RSA 2019: RS-YAY or RS-MEH?

It’s that time of year to read countless reviews of the RSA conference. To read the view of someone who has attended many years in a row and is greatly respected for his contributions to the cybersecurity industry, you can read spaf’s post. If you want to know what an RSA first-timer thought of it, you can keep reading (or browse my twitter feed).

Let me start by saying the opening keynote on Tuesday was a spectacle of trolling proportions. A surprise opening speech by the great Helen Mirren, who has no connection to cybersecurity to speak of, was followed by a cybersecurity-themed choir song (I wish I was joking). And when one later keynote panelist suggested that developers who put in backdoors should be put in prison (15:30 minutes into this panel), it was somewhat cringeworthy for, um, well, reasons, but it still resulted in a round of applause.

But things got better as I attended other sessions and had the opportunity to hear from legendary cybersecurity contributors and experts. It was an absolute treat to hear Bruce Schneier, cybersecurity royalty and Harvard Kennedy School Lecturer, talk about the role of security technologists in public policy. His keynote was thought-provoking and engaging.

I had the opportunity to attend a two-hour incident response (IR) tabletop workshop, and I quickly volunteered to facilitate the experience for our table of eight, under the guidance and leadership of the session organizers. Our team of “experts” did some great things during our virtual incident, but in the end we did not apologize enough upfront and paid the hard price of our ‘choose your own adventure’ cyber incident: our CEO was forced to resign after a hard-hitting television interview (well, he was kind of happy to do so, actually). It was challenging as a facilitator not to jump in with my own advice and opinions, but perhaps the most important lesson I learned was the difference between facilitating and participating in an IR tabletop exercise.

There were many others I got to rub shoulders with, meet and learn from throughout the week. RSA was attended by many industry thought leaders, including the likes of Ed Skoudis, Larry Ponemon, Johannes Ullrich, Ron Rivest, John Strand, Alan Paller, Stephen Sims, James Lyne and Paul Asadoorian. I have to plug Strand’s awesome, free threat hunting tool here, RITA, named after his awesome, late mother, who ensured it will be free forever. Did I mention that it was awesome and free?

The smaller sessions were truly the gems, in my opinion, aside from the always noteworthy 5 Most Dangerous New Attack Techniques keynote. My advice is to spend a couple of hours before you attend creating a schedule: pre-register for the sessions you don’t want to miss, but stay flexible throughout the week. One of my favorite sessions was a “fireside” chat between a CISO and a published author focused on communicating with the board, which I had no intention of attending. I tagged along with a fellow CISO colleague (Hi Okey!) and I’m glad I did, because some of the unfiltered conversation that ensued during that session resulted in nuggets of wisdom possessed only by extremely experienced professionals (and those who were eavesdropping on the conversation)! This resulted in my most controversial tweet of the week…

There were also plenty of sessions that discussed the importance of a diverse and growing workforce within cybersecurity. I had the chance to reflect on how I can personally make an impact in this area, and was able to hear from and meet many others trying to do the same thing on a much larger scale, like 16-year-old Kyla Guru.

In summary, San Francisco was a good experience. RSA was a good experience, but I’m sure the excitement of rubbing shoulders with the who’s who of cybersecurity will be gone the second time I go. And the vendors? Notice I haven’t mentioned them? They weren’t there. SIKE. They were everywhere and working HARD to be noticed. Surprisingly, though, you can spend as much or as little time as you want with them, because they had over 40,000 targets and droves of folks lining up to talk to them. So, I spent some time talking to the vendors I cared about at this moment in time, spent an hour or two learning about new vendors, and now I’m all set to ignore their phone calls for at least another 6 months.

RS-YAY or RS-MEH? I would say…RS-OKAY. I will be back. But not next year. Once every 2-3 years would be perfect in my book.

Thanks for reading and don’t forget to subscribe.

Business E-mail Compromise (BEC) Workshop, Theater Edition

The Public Theater Building Front, NY


Earlier this week I had the opportunity to attend the Business E-mail Compromise (BEC) workshop, which is being made available in various cities around the country. Law enforcement, Symantec and various ISACs teamed up to bring awareness to this very expensive attack. For theater buffs, there was an added bonus to the NY workshop because it was held in The Public Theater, where Hamilton and many other famous shows first broke ground.

The Public Theater Lobby


What is a business e-mail compromise attack? Put simply, it’s a fake e-mail sent to someone in the business, usually in accounting or finance, with the goal of initiating a wire transfer or some other transfer of funds. It is often spoofed so that the e-mail appears to come from the victim’s boss or another executive in the company, and it commonly starts with a simple, less suspicious request. If the victim engages in a conversation and replies to the initial e-mail, the conversation escalates quickly and usually ends with a large wire transfer to an external account. The most recent attacks even include a “Sent From My iPhone” signature at the bottom of the message, in an apparent attempt to excuse sloppy grammar and typos.

The first part of the workshop consisted of a discussion led by an FBI agent and a Secret Service agent. Admittedly, watching them stand on the blue-tinted stage with cafe tables in the audience first made me wonder if they were going to sing the blues of cyber security, but the tone of their session was positive and informative. They are often involved in responding to these crimes, and the dollar amounts vary greatly, from thousands to millions of dollars. The insight they provided was valuable, and they stressed the need to involve law enforcement quickly: after 72 hours, it becomes highly unlikely that the funds can be frozen or will ever be recovered, so the goal should be to involve law enforcement as early as possible. Interestingly, they have not seen the sophistication of these attacks increase much, which means we have a window of opportunity to bring awareness to common attack methods. But it can also mean that the bad guys have not needed to adapt because they are continuing to have success. Both agents stressed that if we are not sure which agency to reach out to, contact them both (FBI & SS) and they will coordinate the response between themselves. The Internet Crime Complaint Center at www.ic3.gov is a good place to start.

Symantec highlighted an e-mail threat report they published, which also provided some valuable insight. For example, they estimate that 8,000 businesses are a BEC target each year, and as a target you can expect to receive about 5 e-mails. I can confirm that when we received notice of one of these attacks from a single user and investigated further, we found that the same sender had targeted a second user in exactly the same manner, and then sent a blast phish attempt to a double-digit population in our community. So it’s important that phishing incident response procedures include a step that identifies the scope of a particular attack. Predictably, the Symantec talk and report included a highlight of the many solutions they offer commercially to help detect and prevent BEC attacks.
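As an added example (not material from the workshop or this post), here is a small Python triage pass over mail records that looks for the BEC pattern described above, an executive’s display name on a message sent from an outside address, and then groups hits by sender to size the campaign, which is the scope step just mentioned. The company domain, executive roster, opener phrases and sample messages are all constructed assumptions.

```python
"""Added example, not from the workshop or this post: a small triage pass over
mail that looks for the BEC pattern described above and sizes the campaign.
Company domain, executive roster, opener phrases and messages are all constructed."""
from collections import defaultdict
from email.utils import parseaddr

COMPANY_DOMAIN = "example.edu"                       # assumption: our mail domain
EXECUTIVES = {"jane doe", "john smith"}              # assumption: names worth impersonating
OPENERS = ("are you at your desk", "quick task", "need you to handle", "wire")
MOBILE_SIG = "sent from my iphone"                   # the signature the post mentions
BLAST_THRESHOLD = 10                                 # double-digit recipients = blast

# Constructed sample messages modelled on the escalation pattern in the post
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.edu>", "to": "alice@example.edu",
     "subject": "Budget meeting", "body": "See you at 3."},
    {"from": "Jane Doe <jdoe.ceo@gmail.com>", "to": "alice@example.edu",
     "subject": "Quick task", "body": "Are you at your desk? Sent from my iPhone"},
    {"from": "Jane Doe <jdoe.ceo@gmail.com>", "to": "bob@example.edu",
     "subject": "Quick task", "body": "Are you at your desk? Sent from my iPhone"},
] + [
    {"from": "John Smith <j.smith.office@outlook.com>", "to": f"user{i}@example.edu",
     "subject": "Following up", "body": "Need you to handle a wire today. Sent from my iPhone"}
    for i in range(12)
]


def parse_sender(header):
    """Split a From header into (display name, address, domain), lower-cased."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain.lower()


def bec_indicators(msg):
    """Return the BEC indicators present in one message (empty list if none)."""
    name, _, domain = parse_sender(msg["from"])
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = []
    # Display name of an executive, but the address lives outside our domain
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        hits.append("exec name from external domain")
    if any(phrase in text for phrase in OPENERS):
        hits.append("low-key opener")
    if MOBILE_SIG in text:
        hits.append("mobile signature")
    return hits


def campaign_scope(messages):
    """Group impersonation hits by sender address and size each campaign.

    Returns {sender: (distinct recipients, label)} so the responder can see
    whether one user, a handful, or a double-digit population was hit."""
    recipients = defaultdict(set)
    for msg in messages:
        if "exec name from external domain" in bec_indicators(msg):
            _, addr, _ = parse_sender(msg["from"])
            recipients[addr].add(msg["to"].lower())
    scope = {}
    for addr, rcpts in recipients.items():
        n = len(rcpts)
        label = "single target" if n == 1 else (
            "targeted" if n < BLAST_THRESHOLD else "blast")
        scope[addr] = (n, label)
    return scope


if __name__ == "__main__":
    for sender, (count, label) in campaign_scope(SAMPLE_MESSAGES).items():
        print(f"{sender}: {count} recipient(s), {label}")
```

A message that forges the executive’s real internal address passes this display-name check; that case needs the gateway’s SPF, DKIM and DMARC results rather than header text.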

The final session was led by local ISACs, or Information Sharing and Analysis Centers. I am a strong advocate for participation in these groups. They are basically sector-specific groups that focus on cyber security and information sharing to enable better response and intelligence. In other words, they help competing organizations in the same sector work together. Think about that for a minute. Cyber security is such a challenging problem that competing companies are working together to help each other be successful in dealing with it! We need to do more of that across the industry, and the session really helped highlight some of the services that these ISACs offer. I’ll make a special mention of REN-ISAC and MS-ISAC, both of which I have great things to say about. If you qualify, sign up today. If you’re not sure which ISAC to join, check the National Council of ISACs Registry.

If you have an opportunity to attend one of these workshops I would recommend it. The attendees were a mixture of private and public entity business and technical professionals. The social networking aspect was valuable as well. Those conversations can prove to be more informative than some of the sessions, so take time to linger.

Thanks for reading and don’t forget to subscribe.

SANS SEC503 (GCIA) Review

Ouch. My head hurts.

I am tempted to end my review right there, but this class is just too awesome. I would not be doing it justice.

This past May I attended SEC503, Intrusion Detection In-Depth, virtually, in the vLive format: essentially a live stream of the course at SANS Houston. As far as the format is concerned, I liked it more than on-demand, but not as much as being there in the flesh. You don’t get to network as well and obviously you miss out on NetWars and SANS @ Night, but the core part of the experience is kept intact. I had the ability to interact with the class via chat, which was definitely useful. If I typed in a question, the moderator would inform the instructor, in this case Johannes Ullrich. He would then respond verbally, which was a great way to interact with the instructor remotely. This was important to me because one of the primary reasons I prefer SANS courses over many others is the caliber of their instructors. Dr. Ullrich is truly an expert in the field, and for those who don’t already, I would highly recommend subscribing to his daily ISC Stormcast. If you don’t know, now you know (yes, that was a 90’s hip hop reference)! I digress.

The course lived up to the hype. It has a reputation for being one of the most challenging SANS courses, and I would have to say that of the courses I’ve taken, there is truth to that. I will qualify that by saying I do not have a strong background in this area. I had a high-level understanding of packet analysis solely from SEC401, but otherwise this was uncharted territory for me. I am comfortable with IDS concepts overall and oversee a managed implementation of such, but my hands-on experience is limited. This course filled in all the gaps. I was able to work with Snort quite a bit, and some other great solutions such as Bro, SiLK and Security Onion. I learned very quickly that, aside from basic functionality, Bro requires basic programming capability to support, hence the limited adoption. I also learned more about IP, TCP, UDP, and IPv6 than I ever cared to know. But more importantly, I have a crystal clear understanding of what is normal and what is not when looking at a series of packets. It also provided plenty of flight time with tcpdump and Wireshark.

Wireshark screenshot

I used the full 4 months to prepare for this exam after taking the course, partially due to external time contention (being appointed interim CISO shortly after I took the course) and partially because this material was outside of my comfort zone…not my cup of tea, as “they” say. I still managed to score a 95 on the exam. I’m not sharing that to brag. I wanted to reassure my blog readers that if you are inclined to take this course, you can be successful, even if you’re not already a packet ninja. If you want to be one, this is a good place to start. I would like to set your expectation, though. Even after taking this course, I would not consider myself a black belt. Brown belt at best!

Do I recommend this course…absolutely. Keep the Advil handy, though!

No Longer Unsolved Mysteries: Kevin Poulsen

I had the opportunity to hear Kevin Poulsen speak recently and it was a real treat. Kevin is a recovered black hat, now working as a writer and journalist. I hereby pronounce his book mandatory reading for anyone working in cyber security.

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

It’s a great read and beyond the entertainment factor, it gives tremendous insight into how stolen credit cards have evolved from being just an edgy hobby into big, very big, business.

In the talk I attended, Kevin gave his own story and even showed us a clip of himself, a troubled and devious youth hacker, as depicted on Unsolved Mysteries. But the heart of his talk summarized the story told in his book, Kingpin. This book tells the story of since-captured hacker Max Butler, who in his own mind had only the purest intentions: hack the hackers and make money along the way. That slippery slope ended abruptly, and Kevin does a terrific job of capturing the facts and the personalities involved, which are often overlooked when simply reading the headlines. Another version of his talk was recorded at Stanford Law School when he gave it in 2011. Check it out here:

After the talk, I asked him if he agreed with most security analysts who predict that criminal hacking focus will shift from stolen credit cards to medical records. He replied, in part, “I’m not convinced yet.”


He explained in his talk that although chip and PIN/signature will not stop all credit card theft, it will hamper the appeal and availability of the large payloads we have seen in recent years.

Whether the focus shifts or not, one thing is for sure…bad guys are good at multitasking.

What do you think the next big thing will be? Let me know it in the comments below.

Thanks for reading and don’t forget to subscribe.


SANS SEC504 (GCIH) Review

There was one problem with this class…I didn’t want it to end. 6 days long and two months of supplemental studying only whetted my appetite for what SANS has to offer. SANS SEC504 (GCIH) was the perfect sequel to the SANS SEC401 (GSEC) course I took over a year ago. In similar fashion you cover one book per day, but the books are only “yay” thick (a welcome reduction compared to 401):

picture of book thickness compared to pencil

Let me give you 5 reasons why this course is a must-do for any security professional.

1) John Strand: He took over authorship of this class from Ed Skoudis (his virtual big brother), and to say John has done the class justice is an understatement. He shares many firsthand experiences and even some tools in this course that were built by his own company, Black Hills Information Security (BHIS). For instance, on day 5 you get to “infect” yourself with a command and control bot that calls home using a common HTTP parameter. It’s amazing to see things from the perspective of a “bot herder” and to leave the course with a way to test your NGFW, IDS and maybe even your MSSP. Plus, he throws in a bunch of little tidbits that are not part of the actual curriculum. Thanks, John.

2) MP3s of the course: John was not the in-person instructor when I took this course; Kevin Fiscus was. Fortunately, Kevin understood the material about as well as anyone in the world, aside from the actual authors. However, the beautiful thing about every SANS course is that a week after it concludes, you’re provided MP3 audio files of a previous class. In this case, it was a session that John Strand taught. A quick download allowed me to listen to the course during my daily commute. In other words…two instructors for the price of one!

3) Incident Response Phases: Day 1 was our foundational day, which sets the table for the following 5 days of intense instruction. By the conclusion of the course, you will be uttering the 6 stages of Incident Response in your sleep…Preparation, Identification, zzzzzz, Containment, Eradication, Recovery, Lessons Learned…zzzzzzzzzzzzz. The ZZZ’s are not there because it’s boring, but because after each and every threat you review during the week you then review how to identify such an attack, prepare for it, contain it and eradicate it. Over and over again that formula is followed. Really awesome approach and a great way to learn.

4) Netcat Relays, Buffer Overflows and Format String Attacks: Day 3 was the most technically intense day of all and filled in a lot of gaps for me, and created some new ones. You will go to bed this night with a headache and wake up with a newfound respect for the tools that make complex attacks trivial to carry out today.

5) Day 6 Capture The Flag (CTF): If you’ve never participated in a capture the flag competition, this is the perfect way to start. You break up into teams and use many of the skills you have acquired throughout the week. So not only do you spend most of the week thinking like a bad guy, you then get to BE a bad guy and break into actual systems in a lab environment. As Kevin Fiscus said, “Don’t overhack this, guys!” Throughout the week you are given many “hints” and even if you are used to CTF competitions, you will learn a lot and realize that sometimes the easiest way in is through the front door…no backdoors required. But you’ll know how to create those too if you so choose.

I don’t want to make days 2 and 4 feel bad, those are great too. The bottom line is that offense should inform the defense and this course helps you to take a close look at the offense. This is not a penetration testing course, but you do walk the line throughout it with the goal of identifying and defending against common practices used by hackers today. Yes, you also look at some tools that they use, but understanding why they use such tools and how they work is more important. The course has a defensive theme woven throughout.

A pass on the exam is very achievable. Like every SANS course, it is open book. The questions are mostly straightforward, but a few of them were kind of sneaky. Others make you interpret screenshots and identify the type of attack you are dealing with. There were quite a few on my exam about the actual IR process and what steps should be taken within each phase. If you prepare well, you don’t have to worry about passing or failing. It’s more a matter of how well you will do. If you’re not in the GIAC Advisory Board, make it a goal to get 90 or better on this exam so you can join the party. It is worth the effort. This was my second SANS course and my equation for success was the same: 1) Attend the course (online or in-person) and do all the labs while you’re there. 2) Listen to the MP3’s in your car. 3) Read each book, highlight key phrases and create a detailed index.

For this course, my index was 18 pages long and 821 lines. It is essentially an Excel spreadsheet with 4 columns: Keyword/Subject, Book, Page, Summary/Info. I added several SANS cheat sheets to the back for reference and had the whole thing spiral bound at Staples for $5. Here’s a picture of mine, mostly blurred, so please don’t ask me to send you a copy:

GCIH Index Picture

One change I would suggest to SANS is to spend a little bit more time on identifying intrusion remnants on Linux computers. It is covered, but not to the extent I would have preferred. Don’t get me wrong, the 6 days were jam packed, so I’m sure the authors had to make some decisions along the way in terms of content. For instance, there was a lab on day one that walked you through looking for signs of intrusion on a Windows box. The equivalent steps were covered for Linux in the appendix, so I was able to go through that, but on my own time. Memory analysis is covered in two different labs, both of which focused on the memory dump from a Windows machine. This is clearly the most common scenario most students will face, but in my environment there are a large number of Linux computers to deal with too. Fortunately, the skills I learned can be extended to Linux with a couple of quick Google searches.

Major Takeaways: Defend your user accounts because when the bad guys have valid credentials on your network, YOU ARE IN TROUBLE. If you can’t detect an insider, you can’t detect stolen credentials. Stop trying to be a hacker. Be a security professional. Treat your internal network like it’s hostile…because it is.

Oh, one more thing…YOU’RE WELCOME.

Did you take this course or another SANS course? Tell us about it in the comments below.

Thanks for reading and don’t forget to subscribe.

Security Conference Round-Up

Just about once a year, I start to explore the various security conferences that are available, their approximate cost and when they are usually held. There are a few summaries out there on the web, but most are exhaustive with way too much information or simply not enough. So, here’s a summary of conferences on my radar, based on 2015 data. Fortunately, the data does not change much from year to year, so this will be a good point of reference in the future. This is far from an exhaustive list, though. There are smaller hacker conventions, like DerbyCon and HOPE X, which I did not thoroughly investigate, but they are definitely worth a nod. The costs are estimated (assuming no discounts) and the descriptions are highly subjective, mostly based on hearsay. How is that for minimizing the usefulness of this post?!

http://en.wikipedia.org/wiki/File:DEF_CON_17_CTF_competition.jpg


Each entry below is listed as Conference (Location, approximate cost, timing): Description.

Blackhat (Vegas, $5500, August): All the corporate heavies will be here; leans towards a hacker theme. Conference without any training is about $2500.

Defcon (Vegas, $250, August): Hacker convention. Cash only, starts right after Blackhat, lots of bad words. If you’re going to Blackhat, Defcon is a must-do.

Educause Security Pro (Minnesota, $500, May): Security within the higher ed vertical, peer-presentation heavy, REN-ISAC meetup.

Gartner Security Summit (Maryland, $3000, June): Calling all CISOs, managers and CISSPs! Strategic thinking and networking.

Interop (Vegas, $3000, April/May): General IT conference with a security track. Some tech, vendor heavy.

(ISC)2 Security Congress (Anaheim, $1000, Sept/Oct): Calling all CISOs, managers and CISSPs, with some technical content mixed in.

RSA Conference (San Fran, $5000, April): All the big shots will be here. Corporate with broad security coverage. Conference without any training is about $2500.

SANS (Various, $5000, Various): More training than conference; a top-notch educational opportunity. Heavily technical with some strategy mixed in. SANS 2015 in Orlando is a main attraction.

You can check out my 2014 Interop NY review here, but there will not be a NY version this year. Vegas only, so my guess is that quite a few people agreed with my assessment.

I’m sure I missed some really good ones. Please add them to the comments below. Thanks for reading and don’t forget to subscribe!