When Prevention Fails, Extending IR and Digital Forensics Capabilities to the Corporate Network (PDF – 6,2 MB)

Speaking at SANS Boston

Thanks to Barbara Basalguete, Stephen Northcutt and the rest of the SANS crew for the opportunity to participate in such a great event, as well as to all the attendees that preferred to stay around after a long training day instead of heading off to Harvard Square for Friday party!

When Prevention Fails: Extending IR and Digital Forensics capabilities to the corporate network

2011 is being a big year for cybersecurity incidents with high profile attacks reported against large organizations including HBGary Federal, RSA, Lockheed Martin and several Sony companies among others. With smarter intruders that can make use of both very sophisticated attacks and simple, yet effective, phishing attacks against our users, everyone should assume that at some point their preventive measures will fail, and that sooner or later you will have to recover from a future intrusion. Based on this assumption several questions arise: When prevention fails, what is left? Am I ready to detect, react and recover from an intrusion? What can Network Security Monitoring and Digital Forensics do for me?

Ismael’s talk will address these questions, describing the latest trends in computer attacks and intrusions, including the use of Botnets and what has been called the Advanced Persistent Threats (APT). Lastly, Ismael will show how Network Security Monitoring (NSM) and Digital Forensics methods and tools can be extended to the corporate network to assist in the early detection and investigation of these threats. Best practices and techniques on how to do NSM, full packet capture, network forensic analysis and data carving will be discussed, along with some live demos using tools that are available to any security practitioner.

A full description of the event can be found here:

http://www.sans.org/info/74514

Registration is still open but you have to be quick. It might be also a good idea to drop me an email if you’re planning to be there

See you in Berlin!

Part 1 of my post on Mac OS X memory acquisition and analysis has been posted at the SANS Forensics Blog. I’ll try to publish Part 2 early next week. Stay tuned!

http://computer-forensics.sans.org/blog/2011/01/28/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-1

Update

Part 2 is published now:

http://computer-forensics.sans.org/blog/2011/02/04/mac-os-forensics-howto-simple-ram-acquisition-analysis-mac-memory-reader-part-2

Thanks for all your positive comments.

If you haven’t heard of Community SANS courses before, I encourage you to have a look at this new format (new outside the US, where it’s been running for years). This is a great way of bringing the popular SANS courses to your local security community at a reasonable cost, especially for those that can’t attend the major events.  It’s worth mentioning that unlike the SANS Mentor  sessions, these are delivered over a six-day period, just like it is at a larger SANS event, including the full set of books and access to audio files. They are just delivered in your own community, in a small classroom setting and at a discounted cost for tuition and travel expenses.

I’ve already described my experience with SANS, both as student and facilitator, so I won’t go over that again. Also, you can find a further detailed description of the Security 503 track on SANS website, an outstanding course that I’ve already described as the “most valuable course I’ve ever taken”. However, I want you to listen to Mike Poor, instructor at the SANS Institute and co-author of this course (along with Judy Novak and Guy Bruneau), describing it on YouTube. Mike Poor is both an amazing professional and a great guy that I had the opportunity to meet at SANS Sydney in 2008, when I took his Penetration Testing class. As Mike would say, this IDS course is simply “awesome”!

I’ve been also authorised to post them on my website, so feel free to download them from the updated “Papers & Presentations” page, where I have also posted some of the comments I received from several readers, as well as an interesting reference to my article from Harlan Carvey.

Happy reading!

You can download it from the following location:
http://distro.ibiblio.org/pub/linux/distributions/security-onion/

The following information is extracted from Doug’s Security Onion blog:

What is it?

The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.

What software does it contain?

The Security Onion LiveCD is based on Xubuntu 9.04 and contains Snort 2.8.4.1, Snort 3.0.0b3 (Beta), sguil, idswakeup, nmap, metasploit, scapy, hping, fragroute, fragrouter, netcat, paketto, tcpreplay, and many other security tools.

What can it be used for?

-The Security Onion LiveCD can be used for Intrusion Detection. Simply boot the CD and double-click either the Snort-Sguil or SnortSP-Sguil desktop shortcuts. The Snort and Sguil daemons will then start, listening on eth0 for any suspicious traffic and creating alerts in the Sguil console.

-The Security Onion LiveCD can be used to test an Intrusion Detection System. Simply boot the CD and use the included tools (such as nmap, metasploit, idswakeup, scapy, hping, and others) to test your existing IDS or to test the included Snort 2.8.4.1 and Snort 3.0 Beta 3.

-The Security Onion LiveCD can be used to install an Intrusion Detection System. Simply boot the CD and double-click the Install desktop shortcut. For more information about installation, please see the README desktop shortcut.

I haven’t had a chance to download it yet, but I will definitely give it a try over the next few days. I’m very interested in trying out the IDS installation feature and see how it compares to other Sguil installation scripts like NSMnow. I’m currently working on the deployment of a good number of Sguil servers/sensors and NSMnow has reduced significantly the time needed to get them up and running. Hence, any new development on this topic is more than welcome.

I will keep posting my findings on this new exciting tool!

… and if you think you are a competent programmer, please don’t flame at me and listen to Ron’s last sentence!

Enjoy and happy Friday!

I’m writing this post while seated on a train going from Birmingham’s International Airport to Banbury, a small town located in the heart of Oxfordshire. It’s only a 40 minutes trip but I really enjoy it, especially if I have a good album to listen to (like that of The Script I’m listening now), some coffee and the nice view of the English countryside I can see through the window right now.

I come to Banbury very often, like once every two or three months, most of the times to hold meetings with my team colleagues, to support ISO 27001 audits or to conduct onsite assessments. None of those are the main purpose of my visit this time. After delivering a new one-day session on Incident Response and Computer Forensics at my employer’s European offices in Leiden (the Netherlands), Bochum (Germany) and Warrington (UK), it’s now Banbury’s turn.

The goal of this sessions is to train our ICT staff on how to best react to security incidents while preserving volatile and non-volatile evidence, but at the same time to give them an overview on what Computer Forensics is all about, so they can understand the importance of handling digital evidence appropriately.

While I’ve run similar sessions in the past, I’m particularly happy with the new material that I’ve put together this time, and the feedback I’m getting from the people that have attended this sessions (more than 25 so far) confirms me that.

I can’t give much detail on its content now (and I will tell you why in a bit) but all I can say is that the training is now packed with hands-on exercises that uses a virtual machine as a portable forensics lab and the image of a compromised Windows 2003 Server as the target of the analysis. It’s based on a real-case scenario and illustrates the methods and the tools that are typically used throughout the course of a real computer forensic investigation. Really useful and fun stuff!

The reason why I can’t give much detail now is because earlier this year, Ewa Dudzic, Editor in Chief of Hakin9 magazine, invited me to write an introductory article on Computer Forensics for their well-known and prestigious magazine, and that article is actually based on the content of the training described above. Now I’m glad to see that the current issue of the magazine announces that the first part of my two-series article will be published in the next issue of Hakin9, that is 4/2009. The article will not just include a step-by-step guide to forensic response and investigation but also references to all the tools and images you can use to set up your own forensic lab and do the exercises at home. Stay tuned, as I will post more details on that as soon as the article is released.

In the meantime I will carry on with my ‘European tour’ that I expect to finish at my home office later in May. Remote locations like India and Sydney might come next, possibly during the second half of 2010.

No doubt, one of the best things about delivering this training is that it’s given me the opportunity to spend more time with colleagues from different geographies and, why not, to have some fun after work. As you can see in the pictures below, I even had the opportunity to watch a live game at Old Trafford!

Watching Manchester Utd vs Porto live at Old Trafford, the Theatre of Dreams! (UEFA Champions League 2009)

Great time riding through the streets of Leiden, in the Netherlands

Thanks Andy and Paul for such a great time

Besides that, there are plenty of rumours about a possible Conficker attack on 1st April. I know you may think it’s all hype or scaremongering, and it might well be. But, if you run a large corporate network I’m sure you don’t want to sit down and wait until 1st April to find out.

If that’s the case, you have to know that the Honeynet Project has been working on a way to detect Conficker-infected machines and that they have just released a scanner for this task. The scanner is available as a python script and as a windows .exe executable, and can be used to scan a single host or a whole network range.

When run it on my mac the output looked like this:

# ./scs.py 192.168.1.1 192.168.1.254

———————————-
Simple Conficker Scanner
———————————-
scans selected network ranges for
conficker infections
———————————-
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
———————————-

No resp.: 192.168.1.1:445/tcp.
No resp.: 192.168.1.82:445/tcp.
No resp.: 192.168.1.80:445/tcp.
No resp.: 192.168.1.81:445/tcp.
No resp.: 192.168.1.95:445/tcp.
192.168.1.99 seems to be clean.
192.168.1.101 seems to be clean.
192.168.1.85 seems to be clean.
192.168.1.97 seems to be clean.
192.168.1.106 seems to be clean.

Alternatively, popular scanners like nmap, Nessus and others have quickly updated their plugins to support Conficker detection. At the moment, Nmap 4.85beta5 has all the scripts included, and it’s now ready for download at http://nmap.org/download.html. If you’re are running a Unix-like system you probably want to update nmap from svn:

$ svn co –username=guest –password=” svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install

Then run nmap using the new NSE script:

$ nmap –script=smb-check-vulns –script-args=safe=1 -p445 -d <target>

As of Nessus, use plugin #36036 to detect any variant of Conficker.

The Honeynet Project has also released Snort signatures to detect Conficker.A and Conficker.B traffic. Make sure you update your IDS sensors with these signatures and be ready to monitor your console over the next few days. If you don’t have any IDS technology in place (I will resist the temptation to ask you why by now) but you have access to a network span port, you can still plug any Unix-like box in and run ngrep like this:

$ sudo ngrep -qd eth0 -W single -s 900 -X
<insert shellcode string from here>
‘tcp port 445 and dst net <local network range>‘

Further details about Conficker fingerprint and the detection methods and tools can be found here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Good luck.

That’s been what I call my ‘SANS itinerary’ since I started this exciting journey back in June 2007. It all started at SANS Secure Europe, in Brussels, where I took my first SANS class with Jess Garcia, CEO of One eSecurity and a good friend of mine. It was SECURITY 508, System Forensics, Investigation & Response, an awesome track created by Rob Lee on one of the most interesting and hot topics of Information Security. It’s been almost two years since then, but now I realize the tremendous positive influence that event had in my career as a security professional.

Early on the first day, I could see that was a different kind of training, far different from all the training sessions I had attended before, including the well-known CISSP bootcamp and vendor specific training like Checkpoint‘s and others I took in the past. Unlike those, this was real hands-on training, with lots of exercises and challenges, including the use of several virtual machines and an arsenal of security tools you can take home with you. Also, the amount of material you receive throughout a 6-day course is awesome. Someone described it like “drinking directly from a fire hose”. Actually, I can’t describe it better.

Add to that a friendly, relaxed but yet professional atmosphere, and the multiple opportunities you get for both networking and sheer knowledge with attendees and instructors and you will understand why Brussels was only the start.

With Carlos Fragoso and Richard Fadul at SANS Secure Europe 2007 in Brussels

Next came London, in December 2007. That time I chose the challenging SECURITY 503: Intrusion Detection In-Depth. I don’t exaggerate if I say this is the most advanced course in network intrusion detection and traffic analysis that has ever been taught, and by far the most valuable course I’ve ever taken. The quality of the material is outstanding (I keep using it as a valuable reference) and the fact that I had Dr. Johannes Ullrich (Chief Research Officer for the SANS Institute and responsible of the Internet Storm Center) as instructor was really a plus. Even if you knew nothing about IDS I guarantee the first thing you will do when you’re back home is setting up a Snort sensor or even deploying a Sguil NSM System!

Last thing I can say about this course is that I actually enjoyed it three times: first at the live event, second when I went through the entire courseware and exercises again to prepare for the GIAC exam, and third, when listened to the mp3 files of Mike Poor teaching the same material in a different venue. Two instructors for the price of one!

The same was true of my third stop, SANS Sydney in November 2008. This time it was SECURITY 560: Network Penetration Testing and Ethical Hacking, delivered by Mike Poor (I was looking forward to meeting him!!) and authored by Ed Skoudis.

While this is described by SANS as “one of the most technically rigorous courses offered by the SANS Institute”, I had some advantage with this one. While my previous experience in areas like Forensics and IDS was limited, I had been doing penetration testing at different professional levels for more than 8 years. Although I was certainly familiar with many topics and tools like Nessus, Nmap, Metasploit and others, there were plenty of advanced tips and tricks that made this course worth the money. I will just tell you that the section on Windows command line kung fu for pentesters and the exercises on password cracking using advanced Netcat relays will leave you breathless!

Ultimate hacking with Damian Grace and Robert Di Pietro at Mike Poor’s class in Sydney!

Then again, I enjoyed listening to Ed Skoudis’ mp3 files while commuting to work for the last couple of months before I took my GPEN exam. Thanks Ed for making traffic jams a lot more bearable!

My GIAC Certs: GCFA, GCIA and GPEN. Watch the 99% score on the last one!

As I said before, so far this journey has given me the opportunity not just to receive top quality training from some of the best security instructors in the world, but also to meet great professionals, colleagues and friends that make you feel part of a unique security community. Some of the people I’ve had the opportunity to meet and even hang out with includes Jess Garcia, Mike Poor, Johannes Ullrich, Raul Siles, David Perez, John Fitzgerald, Pieter Danhieux, Richard Fadul, Carlos Fragoso, Almerindo Graziano, Jonathan Ham, Justin Clarke, Robert Di Pietro, Chris Mewett, Damian Grace, etc… and many others I am fortunate to keep in touch with.

Now, the next stop in my ‘SANS itinerary’ will be Amsterdam in May this year. This time I’m proud to say that I’ve been selected to facilitate at SECURITY 542: Web App Penetration Testing and Ethical Hacking, a new 6-day track written by Kevin Johnson and focused on finding and exploiting web application attack vectors. Seth Misenar will deliver this track at SANS Secure Europe 2009 in Amsterdam.

Best thing this time is that, in addition to attending the course, as a room facilitator I will have the opportunity to work closer with all the instructors (specially with Seth) and other fellow team members.

I look forward to that!