Thursday, September 12, 2013
Bejtlich Teaching at Black Hat West Coast Trainings
Tuesday, August 13, 2013
Feedback from Network Security Monitoring 101 Classes
I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming edition. Currently I'm scheduled to teach at Black Hat Seattle on 9-10 December. I plan to continue offering my class through Black Hat as they expand their training location offerings.
Student feedback from NSM101 included:
- Great tools, fun labs, very prepared -- a lot of experience from interesting real world scenarios.
- This course was everything I hoped for and more. Very impressive considering the course is new.
- One of the best training classes I have ever taken.
- Richard hosted an exemplary class.
- I thought the class was excellent, and the content was relevant and informative.
- The instructor was there when help was needed. I can easily take what I learned here and apply it to my work.
- Excellent instructor and class. It is nice to learn from true pros who are humble and willing to help.
- Richard is an excellent speaker. His use of real world examples added value to each lab. The material was easy to understand and very well thought out.
- The stories behind the scenes and the practical notes (i.e., how to create a team) really helped.
- Great balance of hands-on and theory.
- Easy to follow and inspiring, even for an NSM beginner like me.
- Great companion to the new NSM book.
- This class was fantastic. I wish I could send my whole department.
- I look forward to using your book and teaching some of your techniques to my students.
In the "constructive criticism" category, several students recommended that I modify the class description to better suit the class structure. For example, some students didn't realize they would be using Security Onion in the class. A few students told me they would have sent more people from their team if they had a better sense of what the class was going to include. I will fix that for the Seattle edition and future events.
Overall I very much enjoyed teaching the new class. I will make a few tweaks to fix typos but otherwise I am ready to teach again in December. Once the registration form is active I will post it via Twitter.
If you have any questions, please post them as comments here or via Twitter to @taosecurity. Thank you.
Tuesday, June 18, 2013
President Obama Is Right On US-China Hacking
I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking. I reproduced the relevant part of the transcript below and added emphasis to key points.
CHARLIE ROSE: Speaking of pushing back, what happened when you pushed back on the question of hacking and serious allegations that come from this country that believe that the Chinese are making serious strides and hacking not only private sector but public sector?
BARACK OBAMA: We had a very blunt conversation about cyber security.
CHARLIE ROSE: Do they acknowledge it?
BARACK OBAMA: You know, when you’re having a conversation like this I don’t think you ever expect a Chinese leader to say "You know what? You’re right. You caught us red-handed."
CHARLIE ROSE: You got me. Yes.
BARACK OBAMA: We’re just stealing all your stuff and every day we try to figure out how we can get into Apple --
CHARLIE ROSE: But do they now say "Look? See you’re doing the same thing. We’ve been reading about what NSA is doing and you’re doing the same thing that we’re doing and there are some allegations of that. And the man who is now unleashing these secrets who’s telling everybody is in Hong Kong.
(CROSSTALK)
BARACK OBAMA: Yes.
CHARLIE ROSE: And may be talking to the Chinese.
BARACK OBAMA: Well, let’s separate out the NSA issue which I’m sure you’re going to want to talk to and the whole full balance of privacy and security with -- with the specific issue of cyber security and our concerns --
CHARLIE ROSE: And cyber warfare and cyber espionage.
BARACK OBAMA: Right. Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard fare and we’ve tried to prevent them from --
(CROSSTALK)
CHARLIE ROSE: Right.
BARACK OBAMA: -- penetrating that and they try to get that information. There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.
And so we’ve had very blunt conversations about this. They understand, I think, that this can adversely affect the fundamentals of the U.S./China relationship. We don’t consider this a side note in our conversations. We think this is central in part because our economic relationship is going to continue to be premised on the fact that the United States is the world’s innovator. We have the greatest R&D. We have the greatest entrepreneurial culture.
Our value added is at the top of the value chain and if countries like China are stealing that that affects our long-term prosperity in a serious way.
This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate. I am so pleased that this issue is at the top of the agenda between the US and China and that the President and his team, as well as Congress, are taking it so seriously.
Thursday, June 13, 2013
Pre-Order The Practice of Network Security Monitoring Before Price Hike
When my publisher and I planned and priced my new book The Practice of Network Security Monitoring, we assumed the book would be about 250 pages. As we conclude the copyediting process and move the book into print layout, it's clear the book will be well over 300 pages. The current estimate is 328, but I think it could approach 350 pages.
Because of the much larger page count, the publisher and I agreed to reprice the book. The price will rise from the current list of $39.95 for paperback and $31.95 for ebook to $49.95 for paperback and $39.95 for ebook.
However, those prices will not go into effect until next Friday, June 21st. That means if you preorder at the NoStarch.com Web site before next Friday, you will get the current lower prices. Furthermore, use preorder code NSM101 to save 30% off list. If you use NSM101 as your discount code it shows No Starch that you got word of this from me.
Those of you who already preordered have already taken advantage of this deal. Thanks for your orders!
We're still on track for publication by July 22, in time for books on hand at my new Network Security Monitoring 101 class in Las Vegas. Seats for the two editions of the class (weekend and weekday) continue to fill.
If you live in Europe or the Middle East or Africa, you may want to attend my new class in Istanbul in September. I hope the protestors and government can manage their differences in time for this great new Black Hat event!
Monday, April 29, 2013
Practice of Network Security Monitoring Table of Contents
Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring. The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend.
You can preorder the book through No Starch. Please consider using the discount code NSM101 to save 30%.
I'm still on track to publish by July 22, 2013, in time to teach two sessions of my new course, Network Security Monitoring 101, in Las Vegas. I'll be using the new book's themes for inspiration but will likely have to rebuild all the labs.
I expect the book to approach the 350 page mark, exceeding my initial estimates for 256 pages and 7 chapters. Here's the latest Table of Contents.
- Part I, “Getting Started,” introduces NSM and how to think about sensor placement.
- Chapter 1, “NSM Rationale,” explains why NSM matters, to help you gain the support needed to deploy NSM in your environment.
- Chapter 2, “Collecting Network Traffic: Access, Storage, and Management,” addresses the challenges and solutions surrounding physical access to network traffic.
- Part II, “Security Onion Deployment,” focuses on installing SO on hardware, and configuring SO effectively.
- Chapter 3, “Stand-alone Deployment,” introduces SO, and explains how to install the software on spare hardware to gain initial NSM capability at low or no cost.
- Chapter 4, “Distributed Deployment,” extends Chapter 3 to describe how to install a dispersed SO system.
- Chapter 5, “SO Housekeeping,” discusses maintenance activities for keeping your SO installation running smoothly.
- Part III, “Tools,” describes key software shipped with SO, and how to use these applications.
- Chapter 6, “Command Line Packet Analysis Tools,” explains the key features of Tcpdump, Tshark, Dumpcap, and Argus in SO.
- Chapter 7, “Graphical Packet Analysis Tools,” adds GUI-based software to the mix, describing Wireshark, Xplico, and NetworkMiner.
- Chapter 8, “Consoles,” shows how NSM suites like Sguil, Squert, Snorby, and ELSA enable detection and response workflows.
- Part IV, “NSM in Action,” discusses how to use NSM processes and data to detect and respond to intrusions.
- Chapter 9, “Collection, Analysis, Escalation, and Resolution,” shares my experience building and leading a global Computer Incident Response Team (CIRT).
- Chapter 10, “Server-Side Compromise,” is the first NSM case study, wherein you’ll learn how to apply NSM principles to identify and validate the compromise of an Internet-facing application.
- Chapter 11, “Client-Side Compromise,” is the second NSM case study, offering an example of a user being victimized by a client-side attack.
- Chapter 12, “Extending SO,” covers tools and techniques to expand SO’s capabilities.
- Chapter 13, “Proxies and Checksums,” concludes the main text by addressing two challenges to conducting NSM.
- The Conclusion offers a few thoughts on the future of NSM, especially with respect to cloud environments and workflows.
- Appendix A, “Security Onion Scripts and Configuration,” includes information from SO developer Doug Burks on core SO configuration files and control scripts.
I hope you enjoy the book and consider the new class! If you have comments or questions, please post them here or via @taosecurity.
Sunday, April 21, 2013
Bejtlich Teaching New Class at Black Hat in July
I'm pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101. From the overview:
Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you.
This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.
Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a few virtual machines.
Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.
Black Hat has three remaining price points and deadlines for registration.
- "Regular" ends 31 May
- "Late" ends 24 July
- "Onsite" starts at the conference
Seats are filling -- it pays to register early!
If you have any questions about the class, please leave a comment here or contact me via Twitter at @taosecurity. Thank you.
I'm also talking with Black Hat about teaching at their Istanbul and Seattle events later this year.
Saturday, March 2, 2013
Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
In the twelve days that followed publication on the evening of Monday the 18th, I've been very pleased by the amount of constructive commentary and related research published online.
In this post I'd like to list those contributions that I believe merit attention, in the event you missed them the first time around.
These sorts of posts are examples of what the security community can do to advance our collective capability to counter digital threats.
Please note I avoided mass media accounts, interviews with Mandiant team members, and most general commentary.
They are listed in no particular order.
- Seth Hall (Bro): Watching for the APT1 Intelligence
- Jason Wood (SecureIdeas): Reading the Mandiant APT1 Report
- Chris Sanders: Making the Mandiant APT1 Report Actionable
- Symantec: APT1: Q&A on Attacks by the Comment Crew
- Tekdefense (NoVA Infosec): MASTIFF Analysis of APT1
- Chort Row (@chort0): Analyzing APT1 with Cuckoobox, Volatility, and Yara
- Ron Gula (Tenable): We have Microsoft Tuesday, so how long until we have Indicator Wednesday?
- OpenDNS Umbrella Labs: An intimate look at APT1, China's Cyber-Espionage Threat
- Chris Lew (Mandiant): Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations (BSidesSF, slides not online yet)
- Adam Segal: Hacking back, signaling, and state-society relations
- Snorby Labs: APT Intelligence Update
- Wendy Nather: Exercises left to the reader
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion for Splunk
- Brad Shoop (Mandiant): Mandiant’s APT1 Domain/MD5 Intel and Security Onion with ELSA
- Kevin Wilcox: NSM With Bro-IDS Part 5: In-house Modules to Leverage Outside Threat Intelligence
- Cyb3rsleuth: Chinese Threat Actor Part 5
- David Bianco: The Pyramid of Pain
- Wesley McGrew: Mapping of Mandiant APT1 malware names to available samples
- Russ McRee: Toolsmith: Redline, APT1, and you – we’re all owned
- Jaime Blasco (AlienVault Labs): Yara rules for APT1/Comment Crew malware arsenal
- Brandon Dixon: Mandiant APT2 Report Lure
- Seculert: Spear-Phishing with Mandiant APT Report
- PhishMe: How PhishMe addresses the top attack method cited in Mandiant’s APT1 report
- Rich Mogull (Securosis): Why China's Hacking is Different
- China Digital Times: Netizens Gather Further Evidence of PLA Hacking
M-Unition (Mandiant) published Netizen Research Bolsters APT1 Attribution.
I'd also like to cite Verizon for their comments and mention of IOCExtractor and Symantec for publishing their indicators via Pastebin after I asked about it.
Thank you to those who took the time to share what you found when analyzing related APT1 data, or when showing how to use APT1 indicators to do detection and response.