Ask Lesley InfoSec Advice Column: 2017-02-26

This week, we discuss red team and blue team self-study, getting kids interested in security, and security paranoia. As always, submit your problems here!

Dear Lesley,
I am a threat intelligence analyst who is currently underutilized in my current job, and feel like my skills and tradecraft are slipping because of it. I’m wanting to give myself some fun projects to work on in my off-time but am not really sure where to start. What types of things would you recommend?

Dear M,
You’re certainly in a great field to want work in, in 2017. Not only do you have the whole pantheon of nation state actors conducting cyber operations to study, but you have a huge range of commodity malware, botnets, insider threats, malware authors, and dark web markets to study.  If you’re not feeling inspired by anything in that list, perhaps reach out on Intel sharing lists or social media to see if an existing project could use your skill set? Lots of folks are doing non-profit threat research work and need extra hands.

Dear Lesley,
If you do not have the budget to send people to SANS or to conferences, what free supplement resources would provide fundamental training for someone studying DFIR?  
-Curriculum Writer

Dear Curriculum Writer,
I can totally appreciate not being able to send somebody to a thousand dollar (or more) commercial conference or training program. However, most BSides conferences are free (or under 20 dollars). I suppose if you are totally geographically isolated and there is no BSides in any city in driving distance, those may be impossible, but I would definitely explore the conference scene in detail before writing them off. Sending somebody to a BSides or a regional conference for the cost of gas and a few bucks provides a lot of value for the money.

Otherwise, a DFIR lab will be your best friend for self study. Unfortunately, I can’t guarantee a home lab will be totally free to implement. Let’s talk about some fundamental requirements:

– One or more test hosts running assorted operating systems.
– An examiner system running Linux
– An examiner system running Windows (recommended)
– Intermediate networking
– Free (or free non-corporate) forensics and malware analysis tools.
– A disk forensics suite
– A memory forensics suite
– A write blocker, associated cables, and drives.

An ideal comprehensive DFIR lab, where money is no object, might look something like:

– A host PC with 16GB (or more) RAM.
– VMWare Workstation
– Ubuntu (free), Windows 7, 10, and Server 2008 VMs
– A SANS Sift Kit examiner VM (free)
– A REMnux Kit examiner VM (free)
– A Cuckoo Sandbox VM (free)
– A Server 2k8 examiner VM
– An EnCase or FTK forensics suite license
– A write blocker, associated cables, and a number of hard drives.

But, we can do it more cheaply, sacrificing convenience. We can virtualize with VirtualBox (losing the ability to take non-linear, branching snapshots), or on bare metal machines we scrounge from auctions or second hand stores (the least optimal solution). This can work, but every time we infect or corrupt a machine, we’ll have to spend time restoring the computers to the correct condition. We can stick with analyzing Windows versions that are out of support, but we won’t be totally up to date.

One of the most difficult things for people studying the “DF” side of DFIR is the inability to get expensive licenses for industry-standard corporate forensics suites. There’s really no great solution for this. There are limited demo versions of this software that come with some forensics textbooks. SANS Sift Kit does include The Sleuth Kit, an open source suite which performs some similar functions.

Physical forensic toolkits aren’t cheap, but aren’t in the same ludicrous territory as forensics software. You can pick up an older used Tableau forensic bridge for about 150 dollars on eBay. Perhaps if you network within your local security meetup, somebody will be able to lend you one, as many college and training courses provide them.

Once we have something resembling a lab, we can follow along with tutorials on SecurityTube and on blogs, in forensics and malware reversing textbooks, in open courseware, and exploring on our own.

Dear Lesley,
I have a daughter that I would like to encourage her to go into IT and possibly security if she’s interested. I know your father was influential to you getting into security. Do you have any suggestions to me as a dad on things I can do to encourage my daughter to become interested in IT and security?
-Crypto Dad

Hi Crypto Dad,

Yep, both of my parents had a big influence on my career! A hard question to answer, but an important aspect was not pushing me hard towards or away from hobbies. I was treated like a small adult and provided the opportunity to follow along with whatever my dad was doing in his shop, and even at a very young age he answered my questions without patronizing me or getting frustrated. He didn’t dumb things down; he just started at the beginning. I always had access to stuff to learn how it worked and how it was made. By the time I found out I ‘wasn’t supposed to’ know or like things , I already knew and liked them.

Dear Lesley,
I’m a penetration tester who seems to be falling behind with the times. My methods aren’t efficient. Recently I discovered there are better ways of doing things than my three year old SANS curriculum taught me. How can I stay current without becoming a lonely crazy old cat lady?
-Just a crazy cat lady

Hi Crazy Cat Lady,
You’re ahead of many folks by realizing there’s a problem. I see a lot of infosec people let their skills stagnate for many years after training or college, and our field changes really fast. No quick fix, but here are some suggestions:

– Participate in CTFs. Ignore the scoreboard and the dudebros and “rock stars”. Just compete against yourself, but do it genuinely and learn from your mistakes.
– Jump over to the blue team side for a bit and read some really thorough incident and threat reports from the past couple years. Sometimes seeing what other people are doing will give you interesting ideas of avenues to research.
– If you’re still reaching for Kali, escape its clutches. Kali is an amazing VM, but it will only take you so far and lacks some newer tools. It can also discourage thinking “out of the box” about how to compromise a network. After all, it is a box.
– Get out to cons to watch red team talks. Watch recent ones on YouTube, too. See what other folks are up to. Your cats will be okay for a couple days, and you’ll make new friends.
– PowerShell Empire. 💖💖💖
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.

Dear Lesley,
How do you deal with any overbearing paranoia being in InfoSec? Example: I want my home network to be as secure if not more than my work network… How can I explain my paranoia regarding outside threats (however unlikely), and to cope with it 🙂
-Too Paranoid to enter my name

Hi Paranoid,

Fear is healthy in small doses. Fear keeps us alert to potential threats, and helps us survive dangerous situations. However, constant fear is not helpful and is patently unhealthy. If you see illusory threats in every dark corner, you won’t notice when a real one is there, and you’ll be too tired to respond properly to it.

You need approach this as analytically as you can. Let’s talk about measuring real risk.

– Evaluate your assets. What would somebody genuinely target you for? This isn’t necessarily items or information, but could also include your job position or connections.
– Evaluate real threats to you. Who rationally has motive to “get you”, and do they have the means and the opportunity to?
– Evaluate your vulnerability. How could somebody attack you or your assets, and how much effort and resource would it take to do it? How well do you mitigate vulnerabilities? Are you a harder target than others facing similar threats?

Risk is a direct result of the level of threat against you and your assets, and your vulnerabilities. It’s impossible to change the level of threat. All one can do to change risk is change assets, or change vulnerabilities.

People make personal decisions about acceptable risk. A firefighter lives with a different level of risk than a librarian. The firefighter likely has to deal with occasional moments of quite rational fear and adrenaline (due to actual threats and vulnerability), but does not live in constant fear of burning buildings. The librarian might consider running into burning buildings an unacceptable level of risk, which is why he found a less risky profession. However, both people live comfortable with their overall risk and their mitigations, and not in irrational fear.

With all this in mind, consider the things that you’re paranoid about carefully. What is the real level of risk each poses? What level of real risk will you choose to accept on a daily basis? If your overall level of risk is actually too high to cope with on a daily basis, reduce your targeted assets, or reduce your vulnerabilities. If you find your level of risk acceptable, then maintain that level rationally and try not to be unduly afraid. You likely have more to fear from chronic health problems than nameless threats.

One thought on “Ask Lesley InfoSec Advice Column: 2017-02-26

  1. I received several comments and questions about the differences between VMWare and Virtualbox snapshots. While both products can take snapshots of virtual machines, the functionality is more limited and linear in Virtualbox in comparison with the more full featured VMWare Workstation, and this will impact use in a security lab environment. I apologize for the lack of specificity, thank you for your feedback!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s