Friday, April 08, 2005

Thoughts on GFIRST Conference

Tuesday and Wednesday I attended the Government Forum of Incident Response and Security Teams (GFIRST) conference in Orlando, Florida. The event was organized by the Department of Homeland Security's Directorate of Information Analysis and Infrastructure Protection, which owns the United States Computer Emergency Response Team (US-CERT).

I spoke on Tuesday about network security monitoring with Sguil and open source tools. My talk went well, although I had a surprise encounter with ACID developer Roman Danyliw! He is currently chair of the Extended Incident Handling IETF working group and part of the CERT/NetSA (Network Situational Awareness) Team, creators of the System for Internet-Level Knowledge (SiLK) NetFlow suite.

Although I could only attend a few presentations, I was glad to see 2 1/2 talks by Red Cliff consultants. On Tuesday I saw Kevin Mandia speak about the state of incident response. On Wednesday I attended two talks by Curtis Rose. Curt's first talk introduced attendees to malware analysis on the UNIX platform. He explained how to reverse engineer a variant of the allinone.c backdoor by CNHonker's Lion. That material will appear as chapter 13 of our new book Real Digital Forensics.

In Curt's second talk he showed how to capture Windows process memory using userdump.exe, part of the Windows OEM Support Tools package. In a related story, Curt described how he did the forensics on the hard drive of Sami Omar Al-Hussayen. Curt also set up the network that Russian hackers Alexey Ivanov and Vasiliy Gorshkov thought was Invita Security.

One of the details that emerged from Curt's monitoring of the Invita Security network involved a password used by Alexey Ivanov. When accessing one of his drop sites, Alexey's FTP password was www.pidor.com (Internet Archive available). Think of what an unwary analyst might do with that information. Only someone who is monitoring Alexey's actions might know about www.pidor.com. Say that unwary analyst decides to visit www.pidor.com to learn more about the site. If Alexey or a friend is monitoring Web accesses to www.pidor.com, they could learn that they are being monitored. This case demonstrates how important it is for analysts to not "touch" remote or foreign sites involved in intrusions. You may tip your hand to the attacker and ruin an investigation or recovery effort.

I also attended a talk by Ron Plesco of the National Cyber-Forensics and Training Alliance. They work with the Internet Crime Complaint Center and the Digital Phishnet, and formed the operations plan for Operation Slam Spam.

In other .gov news, I learned a new term -- "Computer Network Defense Service Provider." There's an article describing how "The National Security Agency (NSA) has recommended the Defense Information Systems Agency (DISA) for a Level 2 accreditation (commendable performance) as a Tier 2 Computer Network Defense (CND) Service Provider." I also heard about the Cyber Annex to the DHS' National Response Plan and the privacy rules governing collection of information under the The E-Government Act of 2002.

No comments: