Monday, June 24, 2019

2019 SOC Summit - Action Items

Slide decks for talks available here:

Youtube Video (duration: 8:35) of these items:

=-=-=- Day 1 =-=-=-

Keynote: Lessons Learned Applying ATT&CK-Based SOC Assessments
Action Item: Plan for an ATT&CK based assessment to identify coverage, internal or third party.

Use Case Development Utilizing an ARECI Chart
Action Item: Identify Gaps in coverage using ARECI charts built from use cases.

Use Cases Development as a Driver for SOC Maturation
Action Item: Tune down the noise.

A SOC Technology/Tools Taxonomy – And Some Uses for It 
Action Item: Compare your deployed SOC infrastructure to the proposed taxonomy.

Mental Models for Effective Searching
Action Item: Minimize time spent at the blank search bar by developing effective capability.

Managing Security Operations in the Cloud
Action Item: Familiarize yourself with cloud defenses available and integrate into the DevOps cycle to leverage them.

Virtuous Cycles: Rethinking the SOC for Long-Term Success
Action Item: Autonomy, Mastery, Purpose. Skills, Empowerment, Creativity, Growth. Automation->Efficiency->Metrics

2019 SANS SOC Survey Preview: Live Simulcast
Action Item: Download and read the 2019 SOC Survey when it comes out.

=-=-=- Day 2 =-=-=-

How to Disrupt an Advanced Cyber Adversary
Action Item: Focus on Network Awareness, Cyber Hygiene, and proper Device Configuration.

Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring
Action Item: Whatever you choose to instrument your endpoints with, learn the granular differentiation of the host that will made detection and hunting meaningful.

Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities
Action Item: Tell a good story about your SOC, and your internal collaborators.

The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?
Action Item: Make people disappear. Think about how the physical matters.

How to Literally Think Like an Attacker to Become a Better Defender
Action Item: Think

Arming SecOps with a Special Forces Targeting Process
Action Item: Advance your thinking using intelligence

The Case for Building Your Own SOC Automations
Action Item: Automate good capabilities, that you already have or want. SOAR tools not required.

Rapid Recognition and Response to Rogues
Action Item: Know thy network (as much as you can).

This Will Never Work: Tales from Disappointingly Successful Pen Tests
Action Item: Demonstrate weakness to drive improvement. Take time to laugh.

Saturday, June 22, 2019

New Orleans Recommendations

( Updates in 2018-02: Add these to your list: Willa Jean, Mammoth Espresso, Doris Metropolitan, Lattitude 29, Spitfire Coffee, Paloma Cafe  )

Since we're in the CBD, my favorite nearby places Cochon (but I really like butcher, it's less formal), Peche, Compere Lapin, August ($$$), Willa Jean, Juan's Flying Burritto (CBD location), Carmo, Luke on St. Charles, (great happy hour)...

Nearby for coffee: Revelator Coffee
Nearby for wine: Keife & Co, W.I.N.O
Nearby bar for hangout: Lucy's Retired Surfer, Vic's Kangaroo 

Stuff I'm going to check out this trip in the area that has opened recently: Bakery Bar, Espiritu, 

Magazine Street - Starting from Calliope, and running uptown, Magazine is a funky shopping district with lots of interesting independent stores. Check out Juan's Flying Burrito for awesome creole Mexican food. Cheap, filling, and good quality. (And loud music.) Lilette is expensive fine dining near Louisiana Avenue.

If you're uptown, check out Oak Street. Zotz is a cool coffee shop. For dinner, you can try Jacquesimo. It's a little pricy, but decadent new orleans style food. If you want that same type of food for cheap, Crabby Jack's on Jefferson Highway is run by the same guy. My favorite there is     Blackened Gulf fish with crabmeat remoulade sauce. Their Duck & Andouille gumbo is pretty damn good, too. Freret Street between Jefferson and Napoleon has become a culinary wunderbar. Amazing because when I lived there it was dangerous and all boarded up. Breakfast at bearcat cafe is excellent. High hat is New Orleans style. Ancora Pizza is well regarded.

Museums: Ogden (regional folk and outsider art), Museum of Modern Art, Contemporary Arts Center. The     D-Day (WWII) museum is supposedly really good. There's also a civil war museum.

Ride the St. Charles Streetcar line uptown to Audubon park, or go on the Canal Streetcar line to Mid-City for City park and the botanical gardens. If you're in Mid-City go to Angelo Brocado's Italian bakery for cappuccino, gelato, and cookies. It's at Carrollton and Canal Street.

Vietnamese food in NOLA is some of the best you can find in the country.  My favorite is Nine Roses. It's on the west bank (of the Mississippi) and a little hard to find, but we have big family style meals with between 5 to 20 people. It's an amazing feast, and ends up being about $25 per person.

For nice quarter restaurants, I suggest Bayona, NOLA (Emeril's place), Pelican Club, Mr. B's, or Palace Cafe. They're all fairly expensive. Tujaque's is old school New Orleans. Have lunch at Napoleon house. Definitely go to K-Paul's (Paul Prudhomme's cajun restaurant).  Find Cochon Butcher (butcher is the cafe style, Cochon is fine dining style) in the CBD (other side of Canal) for lunch. Any of Donald Link's restaurants are great. My current favorite restaurant in New Orleans is Restaurant August.

In the Treme (on the edge of the french quarter) check out Lil Dizzies for great New Orleans fare.

Check out Frenchmen Street. You can go to Snug harbor for burgers and a Jazz show. But, most people go to port of call on Esplanade for burgers. There are several good clubs on frenchmen St.: Maison, DBA, Yuki, etc.

The Bywater has several excellent places. Maurepas Cafe (update: CLOSED), Bacchanal on Poland Ave. Satsuma's for breakfast or lunch, Cake Cafe for breakfast  /lunch.

You can get good coffee at Cafe du Monde, but also Envie at Barracks and Decatur. For excellent espresso drinks, I like Velvet across from Whole Foods on Magazine. There's now a HiVolt uptown also on Magazine by Whole Foods. 

There's the original Hi-Volt on Sophie Wright place(near Magazine in Garden District near that Juan's), Mammoth Espresso and Spitfire in the CBD & Quarter.  Hi-Volt also great breakfast / brunch and baked goods, but they're much better at Sophie Wright location.

Try chickory coffee.

Go to Jean Lafitte's blacksmith shop on lower bourbon St. (go away from Canal St. past all the big clubs like Pat O'Briens and Cat's Meow, and past the gay dance clubs. ) Speaking of Pat O'Brien's, lots of people go there. 

Also, be sure to get to Preservation hall Jazz club before you start drinking one night to enjoy old style New Orleans Jazz. Probably the only place where you'll hear authentic old style.

If you still have time and money, you can check out the bywater. Look at going to Vaughn's. Take a cab, and take a cab back to the quarter / CBD. I would walk or bike from the quarter, but you don't know the area and it is not always safe. The bywater is very funky. May or may not be your thing.

St. Roch Market is a great food stall and has excellent happy hour cocktails.

If you want good beer, go to DBA on Frenchmen Street. 

There's actual Absinthe at the place on Pirate's Alley between the cabildo and the cathedral off of Jackson Sq.

For a good breakfast, go to Cake Cafe in the Marigny (past elysian fields from canal). I think it is on Decatur, but I don't recall. There's also Elizabeth's out in the bywater.

Tipitina's is a famous music club.  

There are a few things in there that didn't involve eating or drinking to do during the day.  Some people still want to go on the disaster tourist stuff.  If you want to rent bikes, go to my friend Bicycle Michael's on Frenchmen St.  Tell him you know me.  He'll probably say something like, a lot of people know Chris.  ;-)

Tune in to WTUL, 91.5FM.  It is Tulane's college radio station.  They've got club and event listings hourly, and you can win tickets pretty easily from them for shows.  Also check out WWOZ, 90.7 IIRC.  They are NOLA cultural station.  They also have club and event listings.

Wednesday, May 15, 2019

How Do I Get Started in Pen Testing?


I teach several different classes at the SANS Institute. Sometimes students are just starting out, and they're looking at how to apply the tools and skills they just learned. I'm writing this blog to provide guidance on the next steps. I'm going to try to be agnostic across the SANS curriculum, since that separation doesn't exist in most people's workplaces.

Practice At Work

First, be careful about just doing things at work. Some of the tools and skills we teach in SANS classes might not be appropriate for your job role. Instrumenting a computer network with a sniffer and monitoring traffic is a valuable defensive technique and capability. But, it might also be considered a wiretap in the United States (and most other countries). This potential violation of federal and state laws could get you fired and charged with a crime if done without permission. Same goes for penetration testing or unauthorized collection and inspection of digital evidence.
Solution: Get written permission from someone with the authority to give that permission to install monitoring or do forensics, or penetration tests.

Practice Outside of Work

If you don't have a chance to apply the lessons at work, what's another path?  I advise you to do three things. First, find some additional practice opportunities. Second, find an organization who could use your assistance and volunteer for them. Third, start to moonlight as a contractor.

Additional Practice Opportunities
There are a number of websites out there that give you a chance to practice your skills. Here are a few lists of freely available challenges:

Volunteer Opportunities

After you're confident in your ability to do simulate work, then it is time to move on to a real world circumstance. Truth is, you're probably not experienced enough to go right into the contracting and delivery. So this next step is a middle ground. Find an organization that you care about. This might be your church, your school, or your child's school. It could be your friend's small business or your neighborhood association. Select an organization that you're willing to contribute your time for free. 

Offer this organization the service you intend with an actual proposal. This will be a written agreement, and you're treating it like it is a business engagement.

My suggestion for how to think about the scope is to review this fantastic resource:

It's a bit older, but is an exhaustive list of the potential attack surface for a pen test or vulnerability assessment. There are a couple of template documents available as well. The primary artifact you'll be producing from your work is a report. Here are a large number of example reports:

Deliver the report, provide advice on how to fix it, and check in six months down the road to see how they've progressed on the proposed changes. You'll probably see that they haven't made much progress at all. ;) It's ok. Look for ways to help solve those issues.

Keep working with that organization and apply a different scope for another engagement, or find another organization to help.

Start a Small Business

Once you've done a small number of engagements for free, you're probably ready to start to charge for your services. Don't quit your day job quite yet. :)

Register an LLC with your state.

Develop the appropriate sort of contracts, usually  Master Service Agreement (MSA) and Statement of Work (SOW). One example MSA:

Buy liability insurance and potentially errors and omissions for your business, you may also need workers compensation for some organizations you contract with (even if you don't have any employees):

Find customers, deliver value, and grow your business!


That's a quick opinion on how you might proceed to develop your skills. You could also just have fun doing capture the flags and Netwars challenges from SANS.  If you have additional resource links that you think people should review for any of the above areas I've linked to, please include them in the notes. I'll add really good links back into the text of the post.

Tuesday, April 2, 2019

Instrumenting OS for Per Process DNS Query Inspection

Background information

Last night at #SANS2019 I attended Jason Fosen’s talk on process hacker and it reminded me of something I forgot to finish several years ago. I’m finalizing and posting now (several years later). This work was originally done on a windows 8 system.
Years ago, really way too long ago, I wrote a post about how to use DNS query logs to create a daily delta report to identify anomalies and novel connections:

What's Doing That?
One of the things that I saw during review of the data was a weird DNS request.

Weird unqualified DNS requests. The unqualified version would be followed by the same random string in the search domain of the computer. Usually one or two queries with qualification. Something like biuivlhobb, then biuivlhobb.montance, then biuivlhobb.montance.local, as an example.
I looked into it via some online searches, and it was pretty clearly Google Chrome doing the queries. But, that wasn’t confirmed. So I dug deeper. I started thinking about how I could see inside of a system that a specific process made a DNS query. The OS was handling the query on behalf of a process. So, how could I see which process asked the OS to make that query?
My inquiry lead me to discover that the windows method for making a DNS request is getaddrinfo. The application would use this system call to do the lookup.

So, I lauched process monitor to attempt to review what was actually making the calls.
Process Monitor :

There were two potential files of interest:
But, Process Monitor didn't show the details of the actual calls, so looked into APIMonitor:

I set the filter to just look at getaddrinfo and related requests in case I missed something.

Killed existing chrome, started again, was able to identify the getaddrinfo requests:

Cool! chrome.dll verified as the source!

Monday, April 1, 2019

Security Operations Class Status


SANS MGT517 was cancelled and will not return. I will release the material in several ways over the next year: as an online resource (, as an online class, as in person training, and in a project plan book.

Brief Background

I wrote the course that became SANS Management 517 because the two-day course I was a course author of, MGT535 – Managing Incident Response, didn’t seem to fulfill many of the questions that people were asking about. Namely, “How do I interface my incident handling capability to the Security Operations Center?”

Secondarily, there were always questions about the related disciplines of what I eventually called “Self-Assessment Function” within the SOC. How do I use, create, or mature my vulnerability assessment program? How can I convince the IT department to help us by getting a good baseline in place?

Additionally, there was a gap that several people echoed. There were several documents that identified various aspects of Security Operations Centers (SOC), but there was no single reference that said exactly what a SOC was. Carson Zimmerman’s book, and David Nathan’s book were great, but no one had publicly defined capabilities, staffing, the technology involved, and the things that a SOC ingested and what its output was.

What became MGT517 was my attempt to define a reference model around security operations centers (SOC) for organizations to consider. About 500 students attended MGT517 when it was available through SANS. These students were from countries around the world, and from every sector: from manufacturers of goods you use in your home; the companies who make the computers you use; companies who operate the largest cloud infrastructures in the world; companies who build the software that runs most major businesses; security software firms; financial firms; healthcare entities; representatives of governments. Each time I taught the class, there was a chorus of “Thank you.” I can take this back to my organization and say here’s how we should do this. There was a common theme of there not being any other resource or class which covered this topic. There was usually also constructive criticism and valuable insight shared by attendees.

I am disappointed that SANS chose to cancel the class. But what SANS didn’t cancel is my commitment to continue to develop the material. The SOC, and security operations in general is a critical capability for organizations around the world.

I previously mentioned an Analysis of Competing Hypotheses (ACH) write up on why MGT517 was cancelled. It is still underway. It’s going very slowly, but will be published eventually. That matters less than what I’m going to do next, so what follows is that information.

Crowley Motivations

Material Access and Community Value

I want people to see the information I wrote. I think it provides tremendous value because it puts forward a reference model. You’re welcome to disagree with it. In fact, I would say that you must at least consider that the model may not be a good match for your organization.  I’ve tried to envision and account for every possibility. So, the tailoring to your organization is certainly present in such an abstracted and generalized model.

In addition to the security operations class, I am writing a book to provide a project plan for building a SOC. This should provide a very low-cost option for organizations to access the concepts expressed in these various forums and provide a project plan for the organization to build a SOC.

Business Development

I want to work on interesting SOC projects. I’m only a single person, and I won’t have a team of people working for me. Why not? Because I’m not interested in building a company at this time. That takes away from my ability to focus on the subject matter. But that means that I can’t delegate tasks to people and help lots of companies simultaneously.

It means my ability to get involved in projects is very limited if I want to keep my quality level high. My SANS teaching and course development has consumed a large amount of my time for the last three years. I’m taking the time I was exerting for MGT517 course development and shifting it to course development for an online version and an onsite version outside of SANS. I will have time for no more that 3 or 4 contract customers at any given time, if I continue to teach for SANS and try to run a class independently. There’s a risk in attempting to do all of this, as SANS may see this effort as competitive and choose not to ask me to instruct classes. Setting up courses live takes a lot of time and effort, and marketing the classes is a massive uphill battle. Enrollment, payment systems, and onsite logistics are expensive. Life’s a risk.

Actions Planned

Web Resource

I paid a developer to build a website for me to have a forum for SOC discussion by vetted individuals. I haven’t been able to get back to that effort due to so many different things going on. I’ve tried to find an intern to help me to populate content onto the site. If you’re interested in helping me with the initial deployment of material, please let me know. You wouldn’t be writing anything, just populating material into the website. This will be about a 3 month effort. Twitter is the best avenue to start this conversation: @CCrowMontance.

I have a lot of material buried in slide decks that aren’t accessible to people. My intention is to rescue that information from the powerpoints I’ve build and move it to a forum for people to review and for knowledgeable people to have meaningful discussions. My intention is to vet the people who can discuss, but have the discussions be public. I think this is the best way to produce high quality content. Even without community participation, it will be a place where I can share the research and analysis I have done.

Online Class

The easiest way to get access to the material will be an online version available through The price will be affordable and the material will be adjusted to an online format. Once done, this will run perpetually and will be available on your schedule.

Live Class

This will probably be a three day event, limited to 25 participants. I’ll go to locations that are good options for me and where I think people want the event to run. This will be very much of a DIY effort, and if you’re interested in helping me to run the class or want it as part of your conference, I’ll certainly consider it. Also, private onsite runs are available with a focus on your organization’s specific implementation.

Tentative Scheduled Events & Locations

This list is ambitious, and I suspect several of these classes will not run, but I’ll try to make them all happen.

·        Online: Expected date of initial availability : November 1, 2019
·        December 2-4, 2019 : Washington, DC Area : Security Operations Class – Public Enrollment
·        January 8-10, 2020 : New York City, NY : Security Operations Class – Public Enrollment
·        March, 2020 : Macau or Hong Kong : Security Operations Class – Public Enrollment
·        June, 2020: Europe or Middle East, TBD
·        August, 2020 : Las Vegas : Security Operations Class – Public Enrollment
·        November, 2020: Melbourne, Australia : Security Operations Class – Public Enrollment

I look forward to seeing you there.