Today, my colleague from another department and I had an interview session with one of the local newspapers. The topic was the oldest trick in security: Social Engineering. It was fun; we made it a knowledge sharing session in forum style, just to get rid of the formality and tense climate. Everything went well, even though I had a few things I wanted to share but, perhaps for lack of short notes and time, simply forgot (my bad).

Mostly we explained and shared our experience of dealing with this attack technique. I guess most of us aren’t aware that almost every day people perform social engineering activities, with or without knowing it.

Hopefully the readers can learn a few things, especially on dealing with this kind of attack in the future. As the famous saying goes, by whom I dun quite remember,

“The weakest link in ICT Security is the human”

After the interview. Photo shoot session

Photo shoot

I dun have any appropriate post topic actually, but let me sum up whatever I have in my head.

For yesterday’s interview, like I mentioned in my previous post, I didn’t expect too much, and boy, that helped. On the happy note, most of the candidates showed a lot of passion and seemed to have the right attitude to be in this industry, but perhaps that is because whenever you are in an interview, you try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude, rite? But as I am a good person, I just gave good recommendations for the higher management to decide. Sad note? I think it is better for me to keep it to myself.

On the other hand, I think I am getting more and more of a macro view on the overall picture of my current work. It seems that I (think I) managed to pull all the strings together: use other information to relate to my current work and somehow see the bigger picture. I have to admit that I do miss doing full blown tasks like research and learning new things fully (not on an ad hoc basis), and reading properly (like my assembly thingy), but I think I can live with that for now. I’ve downloaded all the packets listed on openpacket.org, but for now that’s all. Hope I can play with those later on; still not finished with the brute force thingy either.

Hopefully I can finally manage to do all the stuff I love to do, but for now, I think I am doing just fine.

Ahh.. I’ve noticed that my poyo interview questions attracted some interest here. Unfortunately the replies were not that accurate, so let me elaborate, or just give the answers here.

Q1: If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?

A1: No port. The ICMP protocol structure has no port field. The type and code are processed by the receiving machine and the appropriate response is given.

Q2: Based on this information (handshake2.txt), point out the handshake packets.

A2: Packet 7, packet 9 and packet 10. Take note of the TCP control flags AND the sequence numbers.

Q3: What kind of event can you derive from this trace file: trace1.pdf

A3: Port scanning using the SYN flag, or nmap -sS.

Q4: And what kind of event can you derive from this trace file: trace2.pdf

A4: SYN FLOOD. I used hping2 to create these packets. So what’s the difference from trace1? Scanning is a form of information gathering, meaning you need to receive and read the responses from the targeted machine, while when flooding a system you DO NOT WANT its responses. :)

Q5: Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic (traffic_a.pdf)?

A5: Possibly that port 443 was used for other means. HTTPS is an encrypted channel, and there’s no way an IDS (without an SSL terminator/SSL proxy/SSL accelerator in front of it) can observe its traffic and produce content alerts on it. So yes, when you see uid=0 and gid=0 in a supposedly encrypted channel, you need to investigate further.

Q6: With the existence of IPS, what do you think of the relevance of IDS?

A6: This is merely an opinion question, so IMHO the IDS is still relevant. In terms of deployment, an IPS is an inline device which needs super correct detection/prevention rules, or zero false positive rules; in this perspective, most of the time only confirmed, selective rules will be implemented. An IDS is a passive device which never interrupts the network flow. So when an attack comes along that the IPS rules don’t recognise or filter (due to false positive risk), the IDS becomes the safety net (in the sense of alerting for investigation). I’ve posted many times on this matter so I won’t elaborate more.
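As an added example (not from the post or its trace files), here is the kind of check A2 and A4 ask for, run over a constructed tcpdump-style trace: the handshake is found by matching flags together with sequence/acknowledgement numbers, and a SYN source is told apart as scanner or flooder by whether it spreads over ports and uses the replies, or hammers one port and never completes a connection. The hosts, trace lines and thresholds are all made up.

```python
import re
# Constructed tcpdump-style trace (1-based packet numbers) standing in for the page's trace files:
# 192.168.1.10 probes two ports, 192.168.1.20 opens a real session, 172.16.0.9 floods port 80.
TRACE = """\
192.168.1.10.51000 > 10.0.0.5.53: Flags [S], seq 100, ack 0
10.0.0.5.53 > 192.168.1.10.51000: Flags [R.], seq 0, ack 101
192.168.1.10.51001 > 10.0.0.5.22: Flags [S], seq 200, ack 0
10.0.0.5.22 > 192.168.1.10.51001: Flags [S.], seq 900, ack 201
192.168.1.10.51001 > 10.0.0.5.22: Flags [R], seq 201, ack 0
172.16.0.9.1025 > 10.0.0.5.80: Flags [S], seq 1, ack 0
192.168.1.20.40000 > 10.0.0.5.80: Flags [S], seq 1000, ack 0
172.16.0.9.1026 > 10.0.0.5.80: Flags [S], seq 2, ack 0
10.0.0.5.80 > 192.168.1.20.40000: Flags [S.], seq 5000, ack 1001
192.168.1.20.40000 > 10.0.0.5.80: Flags [.], seq 1001, ack 5001
172.16.0.9.1027 > 10.0.0.5.80: Flags [S], seq 3, ack 0
"""
LINE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\], seq (\d+), ack (\d+)")

def parse(trace):
    pkts = []  # one dict per line; n is the 1-based packet number as a sniffer would print it
    for n, line in enumerate(trace.splitlines(), 1):
        src, sport, dst, dport, flags, seq, ack = LINE.match(line).groups()
        pkts.append(dict(n=n, src=src, sport=int(sport), dst=dst, dport=int(dport), flags=flags, seq=int(seq), ack=int(ack)))
    return pkts

def answers(prev, p, flags):
    """p comes later, flows back along prev's socket pair, carries `flags` and acks prev.seq + 1."""
    back = (p["src"], p["sport"], p["dst"], p["dport"]) == (prev["dst"], prev["dport"], prev["src"], prev["sport"])
    return p["n"] > prev["n"] and p["flags"] == flags and back and p["ack"] == prev["seq"] + 1

def find_handshakes(pkts):
    """Packet numbers (SYN, SYN/ACK, ACK) of each completed handshake: flags AND sequence numbers (A2)."""
    found = []
    for a in (p for p in pkts if p["flags"] == "S"):
        for b in (p for p in pkts if answers(a, p, "S.")):
            for c in (p for p in pkts if answers(b, p, ".") and p["seq"] == a["seq"] + 1):
                found.append((a["n"], b["n"], c["n"]))
    return found

def classify_source(pkts, src):
    """A4: a scanner spreads SYNs over ports and uses the replies; a flooder hammers one port, never completing."""
    syns = [s for s in pkts if s["src"] == src and s["flags"] == "S"]
    replied = any(answers(s, p, f) for s in syns for p in pkts for f in ("S.", "R."))
    completed = {h[0] for h in find_handshakes(pkts)} & {s["n"] for s in syns}
    if len({s["dport"] for s in syns}) > 1 and replied and not completed:
        return "SYN scan"
    if len(syns) >= 3 and not completed:
        return "SYN flood"
    return "benign"
```

On this constructed trace the handshake lands on packets 7, 9 and 10, and the same SYN flag means three different things depending on who answers and whether the sender ever finishes.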

So that’s it. :P

Yes, my HOD asked me to conduct an interview session tomorrow for the Security Analyst posts available here. As usual, I’ve prepared a series of questions to ask the candidates. And no, I won’t reveal the questions here. It is not that I dun want to be called “poyo” again, but I think this time the questions will be really really really easy and very basic. No tcpdump output stuff, no incident identification from packet dumps, no snort alert interpretation stuff, and no more what-do-you-think-about-IDS-IPS stuff either. What’s the point of asking those questions when I know 90% of the candidates will probably fail to answer them?

How about asking on IDS deployment in a network? Maybe not, as I think nobody can or will answer that. Maybe I shud ask about a basic network diagram? I used to ask the candidate to draw a simple diagram of a network that has basic security devices, either inline or passive, but still nobody answered it. I didn’t expect anybody to answer perfectly. Nobody is perfect and nobody is NOBODY. (Wifey used to reply “I am Nobody” when I say “nobody is perfect”.)

So for tomorrow, I am just looking for anybody that has the right attitude, the passion and the level of knowledge required for the post. (When you have the right attitude and the passion, I do believe you have the basic knowledge and skills as the result of DIY, googling and trial-and-error methods. Agree?)

So for the candidates who will attend the interview session tomorrow, I wish them good luck and please…

Do a simple google search on anything about ICT Security, and of course about Security Analyst.

Good luck.

A few days ago, one of my colleagues pointed out in an email one of the articles on securityfocus.com that really attracted my attention. His email was titled “scary”.

After reading the whole article, I agree with the author’s views and opinions. In fact, most of his points in that article were already mentioned by Mr Bejtlich in his books, The Tao of Network Security Monitoring: Beyond Intrusion Detection and Extrusion Detection: Security Monitoring for Internal Intrusions. That’s why I always recommend these two books to those who have any interest in or plan to be in this security industry, especially future Security Analysts. Let me quote a few of the interesting points in the article, followed by my comments.

“The highly publicized network intrusion seemingly underscores the claim by many hackers that most, if not all, network security defenses are useless and that defenders are far better off not wasting money on intrusion detection systems (IDS), intrusion prevention systems (IPS) or antivirus solutions. A skilled attacker, the mantra goes, can easily bypass these defenses.”

If you read the books I’ve mentioned above, you’ll notice that Security is defined as the process of maintaining an acceptable level of perceived RISK, where RISK = Threat x Vulnerability x Asset Value. Usually we put a lot of effort into reducing the RISK by reducing or eliminating the Vulnerability factor. However, this effort will be undermined by the characteristics of the intruder: some of them are smarter than the defender (you), and they are unpredictable, hence every network will eventually be compromised. Once we have this kind of perception, then perhaps we might religiously follow the security processes (assessment, protection, detection and response), as we realise that Security Management by Belief only leads to failure.

“The biggest problem by far is that the majority of these devices output logs that quickly become ignored after they are installed. This is due to a lack of training for personnel who need to not only be able to interpret the logs, but also verify the accuracy of them. That verification is done by comparing the logged alerts to the actual traffic itself. Unfortunately, too many IT security analysts lack the knowledge to do just that.

Now system administrators and IT security analysts alike should both have a very good understanding of the TCP/IP protocol suite. By studying and understanding these protocol blueprints, the analyst will come away with the knowledge of what normal protocol behavior looks like.”

I have to agree on this point, especially for the local security scene. Looking for a capable Security Analyst is like searching for Cinderella without the benefit of her glass shoe. I’m not claiming that I am a good analyst who should be the role model (there are many better analysts out there), but from my observations during the interviews I’ve conducted for some time, and of our current team, the obvious thing is that they lack the fundamental knowledge not only of security but of networking as well. As an example, of the 6 or 10 candidates I interviewed recently, only one managed to answer when I asked about the TCP handshake, and even he only stressed the exchange of TCP control flags. If you don’t have this kind of knowledge, then how can you identify the exact time the intruder established a connection to the victim? The difference between SYN flood attacks and nmap -sS? People performing port scanning? Who is performing the scanning and who is responding? How to trace the communication using the sequence numbers? And of course, if you are using snort for your detection engine, how can you create / fine tune the snort rules or understand the reason why the alerts triggered?

“Having the knowledge to understand how a protocol such as DNS behaves would also allow you to spot a hacker removing documents from your network. After all, it would be rather unusual to see a prolonged series of packets on UDP/TCP Port 53 with a size of 1540 bytes. So we know that if a network gets hit with a zero-day hack or other such stealthy vector that we should still hopefully be able to uncover the attack by the hackers’ desire to move data from the network.

This investigative approach presumes that the corporate network is logging all traffic. Recording all data traffic is almost a necessity, as it is rather hard to confirm the veracity of any IDS or IPS alert if you have no packets to look at.”

Definitely. There is not much you can see and derive from snort syslog output: only the source and destination IPs and ports with the alert messages. How can you perform your analysis? How do you know whether the alerts really indicate something malicious is happening or are false positives? I know there are limitations on the effort of having all types of data stored, but to avoid this kind of confusion, at least have session data stored for analysis.
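As an added illustration (not code from the post or the article) of what “session data” buys you, this collapses constructed per-packet records into flow records and then applies the article’s DNS observation to them: a port-53 flow made of hundreds of MTU-sized packets is not name resolution. The addresses, packet sizes and thresholds are invented.

```python
from collections import defaultdict

# Constructed per-packet records (src, dst, proto, dport, length), not from the page or the article;
# the port-53 flow to 203.0.113.7 mimics the article's sustained 1540-byte packets.
PACKETS = (
    [("192.168.1.20", "10.0.0.53", "udp", 53, 78)] * 4
    + [("10.0.0.53", "192.168.1.20", "udp", 51234, 120)] * 4
    + [("192.168.1.30", "203.0.113.7", "udp", 53, 1540)] * 400
    + [("203.0.113.7", "192.168.1.30", "udp", 50001, 90)] * 400
    + [("192.168.1.40", "10.0.0.5", "tcp", 443, 1400)] * 120
)

def sessions(packets):
    """Collapse packets into session data: one record per (src, dst, proto, dport) with
    packet count and byte total, the minimum to keep when full content capture is not possible."""
    flows = defaultdict(lambda: [0, 0])
    for src, dst, proto, dport, length in packets:
        rec = flows[(src, dst, proto, dport)]
        rec[0] += 1
        rec[1] += length
    return {k: {"packets": v[0], "bytes": v[1]} for k, v in flows.items()}

def suspicious_dns(flows, min_packets=50, min_avg=1000):
    """Port-53 flows with many packets and an average size far beyond a normal query:
    the article's 'prolonged series of 1540-byte packets on port 53'."""
    hits = []
    for (src, dst, proto, dport), rec in flows.items():
        avg = rec["bytes"] / rec["packets"]
        if dport == 53 and rec["packets"] >= min_packets and avg >= min_avg:
            hits.append((src, dst, proto, rec["packets"], round(avg)))
    return hits
```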

“A lot can be done, however, by stressing the basics and leveraging existing knowledge. There is nothing magical or secretive in these methods. Even though the attacker may be very good, what comes in must eventually come out. That is where you can almost certainly find them. Hackers that proclaim that they can come and go silently like the wind and bypass all network defenses are a threat only in the movies.”

Intruders Who Can Communicate with Victims Can Be Detected – how true. Every compromise phase shows that intruders’ activities can be viewed / monitored / detected. Intrusion is not magic. Intruders’ behaviour and methods can be studied and understood, provided that the defender knows what they are looking at, what they are looking for and where to look. The only time an intrusion goes undetected is when the alerts are not monitored properly or the analyst fails to understand the decision making logic of the detection systems.

Again, let me put these three scenarios on the need to collect the right information and have a skilled analyst:

*Without IDS*
An attacker attacks a workstation using 0-dayz exploits for 0-dayz vulnerabilities. The attack bypasses the firewalls, and the attack patterns don’t match any rules in the IPS, so no blocking action. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS without proper Collection Process*
An attacker attacks a workstation using 0-dayz exploits for 0-dayz vulnerabilities. The attack bypasses the firewalls, the attack patterns don’t match any rules in the IPS, so no blocking action, and the attack patterns don’t match any rules in the IDS, so no alerts are triggered. The victim complains and all we can do is patch and proceed. But we never know what actually happened.

*With IDS with proper Collection Process*
An attacker attacks a workstation using 0-dayz exploits for 0-dayz vulnerabilities. The attack bypasses the firewalls, the attack patterns don’t match any rules in the IPS, so no blocking action, and the attack patterns don’t match any rules in the IDS, so no alerts are triggered. The victim complains, and we can start investigating with the data that was collected, update the signatures and perhaps feed them to the IPS and IDS; plus, the information gathered can be used for legal purposes.

~ No one is judged anymore by how they prevent incidents. Everyone gets hacked. Instead, organizations are judged by how they detect, respond, and recover ~

The article title is “Catch Them If You Can” and you can read it here.

What do you think?

Yes, I conducted an interview session today, looking for suitable candidates to fill the empty seats in the SOC (to be honest, we do need a few more ;) ). It has been quite some time since my last interview, and thankfully I managed to squeeze the interview session in between my training schedule.

Just like in the previous interviews, there is a series of questions that I ask the candidates. This time the questions start from fundamentals (perhaps a lil bit tricky, and yes, I hijacked my friend geek00l’s questions as well). So the questions:

1). If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?

2). Based on this information (handshake2.txt), point out the handshake packets.

3). What kind of event can you derive from this trace file: trace1.pdf

4). And what kind of event can you derive from this trace file: trace2.pdf

5). Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic (traffic_a.pdf)?

6). With the existence of IPS, what do you think of the relevance of IDS?

Sadly, only 1 managed to get through to the 6th question, another one managed to get through to question 3, and another 2 failed at the 2nd question. And surprisingly, both of the failed candidates have many years of experience (stated in their resumes maa), and one of them even has a CCNA.

Hmm.. I thought the questions were very simple and straight to the point compared to the previous interview questions, but alas, maybe I should make them easier and simpler. You tell me..