Sunday, 21 April 2013

Bejtlich Teaching New Class at Black Hat in July

I'm pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101. From the overview:

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you.

This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.

Best of all, this class is designed *for beginners*: all you need is a desire to learn and a laptop ready to run a few virtual machines.

Instructor Richard Bejtlich has taught over 1,000 Black Hat students since 2002, and this brand new, 101-level course will guide you into the world of Network Security Monitoring.

Black Hat has three remaining price points and deadlines for registration.

  • "Regular" ends 31 May

  • "Late" ends 24 July

  • "Onsite" starts at the conference

Seats are filling -- it pays to register early!

If you have any questions about the class, please leave a comment here or contact me via Twitter at @taosecurity. Thank you.

I'm also talking with Black Hat about teaching at their Istanbul and Seattle events later this year.

Sunday, 28 August 2011

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue only seats 20-25 students, so please keep that in mind. You can register through RegOnline immediately. Thank you.

Monday, 15 August 2011

Bejtlich Webinar for Dark Reading and InformationWeek

Thanks to Dark Reading and InformationWeek I will participate in the How Security Breaches Happen online virtual event on 25 August 2011. At 1330 ET I present with Nicholas J. Percoco and Kelly Jackson Higgins on "Why Bad Breaches Happen To Good Companies."

I will share the enterprise/CSO perspective while Nicholas will present the adversary simulation/pen tester perspective. Kelly will moderate. Lots of other speakers will participate from 1030 ET to 1815 ET.

We hope you can attend!

Feedback from Latest TCP/IP Weapons School 3.0 Class

At Black Hat in Las Vegas and USENIX Security in San Francisco I taught three TCP/IP Weapons School 3.0 classes. I think my weekday class at Black Hat set a personal record student count, and I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues!

I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming class. Currently I'm scheduled to teach at Black Hat Abu Dhabi on 12-13 December. The only other possibilities for training this year include a class in northern VA in either September or October, and a class the weekend before USENIX LISA in Boston on 3-4 December 2011. Next year I will likely return to Las Vegas again in the summer (21-24 July) and DC in the fall (30-31 Oct) but beyond that I am not sure how much training I might do in 2012.

Student feedback from TWS3 included:

  • I've been to a lot of training sessions and this was by far the best. The discussions were useful and practical. The labs were well done enough to repeat and follow them later.

  • Excellent speaker, well-prepared and extremely engaging. Perfect balance of real world scenarios and information.

  • Great course! More lab-based and little [i.e., fewer] PowerPoints is a recipe for success. Will recommend to others.

  • This is the best Black Hat Training class I've ever taken. The techniques and information Richard taught are instantly usable in my day-to-day security analyst work. Well worth the time and money.

  • Richard worked hard to answer our questions and tailor the class to our needs.

  • Discussion-based training without PowerPoint was a great experience -- much more rewarding than death by .ppt!

  • Richard does an excellent job presenting material in an engaging way.

  • Excellent job handling diverse student population with very different skill levels.

  • I would take another security course taught by Richard as well as recommend this course to others.

The students who attend to learn how to collect and analyze network- and log-centric artifacts and data in order to detect and respond to intrusions tend to like the class best.

Thank you to the students from all three classes for your participation!



Saturday, 04 June 2011

Security Conference Recommendations

After my post Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug a reader asked the following:

Richard,

I was curious if you could suggest other security conferences that either you have attended or have heard are better than average?

It seems as though everyone and their brother sponsor some sort of security conference and it is difficult to tell how educational they will be just by reading the website.

Perhaps you could provide some insight into how you determine which conferences you would actually pay to attend? Thanks!


Great question. The answer that follows is just my opinion, and I'm sure others feel differently. For me, I like these conferences:

  • Black Hat offers the best combination of training plus briefings per unit time, on a consistent basis. In other words, I believe attendees will learn more in two days of Black Hat Training plus two days of Black Hat Briefings compared to any alternatives, every year. The content is uniformly high, regardless of whether you attend in DC, Barcelona, Las Vegas, Tokyo, or Abu Dhabi. This is why I will be teaching two TCP/IP Weapons School 3.0 classes this summer and staying for the two days of Briefings that follow.

  • My next favorite event is probably the SANS What Works in Forensics and Incident Response Summit organized each year by Rob Lee. His Summit connects me with the sorts of people who do the same work that I do. The event is a mix of panels and briefings by interesting people.

  • In terms of value per dollar spent, you can't beat Security B-Sides. Why is that? Well, your travel cost will likely be almost nothing, since B-Sides events happen all over the world. Registration is free. Content quality is mixed, but when you throw a lot of local security people into a room in a non-traditional format, the output is surprisingly good!

  • If you want more of an academic approach, I recommend any of the USENIX conferences. They are also a mix of training, "Refereed Papers" (see what I mean), and Invited Talks. I tend to see more college students talking about "solutions" more or less detached from the real world, but the diversity of specialized events means you're likely to find something of value that meets your direct needs, especially regarding system administration. After a multi-year break, I'm returning to teach TCP/IP Weapons School 3.0 in San Francisco at USENIX Security in August.

  • Returning to the incident response world, you might also like FIRST conferences. I think every CIRT should become a FIRST member, and attending a conference or other FIRST event every other year or so is a nice way to stay in touch with a very globalized security community.

  • If you qualify to attend, you might also enjoy the DoD Cybercrime or GFIRST conferences. As you can tell they cater to the .gov and .mil communities, but their focus tends to involve more interesting problem sets.

  • I should also give CanSecWest an honorable mention, although it's been years since I've attended. I could say the same for BSDCan and ShmooCon.

    Speaking of Shmoo, the logistics are the main reason I stopped going. At least with my old job, it was a hassle to commute to DC for only a Friday evening, then again for a full day Saturday, and again for only a few hours on Sunday morning. I don't like weekend events since I'd rather spend the time with my family, and the ratio of travel-to-conference for Friday evening and Sunday morning was just too high!


Regarding how I pick conferences, I primarily want to learn something and see people whom I may not have seen recently. I prefer to avoid any conferences where keynotes are given to sponsors based on their sponsorship alone. I also try to attend conferences where I expect new material to be presented.

What conferences do you like to attend, and why?

Wednesday, 18 May 2011

Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug

For the first time in four years, I will teach for the USENIX organization! I'm pleased to announce that on August 8-9 at USENIX Security 2011 in San Francisco, I will teach a special two-day edition of TCP/IP Weapons School 3.0.

This class is designed for junior and intermediate security analysts. The "sweet spot" for the potential student is someone working in a security operations center (SOC) or computer incident response team (CIRT), or someone trying to establish one of those organizations. The class is very hands-on, and focuses on labs and discussions. There are fewer than 10 slides, shown at the very beginning of the class, and I build the flow of the class around what you want to hear.

If you would like details on the class, please see the linked site. You may also find my announcement for my Black Hat sessions on 30-31 July and 1-2 August to be helpful too. It will be a busy few weeks this summer but I'm looking forward to seeing you learn the investigative mindset needed to detect and respond to digital intrusions!

On a related note, I received a very positive response regarding a possible class in the northern VA area this fall. I will work out the details on that and try to post information as soon as I figure it out. Thank you.

Wednesday, 13 April 2011

UBM Cancels GTEC, Bejtlich Considers Alternatives

I received word this week that the venue hosting my special session of TCP/IP Weapons School 3.0 was cancelled! That means no GTEC and no extra DC class.

I'm sad to hear this because I'm receiving word from students wondering what happened.

As best I understand it, the current Federal budget situation made hosting this conference a tough prospect for the DC crowd.

At this point I'm evaluating options, including hosting a class myself. If you would be interested in attending a group class of TCP/IP Weapons School 3.0 in northern VA this year, please email training [at] taosecurity [dot] com. I think a class late in the year, hopefully during FY 2012 (so 1 Oct or later), might be the best option for Federal workers enduring budget woes.

I'd rather teach within another venue, like Black Hat, but if there's enough demand from the cancelled GTEC event I'll see what it takes to offer a solo class.

As noted on my Training site, I am teaching Two Sessions of TWS3 at Black Hat USA in Las Vegas this summer. That is another option for those who will miss the GTEC class.

I'm also still working out details to offer training at USENIX Security 2011 in San Francisco in August. I expect word from USENIX on that before the end of the month. Thank you.

Monday, 18 January 2010

Bejtlich Teaching at Black Hat EU 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.

After Black Hat DC comes Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain.

I will be teaching TCP/IP Weapons School 2.0.

Registration is now open. Black Hat set five price points and deadlines for registration.

  • Super early ends 1 Feb

  • Early ends 1 Mar

  • Regular ends 1 Apr

  • Late ends 11 Apr

  • Onsite starts at the conference

Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I recently described differences between my class and SANS if that is a concern.

I will also be teaching in Barcelona and Las Vegas, but I will announce those dates later.

I look forward to seeing you. Thank you.

Thursday, 14 January 2010

Friday is Last Day to Register for Black Hat DC at Reduced Rate

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.

First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA.

I will be teaching TCP/IP Weapons School 2.0.

Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left.

  • Regular ends 15 Jan

  • Late ends 30 Jan

  • Onsite starts at the conference

Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I will also be teaching in Barcelona and Las Vegas, but I will announce those dates later.

I strongly recommend attending the Briefings on 2-3 Feb. Maybe it's just my interests, but I find the scheduled speaker list to be very compelling.

I look forward to seeing you. Thank you.

Wednesday, 30 December 2009

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked:

I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify the choice between your class and SANS 503, Intrusion Detection In-Depth.

Would you be able to provide some advice?


That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I create a new class I design it to be different from everything that's currently on the market. It doesn't make sense to me to teach the same topics, or use the same teaching techniques, found in classes already being offered. Therefore, when I first taught TWS2 at Black Hat DC last year, I made sure it was unlike anything provided by SANS or other trainers.

Beyond being unique, here are some specific points to consider. I'm sure I'll get some howls of protest from the SANS folks, but they have their own platform to justify their approach. The two classes are very different, each with a unique focus. It's up to the student to decide what sort of material he or she wants to learn, in what environment, using whatever methods he or she prefers. I don't see anything specifically "wrong" with the SANS approach, but I maintain that a student will learn skills more appropriate for their environment in my class.

  • TWS2 is a case-driven, hands-on, lab-centric class. SANS is largely a slide-driven class.

    When you attend my class you get three handouts: 1) a workbook explaining how to analyze digital evidence; 2) a workbook with questions for 15 cases; and 3) a teacher's guide answering all of the questions for the 15 cases. There are no slides aside from a few housekeeping items and a diagram or two to explain how the class is set up.

    When you attend SANS you will receive several sets of slide decks that the instructor will show during the course of the class. You will also have labs but they are not the focus of the class.

  • I designed TWS2 to meet the needs of a wide range of students, from beginners to advanced practitioners. TWS2 attendees typically finish 5-7 cases per class, with the remainder suitable for "homework." Students can work at their own pace, although we cover certain cases at checkpoints during the class. A few students have completed all 15 cases, and I often ask if those students are looking for a new opportunity with my team!

  • TWS2 is about investigating digital evidence, primarily in the form of network traffic, logs, and some memory captures. The focus is overwhelmingly on the content and not the container. SANS spends more time on the container and less on the content.

    For example, if you look at the SANS course overview, you'll see they spend the first three days on TCP/IP headers and analysis with Tcpdump. Again, there's nothing wrong with that, but I don't care so much about what bit in the TCP header corresponds to the RST flag. That was mildly interesting in the late 1990s when that part of the SANS course was written, but the content of a network conversation has been more important this decade. Therefore, my class focuses on what is being said and less on how it was transmitted.

  • TWS2 is not about Snort. While students do have access to a fully-functional Sguil instance with Snort alerts, SANCP session data, and full content libpcap network traffic, I do not spend time explaining how to write Snort alerts. SANS spends at least one day talking about Snort.

  • TWS is not about SIM/SEM/SIEM. Any "correlation" between various forms of evidence takes place in the student's mind, or using the free Splunk instance containing the logs collected from each case. If you consider dumping evidence into a system like Splunk, and then querying that evidence, to be "correlation," then we have "correlation." (Please see Defining Security Event Correlation for my thoughts on that subject.) SANS spends two days on fairly simple open source options for "correlation" and "traffic analysis."

  • TWS cases cover a wide variety of activity, while SANS is narrowly focused on suspicious and malicious network traffic. I decided to write cases that cover many of the sorts of activities I expect an enterprise incident detector and responder to encounter during his or her professional duties.

    I also do not dictate any single approach to investigating each case. Just like real life, I want the student to produce an answer. I care less about how he or she analyzed the data to produce that answer, as long as the chain of reasoning is sound and the student can justify and repeat his or her methodology.


I hope that helps prospective students make a choice. I'll note that I don't send any of my analysts to the SANS "intrusion detection" class. We provide in-house training that includes my material but also focuses on the sorts of decision-making and evidence sources we find to be most effective in my company. Also please note this post concentrated on the differences between my class and the SANS "intrusion detection" class, and does not apply to other SANS classes.

Saturday, 09 June 2007

PowerLite S4 Multimedia Projector

This week I taught TCP/IP Weapons School, Layers 2-3 at Techno Security 2007 in Myrtle Beach, SC. I enjoyed teaching the class, especially since several students were repeat customers. Two were even alumni from classes I taught at Foundstone five years ago! Because the cost of renting a projector and screen from the hotel (and even from rentacomputer.com) seemed outrageous, I decided to buy my own. I purchased an Epson PowerLite S4 Multimedia Projector and Da-Lite 72263 Versatol Tripod Screen 70"x70" Matte White with Keystone Elim for use in the class. I was extremely pleased with both. In fact, right after I bought the Epson projector I saw it covered in a USA TODAY review, which helped validate my purchase.

If you're in the market for a projector and screen combination for less than $800 (or even $700 if you're not time-crunched, as I was) then I think you'll like these products.

Sunday, 27 May 2007

Reminder: Early Registration Ends Soon for Bejtlich at SANSFIRE 2007

I'll be teaching a special one-day course, Enterprise Network Instrumentation, at SANSFIRE 2007 in Washington, DC on 25 July 2007.

ENI is a one-day course designed to teach all methods of network traffic access. If you have a network you need to monitor, ENI will teach you what equipment is available (hubs, switch SPAN ports, taps, bypass switches, matrix switches, and so on) and how to use it effectively. Everyone else assumes network instrumentation is a given. ENI teaches the reality and provides practical solutions.

Please register while there are still seats available. My class is the day before all the six-day tracks begin. If you register before 6 June you will save $250. If you register by 27 June you will save $150. If you take this one-day class with a full SANS track my class only costs $450. Please note SANS set all of these prices and schedules.

This is the only time I'll be teaching this class in 2007. Thank you.

Update: I cancelled the class. If you want reasons please email me privately. Thank you.

Bejtlich Teaching Network Security Operations in Chicago

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Chicago, IL on 27-29 August 2007. This is a public class, although I will be speaking at the 30 August meeting of the Chicago Electronic Crimes Task Force. Please register here. The early discount applies to registrations before midnight 27 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring

    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation

  • Network Incident Response

    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and techniques

    • Common ways intruders are detected, and reasons they are often initially missed

    • Improved ways to detect intruders based on network security monitoring principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the intruder out

  • Network Forensics

    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the face of adversarial defense attorneys or skeptical business leaders

This is only one of two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.

Bejtlich Teaching Network Security Operations in Cincinnati

I am happy to announce that I will be teaching a three day edition of my Network Security Operations training class in Cincinnati, OH on 21-23 August 2007. The Cincinnati ISSA chapter is hosting the class. Please register here. The early discount applies to registrations before 20 July. ISSA members get an additional discount on top of the early registration discount.

Network Security Operations addresses the following topics:

  • Network Security Monitoring

    • NSM theory

    • Building and deploying NSM sensors

    • Accessing wired and wireless traffic

    • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger, Daemonlogger

    • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude

    • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP

    • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records

    • Sguil (sguil.sf.net)

    • Case studies, personal war stories, and attendee participation

  • Network Incident Response

    • Simple steps to take now that make incident response easier later

    • Characteristics of intruders, such as their motivation, skill levels, and techniques

    • Common ways intruders are detected, and reasons they are often initially missed

    • Improved ways to detect intruders based on network security monitoring principles

    • First response actions and related best practices

    • Secure communications among IR team members, and consequences of negligence

    • Approaches to remediation when facing a high-end attacker

    • Short, medium, and long-term verification of the remediation plan to keep the intruder out

  • Network Forensics

    • Collecting network traffic as evidence

    • Protecting and preserving traffic from tampering, either by careless helpers or the intruder himself

    • Analyzing network evidence using a variety of open source tools, based on network security monitoring (NSM) principles

    • Presenting findings to lay persons, such as management, juries, or judges

    • Defending the conclusions reached during an investigation, even in the face of adversarial defense attorneys or skeptical business leaders

This is only one of two Network Security Operations courses left for 2007. Please consider attending this class if you want to understand how to detect, inspect, and eject network intruders.

Friday, 13 April 2007

Brief Thoughts on Security Education

Once in a while I get requests from blog readers for recommendations on security education. I am obviously biased because I offer training independently, in private and public forums. However, I've attended or spoken at just about every mainstream security forum, so I thought I would provide a few brief thoughts on the subject.

First, decide if you want to attend training, briefings, or classes. I consider training to be an event of at least 1/2 day or longer. Anything less than 1/2 day is a briefing, and is probably part of a conference. Some conferences include training, so the two topics are not mutually exclusive. Classes include courses offered by .edu's.

Training events focus on a specific problem set or technology, for an extended period of time. Training is usually a stand-alone affair. For example, when I prepared for my CCNA, I took a week-long class from Global Net Training. If I choose to pursue the CCNP I will return to GNT for more training. I seldom attend training because I do not usually need in-depth discussions of a single topic.

Briefings also focus on specific problems or technologies, but their scope is usually narrow due to time constraints. The content is typically fresher because it takes less work to prepare a briefing than a 1/2 day or longer training session. Briefings are also more likely to contain marketing material; you can be halfway through a talk before realizing it's a pitch piece. I attend briefings more often than training because they tend to fit my schedule and I can quickly learn something new.

Classes are the forums offered by institutions over an extended period of time. Traditional colleges and universities provide classes, although some non-traditional teaching vehicles exist. I've never taken any of these, although I would like to pursue a PhD at some point soon.

With that background, here are a few thoughts on popular education venues:

  • USENIX: USENIX is my favorite venue. USENIX offers 1/2, 1, and 2-day training, plus briefings. I usually train at the three major conferences they offer: Annual, Security, and LISA (Large Installation System Administration). Training tends to be very practical, with strong preferences for operational information for system administrators. The briefings especially tend to be more academic, with lots of research by students and/or professors. People-wise, I tend to like USENIX for connecting with the university community.

  • Black Hat: Black Hat is the best place to learn the newest public attack tools and techniques. Defense is usually secondary. Black Hat offers 1 and 2-day training, plus briefings. I've trained through Foundstone at Black Hat, and I'll be training at Black Hat in Las Vegas this summer. If you want to get very technical information on attacks (and some countermeasures), Black Hat is a great venue. People-wise, I've decided to begin attending Black Hat regularly because the most interesting people are there.

  • SANS: SANS offers a wide variety of material, through training, briefings, classes, newsletters, and webcasts. I taught the SANS IDS track in 2002 and 2003, then returned to teach Enterprise Network Instrumentation late last year. I'll be back teaching ENI at SANSFIRE 2007. In my opinion some SANS training is woefully out-of-date, while other training is very good. SANS tracks are usually six days. SANS also offers shorter training like the log management summit I attended last year. Other times SANS offers very short briefings on a single topic, like the SANS Software Security Institute. People-wise, SANS tracks tend to involve more people at the beginning of their security careers.

  • RSA: I mention RSA because it's big and people might want to know more about it. I spoke at RSA 2006. That was enough for me. RSA is the place to be if you're a vendor, but otherwise I found the talks less inspiring than other venues. If you're a cryptographer you might find RSA's cryptography track to be helpful, since that subject is usually not emphasized elsewhere. People-wise, I met lots of people trying to attract business at RSA last year.

  • Niche Public Events: A lot of other venues fill this space. Among those I've attended or spoken at, CanSecWest is one leader. I delivered a Lightning Talk there in 2004. The best part of CSW is the fact it's a single track. By the end of the event, some sense of community has been built. ShmooCon is similar to CSW, although it has multiple tracks. Techno Security and Techno Forensics are two great sources of education, generally heavy on Feds and forensics. I'll be teaching at Security and probably later at Forensics this year. If you're in Europe take a look at CONFidence in Poland.

  • Niche Government or Government-Centric Events: I include conferences usually sponsored or mainly attended by law enforcement, government, and military audiences here. FIRST and GFIRST fit these bills. I speak there to meet people and less to hear about what's happening. The Telestrategies ISS World events are similar. For those of you in Australia, AusCERT looks like a good bet; I'll be there this year.


That's all I have time to discuss now. Good luck spending your security education dollars.

Monday, 19 March 2007

Bejtlich Teaching at Sys Admin Magazine Conference in Baltimore

I will be teaching two half-day tutorials for the Sys Admin Technical Conference on Monday 7 May 2007 in Baltimore, MD. I'll spend the morning teaching Network Incident Response and the afternoon teaching Network Forensics. Early Bird Pricing for SA Tech 2007 ends 30 March 2007, after which the price will escalate by $250. Please register before the seats fill. Thank you.

Bejtlich at AusCERT and Secure Agility/Sydney

I'm pleased to announce I will be speaking and training in Australia in May 2007. First, I will attend the AusCERT Asia Pacific Information Technology Security Conference in Gold Coast, Australia. According to the schedule I'll be discussing the Self-Defeating Network at 1420 on Wednesday 23 May 2007. The following day I'll present half-day tutorials on Network Incident Response and Network Forensics. Registration is open now. The day after my AusCERT tutorials I will be joining friends at Secure Agility to teach Network Security Monitoring in Sydney, Australia on Friday 25 May 2007. If you'd like to attend this class please review the class page and return the registration form to me before the class fills. Thanks to Christian Heinrich for coordinating my visit to Sydney. Secure Agility will be handling collecting class fees, and I'll post more information when that aspect of the event is finalized. Thank you.

Wednesday, 07 March 2007

Bejtlich Teaching at SANSFIRE 2007

I'll be teaching a special one-day course, Enterprise Network Instrumentation, at SANSFIRE 2007 in Washington, DC on 25 July 2007. ENI is a one-day course designed to teach all methods of network traffic access. If you have a network you need to monitor, ENI will teach you what equipment is available (hubs, switch SPAN ports, taps, bypass switches, matrix switches, and so on) and how to use it effectively. Everyone else assumes network instrumentation is a given. ENI teaches the reality and provides practical solutions.

Please register while there are still seats available. Thank you.

Thursday, 01 February 2007

TaoSecurity 2007 Training Schedule

I just posted the TaoSecurity 2007 Training Schedule on my company Web site. I didn't include all of the places I might be teaching this year. All of the public classes are tentative at this point, but I am working on securing hosting facilities. You'll notice I plan to conduct six public classes across the US, and I am appearing at a few overseas conferences too -- including a one-day public class in Sydney, Australia.

If you would like to support my bid to teach at Black Hat USA Training (28-21 July 2007) in Las Vegas, NV, please email Ping Look via ping [at] blackhat [dot] com.

Email training [at] taosecurity [dot] com for advance details on the classes listed below. Registration information for public classes will be posted shortly.

I maintain the latest schedule at TaoSecurity training.

If you would like me to conduct a private class at your facility, please email training [at] taosecurity [dot] com.

Thank you. I hope to meet you in 2007!

Tuesday, 05 December 2006

TCP/IP Weapons School Part 1 Wrap-Up

I'd like to address a few issues that arose during class Sunday and Monday.

First, someone asked about interoperability between the various Ethernet frame types. Page 75 of the excellent Troubleshooting Campus Networks states

Two stations cannot communicate unless they share a common frame format, which is sometimes beneficial. For example, if you have two networks on a physical medium that you wish to keep separate for security reasons, you can configure the networks for different frame types and they won't communicate with each other.

I don't agree with the "security" aspect, since a station on a SPAN port can still see the traffic through promiscuous sniffing. Still, now you know that a host using Ethernet II framing can't talk to one using 802.3 LLC SNAP, for example.

One of you asked how a host knows the length of an Ethernet II frame if the frame doesn't carry a length field like 802.3. This FAQ claims:

How is the length of an Ethernet II frame calculated?

The length of an Ethernet II frame is not present in the frame itself. It depends on the Ethernet network interface used. When the interface sends a frame to the network device driver, it supplies the length of the received frame.


The IP header length only specifies the length of the IP header. TCP contains an offset to application data which helps us know the length of the TCP header. UDP has a length header.

One of you asked how multicast traffic is handled by switches. According to page 97:

Bridges and switches forward broadcast and multicast frames out all ports, unless configured to do otherwise. The forwarding of broadcast and multicast frames can result in performance problems in large, flat (switched or bridged) networks.

Cisco deals with multicast using CGMP and IGMP Snooping:

Multicast traffic becomes flooded because a switch usually learns MAC addresses by looking into the source address field of all the frames it receives. A multicast MAC address is never used as source address for a packet. Such addresses do not appear in the MAC address table, and the switch has no method for learning them.

The first solution to this issue is to configure static MAC addresses for each group and each client. This solution works well, however, it is neither scalable nor dynamic....

The second solution is to use CGMP, which is a Cisco proprietary protocol that runs between the multicast router and the switch. CGMP enables the Cisco multicast router to understand IGMP messages sent by hosts, and informs the switch about the information contained in the IGMP packet.

The last (and most efficient) solution is to use IGMP snooping. With IGMP snooping, the switch intercepts IGMP messages from the host itself and updates its MAC table accordingly. Advanced hardware is required to support IGMP snooping.


One of you asked about multicast MAC addresses. Cisco says:

Multicast IP addresses are Class D IP addresses. Therefore, all IP addresses from 224.0.0.0 to 239.255.255.255 are multicast IP addresses. They are also referred to as Group Destination Addresses (GDA).

For each GDA there is an associated MAC address. This MAC address is formed by 01-00-5e, followed by the last 23 bits of the GDA translated into hex, as shown below.

- 230.20.20.20 corresponds to MAC 01-00-5e-14-14-14.
- 224.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a.

Consequently, this is not a one-to-one mapping, but a one-to-many mapping, as shown below.

- 224.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a.
- 226.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a as well.
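As an added example (not part of the original post), the mapping Cisco describes above carried out in Python: the low 23 bits of the class D address are appended to the 01-00-5e prefix, and the reverse function lists the 32 group addresses that collide on a single MAC, which is why a switch or sniffer filtering on the MAC alone cannot tell those groups apart.

```python
import ipaddress

# Added example (not from the original post): the 23-bit IPv4 -> Ethernet
# multicast address mapping described above, plus the reverse direction that
# shows why 32 group addresses collide on one MAC.

OUI_PREFIX = 0x01005E          # 01-00-5e, the IANA multicast OUI
LOW23_MASK = 0x7FFFFF          # the 23 address bits that survive the mapping


def multicast_mac(ip: str) -> str:
    """Return the 01-00-5e-xx-xx-xx MAC for a class D (224/4) address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a class D multicast address")
    mac = (OUI_PREFIX << 24) | (int(addr) & LOW23_MASK)
    # Format as six dash-separated octets, most significant first
    return "-".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def groups_sharing_mac(ip: str) -> list:
    """All 32 multicast groups whose MAC equals that of ip.

    The top four bits of a class D address are fixed (1110), so only the five
    bits between that prefix and the low 23 bits are lost in the mapping.
    """
    low23 = int(ipaddress.IPv4Address(ip)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23))
            for k in range(32)]


if __name__ == "__main__":
    for group in ("230.20.20.20", "224.10.10.10", "226.10.10.10"):
        print(group, "->", multicast_mac(group))
    print(groups_sharing_mac("224.10.10.10"))
```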


Someone asked about detecting ARP poisoning with Snort. The snort.conf includes the following:

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

I've never tried it, but I might now.
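To make the four event types in that snort.conf comment concrete, here is an added Python checker (not from the post and not Snort's own code) that applies them to ARP records; the monitored-host table mirrors the commented arpspoof_detect_host line, the records are constructed sample data, and the matching logic is my reading of the comment rather than the preprocessor's source.

```python
# Added example (not from the post and not Snort's own code): applies the four
# arpspoof event types from the snort.conf comment to ARP records. The host
# table and the records are constructed sample data; the logic is my reading
# of the comment, not the preprocessor's source.

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Mirrors the commented arpspoof_detect_host line: IP -> expected MAC
MONITORED_HOSTS = {"192.168.40.1": "f0:0f:00:f0:0f:00"}


def check_arp(rec, hosts=MONITORED_HOSTS, unicast=True):
    """Return [(sid, description)] for one ARP record (dict with eth_src,
    eth_dst, op, sender_mac, sender_ip, target_mac, target_ip)."""
    events = []
    # SID 1: requests should be broadcast; a unicast request singles out a host
    if unicast and rec["op"] == "request" and rec["eth_dst"] != BROADCAST:
        events.append((1, "Unicast ARP request"))
    # SID 2: Ethernet source should equal the ARP sender hardware address
    if rec["eth_src"] != rec["sender_mac"]:
        events.append((2, "Etherframe ARP mismatch (src)"))
    # SID 3: for replies, Ethernet destination should equal the ARP target hw
    if rec["op"] == "reply" and rec["eth_dst"] != rec["target_mac"]:
        events.append((3, "Etherframe ARP mismatch (dst)"))
    # SID 4: a monitored IP claimed by a MAC other than the configured one
    expected = hosts.get(rec["sender_ip"])
    if expected is not None and rec["sender_mac"] != expected:
        events.append((4, "ARP cache overwrite attack"))
    return events


# Constructed records: a normal request, a normal reply from the gateway, and
# a reply claiming the gateway IP from a different MAC.
SAMPLE = [
    dict(op="request", eth_src="00:11:22:33:44:55", eth_dst=BROADCAST,
         sender_mac="00:11:22:33:44:55", sender_ip="192.168.40.50",
         target_mac="00:00:00:00:00:00", target_ip="192.168.40.1"),
    dict(op="reply", eth_src="f0:0f:00:f0:0f:00", eth_dst="00:11:22:33:44:55",
         sender_mac="f0:0f:00:f0:0f:00", sender_ip="192.168.40.1",
         target_mac="00:11:22:33:44:55", target_ip="192.168.40.50"),
    dict(op="reply", eth_src="de:ad:be:ef:00:01", eth_dst="00:11:22:33:44:55",
         sender_mac="de:ad:be:ef:00:01", sender_ip="192.168.40.1",
         target_mac="00:11:22:33:44:55", target_ip="192.168.40.50"),
]


def scan(records=SAMPLE, **kw):
    """Return {record index: events} for every record that raised an event."""
    return {i: ev for i, rec in enumerate(records) if (ev := check_arp(rec, **kw))}
```

Running scan() on the sample flags only the third record, with SID 4, which is the case the static host line in snort.conf is meant to catch.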

If you have any other questions, please post them as comments here. Thank you.

I still have a few open seats left for part 2 of the course on Saturday 9 Dec 06 and Sunday 10 Dec 06, which covers the topics addressed in this class outline. We will cover layers 4 through 7. The registration form is here. Part 2 is held at the Marriott Wardman Park Hotel as well, in the Harding Room. Students who are already registered will be hearing from me shortly. Basically you'll need Ethereal or Wireshark to decode the traces we'll examine.


Copyright 2006 Richard Bejtlich