Monday, January 09, 2006

TCP/IP Weapons School and Network Stealth

I have ideas for two new TaoSecurity classes for 2006. I'd like to hear what you think of both concepts. These classes are in the planning phase now, but I will be more confident of advancing their progress if I receive positive feedback. The first class is TCP/IP Weapons School. I plan at least four days of material. The idea behind TCP/IP Weapons School is to teach TCP/IP packet analysis, with a twist -- all traffic will be generated by network security reconnaissance, exploitation, and communications tools. (The name is related to the US Air Force Weapons School.) This course is for attendees closer to the beginning of their network security career. It will be a cool way to learn TCP/IP, without the boring aspects of a typical "fundamentals" class. I plan to cover the most popular protocols seen when performing network security monitoring, intrusion detection, and network forensics. As a class participant, you'll learn how to interpret network traffic -- but also understand how security tools look when seen on the wire. I will probably teach this course solo, and I hope to introduce at least part of it at USENIX 2006 and potentially USENIX Security 2006.

The second class is Network Stealth. I plan at least two days of material. The idea behind Network Stealth is to teach how to evade network access control and detection systems. This course is for attendees with intermediate knowledge of packet analysis, such as TCP/IP Weapons School graduates. The core of the class will be network-based; there may be some host-level issues if people find that interesting. I plan to cover evasion and insertion attacks, a wide variety of covert channels, timing and volume attacks, and related ways to make life tough for security analysts. As a class participant, you'll learn how attackers can bypass your IDS, IPS, firewall, and other security measures so you can better deal with those events. I am currently brainstorming with a very skilled security analyst who I expect to teach the course with me. I hope to introduce this course at Black Hat USA 2006.

So what do you think? Do these sound like interesting classes?

15 comments:

Anonymous said...

Richard,
I think both are excellent ideas. Although far from being at the beginning of my network security career, it also sounds like an excellent refresher course for those of us who are not doing this on a day to day basis any longer.

Da Kahua


p.s. See you at ShmooCon

Chavez said...

Hi Richard,
both classes are great ideas so far. Although I'm not quite sure if these classes are of special interest at the beginning of a network security career. (I'm right at this point now.) :-)
Nevertheless both classes roused my interest. Actually it won't be possible for me to join the mentioned conferences, so will any materials be online for download somewhere? It would be really great to see e.g. an excerpt or so.

Chavez

said...
This comment has been removed by a blog administrator.
Anonymous said...

Richard,
I think these classes sound like great ideas. I think the low level knowledge of these apps and how they interact with TCP/IP and the network is critical to really understanding when a security event is taking place. This sounds like a good approach to understanding how these apps really work and what their output really means.

Looking forward to hearing you at ShmooCon.

DJordan

Anonymous said...

I would definitely be interested in the weapons class. I might be a little over my head in the NSM course since my *nix CLI is a work in progress, and I'm a little hesitant to think my skills are up to par with what that course might require.

stone

John Ward said...

Kind of interesting that you bring these up since I am writing an article following up on the proof of concept I mentioned previously. Hell, I'm not quite at the "beginning" of my career, but I would still be interested in these classes. You need to start teaching some more in my neck of the woods. When you do, I'll whoop you at a round of golf ;)

Anonymous said...

Good ideas. I'd love to see a course on extrusion detection techniques as well.
Not sure how the post about the Knight Rider DVD fits in...

Anonymous said...

Hi Richard,

I gave a class, similar to the TCP/IP Weapons Class, to an Army CERT team. The class was well received. I found that people who had some experience in this area found the class to be valuable as a refresher course, or they learned some things that they had not known.

Travis

Albert Gonzalez said...

Hey Richard,

Will the class be tailor-fitted to newcomers? Since I know A LOT of the MSSPs out there will hire fairly *new* people to the industry in an attempt to keep them longer. I have seen this at two previous locations where I worked. Let me know exactly which direction you're going.. might save me the time in writing the material myself here internally.

- Albert Gonzalez

Smitty said...

Yes, these classes sound good. I would be interested in them myself even though I am just starting my career in Security...

Brad

Anonymous said...

Hi Richard,

How will this class be different from SANS Intrusion Detection in Depth?

Yaser

Richard Bejtlich said...

Chavez,

I do not plan to post full class materials at any time. I may provide excerpts. I would not have much of a teaching career if anyone could download my material for free!

Albert,

I plan for the TCP/IP Weapons School to be for junior and intermediate security analysts. Experts are welcome but they are not the primary audience. Network Stealth will be aimed at intermediate and expert security analysts.

Anonymous,

Regarding SANS -- my classes have material that is newer than the 1996-era slides found in Track 3 ("Intrusion Detection In Depth"). For the last 8 years, at least, SANS has taught the same track 3 material -- 1 day on TCP/IP, 2 days on Tcpdump BPF syntax, 1 day on Snort, and 2 days on material that hasn't mattered since it was written (like the so-called "Mitnick Attack.") Of the six days, the Snort material is probably most relevant, since Snort was only added to Track 3 in 2002, I believe. My classes will also not have 50-100 students taught by one instructor. I plan to build VMs for VMware Player to support my classes -- VMs students can take with them. I taught Track 3 in 2002 and 2003, and I demand that my classes will be better in every respect. I believe those who have attended Network Security Operations will agree.

Anonymous said...

Hi Richard,

thanks for your answer regarding my question. Well, I acknowledge that's a very good point. :-)
So an excerpt or a TOC would be more than nice.

Chavez

CubicleLord said...

I'd definitely be interested in taking the TCP/IP weapons class. I'm at the beginning of my 'security' career and am looking for classes to get some hands on experience.

Scott said...

Snort was in in 2001 when I went. Marty was teaching the class then too....pre-2.0 days too.