can leave with a better understanding on how cyber deception can be formalized in policy documents and be equipped with a functional open-source tool [1], Koney, that lets them experiment with cyber deception in their own environments.

Mario Kahlhofer
11:30–12:00
Hi Fidelity != High Effort: Meet DECEIVE, the AI-backed SSH Honeypot

Deploying a realistic honeypot is a lot of work. What kind of system is it? Who are the users? What applications does it have? Who’s going to create all the files and documents it takes to make a compelling trap? And that’s just for one honeypot. Deploying a realistic network of servers can be a major undertaking. That’s why we created DECEIVE, an Open Source, AI-backed honeypot that you can deploy with as little effort as it takes to write a single sentence. It’s high fidelity simulation with minimal effort.

David Bianco
Lunch Break
13:30–13:45
Lightning Talk: Cyber Counterintelligence challenges - Deceiving adversaries through influence operations

The goal of this talk is to explain the critical challenges of cyber counterintelligence, emphasizing the importance of deception and focusing on using influence operations to deceive adversaries. Deception is essential in cyber counterintelligence to disrupt adversary activities and protect our interests. Influence operations are a powerful tool for manipulating information and the adversary’s perception of reality. In the modern cyber domain, deception via influence operations presents unique challenges and opportunities—and is becoming increasingly important. The main message is: effectively deceiving adversaries through well-crafted influence operations is not only beneficial but necessary to protect the interests and strategic advantage of every company. Just think about it!

Ondrej Nekovar
Jan Pohl
13:45–14:00
Lightning Talk: IntelOwl Project - making the life of security analysts easier

Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools. It is for everyone who needs a single point to query for info about a specific file or observable. This Lightning Talk will guide the audience through how this software works and how it can be leveraged by security analysts to save time and optimize their work during their day-to-day activities.

Daniele Rosetti
14:00–14:30
Bot-any of Stagers: Understanding the Landscape of Malware Staging Servers in RCE botnets

This talk focuses on the RCE vulnerabilities in IoT devices that botnets frequently exploit to infect new devices. As these methods have only become more prevalent as an infection vector, we use a large block of passive IPs, also known as a network telescope, and two smaller blocks of IPs, or ‘reactive telescopes’, that emulate unresponsive services on all ports to capture these RCE attempts and characterize the attacks and behaviors of the groups that target these vulnerabilities. We further flesh out the underlying infrastructure and practices, where this method fits between completely passive measurement methods and fully emulated honeypots in the detection spectrum, and the unique insights we can gain from it.

We also use the insights gained from running this experiment to explore further additions and improvements to our setup and the future of existing techniques used to combat these attempts and then whether we can use newer methods to disrupt these botnets.

Murtuza Ali
14:30–15:00
Detecting open-source Honeypots

This talk dives into how open-source honeypots like Cowrie, Conpot, Dionaea, and Glastopf can be detected in the wild. These tools are widely used to lure and monitor attackers, but they often have small giveaways—quirks in behavior or implementation details—that can expose them as traps.

We will start with a quick overview of how these honeypots work/look, then move into real-world examples where they were identified through subtle signs. From there, we will look at how detection can be scaled using tools like Nuclei, making it possible to scan larger environments efficiently.

The goal is to show both red and blue teams how honeypots can be fingerprinted, why that matters, and what can be done to make them harder to detect.

Anastasiia Dorosh
Coffee Break
15:15–15:45
Stealing the Stealer: Catching Data Exfiltration with Deception

Data exfiltration remains one of the hardest threats to detect. Attackers can silently read and steal sensitive data without triggering traditional security controls—file reads are rarely logged, and DLP solutions are often bypassed. But what if we could turn the attacker’s tactics against them? This talk introduces a novel approach using Virtual Filesystem (VFS)-based deception to project believable but fake data files, credential stores, and crypto wallets that silently track unauthorized data access. Unlike traditional beaconing documents, which rely on external callbacks that can be blocked, this method detects exfiltration attempts at the moment of access, using M-out-of-N access patterns to reduce noise and false positives. Attendees will learn how honeytoken-style deception techniques can alert on data-stealing attackers in real time—without disrupting legitimate users.

Rajaram Bhaskaran
15:45–16:15
Staying Up-to-Date with SMS Scams: Building a Smishing Honeypot

In the last few years, SMS-phishing (smishing) has significantly increased. Getting blocked by telcos over SMS, adversaries have started to shift from SMS to online communication services such as RCS and iMessage to evade detection. Due to the lack of open-access, up-to-date data, it is challenging to identify these evolving techniques scammers use to target users; let alone build effective mitigations.

During this talk, presenters will showcase the infrastructure of a working honeypot deployed in the UK and Germany. It has already collected over 100 real-world scam messages in a timely and accurate fashion across SMS, RCS, and iMessage.

The participants will learn about the strategic seeding mechanism we use to ensure our honeypot numbers are targeted by scammers while minimizing generic spam. The talk will also present an overview of our results, including two unique case studies: one on the possible identification of SMS blasters, and the other validating the system’s reach into active criminal networks.

Marie Vasek
Sharad Agarwal
Coffee Break
16:30–17:00
Evolution of banking threats in LATAM, a detailed review of Mispadu

This talk will explore the evolution of banking threats across Latin America (LATAM), with a particular focus on threat actors originating from Brazil. We will begin with a brief overview of the primary threat actors currently targeting the region.

The main focus will be on Mispadu, a Malware-as-a-Service (MaaS) platform that has been actively targeting Mexico and other LATAM countries over the past few years. We will compare campaigns from two years ago to current activity, highlighting changes in delivery methods, obfuscation techniques, and infrastructure.

Key takeaways include:

  • Banking malware continues to evolve, particularly in the initial infection and delivery stages, in an effort to bypass modern security measures.
  • Command and control (C2) infrastructure, however, is evolving at a slower pace.
  • Organizations should focus their defenses on the initial stages of the attack chain to better protect their environments.

The session will also present a step-by-step breakdown of Mispadu’s deployment techniques, including how obfuscation methods have changed over time.

Hugo Gonzalez
17:00–17:15
Lightning Talk: HUGO Honeynet project

CESNET has recently started a project of building a honeynet distributed across organizations in different sectors. It is based on preconfigured VMs with Cowrie and Dionaea honeypots, made such that it is quick and easy to deploy even for an inexperienced network admin. After a simple registration process, all data captured by the honeypots are automatically shared to Warden, the data sharing platform operated by CESNET, so they can be centrally analyzed. The goal of the talk is to briefly present the project and explore the possibilities for collaboration with the Honeynet Project community.

Vaclav Bartos
Pavel Valach
17:15–17:45
How Threat Actors Deceive Researchers via Unpopular Software

Nowadays, financially motivated adversaries are constantly looking for new ways to obtain initial access into target organizations. One particular method that attackers recently started using for this purpose is deploying malicious implants through unpopular legitimate software. While using such an infection vector, attackers often manage to deceive security analysts, who commonly classify alerts originating from such software as false positives.

During this talk, we will share details of a recent malicious campaign that was orchestrated through an infection of unpopular software. We initially started its analysis from an inspection of two domain names, which looked suspicious to us. During the presentation, we will firstly discuss how we used community-based threat intelligence tools to pivot from these domains to the executables of compromised software. Afterwards, we will establish the timeline of the software infection by examining open-source information available about it. Following that, we will describe the malicious code implanted into the software and analyze the final payload dropped by it, which is a previously unknown Python-based stealer.

This talk, as well as the live demonstrations offered throughout it, will allow attendees to better understand how crowdsourced threat intelligence instruments can be leveraged to conduct threat hunting activities, as well as gain experience in handling obfuscated Python malware.

Georgy Kucherin
17:45–18:00
Closing Remarks
Sebastian Garcia
18:00
Social Dinner
The social event will take place at Cafe Prostoru_ (Technická 2710, 160 80 Praha 6), located in the same building as the conference.

Following the Closing Remarks session, further instructions will be provided to guide attendees to the social event area.

Training Schedule (June 3rd-June 4th)

Trainings

We have an exciting line-up of trainings for Tuesday and Wednesday. The training schedule will be finalized based on participants' interest shortly.

SlotTrainingTrainer
Tuesday morning
T-Pot 101 Workshop - Your Gateway into the world of Cyber Deception and Honeypots

Welcome to T-Pot 101, a hands-on workshop crafted for those looking to dive into the vast capabilities of the all-in-one honeypot platform T-Pot. Tailored for beginners, this workshop is the first step towards mastering the setup, installation, and basic configuration of a deception system.

🌐 What We Offer:

  • A detailed walkthrough for the installation of T-Pot.
  • Placement of T-Pot and first usage.
  • Distributed setup with sensor and hive.
  • Utilizing T-Pot dashboards for event analysis.
  • Best practices for daily operation and keeping your system updated.

Join us for learning and exploration, conducted by the authors of T-Pot.

Note: Students are required to bring their own laptops capable of running virtual machines in bridged networking mode. Minimum specifications are: a processor with 8 CPU cores (e.g. Apple M1 Pro+, Core i5 12th gen+, Ryzen 5 5th gen+), 16GB of RAM, and 512GB of fast storage (SSD or NVMe). For best results, the laptop must be able to dedicate at least 4 CPU cores, 8GB of RAM and 64GB of free disk space to the virtual machine.

Marco Ochse
Elias Flotzinger
Tuesday morning
Analysis of honeypot network traffic at scale

In this training we’ll look at a pcap captured on a webserver machine: https://www.malware-traffic-analysis.net/2025/04/13/index.html. We’ll identify the clients and server, the protocols seen, and the different types of scans, and find the different types of attacks it contains (reconnaissance, reflection amplification DDoS attacks, remote code execution, etc.). The pcap, methodology and tools are representative of analysis of honeypot network traffic at scale. We’ll be using tools such as Zeek, Suricata and Wireshark to extract metadata from the traffic, DuckDB to filter the data, and Google Gemini and ChatGPT to better understand the attacks we’re seeing.

At the end of the training the students will:

  • have a clear picture of how to efficiently yet comprehensively analyse pcaps captured on honeypots.
  • be able to read network metadata (e.g. generated by Zeek) and to create some network traffic rules (e.g. with Suricata).
  • have a good picture of the popular attacks (e.g. reflection amplification DDoS attacks, theft of insecure credentials) and vulnerabilities (e.g. those affecting WordPress) used recently in internet-scale attacks.

Anthony Verez
Tuesday morning
Reverse Engineering with Ghidra

This course provides a hands-on introduction to using Ghidra for software reverse engineering, taught by a co-author of The Ghidra Book: The Definitive Guide. Learn how to use and customize Ghidra to fit your SRE workflow, all presented with hands-on examples and plenty of crackme challenges. Whether you are new to the field of reverse engineering, new to Ghidra, or just want a refresher to participate in the Reverse Engineering Capture the Flag (CTF), this course gives you the opportunity to explore the capabilities of this powerful open source reverse engineering tool suite and understand how it can enhance your reverse engineering process. Hands-on labs let students choose between basic and challenge assignments, so that everyone has something interesting to explore in context. All challenges will be completed in a browser-accessible, pre-configured environment—just bring your laptop, a modern web browser, and some curiosity.

Kara Nance
Brian Hay
Tuesday afternoon
Designing Behaviorally Based Sock Puppets to Support Your Cyber Deception Efforts

This workshop will walk you through the design process for creating behaviorally based sock puppets to support any size deception program or project. It is tailored for beginners as well as advanced practitioners. The session will concentrate on the behavioral foundations of designing and building sock puppets and operating those deception artifacts.

In this workshop, participants will:

  • Get an introduction to the trainer’s original framework for designing and operationalizing cyber deception sock puppets
  • Learn how to give sock puppets with limited or no backstopping more authentic features, using everyday objects and content creation approaches
  • Learn how to create and incorporate a deception storyline or narrative for their sock puppets
  • Evaluate their cyber deception sock puppets
  • Discuss common pitfalls of cyber deception sock puppet performance, including generalized examples from the trainer’s FBI background

Tim Pappa
Tuesday afternoon
Interactive Fingerprinting Walkthrough

This three-hour, hands-on workshop guides participants through the end-to-end workflow of modern passive network fingerprinting - covering JA3, JA3N, JA4, p0f and MuonFP - and demonstrates how to turn raw fingerprints into actionable defenses.

After a brief welcome and taxonomy overview, attendees will dive into live TLS captures to dissect the ClientHello, extract JA3 signatures and normalize them to JA3N. After that we will explore the enhanced fields of JA4 - a JA3 successor.

Next, we’ll shift to TCP/IP fingerprinting, using p0f to identify OS and tool patterns, then generate MuonFP fingerprints to reveal tunneling overhead and sequence quirks.

Finally, you’ll learn how to translate your MuonFP-derived p0f signatures into a BPF filter, compile and deploy it in real traffic, and verify that unwanted scanners are dropped at the wire. Throughout the session, each concept is taught through live demos and interactive labs, helping you to generate, interpret and apply network fingerprints immediately in your own defensive workflows.

Vlad Iliushin
Tuesday afternoon
Reverse Engineering CTF

Capture the Flag (CTF) events are competitive games where participants earn points by uncovering hidden “flags”—specific pieces of data embedded in challenges. This CTF is designed to give you hands-on experience applying reverse engineering skills using Ghidra. You’ll work through a diverse set of crackmes—small executable challenges crafted to test your ability to analyze and manipulate binary code. The challenges range in difficulty, making the event suitable for everyone from first-time reverse engineers to seasoned CTF players.

All challenges will be completed in a browser-accessible, pre-configured environment—just bring your laptop, a modern browser, and your enthusiasm for solving puzzles. If you’re new to reverse engineering or CTFs, don’t worry: beginner-friendly training materials and guided walkthroughs will be available to help you build confidence and skills. Come explore what Ghidra can do, and level up your reverse engineering abilities in a fun, supportive setting!

Kara Nance
Brian Hay
Wednesday morning
Android malware reversing 101

The goal is to introduce the attendees to the world of reversing Android malware.

It will focus on static analysis, after first understanding the entry points of Android apps and how to look for clues in the code.

The main tool will be apktool, and we will go deep into the smali code it produces.

At the end, more tools will be presented for users interested in continuing the journey of Android malware analysis.

Hugo Gonzalez
Wednesday morning
Translating Threats into Deception Strategies

Defining cyber deception strategies in production environments is a complex challenge. This guided hands-on lab is oriented to people who want to learn how to translate Tactics, Techniques, and Procedures (TTPs) into concrete cyber deception activities and plans. Participants will work in teams through a simple methodology with four phases: behavior extraction, criteria selection, mapping TTPs to deception activities, and storytelling design. Teams will develop effective deception strategies for real-world scenarios.

After an introduction to the topic, the hands-on labs will be divided into four phases, each including an exercise and a theoretical summary of the concepts. Participants will work in teams of 3-4 people to encourage synergy between the different profiles involved.

During each phase, participants will have access to an online spreadsheet to record their notes in the form of a logbook. At the end, the strategies proposed by each team will be compiled and shared in real time to evaluate the criteria applied and the potential effectiveness of the proposed scenarios.

The main goal is to provide a practical and minimalistic experience on how to design and contextualize deception strategies based on threat behaviors, aligning them with clear defensive objectives.

Takeaways:

  • A step-by-step simplified process to turn threat intelligence into deception actions.
  • Practical experience in identifying and mapping TTPs to deception tactics.
  • Criteria-based decision-making to define the intent and impact of deception.
  • Integration of deception into a coherent narrative that enhances credibility.

Federico Pacheco
Wednesday afternoon
Getting Your Hands Dirty: Dissecting Malware Traffic to Understand Attackers’ Behaviours

This hands-on training focuses on the essential skill of understanding malware behavior on the network. It’s designed to provide practical experience in identifying malicious connections, distinguishing between normal and suspicious activity, recognizing unusual patterns, and handling large volumes of traffic. The key takeaway is not just learning how to use tools, but gaining the experience needed to spot malware’s actions on the network. You’ll learn how malware hides, how to recognize encryption methods, how to analyze web traffic patterns, and how to filter out false connections. By analyzing malware, you’ll learn to think like an attacker and gain the skills needed to effectively analyze network traffic for malicious behavior.

Sebastian Garcia
Wednesday afternoon
Perception vs. Perspective: Doublespeak and the Control of Reality

This workshop examines the mechanisms of psychological manipulation through the intersecting lenses of language, perception, and cognitive warfare. Grounded in Orwellian theory and Cold War-era influence operations, it investigates how doublespeak and ideological framing distort reality and shape identity. In an age where truth and fiction increasingly converge, the workshop analyzes the strategic use of language as a tool of control and a weapon, focusing on techniques such as conformity induction, learned helplessness, and the fragmentation of narrative identity.

Emphasizing the distinction between perception (sensory input) and perspective (interpretive filter), the workshop explores how these constructs are exploited to shape belief systems and behaviors. Participants engage in immersive, experiential exercises—including “Truth Reassignment” and “Contradiction Circle”—designed to simulate real-time cognitive manipulation and reveal the subtle mechanisms behind belief alteration.

Through a multidisciplinary approach combining theoretical frameworks, historical case studies, and guided reflection, the workshop equips attendees with practical strategies for cognitive resistance. Topics such as semantic overload, doublespeak, and cognitive dissonance are explored as instruments of epistemic control, while media literacy, linguistic precision, and metacognitive awareness are emphasized as essential tools of defense.

Participants will learn to question prevailing assumptions, recognize manipulative framing, and cultivate the clarity needed to resist narrative coercion and reclaim interpretive agency in an era of pervasive psychological influence.

Key Takeaways:

  1. Understand the Distinction: Grasp the crucial difference between perception (what we sense) and perspective (how we interpret), and how both can be hijacked.
  2. Mechanisms of Control: Recognize techniques like conformity induction, learned helplessness, narrative fragmentation, semantic overload, spontaneous trait transfer, and doublespeak as deliberate strategies of psychological manipulation.
  3. Historical Context: Learn from Cold War-era influence operations and Orwellian theory to understand modern applications of cognitive warfare.
  4. Experiential Insight: Through immersive exercises like “Truth Reassignment” and “Contradiction Circle,” personally experience how easy it is for beliefs to be subtly reshaped.
  5. Practical Strategies for Resistance: Develop media literacy, practice linguistic precision, and enhance metacognitive awareness to detect manipulative framing and maintain cognitive sovereignty.
  6. Empowerment: Leave with actionable tools to question assumptions, disrupt coercive narratives, and reclaim interpretive agency in a psychologically weaponized environment.

Gregory Carpenter