Monday, June 7, 2010

CDAC Cybersecurity: Incident Handling and Response

So, what does a guy with lots of computer skillz and a shiny new GCFA certificate do for fun? He goes to FEMA Cybersecurity training! I know you're all jealous, admit it.

These classes are free if you can catch one in your area, but I can honestly say that I didn't learn anything new in this class. It did reinforce a lot of prior learned techniques and I got another certificate for my "I Love Me" wall.

Here it is in a nutshell:
Day 1:
We covered the basics of Network Security: Access Control, Physical Security and Biometrics, Social Engineering.

Risk Assessment and Business Continuity Planning, Information Classifications, Privileges and Auditing.

Lab on setting Password complexity and length. (Yah, pretty weak stuff)

Device Hardening, Firewalls, Secure Protocols.

Lab on Packet capture and Network Monitoring. (not bad, but not in-depth enough to teach what you're actually looking at. I already know the how-to's)

Day 2:
Incident response planning and the steps to Incident Response including legal aspects, policy and procedures. We also touched on Gramm-Leach-Bliley, HIPAA, FERPA and the Computer Fraud and Abuse Act. (I could have used this section for the GCFA exam)

ISP legal procedures and requests for retention, some outdated threat statistics, Labs on setting up event and IIS logging, Malware types. Attack types including Man in the middle, DoS, DDoS, Spoofing.

Lab on password cracking. This would have been a lot more fun if I hadn't already ripped the SAM hive off of most of the laptops in the classroom and cracked all the passwords before lunchtime :) (I couldn't help it, I was bored)

Day 3:

Handling an Incident. Here we started going into the significance of the attack: Public utilities, CC theft, etc., and then went on to discuss monitoring of a live breach, IDS systems and monitoring them, Snort for Windows, Honeypots and Honeynets.

Evidence handling was next. The ex-cop and I were the only ones that had any idea what chain of custody was or why it was important. Evidence handling and preservation, volatile data gathering. (I was actually impressed that they covered this at all; traditional forensics is image, image, image, sort through it all later)

Forensic tools and their use: This section could have gone on for days. I was thankful they just breezed over a handful of the common (and free) tools.

Handling an Incident and Follow-up.
Short-term handling techniques depending on the type of threat, i.e. virus, worm, Trojan, DoS, site defacement.

Responding to intruder access: Change passwords, limit network access, system examination for extra open ports, research possible access methods.

Lab on setting account lockout policy.

Checksums and known-good lists.

Responding to internal breach. IeView, Cache audit, email examiner. (again, useful but pretty low level stuff)

System logs, IDS logs, syslog; using Sawmill and Log Parser to provide a search mechanism. (I like grep...)

Tracking intruder source: Traceroute, Nslookup, dig, whois. Using Sam Spade.

Day 5:

Practical Labs.

Scenario 1: You are contacted by the CIO of a power company who suspects one of his techs has been trying to access a central control server. Examine his workstation to see if his suspicions are founded.
(This one was kind of fun; the workstation is loaded with password cracking utilities, DameWare remote control, IE shortcuts and visits to hacking websites and some recoverable emails of guidance from a more experienced hacker.)

Scenario 2: Move on to the server referred to in scenario 1. (I missed one piece on this one. One of the first things I did was run a netstat against it and I failed to notice that port 23 was listening. I was in the right place and Windows Server 2003 doesn't usually listen for telnet traffic. Duhhh. I did catch a number of other things that were out of place like a user profile folder for a non-existent user that contained the DameWare listener and a handful of nefarious scripts.)
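One way to do the "extra open ports" check from the follow-up section and the netstat step in Scenario 2, as an added example (my code, not the course's): it parses Windows-style `netstat -an` output against an assumed known-good baseline for the server role and lists every listener the baseline does not expect. The netstat lines are constructed sample data, and the baseline and port hints are assumptions for the example.

```python
"""Flag listening ports that are missing from a known-good baseline.

Added example, not from the course or the post. The netstat text below is
constructed sample data; the baseline and port hints are assumed values.
"""
import re
from typing import List, Tuple

# Constructed `netstat -an` output (Windows format) from a file server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6129           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       192.168.1.77:51022     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Assumed known-good baseline per server role (ports a clean box should bind).
BASELINE = {"file-server": {135, 137, 139, 445, 3389}}

# Hints to speed up triage; illustrative, not a full service table.
PORT_HINTS = {23: "telnet", 6129: "DameWare Mini Remote Control default"}

# Proto, local address, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def local_port(addr: str) -> int:
    """Extract the port from '0.0.0.0:23' or bracketed IPv6 '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def listening_ports(netstat_output: str) -> List[Tuple[str, int]]:
    """Return sorted, de-duplicated (proto, port) pairs that are bound."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT rows are not listeners
        found.add((proto, local_port(local)))
    return sorted(found)


def unexpected_listeners(netstat_output: str, role: str) -> List[Tuple[str, int, str]]:
    """Listeners not in the role baseline, each with a triage hint."""
    allowed = BASELINE[role]
    return [(proto, port, PORT_HINTS.get(port, "unknown"))
            for proto, port in listening_ports(netstat_output) if port not in allowed]


if __name__ == "__main__":
    for proto, port, hint in unexpected_listeners(SAMPLE_NETSTAT, "file-server"):
        print(f"UNEXPECTED {proto}/{port} ({hint})")
```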

Scenario 3: Network technician calls you because he can't get into his Windows 2000 server anymore and is afraid it's a security breach. (boot off of recovery disk and reset the admin password, basic virus scan reveals a couple of trojan backdoors. System is 5 years behind on security patches...kinda boring)

All in all, I think it would be a good class to get your feet wet. If you're already certified in anything security there won't be anything new for you. However, this class is a prerequisite to become a FEMA/CDAC Cyberterrorism First Responder (CFR). I'm hoping they roll through next year so I can take the course and earn that certification.

I did meet a number of security people from my local area and got an invite to the 2600 group here in Helena. I exchanged some business cards and had a generally relaxing week away from the office. The instructor was very good and the course materials were good. Overall I give it a C+ mainly because it lacked any real depth.

By the way, my buddy Chris was interviewed for "The Cyber Jungle" radio show; you can check out the podcast here. Fast forward to the 58:00 minute mark of episode 141 for his interview. Congratulations to Chris as well for getting his "Sniper Forensics" presentation accepted at DEFCON 18 in Vegas.

Now if he could only get me onto the SpiderLabs team............


  1. I admit it, I'm jealous.

    "The ex-cop and myself were the only ones that had any idea what chain of custody was or why it was important." That surprises me. I would think most people getting into forensics have a security background or at least a good computer background and would know this. Comments?

  2. Unfortunately 90% of my class was just there for the CE credits for one certification or another. Chain of custody is boring. It's absolutely, positively necessary in the line of work I am pursuing but it's boring.