Tuesday, 30 June 2009

Understanding Svchost

Some relatively simple code helps us understand svchost processes. You will need a large screen to display the output:

# every svchost.exe process on the box
$global:svchost = get-wmiObject win32_process -filter "name='svchost.exe'"
# the services hosted inside each of those processes, matched on PID
$global:win32_handle = $svchost | foreach { gwmi -query "Select * from win32_service where processID = $($_.handle)" }
$global:Sort_handle = $win32_handle | sort processID, Name
$global:Sort_svchost = $svchost | sort processID
# services per svchost PID, then per-process resource counters
$Sort_handle | format-table processID,name,state, startmode,Started,AcceptStop,Description -AutoSize
$Sort_svchost | format-table ProcessID,ThreadCount,HandleCount,WS,VM,KernelModeTime,ReadOperationCount,ReadTransferCount,OtherTransferCount...

Sunday, 28 June 2009

Simpler IP Range Matching with Tshark Display Filters

In today's SANS ISC journal, the story IP Address Range Search with libpcap wonders how to accomplish the following:

...how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35.

The proposed answer is this:

tcpdump -nr file '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06)\and...
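The post is cut off before its tshark alternative, so what follows is an added example from the editor, not code from the post or from the ISC story. On constructed IPv4/TCP packets it reproduces what the visible byte-offset fragment of the tcpdump filter tests, next to the plain address-range comparison that a Wireshark display filter such as `ip.dst >= 192.168.25.6 and ip.dst <= 192.168.25.35 and tcp.flags.syn == 1 and tcp.flags.ack == 0` expresses. The packets, addresses and function names are constructed for the demonstration; nothing here is read from a real capture.

```python
import ipaddress
import struct

SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, tcp_flags):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header.
    Checksums are left at zero, which is enough for offset-based matching."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,            # v4/IHL=5, len 40, TTL 64, proto TCP
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def bpf_fragment_match(pkt):
    """The visible part of the ISC filter, byte for byte:
    ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06.
    Note that '> 0x06' excludes .6 although the stated range starts there,
    and this fragment carries no upper bound (the rest of the filter is cut off)."""
    return pkt[16:18] == b"\xc0\xa8" and pkt[18] == 0x19 and pkt[19] > 0x06


def dst_in_range(pkt, first, last):
    """What a display filter such as
    ip.dst >= 192.168.25.6 and ip.dst <= 192.168.25.35 evaluates:
    the destination address compared as one 32-bit integer, so the range
    may cross an octet boundary without any per-byte arithmetic."""
    dst = int.from_bytes(pkt[16:20], "big")
    return int(ipaddress.IPv4Address(first)) <= dst <= int(ipaddress.IPv4Address(last))


def is_syn_only(pkt):
    """SYN set and ACK clear: a connection attempt rather than a reply.
    Honour the IHL so IP options do not shift the TCP flags byte."""
    if pkt[9] != 6:                      # not TCP
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13] & (SYN | ACK) == SYN


def syn_targets_in_range(packets, first, last):
    """Destination addresses of SYN-only packets aimed at [first, last]."""
    return [
        str(ipaddress.IPv4Address(pkt[16:20]))
        for pkt in packets
        if is_syn_only(pkt) and dst_in_range(pkt, first, last)
    ]


# Constructed traffic (not a real capture): scans at the range edges,
# one just past the end, one in the next /24, and one reply (SYN/ACK).
SAMPLE = [
    build_ipv4_tcp("10.0.0.5", "192.168.25.6", SYN),
    build_ipv4_tcp("10.0.0.5", "192.168.25.20", SYN),
    build_ipv4_tcp("10.0.0.5", "192.168.25.35", SYN),
    build_ipv4_tcp("10.0.0.5", "192.168.25.36", SYN),
    build_ipv4_tcp("10.0.0.5", "192.168.26.10", SYN),
    build_ipv4_tcp("192.168.25.20", "10.0.0.5", SYN | ACK),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        dst = ipaddress.IPv4Address(pkt[16:20])
        print(dst, "bpf-fragment:", bpf_fragment_match(pkt),
              "range:", dst_in_range(pkt, "192.168.25.6", "192.168.25.35"),
              "syn-only:", is_syn_only(pkt))
    print(syn_targets_in_range(SAMPLE, "192.168.25.6", "192.168.25.35"))
```

Running it shows the two pitfalls of the byte-offset form on the fragment the ISC story printed: 192.168.25.6 is rejected by the strict `> 0x06`, and 192.168.25.36 is accepted because no upper bound is visible. The integer comparison that a display filter performs has neither problem and does not need rewriting when the range spans more than one third octet.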

Effective Digital Security Preserves Long-Term Competitiveness

Yesterday I mentioned a speech by my CEO, Jeff Immelt. Charlie Rose also interviewed Mr Immelt last week. In both scenarios Mr Immelt talked about preserving long-term competitiveness. Two of his themes were funding research and development and ensuring the native capability to perform technical tasks.

It occurred to me that digital security is reflected in both themes. In Crisis 0: Game Over I asked: I'm sure some savvy reader knows of some corporate...

Saturday, 27 June 2009

Posts to Read Elsewhere

I'm not a big fan of just publishing links to other people's stories, but there are a few that I really like this week. Please consider checking these out:

Nate Richmond wrote Building an IR Team: People and Building an IR Team: Organization. These posts are gold for anyone trying to build an IR team on their own, or trying to benchmark against an expert's recommendation. Keep writing Nate!

Alec Waters caught my attention with his post Prevention...

Black Hat Budgeting

Earlier this month I wondered How much to spend on digital security. I'd like to put that question in a different light by imagining what a black hat could do with a $1 million budget. The ideas in this post are rough approximations. They certainly aren't a black hat business plan. I don't recommend anyone follow through on this, although I am sure there are shops out there who do this work already.

Let's start by defining the mission of this...

Being a Critic Is Easy, So What Would I Do?

After my last post, some of you are probably thinking that it's easy to be a critic, but what would I suggest instead? The answer is simple to name but difficult to implement.

Operate a defensible network architecture. Hardly anyone does. I don't need to explain all of the reasons why here; they could occupy a series of posts, or maybe even a book.

Once the DNA is operating, detect and respond to failures. The nice aspect of operating a DNA is that...

Ugly Security

I read Anton Chuvakin's post MUST READ: Best Chapter From “Beautiful Security” Downloadable! with some interest. He linked to a post by Mark Curphey pointing out that Mark's chapter from O'Reilly's new book Beautiful Security was available free for download in .pdf format. O'Reilly had been kind enough to send me a copy of the book, so I decided to read Mark's chapter today.

I found the following excerpts interesting.

Builders Versus Breakers

Security people fall into two main categories:

Builders usually represent the glass as half full. While recognizing...

Thursday, 25 June 2009

SANS Forensics and Incident Response 2009

The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speaking on Tuesday, because I will not be available Wednesday. Day 1 appears mainly technical, and day 2 is mainly legal. Please consider registering for the two-day conference. It's the best incident response event in the US this year!

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas...

Wednesday, 24 June 2009

DoD Creates USCYBERCOM

Today is a historic day for our profession, and for my American readers, our country. As reported in The Washington Post and by several of you, today Secretary Gates ordered the creation of U.S. Cyber Command, a subordinate unified command under U.S. Strategic Command. The NSA Director will be dual-hatted as DIRNSA and CYBERCOM Commander, with Title 10 authority, and will be promoted to a four-star position. Initial Operational Capability for...

Tuesday, 23 June 2009

Free .pdf Issue of BSD Magazine Available

Karolina at BSD Magazine wanted me to let you know that she has posted a free .pdf issue online. I mentioned this issue last year and its focus is OpenBSD. Check it out, along with Hakin9!

The Problem with Automated Defenses

Automation is often cited as a way to "do more with less." The theory is that if you can automate aspects of security, then you can free resources. This is true up to a point. The problem with automation is this:

Automated defenses are the easiest for an intruder to penetrate, because the intruder can repeatedly and reliably test attacks until he determines they will be successful and potentially undetectable.

I hope no one is shocked by this....

You Know You're Important When...

You know you're important when someone announces a "Month of Bugs" project for you. July will be the Month of Twitter Bugs, brought to my attention in this story by Robert Westervelt. The current project is led by Aviv Raff, a participant in the Month of Browser Bugs from three years ago. I don't see projects like that as being irresponsible. What would be more irresponsible is selling the vulnerabilities to the underground. Would the...

Sunday, 21 June 2009

The Centrality of Red Teaming

In my last post I described how a Red Team can improve defense. I wanted to expand on the idea briefly.

First, I believe the modern enterprise is too complex for any individual or group to thoroughly understand how it can be compromised. There are so many links in the chain that even knowing they exist, let alone how they connect, can be impossible.

To flip that on its end, in a complementary way, the modern enterprise is too complex for any individual...

Offense and Defense Inform Each Other

If you've listened to anyone talking about the Top 20 list called the Consensus Audit Guidelines recently, you've probably heard the phrase "offense informing defense." In other words, talk to your Red Team / penetration testers to learn how they can compromise your enterprise in order to better defend yourself from real adversaries. I think this is a great idea, but there isn't anything revolutionary about it. It's really just one step above...

Response to the Möbius Defense

One of you asked me to comment on Pete Herzog's "Möbius Defense". I like Lego blocks, but I don't find the presentation to be especially compelling.

Pete seems to believe that NSA developed "defense in depth" (DiD) as a strategy to defend DoD networks after some sort of catastrophic compromise in the 1970s. DiD as a strategy has existed for thousands of years. DiD was applied to military information well before computers existed, and to the computers...

Wednesday, 17 June 2009

Conflict and Confusion

For years, I didn't run DEP, anti-virus or other behavioral blocking software because I believed the hit on machine performance simply wasn't worth it. Additionally, I found most "protective software" bulky and inelegant. Some noticeable exceptions were BlackICE (now defunct) and a PC host firewall now owned by CheckPoint. To rid myself of viruses occasionally, I would use TrendMicro's HouseCall. In any event, after some years struggling to...

Sunday, 14 June 2009

Too Much, Too Fast...Part II

Above and far below might be the type of topology or map you may want to look at if you had a million or so Conficker machines and you were considering where to store your next payload so that it would remain: (1) well-hidden, (2) ever-present.

The first column (also the X axis above) is the count of the number of times this particular memory size is stored on my machine. The second column (in KB and Y axis above) is the memory size itself. The last...

How Much to Spend on Digital Security

A blog reader recently asked the following question:

I recently accepted a position and was shocked to learn, I know this shouldn't have happened, that Information Security/Warfare is largely an afterthought even though this organization has had numerous break ins. Many of my peers have held their position for one or even two decades and are great people yet they are not proactively preparing for modern threat/attack vectors. I believe the main difference...

Too Much, Too Fast

At some point, the software industry will have to come to terms with the fact that it grew too fast, created too many rapid application development vehicles and expanded code into operating systems that just cannot fundamentally withstand concerted attacks from hackers, organized crime, nation-state terrorists, etc. Ultimately, the best defense against intrusion, worms, buffer overflow attempts, etc. will be 'native sentinel' programs that can 'electric fence' every loaded feed, hook, interface, binary and library against suspicious behavior. ...

Monday, 08 June 2009

Counterintelligence Options for Digital Security

As a follow-up to my post Digital Situational Awareness Methods, I wanted to expand on the idea of conducting counterintelligence operations, strictly within the digital security realm. I focus almost exclusively on counter-criminal operations, as opposed to actions against nation-states or individuals.

Those of you who provide security intelligence services (SIS), or subscribe to those services, may recognize some or all of these. By SIS I am not...

Sunday, 07 June 2009

Crisis 0: Game Over

A veteran security pro just sent me an email on my post Extending the Information Security Incident Classification with Crisis Levels. He suggested a Crisis beyond Crisis 1 -- "organization collapses." That is a real Game Over -- Crisis 0. In other words, the cost of dealing with the crisis bankrupts the victim organization, or the organization is ordered to shut down, or any other consequence that removes the organization as a "going concern,"...

Extending the Information Security Incident Classification with Crisis Levels

Last week I tweaked my Information Security Incident Classification chart. Given recent events I might consider extending it to include Crisis 3, 2, and 1 levels. Perhaps they would look like this. I previously alluded to "11" in my original post.

Crisis 3. 11 / Intruder has publicized data loss via online or mainstream media.
Crisis 2. 12 / Data loss prompts government or regulatory investigation with fines or other legal consequences.
Crisis 1....

Department of Defense Digital Security Job Opportunities

A friend of mine from DoD is trying to hire clueful digital security practitioners. He is looking for people to accept positions with DoD-wide and/or service-specific responsibilities. Skillsets needed include reverse engineering, incident response and analysis, penetration testing, and security engineering. The most important characteristic of the candidate is a desire to see DoD achieve its missions successfully. The next requirement is intense...

Saturday, 06 June 2009

Digital Situational Awareness Methods

I've written about digital situational awareness before, but I wanted to expand on the topic as I continue my series of posts on various aspects of incident detection and response.

Here I would like to describe ways that an enterprise can achieve digital situational awareness, or a better understanding of their security posture. What is interesting about these methods is that they do not exclude each other. In fact, a mature enterprise should pursue...