Yes, my HOD asked me to conduct an interview session tomorrow for the Security Analyst posts available here. Well, as usual I’ve prepared a series of questions to ask the candidates. And no, I won’t reveal the questions here. It is not that I dun want to be called “poyo” again, but I think this time the questions will be really, really, really easy and very basic. No tcpdump output stuff, no incident identification from packet dumps, no Snort alert interpretation stuff, and no more what-do-you-think-about-IDS-IPS stuff either. What’s the point of asking those questions when I know 90% of the candidates will probably fail to answer them?

How bout asking about IDS deployment in a network? Maybe not, as I think nobody can or will answer that. Maybe I shud ask about a basic network diagram? I used to ask the candidate to draw a simple diagram of a network that has basic security devices, either inline or passive, but still nobody answered it. I didn’t expect anybody to answer perfectly. Nobody is perfect and nobody is NOBODY. (Wifey used to reply “I am Nobody” when I say “nobody is perfect”.)

So for tomorrow, I’m just looking for anybody who has the right attitude, the passion and the level of knowledge needed for the post. (When you have the right attitude and the passion, I do believe that you have the basic knowledge and skills as a result of DIY, googling and trial-and-error methods. Agree?)

So for the candidates who will attend the interview session tomorrow, I wish them good luck and please…

Do a simple Google search on anything about ICT Security, and of course about the Security Analyst role.

Good luck.

OK, this is the second part of the previous post here.

For security monitoring, the most important factor is the HUMAN factor. Without a knowledgeable and skillful analyst who can properly dissect the output presented to them by the tools, the detection process will definitely fail at the Identification level. If they fail to provide any useful context for the output or indicator produced, then how can they produce an appropriate warning? It doesn’t matter how advanced the application is or how comprehensive the guidelines are, because at the end of the day these analysts fail to understand what they are looking at, what actually happened and what the appropriate reactions are.

According to one of NSM’s Principles:

“Indicators are collected and analyzed. Products perform collection because people need assistance in interpreting the network traffic. People perform analysis, as a product or tool will only provide outputs or conclusions about the traffic, but PEOPLE will provide context based on the situation and network environment.” Unless we have super-intelligent tools that can replace human decision making and intuition, this statement remains true.

In the previous post I provided a simple example using Wireshark. I will use that example again.

The KEY point here is simple: IF you know what you are looking for, where to look, and consequently understand what the tool is presenting to you (the outputs), then you will have few or no complaints about using that tool.

From the information presented by Wireshark, we know that a SYN Flood attack occurred. From the general view, the attack source seems to be many hosts sending to 192.168.2.127. We also know that the targeted port increases with each packet coming from these hosts. Agree? But you might say that, due to the increasing destination port (incrementing by 1), perhaps the source hosts are performing an Nmap -sS scan?

Well, the TCP control flags involved in those two types of traffic (SYN Flood and Nmap -sS) might be the same (the SYN flag), but the objective is totally different. Scanning or reconnaissance is the act of information gathering, meaning that when you send a request, you want to know the reply. In the Nmap -sS case, when you send a SYN packet to a machine on a specific port, you want to know whether the service using that port is running or not, based on the response given by the targeted machine. A SYN + ACK response indicates the service on the targeted port is available, while a RST + ACK shows otherwise.

As an example (this scan is targeted at a closed https port):

ayoi# nmap -sS 192.168.2.126 -p 443

Starting Nmap 4.52 ( http://insecure.org ) at 2008-05-02 22:01 MYT
Interesting ports on 192.168.2.126:
PORT    STATE  SERVICE
443/tcp closed https

MAC Address: 00:1E:C9:BA:E0:8E (Dell)

And the packets will be:

22:01:55.144824 IP 192.168.2.7.47264 > 192.168.2.126.443: S 3725734349:3725734349(0) win 3072 <mss 1460>
22:01:55.145338 IP 192.168.2.126.443 > 192.168.2.7.47264: R 0:0(0) ack 3725734350 win 0
22:01:55.246070 IP 192.168.2.7.47265 > 192.168.2.126.443: S 3725799884:3725799884(0) win 2048 <mss 1460>
22:01:55.246394 IP 192.168.2.126.443 > 192.168.2.7.47265: R 0:0(0) ack 3725799885 win 0

Note the flags: S in the probe and R (with ack) in the reply. Btw, how on earth does Nmap know that 192.168.2.126 is using a Dell NIC? Of course, based on the first 3 bytes of the MAC address. The first 3 bytes of a MAC address belong to the manufacturer. :D

OK, proceed with the open port scanning result (MSSQL port):

ayoi# nmap -sS 192.168.2.126 -p 1433

Starting Nmap 4.52 ( http://insecure.org ) at 2008-05-02 22:07 MYT
Interesting ports on 192.168.2.126:
PORT     STATE SERVICE
1433/tcp open  ms-sql-s

MAC Address: 00:1E:C9:BA:E0:8E (Dell)

Nmap done: 1 IP address (1 host up) scanned in 0.818 seconds

Let’s see the packets generated by this activity:

22:07:26.614121 IP 192.168.2.7.39401 > 192.168.2.126.1433: S 2210806291:2210806291(0) win 4096 <mss 1460>
22:07:26.614298 IP 192.168.2.126.1433 > 192.168.2.7.39401: S 1072455176:1072455176(0) ack 2210806292 win 16384 <mss 1460>
22:07:26.614312 IP 192.168.2.7.39401 > 192.168.2.126.1433: R 2210806292:2210806292(0) win 0

So from this kind of response you know which ports or services are available and which are not.

As for SYN Flood attacks, you definitely do not want any response from the targeted machine. Your main purpose is to bring down the machine or any service running on it. So many SYN-flagged packets are sent to the targeted machine with spoofed IPs as the sender, meaning the targeted machine will reply to non-existent hosts. Agree?
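The distinction drawn above (a scanner wants the reply, a flooder never sees it) can be turned into a small piece of detection logic. The following is an added example, not code from the original post: it reads the tcpdump/WinDump one-liners shown on this page, groups bare SYNs by source IP, notes which sources the target actually answered, and gives a verdict. The thresholds (`min_sources`) are assumptions chosen for illustration, not tuned values.

```python
"""Tell a SYN scan from a SYN flood using tcpdump/windump one-line summaries.

Added example for this post. It applies the post's reasoning: a scanner is a real
host that wants the SYN/ACK or RST/ACK back, while a flood presents many
one-shot 'hosts' whose replies, if any, go nowhere.
"""
import re
from collections import defaultdict

# Matches the address/flags part of a classic tcpdump line, e.g.
#   192.168.2.7.47264 > 192.168.2.126.443: S 3725734349:3725734349(0) win 3072 <mss 1460>
# It works for both the plain 'IP' style and the '-e' style (MAC-prefixed) lines on the page.
PKT_RE = re.compile(
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFUWE.]+) (?P<rest>.*)$"
)

# Lines copied from the post: Nmap -sS against a closed port (443) and an open port (1433).
SCAN_LINES = [
    "22:01:55.144824 IP 192.168.2.7.47264 > 192.168.2.126.443: S 3725734349:3725734349(0) win 3072 <mss 1460>",
    "22:01:55.145338 IP 192.168.2.126.443 > 192.168.2.7.47264: R 0:0(0) ack 3725734350 win 0",
    "22:01:55.246070 IP 192.168.2.7.47265 > 192.168.2.126.443: S 3725799884:3725799884(0) win 2048 <mss 1460>",
    "22:01:55.246394 IP 192.168.2.126.443 > 192.168.2.7.47265: R 0:0(0) ack 3725799885 win 0",
    "22:07:26.614121 IP 192.168.2.7.39401 > 192.168.2.126.1433: S 2210806291:2210806291(0) win 4096 <mss 1460>",
    "22:07:26.614298 IP 192.168.2.126.1433 > 192.168.2.7.39401: S 1072455176:1072455176(0) ack 2210806292 win 16384 <mss 1460>",
    "22:07:26.614312 IP 192.168.2.7.39401 > 192.168.2.126.1433: R 2210806292:2210806292(0) win 0",
]

# The WinDump summary lines of the SYN flood from the post (hex bodies omitted).
FLOOD_LINES = [
    "12:31:05.298444 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 138.248.102.217.2898 > 192.168.2.127.4: S 1224680571:1224680571(0) win 512",
    "12:31:06.299688 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 75.4.79.22.2899 > 192.168.2.127.5: S 937274104:937274104(0) win 512",
    "12:31:07.301244 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 222.140.18.61.2900 > 192.168.2.127.6: S 725808845:725808845(0) win 512",
    "12:31:08.302673 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 107.230.246.46.2901 > 192.168.2.127.7: S 382745863:382745863(0) win 512",
]


def parse_line(line):
    """Return the TCP 5-tuple and a set of flag letters, or None for a non-TCP line."""
    m = PKT_RE.search(line)
    if not m:
        return None
    flags = set(m["flags"]) - {"."}           # '.' means 'no flag letter'; ACK is printed as 'ack N'
    if re.search(r"\back \d+", m["rest"]):
        flags.add("A")
    return {"sip": m["sip"], "sport": int(m["sport"]),
            "dip": m["dip"], "dport": int(m["dport"]), "flags": flags}


def profile(lines, target):
    """Per-source view of SYN traffic aimed at `target`.

    syns maps each source IP to the destination ports it sent bare SYNs to;
    answered is the set of source IPs the target replied to with SYN/ACK or RST/ACK.
    """
    syns = defaultdict(list)
    answered = set()
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["dip"] == target and pkt["flags"] == {"S"}:
            syns[pkt["sip"]].append(pkt["dport"])
        elif pkt["sip"] == target and "A" in pkt["flags"] and pkt["flags"] & {"S", "R"}:
            answered.add(pkt["dip"])
    return dict(syns), answered


def probed_ports(lines, target):
    """Sorted destination ports hit by bare SYNs (the post notes these step by 1 in the flood)."""
    syns, _ = profile(lines, target)
    return sorted({p for ports in syns.values() for p in ports})


def classify(lines, target, min_sources=3):
    """Illustrative verdict; min_sources is an assumed threshold for this example."""
    syns, answered = profile(lines, target)
    if not syns:
        return "no-syn-traffic"
    one_shot = all(len(ports) == 1 for ports in syns.values())
    # Flood fingerprint from the post: many apparent hosts, one SYN each, and any
    # answers from the target go to addresses that never speak again.
    if len(syns) >= min_sources and one_shot:
        return "syn-flood"
    # Scan fingerprint: one or a few real sources that re-probe, and the SYN/ACK or
    # RST/ACK coming back from the target is exactly what the prober came for.
    if len(syns) < min_sources and answered:
        return "syn-scan"
    return "undetermined"


if __name__ == "__main__":
    for name, lines, target in (("scan", SCAN_LINES, "192.168.2.126"),
                                ("flood", FLOOD_LINES, "192.168.2.127")):
        print(name, classify(lines, target), probed_ports(lines, target))
```

Run it as-is and the Nmap capture is labelled `syn-scan` (one source, target answering) while the WinDump capture is labelled `syn-flood` (four one-shot sources, ports 4 through 7, nothing coming back). The thresholds are deliberately simple; in a real sensor the same per-source bookkeeping would be fed from a live capture and the verdict tuned to the network.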

Back to the packets captured and shown in Wireshark: based on the Layer 2 information we can also identify that those spoofed IPs are coming from one source. Take note of the MAC address: each packet has a different source IP but the same source MAC address.

OK, the packets shown below are not exactly taken from Wireshark; I used WinDump (too lazy to do screen capture and Photoshop editing).

12:31:05.298444 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 138.248.102.217.2898 > 192.168.2.127.4: S 1224680571:1224680571(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 4688 0000 4006 7f4f 8af8 66d9 c0a8
0x0020:  027f 0b52 0004 48ff 247b 66b4 2cad 5002
0x0030:  0200 ecb7 0000
12:31:06.299688 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 75.4.79.22.2899 > 192.168.2.127.5: S 937274104:937274104(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 592a 0000 4006 c464 4b04 4f16 c0a8
0x0020:  027f 0b53 0005 37dd aaf8 3a03 9c6f 5002
0x0030:  0200 8c00 0000
12:31:07.301244 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 222.140.18.61.2900 > 192.168.2.127.6: S 725808845:725808845(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 8fb7 0000 4006 3728 de8c 123d c0a8
0x0020:  027f 0b54 0006 2b42 f6cd 3959 22eb 5002
0x0030:  0200 7043 0000
12:31:08.302673 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 107.230.246.46.2901 > 192.168.2.127.7: S 382745863:382745863(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 3fdf 0000 4006 15b5 6be6 f62e c0a8
0x0020:  027f 0b55 0007 16d0 3d07 4156 a244 5002
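The two observations made above, that the manufacturer sits in the first 3 bytes of the MAC address and that every spoofed source IP arrives behind the same source MAC, can both be checked mechanically against these hex dumps. The following is an added example, not code from the original post: it converts the `0x0000:` rows into bytes, decodes Ethernet II, IPv4 and TCP by hand, tolerates the fourth frame whose last row is missing from the page, and then reports how many source IPs each source MAC is claiming. The OUI table is a tiny constructed one (Dell from the Nmap output on this page, plus VMware's 00:0C:29), standing in for the full IEEE registry. One caveat worth keeping in mind: the many-IPs-behind-one-MAC indicator only means spoofing when the sensor shares the L2 segment with the apparent senders, as in this lab; behind a router every remote IP legitimately carries the gateway's MAC.

```python
"""Decode the WinDump hex dumps from the post and compare Layer 2 with Layer 3.

Added example for this post. Pure standard library: no scapy, no pcap file.
"""
import struct
from collections import defaultdict

# The four frames exactly as dumped on the page. The last one is truncated as the
# page shows it (no 0x0030 row), so the decoder has to cope with a partial TCP header.
DUMPS = [
    """0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 4688 0000 4006 7f4f 8af8 66d9 c0a8
0x0020:  027f 0b52 0004 48ff 247b 66b4 2cad 5002
0x0030:  0200 ecb7 0000""",
    """0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 592a 0000 4006 c464 4b04 4f16 c0a8
0x0020:  027f 0b53 0005 37dd aaf8 3a03 9c6f 5002
0x0030:  0200 8c00 0000""",
    """0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 8fb7 0000 4006 3728 de8c 123d c0a8
0x0020:  027f 0b54 0006 2b42 f6cd 3959 22eb 5002
0x0030:  0200 7043 0000""",
    """0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 3fdf 0000 4006 15b5 6be6 f62e c0a8
0x0020:  027f 0b55 0007 16d0 3d07 4156 a244 5002""",
]

# Constructed mini OUI table: Dell is taken from the Nmap output on the page,
# 00:0C:29 is VMware's well-known OUI. A real tool would load the IEEE registry.
OUI_TABLE = {"00:1E:C9": "Dell", "00:0C:29": "VMware"}

# TCP flag bits in the 13th byte of the TCP header, with tcpdump's letters.
FLAG_BITS = ((0x02, "S"), (0x10, "A"), (0x04, "R"), (0x01, "F"), (0x08, "P"), (0x20, "U"))


def hex_dump_to_bytes(dump):
    """Turn 'offset:  xxxx xxxx ...' rows into the raw frame bytes."""
    out = bytearray()
    for row in dump.strip().splitlines():
        _, _, words = row.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def vendor(mac):
    """Manufacturer from the first 3 bytes (the OUI), as Nmap does with its own table."""
    return OUI_TABLE.get(mac[:8].upper(), "unknown OUI")


def tcp_flags(byte):
    return "".join(name for bit, name in FLAG_BITS if byte & bit)


def decode_frame(raw):
    """Ethernet II + IPv4 + TCP header fields; a cut-off TCP header yields partial results."""
    if len(raw) < 34:
        raise ValueError("frame shorter than Ethernet + minimal IPv4 header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (20 here)
    ip_len = struct.unpack("!H", ip[2:4])[0]      # total length claimed by the IP header
    frame = {
        "dst_mac": fmt_mac(raw[0:6]), "src_mac": fmt_mac(raw[6:12]),
        "ip_len": ip_len, "ip_id": struct.unpack("!H", ip[4:6])[0],
        "ttl": ip[8], "proto": ip[9],
        "src_ip": fmt_ip(ip[12:16]), "dst_ip": fmt_ip(ip[16:20]),
        "captured": len(raw), "truncated": len(raw) < 14 + ip_len,
    }
    if frame["proto"] != 6:                       # not TCP: stop at the IP layer
        return frame
    tcp = ip[ihl:]
    if len(tcp) >= 8:
        frame["sport"], frame["dport"], frame["seq"] = struct.unpack("!HHI", tcp[:8])
    if len(tcp) >= 14:                            # flags byte present even in the cut-off frame
        frame["flags"] = tcp_flags(tcp[13])
    if len(tcp) >= 16:                            # window is what the missing row would carry
        frame["window"] = struct.unpack("!H", tcp[14:16])[0]
    return frame


def decode_dumps(dumps):
    return [decode_frame(hex_dump_to_bytes(d)) for d in dumps]


def ips_per_mac(frames):
    """Source MAC -> set of source IPs seen behind it."""
    seen = defaultdict(set)
    for f in frames:
        seen[f["src_mac"]].add(f["src_ip"])
    return dict(seen)


def spoofing_indicator(frames, min_ips=2):
    """MACs fronting several source IPs. Only meaningful on a shared L2 segment
    (behind a router all remote traffic legitimately wears the gateway's MAC)."""
    return {mac: sorted(ips) for mac, ips in ips_per_mac(frames).items() if len(ips) >= min_ips}


if __name__ == "__main__":
    frames = decode_dumps(DUMPS)
    for f in frames:
        print(f"{f['src_mac']} ({vendor(f['src_mac'])}) {f['src_ip']}:{f.get('sport')} -> "
              f"{f['dst_ip']}:{f.get('dport')} flags={f.get('flags')} "
              f"win={f.get('window', '?')} truncated={f['truncated']}")
    print("one MAC, many IPs:", spoofing_indicator(frames))
```

Decoding the four dumps reproduces the summary lines WinDump printed (source ports 2898 to 2901, destination ports 4 to 7, bare SYN, window 512), flags the fourth frame as truncated while still recovering its SYN flag, and reports a single source MAC, 00:0c:29:f3:a6:39, behind all four public-looking source addresses.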

So again, it doesn’t matter what kind of tools or applications you are using; the most important thing is that you understand and know how to properly dissect the information presented. Once you know what, when, how and why to analyse, and which information is relevant, then you can start demanding or perhaps insisting on having the right tools to give you the right information for performing your tasks, not just mere guidelines.

Do you have the required TEPES to be a Security Analyst?

T = Talent

E = Education (formal and informal; and yes, certification is just an added bonus, and you must show that you REALLY deserve to have those certificates)

P = Professionalism (right attitude maa)

E = Experience

S = Skills

If the answer is YES, do not hesitate to email me your CV, and even if the answer is NO but you think you can perform the tasks required, you can email me as well.

Have the guts?

Yeah, big plans for my life (which of course include my family) and for my current department. For my family, of course it’s about upgrading our standard of living. Nothing else. Well, for all these years I’ve worked for my family (everybody does, I guess) and will try my best to provide comfort, security and a good education for my children.

And for my current department, I have a few plans that need to be put on paper first, as I believe only in that way will ppl recognize and understand what I am trying to do. At least IF I move away from the current company, perhaps I’ve done a few good things to improve the quality of services and perhaps the process as well. I owe my current company a lot (in the sense of knowledge, skills, experience and many others) and that’s why I do feel that sometimes I didn’t give back enuff.

Hopefully my plans will materialize :)

That’s the thing that keeps playing in my mind since I was contacted by one of my former colleagues. After all these years I still feel grateful and blessed for the things and events that have happened in my life. When I joined my current company as a security analyst, there were plenty of questions and goals that I asked myself. For a start I just looked on the internet to learn about the job description (apart from the ones stated in my offer letter), the required skills and knowledge, plus the responsibilities. From there I started to improve and acquire the necessary skills and knowledge in order to perform my security analyst tasks. But as I was stationed at the client site, the one obvious thing I lacked was the resources to perform my own R&D, simulations and other things, even though there were plenty of learning materials available to enhance my knowledge, skills and capability.

Out of frustration, I got my own lappy - thanks to wifey anyway (cheap, but u dun have any idea how many things I’ve learned from using this ol’ friend) and, coupled with VMware, I proceeded with my own education. Of course, I also started improving my soft skills, especially when dealing with clients (day-to-day interaction maaa), and performed some minor in-house training as well. And when transferred to the HQ, I was presented with plenty of time to continue my education (to be honest, one of the best aspects of working here is the learning environment, encouraged by our bosses’ planned knowledge-sharing sessions, technical write-ups, etc., and yeah, we do have K-based workers here ;) )

From working shifts, I’ve been upgraded to normal working hours (and yeah, I’ve been promoted to Senior Security Analyst as well, and that happened on my 1st day at the HQ) and now I’ve been given tasks that I initially thought were not suitable for me, but after consultation with wifey and long hours of self-review, I started to accept this transition as well.

My goal? First of all, I want to be an asset to my company instead of a liability. Secondly, to show them that I am worth more than what they are paying me now, and I have to substantiate that claim with the knowledge, skills, capability and improvement I have made since I joined the company 4 years ago. How? By executing the tasks (related tasks ok? Installing NMS is not in the tasks) bestowed upon me professionally :)

One more thing, I think I can call myself an undergraduate of the University of Google :P

Let’s see what the future has in store for me; I’m looking forward to it (or moving forward? ;P)