Sunday, 31 October 2010

Does This Sound Familiar?

Now that over a week has passed since this Economist article was published, I wanted to cite it and ask if the problem it describes sounds familiar: Globally, shrinkage [(losses from shoplifting, theft by workers and accounting errors)] cost retailers $107 billion in the year to June. This was 5.6% less than the previous year, but still the equivalent of 1.36% of sales... When it comes to thwarting thieves, shop-owners are on their own. In most countries...

Saturday, 30 October 2010

What Do You Investigate First?

A colleague of mine who runs another Fortune 10 CIRT asked the following question: Let's say, for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities? There are two ways to approach this problem, but they will likely converge at some...

Monday, 25 October 2010

FIRST Technical Colloquium Tue 2 Nov in NoVA

FIRST is holding a one-day Technical Colloquium in Herndon, VA on Tue 2 Nov 2010, organized by Jeffrey Palatt from IBM. The event is free and open to FIRST members and their guests, but seating is limited. The program features several good speakers, but the interaction among the attendees is often what I like best! As you might expect, the content involves detection and response to security incidents. If you are not a FIRST member but would like...

Saturday, 23 October 2010

Powershell LSOF / Parsing Netstat

Update 09/14/2012: Other attempts at an lsof for Windows are here:

thinking-about-network-security.blogspot.com/2010/10/powershell-lsof-parsing-netstat.html
thinking-about-network-security.blogspot.com/2010/12/powershell-lsofparsing-netstat-part-ii.html
thinking-about-network-security.blogspot.com/2010/05/lsof-for-windows-subsitute.html

These are very 1.0 and 2.0. I will try to update my lsof attempts to 3.0 soon. -RMF

This script, parse-netstat.ps1, successfully parses 'netstat -ano' for each PROTO (TCP, TCPv6, UDP, UDPv6) and then uses 'ps' to enumerate...

Sunday, 17 October 2010

Resources for Building Incident Response Teams

Recently a colleague asked me for resources for building incident response teams. I promised I would provide a few ideas, so I thought a blog post might be helpful. I figured some of you might want to add comments with links or thoughts. The CERT.org CSIRT Development site is probably the best place to start. From there you can find free documents, links to classes offered by SEI on building CIRTs, and so on. I don't think you can beat that site! I...

Monday, 11 October 2010

Accessing (or not) GetOwnerModuleFromTcpEntry from Powershell

Normally on XP SP2, Vista and Win7, 'netstat -ano' or 'netstat -anob' gives us the connected sockets and the PIDs of listening applications. With the '-b' option, netstat makes an attempt at finding the owner of the socket, probably through the 'GetOwnerModuleFromTcpEntry function [which] retrieves data about the module that issued the context bind for a specific IPv4 TCP endpoint in a MIB table row', found in iphlpapi.dll (IP Helper). I have found that getting this same information from PowerShell is more than difficult. It is easy enough...

Sunday, 10 October 2010

Review of Professional Assembly Language Posted

Amazon.com just posted my four star review of Professional Assembly Language by Richard Blum. I reviewed one of his other books seven years ago: Network Performance Toolkit: Using Open Source Testing Tools. From the review: I read Professional Assembly Language (PAL) by Richard Blum because I wanted to become somewhat familiar with assembly language. Books like "Introduction to 80x86 Assembly Language and Computer Architecture" by Richard Detmer...

Review of Cyber War Posted

Amazon.com just posted my four star review of Cyber War by Richard Clarke and Robert Knake. From the review: The jacket for "Cyber War" (CW) says "This is the first book about the war of the future -- cyber war." That's not true, but I would blame the publisher for those words and not the authors. A look back to 1998 reveals books like James Adams' "The Next World War: Computers Are the Weapons & the Front Line Is Everywhere," a book whose title...

Tuesday, 05 October 2010

Design a Landscape - Tree in Sunset

Note: This tutorial was the first tutorial I ever did. Because of this, it is not that great of a tutorial. Rather than step-by-step instructions, it is more or less a guide on how to do something like the picture you see above if you are already somewhat familiar with Inkscape. I decided to do a better, more updated version. Version 2, if you will. You can find it here. I am keeping this original tutorial mainly because I just don't...

First Project - Box

Click this link to go to the tutorial that I did a few weeks ago. This tutorial is great and easy to follow and has great results! Here is my completed project: This tutorial is basically what inspired me to do a design a week. Some weeks I may just show a tutorial I did, other weeks I will post my own tutoria...