Comments on TaoSecurity Blog: Request for Lab Ideas

Richard Bejtlich, 2005-08-26 19:00 (UTC-04:00):

Sean C, would you mind sending me email? richard at taosecurity dot com. Thank you.

Sean C, 2005-08-26 12:41 (UTC-04:00):

Hi Richard,

I am also a newbie to security, but thought I could offer some advice on content for your class. Not knowing the technical skill-set of the class (assume they know TCP/IP and networking basics), I'm sure it can be a challenge to make sure each student walks out of the class feeling they learned something.

My company recently enrolled me in an IDS class. There were plenty of new apps to play with (over 20). A simple problem, and one that I hope you can avoid, is supplying a simple "score-card" of what each app does. For example, in the IDS class, we touched:
1 - ISS RealSecure
2 - Snort
3 - ISDCenter
4 - ISDInformer
5 - Netcat
6 - NMap
7 - FPort
8 - Barnyard
9 - Acid
10 - TCPReplay
etc.

Keeping track of all the apps while in the class became a little daunting after the 3rd or 4th day. Being primarily a networking tech, even playing with UNIX or Linux was a novelty.

Overall, I greatly appreciate your comments on Amazon and your website. I look to you for guidance on introducing me to Security (and what's worth my time and what's not worth my time).
Thanks,
Sean

Anonymous, 2005-08-24 17:05 (UTC-04:00):

Richard,

Don't count on people to bring their laptop packed with all tools needed. I think a bootable CD which contains the tools needed will avoid multiple hours trying to troubleshoot compiling problems and still allows for a flexible lab setup using demonstrating hubs/taps/spans etc.

I think you should focus on detection and more specifically on analysis and correlation between different sources of information.
There are enough "hacking courses" that let you run diverse tools, but up to now I still need to find the first course that covers real-time detection scenarios.

I did like the forensics challenge of the Honeynet Project where you needed to find out how a box got hacked and create the timeline of the intrusion. Maybe you can use this kind of canned forensics exercise too.

Anonymous, 2005-08-24 04:35 (UTC-04:00):

I agree with the posts above that recommend that YOU provide and control the classroom environment.

A couple of years ago I attended a digital forensics class where each student was supposed to bring their own laptop configured with Linux. VERY specific instructions were provided, but many students failed to follow them. Throughout the week time was lost trying to get things to work properly on those systems. Those of us who followed the instructions felt like our time was being wasted by those who didn't (or couldn't) follow instructions.

A few weeks later I attended the Foundstone Forensics and Incident Response (taught in part by you) and the difference was amazing. NO time was lost trying to make misconfigured systems work.

The use of VMware is obvious. Also, you may want to take a look at VMware ACE. I have seen a couple of presentations about it and think it has some benefits in the classroom. With ACE you can create self-running VM images that can overcome the problem you cited with bootable CDs. I think you can even create these images in such a way that they will expire.

Of course this is one more software purchase that needs to be dealt with.

Then there is the non-technical time waster that is just as hard to control. Make sure that students have at least the basic knowledge necessary to understand the content of the class. I have attended (and I'm sure you have taught) classes where one or more students lacked even the basic skills necessary to understand the class content. Perhaps a pre-test for required skills would help.

Anonymous, 2005-08-23 12:19 (UTC-04:00):

Richard,

I hope that one day I can take one of your courses. Right now I'm more of a network guy than into security; however, I'm starting to dip more into security each and every day. Since I spend a lot of time in a Sniffer, it seems like the next logical step in my career (is to move into security).

For your labs, I'd imagine that the virtual stuff will work best because in just a matter of seconds you can restore the system back to its original config (in case you need to start over, or to try a different attack vector, etc.). Time is of the essence.

I'd like to see something like a 'Capture the flag' contest at Blackhat. Divide the group up into teams of 5 (provided that you have 15 folks present). Each team has to make notes of what attacks they tried on the other team(s) and report on how far they got into hacking into each environment. Plus report on how well their environment was protected during the attacks. (This example might be a stretch, but I had to mention it because I would like to think that the learning experience of this would be a real gem.)

Another would be for YOU (Richard) to be the attacker and for the teams to be the Network Security groups of different corporations. You've given each team of 5 people an environment to monitor and protect. For you Richard, you could probably just replay traces of attacks you've recorded or captured (it'll make it easier for you) so that you can assist the team(s) in protecting their environment and support them while you have the automated attack looping or a script running, etc.
Since time is of the essence, you might place focus on certain tools that are best utilized per attack.

Thanks for allowing us to make suggestions - hope they come in handy.

Chuck

Anonymous, 2005-08-23 09:27 (UTC-04:00):

Richard,

When I teach my Windows IR course, I rely pretty heavily upon "canned" exercises in order to teach the attendees skills and processes.

I include canned "infections" of malware, usually scripted through batch files and run off of the course CD. That way, it takes only a couple of minutes before a break to have the students insert the CD, then I run around the room (or have the lab asst. do it with me) and run the script that "infects" the systems. These are simple, easy to script, and the clean-up is scripted as well.

Here's what I suggest... use a combination of various types of canned examples. In one instance, use a canned tcpdump capture and let the attendees "explore" ways of examining it. In another, have something on one system that generates traffic, and have the attendees perform the captures themselves.

If this is the sort of thing you're looking for, let me know, and we can hash these out a bit.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous, 2005-08-23 00:29 (UTC-04:00):

I am a big fan of canned examples in training. A short story from my college days. I took a math class and it was overflowing with students to the point they split it into 2 sections. One was the "fast" section and the other was the "not so fast" section. The fast section was taught by the Prof. and the other section was taught by a PhD student. At the end of the term the "not so fast" group had covered more material than the "fast" group; I was in the fast group. The reason for this was ridiculously simple: the PhD taught from notes and the professor just figured it out in real time. The lack of notes caused time to be wasted. I think that doing things in the wild/ad-hoc captures would also cause you to spend time not covering the material, but dealing with problems. Use canned examples/captures; it will allow you to teach more material in the class.

marc
mspitzer@gmail.com

Anonymous, 2005-08-22 22:02 (UTC-04:00):

Richard, I wish I could offer more concrete suggestions, but I am still a newbie. However, teaching is something I would also like to do someday... quite a ways down the road though. :)

I would definitely suggest sticking to making students get on your environments as opposed to getting their laptops in sync with what you have. It might be that one student who paid the money and demands you get his gear to work winds up taking up lots of your time.

This sort of reminds me of one of the better-tuned books on networking: Computer Networks: Internet Protocols in Action (Jeanne Matthews), http://www.amazon.com/exec/obidos/tg/detail/-/0471661864/qid=1124762007/sr=8-1/ref=pd_bbs_1/104-4446557-6752704?v=glance&s=books&n=507846. Rather than spend time (both in the book and in her classroom setting) recreating traffic, she pre-captured traffic and let the students immediately open it up in ethereal. One of the best and simplest ideas!

What I would possibly most enjoy in a lab-based class would be seeing some of these tools in action against real-world sorts of attacks, both automated and human-driven, with both false positives and negatives thrown in, along with how to deal with them. To me, as a relative newbie, I would love to see what these tools are made for and to get my feet wet in playing with them... nothing huge and fancy (unless you had the class time and enthusiasm from the group!)... but enough to get me really going. I would not want to spend too much time on environment or network setup.

I truly wish I could take one of your classes, and someday I hope to have that opportunity as I have greatly enjoyed your books, blog posts, and insights.

-LonerVamp