Lab Village

BSidesCharm 2018 will try something new that I am calling Lab Village. The idea is to have hands-on technical labs for open source infosec tools plus at various times throughout the day, someone that uses that tool for a living showing how they would solve that exercise. It is extremely difficult to explain how to tell when the assumption you made is incorrect in a generic sense, but in specific situations, it is significantly easier.

We need volunteers to build hands-on labs and to do live analysis. If you are interested in helping, please contact me on Twitter or email Forgotten ForgottenSec com!

My dream is to cover the major open source DFIR tools like:

  • Snort/Suricata IDS
  • Bro IDS
  • Argus
  • Autopsy/Sleuth Kit
  • Volitility
  • Wireshark/Network Miner/Xplico
  • Windows Logs – no specific tool, but …. lots to do here
    • Windows Firewall Logs
    • Windows Auth Logs
    • Windows

      Lab builders will end up helping to build the following:

      • Memory Image(s) with Malware
      • Hard Drive Image(s) with Malware
      • PCAPs with:
        • C2
        • Data Exfil + Profile of Normal
        • Malicious Web Traffic
        • And so on

      I need people to make pcaps and host logs to match real SOC events: Both True Positives and False Positives. These logs should be taken during events that the SOC would normally analyze such as:

      • Users forgetting their password and triggering badly designed brute force rules
      • Phishing attempts (success and fail)
      • Questionable Scripts from Powershell & Bash
      • Lateral Movement Attempts
      • unusual network behavior – Malicious and just applications being weird
        • Labs should be designed to closely simulate real-world work examples. These will not be step-by-step walkthroughs, rather realistic scenario’s with supporting artifacts as though a real ticket was assigned to an analyst from a SOC/DFIR team lead.

          In addition to the labs, having a professional work through the labs while explaining their logic and inferences, especially the ones that prove incorrect. It is so difficult to learn pitfalls and mistakes and how to tell when they are wrong. It is critically important for new analysts to understand! In the SOC world, false positives plague us, but knowing how to determine if an alert is a false positive with proof rather than assumptions is an important skill, but not something easily learned.

          Too many SOCs end up hiring passionate candidates with no experience with the tools/skills they need to do their job. I dream of Tier 1 SOC analysts having worked through realistic investigations and understand the basics of the job, before they get hired. Currently we have no global standards for SOC skills, but we could. The first step is to have opportunities to see realistic scenario’s before starting your first SOC job…

SOC: Maturity Levels

So I tweeted a SOC PSA about great places to start detection. I gave a few ideas and got back many responses about things to include. The discussion focused on Level 1, but I started adding more and categorized things. The levels are my own opinion and will likely change over time as I add more depth and breadth to this list.

Here is the list:

Level 1

  • full DNS logs
  • Firewall Logs from both OS network firewalls
    • Block SMB internally and alert on events
    • Block HTTP from non-proxy
  • Bro logs/Netflow
  • Admin Auth logs
  • Proxy Logs – @lmeyerov – assuming you have proxies required
  • Anti-Virus Logs – @hhf – Great indicators
  • Email Logs – @chadalt – excellent data source for watching for phishing.
  • IDS/WAF Logs
  • HTTP Headers

Level 2

  • Web Server Logs
  • Database Logs – Auth + Query
  • Application Logs
  • Powershell
  • Hashes of Binaries transmitted
  • DHCP Logs – @stielervaneeden
  • Host Logs – @hhf – Great indicators, but the log to value trade-off for host auth logs is lower than other logs mentioned here.
  • Process Execution Parent-Child Relationships – @MrBenChung
  • Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung

Level 3

  • SSL Certificate Metadata – @vivekrj
  • Full PCAP – @MrBenChung
  • Script Logging
  • Wifi Connection Logs – @MrBenChung
  • NAC Logs (if you have NAC deployed)