Sunday, 31 October 2010

Does This Sound Familiar?

Now that over a week has passed since this Economist article was published, I wanted to cite it and ask if the problem it describes sounds familiar:

Globally, shrinkage (losses from shoplifting, theft by workers and accounting errors) cost retailers $107 billion in the year to June. This was 5.6% less than the previous year, but still the equivalent of 1.36% of sales...

When it comes to thwarting thieves, shop-owners are on their own. In most countries the criminal justice system has all but given up trying to punish shoplifters... So retailers install CCTV cameras, attach so-called electronic article surveillance tags to their wares, train their staff to spot thieves and screen workers for criminal records before hiring them. This year retailers spent $26.8 billion, or 0.34% of sales, on preventing theft.

Some dismiss shoplifting simply as a cost of doing business. Yet it can be serious. Some shoplifters work in organised gangs. Some turn violent when interrupted. Some, especially those who are hooked on drugs, are persistent and prolific.

And all impose a cost on honest shoppers. Theft inflates the average family’s annual shopping bill by $186.


How many of us in the cyber world thought we were the only ones "on our own" fighting adversaries?

The critical difference between shrinkage and digital intrusions is that retailers can measure losses because their products all bear price tags. Maybe businesses could help security professionals by putting "labels" on information assets? Even a WAG would help!

Saturday, 30 October 2010

What Do You Investigate First?

A colleague of mine who runs another Fortune 10 CIRT asked the following question:

Let's say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

There are two ways to approach this problem, but they will likely converge at some point anyway:

  1. Focus on the assets.

  2. Focus on the threats.


Focus on the assets means identify the most critical assets in your organization. You pay the most attention to them regardless of who you think is causing suspicious or malicious activity that may or may not affect those assets. In other words, whether you believe a mindless malware sample or an advanced threat may be affecting those critical assets, you still devote resources to collection and analysis of activity involving those assets.

Focus on the threats means identifying the most worrisome threats to your organization. You pay the most attention to them regardless of what assets they may target. In other words, whether you see these threats conduct reconnaissance or enterprise-wide exploitation, you still devote resources to collection and analysis of activity involving those threats.

I say these two approaches are likely to converge, because at some point you will see your most critical assets targeted by your most worrisome threats. In fact, you are likely to determine that a threat is the most worrisome precisely because it spends the most time and effort trying to access your critical assets.

I think operationalizing both approaches is tough, because many don't really know what is most important, or how to identify the most worrisome threats. Identifying critical assets is probably easier. If you identify critical assets, and then identify dedicated threats to those assets, you're probably in a position to now deal with both approaches.

You probably notice I've mentioned two of the three components of the risk equation -- assets and threats. I did not mention vulnerabilities yet. Yes, you could decide what assets have the most vulnerabilities and focus on suspicious and malicious activity affecting those assets. A lot of shops do this because it is probably the easiest approach, since identifying and categorizing vulnerabilities is probably easier than doing the same for assets and threats. However, you might waste a lot of time chasing assets which aren't as important as others. Still, this is another approach if you find that you can't make any progress on the asset- or threat-centric approaches.
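One way to make the asset-centric and threat-centric approaches operational is to score each suspicious observation by the criticality of the asset it touches and the concern level of the threat it is attributed to, and to let vulnerability exposure only break ties. The following is an added example and not part of the original post; the hostnames, the asset tiers, the threat labels (such as "intrusion-set-A") and the six sample events are all constructed for illustration.

```python
"""Rank suspicious events by asset criticality and threat concern.

Added example, not from the original post. The asset tiers, threat labels
and events are constructed to show the asset-centric and threat-centric
approaches being combined, with vulnerability count only as a tie-breaker.
"""

from dataclasses import dataclass, field

# Constructed asset inventory: criticality 1 (low) .. 5 (most critical).
ASSET_CRITICALITY = {
    "dc01.corp.example": 5,        # domain controller
    "erp-db.corp.example": 5,      # finance database
    "build01.corp.example": 3,     # build server
    "kiosk-lobby.corp.example": 1,
}

# Constructed threat catalogue: concern 1 (commodity noise) .. 5 (dedicated
# adversary). Labels are hypothetical; unlisted labels count as commodity (1).
THREAT_CONCERN = {
    "intrusion-set-A": 5,
    "commodity-downloader": 2,
    "scanner": 1,
}


@dataclass
class Event:
    source: str           # where it was seen: netflow, log or host
    asset: str            # hostname the activity involves
    threat: str           # attribution label from the sensor or analyst
    exposed_vulns: int    # known unpatched issues on that asset
    description: str
    score: float = field(default=0.0, compare=False)


def score_event(ev, assets=ASSET_CRITICALITY, threats=THREAT_CONCERN):
    """Combine both views multiplicatively, so an event that is both on a
    critical asset and from a worrisome threat outranks one that is only
    one of the two. An asset missing from the inventory scores a middling 3
    so it is not silently dropped; vulnerability count breaks ties only."""
    a = assets.get(ev.asset, 3)
    t = threats.get(ev.threat, 1)
    return a * t + 0.01 * ev.exposed_vulns


def prioritize(events, assets=ASSET_CRITICALITY, threats=THREAT_CONCERN):
    """Return the events worst-first, with each score filled in."""
    for ev in events:
        ev.score = score_event(ev, assets, threats)
    return sorted(events, key=lambda e: e.score, reverse=True)


def threats_on_critical_assets(events, assets=ASSET_CRITICALITY, threshold=4):
    """Where the two approaches converge: count how often each threat label
    shows up on assets at or above the criticality threshold. A label that
    keeps appearing here is a candidate for a higher concern rating."""
    counts = {}
    for ev in events:
        if assets.get(ev.asset, 0) >= threshold:
            counts[ev.threat] = counts.get(ev.threat, 0) + 1
    return counts


# Constructed sample of the "cesspool": one record per suspicious observation.
SAMPLE_EVENTS = [
    Event("netflow", "kiosk-lobby.corp.example", "scanner", 12,
          "port sweep of the guest VLAN from the lobby kiosk"),
    Event("host", "dc01.corp.example", "intrusion-set-A", 0,
          "new scheduled task on the DC matching tooling attributed to intrusion-set-A"),
    Event("log", "erp-db.corp.example", "commodity-downloader", 2,
          "proxy log: known downloader user-agent from the ERP database host"),
    Event("netflow", "build01.corp.example", "intrusion-set-A", 1,
          "beacon-like traffic from the build server to infrastructure tied to intrusion-set-A"),
    Event("host", "unknown-host.corp.example", "commodity-downloader", 5,
          "AV alert on a host absent from the asset inventory"),
    Event("log", "kiosk-lobby.corp.example", "commodity-downloader", 0,
          "AV alert on the lobby kiosk"),
]

if __name__ == "__main__":
    for ev in prioritize(list(SAMPLE_EVENTS)):
        print(f"{ev.score:6.2f}  {ev.asset:<26} {ev.threat:<22} {ev.description}")
    print(threats_on_critical_assets(SAMPLE_EVENTS))
```

With the constructed data the domain controller event attributed to the dedicated adversary lands on top, the same adversary's activity on a mid-tier build server comes second, and the commodity alert on the finance database outranks everything on the kiosk, which is the convergence the post describes: the vulnerability-heavy kiosk never reaches the top of the queue on vulnerability count alone.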

Monday, 25 October 2010

FIRST Technical Colloquium Tue 2 Nov in NoVA

FIRST is holding a one-day Technical Colloquium in Herndon, VA on Tue 2 Nov 2010, organized by Jeffrey Palatt from IBM. The event is free and open to FIRST members and their guests, but seating is limited. The program features several good speakers but the interaction among the attendees is often what I like best! As you might expect the content involves detection and response to security incidents.

If you are not a FIRST member but would like to see if I can sponsor you, email taosecurity at gmail dot com by Tuesday evening. Please use "FIRST TC" as the subject of the email. I will do what I can to accommodate requests, but FIRST makes the final decision concerning attendance for non-FIRST members.

Saturday, 23 October 2010

Powershell LSOF / Parsing Netstat

Update 09/14/2012:

Other attempts at an lsof for Windows are here:

These are very much Powershell 1.0 and 2.0 scripts. I will try to update my lsof attempts to 3.0 soon.

-RMF



This script, parse-netstat.ps1, successfully parses 'netstat -ano' for each PROTO (TCP, TCPv6, UDP, UDPv6) and then uses 'ps' to enumerate Id, Name, Path and FileVersion for the process associated with each networked PID. Thus we have a basic Powershell LSOF utility with room for calculated properties and additional text parsing. There is not a speck of regex anywhere in my text parsing of netstat. Sample output:


PS C:\ps1> .\parse-netstat.ps1
TCP Local Ports:
135
445
1025
1026
1027
1028
1031
9000
24800
47001
139
24800
139
1095
1099
1100
1101
1102
1679
1706
TCP PIDS:


  Id Name     Path                                                              FileVersion
  -- ----     ----                                                              -----------
1012 svchost  C:\Windows\system32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
 684 wininit  C:\Windows\system32\wininit.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 460 svchost  C:\Windows\System32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 760 lsass    C:\Windows\system32\lsass.exe                                     6.0.6000.16386 (vista_rtm.061101-2205)
  12 svchost  C:\Windows\system32\svchost.exe                                   6.0.6000.16386 (vista_rtm.061101-2205)
 740 services C:\Windows\system32\services.exe                                  6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
 552 Picasa3  C:\Program Files (x86)\Google\Picasa3\Picasa3.exe                 3.6.105.67
   4 System
4460 chrome   C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe 0.0.0.0

Sunday, 17 October 2010

Resources for Building Incident Response Teams

Recently a colleague asked me for resources for building incident response teams. I promised I would provide a few ideas, so I thought a blog post might be helpful. I figured some of you might want to add comments with links or thoughts.

  • The CERT.org CSIRT Development site is probably the best place to start. From there you can find free documents, links to classes offered by SEI on building CIRTs, and so on. I don't think you can beat that site!

  • I don't think the resources at the FIRST site are as helpful, but the process of working toward membership is a great exercise for a new CIRT.

  • My TaoSecurity books page lists several books which CIRTs will likely find helpful.


What other resources would you suggest for someone building a CIRT? Please leave out the standard information security sites. Thank you.

Monday, 11 October 2010

Accessing (or not) GetOwnerModuleFromTcpEntry from Powershell

Normally on XP SP2, Vista and Win7, 'netstat -ano' or 'netstat -anob' gives us the listening and connected sockets along with the PID of the owning application. With the '-b' option, netstat attempts to find the owner of the socket, probably through the 'GetOwnerModuleFromTcpEntry function [which] retrieves data about the module that issued the context bind for a specific IPv4 TCP endpoint in a MIB table row,' found in iphlpapi.dll (IP Helper). Finding this same information with Powershell has proven more than difficult. It is easy enough to find the listening and connected sockets with [System.NET.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().



List-Connections.ps1 will produce a listing comparable to netstat. However, I can't find the MIB table entry from the process to the socket (or the converse) in either 'ps' or 'gwmi win32_process'. My workaround is to use netstat from cmd.exe where gwmi_netstat_ano.cmd is:


@del /q ano.list.txt
rem Append with >> on both lines: a plain > inside the loop would overwrite the file on every iteration and keep only the last PID
for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr TCP') do @echo %%e >> ano.list.txt
for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr UDP') do @echo %%d >> ano.list.txt


or where gwmi_tcpvcon_ano.cmd is:


@del /q ano.list.txt
@path C:\tools\SysinternalsSuite\;%path%
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr TCP') do @echo %%c >> ano.list.txt
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr UDP') do @echo %%c >> ano.list.txt



This powershell script runs the commands in 'gwmi_netstat_ano.cmd' and processes the 'netstat -ano' output with 'gwmi win32_process':


# Run the cmd wrapper and wait for it: without -Wait the next line can read ano.list.txt before netstat has finished writing it
Microsoft.PowerShell.Management\Start-Process $pwd\gwmi_netstat_ano.cmd -ArgumentList /Q -NoNewWindow -Wait
# echo leaves a trailing space on each PID, so trim before sorting and de-duplicating
$ano_list = gc ano.list.txt | % { $_.Trim() } | sort | get-unique
# One WMI query per PID via -Filter, rather than enumerating every process once per PID
$ano_proc = foreach ($ano in $ano_list) {gwmi win32_process -Filter "ProcessId=$ano" | Select Name,ProcessId,HandleCount,ThreadCount,WriteOperationCount,ReadOperationCount,CommandLine}
write $ano_proc | sort -property ProcessId | ft -auto
# or alternatively
foreach ($id in $ano_list) {get-wmiObject win32_process -filter "ProcessId=$id" | Select Name,ProcessId,Commandline}


PS C:\ps1: .\gwmi_netstat_ano.ps1


C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr TCP') do @echo %e > ano.list.txt
C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr UDP') do @echo %d >> ano.list.txt


Name        ProcessId HandleCount ThreadCount WriteOperationCount ReadOperationCount CommandLine
----        --------- ----------- ----------- ------------------- ------------------ -----------
System              4        5381         151               62649               2192
svchost.exe      1164         368          11                1902               2335 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe      1304         700          27                 398               2119 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe      3168        1234          49               12312              42668 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe        3684         849          39              112787              65814 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe          3796         128           1                   4                  5 ftp  rmfdevelopment.com


Name        ProcessID Commandline
----        --------- -----------
svchost.exe      1164 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe      1304 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe      3168 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe        3684 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe          3796 ftp  rmfdevelopment.com
System              4


(A script like Get-Svchost.ps1 can help open up the incantations of svchost.exe.) I find the cmd.exe workaround I use here unfortunate as a security professional, because it means I am unable to use Powershell to get the MIB table entry from GetOwnerModuleFromTcpEntry, information which is critical to understanding malware. Sure, I can parse this information from netstat, but this blows up any chance of scripting detection anywhere near real-time. Perhaps someone has an answer...
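Both the parse-netstat.ps1 post above and this one come down to the same two steps: split the text of 'netstat -ano' into sockets without regex, then join each PID to a process record the way 'ps' or 'gwmi win32_process' would. The block below is an added example, not code from either post, written in Python so it runs offline on any platform; the netstat text and the process table are constructed inline (on Windows you would feed it the real 'netstat -ano' output and a table built from Get-Process). It also handles the two details that bite in practice: IPv6 literals such as [::1]:24800 carry extra colons, and UDP lines have no State column, so the column count, not the position, identifies the PID.

```python
"""Parse 'netstat -ano' text and join each socket to its owning process.

Added example, not from the original posts. SAMPLE_NETSTAT and
SAMPLE_PROCESSES are constructed so the script runs offline; on Windows
feed it the real netstat output and a table built from Get-Process.
"""

from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid")

# Constructed 'netstat -ano' output; the header lines are kept on purpose
# because a parser has to skip them rather than choke on them.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1099       10.0.0.7:80            ESTABLISHED     552
  TCP    [::]:135               [::]:0                 LISTENING       1012
  TCP    [::1]:24800            [::1]:1679             ESTABLISHED     4244
  UDP    0.0.0.0:500            *:*                                    760
  UDP    [::]:3702              *:*                                    9999
"""

# Constructed stand-in for the Get-Process table: PID -> (Name, Path).
# PID 4 (System) has no image path, just as in the real output.
SAMPLE_PROCESSES = {
    4: ("System", None),
    552: ("Picasa3", r"C:\Program Files (x86)\Google\Picasa3\Picasa3.exe"),
    760: ("lsass", r"C:\Windows\system32\lsass.exe"),
    1012: ("svchost", r"C:\Windows\system32\svchost.exe"),
    4244: ("synergys", r"C:\Program Files (x86)\Synergy+\bin\synergys.exe"),
}


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). rpartition on the last colon keeps
    IPv6 literals such as '[::1]:24800' intact; '*:*' yields port None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one Socket per TCP/UDP line. No regex: each line is
    whitespace-split and the column count tells TCP (5 columns, with a
    State) from UDP (4 columns, no State)."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unknown line
        if parts[0] == "TCP" and len(parts) == 5:
            base, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            base, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed line: skip rather than guess a PID
        host, port = split_endpoint(local)
        # netstat prints 'TCP'/'UDP' for both families; tag the bracketed
        # (IPv6) ones the way parse-netstat.ps1 groups its PROTO lists.
        proto = base + ("v6" if host.startswith("[") else "")
        sockets.append(Socket(proto, host, port, remote, state, int(pid)))
    return sockets


def join_processes(sockets, processes):
    """Attach process name and path to each socket (the lsof-style view).
    netstat and the process snapshot are taken at different instants, so a
    PID that has already exited is reported rather than silently dropped."""
    rows = []
    for s in sockets:
        name, path = processes.get(s.pid, ("<no such process>", None))
        rows.append({"proto": s.proto, "port": s.local_port, "pid": s.pid,
                     "name": name, "path": path, "state": s.state})
    return rows


def listening_ports(sockets, proto_prefix="TCP"):
    """Sorted, de-duplicated LISTENING ports for TCP and TCPv6 (the post's
    'TCP Local Ports' list)."""
    return sorted({s.local_port for s in sockets
                   if s.proto.startswith(proto_prefix) and s.state == "LISTENING"})


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("TCP Local Ports:", listening_ports(socks))
    for r in join_processes(socks, SAMPLE_PROCESSES):
        print(f"{r['proto']:<6} {str(r['port']):>6} {r['pid']:>5} "
              f"{r['name']:<18} {r['path'] or ''}")
```

The "<no such process>" row is the case worth watching in a detection script: a short-lived process can be present in the socket table and gone before the process snapshot is taken, so a PID that fails to resolve should be logged, not discarded.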

Sunday, 10 October 2010

Review of Professional Assembly Language Posted

Amazon.com just posted my four star review of Professional Assembly Language by Richard Blum. I reviewed one of his other books seven years ago: Network Performance Toolkit: Using Open Source Testing Tools. From the review:

I read Professional Assembly Language (PAL) by Richard Blum because I wanted to become somewhat familiar with assembly language. Books like "Introduction to 80x86 Assembly Language and Computer Architecture" by Richard Detmer or "Introduction to Assembly Language Programming: From 8086 to Pentium Processors" by Sivarama P. Dandamudi seemed too dense and textbook-like to meet my needs. PAL, on the other hand, appeared very practical and focused on getting readers working with assembly language early in the text. As long as you understand the nature of PAL and the author's goals, I think you'll enjoy reading the book as much as I did.

Review of Cyber War Posted

Amazon.com just posted my four star review of Cyber War by Richard Clarke and Robert Knake. From the review:

The jacket for "Cyber War" (CW) says "This is the first book about the war of the future -- cyber war." That's not true, but I would blame the publisher for those words and not the authors. A look back to 1998 reveals books like James Adams' "The Next World War: Computers Are the Weapons & the Front Line Is Everywhere," a book whose title is probably cooler than its contents. (I read it back then but did not review it.) So what's the value of CW? I recommend reading the book if you'd like a Beltway insider's view of government and military information warfare history, combined with a few recommendations that could make a difference. CW is strongest when drawing on the authors' experience with arms control but weakest when trying to advocate technical "solutions."

Tuesday, 05 October 2010

Design a Landscape - Tree in Sunset


Note: This tutorial was the first tutorial I ever did. Because of this, it is not exactly that great of a tutorial. Rather than step-by-step instructions, it is more or less a guide on how to do something like the picture you see above if you are already somewhat familiar with Inkscape. I decided to do a better, more updated version. Version 2, if you will. You can find it here. I am keeping this original tutorial mainly because I just don't want to delete anything. Again, I suggest you go to this better tutorial.

For this tutorial, we will be making a nice sunset landscape scene. This is pretty easy to do but can look pretty nice. We will be using mostly Inkscape, but will use the Gimp some to help us with our initial tree (Inkscape and Gimp are both free programs often used as replacements for Illustrator or Photoshop).


First Project - Box

Click this link to go to the tutorial that I did a few weeks ago.


This tutorial is great and easy to follow and has great results!

Here is my completed project:

This tutorial is basically what inspired me to do a design a week. Some weeks I may just show a tutorial I did, other weeks I will post my own tutorials.