Showing posts with the label splunk

Bejtlich Joining Splunk

Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity. Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will be Senior Director for Security and Intelligence Operations, reporting to our CISO, Joel Fulton. I will help build teams to perform detection and monitoring operations, digital forensics and incident response, and threat intelligence. I remain in the northern Virginia area and will align with the Splunk presence in Tyson's Corner. I'm very excited by this opportunity for four reasons. First, the areas for which I will be responsible are my favorite aspects of security. Long-time blog readers know I'm happiest detecting and responding to intruders! Second, I already know several people at the company, one of whom began this journey by Tweeting about opportu...

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud. Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15-day free trial of Splunk Cloud that will index 5 GB per day. If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.) I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox. First I registered for the free Splunk Cloud trial online. After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation. I learned that I needed to ins...

Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days

Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report. In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online. In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around. These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats. Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary. They are listed in no particular order.

Seth Hall (Bro): Watching for the APT1 Intelligence
Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
Chris Sanders: Making the Mandiant APT1 Report Actionable
Symantec: APT1: Q&A on Attacks by the Comment Crew
Tekdefense (NoVA Infosec): MASTIFF Analysis of APT...

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system. As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

r200a# uname -a
FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.
*******************************************************************************
* ...

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked: I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify between your class and SANS 503, Intrusion Detection In-Depth. Would you be able to provide some advice? That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers. Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform t...

Thanks for a Great Incident Detection Summit

We had a great SANS WhatWorks in Incident Detection Summit 2009 this week! About 100 people attended. I'd like to thank those who joined the event as attendees; those who participated as keynotes (great work Ron Gula and Tony Sager), guest moderators (Rocky DeStefano, Mike Cloppert, and Stephen Windsor), speakers, and panelists; Debbie Grewe and Carol Calhoun from SANS for their excellent logistics and planning, along with our facilitators, sound crew, and staff; our sponsors, Allen Corp., McAfee, NetWitness, and Splunk; and also Alan Paller for creating the two-day "WhatWorks" format. I appreciate the feedback from everyone who spoke to me. It sounds like the mix of speakers and panels was a hit. I borrowed this format from Rob Lee and his Incident Response and Computer Forensics summits, so I am glad people liked it. I think the sweet spot for the number of panelists might be 4 or 5, depending on the topic. If it's more theoretical, with a greater chance of ...

Sample Lab from TCP/IP Weapons School 2.0 Posted

Several of you have asked me to explain the difference between TCP/IP Weapons School (TWS), which I first taught at USENIX Security 2006, and TCP/IP Weapons School 2.0 (TWS2), which I first taught at Black Hat DC 2009 Training last week. This post will explain the differences, with an added bonus. I have retired TWS, the class I taught from 2006-2008. I am only teaching TWS2 for the foreseeable future. TWS2 is a completely brand-new class. I did not reuse any material from TWS, my older Network Security Operations class, or anything else. TWS2 offers zero slides. Students receive three handouts and a DVD. The handouts include an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide. The DVD contains a virtual machine with all the tools and evidence needed to complete the labs, along with the network and memory evidence as stand-alone files. TWS2 is heavily lab-focused. I've been teaching professionally since 2002, and I've r...

Splunk on FreeBSD 7.0

Although there is not a version of Splunk compiled natively for FreeBSD 7.0, I was told to try using Splunk 3.4.1 on FreeBSD 7.0 via FreeBSD's compat6x libraries. I did the following:

freebsd70:/usr/local/src# pkg_add -v splunk-3.4.1-45588-freebsd-6.1-intel.tgz
Requested space: 106458852 bytes, free space: 1565927424 bytes in /var/tmp/instmp.HhNhQk
Running pre-install for splunk-3.4.1-45588-freebsd-6.1-intel..
extract: Package name is splunk-3.4.1-45588-freebsd-6.1-intel
extract: CWD to /opt
extract: /opt/splunk/README.txt
extract: /opt/splunk/bin/btool
extract: /opt/splunk/bin/bunzip2
...edited...
extract: /opt/splunk/splunk-3.4.1-45588-FreeBSD-i386-manifest
extract: CWD to .
Running post-install for splunk-3.4.1-45588-freebsd-6.1-intel..
----------------------------------------------------------------------
Splunk has been installed in:
   /opt/splunk

To start Splunk, run the command:
   /opt/splunk/bin/splunk start

To use the Splunk Web interface, point your browser...

Windows Syslog Agents Plus Splunk

I've been mulling strategies for putting Windows Event Logs into Splunk. Several options exist.

1. Deploy Splunk in forwarding mode on the Windows system.
2. Deploy a Syslog agent on the Windows system.
3. Deploy OSSEC on the Windows system and send OSSEC output to Splunk.
4. Deploy Windows Log Parser to send events via Syslog on a periodic basis.
5. Retrieve Windows Event Logs periodically using WMIC.
6. Retrieve Windows Event Logs using another application, like LogLogic Lasso or DAD.

I'd done number 2 before using NTSyslog, so I decided to see what might be newer as far as deploying Syslog agents on Windows goes. I installed DataGram SyslogAgent, a free Syslog agent, onto a Windows XP VM. It was very easy to set up. I pointed it toward a free Splunk instance running on my laptop and got results like the following. I noticed some odd characters inserted in the log messages, but nothing too extraordinary. Next I tried the other modern free Syslog agent for Windows, SNARE. Developmen...

Wanted: Incident Handler with Mentoring Skills

Previously I posted Wanted: Incident Handler with Reverse Engineering/Malware Analysis Skills. That article noted our GE Careers job posting (843369). We received several great candidates with reverse engineering and malware skills, but none in Cincinnati. Therefore, I am shuffling the positions a bit. The RE/malware person does not need to reside in Cincinnati, but now I need a different incident handler definitely located in Cincinnati. The incident handler in Cincinnati should meet the following requirements.

Strong incident handling skills. I want this person to be able to speak authoritatively and confidently when dealing with internal business partners. (This is not a job supporting external customers.)

Strong mentoring skills. This candidate will interact daily with our Command Center personnel. The Command Center will be the 24x7 component of our Incident Response Center. This incident handler will need to be a mentor and coach for the Command Center analysts, although...

Splunk on Ubuntu 8.04

I've been using Splunk at work, so I decided to try installing the free version on a personal laptop. Splunk is a log archiving and search product which I recommend security professionals try. Once you've used it you will probably think of other ways to leverage its power. Anyone can use a free version that indexes up to 500 MB per day, so it's perfect for a personal laptop's logs. This machine runs Ubuntu 8.04. By default Splunk installs into /opt. Unfortunately when I built this system, I didn't create a /opt partition, and / is too small. So, I decided to create a symlink in /var/opt and accept the rest of the defaults when installing Splunk.

root@neely:/usr/local/src# ls -d /opt
/opt
root@neely:/usr/local/src# rmdir /opt
root@neely:/usr/local/src# ln -s /var/opt /opt

Next I installed the .deb that Splunk provides. I've also used the .rpm on Red Hat Enterprise Linux.

root@neely:/usr/local/src# dpkg -i splunk-3.3.1-39933-linux-2.6-intel.deb
Selecting p...