Wednesday, October 15, 2008

What Happens In Vegas?



What’s a Mennonite doing in Vegas? Facilitating for the SANS Digital Forensics and Incident Response Summit, what else? I actually arrived in Vegas a few days early to gain some additional training, taking the SANS Browser Forensics and Digital Analysis classes from the incredibly talented Mike Murr.

As always at SANS, I learned a ton. My personal takeaways from the summit, almost themes if you will, were two resounding messages: (1) Pulling the plug on “pulling the plug” and (2) Don’t neglect your points of egress (or what I like to call, don’t let the door hit you on the way out!).


Steven D. Shirley from DC3 gave the opening address, and Rob Lee was the Chair.

It seemed almost every presentation mentioned that pulling the plug in an IR investigation is dead! After all, isn’t Incident Response often about “live” acquisition? To that end, the significance of memory forensics played front and center stage during many of the presentations, with guru AAron Walters leading the charge.

Eoghan Casey (pronounced Owen) and Chris Daywalt reminded us that what leaves our network is critical, and that creating a baseline or “white list” for our points of egress is paramount. We were also advised to baseline our network traffic and our systems’ memory. We were cautioned not to become complacent inside the “soft and chewy center” of our WAN. If we become lazy or get too comfortable with our “trusted” core, we could very well be leaving ourselves wide open. Being a skeptical New Yorker, when I write about trust, I like to break it into three categories: (1) blind trust, (2) no trust, and (3) earned trust. Blind trust is obviously unsafe, trusting no one is preferable (in my opinion) but highly impractical in the real world, and earned trust isn’t utopia, but deserves some merit.

We also reviewed some necessary basics that are still being overlooked by many:

● Naming conventions, i.e., instead of naming our boxes by their function, choose a less pronounced schema. I’ve seen corporations use fantasy characters or even types of beer.

● Don't allow "mount shares" on domain controllers.

● Allow a minimum of 30 minutes each day to review logs (of course we’d prefer more, but this is preferable to zilch). And if you notice, for example, in your VPN logs that you have 40 minutes worth of attempts at $ or root, you might want to take a closer look.

● Stay away from i-frames on your web pages.

● Make all users non-admins. I will warn you that without the support of upper management, this could backfire. If you are upper management, support it 100%, and have a policy in place. A common argument against this is that the business culture doesn’t support it, or it’s not practical. For a lot of us in security, this is 101, which is why it may be hard for some of us to fathom, but this small decision has the potential to create many enemies. Just try taking away the CEO’s privilege to download music; yet how many times have we seen some of the biggest offenses against our network policies coming across the wire that leads straight to the jack next to the mahogany desk?

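As an added illustration of the log-review habit above (example code written for this page, not from the post or any of the summit speakers): a small Python script that walks VPN authentication log lines, counts failed attempts against privileged accounts (root, Administrator, and Windows accounts ending in “$”), and flags any account whose failures stretch over at least 30 minutes, the kind of pattern the “40 minutes worth of attempts at $ or root” remark describes. The log format, the field names, and the sample lines are all constructed assumptions; no VPN appliance logs exactly like this.

```python
"""Flag sustained failed logons against privileged accounts in VPN logs.

Added example. The log format below is an assumption made for this
script; real appliances differ, so LINE_RE is the piece to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). Assumed format:
#   "<date> <time> vpn auth <OK|FAILED> user=<name> src=<ip>"
SAMPLE_LOG = """\
2008-10-15 08:00:12 vpn auth FAILED user=root src=198.51.100.7
2008-10-15 08:05:44 vpn auth FAILED user=root src=198.51.100.7
2008-10-15 08:13:02 vpn auth FAILED user=WKSTN01$ src=198.51.100.7
2008-10-15 08:21:19 vpn auth FAILED user=root src=198.51.100.7
2008-10-15 08:29:55 vpn auth FAILED user=WKSTN01$ src=198.51.100.7
2008-10-15 08:38:10 vpn auth FAILED user=root src=198.51.100.7
2008-10-15 08:45:31 vpn auth FAILED user=root src=198.51.100.7
2008-10-15 09:02:00 vpn auth OK user=jsmith src=203.0.113.21
2008-10-15 09:03:14 vpn auth FAILED user=jsmith src=203.0.113.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn auth (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def is_privileged(user):
    """root/Administrator, or a Windows machine/hidden account ending in '$'."""
    return user.lower() in ("root", "administrator") or user.endswith("$")


def parse(lines):
    """Return (timestamp, result, user, src) tuples; lines that don't
    match the assumed format are skipped (a production parser should
    count and report those instead of silently dropping them)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def flag_sustained_failures(lines, min_span=timedelta(minutes=30), min_attempts=3):
    """Map privileged user -> (failed_attempts, span_in_minutes) for every
    account whose failures number at least `min_attempts` and stretch over
    at least `min_span`. Successful logons and ordinary users are ignored."""
    per_user = defaultdict(list)
    for ts, result, user, _src in parse(lines):
        if result == "FAILED" and is_privileged(user):
            per_user[user].append(ts)

    flagged = {}
    for user, stamps in per_user.items():
        span = max(stamps) - min(stamps)
        if len(stamps) >= min_attempts and span >= min_span:
            flagged[user] = (len(stamps), int(span.total_seconds() // 60))
    return flagged


if __name__ == "__main__":
    for user, (attempts, minutes) in flag_sustained_failures(SAMPLE_LOG).items():
        print(f"REVIEW: {attempts} failed logons for {user} over {minutes} minutes")
```

Run as is and the only account reported is root, with five failures spread over 45 minutes; the machine account WKSTN01$ stays under both thresholds and jsmith is not privileged, so neither is flagged. Pointing it at real logs means reading the file into the string and adapting `LINE_RE` to the appliance's format; the thresholds are deliberately parameters so a team can tune them to its own baseline.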
We learned about the increasing importance of preparing for a breach. I’ve referred in the past in this blog to learning at SANS that the minute we think our network is secure is the second we’ll be hacked. Ego often plays a role in network security, but it’s almost taboo to draw attention to it. Perhaps it’s time we check our egos at the door of our Data Centers and devise a contingency plan for the unfortunate event that we ourselves suffer a compromise.

Steve Whalen of Forward Discovery walked us through iPhone forensics. Awesome! Ovie Carroll (I love my scary t-shirt!) spoke about “User Attribution” and that finding the smoking gun isn’t enough. We must be able to connect the dots from that gun, using fingerprints, GPS, text message logs, recent e-mails, phone calls and even Google searches. A thorough digital investigation has to be a combination of good old law enforcement investigation skills, mixed with a deep dive into the events leading up to (and from) the crime scene.

Richard Bejtlich (pronounced “Bait-Lik,” by the way, for those who have the opportunity to meet him for the first time and don’t care to mispronounce his name) echoed some of the same challenges about building and deploying security best practices that we had just heard at our most recent NYC InfraGard meeting from David Stern of DoITT, who oversees many of NYC’s finest concerns. Mr. Bejtlich used the example of building a bridge and how the Safety Inspector is told to “go away” because they need to finish the project by January first and all the Inspector is doing is slowing things down. Then when the bridge collapses, they yell at the Safety Inspector, chiding him and asking him why he hadn’t ensured their safety.

Harlan Carvey, a veritable rock star, walked us through registry analysis. Clearly he has way too much fun with reg keys, leaving all of us to reap the many benefits.

Verizon's CyberTrust group was represented, and their well-received Data Breach Investigations research paper was brought up on more than one occasion. We were also made aware of an addendum to that paper.

The entire summit was a slam-dunk, right up to the final session. It was a "shoot-out" with Chris Brown, CEO of Technology Pathways (ProDiscover), Gus Quiroga, Product Manager at Guidance (EnCase), and Matthew Shannon, Founder of F-Response. I wanted to jump up and down when the question was raised asking each vendor what they were planning to give back to the community, and I was very impressed by each of their responses. ProDiscover has a free version of their software (if I remember correctly, when I first used it, it was limited in the number of times you can use it), but it does not have a limit on artifact ingestion. The others offer sliding-scale prices for law enforcement and education.

I highly recommend this event, and am personally signing up again for the next SANS Digital Forensics & IR Summit that I’m told will be held in DC in July of 2009 (less than a year to wait. Hurray!).

1 comment:

Keydet89 said...

Thanks for the comments!