Collecting Threat Intelligence

February 5th, 2011

One of the more important skills in intrusion detection and analysis is the ability to evaluate an IP address or domain name in order to build an intelligence profile on that host. Gathering this intelligence can help guide you toward more informed decisions about the remote hosts communicating with your network, so that you can determine whether they are malicious or hostile in nature. I recently wrote a two-part article on collecting threat intelligence for WindowsSecurity.com which describes some methods that can be used to collect threat intelligence on a host or network.

Collecting Threat Intelligence (Part 1)

Collecting Threat Intelligence (Part 2)

The 10 Commandments of Intrusion Analysis

January 17th, 2011

I’ve been actively involved in the training and development of intrusion detection analysts for a few years now, which includes being a SANS Mentor for SEC 503: Intrusion Detection In-Depth. One thing I find myself constantly doing is trying to evolve my philosophy on effective intrusion detection. While doing this, some themes arise that tend to stay consistent no matter how that philosophy changes. Through that, I’ve written up something I call the “10 Commandments of Intrusion Analysis” which highlight some of those themes that seem to be at the core of what I try to instill in the analysts I train and in my own analysis. They don’t really command you to do anything, but there are 10 of them, so the name kind of fits. These may not fit you or your organizational goals or personal style, but they work for me!

1. Analysts, Analysts, Analysts!

The most important thing an analyst can have ingrained into them is their importance. An analyst is the first line of defense. The analyst is sitting in the crow’s nest watching for the icebergs. It is the analyst who can keep attacks from happening and can stop attacks from getting worse. Most security incidents begin with an analyst providing a tip based upon an IDS alert and end with an analyst putting in new signatures and developing new tools based upon intelligence gained from a declared incident. The analyst is the beginning and the end in information security. The alpha and omega. Okay, maybe that’s a bit dramatic, but the importance of an intrusion analyst can’t be overstated.

2. Unless you created the packet yourself, there are no absolutes.

Analysis happens in a world of assumptions and it’s important to remember that. Most of the decisions you will make are centered around a packet or a log entry and then honed based upon intelligence gathered through research. The fact is that the analyst isn’t the one who generated the traffic, so every decision you will make is based upon an assumption. Don’t worry though; there is nothing wrong with that. Ask your friendly neighborhood chemist or physicist. Most of their work is based upon assumptions and they have great success. The takeaway here is that there are no absolutes. Is that IP address REALLY a known legitimate host? Does that domain REALLY belong to XYZ company? Is that DNS server REALLY supposed to be talking to that database server? There are no absolutes, merely assumptions, and because of that remember that assumptions can change. Always question yourself and stay on your toes.

3. Be mindful of how far abstracted from the data you actually are.

An analyst depends on data to perform their function. This data can come in the form of a PCAP file, an IIS log file, or a syslog file. Since most of your time will be spent using various tools to interact with data, it’s crucial to be mindful of how each tool interacts with the data. Did you know that if you run Tcpdump without specifying otherwise, it will only capture the first 68 bytes of data in a packet? How about that Wireshark displays sequence and acknowledgement numbers within TCP packets in a relative manner by default? Tools are made by people and sometimes “features” can cloud data and prevent proper analysis. I think both of the features I described are great, but I’m also mindful that they exist so I can see all of the packet data available or view the real sequence and acknowledgement numbers when needed. In a job where reliance upon data is critical, you can’t afford to not understand exactly how tools interact with that data.

4. Two sets of eyes are always better than one.

There is a reason authors have editors, policemen have partners, and there are two guys sitting in every nuclear silo. No matter how much experience you have and how good you are, you will always miss things. This is to be expected because different people come from different backgrounds. I work with the government, so the first thing I look at when examining network traffic is the source and destination country. I’ve worked with people who have systems administration backgrounds and, as a result, will look at the port number of the traffic first. I’ve even worked with people who have a number-crunching background who will look at the packet size first. This demonstrates that our experiences shape our tactics a bit differently. This means that the numbers guy might see something that the sysadmin didn’t see, or that the government guy might have insight that the numbers guy didn’t. Whenever possible it’s always a good idea to have a second set of eyes look at the issue you are facing.

5. Never invite an attacker to dance.

This is something I’ve believed since the first day I ever fired up a Snort sensor, but IDS guru Mike Poor phrased it best while I was attending one of his SANS classes when he said that you should never invite an attacker to dance. As an analyst it’s very tempting to want to investigate a hostile IP address a bit beyond conventional means. Trust me, there have been many occasions where I’ve been tempted to port scan a hostile that kept sending me painfully obviously crafted UDP packets. Even more so, any time someone attempts to DoS a network I’m responsible for defending, I wish nothing more than to be able to unleash the full fury of a /8 network on their poor unsuspecting DSL connection. The problem with this is that 99% of the time we don’t know who or what we are dealing with. Although you may just be seeing scanning activity, the host that is originating the traffic could be operated by a large group or even a military division of another country. Even something as simple as a ping could tip off an attacker that you know they exist, prompting them to change their tactics, change source hosts, or even amplify their efforts. You don’t know who you are dealing with, what their motivation is, or what their capabilities are, so you should never invite them to dance.

6. Context!

One word can drastically change the dynamic of your monitoring and detection capabilities. In order to be effective you must have context into the network you are defending. Network diagrams, listings of servers and their roles, breakdowns of IP address allocations, and more can be your best friend. Basically, anything and everything that can be used to document the assets within the network, how they function, and how they relate to other assets is beneficial in running down anomalous events. Depending upon your role in the organization you may not be in a position to obtain these things, and if they don’t already exist you are going to have a heck of a time getting the systems folks to put in the leg work to create them. However, as difficult as this may be, it’s an effort that’s worth pursuing. Whether you have to present your case to the CIO or just buy your network engineers a case of their favorite adult beverage, it’s ultimately worth the effort.

7. Packets, in a word, are good.

The ultimate argument in life is whether people are inherently good or inherently evil. This same argument can be had for packets as well. You can either be the analyst that believes all packets are inherently evil or the analyst that believes all packets are inherently good. I’ve noticed that most analysts typically start their career as the former and quickly progress to the latter. That’s because it’s simply not feasible to approach every single piece of traffic as something that could be a potential root-level compromise. If you do this, you’ll eventually get fired because you spent your entire day running down a single alert, or you’ll just get burnt out. There is something to be said for being thorough, but the fact of the matter is that most of the traffic that occurs on a network isn’t going to be evil, and as such, packets should be treated as innocent until proven guilty.

8. Analysis is no more about tcpdump than astronomy is about a telescope.

Whenever I interview someone for any analyst position that’s above entry level I always ask them to describe how they would investigate a typical IDS alert. I get frustrated when someone gives answers along the lines of “I use Tcpdump, Wireshark, Network Miner, Netwitness, Arcsight, Xeyes, etc.” with no further clarification. Although there are processes and sciences in intrusion analysis, intrusion analysis itself is not a process or a science, but rather an art. If this wasn’t the case then it wouldn’t even be necessary to have humans in the loop when it comes to intrusion detection. An effective analyst has to understand that while different tools may be the most important part of the job, those things are merely pieces of the puzzle. Just like an astronomer’s telescope is just another tool in his arsenal that allows him to figure out what makes the planets orbit the sun, Wireshark is just another tool in an analyst’s arsenal that allows him to figure out what makes a packet bypass a firewall rule. Start with the science, add in a few tools and processes, stay cognizant of the big picture, keep an attention to detail, and eventually the combination of all of those things and the experience you gain over time will help you develop your own analysis philosophy. It’s at that point you have taken your analysis to the level of an art, and made it so that you’re worthy enough to not be replaced by a machine.

9. Sometimes, we lose.

No matter how hard you try, there will come a point at which the network you are defending gets successfully attacked and compromised. In the modern security landscape it’s inevitable and there isn’t a lot you can do about it. In these times it’s likely that the analyst will take the heat over the incident. Because of this, you need to be prepared when it happens. An incident won’t be remembered for how an intrusion occurred, but rather for how it was responded to, the amount of downtime that occurred, the amount of information that was lost, and ultimately the amount of money it costs the organization. What recommendations can you make to management to ensure a similar incident doesn’t occur again? What can you show your superiors to explain why the attack wasn’t detected? What shortcomings do your tools have? These are questions that can’t fully be answered until an intrusion has occurred and you have the context of an attack, but you can definitely consider the questions now and have a plan for how your information will be presented to key figures. You will get caught off guard and you will be blindsided, but it’s important that you don’t appear as such and you keep your game face on. This can make the difference between a promotion and a pink slip.

10. Dig deeper.

At the end of the day you have to have something to rest your laurels on and that has to be the fact that you’ve done your due diligence and that you’ve given your best. My “motto” per se when it comes to intrusion analysis is “Dig Deeper”. A defender has to control 65,535 ports. An attacker has to compromise one. A defender has to protect 10,000 users. An attacker has to deceive one. A defender has to examine millions of packets. An attacker has to hide a malicious payload in one. What can you do to increase your visibility into the data? What proficiency can you develop that gives you that edge against the attacker? You have a hunch that there is more than meets the eye, so what can you do to dig deeper?

Product Review: Using the EminentWare WSUS Extension Pack

January 9th, 2011

I’ve always been a huge fan of using Microsoft Windows Server Update Services (WSUS) in the enterprise. It’s free and it’s the best way to effectively ensure that your workstations are up to date and secure. With the modern prevalence of client-side attacks there aren’t many things more important than keeping client computers secure as they can provide a perfect entry point for attackers into your network.
Although WSUS is great, it lacks quite a bit of functionality that it could benefit from. I’ve written a few articles about WSUS here and there and I’ve cited some of these shortcomings, which include a weak management interface, a lackluster reporting system, and an inability to easily troubleshoot misbehaving clients. That being the case I’m always looking for enhancements to WSUS, and I’ve found one I really like from the folks at EminentWare, who’ve asked me to review their software. Overall, I was really happy with the product and I have no qualms about recommending it to my sysadmin friends. For the sake of full disclosure I have to add that EminentWare is a paid advertiser on my site, but that in no way has any effect on my opinion of their product in this review.

The Basics

The WSUS Extension Pack adds quite a few useful features to a WSUS deployment. EminentWare released a list of the top 10 reasons you need their product, which can be found at http://www.eminentware.com/wsus-patch-management-extension.html. Some of my personal favorites include:

  • Create your own packages to deploy any MSI, MSP, or EXE through WSUS
  • Configure pre and post install implementation steps such as stopping/starting services, manipulating files, and running custom scripts.
  • Discover rogue, unauthorized, or improperly configured machines.

That being said, the product has quite a bit to offer. EminentWare touts the Extension Pack by stating:

EminentWare’s WSUS Extension Pack extends the capabilities of your existing WSUS infrastructure, offering a powerful solution for deploying, managing, and reporting on updates, applications, and configuration settings throughout your IT environment. EminentWare’s WSUS Extension Pack adds key IT management functionality to your existing WSUS installations, allowing you to leverage existing technology to create a more flexible, more powerful enterprise patch management and configuration management solution that is extremely cost-effective.

Let’s take a deeper look at the extension pack.

Installation

As you would expect, EminentWare supports all of the major Microsoft server distributions so you can install it on any OS that you would install WSUS on. The website where the software can be downloaded from provides great resources for installation including a quick start guide and a short video that highlights the important parts from the guide. I skipped through the video quickly and perused the guide a bit before performing the install which seemed like it would be pretty intuitive.
The install itself went through without a hitch. Using the Express Installation option, the installer guided me through the process of installing prerequisites, creating a SQL instance, and creating a service account. The actual installation was just a few mouse clicks and less than ten minutes of waiting time. No reboots were required, which earns bonus points for me when we are talking about installations on servers.
After installation and activating my license I was presented with a series of wizards used to configure the WSUS infrastructure. The first wizard caused me a bit of trouble as it wouldn’t automatically find my domain, but I was able to enter its information in manually and proceed forward.


Figure 1: Defining the WSUS server during the initial configuration

After adding domain credentials for the product the installation was completed.

Management and Features

The management screen is built as an MMC so Microsoft sysadmins will feel comfortable working within its borders. The overall look and feel is very similar to that of the standard WSUS administration snap-in which I consider a plus. The expansion pack has more features than I ever knew I wanted, so I want to hit on a few of the ones that really struck my fancy.

Group Policy Management

I love group policy, but it’s not the easiest to use or the most user friendly. One of the parts I disliked the most about traditional WSUS setup is having to deal with the uncertainty that is group policy. The expansion pack provides a front end to the group policy settings related to WSUS so you don’t have to waste time digging around in GPOs. You can configure the local and remote policy settings for Windows updates and even refresh group policy remotely.

Status Bars and Reporting

This one may sound a little lame, but the biggest pet peeve I’ve ever had with WSUS is its lack of progress bars and status reporting for the tasks you perform. Whether it be installing an update, refreshing policy, or remotely rebooting a computer, the expansion pack adds usable, reliable status reporting of tasks.


Figure 2: The detection task provides a robust status display

Wake on LAN

This one is pretty self explanatory. If you need to apply a critical security update to a computer that is turned off at a remote site fifty miles away then WOL is your life saver. The expansion pack provides a simple and easy to use interface for utilizing this. Anything that saves me this kind of time is alright in my book.

Credential Ring

I harp on software vendors all the time because they tend to force you to create a service account for their product, make you give it domain admin rights, and use it for everything related to that software. The EminentWare guys really got this one right with their concept of a credential ring. This allows you to create service accounts with different levels of domain access and assign them to specific devices and device groupings. This way, you can specify site, department, or OU based administrative accounts rather than having yet another service account sitting there with the keys to the castle. I wish more software companies would do something like this!


Figure 3: Using the credential manager to specify credentials for particular devices

Reporting

Creating reports isn’t fun, but it’s often the only way an IT department can bring things to a managerial level to justify their results and expenses. The expansion pack provides a great deal of needed flexibility in reporting and was able to handle just about everything I could ever think of having a need to report. In some cases this alone could justify the cost of the software.

Device Discovery

The discovery option lets you specify an IP range or subnet that can be scanned for hosts. The results of this scan can be used to find new computers on your network that are not receiving updates or rogue devices that shouldn’t be there. This comes in handy with large networks where it’s hard to keep a handle on new devices or ones that get formatted/imaged often.

Third Party Updates

The ability to use WSUS to deploy third party updates is perhaps the most powerful aspect of the expansion pack. The framework Microsoft has built for deploying software to devices is so robust and effective that it would only make sense that you should be able to use it for the deployment of other updates. Using this feature you can configure updates for products such as Acrobat Reader, Flash, Quicktime, Firefox, Java, and more. Once again, as a highly security conscious individual this feature is worth its weight in gold and I can’t speak highly enough about it. One of the guys at EminentWare demo’d this for me and I was blown away; even more so when I did it myself.

Conclusion

I’ve reviewed a lot of products over my years as a systems administrator and network security analyst. To date, I’ve never reviewed a product that I’ve loved as much as the EminentWare Extension Pack. WSUS is beautiful, but this product takes it to a whole new level. If I were to give it a rating I would give it a perfect five out of five. The expansion pack is the only thing like this on the market (that I’m aware of) and it is just so wonderfully done. The developers clearly talked to system administrators and found out what they thought was missing from WSUS in order to fill the void, and then some. I’d probably buy the software based upon the third party updates feature alone, but with the added administration and management features it takes the cake. Simply put, if you manage a Windows network of any reasonable size you need WSUS and you NEED the EminentWare Extension Pack.

Sanitizing PCAP Files for Public Distribution

December 20th, 2010

It happens pretty often that I’ll come across an interesting PCAP file that I want to share with others. Unfortunately, divulging these packet captures can give away certain sensitive information such as an organization’s internal IP range, IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors, and more.

Fortunately, there is a tool which helps alleviate some of these issues. The tool is called Tcprewrite and is actually a part of the Tcpreplay suite. Tcpreplay is used to send packets from a PCAP back across the wire, but the suite actually contains a few other useful tools. Tcprewrite itself can be used to add and modify packet fields within PCAP files. For example, if you wanted to replace the layer two addressing information within a PCAP so that all of the packets have a specified source and destination MAC address, you could use the following syntax:

tcprewrite --enet-dmac=00:55:22:AF:C6:37 --enet-smac=00:44:66:FC:29:AF --infile=input.pcap --outfile=output.pcap

Tcprewrite can do neat things at layer four as well, including remapping ports used in sessions. The following example will remap all port 80 traffic to port 8080.

tcprewrite --portmap=80:8080 --infile=input.pcap --outfile=output.pcap

The examples shown above were taken directly from the tcprewrite wiki page (http://tcpreplay.synfin.net/wiki/tcprewrite) where you can find quite a few other usage examples.

The real value of tcprewrite, and the reason for this article, is its ability to randomize the addressing information in a PCAP file. This is done with the following syntax:

tcprewrite --seed=423 --infile=input.pcap --outfile=output.pcap

In this line, the seed option is used in the randomization of the addresses. This will replace all of the IP addresses in the IP headers of the packets and will also modify any ARP packets in the traffic accordingly.

From what I’ve been able to determine this option doesn’t randomize and rewrite MAC addresses, which is a bit of a problem since MAC addresses can give away the vendor of a piece of hardware. The last thing I want is the entire world knowing that I use Cisco/Juniper/Enterasys/Etc based external firewalls. The ability to rewrite MAC addresses is there, but it’s not random. What you can do in this case is split a PCAP file into two separate files representing each direction of traffic. This can be done with tcpdump or tcpprep, which is a part of the tcpreplay suite as well. Using tcpprep you can split the traffic like this:

tcpprep --auto=bridge --pcap=input.pcap --cachefile=input.cache

From there you can use syntax similar to what was shown above to replace the MAC addresses. This isn’t randomized so you will basically have to make something up. At the very least I’d recommend replacing the OUI section of the MACs. That syntax would look something like this:

tcprewrite --enet-dmac=00:44:66:FC:29:AF,00:55:22:AF:C6:37 --enet-smac=00:66:AA:D1:32:C2,00:22:55:AC:DE:AC --cachefile=input.cache --infile=input.pcap --outfile=output.pcap

It wouldn’t be too much of a stretch to write a python script that uses tcpprep and tcprewrite to automate the randomization of MAC addresses as well.
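Along the lines of that automation idea, here is an added example (my own code, not part of the original post or of the tcpreplay suite) that does the MAC randomization in pure Python instead of shelling out: it walks a classic pcap, replaces every unicast MAC in the Ethernet header (and inside ARP bodies, which repeat the addresses) with a seeded, consistent pseudonym under a locally-administered OUI so no real vendor is implied, and leaves broadcast/multicast alone. The sample capture, the hosts `HOST_A`/`HOST_B` and the seed are constructed for the demonstration.

```python
"""Deterministic MAC-address pseudonymisation for a classic pcap (added example)."""
import hashlib
import struct
from typing import Dict, Optional

LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
# Replacement OUI 02:00:00 has the locally-administered bit set, so it names no vendor.
FAKE_OUI = b"\x02\x00\x00"

# Constructed sample addresses (not taken from any real capture).
HOST_A = bytes.fromhex("001122aabbcc")
HOST_B = bytes.fromhex("00aabb112233")


def pseudonymise_mac(mac: bytes, seed: bytes,
                     mapping: Optional[Dict[bytes, bytes]] = None) -> bytes:
    """Map a unicast MAC to a stable fake one derived from (seed, mac).
    Broadcast, multicast and the all-zero ARP placeholder are left alone: they
    carry no vendor information and rewriting them would break decoding."""
    if mac[0] & 0x01 or mac == b"\x00" * 6:
        return mac
    fake = FAKE_OUI + hashlib.sha256(seed + mac).digest()[:3]
    if mapping is not None:
        mapping[mac] = fake  # keep this table private; it reverses the rewrite
    return fake


def rewrite_frame(frame: bytes, seed: bytes,
                  mapping: Optional[Dict[bytes, bytes]] = None) -> bytes:
    """Rewrite the Ethernet header and, for ARP, the hardware addresses in the body."""
    if len(frame) < 14:
        return frame  # runt frame, nothing to rewrite
    out = bytearray(frame)
    out[0:6] = pseudonymise_mac(frame[0:6], seed, mapping)
    out[6:12] = pseudonymise_mac(frame[6:12], seed, mapping)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # ARP repeats MACs in its body (sender/target hardware address); use the same
    # mapping so the capture stays internally consistent. 802.1Q-tagged frames are
    # not handled here and would keep the MACs inside their ARP payload.
    if ethertype == ETHERTYPE_ARP and len(frame) >= 22 and frame[18] == 6:
        plen = frame[19]
        sha_off, tha_off = 22, 22 + 6 + plen
        if len(frame) >= tha_off + 6:
            out[sha_off:sha_off + 6] = pseudonymise_mac(frame[sha_off:sha_off + 6], seed, mapping)
            out[tha_off:tha_off + 6] = pseudonymise_mac(frame[tha_off:tha_off + 6], seed, mapping)
    return bytes(out)


def rewrite_pcap(data: bytes, seed: bytes,
                 mapping: Optional[Dict[bytes, bytes]] = None) -> bytes:
    """Return a copy of a classic pcap with every unicast MAC replaced.
    Timestamps, lengths and all other bytes are preserved. pcapng and the
    nanosecond-resolution pcap variant are rejected rather than mangled."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    out = bytearray(data[:24])
    pos = 24
    while pos + 16 <= len(data):
        record = data[pos:pos + 16]  # ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", record[8:12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        out += record + rewrite_frame(frame, seed, mapping)
        pos += 16 + incl_len
    return bytes(out)


def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: an ARP request broadcast from HOST_A, then a
    minimal IPv4 frame from HOST_A to HOST_B (header only; the payload is irrelevant)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + HOST_A + bytes([10, 0, 0, 1]) + b"\x00" * 6 + bytes([10, 0, 0, 2]))
    frames = [
        BROADCAST + HOST_A + struct.pack("!H", ETHERTYPE_ARP) + arp,
        HOST_B + HOST_A + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,
    ]
    body = b"".join(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


if __name__ == "__main__":
    table: Dict[bytes, bytes] = {}
    rewritten = rewrite_pcap(build_sample_pcap(), b"423", table)
    for real, fake in table.items():
        print(real.hex(":"), "->", fake.hex(":"))
```

Run it on a real file by reading the bytes in and writing `rewrite_pcap(...)` back out; the mapping table it fills is the one thing you must not publish alongside the sanitized capture.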

You can download tcprewrite as part of the tcpreplay suite at http://tcpreplay.synfin.net/ or just apt-get/yum install tcpreplay. The tool is Unix only (or you can use Cygwin if you are tied to Windows).

Understanding Man-In-The-Middle Attacks

June 28th, 2010

I’ve been slowly working through an article series entitled “Understanding Man-In-The-Middle Attacks” for the last few months. The last article of this series was published a couple of weeks ago so I thought I’d post a quick roundup of them all. This series covers four different types of attacks, how they work, how to execute them, and how to protect yourself from them. These articles are being hosted on WindowsSecurity.com, whom I write for on a monthly basis.

You can read each article at its corresponding link:

Viewing Packet Captures Online with CloudShark

June 22nd, 2010

I woke up this morning and was very excited to see a post on a blog I frequent, Packet Life. It looks like the folks at QA Cafe have just launched a new project called CloudShark. I’ve been playing with CloudShark all morning and I’m very impressed. A colleague of mine wrote something similar to this a while back with intentions of publishing it but never did, so I’m glad someone set forth on a similar project. I plan on using CloudShark as a component of this blog, so from now on any packet captures I post will have a “view online” link that should display the captures directly in your browser.

The best resource for more information on CloudShark seems to be their FAQ:

What is CloudShark?

CloudShark is a web site that displays network capture files right in your browser instead of running desktop tools such as Wireshark. You upload, link, or email your capture files and we’ll display them.

Why CloudShark?

We work with network capture files on a daily basis. After trying to view capture files on mobile devices without Wireshark support, we realized it was time to move packets to the cloud. The CloudShark idea was born. CloudShark was created to make viewing capture files easy from any device ranging from desktops to smart phones. After creating our own solution, we decided to make it available to everyone as CloudShark.org.

How does it work?

* Generate your capture file or use an existing capture file
* Email it, upload it, or link it
* CloudShark does the rest by providing a decode session
* If you email CloudShark with an attached capture file, we’ll email you back with a link to your decode session
* Send your capture files as an attachment to cap@cloudshark.org
* If you are in the browser already, we’ll drop you into your decode session

Are my capture files publicly accessible?

While the URLs to your decode session are not publicly shared, we make no claims that your data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don’t use CloudShark.

Is there any limit to the size of the capture file I can upload?

Capture files are currently limited to 512 Kbytes. Larger files will be rejected.

Can I delete my decode session after I am done with it?

Not directly. Eventually it will be deleted when the disk space is recycled.

How long is my decode session available?

CloudShark is not a file storage site. We’ll try to keep your files around, but obviously there is a limit to the amount of files we can keep around. If the link to your decode session is no longer working, you may need to upload the capture file again. In the future we may provide persistent storage, but for now you should store your capture files somewhere else.

What capture formats are supported?

CloudShark uses tshark to do the actual decoding. tshark supports several capture files from other tools besides Wireshark. See http://wiki.wireshark.org/FileFormatReference.

I have a capture file hosted on my web site. Is there an easy way I can link a CloudShark decode session to this capture file?

Yes. You can create a CloudShark link that includes a URL to your capture file. Here is an example:

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap

Who are you?

CloudShark was created by QA Cafe. We are the creators of CDRouter, the leading CPE testing solution. We spend a lot of time working with capture files. You can visit us at qacafe.com.

Is this project connected to Wireshark.org?

No, not directly. We do use Wireshark, tshark actually, on our back end.

How can I contribute?

If you have any ideas, you can contact us at info@cloudshark.org.

Kudos to the folks at QA Cafe for putting this together! You can visit CloudShark at http://www.cloudshark.com and you can follow Cloudshark developments on Twitter at @Cloudshark.


Kentuckiana ISSA Meeting – June 4th

May 26th, 2010

I’m speaking at the Kentuckiana ISSA meeting on June 4th in Louisville, KY.

The topic is “Then What Happened…Stories and Lessons in Incident Response”

Dive into recent attack packet analysis with Chris Sanders to reveal the dirty truth about recently investigated incidents.

Learn key factors in how exploits were detected, the analysis method used to determine sources…
You will also see methods used to determine the severity level of exploits and the power they may really have in your environment…

I’ll be covering some exciting things including some of the fundamental skills for intrusion analysts, tips for building your incident handling team, “packet math”, and analysis of recent attacks including a newly released 0-day.

Look forward to seeing you there! For more information including directions, check here http://www.issa-kentuckiana.org/.


Snort Alert Log Reverser

February 9th, 2010

I’ve been using Snort as a host-based IDS on my laptop for quite a while now and, rather than expanding my attack surface by installing a database server for logging, I am simply logging to the standard flat file format. In this format all Snort alerts are logged to an alert.ids file in the C:/Snort/log directory. In previous instances I’ve just reviewed this log frequently, but I’ve had the desire for quite some time to have something a bit more real-time. I’m not sure if I’ve found the best solution, but I’m currently using RainMeter to display the most recent Snort alerts on my desktop.


I did run into one problem which had a solution I think others might be interested in. Snort logs the newest alerts it receives at the bottom of the alert.ids file, which makes gathering the most recent alerts via Perl regular expressions a bit of a complicated task. I brought this problem to my analysis team at EWA and Jason Smith, who has just started learning Perl, developed a script that alleviates this problem. The script takes the last alert in the alert.ids file and places it at the top of a new “parsed” file. The second to last alert in the alert.ids file is then placed as the second alert in the parsed file, and so on and so forth. Also, as a bit of expanded functionality the script only grabs the first four lines of every alert, which gives the alert name, classification, priority, and basic packet information. This makes for a more condensed and concise output.


You can download the script here: snort_parser.zip
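For readers who want to see the reversal logic itself, here is an added example in Python (my own code, not Jason’s Perl script and not from the original post) that performs the same job: it splits a Snort full-format alert.ids into alerts on the blank lines between them, keeps the first four lines of each, emits them newest first, and additionally pulls out the SID, message, priority and endpoints so a desktop widget can display them. The three-alert `SAMPLE_ALERT_IDS` is constructed for the demonstration, with documentation-range addresses.

```python
"""Newest-first summary of a Snort full-format alert file (added example)."""
import re
from typing import Dict, List

# Constructed sample alert.ids content (three alerts, oldest first) in the
# "full" alert format Snort writes to alert.ids; not from a real sensor.
SAMPLE_ALERT_IDS = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
02/09-10:21:32.123456 192.0.2.5:1434 -> 198.51.100.7:1434
UDP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:404
Len: 376
[Xref => http://www.securityfocus.com/bid/5311]

[**] [1:1000001:1] LOCAL Example inbound SSH scan [**]
[Classification: Attempted Information Leak] [Priority: 3]
02/09-10:25:01.000001 192.0.2.9:51234 -> 198.51.100.7:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0 Ack: 0x0 Win: 0x4000 TcpLen: 40

[**] [1:1000002:1] LOCAL Example web scanner user-agent [**]
[Classification: Web Application Attack] [Priority: 1]
02/09-10:31:45.654321 192.0.2.11:40000 -> 198.51.100.7:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x1000 TcpLen: 32
"""

# Line 1: "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Line 2 (absent for rules without a classtype): classification and priority
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
# Line 3: "MM/DD-HH:MM:SS.usec src:port -> dst:port"
PACKET_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def split_alerts(text: str) -> List[List[str]]:
    """Split alert.ids into alerts (one per blank-line-separated block), file order."""
    alerts: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.strip():
            current.append(line.rstrip())
        elif current:
            alerts.append(current)
            current = []
    if current:
        alerts.append(current)
    return alerts


def summarise_newest_first(text: str, keep: int = 4) -> List[List[str]]:
    """Reverse the file so the most recent alert comes first, keeping only the
    first `keep` lines of each alert (name, classification and priority,
    timestamp and addresses, basic packet information)."""
    return [alert[:keep] for alert in reversed(split_alerts(text))]


def parse_alert(alert: List[str]) -> Dict[str, str]:
    """Pull the fields a desktop widget would display out of one alert block."""
    fields: Dict[str, str] = {}
    m = HEADER_RE.match(alert[0])
    if not m:
        raise ValueError(f"unrecognised alert header: {alert[0]!r}")
    fields.update(gid=m.group(1), sid=m.group(2), rev=m.group(3), msg=m.group(4))
    for line in alert[1:]:
        if (m := CLASS_RE.match(line)):
            fields.update(classification=m.group(1), priority=m.group(2))
        elif (m := PACKET_RE.match(line)):
            fields.update(timestamp=m.group(1), src=m.group(2), dst=m.group(3))
    return fields


def render(text: str, keep: int = 4) -> str:
    """Text for the 'parsed' file the widget reads: newest alert at the top."""
    blocks = summarise_newest_first(text, keep)
    return "\n\n".join("\n".join(block) for block in blocks) + "\n"


if __name__ == "__main__":
    # With a real sensor, read C:/Snort/log/alert.ids here and write the result
    # to the parsed file the widget reads; the sample stands in for that file.
    print(render(SAMPLE_ALERT_IDS), end="")
    for block in summarise_newest_first(SAMPLE_ALERT_IDS):
        f = parse_alert(block)
        print(f"P{f.get('priority', '?')} sid={f['sid']} {f.get('src')} -> {f.get('dst')}: {f['msg']}")
```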


As for implementation, I have setup a scheduled task that runs the script every 5 minutes so that the RainMeter on my desktop is updated very frequently. One small issue I noticed was that when this task ran it would pop up a command prompt window momentarily which was quite annoying. In order to combat this I created a VBS script that runs the perl script in the background. Rather than running the perl script, the scheduled task runs the VBS script which calls the perl script as an argument so that the process is invisible to me.


You can download the VBS script here: silent_launcher.vbs


Feel free to download, use, and distribute these files as you see fit.
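As an added example that is not the snort_parser script linked above (nor Jason Smith’s Perl), here is the same newest-first reversal and four-line condensing of a Snort full-format alert.ids written in Python; the sample alert text, the local-range SIDs in it, and the alert_parsed.txt output path are constructed assumptions.

```python
"""Reverse a Snort full-format alert.ids so the newest alert comes first,
keeping only the first four lines of each alert (name, classification and
priority, timestamp with addresses, protocol summary)."""
import re
import sys

# Constructed sample in Snort's full alert format; SIDs are in the local range.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] LOCAL older test alert [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/26-09:00:01.000000 10.0.0.5:40000 -> 192.168.1.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0xFFFF TcpLen: 40

[**] [1:1000002:1] LOCAL newest test alert [**]
[Classification: Misc activity] [Priority: 3]
01/26-09:05:42.000000 10.0.0.6:53 -> 192.168.1.10:51234
UDP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:80
[Xref => http://example.invalid/placeholder]
"""


def parse_alerts(text):
    """Split the log into alert records; Snort separates them with blank lines."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [b.splitlines() for b in blocks if b.strip().startswith("[**]")]


def condense(alert_lines, keep=4):
    """Keep only the header lines of one alert (a short record stays as-is)."""
    return alert_lines[:keep]


def newest_first(text, keep=4):
    """Return the alerts newest-first, each trimmed to its first `keep` lines."""
    alerts = [condense(a, keep) for a in parse_alerts(text)]
    alerts.reverse()  # Snort appends, so the last record on disk is the newest
    return "\n".join("\n".join(a) + "\n" for a in alerts)


if __name__ == "__main__":
    # Paths are assumptions; override them on the command line.
    src = sys.argv[1] if len(sys.argv) > 1 else r"C:\Snort\log\alert.ids"
    dst = sys.argv[2] if len(sys.argv) > 2 else r"C:\Snort\log\alert_parsed.txt"
    with open(src, encoding="utf-8", errors="replace") as f:
        parsed = newest_first(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write(parsed)
```

When this runs as a Windows scheduled task, launching it with pythonw.exe instead of python.exe avoids the momentary console window without needing a separate launcher script.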

Early 2010 Travel Plans

January 26th, 2010 No comments

I’m going to be out and about a few different places the early part of this year. If you are going to be at any of these events and want to get together and talk shop or have a bite to eat, give me a shout.

  • ShmooCon, Washington DC – Feb 5-7
  • SANS 2010, Orlando FL – Mar 6-15

I’m also planning on attending HOPE [Tentative] (NYC), Phreaknic (Nashville), Defcon (Vegas), and Black Hat (Vegas) this year.

Categories: Personal Tags:

SANS SEC 504 Comes to Bowling Green – Mentored by Me!

December 18th, 2009 No comments

I’ve recently been accepted into the SANS Institute mentor program and will be mentoring my first course next spring in the Bowling Green, KY area.

Please join Mentor Chris Sanders starting on March 18 for Security 504: Hacker Techniques, Exploits and Incident Handling.

Experience this local class and SANS award winning security training first hand in the popular Mentor format!

Chris Sanders will be leading this 36 CPE credit class in Bowling Green, KY.

For complete course details and registration information, please click on http://www.sans.org/info/52263.

About the course:

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

Students study SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with a SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

These courses are great for folks who want SANS level training but don’t have the travel budget to go to a conference for a week. I’m very excited to bring something like this to my area…security training around here is slim pickins! Bowling Green is very centrally located and is only an hour from Nashville, TN, two hours from Louisville, KY, two hours from Lexington, KY, and two hours from Paducah, KY.

Also, I will be donating 20% of my teaching fee to the Rural Technology Fund, a 501(c)(3) non-profit organization which provides scholarships to high school students pursuing technical majors.

Feel free to e-mail me with any questions, or visit the course website here: http://www.sans.org/info/52263.

Categories: Training Tags: ,

2009 Louisville InfoSec Conference and CTF

October 11th, 2009 1 comment

I attended the Kentuckiana ISSA Louisville InfoSec conference on the 8th of this month and I wanted to be sure and put something up about what a great event it was.

I participated in the CTF event that was put together by Adrian “Irongeek” Crenshaw (http://www.irongeek.com and @irongeek_adc). This is only the second CTF I’ve participated in (the first being the SANS Sec 504 CTF in San Diego) and I was really pleased with it.

You can view a write up and a brief video on the technical details of the CTF here: http://www.irongeek.com/i.php?page=videos/louisville-infosec-ctf-2009.

My team ended up coming in fourth. The winning team was led by Dave Kennedy (http://securestate.blogspot.com/) who won by a pretty good margin, and the second, third, and fourth place teams all finished within about ten minutes or so of each other.

This was the second event I’ve attended that involved the Kentuckiana ISSA and Adrian and I’ve really enjoyed being involved. I think I’ll be joining ISSA in the very near future.

I wasn’t able to attend many of the talks due to being involved with the CTF but my colleagues who did spoke very highly of all of the speakers.

A big thanks to Adrian and the Kentuckiana ISSA for organizing this! I can’t wait until next year!

Categories: Personal Tags: ,

Practical Packet Analysis, 2nd Edition – Coming in 2010!

September 24th, 2009 No comments

I haven’t exactly kept this one a complete secret, but I’ve confirmed with the great folks over at No Starch Press and have begun work on the second edition of Practical Packet Analysis. The second edition will contain over 60% new content including ALL new scenarios and capture files, a very unique take on security at the packet level, much more detailed coverage of wireless packet analysis, and even VoIP! A target release date has not been officially set, but expect something in Q1-Q2 2010.

Have ideas for the second edition? Things you liked? Didn’t like? Want to contribute? Let me know!

Categories: Publications Tags: , ,

September Windows Security Articles

September 23rd, 2009 No comments

Howdy Folks,

I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.

September 2nd – Securing Application Execution with Microsoft AppLocker

September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8

Enjoy!

Categories: Publications Tags: ,

Product Review of GFI LANguard 9.0

July 26th, 2009 No comments

The fine folks over at GFI were kind enough to send me a copy of the latest release of their LANguard product, which is currently at version 9.0. As a disclaimer, GFI does advertise on my site, but this is not a paid advertisement, and our business relationship has no influence on my review of the product.

I’ve used various GFI products for several years and remember using LANguard many years ago while working for the Department of Education. As I have taken on a more security-focused role in my new position with EWA GSI I have found myself using LANguard again and am enjoying the newest version of the product just as much as I did the older versions.

The big three features LANguard boasts are vulnerability management, patch management, and network auditing. I’ll address each of those individually.

Vulnerability Management

My primary use of LANguard has always been in this category. Some of my earliest learning experiences with network security were centered on LANguard security scans, and in my current security role I’m making use of it right where I left off.

The scanning engine boasts over 15,000 scanning signatures and does seem to be quite thorough. I compared GFI LG scans side by side with Nessus scans on the same hosts and found that the LG scans were picking up quite a few more items of interest when it came to Windows hosts. The scanning options are quite robust and the reporting and remediation interface couldn’t be much better.

Patch Management

I’ve previously always used WSUS for patch management. However, if you’ve used WSUS you know that it can sometimes be unreliable and the reporting and troubleshooting features associated with it are still greatly lacking. I’m no longer directly managing a network, so I evaluated the patch management features of LG on my home network and was pleasantly surprised.

I ran several scans against the devices on my networks and some of the virtual machines in my test networks that I had purposely halted automatic updates on. LG reported the missing updates on these machines and I was able to efficiently deploy those updates to the machines. I’ve always thought OS updates should be something that “just works” and LG fit the bill on this.

Network Auditing

There is a LOT of competition in this area but I was really impressed with what LG could offer here. I think a network auditing solution’s biggest weak point is usually the reporting interface, and just as with the other areas of LG, the reporting is pristine. Not only can you perform on the spot audits, but you can also check for things such as illegal software installations by running comparisons against baseline audits.

Pricing

GFI has released a full-featured FREE version of LANguard to be used for up to 5 IPs. After that, pricing is done on a per-IP basis with prices starting from around $32 USD per IP for a 10-24 IP block.

Conclusion

I’ve always thought GFI was a great company with some really great products and LANguard 9.0 only helps to reinforce this opinion. I will continue to use the product alongside Nessus for my security scanning needs and would fully recommend it for network management and auditing.

You can check out LANguard and other GFI products at http://www.gfi.com.

Wireless Sniffing Article in June Issue of (In)Secure Magazine

June 1st, 2009 No comments

The newest issue of (In)Secure Magazine has been released today. This issue contains an article I’ve written entitled “Using Wireshark to Capture and Analyze Wireless Traffic”.

Article Introduction:

The tricky thing about a wireless network is that you can’t always see what you’re dealing with. In a wireless network, establishing connectivity isn’t as simple as plugging in a cable, physical security isn’t nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn’t come as a surprise that analyzing packets from a wireless network isn’t as uninvolved as just firing up a packet sniffer and hitting the capture button.

In this article I’m going to talk about the differences between capturing traffic on a wireless network as opposed to a wired network. I’ll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data, I’m going to jump into the particulars of the 802.11 MAC layer, 802.11 frame headers, and the different 802.11 frame types.

The goal of this article is to provide you with some important building blocks necessary for properly analyzing wireless communications.

You can view the full article in the (In)Secure Magazine June issue, which can be obtained here: http://www.net-security.org/insecuremag.php.