The talk that I presented during the Infosec.my technical forum this year was Network Security: 3 Key Elements, where the key elements are process, technology and human. I had the idea to give a presentation on that topic based on my observation and experience in this field (OK, not that long though). Most of our competitors emphasise how advanced their technology is when managing their clients' network security. Well, I am from the old school in this field, where I believe technology only exists to assist humans in performing their tasks. From the email that I received this morning, I know how right I am in this matter.


Since acting as the head of a new unit in my department, I’ve noticed that most of the time my job has become less technical and more of a high level kind of thingy. I attend meetings, devise a training series for the analysts, write reports (which I hate most) and yeah, make presentation slides as well. But from time to time, I do miss doing analysis, looking at the logs and alerts, reconstructing attackers’ activities from our logs and many other stuff. As I seldom touch my lappy at home due to the attention required by my children, especially the twins, I’ve found it hard sometimes to cope with the workload. I know that I have this so called designated assistant, where I am the one who recommended his employment, but recently I just decided to move him back into the SOC. I believe he needs more knowledge, especially on our operations. Anyway, I dun think I will recommend anyone else after this.


A few weeks ago I did a presentation on our department’s general workflow. I’d prepared some presentation slides and some handouts showing the workflow (I tried my best to be as clear as possible) and everything was fine at that time. Soon afterward one of my colleagues complained that the stakeholders affected by the workflow seemed to have either only partially understood my presentation or been totally clueless about it. Hence I ended up scratching my head trying to figure out what went wrong (no wonder my CSO is having less hair ;) )


We had a lively discussion yesterday. Yeah, quite lively. Topics ranged from issues with the applications and tools that we use up to macro things like basic security knowledge/understanding etc. One of the issues is that most of the SAs (security analysts) find that the current tools they use are not user friendly, too cumbersome, not too helpful and yeah, lacking guidelines on how to use them…

Regarding these guidelines, I have to admit that we are supposed to have some simple documented guideline on the usage of the application (besides the overall process of Detection and also perhaps IRH), but after a while I realized that some of the SAs actually did not want that kind of guideline. What they wanted is how to perform the analysis or Identification process (based on the feedback that I’ve received from some of them). And yes, I do remember that during my time at The Client site, I was asked by The Client to prepare some SOPs on how to analyze security events (fascinating, huh). I told them that what I could do was prepare some general guidelines, and I even stated in those manuals or SOPs that by no means would those guidelines and SOPs be definitive. If I could produce what The Client wanted, I might as well write a book on how to be a Security Analyst. Sigh

Anyway, one of my colleagues pointed out one good point. He said that this is not a case of SAs being overwhelmed or confused by the tools and application interfaces; they merely want some guidelines like the ones that I prepared for The Client (or sort of; but given their spoon-fed attitude, no surprise). My colleague did mention that the current applications and tools allow the analyst to see or perform their analysis from different angles and views. Meaning the analysts should or must know what to find, when to start investigating, what kind of information is needed, where to find that kind of information and also HOW to make use of the application’s or tool’s features in order to perform their identification process.

Tools like Sguil, Ethereal, Wireshark, OSSIM etc. only have guides on how to make use of the application’s features, but none on HOW to perform your analysis (of course). It seems that most of these SAs failed to grasp the fundamental point that these applications merely assist them in performing their analysis, and not the other way around. Let me put it with this Wireshark example.

OK, I purposely disabled the coloring rules for this packet capture file. By default, anyone who uses this tool must know the features or capabilities that Wireshark offers, must know what to find/look for, and must understand the information presented to them by Wireshark (in this case, the protocols).

IF you dun have such knowledge then I believe:

a). You will say that this tool is too cumbersome, not user friendly etc.

b). You might as well complain to the seniors that this tool is not suitable for your usage.

c). IF this tool is mandatory for u to use, then you will cry for guidelines (in this case even the Wireshark help file will be deemed not that helpful), because actually you want a guideline on how to digest or understand the information presented.

I think I have to stop now. Wait for part two…

Yeah, rumours. Rumours say that I have to go back to The Client site for another post and for another 2 years. I had no problem with The Client previously, but I feel that I’ve done my stuff/work there (I won’t say I’ve done an exceptional job there, but AFAIK it was up to expectation). So far I feel that I’m comfortable with my current surroundings, my tasks and the freedom that I have in order to perform my tasks and job.

hmm

Ahh, this idiom came into my mind when one of my former colleagues told me that one of our competitors will not entertain any job application from our staff (especially for security analyst posts). Why? Because one of our former “analysts” joined their company a couple of years ago and they were quite surprised by her level of “knowledge”.

Surprised? Not me tho. In fact, I expected this kind of situation would surface once these fellas went out applying for similar jobs at other companies. Well, they thought having the degree or certificates could guarantee them the job that they applied for. Surprisingly (not so), some of them who have been working for a number of years as analysts still fail to grasp the proper tasks, knowledge and skills required of an analyst.

Bahh… enuff mumbling. I think I sound like a broken record. To be honest, I’m kinda fed up :P

Btw, before you start to install anything, please understand what these applications are meant to do.

Hmm.. I better keep my mouth shut now

A few days ago, one of my colleagues pointed out in his email an article on securityfocus.com which really attracted my attention. His email was titled “scary”.

After reading the whole article, I do agree with the author’s views and opinions. In fact, most of his points in that article were already mentioned by Mr Bejtlich in his books, The Tao of Network Security Monitoring: Beyond Intrusion Detection and Extrusion Detection: Security Monitoring for Internal Intrusions. That’s why I always recommend these two books to those who have any interest in or plan to be in this security industry, especially future Security Analysts. Let me quote a few of the interesting points in the article, each followed by my comment.

The highly publicized network intrusion seemingly underscores the claim by many hackers that most, if not all, network security defenses are useless and that defenders are far better off not wasting money on an intrusion detection system (IDS), intrusion prevention system (IPS) or an antivirus solution. A skilled attacker, the mantra goes, can easily bypass these defenses.

If you read the books that I’ve mentioned above, you’ll notice that Security is defined as the process of maintaining an acceptable level of perceived RISK, where RISK = Threat x Vulnerability x Asset Value. Usually we put a lot of effort into reducing the RISK by reducing or eliminating the Vulnerability factor. However, this effort will be undermined by the characteristics of the intruder: some of them are smarter than the defender (you) and they are unpredictable, hence every network will eventually be compromised. Once we have this kind of perception, then perhaps we might religiously follow the security processes (assessment, protection, detection and response), as we realize that Security Management by Belief only leads to failure.

“The biggest problem by far is that the majority of these devices output logs that quickly become ignored after they are installed. This is due to a lack of training for personnel who need to not only be able to interpret the logs, but also verify the accuracy of them. That verification is done by comparing the logged alerts to the actual traffic itself. Unfortunately, too many IT security analysts lack the knowledge to do just that.

Now system administrators and IT security analysts alike should both have a very good understanding of the TCP/IP protocol suite. By studying and understanding these protocol blueprints, the analyst will come away with the knowledge of what normal protocol behavior looks like.”

I have to agree on this point. Especially for the local security scene. Looking for a capable Security Analyst is like searching for Cinderella without having the benefit of her glass slipper. I’m not claiming that I am a good analyst who should be the role model (as there are many better analysts out there), but from my observation during the interviews that I’ve conducted for some time and also from my observation of our current team, the obvious thing is that they lack fundamental knowledge not only of security but of networking as well. As an example, of the 6 or 10 candidates that I’ve interviewed recently, only one managed to answer when I asked about the TCP handshake. And even then he only stressed the TCP control flag exchange. If you don’t have this kind of knowledge, then how can you identify the exact time the intruder established a connection to the victim? The difference between SYN flood attacks and NMAP -sS? People performing port scanning? Who is performing the scanning and who is responding? How to trace the communication using the sequence numbers? And of course, if you are using Snort for your detection engine, then how can you create / fine tune the Snort rules or understand the reason why the alerts triggered?

“Having the knowledge to understand how a protocol such as DNS behaves would also allow you to spot a hacker removing documents from your network. After all, it would be rather unusual to see a prolonged series of packets on UDP/TCP Port 53 with a size of 1540 bytes. So we know that if a network gets hit with a zero-day hack or other such stealthy vector that we should still hopefully be able to uncover the attack by the hackers desire to move data from the network.

This investigative approach presumes that the corporate network is logging all traffic. Recording all data traffic is almost a necessity, as it is rather hard to confirm the veracity of any IDS or IPS alert if you have no packets to look at.”

Definitely. There is not much you can see and derive from Snort syslog output. Only the src and dest IPs and ports with the alert messages. How can you perform your analysis? How do you know whether the alerts really indicate something malicious is happening or the alerts are false positives? I know there are limitations on how much of every type of data can be stored. But to avoid this kind of confusion, at least we should have session data stored for analysis.

“A lot can be done, however, by stressing the basics and leveraging existing knowledge. There is nothing magical or secretive in these methods. Even though the attacker may be very good, what comes in, must eventually come out. That is where you can almost certainly find them. Hackers that proclaim that they can come and go silently like the wind and bypass all network defenses are a threat only in the movies.

Intruders Who Can Communicate with Victims Can Be Detected. How true it is. Every phase of a compromise indicates that intruders’ activities can be viewed / monitored / detected. Intrusion is not magic. Intruders’ behaviour and methods can be studied and understood, provided that the defender knows what they are looking at, what they are looking for and where to look. The only time an intrusion goes undetected is when the alerts are not monitored properly or the analyst fails to understand the decision making logic of the detection systems.

Again, let me put these three scenarios on the need to collect the right information and to have a skilled analyst:

*Without IDS*
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. Bypassed the firewalls, and the attack patterns didn’t match any rules in the IPS, so no blocking actions. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS without proper Collection Process*
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. Bypassed the firewalls, the attack patterns didn’t match any rules in the IPS so no blocking actions, and the attack patterns didn’t match any rules in the IDS so no alerts triggered. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS with proper Collection Process*
An attacker attacks using 0-dayz exploits exploiting 0-dayz vulnerabilities on a workstation. Bypassed the firewalls, the attack patterns didn’t match any rules in the IPS so no blocking actions, and the attack patterns didn’t match any rules in the IDS so no alerts triggered. The victim complains and we can start investigating with the data that was collected. Update the signatures and perhaps feed them to the IPS and IDS, plus the information gathered can be used for legal purposes.

~ No one is judged anymore by how they prevent incidents. Everyone gets hacked. Instead, organizations are judged by how they detect, respond, and recover ~

The article title is “Catch Them If You Can” and you can read it here.

What do you think?

Recently (not that recent maa) we received this kind of alert, which triggered some discussion between us.

[**] [1:2000538:5] ET SCAN NMAP -sA (1) [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/10-13:59:00.891305 192.168.4.20:80 -> 192.168.4.127:256
TCP TTL:44 TOS:0x0 ID:56012 IpLen:20 DgmLen:40
***A**** Seq: 0x11BBA413 Ack: 0x5A5D56A9 Win: 0x400 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS162]

There were 250 identical alerts triggered, which triggered my curiosity as well (which also means that I require your input).

Here is the rule that triggers the alert:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)

Anyway, as we dun have the benefit of looking into the actual traffic, what I can do is try to guess or simulate the traffic that may trigger the alerts.

So the main issue is that while the alerts show 192.168.4.20 performing nmap -sA scanning of 192.168.4.127 from port 80, some of my colleagues did tell me that it’s the other way around.

Meaning that actually 192.168.4.20 is responding to requests from 192.168.4.127. I tried a few times to craft a request that might trigger the response which triggers the alerts.

So if any of you can help me craft a request that can provide this kind of response:

13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072

13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024

13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072

13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024

13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096

13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024

13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072

13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072

I am more than glad and grateful to receive/read/listen to your views/opinions/advice.

Anyway, here is the simulation that I tried and a simple analysis of it: anal1.pdf
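To check the quoted rule against the quoted tcpdump lines, here is an added Python helper (not from the post or the simulation PDF): it parses the old-style tcpdump summaries, evaluates the rule’s header tests and reports what the eight packets have in common. It assumes the DF bit is clear, since that tcpdump format does not print it, and it does not evaluate the $EXTERNAL_NET / $HOME_NET direction, which depends on the sensor’s variables.

```python
import re
from collections import Counter

# Constructed copy of the eight tcpdump lines quoted in the post above.
TCPDUMP_LINES = """\
13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072
13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024
13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072
13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024
13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096
13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024
13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072
13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072
"""

# Classic tcpdump TCP summary: "<flags> [seq:seq(len)] [ack N] win W".
# A lone "." means none of S/F/R/P is set; ACK is shown by the "ack N" field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_line(line):
    """Turn one tcpdump summary line into the header fields the Snort rule tests."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    flags = {c for c in m.group("flags") if c in "SFRP"}
    if m.group("ack") is not None:
        flags.add("A")
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags, "win": int(m.group("win")),
        "dsize": int(m.group("len") or 0),   # no "(len)" field means no payload
    }


def matches_sid_2000538(pkt, df_set=False):
    """Header tests of the rule quoted above: flags:A,12; dsize:0; window:1024; fragbits:!D.

    df_set is an assumption: this tcpdump format does not print the DF bit.
    """
    return (
        pkt["flags"] == {"A"}     # only ACK set; the ECN bits (1,2) are ignored by the rule
        and pkt["dsize"] == 0     # dsize:0
        and pkt["win"] == 1024    # window:1024
        and not df_set            # fragbits:!D
    )


def summarize(lines):
    """Triage view: who talks to whom, spread of ports/windows, and which packets the rule fires on."""
    pkts = [parse_line(l) for l in lines.splitlines() if l.strip()]
    return {
        "sources": sorted({"%s:%d" % (p["src"], p["sport"]) for p in pkts}),
        "dst_ports": sorted({p["dport"] for p in pkts}),
        "windows": sorted(Counter(p["win"] for p in pkts).items()),
        "all_ack_only_no_payload": all(p["flags"] == {"A"} and p["dsize"] == 0 for p in pkts),
        "rule_hits": [p["dport"] for p in pkts if matches_sid_2000538(p)],
    }


if __name__ == "__main__":
    for key, value in summarize(TCPDUMP_LINES).items():
        print("%-24s %s" % (key, value))
```

Only the three win 1024 packets satisfy the rule, which matches the Win: 0x400 in the alert above; one further check the lines allow is that RFC 793 specifies a RST, not another bare ACK, as the reply from a port with no matching connection to an unexpected ACK.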

What a week. I think I nearly lost my voice after 4 days of conducting training. A good response from the participants, and of course the first 2 days were the most challenging period of the training. To be honest, at the end of each day I think I’d drained all the energy that I had, not only from conducting the training but also from assisting my colleagues with our MSS implementation at one of our most fussy (my view ONLY maa) clients so far.

Btw, as I haven’t bought any new books in the last two months, I decided to print some articles from the Internet for light reading during my travel time from home to office (yeah, I use the LRT, both Putra and Star, to get to work). One of the articles really attracted my attention. The article title is Analyzing Malicious Code and of course you can download the article from hackin9.org. Why did I find that article interesting?

Because for my personal knowledge enhancement, I plan to add malware/botnet/virus analysis to my skills. Initially I was waiting for resources to implement honeypots at our company (and I also ordered the book Virtual Honeypots: From Botnet Tracking to Intrusion Detection), but due to some circumstances (also due to the tight schedule that I have) I had to put off the plan for a “while”.

The article does show a methodology for performing the analysis, and maybe I can start by analyzing viruses or malware without having the honeypots implemented (yet). And of course offensivecomputing will be one of the references, besides honeynet.org. I’ve also asked one of my colleagues here to assist or provide some guidance while performing this type of analysis.

Hopefully I can find some time to do all these things (I have another 3 sessions of 4 days training to conduct) and meanwhile perhaps I can start by downloading all the necessary tools. Wish me luck (especially in finding free time) ;)

Adam’s impression when I decided to go for malicious code analysis

It’s not about the car, OK? It’s about me. From a young and immature lad to a (still) young man who has a lovely wife, 2 lovely and very very naughty daughters, and is blessed with a twin or two boys under his responsibility. From a young lad who was hoping to ply his trade in the corporate world (yeah, I did take the ICSA course and, to be honest, got through to the pre-professional papers) to a person who finally found his niche or his passion in the ICT world. From a young lad who worked in numerous startup companies to one who has hopefully settled down at a public listed company. And from a person who learned about company administration (from law to company secretarial practice) to a person who fell in love with ICT, especially networking and security.

And now it seems that I am back to where I started. Instead of dealing more with technical stuff, I mean doing analysis work, I’ve been given tasks that deal more with the bird’s-eye view or macro level. Anyway, I can still perform the necessary research and development on improving our capability to provide world class solutions to our clients. As our company provides services and solutions instead of selling products, I still do believe that our most precious asset is the knowledge possessed by our staff. Any products, in our case SIEM/SEM/SIM, are basically the same as our competitors’, and the only thing that will differentiate one MSSP from another is the pool of knowledgeable and competent human resources providing good, quality services. And of course the proper development, training and career path/layout of this asset needs to be carefully planned and implemented.

Sometimes I do feel that I’m inching away from my original task every single day. And yeah, I do wonder whether it is because I am deemed not competent to perform my original tasks and that’s why I’ve been given other tasks? Maybe.. I can’t answer that either..
