Monday, July 20, 2009

SANS Forensics and Incident Response 2009 Summit Round-Up

I'd like to share a few thoughts from the second SANS WhatWorks Summit in Forensics and Incident Response, where I delivered the keynote. I could only attend the first day, but I thought it was definitely worthwhile. I was given a few questions which I promised to answer on this blog, so here they are.

With your background in Information Operations and cyber security, what would you advise the new U.S. Cyber Command? What should their priorities be?

I've written a lot on cyber command over the years. I believe their first priority is to create a real career path for cyber operators. Tools, tactics, and procedures are secondary to attracting and retaining talent. You can accomplish amazing feats if you have the right butts in the seats. Without that, you are guaranteed to fail. Part of that will involve identifying all of the people with cyber duties in the military. Once they have that part working, I would advise Cyber Command to think in terms of a Cyber NORAD.

Five years from now the Verizon Data Breach Report 2014 is published. What trend will be the "big red dot" in 2014? What will be your biggest surprise?

To clarify, the "big red dot" of 2009 was the huge number of records stolen by external parties, far exceeding internal intruders.

This is a really good question. I never see a future where insiders are more dangerous than outsiders. By insiders I mean people formally associated with an organization, e.g., employees, contractors, etc. Outsiders are people who are not formally associated with an organization. Insiders will remain capable of individual large incidents, but outsiders will continue to conduct repeated large and small incidents.

I will be really surprised if IPv6 is changing the way businesses operate in 2014. I think we may see internal business operations (like carrier networks) using IPv6, but I don't think we'll see a substantial user base for IPv6 by 2014. If that is not true I will be surprised.

What do you know about public/private partnerships to leverage known command and control servers? Is there any way for a CIRT to avoid third party notification by performing proactive detection?

There are a few options here. One is to join the Forum of Incident Response and Security Teams (FIRST). FIRST maintains a private mailing list that shares information among members. Another option is to look for private associations among peer businesses. A third idea is to make contact with the many volunteer and commercial security intelligence services organizations, including The Shadowserver Foundation, Support Intelligence, Secure Science, iDefense, and many others.

With the questions answered, I'd like to say I thought Summit organizer Rob Lee did a great job (again) keeping the event moving smartly. Kris Harms, Harlan Carvey, Jamie Butler/Peter Silberman, and Brendan Dolan-Gavitt all delivered great talks. The two user panels I saw (I missed the third) were also excellent.

I wanted to record a few tricks that Kris offered so I don't forget them.

  • Use the PsTools handle.exe app and grep for "pid\:" in the output to see a different sort of process list.

  • Grep handle.exe output for "Mutant" to see mutexes.

  • Pay attention to digital signature output in autorunsc.exe, particularly for results that are not signed and/or not verified; and signed but verification failed. Check hashes against fileadvisor.bit9.com.

  • Remember to teach junior analysts a methodology, like:


    1. Determine if compromised.

    2. Develop investigative leads.

    3. Build a timeline.

    4. Determine how compromised.

    5. Suggest remediation measures.

    6. Assess impact of compromise.
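Kris's two handle.exe tricks above (grep for "pid:" to get a process list, grep for "Mutant" to get mutexes), worked as a small parser. This is an added example, not code from the original post: the handle.exe output it reads is a constructed sample in the tool's `-a` format, and the watchlist entry is a placeholder rather than a real indicator.

```python
import re

# Process header line, the one a grep for "pid:" returns:
#   "<image> pid: <pid> <owner>"
PROC_RE = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+) (?P<owner>.*)$")
# Handle row under a process header:
#   "<hex id>: <type> [(<access>)] <object name>"
HANDLE_RE = re.compile(
    r"^\s+(?P<hid>[0-9A-Fa-f]+): (?P<type>\w+)\s*(?:\([^)]*\)\s*)?(?P<name>.*)$")

# Constructed sample of handle.exe -a output; not a real capture.
SAMPLE = r"""
------------------------------------------------------------------------------
System pid: 4 \<unable to open process>
------------------------------------------------------------------------------
smss.exe pid: 328 NT AUTHORITY\SYSTEM
    4: Section       \NLS\NlsSectionUnicode
   10: Mutant        \BaseNamedObjects\SmssInitComplete
------------------------------------------------------------------------------
explorer.exe pid: 1584 LAB\analyst
   1C: File  (RW-)   C:\Users\analyst
   4C: Mutant        \Sessions\1\BaseNamedObjects\ShimCacheMutex
------------------------------------------------------------------------------
svchost.exe pid: 2044 LAB\analyst
   28: Mutant        \BaseNamedObjects\CONSTRUCTED_BAD_MUTEX
"""

# Placeholder watchlist of mutex leaf names; populate from your own intelligence.
WATCHLIST = {"CONSTRUCTED_BAD_MUTEX"}


def parse_handle_output(text):
    """Return one dict per process: image, pid, owner and its (type, name) handles."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append({"image": m["image"], "pid": int(m["pid"]),
                          "owner": m["owner"], "handles": []})
            continue
        h = HANDLE_RE.match(line)
        if h and procs:  # handle rows belong to the most recent header
            procs[-1]["handles"].append((h["type"], h["name"].strip()))
    return procs


def process_list(procs):
    """The 'grep pid:' view: (pid, image, owner) for every process handle.exe saw."""
    return [(p["pid"], p["image"], p["owner"]) for p in procs]


def mutexes_by_process(procs):
    """The 'grep Mutant' view: pid -> list of mutex object names."""
    out = {}
    for p in procs:
        for typ, name in p["handles"]:
            if typ == "Mutant":
                out.setdefault(p["pid"], []).append(name)
    return out


def watchlist_hits(procs, watchlist=WATCHLIST):
    """Flag (pid, mutex) pairs whose mutex leaf name is on the watchlist."""
    return [(pid, name) for pid, names in mutexes_by_process(procs).items()
            for name in names if name.rsplit("\\", 1)[-1] in watchlist]
```

Feed it `handle -a` output saved from a host instead of `SAMPLE` to get the same two views Kris produces with grep, plus the watchlist comparison.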



While listening to the speakers, the differences between three communities were clear to me:

  1. Intrusion detectors and responders

  2. Computer forensics investigators

  3. Litigation support and ediscovery investigators


I thought this slide by Jess Garcia from One eSecurity showing one practitioner's opinion on the variety of forensics tools was interesting.



I still need to try MANDIANT Audit Viewer. Jamie Butler and Pete Silberman noted that since MANDIANT Memoryze uses live analysis to access the Windows page file, they don't run into issues found when trying to combine a dead page file with a memory capture.

I'm looking forward to next year! If you do IR, you should try to be there.



Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

3 comments:

ChikaBebe said...

thanks for the information
ChikaBebe | KisapMata

Anonymous said...

$1.3 million reasons to care. Wow. Accountability, Enforcement and Consequences. What a Concept!

http://www.washingtontimes.com/news/2009/jul/25/contractor-returns-money-to-pentagon/

Saturday, July 25, 2009
Contractor returns money to Pentagon
Tony Capaccio BLOOMBERG NEWS

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractor's system was hacked from an Internet address in China.

Privately held Apptis, based in Chantilly, returned the money in February "for services that were never performed" during a three-year military health-service contract awarded in November 2004, according to the Pentagon inspector general's semi-annual report.

Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.

The subcontractor's system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said. The report didn't say when the intrusion occurred. The Pentagon started its investigation in August 2007.

Under the contract, Apptis provided software maintenance, updates and testing for a Military Health System program that standardizes reporting of health costs and includes unclassified though sensitive personnel data, according to a government description of the program.

The case illustrates "an ongoing problem in protection of Defense Department information that is not under the complete control of the department," said special agent Paul Sternal, head of the criminal services cyber crimes unit, in an interview.

"Violations such as these will be getting more attention because of the increased emphasis on cyber security," Mr. Sternal said. The agency is conducting similar investigations of other companies, he said.

Pauline Healy, an Apptis spokeswoman, said in an e-mail, "The amount we paid was to settle any and all issues surrounding performance requirements to the mutual satisfaction of both parties." Mr. Healy said the "apparent intrusion" occurred with a subcontractor's system.

Mr. Sternal wrote in a 2007 article for the government-published Journal of Public Integrity that there is no law or rule requiring defense contractors to report the loss of "sensitive but unclassified defense data through cyber theft."

"This lack of reporting requirements presents a national security vulnerability," he wrote.

President Obama is seeking to improve security in government computer systems. He said in May he will appoint a White House adviser to oversee the security of all government and business computer networks in response to widespread breaches and theft of information.

The Pentagon by September will publish proposed revisions to its acquisition rules that will require improved protection of Pentagon information in its contracts, spokeswoman Cheryl Irwin said in an e-mail.

P@ck3t P1MP said...

I'm still confused about the excitement of the new cyber security command. Don't JTF-GNO and JFCC-NW already provide that role? It seems to me they are polishing s**t and giving it a new name. It seems to me the biggest problem is policy enforcement, hiring & training qualified people.

Policy Enforcement:
The DoD has great policies that are already written but are just not being followed and enforced. If your command has an IAM that's a GS-12 and/or an O-3 and below, that full bird or 2-star is going to bring his wireless device into a secured space whether you like it or not.

Training&Hiring:
The Navy only recruits individuals with high ASVAB scores to be nuclear techs. They then spend another two years training the hell out of them before they go to their first duty station. Why not follow that proven model? To me it seems like an easy fix: recruit people with high ASVAB scores, then lock them in a room with Ed Skoudis, Mike Poor, muts (BackTrack), H D Moore (Metasploit), Richard Bejtlich, etc. and don't let them leave until they know how to attack or defend a network properly.

just my two cents.