Sunday, March 14, 2010

Verizon Incident Sharing Framework

Earlier this month Verizon Business announced their Verizon Incident Sharing Framework (VerIS framework). This document is a means to describe digital security incidents, using four main groupings: 1. Demographics, 2. Incident Classification, 3. Discovery and Mitigation, and 4. Impact Classification.

The idea is to provide a framework that incident investigators can complete for every digital security incident. Using the output, security teams can better identify trends and recommend improved security strategies and tactics. For example, Verizon builds their Data Breach Investigation Report from the data its incident responders record in the VerIS framework format.

Verizon asked me to participate on a "board" affiliated with this project, so you can expect to hear more from me. Verizon started a Zoho Forum to discuss the framework, but I think a Wiki would better facilitate collaboration and development of the document. At work we are working on our next generation incident management system, so I think the VerIS framework might help us identify information to collect on incidents.

Saturday, March 13, 2010

Bejtlich Keynote at VizSec 2010

I am pleased to report that I've been invited to deliver the keynote at VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee for a third year and will be evaluating papers soon. Please visit my post on calls for papers for DFRWS, VizSec, and RAID. Thank you.

Wednesday, March 10, 2010

Bejtlich OWASP Podcast Posted

My appearance on OWASP Podcast 61 is available.

The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate.

We recorded the podcast in late January. Jim asked me the following questions:
  1. Would you care to tell us how you got into IT and what led you into a career in information security? What keeps you busy these days?
  2. What's the difference between focusing on threats vs focusing on vulnerabilities?
  3. What is your problem with the "protect the data" mindset?
  4. What do you mean by "building visibility in"?
  5. What is your take on the Aurora/Google hack?
  6. You just tweeted that "Network Security Monitoring ideology is the proper mechanism to combat APT/APA". Do you think network IPS/IDS/WAF can help defend insecure web applications? What are the limits of Network Security Monitoring?
  7. How important a role do you think secure coding and secure software development life-cycle play in defending the enterprise?
  8. Have HIPAA, PCI, SOX and other regulations helped reduce risk in the average enterprise?
  9. It seems pretty clear that attackers have a clear advantage. Why is that? How can we turn the tide?
  10. Any thoughts on OWASP? Are we helping the cause?
  11. Where are we going to be as an industry in 10 years?
  12. You blogged that "The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset." Given that we don't have any high integrity database, identities or application servers - how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?

Monday, March 08, 2010

Traffic Talk 10 Posted

I just noticed that my tenth edition of Traffic Talk, titled Pcapr.net -- where Web 2.0 meets network packet analysis, has been posted. From the article:

Solution provider takeaway: Pcapr.net is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis.

Not many networking solution providers are happy with the apparently limited number of network traces available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its Pcapr.net site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of Pcapr.net to see what features it offers networking solution providers, including network packet analysis.

Saturday, March 06, 2010

Einstein 3 Coming to a Private Network Near You?

In my Predictions for 2008 I wrote:

Expect greater military involvement in defending private sector networks... The plan calls for the NSA to work with the Department of Homeland Security (DHS) and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative."

Now in Feds weigh expansion of Internet monitoring we read:

Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future.

The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Greg Schaffer, assistant secretary for cybersecurity and communications, said in an interview that the department is evaluating whether Einstein "makes sense for expansion to critical infrastructure spaces" over time.

Not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly "vague" because of "excessive classification." The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.


The first step towards creating Cyber NORAD is instrumentation. Stay tuned.

Making a Point with Pressure Points

Imagine you're a martial arts student. One day you have a guest instructor, accompanied by some of his black belts. They're experts in so-called "pressure point fighting." You've heard a little of this system, whereby practitioners can knock out adversaries with a series of precise strikes that lack the power of a brute-force approach. Until today you've had no direct experience. You may be skeptical, or maybe you believe such techniques are possible.

The seminar starts. You watch the guest instructor explain his techniques. He starts knocking out his black belts. Maybe you believe what you see, or maybe you don't. Then the instructor asks for volunteers, and several of your fellow students agree. The instructor knocks them all out, including a student you really trust to not "take a fall" to make the guest "look good." You ask the student "what happened?" and he replies "that dude knocked me out!"

Next the black belts fan out through the class to help teach pressure point techniques. They ask you if you want to get knocked out with a three-strike technique, or if you just want to feel disoriented with a two-strike technique. You decide you're a believer at this point, but you want to see what it feels like to receive a two-strike technique. Sure enough, two rapid strikes later, you're wondering what happened but are still conscious. That's all you need to believe; you're glad you're not lying on the floor, out cold!

The class ends. Several bystanders were watching through the studio's windows. Some of them are laughing. They think the whole class was fake, a joke, or stupid. Some witnesses are curious. They believe what they saw and want to know more. A few ask questions. Others mumble to themselves incoherently, probably intoxicated or mentally ill.

One of the students decides to talk to a famous yet local news reporter about his experience. This widely-read newspaper reports the story the next day, attracting a lot of attention.

With a wider audience, an extended discussion takes place about this pressure-point fighting activity.

One company conducts a Webcast and a spokesperson says "my mom used to knock me out with a frying pan when I was a kid!" He also says there's no difference between pressure-point fighting and getting punched in the face.

Another company decides to register a domain name called "pressurepointfighting.biz" and starts talking about how it works, applying what they know from Western boxing. This misses the mark but uninformed observers can't really tell the difference.

A third company jumps on the pressure point fighting bandwagon, issuing supposedly original research, inventing its own analysis, and integrating the technique into its marketing material. It turns out someone at the company had a confidential agreement with the original pressure point fighting instructor, but unilaterally decided to take a few pages out of his notebook and run to the market to make a fast buck.

A fourth company knows a lot about pressure point fighting. It writes original reporting based on its experience. Critics claim this company is just offering marketing based on the new craze.

Reaction to the news among those without direct experience is mixed, as might be expected.

Some readers are martial artists themselves. They fear being irrelevant. They are afraid their skills are not sufficient. They decide to ridicule anyone who participated in the seminar, or who has knowledge.

Some readers distrust authority. They think these techniques are just a government conspiracy to justify additional police powers. The only reason anyone is talking about such affairs is their need to get greater budgets for their oppressive police powers, man!

Some readers think the whole affair is "fear, uncertainty, and doubt" (FUD). Who could knock out a person by hitting a few pressure points? It's all a lie, or just the latest craze. It must be fake.

Some readers have been learning and practicing pressure point fighting for the last several years. They know it isn't a joke, and it is real. Also, some readers without experience realize they should learn more about pressure point fighting. That knowledge could save their lives, or the lives of those close to them. These like-minded people communicate privately, since the public arenas are now clogged with too many false discussions.

Aside from the fact that advanced persistent threat is an adversary, and not a fighting technique, this story explains the last 6 weeks of APT activity in the security industry. Not all factors are included, but enough to make my point.

Incidentally, the pressure point class really happened, at least as far as the class content is described.

Keeping FreeBSD Applications Up-to-Date in BSD Magazine

The March 2010 BSD Magazine includes an article I wrote titled Keeping FreeBSD Applications Up-to-Date.

It's a sequel to my article in the January 2010 BSD Magazine titled Keeping FreeBSD Up-to-Date: OS Essentials.

Together, these two articles replace the versions I wrote in 2005.

I wrote these articles to demonstrate the variety of ways a system administrator can keep the FreeBSD operating system and applications up-to-date, with examples showing commands and effects.

Thursday, March 04, 2010

Bejtlich Teaching at Black Hat EU and USA 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.

Next is Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0.

Registration is now open. Black Hat has three price points and deadlines for registration remaining.

  • Regular ends 1 Apr

  • Late ends 11 Apr

  • Onsite starts at the conference


Finally we have Black Hat USA 2010 Training on 25-28 July 2010 at Caesars Palace in Las Vegas, NV. I will be teaching two sessions of TCP/IP Weapons School 2.0, one on the weekend and one during the week.

Registration is now open. Black Hat has set five price points and deadlines for registration.

  • Super Early ends 15 Mar

  • Early ends 1 May

  • Regular ends 1 Jul

  • Late ends 22 Jul

  • Onsite starts at the conference


Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, you will see that this class is all about developing an investigative mindset through hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I plan to retire TWS2 after Vegas this year and teach TWS3 in 2011, if Black Hat invites me back.

If you are weighing my class against SANS training, I recently described the differences between the two.

I look forward to seeing you. Thank you.

Bejtlich to Speak at FIRST 2010

I'm happy to report that I will present Building a Fortune 5 CIRT Under Fire at FIRST 2010 on 16 Jun 10 in Miami, FL. I plan to attend the majority of the conference, since it is one of the few focused on incident detection and response. I hope to see you there!

Monday, February 22, 2010

Information Security Jobs in GE-CIRT and Other GE Teams

I'm hiring for my team (GE-CIRT) again. The following summarizes open positions:

  1. Information Security Incident Handler (1145304); serious skills required

  2. Information Security Incident Analyst (1147842); intermediate skills required

  3. Information Security Event Analyst (1147849); extreme willingness to learn required

  4. Security Assurance Team Senior Analyst (1147811); intermediate skills required

  5. Security Assurance Team Analyst (1147853); extreme willingness to learn required

  6. Information Security Infrastructure Engineer (1147859); serious Unix and open source system and database administration skills required


Roles 1-3 involve incident detection and response. Roles 4-5 involve threat analysis, Red-Blue teaming, and internal consulting. Role 6 supports team systems. All roles have a bias towards hiring into our beautiful Advanced Manufacturing and Software Technology System in Michigan. I already have five guys working there and expect to have at least a dozen more on our team working there by the end of the year. In some cases I have multiple jobs available. Some of these candidates will report directly to me, while others will report to my senior team leaders.

If you hope to be referred by a GE employee, be sure to have that employee follow the Company referral policy. Do not apply on your own.

If interested in joining GE-CIRT, search for the indicated job numbers at ge.com/careers. I will not answer questions until potential applicants apply to the jobs, and then I will only do so through work channels. Thank you.

In addition to the roles listed above, other security teams in GE are hiring incident analysts with the job numbers listed below.

  • 1148549

  • 1147886

  • 1148555

  • 1142824


Also, GE Research is hiring for the following positions:

  • 1149708: Next Generation IT Security Program Manager

  • 1149697: Infrastructure Security Leader

  • 1149699: Infrastructure Security Architect

  • 1149705: Information Security Incident Response Leader

  • 1125694: Cyber Security Researcher