Category Archives: Training

Cuckoo’s Egg – Week 2 Notes

Session Recording: (Available 11/17-11/30)

Next Week’s Registration:

This week, we reviewed chapters 4-8.

After setting up his monitoring system, Cliff observes another suspicious login using the Sventek account. Now, Cliff is better equipped to figure out what is going on and can monitor every command issued by the potential attacker. He reads the logs showing the activities taken by the attacker over a three-hour span. First of all, he notices that the attacker is logged in from Tymnet. This means the attacker could be coming from anywhere, as Tymnet was a global network. Cliff digs into the meat of the log and is alarmed to find that Sventek is operating as a superuser. That shouldn’t be possible!

The Principle of Least Privilege

In security, we operate under the principle of least privilege. This means that users on a system should only be allowed to do the bare minimum required to complete their task, and only for as long as they need to complete it. Users should not have administrative privileges to change the system, and applications should run under limited accounts rather than as an administrator. This ties directly to the concept of the attack surface. Any access an attacker has on a system provides points of interaction, and generally speaking, the more points of interaction the attacker has, the more opportunities they have to force applications or systems to respond in ways that might allow compromise. Those interaction points characterize the attack surface. The fewer of them we give a user, the smaller the attack surface is when an attacker compromises that user’s account.

In class, we completed an exercise where we mapped the privileges of various roles in a bank setting and analyzed the attack surface available to an attacker who controls each role. I also discussed mechanisms meant to ease the burden of least privilege, such as Windows User Account Control (UAC) and sudo on Linux. We are all sysadmins on our own mobile devices, and I discussed how those vendors have taken the approach of requiring us to consent to each application’s specific access requests based on the features it needs. Facebook was given as an example, along with screenshots showing everything it needs to access in order to provide its full array of features.

More Reading:

Dig Deeper Exercises:

  • Level 1:  Look at the permissions granted to a social media app on your phone. Try to map each permission to a specific function.
  • Level 2: On a Windows system, use a limited user account and attempt to perform an administrative action. Find an event log that indicates you took this action.
  • Level 3: On a Linux system, create a limited user account. Give it sudo privileges to perform administrative actions. Test this out, and find an event log indicating you took this action.
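As an added example that is not part of the original notes, the Python script below shows what the log trail from the Level 3 exercise looks like and how a defender might watch it. It parses a handful of constructed auth.log lines (a legitimate sudo by an admin, a denied sudo attempt, a usermod group change, and the sudo that follows it) and flags privilege use by accounts outside an expected admin set, as well as any account being added to a privileged group. The host name, the account names and the authorized_admins set are assumptions for the demonstration; the sudo and usermod line formats are the ones those tools write on Linux.

```python
import re

# Constructed sample auth.log lines (not real data): a legitimate sudo by an
# admin, a denied sudo by "sventek", the usermod that grants sventek sudo
# rights, and the escalation that follows.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:07 lblvax sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Nov 12 03:15:30 lblvax sudo:  sventek : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/sventek ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 12 03:16:01 lblvax usermod[2211]: add 'sventek' to group 'sudo'
Nov 12 03:16:01 lblvax usermod[2211]: add 'sventek' to shadow group 'sudo'
Nov 12 03:17:45 lblvax sudo:  sventek : TTY=pts/3 ; PWD=/home/sventek ; USER=root ; COMMAND=/bin/sh
Nov 12 03:18:02 lblvax sshd[2300]: Accepted password for sventek from 10.0.0.7 port 40112 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SUDO_RE = re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
GROUP_ADD_RE = re.compile(
    SYSLOG_PREFIX + r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'$"
)


def parse_sudo_fields(rest):
    """Split sudo's ' ; '-separated KEY=VALUE fields. A leading free-text
    segment such as 'user NOT in sudoers' is kept under the key 'status'."""
    fields = {}
    for seg in rest.split(" ; "):
        key, sep, value = seg.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
        else:
            fields["status"] = seg.strip()
    return fields


def analyze(log_text, authorized_admins, privileged_groups=("sudo", "wheel", "admin", "root")):
    """Return findings as dicts with kind/ts/user/detail, in log order."""
    authorized = set(authorized_admins)
    findings = []
    seen_group_adds = set()
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            fields = parse_sudo_fields(m["rest"])
            user = m["user"]
            if "NOT in sudoers" in fields.get("status", ""):
                findings.append({"kind": "sudo_denied", "ts": m["ts"],
                                 "user": user, "detail": fields.get("COMMAND", "")})
            elif user not in authorized:
                findings.append({"kind": "sudo_by_unauthorized_user", "ts": m["ts"],
                                 "user": user, "detail": fields.get("COMMAND", "")})
            continue
        m = GROUP_ADD_RE.match(line)
        if m and m["group"] in privileged_groups:
            key = (m["user"], m["group"])
            if key in seen_group_adds:
                continue  # usermod logs the group and the shadow-group add separately
            seen_group_adds.add(key)
            findings.append({"kind": "privileged_group_add", "ts": m["ts"],
                             "user": m["user"], "detail": m["group"]})
    return findings


if __name__ == "__main__":
    # Assumed admin set for the demo: only alice is expected to use sudo.
    for f in analyze(SAMPLE_AUTH_LOG, authorized_admins={"alice"}):
        print(f"{f['ts']}  {f['kind']:<26} {f['user']:<10} {f['detail']}")
```

Run against the sample, the denied attempt, the group change and the root shell are reported while alice’s apt run is not. The denied-attempt check fires regardless of the admin set: a failed sudo by anyone is worth seeing, and here it is the first sign of the attacker probing before the group change lands.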


Cliff continues to dig around and discovers how the attacker became a superuser. It turns out that the attacker found a bug in the GNU Emacs application related to how it moves mail files between users on the system. The application simply changed the ownership of a file without checking the privileges of whoever invoked it. Since the application was installed to run with superuser privileges, this allowed the attacker to trick it into copying a file such that it became owned by a privileged account. The attacker used this bug to replace the system’s atrun program, which executes every five minutes to conduct system administration tasks. When the attacker’s version of this program ran, it added the Sventek user to an administrative users group. This is exactly the failure least privilege guards against: a utility that needed elevated rights for one narrow task was trusted with the power to write any file as root.

As a superuser, the attacker begins pillaging the network. They read sensitive files and e-mails and look for passwords. The attacker also appears to be very paranoid, constantly looking over their shoulder. They enumerate who the system operators are and repeatedly check who is logged into the system and what processes are running.

Cliff presents these findings to his boss, who tells him to keep watching the attacker but not to take action yet. The monitoring system is refined to alert only when known compromised accounts login.

Process Monitoring

We use this opportunity to talk about process monitoring. The concept of a process is easy to understand, but we should give attention to the tools we can use to monitor running processes and their limitations. Active process monitoring is something done by defenders to look for suspicious or malicious processes. It is also something done by attackers to look for processes that might detect them or prevent them from accomplishing a goal.

In class, I demonstrated the ps command on Linux and discussed different ways to use it to look for running processes. I also demonstrated Process Explorer on a Windows system, as well as tasklist for command-line and remote process monitoring.

More Reading:

Dig Deeper Exercises:

  • Level 1: Choose three processes you use on a daily basis. Use the tools here to locate them and trace their parent processes as far as you can. Research what each parent process does.
  • Level 2: Compare your system to a clean system with no software installed (you may need to set up a virtual machine in a lab to do this). Identify what processes are unique to your system and those that are standard with the operating system.
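The two exercises above can be worked together with this added Python example (mine, not from the course materials). It builds a parent/child map from a process snapshot, traces any process back to init, and diffs the snapshot’s process names against a baseline set. The snapshot and the baseline are constructed for the demonstration; read_proc() shows how to take a real snapshot from /proc on Linux, including the one parsing trap in /proc/<pid>/stat that trips up naive scripts.

```python
import os

# Constructed process snapshot as (pid, ppid, name) tuples; not captured from
# a real host. It holds a normal ssh login chain plus a shell spawned by cron
# that in turn runs nc, the kind of ancestry worth a second look.
SAMPLE_PROCS = [
    (1, 0, "init"),
    (412, 1, "sshd"),
    (2300, 412, "sshd"),
    (2301, 2300, "bash"),
    (2377, 2301, "vim"),
    (500, 1, "cron"),
    (2400, 500, "sh"),
    (2401, 2400, "nc"),
]

# Assumed baseline: process names seen on a clean install of the same OS.
BASELINE_NAMES = {"init", "sshd", "bash", "cron"}


def build_tree(procs):
    """Map pid -> (ppid, name) for constant-time parent lookups."""
    return {pid: (ppid, name) for pid, ppid, name in procs}


def ancestry(tree, pid):
    """Follow parent links from pid toward the root.

    Returns [(pid, name), ...] beginning with pid itself. Stops when a parent
    is missing from the snapshot (it exited, or it is pid 0) or when a loop
    is hit; a snapshot of a live system can contain both because pids are reused.
    """
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, name = tree[pid]
        chain.append((pid, name))
        pid = ppid
    return chain


def non_baseline(procs, baseline_names):
    """Process names present in the snapshot but absent from the baseline."""
    return sorted({name for _, _, name in procs if name not in baseline_names})


def read_proc():
    """Take a live (pid, ppid, name) snapshot from /proc (Linux only).

    /proc/<pid>/stat looks like "2301 (bash) S 2300 2301 ...". The name is
    wrapped in parentheses and may itself contain spaces or ')', so cut at
    the LAST ')' instead of splitting the whole line on whitespace.
    """
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue  # the process exited between listdir() and open()
        close = stat.rfind(")")
        name = stat[stat.index("(") + 1:close]
        ppid = int(stat[close + 1:].split()[1])  # fields after ')': state, ppid, ...
        procs.append((int(entry), ppid, name))
    return procs


if __name__ == "__main__":
    tree = build_tree(SAMPLE_PROCS)
    for pid in (2377, 2401):
        print(" <- ".join(f"{n}[{p}]" for p, n in ancestry(tree, pid)))
    print("not in baseline:", non_baseline(SAMPLE_PROCS, BASELINE_NAMES))
    if os.path.isdir("/proc"):
        live = build_tree(read_proc())
        print("this interpreter:", ancestry(live, os.getpid()))
```

The parent chain is the part worth reading closely: vim under bash under sshd is an interactive login, while nc under sh under cron is a scheduled job that opened a network socket, which is how the attacker’s atrun replacement in the book would have looked from the process table. The baseline diff only tells you what is new; the ancestry tells you whether new is normal.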


In a discussion with one of Cliff’s colleagues, the attacker’s use of the ps command comes up. The attacker uses a flag (-g) that is supported on AT&T Unix but not on the Berkeley Unix that LBL runs. Someone wagers that the hacker is not from the West Coast, or he would be well versed in their flavor of Unix.

The attacker dials back in but doesn’t stay on LBL systems for long. Instead, they use LBL as a hop point to connect to a DoD server as the user Hunter. Cliff queries the NIC and finds that this address belongs to Anniston Army Depot in Alabama. He calls the system operator and explains what he observed. The operator is aware of the attacker having been there but thought he had been eradicated. It turns out that the attacker is using the same Emacs bug but is now coming in through LBL rather than through the front door. Cliff ponders the thought that the attacker might be southern, as it would explain the familiarity with AT&T Unix, which the Anniston systems ran.


Next Session

November 30th 7:30PM ET

Read Chapters 9-14

Register/Attend Here:


Cuckoo’s Egg – Week 1 Notes

Session Recording: (Available until 11/16)

Next Week’s Registration:

This week, we reviewed chapters 1-3.

We met Cliff Stoll, an astronomer turned computer wizard at Lawrence Berkeley Lab in California. One of Cliff’s first tasks is to figure out an accounting error that amounted to $0.75 of CPU time. He investigates and finds the error is tied to a mysterious user account named Hunter. He can’t find the source of the account, so he deletes it.

Locard’s Exchange Principle

We use this opportunity to discuss Locard’s Exchange Principle. Edmond Locard is considered by many to be the father of modern forensic science. His principle states, “The perpetrator of a crime will bring something into the crime scene and leave with something from it.” This is the basis for all forensic investigations. Locard has a particularly nice quote on the subject:

“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

In class, we discussed the principle as the basis for computer forensic investigations as well. We did a couple of activities to exercise our minds and think about things taken and left behind: one in relation to a physical theft, another in relation to the 2017 Equifax breach.

More Reading:

Dig Deeper Exercises:

  • Level 1: Pick a crime in your local newspaper and break down what could have been left behind.
  • Level 2: Pick an attack type from this list: Consider your network or make up a fictional network. Research the attack and determine what might be left behind and how you might gain visibility into it.


Cliff gets a weird e-mail from a system called DOCKMASTER. The system owner claims that someone from LBL tried to break into his computer. Eventually, Cliff figures out this system belongs to a naval shipyard. He correlates the timestamps provided by DOCKMASTER and finds the user Sventek was active at that time. He also discovers two logging systems reporting different timestamps for the same activity. While odd at first, this turns out to be clock drift between the two systems.



Timestamps

The investigation work Cliff is conducting is contingent on logs that contain timestamps, which he uses to perform time-based correlation. It’s easy to think of timestamps as a trivial thing, but they are far from it. Most investigations require examination of multiple data sources to build a clear picture of what events have transpired. To properly query data and sequence events, we need accurate timestamps.

There are multiple challenges between an investigator and reliable, consistent timestamps. We discussed syncing timestamps, time sources, network time protocol (NTP), W32Time, and how Windows domain members sync time. We also discussed the challenges associated with timezones and daylight savings time with plenty of confusing examples (Seriously, Samoa?)

I showed multiple examples of timestamps, and also showed a log collection pipeline and Logstash configuration files used to adjust timing and define timestamps. Finally, I listed a few best practices for dealing with timestamps that include: syncing all systems to the same source, utilizing UTC time in your investigation tools, and using ISO 8601 compliant timestamps.
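As an added example, not from the session materials, here is the normalization step described above in Python: four constructed log lines, each with a different timestamp style (syslog with no year or zone, a Windows 12-hour local time, ISO 8601 with an offset, and epoch seconds), are converted to UTC ISO 8601, corrected for a per-source clock skew like the one Cliff found between his two loggers, and sorted into a single timeline. The host names, messages, the 27-second skew and the assumption that the local hosts sit in US Eastern Standard Time are all made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Assumption for the demo: the local hosts sit in US Eastern and DST has
# already ended, so a fixed UTC-5 offset is correct. For hosts that observe
# DST, use a named zone (zoneinfo.ZoneInfo("America/New_York")) instead.
LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed events: (source style, raw timestamp as logged, clock skew of
# that source in seconds (positive = clock runs fast), message). Not real data.
EVENTS = [
    ("syslog",  "Nov 12 03:14:34",           27, "lblvax sshd: Accepted password for sventek"),
    ("windows", "11/12/2017 3:14:09 AM",      0, "winbox 4624: successful logon for sventek"),
    ("iso8601", "2017-11-12T00:14:11-08:00",  0, "dockmaster: login attempt from lbl"),
    ("epoch",   "1510474453",                 0, "netflow: outbound flow from lbl gateway"),
]


def normalize(source, raw_ts, default_year=2017, local_tz=LOCAL_TZ):
    """Convert one raw timestamp to an aware UTC datetime."""
    if source == "syslog":
        # No year and no zone in the line: both must be supplied from outside.
        # Lines logged just after New Year need the previous year, and
        # strptime defaults to 1900, which has no Feb 29.
        dt = datetime.strptime(raw_ts, "%b %d %H:%M:%S").replace(year=default_year, tzinfo=local_tz)
    elif source == "windows":
        # Local wall-clock time on a 12-hour clock, no zone.
        dt = datetime.strptime(raw_ts, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=local_tz)
    elif source == "iso8601":
        # Carries its own offset, so no assumption is needed.
        dt = datetime.fromisoformat(raw_ts)
    elif source == "epoch":
        # Seconds since 1970-01-01T00:00:00Z; always UTC by definition.
        dt = datetime.fromtimestamp(int(raw_ts), tz=timezone.utc)
    else:
        raise ValueError(f"unknown timestamp style: {source}")
    return dt.astimezone(timezone.utc)


def to_iso_utc(dt):
    """Render as ISO 8601 in UTC with a 'Z' suffix; these strings sort chronologically."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def correlate(events, **normalize_kwargs):
    """Normalize every event, subtract its source's clock skew, and return
    the merged timeline as (utc_iso, source, message), oldest first."""
    timeline = []
    for source, raw_ts, skew_seconds, message in events:
        corrected = normalize(source, raw_ts, **normalize_kwargs) - timedelta(seconds=skew_seconds)
        timeline.append((to_iso_utc(corrected), source, message))
    return sorted(timeline)


if __name__ == "__main__":
    for ts, source, message in correlate(EVENTS):
        print(f"{ts}  {source:<8} {message}")
    # Same events with the 27-second skew ignored: the syslog line now sorts last.
    print(correlate([(s, r, 0, m) for s, r, _, m in EVENTS])[-1])
```

Without the skew correction the syslog event sorts last instead of first, which is exactly the kind of misordering that wrecks a correlation and is why syncing every source to one time reference comes before any of the parsing. The fixed-offset zone keeps the script runnable without a tz database; on real hosts, record the zone alongside the timestamp or, better, log in UTC so there is nothing to convert.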

More Reading:

Dig Deeper Exercises:

  • Level 1: Determine where your system is syncing time from and change it to another source.
  • Level 2: Setup your own NTP server and configure your system to sync from it.
  • Level 3: Capture network traffic while syncing with your own NTP server. Examine each field, and try to determine the function of each one.


Cliff eventually learns that Sventek is not on campus and is unlikely to be using his own account. Considering the anomalies with the Hunter and Sventek accounts and the report from DOCKMASTER, Cliff begins to suspect someone has broken into his network. He takes matters into his own hands and builds a monitoring system. He writes a program to log keystrokes and places it between the system and the external modems. He connects physical printers to these lines to print out commands as people enter them while dialed in remotely. He sleeps in his office all weekend to monitor these connections and awakens one night to find something very interesting…


Next Week

November 16th 7:30PM ET

Read Chapters 4-8

Register/Attend Here:


The AND Student Charitable Profit Sharing Program

When I decided to launch Applied Network Defense, I did so with the intention of using it as a platform for making positive change in the world. We do that through our primary business model of educating people so that they can further their careers and secure their work. We also do that by donating a portion of every course purchase to charity. Thus far, those donations have helped introduce tens of thousands of kids to computer science education and save lives by outfitting entire villages in Africa with mosquito nets.

It’s time for the next evolution of our mission, and that is a student charitable profit sharing program. Now, AND students will have a say in where a portion of their course proceeds go. Periodically, AND students will have the opportunity to submit a charity to receive a donation. After nominations have been received, the collective group will vote and we will select 2-5 winners to receive a donation.

If you are a current or former student of mine, I want you to know that my life is enriched by having been able to interact with you. Now, I’m thrilled to be able to help you contribute to causes that matter to you as well. It’s very important that people who purchase training from AND know that they aren’t just educating themselves by doing so, they are enriching the lives of others too. This is another way for us to do that, together.


The Cuckoo’s Egg Decompiled: An Introduction to Information Security

I’m excited to announce my newest online course. This is unlike any course I’ve done before and I’m making it available completely free.

The Cuckoo’s Egg Decompiled is a cross between an online course and a book club. Starting on November 9th, we’ll get together every Thursday night at 7:30 PM ET. Our “textbook” will be Cliff Stoll’s epic “The Cuckoo’s Egg”…the book that launched the career of many infosec practitioners and required reading for the field!

Each week I’ll review a few chapters of the book and we’ll tie Cliff’s experiences to modern themes in computer security. This series is ideal for people who are new to information security or want exposure to other facets of the field, but anyone is welcome. All you need is an internet connection and (optional) a copy of the book.

How can I join?

The weekly sessions are hosted LIVE online and free to attend. All you need to do is sign up and login. You can register before the start of the next session. Registration IS REQUIRED and space is limited.

What will we do?

For each session, I’ll provide an overview of the reading and then lead a discussion about the topics presented in the book. I’ll tie in aspects of Cliff’s story to modern security themes, breaches, tools, and techniques. I’ll demonstrate techniques from the book that are still relevant, or their modern evolutions. You’ll have the opportunity to participate by chiming in with your own thoughts and experience, participating in group polls, or asking questions.

What work is required?

Ideally, you’ll come to each session having read the chapters we’ll discuss (I’ll tell you what those are ahead of time). Each week will cover around five chapters, which is only about 30-40 pages. Trust me, once you get started reading the book you’ll have a hard time putting it down. Couldn’t find the time to get the reading in this week? No problem, I’ll provide a quick rundown of the reading when we start.

What will I learn?

We’ll touch on a wide variety of information security topics. This will include but isn’t limited to: network architecture, host forensics, network forensics, packet analysis, security management, honeypots, malware, exploitation, attribution, lateral movement, encryption, network scanning, and espionage. You’ll have the opportunity to gain exposure to problem spaces spanning multiple infosec job roles and the underlying themes that tie them all together.

Who is this class designed for?

This course is specifically designed for people who are new to information security, those who have been in infosec for only a couple of years, or high school and college students. Topics will be discussed at an entry-level with a focus on stimulating curiosity and steering you towards additional resources if you want to learn more. Of course, while this group is designed to be entry-level, participation from experienced practitioners is also welcome!

Is participation required?

Absolutely not! Feel free to sit back and listen. If you’d like to join in I’ll open up the floor periodically to voice or video participation. There will also be a live chat going the whole time and I’ll be monitoring a hashtag on Twitter.

Will the sessions be recorded?

Yes, recordings will be made available until the next session begins. Live participation is highly encouraged so you can participate in the discussion and get the most out of the time. After the class is completed, the entire set of recordings, along with my instructional materials, will be made available for free to high schools, universities, and full-time students.

What if I miss a week?

No problem! You can catch one of the recordings and just read the chapters we would have covered.

What is the schedule?

We’ll plan to meet on these days, but this is subject to change as we get further along.

November 9, 16, 30

December 7, 13, 21

January 4, 11, 18, 25

Where can I get a copy of the book?

  1. You can buy a new copy from Amazon here
  2. Chances are, you might be able to find a friend or coworker who has a copy they will lend you
  3. Your local library might have a copy

How can I stay up to date on the event and changes?

Sign up for the group mailing list here.

Will this series be offered live again?

Probably not anytime soon. But, if this is successful there’s a good chance that I’ll do similar courses focused on different books.

Should I tell everyone I know about this course?

Only if you like them and want them to succeed in life. If you tweet about this course, use hashtag #cuckoosegg.

Where can I sign up?

Space is limited and registration is required. Click the button below to reserve your spot.


New Online Course: ELK for Security Analysis

I’m excited to announce the release of the ELK for Security Analysis online course! The course description follows. Registration is open now (with early bird pricing), and the course officially opens next month.

For more details, see:

You must master your data if you want to catch bad guys and find evil. But how can you do that? That’s where the ELK stack comes in.

ELK is Elasticsearch, Logstash, and Kibana and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course, it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.

You’ll learn the basics of:

  • Elasticsearch: How data is stored and indexed. Working with JSON documents.
  • Logstash: How to collect and manipulate structured and unstructured data.
  • Kibana: Techniques for searching data and building useful visualizations and dashboards.
  • Beats: Use the agent to ship data from endpoints and servers to your ELK systems.

I’ll also show you how to build complete data pipelines from ingest to search. This means you’ll get to watch step-by-step guides for dealing with security specific data types like:

  • HTTP Proxy Logs
  • File-Based Logs (Unix, auth, and application logs)
  • Windows Events & Sysmon Data
  • NetFlow Data
  • IDS Alerts
  • Dealing with any CSV file you’re handed
  • Parsing unstructured logs, no matter how weird they are

When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.

More details and registration: