Showing posts from February, 2012

Practical Malware Analysis Book Promotion

I'm very pleased to share news of an awesome new book titled Practical Malware Analysis by Michael Sikorski and Andrew Honig. The authors will present a Webinar on their book on Wednesday 29 February at 2 pm eastern. I was pleased to write the foreword, which ends with these words: If the malware authors are ready to provide the samples, the authors of the book you’re reading are here to provide the skills. Practical Malware Analysis is the sort of book I think every malware analyst should keep handy. If you’re a beginner, you’re going to read the introductory, hands-on material you need to enter the fight. If you’re an intermediate practitioner, it will take you to the next level. If you’re an advanced engineer, you’ll find those extra gems to push you even higher—and you’ll be able to say “read this fine manual” when asked questions by those whom you mentor. Practical Malware Analysis is really two books in one—first, it’s a text showing readers how to analyze modern malw

I Want to Detect and Respond to Intruders But I Don't Know Where to Start!

"I want to detect and respond to intruders but I don't know where to start!" This is a common question. Maybe you have a new security role in an organization, or a new service or business in your current organization, or some other situation where you want to find and stop attackers. However, you have no idea where to begin. Do you have the data you need? If not, what should you add? What do intrusions look like in the data you collect? These questions can be tough to answer from a purely theoretical perspective. I propose the following approach. First, conduct a tabletop exercise where you simulate adversary actions. At each stage of the imagined attack, consider what evidence an intruder might create while taking actions against your systems. For example, if you are trying to determine how to detect and respond to an attack against a Web server, you're almost certainly going to need Web server logs. If you don't currently have access to those logs, y

Impressions: Network Warrior, 2nd Ed

Five years ago I reviewed the first edition of Network Warrior by Gary A. Donahue. Thanks to O'Reilly I can post my "impressions" of the second edition of this great book. Although I read almost all of it, I am unable to post another review because my previous review is attached to the new edition. In brief, Network Warrior, 2nd Ed is the book to read if you are a network administrator trying to get to the next level. All of my praise from the previous review applies to the new book. The book is really that good, primarily because it combines very clear explanations with healthy doses of real-world experience. Thanks to Mr Donahue for taking the time to update his book!

Impressions: Windows Sysinternals Administrator's Reference

Mark Russinovich and Aaron Margosis have written another awesome addition to the Microsoft Press catalog, Windows Sysinternals Administrator's Reference. Per my policy, because I did not read the whole book, I am only posting "impressions" here and not a full review. In brief, this book will tell you more about the awesome Sysinternals tools than you might have thought possible. One topic that caught my attention was using Process Monitor to summarize network activity (p 139). This reminded me of Event Tracing for Windows and Network Tracing in Windows 7. I remain interested in this capability because it can be handy for incident responders to collect network traffic on endpoints without installing new software, relying instead on native OS capabilities. I suggest keeping a copy of this book in your team library if you run a CIRT. Thorough knowledge of the Sysinternals tools is a great benefit to anyone trying to identify compromised Windows computers.

Impressions: The Tangled Web

Six years ago I reviewed Michal Zalewski's first book, Silence on the Wire. Michal is a security researcher who has consistently created high-quality content for a very long time, so I was pleased to receive a review copy of his newest book The Tangled Web. I did not read the whole book, hence I'm posting only my "impressions" here. I recommend reading this book if you want to know a lot, and I mean a lot, about how screwed up Web browsers, protocols, and related technologies truly are. Because many points of the book are tied to specific browser versions, I suspect its shelf life will degrade a little more rapidly than some other technical titles. Still, I am shocked by the amount of research and documentation Michal performed to create The Tangled Web. As always, Michal's content is highly readable, very detailed, and well-sourced. It's a great example for other technical authors. Great work Michal!

The Toughest Question in Digital Security

The toughest question in digital security is "who cares?" The recent Tweet by hogfly (@4n6ir) made me ponder this question. He points to an Aviation Week story by David Fulghum, Bill Sweetman, and Amy Butler titled China's Role In JSF's Spiraling Costs. It says in part: How much of the F-35 Joint Strike Fighter’s spiraling cost in recent years can be traced to China’s cybertheft of technology and the subsequent need to reduce the fifth-generation aircraft’s vulnerability to detection and electronic attack? That is a central question that budget planners are asking, and their queries appear to have validity. Moreover, senior Pentagon and industry officials say other classified weapon programs are suffering from the same problem. Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say. The full extent of the connection is stil