Risk, Failure, Survival (blog by CCrowMontance)

2020 CyberDefense Summit (posted 2020-10-09)
<p>My take away from the talks from today:</p>
<p><br /></p>
<p>Carson Zimmerman</p>
<p>Keynote: Taking Your Detection Program to the Next Level</p>
<p>Engineering is difficult - stop lying to yourself and others about what the SOC needs to engineer, and engineer those items.</p>
<p><br /></p>
<p>Don Murdoch</p>
<p>Building the Better Playbook: Techniques to Improve Repeatability</p>
<p>Build your playbooks in a repeatable manner to drive maturity and consistency.</p>
<p><br /></p>
<p>Rob van Os</p>
<p>Metrics on Steroids: Improving SOC Maturity using the SOC-CMM</p>
<p>SOC-CMM is an exhaustive model for (self-)assessment of SOC maturity and capability.</p>
<p><br /></p>
<p>Steve Turner, Ben Tyminski</p>
<p>XDR - The Hidden Pitfalls of Evaluation and Deployment</p>
<p>XDR deployments have distinct limitations and capabilities. Leverage standard best practices while covering new ground.</p>
<p><br /></p>
<p>Dan Banker</p>
<p>And Then There Were None (More False Positives): Writing Better EDR Detections</p>
<p>Dan shreds his guitar - he also has obviously spent many hours eliminating the noise from his signal.</p>
<p><br /></p>
<p>==LUNCH===</p>
<p><br /></p>
<p>Peter Luo</p>
<p>Resolve Security Alerts with Adaptive Intelligence and Guided Response</p>
<p>Augmented intelligence is available for scenarios you frequently encounter.</p>
<p><br /></p>
<p>Kristy Westphal</p>
<p>Analysis 101 for Incident Responders</p>
<p>Develop your team's analytical methodology, and be ready to deal with the reality of not always being right.</p>
<p><br /></p>
<p>Yochana Henderson, Mark Morowczynski</p>
<p>Hiding in the clouds: How attackers can use applications for sustained persistence and how to find it</p>
<p>"****** [devil|god|good god] is in the details." Flaubert, Mies van der Rohe, proverb... Make sure you understand what that configuration (button) does!</p>
<p><br /></p>
<p>Gabriel Currie, Will Oram</p>
<p>Ransomware Defense and Response: Minimizing Risk of an Increasing Threat</p>
<p>The main reasons ransomware is increasing: big money (140M pounds+ in 6 years) and many more leak sites, which have driven organizations to pay ransoms.</p>
<p><br /></p>
<p>Apurv Singh Gautam</p>
<p>Automating Threat Hunting on the Dark Web and other nitty-gritty things</p>
<p>Deep web? Data you're not allowed to see. Dark web? That's where your adversaries are coordinating their attacks on you and selling their illicit goods.</p>
<p><br /></p>
<p>Christopher Lopez</p>
<p>Asking Questions and Writing Effectively</p>
<p>Are you asking the correct questions and capturing the appropriate information? Don't constrain yourself with needless process.</p>
<p><br /></p>
<p>Saurabh Wadhwa</p>
<p>Resource Smart Detection with YARA and osquery</p>
<p>YARA: (Chess) If you see a good move, look for a better one.</p>
<p><br /></p>
<p>Mark Baggett</p>
<p>New Tools for your Threat Hunting Toolbox</p>
<p>Do what Mark does - save yourself one command a day; eventually you'll be bored and start to automate other stuff.</p>
<p><br /></p>
<p><a href="https://sansgear.com/product-category/cyber-defense-forum/">https://sansgear.com/product-category/cyber-defense-forum/</a></p>

MY SANS Mentor to Certified Experience (posted 2020-05-09, updated 2022-07-19)<br />
<div class="MsoNormal">
This is a blog post, and not intended to be a resume / CV
quality recollection. So, some of the dates are off by a bit or missing. I went
through the GIAC certification page ( <a href="https://www.giac.org/certified-professionals/directory/search">https://www.giac.org/certified-professionals/directory/search</a>
) and looked at the dates of certifications there and reconstructed this
timeline of SANS classes and certs. I know there are a few missing (like the
retired GIAC GSFP Fundamentals of Security Policy) that I took with James
Tarala in 2007 (I think).<o:p></o:p></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOw_GQqEC1lYltmH39HFvcrKu7Ff6gTpUvUN5Cb3RlR-EYUbGjEpGWunVuAQ_3XG692WvYPCJd1cRRikGlNFYe9_C83IahGKaucnrl6Rz7FEvk5SnORTGXj3W2Db-VwnuiakW9B17jQOd5/s1600/draft_classes_certs.png" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="911" data-original-width="773" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOw_GQqEC1lYltmH39HFvcrKu7Ff6gTpUvUN5Cb3RlR-EYUbGjEpGWunVuAQ_3XG692WvYPCJd1cRRikGlNFYe9_C83IahGKaucnrl6Rz7FEvk5SnORTGXj3W2Db-VwnuiakW9B17jQOd5/s640/draft_classes_certs.png" width="540" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Rough Draft attendance and GIAC certs</td></tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Throughout this time, I was a facilitator for SANS because
my employers couldn’t or wouldn’t pay for the classes. I facilitated at many
conferences and summits. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I taught several semesters of classes at Tulane University
College prior to Hurricane Katrina (August, 2005). The classes were BASH shell
programming and Apache web server administration. These were in 2003-2005. I
saw SANS as an opportunity to further my education and my interest in teaching on
the side.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The first in-person class I took was SEC503 with Mike Poor
at Virginia Tech during Spring Break, 2005. The classroom was a large
auditorium with a couple hundred people in attendance. There was a funny wifi
problem. Randy Marchany went on stage a couple of times asking people to turn
off DHCP server in case someone was running one. Finally he went on stage and
said, “*Joe Smith* you are running a DHCP server on your laptop. We’ve tracked
your MAC address registered via our wifi registration to the DHCP Server
serving bad leases. Shut it off now, or we’re going to come find you.”<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In 2006, I was all over the place dealing with the aftermath
of the disaster recovery from Hurricane Katrina. I was still working remotely for
Tulane; I moved from Houston, to Memphis, to Athens, Georgia, and then
permanently to Maryland in the suburbs of DC.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In early 2007, I tried to run a SEC503 local mentor. There
was no enrollment. I tried to run it again, maybe one person enrolled:
cancelled. I tried again, one person: cancelled. SANS advised me to switch to
SEC504. I don’t think they said this expressly, but it was essentially, “it
sells much better and people will sign up for it.” Switch. I said no. I’ll do
SEC503 first, I assured them.<br />
<br />
My first SEC503 mentor session had three students. I ran
it at the black rock center for performing arts with their projector. It went
great. The three people in the classroom really enjoyed it, and learned a lot.
I learned a tremendous amount. On average, I studied the material for about 10
hours for each hour of class time I led. I spent my spare time learning this
content while I was working full time in the cyber security domain. I had left the work from home
position and took a position with a government contractor.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I got a call one day from Zoher Anis. “Chris, SANS called me
and asked me to pick up a SEC401 that had some problems. I don’t know all the
details, but it has to restart next week. I don’t have time to teach all the
classes because of some travel I had scheduled. Can you co-teach it with me? I told
them I won’t do it unless you co-teach with me. They really want it to run.”
Zoher and I had worked for the same company at one point and we knew one another through the
SANS community and that company. We had a common interest in security. We
started co-mentoring classes. SEC401, SEC560, and SEC504.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“Chris, can you go to Georgia in two weeks to teach SEC560?”
Scott Weill was asking me. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“Let me check, Scott. I need to verify I can get the time
off work.” I knew my managers supported the SANS work I was doing on the side.
But, this was something last minute and out of the ordinary. I was managing a 24x7 monitoring and response team at the time. They approved it. I made arrangements for my backup to deal
with the projects I was working on while I was gone.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The class went great. There were folks there from many
different companies and agencies. I met Russel Eubanks, who had recently moved
to Atlanta.<o:p></o:p></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4cCOeihouRl8fv_sD3huMcQfdD9GCzVYwzG2QEI5GmbpkrGlfcV_fdZIcy1NTcqhUxnvrf9N5JGqquzYeZmafvm3n37Fi0pVaUOlGT9_YdkuKRbsuVuRzSlcPBzqQrAteWu08d3JS7eqX/s1600/presentations-screenshot.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="985" data-original-width="601" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4cCOeihouRl8fv_sD3huMcQfdD9GCzVYwzG2QEI5GmbpkrGlfcV_fdZIcy1NTcqhUxnvrf9N5JGqquzYeZmafvm3n37Fi0pVaUOlGT9_YdkuKRbsuVuRzSlcPBzqQrAteWu08d3JS7eqX/s400/presentations-screenshot.png" width="243" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: start;">Talks I've written, download <br />from: https://mgt517.com/soc</span></td></tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When I returned to work, I had a tough conversation with my
customer management. He told me that he liked what I was doing with helping
people, but while I was gone, some things had gone poorly. He said, he knew
that if I was there, I would have addressed it and there wouldn’t have been any
impact. But, my backup wasn’t prepared to deal with the unexpected. He told me
that if I was a manager of a team, I needed to assure that things went the same
in my absence as when I was present, because I wouldn’t always be present.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When I left full time employment, I arranged with my contractor
employer and the customer to stop being the manager, and become an analyst on
the team that I had previously managed. Someone else on the team became the
manager. </div><div class="MsoNormal"><br /></div><div class="MsoNormal">Eric Conrad had approached me about a project he was working on that
would involve travel and development work. SANS had asked me to start teaching
SEC401 at the Learning Tree in five days. I asked them for at least ten of
these runs in the first year. Ten scheduled, but only six filled. I had
basically scheduled myself 150% of the time because I was afraid that my “pipeline”
of work wouldn’t come through. I was correct in some ways, but still over
subscribed.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
(The talks pictured are extra presentations I've written and are publicly available for download from: https://mgt517.com/soc . It's the sort of extra work that needs to be done to continue to develop one's knowledge and community outreach in pursuit of being an independent contractor and SANS instructor.)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I became a Certified Instructor in 2012. “Jul 18, 2012 at
2:44 PM. subject: Promoted to Certified - Chris Crowley.” I was teaching a lot.
I was travelling a lot.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I’ve been traveling a lot since 2011. I’ve been home since I
returned from Tokyo, Japan on March, 9<sup>th</sup> 2020. Today is May 9<sup>th</sup>,
2020. (Update: August 18th, 2020 and I haven't left home for any work travel yet.) I think these two (now five) months are the longest contiguous time period that I’ve
stayed at home without work travel in the last ten years. I’m really enjoying
it. I’ll be happy to pick up when it’s safe to resume travel. <o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There’s a new chapter unfolding for me in 2020. I’m really
excited to tell you about it, but I can’t yet. It’s going to be a really big
surprise, and you won’t guess what it is. Some of you are going to hate it, and some of you are going to be really happy for me. I'm excited! (Update: this has been deferred until 2021, but it is still coming to fruition!)</div>
2019 SOC Summit - Action Items (posted 2019-06-24, updated 2019-07-10)<br />
Slide decks for talks available here:<br />
<a href="https://www.sans.org/cyber-security-summit/archives/cyber-defense">https://www.sans.org/cyber-security-summit/archives/cyber-defense</a><br />
<br />
Youtube Video (duration: 8:35) of these items: <a href="https://www.youtube.com/watch?v=W-GGqx-q_Rg">https://www.youtube.com/watch?v=W-GGqx-q_Rg</a><br />
<br />
<b>=-=-=- Day 1 =-=-=-</b><br />
<br />
<b>Keynote: Lessons Learned Applying ATT&CK-Based SOC Assessments</b><br />
Action Item: Plan for an ATT&CK based assessment to identify coverage, internal or third party.<br />
<b><br /></b>
<b>Use Case Development Utilizing an ARECI Chart</b><br />
Action Item: Identify Gaps in coverage using ARECI charts built from use cases.<br />
<b><br /></b>
<b>Use Cases Development as a Driver for SOC Maturation</b><br />
Action Item: Tune down the noise.<br />
<br />
<b>A SOC Technology/Tools Taxonomy – And Some Uses for It </b><br />
Action Item: Compare your deployed SOC infrastructure to the proposed taxonomy.<br />
<b><br /></b>
<b>Mental Models for Effective Searching</b><br />
Action Item: Minimize time spent at the blank search bar by developing effective capability.<br />
<b><br /></b>
<b>Managing Security Operations in the Cloud</b><br />
Action Item: Familiarize yourself with cloud defenses available and integrate into the DevOps cycle to leverage them.<br />
<b><br /></b>
<b>Virtuous Cycles: Rethinking the SOC for Long-Term Success</b><br />
Action Item: Autonomy, Mastery, Purpose. Skills, Empowerment, Creativity, Growth. Automation->Efficiency->Metrics<br />
<br />
<b>2019 SANS SOC Survey Preview: Live Simulcast</b><br />
Action Item: Download and read the 2019 SOC Survey when it comes out.<br />
<br />
<br />
<b>=-=-=- Day 2 =-=-=-</b><br />
<br />
<b>How to Disrupt an Advanced Cyber Adversary</b><br />
Action Item: Focus on Network Awareness, Cyber Hygiene, and proper Device Configuration.<br />
<br />
<b>Breach -> ATT&CK -> Osquery: Learning from Breach Reports to Improve Cross-platform Endpoint Monitoring</b><br />
Action Item: Whatever you choose to instrument your endpoints with, learn the granular differentiation of the host that will make detection and hunting meaningful.<br />
<br />
<b>Shared Security Services: How to Adjust to an Ever-growing Landscape of Security Operations Center Responsibilities</b><br />
Action Item: Tell a good story about your SOC, and your internal collaborators.<br />
<br />
<b>The Call Is Coming from Inside the House: How Does Your SOC Respond When Attackers Are On-Site?</b><br />
Action Item: Make people disappear. Think about how the physical matters.<br />
<br />
<b>How to Literally Think Like an Attacker to Become a Better Defender</b><br />
Action Item: Think<br />
<br />
<b>Arming SecOps with a Special Forces Targeting Process</b><br />
Action Item: Advance your thinking using intelligence<br />
<br />
<b>The Case for Building Your Own SOC Automations</b><br />
Action Item: Automate good capabilities, that you already have or want. SOAR tools not required.<br />
<br />
<b>Rapid Recognition and Response to Rogues</b><br />
Action Item: Know thy network (as much as you can).<br />
<br />
<b>This Will Never Work: Tales from Disappointingly Successful Pen Tests</b><br />
Action Item: Demonstrate weakness to drive improvement. Take time to laugh.<br />
<br />
<br />CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com1tag:blogger.com,1999:blog-6571547476689271589.post-63842050933828866342019-06-22T17:30:00.000-07:002019-06-22T17:46:43.496-07:00New Orleans Recommendations<div style="font-family: inherit;">
( Updates in 2018-02: Add these to your list: Willa Jean, Mammoth Espresso, Doris Metropolitan, Latitude 29, Spitfire Coffee, Paloma Cafe )</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Since we're in the CBD, my favorite nearby places are Cochon (but I really like Butcher, it's less formal), Peche, Compere Lapin, August ($$$), Willa Jean, Juan's Flying Burrito (CBD location), Carmo, Luke on St. Charles (great happy hour)...</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Nearby for coffee: Revelator Coffee</div>
<div style="font-family: inherit;">
Nearby for wine: Keife & Co, W.I.N.O</div>
<div style="font-family: inherit;">
Nearby bar for hangout: Lucy's Retired Surfer, Vic's Kangaroo </div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Stuff I'm going to check out this trip in the area that has opened recently: Bakery Bar, Espiritu.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Magazine Street - Starting from Calliope, and running uptown, Magazine is a funky shopping district with lots of interesting independent stores. Check out Juan's Flying Burrito for awesome creole Mexican food. Cheap, filling, and good quality. (And loud music.) Lilette is expensive fine dining near Louisiana Avenue.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
If you're uptown, check out Oak Street. Zotz is a cool coffee shop. For dinner, you can try Jacques-Imo's. It's a little pricey, but decadent New Orleans style food. If you want that same type of food for cheap, Crabby Jack's on Jefferson Highway is run by the same guy. My favorite there is blackened Gulf fish with crabmeat remoulade sauce. Their duck & andouille gumbo is pretty damn good, too. Freret Street between Jefferson and Napoleon has become a culinary wunderbar. Amazing, because when I lived there it was dangerous and all boarded up. Breakfast at Bearcat Cafe is excellent. High Hat is New Orleans style. Ancora Pizza is well regarded.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Museums: Ogden (regional folk and outsider art), Museum of Modern Art, Contemporary Arts Center. The D-Day (WWII) museum is supposedly really good. There's also a civil war museum.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Ride the St. Charles streetcar line uptown to Audubon Park, or go on the Canal streetcar line to Mid-City for City Park and the botanical gardens. If you're in Mid-City go to Angelo Brocato's Italian bakery for cappuccino, gelato, and cookies. It's at Carrollton and Canal Street.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Vietnamese food in NOLA is some of the best you can find in the country. My favorite is Nine Roses. It's on the west bank (of the Mississippi) and a little hard to find, but we have big family style meals with between 5 to 20 people. It's an amazing feast, and ends up being about $25 per person.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
For nice Quarter restaurants, I suggest Bayona, NOLA (Emeril's place), Pelican Club, Mr. B's, or Palace Cafe. They're all fairly expensive. Tujague's is old school New Orleans. Have lunch at Napoleon House. Definitely go to K-Paul's (Paul Prudhomme's Cajun restaurant). Find Cochon Butcher (Butcher is the cafe style, Cochon is fine dining style) in the CBD (other side of Canal) for lunch. Any of Donald Link's restaurants are great. My current favorite restaurant in New Orleans is Restaurant August.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
In the Treme (on the edge of the French Quarter) check out Li'l Dizzy's for great New Orleans fare.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Check out Frenchmen Street. You can go to Snug Harbor for burgers and a jazz show. But, most people go to Port of Call on Esplanade for burgers. There are several good clubs on Frenchmen St.: Maison, DBA, Yuki, etc.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
The Bywater has several excellent places. Maurepas Cafe (update: CLOSED), Bacchanal on Poland Ave. Satsuma's for breakfast or lunch, Cake Cafe for breakfast /lunch.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
You can get good coffee at Cafe du Monde, but also Envie at Barracks and Decatur. For excellent espresso drinks, I like Velvet across from Whole Foods on Magazine. There's now a HiVolt uptown also on Magazine by Whole Foods. </div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
There's the original Hi-Volt on Sophie Wright place(near Magazine in Garden District near that Juan's), Mammoth Espresso and Spitfire in the CBD & Quarter. Hi-Volt also great breakfast / brunch and baked goods, but they're much better at Sophie Wright location.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Try chicory coffee.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Go to Jean Lafitte's Blacksmith Shop on lower Bourbon St. (go away from Canal St. past all the big clubs like Pat O'Brien's and Cat's Meow, and past the gay dance clubs.) Speaking of Pat O'Brien's, lots of people go there. </div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Also, be sure to get to Preservation Hall jazz club before you start drinking one night to enjoy old style New Orleans jazz. Probably the only place where you'll hear the authentic old style.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
If you still have time and money, you can check out the Bywater. Look at going to Vaughan's. Take a cab, and take a cab back to the Quarter / CBD. I would walk or bike from the Quarter, but you don't know the area and it is not always safe. The Bywater is very funky. May or may not be your thing.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
St. Roch Market is a great food stall and has excellent happy hour cocktails.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
If you want good beer, go to DBA on Frenchmen Street. </div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
There's actual absinthe at the place on Pirate's Alley between the Cabildo and the Cathedral off of Jackson Sq.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
For a good breakfast, go to Cake Cafe in the Marigny (past Elysian Fields from Canal). I think it is on Decatur, but I don't recall. There's also Elizabeth's out in the Bywater.</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Tipitina's is a famous music club. </div>
<br />
<div style="font-family: inherit;">
There are a few things in there that didn't involve eating or drinking to do during the day. Some people still want to go on the disaster tourist stuff. If you want to rent bikes, go to my friend Bicycle Michael's on Frenchmen St. Tell him you know me. He'll probably say something like, a lot of people know Chris. ;-)</div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
Tune in to WTUL, 91.5FM. It is Tulane's college radio station. They've got club and event listings hourly, and you can win tickets pretty easily from them for shows. Also check out WWOZ, 90.7 IIRC. They are NOLA cultural station. They also have club and event listings.</div>
<br />
<div style="font-family: inherit;">
<br style="background-color: white; color: #1c1e21; font-family: Helvetica, Arial, sans-serif; font-size: 14px;" /></div>
How Do I Get Started in Pen Testing? (posted 2019-05-15)<h3>
Intro</h3>
I teach several different classes at the SANS Institute. Sometimes students are just starting out, and they're looking at how to apply the tools and skills they just learned. I'm writing this post to provide guidance on the next steps. I'm going to try to be agnostic across the SANS curriculum, since that separation doesn't exist in most people's workplaces.<br />
<br />
<h3>
Practice At Work</h3>
First, be careful about just doing things at work. Some of the tools and skills we teach in SANS classes might not be appropriate for your job role. Instrumenting a computer network with a sniffer and monitoring traffic is a valuable defensive technique and capability. But, it might also be considered a wiretap in the United States (and most other countries). This potential violation of federal and state laws could get you fired and charged with a crime if done without permission. The same goes for penetration testing or unauthorized collection and inspection of digital evidence.<br />
Solution: Get written permission from someone with the authority to grant it before you install monitoring, do forensics, or run a penetration test. That permission should state what is in scope (which systems, networks, and accounts), the time window, and who to contact if something breaks. A verbal "sure, go ahead" from a peer, or from a manager who doesn't own the systems in question, is not authorization.<br />
<br />
<h3>
Practice Outside of Work</h3>
If you don't have a chance to apply the lessons at work, what's another path? I advise you to do three things. First, find some additional practice opportunities. Second, find an organization who could use your assistance and volunteer for them. Third, start to moonlight as a contractor.<br />
<br />
<h4>
Additional Practice Opportunities</h4>
<div>
There are a number of websites out there that give you a chance to practice your skills. Here are a few lists of freely available challenges:</div>
<div>
<a href="https://www.amanhardikar.com/mindmaps/PracticeUrls.html">https://www.amanhardikar.com/mindmaps/PracticeUrls.html</a></div>
<div>
<a href="https://holidayhackchallenge.com/past-challenges/">https://holidayhackchallenge.com/past-challenges/</a></div>
<div>
<a href="https://hack.me/c/CHALLENGE">https://hack.me/c/CHALLENGE</a></div>
<div>
<a href="https://apsdehal.in/awesome-ctf/">https://apsdehal.in/awesome-ctf/</a></div>
<div>
<br /></div>
<h4>
Volunteer Opportunities</h4>
<div>
After you're confident in your ability to do simulated work, then it is time to move on to a real world circumstance. Truth is, you're probably not experienced enough to go right into contracting and delivery. So this next step is a middle ground. Find an organization that you care about. This might be your church, your school, or your child's school. It could be your friend's small business or your neighborhood association. Select an organization to which you're willing to contribute your time for free. </div>
<div>
<br /></div>
<div>
Offer this organization the service you intend with an actual proposal. This will be a written agreement, signed by someone who can authorize testing of those systems, that states the scope, the dates, and what you will not do (for example, no denial of service, and no social engineering of staff unless it is explicitly agreed). You're treating it like it is a business engagement, because testing a friend's systems without that authorization is still unauthorized testing.</div>
<div>
<br /></div>
<div>
My suggestion for how to think about the scope is to review this fantastic resource:</div>
<div>
<a href="http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html">http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html</a></div>
<div>
<br /></div>
<div>
It's a bit older, but is an exhaustive list of the potential attack surface for a pen test or vulnerability assessment. There are a couple of template documents available as well. The primary artifact you'll be producing from your work is a report. Here are a large number of example reports:</div>
<div>
<br /></div>
<div>
<a href="https://github.com/juliocesarfort/public-pentesting-reports">https://github.com/juliocesarfort/public-pentesting-reports</a></div>
<div>
<br /></div>
<div>
Deliver the report, provide advice on how to fix the findings, and check in six months down the road to see how they've progressed on the proposed changes. You'll probably see that they haven't made much progress at all. ;) It's ok. Look for ways to help solve those issues.</div>
<div>
<br /></div>
<div>
Keep working with that organization and apply a different scope for another engagement, or find another organization to help.</div>
<h4>
Start a Small Business</h4>
<div>
Once you've done a small number of engagements for free, you're probably ready to start to charge for your services. Don't quit your day job quite yet. :)</div>
<div>
<br /></div>
<div>
Register an LLC with your state.</div>
<div>
<a href="https://www.sba.gov/business-guide/launch-your-business/register-your-business">https://www.sba.gov/business-guide/launch-your-business/register-your-business</a></div>
<div>
<br /></div>
<div>
Develop the appropriate sort of contracts, usually Master Service Agreement (MSA) and Statement of Work (SOW). One example MSA:</div>
<div>
<a href="https://train.fastercures.org/assets/Tools/T1D-Exchange-Templates.pdf">https://train.fastercures.org/assets/Tools/T1D-Exchange-Templates.pdf</a></div>
<div>
<br /></div>
<div>
Buy liability insurance, and potentially errors and omissions coverage, for your business. You may also need workers' compensation for some organizations you contract with (even if you don't have any employees):<br /><a href="https://www.fundera.com/blog/small-business-insurance">https://www.fundera.com/blog/small-business-insurance</a></div>
<div>
<br /></div>
<div>
Find customers, deliver value, and grow your business!</div>
<div>
<br /></div>
<h4>
Conclusion</h4>
<div>
That's a quick opinion on how you might proceed to develop your skills. You could also just have fun doing capture the flags and Netwars challenges from SANS. If you have additional resource links that you think people should review for any of the above areas I've linked to, please include them in the notes. I'll add really good links back into the text of the post.</div>
<div>
<br /></div>
CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com0tag:blogger.com,1999:blog-6571547476689271589.post-4998491886643016682019-04-02T18:36:00.001-07:002019-04-02T18:36:09.583-07:00Instrumenting OS for Per Process DNS Query Inspection<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
<h1>
<span style="font-size: large;">Background information </span><o:p></o:p></h1>
<div class="MsoNormal">
Last night at #SANS2019 I attended Jason Fossen's talk on Process
Hacker and it reminded me of something I forgot to finish several years ago. I'm
finalizing and posting it now (several years later). This work was originally done
on a Windows 8 system.</div>
<div class="MsoNormal">
Years ago, really way too long ago, I wrote a post about how
to use DNS query logs to create a daily delta report to identify anomalies and
novel connections: <a href="https://pen-testing.sans.org/blog/2015/07/10/dns-anomaly-analysis-tips-did-you-put-a-new-cover-sheet-on-that-ddd-report/">https://pen-testing.sans.org/blog/2015/07/10/dns-anomaly-analysis-tips-did-you-put-a-new-cover-sheet-on-that-ddd-report/</a><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p><br /></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-size: large; font-weight: 700;">What's Doing That?</span></o:p></div>
<div class="MsoNormal">
One of the things that I saw during review of the data was a
weird DNS request. <o:p></o:p></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8D6opW9zq3Y_ZqJEx4jygFkit-avn1ci0EqHDeDLFpHVVWo5VtiHPBPNk1-b2PKqRVp6sf0249WoaLuUzBlBkjMR6OW_1S-vliOuW-y25rtT-GqWVpV3iChLBg69nD_pW9vjS28OWXC77/s1600/unqualified.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1054" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8D6opW9zq3Y_ZqJEx4jygFkit-avn1ci0EqHDeDLFpHVVWo5VtiHPBPNk1-b2PKqRVp6sf0249WoaLuUzBlBkjMR6OW_1S-vliOuW-y25rtT-GqWVpV3iChLBg69nD_pW9vjS28OWXC77/s640/unqualified.png" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Weird unqualified DNS requests. Each unqualified query would
be followed by the same random string with the computer's DNS search domains appended,
usually one or two qualified queries. Something like biuivlhobb, then biuivlhobb.montance,
then biuivlhobb.montance.local, as an example.</div>
<div class="MsoNormal">
I looked into it via some online searches, and it was pretty
clearly Google Chrome doing the queries. But, that wasn’t confirmed. So I dug
deeper. I started thinking about how I could see inside of a system that a
specific process made a DNS query. The OS was handling the query on behalf of a
process. So, how could I see which process asked the OS to make that query?<o:p></o:p></div>
<div class="MsoNormal">
My inquiry led me to discover that the Windows method for
making a DNS request is getaddrinfo. The application uses this Winsock API call
to do the lookup. <a href="https://docs.microsoft.com/en-us/windows/desktop/api/ws2tcpip/nf-ws2tcpip-getaddrinfo">https://docs.microsoft.com/en-us/windows/desktop/api/ws2tcpip/nf-ws2tcpip-getaddrinfo</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So, I launched Process Monitor to attempt to review what was
actually making the calls.</div>
<div class="MsoNormal">
Process Monitor :
https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX5hPB3x1jrxTekNNS06QWeX3CKMrLJqHd4GIJ-a_dypFChUQ-LUIbsF5-5l6jCGBhzP_5rsjtXajeGEZKctUDAFQuiBNzIHRE-ac3av63M7beggiElLdvflLh95jlImBUwWekW4OzNCh3/s1600/procmon_zoom.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="649" data-original-width="1429" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX5hPB3x1jrxTekNNS06QWeX3CKMrLJqHd4GIJ-a_dypFChUQ-LUIbsF5-5l6jCGBhzP_5rsjtXajeGEZKctUDAFQuiBNzIHRE-ac3av63M7beggiElLdvflLh95jlImBUwWekW4OzNCh3/s640/procmon_zoom.png" width="640" /></a></div>
<br />
<br />
<br />
<div>
<br /></div>
<br />
<div class="MsoNormal">
There were two potential files of interest:<o:p></o:p></div>
<div class="MsoNormal">
<span style="mso-tab-count: 1;"> </span>C:\Windows\System32\dnsrslvr.dll<o:p></o:p></div>
<div class="MsoNormal">
<span style="mso-tab-count: 1;"> </span>C:\Windows\System32\dnsapi.dll<o:p></o:p></div>
<div class="MsoNormal">
<span style="mso-tab-count: 1;"> </span><o:p></o:p></div>
<div class="MsoNormal">
But Process Monitor didn't show the details of the actual
calls, so I looked into API Monitor:</div>
<div class="MsoNormal">
http://www.rohitab.com/apimonitor<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I set the filter to just look at getaddrinfo and related
requests in case I missed something.<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJwSHconZ50JIS8P3J031b8xuF1ZU4XsVtWDaEwxGsYyPEBYloTXCfsKhreA_KQqfd49Asuy1RTS3u6cV9eowgAEtNMCwObgmemljBQvHGTsyW4H_nV6BMU2wFZ6HcPldkPo9Vw04PpXbo/s1600/filter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="778" data-original-width="1600" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJwSHconZ50JIS8P3J031b8xuF1ZU4XsVtWDaEwxGsYyPEBYloTXCfsKhreA_KQqfd49Asuy1RTS3u6cV9eowgAEtNMCwObgmemljBQvHGTsyW4H_nV6BMU2wFZ6HcPldkPo9Vw04PpXbo/s640/filter.png" width="640" /></a></div>
<br />
<div class="MsoNormal">
I killed the existing Chrome process, started it again, and was able to identify
the getaddrinfo requests:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiRc6pN8O1MDKAO6UtVdiGEbjYaHZGAva6DlJGNutOXAT0gVI0mRo2RwpWKI_2vYKFi4v46r7QesWAJ-PNSD8rzrxGaIsJTwtW3OYUhMgfGwlsnlnaojSZp_nrgJj9_3i2rGC38UN5x0vi/s1600/APIMonitor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiRc6pN8O1MDKAO6UtVdiGEbjYaHZGAva6DlJGNutOXAT0gVI0mRo2RwpWKI_2vYKFi4v46r7QesWAJ-PNSD8rzrxGaIsJTwtW3OYUhMgfGwlsnlnaojSZp_nrgJj9_3i2rGC38UN5x0vi/s640/APIMonitor.png" width="640" /></a></div>
<div class="MsoNormal">
Cool! chrome.dll verified as the source!<o:p></o:p></div>
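<div class="MsoNormal">
As an added example (this is not code from the post), the Python below runs a detection pass over constructed DNS query log lines and flags the search-list walk pattern described above: an unqualified random-looking label, then the same label with each search suffix appended, none of which resolve. The log line format, the montance/montance.local search list, the NXDOMAIN criterion and the minimum label length are assumptions; once a label is flagged, the querying process can be attributed on the host exactly as the post does with API Monitor.</div>

```python
"""Added example: find DNS search-list walks (unqualified label, then the same
label with each search suffix, all NXDOMAIN) in constructed query log lines."""
import re
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client> <query name> <rcode>".
# The random labels and the montance/montance.local suffixes follow the post.
SAMPLE_LOG = """\
2019-04-01T08:00:01 10.0.0.5 biuivlhobb NXDOMAIN
2019-04-01T08:00:01 10.0.0.5 biuivlhobb.montance NXDOMAIN
2019-04-01T08:00:01 10.0.0.5 biuivlhobb.montance.local NXDOMAIN
2019-04-01T08:00:02 10.0.0.5 www.example.com NOERROR
2019-04-01T08:00:02 10.0.0.5 mail.montance.local NOERROR
2019-04-01T08:00:03 10.0.0.7 qzkdpwtrn NXDOMAIN
2019-04-01T08:00:03 10.0.0.7 qzkdpwtrn.montance.local NXDOMAIN
2019-04-01T08:00:04 10.0.0.7 intranet NXDOMAIN
2019-04-01T08:00:04 10.0.0.7 intranet.montance.local NOERROR
"""

# Assumed DNS suffix search list of the clients (taken from the post's example
# names), longest suffix first so "montance.local" is stripped before "montance".
SEARCH_SUFFIXES = ("montance.local", "montance")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, client, qname, rcode); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((ts, client, qname.rstrip(".").lower(), rcode.upper()))
    return records


def split_search_suffix(qname, suffixes=SEARCH_SUFFIXES):
    """Return (base_label, suffix); suffix is '' for an unqualified single label.
    Returns None for names that are not a single label plus an optional search suffix."""
    for suffix in suffixes:
        if qname.endswith("." + suffix):
            base = qname[: -len(suffix) - 1]
            return (base, suffix) if "." not in base else None
    return (qname, "") if "." not in qname else None


def find_search_list_walks(text, suffixes=SEARCH_SUFFIXES, min_label_len=7):
    """Group queries per (client, base label) and report labels that were queried
    unqualified AND with at least one search suffix, and never resolved.
    Legitimate short hostnames (e.g. "intranet") normally resolve on one of the
    suffixes, so the all-NXDOMAIN condition keeps them out of the result."""
    seen = defaultdict(lambda: {"names": [], "rcodes": set(), "suffixes": set()})
    for _ts, client, qname, rcode in parse_log(text):
        parts = split_search_suffix(qname, suffixes)
        if parts is None:
            continue  # fully qualified name outside the search list: not a walk
        base, suffix = parts
        entry = seen[(client, base)]
        entry["names"].append(qname)
        entry["rcodes"].add(rcode)
        entry["suffixes"].add(suffix)
    hits = []
    for (client, base), entry in seen.items():
        walked = "" in entry["suffixes"] and len(entry["suffixes"]) >= 2
        if walked and entry["rcodes"] == {"NXDOMAIN"} and len(base) >= min_label_len:
            hits.append({"client": client, "label": base, "names": entry["names"]})
    return hits


if __name__ == "__main__":
    for hit in find_search_list_walks(SAMPLE_LOG):
        print(f"{hit['client']}: search-list walk for '{hit['label']}' -> {hit['names']}")
```

Each hit names the client to examine next; the post attributes the queries to chrome.dll with API Monitor on getaddrinfo, and on hosts running Sysmon the DnsQuery event (Event ID 22) records the querying image directly.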
<br /><br /><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG8aW1_64WdhOkJvOjDQ28IGFxpH2PvRz8Je_iCVSA5mTHqjmN34ex1Ck0khoNKRq3Vq9zAzRN8XkCbtGPTuZr15Z9LwHXqTafr8hg3PxyXXraqNtr1h6czRCXUdWNdJ0cSSoTz1u6HIEB/s1600/api_zoom.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="1158" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG8aW1_64WdhOkJvOjDQ28IGFxpH2PvRz8Je_iCVSA5mTHqjmN34ex1Ck0khoNKRq3Vq9zAzRN8XkCbtGPTuZr15Z9LwHXqTafr8hg3PxyXXraqNtr1h6czRCXUdWNdJ0cSSoTz1u6HIEB/s640/api_zoom.png" width="640" /></a></div>
CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com0tag:blogger.com,1999:blog-6571547476689271589.post-58970175735465457832019-04-01T17:21:00.002-07:002019-04-01T17:21:23.531-07:00Security Operations Class Status<br />
<h1>
Summary<o:p></o:p></h1>
<div class="MsoNormal">
SANS MGT517 was cancelled and will not return. I will
release the material in several ways over the next year: as an online resource
(https://soc.montance.com), as an online class, as in person training, and in a
project plan book.<o:p></o:p></div>
<h1>
Brief Background<o:p></o:p></h1>
<div class="MsoNormal">
I wrote the course that became SANS Management 517 because
the two-day course I was a course author of, MGT535 – Managing Incident
Response, didn't seem to answer many of the questions that people were asking.
Namely, "How do I interface my incident handling capability to the
Security Operations Center?"</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Secondarily, there were always questions about the related
disciplines of what I eventually called “Self-Assessment Function” within the
SOC. How do I use, create, or mature my vulnerability assessment program? How
can I convince the IT department to help us by getting a good baseline in
place?<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Additionally, there was a gap that several people echoed.
There were several documents that identified various aspects of Security
Operations Centers (SOC), but there was no single reference that said exactly
what a SOC was. Carson Zimmerman's book and David Nathans' book were great,
but no one had publicly defined capabilities, staffing, the technology
involved, and the things that a SOC ingested and what its output was.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
What became MGT517 was my attempt to define a reference
model around security operations centers (SOC) for organizations to consider.
About 500 students attended MGT517 when it was available through SANS. These
students were from countries around the world, and from every sector: from
manufacturers of goods you use in your home; the companies who make the
computers you use; companies who operate the largest cloud infrastructures in
the world; companies who build the software that runs most major businesses;
security software firms; financial firms; healthcare entities; representatives
of governments. Each time I taught the class, there was a chorus of "Thank
you. I can take this back to my organization and say here's how we should do
this." There was a common theme of there not being any other resource or class
which covered this topic. There was usually also constructive criticism and
valuable insight shared by attendees.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I am disappointed that SANS chose to cancel the class. But
what SANS didn't cancel is my commitment to continue to develop the material. The
SOC, and security operations in general, is a critical capability for
organizations around the world.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I previously mentioned an Analysis of Competing Hypotheses
(ACH) write up on why MGT517 was cancelled. It is still underway. It’s going
very slowly, but will be published eventually. That matters less than what I’m
going to do next, so what follows is that information.<o:p></o:p></div>
<h1>
Crowley Motivations<o:p></o:p></h1>
<h2>
Material Access and Community Value<o:p></o:p></h2>
<div class="MsoNormal">
I want people to see the information I wrote. I think it
provides tremendous value because it puts forward a reference model. You're
welcome to disagree with it. In fact, I would say that you must at least
consider that the model may not be a good match for your organization. I've tried to envision and account for every
possibility. So, tailoring to your organization is certainly required with
such an abstracted and generalized model.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In addition to the security operations class, I am writing a
book to provide a project plan for building a SOC. This should provide a very
low-cost option for organizations to access the concepts expressed in these
various forums and provide a project plan for the organization to build a SOC.<o:p></o:p></div>
<h2>
Business Development<o:p></o:p></h2>
<div class="MsoNormal">
I want to work on interesting SOC projects. I’m only a
single person, and I won’t have a team of people working for me. Why not?
Because I’m not interested in building a company at this time. That takes away
from my ability to focus on the subject matter. But that means that I can’t
delegate tasks to people and help lots of companies simultaneously.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It means my ability to get involved in projects is very
limited if I want to keep my quality level high. My SANS teaching and course
development has consumed a large amount of my time for the last three years.
I'm taking the time I was exerting for MGT517 course development and shifting
it to course development for an online version and an onsite version outside of
SANS. I will have time for no more than 3 or 4 contract customers at any given
time, if I continue to teach for SANS and try to run a class independently.
There's a risk in attempting to do all of this, as SANS may see this effort as
competitive and choose not to ask me to instruct classes. Setting up courses
live takes a lot of time and effort, and marketing the classes is a massive
uphill battle. Enrollment, payment systems, and onsite logistics are expensive.
Life's a risk.</div>
<h1>
Actions Planned<o:p></o:p></h1>
<h2>
Web Resource<o:p></o:p></h2>
<div class="MsoNormal">
I paid a developer to build a website for me to have a forum
for SOC discussion by vetted individuals. I haven't been able to get back to
that effort due to so many different things going on. I've tried to find an
intern to help me to populate content onto the site. If you're interested in
helping me with the initial deployment of material, please let me know. You
wouldn't be writing anything, just populating material into the website. This will
be about a 3-month effort. Twitter is the best avenue to start this
conversation: @CCrowMontance.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I have a lot of material buried in slide decks that aren't
accessible to people. My intention is to rescue that information from the
PowerPoints I've built and move it to a forum for people to review and for
knowledgeable people to have meaningful discussions. My intention is to vet the
people who can discuss, but have the discussions be public. I think this is the
best way to produce high quality content. Even without community participation,
it will be a place where I can share the research and analysis I have done.</div>
<h2>
Online Class<o:p></o:p></h2>
<div class="MsoNormal">
The easiest way to get access to the material will be an
online version available through NetworkDefense.io. The price will be
affordable and the material will be adjusted to an online format. Once done,
this will run perpetually and will be available on your schedule.<o:p></o:p></div>
<h2>
Live Class<o:p></o:p></h2>
<div class="MsoNormal">
This will probably be a three day event, limited to 25
participants. I’ll go to locations that are good options for me and where I
think people want the event to run. This will be very much of a DIY effort, and
if you’re interested in helping me to run the class or want it as part of your
conference, I’ll certainly consider it. Also, private onsite runs are available
with a focus on your organization’s specific implementation.<o:p></o:p></div>
<h1>
Tentative Scheduled Events &amp; Locations</h1>
<div class="MsoNormal">
This list is ambitious, and I suspect several of these
classes will not run, but I’ll try to make them all happen.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<ul>
<li>Online: Expected date of initial availability: November 1, 2019</li>
<li>December 2-4, 2019 : Washington, DC Area : Security Operations Class – Public Enrollment</li>
<li>January 8-10, 2020 : New York City, NY : Security Operations Class – Public Enrollment</li>
<li>March, 2020 : Macau or Hong Kong : Security Operations Class – Public Enrollment</li>
<li>June, 2020: Europe or Middle East, TBD</li>
<li>August, 2020 : Las Vegas : Security Operations Class – Public Enrollment</li>
<li>November, 2020: Melbourne, Australia : Security Operations Class – Public Enrollment</li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I look forward to seeing you there.<o:p></o:p></div>
<br />CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com1tag:blogger.com,1999:blog-6571547476689271589.post-7312048261216784792018-11-30T08:07:00.000-08:002018-11-30T08:07:17.462-08:00Very Good: Not Good Enough<br />As a follow-on to my previous post, I want to address the cancellation of SANS MGT517.<div>
<br /></div>
<div>
The short story is there will be no additional offering of this course via SANS, and that is a final decision. I will provide training in the Security Operations Center subject matter via some non-SANS vehicle, stay tuned for the exact details around this in 2019.</div>
<div>
<br /></div>
<div>
The class was cancelled because the scores (from the daily feedback forms) were not good enough for SANS. I'm not going to address the relative merit of that decision, but needless to say I'm disappointed. </div>
<div>
<br /></div>
<div>
Nonetheless, I think the content I wrote for MGT517 is very valuable to the community, and most of the students who have taken the class have expressed their appreciation of the material, and how it has helped them.</div>
<div>
<br /></div>
<div>
That's all I have for now. Next update after the new year.</div>
CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com0tag:blogger.com,1999:blog-6571547476689271589.post-49166003417527607222018-10-07T01:13:00.003-07:002018-10-07T01:13:29.797-07:00File under #Failure: MGT517 cancelled<br />Personal failure is always tough to acknowledge. MGT517 has been cancelled from any future runs. There are three remaining in 2018, and none scheduled in the future: https://www.sans.org/mgt517<br />
<br />
Stand by here for my analysis of this situation and what led to it. I will also include some speculation on next steps. Expected time frame is mid-November.<br />
<br />CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com0tag:blogger.com,1999:blog-6571547476689271589.post-20178976532557053542018-08-05T07:29:00.002-07:002018-08-05T07:29:47.143-07:002018 Security Operations SOC Summit wrap up<br />
2018 SOC Summit is finished, the MGT517 following it is almost done. I'm enjoying co-teaching it with Carson Zimmerman. It's his first time out, and I've enjoyed hearing his perspectives on the material.<br />
<br />
I'll hit the high points from the talks with my favorite take away from each. For the TL;DR, have a few memes from the talks.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNeJhLuD_O84rn9_Yd3ULD8LmUNgrCKhrMyipzdG3c5W73iJn_8EMhb_jOHxPBMuRiK0ohCh8bMXxTp5iYG3bu67ClkUxjAgAJSrN1tI84pIBvbUhcGnU4Ivp7Pvy7qAtbdQ_fX9WTy0tf/s1600/2018-soc-summit-memes.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="578" data-original-width="487" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNeJhLuD_O84rn9_Yd3ULD8LmUNgrCKhrMyipzdG3c5W73iJn_8EMhb_jOHxPBMuRiK0ohCh8bMXxTp5iYG3bu67ClkUxjAgAJSrN1tI84pIBvbUhcGnU4Ivp7Pvy7qAtbdQ_fX9WTy0tf/s320/2018-soc-summit-memes.gif" width="269" /></a></div>
<br />
You should download the talks from here:<br />
https://cyber-defense.sans.org/resources/summit-archives<br />
<br />
Carson:<br />
. Measure not just the breadth of your log collection, but the depth<br />
. Unit test your SIEM rules / use cases<br />
. Track your SIEM use case analyst quality<br />
. Analyst baseball card<br />
<br />
Shelly & Brett<br />
. Establish Trust and protect it<br />
. Scribe to collect and report: but everyone is responsible for taking notes!<br />
<br />
Alissa<br />
. Insight into the state of your potential hires. Go read what they are saying about their prospects.<br />
. Chaos is not for everyone<br />
. Bad apples spread bacteria<br />
. Let Alissa talk to your SOC analysts! Figure out the problems and address them.<br />
<br />
SOC Survey<br />
. Hard to collect data, and we don't have a defined data set, but here are the highlights for this year's survey.<br />
. Tune in for the webcasts and download the paper.<br />
<br />
CompariSIEM<br />
. tools matter, but making the most of the tool is the path to success<br />
<br />
FOOD, not FUD<br />
. Framework of 5 items to provide Factual, Objective, Optimized Data<br />
<br />
Sun or Stars<br />
. Challenges are abundant, few organizations are thinking about striving for what's best for the long term<br />
<br />
Hacking your SOEL:<br />
. Move the activity to the front of the response activity<br />
<br />
All about your Assets:<br />
. Identify tools that contain the information you need, and figure out how to connect those tools together<br />
<br />
The Healthy SOC: A Case Study:<br />
. I'm going to ask you next year to come give a presentation about how you moved from where you are today to what you are next year. Will we be impressed? ;)<br />
<br />
<br />
-=-=-=-=-=- ~Day 2~ -=-=-=-=-=-<br />
<br />
What the CISO Really Wants<br />
. Have an in person conversation once a month with no computers, no technology, where you listen to understand<br />
<br />
Building the SecOps Use Case:<br />
. Develop the program for building and assessing use cases, starting with business use<br />
<br />
Back to Basics: System Integrity<br />
. Integrity Monitoring is important for identifying change<br />
<br />
TTP Zero:<br />
. Normalize the data to constrained concepts to effectively and consistently deliver the message on security operations<br />
<br />
Technical to Managerial positions:<br />
. It's a different skillset, you probably can't be both<br />
<br />
Threat Hunting Tour de Force<br />
. Start with ad hoc techniques then migrate them into procedures<br />
<br />
Burning Down the Haystack<br />
. operational tasks should be operational, identify pain points and fix them<br />
<br />
Most Dangerous Game:<br />
. Assess if you have full coverage using ATT&CK<br />
<div>
<br /></div>
CCrowMontancehttp://www.blogger.com/profile/04040557453680300321noreply@blogger.com0tag:blogger.com,1999:blog-6571547476689271589.post-38345550469648616792018-04-02T06:13:00.000-07:002018-04-02T06:13:55.657-07:00Metrics, metrics, everywhere and not a lot of thinking<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Someone sent me a personal e-mail asking for guidance on metrics, so I thought I would replicate that here publicly.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Also, Carson Zimmerman will keynote at the SOC Summit in New Orleans in August, 2018 with a talk specifically on metrics. Hopefully you can make it to that event. If you can't make it, you can check out that talk afterward via video.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
When starting out, I'd pick 3-5 reported metrics and a couple of service level objectives to start. Too many metrics results in diminished clarity on whether you're meeting the objectives of the organization.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Metrics</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Time to detection</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Method of Detection</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Time to initiate Response</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Root cause analysis: Level 1, 2, or 3.</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Level 1: a countermeasure was available, but wasn't applied</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Level 2: a countermeasure was available, we chose through risk acceptance not to apply it, and that allowed the issue to occur</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Level 3: "zero day" - no countermeasure was available</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Service Level Objectives</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Initial notification within 1 hour to system owners of affected systems</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
. Eradication results in final closure (no need to reopen) 100% of the time</div>
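<div>
As an added illustration (not from the e-mail or from this post), the Python below computes the metrics listed above and checks the two service level objectives over a few constructed incident records. The record fields are assumptions, as is measuring the notification deadline from the moment of detection, which the post does not specify.</div>

```python
"""Added example: compute the post's SOC metrics and SLO results from a
handful of constructed incident records (not real incident data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Incident:
    ident: str
    occurred: datetime          # earliest evidence of the intrusion, from the investigation
    detected: datetime          # when the SOC first became aware of it
    response_started: datetime  # when a responder actually began working the case
    owner_notified: datetime    # when the affected system's owner was told
    method: str                 # method of detection: SIEM rule, EDR, user report, ...
    rca_level: int              # root cause level 1, 2 or 3, as defined in the post
    reopened: bool              # case had to be reopened after "eradication"


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def metrics(incidents):
    """The reported metrics: time to detection, method of detection,
    time to initiate response, and the root-cause level breakdown."""
    ttd = [_hours(i.detected - i.occurred) for i in incidents]
    ttr = [_hours(i.response_started - i.detected) for i in incidents]
    return {
        "time_to_detection_h_median": median(ttd),
        "time_to_detection_h_max": max(ttd),
        "time_to_respond_h_median": median(ttr),
        "method_of_detection": Counter(i.method for i in incidents),
        "rca_level": Counter(i.rca_level for i in incidents),
    }


def slo_report(incidents, notify_within=timedelta(hours=1)):
    """The two SLOs: owner notified within 1 hour (assumed: measured from
    detection) and eradication final 100% of the time (no reopened cases)."""
    n = len(incidents)
    on_time = sum(1 for i in incidents if i.owner_notified - i.detected <= notify_within)
    reopened = [i.ident for i in incidents if i.reopened]
    return {
        "notified_within_1h_pct": 100.0 * on_time / n,
        "notification_slo_met": on_time == n,
        "eradication_final_pct": 100.0 * (n - len(reopened)) / n,
        "eradication_slo_met": not reopened,
        "reopened_cases": reopened,
    }


# Constructed sample records; dates and values are made up for illustration.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2018, 3, 1, 2, 0), datetime(2018, 3, 3, 10, 0),
             datetime(2018, 3, 3, 10, 30), datetime(2018, 3, 3, 10, 45), "SIEM rule", 1, False),
    Incident("INC-2", datetime(2018, 3, 5, 9, 0), datetime(2018, 3, 5, 9, 15),
             datetime(2018, 3, 5, 9, 30), datetime(2018, 3, 5, 11, 0), "EDR", 2, True),
    Incident("INC-3", datetime(2018, 3, 10, 0, 0), datetime(2018, 3, 12, 0, 0),
             datetime(2018, 3, 12, 6, 0), datetime(2018, 3, 12, 0, 40), "user report", 3, False),
    Incident("INC-4", datetime(2018, 3, 15, 12, 0), datetime(2018, 3, 15, 13, 0),
             datetime(2018, 3, 15, 13, 15), datetime(2018, 3, 15, 13, 50), "SIEM rule", 1, False),
]


if __name__ == "__main__":
    for name, value in metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
    for name, value in slo_report(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```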
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Online resource: look at VERIS, which is the data schema behind the Verizon DBIR:</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a href="http://veriscommunity.net/incident-track.html" style="color: #1155cc;" target="_blank">http://veriscommunity.net/incident-track.html</a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Look at Pescatore's "briefing the board" info:</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a href="https://www.sans.org/summit-archives/file/summit-archive-1496685631.pdf" style="color: #1155cc;" target="_blank">https://www.sans.org/summit-archives/file/summit-archive-1496685631.pdf</a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a href="https://www.sans.org/webcasts/influencing-effectively-communicating-ceos-boards-directors-103927" style="color: #1155cc;" target="_blank">https://www.sans.org/webcasts/influencing-effectively-communicating-ceos-boards-directors-103927</a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
For a book to read on metrics, the standard reference is Joqaith's Security Metrics:</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a data-saferedirecturl="https://www.google.com/url?hl=en&q=https://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989&source=gmail&ust=1522760908060000&usg=AFQjCNHUiUc5aymIx-56S1uoaU2etj92QA" href="https://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989" style="color: #1155cc;" target="_blank">https://www.amazon.com/<wbr></wbr>Security-Metrics-Replacing-<wbr></wbr>Uncertainty-Doubt/dp/<wbr></wbr>0321349989</a></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
Also look at the Hubbard / Siersen "how to measure risk" book. Rich gave a talk last year at the SOC summit, but I don't see the talk posted. </div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<br /></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px;">
<a data-saferedirecturl="https://www.google.com/url?hl=en&q=https://www.sans.org/summit-archives/cyber-defense&source=gmail&ust=1522760908060000&usg=AFQjCNHqvasQ6dgohXw2ZxGNJ8fpUEG7kA" href="https://www.sans.org/summit-archives/cyber-defense" style="color: #1155cc;" target="_blank">https://www.sans.org/summit-<wbr></wbr>archives/cyber-defense</a></div>
<div>
<br />
<br />
<br /></div>
<br />
<b>File under #failure</b> (CCrowMontance, 2017-09-17)<br />
Equifax announced a massive breach of taxpayer information.<br />
<br />
TL;DR : Lock your credit accounts:<br />
<br />
https://www.experian.com/freeze/center.html#content-01<br />
https://www.innovis.com/securityFreeze/index<br />
https://www.transunion.com/credit-freeze/place-credit-freeze2<br />
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp<br />
<div>
<br /></div>
<br />
Basic recommendation, freeze your credit report. This does two things. First, it protects you. Second, if most US taxpayers freeze their credit it will change the way these companies do business. They're collecting information about you and reselling it to third parties. They'll charge you a fee (credit monitoring) to protect that information. In my opinion it is perverse that they'll only protect your information for a fee. It will be interesting to see how the class action lawsuits which follow will shape the credit monitoring services.<br />
<br />
I'm also interested in how the Internal Revenue Service (IRS) of the United States addresses this. They've been pretending for two decades too long that the social security number is somehow a shared secret. It is not. Time to re-key, IRS. You have suffered a data breach through an irresponsible vendor partner. You've allowed these vendors to leverage your information for far too long. Fix this broken system.<br />
<br />
<b>SANS SOC Summit 2017</b> (CCrowMontance, 2017-06-06)<br />
A quick listing, for each talk, of the TODO items that I extracted from the presentation.<br />
<br />
The presentations are available here:<br />
https://cyber-defense.sans.org/resources/summit-archives<br />
<br />
<b><span style="font-size: large;">Day 1</span></b><br />
<b><span style="font-size: large;"><br /></span></b>
Keynote Good vs Evil: Winning the Age Old Battle<br />
Doug Burks (@dougburks), CEO, Security Onion Solutions LLC<br />
<b>TODO</b>: Practice Japanese. More work on motivating people to perform optimally.<br />
<br />
<br />
Stuck in the Box: A SIEM's Tale<br />
Justin Henderson (@SecurityMapper), Systems and Security Architect, GSE # 108, Cyber Guardian Red/Blue<br />
<b>TODO:</b> Develop a list of "go to" Event IDs<br />
<br />
How to Measure Anything in the SOC<br />
Rich Seiersen, Former General Manager - Cyber Security & Privacy, GE Healthcare<br />
<b>TODO: </b>Develop predictive analytical model for SOC (and read Rich's book)<br />
<br />
Metrics for Justifying SOC Investment to the CEO and Board<br />
John Pescatore, Director of Emerging Security Trends, SANS Institute<br />
<b>TODO: </b>Decide on key performance indicators and develop report / dashboard to depict them.<br />
<br />
Debunked: Traditional IR Calls<br />
Gregory Braunton, National Director, Threat Management, Incident Response and Forensics, Catholic Health Initiatives<br />
<b>TODO:</b> Visual collaboration tool. (Reminds me also to develop the ACH rubrics for common incident scenarios.)<br />
<b><br /></b>
Siri for SOC: How an Intelligent Assistant can Augment the SOC Team<br />
Bobby Filar (@filar), Sr. Data Scientist, Endgame<br />
Rich Seymour, Sr. Data Scientist, Endgame<br />
<b>TODO:</b> Develop question based playbook for analysts.<br />
<b><br /></b>
The Need for Investigation Playbooks at the SOC<br />
Matias Cuenca-Acuna, Principal Engineer, Intel Security<br />
<br />
Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services<br />
<b>TODO: </b>Differentiate response playbook and investigative playbook, refine current playbook.<br />
<br />
<br />
<b><span style="font-size: large;">Day 2</span></b><br />
<div>
<b><span style="font-size: large;"><br /></span></b></div>
<br />
Keynote: Survey Says: Actionable Insights from the SANS SOC Survey<br />
Chris Crowley (@CCrowMontance), SANS Institute<br />
<b>TODO: </b>Build a survey that captures a representative sample of SOCs globally.<br />
<div>
<br /></div>
<br />
SIEMple Simon Met a WMIman<br />
Craig L. Bowser, Sr. Security Engineer, Dept. of Energy<br />
<b>TODO: </b>Adapt this for SOC Analysts, and have a punch list of checks to be sure they're accomplishing these checks.<br />
<b><br /></b>
Inattentional Blindness (IB) & Security Monitoring<br />
Ismail Cattaneo, Sr. Manager of Security Operations & Engineering, Verizon Enterprise Solutions<br />
<b>TODO: </b>Pay attention, and keep working on a converged analytical methodology between "Organizational Dimensions, Analysis of Competing Hypotheses, Kill Chain, and Diamond Model"<br />
<br />
Hunting Adversaries with "rastrea2r" and Machine Learning<br />
Gabriel Infante-Lopez, Software Architect & Data Science, Intel Security<br />
Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services<br />
<b>TODO: </b>Look at the open source project for collecting information between disparate tools.<br />
<br />
Color My Logs: Understanding the Internet Storm Center<br />
Johannes Ullrich, PhD, Dean of Research, SANS Technology Institute<br />
<b>TODO: </b>Look for ways to enrich information in SOC data with restful information from within SANS ISC. Install a Raspberry Pi.<br />
<br />
SOCs for the Rest of Us<br />
Dave Herrald (@daveherrald), GSE #79, Senior Security Architect, Splunk<br />
Ryan Kovar (@meansec), Staff Security Strategist, Splunk<br />
<b>TODO: </b>Take the questions Dave and Ryan used and turn them into an assessment capability.<br />
<br />
Building the Cybersecurity Workforce We Need: Creating Pipelines and Pathways Without Poaching<br />
Arlin Halstead, Strategic HR Business Partner, NTT Security<br />
Maxwell Shuftan (@SANSCyberTalent), Director of CyberTalent Solutions, SANS Institute<br />
<b>TODO: </b>Refine hiring standard questions and look at retention methodology.<br />
<br />
DDoS Attacks in Action<br />
Ben Herzberg, Security Research Group Manager, Imperva Incapsula<br />
<b>TODO: </b>Practice Python. Inventory DDoS vulnerability assessment and remediation tools.<br />
<br />
<b>Threat Hunting Summit 2017 and MGT517.2017.2</b> (CCrowMontance, 2017-04-25)<br />
I had the opportunity to see many great talks, but missed just as many due to obligations and getting other work done. If you didn't get to attend the THIR summit, the high quality videos should be online soon here:<br />
<br />
https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017/summit-videos/<br />
<br />
If you are interested in my talk, you can see the powerpoint here:<br />
<br />
https://bit.ly/crow-th<br />
<br />
More elaboration on the security operations functional areas here:<br />
<br />
http://www.montance.com/mgt517<br />
<br />
Thank you to the people who took the time to chat with me about their opinions or experience on the topics I covered. It's tough to present a complete system in 30 minutes. I hope your organization has a strategic vision for what your security operations is going to be. If you don't, steal my diagram from the bit.ly link above and start to plan for how your functions can work together to optimize your scarce resources.<br />
<br />
Also, much appreciation to the folks who attended MGT517. I was impressed by the discussions we had. I feel like I learn a massive amount each time I teach. Some of it is validation of the opinions I hold, some of it is a challenge to my approach. Criticism and permutations help to refine the system. I'm excited about a few things that I'm going to incorporate. First is the notion of a more data-centric depiction of the metrics I advocate for the SOC. Another enhancement planned for the next revision is a deeper dive into threat hunting scenarios. Finally, ACH brainstorm templates for incident types to encourage analysts to employ ACH, Kill Chain, and Diamond Model as analytical tools.<br />
<br />
<b>Positive feedback</b> (CCrowMontance, 2017-04-19)<br />
<blockquote class="tr_bq">
<blockquote style="background-color: white; color: #222222; font-family: arial, sans-serif;" type="cite">
<div class="m_-5465083259295560153WordSection1">
<div class="MsoNormal">
...never has a SANS track been more relevant, timely, thorough, and pragmatic as I found the MGT517 course to be. In my opinion, Chris (and I am quite sure an entire team of reviewers) has thought of, considered, and addressed every issue that I have encountered in my journey to standing up an internal SOC at my company.</div>
</div>
</blockquote>
</blockquote>
Positive thoughts. There are many things I'd like to refine within the class, but I appreciate the acknowledgement.<br />
<br />
<b>MGT517 Hot Wash - Orlando - 2017-04-14</b> (CCrowMontance, 2017-04-14)<br />
<br />
The first official run of MGT517 just wrapped up in Orlando, FL.<br />
<br />
Primary take away messages from the attendees.<br />
1. There are a number of companies trying to build a SOC, but they're not exactly sure what a SOC is.<br />
2. Political issues are more difficult to overcome than technical problems.<br />
3. I'm roughly 12-18 months late on this class. A common comment from people, "I wish I had taken this class 12 months ago when I started building the SOC for ____ company."<br />
<br />
Some improvements I plan to make:<br />
1. In the Design discussion, depict the ways we're going to cover the material in the build, operate, and mature sections. (TODO - near term)<br />
2. Set up a website with resources for reference (TODO - near term).<br />
3. Adjust the metrics to present the balanced scorecard approach, and include some of the examples that John Pescatore gave in his lunch time talk to the class. (TODO - near term)<br />
4. Enhance the swimlane diagram that depicts the functional-area process relationships with updated inputs, people, artifacts, and technology. (TODO - ongoing)<br />
<br />
I was pleased by the excellent attendees. Lots of great discussion and insight shared by people. A benefit of the class is making the connections with the small number of other professionals in the space.<br />
<br />
Finally, I'm thrilled at the overwhelming response of people to attend the course. I know that it is full for the next couple of runs. Anyone who is unable to get into the class, please be patient, we're running the course many times this year. Take a look at the events later this year. If the demand is persistent, I'll work with SANS to add additional runs this year.<br />
<br />
<b>Three Characters (Caricatures) of Incident Response</b> (CCrowMontance, 2017-03-26)<br />
I've been using this set of three types of IR characters to describe my opinion on the capabilities. I thought I would share it. I'll try to "polish the turd" at some time in the future.<div>
<br /></div>
<div>
We need all of these capabilities in IR/SecOps. Having each in the right measure is the trick. A few Eagles and no Janitors isn't going to work.<br /><h2>
Janitor</h2>
<div class="MsoNormal">
Not glorious or proactive, the Janitor is tasked with cleanup. This occurs after the incident has transpired. This is a necessary capability, is usually the first capability to be developed, and should be operational to the degree that the janitorial services are low cost, effective, and capable of dealing with the sorts of messes the organization produces.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The janitor sometimes finds things left behind that are interesting, and should know to bring this to the attention of the appropriate component of security operations. Janitorial services are frequently outsourced, should be relatively low cost, measurable, and repeatable. These tasks can be level 4 (measured) or 5 (optimized) on the CMMI scale.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Janitors infrequently have the agency within the organization to effect change. Albert Einstein famously discussed his most difficult problems with the janitor. Maybe it was because the janitor was the only one around at his odd work hours. Maybe the conversation proceeded because the janitor could see all the details of things left undone by people that made his job unnecessarily difficult.</div>
<h2>
Firefighter</h2>
<div class="MsoNormal">
A proactive capability, with the opportunity to minimize damage. Firefighters are trained to address the most critical aspects first: save the lives of the people and the animals first. In information security terms, this includes tasks of preventing exfiltration or, more generally, actions on objectives, to use the Cyber Kill Chain® terminology.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The next order of business for firefighters is to simultaneously prevent the spread of the current blaze to nearby fuel sources. This might be buildings, or it might be portions of the landscape when dealing with wildfires. When conditions are optimal, stopping the spread of the fire is relatively easy. If the nearby buildings are made of concrete with metal roofs, the temperature required for them to catch fire is likely too high. But, if there are high winds, the nearby pine forest is parched due to drought, and the current fire is burning hot enough to send embers flying, the likelihood of the fire spreading beyond the control of the current fire-fighting team increases.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Firefighters are often volunteer teams that have funding from the community to protect any resource that might encounter a problem. Resource rich areas with high rise buildings, dense populations, and greater environmental risk often have more restrictive controls in place. Specialized equipment like ladder trucks for tall buildings is deployed as needed. Community requirements like smoke detectors, fire suppression systems, automatically closing and fire rated doors are common in public spaces.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The information security analogy is obvious. Preventive and detective measures built into systems are the result of diligent, persistent community awareness around the risks of information systems. The systems with the most information density typically have formal requirements associated with risk management. The less important, resource constrained areas are often left to cobble together a response capability on their own. The skillset of a volunteer, self-trained force is often less than that of a professional response capability. However, the ownership and agency that volunteers might have frequently creates circumstances where they outperform their fully funded counterparts on a dollar-for-dollar basis. That sense of ownership and heroism usually cannot be sustained perpetually. Ad hoc response teams try to demonstrate the need for additional funding by citing current successes and the substantial and growing demand for the service.</div>
<h2>
Eagle</h2>
<div class="MsoNormal">
Most eagle species are apex predators. With impressive visual acuity, they catch prey unaware. The eagle can strike and kill prey substantially larger than itself, sometimes killing prey 6 times its own weight.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The threat hunting responder who knows the narrow passes in the network, and can use the likely places an attacker must traverse to perform actions on objectives, is an IR eagle. The eagle can scan massive areas, locate minutiae that everyone else would miss, and take out an intruder with speed and precision.</div>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Once the IR eagle chooses to focus in on one specific prey, it loses sight of the other, potentially more important attackers. It’s expensive to maintain a lot of top performers within an IR group, and like the actual eagle, these hunters are often solitary and territorial.</div>
</div>
<br />
<b>FOR578 and Cyber Threat Intel Summit 2017</b> (CCrowMontance, 2017-02-02)<br />
<div class="MsoNormal">
I attended FOR578 – Cyber Threat Intelligence ( <a href="https://www.sans.org/course/cyber-threat-intelligence">https://www.sans.org/course/cyber-threat-intelligence</a> ) at the Cyber Threat Intel Summit this past week. Two of the course authors, Robert M Lee (@RobertMLee) and Rebekah Brown (@PDXBek), co-taught the class. The third course author is Jake Williams (@MalwareJake).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
My background is network and security operations, incident
response, and pen testing. I haven’t ever functioned as an intel analyst
specifically. But, I’ve been both a consumer of Intel and a producer of Intel
in past roles. There were three primary items that I want to share from this
class.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ol>
<li>The importance of clear articulation of the use of <b><i>consumption of Intel versus production of Intel</i></b> in the mission objectives of the team.</li>
<li>The potential for <b><i>enrichment </i></b>of raw data with Intel</li>
<li>An effective expression of the kill chain via the concept of <b><i>race to the finish.</i></b></li>
</ol>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Before I go into the details of these items, I want to express why they are important to me, so you understand the reason why these are primary take away lessons. The course that I wrote (MGT517 – Managing Security Operations: Detection, Response, and Intelligence) discusses integration of intel into security operations. I wanted to glean as much as possible from Rob, Rebekah, and Jake’s experience working in the Intel community to ensure that the system I’m presenting is aligned with their experience, and with what Intel Analysts attending SANS training will be bringing back to their organizations.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I determined that most of the other students were there to
sharpen (or to establish) the intelligence function within their organizations.
In speaking with the other attendees, and in listening to their questions,
there were many tactical (how to do the intel actions) questions. There were
also some strategic (what should we be doing) questions but most were on the
tactical side.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<h2>
The importance of clear articulation of the use of <b><i>consumption of Intel versus production of Intel</i></b> in the mission objectives of the team.</h2>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There are two major things to do with threat intelligence: produce it or consume it. A funded and mature team of threat intelligence analysts will likely do both. For less mature or less funded functions, the consumption of intelligence is a more realistic goal. This consumption-only strategy, summarized, means the purchase of threat intelligence feeds and the aggregation of open source intelligence information. This information is culled for the data relevant to the organization the threat intel analysts work for. At some point in time, these analysts may determine that they have collected data internal to their organization which is worthwhile to share with other parties outside of the organization. This is the production of intelligence.<br />
<br /></div>
<h2>
The potential for tight integration of <b><i>enrichment</i></b> of raw data with Intel.</h2>
<div class="MsoNormal">
Let’s discuss the objective of consumption of intelligence. The term applied during FOR578 was <b><i>enrichment</i></b>. There was discussion of what this looks like and how to do it. I’m going to skip those details because they are more granular than the space I intend to devote to this post. But the key take away is that the process of combining external intelligence with internal data is enrichment. Let’s use the pyramid of pain ( <a href="https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html">https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html</a> ) to describe the ingestion of threat intelligence. We’ll stay abstract and refer to the categories of intelligence: hashes; IP addresses; Domain Names; Host artifacts; Tools; and Tactics, Techniques, and Procedures (TTPs).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Enrichment of your internal data with the lower levels (hashes, IP addresses, Domain Names, and Host Artifacts) takes some work, but is relatively straightforward. Use of this data includes analysis of the data elements to validate that they are applicable, and correlation against your stored data to assess the presence of these data elements. An example might be the addition of the updated file hash values to sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon) tracking. It might include researching your DNS query logs for requests to DNS entries identified via the threat intelligence. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Most important to this effort is using that initial item of identification to start the effort of collecting additional intelligence about what adversaries are doing within your environment. This can be neatly encapsulated in Bejtlich’s Intruder’s Dilemma: the defender needs only one initial indicator to begin response (https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html).<br />
<br /></div>
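<div class="MsoNormal">
As an added example (not code from the original post or from the FOR578 course), the following Python script performs the enrichment described above for the two lowest tiers of the pyramid of pain and then the pivot that the Intruder’s Dilemma calls for. It parses constructed DNS query log lines, matches the queried names and the resolved addresses against a constructed indicator set, and for every hit collects the other internal hosts that resolved the same name and the other names the hitting host resolved. The log format, the indicator values and the host addresses are all made up for illustration; the domain comparison is done on label boundaries so that a look-alike name such as notbad-example.test does not match the indicator bad-example.test.</div>

```python
"""Enrich constructed DNS query logs with consumed threat intelligence.

Added example, not code from the original post or from FOR578. The indicator
values, host addresses and log format below are constructed for illustration;
a real deployment would load indicators from a feed and parse the resolver's
own log format.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator set for two pyramid-of-pain tiers (reserved/test values).
INTEL = {
    "ip": {"203.0.113.45"},                            # TEST-NET-3 address
    "domain": {"bad-example.test", "c2.example.net"},  # reserved example names
}

# Constructed resolver log: "<timestamp> <client_ip> <queried_name> <answer_ip>"
DNS_LOG = """\
2017-02-01T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34
2017-02-01T10:00:07Z 10.0.0.5 update.bad-example.test 203.0.113.45
2017-02-01T10:00:09Z 10.0.0.9 mail.example.com 93.184.216.35
2017-02-01T10:01:13Z 10.0.0.9 c2.example.net 198.51.100.7
2017-02-01T10:02:00Z 10.0.0.7 notbad-example.test 192.0.2.10
2017-02-01T10:02:30Z 10.0.0.5 c2.example.net 198.51.100.7
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def domain_matches(qname, intel_domains):
    """True if qname is an intel domain or a subdomain of one.

    Matching on label boundaries keeps a look-alike such as
    'notbad-example.test' from matching 'bad-example.test'.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in intel_domains)


def enrich(records, intel):
    """Tag each log record with the intel tier(s) it matches; return the hits."""
    hits = []
    for ts, client, qname, answer in records:
        tiers = []
        if domain_matches(qname, intel["domain"]):
            tiers.append("domain")
        try:
            if str(ipaddress.ip_address(answer)) in intel["ip"]:
                tiers.append("ip")
        except ValueError:  # answer field was not an IP address
            pass
        if tiers:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "tiers": tiers})
    return hits


def pivot(records, hits):
    """From each confirmed indicator, widen the investigation (Intruder's Dilemma).

    For every hit, return the other internal hosts that resolved the same name
    and the other names the hitting host resolved, so the analyst keeps
    collecting rather than stopping at the first match.
    """
    clients_by_qname = defaultdict(set)
    qnames_by_client = defaultdict(set)
    for _, client, qname, _ in records:
        clients_by_qname[qname].add(client)
        qnames_by_client[client].add(qname)
    out = {}
    for h in hits:
        out[(h["client"], h["qname"])] = {
            "other_clients": sorted(clients_by_qname[h["qname"]] - {h["client"]}),
            "other_qnames": sorted(qnames_by_client[h["client"]] - {h["qname"]}),
        }
    return out


def run(log_text=DNS_LOG, intel=INTEL):
    """Parse, enrich and pivot; returns (hits, pivots)."""
    records = list(parse_dns_log(log_text))
    hits = enrich(records, intel)
    return hits, pivot(records, hits)


if __name__ == "__main__":
    hits, pivots = run()
    for h in hits:
        print(f"{h['ts']} {h['client']} -> {h['qname']} [{', '.join(h['tiers'])}]")
    for key, related in pivots.items():
        print(key, related)
```

<div class="MsoNormal">
Hashes and host artifacts would be matched the same way against endpoint telemetry such as sysmon events. The label-boundary check in domain_matches is the detail most often missed when a plain substring match is used, and the pivot output is what turns one matched indicator into the start of collection rather than the end of it.</div>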
<h2>
An effective expression of the kill chain via the concept of <b><i>race to the finish</i></b>.</h2>
<div class="MsoNormal">
I discuss the cyber threat kill chain in MGT517 (as well as ACH, Diamond Model, and Hofstede’s Cultural and Organizational dimensions) to address a terrible lack of encouragement for objective analysis within security operations.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Rob had a specific item of guidance regarding practical application of the Cyber Kill Chain®. Among the other practical guidance was the notion of “race to the finish.” That is, wherever you find a data element in the kill chain, go down the chain toward the finish rather than back up the chain to the beginning. The rationale is that the end of the chain is where the important information is: the information that allows you to understand, and then express, the impact to the business of the intrusion you’re investigating.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
I gathered many other nuggets of wisdom from Rob and Rebekah. These three items warrant repeating: start with consumption of intelligence and, as the function matures, move into production of intelligence; enrich your internal data with intelligence you consume; start by racing to the finish in the kill chain, or whatever framework you use to understand adversary actions.</div>
<div class="MsoNormal">
<br /></div>
<br />
<b>Risk of a lost mobile device</b> (CCrowMontance, 2016-12-24)<br />
Losing a mobile device will one day be your reality. Sorry, but it is a fact.<br />
<br />
I just dealt with this personally. Wasn't my phone, but I needed to address the lost phone.<br />
<br />
Fortunately, the fact that it was missing was noticed very quickly.<br />
<br />
It's an Android phone, so I assisted the person to log into the google account controlling the phone.<br />
<br />
We looked at the location history, which is enabled on this particular phone. You can see if your location history is present by logging into your google account here:<br />
<br />
https://www.google.com/maps/timeline<br />
<br />
I want to briefly address the creeptastic aspect of this information. I've personally used this location history for an extended period of time on my phones. I can see where my phones are to a high degree of accuracy. My every movement is traced by these phones. There's risk to this as well. While that's not what this blog post is about, think about it. As a future experiment, I'm going to completely disconnect for a period of time. A digital detox of sorts. But for now, I get the benefit and privacy invasion of this configuration.<br />
<br />
I suspect most people have enabled Google (Android) location history without realizing the abundance of information present.<br />
<br />
The location history for this phone was enabled, the location was quickly identified, and the phone was recovered.<br />
<br />
Fortunate, in this case.<br />
<br />
Even if the location history isn't enabled, all is not lost. There's also the Android device manager:<br />
<br />
https://www.google.com/android/devicemanager<br />
<br />
Log in, lock the phone, ring the device ringer, and optionally display a contact telephone number or message. I hope you read this before you lose your phone and are able to make an informed decision around location history use.<br />
<br />
If you are considering this for small-business management of devices, you can restrict who can see your location to a small number of other accounts. This is like the functionality of commercial MDMs, available for free within Android's built-in capability.<br />
<br />
<b>Apolitical (reds and blues)</b> (CCrowMontance, 2016-11-14)<br />
<b>Being overseas during the election was a fascinating experience.</b><div>
<br /></div>
<div>
This blog post isn't about the relative merits of either candidate or associated political parties. It is not about the information warfare techniques used during the election. It is not about the electoral college. </div>
<div>
<br /></div>
<div>
This blog post is about the inherent stability of the United States of America's governance structure, and why that structure has caused discontent in the American populace, and concerns for global stability in people worldwide.</div>
<div>
<br /></div>
<div>
In the interest of pithy expression, I'm going to raise 5 points, and ask one question.</div>
<div>
<br /></div>
<div>
1. USA's government is designed to be inefficient</div>
<div>
2. USA's government has always been a blending of competing interests</div>
<div>
3. Concerns of the people in the USA </div>
<div>
4. USA strives for global stabilization</div>
<div>
5. People are afraid of the unknown and this is nothing new</div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<div>
<b>1. USA's government is designed to be inefficient</b></div>
<div>
The founding fathers constructed the government to resist the capability of any one individual or organization to exert excessive and persistent control of the government.</div>
<div>
<br /></div>
<div>
<b>2. USA's government has always been a blending of competing interests</b></div>
<div>
To operate, then, the government must cooperate within itself and convince the people (of the USA) to vote for the representatives. To accomplish this, there's a short cycle of immediate interests to demonstrate "value" to the people the representative needs to vote for him or her. Simultaneously, this representative must attempt to coerce the opposing party to give some concession. Usually this concession is in exchange for a mutual concession.</div>
<div>
<br /></div>
<div>
As such, no one is really pleased with the government. The government is a raucous contention for control.</div>
<div>
<br /></div>
<div>
<b>3. Concerns of the people in the USA</b><br />There's an interesting statistic I have seen from this election. I have two sources I found via Wikipedia, but I'm not certain of the true, authoritative source for this number. But, the statistic is that roughly 60% of the eligible voters in the USA voted in this election.</div>
<div>
links:</div>
<div>
http://www.presidency.ucsb.edu/data/turnout.php</div>
<div>
http://www.electproject.org/2016g</div>
<div>
<br /></div>
<div>
The electproject.org site has links to the source of their data, most of which are to the state's website.</div>
<div>
<br /></div>
<div>
I'll offer two hypotheses which explain this; you're welcome to add competing hypotheses in the comments. If enough people are interested, we can construct an ACH graph representing this.</div>
<div>
<br /></div>
<div>
<i>Hypothesis 1</i>: Eligible voters in the USA who didn't vote are opposed to either of the viable (Democrat or Republican) candidates for President and thus didn't vote.</div>
<div>
<br /></div>
<div>
<i>Hypothesis 2</i>: Eligible voters in the USA who didn't vote think that the system will prevent either viable candidate from substantially effecting change.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b>4. USA strives for global stabilization</b></div>
<div>
I'm a citizen of the United States of America, in case that's not readily apparent from this post thus far. My biased opinion is that the USA's global military presence is in fact intended to maintain a peaceful balance of power and contain opposition without conquering it, as opposed to a military with the intention of creating fealty among all adversaries.</div>
<div>
<b><br /></b></div>
<div>
<b>5. People are afraid of the unknown and this is nothing new</b></div>
</div>
<div>
I'm of the opinion (derived largely from psychological, biological, and philosophical studies plus my personal observation) that individual human actions are primarily motivated by: avoidance of pain, avoidance of death, and the search for pleasure. I think the individual expresses these in varying order of priority. </div>
<div>
<br /></div>
<div>
The unknown impact of this election was a topic of substantial inquiry last week while I was in Australia. Every non-American I spoke with asked me about the election results. My canned immediate response was intended to defuse immediately: "What election?" With a gigantic smile. But, of course, I elaborated. I shared my thoughts on each candidate if asked. I shared my thoughts on what I think is a system capable of withstanding any megalomaniac who gets elected intending to assert massive change.</div>
<div>
<br /></div>
<div>
I rarely talk about politics, even when asked. Which is why strangers typically talk only about the weather. https://www.youtube.com/watch?v=wTG4746_Fgc</div>
<div>
<b><br /></b></div>
<div>
<b>My question to you is, now that we can do anything, what will we do? </b></div>
<div>
This question is quoted from Bruce Mau's project "Massive Change." I chuckle to myself to think that this is a marketing company. Some other blog post I'll discuss why I don't like marketing, and that I've chosen to specifically forgo a tremendous volume of content to avoid it.</div>
<div>
<br /></div>
<div>
He was not the first to ask this question, and he won't be the last. People worldwide are called upon daily to answer it. The project of responding to this question is the expression of your legacy. I sincerely hope that the legacy of the designers of the government of the United States of America is that the government they set in motion is capable of maintaining its dignity and global position in spite of ugly politics and substantial discontent of the people.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
That's the best I can do for being pithy and apolitical. ;)</div>
CCrowMontance (http://www.blogger.com/profile/04040557453680300321), 2016-10-11T09:10:00.000-07:00
What not to do when taking a GIAC exam<div class="MsoNormal">
I’ll discuss these in more detail, but here are a few items worth considering avoiding. I’m writing this the day after I passed my GIAC GXPN with my lowest score ever on a GIAC exam (90%). I’m accustomed to scoring 95% or better, and I feel like I had subpar performance on this exam. So, I’ll discuss the things I didn’t do, so you won’t make the same mistakes. My GIAC certs: GSEC (SEC401), GCIA (SEC503), GCIH (SEC504), GCFA (FOR508), GMOB (SEC575), GASF (FOR585), GREM (FOR610), GXPN (SEC660).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In case you don’t know me and have found this blog post via the magic of search, I’m a Principal SANS Instructor and consultant. Yes, I still take exams. I really care what I get for a score on my exams.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>1. Don’t procrastinate</b></div>
<div class="MsoNormal">
<b>2. Don’t skip making an index</b></div>
<div class="MsoNormal">
<b>3. Don’t skip taking the practice exams</b></div>
<div class="MsoNormal">
<b>4. Don’t squander your time during the exam</b></div>
<div class="MsoNormal">
<b>5. Don’t beat yourself up</b></div>
<div>
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>1. Don’t procrastinate</b><br />
The biggest problem for this exam was that I took the class in April at SANS Orlando. I consistently advise students to (HTFU) and create the index within a week (two maximum) of taking the class, take a practice exam within two or three weeks, take a second practice exam if you got below an 80%, and take the actual exam within a week or two of the practice exam.</div>
<div class="MsoNormal">
This exam, I simply didn’t do that. Why? Because I let my schedule dictate my priorities and failed to allocate and/or follow through on the index creation and practice exam. In retrospect, six months later, I didn’t spend any additional time over the last few weeks that I couldn’t have spent 5 or 6 months ago. I spent approximately 9 hours studying for the exam. Most of those 9 hours were not purely focused, and I had interruptions like messages and twitter during that time. It was only as I was rushing out of my house, jetlagged, printing my just completed index on my just connected printer (I just moved ;) that I really dedicated my time.</div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>2. Don’t skip making an index</b><br />
My index methodology is something I’ve shared with a number of people. Check out the details and Perl script here: http://bit.ly/crowley-index-script . I’ve had people come up to me to introduce themselves, thanking me for helping them to pass exams based on this script. The method I use has been translated into Japanese: contact me via twitter ( CCrowMontance ) if you want the Japanese version.</div>
<div class="MsoNormal">
The short story for my index method is that I spend about 1-3 hours per book reviewing the content and creating raw data to input to the Perl script. The raw data looks something like this:<br />
<br />
<span style="font-family: 'Courier New';">14;GIAC, exam;exam, GIAC;certification, exam, GIAC;certification, exam, passing;exam, GIAC, pass</span><br />
<br /></div>
<div class="MsoNormal">
The point being that I include the topics on each page, in some cases referencing the same information multiple different ways. The reason for the duplication is that I don’t know how I’ll need to seek the data when I attempt to retrieve it. My memory is excellent, but my recall is terrible.</div>
<div class="MsoNormal">
The index helps me quickly find detailed information in the books to confirm my thought, or differentiate a nuanced detail that I can’t recall.</div>
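<div class="MsoNormal">
The following is an added worked example, not the author’s Perl script: a short Python program that turns raw lines in the format shown above (a page number, then semicolon-separated index entries, each a comma-separated phrase) into an alphabetized inverted index from entry to page numbers. The reading of the fields is an assumption drawn from the single sample line; the raw lines embedded in the script are constructed for illustration and come from no real course book.</div>

```python
"""Build an alphabetized exam index from 'page;entry;entry;...' lines.

Added example, not the author's Perl script. Format assumption, taken from
the one sample line in the post: the first field is the page number and
every following semicolon-separated field is one index entry written as a
comma-separated phrase, e.g. 'certification, exam, GIAC'.
"""
from collections import defaultdict

# Constructed sample raw data (not from any real SANS book). The first line
# is the format shown in the post; the others show the same page cited under
# several phrasings and one entry recurring across pages.
SAMPLE_RAW = """\
14;GIAC, exam;exam, GIAC;certification, exam, GIAC;certification, exam, passing;exam, GIAC, pass
15;exam, GIAC;practice exam;index, building
# lines starting with '#' are skipped (assumption: notes to self)
22;index, building;Perl, script;practice exam
"""


def parse_raw(text):
    """Yield (page, entry) pairs from raw index text.

    Blank lines and '#' comments are skipped; a non-numeric page field is
    reported with its line number so a typo in the raw data is found early.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        try:
            page = int(fields[0])
        except ValueError:
            raise ValueError(
                f"line {lineno}: page number expected, got {fields[0]!r}"
            ) from None
        for entry in fields[1:]:
            entry = " ".join(entry.split())  # collapse stray whitespace
            if entry:
                yield page, entry


def build_index(text):
    """Return {entry: sorted list of unique page numbers}."""
    pages = defaultdict(set)
    for page, entry in parse_raw(text):
        pages[entry].add(page)
    return {entry: sorted(p) for entry, p in pages.items()}


def render_index(index):
    """Render the index as 'entry: p1, p2' lines, sorted case-insensitively.

    Every phrasing of a topic gets its own line, so the printed index can be
    searched under whichever wording comes to mind during the exam.
    """
    lines = []
    for entry in sorted(index, key=str.casefold):
        lines.append(f"{entry}: {', '.join(str(p) for p in index[entry])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_index(build_index(SAMPLE_RAW)))
```

<div class="MsoNormal">
Because each phrasing of a topic becomes its own entry, the generated index answers a lookup however you happen to remember the topic, which is the reason for the duplication described above. Feeding it one raw file per book, with the book name folded into the page field, is a simple extension left to the reader.</div>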
<div class="MsoNormal">
<b><br />
3. Don’t skip taking the practice exams</b><br />
This is where I deviated from my methodology substantially. My standard practice is to take a practice exam with my completed index then use the practice to update the index. I was simply too busy in the last month to complete this. I had already extended the exam once, and I really didn’t want to extend it a second time. So I skipped the practice exam. That hurt my score, I’m sure of it.</div>
<div class="MsoNormal">
I did take a beta version of the new practical questions. But, that was just after I took the class. That was a cool experience, but in some ways skewed my perception about what the practical questions would be. In my beta exam, I used techniques covered in the class for developing exploits. In my actual exam, I had an environment that I needed to exploit using pen test techniques covered in the class.</div>
<div class="MsoNormal">
<b><br />
4. Don’t squander your time during the exam</b><br />
I look up questions in the book to verify that I’m right if I’m not 90% sure that I know the answer. I mark an answer after reading the question, then go to the book for validation. Infrequently, I have to change the answer. But, my stance is that I have the time to do this.</div>
<div class="MsoNormal">
During this exam, I completely ran out of time, and just answered the last 5 (practical) questions without having any idea what the answers were. I started the practical section with only about 15 minutes left for the exam.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Additionally, in the practical section, I crashed a service that I wanted to interact with. To restart the service, I restarted the virtual machine environment. This took almost 4 minutes to complete. So, that consumed about 30% of my time to work on the practical questions.</div>
<div class="MsoNormal">
<br />
<b><br />
5. Don’t beat yourself up</b><br />
My score percentage went down over the course of the exam. My recollection of my checkpoint scores is below.</div>
<div class="MsoNormal">
<b>Splits:</b></div>
<div class="MsoNormal">
Checkpoint 1: 100% (15/15)<br />
Checkpoint 2: 93% (28/30)<br />
Checkpoint 3: 91% (41/45)<br />
Checkpoint 4: 90% (50/55)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
That being said, I didn’t lose my cool during the exam. At the first checkpoint, I was surprised at the 100% mark. There were two questions in the first 15 where I wasn’t sure if I was falling for a trap, or if I was overthinking the question. One danger for me is going way down an esoteric thought process to answer the question, rather than simply answering the actual question. After 30 questions, I saw I had missed some. No worries. Move along.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When I took the GCFA, I answered two questions incorrectly. This was back when you saw if you answered the question correctly immediately after answering. My first incorrect answer was on a legal question related to German law. I was really upset that I got the answer wrong, because I spent about 10 minutes considering the information I had looked up in the book. I was so bothered by this, I got the next question wrong, too. I would have entered into a failure spiral if I hadn’t taken a few minutes right then to simply stop answering questions, and allow the frustration and ire to dissipate. During that GCFA exam, I actually talked myself out of the frustration. If you’re feeling frustrated, counsel yourself that the frustration is detrimental. Pause as long as you need to, so you don’t make another mistake.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Here I am, unhappy with my performance. But, I got a 90%. I’ve done a root cause failure analysis, and will not do so poorly when I take the GIAC GMON here in the next few months.</div>
<div class="MsoNormal">
Good luck on your cert exam, if you are embarking on it. If you have questions about how to use my Perl script ( http://bit.ly/crowley-index-script ) feel free to contact me on twitter – CCrowMontance.</div>
<br />
<div class="MsoNormal">
<br /></div>
CCrowMontance (http://www.blogger.com/profile/04040557453680300321), 2016-10-02T20:48:00.001-07:00
Risk Management, Community Interaction, Planning for Failure, and Exercises to get better - AFF Level 1 <div class="MsoPlainText">
<span style="font-family: 'courier new';">AFF Level 1</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Organizational risk management is much of what information assurance (cyber, if you must) is about. We can spend money to help diminish the likelihood that something bad happens. But, we can’t assure that the bad thing won’t happen. We spend time thinking about what might go wrong, practicing for things going poorly, and dealing with things actually going awry. I’m probably not telling you anything you don’t know. But, bear with me because I want to share a story about my recent experience with personal risk management in the form of skydiving.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Years ago I thought it would be exciting to try skydiving. I’ve heard of the risk associated with it. But, I want to try. The main reason is the prospect of eventually getting to fly in a squirrel suit. I’m definitely interested in speed and thrills. There are about 1,999 more jumps between me and the opportunity to don a squirrel suit. Not sure that I’ll get there. But, that’s not the point. That was the objective initiating this drive.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">From a practical standpoint, my poise and awareness during emergency situations are a self-rated moderate. I’ve dealt with medical emergencies, both of a group member and myself in isolated (by myself mountain biking, for example) situations. I’ve dealt with about 1,000 computer security incidents. That’s a round number because I don’t really know the number. In retrospect I wish I had an incident case log. I would be more effective today with exactly the same level of response action if I had been tracking my response actions. (TODO: personal system for logging and tracking response activity). I have recorded this data all over the place. Most of those tracking systems I no longer have access to.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">But I digress. My poise and awareness during stressful situations are moderate on a scale of low, moderate, high. I have a good deal of experience, but I would rate better emergency room doctors, people with substantial combat experience, practiced airplane pilots, race car drivers, and professional athletes as high on that scale. Most normal people I’d put in the low category. Unknown and stressful situations cause them to perform worse than they would otherwise. So moderate is performance about equal to normal capability within stressful situations, but some experiences could still dislodge that person from poise. High level performance then is a person who has poise and grace in all situations: even unknown and unexpected situations well outside of their normal zone of comfort and practice. People with a high degree of poise within their area of expertise not only meet the expected level of performance, but exceed it.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Given this self-assessment level of moderate, I should be able to operate within a stressful situation without substantial prior knowledge of the tasks to perform, given adequate training.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">The training. Accelerated Free Fall (AFF) is the program for becoming certified to skydive. Level one ( <a href="http://www.affschool.com/8-levels/#1">http://www.affschool.com/8-levels/#1</a> ) included about 4 hours of classroom and physical practice, culminating in a practice jump with two instructors holding on to you while freefalling. The student learns to: orient his body to the relative wind; hold the appropriate position throughout the freefall; monitor the altitude; understand the altitudes at which specific actions must be performed; use non-verbal communication signals to coordinate with and receive direction from instructors; check to assure the chute is safely landable; deploy the backup chute by cutting the inadequate chute loose and deploying the backup; navigate the landing path; and alight on the earth again after the freefall.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Those items are crammed into roughly 4 hours of instruction and practice, then you get in a plane and jump out of it. I went through the AFF Level 1 with a single other student and one instructor for the classroom portion. During the actual jump I had two instructors each with both hands in firm contact with my chute harness.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">There was so much information. It was repeated multiple times, and there were multiple quizzes throughout the instruction. But during the course of the jump, I had difficulty retaining it all and keeping it straight. Fortunately, I retained enough of it to get back without any major damage.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">I had an hour delay between the instruction and the jump. I sat with my classmate, and we talked about the sequence. We watched the other divers landing.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Finally, it came to be my time for the jump. I got suited up, got my chute, and went through one cycle of the exit from the aircraft with my backup (non-release side) instructor. It was more important to do this with him because he would be hanging onto the outside of the plane while I was doing my sequence (up-down-step out) within the plane.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">We flew up to altitude. A couple who were clearly experienced jumped first. I got up, took my position at the door. “Check In!” Brian gave me the go signal. “Check out!” Craig gave me the go ahead. Up. Down. Step out.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">I was falling out of the plane. I didn’t think about the relative wind, but I did try to keep my arms and legs back. I felt my body turning toward the direction of the fall, and I arched my back further.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Altitude 12,000 feet. Circle of Awareness. Check and report. Look left - Craig gave me signals to adjust my position. Two fingers – legs out more. I stretched my legs, pointed my toes. Report right. Lazy W signal. My arms needed to go back more.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Release check. Left arm out in front of me. Reach back, put my hand on the hackey sack to be able to release my chute. Return to lazy W. Again. Left hand out straight. Right hand back to the hackey sack. Again. Left hand out. Right hand back.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Circle of Awareness. Check altitude. Report. Craig has me adjust my position. Lazy W. Fix my arms. Report. Fix my legs.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">10,000 feet. Adjust position through hand signals.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">9,000 feet. More bad position. Legs extended. Arms in a better W.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">8,000 feet. Lazy W. Better arm position.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">7,000 feet. Extend legs.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">6,000 feet. Lock on.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">5,500 feet. I wave off. Single finger from Brian. I reach back for my hackey sack. It’s gone. Brian pulled it.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Then, I have my first moment of “Ok. What now?” I am paused. I don’t really know what to do for a moment. I’ve decelerated substantially. The chute seems to be working. I look up. I check the shape. It’s a rectangle. I check stability. I’m not really sure what I’m looking for, but I don’t see any substantial luffing or flapping of the chute. So, ok, I guess.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Steerability. I reach my hands up into the yellow steering handles. I’m supposed to pull them down a bit to release the brake, then locate the holding area (where I’m going to wait until I reach 1,000 ft.) I’m supposed to orient to the holding area with the steering handles then do a steerability check. Instead, I go right into the steerability check. Left turn? I looked down over my left shoulder to be sure I won’t collide with anyone by the maneuver, and pull the left handle all the way down. I start to turn left. I let the handle go back up. Right turn. I look to my right and down, then pull the right handle all the way down. I can make a right hand turn. Flare. I’m supposed to pull the handles all the way down, to be sure I can flare. I pull them down. I think that it seems I can slow down, so I think I’m good to go. I look around, and locate the trees I’m supposed to head toward. They’re behind me and slightly to the right, so I head that direction by turning about 220 degrees to the right. I check altitude. I can’t remember exactly where I was at beginning this maneuver to the right. About 4,500 feet, I think. I’m a bit concerned that I can’t really get to the holding area. I navigate with the handles to adjust my direction. I’m relieved that the steering mechanism seems pretty easy. The steering and landing were the areas of greatest concern. In retrospect, I should have practiced a flare and brake in this traverse toward the holding area. But, I didn’t.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">3,500 feet. I’m approaching the holding area. Tracking the location of the other chutes in the sky. There were a bunch of tandem divers who were much higher. Several of them were doing interesting maneuvers. Some other time, I thought. I just want to get to the holding area.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">3,000 feet. Still working my way toward the holding area.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">2,500 feet. Not quite to the holding area, but getting pretty close. I am a little concerned about getting there. Three or four other divers are beneath me. Presumably these are my two instructors and the couple who jumped first.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">2,000 feet. The backup radio comes on. I can’t really understand anything Craig is saying. He tells me something, I maneuver a bit, because I’m actually heading the wrong direction (still traveling toward the holding area). I presume he is concerned that I am not oriented for the landing pattern properly. I adjust my position by making a 270 degree turn, so I’m generally heading back toward the landing path.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">1,500 feet. I’m still in the holding area, but starting to leave it. I’m too high to leave it, but heading into the pattern. I turn a bit to the right and back to the right to try to stay in that area but slow down my exit from the holding area.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">1,200 feet. I’m leaving the holding area, too high.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">1,000 feet. Out of the holding area. Following the stream bed above the trees.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">600 feet. I’m at the taxiway, where I should make a left turn. Instead of making a hard left, I make more of a 45 degree turn with the intention of travelling some more out of my way to extend my path a bit longer to try to lose more altitude.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">300 feet (estimated). As I get to the center of the taxiway I make a 90 degree left turn to head down the taxiway. I tried to check my altitude at this height, but couldn’t really read it, so decided to focus on going straight.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">There were several other people in the center of the field. I was too high. I knew that. Not terribly, though. The wind was stronger here since I was heading into it, and it noticeably required more steering. There were people in the center of the field, in line with where I was heading. I steered slightly to the left, making a bit of a lane change. I adjusted back to the right and continued straight. Craig was on the radio talking to me, but I really didn’t understand much of what he was saying. I think he said I was too high. But, I didn’t think there was much I could do about it at this point, except go straight and land.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">25 feet (estimated). I was preparing to land, well short of the trees at the end of the landing area. Which was a relief to me.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">15 feet (estimated). I was supposed to flare at 10 feet. I estimate that somewhere between 20 and 15 feet is where I actually executed the flare.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Touchdown. I held the flare like I was supposed to, but I was too high. The training covered PFL – Parachute Fall Landing. Or something like that. The training had us jump from incrementally higher steps. We kept our feet together, pogo’d like a pogo stick, bent like a banana to one side, rolled onto our leg, hip, side. We kept our arms tucked in and let our body absorb the fall through transfer of momentum.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">I didn’t do any of that. I had my legs apart. I didn’t transfer the momentum via a roll. I absorbed it like I was doing a squat, and fell backwards, like I was rolling out of a fall from bouldering. I boulder a lot and fall with some frequency during bouldering. I do a lot of squats and deadlifts. So, I’m not at all surprised that’s how my body reacted. It did the maneuver it is trained to do. It’s just that this maneuver wasn’t the appropriate maneuver in this case. I’m definitely sore as a result of that landing. A lingering ankle injury aches more today than normal. My right hamstring is sore. My left hip is sore. My walking gait feels a bit abnormal, like the position of my hips and legs is a little off from where each part expects the other to be. I don’t feel like I can hustle, and I don’t feel as spry as I normally do. Very fast walking through the airport during a transfer to make today’s flight wasn’t a welcome circumstance.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">Will I go for level 2? I don’t know. I have 30 days to jump before I have to retake Level 1. My difficult schedule will probably prevent me from completing the level 2 within 30 days. Or maybe next Saturday I’ll do it, I have a time window of about 5 hours, which would be enough time to do it on the North Shore!</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">I hope you take something away from this. If you do, please let me know what it is. Let me share my takeaway lessons.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">First, with regard to training. I think that this reinforces my commitment to training, simulation, and exercises more so than ever before. There are a few things that I like about training. One is the trainer assuring me that he is thoroughly competent in the area. When I am literally putting my life, safety, and well-being in the trainer’s hands I want to have the sense that the program he’s providing is solid. While I got that, I also got the sense that I was going to be on my own. Which, I was. There were several things that could have gone poorly which didn’t. I think these were the direct result of the training. I suspect thousands of people go through this training program on an annual basis across the USA. I didn’t research these numbers to write this article. But, it would be interesting to know what those numbers are, as well as the number of pass/fails, as well as the frequency of incidents with jumpers related to AFF level 1.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">This leads me to the correlating questions for your information assurance program. How many of the tasks that you expect for your analysts can be broken down into a clear, repeatable, articulated sequence that can be drilled over, and over, and over and over? Where there’s no ambiguity for the actions to be taken?</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">** Question number one. Is there a plan?</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: 'courier new';">If you can’t provide a clear sequence of actions to perform, can you provide a decision making matrix? Where a prescriptive plan cannot be created, can you provide unambiguous decision making criteria? In this experience the criteria for assessment were SSS: Shape; Stability; Steerability. The skydiver needed a framework for analysis to determine if the current state was adequate to safely land the parachute, or if a replacement parachute was in order.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">This critical
period (5,500 feet until 2,500 feet) had a defined entry, a clear period of
assessment, and criteria for escalation. If at 2,500 feet there wasn’t a
parachute that met the SSS criteria, there was a defined procedure to engage.
For skydiving, this is the one escalation procedure. Cut away the main chute,
and engage the reserve chute. You probably won’t be able to manually engage the
reserve chute because the automated system to engage the reserve chute will be
activated. We drilled this action no less than 10 times. This included decision
making associated with the physical performance of the motions associated with
cutting away and engaging the reserve chute.<o:p></o:p></span></div>
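<div class="MsoPlainText">The defined entry, assessment window and single escalation procedure described above, written out as an added example in Python (not the author's code): <code>PlaybookStep</code> is a hypothetical class, and the host-triage step, its criteria and its 30-minute window are assumptions constructed for illustration, not anything from the post.</div>

```python
# Added example (not the author's code): a playbook step with a defined entry,
# unambiguous pass/fail criteria, an assessment window and one escalation
# procedure, modelled on the SSS canopy check. IR step details are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Check = Callable[[dict], bool]

@dataclass
class PlaybookStep:
    name: str
    entry: Check                 # when the critical period begins
    criteria: Dict[str, Check]   # each check is a clear yes/no, no judgement call
    deadline: Check              # when the assessment window closes
    escalation: str              # the single defined procedure if criteria fail
    log: List[str] = field(default_factory=list)

    def assess(self, state: dict) -> str:
        """Return 'not_started', 'proceed', 'reassess' or the escalation name."""
        if not self.entry(state):
            return "not_started"
        failed = [n for n, check in self.criteria.items() if not check(state)]
        self.log.append(f"{self.name}: failed={failed or 'none'}")
        if not failed:
            return "proceed"
        if self.deadline(state):
            return self.escalation   # window closed: no more re-checking
        return "reassess"            # still inside the window: check again

# The AFF canopy check as the post describes it: 5,500 ft entry, 2,500 ft deadline.
canopy_check = PlaybookStep(
    name="canopy check",
    entry=lambda s: s["altitude_ft"] <= 5500,
    criteria={"shape": lambda s: s["shape_ok"],
              "stability": lambda s: s["stable"],
              "steerability": lambda s: s["steers"]},
    deadline=lambda s: s["altitude_ft"] <= 2500,
    escalation="cut away main, deploy reserve",
)

# An assumed incident-response analogue (constructed): host triage with the same shape.
host_triage = PlaybookStep(
    name="host triage",
    entry=lambda s: s["severity"] == "high",
    criteria={"process identified": lambda s: s["process_identified"],
              "scope known": lambda s: s["scope_known"]},
    deadline=lambda s: s["minutes_elapsed"] >= 30,
    escalation="isolate host, page incident lead",
)
```

The log records each assessment so that, after the fact, you can see which criterion failed and when the escalation fired.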
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">** Question
number two: What to do when the plan failed?<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">Throughout the
training, there was only one other person who was a student. I sincerely
couldn’t imagine going through a class of 20-30 other people who were
attempting AFF level 1. As with most other training courses, there was a sense
of comradery established. I’m a fairly solitary person. But, when I was
finished with my jump, I waited a while until I confirmed that my classmate had
successfully completed his jump. He probably jumped another time that day. I
probably could have completed another jump, but my schedule and my plan precluded
it. I suspect that another day I will jump again. I know that Jordan will
remember that first jump and our class. I also knew that while we were both
trying to develop an understanding of what was required of us we had a sense of
mutual support and a drive to assure that each of us understood what needed to
be done. As you guide people in the enterprise to complete a task, do they
think that you are looking for a reason to fire them? Or are they sure that
you’re there to help them complete all the details and achieve excellence?<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">** Question
number three: Who’s there to help me if I need it?<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">This is my
“lessons learned” report for my first sky dive. I’m sure that I could have
performed better. I’m glad that I didn’t get hurt. I’m glad that I followed
through on completing a challenging and ambitious plan. <o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">I will say that
on the climb up from the airport, we discussed, double checked, reviewed, and
reviewed again the steps for what we were going to do. The next time that
someone tells you that we don’t need training for incident response, network
security monitoring, or forensic analysis, ask them if they would be willing to
jump out of an airplane without having gone through training. <o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">This experience
suggests to me that incident response is more complicated than skydiving. I’m
not good at skydiving yet. But, from the sequence of sky diving that was taught
to me I have a very specific sequence of actions that must be performed and a
single clear objective. That’s substantially easier to perform and practice
than security operations.<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">Afterword.<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">One item that I
won’t belabor, but would ask for feedback from anyone who ever has an
opportunity to listen to me speak. Please tell me whatever phrase I use to the
degree that it becomes cloying. That thing that I fall back on to express a
sentiment of importance when I become lazy and don’t use a more interesting
word. I used to use the word “actually” a lot. Now I use the word “generally”
too frequently. Help me to thwart my linguistic laziness. Thanks for following
along with me on my first solo jump!<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<span style="font-family: "courier new";">=-=-=-=-=-=<o:p></o:p></span></div>
<div class="MsoPlainText">
<br /></div>
<br />
<div class="MsoPlainText">
<span style="font-family: "courier new";">TODO: personal
system for logging and tracking response event and incident actions<o:p></o:p></span></div>
CCrowMontance http://www.blogger.com/profile/04040557453680300321 noreply@blogger.com
tag:blogger.com,1999:blog-6571547476689271589.post-7085838224360534976 2015-06-04T04:54:00.001-07:00
Hello World
In an attempt to consolidate my writing and thoughts into one place for professional activity, I'm returning to the milieu of a weblog.<br />
<br />
I was first introduced to the concept of a weblog by a television show. You might not remember it: Doogie Howser, MD. ( http://www.hulu.com/watch/105 ) If you don't want to sit through the entire episode, at -01:24 there's the moralitas. The moral of the story is written by Doogie in each episode. The contrite, September 22, 1989 lesson from the sixteen-year-old doctor who had just passed his driving test at the beginning of the episode (albeit with a brief interruption to reset a dislocated hip to prevent loss of the victim's leg and establish the character of the boy genius) was, "Kissed my first girl. Lost my first patient. Life will never be the same again..."<br />
<br />
I didn't remember that specific moral of that specific story. I looked it up. But, my take away is that recording one's thoughts is beneficial for oneself in moments of reflection. It is also beneficial at times for others.<br />
<br />
So, in this blog I hope to record my personal thoughts during my professional musings, hopefully avoiding whining, pontificating, and "the poetic truths of high school journal keepers."
CCrowMontance http://www.blogger.com/profile/04040557453680300321 noreply@blogger.com