Lab Village

BSidesCharm 2018 will try something new that I am calling Lab Village. The idea is to have hands-on technical labs for open source infosec tools plus at various times throughout the day, someone that uses that tool for a living showing how they would solve that exercise. It is extremely difficult to explain how to tell when the assumption you made is incorrect in a generic sense, but in specific situations, it is significantly easier.

We need volunteers to build hands-on labs and to do live analysis. If you are interested in helping, please contact me on Twitter or email Forgotten ForgottenSec com!

My dream is to cover the major open source DFIR tools like:

  • Snort/Suricata IDS
  • Bro IDS
  • Argus
  • Autopsy/Sleuth Kit
  • Volitility
  • Wireshark/Network Miner/Xplico
  • Windows Logs – no specific tool, but …. lots to do here
    • Windows Firewall Logs
    • Windows Auth Logs
    • Windows

      Lab builders will end up helping to build the following:

      • Memory Image(s) with Malware
      • Hard Drive Image(s) with Malware
      • PCAPs with:
        • C2
        • Data Exfil + Profile of Normal
        • Malicious Web Traffic
        • And so on

      I need people to make pcaps and host logs to match real SOC events: Both True Positives and False Positives. These logs should be taken during events that the SOC would normally analyze such as:

      • Users forgetting their password and triggering badly designed brute force rules
      • Phishing attempts (success and fail)
      • Questionable Scripts from Powershell & Bash
      • Lateral Movement Attempts
      • unusual network behavior – Malicious and just applications being weird
        • Labs should be designed to closely simulate real-world work examples. These will not be step-by-step walkthroughs, rather realistic scenario’s with supporting artifacts as though a real ticket was assigned to an analyst from a SOC/DFIR team lead.

          In addition to the labs, having a professional work through the labs while explaining their logic and inferences, especially the ones that prove incorrect. It is so difficult to learn pitfalls and mistakes and how to tell when they are wrong. It is critically important for new analysts to understand! In the SOC world, false positives plague us, but knowing how to determine if an alert is a false positive with proof rather than assumptions is an important skill, but not something easily learned.

          Too many SOCs end up hiring passionate candidates with no experience with the tools/skills they need to do their job. I dream of Tier 1 SOC analysts having worked through realistic investigations and understand the basics of the job, before they get hired. Currently we have no global standards for SOC skills, but we could. The first step is to have opportunities to see realistic scenario’s before starting your first SOC job…

SOC: Maturity Levels

So I tweeted a SOC PSA about great places to start detection. I gave a few ideas and got back many responses about things to include. The discussion focused on Level 1, but I started adding more and categorized things. The levels are my own opinion and will likely change over time as I add more depth and breadth to this list.

Here is the list:

Level 1

  • Knowledge of a SIEM – pivoting through different data sources/points
  • Knowledge of an IDS/IPS/WAF alert and how to research it
  • Full DNS logs
  • Firewall Logs from both OS & network firewalls
    • Block SMB internally and alert on events
    • Block HTTP from non-proxy
  • Bro/Netflow alerts
  • Admin Auth logs
  • Proxy Logs – @lmeyerov – assuming you have proxies required
  • Anti-Virus Logs – @hhf – Great indicators
  • Email Logs – @chadalt – excellent data source for watching for phishing.
  • HTTP Headers

Level 2

  • Web Server Logs
  • Bro/Netflow Logs
  • Database Logs – Auth + Query
  • Application Logs
  • Powershell
  • Hashes of Binaries transmitted
  • DHCP Logs – @stielervaneeden
  • Host Logs – @hhf – Great indicators, but the log to value trade-off for host auth logs is lower than other logs mentioned here.
  • Process Execution Parent-Child Relationships – @MrBenChung
  • Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung
  • False Positive Root Cause Analysis
  • Identifying new data sources of value

Level 3

  • SSL Certificate Metadata – @vivekrj
  • Full PCAP – @MrBenChung
  • Script Logging
  • Wifi Connection Logs – @MrBenChung
  • NAC Logs (if you have NAC deployed)

NSM: The Forgotten Frontier

For some reason, the skills associated with being a Security Operations Center (SOC) analyst never seem to be listed as important in HR.

Top Priority Skills:

  • Analytic Detailed Analysis
  • Basic Networking
  • Logs
    • Windows
    • Linux
    • Application Server
    • Application Auth
    • Database Audit
    • Firewall
    • Windows Authentication
    • Linux Authentication

    Senior Level Skills

    • Protocol Analysis
    • Packet Analysis
    • Code Analysis
    • System Architecture
    • Logs
      • Web Application Firewall
      • IDS/IPS
    • Malware/Intrusion Attempt Incident Reporting
    • Host Forensic Analysis
      • Hard Drive Forensics
      • Memory Forensics

          Conference Talks related to SOC issues:

InfoSec Basics Labs

When I started learning infosec in college, I realized how different labs can be depending on the how the teacher/course maker made the labs. I ended up breaking down styles into a few categories:

  • Complete command-by-command instructions with explanations of each command
  • Command-by-Command instructions with no explanations
  • Instructions on the order of tasks and which tools to use, but having to figure out how to use that tool on your own
  • Instructions on the order of tasks and being given a repository of tools to use

Each method gives different advantages and disadvantages. I prefer the last option, because I think it forces the student to research and learn about the tools. Additionally, any of these can and should be supplemented with questions along the way and at the end to draw conclusions. Anyone can regurgitate information, but these questions are designed to force the student to think about what they did and how they did it. That understanding is pivotal to creating prepared infosec professionals as we are expected to be able to figure stuff out on our own.

One of the projects that I have worked off and on for a long while is the CTF Wiki. The project started as me trying to think of something I do to give back to the community, specifically a visible resource, however at the time, I wasn’t very knowledgable. Although I am not in love with just living for documentation, I found that CTFs did not show differences between them or have any more documentation then a basic repository of solved challenges assuming you found that. As I started to document the essence of each challenge: categories of skills, timing, hints, format of the challenge and so on, I also started documenting the tools and use cases. Due to lack of time, I haven’t had time to update the CTF Wiki in a long time which frustrates me greatly.

Recently, I was asked to help mentor an awesome person that has decided as she learns more about infosec, she will help me transition the site to its new home, format and help add information. Anyone else that is willing to help in this effort, please send me a email. My email is ( Forgotten ForgottenSec com ) and is on the front page of the CTF Wiki. This started roughly 2 months ago and as time progresses, we get closer to launching the new site which has me really excited. As the CTF Wiki transitions to Github, this allows all contributors to be credited via their coding resume aka Github. This is a amazing opportunity for students to show they are going above and beyond what the classroom has provided and helping to give back to the community.

Just recently, a student from my college asked me to be his mentor. It amuses me how much I offer to help and basically no students took me up on it, however two people now came to me which is awesome. Regardless, I got him working on a slightly different project that became the subject for this post. The CTF Wiki has become more then just CTF info when I started to incorporate the tools and ideas needed to work on these challenges. When I was in college learning, I tried to get students to work with me to play various CTFs and realized we had to start off with really easy challenges to get people having fun and thinking. Some struggled to go beyond basic classwork and get into infosec challenges. At the time, the labs the school had were mostly my least favorite type of lab which is basically step-by-step commands with few to no questions forcing students to think. Regardless, I plan on folding a infosec lab repository into the CTF Wiki for learning. If you have labs you are willing to share, there will be a section on the CTF Wiki explicitly for that. My goal is to have myself and others working to improve labs to teach various portions of infosec. Crowd-Sourced labs will provide the community with better resources for both students, instructors, and allow students aren’t paying for a formal education to receive quality training for free similar to the idea of Coursera, but open to anyone to use or improve. The new site is not yet ready for launching, but I expect for it to be ready in the coming months and I am really excited to have a few labs posted by launch. If you have labs that you want to share now, please let me know.

Attending Conferences

In the 5 years that I have been working in InfoSec, I have been to a few dozen conferences across the east coast and across the country. I have attended every conference I have been able to as I feel I get a lot out of visiting them especially the first time I go to each event. Many people have been to more conferences then me, but here is my list of what I have visited so far:

Shmoocon Washington, DC
BSidesDC Washington, DC
BSidesCharm Baltimore, MD (just outside)
BSidesDE Wilmington, DE
Summercon New York City, NY
Thotcon Chicago, IL
Derbycon Louisville, KY
Circle City Con Indianapolis, IN
Hack Miami Miami, FL
Defcon Las Vegas, NV
BSidesLV Las Vegas, NV
Hack3rCon Charleston, WV (not to be confused with Charles Town… very different)
Shmoocon Epilogue Fairfax, VA

Each has a focus and each has value depending on your goals. Many of them even have a focus that is varied in intensity depending on the event. Regardless, depending how you participate in the conference will change your experience dramatically. Regardless of what you end up doing, realize that a twitter account is almost necessary to get the full experience. Many professionals I know have Twitter accounts they only utilize during conferences, which is perfectly acceptable. Here is a list of some of the possibilities of things to do:
Attendee Type:

  • Attending Training
  • Hallway Con/BarCon/Eating with other con participates
  • Challenge Player
  • Attending Parties
  • Attending Talks
  • Attending Villages

Other Badges:

  • Vendor/Sponsor
  • Staff/Volunteer
  • Organizer
  • Trainer
  • Speaker

Some people devote the entire conference experience to one of the above, but ideally, you should attempt to participate in as many of these as possible at each con you attend. At least as many of the attendee type things to do at cons as well as speaking and training. It is a very different and interesting experience to be any of the first three types of “Other Badge” participants. Being a staff, volunteer, vendor or sponsor shouldn’t take up your entire con experience. Ensure you participate and enjoy since you showed up to the conference. I will break down each type of attendee experience:

Attending Training:

Some have said Training is one of the more common justifications for attending conferences at this point which makes sense to me. Many conferences offer relatively inexpensive training compared to dedicated training events like SANS. You can experience some unique trainings that may not be quite as polished as a professional training event, but at a fraction of the cost. Additionally, there are some topics that just aren’t available in a professional training environment at the moment. It is a great learning experience and in many cases is a negligible cost difference. These trainings are almost always given by practitioners not professional trainers meaning their real world experience in the subject material is significantly better. Most people I’ve spoken to would much prefer a more knowledgable trainer rather then a more polished trainer if you have to choose between the two. I attend any training I can at conferences. It can take up a significant amount of time, but I am rarely disappointed. In many cases, training is available on the days leading up to the conference which increases your learning opportunity. If possible always participate as it sets the tone for the rest of the con and you can form relationships with other students that can make the con more fun and create a lasting network of others interested in subject of the training which can be very valuable in addition to networking with the instructor during the conference.

Hallway Con/BarCon/Eating with other con participates

This is my second favorite portion of conferences, yielding only to training. Given the lack of social nature of many in the information security field, I attempt to appeal to peoples sense of appetite by ensuring at each meal I eat, there is at least one person I haven’t eaten with that con. To achieve this, I tweet relatively in advance before eating and ask who wants to join me, tagging the conference and any other random tags I think are appropriate. Additionally, if the wait is long, I tend to ask random people “Who doesn’t want to wait in line?” in a attempt to get random people I don’t know to join me. This is especially applicable at Defcon. The most common thing I end up doing at most cons is hanging out in the hallway talking with people. Sometimes about a talk that I have just seen, but more often asking what they have been working on or researching. This has led to some amazing opportunities and connections with others that share similar research interests. Often I end up explaining some of my projects and/or research as well. This has led to some contributors in a few of my projects and sometimes it just increases peoples awareness and sometimes all I get is negative commentary like “that is a waste of time”, but everyone is entitled to their opinion. Sometimes their negativity is correct; sometimes its not. If I decide a conversation is not useful, I just move on. There are typically between a hundred and two thousand attendees at every conference listed above besides Defcon. If your conversation with one person isn’t interesting or useful, move on or change the subject. Many times, these conversations end up at the bar.

Many people in InfoSec like to drink. I don’t mind, but I am not in love with drinking. I tend to only drink what I enjoy drinking which causes some issues, but often it allows the willingness to open up and have better conversations. Social anxiety appears rampantly. Libations help… If don’t want to drink, don’t. If someone pressures you to drink, tell them no clearly and if they continue, hangout with someone else. There are plenty of people that have fun at conferences without a drop of alcohol like Jayson Street, although some believe Diet Pepsi is his alcohol. It is a choice; not a requirement.

Regardless talking with others and learning/networking through private conversations is extremely valuable. This allows for peer review of your findings/research, learning of others research, projects, tools and ideas. Many of these conversations have led to ideas for projects and research. Sometimes the only value I get out of conversations is laughing with someone and a contact for the future if I ever get a interest in whatever that persons expertise is in. Remember that while you may be knowledgable in a subject, there is always someone that is also researching that same subject and others who don’t even know that research topic exists. High level conversations about research and projects is commonly found in the bar.

I tend to hang out in the smokers area quite often regardless of not smoking. the outside area for smokers always contains a few folks and people need to do something besides sit on their phones, so there is almost always good conversation wherever the smokers area.

Challenge Player

Over the last couple years, information security challenges have exploded in popularity in both the professional and student portions of information security community. Most value practical application far above any paper showing non-practical knowledge. The challenges force students to take the theory they learn via traditional college system and supplement it with practical challenges that force students to think and apply those concepts in someone practical applications. Working professionals enjoy the opportunity to do the same. Challenges come a wide range of formats including Attack Challenges, Defensive challenges and the most popular Jeopardy style. These challenges touch on a broad range of different skills including:

  • Crypto
  • Forensics
  • Web Exploitation
  • Binary Exploitation
  • Recon
  • Reverse Engineering
  • Programming
  • Packet Analysis
  • Log Analysis
  • Lockpicking
  • Social Engineering
  • Wireless Challenges

These categories make-up the practical skill-sets covered in most InfoSec jobs. While playing these challenges, learning, research and working with others can teach you an incredible amount.

Attending Parties

Depending on the particular conference, most of the parties are similar. Loud music, very few people dancing, tons of alcohol and lots of people out the in hallway chatting just outside the party area, far enough away to have a conversation without screaming, but close enough to hear the music. I strongly recommend ear plugs for most of these as in the party area, the noise can be deafeningly loud. Similar to bar con/hallway con and meal-time, given libations, most attendees tend to chat easier at party time. There are always some who get destroyed; either help them or ignore them. As mentioned before, I do recommend enjoying some alcohol, but getting plastered is not recommended. It can be quite the fun escape, but your at the event to teach, learn, and network; Being sick does not help.

Attending Talks

This may seem somewhat intuitive, but it is rarely worthwhile to view talks. Given the numerous other options for things to do. This assumes most if not all talks are recorded. I tend to attend talks that aren’t recorded and other conference portions. If there is a talk on a subject and I believe I have questions or if I am extremely interested in that subject or if I know the speaker and just want to support/troll them, I will attend the live talk, otherwise I am almost never in talks. Know which talks are recorded and which aren’t. Every once in a while, there is a recording issue and talks won’t be recorded, but that is rare. When talking with others, find out what are the most interesting talks they’ve been to, if any, and why. This helps after the con when I watch videos.

Attending Villages

Villages are interesting areas focused in a particular subject. Some examples are the awesome folks at Wifi Village (the folks that host the Wireless CTF), TOOOL, Hardware Hacking Village, and ICS Village. These contain the experts in a given subject. Many contain talks given on advances in that specialty area. I visit every one I can at every con I go to.

Suggestions


Rooms

At conferences, you only sleep a few hours per night and you don’t want to leave your expensive toys in your room. Plan to split a room with someone. Always put the sign up requesting not to be disturbed, this helps to avoid maids with sticky fingers. Any supplies you need, you can get from the front desk. Staying at the con hotel has advantages and disadvantages. The conference hotel will have unsafe wifi/network, but thats also true of surrounding hotels. It is significantly easier and faster to get back to your room to change, drop equipment/swag, and get back to the festivities.

Gear

In most cases, a minimal amount of equipment is ideal. The less to carry around the better. If your taking a technical training, then bringing a laptop is necessary, but otherwise avoid it. Keep a minimum amount of extra cloths and plan to have some extra space for stuff picked up at the conference as swag still takes up space. After a few hours of walking around, even a few pounds can make a noticeable difference. This is the benefit I mention above in the rooms section. If your room is in the conference hotel, it is much easier to drop off the swag bag and backpack. Bring a rechargeable battery for your phone/tablet.

Twitter

As I mentioned above even if you only utilize it during conferences, create a account and watch the Conference & Conference Organizer twitter account and the associated hashtag. It is the easiest way to get info on whats going on. Setup your twitter on phone and make sure your phone rechargeable battery is charged and you have a adapter for your phone. I almost always tag the con account and hashtag when I go eat and find someone else that wants to go. Many others do the same. It is a great opportunity to meet other professionals and have some great conversations.

Goal

If you have a idea of what your looking for to start, that helps. Some typical goals:

  • Recruit other professionals or be recruited
  • Get advice technology choices within your organization
  • Learn how to implement a new technology
  • Learn how mature a technology you have implemented
  • Build your professional network to prepare for the future
  • Advertise your projects or business

Conclusions

So there is a ton of information in this post that is hopefully useful, but I was asked if I consider conferences worth attending. As a information security professional , the exposure of various technologies, solutions and ideas combined with the ability to learn quickly how to implement the correct solution is extremely important. In a larger organization, you can be more specialized in a particular technology, toolset and/or role, while in smaller orgs, your part of everything. I heavily value exposure to various technologies and experts to help with hard decisions. Conferences supported by twitter is how I do that. Conferences allow me to have discussions on critical questions and issues that can’t be answered in 140 characters or just shouldn’t be. Following up on twitter with people you meet in person help lead to personal projects, research and new thoughts.

As you long as you pick the right conference to participate in, you will be exposed to new tools, ideas, and/or people that will help you progress. I found conferences extremely valuable to my development as a professional and now that we am preparing multi-day in-depth Snort Basics and Snort Tuning classes, going to conferences has become even more valuable as I connect with more groups that need the training that we are putting the finishing touches on. If your ever at a con, come say hello; if you can’t find me, tweet at me and I will come find you.

PS: Make sure you know what the distance is to your event. Committing to showing up to a conference, being on the road for an hour of what you think is a 90 minute drive and having the GPS say, 5 hours remaining is really bad, especially when you have no hotel and planned on driving home.