Source Code S2: Episode 1 – Richard Bejtlich

We kick off season two by welcoming Richard Bejtlich onto the podcast. Richard spent the bulk of his career helping further the evolution of network security monitoring through stints at AFCERT, GE, and Mandiant. We talked about his career evolution, the future of computer network defense, the revolution of private intelligence, and how he almost became an astronaut.

You can find Richard on Twitter @taosecurity.

Listen Now:

You can also subscribe to it using your favorite podcasting platform:

 

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Richard know by tweeting at him @taosecurity. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

Special thanks to our title sponsor, Ninja Jobs!

 

 

Gaining Technical Experience with Deliberate Practice

When I moved to Georgia I started riding my mountain bike several times a week. Almost every other day I’d pop out of the office before lunch and ride three one-mile circuits on a trail near my house.  Six months after starting, I realized I’d never looked at the data collected by the trip logger on my bike. I thought it’d be really interesting to see how my speed had improved as I biked more.

I was pretty disappointed when I saw the data.

My performance hadn’t increased a bit.

After months of biking the same three miles, I had no noticeable gains in my cycling ability. I wasn’t finishing the ride any faster, and I wasn’t any less tired. What gives?

 

Me failing at life (dramatization).

 

I got angry and decided to spend some time focusing on performance. Hell hath no fury like a geek with the ability to collect data and manipulate independent variables. I looked up YouTube videos about cycling posture and breathing techniques. I also started reviewing my trip log after every ride and setting goals. I wanted the average of my ride times to improve by at least a few seconds every week.

After sticking with this regimen for just another month, the results were in. I had improved my performance by nearly 30%.

Why was I able to accomplish so much in a month after not making any progress in six months?

The answer is that I stopped riding mindlessly and began deliberately practicing.

 

Practice vs. Performance

We mostly think of practice vs. performance in terms of athletes, so let’s stick with that example. In a given basketball game lasting an hour, an active player might get up a dozen two-pointers, a few three-pointers, and a couple of layups. They might make about forty passes and jump for twenty rebounds. They might also run three offensive and defensive schemes twenty times each.

Now let’s compare those stats with a week of hour-long daily practice sessions as I’ve done in the table below.

 

1 Game 1 Week of Practice
Two pt shots 12 500
Three pt shots 3 500
Layups 2 200
Passes 40 1000
Rebound attempts 20 200
Offensive schemes 3 x 20 5 x 100
Defensive schemes 3 x 20 5 x 100

 

Clearly, what happens in a game performance is a much smaller subset of what is practiced. The purpose of practice is to develop individual skills in preparation for a performance. Practice is a planned, mindful exercise. An entire practice might be devoted to a single skill like shooting, or mastering a skill within a specific scenario, like rebounding in a man-to-man defense.

A performance combines every facet of your practice. Performance is full of surprise and unpredictable. While practice is actively thoughtful, performance generally involves acting out of muscle memory and getting into a zone that many psychologists called “flow”. Experts experience a much stronger state of flow because they’ve developed more muscle memory (both mentally, and physically).

 

The Secret of Practice

In the example I just described, you might notice that the amount of time allotted to practice is much greater than performance. Be careful though — the development of skill isn’t purely a function of time. That’s why my six months of riding trails showed no improvement in my cycling skill. It’s also why you drive a car every day but are probably ill-equipped to steer a race car around Daytona at 200mph.

The secret of building expertise through practice isn’t that experts log more hours of practice. Experts log higher quality practice.

Whether you’re an athlete or an analyst, the characteristics of high-quality practice are the same.

Requirement 1: A clearly defined long-term goal

The goal of practice is to perform well. What does peak performance look like? In sports, this usually means putting up good stats or winning a game. In intellectual pursuits, it might mean arriving at an accurate answer or completing a task quickly. High-quality practice works toward long-term goals.

Requirement 2: An understanding of the component parts of that goal

Performance is made up of multiple skills used in a variety of scenarios. High-quality practice requires that you understand your long-term goal well enough to break it down into these component parts so you can focus on them individually.

Requirement 3: 100% concentration and effort

Performance is all about muscle memory and flow, but those things are established in practice. You practice a skill several times so that when you really need to use it, you can do so quickly. Performance isn’t just about completing a task, it’s about doing it efficiently and effortlessly. To do this, you must be mindful of the task you’re performing and apply all your attention to it. This way, simpler tasks can become automatic and you can devote previous limited working memory resources to understanding other unknowns.

Requirement 4: Immediate and informative feedback

You practice so that you can get the mistakes out of your system. Of course, this requires that you’re able to spot the mistakes in the first place. You have to collect data and establish a feedback loop. Informative feedback is one reason coaching is so important. A coach’s primary role is to help spot the mistakes you’re making and equip you with the tools to overcome them.

Requirement 5: Repetition, reflection, and refinement

When you combine all the elements I’ve mentioned thus far, you get the blueprint for practice. High-quality practice means repeating skills, reflecting on how well you completed the skill, and refining your approach to the skill.  These things must all be deliberate. You have to practice with the goal of getting better. Just going through the motions won’t get you anywhere.

 

Out of Practice

Infosec practitioners stink at deliberate practice.

It’s something that most of us don’t spend any time thinking about. I ask every analyst I meet how they practice their craft. The answer I always get without fail is this:

 

Attacking a VM and/or reviewing the logs generated from the attacks can be an effective practice strategy, but most never follow through with it and even more don’t approach it the right way. If there were a graveyard for VMs built for this purpose but only used once, it’d be overflowing. I don’t want those VM’s to have died in vain, so I’m going to tell you how you can practice smarter.

 

Developing a Practice Plan

If you want to become an expert at anything and accelerate the accumulation of experience you need to deliberately practice it. You have to be strategic about how you focus your practice. I recommend creating a practice plan, which is built from a list of skills used during performance of a job and scenarios where you might encounter them.

In our basketball example, skills include shooting, passing, and rebounding. Scenarios include different schemes like man-to-man defense, dribble-drive offense, and inbounding plays. Multiple skills will be encountered differently based on the scenario where they are needed.

The same thing applies to information security. Consider the work of a malware analyst. Three skills you’ll use during reverse engineering include:

  1. Simulating responsive services
  2. Identifying imported code libraries
  3. Understanding network communication sequences

Those skills manifest differently depending on the situations you’ll encounter. Those situations can be defined a number of ways:

  1. Platform: Windows, Mac, or Linux
  2. Malware Function: Droppers, worms, exploits, RATs
  3. Malware Techniques: Registry persistence, VM detection, heap spraying, opening network listeners, keylogging

Now you have what you need to make a practice plan. You simply combine skills with the scenarios you’ll encounter them in. So, you might wind up practicing the following things:

  1. Simulating a DNS server to resolve a domain requested by an iOS dropper
  2. Identifying the code libraries imported by Windows malware to understand its purpose
  3. Understanding the network communication of a RAT to build IDS signatures

If you practice these things, you’ll be able to do them effortlessly when you’re under the gun to analyze a real malware sample you’ve found on your network.

This example is focused on malware analysis, but it can easily be applied to red teaming, alert review, threat hunting, web application development, socket programming, or just about any technical skill you can think of. You just need to clearly identify the skills and situations associated with the job.

 

Challenge

Now that you know about deliberate practice, I’m challenging you to take action. I want you to examine a facet of your job you want to get better at and break it down like I just did. Figure out the skills you need to be good at the job, and the scenarios where you’ll use those skills. Make a list of both and reply to the comments on this post with your practice plan.

 

The Cuckoo’s Egg Decompiled: An Introduction to Information Security

I’m excited to announce my newest online course. This is unlike any course I’ve done before and I’m making it available completely free.

The Cuckoo’s Egg Decompiled is a cross between an online course and a book club. Starting on November 9th, we’ll get together every Thursday night at 7:30 PM ET. Our “textbook” will be Cliff Stoll’s epic “The Cuckoo’s Egg”…the book that launched the career of many infosec practitioners and required reading for the field!

Each week I’ll review a few chapters of the book and we’ll tie Cliff’s experiences to modern themes in computer security. This series is ideal for people who are new to information security or want exposure to other facets of the field, but anyone is welcome. All you need is an internet connection and (optional) a copy of the book.

How can I join?

The weekly sessions are hosted LIVE online and free to attend. All you need to do is sign up and login. You can register before the start of the next session. Registration IS REQUIRED and space is limited.

What will we do?

For each session, I’ll provide an overview of the reading and then lead a discussion about the topics presented in the book. I’ll tie in aspects of Cliff’s story to modern security themes, breaches, tools, and techniques. I’ll demonstrate techniques from the book that are still relevant, or their modern evolutions. You’ll have the opportunity to participate by chiming in with your own thoughts and experience, participating group polls, or asking questions.

What work is required?

Ideally, you’ll come to each session having read the chapters we’ll discuss (I’ll tell you what those are ahead of time). Each week will cover around five chapters, which is only about 30-40 pages. Trust me, once you get started reading the book you’ll have a hard time putting it down. Couldn’t find the time to get the reading in this week? No problem, I’ll provide a quick rundown of the reading when we start.

What will I learn?

We’ll touch on a wide variety of information security topics. This will include but isn’t limited to: network architecture, host forensics, network forensics, packet analysis, security management, honeypots, malware, exploitation, attribution, lateral movement, encryption, network scanning, and espionage. You’ll have the opportunity to gain exposure to problem spaces spanning multiple infosec job roles and the underlying themes that tie them all together.

Who is this class designed for?

This course is specifically designed for people who are new to information security, those who have been in infosec for only a couple of years, or high school and college students. Topics will be discussed at an entry-level with a focus on stimulating curiosity and steering you towards additional resources if you want to learn more. Of course, while this group is designed to be entry-level, participation from experienced practitioners is also welcome!

Is participation required?

Absolutely not! Feel free to sit back and listen. If you’d like to join in I’ll open up the floor periodically to voice or video participation. There will also be a live chat going the whole time and I’ll be monitoring a hashtag on Twitter.

Will the sessions be recorded?

Yes, recordings will be made available until the next session begins. Live participation is highly encouraged so you can participate in the discussion and get the most out of the time. After the class is completed, the entire set of recordings, along with my instructional materials, will be made available for free to high schools, universities, and full-time students.

What if I miss a week?

No problem! You can catch one of the recordings and just read the chapters we would have covered.

What is the schedule?

We’ll plan to meet on these days, but this is subject to change as we get further along.

November 9, 16, 30

December 7, 13, 21

January 4, 11, 18, 25

Where can I get a copy of the book?

  1. You can buy a new copy from Amazon here
  2. Chances are, you might be able to find a friend or coworker who has a copy they will lend you
  3. Your local library might have a copy

How can I stay up to date on the event and changes?

Sign up for the group mailing list here.

Will this series be offered live again?

Probably not anytime soon. But, if this is successful there’s a good chance that I’ll do similar courses focused on different books.

Should I tell everyone I know about this course?

Only if you like them and want them to succeed in life. If you tweet about this course, use hashtag #cuckoosegg.

Where can I sign up?

Space is limited and registration is required. Click the button below to reserve your spot.

 

New Online Course: ELK for Security Analysis

I’m excited to announce the release of the ELK for Security Analysis online course! You’ll find the description of the course to follow. Registration is open now (with early bird pricing), and the course officially opens next month.

For more details, see: http://chrissanders.org/training/#elk

You must master your data If you want to catch bad guys and find evil. But, how can you do that? That’s where the ELK stack comes in.

ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course, it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.

You’ll learn the basics of:

  • Elasticsearch: How data is stored and indexed. Working with JSON documents.
  • Logstash: How to collect and manipulate structured and unstructured data.
  • Kibana: Techniques for searching data and building useful visualizations and dashboards.
  • Beats: Use the agent to ship data from endpoints and servers to your ELK systems.

I’ll also show you how to build complete data pipelines from ingest to search. This means you’ll get to watch step-by-step guides for dealing with security specific data types like:

  • HTTP Proxy Logs
  • File-Based Logs (Unix, auth, and application logs)
  • Windows Events & Sysmon Data
  • NetFlow Data
  • IDS Alerts
  • Dealing with any CSV file you’re handed
  • Parsing unstructured logs, no matter how weird they are

When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.

More details and registration: http://chrissanders.org/training/#elk

Rural Tech Fund Shirts

If you’re looking for a fun way to support the Rural Technology Fund, we’ve got shirts now! Our new “This Shirt Fights Poverty” shirt does exactly what the name says. All proceeds from the store go to support computer science education in rural and high-poverty classrooms.

You can grab your shirt here: https://shop.spreadshirt.com/ruraltechfund.

We have plenty of sizes, styles, and colors available.

If you bought a shirt, I’d love to see it! Take a picture and post it to the Rural Tech Fund Facebook page or tag on @RuralTechFund on Twitter!