Showing posts with label CISSP. Show all posts

Wednesday, July 10, 2013

SANS Webinar: Why Defense, Why Now

The webinar "Why Defense, Why Now" was given on May 30, 2013.  I watched it on July 10, 2013.  These notes are my evidence that I watched it in case of audit as I submit this for CPE credit.

Notes

The "A" in APT stands for an advanced adversary, not an advanced threat.

APTs almost always arrive via email through one of these four vectors:
  1. attached executable
  2. macros (Office documents)
  3. active scripting
  4. embedded HTML content

So, do we really need any of these to arrive by email?  Almost never, so disabling them significantly reduces the risk from APTs.

Malware usually does these things:
  1. Upload (drop) code
  2. Start a process
  3. Establish an outbound connection
  4. Modify startup or system files
So, we should focus our detection energy on things that modify system or startup files and on outbound connections.  This is where he pitches Tripwire (file integrity monitoring).
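One way to watch for the fourth behaviour above, as an added example rather than code from the webinar or from Tripwire: hash every file under a directory into a baseline, then re-hash later and report what was added, removed or modified. The directory layout, file contents and the "intrusion" in demo() are constructed for illustration.

```python
"""Tripwire-style file integrity baseline (added example, not Tripwire's code)."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every file under root.

    Symlinks are recorded by their target string (lstat, not followed), so a link
    repointed at a different file still shows up as a modification.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                sha = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            elif os.path.isfile(full):
                sha = hash_file(full)
            else:
                continue  # sockets, fifos, devices: not part of the baseline
            baseline[rel] = {"sha256": sha, "size": st.st_size, "mode": st.st_mode}
    return baseline


def compare(baseline, current):
    """Diff two baselines into sorted added / removed / modified path lists."""
    old, new = set(baseline), set(current)
    modified = sorted(
        p for p in old & new
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this file off the monitored host (or signed):
    an attacker who can rewrite it can hide the change they just made."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)
        # Simulated intrusion: a startup hook is appended and a new binary dropped.
        with open(os.path.join(etc, "rc.local"), "a") as f:
            f.write("/tmp/.x &\n")
        with open(os.path.join(root, "evil"), "wb") as f:
            f.write(b"MZ\x90\x00")
        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it against a real tree (/etc, /usr/sbin, C:\Windows\System32) on a schedule and alert on any non-empty diff that does not line up with an approved change ticket; the baseline itself must live somewhere the monitored host cannot write.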

Can use an outbound proxy.  If all egress is forced through it (direct outbound connections blocked at the firewall), it breaks most command-and-control connections, because malware that does not speak through the proxy cannot get out.

Organizations aren't detecting attacks.  The mentality has to shift to assuming we are going to get compromised, and then working out how to detect and neutralize the compromise.

Much like the APT webinar, he suggests taking your network diagram and marking every device as preventive or detective.  On average 88% are preventive: nearly all the effort goes to prevention and little to none to detection.  Also, 95% of the prevention faces inbound traffic.  Need to start focusing more on detection, and on outbound.

Prevention is ideal, but detection is a must!

Suggestions

  1. Know your systems
    1. up-to-date network diagram
    2. network visibility map
    3. configuration management (CM) and change control
  2. Defense in depth
    1. inbound prevention
    2. outbound detection
    3. log correlation
    4. anomaly detection
  3. Common metrics
    1. use the Critical Security Controls
      1. security defines the metrics
      2. IT implements the metrics
      3. audit validates the metrics
      4. executives track the metrics

Friday, June 7, 2013

SANS Webinar: Kinetic Pwnage - Obliterating the Line Between Computers and the Physical World

This was a webcast given by Ed Skoudis in May 2013.  I just watched it today because it looked interesting and to apply it as a CPE credit for my CISSP certification.  This blog entry will be my notes and proof in case of audit.

I was audited on the last webcast that I watched, but was able to provide proof in the registration record at SANS and my notes here.

Notes

Hacking traces back to 1946, when the MIT Tech Model Railroad Club (TMRC) was founded; its members built the elaborate control systems for the club's model railroad.

Ed's central thesis: we are entering the golden age of software hacking to achieve physical impact.  Think SCADA, power grids, all of the embedded and attached devices, airplanes, trains, etc.  This is partly because everything is becoming IP-addressable; Shodan searches turn up such devices exposed to the internet.  On top of that, web apps are everywhere and everything is web-enabled.

Air gaps won't hold, because they erode over time (removable media, maintenance laptops, vendor connections).  Stuxnet crossed one on USB media.

Physical safeguards are becoming increasingly automated or controlled by IP.

Major areas of concern

Power grid, healthcare, and weapons systems (!).

CyberCity was built to give people a place to train against cyber attacks on physical controls.  It has military backing and simulates commercial, industrial, military, and residential areas.

Why hasn't there been a massive kinetic impact yet?

  • Not an effective criminal business model (yet).
  • Geo-politics - it isn't in anyone's best interest to cause mayhem (yet)
  • Harder than anticipated

Conclusion

Industry has to up their game.

Friday, May 24, 2013

SANS Webinar: Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career

I'm watching webinars for continuing education and CPE credit.  This webinar is "Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career."  Who doesn't want to build their career?

Overview

Discuss ways to develop information security skills.  Behind the scenes of Capture the Flag games and other challenges.  Tips on what makes a good security challenge.  Point out places with security challenges.

Notes

Use gamification to measure skill, identify talent, train, and provide motivation.  When confronting a problem, assume that it can be solved.

Types of challenges
  • Offense - attack targets, pen test
  • Defense - stop attackers
  • Offense and Defense - exciting, but more work to implement.  Need to enforce minimal attack surfaces, e.g. with a scorebot.
  • Analysis - packets, files, malware
  • Other - bot-net control, cloud resources, etc.
Flat vs. depth
  • flat - all challenges accessible from anywhere
  • depth - need to solve earlier challenges to get to the later ones
When creating challenges, don't put in red herrings.  The challenges will already contain unintended patterns and diversions; don't make them harder.  Don't build puzzles for their own sake (e.g. needle-in-a-haystack searches); they don't build real-world skills.  Allow multiple ways to solve each problem.

Free Challenges

Damn Vulnerable Web App
http://www.dvwa.co.uk

Iron Geek’s Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Metasploitable
https://community.rapid7.com/community/metasploit/blog/2010/05/19/introducing-metasploitable

Damn Vulnerable Linux: Currently being rebuilt, but you can find older versions
http://www.damnvulnerablelinux.org/


Huge archive of challenges from 2009 to 2012 here:
http://capture.thefl.ag

Multi-leveled exploit development environment
http://exploit-exercises.com

www.counterhack.net

Conclusion

Interesting webinar.  Need to check out some of the challenges!

SANS Webinar: APT: It is Time to Act

This is the 2nd SANS webinar that I've watched.  The title is "APT: It is Time to Act."  It looked interesting because I've seen APT a few times and wasn't sure what it meant.  APT is Advanced Persistent Threat.  These notes are for my reference and for audit purposes as I log this for CPEs for CISSP.

Overview

APT is like cancer vs. the common cold threat of a few years ago.  Should think in terms of you are already infected, now go find it.  Despite best efforts, we will still get infected.

Advanced = advanced adversary.  Another interpretation of APT = average phishing technique.  Adversaries are going to use the easiest method they can to break in, i.e. phishing.  The payload is usually buried in an attachment, so you get compromised without even knowing.  That is the persistent part.

Too much focus on prevention and not enough on detection.

Solutions

The most dangerous applications are web browsers and email clients, so sandbox or virtualize those applications.

3 Primary vectors
  1. Executable content in email
  2. Macros in an office document
  3. Executable content in HTML embedded in the email
So disable executable attachments, Office macros, and active HTML content in email.
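The three vectors listed here overlap with the four in the "Why Defense, Why Now" notes above (executables, Office macros, active scripting, embedded HTML). The following is an added example, not code from either webinar or from any mail gateway: an attachment triage function that flags those content types by file content as well as by extension, so a renamed executable or a macro-enabled document with a harmless name is still caught. The sample attachments are constructed in memory; the extension lists are an assumption about what a given gateway should block and would be tuned per site.

```python
"""Email attachment triage for the vectors the webinars call out (added example)."""
import io
import re
import zipfile

# Assumed block lists; a real gateway policy would be tuned per organization.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "hta", "msi", "ps1", "cpl", "dll", "jar"}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
HTML_EXTENSIONS = {"html", "htm", "mht", "mhtml"}
# Constructs that make an HTML attachment "active" rather than plain markup.
ACTIVE_HTML = re.compile(
    rb"<\s*(script|object|embed|iframe|applet)\b|javascript:|vbscript:|\bon(load|error|click)\s*=",
    re.IGNORECASE,
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def ooxml_has_macros(data):
    """OOXML (docx/xlsx/pptx) is a zip; VBA code lives in a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(name, data):
    """Return the reasons this attachment matches a blocked vector ([] means clean)."""
    reasons = []
    ext = extension(name)
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    if data[:2] == b"MZ":   # PE header: catches an .exe renamed to .pdf
        reasons.append("PE header" + ("" if ext in EXEC_EXTENSIONS else " under a non-executable name"))
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    if ooxml_has_macros(data):
        reasons.append("OOXML package contains vbaProject.bin")
    if data.startswith(OLE_MAGIC):
        # Macro presence in legacy OLE files needs stream parsing (e.g. oletools' olevba);
        # a conservative gateway treats them as suspect until that check has run.
        reasons.append("legacy OLE document, macros not ruled out")
    if ext in HTML_EXTENSIONS or data.lstrip()[:1] == b"<":
        if ACTIVE_HTML.search(data):
            reasons.append("active HTML content")
    return reasons


def make_docx(with_macro):
    """Build a minimal OOXML package in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments: name -> bytes.
SAMPLE_ATTACHMENTS = {
    "report.docx": make_docx(False),
    "invoice.docm": make_docx(True),
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # renamed executable
    "newsletter.html": b"<html><body><script>location='http://example.invalid/'</script></body></html>",
    "notes.txt": b"plain text, nothing to see",
}


def triage(attachments):
    """Classify every attachment; anything with a non-empty reason list is quarantined."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} {'QUARANTINE' if reasons else 'ok':10} {'; '.join(reasons)}")
```

Extension checks alone miss the renamed executable and the macro-bearing .docx; content checks alone miss a script file with no magic bytes, which is why the function applies both and returns every reason rather than the first match.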

Prevention vs. Detection

Prevention will eventually fail, so detection is needed as well: it lets you catch a breach after it gets past prevention and then stop it.  Organizations have to put more into detection.  Most security is preventive (85%) vs. detective (15%), and most of it faces inbound rather than outbound traffic.  Examine outbound traffic to spot unusual activity.

Encrypted outbound traffic can sneak past detection.  Decrypting it means terminating TLS on a proxy with a certificate the endpoints trust, but when the adversary controls the keys (their own certificate, pinned in the malware), that inspection sees nothing.  Solution: create crypto-free zones, segments where encrypted outbound traffic is not permitted at all, so that any encrypted flow leaving them is itself the alert.  That comes from understanding the adversary and their strength, then turning it into a weakness.
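Outbound detection does not always need the plaintext. The following is an added example, not from the webinar: a beacon detector that works only on connection metadata (timestamp, source, destination, port), flagging destinations that a host contacts at a near-constant interval, which is the timing signature of a command-and-control check-in and is visible whether or not the channel is encrypted. The flow records are constructed for the demo and use the RFC 5737 documentation ranges; the thresholds are assumptions to tune against your own logs.

```python
"""Beaconing detection from outbound connection metadata (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _make_sample_flows():
    """Constructed flow log: one 5-minute beacon plus ordinary irregular browsing."""
    start = datetime(2013, 6, 7, 9, 0, 0)
    lines = ["# timestamp,src_ip,dst_ip,dst_port,bytes_out"]
    t = start
    # Beacon: ~300 s period with a few seconds of jitter, small constant payload.
    for jitter in (0, 2, -3, 1, 4, -2, 0, 3, -1, 2):
        t += timedelta(seconds=300 + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.1.2.33,203.0.113.7,443,1290")
    t = start
    # Browsing: bursts and long gaps, varying sizes.
    for gap, size in ((15, 8800), (420, 51200), (8, 2100), (1200, 17300),
                      (33, 990), (90, 64000), (2400, 4400), (12, 3300), (600, 27000)):
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},10.1.2.33,198.51.100.20,443,{size}")
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _make_sample_flows()


def parse_flows(text):
    """Parse 'timestamp,src,dst,port,bytes' lines (UTC, ISO-8601 with Z) into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(flows, min_count=6, max_cv=0.15):
    """Group by (src, dst, port) and flag groups whose inter-arrival times are nearly constant.

    cv = stdev/mean of the gaps between connections. Jitter added by malware raises
    it a little; human-driven traffic has cv well above 1. min_count and max_cv are
    assumed starting points, not universal thresholds.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = {"count": len(times), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port}  {info}")
```

Legitimate traffic is periodic too (NTP, antivirus updates, monitoring agents), so the output is a candidate list to match against an allowlist of known destinations, not an alert on its own. A beacon that sleeps for hours needs a correspondingly long log window before min_count is reached.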

5 Steps to Secure Future

  1. Identify Critical Data - can't protect what you don't know.  Determine your most important assets, biggest threats, and biggest vulnerabilities.  Get a unified focus from everyone.  Risk Based Thinking improves results.  Questions to ask:
    1. What is the risk?
    2. Is it the highest priority?
    3. Is it the most cost-effective way to reduce risk?
  2. Align the defense with the offense.  Most attacks follow these five steps, and most defensive effort goes into steps 3 and 4.  With enough reconnaissance and scanning, exploitation is fairly easy, so the earlier steps deserve attention too.
    1. Reconnaissance
    2. Scanning
    3. Exploitation
    4. Create backdoors
    5. Cover tracks
  3. Know your organization.  If offense knows more than defense, then they will win.  You need to have:
    1. Accurate network diagram - can't protect what you don't know about
    2. Network visibility map
    3. CM and change control
  4. Defense in depth.  There is no unstoppable adversary.  
    1. Inbound protection
    2. Outbound detection
    3. Log correlation - look at IP address destination countries
    4. Anomaly detection
  5. Common Metrics.  Use the critical controls
    1. Offense informing the defense
    2. Automation and continuous monitoring of security
    3. metrics to drive measurement and compliance

Conclusion

Need to focus on outbound detection - no prevention is perfect.  Use automation, current security devices, and a common focus.  Understand your assets and the adversary.



SANS Webinar: Windows Ports and Services Tools

I was watching a webcast called "Auditing Windows Controls: What You May Not Know Windows Can Tell You" at sans.org.  It was about Windows software and network controls and auditing them.  There are a few useful commands that I wanted to document.  This also serves as an audit record for CISSP CPEs.

Commands

One great benefit of command line tools is that the output can be captured to text logs for auditing.  They often can be scripted as well, which automates the audit process.
  • netstat - lists TCP and UDP sockets (connections and listeners)
    • the -ano flags show all sockets (-a) in numeric form (-n, no DNS lookups) with the owning process ID (-o); "netstat -anob" adds the executable name but needs an elevated prompt
  • wmic - Windows Management Instrumentation Command-line
    • once in the CLI (or on one line as "wmic <alias> ..."), you can execute various queries
      • 'process where processid=X get name,executablepath' - shows the image behind PID X (taken from netstat -ano)
      • 'product get name,version' - lists installed software with version.  Caveat: the product alias queries Win32_Product, which makes Windows Installer run a consistency check (and possibly a repair) of every MSI package; it is slow and noisy in the event log
  • netsh - network shell
    • quick scripting interface to network interfaces
    • gives quick information on firewall configuration, e.g. "netsh advfirewall show allprofiles" and "netsh advfirewall firewall show rule name=all"
    • output can be redirected to a text file for auditing
  • scwcmd - Security Configuration Wizard command-line tool
    • gives text output for auditing
    • read a saved analysis report with "scwcmd view /x:C:\temp\report.xml"
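The audit the webinar describes is joining the PID column of "netstat -ano" to the process list and comparing the result with what is supposed to be listening. As an added example, not code from the webinar: a parser for a saved netstat dump (Windows column layout) plus the listener check. The netstat text, the process table (which would in practice come from "wmic process get Name,ExecutablePath,ProcessId" or Get-Process) and the authorized-listener list are all constructed for the demo; the addresses are documentation ranges.

```python
"""Correlate 'netstat -ano' with the process list and flag unauthorized listeners (added example)."""

# Constructed 'netstat -ano' output (Windows column layout; UDP rows have no State).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    10.1.2.33:49712        203.0.113.7:443        ESTABLISHED     3120
  TCP    10.1.2.33:49713        198.51.100.20:443      ESTABLISHED     2244
  TCP    [::]:135               [::]:0                 LISTENING       788
  UDP    0.0.0.0:123            *:*                                    1120
  UDP    0.0.0.0:5355           *:*                                    1120
"""

# Constructed process table: pid -> (image name, executable path).
PROCESSES = {
    4: ("System", ""),
    788: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    1044: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    1120: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    2244: ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    3120: ("update.exe", r"C:\Users\jdoe\AppData\Local\Temp\update.exe"),
}

# Assumed authorized listeners for this host class: (proto, port, image name).
AUTHORIZED_LISTENERS = {
    ("TCP", 135, "svchost.exe"),
    ("TCP", 445, "System"),
    ("TCP", 3389, "svchost.exe"),
    ("UDP", 123, "svchost.exe"),
    ("UDP", 5355, "svchost.exe"),
}


def split_endpoint(endpoint):
    """'10.0.0.1:443' -> ('10.0.0.1', 443); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Parse netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                     "foreign_addr": faddr, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def is_listener(row):
    """TCP sockets in LISTENING, and every bound UDP socket, count as listeners."""
    return row["state"] == "LISTENING" or row["proto"] == "UDP"


def audit_listeners(rows, processes, authorized):
    """Return unauthorized listeners as sorted (proto, port, pid, image, path) tuples.

    A PID missing from the process table (process exited between the two
    snapshots) is reported rather than silently skipped.
    """
    findings = set()
    for row in rows:
        if not is_listener(row):
            continue
        image, path = processes.get(row["pid"], ("<unknown: process exited?>", ""))
        if (row["proto"], row["local_port"], image) not in authorized:
            findings.add((row["proto"], row["local_port"], row["pid"], image, path))
    return sorted(findings)


def connections_for_pid(rows, pid):
    """Established connections owned by a PID, for context on a flagged process."""
    return [r for r in rows if r["pid"] == pid and r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat_ano(NETSTAT_ANO)
    for proto, port, pid, image, path in audit_listeners(rows, PROCESSES, AUTHORIZED_LISTENERS):
        print(f"UNAUTHORIZED {proto}/{port} pid={pid} {image} {path}")
        for c in connections_for_pid(rows, pid):
            print(f"    established -> {c['foreign_addr']}:{c['foreign_port']}")
```

Capture "netstat -ano > netstat.txt" and the process listing in the same minute so PIDs line up; the one finding in the constructed data (port 8080 owned by an executable under a user's Temp directory, with an established connection out to port 443) is exactly the pattern the "Malware usually does these things" list above describes.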

Software restriction

Starting in Windows XP, Software Restriction Policies (SRP) can deny every executable unless it matches an approved hash rule.  XP-era SRP hash rules use MD5 (or SHA-1), for which collisions are practical to construct, so a benign-looking file submitted for approval can have a malicious twin with the same hash.  AppLocker, introduced with Windows 7 (Enterprise/Ultimate) and Server 2008 R2, supersedes SRP on the editions that support it and uses SHA-256 for its hash rules.  AppLocker also has an audit-only mode that logs what would have been blocked without enforcing, which is the safe way to build the allowlist before turning enforcement on.

Conclusion

This was a good webinar with a good overview of various tools.  I did not know about some of them, so it was very useful.

When auditing, get a list of authorized services and software.  Check whether IPv6 is enabled and, if so, whether it is officially supported.  Find out how patching is managed.

Reporting CPEs

  1. Go to isc2.org (the (ISC)² site)
  2. Log in
  3. Click "Submit CPEs" 
  4. On the CPE Report page, click "Add CPEs"
  5. Fill out the questionnaire
    • Apply CPE to Credential/Concentration: CISSP
    • Domain for CPE Credit: usually "Multiple Domains (Group A)" unless the webinar is specific to one domain
    • Activity Start Date: the date the webinar was watched
    • CPE Type: Self Study, Computer-Based Training [CBT] or Web Cast
    • Course Name: name of the webinar.  I put (SANS) at the end so I know where I watched it
    • Number of hours: length of the webinar