Hey everybody. Good afternoon. So this is about building a security operation center. I'm going to show a little video first of what they tend or people think they look like. Pretty awesome video. Well, not really that awesome, but here we go. So if only we had those kind of screens. Okay, we don't work for them. No we don't. So I want to apologize to any Lockheed Martin employees right off the bat too. Most security operation centers do not look like that, but everybody wants them to. Yeah. Alright, so what makes a security operation center? Well, it's a lot of things. A lot of people think it's just an IDS system or just a firewall and we'll get to that, but the general flow is it starts with events, things that happen on the network or in the environment. And often that gets the network environments, network things go through the IDS system. There's a management system that manages that traffic. There's analyst systems. There are analysts who analyze that stuff. Contextual info like log data, time of event, all sorts of things. Reporting that thing and then incident response, just dealing with the hack attempt or the malware or whatever. So what's the point though of a SOC? Chris, do you want to say something? Oh, absolutely. The security operation center is designed to give you real-time detection and response. It is a central coordination point. So if you can detect everything happening on your network, whether your network is three or four machines or your network is 3,000 machines spread over a wide area. A security operation center as opposed to a CERT, which does a lot of incident tracking and reporting and putting out reports about recommendations for how to configure things and whatnot. A SOC is operational. The key there is that it's real-time, real-response. So it's not just an offline log review, it's real-time. And also keep everything running. Just keep it going smoothly. So isn't a firewall, IDS, or just antivirus enough?
Well, firewall, it's useful, obviously. People know about it. Attackers know about it. It only protects your systems. It doesn't protect your users. An antivirus has this lag time to catch new threats and it's not going to catch anything brand new. It matches files, you know, not traffic patterns, not the flow of the network data. The IDS itself, alerts on events, it's a lot like antivirus software where it depends on rules to be written for it, things that have been discovered or that you might be watching for. It doesn't provide context. It doesn't give you system logs, proxy logs, DNS logs, or information from users or other people. So these are the three components that every organization thinks they need to have. Back in the 80s, everybody had to have a firewall. That was the new thing. Everyone needed one. So as the 90s approached, everybody got a firewall. Now we're safe. Then antivirus started popping up and malware was important. So then everybody started investing in malicious code defense. Now everyone has to run an intrusion detection system. There are a lot of vendors out there that do that. Vendors cost money, a lot of money. So what we want to do is we want to go with these items, free, cheap, low, no cost, but we also need to fill in the other gaps. Firewall, AV, and an intrusion detection system is not a security operation center. It's a start. It's a good core set of components, but it's not everything you need. So what's the structure of a SOC? There's a lot. A lot you can put in the SOC. You've got private network and you've got people. You also have your main network that you're watching and the environment you're watching. I'll brief over these because we go over these individually. The private network has the IDS, management systems, analyst systems, and hopefully a lab. You've got your people, which are the analysts, other experts. You've got users and management. 
And all of this is happening in real time, 24-7, because you've got to keep watching everything that's happening. Do you want to say anything about that? What you need is a balance between technology and meat space. The computers, no matter how good your technology is, no matter how much automation people are putting in, you're still going to need people to look at your logs. You're still going to need people to analyze the anomalies to figure out what's really going on. Most of the systems that we already talked about, the firewalls and IDSes and AV, attack or try to defend against known threats. There's going to be a group of stuff that you know is good on your network whether you're using anomaly-based or not. The group that you know is good and a group of stuff that you suspect is bad. But in the middle of that is going to be a whole big group of, I don't know, someone has to look at that. So that's what the analysts are for. That's what the people are for. So talking about the private network, you want to have a secure communication network between your IDS management systems and analyst systems. You don't want it to be accessible to anyone trying to attack it. You want it to be... You want to keep malware off the systems. And you want to be able to provide management and update of the IDS and the rules. So I have some diagrams of simple network diagrams of things you could do. So this one here, I don't have a laser pointer. But you can just... This is really simple. So you've got this network, you've got a switch. It's probably not managed in this case. You've got a hub, unfortunately, going before the router. And you've got the IDS system watching all traffic that comes from that switch. And hopefully your server there is providing your DHCP and stuff, not your router, so you can see everything that's going on. This could be a basic diagram for somebody's home network.
If they were an enthusiast and they wanted to start learning about this stuff on their own systems. Or if you have a family and you have kids or what have you. If you have a number of different computers there or in a small office environment. Not all security operation centers just in... The idea is that every organization should have one, but they don't always start that way. So sometimes it starts as a little project in a little office with some people that care and know how to do it. So this would replicate that type of environment where you just want to look at everything you've got just starting out. And so this one is a more complex one. This would be for maybe a small organization that has a managed switch where you can span a mirror of the ports to one. So it's kind of the same idea as the last one, except you got rid of that hub. You've got the network going through that, basically the same thing. It's just like here. Well, you probably get it. It's pretty simple. This next one is a more complex one where you might have a DMZ. So your DMZ is a... You've got to have your external IDS system. It's separate from another system that has internal LAN segments. And this could be scaled up to worldwide systems. The key is that all the information from all of the IDSes, which if you're not in a network or an environment where you can monitor all of your traffic from either a hub or a spanned port switch, if your switches don't support that because they don't all do that, or if you're in just such a huge environment that you need multiple taps. What? If you're in a network where you have multiple taps, the key is to get all the data as securely as you can back to your management systems, to your analyst stations, so that you can start looking at it. Yeah, and you can have any number of IDS systems. They can all send data to one management system or multiple management, which would be kind of a nightmare.
And you can have multiple analyst systems all accessing that management system. You could additionally, we'll get to this too, you could additionally have everything running on one box. You could have management, analyst, IDS. So, talking about the actual IDS systems themselves, you don't want to have a secured OS. Linux is probably the best to do for this. They have things, the software like Snort, they have it on Windows, but I wouldn't do that. So, you want to learn how to secure the OS. There are a lot of guidelines. NSA has some good guidelines on securing all the different operating systems that you can find online. The software, there's Snort, which is a really popular open source software created by Sourcefire. They have a version that you can pay for, which offers more. But Snort is fantastic. There's also a new one called Suricata. I might be pronouncing that wrong, but I believe, I might be wrong about this, but I think some people from Sourcefire went off and started that. It's a great, another great IDS software. And it uses rules that you can write or also maintain by community and by Sourcefire to watch for network anomalies. There's a software called Barnyard2 which will take the data from Snort and send it off to your MySQL database or Oracle database or whatever. There's a thing called PulledPork which replaces something that was called Oinkmaster. It will manage your rules, so if you have custom rules, it will actually keep them intact instead of overriding them every single time. And you've got stunnel, which will securely transfer all that data from Barnyard2 that comes from Snort, secure it over any network segment of any kind to your database server, which is possibly your management station. And then you also have packet capture. You've got to have constant running packet capture so you can review packets or network transactions as you see things happening.
And tcpdump can be set to run as a daemon and can save files of any size or certain time lengths. There's also a program called Daemonlogger that looks pretty great. It actually can run as a software tap. So I'll get to the taps later. But it will write out PCAP files, the dump files, and also run as a software tap on a really inexpensive system. So there's a tendency, whether you're in a corporate environment, whether you're working with government or whether you're doing this on your own, to over-engineer any facet of your security infrastructure. When we're talking about a secured OS, as Josh mentioned, Linux is the best choice for that. It's the most flexible. There are a lot of distros already set up. There are a lot of pre-built things that will run this very securely, very safely. You can bump up to OpenBSD if you really need something secure. You can write a custom OS. There's a lot of different things that you can do for this. The IDS software, we mentioned Snort and all the supporting tools for that. Snort has been around a very long time. Props to those guys, those guys are awesome. There are a lot of commercial IDSes that are based very heavily on what Snort has done. If you want to spend money, you can spend money and buy something like that, or you can use Snort or something very similar, and you can roll your own. You can do a lot of very good things, custom to your environment with Snort that you can't do with other things, or that vendors will not do for you. This isn't just what we look for open source stuff and that's all we're going to talk about. There are some distinct advantages to this. The one final point on this is when we're talking about the packet capture, if you're in a large environment, packet capture is a huge problem, simply because of size. You cannot capture all of the packets going across your network and all of the data all the time and then be able to look at it.
You may have to build custom rules as to what you want to capture and let them have triggers or targets, as far as we really want to see everything to certain groups, certain servers, and then understand that if you're in a more complex environment, there are some systems that you just don't really want to see all that important information for. Yeah. And you know, there are a lot of, as he was saying, there are a lot of pre-built distros. There's some live CDs out there. I don't know if I put them in the slides, but there's something called EasyIDS, which is fantastic. It uses Snort, it uses some management software, it can run off the CD. There's other ones too and there's some really great stuff out there. So this is what Snort looks like, I mean, kind of. It's part of it as it's running. You see the little piggy there, though, that's the cutest part over on the left bottom and it's snorting up all those packets. So the management system itself, you also want a secured OS for this thing and all this stuff is still on your, it's on your private network. With, it depends on what kind of management software you're using, but what I'm going to show a little bit of is using LAMP, using Linux, Apache, MySQL, PHP. And you have management software, that's stuff I was just mentioning. You've got BASE, which is a popular, kind of old, kind of dated, but it's still good. It looks like, I don't know, from the web from the 90s or something, but it's fine. You've got Sguil, which is the Snort GUI. It's actually pretty awesome. It will display real-time events popping up. It was a bit of a pain to configure, so I don't have that for you, but sorry. Snorby, same thing. It's actually a Web 2.0 version of BASE. I mean, if a person who made Snorby heard me say that, they may not like it, but it's pretty nice. And there's other stuff to grab logs like Splunk, OSSIM, or Nagios to keep watch over your servers or report any kind of, you know, anything you want.
Again, all good options. The key components here, as far as the management system, is this is just your overhead system. This is what you're keeping track of your IDS, keeping track of your security infrastructure. We want to emphasize again, these should be on secured OSes. This should be on a private network, if possible. Nothing is more embarrassing than having your security infrastructure hacked for an organization. We've seen it, and it's bad. So this is what BASE looks like. You kind of have to, it refreshes, you can change the refresh rate, but it's not very exciting. I'll show you a little bit more of BASE in a little while. The analyst systems, also secured OS, hopefully you do them on virtual machines, because we've seen them get, you know, popped by malware or something. Just, it happens, you know, you look at malware, so sometimes it just infects your system. So you want to be able to replace those really quickly, and you want to be able to change them really easily. You want to have, hmm, I'll skip that part. You have analysis tools. So this is Wireshark, tcpdump, and NetWitness, which is a really great program, but it only works on Windows. It doesn't work with Wine. So, it's fantastic, except for that. That's terrible. It's really sad. And there's a lot of other tools. There's a tool called Chaosreader, which unfortunately I don't think has been updated since 2003, but it's a really great program. I'll give a little demo of that briefly after a few more slides. So, you know, this is what you're doing on the analyst system. You're looking at traffic. The most common way is this Wireshark is easy. You can, your analysts don't have to look through a bunch of text, but sometimes text is a lot better, like in the command line on tcpdump or tshark, which is the command line version of Wireshark.
So depending on the size of your organization and what you're looking at, the analyst systems, like we saw in that cool video at the beginning, they're looking at just a real-time display of what's going on. So their analysis system is a very basic system. It's got a heads-up display showing a graphical representation of what's happening on the network. And they have a very basic ability, probably, to look at packet captures. But when it comes to malware analysis or if you really want to look at some targeted system logs or things of that nature, typically you're going to end up going to another system. The system that interfaces directly with your management interface, you really don't want to expose to malware because you don't want that malware exposed to your management interface. You don't want the malware to go from, here I'm looking at it, to now it's on my IDS, to now it's all over my network. And then there will be very limited ways to get rid of that type of information. Also, typically a lot of the security analysts or the people using the analyst workstations will be running with reduced privileges, again, to try to minimize the effect of malware being able to take advantage of the systems or really intelligent hackers jumping in and being aware to target those systems directly. Yeah, and you want to make sure that they have, I mean, the analyst system shouldn't have internet access. It should be limited. If you have to do research, you have another system on a separate network entirely. And you don't pass things back and forth between the two systems. So it'd be great to have a lab. You can use it as a test system that you can test rules for the IDS so you don't run it in production. A lot of places we've seen actually do run things in production. They test things and it messes things up. You can test configuration changes. You can use it as a backup in case the actual system fails, which could be pretty handy. It's also a safe environment. 
Play with malware, try hacks. You can try to trigger that rule you just wrote for the IDS and make it happen so you can actually get into your secured private network. Your lab system is critical to the success of an operation center. You don't want to be making configuration changes on the systems that are actively watching your network. You also don't want to be testing malware or playing with packet capture dumps and downloading things off the internet to see what these scripts are doing to your network and doing that anywhere on your network that's connected. This is a great place to do training if you have a large staff, which costs money, but you got to train somehow. It's a great place to practice but again, what you don't want to do is ever connect your lab systems to your production environment. Ever. Please. Ever. I think you made this slide. Did I do that? Yeah. Awesome. Yeah. You need analysts. You need people. There's a huge group of people involved in running a security operation center. It starts with the users. If you didn't have users, of course we all hate the users because they're the ones causing the problems, right? But if we didn't have them we wouldn't need the network. So we need the users. We need sysadmins. We need security zealots to go figure out what's going on. People to go surf the web. People to come here to DEF CON. People to pay attention. Okay. We have to have the analysts sitting there 24-7. So they can't all be at DEF CON. Somebody has to stay home and watch the network, right? Management has to... You do whatever it is management does. And you need the leadership guys. You need the guys with the checkbooks because there will be times that you'll want to spend some money. Now again, we don't want to build the big blue system that we saw at the beginning on that commercial with all the nice screens. You don't need it. We'd all love to have it. That's a management's job. Yeah. We'd all love to have it, but we don't need it.
But what we do need to do is sometimes we have to buy special taps. Sometimes we'll have to re-route some of the network hardware. Sometimes we'll have to buy a security zealot. If you don't have anybody on your staff, if you guys are really interested in wanting to do this, but you don't have that guy to help you guide that, you have to go find one. Sometimes those people cost money. Okay. So the key is you need to get everybody involved. Everybody has to understand what a security operations center does and what it means. Okay. Users need to understand that they're being watched, not so that they know they're being watched, but so they don't know what they're being watched for. Okay. So that they can try to stay away from malware, so that they can try to do things that don't compromise the network. And then, of course, all the other folks need to be aware. Everybody has to buy into this. All right. So going into the specifics of these people, you've got the analysts. You need to have people who they want to learn. They want to, they know what they're doing. They know networking. They can understand some of the things they're looking at. Hopefully they've done some attacks themselves. Maybe they have their own home networks that they've built. Or if you're the analyst, I mean, you probably have your own home network that you've built for downloading malware, attacking things, doing cross-site scripting or a SQL injection or whatever you feel like is your thing. You want people who are comfortable with source code maybe, with JavaScript, unfortunately, with Hex, open new ideas, not stubborn, not stuck in their ways, because things keep changing. You also don't want them to blink. They should never call in sick, and they shouldn't need sleep, basically. But that's basically the way that's the people we are, so. They're pretty good at deductive reasoning and critical thinking. That's pretty important. 
You need to be able to make up for the lack of context because there's often a huge lack of context with what you're looking at. You want to say something? Oh, yeah. Yes. You can never have enough good analysts ever. Most security operations centers, they're 24-7, depending on the size of your network. Some of them have to start small. Some of them have to start very modest. It could be the one person who's watching an IDS because he saw it on a live CD and he put it up in his network just to see what's going on in his area. But you have to build to these things. You eventually may want to hire to these things or try to recruit to these things. But this is the core of what a security operation center is. In that first video where we saw that cool technology, if none of those people sitting in that room had a skill set, it wouldn't matter what that technology was because none of them would know how to use it. And the people that we saw on the previous slide from leadership all the way through the users, if they don't believe in what's going on there, it doesn't matter what all that technology is. You can spend all the money you want. Money will not buy you security. These are the folks that are the core of the operation right here. They're the ones that will help get the information out to the users. They're the ones that will help get the information up to date. There are other experts as well. You've got the network administrators. They keep the whole thing going on. They can tune the IDS rules, so they can update the rules, keep the systems up to date. You've got forensics experts which would maybe take that malware that you see on your systems and go look at it and see what it's doing, see what kind of data might have been leaked if any was. You have incident response. You've got to have people to deal with it, go restore that server from a backup, et cetera. You've got external entities. In case of criminal action, you have to have law enforcement.
You might have government involved. It could be if personal data is leaked of your customers, you might need to involve them. Depending on the size of your network and the nature of your business, you may have some of these folks on your staff and your security operations center. You may have sysadmins there to that user system to rebuild it and to tell them to stop surfing YouTube that day or whatever. The forensics guys could be part of your staff or they may not be. You may have to reach out to consulting teams like Mandiant. Incident response, same thing. You may not have the capability of going out after the fact and responding to these and cleaning these up, but there are resources out there. So the information is available. There are a lot of books here that we've seen. There's a lot of information online about basic forensics and things of that nature. There's a project. If this is not an official organizational effort, you can play with it. You can try it. There's a lot of information out there that can guide you for free. But at some point you may want to bump all the way down this list and you may have to get people involved if you think criminal activity has taken place. You're not going to have the FBI on your staff so you're going to need to know how to reach out to those folks. So look for other organizations out there that do this for a living like CERT and try to figure out ways to get information out there. And you've got the users, of course. They report things. They report phishing emails, stolen property, lots of data. They might do things. I'm pretty sure. They'll probably download malware, spyware, all that good stuff. They'll engage in inappropriate activities for your organization. You need to be able to watch for that. And the best thing is that they're the most widely deployed IDS if you tune them properly. If you teach them how to train them, they can watch out for your network. And it can be a great resource.
The key is if users aren't telling you that they're receiving phishing emails, you're not necessarily going to know if any of the users are being targeted. A lot of users, a good example would be my mother, unfortunately, who thinks she's not important enough for any hacker to want to target her system, but she was a spam relay for quite a long time. It's not her information. It's her computer. Whether it's her home system or whether it's her work system. And if nobody else is watching out for that and if your organization, your security operation center, isn't able to reach out to the mail logs to find out what's going on, then this is the kind of information where your users need to be able to give that to you. Your users can be a free intrusion detection system, but they do need to be tuned properly. Exactly right. They have to be trained. They have to know what to look for. And as the security operation center folks, that would be our job to go teach them. That's the way that's easily digestible to them. They've got management. They interface with other entities, keep all the pieces from falling apart. They make it rain. And that's the money joke. And someone has to make decisions. So. I love management. Love them. Yeah. All right. So then you've got the data. What is all the stuff you're looking at? What is a security operation center seeing? You've got files, emails, users, people talking to you, maybe even letters. Someone threatens someone. You've got log files from firewalls, hosts, proxy servers, DNS servers, web mail, web servers, sorry, and network events. These are the things that you just kind of churn through and you look at it and see what's going on. The focus of a security operation center traditionally, especially in this type of a form, is network events. But here we are at DEF CON and we've got lock picking stuff going on and we've got social engineering stuff going on. 
There is a number of other disciplines of security that are involved in this. And while you're not necessarily going to be your security staff, if you work in an organization that has security rental cops hanging around and watching people and you need badges and all that, your security operation center isn't necessarily going to know if somebody tried to get into a machine room. You need to get involved in that information and get those logs from those entities. Four times in one week some folks are trying to get into the server room as a physical security measure, you may want to know that as a network operation center. Okay? So handling all that data is a big, big deal. You have to be able to filter that data and get out the false positives and threshold the constant, constant attacks, the things that are all the same that keep on happening. And you want to categorize that data and categorization can go all sorts of ways. You have the thing that you want to figure out and you see an attack on your system. You've got something you've got to deal with and something that maybe you want to research more. Depending on the size of your network the amount of hits, the amount of people scanning your network could be horrendous. Or if your network is sufficiently small enough, you may have absolute control over your perimeter and what's going by. There are internet resources that can tell you if there's a spike in secure shell scanning going on because of some recent activity. That can help you find out what's going on so you need to be able to do any of that filtering. All that stuff is showing up in your logs. You need to spend cycles looking at it. Siphoning that down to figure out what's going on. If you know you're not running secure shell, do you care about secure shell scanning? Chances are you may not from an actionable point of view but you may want to from a realistic point of view from an awareness perspective. Okay?
So you need to be able to get all this information down, take the entirety of everything you're looking at and figure out for your environment what's best and pare it down into things that you can prioritize and take action on. So CERT actually has some great categorization recommendations. They have seven categories that you can filter things through, which will make looking at things that are coming through your network easier instead of one screen full of everything. You've got cat one for successful unauthorized access. That's when someone actually gets in and accomplishes what they were setting out to accomplish. So category two for denial of service. Category three you have an installation of malware or maybe in fact a beginning of malware. Four being improper usage, you could put spyware in there or you could, because users download it, you could also put browsing porn if that's not what your organization's into. And category five would be scans or attempted access. So you might have someone trying to do a SQL injection and they were unsuccessful. Maybe that's a category five and it's not a category one because they didn't actually make it. And category six, investigation, everything that doesn't fit, you don't know what's happening, you need to check it out more. These categories are roughly based on NIST guidance that came out before. Most of the larger CERTs that have evolved over the past decade or so have come up with different variations of this. This is US-CERT's take on what NIST came up with. And again the larger organizations like DoD CERT or any other federal-level CERTs or even other national CERTs, they kind of all have modifications to this. The key is this is just a way to respond to things. Okay. So you want to understand what's important in your environment and this is roughly based on the attacker's goals and what level of impact they were able to have on your network.
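The filtering, thresholding and categorizing just described can be shown in code. The following is an added example written for this transcript, not part of the talk or of any of the tools it mentions. It parses Snort "fast" alert lines (the sample lines are constructed), collapses a source that keeps tripping the same rule into one row with a count, and assigns each row to the six-category scheme above. The mapping from Snort classification strings to category numbers is an assumption made for the example; a real SOC tunes that table to its own rules and to what management has decided is reportable.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Category numbers as described in the talk (the US-CERT style scheme).
CATEGORIES = {
    1: "Successful unauthorized access",
    2: "Denial of service",
    3: "Malware installation / beaconing",
    4: "Improper usage",
    5: "Scans / attempted access",
    6: "Investigation",
}

# Assumed mapping from Snort rule classification to category. An attempted
# DoS is not category 2 (that is reserved for a DoS that actually worked),
# so it lands in 6 for an analyst to look at.
CLASSIFICATION_TO_CATEGORY = {
    "Successful Administrator Privilege Gain": 1,
    "Successful User Privilege Gain": 1,
    "Denial of Service": 2,
    "Attempted Denial of Service": 6,
    "A Network Trojan was detected": 3,
    "Potential Corporate Privacy Violation": 4,
    "Attempted Information Leak": 5,
    "Web Application Attack": 5,
    "Attempted Administrator Privilege Gain": 5,
}

# Snort "fast" alert format: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not from a real sensor). One scanner hits the
# same rule four times; that is the "constant, constant" noise to threshold.
SAMPLE_ALERTS = [
    "08/01-14:02:08.000100  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44011 -> 10.0.0.5:22",
    "08/01-14:02:09.000100  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44012 -> 10.0.0.6:22",
    "08/01-14:02:10.000100  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44013 -> 10.0.0.7:22",
    "08/01-14:02:11.000100  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44014 -> 10.0.0.8:22",
    "08/01-14:05:30.000200  [**] [1:2012345:2] ET TROJAN Generic checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.23:51234 -> 198.51.100.10:80",
    "08/01-14:06:00.000300  [**] [1:1234:5] LOCAL admin shell returned [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:22 -> 203.0.113.7:44020",
    "08/01-14:07:00.000000  [**] [1:999:1] LOCAL custom test rule [**] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "this line is not an alert and is skipped",
]


@dataclass
class Alert:
    ts: str
    sid: str
    msg: str
    cls: str
    src: str
    dst: str


def parse_alert(line):
    """Return an Alert for a fast-format line, or None if it does not match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["sid"], m["msg"], m["cls"] or "", m["src"], m["dst"])


def categorize(alert):
    """Unknown classifications go to category 6: someone has to look at them."""
    return CLASSIFICATION_TO_CATEGORY.get(alert.cls, 6)


def triage(lines, threshold=3):
    """Group alerts by (rule, source); a source tripping one rule at least
    `threshold` times becomes a single row with a count instead of N rows."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            groups[(alert.sid, alert.src)].append(alert)
    rows = []
    for (sid, src), alerts in groups.items():
        cat = categorize(alerts[0])
        rows.append({"category": cat, "label": CATEGORIES[cat], "sid": sid,
                     "src": src, "msg": alerts[0].msg, "count": len(alerts),
                     "thresholded": len(alerts) >= threshold})
    # Successful access first, investigation last; noisier sources first.
    rows.sort(key=lambda r: (r["category"], -r["count"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"cat{row['category']} x{row['count']:<3} {row['src']:<14} {row['msg']}")
```

The four SSH scan alerts become one category 5 row with a count of 4, the trojan check-in sorts above it as category 3, the privilege-gain alert sorts to the top as category 1, and the rule with no classification falls into category 6 for an analyst to investigate.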
So being able to get access to your systems or your data or your users, whether the user responded to a phishing email and sent their username and password back to these guys, that would be unauthorized; that username and password is exposed. Okay. Denial of service, typically what these guys want is only if it's successful. Denial of service, only if it actually happened, do these guys care. So as far as whatever US-CERT has purview over, they only care if it's actually happened, it worked. Installation of malware or post-infection beaconing, intrusion, inclusion rather, into a botnet, anything of that nature, that's category three. They only care if it actually worked. If your antivirus caught it, they don't care within the purview of what they're reporting. Your management will dictate generally what you're going to want to report and how you're going to take action on it. If your leadership will build that type of information system, those types of processes in, they'll finance you for those processes, I guess. But what's important here is understanding that it's up to your environment. So if you're starting this out low, no cost, free, whatever, you need to use this as a way to justify what you're doing so that you can possibly get more money from management and leadership, to show impact, to show that you're actually catching things, to make it actionable. If you can show that it's actionable and you can show that other organizations think this is important, you can use this publicly available guidance and you can say, look, US-CERT thinks this is important, maybe we should too.
So, getting into the analysis of stuff. I didn't do a little demo for this, but if you want to analyze something that pops up on your analyst system, I don't know, a malware check-in, who knows, you want to look at the network capture and see what's really happening: maybe take a look at the user agent, look at all these different things, to provide information on what's happening. You might have to research what that traffic means; you might have to look at the external IP it's beaconing out to, or maybe where someone downloaded from. Then, to help determine what's happening, you want to look at the AV log on the system itself. Hopefully it caught it, or if it's beaconing out, it probably didn't catch it. And you want to see the system log, see what maybe has been changed; maybe there'd be something in there that could help you. All that stuff provides context to the IDS alert that originated the great game, or something like that. And then you do incident response, dealing with that malware. This process is important. This process is essentially money in the bank: if you have access to these types of data sources and you can follow through this process in an efficient manner, if it doesn't take you months to get this type of information, if you can get this information within an hour or two of an IDS alert, you can find out what happened and probably mitigate it before it does a lot of damage to your network.

Yesterday, actually, there were some folks that were profiling malware and how folks were getting infected. Most of it was user driven, and it was based on social engineering sites and whatever was trendy and going on at the time. Those were the guys that had the Playmate of the Year come in. Did anybody else see that? Oh yeah, okay. So the guys, again, in that SOC that we saw at the beginning, they were looking at their real-time IDS alerts. The administrators are working somewhere else, okay, in a little server closet somewhere. Okay, so you need to get those firewall logs, though, because if you get popped with malware, chances are you might go out and try to download more malware; there are a number of trojans out there that will do that. Okay, so you want to know if your firewall is blocking those connections. Though if the firewall is dropping them, depending on where your stuff is placed on your network, that may not trigger on your intrusion detection system. Where was the user before they got the malware? That's where the malware probably came from: either it was, you know, a compromised ad that was redirecting them, there's some hidden iframe, this, that and the other. There are so many clever ways to get this stuff in now that it's really kind of a game to find out where this stuff came from, and getting good at that game makes you really good at doing this. Looking at your antivirus log again: if your antivirus flags on it, sometimes, because antivirus is a system, it only flags after it runs in some cases, and when that happens the malware can still be running in memory and beaconing even though AV has quarantined the results of the files after they've run. So what happens is you'll end up with a system that's already beaconing, and some AV guy will go look at the log and say, Symantec quarantined it, or McAfee quarantined it, and it's done. But the system is still beaconing because it's running in memory, and the time view of what's going on and having access to all these logs can tell you that that system is still compromised, and while it's still compromised and beaconing it can continue causing further damage. Looking at your other system logs and all that information, but the big money is talking to the user, especially with malware: find out what they were doing and what they saw. If you find out what they saw when it was happening, that's again a human intrusion detection system signature, and that again helps tune your other IDS. It will provide the education your users need. Yeah, I'm good, sorry. So actually I have a little video of just a grab of a file
and then reviewing the data. It's basically that same procedure we saw for the malware. Let's go ahead and show this. It's a little bit odd the way it goes, but here you go. So we've got, I'm running, I just ran it manually, but it would probably be running as a daemon process. I'm showing you here on BASE; there's nothing in there right now. So I've got tcpdump running, watching the network traffic. Then I've got this system that tcpdump is running on, a virtual machine; this is on a separate machine. This is a Damn Vulnerable Linux. They're getting a password file with a command execution system. And now I'm going to go back over to BASE, and you'll see as we refresh it that there's an alert: it's our password attempt. I tried to get this thing, so you don't know what I got yet; you just want to see. So you go in here in BASE, and it's a little bit odd, but you can see, oh, they posted something from this website, and there's google.com and there's some encoding in there, then cat /etc/passwd. So now you need to look at the pcap. So I actually opened it up; I took it from the dump I was doing. So there's that post right there, and then you want to take a look at the data. You can actually follow the stream with Wireshark, which is a little easier, but I had some trouble with that for some reason. But here it is: you can see they got it, they got the root. Bigger deal, but they got it; they got into the server. So that's the basic idea of what an analyst would do when they need to review an incident.

So, talking about mitigation. Actually, before I do that, I'm going to show you this other one; I'll show you Chaos Reader real quick. So this Chaos Reader is a program. It's fantastic. It was written a while ago, but it will extract from a pcap file, and often will provide images and other great data that will help with figuring out what happened. So let's see, while he's getting that set up: Chaos Reader is an excellent program. It extracts all different facets of known program files from a TCP stream, so it will reconstruct pictures, it will reconstruct emails, executables, any number of things that you want to look at. And is anybody aware of any other open source or free utilities that kind of do the same thing? NetworkMiner? NetworkMiner, thank you. What's that? NetworkMiner, NetworkMiner. And please don't say NetWitness, because that's Windows only. So I'm going to run this. It goes through the pcap, pulls all that stuff out, and puts it in the directory I specified. There are all these files; it's not the most user friendly, but you start with index.html. And I don't like that, so it's kind of rough, but it helps quickly. You can see what this user is looking at: they're looking at Sarah Palin on Amazon; they're going to buy her book. You have to stop them, so they'll get on that quick; you've got to talk to that user. And this is a great program in terms of, like, I've seen SQL injection attacks, and I can run the network traffic on here, and it will provide, this is as HTML right here, it will actually show you what you see in Wireshark. But then typically, under this session, there might be another HTML file which will actually show you what the attackers saw, the actual web page they were looking at. It's pretty great. So there are a lot of great programs; this is one of them. And go over here, back to this; how do I get back into that?

So, mitigation, incident response. I'm going to give a yes again to user education; I'm going to harp on this again. Your users are your most widely deployed IDS. Typically they're best targeted against things like malware and infections. They're not going to help you if your server's getting SQL injected; however, your server admins, your programmers, those folks are the ones that you want to talk to and find out why these things are like that. There's a lot of legacy that hasn't been patched, or things that have
not been updated. These are the things that need to be looked at. They need to be looked at continuously, but nobody really has the resources to do that. So when we start detecting these kinds of things, we want to go out and start educating both the users and the admins on the network and get them more focused on security. Security has to be part of everything we do in networking. Again, stop giving users administrative access; while that doesn't necessarily always protect them, proxy servers and firewalls, one of the best things that we have seen recently, is using proxies to block sites. I mean, that works great; it really helps protect users from themselves, or from those iframe redirects, depending on if you can use greylisting, if you can use whitelisting, depending on what types of proxies you have in place. A lot of the more common ones now, like Blue Coat and whatnot, they're actually really just more modified versions of, okay, Squid. Squid, somebody said it. They're just modified versions of Squid. Squid is free; you can run it, and you can use it to do the exact same things. It works very well. You can either whitelist your internet access, if you're in a very tense environment where you have to really restrict what your users are doing, or you can use this form of blacklisting. And there are a number of other mechanisms out there, there are blocklists of bad IPs, there are a number of things you can do with mail servers to stop this stuff, there's a bunch of anti-spam software which will stop a lot of phishing attacks. There are a lot of things that you can do, free, low or no cost, to your infrastructure to make things more secure for your users.

So I just have a summary. Basically it provides some information on what we went over. As for the tools, the best one that I found, and a lot of people agree, is open source; it's fantastic. They have a download section; they have all those tools I mentioned, PulledPork, Barnyard; they have extra other tools for analysis; they have some great stuff and some great white papers, and you can find some guidelines on setting up your own networks. I was hoping to provide a step-by-step Snort installation guide, but, you know, there are a million of them out there; some of them are great and some of them aren't so great, but you can just do a search and you'll find it. If you have questions, come see us in Capri 112, and here are our emails too. I don't know if you want to say anything, Chris? No, I'm good. All right, thank you. We're ending a little early. Thanks a lot.
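The demo earlier in the talk, the BASE alert on a POST carrying an encoded cat /etc/passwd followed by opening the pcap to see whether the server actually handed the file over, is the step that decides between "attempt" and "they got in". The following is an added example, not from the talk and not code from Snort, BASE, Wireshark or Chaos Reader, that does that step in standard-library Python: it reads a classic pcap, pulls the HTTP request out of the TCP payload, URL-decodes the query string and body the way the analyst did by eye, records the User-Agent, and then matches the server's reply to the request so a 200 that contains password-file content marks the finding as confirmed. The capture is constructed in build_sample_pcap(); the addresses, the /dvl/exec.php path, the request and the INDICATORS list are assumptions for illustration, and pcapng files are deliberately rejected rather than guessed at.

```python
"""Read a classic pcap and decode what an attacker actually sent over HTTP.

Added example, not from the talk or any of the tools it names. The sample
capture is constructed below; addresses, paths and the indicator list are
assumptions. Only libpcap-format files with Ethernet framing are handled.
"""
import socket
import struct
from urllib.parse import unquote_plus, urlsplit

# Decoded substrings worth a second look (assumption; tune to your environment).
INDICATORS = ("/etc/passwd", "/etc/shadow", "cat ", "; ", "|", "`", "$(")

def build_packet(src_ip, sport, dst_ip, dport, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame carrying one PSH+ACK segment (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp + payload

def build_sample_pcap():
    """Constructed capture: an injected POST and the reply that leaks /etc/passwd."""
    post = (b"POST /dvl/exec.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n\r\n"
            b"host=www.google.com%3B+cat+%2Fetc%2Fpasswd")
    reply = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<pre>PING www.google.com\nroot:x:0:0:root:/root:/bin/bash\n</pre>")
    frames = [build_packet("198.51.100.7", 51515, "192.0.2.10", 80, post),
              build_packet("192.0.2.10", 80, "198.51.100.7", 51515, reply)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, DLT_EN10MB
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_payloads(pcap):
    """Yield (time, src, sport, dst, dport, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng not handled)")
    if struct.unpack(end + "IHHiIII", pcap[:24])[6] != 1:
        raise ValueError("only Ethernet captures handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]             # skip the TCP header and options
        if payload:
            yield (sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), sport,
                   socket.inet_ntoa(ip[16:20]), dport, payload)

def parse_http_request(payload):
    """Split one request into (method, target, headers, body); headers keyed lower-case."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    return method, target, headers, body.decode("latin-1")

def analyze(pcap):
    """One finding per suspicious request; 'confirmed' is set from the matching reply."""
    findings, by_flow = [], {}
    for ts, src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if payload.startswith(b"HTTP/"):               # a response: match it to its request
            f = by_flow.get((dst, dport, src, sport))
            if f is not None:
                f["status"] = int(payload.split(b" ", 2)[1])
                f["confirmed"] = f["status"] == 200 and b"root:x:0:0:" in payload
            continue
        if payload.split(b" ", 1)[0] not in (b"GET", b"POST", b"PUT"):
            continue
        method, target, headers, body = parse_http_request(payload)
        decoded = (unquote_plus(urlsplit(target).query) + " " + unquote_plus(body)).strip()
        hits = [i for i in INDICATORS if i in decoded]
        if not hits:
            continue
        f = {"time": ts, "client": f"{src}:{sport}", "server": f"{dst}:{dport}",
             "request": f"{method} {target}", "user_agent": headers.get("user-agent", "?"),
             "decoded": decoded, "indicators": hits, "status": None, "confirmed": False}
        findings.append(f)
        by_flow[(src, sport, dst, dport)] = f
    return findings

if __name__ == "__main__":
    for f in analyze(build_sample_pcap()):
        verdict = "cat 1, it worked" if f["confirmed"] else "cat 5, attempt only"
        print(f"{f['client']} -> {f['server']} {f['request']} UA={f['user_agent']!r}")
        print(f"  decoded: {f['decoded']}  indicators={f['indicators']}  status={f['status']}  {verdict}")
```

On a real capture, replace build_sample_pcap() with the bytes of the tcpdump file; the same request/response pairing is what "follow the stream" gives you in Wireshark, and the confirmed flag is the difference between the two categories from the talk's list.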