Articles & Presentations

Tuesday, November 19, 2013

Austin ISSA Malware Discovery training a HUGE success




Last Friday we held a Malware Discovery training, "From Joe to Pro, how to discover malware in your environment", for the local Austin ISSA chapter.

For an all-day event it went pretty quickly from my perspective as the trainer, but the feedback was GREAT! We received so many great comments that we will be holding another training event just before BSides Austin 2014, on March 19th.

In addition, we have been asked to hold the training in Dallas on Jan 31st for our local NAISG, ISSA and InfraGard folks and other invited guests.


What made the training really cool was the lab infrastructure that was graciously sponsored by Rackspace! These bad boys made the training smooth and the exercises fast! How fast, you ask? Well, in our development of the labs we were using an Amazon AWS Windows 2008 R2 server, and the Hash_Master scans took roughly 21 mins on the AWS server. On the sponsored Rackspace servers it took... wait for it....... 5 mins! Yup, five whole mins to scan the entire disk. Since we had to do this 3 times, it was an impressive improvement.

Here is the screenshot of our configuration from the Virginia region.


So cloud providers are not created equal, and Rackspace has my appreciation for their performance, ease of use and all-around awesomeness!

So if you are in Dallas on Jan 31st, sign up for the training and come see how to discover malware like a Pro!

For more information, visit our Training page at:

Malware Discovery Training page

#InfoSec #HackerHurricane #malware

Friday, November 8, 2013

Like natives, InfoSec needs to become more hunters, less gatherers




Today we are faced with an ever-increasing threat of advanced malware and the attacks associated with it. Compliance has created a gathering mentality in Information Security, and it is no longer adequate to defend our tribe.

We must move more towards a hunter's mentality and seek out the bad stuff in order to protect our tribe. We must detect and respond to the threats and seek them out, because they are sneaky prey looking to take your goods while you gather data, stats and reports and check compliance reports for auditors.

Be an InfoSec Hunter and less of a gatherer.

#InfoSec #HackerHurricane

Friday, November 1, 2013

(O) E&Y Poll states 96% of organizations are not prepared for a Cyber attack.. Hmmmm

This is an article I have to render an opinion on, as it is a great example of 'What the heck have you been working on all these years?'

The Ernst & Young article may be found here, discussed on Naked Security:


65% of larger corps stated 'Financial' as a reason they are unprepared for a large Cyber event, and 71% of small orgs under $10 million. So let me get this straight: you have staff, you have bought many tools, and most likely, since this is an E&Y poll, you follow some sort of compliance framework.

In Wendy Nather's talk at LASCON in Austin she discussed the results of a poll in which she asked industry experts to pick the technologies they would choose if starting from scratch for a 1000-person company... What did the list look like? I shouted out "PCI", and the next slide said... PCI.

I was even bold enough to state that I didn't need all that technology to practice "real security," that I and another qualified InfoSec pro could do it with a few tools, if exploited properly. Of course someone pointed out that I would never pass an audit, and he is correct. As a former State of Texas InfoSec resource I understand compliance all too well, and after years at HP dealing with SOX, PCI, HIPAA, ISO and others, I understand all too well how compliance is a time-sucking resource pig that does not achieve what we really need to secure our companies and nation.

So why are so many not prepared for a cyber attack? In doing many presentations I ask the following question: "How many are confident their environment is malware free, or, once you find malware, that the system is malware free?" How many hands do we get? 0-1 per preso!

Why is InfoSec so broken, or lacking confidence? I blame compliance. I have stated that compliance does not equal security, as too often it is achieved by an auditor saying "Check, you pass." There is no real evaluation of how you are actually doing at security defense. Many say get penetration testing regularly to test your defenses. I say "Phooey" to that as well; it proves little that your defenses are good enough.

Most pen testers I know will find a way in or fool a person into 'Clicking on That'; just look at Trustwave's report on hacking a reporter who asked them to and knew they were coming! There is merit in pen testing, but I feel most people, say 96%, will fail the pen test. Why? Because of the way we currently think about Information Security, in that compliance frameworks like implementing PCI will make you secure enough; but almost everyone is getting popped, and they have some basic security framework in place.

"Real Security" is dirty, in-the-trenches kind of work. HackerHuntress stated people didn't like Blue Team jobs because it is "hard" and I said "No it's not"... We talked some and agreed in the end that it is management and a lack of trained staff that can do what I and others I know who are complete defenders can do. Maybe we just don't know how, or lack the confidence to defend all that is good.

We don't need to train the users and create and give more Employee Awareness, as the E&Y article indicates. We need to teach 'Real Security' to the in-the-trenches blue team defenders that are employed at many, if not most, companies. We need to teach them how to actually detect and respond to any size Cyber event, and do so at the speed of business, so that they may move on and you can get back to defending your network. And the policy statement... Really? Did E&Y not read that employees will disregard company policies where BYOD was involved? We already know they surf non-business-related sites on work systems because they can. What makes anyone think policies will prevent anything? They are guides on how to do things, or how a person will be reprimanded if caught. Policies are regularly broken, and the Internet has become an entitlement to most employees these days... Take it away and see what happens, I dare you!

This is why I do presentations on malware and logging, and I challenge people at talks, to inject some thinking, to get people thinking, 'Is there another way?' Thawt Leadership I think it's called ;-) I share what I know about logging and malware at local ISSA half-day and all-day events, and I do presentations at many Cons, all to educate and share the love and a new way of thinking.

Most people I talk with do not have basic Windows auditing tweaked to actually record the events needed to detect a Cyber Attack of any kind. If they do, they have not refined their audit rules and are not alerting via email on real actionable events. They also do not monitor well-known locations for malware or suspicious changes to a Windows system and send that to the logs either. Example: How many of you have enabled the Advanced Auditing Security 'create files' property for one or more Windows directories (Windows, System32, Drivers, WBEM), so that a new file, not files replaced by Windows Update but new files like malware, is recorded and sent to you via email by your logging solution? Implement and refine this feature alone and you are well underway to detecting a small to large Cyber Attack! Don't leave out actually enabling the Windows Audit Policy, as it (Yay Microsoft) is off by default, and record success of privileged items and others, of course.

Logging is HUGE to being prepared for a Cyber event of any size. It can detect the behavior of a Malwarian or Bad Actor reaching beyond a compromised system. It can also allow defenders to report on who did what, where and when, but not why, unless you ask them. If you also monitor key locations across your Windows systems for file additions or changes, you can detect odd files, which, if happening from one system to many, is also suspicious and can be alerted on via email if you have a solution that can do this, like BigFix, Tanium or others.
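As an added example of the two points above (turning on the 'create files' auditing for the Windows directories and then actually getting the resulting events to a human), here is a PowerShell script that is not from the post or its author. The directory list is the one the post names; the function names, the one-hour lookback, and the SMTP server and addresses are assumptions for illustration only. It must run elevated, and it turns on the subcategory the post says is off by default before putting the SACL in place.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: enable file-creation auditing on the
# Windows directories the post names, then pull the resulting Security
# events so they can be mailed or shipped to a logging solution.

# 1. Advanced Audit Policy. "File System" is the subcategory that yields
#    event 4663 for files; "Sensitive Privilege Use" covers the "record
#    success of privileged items" point.
function Enable-FileCreateAuditPolicy {
    # Let subcategory settings override the legacy nine-category policy,
    # otherwise an old GPO can silently undo what auditpol sets here.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -PropertyType DWord -Value 1 -Force | Out-Null
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
}

# 2. SACL: audit successful CreateFiles (FILE_ADD_FILE on a directory) by
#    anyone. ContainerInherit only, so the rule applies to the directory and
#    its subdirectories but not to existing files; overwriting a file in
#    place does not fire it, adding a new file to the directory does.
function Add-NewFileAuditRule {
    param([string[]]$Directory)
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $acl  = Get-Acl -LiteralPath $dir -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]::CreateFiles,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $dir -AclObject $acl
    }
}

# 3. Read event 4663 ("an attempt was made to access an object") and keep
#    only access mask 0x2 (WriteData / AddFile) under a watched directory.
function Get-NewFileEvent {
    param([string[]]$Directory, [int]$LookbackMinutes = 60)   # lookback is an assumed default
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['AccessMask'] -ne '0x2') { continue }
        $obj = $d['ObjectName']
        if (-not ($Directory | Where-Object { ($obj -eq $_) -or ($obj -like "$_\*") })) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $e.MachineName
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']
            Object  = $obj
        }
    }
}

# Directories from the post; refine this list to what is quiet on your builds.
$watched = 'C:\Windows',
           'C:\Windows\System32',
           'C:\Windows\System32\drivers',
           'C:\Windows\System32\wbem'

Enable-FileCreateAuditPolicy
Add-NewFileAuditRule -Directory $watched

$hits = Get-NewFileEvent -Directory $watched -LookbackMinutes 60
if ($hits) {
    # Hand-off: mail it, or feed it to your logging solution. The SMTP
    # server and addresses below are placeholders, not real values.
    Send-MailMessage -SmtpServer 'smtp.example.invalid' `
        -From 'audit@example.invalid' -To 'soc@example.invalid' `
        -Subject "New files under watched Windows directories on $env:COMPUTERNAME" `
        -Body ($hits | Format-List | Out-String)
}
```

Expect a noisy first day: Windows itself adds files under C:\Windows (Temp, Prefetch, Logs, servicing) and the rule inherits to every subdirectory, which is exactly the "refine" step the post calls for. Start with the narrower directories (drivers, wbem, System32), build a baseline of the processes that legitimately create files there, and alert on the rest; the Process and User fields in the output are what make that triage possible.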

We also have to give up on spending tonnage of $$$$ on protecting the endpoint. It WILL get popped if you allow users to surf the InterWebbings without strict controls. Bad sites serving up malware are all over, and the majority are on legitimate websites. No, FireEye will not prevent all of this threat; what about thumb drives? Or users on their company laptops surfing outside the company when not protected by your proxy solution like FireEye? The endpoint WILL get popped, and InfoSec really needs to move more towards Detect and Respond to this threat in their budgets and focus less on prevention to move forward. Start thinking like hackers and be a detective, not a preventive, InfoSec program, as it will serve you well and prepare you for any size Cyber event.

So I leave you with this to consider...

1.  What is 'Real Security' to you?
2.  Do you have a robust logging solution in place?
3.  Do you alert to the items I stated above?
4.  Have you attended a local BSides event to interact with the people in the know?
5.  Do you believe you have the people that can learn these tricks and skillz?

Or do you just believe compliance will get us there?

Let me know your thawts at the next Con.

#InfoSec #Logging #Malware