Archive for the ‘Training’ Category

I’m Speaking at US-CERT GFIRST 2011 in August

May 28th, 2011

I’m excited to announce that I, along with my good friend and colleague Jason Smith, will be speaking at the DHS US-CERT Government Forum of Incident Response and Security Teams (GFIRST) Conference in August. The conference is being held the week of August 7-12 at the Gaylord Opryland Hotel in Nashville, TN. We will be speaking at 1 PM on Wednesday, August 10th.

Title: Real-World Security Scripting

Abstract:

Scripting serves several purposes within a security operations center (SOC). You can write scripts to automate common tasks, to perform actions on large amounts of data, or to perform calculations and correlation on data sets. Given a bit of time, an analyst can do great things with an interpreter and a little bit of elbow grease. Over the past few years our team has found that a lot of incredibly useful analysis tools can be created with only a minimal amount of programming knowledge.

In this presentation, we are going to educate our audience on how to get started with scripting for SOC related functions. Don’t be fooled though, this isn’t your typical scripting lesson. We aren’t going to ramble on about data types, expressions, and syntax formatting. Instead, we are going to look at real scripts we use in the SPAWAR SOC every single day. We will step through as many scripts as time permits while showing effective methods for automatically parsing netflow data for known malicious hosts, extracting payloads from PCAP files for content or entropy analysis, and more. We will go through the process of creating each script from inception to production.

A few specific scripts we will break down include:

  • Updating a snort ruleset across multiple sensors
  • Automated reporting of known malicious IP addresses and domains with netflow data
  • Extracting the data payloads of packets in PCAP files
  • Retrieval and concatenation of PCAP data from multiple sources
  • Automatic parsing of netflow data into various graphs for visual traffic analysis
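As an added example (not one of the talk's scripts or the SPAWAR SOC's code), here is the kind of check the second bullet describes: constructed netflow records in an assumed seven-field CSV layout are matched against a constructed list of known-bad addresses and ranges, and a per-indicator report is built, with malformed records skipped rather than aborting the run.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed indicator list (documentation-range addresses, not real IoCs):
# single hosts and a CIDR block.
KNOWN_BAD = ["198.51.100.23", "203.0.113.0/24"]

# Constructed flow records in an assumed CSV layout (real exporters differ):
# start time, src IP, src port, dst IP, dst port, protocol, bytes.
# The last line is deliberately malformed to show how such input is handled.
SAMPLE_FLOWS = """\
2011-05-27 13:02:11,10.0.0.15,51234,198.51.100.23,443,TCP,1843
2011-05-27 13:02:15,10.0.0.15,51235,93.184.216.34,80,TCP,912
2011-05-27 13:03:40,203.0.113.77,4444,10.0.0.22,22,TCP,64
2011-05-27 13:04:02,10.0.0.31,40001,203.0.113.5,53,UDP,120
2011-05-27 13:05:19,10.0.0.31,40002,8.8.8.8,53,UDP,96
this is not a flow record
"""


def load_indicators(entries):
    """Turn host and CIDR strings into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(e.strip()) for e in entries if e.strip()]


def match_indicator(ip, networks):
    """Return the first indicator network containing ip, or None."""
    for net in networks:
        if ip in net:
            return net
    return None


def scan_flows(flow_text, networks):
    """Return ({indicator: [hit, ...]}, number_of_skipped_records)."""
    hits = defaultdict(list)
    skipped = 0
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7:
            skipped += 1
            continue
        ts, src, sport, dst, dport, proto, nbytes = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            size = int(nbytes)
        except ValueError:  # unparsable address or byte count
            skipped += 1
            continue
        # A flow is reported once per matching indicator, noting which side matched.
        for role, ip in (("src", src_ip), ("dst", dst_ip)):
            net = match_indicator(ip, networks)
            if net is not None:
                hits[str(net)].append({"time": ts, "src": src, "dst": dst,
                                       "dport": dport, "proto": proto,
                                       "bytes": size, "matched": role})
    return dict(hits), skipped


def format_report(hits):
    """One header line per indicator followed by one line per matching flow."""
    lines = []
    for indicator in sorted(hits):
        lines.append(f"{indicator}: {len(hits[indicator])} flow(s)")
        for h in hits[indicator]:
            lines.append(f"  {h['time']} {h['src']} -> {h['dst']}:{h['dport']}"
                         f" {h['proto']} {h['bytes']}B (matched {h['matched']})")
    return lines


if __name__ == "__main__":
    found, bad = scan_flows(SAMPLE_FLOWS, load_indicators(KNOWN_BAD))
    print("\n".join(format_report(found)))
    print(f"skipped {bad} malformed record(s)")
```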

The tools covered will be a mix of BASH, PERL, and Python. No prior scripting knowledge is required to gain value from this presentation. We will be providing source code for all of the scripts we are discussing as well as a few extras. As a bonus, we will even provide versions of some of these scripts that can be integrated into Arcsight or other SIEM products to extend their capabilities. At the very least, attendees will walk away with scripts they can implement in their production SOC immediately. The real value of this course, however, is a real-world crash course in scripting for analyst-centric SOC functions.

You can read more about the GFIRST conference at http://www.us-cert.gov/GFIRST/.

Look forward to seeing you there!

SANS SEC 503: Intrusion Detection In-Depth Mentor Session in Charleston, SC

April 12th, 2011

I’m once again going to be leading a SANS Mentor session. This time however, I’ll be teaching SEC 503, Intrusion Detection In-Depth in my new home of Charleston, South Carolina. The course will be starting on June 22nd, running once a week for two hours, for ten weeks. The course will be held at Honeywell, on Rivers Avenue in North Charleston.

An excerpt from the course description:

Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. The emphasis of this course is on increasing students’ understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system (NIDS) – Snort. This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. If you want to learn the ins and outs of TCP/IP as it relates to security analysis, how to dissect packets at their most basic level, and how to utilize NIDS effectively, then this is the course for you.

If you are pursuing DOD 8570 certification, then the certification paired with this course, the GCIA, will satisfy the requirement for the CND-Analyst designation. This is a great course if you are a government employee or contractor pursuing 8570 compliance, or simply someone working in information security looking to strengthen your defensive technology skills and gain a widely accepted certification in the process.

If you are interested in learning more then you can visit the SANS website for this course at: http://www.sans.org/mentor/details.php?nid=24684. Also, feel free to pass around the flyer for this course, which can be viewed here. Also, I can provide some discounts to help offset the cost a bit if you contact me directly.

My Review of SANS FOR610: Reverse Engineering Malware

April 9th, 2011

I had the opportunity to take the SANS FOR610: Reverse Engineering Malware course in Orlando a couple of weeks ago and I wanted to write about my experience with the course. It’s no secret that I’m a big proponent of SANS. I’ve taken SEC 503 and SEC 504 at live events and I also mentor both courses here locally in Charleston. I wanted to take FOR610 as my next course because malware analysis is something I’ve not done a significant amount of. I’ve done a fair amount of behavioral analysis but very little code analysis at the assembly level and the course syllabus appeared to be heavy on that subject so it seemed like a natural fit to help fill in some of my knowledge gaps.

Instructor

The course in Orlando was taught by Lenny Zeltser. Lenny is the primary author of the materials, and he also runs a great blog over at http://blog.zeltser.com/ that I’ve followed for quite some time. I’ve been to a lot of different training courses and have also provided courses myself, so I’ve seen plenty of bad instructors and good instructors. One of the things I find most challenging when teaching is taking highly complex subject matter and breaking it down in such a way that it is understandable. Being able to do this effectively is one of my primary criteria for defining a good instructor. That said, Lenny is perhaps one of the best teachers I’ve had. He took all of the highly complex concepts and broke them down in such a way that they were understandable at some level for everyone in the class. He provided clear guidance and assistance during the lab portions of the class, and I don’t remember a single question that was asked that he didn’t have an immediate answer for. His depth of knowledge on the subject was very apparent and appreciated.

Difficulty

The course really has two distinct sides to it: behavioral analysis and code analysis. Depending on your background, you may find this course very difficult at times and easier at others. I have written several programs in languages including Python, PHP, and C as a function of my primary job role, so I understand programming concepts, but I’m not a professional programmer by any stretch. That being the case, I had a harder time with the code analysis portions of the course. If I didn’t have any programming experience, I think I would have been completely lost on more than a few occasions. On the other side of the coin, I had no problems whatsoever with the behavioral analysis instruction and labs, but I could tell that several other people in the class did. From what I gathered by talking to people and looking at name badges, roughly 65-85% of the folks in my class were programmers of some sort. The course is touted as not requiring any previous programming experience, but I think to get the full benefit from the class, you should at least be familiar with core programming concepts, preferably in an object oriented language.

Course Content

The course was 5 days long and covered a variety of topics. I’ve outlined some of those here along with the new skills I gained or enhanced as a result of what we learned.

Day 1

The first half of the first day was devoted to the setup of the virtual malware analysis lab used in the course. This is done in such a way so that the virtual lab can be used after you leave the class to do real world malware analysis in your organization using the virtual infrastructure. The second half of day one focused on using the lab for behavioral analysis.

New Skills I Gained: Knowledge of new malware analysis tools.

Day 2

This day built upon our knowledge of behavioral analysis and introduced new concepts related to that. We were introduced to dissecting packed executables and Javascript and Flash malware.

New Skills I Gained: Automated unpacking of packed files. Tools for dissection and extraction of malicious code in Flash objects.

Day 3

This day was devoted to code analysis. We were introduced to assembly and spent a great deal of time looking at commonly identifiable assembly patterns used in malware. This was one of the most useful parts of the class for me. We also looked a bit at anti-disassembling techniques that malware authors use.

New Skills I Gained: Enhanced understanding of assembly. A plethora of anomalies to look for in assembly level code analysis of malware. Patching code at the assembly level to get a desired outcome.

Day 4

The fourth day focused on analysis of malware that was designed to prevent itself from being analyzed. We looked at packers and learned how to manually step through malware code to unpack it for analysis. The day ended with a detailed and highly valuable look into deobfuscating malware in browser scripts.

New Skills I Gained: Detailed understanding of assembly for malware analysis. Manual extraction of unpacked code from packed executables.

Day 5

The final day of the course was another one of the most useful parts of the course for me. The first half of this day focused on analysis of malicious Microsoft Office files and malicious PDFs. After lunch, we covered shellcode analysis and memory analysis.

New Skills I Gained: Tools and procedures for extracting malicious code from MS Office files and PDFs. Better understanding of PDF file structure. Extraction of malware running in memory.

Labs

The labs were an integral part of the course. In the labs we analyzed real malware samples in our virtual analysis lab. I’m incredibly happy that we looked at REAL code from REAL attackers rather than simple malware created in a lab for the purpose of the course. Doing things this way we got to see how attackers will often take shortcuts or write bad code that we have to sort through rather than just dissecting cookie cutter malware with no imperfections. The labs served their purpose, helping reinforce new concepts in a practical manner. During the course, everyone had their laptops open and two virtual machines running at all times as we would dive into them for exercises very frequently.

Although I was very pleased with the labs in some ways, I am critical of them for a few other reasons. Prior to the class, you are provided some instructions on how to set up a single Windows-based VM that is destined to be infected with malware repeatedly throughout the class. In addition, the instructions said we would be given a version of REMnux, the reverse engineering malware Linux distribution created by Lenny, to use during the class when we got there. I got this all up and running without any problems, but I was pretty upset when I got to the class to find out that there was quite a bit more setup to do. As a matter of fact, almost the entire first half of the first day of instruction was taken up by additional lab configuration. We were given a CD that contained a variety of tools that were to be installed on our Windows VM. I think all in all, we had to install about 25 different tools. Several people asked why these weren’t provided prior to the class, and we were told it was so that we would take more ownership over our malware analysis labs and could ask questions. Although I can respect the comments in support of this, I think providing these tools prior to the class along with the other instructions would allow for better use of time. At lunch the first day I felt a bit cheated, as my company had paid for an expensive course where I was just sitting around installing software. Providing this software prior to the course and having people come prepared would have allowed for a whole half day of additional instruction, which would have been incredibly valuable.

The other primary issue I had with the labs was the format in which they were laid out. In most of the labs, Lenny would teach us a concept and then step through the process on his own system. Then he would turn us loose on our systems to work on the same example he just walked through. Although somewhat helpful, it wasn’t entirely effective since we had just seen him do the same example we were working through. I would contrast this with the lab format in the SEC 503: Intrusion Detection In-Depth course. In that course, students are given a workbook with lab exercises. The instructor there would teach a concept, go through a lab on screen, and then turn students to the workbook and give them some time to work through similar, but different examples. This format provided a great deal more value because we had to do quite a bit more thinking to get through the examples on our own, rather than just recreating what the instructor did.

Summing It Up

Overall, my experience with FOR 610 was very valuable and I’m thrilled I got the chance to take the course. I walked away with a lot of new skills and am able to provide a lot of value to my organization as a result. I now feel completely comfortable performing code analysis of malicious binaries. I also learned more assembly than I ever thought I would and feel like I could even write some simple programs in assembly should I choose to punish myself in that manner. I also gained a greater understanding of lower-level operating system components, which will prove useful in several cases. Make no mistake, this is a very difficult course, which is why they numbered it so high. It is the highest level forensics course they teach, and it will challenge you. However, if you are up to it, there is a lot to be learned here, and I have no doubt that it is the best malware analysis course you will find.

You can read more about this course at http://www.sans.org/security-training/reverse-engineering-malware-malware-analysis-tools-techniques-54-mid.

Kentuckiana ISSA Meeting – June 4th

May 26th, 2010

I’m speaking at the Kentuckiana ISSA meeting on June 4th in Louisville, KY.

The topic is “Then What Happened…Stories and Lessons in Incident Response”

Dive into recent attack packet analysis with Chris Sanders to reveal the dirty truth about recently investigated incidents.

Learn key factors in how exploits were detected, the analysis method used to determine sources…
You will also see methods used to determine the severity level of exploits and the power they may really have in your environment…

I’ll be covering some exciting things including some of the fundamental skills for intrusion analysts, tips for building your incident handling team, “packet math”, and analysis of recent attacks including a newly released 0-day.

Look forward to seeing you there! For more information, including directions, see http://www.issa-kentuckiana.org/.


SANS SEC 504 Comes to Bowling Green – Mentored by Me!

December 18th, 2009

I’ve recently been accepted into the SANS Institute mentor program and will be mentoring my first course next spring in the Bowling Green, KY area.

Please join Mentor Chris Sanders starting on March 18 for Security 504: Hacker Techniques, Exploits and Incident Handling.

Experience this local class and SANS award-winning security training first hand in the popular Mentor format!

Chris Sanders will be leading this 36 CPE credit class in Bowling Green, KY.

For complete course details and registration information, please click on http://www.sans.org/info/52263.

About the course:

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

Students study the SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with a SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

These courses are great for folks who want SANS level training but don’t have the travel budget to go to a conference for a week. I’m very excited to bring something like this to my area…security training around here is slim pickins! Bowling Green is very centrally located and is only an hour from Nashville, TN, two hours from Louisville, KY, two hours from Lexington, KY, and two hours from Paducah, KY.

Also, I will be donating 20% of my teaching fee to the Rural Technology Fund, a 501(c)(3) non-profit organization which provides scholarships to high school students pursuing technical majors.

Feel free to e-mail me with any questions, or visit the course website here: http://www.sans.org/info/52263.


Laura Chappell Online Seminars

May 30th, 2009

Laura Chappell is now doing regularly scheduled online training seminars. I had the privilege of attending one of these last Thursday called the “Top 10 Reasons Your Network is Slow” and it was really great.

You can see a schedule of Laura’s training at http://www.chappellseminars.com/schedule-name.html.

Packet Analysis and Wireshark Online Training – May 27th

April 22nd, 2009

I’ve just announced my second online training event. This event will be happening on Wednesday, May 27th at 2 PM EST.

Course Description:

This is an introductory level packet analysis course with a focus on practical usage. The goal of this course will be to give you exactly what you need to jump deep into your network with Wireshark and begin getting value out of these skills immediately. This course will use completely new files and scenarios and will not repeat any real-world scenarios taught in my book or in my previous trainings.

Prerequisites:

In order to understand what is going on in this course you will need to have a decent level of experience troubleshooting networks and client/server communications. You won’t be expected to know how individual protocols look on the wire (I’ll teach you that), but you will be expected to know what DHCP/DNS/SMTP/etc. are used for.

The course will be administered using Citrix Go2Meeting which will transmit live audio and video from my computer. Because of this, some form of broadband Internet connection is recommended. I’ve used this format before and it seemed to work really well as all users were able to connect and listen/watch successfully.

Who Should Attend:

If you troubleshoot or maintain a network on a daily basis then this course will provide immediate value to you. Packet Analysis is one of the hottest growing skill sets amongst IT staff in the world and is an absolute requirement to troubleshoot certain problems that may be faced. If you want to save yourself time, save your organization money, or make yourself more marketable by increasing your skill set, then this is the course for you.

Cost:

The early registration cost for this course is $100 USD. This pricing is valid until May 5th. After May 5th, the cost goes up to $150 USD. If you work for a non-profit or in education, please e-mail me for a discounted rate. The course is limited to a set number of participants so that I can get to all questions that may be asked, so your best bet is to get in early.

Curriculum:

Hour 1 – Intro, Theory, and Getting Your Feet Wet

  • How Packet Analysis Can Help You
  • “War Stories”
  • How a Packet Sniffer Works
  • Getting and Installing Wireshark
  • Sniffer Placement on Your Network
  • Walkthrough of Wireshark’s Features Using Real Trace Files

Hour 2 – Protocols and Performance with Real World Case Scenarios

  • Analyzing Common Protocols When They Work and When They Don’t
  • Troubleshooting Network Performance Problems
  • Steps for Creating a Network Baseline
  • The 7 Deadly Sins of the Network

Hour 3 – Security, Wireless, and More Real World Scenarios

  • Analyzing Common Network Attacks
  • Wireless Packet Analysis
  • Additional Tools and Resources
  • Q&A

Registration:

In order to sign up for this course, please fill out the registration form below. At some point after registering, you should receive an e-mail from me with payment details.

As always, if you have any questions regarding this training please e-mail me.

Chappell University

February 23rd, 2009

Laura Chappell, one of the packet analysis world’s best, has just announced Chappell University. Here is her official statement from her newsletter:

“Chappell University (www.chappellU.com) is open for registration today. Subscription-level service will be open soon – I’ll let you know. Chappell University is an affordable, on-demand, online training system to maintain and enhance IT skills in the area of analysis, troubleshooting and security. Last night I uploaded two lab workbooks with over 100 lab exercises using Wireshark to spot network problems, security breaches, and analyze normal and abnormal TCP/IP communications. I’ve recorded video answers to all the lab exercises. In addition, I’ve uploaded my trace file repository and you’ll see me uploading additional WLAN, VoIP, bot-infections, application, etc., trace files each quarter. Check out the new YouTube Channel for Chappell University at www.youtube.com/chappellU and the video “Ethical Hacking with NetScanTools Pro: Tutorial on ARP Scanning to Discover All Local Hosts” (even those hidden behind firewall applications).”

If you haven’t had the pleasure of experiencing Laura’s training on-site, or via Wireshark University, I would highly recommend both. As I said, she is one of the best in the field.

Practical Packet Analysis Training Online – December 11th

November 9th, 2008

The date has been set for my first ever online Wireshark training. This will be held live on Thursday, December 11th at 2 PM Central Standard Time. The training will be taught via Go2Meeting and the slides and capture files used will be made available after the presentation. The cost for attending is $150. The only prerequisite is a basic knowledge of computer networking and an interest in the subject. Here is a breakdown of the curriculum:

Hour 1

  • Benefits of Packet Analysis
  • How a Packet Sniffer Works
  • Installing Wireshark
  • The OSI Model
  • Types of Traffic on the Wire
  • Analyzer Placement on the Cabling System
  • Basic Wireshark Features
  • Advanced Wireshark Features
  • Wireshark Statistics

Hour 2

  • Display/Capture Filters
  • Common Protocols (TCP, HTTP, DNS, DHCP, ARP, TELNET, FTP, POP, SMTP, etc.)
  • Troubleshooting Performance Problems
  • Network Baselines
  • Wireless Packet Analysis

Hour 3

  • Additional Wireshark Tools and Resources
  • Useful Websites and Other Learning Resources
  • Q&A

I already have quite a few people signed up and will be limiting the number of attendees so that I can answer as many questions during the Q&A as I can without leaving anybody out. If you are interested, e-mail me at chris@chrissanders.org and reference the class. Payment is accepted via check (must have it very soon so it can clear in time for the training) or PayPal (info will be provided when you e-mail me).