To The Last Tribe Consulting

“Hacker Techniques, Exploits & Incident Handling” :: A Review ::

by Josh on Apr.28, 2009, under Uncategorized

As I mentioned in my last post, I just finished the SANS Sec 504 Class: Hacker Techniques, Exploits & Incident Handling.  As with my previous 2 SANS classes, I took it over 4 months, using SANS OnDemand, which allows me to take the class online, at my own pace.  The teacher was the well known Ed Skoudis of Counter Hack fame.

Presentation

The only negative I have about this class is the same as for the last two OnDemand classes I’ve taken: the layout of the OnDemand system. Let me quote from my previous OnDemand review:

“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website, and took it online, at my own pace.  I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive.  Check out CERT’s VTE for Intuitive.”

Teacher

Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.

Content

The class was divided into two basic sections:  Incident Handling and Hacker Techniques and Exploits.

The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”

The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.

Some of the topics included:

- ARP Cache Poisoning and DNS Injection

- Buffer Overflows in Depth

- Format String Attacks

- Kernel-level Rootkits

- Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics

- And a lot more of the same type of stuff.

I found this portion of the class to be my favorite.  We got very nitty-gritty technical, and yet it was very practical.

Overall, I would have to give the content a very high rating.  Though the content was current, it probably was not cutting edge.

Final thoughts:

I found this class to be a great, very technical, yet very practical discussion on this whole topic of Incident Handling and “hacker” techniques.

A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.

Josh

Book Review of “Tao of Network Security Monitoring”

by Josh on Aug.05, 2008, under Uncategorized

The Tao of Network Security Monitoring: Beyond Intrusion Detection was my first Information Security book that I read.  The author, Richard Bejtlich, has authored a few other books that I hope to read soon.  As for Tao, I have found it to be an absolutely fascinating book on InfoSec.

The author starts out by laying the groundwork of Risk Management, and how risk, threats, vulnerabilities and exploits are defined and used in the real world.

The author then makes this statement:

“Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.”

With this kind of outlook on security, the author puts forth the concept of a “defensible” network: a network that can easily be watched (monitored); a network that limits an intruder’s freedom to maneuver; a network that offers a minimum of services; and finally, a network that can be kept current.

With this foundation laid, the author delves into “Network Security Monitoring,” which is defined as “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.”  The rest of the book deals with the practical aspects of NSM: how to set up and use programs to collect NSM data; best practices; case studies; managing an NSM program; and finally, tactics on attacking NSM, and ways to mitigate these risks.

I have found this book to be very helpful in bringing balance to my understanding of how Intrusion Detection fits into an InfoSec program.  I will follow up on this thought in my next post.

I would highly recommend this book to anyone interested in going deeper into InfoSec, especially dealing with Intrusion Detection Systems.  It does have quite a bit of BSD-centric material, a lot of which I skipped over, but it still offers very useful principles.

I hate to give my first book review a 10 out of 10, but any less would not do it justice.

Josh
