Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Tokyo's world-famous Akihabara district lost one of its signature stores on Saturday, and with it a piece of the area's rich electronics history faded away.
 
HealthCare.gov, the troubled insurance-shopping website launched in October by the U.S. Department of Health and Human Services, is now working well for most users, officials said Sunday.
 

*A call for more blue defenders*

In a couple weeks I will be a TA for Mr. Mike Poor in DC at CDI (Shameless plug, if you are a reader and see me in DC say so!!!) for SANS 503. We often get asked, why does BPF matter || why should I bother with hex || why do I need to learn this???? My application does all the work for me!

I would like to share a ‘vet’ U.S. Navy story and shout out a thanks to, at the time QM2(SW), a talented navigator. He was telling me the “Stars never lie” and in that they always show the way. If you learn to read them, take my GPS, take my N take my Y technology, I have the star. If we know where the north star is? We can always find north! After watching him dismiss a senior inspector with core math and navigation skills and the stars? I was a believer!

At the core our minds are powerful processors. According the quad process model we take in vast amounts of information and process it at incredible speeds (Conrey, Sherman, Gawronski, Hugenberg, & Groom, 2005). This is likely why there are times when a 'solution' to a problem just somehow pops into your mind. Or why after years of driving it seems automatic.

If we understand the “Core” network communication we can break down protocols!

A couple of opinions/facts/ideas/comments/<insert favorite polarized media narrative here>;

  1. Most if not all IDS/IPS/HIDS/NIDS speak BPF [1]
  2. And another thing? RAW packets ‘usually’ cannot lie (it’s the RAW factor that counts)
  3. Most if not all sniffers/HIDS/NIDS/IPS/IDS/Firewalls speak PCAP
  4. Understanding the root language can help you understand new code built into that language

Coming to my point? For $DayJob I have been asked to prepare an Incident Management workshop, which has become a more common request. In this I hope to shed light on the important of core skills like TCPDumpFU || HexFU || BinaryFU || ProtocolFU. Most importantly I want to emphasis that a core understanding can help in the critical thinking process when facing new or unknown problems or challenges. Our faithful readers know the near axiomatic statement from any handler “got packets?”

Lately I have been asked to consult on more incidents than normal (for me) and in that I have noticed that although the operators are quite intelligent with fundamental problem solving skills, yet they are not effectively equipped. We need better blue defenders!!!!

It’s easier to attack than defend (Tzu, 1889). My most favorite moment is making most glorified attacker for “said G groups” unplug laptops and say “how did you do that?”…  (read active defense is not to attack but to fatigue your enemy, frustrate them, make them tired of attacking, deny them the ability to attack!)

Back to the point, we have been under attack for so long and breach after breach after breach aft……………. It has become the ‘new norm’ and I wanted to address the Pachyderm in the room! We are short of blue defenders! It’s easy, perhaps sexy to download “Kali” linux? But… How many have heard of HoneyDrive [2]? Or perhaps SecurityOnion [3]?

[4] “If I make an attacker spend an extra 9 hours attacking my website? I’ve won!” John Strand, SANSFire 2013.

Hard data, according to the Verizon DBIR [5] HIDS, NIDS, Log Review and Incident Response are responsible for between 1-4% of discovery methods (Figure, 44, p.54). I wonder how much of our IT $budget$ is spent on the tools that give us the 1-4%? We have to get that number higher! The facts point to unrelated parties as a primary means of detection. Getting a phone call is not a good way to receive an Indicator of Compromise (IOC).

Back to the origin of the post to come full circle? Why BPF, why  PCAP, why hex? To first defend against a thing you must understand a thing (Tzu, 1899). If we form a base understanding of opponents tactics along with the battlefield we can better defend!

 

Resources:

Conrey, F. R., Sherman, J. W., Gawronski, B., Hugenberg, K., & Groom, C. J. (2005). Separating multiple processes in implicit social cognition: the quad model of implicit task performance. J Pers Soc Psychol, 89(4), 469-487. doi:10.1037/0022-3514.89.4.469

Tzu, S. (1899). Sun Tzu's Art of  [online] Retrieved from: http://suntzusaid.com/book/3 [Accessed: 1 Dec 2013].

[1] http://www.tcpdump.org/papers/bpf-usenix93.pdf

[2] http://sourceforge.net/projects/honeydrive/

[3] https://code.google.com/p/security-onion/

[4] http://sourceforge.net/projects/adhd/

[5] http://www.verizonenterprise.com/DBIR/2013/

 

Incident Management Resources:

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/26-CIP_CyberAssessmentGuide.pdf

http://www.ietf.org/rfc/rfc2350.txt

http://www.cert.org/csirts/resources.html

http://www.iso27001security.com/html/27035.html

http://www.itu.int/en/ITU-D/Cybersecurity/Documents/ALERT.pdf

http://www.itu.int/ITU-D/membership/portal/index.asp?Name=45047

http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S6_Mohamad_Sazly_Musa.pdf

http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/CIRT-Desk-Reference.pdf

 

The Practice of Network Security Monitoring: Understanding Incident Detection and Response

by Richard Bejtlich http://amzn.com/1593275099

http://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791?show=incident-handling-process-small-medium-businesses-1791&cat=incident

http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641?show=computer-incident-response-team-641&cat=inciden

http://www.cert.org/csirts/csirt_faq.html

 

~Richard

@packetalien || rporter at isc dot sans dot edu

 

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

InfoSec Breaches 2013
Saudi Gazette
Saturday, 30 November 2013 - 26 Muharram 1435 H. Archives. Select Issue : Loading... HOME · KINGDOM · MID-EAST · WORLD · OPINION · ECONOMY · SPORTS · WEEKEND · CLASSIFIED ADS · SWIPE RIGHT. InfoSec Breaches 2013. Info-graph. Twitter.

 

99 percent Indian IT engineers lack secure programming skills
CanIndia News
The survey-cum-test “The Talent Crisis in InfoSec” was was conducted by EC-Council, a global leader in InfoSec certifications and training. Unveiling the findings, EC-Council president Jay Bavisi said that a mere 13 percent of engineering students were ...
99 pc Indian geeks lack programming skills!Free Press Journal

all 9 news articles »
 
Internet Storm Center Infocon Status