Thoughts from Black Hat USA 2009

Black Hat USA 2009 is history. My two classes of TCP/IP Weapons School 2.0 went very well. I should be back to teach in DC, Barcelona, and Las Vegas next year. Thank you to my students for your positive feedback and cooperation in class! Despite your numbers we had little to no problems and I believe everyone learned something useful. For future classes I will add a table of contents, focus cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 questions, add more on my personal methodologies, and add more consistent page numbers to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 class books. I added two of your comments to my Training page, and I'll add one ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r here:

The instructor was great. Very informative and very "in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 weeds" for a Director!

That made me laugh.

I recorded my take-aways from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Briefings using my new Twitter.com/taosecurity account. Moxie Marlinspike delivered my favorite briefing. He completely demolished SSL, and he presented cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 material in a very understandable story. As one attendee commented to me: "he told a story we could all follow, unlike some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r speakers." In addition to Moxie, Dan Kaminsky, and Alex Sotirov & Mike Zusman also showed SSL problems.

I paid a decent amount of attention to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "mobile" track this year. The outside world seems to not realize that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 iPhone or Blackberry in your pocket is a computer. Some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vendors don't think that way eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r. Apple is becoming cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new Microsoft as mentioned by several people this week. Start with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 page listing Apple security updates: http://support.apple.com/kb/HT1222. What kind of a URL is that?

Now look for iPhone updates:

• 17 June 2009


• 20 November 2008


• 12 September 2008

Can you spot cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem here? How about more timely updates?

Now select cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest update and search for "arbitrary code execution". I counted 27 instances. The bottom line is that Apple needs to step up to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 plate. How about creating a PSIRT like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 grown-up vendors have?

A close second favorite talk was "Fighting Russian Cybercrime Mobsters" by Dmitri Alperovitch and Keith Mularski. That's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 kind of threat-centric talk that everyone can understand. Jeremiah Grossman and Trey Ford again brought it strong with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir latest on making money through cybercrime. The last talk I attended, by Bill Blunden, featured an updated version of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 slide where he posts my picture, except he used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 more recent, grayer-beard photo. Thanks Bill -- nice to meet you!

What is Cloud?

The slide at left was one of my favorites from Craig Balding's Cloud Security Ghost Story talk from Black Hat EU earlier this year.

I like that he shows that a "cloud" does not mean a "VM farm" run by admins who require users to endure lengthy provisioning processes, followed by requests from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IT department for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 supposed "customer" to provide information and resources cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y would expect to get from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Cloud.

Real Clouds are provisioned via credit card, are trivial and transparent to extend, and make life easier for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 customer, not a hassle!

Notes from OISF Meeting in DC

This month I was pleased to attend a public meeting of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Open Information Security Foundation in Washington, DC. I got a chance to meet several people I have known for many years through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir work with Snort, such as Matt Jonkman, Will Metcalf, Victor Julien, Frank Knobbe, and two guys from a federal agency that have extended Sguil way beyond what I knew anyone was doing! The group posted DC Brainstorming Meeting Notes, but I wanted to record a few thoughts here.

OISF is a US nonprofit, a 501c(3). Their goal is to produce a new network inspection and filtering engine (IDS/IPS) that will be released under GPLv2. They can not and will not commercialize, sell, patent, copyright, or profit from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 engine. Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r, ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs who participate in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 OISF Consortium (listed on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir Web site) are donating coders, equipment, and financial support in exchange for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ability to commercialize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 engine.

OISF works with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Open Source Software Institute, famous for getting FIPS validation for OpenSSL -- something everybody wanted but no one wanted to fund alone. OISF is part of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 DHS Homeland Open Security Technology (HOST) program. OISF has received legal guidance from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Software Freedom Law Center.

OISF has many goals for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir engine, outlined in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 notes I linked earlier. Most interesting is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir goal for a production release by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end of this year. If cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are to make this goal, I think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 project needs to severely limit cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 requirements for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first release. I would focus on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following.

• Developing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rules language.


• Implementing IPv6.


• Implementing multi-threading.

Those three tasks are monumental, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y would immediately differentiate OISF from ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r options. There is talk within cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 project of semi-Snort compatible output, so you might send OISF data to a file in Snort Unified or Unified2 format to be read by Barnyard or Barnyard2.

If you want to know more about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 project, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Mailing Lists are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best option. As it develops I will discuss it here.

Guest Post at Fudsec.com

I was asked to write a guest post for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new Fudsec.com blog, so I published Threat-Centric Thinking on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Rise. From that post:

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month. It struck me that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 focus of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 discussion, really to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 exclusion of anything else, has been one question: "who did it?"

Think about that for a second. If this attack had happened in 1996, we would have asked "how did that happen?" In ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r words, network DoS was new enough to warrant a technical examination of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 event. Attribution would be a concern, but most people would want to know how it happened...

Review of Voice over IP Security Posted

Amazon.com just posted my four star review of Voice over IP Security by Patrick Park. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

The reviews of Voice over IP Security are fairly consistent at 4 stars, and I agree with that consensus. I've read a few books on this topic, and early titles were fairly awful. My favorite remains Hacking Exposed: VoIP, but a comparison with Voice over IP Security shows different audiences for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 two books. The HE book is better suited for those assessing VoIP systems, while this book is better for engineers and those implementing VoIP systems.

Direct Financial Cost of Intrusions

Thanks to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blog reader who directed me to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Washington Times story Contractor returns money to Pentagon:

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company provided inadequate computer security and a subcontractors system was hacked from an Internet address in China...

Apptis agreed to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 repayment after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Defense Criminal Investigative Service concluded cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company and a subcontractor failed to provide "proper network security and information assurance services," according to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 report, released in June.

The subcontractors system under Apptis management was intruded upon "with total access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 root network" from an Internet address in China, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 report said.

Wow. Can anyone think of anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r case where a company was "fined" by a customer for an intrusion? Usually we only hear of PCI issues.

SANS Forensics and Incident Response 2009 Summit Round-Up

I'd like to share a few thoughts from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 second SANS WhatWorks Summit in Forensics and Incident Response, where I delivered cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 keynote. I could only attend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first day, but I thought it was definitely worthwhile. I was given a few questions which I promised to answer on this blog, so here cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are.

With your background with Information Operations and cyber security, what would you advise cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new U.S. Cyber Command? What should cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir priorities be?

I've written a lot on cyber command over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 years. I believe cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir first priority is to create a real career path for cyber operators. Tools, tactics, and procedures are secondary to attracting and retaining talent. You can accomplish amazing feats if you have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right butts in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 seats. Without that, you are guaranteed to fail. Part of that will involve identifying all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 people with cyber duties in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 military. Once cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y have that part working, I would advise Cyber Command to think in terms of a Cyber NORAD.

Five years from now cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Verizon Data Breach Report 2014 is published. What trend will be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "big red dot" in 2014? What will be your biggest surprise?

To clarify, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "big red dot" of 2009 was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 huge number of records stolen by external parties, far exceeding internal intruders.

This is a really good question. I never see a future where insiders are more dangerous than outsiders. By insiders I mean people formally associated with an organization, e.g., employees, contractors, etc. Outsiders are people who are not formally associated with an organization. Insiders will remain capable of individual large incidents, but outsiders will continue to conduct repeated large and small incidents.

I will be really surprised if IPv6 is changing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 way businesses operate in 2014. I think we may see internal business operations (like carrier networks) using IPv6, but I don't think we'll see a substantial user base for IPv6 by 2014. If that is not true I will be surprised.

What do you know about public/private partnerships to leverage known command and control servers? Is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re any way for a CIRT to avoid third party notification by performing proactive detection?

There's a few options here. One is to join cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Forum of Incident Response and Security Teams (FIRST). FIRST maintains a private mailing list that shares information among members. Anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r option is to look for private associations among peer businesses. A third idea is to make contact with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 many volunteer and commercial security intelligence services organizations, including The Shadowserver Foundation, Support Intelligence, Secure Science, iDefense, and many ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs.

With cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 questions answered, I'd like to say I thought Summit organizer Rob Lee did a great job (again) keeping cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 event moving smartly. Kris Harms, Harlan Carvey, Jamie Butler/Peter Silberman, and Brendan Dolan-Gavitt all delivered great talks. The two user panels I saw (I missed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 third) were also excellent.

I wanted to record a few tricks that Kris offered so I don't forget cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

• Use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PsTools handle.exe app and grep for "pid\:" in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 output to see a different sort of process list.


• Grep handle.exe output for "Mutant" to see mutexes.


• Pay attention to digital signature output in autorunsc.exe, particularly for results that are not signed and/or not verified; and signed but verification failed. Check hashes against fileadvisor.bit9.com.


• Remember to teach junior analysts a methodology, like:




1. Determine if compromised.


2. Develop investigative leads.


3. Build a timeline.


4. Determine how compromised.


5. Suggest remediation measures.


6. Assess impact of compromise.

While listening to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 speakers, it was clear to me cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 differences between three communities:

1. Intrusion detectors and responders


2. Computer forensics investigators


3. Litigation support and ediscovery investigators

I thought this slide by Jess Garcia from One eSecurity showing one practitioner's opinion on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 variety of forensics tools was interesting.



I still need to try MANDIANT Audit Viewer. Jamie Butler and Pete Silberman noted that since MANDIANT Memoryze uses live analysis to access cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Windows page file, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't run into issues found when trying to combine a dead page file with a memory capture.

I'm looking forward to next year! If you do IR, you should try to be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Free Issue of Linux+ Magazine Posted

A free issue of Linux+ magazine is available -- look for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 link to "Free Issue: Linux in Mission Critical". It's 68 pages of Linux information, for free!

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Review of vi(1) Tips Posted

Amazon.com just posted my five star review of vi(1) Tips by Jacek Artymiak. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

I agree with just about everything that appeared in KN's review. Jacek Artymiak has written a sort of "vi(1) for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Desperate" covering all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 aspects of vi I would like to see addressed. I could see this book used in an introductory Unix class where cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 students are
expected to try all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 examples. Jacek posted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sample files used in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book examples at devguide.net, so you can easily follow along.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Cisco Routers for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Desperate, 2nd Ed

A little over four years ago I reviewed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first edition of Michael W. Lucas' Cisco Routers for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Desperate. A second edition has been published, but since my first review is still posted at Amazon.com I can't post anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r. Also, Michael asked me to tech-edit cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 second edition, and I don't formally rate books in which I play a part. (Authors and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs who are involved in books -- it's bad form to give your own product five stars!)

I gave cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first edition four stars because it missed a few areas I thought were important. I'd give cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new edition five stars if I were not involved. Michael literally fixed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 areas I found in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first edition (like p 20 in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new edition reminding users to issue cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "no shutdown" command) and added a new chapter on basic switch administration.

If you are one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "poor bastards who are awake at oh-dark-thirty trying to get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir router working," you should keep a copy of this book nearby. Michael is absolutely one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best technical writers in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 networking, computer, and security worlds. Plenty of ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs could learn how to write by studying his approach to teaching readers. Great work again Michael!

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

White Hat Budgeting

After publishing Black Hat Budgeting last month, several readers asked me how to spend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same $1 million on defense. This is a more difficult question. As I wrote in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 previous post, for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack. That does not hold true for defense, i.e., for $1 million per year a defender could not fund a Western-salaried white hat team that could plan, resist, detect, and respond to any $1 million black hat team.

So, if you had $1 million to spend on defense, how could you spend it? I turned to my 2008 post Defensible Network Architecture 2.0 as a guide. One interesting aspect of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 eight DNA 2.0 tenets is that half of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m are IT responsibilities (or at least I would strongly argue cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are): inventoried, claimed, minimized, current. All of that is just "good IT." Security can provide inputs, but IT should own those aspects. That leaves monitored, controlled, assessed, and measured.

With that's, let's allocate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 funding. With such a small team we would expect people to move among cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 roles so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't burn out, and so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can grow cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir capabilities.

• Staff. Without people, this operation goes nowhere. We allocate $850,000 of our budget to salaries and benefits to hire cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following people.




• The team leader should have experience as an enterprise defender as a minimum. The leader can be very skilled in at least one speciality but should be familiar with all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 team's roles. The team leader needs a vision for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 team while preserving business value. Because this team is so small cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 leader has to do strategic thinking and overall management, including cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "measured" aspect of DNA 2.0. $120,000.


• The incident response team is responsible for detecting and responding to intrusions. They perform cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "monitor" aspect of DNA 2.0. We hire three people, one with Windows expertise, one with Unix expertise, and one with infrastructure expertise. $330,000.


• The security operator is responsible for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "controlled" aspect of DNA 2.0. He or she seeks to minimize intrusions by deploying and operating countermeasures. This person is also a utility player who can learn ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r roles and consult as necessary. $80,000.


• The threat operator performs an advanced security intelligence and analysis role. He or she should be able to reverse engineer malware while also paying attention to underground activities and applying that knowledge to all aspects of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 team's work. $120,000.


• The Red-Blue Team performs adversary simulation/penetration testing (red) and collaborative vulnerability assessment (blue) activities. With a team this size cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is only room for two technicians. Red-Blue handles cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "assessed" aspect of DNA 2.0. $80,000 for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 blue, $120,000 for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 red.


• Technology. At this point we only have $150,000 left. We can spend $100,000 on technology. It should be clear that $100,000 isn't going to buy much of any commercial tools. In fact, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 $1 million security operation is going to have to rely on several realities.




• Built-in capabilities. This team is going to have to rely on capabilities built into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 products deployed by ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r IT teams, like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 computer and networking groups. This actually makes a good amount of sense. Is it really necessary to deploy anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r host firewall on Windows if you can use IPsec policies and/or Windows firewall? With a budget that small, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 uncomfortable choices to be made.


• Open source software. The $1 million security team should deploy a lot of open source software. Sguil could be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NSM suite of choice, for example. By spending money on staff who know cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir way around open source tools, you can go very far using what can be downloaded for free. Let cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 staff contribute back to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 community and it's a win-win situation.


• Commodity hardware. You can't buy hardware for free, and those NSM sensors and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r open source packages need to run on something. A decent amount of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 budget will be spent on hardware.


• Cloud hosting. The Cloud becomes an attractive place to store logs, do processing, and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r activities that don't scale well or work well on commodity hardware. Security concerns are lessened when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 alternative is no security services.


• Miscellaneous. The last $50,000 could be spent on incidentals, training, team awards, travel, or whatever else cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 group might require to attract and retain talent.

Note I did not advocate outsourcing here. You spend too much money and probably won't receive value for it.

With such a small team, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is no concept of 24x7 support. 8x5 is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best you can get. The ability of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 team to detect and respond to intrusions in a timely manner is going to decrease as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 enterprise grows. A team of 8 security defenders will be strained once cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company size exceeds 10,000 people, at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 largest.

I am much less comfortable building out this team, compared to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Black Hat Budgeting exercise. There are way too many variables involved in defending any enterprise. Most companies really are unique. However, this is a good point to stop to see if anyone has comments on this approach.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

FreeBSD Pf and Tftp-proxy

Several IP-enabled devices in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lab use TFTP to retrieve configuration files from various locations on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. This pains me. You can probably imagine what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se devices are. Unfortunately I don't control how cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se devices work.

I run Sguil at my lab gateway to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. I watch traffic right before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gateway, before it is NAT'd. I really don't care what's on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r side. I mostly care what is leaving cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network, so I concentrate my NSM activities cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re.

I noticed one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se TFTP-enabled devices trying to retrieve a file repeatedly. I looked closer at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 traffic (thanks to Sguil I keep a record of traffic leaving for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet) and noticed I never saw any replies. Simultaneously I received an email from tech support for this device. They told me to unplug all Internet devices from my cable modem and plug cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 troublesome device into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cable modem overnight (!) My answer to that: "heck no."

I decided to run an experiment with a TFTP client inside cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lab and a TFTP server on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. By watching traffic on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 internal and external sides of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gateway, I could see TFTP requests making it to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TFTP server on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet, and TFTP replies coming from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 server back to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gateway. However, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TFTP replies never appeared on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 internal side of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gateway.

I did some research and determined that FreeBSD's Pf firewall can't handle TFTP traffic by default. Here is why:

18:13:31.205435 IP my.public.ip.addr.64212 > tftp.server.public.ip.69:  17 RRQ "test.txt" octet
18:13:31.282363 IP tftp.server.public.ip.51186 > my.public.ip.addr.64212: UDP, length 29
18:13:31.284161 IP my.public.ip.addr.57880 > tftp.server.public.ip.51186: UDP, length 4

You see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TFTP request to port 69 UDP. The reply, however, comes from port 51186 UDP to port 64212 UDP. Pf doesn't automatically know that packet 2 is associated with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 TFTP request in packet 1.

Fortunately, FreeBSD and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r operating systems ship with tftp-proxy(8). I tried following cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 example in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 man page, but I ended up adding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 configuration file /etc/pf.conf. $local192 is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 LAN from which I expect to see TFTP requests.

no nat on $ext_if to port tftp

rdr-anchor "tftp-proxy/*"

rdr on $int_if proto udp from $local192 to port tftp -> \
    $int_if port 6969

anchor "tftp-proxy/*"

I added cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following to /etc/inetd.conf.

acmsoda dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v

acmsoda is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name in /etc/services for port 6969.

I had to enable /etc/inetd in /etc/rc.conf.

inetd_enable="YES"
inetd_flags="-wW -C 60 -a 172.16.2.1"

Without cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 -a flag, tftp-proxy would be listening on all interfaces, and I don't want that.

Now I was ready to reload Pf and restart /etc/inetd.conf.

r200a:/root# pfctl -Fa -f /etc/pf.conf

r200a:/root# /etc/rc.d/inetd restart

I checked to ensure port 6969 UDP was listening.

r200a:/root# sockstat -4 | grep 6969
root     inetd      161   5  udp4   172.16.2.1:6969       *:*

Now I was able to retrieve my test file via TFTP.

tftp> get test.txt
getting from tftp.server.public.ip:test.txt to test.txt [octet]
sent RRQ 
received DATA 
Received 25 bytes in 0.1 seconds [2000 bits/sec]

I wanted to note that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 man page recommended this addition to inetd.conf:

inetd(8) must be configured to spawn cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 proxy on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 port that packets
are being forwarded to by pf(4).  An example inetd.conf(5) entry follows:

  127.0.0.1:6969  dgram   udp     wait    root \
     /usr/libexec/tftp-proxy tftp-proxy

That didn't work for me; I saw this error in /var/log/messages.

Jul 13 17:11:56 r200a inetd[99738]: 127.0.0.1:6969/udp: unknown service

By specifying cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 port only and using -a to bind inetd where I needed it, I avoided this error. There's probably anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r way around this though.

The final step will be seeing this TFTP-enabled device updating itself during cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next 24 hours.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Review of Practical Intrusion Analysis Posted

Amazon.com just published my three star review of Practical Intrusion Analysis by Ryan Trost. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

I must start this review by stating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lead author lists me in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Acknowledgments and elsewhere in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book, which I appreciate. I also did consulting work years ago for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lead author's company, and I know cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re's only a single intrusion analyzed in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book, and it's in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Must-Read Verizon Post Demolishes More Myths

I'm a big fan of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 2009 Verizon Data Breach Report. Today I read Compromised Assets & Data: But our company doesn’t handle credit cards... by Verizon's Bryan Sartin. It's an excellent post. I'd like to post several excerpts, emphasizing and expanding on certain points.

I find it fascinating that no matter where in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world you go, what type of company you talk to, public or private sector, you find two very common beliefs:

1. All data stolen in security breach is a result of lost assets, not systems-related intrusions.

2. I don’t handle payment cards (credit or debit) - so this stuff does not apply to me.

If you could only understand how outrageous cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se sound from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 standpoint of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 computer forensic investigator. Both thought processes couldn’t be more wrong.

I hear cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se refrains as well, or at least I see cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 effects of devoting resources to ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r projects. Bryan continues:

Pretty much everyone I speak to firmly believes that in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 real world, companies do not get hacked into and data is never compromised as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 result of a systems-based intrusion. The prevailing wisdom, if you can call it that, suggests that almost all lost records leading to fraud are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 product of backup tapes that don’t make it from point A to point B, blackberries left in taxi cabs, and company-issued laptops left at train stations. This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 prevailing wisdom UNTIL a company is hacked.

In reality, hackers and fraudsters target data of value. Companies are targeted, eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r directly or indirectly, because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are perceived to be data rich, and data that is stolen tends to lead to some measurable form of fraud, whecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r it is counterfeit, identity fraud, etc...

Online data, including digital repositories of information like databases, transaction logs, and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r aggregation and storage points, account for an overwhelming 94 percent of casework and 99.9 percent of all verifiable records compromised.

This is confirmation of my focus on external threats. Bryan turns to his second point:

"But my company doesn’t handle credit cards, so this doesn’t apply to me..." [I]t doesn’t matter whecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r you store payment card data or not. The threats affecting companies in a particular industry or sector care more about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ability to sidestep security controls reliably, than about what type of data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y’ll find once inside. Every company has something of value to a hacker.

If you don't have something of value to an intruder, you probably don't do anything worth keeping you in operation.

The following excerpt is really crucial:

There is no question that our case load is biased toward payment cards. Payment card data is a premium cybercrime target because when applied in a certain manner, stolen records of sufficient content can lead to fraudulent purchases...

[B]based on our figures, I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365fts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n account credentials, company-proprietary data, and a few ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r categories in a distant fourth and fifth by incidence. Payment cards are in fact a distinct minority in data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft cases, albeit an extremely noisy minority.

The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 likely source of a suspected payment card breach for almost 10 years.

Did you catch that? A stolen payment card intrusion is detectable. The hacked parties (online vendors, offline vendors, anyone using and storing payment card data) don't detect cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 actual cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data. Fraudulent use of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 payment card data is detected by consumers and payment card providers. What about ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r data?

In simple terms, when payment card data is stolen – someone always finds out about it. The same cannot be said for PII and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r categories of compromised data we see...

Fraud is a direct, easily observable and easily trackable consequence of an intrusion. When an intruder steals payment card data, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 payment card data is used to commit fraud, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hacked party can be identified and notified using external means (bank or law enforcement calling).

However, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 consequences of ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft intrusions are not so easily observed nor tracked. If a competitor steals your company's intellectual property, sales plans, and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r sensitive information, it may not be obvious how that competitor beat you to a deal that quarter. This is why I spoke of long-term competitiveness, because you can't tie non-payment card intrusions back to an obvious consequence or impact.

Thanks to Bryan Sartin for such a great post.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Review of Security Monitoring Posted

Amazon.com just posted my four star review of Security Monitoring by Chris Fry and Martin Nystrom. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

I must start this review by noting that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 authors of Security Monitoring (SM) cite my blog and books several times, which is appreciated. I must also mention that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir boss Gavin Reid, who posted a review below, has offered to sponsor my company's application to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Forum of Incident Response and Security Teams (FIRST). O'Reilly kindly provided a review copy of SM.

I think SM should be positioned as an Introduction to Basic Security Monitoring. At just over 200 pages, it's not written to be much more than that. I'm not sure I will change cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 mind of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 reviewer who considers my first book to be "introductory," but it might help to remember that my first book is just shy of 800 pages and covers every aspect of Network Security Monitoring.

SM is technically correct, but its approach to incident detection will fall far short of what is needed in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 real world. SM concentrates on a paradigm it calls "policy-based monitoring," (abbreviated PBM here) with this goal: "to compare events discovered on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network to ensure that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are approved and acceptable... PBM is practical where acceptable conditions can be documented as policies... [Y]ou must codify acceptable behavior as policies, providing a reference point against which to survey" (pp 16-17) This sounds great, but it has several real flaws...

Please read cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rest of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 whole story.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

You Down with APT?

Today I had shared a phone call with a very knowledgable and respected security industry analyst. During cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 course of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him. I decided to do some searching on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web to see what was available regarding APT.

Helpfully, BusinessWeek just published Under Cyberthreat: Defense Contractors this week. The article begins like this:

Northrop Grumman's info security chief addresses cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "well-resourced, highly sophisticated" attacks against makers of high-tech weaponry...

The defense industry faces "a near-existential threat from state-sponsored foreign intelligence services" that target sensitive IP, according to a report by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet Security Alliance, a nonprofit organization on whose board McKnight sits...

[BusinessWeek asked:] Are defense contractors being singled out in highly targeted attacks?

[McKnight responded:] It's gotten to a point where it has a name for itself: cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT or "advanced persistent threat," meaning that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are well resourced, highly sophisticated, clearly targeting companies or information, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y're not giving up in that mission.

Incidentally, McKnight practices NSM:

[BusinessWeek asked:] What kind of tools do you use to keep your network secure?

[McKnight responded:] We've focused a lot on... capabilities where you're capturing all traffic, not just bits and pieces of it.

Security company Mandiant devotes an entire site to APT, saying:

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

The intruders responsible for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT attacks target cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry.

The attacks used by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT intruders are not very different from any ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r intruder. The main differentiator is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y tend to generate more activity than wanton “drive by hacks” on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet.

The intruders also escalate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir tools and techniques as a victim firm’s capability to respond improves. Therefore, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT attacks present different challenges than addressing common computer security breaches.

Combating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 APT is a protracted event, requiring a sustained effort to rid your networks of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threat.

I briefly mentioned APT in my post last year Thoughts on 2008 SANS Forensics and IR Summit.

Aside from Northrup Grumman, Mandiant, and a few vendors (like NetWitness, one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 full capture vendors out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re) mentioning APT, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post).

APT is one of those subjects that is very important but not well understood outside cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 defense industry. Your best bet for a public introduction to APT is to watch for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next Webinar offered by Mandiant. Ask cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m to do anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r soon; I listened to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir Webinar in May and realized many participants had never heard of APT before. If you're not down with APT, you need to be.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Traffic Talk 6 Posted

My 6th edition of Traffic Talk, titled Wireshark 1.2 tutorial: Open source network analyzer's new features has been posted. From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 article:

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.

If you have any questions on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 article, please post cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m here. Thank you.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Still Blogging

When I announced I would join General Electric as Director of Incident Response in June 2007, I had to post a follow-up titled I'm Not Dead. That issue even made it onto Bill Brenner's radar. Two years later I'm still at GE, glad that as of 1 January this year we have a functional and growing Computer Incident Response Team (CIRT) manned by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best incident handlers and support staff you'll find anywhere.

Sometimes work occupies time I would have previously spent blogging, reading, or writing. That's why you'll often see a flurry of blog posts when I have time on a weekend (or now, before a Company holiday). I've fallen far behind in my reading, and my writing is limited to articles. However, I will be collaborating with Keith Jones and team for Real Digital Forensics Volume 2, which should be cool. I don't have a schedule for ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r books beyond RDF2 at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 moment.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Bejtlich on Black Hat Briefings Panel

The registration process for my TCP/IP Weapons School 2.0 class at Black Hat USA 2009 continues to be active, with seats almost gone in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 weekday version. The weekend version has open seats. If you'd like more details, please see my post Black Hat Class Outline Posted.

I was invited to be a panelist for The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries, a description of which is posted at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Black Hat Briefings speaker list. Because I'm busy during cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 10 am panel time on day 1, I won't have to make cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 decision about which great talk I'll miss at that time! I mean, Billy Hoffman, FX, Rod Beckstrom, Dino Dai Zovi, and Chris Gates all at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same time?

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Review of Hacking Exposed: Windows, 3rd Ed Posted

Amazon.com just posted my four star review of Hacking Exposed: Windows, 3rd Ed. Better late than never! From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 review:

I've been reading and reviewing Hacking Exposed (HE) books since 1999, and I reviewed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 two previous Windows books. Hacking Exposed: Windows, 3rd Ed (HEW3E) is an excellent addition to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 HE series. I agree with Chris Gates' review, but I'd like to add a few of my own points. The bottom line is that if you need a solid book on Windows technologies and how to attack and defend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m, HEW3E is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right resource.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

NSA to "Screen" .gov Now, I Predict .com Later

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. Today I read a great Washington Post story titled Obama Administration to Involve NSA in Defending Civilian Agency Networks. It says in part:

The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 likely test site...

President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private sector networks or Internet traffic" and Department of Homeland Security officials say that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 new program will only scrutinize data going to or from government systems...

Under a classified pilot program approved during cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Bush administration, NSA data and hardware would be used to protect cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 networks of some civilian government agencies. Part of an initiative known as Einstein 3, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 pilot called for telecommunications companies to route cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet traffic of civilian government agencies through a monitoring box that would search for and block malicious computer codes...

The internal controversy reflects cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 central tension in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 debate over how best to defend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 nation's mostly private system of computer networks. The most effective techniques, experts say, require cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 automated scrutiny of e-mail and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r electronic communications content -- something that commercial providers already do.

Proponents of involving cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 government said such efforts should harness cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 officials said.

"That's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 secret sauce," one official said. "It's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 stuff cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y have that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 private sector doesn't."

But it is also cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 prospect of NSA involvement in cybersecurity that fuels concerns of unwarranted government snooping into private communications...

The classified NSA system, known as Tutelage, has cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ability to decide how to handle malicious intrusions -- to block cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m or watch cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m closely to better assess cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threat, sources said. It is currently used to defend military networks.

You're thinking, "this article says NSA will not monitor purely private networks. What's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fuss?" Imagine you're cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CEO, CIO/CTO, or CISO of a big company. You say "why is my company and our employees paying taxes so that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 government can protect itself while my company is left outside cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 circled wagons?" The higher you go in corporate management, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 more likely cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only "security" that will be recognized will be "firewalls." So, you're going to have big-league corporate leaders telling cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 government that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y want cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir companies "protected" too. This isn't really what is happening, but at that level it really doesn't matter.

The bottom line is that first cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 military protected itself, and now cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 military is going to help protect civilian government agencies. Critical private infrastructure will be next, followed by economically important companies -- think "too big to be 0wned." This will be interesting.

---

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.