Monday, July 20, 2009

SANS Forensics and Incident Response 2009 Summit Round-Up

I'd like to share a few thoughts from the second SANS WhatWorks Summit in Forensics and Incident Response, where I delivered the keynote. I could only attend the first day, but I thought it was definitely worthwhile. I was given a few questions which I promised to answer on this blog, so here they are.

With your background with Information Operations and cyber security, what would you advise the new U.S. Cyber Command? What should their priorities be?

I've written a lot on cyber command over the years. I believe their first priority is to create a real career path for cyber operators. Tools, tactics, and procedures are secondary to attracting and retaining talent. You can accomplish amazing feats if you have the right butts in the seats. Without that, you are guaranteed to fail. Part of that will involve identifying all of the people with cyber duties in the military. Once they have that part working, I would advise Cyber Command to think in terms of a Cyber NORAD.

Five years from now the Verizon Data Breach Report 2014 is published. What trend will be the "big red dot" in 2014? What will be your biggest surprise?

To clarify, the "big red dot" of 2009 was the huge number of records stolen by external parties, far exceeding internal intruders.

This is a really good question. I never see a future where insiders are more dangerous than outsiders. By insiders I mean people formally associated with an organization, e.g., employees, contractors, etc. Outsiders are people who are not formally associated with an organization. Insiders will remain capable of individual large incidents, but outsiders will continue to conduct repeated large and small incidents.

I will be really surprised if IPv6 is changing the way businesses operate in 2014. I think we may see internal business operations (like carrier networks) using IPv6, but I don't think we'll see a substantial user base for IPv6 by 2014. If that is not true I will be surprised.

What do you know about public/private partnerships to leverage known command and control servers? Is there any way for a CIRT to avoid third party notification by performing proactive detection?

There's a few options here. One is to join the Forum of Incident Response and Security Teams (FIRST). FIRST maintains a private mailing list that shares information among members. Another option is to look for private associations among peer businesses. A third idea is to make contact with the many volunteer and commercial security intelligence services organizations, including The Shadowserver Foundation, Support Intelligence, Secure Science, iDefense, and many others.

With the questions answered, I'd like to say I thought Summit organizer Rob Lee did a great job (again) keeping the event moving smartly. Kris Harms, Harlan Carvey, Jamie Butler/Peter Silberman, and Brendan Dolan-Gavitt all delivered great talks. The two user panels I saw (I missed the third) were also excellent.

I wanted to record a few tricks that Kris offered so I don't forget them.

  • Use the PsTools handle.exe app and grep for "pid\:" in the output to see a different sort of process list.

  • Grep handle.exe output for "Mutant" to see mutexes.

  • Pay attention to digital signature output in autorunsc.exe, particularly for results that are not signed and/or not verified; and signed but verification failed. Check hashes against

  • Remember to teach junior analysts a methodology, like:

    1. Determine if compromised.

    2. Develop investigative leads.

    3. Build a timeline.

    4. Determine how compromised.

    5. Suggest remediation measures.

    6. Assess impact of compromise.

While listening to the speakers, it was clear to me the differences between three communities:

  1. Intrusion detectors and responders

  2. Computer forensics investigators

  3. Litigation support and ediscovery investigators

I thought this slide by Jess Garcia from One eSecurity showing one practitioner's opinion on the variety of forensics tools was interesting.

I still need to try MANDIANT Audit Viewer. Jamie Butler and Pete Silberman noted that since MANDIANT Memoryze uses live analysis to access the Windows page file, they don't run into issues found when trying to combine a dead page file with a memory capture.

I'm looking forward to next year! If you do IR, you should try to be there.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.


ChikaBebe said...

thanks for the information
ChikaBebe | KisapMata

Anonymous said...

$1.3 million reasons to care Wow Accountability, Enforcement and Consequences. What a Concept!

Saturday, July 25, 2009
Contractor returns money to Pentagon

Apptis Inc., a military information technology provider, repaid $1.3 million of a $5.4 million Pentagon contract after investigators said the company provided inadequate computer security and a subcontractors system was hacked from an Internet address in China.

Privately held Apptis, based in Chantilly, returned the money in February "for services that were never performed" during a three-year military health-service contract awarded in November 2004, according to the Pentagon inspector generals semi-annual report.

Apptis agreed to the repayment after the Defense Criminal Investigative Service concluded the company and a subcontractor failed to provide "proper network security and information assurance services," according to the report, released in June.

The subcontractors system under Apptis management was intruded upon "with total access to the root network" from an Internet address in China, the report said. The report didnt say when the intrusion occurred. The Pentagon started its investigation in August 2007.

Under the contract, Apptis provided software maintenance, updates and testing for a Military Health System program that standardizes reporting of health costs and includes unclassified though sensitive personnel data, according to a government description of the program.

The case illustrates "an ongoing problem in protection of Defense Department information that is not under the complete control of the department," said special agent Paul Sternal, head of the criminal services cyber crimes unit, in an interview.

"Violations such as these will be getting more attention because of the increased emphasis on cyber security," Mr. Sternal said. The agency is conducting similar investigations of other companies, he said.

Pauline Healy, an Apptis spokeswoman, said in an e-mail, "The amount we paid was to settle any and all issues surrounding performance requirements to the mutual satisfaction of both parties." Mr. Healy said the "apparent intrusion" occurred with a subcontractors system.

Mr. Sternal wrote in a 2007 article for the government-published Journal of Public Integrity that there is no law or rule requiring defense contractors to report the loss of "sensitive but unclassified defense data through cyber theft."

"This lack of reporting requirements presents a national security vulnerability," he wrote.

President Obama is seeking to improve security in government computer systems. He said in May he will appoint a White House adviser to oversee the security of all government and business computer networks in response to widespread breaches and theft of information.

The Pentagon by September will publish proposed revisions to its acquisition rules that will require improved protection of Pentagon information in its contracts, spokeswoman Cheryl Irwin said in an e-mail.

Martin said...

I'm still confused about the excitement of the new cyber security command. Doesn't JTF-GNO and JFCC-NW
already provide that role? It seems to me they are polishing s**t and giving it a new name. It seems to me the biggest problem is policy enforcement,hiring&training qualified people.

Policy Enforcement:
The Dod has great policies that are already written but are just not being followed and enforced.If your command has an IAM that's a GS12 and or an O-3 and below that full bird or 2 star is going to bring his wireless device in a secured space whether you like it or not.

The navy only recruits individuals with high asvab scores be nuclear techs. They then spend another two years training the hell out of them before they go to thier first duty station. Why not follow that proven model? to me it seems like an easy fix , recruit people with high Asvabs scores the lock them in a room with ed skoudis,mike poor,muts (backtrack), H D Moore (metasploit),Richard Bejtlich , etc. and don't let them leave until they know how to attack or defend a network properly.

just my two cents.