Saturday, July 11, 2009

Review of Security Monitoring Posted

Amazon.com just posted my four star review of Security Monitoring by Chris Fry and Martin Nystrom. From the review:

I must start this review by noting that the authors of Security Monitoring (SM) cite my blog and books several times, which is appreciated. I must also mention that their boss Gavin Reid, who posted a review below, has offered to sponsor my company's application to the Forum of Incident Response and Security Teams (FIRST). O'Reilly kindly provided a review copy of SM.

I think SM should be positioned as an Introduction to Basic Security Monitoring. At just over 200 pages, it's not written to be much more than that. I'm not sure I will change the mind of the reviewer who considers my first book to be "introductory," but it might help to remember that my first book is just shy of 800 pages and covers every aspect of Network Security Monitoring.

SM is technically correct, but its approach to incident detection will fall far short of what is needed in the real world. SM concentrates on a paradigm it calls "policy-based monitoring" (abbreviated PBM here), with this goal: "to compare events discovered on the network to ensure that they are approved and acceptable... PBM is practical where acceptable conditions can be documented as policies... [Y]ou must codify acceptable behavior as policies, providing a reference point against which to survey" (pp. 16-17). This sounds great, but it has several real flaws...
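As an added illustration of the PBM paradigm described above (this is my own sketch, not code from the book or its authors), here is a minimal policy-based survey in Python: acceptable conditions are codified as rules, session records are compared against them, and only what the policy does not approve is surfaced to the analyst. The site, addresses, policy and session records are all constructed.

```python
"""Policy-based monitoring: survey session records against codified policy."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One connection summary (hypothetical flow-style record)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """One acceptable condition: which sources may reach which destinations, over what."""
    src_net: str
    dst_net: str
    proto: str
    dports: frozenset

    def matches(self, s: Session) -> bool:
        return (ipaddress.ip_address(s.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(s.dst) in ipaddress.ip_network(self.dst_net)
                and s.proto == self.proto
                and s.dport in self.dports)


# Constructed policy for a hypothetical 10.1.0.0/16 site: desktops may query the
# internal resolver, reach the internal web server, and browse the Internet over
# HTTP/HTTPS. Nothing else has been codified as acceptable.
POLICY = [
    Rule("10.1.0.0/16", "10.1.5.53/32", "udp", frozenset({53})),
    Rule("10.1.0.0/16", "10.1.5.10/32", "tcp", frozenset({443})),
    Rule("10.1.0.0/16", "0.0.0.0/0", "tcp", frozenset({80, 443})),
]


def approved(s: Session, policy=POLICY) -> bool:
    """True when at least one policy rule covers the session."""
    return any(r.matches(s) for r in policy)


def survey(sessions, policy=POLICY):
    """Return the sessions the policy does not approve; this is all the analyst sees."""
    return [s for s in sessions if not approved(s, policy)]


# Constructed session records, not real traffic.
SESSIONS = [
    Session("10.1.20.5", 51000, "10.1.5.53", 53, "udp"),       # DNS: approved
    Session("10.1.20.5", 51001, "203.0.113.7", 443, "tcp"),    # HTTPS out: approved, payload never examined
    Session("10.1.20.5", 51002, "198.51.100.9", 6667, "tcp"),  # IRC out: not codified, flagged
    Session("10.1.20.5", 51003, "10.1.20.9", 445, "tcp"),      # SMB to a peer desktop: not codified, flagged
]

if __name__ == "__main__":
    for s in survey(SESSIONS):
        print(f"NOT APPROVED {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

Note that the approved HTTPS session is accepted purely because it fits a rule; a policy survey says nothing about what that session carried, which is the gap full-content NSM collection is meant to cover.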


Please read the rest of the review for the whole story.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

Friday, July 10, 2009

You Down with APT?

Today I shared a phone call with a very knowledgeable and respected security industry analyst. During the course of the conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to the Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him. I decided to do some searching on the Web to see what was available regarding APT.

Helpfully, BusinessWeek just published Under Cyberthreat: Defense Contractors this week. The article begins like this:

Northrop Grumman's info security chief addresses the "well-resourced, highly sophisticated" attacks against makers of high-tech weaponry...

The defense industry faces "a near-existential threat from state-sponsored foreign intelligence services" that target sensitive IP, according to a report by the Internet Security Alliance, a nonprofit organization on whose board McKnight sits...

[BusinessWeek asked:] Are defense contractors being singled out in highly targeted attacks?

[McKnight responded:] It's gotten to a point where it has a name for itself: the APT or "advanced persistent threat," meaning that they are well resourced, highly sophisticated, clearly targeting companies or information, and they're not giving up in that mission.


Incidentally, McKnight practices NSM:

[BusinessWeek asked:] What kind of tools do you use to keep your network secure?

[McKnight responded:] We've focused a lot on... capabilities where you're capturing all traffic, not just bits and pieces of it.


Security company Mandiant devotes an entire site to APT, saying:

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry.

The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder's perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton "drive by hacks" on the Internet.

The intruders also escalate their tools and techniques as a victim firm's capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches.

Combating the APT is a protracted event, requiring a sustained effort to rid your networks of the threat.


I briefly mentioned APT in my post last year Thoughts on 2008 SANS Forensics and IR Summit.

Aside from Northrop Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post).

APT is one of those subjects that is very important but not well understood outside the defense industry. Your best bet for a public introduction to APT is to watch for the next Webinar offered by Mandiant. Ask them to do another soon; I listened to their Webinar in May and realized many participants had never heard of APT before. If you're not down with APT, you need to be.



Thursday, July 02, 2009

Traffic Talk 6 Posted

My 6th edition of Traffic Talk, titled Wireshark 1.2 tutorial: Open source network analyzer's new features has been posted. From the article:

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.

If you have any questions on the article, please post them here. Thank you.



Still Blogging

When I announced I would join General Electric as Director of Incident Response in June 2007, I had to post a follow-up titled I'm Not Dead. That issue even made it onto Bill Brenner's radar. Two years later I'm still at GE, glad that as of 1 January this year we have a functional and growing Computer Incident Response Team (CIRT) manned by the best incident handlers and support staff you'll find anywhere.

Sometimes work occupies time I would have previously spent blogging, reading, or writing. That's why you'll often see a flurry of blog posts when I have time on a weekend (or now, before a Company holiday). I've fallen far behind in my reading, and my writing is limited to articles. However, I will be collaborating with Keith Jones and team for Real Digital Forensics Volume 2, which should be cool. I don't have a schedule for other books beyond RDF2 at the moment.



Bejtlich on Black Hat Briefings Panel

The registration process for my TCP/IP Weapons School 2.0 class at Black Hat USA 2009 continues to be active, with seats almost gone in the weekday version. The weekend version has open seats. If you'd like more details, please see my post Black Hat Class Outline Posted.

I was invited to be a panelist for The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries, a description of which is posted at the Black Hat Briefings speaker list. Because I'm busy during the 10 am panel time on day 1, I won't have to make the decision about which great talk I'll miss at that time! I mean, Billy Hoffman, FX, Rod Beckstrom, Dino Dai Zovi, and Chris Gates all at the same time?



Review of Hacking Exposed: Windows, 3rd Ed Posted

Amazon.com just posted my four star review of Hacking Exposed: Windows, 3rd Ed. Better late than never! From the review:

I've been reading and reviewing Hacking Exposed (HE) books since 1999, and I reviewed the two previous Windows books. Hacking Exposed: Windows, 3rd Ed (HEW3E) is an excellent addition to the HE series. I agree with Chris Gates' review, but I'd like to add a few of my own points. The bottom line is that if you need a solid book on Windows technologies and how to attack and defend them, HEW3E is the right resource.



NSA to "Screen" .gov Now, I Predict .com Later

In my Predictions for 2008 I wrote Expect greater military involvement in defending private sector networks. Today I read a great Washington Post story titled Obama Administration to Involve NSA in Defending Civilian Agency Networks. It says in part:

The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site...

President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private sector networks or Internet traffic" and Department of Homeland Security officials say that the new program will only scrutinize data going to or from government systems...

Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the pilot called for telecommunications companies to route the Internet traffic of civilian government agencies through a monitoring box that would search for and block malicious computer codes...

The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The most effective techniques, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.

Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.

"That's the secret sauce," one official said. "It's the stuff they have that the private sector doesn't."

But it is also the prospect of NSA involvement in cybersecurity that fuels concerns of unwarranted government snooping into private communications...

The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks.


You're thinking, "this article says NSA will not monitor purely private networks. What's the fuss?" Imagine you're the CEO, CIO/CTO, or CISO of a big company. You say "why is my company and our employees paying taxes so that the government can protect itself while my company is left outside the circled wagons?" The higher you go in corporate management, the more likely the only "security" that will be recognized will be "firewalls." So, you're going to have big-league corporate leaders telling the government that they want their companies "protected" too. This isn't really what is happening, but at that level it really doesn't matter.

The bottom line is that first the military protected itself, and now the military is going to help protect civilian government agencies. Critical private infrastructure will be next, followed by economically important companies -- think "too big to be 0wned." This will be interesting.

