Showing posts with label securityonion.

Monday, April 08, 2019

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach.

It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters.

I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors.

I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intuition required me to start troubleshooting near the top of the software stack.

I decided to start at the bottom, or close to the bottom. I had a sinking suspicion that, for some reason, Zeek was only seeing traffic sent from remote systems, and not traffic originating from my network. That would account for the creation of ja3s hashes, for traffic sent by remote systems, but not ja3 hashes, as Zeek was not seeing traffic sent by local clients.

I was running SO in VirtualBox 6.0.4 on Ubuntu 18.04. I started sniffing TCP network traffic on the SO monitoring interface using Tcpdump. As I feared, it didn't look right. I ran a new capture with filters for ICMP and a remote IP address. On another system I tried pinging the remote IP address. Sure enough, I only saw ICMP echo replies, and no ICMP echoes. Oddly, I also saw doubles and triples of some of the ICMP echo replies. That worried me, because unpredictable behavior like that could indicate some sort of software problem.

My next step was to "get under" the VM guest and determine if the VM host could see traffic properly. I ran Tcpdump on the Ubuntu 18.04 host on the monitoring interface and repeated my ICMP tests. It saw everything properly. That meant I did not need to bother checking the switch span port that was feeding traffic to the VirtualBox system.

It seemed I had a problem somewhere between the VM host and guest. On the same VM host I was also running an instance of RockNSM. I ran my ICMP tests on the RockNSM VM and, sadly, I got the same one-sided traffic as seen on SO.

Now I was worried. If the problem had only been present in SO, then I could fix SO. If the problem was present in both SO and RockNSM, then the problem had to be with VirtualBox -- and I might not be able to fix it.

I reviewed my configurations in VirtualBox, ensuring that the "Promiscuous Mode" under the Advanced options was set to "Allow All". At this point I worried that there was a bug in VirtualBox. I did some Google searches and reviewed some forum posts, but I did not see anyone reporting issues with sniffing traffic inside VMs. Still, my use case might have been weird enough to not have been reported.

I decided to try a different approach. I wondered if running VirtualBox with elevated privileges might make a difference. I did not want to take ownership of my user VMs, so I decided to install a new VM and run it with elevated privileges.

Let me stop here to note that I am breaking one of the rules of troubleshooting. I'm introducing two new variables, when I should have introduced only one. I should have built a new VM but run it with the same user privileges with which I was running the existing VMs.

I decided to install a minimal edition of Ubuntu 9, with VirtualBox running via sudo. When I started the VM and sniffed traffic on the monitoring port, lo and behold, my ICMP tests revealed both sides of the traffic as I had hoped. Unfortunately, from this I erroneously concluded that running VirtualBox with elevated privileges was the answer to my problems.

I took ownership of the SO VM in my elevated VirtualBox session, started it, and performed my ICMP tests. Womp womp. Still broken.

I realized I needed to separate the two variables that I had entangled, so I stopped VirtualBox, and changed ownership of the Debian 9 VM to my user account. I then ran VirtualBox with user privileges, started the Debian 9 VM, and ran my ICMP tests. Success again! Apparently elevated privileges had nothing to do with my problem.

By now I was glad I had not posted anything to any user forums describing my problem and asking for help. There was something about the monitoring interface configurations in both SO and RockNSM that resulted in the inability to see both sides of traffic (and avoid weird doubles and triples).

I started my SO VM again and looked at the script that configured the interfaces. I commented out all the entries below the management interface as shown below.

$ cat /etc/network/interfaces

# This configuration was created by the Security Onion setup script.
#
# The original network interface configuration file was backed up to:
# /etc/network/interfaces.bak.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto enp0s3
iface enp0s3 inet static
  address 192.168.40.76
  gateway 192.168.40.1
  netmask 255.255.255.0
  dns-nameservers 192.168.40.1
  dns-domain localdomain

#auto enp0s8
#iface enp0s8 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto enp0s9
#iface enp0s9 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
#  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

I rebooted the system and brought the enp0s8 interface up manually using this command:

$ sudo ip link set enp0s8 promisc on arp off up

Fingers crossed, I ran my ICMP sniffing tests, and voila, I saw what I needed -- traffic in both directions, without doubles or triples no less.

So, there appears to be some sort of problem with the way SO and RockNSM set parameters for their monitoring interfaces, at least as far as they interact with VirtualBox 6.0.4 on Ubuntu 18.04. You can see in the network script that SO disables a bunch of NIC options. I imagine one or more of them is the culprit, but I didn't have time to work through them individually.

I tried taking a look at the network script in RockNSM, but it runs CentOS, and I'll be darned if I can't figure out where to look. I'm sure it's there somewhere, but I didn't have the time to figure out where.

The moral of the story is that I should have immediately checked after installation that both SO and RockNSM were seeing both sides of the traffic I expected them to see. I had taken that for granted for many previous deployments, but something broke recently and I don't know exactly what. My workaround will hopefully hold for now, but I need to take a closer look at the NIC options because I may have introduced another fault.

A second moral is to be careful of changing two or more variables when troubleshooting. When you do that you might fix a problem, but not know what change fixed the issue.
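The post-installation check described in the first moral can be scripted. The following is an added example, not code from the original post or from Security Onion or RockNSM: it reads the text output of `tcpdump -nn icmp` on the monitoring interface while another host pings a remote address, and reports the two symptoms described above, echo replies with no matching echo requests (one-sided visibility) and the same id/seq seen more than once (duplicated frames). The two captures embedded at the bottom are constructed samples using RFC 5737 test addresses, not real traffic.

```python
"""Check that a monitoring interface sees both sides of an ICMP echo exchange."""
import re
from collections import Counter

# Matches tcpdump -nn output for ICMP echo traffic, for example:
# 12:00:00.000001 IP 192.168.40.76 > 203.0.113.10: ICMP echo request, id 1234, seq 1, length 64
ICMP_ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(lines):
    """Yield (kind, src, dst, id, seq) for every ICMP echo line; other lines are ignored."""
    for line in lines:
        m = ICMP_ECHO_RE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def visibility_report(lines):
    """Summarise one ping exchange as seen by the sensor.

    requests/replies: how many echoes of each kind were captured.
    unmatched_replies: (id, seq) pairs that have a reply but no request,
        the symptom of seeing only traffic sent *to* the local network.
    duplicates: (kind, id, seq) keys captured more than once, the doubles
        and triples symptom.
    one_sided: replies were seen but not a single request.
    """
    requests, replies, seen = Counter(), Counter(), Counter()
    for kind, _src, _dst, ident, seq in parse_icmp_echo(lines):
        seen[(kind, ident, seq)] += 1
        (requests if kind == "request" else replies)[(ident, seq)] += 1
    return {
        "requests": sum(requests.values()),
        "replies": sum(replies.values()),
        "unmatched_replies": sum(1 for k in replies if k not in requests),
        "duplicates": {k: n for k, n in seen.items() if n > 1},
        "one_sided": bool(replies) and not requests,
    }


def healthy(report):
    """True when both directions were seen, every reply has its request, and nothing was duplicated."""
    return (report["requests"] > 0 and report["replies"] > 0
            and report["unmatched_replies"] == 0 and not report["duplicates"])


# Constructed sample captures (not real traffic). 203.0.113.10 is an RFC 5737 test address.
BROKEN_CAPTURE = """\
12:00:00.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 1, length 64
12:00:00.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 1, length 64
12:00:01.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 2, length 64
12:00:02.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 3, length 64
12:00:02.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 3, length 64
12:00:02.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 3, length 64
""".splitlines()

HEALTHY_CAPTURE = """\
12:00:00.050 ARP, Request who-has 192.168.40.1 tell 192.168.40.76, length 28
12:00:00.000 IP 192.168.40.76 > 203.0.113.10: ICMP echo request, id 1234, seq 1, length 64
12:00:00.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 1, length 64
12:00:01.000 IP 192.168.40.76 > 203.0.113.10: ICMP echo request, id 1234, seq 2, length 64
12:00:01.100 IP 203.0.113.10 > 192.168.40.76: ICMP echo reply, id 1234, seq 2, length 64
""".splitlines()


if __name__ == "__main__":
    # Pipe real output in with: sudo tcpdump -nn -l -i enp0s8 icmp | python3 this_script.py
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else BROKEN_CAPTURE
    report = visibility_report(lines)
    print(report)
    print("monitoring interface looks", "healthy" if healthy(report) else "BROKEN")
```

Run it against a short capture taken right after deployment, and again after any change to the interface options, so a regression like the one described above shows up as a failed check rather than as missing ja3 hashes weeks later.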

Monday, February 26, 2018

Importing Pcap into Security Onion

Within the last week, Doug Burks of Security Onion (SO) added a new script that revolutionizes the use case for his amazing open source network security monitoring platform.

I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the multitude of SO components observe network traffic, they generate, store, and display various forms of NSM data for use by analysts.

The problem with this model is that it could not be used for processing stored network traffic. If one simply replayed the traffic from a .pcap file, the new traffic would be assigned contemporary timestamps by the various tools observing the traffic.

While all of the NSM tools in SO have the independent capability to read stored .pcap files, there was no unified way to integrate their output into the SO platform.

Therefore, for years, there has not been a way to import .pcap files into SO -- until last week!

Here is how I tested the new so-import-pcap script. First, I made sure I was running Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO) or later. Next I downloaded the script using wget from https://github.com/Security-Onion-Solutions/securityonion-elastic/blob/master/usr/sbin/so-import-pcap.

I continued as follows:

richard@so1:~$ sudo cp so-import-pcap /usr/sbin/

richard@so1:~$ sudo chmod 755 /usr/sbin/so-import-pcap

I tried running the script against two of the sample files packaged with SO, but ran into issues with both.

richard@so1:~$ sudo so-import-pcap /opt/samples/10k.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
mergecap: Error reading /opt/samples/10k.pcap: The file appears to be damaged or corrupt
(pcap: File has 263718464-byte packet, bigger than maximum of 262144)
Error while merging!

I checked the file with capinfos.

richard@so1:~$ capinfos /opt/samples/10k.pcap
capinfos: An error occurred after reading 17046 packets from "/opt/samples/10k.pcap": The file appears to be damaged or corrupt.
(pcap: File has 263718464-byte packet, bigger than maximum of 262144)

Capinfos confirmed the problem. Let's try another!
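The mergecap and capinfos errors above come from the same check: each pcap record header carries a captured length, and a value above the 262144-byte maximum means the record headers are out of step with the data, so the file is unusable from that point on. The following is an added example, not code from the original post or from so-import-pcap, that performs that check in pure Python so a batch of traces can be screened before an import is attempted. It walks the 24-byte global header and the 16-byte record headers, stops at the first record whose captured length exceeds the maximum, and also reports a truncated file. `build_pcap` constructs sample files in memory (including one corrupted the way the two traces above were) so the example runs offline.

```python
"""Screen pcap files for the record-length corruption that mergecap/capinfos reject."""
import struct
import sys

PCAP_MAX_PACKET = 262144  # the "maximum of 262144" in the mergecap/capinfos error text
GLOBAL_HDR_LEN = 24       # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16       # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)

# Magic number, read big-endian from the first four bytes -> struct byte-order prefix.
MAGICS = {
    0xA1B2C3D4: ">",  # big-endian file, microsecond timestamps
    0xD4C3B2A1: "<",  # little-endian file, microsecond timestamps
    0xA1B23C4D: ">",  # big-endian file, nanosecond timestamps
    0x4D3CB2A1: "<",  # little-endian file, nanosecond timestamps
}


def check_pcap(data):
    """Walk the records of a pcap held in ``data`` (bytes).

    Returns (packets_read, error). error is None for a clean file, otherwise a
    message naming the first defect; the over-length message is worded like
    the capinfos output quoted above so the two are easy to compare.
    """
    if len(data) < GLOBAL_HDR_LEN:
        return 0, "file is shorter than the %d-byte global header" % GLOBAL_HDR_LEN
    magic = struct.unpack(">I", data[:4])[0]
    endian = MAGICS.get(magic)
    if endian is None:
        return 0, "unknown magic number 0x%08x" % magic
    offset, count = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            return count, "truncated record header after %d packets" % count
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > PCAP_MAX_PACKET:
            return count, ("File has %d-byte packet, bigger than maximum of %d"
                           % (incl_len, PCAP_MAX_PACKET))
        if incl_len > orig_len:
            # Extra consistency check (this example's own): more bytes captured than were on the wire.
            return count, ("captured length %d exceeds original length %d after %d packets"
                           % (incl_len, orig_len, count))
        offset += RECORD_HDR_LEN
        if offset + incl_len > len(data):
            return count, "packet data truncated after %d packets" % count
        offset += incl_len
        count += 1
    return count, None


def build_pcap(payloads, corrupt_incl_len=None):
    """Construct a little-endian, Ethernet-linktype pcap from raw frame payloads.

    If corrupt_incl_len is given, one final record header claiming that many
    captured bytes is appended, reproducing the defect the tools complained about.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, payload in enumerate(payloads):
        body += struct.pack("<IIII", 1000000 + i, 0, len(payload), len(payload)) + payload
    if corrupt_incl_len is not None:
        body += struct.pack("<IIII", 1000000 + len(payloads), 0, corrupt_incl_len, corrupt_incl_len)
    return header + body


if __name__ == "__main__":
    # Usage: python3 this_script.py file1.pcap file2.pcap ...   (no arguments: self-check on constructed data)
    paths = sys.argv[1:]
    if not paths:
        good = build_pcap([b"\x00" * 60, b"\x01" * 100])
        bad = build_pcap([b"\x00" * 60] * 3, corrupt_incl_len=263718464)
        print("constructed clean file:", check_pcap(good))
        print("constructed corrupt file:", check_pcap(bad))
    for path in paths:
        with open(path, "rb") as fh:
            count, err = check_pcap(fh.read())
        print("%s: %d packets, %s" % (path, count, err or "OK"))
```

A file that fails this check will fail in the same way in every tool that shares the libpcap reading logic, so the quickest remedy is to obtain a clean copy rather than to try to repair the record headers; for a file that is merely truncated at the end, most tools still process the packets read before the cut.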

richard@so1:~$ sudo so-import-pcap /opt/samples/zeus-sample-1.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
mergecap: Error reading /opt/samples/zeus-sample-1.pcap: The file appears to be damaged or corrupt
(pcap: File has 1984391168-byte packet, bigger than maximum of 262144)
Error while merging!

Another bad file. Trying a third!

richard@so1:~$ sudo so-import-pcap /opt/samples/evidence03.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
...setting sguild debug to 2 and restarting sguild.
...configuring syslog-ng to pick up sguild logs.
...disabling syslog output in barnyard.
...configuring logstash to parse sguild logs (this may take a few minutes, but should only need to be done once)...done.
...stopping curator.
...disabling curator.
...stopping ossec_agent.
...disabling ossec_agent.
...stopping Bro sniffing process.
...disabling Bro sniffing process.
...stopping IDS sniffing process.
...disabling IDS sniffing process.
...stopping netsniff-ng.
...disabling netsniff-ng.
...adjusting CapMe to allow pcaps up to 50 years old.
...analyzing traffic with Snort.
...analyzing traffic with Bro.
...writing /nsm/sensor_data/so1-eth1/dailylogs/2009-12-28/snort.log.1261958400

Import complete!

You can use this hyperlink to view data in the time range of your import:
https://localhost/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2009-12-28T00:00:00.000Z',mode:absolute,to:'2009-12-29T00:00:00.000Z'))

or you can manually set your Time Range to be:
From: 2009-12-28    To: 2009-12-29


Incidentally here is the capinfos output for this trace.

richard@so1:~$ capinfos /opt/samples/evidence03.pcap
File name:           /opt/samples/evidence03.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1778
File size:           1537 kB
Data size:           1508 kB
Capture duration:    171 seconds
Start time:          Mon Dec 28 04:08:01 2009
End time:            Mon Dec 28 04:10:52 2009
Data byte rate:      8814 bytes/s
Data bit rate:       70 kbps
Average packet size: 848.57 bytes
Average packet rate: 10 packets/sec
SHA1:                34e5369c8151cf11a48732fed82f690c79d2b253
RIPEMD160:           afb2a911b4b3e38bc2967a9129f0a11639ebe97f
MD5:                 f8a01fbe84ef960d7cbd793e0c52a6c9
Strict time order:   True

That worked! Now to see what I can find in the SO interface.

I accessed the Kibana application and changed the timeframe to include those in the trace.


Here's another screenshot. Again I had to adjust for the proper time range.


Very cool! However, I did not find any IDS alerts. This made me wonder if there was a problem with alert processing. I decided to run the script on a new .pcap:

richard@so1:~$ sudo so-import-pcap /opt/samples/emerging-all.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
...analyzing traffic with Snort.
...analyzing traffic with Bro.
...writing /nsm/sensor_data/so1-eth1/dailylogs/2010-01-27/snort.log.1264550400

Import complete!

You can use this hyperlink to view data in the time range of your import:
https://localhost/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2010-01-27T00:00:00.000Z',mode:absolute,to:'2010-01-28T00:00:00.000Z'))

or you can manually set your Time Range to be:
From: 2010-01-27    To: 2010-01-28

When I searched the interface for NIDS alerts (after adjusting the time range), I found results:


The alerts show up in Sguil, too!



This is a wonderful development for the Security Onion community. Being able to import .pcap files and analyze them with the standard SO tools and processes, while preserving timestamps, makes SO a viable network forensics platform.

This thread in the mailing list is covering the new script.

I suggest running on an evaluation system, probably in a virtual machine. I did all my testing on VirtualBox. Check it out!

Friday, January 23, 2015

Try the Critical Stack Intel Client

You may have seen in my LinkedIn profile that I'm advising a security startup called Critical Stack. If you use Security Onion or run the Bro network security monitoring (NSM) platform, you're ready to try the Critical Stack Intel Client.

Bro is not strictly an intrusion detection system that generates alerts, like Snort. Rather, Bro generates a range of NSM data, including session data, transaction data, extracted content data, statistical data, and even alerts -- if you want them.

Bro includes an intelligence framework that facilitates integrating various sources into Bro. These sources can include more than just IP addresses. This Bro blog post explains some of the options, which include:

Intel::ADDR
Intel::URL
Intel::SOFTWARE
Intel::EMAIL
Intel::DOMAIN
Intel::USER_NAME
Intel::FILE_HASH
Intel::FILE_NAME
Intel::CERT_HASH

This Critical Stack Intel Client makes it easy to subscribe to over 30 threat feeds for the Bro intelligence framework. The screen capture below shows some of the feeds:



Visit intel.criticalstack.com and follow the wizard to get started. Basically, you begin by creating a Collection. A Collection is a container for the threat intelligence you want. Next you select the threat intelligence Feeds you want to populate your collection. Finally you create a Sensor, which is the system where you will deploy the threat intelligence Collection. When done you have an API key that your client will use to access the service.

I wrote a document explaining how to move beyond the wizard and test the client on a sensor running Bro -- either Bro by itself, or as part of the Security Onion NSM distro.

The output of the Critical Stack Intel Client will be new entries in an intel.log file, stored with other Bro logs.
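The client fills the intelligence framework for you, but the same framework accepts your own indicators, and the file format is where most hand-built feeds go wrong. The following is an added example, not code from the original post, from Critical Stack or from the Bro project: it takes a list of indicators, infers the `Intel::` type listed above from each indicator's form (address, domain, URL, e-mail, file hash; the types that cannot be inferred from form, such as `Intel::USER_NAME`, are passed explicitly), and writes the tab-separated intel file with the `#fields` header that Bro's input framework requires. Tabs, not spaces, separate the columns; `-` marks an empty field; `T`/`F` is a Bro boolean. The sample indicators are constructed, using reserved example names and addresses, and the feed name `constructed-feed` is an assumption.

```python
"""Build a Bro intelligence-framework input file from a list of indicators."""
import ipaddress
import re

# Column layout of a Bro intel file. indicator, indicator_type and meta.source are required;
# the remaining meta.* columns are optional and may be "-".
FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc", "meta.url", "meta.do_notice")

HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5, SHA1, SHA256
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify(indicator):
    """Infer the Intel:: type from the indicator's form.

    USER_NAME, SOFTWARE, FILE_NAME and CERT_HASH cannot be told apart from
    other strings (a certificate SHA1 looks like a file SHA1), so callers
    supply those types explicitly; here a ValueError is raised instead.
    """
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    if "@" in indicator and "/" not in indicator:
        return "Intel::EMAIL"
    if "/" in indicator:
        return "Intel::URL"
    if HASH_RE.match(indicator):
        return "Intel::FILE_HASH"
    if DOMAIN_RE.match(indicator):
        return "Intel::DOMAIN"
    raise ValueError("cannot infer Intel type for %r; pass it explicitly" % indicator)


def normalize(indicator, itype):
    """Put the indicator into the form Bro compares against."""
    if itype == "Intel::URL":
        return SCHEME_RE.sub("", indicator)  # Bro matches URLs as host + path, without the scheme
    if itype in ("Intel::DOMAIN", "Intel::EMAIL"):
        return indicator.lower()
    return indicator


def build_intel_file(entries, source, do_notice=True):
    """Return the text of an intel file.

    entries: (indicator, description) or (indicator, description, "Intel::TYPE") tuples.
    source:  the meta.source value, i.e. the feed name shown in intel.log.
    """
    rows = ["#fields\t" + "\t".join(FIELDS)]
    for entry in entries:
        indicator, desc = entry[0], entry[1]
        itype = entry[2] if len(entry) > 2 else classify(indicator)
        if re.search(r"\s", indicator):
            # A space or tab inside an indicator shifts every later column.
            raise ValueError("whitespace in indicator %r would corrupt the tab-separated file" % indicator)
        rows.append("\t".join([normalize(indicator, itype), itype, source,
                               desc or "-", "-", "T" if do_notice else "F"]))
    return "\n".join(rows) + "\n"


# Constructed sample indicators (RFC 5737 address, reserved example names, MD5 of the empty file).
SAMPLE_ENTRIES = [
    ("203.0.113.7", "constructed C2 address"),
    ("MALWARE.example", "constructed domain"),
    ("http://malware.example/drop.php", "constructed URL"),
    ("alerts@malware.example", "constructed sender address"),
    ("d41d8cd98f00b204e9800998ecf8427e", "constructed MD5 (empty file)"),
    ("evil-user", "constructed account name", "Intel::USER_NAME"),
]

if __name__ == "__main__":
    print(build_intel_file(SAMPLE_ENTRIES, "constructed-feed"), end="")
```

Write the output to a file on the sensor and add its path to `Intel::read_files` in local.bro (`redef Intel::read_files += { "/path/to/file.dat" };`); matches then appear in intel.log with `sources` set to the meta.source value, the same place the Critical Stack client's hits land.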

If Bro is completely new to you, I discuss how to get started with it in my latest book The Practice of Network Security Monitoring.

Please take a look at this new free software and let me know what you think.

Tuesday, September 16, 2014

A Brief History of Network Security Monitoring

Last week I was pleased to deliver the keynote at the first Security Onion Conference in Augusta, GA, organized and hosted by Doug Burks. This was probably my favorite security event of the year, attended by many fans of Security Onion and the network security monitoring (NSM) community.

Doug asked me to present the history of NSM. To convey some of the milestones in the development of this operational methodology, I developed these slides (pdf). They are all images, screen captures, and the like, but I promised to post them. For example, the image at left is the first slide from a Webinar that Bamm Visscher and I delivered on 4 December 2002, where we presented the formal definition of NSM for the first time. We defined network security monitoring as

the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.

You may recognize similarities with the intelligence cycle and John Boyd's Observe - Orient - Decide - Act (OODA) loop. That is not an accident.

During the presentation I noted a few key years and events:

  • 1986: The Cliff Stoll intrusions scare the government, military, and universities supporting gov and mil research.
  • 1988: Lawrence Livermore National Lab funds three security projects at UC Davis by supporting Prof. Karl Levitt's computer science lab. They include AV software, a "security profile inspector," and the "network security monitor."
  • 1988-1990: Todd Heberlein and colleagues code and write about the NSM platform.
  • 1991: While instrumenting a DISA location suffering from excessive bandwidth usage, NSM discovers 80% of the clogged link is caused by intruder activity.
  • 1992: Former FBI Director, then assistant AG, Robert Mueller writes a letter to NIST warning that NSM might not be legal.
  • 1 October 1992: AFCERT founded.
  • 10 September 1993: AFIWC founded.
  • End of 1995: 26 Air Force sites instrumented by NSM.
  • End of 1996: 55 Air Force sites instrumented by NSM.
  • End of 1997: Over 100 Air Force sites instrumented by NSM.
  • 1999: Melissa worm prompts AFCERT to develop dedicated anti-malware team. This signaled a shift from detection of human adversaries interacting with victims to detection of mindless code interacting with victims.
  • 2001: Bamm Visscher deploys SPREG, the predecessor to Sguil, at our MSSP at Ball Aerospace.
  • 13 July 2001: Using SPREG, one of our analysts detects Code Red, 6 days prior to the public outbreak. I send a note to a mailing list on 15 July.
  • February 2003: Bamm Visscher recodes and releases Sguil as an open source NSM console.

As I noted in my presentation, the purpose of the talk was to share the fact that NSM has a long history, some of which happened when many practitioners (including myself) were still in school.

This is not a complete history, either. For more information, please see my 2007 post Network Security Monitoring History and the foreword, written by Todd Heberlein, of my newest book The Practice of Network Security Monitoring.

Finally, I wanted to emphasize that NSM is not just full packet capture or logging full content data. NSM is a process, although my latest book defines seven types of NSM data. One of those data types is full content. You can read about all of them in the first chapter of my book at the publisher Web site.

Thursday, September 04, 2014

Bejtlich Teaching at Black Hat Trainings 8-9 Dec 2014

I'm pleased to announce that I will be teaching one class at Black Hat Trainings 2014 in Potomac, MD, near DC, on 8-9 December 2014. The class is Network Security Monitoring 101. I taught this class in Las Vegas in July 2013 and 2014, and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received.

This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware.

The first discounted registration deadline is 11:59 pm EDT October 31st. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EST December 5th. You can register here.

I recently topped the 1,000 student count for my cumulative years of teaching my own material at Black Hat. Since starting my current Black Hat teaching run in 2007, I've completely replaced each course every other year. In 2007-2008 I taught TCP/IP Weapons School version 1. In 2009-2010 I taught TCP/IP Weapons School version 2. In 2011-2012 I taught TCP/IP Weapons School version 3. In 2013-2014 I taught Network Security Monitoring 101.

I have no plans to design a new course for 2015 and beyond. If you want to see me teach Network Security Monitoring and related subjects, Black Hat is your best option.

Please sign up soon, for two reasons. First, if not enough people sign up early, Black Hat might cancel the class. Second, if many people sign up, you risk losing a seat. With so many classes taught at this venue, the conference lacks the large rooms necessary to support big classes.

Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following, which shows what sort of material I cover in my new class.

OVERVIEW

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a virtual machine. Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.

CLASS OUTLINE

Day One

0900-1030
·         Introduction
·         Enterprise Security Cycle
·         State of South Carolina case study
·         Difference between NSM and Continuous Monitoring
·         Blocking, filtering, and denying mechanisms
·         Why does NSM work?
·         When NSM won’t work
·         Is NSM legal?
·         How does one protect privacy during NSM operations?
·         NSM data types
·         Where can I buy NSM?

1030-1045
·         Break

1045-1230
·         SPAN ports and taps
·         Making visibility decisions
·         Traffic flow
·         Lab 1: Visibility in ten sample networks
·         Security Onion introduction
·         Stand-alone vs server plus sensors
·         Core Security Onion tools
·         Lab 2: Security Onion installation

1230-1400
·         Lunch

1400-1600
·         Guided review of Capinfos, Tcpdump, Tshark, and Argus
·         Lab 3: Using Capinfos, Tcpdump, Tshark, and Argus

1600-1615
·         Break

1615-1800
·         Guided review of Wireshark, Bro, and Snort
·         Lab 4: Using Wireshark, Bro, and Snort
·         Using Tcpreplay with NSM consoles
·         Guided review of process management, key directories, and disk usage
·         Lab 5: Process management, key directories, and disk usage

Day Two

0900-1030
·         Computer incident detection and response process
·         Intrusion Kill Chain
·         Incident categories
·         CIRT roles
·         Communication
·         Containment techniques
·         Waves and campaigns
·         Remediation
·         Server-side attack pattern
·         Client-side attack pattern

1030-1045
·         Break

1045-1230
·         Guided review of Sguil
·         Lab 6: Using Sguil
·         Guided review of ELSA
·         Lab 7: Using ELSA

1230-1400
·         Lunch

1400-1600
·         Lab 8. Intrusion Part 1 Forensic Analysis
·         Lab 9. Intrusion Part 1 Console Analysis

1600-1615
·         Break

1615-1800
·         Lab 10. Intrusion Part 2 Forensic Analysis
·         Lab 11. Intrusion Part 2 Console Analysis

REQUIREMENTS

Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Basic familiarity with TCP/IP networking and packet analysis is a plus.

WHAT STUDENTS NEED TO BRING

NSM101 is a LAB-DRIVEN course. Students MUST bring a laptop with at least 8 GB RAM and at least 20 GB free on the hard drive. The laptop MUST be able to run a virtualization product that can CREATE VMs from an .iso, such as VMware Workstation (minimum version 8, 9 or 10 is preferred); VMware Player (minimum version 5 -- older versions do not support VM creation); VMware Fusion (minimum version 5, for Mac); or Oracle VM VirtualBox (minimum version 4.2). A laptop with access to an internal or external DVD drive is preferred, but not mandatory.

Students SHOULD test the open source Security Onion (http://securityonion.blogspot.com) NSM distro prior to class. The students should try booting the latest version of the 12.04 64 bit Security Onion distribution into live mode. Students MUST ensure their laptops can run a 64 bit virtual machine. For help with this requirement, see the VMware knowledgebase article “Ensuring Virtualization Technology is enabled on your VMware host (1003944)” (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944). Students MUST have the BIOS password for their laptop in the event that they need to enable virtualization support in class. Students MUST also have administrator-level access to their laptop to install software, in the event they need to reconfigure their laptop in class.

WHAT STUDENTS WILL RECEIVE

Students will receive a paper class handbook with printed slides, a lab workbook, and the teacher’s guide for the lab questions. Students will also receive a DVD with a recent version of the Security Onion NSM distribution.

TRAINERS

Richard Bejtlich is Chief Security Strategist at FireEye, and was Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. He is a nonresident senior fellow at the Brookings Institution, a board member at the Open Information Security Foundation, and an advisor to Threat Stack, Sqrrl, and Critical Stack. He is also a Master/Doctor of Philosophy in War Studies Researcher at King's College London. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His fourth book is "The Practice of Network Security Monitoring" (nostarch.com/nsm). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity), and teaches for Black Hat.

Saturday, March 08, 2014

Bejtlich Teaching at Black Hat USA 2014

I'm pleased to announce that I will be teaching one class at Black Hat USA 2014, on 2-3 and 4-5 August 2014, in Las Vegas, Nevada. The class is Network Security Monitoring 101. I've taught this class in Las Vegas in July 2013 and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received.

This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware.

The first discounted registration deadline is 11:59 pm EDT June 2nd. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EDT July 26th. You can register here.

Please note: I have no plans to teach this class again in the United States. I haven't decided yet whether I will teach the class at Black Hat Europe 2014 in Amsterdam in October.

Since starting my current Black Hat teaching run in 2007, I've completely replaced each course every other year. In 2007-2008 I taught TCP/IP Weapons School version 1. In 2009-2010 I taught TCP/IP Weapons School version 2. In 2011-2012 I taught TCP/IP Weapons School version 3. In 2013-2014 I taught Network Security Monitoring 101. This fall I would need to design a brand new course to continue this trend.

I have no plans to design a new course for 2015 and beyond. If you want to see me teach Network Security Monitoring and related subjects, Black Hat USA is your best option.

Please sign up soon, for two reasons. First, if not enough people sign up early, Black Hat might cancel the class. Second, if many people sign up, you risk losing a seat. With so many classes taught in Las Vegas, the conference lacks the large rooms necessary to support big classes.

Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following, which shows what sort of material I cover in my new class.

OVERVIEW

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you. This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats. Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a virtual machine. Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.

CLASS OUTLINE

Day One

0900-1030
·         Introduction
·         Enterprise Security Cycle
·         State of South Carolina case study
·         Difference between NSM and Continuous Monitoring
·         Blocking, filtering, and denying mechanisms
·         Why does NSM work?
·         When NSM won’t work
·         Is NSM legal?
·         How does one protect privacy during NSM operations?
·         NSM data types
·         Where can I buy NSM?

1030-1045
·         Break

1045-1230
·         SPAN ports and taps
·         Making visibility decisions
·         Traffic flow
·         Lab 1: Visibility in ten sample networks
·         Security Onion introduction
·         Stand-alone vs server plus sensors
·         Core Security Onion tools
·         Lab 2: Security Onion installation

1230-1400
·         Lunch

1400-1600
·         Guided review of Capinfos, Tcpdump, Tshark, and Argus
·         Lab 3: Using Capinfos, Tcpdump, Tshark, and Argus

1600-1615
·         Break

1615-1800
·         Guided review of Wireshark, Bro, and Snort
·         Lab 4: Using Wireshark, Bro, and Snort
·         Using Tcpreplay with NSM consoles
·         Guided review of process management, key directories, and disk usage
·         Lab 5: Process management, key directories, and disk usage

Day Two

0900-1030
·         Computer incident detection and response process
·         Intrusion Kill Chain
·         Incident categories
·         CIRT roles
·         Communication
·         Containment techniques
·         Waves and campaigns
·         Remediation
·         Server-side attack pattern
·         Client-side attack pattern

1030-1045
·         Break

1045-1230
·         Guided review of Sguil
·         Lab 6: Using Sguil
·         Guided review of ELSA
·         Lab 7: Using ELSA

1230-1400
·         Lunch

1400-1600
·         Lab 8. Intrusion Part 1 Forensic Analysis
·         Lab 9. Intrusion Part 1 Console Analysis

1600-1615
·         Break

1615-1800
·         Lab 10. Intrusion Part 2 Forensic Analysis
·         Lab 11. Intrusion Part 2 Console Analysis

REQUIREMENTS

Students must be comfortable using command line tools in a non-Windows environment such as Linux or FreeBSD. Basic familiarity with TCP/IP networking and packet analysis is a plus.

WHAT STUDENTS NEED TO BRING

NSM101 is a LAB-DRIVEN course. Students MUST bring a laptop with at least 8 GB RAM and at least 20 GB free on the hard drive. The laptop MUST be able to run a virtualization product that can CREATE VMs from an .iso, such as VMware Workstation (minimum version 8, 9 or 10 is preferred); VMware Player (minimum version 5 -- older versions do not support VM creation); VMware Fusion (minimum version 5, for Mac); or Oracle VM VirtualBox (minimum version 4.2). A laptop with access to an internal or external DVD drive is preferred, but not mandatory.

Students SHOULD test the open source Security Onion (http://securityonion.blogspot.com) NSM distro prior to class. The students should try booting the latest version of the 12.04 64 bit Security Onion distribution into live mode. Students MUST ensure their laptops can run a 64 bit virtual machine. For help with this requirement, see the VMware knowledgebase article “Ensuring Virtualization Technology is enabled on your VMware host (1003944)” (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944). Students MUST have the BIOS password for their laptop in the event that they need to enable virtualization support in class. Students MUST also have administrator-level access to their laptop to install software, in the event they need to reconfigure their laptop in class.
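The "can your laptop run a 64 bit virtual machine" requirement, stated in both NSM101 announcements above, comes down to two things: whether the CPU advertises hardware virtualization extensions (Intel VT-x, reported on Linux as the vmx flag, or AMD-V, reported as svm) and whether the firmware has them enabled. The script below is an added example for readers checking a Linux laptop before class; it is not part of the announcement and not a Security Onion tool. It reads the flags field of /proc/cpuinfo (or of a saved copy passed as its first argument) and reports which extension is present. The function name has_hw_virt is the example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from Security Onion.
# Reports which hardware virtualization extension a Linux CPU advertises by
# inspecting the "flags" field of /proc/cpuinfo (or a file given as $1):
#   intel-vt  -> the vmx flag (Intel VT-x) is present
#   amd-v     -> the svm flag (AMD-V) is present
#   none      -> neither flag is present; a 64-bit guest will not run
#   unknown   -> the cpuinfo file could not be read (exit status 2)
# Assumption: the flags field is a space-separated word list, as on Linux.
has_hw_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    if [ ! -r "$cpuinfo" ]; then
        echo "unknown"
        return 2
    fi
    # Restrict the search to the flags lines so a stray "vmx" elsewhere
    # (for example inside a model name) cannot produce a false positive.
    flags=$(grep '^flags' "$cpuinfo" || true)
    if printf '%s\n' "$flags" | grep -qw vmx; then
        echo "intel-vt"
    elif printf '%s\n' "$flags" | grep -qw svm; then
        echo "amd-v"
    else
        echo "none"
    fi
}

# Usage: sh check_virt.sh              (inspects the live /proc/cpuinfo)
#        sh check_virt.sh cpuinfo.txt  (inspects a saved copy)
if [ -n "${1:-}" ] || [ -r /proc/cpuinfo ]; then
    has_hw_virt "${1:-/proc/cpuinfo}"
fi
```

A result of intel-vt or amd-v only tells you the processor supports the extension; the vmx and svm flags are still reported when the feature has been switched off in the BIOS. If the hypervisor still refuses to start a 64-bit guest, that is the case the VMware knowledgebase article above covers, which is why the announcement asks students to bring their BIOS password. On Ubuntu-based hosts the kvm-ok command from the cpu-checker package reports the disabled-in-firmware case explicitly.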

WHAT STUDENTS WILL RECEIVE

Students will receive a paper class handbook with printed slides, a lab workbook, and the teacher’s guide for the lab questions. Students will also receive a DVD with a recent version of the Security Onion NSM distribution.

TRAINERS

Richard Bejtlich is Chief Security Strategist at FireEye, and was Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. He is a nonresident senior fellow at the Brookings Institution, a board member at the Open Information Security Foundation, and an advisor to Threat Stack. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His fourth book is "The Practice of Network Security Monitoring" (nostarch.com/nsm). He also writes for his blog (taosecurity.blogspot.com) and Twitter (@taosecurity), and teaches for Black Hat.

Saturday, February 22, 2014

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot.



I had three reactions to this post.

First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology.

Second, staying within the realm of tools and tactics, Dave is just wrong on several counts:
  • He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption.
  • He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.
  • He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands, cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can even buy awesome commercial technology to get the job done in ways you never imagined.
I could make other arguments regarding tactics and tools, but you get the idea from the three I listed.

Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this diagram from my O'Reilly Webinar on my newest book:


A strategic security program doesn't start with tools and tactics. Instead, it starts with one or more overall program goals. The strategy-minded CISO gets executive buy-in to those goals; this works at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his team use tactics to realize the campaigns and operations, and procures tools and technology to equip his team.

Here is an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, and NSM-inspired operations/campaigns, tactics, and tools.




Now I don't want to seem too harsh, because tool- and tactics-centric thinking is not just endemic to the digital security world. I read how it played out during the planning and execution of the air campaign during the first Gulf War.

I read the wonderful John Warden and the Renaissance of American Air Power and learned how the US Air Force at the time suffered the same problems. The Air Force was very tactics- and technology-focused. They cared about how to defeat other aircraft in aerial combat and sought to keep the Army happy by making close air support their main contribution to the "joint" fight. The Air Force managed to quickly deploy planes to Saudi Arabia but had little idea how to use those forces in a campaign, let alone to achieve strategic or policy goals. It took visionaries like John Warden and David Deptula to make the air campaign a reality, and forever change the nature of air warfare.

I was a cadet when this all happened and remember my instructors exhibiting the contemporary obsession with tactics and tech we've seen in the security world for decades. Only later in my Air Force career did I see the strategic viewpoint gain acceptance.

Expect to hear more from me about the need for strategic thinking in digital security. I intend to apply to a PhD program this spring and begin research in the fall. I want to apply strategic thinking to private sector digital defense, because that is where a lot of the action is and where the need is greatest.

For now, I talked about the need for strategy in my O'Reilly Webinar.