Tag Archives: SANS

SANS Comes to Zürich Starting January 23

Starting the 23rd of January 2013, I will be mentoring  SANS Security 504: Hacker Techniques, Exploits & Incident Handling in Zürich. The training material is awesome and I am looking forward to start. Below is a short description about this mentoring session.sans-mentor

If your organization has an Internet connection or one or two disgruntled employees (and whose doesn’t!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth.
This course addresses the latest cutting-edge insidious attack vectors and the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do.

Students on the SANS mentor program study SANS Hacker Techniques, Exploits & Incident Handling course books at their own pace. Each week, students meet with SANS Local Mentor, who will lead class discussions, provide hands-on demonstrations, point out the most salient features, and answer questions. The Mentor’s goal is to help students grasp the more difficult material, master the exercises, and prepare them for GCIH certification.

This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

Tagged , ,

Computer Security Incident Handling – 6 Steps

incidentresponseActionable information to deal with computer security Incidents. Repeatable and effective steps. Steps that are unanimous among security practitioners.
It’s a good way to describe the SANS methodology for incident handling, compelled by Stephen Northcutt and others. With its origins on the Computer Incident Response Guidebook (pub. #: 5239-19) from US Navy Staff Office back in 1996. It is a 6 steps methodology. It will help you quickly and efficiently recover from a security incident.

The purpose of these 6 steps is to respond systematically to incidents. It includes the ability to minimize loss or theft of information or disruption of services when an incident occurs.

Types of incidents might include malicious code attacks, denial of service, espionage, sabotage, hoaxes, unauthorized access, insider threats, policy violations and many others.The six steps are preparation, identifications, containment, eradication, recovery and lessons learned.

A very similar process has also been brought to life by NIST on the Computer Security Incident Handling Guide (pub. #: 800-61) published in 2004. This special publication is very consistent with SANS methodology. In fact it is also a 6 step methodology with the difference that step two is named detection instead of identification.

Below a short and high level introduction of the 6 Computer Security Incident Handling steps:

Preparation : It’s at this stage that you develop the formal incident response capability. It’s at this stage where you create an incident response process defining the organizational structure with roles and responsibilities. It’s on this stage that you create your procedures with detailed guidance in order to respond to an incident. Its where you select the right people with the appropriate skill set. Its where you define the criteria do declare an incident. Its where you define the right tools to handle an incident. It’s where you define what you are going to report. To whom are you going to communicate.
This step is crucial to ensure response actions are known and coordinated. Good preparations will help you limits the potential damage by ensuring quick and effective response actions.

Identification: This is the step where you determine if an incident has occurred. Based on events observation, indicators, you look for deviations from normal operations. You look for malicious acts or attempts to do harm. The security mechanism in place will help you doing the identification. Your incident handler team will use their experience to look at the signs and indicators. The observation could occur at network level, host level or system level. It’s where you leverage the alerts and logs from your routers, firewalls, IDS, SIEM, AV gateways, operating system, network flows, etc.  After identifying an incident you need to assess the impact. Notify the appropriate individuals or external parties. If there are reasons to believe that you will engage law enforcement it’s where you ensure chain of custody. It’s also at this stage that you define next steps such as containment.

Containment: The third stage of responding to incidents. It consists of limiting the damage. Stop the bleeding. Stop the attacker. It’s where you make decision on which strategy you will use to contain the incident bases on your processes and procedures. It’s where you engage the business owners and decide to shut down the system or disconnect the network or continue operations and monitor the activity. All depends on the scope, magnitude and impact of the incident.

Eradication:  After successfully contained the incident. The next step entails removing the cause of the incident. In the case of a virus incident it may simply require removing the virus. On other complex incident cases you might need to identify and mitigate exploited vulnerabilities. It’s on this step that you should determine how it was initially executed and apply the necessary measures to ensure don’t happen again.

Recovery: It means back in production. Eventually, restoring a backup or re-image a system. It’s where you return to normal operational status.  After successfully restoration is important to monitor it for a certain time period. Why? Because you want to potentially identify signs that evaded detection.

Lessons Learned: Follow up activity is crucial. It’s where you can reflect and document what happen. Where you can learn what failed and what worked. It’s where you identify improvements for your incident handling processes and procedures. It’s where you write your final report.

References and further reading:

Computer Incident Response Guidebook (pub. #: 5239-19), 1996, US Navy Staff Office
Computer Security Incident Handling Guide (pub. #: 800-61), 2004, US NIST
Incident Handling Step by Step ver. 2.2, 2001, SANS Institute
RFC 2350: Expectations for Computer Incident Response, 1998, IETF
Handbook for Computer Security Incident Response Teams (CSIRTs), 2003, CERT / Carnegie Mellon Software Engineering Institute
Essential Incident Response Activities during the First 24 Hours, 2006, Gartner, Inc.
Good Practice Guide for Incident Management,2o1o, ENISA

Tagged , , , ,


NetWars logo used with permission from SANSUser engagement, return on investment and learning. Those are key benefits of gamification. Gamification might be a new term but it has been used on specific industries since years. One example is the militaries that have been using games, challenges and simulations to resolve problems and engage audiences.  NATO is considering gamification using the Internet. The Office of Naval Research a department from the US Navy recently ran a Massive Multiplayer Online Wargame Leveraging the Internet. Deloitte call it the engagement economy.

Gabe Zichermann and Christopher Cunningham on the preface of their latest book wrote that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a told for learning, and true-to-life simulations have changed the way professionals train for intensive, on the job-skills.”

Then, how can we use and apply gamification to information security? Well, learning information security skills through gamification is what this post is about. And is where NetWars comes in. NetWars is a product from SANS and it illustrates how gamification can be used to help you increasing your information security skills. The concept is not new and there are others. Similar is the Overthewire and Smasthestack challenges, which are also known as capture the flag or wargames. However, NetWars was made by Ed Skoudis. That alone is already a differentiator. Last year at London, SANS hosted the first EMEA Netwars tournament session. It consisted of 5 levels, where each one consists of several challenges that will give you points from 1 to 15 based on its difficulty. To be able to pass to the next level you need to reach a certain threshold. The levels are designed to help participants develop skills areas such as Vulnerability Assessments, System Hardening, Malware Analysis, Digital Forensics, Incident Response, Packet Analysis and Penetration Testing.

Should business leaders invest in this type of simulations to train their employees? Absolutely, the marriage between pedagogy and technology is a fact. In addition from a pure return on investment, employee training might be the best business expense.  According to Professor Bartel, who is the Director of Columbia Business School’s Workforce Transformation Initiative and an expert in the field of labor economics and human resource management. The estimated return on employee training range from 7% to 50% per dollar spent and on two specific case studies it can grow with returns of 100% to 200% on investment. Further details on her paper “Measuring Employer Return on Investments in Training”.

To give you an example on how gamification can be used to engage people and learn. You might remember, back in 90s, there was a famous video game called Where in the World is Carmen Sandiego?. The game challenges player to track the thief who is hiding out in one of 30 cities using a world almanac as investigative tool (for example, “What country uses keroner as its currency?  Check your connections to find out which cities the thief might have fled to). The game basically teaches you knowledge of world geography and cultures.

But back to NetWars and his director, Ed Skoudis, check his presentation on “Using InfoSec Challenges to build your skills and career”. Among others the presentation describes the benefits of gamification information security challenges. The presentation also provides guidelines on how to develop your own challenges and simulations.

Teaching and training systems like NetWars are designed to mimic real life situations. In this case it represents real-world security issues with their respective flaws and resolutions on an  interactive and hands-on laboratory environment. Historically books contain theories and examples. But with simulations, challenges and games, the dynamic and a temporal element can be added. It will also allow difficult concepts to be vibrantly illustrated.

Zichermann, Gabe; Cunningham, Christopher (2011) : Gamification by Design : O’Reilly
Information Resources Management Associations (2011) :Gaming and Simulations : IGI Global

Tagged , , , , , ,