Analyst Journal @ 02 Dec 2008 01:37 pm by ayoi
Initially I wanted to post a series of i-Hack Defense Challenge packet capture analyses using NetWitness Investigator, but while I was in the middle of meddling around with the Investigator's features and functions, one of the Analysts came and asked me a series of questions about the knowledge and skills required. Besides being the first analyst ever to come and ask me those questions, the most interesting question he asked was "Where to start?" So, trying to be a good person (hopefully), I asked him to join me for a tea break so we could discuss the topic more freely, which in the end we did in a heavy downpour. Not a good decision, I guess..
So, below are the suggestions that I made to him. They are based on my own learning experience: reading books, articles and blogs, and attending trainings.
You can build the system either on a real machine or through virtualization with VMware. As for me, I just use VMware (I don't have the financial means or the space to have separate machines for testing).
1. System or Operating systems
Here I have to agree with Ed Skoudis' statement that an analyst should understand and acquire the knowledge of using different operating systems. This is important because an analyst should be able to identify abnormal behavior of these operating systems from their logs, processes or other means. In fact, you need to be able to implement defensive measures on these platforms as well. So the Linux vs Windows or Linux vs BSD arguments can be securely deleted from the analyst's mind.
This phase can itself be divided into 3 subphases.
a) Installation
OK, OK, maybe some of you might argue that not much can be done during a Windows Server installation, but then installing Windows XP and Windows 2003 is not exactly the same. Maybe you can provide some input here..
For Linux or Unix-variant operating systems, you can start by selecting different types of installation. Perhaps start with a full installation, then move to more specific options such as the server package set. If you want the machine to be a web server, perhaps use a custom installation where you select only the necessary packages.
From there you can start to identify the differences between these options in terms of performance, processes, memory and processor usage, running services, open ports, etc.
b) Administration
I think you need to grab at least the basic system administration skills, especially patch management, housekeeping, log review, and process and performance monitoring. This is when you should learn the command-line kung fu stuff like WMIC etc. I guess the CLI is still the tool of the trade for administration. That's my opinion, btw.
c) Hardening/protection
This is a good practice, btw. Identify what kind of protection mechanisms you need for the system. At the least you need a file integrity checker and anti-virus. Of course you should enable only the necessary applications on that particular system: minimize services and applications (part of a defensible network, ya' know). You might add a Host-based Intrusion Prevention System (HIPS), but I would advise you to evaluate these applications, especially for any impact on your system performance. Meaning, if you are setting up a web server running Apache that offers a CMS, identify the appropriate defense mechanisms, like Apache's mod_security, having tripwire enabled, and perhaps its own firewall enabled as well.
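As an added example (not from the post), a minimal file-integrity check in Python that captures the core of what tripwire does: hash every file under a monitored root, then report anything added, removed or modified on the next run. The directory layout and file contents in demo() are constructed for illustration.

```python
# Minimal file-integrity baseline checker (added example, not from the post).
# Records a SHA-256 digest per file under a monitored root, then re-hashes and
# reports anything added, removed or modified, the core of what tripwire does.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file (path relative to root) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots; empty lists mean a clean check."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "httpd.conf").write_text("ServerTokens Prod\n")
        (root / "index.html").write_text("<h1>hello</h1>\n")
        baseline = build_baseline(root)
        # Simulate drift: config edited, page deleted, unexpected file dropped.
        (root / "conf" / "httpd.conf").write_text("ServerTokens Full\n")
        (root / "index.html").unlink()
        (root / "unexpected.php").write_text("<?php ?>\n")
        return compare(baseline, build_baseline(root))
```

In practice the baseline would be written to read-only or off-host storage, since an attacker who can edit files can also edit a baseline kept beside them.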
So that's the first step for you to take, and I do welcome any additional input on this subject. We shall continue later, on the networking side.
p/s: I think OWASP provides a few guidelines on building secure systems and how to test them, so it would be a good reference when you start doing this.
Let me laugh for a moment..
Don't forget, Jon: http (55170)
HAHAHAHAHHAHA!!!..
Mind lending me your brainZ!
Who asked that, bro? Anyway, this is a nice article to share, hope I can share it with the SAs here since I think they seriously need it.
I guess nobody asked, LOL. I'll make another post about that. Hahaha.. Anyway, feel free to share this post if you find it useful. I am more than glad, plus flattered.
Zia: Muzni is asking to meet up on the 6th.. Want to?
The 6th is a Saturday.. nice, that's my off day..
Inform me of the time & place and I'll arrive like a rocket..
Mehmehmehmeh..
ps: Still laughing whenever I recall Muzni getting startled and his reflexes in the car on the way back from Madinah
Oi oi, what's that http 55170 thing? I want to laugh too..
mehmehmeh..
It's nothing, Jon.. just having some fun at work..
ps: Repeat No More!!
–heh.. Lesson learned & please refer to your senior