Besides that, there are plenty of rumours about a possible Conficker attack on 1st April. I know you may think it’s all hype or scaremongering, and it might well be. But, if you run a large corporate network I’m sure you don’t want to sit down and wait until 1st April to find out.

If that’s the case, you have to know that the Honeynet Project has been working on a way to detect Conficker-infected machines and that they have just released a scanner for this task. The scanner is available as a python script and as a windows .exe executable, and can be used to scan a single host or a whole network range.

When run it on my mac the output looked like this:

# ./scs.py 192.168.1.1 192.168.1.254

———————————-
Simple Conficker Scanner
———————————-
scans selected network ranges for
conficker infections
———————————-
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
———————————-

No resp.: 192.168.1.1:445/tcp.
No resp.: 192.168.1.82:445/tcp.
No resp.: 192.168.1.80:445/tcp.
No resp.: 192.168.1.81:445/tcp.
No resp.: 192.168.1.95:445/tcp.
192.168.1.99 seems to be clean.
192.168.1.101 seems to be clean.
192.168.1.85 seems to be clean.
192.168.1.97 seems to be clean.
192.168.1.106 seems to be clean.

Alternatively, popular scanners like nmap, Nessus and others have quickly updated their plugins to support Conficker detection. At the moment, Nmap 4.85beta5 has all the scripts included, and it’s now ready for download at http://nmap.org/download.html. If you’re are running a Unix-like system you probably want to update nmap from svn:

$ svn co –username=guest –password=” svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install

Then run nmap using the new NSE script:

$ nmap –script=smb-check-vulns –script-args=safe=1 -p445 -d <target>

As of Nessus, use plugin #36036 to detect any variant of Conficker.

The Honeynet Project has also released Snort signatures to detect Conficker.A and Conficker.B traffic. Make sure you update your IDS sensors with these signatures and be ready to monitor your console over the next few days. If you don’t have any IDS technology in place (I will resist the temptation to ask you why by now) but you have access to a network span port, you can still plug any Unix-like box in and run ngrep like this:

$ sudo ngrep -qd eth0 -W single -s 900 -X
<insert shellcode string from here>
‘tcp port 445 and dst net <local network range>‘

Further details about Conficker fingerprint and the detection methods and tools can be found here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker

Good luck.

That’s been what I call my ‘SANS itinerary’ since I started this exciting journey back in June 2007. It all started at SANS Secure Europe, in Brussels, where I took my first SANS class with Jess Garcia, CEO of One eSecurity and a good friend of mine. It was SECURITY 508, System Forensics, Investigation & Response, an awesome track created by Rob Lee on one of the most interesting and hot topics of Information Security. It’s been almost two years since then, but now I realize the tremendous positive influence that event had in my career as a security professional.

Early on the first day, I could see that was a different kind of training, far different from all the training sessions I had attended before, including the well-known CISSP bootcamp and vendor specific training like Checkpoint‘s and others I took in the past. Unlike those, this was real hands-on training, with lots of exercises and challenges, including the use of several virtual machines and an arsenal of security tools you can take home with you. Also, the amount of material you receive throughout a 6-day course is awesome. Someone described it like “drinking directly from a fire hose”. Actually, I can’t describe it better.

Add to that a friendly, relaxed but yet professional atmosphere, and the multiple opportunities you get for both networking and sheer knowledge with attendees and instructors and you will understand why Brussels was only the start.

With Carlos Fragoso and Richard Fadul at SANS Secure Europe 2007 in Brussels

Next came London, in December 2007. That time I chose the challenging SECURITY 503: Intrusion Detection In-Depth. I don’t exaggerate if I say this is the most advanced course in network intrusion detection and traffic analysis that has ever been taught, and by far the most valuable course I’ve ever taken. The quality of the material is outstanding (I keep using it as a valuable reference) and the fact that I had Dr. Johannes Ullrich (Chief Research Officer for the SANS Institute and responsible of the Internet Storm Center) as instructor was really a plus. Even if you knew nothing about IDS I guarantee the first thing you will do when you’re back home is setting up a Snort sensor or even deploying a Sguil NSM System!

Last thing I can say about this course is that I actually enjoyed it three times: first at the live event, second when I went through the entire courseware and exercises again to prepare for the GIAC exam, and third, when listened to the mp3 files of Mike Poor teaching the same material in a different venue. Two instructors for the price of one!

The same was true of my third stop, SANS Sydney in November 2008. This time it was SECURITY 560: Network Penetration Testing and Ethical Hacking, delivered by Mike Poor (I was looking forward to meeting him!!) and authored by Ed Skoudis.

While this is described by SANS as “one of the most technically rigorous courses offered by the SANS Institute”, I had some advantage with this one. While my previous experience in areas like Forensics and IDS was limited, I had been doing penetration testing at different professional levels for more than 8 years. Although I was certainly familiar with many topics and tools like Nessus, Nmap, Metasploit and others, there were plenty of advanced tips and tricks that made this course worth the money. I will just tell you that the section on Windows command line kung fu for pentesters and the exercises on password cracking using advanced Netcat relays will leave you breathless!

Ultimate hacking with Damian Grace and Robert Di Pietro at Mike Poor’s class in Sydney!

Then again, I enjoyed listening to Ed Skoudis’ mp3 files while commuting to work for the last couple of months before I took my GPEN exam. Thanks Ed for making traffic jams a lot more bearable!

My GIAC Certs: GCFA, GCIA and GPEN. Watch the 99% score on the last one!

As I said before, so far this journey has given me the opportunity not just to receive top quality training from some of the best security instructors in the world, but also to meet great professionals, colleagues and friends that make you feel part of a unique security community. Some of the people I’ve had the opportunity to meet and even hang out with includes Jess Garcia, Mike Poor, Johannes Ullrich, Raul Siles, David Perez, John Fitzgerald, Pieter Danhieux, Richard Fadul, Carlos Fragoso, Almerindo Graziano, Jonathan Ham, Justin Clarke, Robert Di Pietro, Chris Mewett, Damian Grace, etc… and many others I am fortunate to keep in touch with.

Now, the next stop in my ‘SANS itinerary’ will be Amsterdam in May this year. This time I’m proud to say that I’ve been selected to facilitate at SECURITY 542: Web App Penetration Testing and Ethical Hacking, a new 6-day track written by Kevin Johnson and focused on finding and exploiting web application attack vectors. Seth Misenar will deliver this track at SANS Secure Europe 2009 in Amsterdam.

Best thing this time is that, in addition to attending the course, as a room facilitator I will have the opportunity to work closer with all the instructors (specially with Seth) and other fellow team members.

I look forward to that!

I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist to write a comment on that discussion about what the best IDS system is. Not when I read the following comment:

Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.

The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.

Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.

Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:

I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.

Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005″. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).

First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.

However, an IDS is not that different to an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take and IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.

However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tunning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised on a third-party, namely Managed Security Services Providers (MSSP).

As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest to combine both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.

Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.

As of commercial IPS solutions I have a very good feedback from Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.

Feel free to flame me if I’m wrong.