Sunday, November 6, 2016

[SANS ISC Diary] Full Packet Capture for Dummies

I published the following diary on isc.sans.org: “Full Packet Capture for Dummies

When a security incident occurs and must be investigated, the Incident Handler’s Holy Grail is a network capture file. It contains all communications between the hosts on the network. The metadata alone are already a goldmine: source and destination IP addresses, ports, time stamps. But if we also have access to the full packets with their payload, it is even more interesting: we can extract binary files from packets, replay sessions, extract IOCs and many more. [Read more]

[The post [SANS ISC Diary] Full Packet Capture for Dummies has been first published on /dev/random]



from Xavier

Friday, November 4, 2016

Bringing EMET protections into Windows 10

This post is authored by Chris Hallum, Senior Product Manager, Windows

The Enhanced Mitigation Experience Toolkit (EMET) was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities, and over time it has proven effective against a wide range of vulnerability exploit techniques. Since its first release in 2009 we’ve received a great deal of feedback on it, and one common request was to include EMET functionality directly in Windows itself.

With Windows 10 we’ve integrated the many mitigation features that EMET administrators have come to rely on directly into the system. With the Windows 10 Anniversary Update our efforts have reached critical mass, and so EMET 5.5 is entering the sustained engineering part of its lifecycle. More background information on EMET, its integration into Windows 10, and the updated support statement can be found in the Moving Beyond EMET post on the Security Research & Defense blog.



from Microsoft Secure Blog Staff

Cybersecurity and cyber-resilience – Equally important but different

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives the possible consequences of attacks such as the one that occurred last month are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there may soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure by cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they could continue to operate at some level in the face of “black-swan” violations of those systems’ fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality, however, is that cyberattacks are not all-or-nothing events: a breach does not mean unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires there to be a focus on culture, as much as there is on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.




from Paul Nicholas

Thursday, November 3, 2016

Awareness Training Ranks High in New Cyber Security Report

Key Awareness Findings from the SANS 2016 Survey on Security and Risk in the Financial Sector What if you could peer into the front lines of the battle against cyber threats in the financial services sector? What role does security awareness play in thwarting attacks? The 2016 SANS Survey on Security and Risk in the … Continue reading Awareness Training Ranks High in New Cyber Security Report

from Securing the Human

Popularity of a Talk VS. Internet Usage?

When I analyzed the data collected during the last BruCON edition, I had the idea to correlate the timeslots assigned to talks with the amount of Internet traffic. First a big disclaimer: My goal is not to judge the popularity of a speaker or the quality of his/her presentation but more to investigate if the network usage could reveal interesting facts.

Measuring the bandwidth is not a good indicator: some people used BitTorrent clients or were downloading big files in the background. I think that it is more relevant to count the number of sessions. The first step was to extract relevant data. I decided to focus only on HTTP and HTTPS traffic (TCP 80 and 443). Only public destination IP addresses were kept (e.g. connections to the wall of sheep are not included). All sessions with their timestamp were extracted and indexed by Splunk:

HTTP Connections

Then I grouped the connections into slots of 30 minutes and exported the result to a CSV file:

source="/opt/splunk/var/run/splunk/csv/httpbrucon.csv" index="brucon" | timechart span=30m count

Finally, I exported the schedule from sched.brucon.org and correlated both with Excel:

Excel Correlation

And the graph showing traffic per talk:

Connections VS. Talks

So now, how to interpret those numbers? A peak of traffic can be read in two ways. When the speaker shows a nice slide or explains something awesome, attendees will often share it on social networks. But, on the other hand, bored people (or those who are lost in too complex slides) will be tempted to surf the web while waiting for the end of the presentation. Based on the feedback received about some talks, both situations are present in my results (again, I won’t disclose which ones).

This model is not perfect. Besides regular talks, there were also workshops, and they could generate a significant number of connections too. One way to improve the reporting would be to restrict the analysis to connections made through the wireless access points located in the main room…
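The same pipeline (keep only sessions to public IPs on TCP 80/443, bucket them into 30-minute slots like the Splunk timechart above, then sum the slots that fall inside each talk) can be reproduced offline without Splunk. The following is an added example written for this page, not Xavier’s code or data: the session records and the two-talk schedule are constructed here for illustration, and the is_global filter is assumed to be an acceptable stand-in for “public destination IP addresses only”.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of per-session records "timestamp dst_ip dst_port"
# (standing in for the Splunk export; not BruCON data).
SESSIONS = """\
2016-10-27T10:05:12 93.184.216.34 443
2016-10-27T10:07:40 93.184.216.34 80
2016-10-27T10:12:03 10.3.1.5 80
2016-10-27T10:20:55 151.101.1.69 443
2016-10-27T10:35:10 93.184.216.34 443
2016-10-27T10:44:02 151.101.1.69 443
2016-10-27T10:45:30 93.184.216.34 22
2016-10-27T11:10:00 151.101.1.69 443
2016-10-27T11:25:45 93.184.216.34 80
2016-10-27T11:31:00 93.184.216.34 443
"""

# Constructed schedule (title, start, end); not the real BruCON programme.
SCHEDULE = [
    ("Talk A", "2016-10-27T10:00:00", "2016-10-27T11:00:00"),
    ("Talk B", "2016-10-27T11:00:00", "2016-10-27T12:00:00"),
]

SLOT = timedelta(minutes=30)   # same granularity as "timechart span=30m"
HTTP_PORTS = {80, 443}


def parse_sessions(text):
    """Yield (timestamp, ip, port) for sessions to public IPs on 80/443 only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split()
        port = int(port)
        addr = ipaddress.ip_address(ip)
        # Drop private/loopback/link-local destinations (e.g. the wall of sheep)
        # and anything that is not HTTP/HTTPS.
        if not addr.is_global or port not in HTTP_PORTS:
            continue
        yield datetime.fromisoformat(ts), ip, port


def floor_to_slot(ts, slot=SLOT):
    """Round a timestamp down to the start of its 30-minute slot."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + slot * ((ts - midnight) // slot)


def count_per_slot(text):
    """Number of kept sessions per slot start (the CSV Splunk would export)."""
    counts = Counter()
    for ts, _, _ in parse_sessions(text):
        counts[floor_to_slot(ts)] += 1
    return dict(counts)


def count_per_talk(text, schedule):
    """Sum the slots whose start lies inside each talk's [start, end) window."""
    per_slot = count_per_slot(text)
    result = {}
    for title, start, end in schedule:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        result[title] = sum(n for slot, n in per_slot.items() if s <= slot < e)
    return result


if __name__ == "__main__":
    for slot, n in sorted(count_per_slot(SESSIONS).items()):
        print(f"{slot:%H:%M}  {n}")
    print(count_per_talk(SESSIONS, SCHEDULE))
```

Of the ten constructed records, one goes to a private address and one to port 22, so eight sessions survive the filter; they fall into four slots (3, 2, 2, 1), giving 5 sessions during Talk A and 3 during Talk B. A slot that straddles two talks is credited to the talk in which it starts, which is the same simplification the 30-minute export makes.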

[The post Popularity of a Talk VS. Internet Usage? has been first published on /dev/random]



from Xavier

OUCH Newsletter is Out - Using the Cloud Securely

The November edition of the OUCH! security awareness newsletter is out. For this month we focus on Using the Cloud Securely. We chose this topic as there is a great deal of unnecessary confusion and fear about the Cloud. Cloud technology is a powerful way to collaborate with others and be far more efficient at work and home. However … Continue reading OUCH Newsletter is Out - Using the Cloud Securely

from lspitzner