Archive

Archive for the ‘Publications’ Category

GFIRST 2011 Presentation Slides, Code, and Thoughts

August 12th, 2011 No comments

I’m sitting in my hotel room after just finishing my last session at US-CERT GFIRST in Nashville, TN. This was my first time at GFIRST both as an attendee and presenter, and I really had a great time. Where I’m originally from in Kentucky isn’t too far from Nashville so I am familiar with the area and the venue choice, the Gaylord Opryland Hotel, is a beautiful facility and top-notch for this kind of conference. I wanted to take a moment to address where people can find the resources for my presentation as well as my thoughts on some of the presentations I had a chance to see and the conference as a whole.

My Presentation

Along with my friend and colleague Jason Smith, we presented a talk on Real World Security Scripting. At a bare minimum, we wanted to share some quick and dirty scripts we wrote to do some pretty neat things within our security operations center (SOC) at SPAWAR. At a higher level, we really hoped that we could encourage some people to get involved with low level BASH, Python, and PERL scripting to automate tasks within their SOC environment as well as increase capabilities of the SOC and its staff. We generated quite a bit of interest, and as a result it looks like several people were turned away because the room was filled to fire code capacity. Our sincere apologies to those who missed the talk. We got some really positive feedback from folks who did make it to the presentation.

As promised, we will be releasing our slides and source code for the presentation. The slides can be downloaded here. As for the source code, we are maintaining the distribution release on https://www.forge.mil, which requires a DOD CAC or ECA certificate to access. I understand that a lot of government folks outside of DOD don’t have access to forge.mil, so we are trying to find another place to host this code where we can control access to only people in the .gov or .mil space. In the meantime, if you would like to get copies of the code, please e-mail me at my mil address (chris.sanders.ctr@nsoc.med.osd.mil) from your mil/gov address and I will get it over to you. We are hoping to get all of that bundled up by next week.

Presentations I Attended

Keynote Panel Discussion – “Unplug to Save”

I started the week on Tuesday by attending the opening ceremony in which there was a panel discussion between several leaders in the government cyber defense community. The panel included Winn Schwartau, Mark Bengel, Doris Gardner, John Linkous, and John Pray, Jr. and was moderated by Bobbie Stempfley. If you aren’t familiar with those individuals I’ll leave the Googling to you :).

 

The discussion was centered on the concept of “unplug to save”, focusing on whether it was an acceptable solution to unplug an entity from the Internet in order to prevent a catastrophic event from occurring as a result of a cyber attack. The panel was split and brought up several good points about the interdependencies between certain aspects of government and national defense, namely citing the ones that were unknown. Truth be told, sometimes we just don’t know the effect removing certain networks from the Internet would have. I’m of the opinion that in some cases hitting the kill switch is the best policy, but that is only in an extreme and I’m not sure who that authority should be put on. The panel also got into a discussion of the inherently flawed nature of the Internet and the need for an architecture redesign. That was all fine and dandy and I won’t disagree…but until some form of governing body takes on the task of redesigning the fundamental protocols of the Internet and it is taken seriously then this is just a pie in the sky dream.

 

The only thing that really irked me during the discussion was when one of the panelists mentioned how we could “solve the cyber problem” by hiring the types of hackers who can’t get clearances. It would seem to me that doing such a thing would be a prime way to generate more Bradley Manning-esque cases. Granted, Manning wasn’t a computer security expert by any means, but imagine what someone with his kind of access could do with a bit of hacking knowledge. I’d just as soon we make cyber jobs within the government more attractive to young professionals so that they stay on the straight and narrow instead of the USG resorting to hiring criminals.


Internet Blockades

This talk was presented by Dr. Earl Zmijewski from Renesys and was one of the talks I enjoyed the most. He described several types of Internet censoring, blocking, and filtering techniques used across the world, citing recent examples of Egypt, Libya, North Korea, and of course, the great firewall of China. All of his examples had technical data to back them up, which really left me satisfied. Random fact – N. Korea only has 768 public IP addresses.


Using Differential Network Traffic Analysis to Find Non-Signature Threats

This talk was centered on the creation of metadata from layer 7 data on the network. This isn’t entirely a new concept, but it’s one that most people are just now keying in on. The general idea is that you can strip out only the layer 7 data from HTTP/DNS/EMail streams, index it, and store it so that you can perform analysis on it. The benefit here is that the amount of disk space required for storage of this type of data is much less than storing full PCAP, allowing for more long term analytics. The talk was presented by David Cavuto from Narus, who did describe a few useful analytics I hadn’t thought of. For example, collecting the length of HTTP request URIs and computing the standard deviation of those lengths to look for outliers. This could potentially find incredibly long or incredibly short URIs that might be generated by malicious code.
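The URI-length analytic from that talk, as an added example written for this post (it is not code from the talk or from Narus): it pulls request URIs out of a handful of constructed Apache-style access-log lines, flags any whose length sits more than two standard deviations from the mean, and, as a caveat the talk did not get into, also runs a median-based (MAD) variant, because one enormous URI inflates the standard deviation enough to hide moderately odd ones in the same batch. The log lines and the long query string are constructed, not captured.

```python
import re
import statistics

# Constructed Apache-style access log lines (not from the talk or the original
# post). The last request carries an abnormally long query string of the kind
# the talk suggested hunting for.
LONG_ID = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5" * 3
LOG_LINES = [
    '10.0.0.5 - - [12/Aug/2011:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.5 - - [12/Aug/2011:10:01:03 -0500] "GET /css/site.css HTTP/1.1" 200 812',
    '10.0.0.7 - - [12/Aug/2011:10:01:05 -0500] "GET /images/logo.png HTTP/1.1" 200 4410',
    '10.0.0.7 - - [12/Aug/2011:10:01:06 -0500] "GET /about/team.html HTTP/1.1" 200 2210',
    '10.0.0.9 - - [12/Aug/2011:10:01:08 -0500] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Aug/2011:10:01:09 -0500] "GET /account/summary HTTP/1.1" 200 3310',
    '10.0.0.12 - - [12/Aug/2011:10:01:11 -0500] "GET /news/2011/08/gfirst.html HTTP/1.1" 200 5120',
    '10.0.0.12 - - [12/Aug/2011:10:01:12 -0500] "GET /js/app.js HTTP/1.1" 200 9001',
    '10.0.0.21 - - [12/Aug/2011:10:01:15 -0500] "GET /search?q=packet+analysis HTTP/1.1" 200 2500',
    f'10.0.0.33 - - [12/Aug/2011:10:01:20 -0500] "GET /x.php?id={LONG_ID} HTTP/1.1" 200 44',
]

# The request line sits between the first pair of double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')


def request_uris(lines):
    """Pull the request URI out of each access-log line, skipping lines that don't parse."""
    uris = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            uris.append(m.group("uri"))
    return uris


def zscore_outliers(uris, threshold=2.0):
    """Flag URIs whose length is more than `threshold` standard deviations from the mean.

    Returns (uri, length, z) tuples. This is the analytic the talk described.
    """
    lengths = [len(u) for u in uris]
    if len(lengths) < 2:
        return []
    mean = statistics.mean(lengths)
    sd = statistics.pstdev(lengths)
    if sd == 0:
        return []
    return [(u, n, (n - mean) / sd)
            for u, n in zip(uris, lengths)
            if abs(n - mean) / sd > threshold]


def mad_outliers(uris, threshold=3.5):
    """Robust variant (added here, not from the talk): modified z-score from the
    median and the median absolute deviation. A single huge URI inflates the
    standard deviation and can mask moderate outliers; the median is not moved by it.
    """
    lengths = [len(u) for u in uris]
    if not lengths:
        return []
    med = statistics.median(lengths)
    mad = statistics.median([abs(n - med) for n in lengths])
    if mad == 0:
        return []
    return [(u, n, 0.6745 * (n - med) / mad)
            for u, n in zip(uris, lengths)
            if abs(0.6745 * (n - med) / mad) > threshold]


if __name__ == "__main__":
    uris = request_uris(LOG_LINES)
    for uri, n, z in zscore_outliers(uris):
        print(f"stddev outlier: len={n} z={z:.2f} {uri[:60]}...")
    for uri, n, z in mad_outliers(uris):
        print(f"MAD outlier:    len={n} z={z:.2f} {uri[:60]}...")
```

On this sample both scores flag only the padded `/x.php?id=...` request; in a real SOC you would compute the baseline per host or per client over a long window of the stored metadata, which is exactly what the smaller layer 7 footprint makes affordable.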

 

Unfortunately, being a vendor talk, Mr. Cavuto didn’t provide anything that would help people generate layer 7 metadata, but he did have a product he was selling that would do it. Fortunately, I have some code that will generate this type of metadata from PCAP. I’m going to button that up and release it here at some point…for free :)


Getting Ahead of Targeted and Zero-Day Malware Using Multiple Concurrent Detection Methodologies

This was, by far, my favorite presentation of the week. It was given by Eddie Schwartz, the new CSO at RSA. The talk was centered around investing time in the right areas of analysis. Namely, looking across the data sources that matter and not relying on the IDS to do all the work. Once Mr. Schwartz releases his slides I would recommend checking them out. He is a man who understands intrusion detection and how to make it effective. My favorite part of his talk was something he said a couple of times: Yes, doing it this way is hard. Suck it up. It gets easier.


They Are In Your Network, Now What?

This talk was presented by Joel Esler of Sourcefire. Joel is a really smart guy and a great presenter and he didn’t disappoint. My big take away from this one was his discussion of Razorback, which I really think is going to be one of the next big things in intrusion detection. I think a lot of the crowd missed the point on this. There were a lot of complaints because of the amount of legwork required to integrate the tool, but I think most of those people were overlooking the early stage the tool was in and the potential impact of the community released nuggets and detection plugins. I played with Razorback when it was first released and look forward to digging into it again once some of the setup and configuration pains are eased. I’ve already thought of quite a few nuggets that I could possibly write for it.


Analysis Pipeline: Real-time Flow Processing

I’m a huge fan of SiLK for netflow collection and analysis so I was excited to hear Daniel Ruef from CERT|SEI talk about Analysis Pipeline, a component that adds some cool flexibility to SiLK. Overall, I was really impressed with the capability and am looking forward to playing with the next version when it comes out in a couple of months. I always say that if you aren’t collecting netflow you are missing out on some great data, and SiLK is a great way to start collecting and parsing netflow for free. If you are already using SiLK, please do yourself a favor and look into the free add-on Analysis Pipeline.


Advanced Command and Control Channels

I thought this was an awesome overview of traditional and more advanced C2 channels that malware use. I don’t think anything here was really new, but the way the presentation was broken down was very intuitive and the examples that were given were rock solid. This was given by Neal Keating, a cyber intel analyst with the Department of State.


Final Thoughts

I really enjoyed the conference and honestly consider it one of the best and most relevant conferences for folks in cyber security within the gov/mil space. My only major complaint was that a few vendors managed to sneak their way into speaking and basically giving product sales pitches rather than technical talks. I’m hoping that feedback will make it back to the US-CERT folks and more effort will go into preventing that from happening in the future. I hate showing up to a talk that I hope to learn something from and being drilled with sales junk about products I don’t want. Yes, I’m looking at you General Dynamics and Netezza.

 

Overall, the staff did a great job of organizing and I’d be happy to have the opportunity to attend and speak at GFIRST 2012 in Atlanta next year.


TL;DR – Real World Security Scripting Presentation Slides – http://chrissanders.org/pub/GFIRST2011-SandersSmith.pdf – Please e-mail me for full code.

 

Practical Packet Analysis, 2nd Edition Released

July 5th, 2011 No comments

I’m very excited to announce that my latest book, Practical Packet Analysis, Second Edition, has been released. Even more so, I’m thrilled that 100% of author proceeds for this book will be going to support the Rural Technology Fund to provide scholarships to students from rural areas pursuing further education in computer related sciences. You can read more about the Rural Technology Fund at http://www.ruraltechfund.org.

Book Description

It’s easy to capture packets with Wireshark, the world’s most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what’s happening on your network?

With an expanded discussion of network protocols and 45 completely new scenarios, this extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data. You’ll find new sections on troubleshooting slow networks and packet analysis for security to help you better understand how modern exploits and malware behave at the packet level. Add to this a thorough introduction to the TCP/IP network stack and you’re on your way to packet analysis proficiency.

Learn how to:

  • Use packet analysis to identify and resolve common network problems like loss of connectivity, DNS issues, sluggish speeds, and malware infections
  • Build customized capture and display filters
  • Monitor your network in real-time and tap live network communications
  • Graph traffic patterns to visualize the data flowing across your network
  • Use advanced Wireshark features to understand confusing captures
  • Build statistics and reports to help you better explain technical network information to non-techies

Practical Packet Analysis is a must for any network technician, administrator, or engineer. Stop guessing and start troubleshooting the problems on your network.

 

As is tradition for me, I wanted to be sure and post the dedication and acknowledgments for this book here. My success is the direct result of some very positive influences in my life who deserve to be recognized.

Dedication

This book, my life, and everything I will ever do is a direct result of faith given and faith received. This book is dedicated to God, my parents, and everyone who has ever shown faith in me.

I tell you the truth, if you have faith as small as a mustard seed, you can say to this mountain, “Move from here to there” and it will move. Nothing will be impossible for you.

Matthew 17:20

Acknowledgments

This book was made possible through the direct and indirect contributions of a great number of people.

First and foremost, all the glory goes to God. Writing a book brings forth a great deal of positive and negative emotion. When I am stressed, He brings me comfort. When I am frustrated, He brings me peace. When I am confused, He brings me resolve. When I am tired, He brings me rest. When I am prideful, he keeps me level-headed. This book, my career, and my existence are possible only because of God and his son Jesus Christ.

Dad, I draw motivation from a lot of sources, but nothing makes me happier than to hear you say that you are proud of me. I can’t thank you enough for letting me know that you are.

Mom, the second edition of this book will be released right before the ten-year anniversary of your passing. I know you are watching over me and that you are proud, and I hope I can continue to make you even prouder.

Aunt Debi and Uncle Randy, you guys have been my biggest supporters since day one. I don’t have a large family, but I treasure what I do have, and especially you guys. Although we don’t get together near as much as I’d like, I can’t thank you enough for being like a second set of parents to me.

Tina Nance, we don’t get to talk nearly as much as we used to, but I will always consider you my second mom. I wouldn’t be doing what I’m doing today without your support and belief in me.

Jason Smith, you’ve listened to more of my frequent rants than anyone else, and just that has helped me keep sane. Thanks for being a great friend and coworker, providing input on various projects, and letting me use your garage for like six months that one time.

Regarding my coworkers (past and present), I’ve always believed that if a person surrounds himself with good people, he will become a better person. I have the good fortune of working with some great people who are some of the best and brightest in the business. You guys are my family.

Mike Poor, you are my packet-analysis idol without equivocation. Your work and approach to what you do are inspiring and help me do what I do.

Tyler Reguly, thanks so much for tech-editing this book. I’m sure it wasn’t a fun process, but it was absolutely necessary and absolutely appreciated.

Thanks also to Gerald Combs and the Wireshark development team. It’s the dedication of Gerald and the hundreds of other developers that makes Wireshark such a great analysis platform. If it weren’t for their efforts, this book wouldn’t exist … or if it did, it would be based on tcpdump, and that wouldn’t be fun for anyone.

Bill and the No Starch Press staff took a chance on a kid from Kentucky not just once, but twice. Thanks for doing it, having patience with me, and helping me make my dreams come true.

Purchase and Review Copies

If you would like to purchase a copy of the book, you can do so at any major book retailer. If you purchase a copy, please consider leaving a review at the book Amazon page here: http://www.amazon.com/gp/product/1593272669/ref=s9_simh_gw_p14_d0_i1?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=12JJWB02H8ZAZM64ZNFN&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846. If you are interested in a review copy, please e-mail me at chris@chrissanders.org.

 

Practical Packet Analysis, 2nd Edition – Coming in 2010!

September 24th, 2009 No comments

I haven’t exactly kept this one a complete secret, but I’ve confirmed with the great folks over at No Starch Press and have begun work on the second edition of Practical Packet Analysis. The second edition will contain over 60% new content including ALL new scenarios and capture files, a very unique take on security at the packet level, much more detailed coverage of wireless packet analysis, and even VoIP! A target release date has not been officially set, but expect something in Q1-Q2 2010.


Have ideas for the second edition? Things you liked? Didn’t like? Want to contribute? Let me know!


Categories: Publications Tags:

September Windows Security Articles

September 23rd, 2009 No comments

Howdy Folks,

 

I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.

 

September 2nd – Securing Application Execution with Microsoft AppLocker

September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8


Enjoy!

Categories: Publications Tags:

Wireless Sniffing Article in June Issue of (In)Secure Magazine

June 1st, 2009 No comments

The newest issue of (In)Secure Magazine has been released today. This issue contains an article I’ve written entitled “Using Wireshark to Capture and Analyze Wireless Traffic”.

 

Article Introduction:

 

The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.

 
In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the 802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.

The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.
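As an added example for the frame-header material the article introduces (this is not code from the article or from the magazine), the following decodes the 802.11 MAC header in the form a capture on a monitor-mode interface presents it: the frame control type and subtype, the To-DS/From-DS flags that decide which of the three (or four) address fields is source, destination and BSSID, the sequence number, and the reason code carried by a deauthentication frame. It then counts deauthentication frames per BSSID, which is the quickest tell of a deauth flood against an access point. The four frames are constructed by hand with no radiotap or PPI pseudo-header in front of them; the MAC addresses are made up.

```python
import struct

# Constructed example frames (not captures from the article). Each is a raw
# 802.11 MAC frame with no radiotap/PPI pseudo-header in front of it.
BEACON = bytes.fromhex(
    "8000"          # frame control: type 0 (management), subtype 8 (beacon)
    "0000"          # duration
    "ffffffffffff"  # addr1 = DA (broadcast)
    "001122334455"  # addr2 = SA (the access point)
    "001122334455"  # addr3 = BSSID
    "1020"          # sequence control (little-endian 0x2010): seq 513, frag 0
)
DEAUTH = bytes.fromhex(
    "c000" "3a01"   # type 0 (management), subtype 12 (deauthentication); duration 314
    "aabbccddee01"  # addr1 = DA (the client being kicked)
    "001122334455"  # addr2 = SA
    "001122334455"  # addr3 = BSSID
    "a003"          # sequence control: seq 58, frag 0
    "0700"          # body: reason code 7 (class 3 frame from a non-associated station)
)
DATA_FROM_AP = bytes.fromhex(
    "0802"          # type 2 (data), subtype 0; flags byte 0x02 = From-DS
    "2c00"
    "aabbccddee01"  # addr1 = DA (client)
    "001122334455"  # addr2 = BSSID
    "00aabbccddee"  # addr3 = SA (wired host behind the AP)
    "5001"          # sequence control: seq 21, frag 0
    "aaaa03000000"  # start of an LLC/SNAP payload (constructed)
)
ACK = bytes.fromhex("d400" "0000" "001122334455")  # type 1 (control), subtype 13 (ACK)

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
SUBTYPES = {
    0: {0: "association-request", 1: "association-response",
        2: "reassociation-request", 3: "reassociation-response",
        4: "probe-request", 5: "probe-response", 8: "beacon", 9: "atim",
        10: "disassociation", 11: "authentication", 12: "deauthentication",
        13: "action"},
    1: {8: "block-ack-request", 9: "block-ack", 10: "ps-poll", 11: "rts",
        12: "cts", 13: "ack", 14: "cf-end", 15: "cf-end+cf-ack"},
    2: {0: "data", 4: "null", 8: "qos-data", 12: "qos-null"},
}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame):
    """Decode the 802.11 MAC header: frame control, address roles, sequence number."""
    if len(frame) < 10:
        raise ValueError("frame shorter than the smallest 802.11 header (ACK/CTS)")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3        # bits 2-3 of the first frame-control byte
    subtype = (fc0 >> 4) & 0xF      # bits 4-7
    flags = {"to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
             "more_frag": bool(fc1 & 0x04), "retry": bool(fc1 & 0x08),
             "protected": bool(fc1 & 0x40)}
    out = {"type": FRAME_TYPES[ftype],
           "name": SUBTYPES.get(ftype, {}).get(subtype, f"subtype-{subtype}"),
           "duration": duration, "flags": flags, "addresses": {}}

    if ftype == 1:  # control frames carry one or two addresses and no sequence control
        out["addresses"]["RA"] = _mac(frame[4:10])
        if subtype in (8, 9, 10, 11, 14, 15) and len(frame) >= 16:
            out["addresses"]["TA"] = _mac(frame[10:16])
        return out

    if len(frame) < 24:
        raise ValueError("management/data frame shorter than the 24-byte header")
    # Which address is which depends on To-DS/From-DS; management frames use the
    # same layout as data frames with both flags clear.
    if flags["to_ds"] and flags["from_ds"]:
        roles = ("RA", "TA", "DA")
    elif flags["to_ds"]:
        roles = ("BSSID", "SA", "DA")
    elif flags["from_ds"]:
        roles = ("DA", "BSSID", "SA")
    else:
        roles = ("DA", "SA", "BSSID")
    for i, role in enumerate(roles):
        out["addresses"][role] = _mac(frame[4 + 6 * i:10 + 6 * i])
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    out["fragment"] = seq_ctl & 0xF
    out["sequence"] = seq_ctl >> 4
    body = 24
    if flags["to_ds"] and flags["from_ds"] and len(frame) >= 30:
        out["addresses"]["SA"] = _mac(frame[24:30])  # addr4 exists only in WDS frames
        body = 30
    # Deauthentication and disassociation bodies start with a 16-bit reason code.
    if ftype == 0 and subtype in (10, 12) and len(frame) >= body + 2:
        out["reason_code"] = struct.unpack_from("<H", frame, body)[0]
    return out


def deauth_counts(frames):
    """Count deauthentication frames per BSSID; a spike is the usual deauth-flood tell."""
    counts = {}
    for f in frames:
        p = parse_80211(f)
        if p["name"] == "deauthentication":
            bssid = p["addresses"].get("BSSID")
            counts[bssid] = counts.get(bssid, 0) + 1
    return counts


if __name__ == "__main__":
    for f in (BEACON, DEAUTH, DATA_FROM_AP, ACK):
        print(parse_80211(f))
    print(deauth_counts([BEACON, DEAUTH, DEAUTH, DATA_FROM_AP]))
```

Feeding it real traffic means stripping the radiotap header first (its length is the little-endian 16-bit value at offset 2 of the capture record) and skipping frames whose FCS failed, since a corrupt frame control byte will classify the frame as something it is not.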

You can view the full article in the (In)Secure Magazine June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.

WindowsSecurity.com Article on Securing Terminal Services

June 1st, 2009 No comments

The great folks over at the TechGenix website WindowsSecurity.com have published my article on Locking Down Windows Server 2008 Terminal Services. This article is a fairly detailed list of things you can do to make sure your Terminal Server infrastructure is more secure.

 

You can view the article here:

 

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html

InSecure Magazine and WindowsNetworking.com Articles

May 7th, 2008 No comments

I’ve been pretty busy the past few weeks. I’ve just had an article published in InSecure Magazine entitled “Using Packet Analysis for Network Troubleshooting”, which can be seen here. Also, the great folks over at TechGenix just published my article entitled “Deploying Microsoft Windows Server Update Services (WSUS)” on WindowsNetworking.com, which can be seen here.

More coming soon!

Categories: Publications Tags:

Guest Post on TheLazyAdmin.com – WSUS FAQ

April 10th, 2008 No comments

Dan Nerenberg over at TheLazyAdmin.com has just published a guest post from me about WSUS. If you have never heard of this site, then I’d highly recommend adding it to your daily reads. Originally started by former MVP and current Microsoft employee Rodney Buike, it contains a great deal of informative content.

The post is a detailed WSUS FAQ. If you are considering deploying WSUS but have some questions, then chances are that this FAQ will answer at least a couple of them. Check it out here.

Practical Packet Analysis Error Fixes and Second Printing

February 29th, 2008 No comments

As many of you who are trying to buy a copy of PPA have probably noticed, it is sold out pretty much everywhere. This is because the first printing was in such high demand that it sold out completely. As with most technical books, there were some errors that didn’t get caught in the technical editing phase, so we have been waiting on those to get fixed before reprinting the book. Those are now fixed and the book was sent back to the printers the early part of this week. This means that the book should be back on the shelf in 4-6 weeks. Thanks to all of those who have bought or plan on buying a copy!

Categories: Packet Analysis, Publications Tags:

Packet Analysis Interview by SearchNetworking.com

August 3rd, 2007 No comments

I recently did an interview with Tessa Parmenter of SearchNetworking.com regarding Packet Analysis, as well as my book. You can read the interview in its entirety here.

Categories: Publications Tags:

PPA Sample Chapter

May 23rd, 2007 No comments

Several people have asked me to see a sample chapter of the book, and you can see one by going to the publisher’s purchasing page here:

http://www.nostarch.com/frameset.php?startat=packet_cs

That has a sample chapter (Chapter 6: Common Protocols) which really gives a good feel for the book. It is really the transition from the core knowledge part of the book to the case scenarios and practical knowledge. The best of both worlds!

Categories: Publications Tags:

PPA Book Acknowledgements

May 21st, 2007 2 comments

I consider the acknowledgements section the absolute most important part of my book. As a matter of fact, it was something I was constantly working on from the book’s inception to its finish. That being the case, I thought it very appropriate that I post a copy of those acknowledgements here. I attribute very little of my success to myself, because it is the people around me who give me the ability to do what I do.

 

Acknowledgments

First and foremost, I would like to thank God for giving me the strength and fortitude it took to complete this project. When my to-do list piled up higher and higher and there was no end in sight, he was the one who helped me through all of the stressful times.

I want to thank Bill, Tyler, Christina, and the rest of the team at No Starch Press for giving me the opportunity to write this book and allowing me the creative freedom to do it my way. I would also like to thank Gerald Combs for having the drive and motivation to maintain the Wireshark program, as well as performing the technical edit of this book. A special thanks goes out to Laura Chappell, as well, for providing some of the best packet analysis training materials you will find, including several of the packet captures used here.

Personally speaking, I would like to thank Tina Nance, Eddy Wright, and Paul Fletcher for helping me along the path that has led me to this high point in my career. You guys have been great spiritual and professional mentors as well as great friends. Along with that, I have several amazing friends who managed to put up with me while I was writing this book, which is an accomplishment in itself. With that being the case, I would like to extend a very special thank you to Barry, Beth, Mandy, Chad, Jeff, Sarah, and Brandon. I couldn’t have done it without you guys behind me.

Mostly, however, I want to thank my loving parents, Kenneth and Judy Sanders. Dad, even though you have never laid hands on a computer, your constant support and nurturing is the reason all of this was possible. Nothing makes me more driven than to hear you say that you are proud of me. Mom, you have been gone from us for five years as of the writing of this book, and although you couldn’t be around to see this achievement, you are always in my heart, and that is my true driving force. The passion you showed for living life is what has inspired me to be so passionate in what I do. This book is every bit as much your accomplishment as it is mine.

Categories: Personal, Publications Tags:

PPA Purchasing Links

May 18th, 2007 No comments

 

As you have probably already noticed, Practical Packet Analysis has been released! I received my author copies yesterday, so that means it should be hitting the shelves of all the major resellers in the next few days. That being said, I have been broadcasting the Amazon link as a place to purchase it on the web, but now I have a couple of other links I’d like to push.

For a bigger discount, you can purchase the book directly through the publisher for $30.00 using this link:

http://www.nostarch.com/frameset.php?startat=packet_cs

 

If you would still rather buy from amazon, please use my affiliate link here:
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems

 

Thanks for all of your support! Contest winners will be announced soon!

Categories: Publications Tags:

Practical Packet Analysis Book Layout

April 18th, 2007 No comments

I have had several people ask about the layout of the chapters in the upcoming book, so now that I have something formal typed up, here ya go:

Chapter 1: Packet Analysis and Network Basics
What is packet analysis? How does it work? How do you do it? This chapter covers the very basics of network communication and packet analysis.
Chapter 2: Tapping into the Wire
This chapter goes through the different techniques you can use to place a packet sniffer on your network.
Chapter 3: Introduction to Wireshark
Here, we’ll look at the basics of Wireshark—where to get it, how to use it, what it does, why it’s great, and all of that good stuff.
Chapter 4: Working with Captured Packets
Once you get Wireshark up and running, you will want to know the basics of interacting with captured packets. This is where you’ll learn.
Chapter 5: Advanced Wireshark Features
Once you have learned to crawl, it’s time to take off running with the advanced Wireshark features. This chapter delves into these features and goes under the hood to show you things that aren’t always so apparent.
Chapter 6: Common Protocols
This chapter shows what some of the most common network communication protocols look like at the packet level. In order to understand how these protocols can malfunction, you first have to understand how they work.
Chapter 7: Basic Case Scenarios
This chapter contains the first set of real-world case scenarios. Each scenario is presented in an easy-to-follow problem, analysis, solution format. These basic scenarios deal with only a few computers and involve a limited amount of analysis—just enough to get your feet wet.
Chapter 8: Fighting a Slow Network
The most common problems network technicians hear about generally involve slow network performance. This chapter is devoted to solving these types of problems.
Chapter 9: Security-Based Analysis
Network security is the biggest hot-button topic in network administration. Because of this, Chapter 9 shows you the ins and outs of solving security-related issues with packet analysis techniques.
Chapter 10: Sniffing Into Thin Air
The last chapter of the practical section of the book is a primer on wireless packet analysis. This includes what is different about wireless analysis as opposed to wired analysis, as well as a quick case scenario involving these techniques.
Chapter 11: Conclusion and Further Reading
The final chapter of the book sums up what you have learned and includes some other reference tools and websites you might find useful as you continue to use the packet analysis techniques you have learned.

Release date is less than a month away! Get your copy purchased now before the price goes up!

Purchase Here At Amazon.com!

Categories: Packet Analysis, Publications Tags:

5 Things You Need to Know About Virtual Server on WindowsDevCenter

February 15th, 2007 No comments

I have just had a full length article published on WindowsDevCenter.com entitled “Five Things You Need to Know about Virtual Server”. It is a great introductory article about Virtual Server and the benefits it provides, as well as how to install it and do some basics things with it. You can view the article on the front page of WindowsDevCenter.com or directly by clicking here.