BSidesCharm 2018 will try something new that I am calling Lab Village. The idea is to have hands-on technical labs for open source infosec tools and, at various times throughout the day, someone who uses that tool for a living showing how they would solve that exercise. It is extremely difficult to explain in a generic sense how to tell when an assumption you made is incorrect, but in specific situations it is significantly easier.
We need volunteers to build hands-on labs and to do live analysis. If you are interested in helping, please contact me on Twitter or email Forgotten
My dream is to cover the major open source DFIR tools like:
- Snort/Suricata IDS
- Bro IDS
- Argus
- Autopsy/Sleuth Kit
- Volatility
- Wireshark/NetworkMiner/Xplico
- Windows Logs – no specific tool, but … lots to do here
  - Windows Firewall Logs
  - Windows Auth Logs
  - Windows
Lab builders will end up helping to build the following:
- Memory Image(s) with Malware
- Hard Drive Image(s) with Malware
- PCAPs with:
  - C2
  - Data Exfil + Profile of Normal
  - Malicious Web Traffic
  - And so on
I need people to make PCAPs and host logs that match real SOC events: both true positives and false positives. These logs should be taken during events that the SOC would normally analyze, such as:
- Users forgetting their password and triggering badly designed brute force rules
- Phishing attempts (success and fail)
- Questionable Scripts from PowerShell & Bash
- Lateral Movement Attempts
- Unusual network behavior – malicious, and just applications being weird
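To make the first scenario concrete (a user mistyping a password and tripping a badly designed brute-force rule), here is an added example that is not part of the original post: a constructed sample of Windows Security logon events, a naive threshold rule that fires on the typo and misses a one-source, many-accounts pattern, and a triage function that gathers the evidence an analyst would cite before calling the alert a false positive. Event IDs, status codes, IPs and user names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events: 4625 = failed logon, 4624 = successful logon.
# Substatus 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
EVENTS = [
    ("2018-04-28T09:00:01", 4625, "alice", "10.1.2.3", "0xC000006A"),
    ("2018-04-28T09:00:09", 4625, "alice", "10.1.2.3", "0xC000006A"),
    ("2018-04-28T09:00:15", 4625, "alice", "10.1.2.3", "0xC000006A"),
    ("2018-04-28T09:00:30", 4624, "alice", "10.1.2.3", "0x0"),
    ("2018-04-28T09:05:00", 4625, "admin", "10.9.9.9", "0xC0000064"),
    ("2018-04-28T09:05:01", 4625, "test", "10.9.9.9", "0xC0000064"),
    ("2018-04-28T09:05:02", 4625, "bob", "10.9.9.9", "0xC000006A"),
    ("2018-04-28T09:05:03", 4625, "carol", "10.9.9.9", "0xC000006A"),
]

def parse(events):
    return sorted((datetime.fromisoformat(t), eid, u, s, st) for t, eid, u, s, st in events)

def naive_rule(events, threshold=3, window=timedelta(minutes=5)):
    # Badly designed rule: N failures for one account inside the window -> alert.
    # It fires on alice's typos and never sees the 10.9.9.9 source trying many accounts once each.
    fails = defaultdict(list)
    for t, eid, user, _src, _status in parse(events):
        if eid == 4625:
            fails[user].append(t)
    return {u for u, ts in fails.items()
            if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1))}

def triage(events):
    # Per source host, collect the facts that justify a verdict instead of assuming one.
    by_src = defaultdict(lambda: {"fail_users": set(), "unknown_users": set(), "success_after": False})
    for _t, eid, user, src, status in parse(events):
        ev = by_src[src]
        if eid == 4625:
            ev["fail_users"].add(user)
            if status == "0xC0000064":
                ev["unknown_users"].add(user)
        elif eid == 4624 and user in ev["fail_users"]:
            ev["success_after"] = True  # the same host later logged that account in
    verdicts = {}
    for src, ev in by_src.items():
        if len(ev["fail_users"]) == 1 and ev["success_after"] and not ev["unknown_users"]:
            verdicts[src] = "likely false positive: one account, then a successful logon from the same host"
        elif len(ev["fail_users"]) >= 3 or ev["unknown_users"]:
            verdicts[src] = "suspicious: one source, many accounts, including names that do not exist"
        else:
            verdicts[src] = "needs analyst review"
    return verdicts
```

The naive rule returns only `{"alice"}`, while the triage output marks 10.1.2.3 as a likely false positive and 10.9.9.9 as suspicious, which is the kind of proof-backed distinction the labs are meant to teach.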
Labs should be designed to closely simulate real-world work. These will not be step-by-step walkthroughs, but realistic scenarios with supporting artifacts, as though a real ticket had been assigned to an analyst by a SOC/DFIR team lead.
In addition to the labs, we want a professional to work through each lab while explaining their logic and inferences, especially the ones that prove incorrect. Pitfalls and mistakes, and how to tell when you have made one, are so difficult to learn, and it is critically important for new analysts to understand them. In the SOC world, false positives plague us; knowing how to determine that an alert is a false positive with proof rather than assumptions is an important skill, but not one that is easily learned.
Too many SOCs end up hiring passionate candidates with no experience with the tools and skills they need to do their job. I dream of Tier 1 SOC analysts who have worked through realistic investigations and understand the basics of the job before they get hired. Currently we have no global standards for SOC skills, but we could. The first step is to have opportunities to see realistic scenarios before starting your first SOC job…