
Security BSides Las Vegas is rapidly approaching, and we are also getting close to wrapping up our preview of some of the sessions and speakers that will be featured this year.

You can look forward to onsite coverage from all three events (i.e. Black Hat and DEF CON too) and some video interviews to boot – so stay tuned!

Previously we covered sessions about OMENS, how to have Fun with WebSockets Using Socket Puppet, and Open Source Penetration Testing and Forensics.

We also learned about Vulnerabilities in Application Whitelisting, Honing Communications Skills, Baking Assurance into Software, Using Machine Learning to Support Information Security, and a workshop Introduction to Wireless Pen Testing and Assessment.


This week we take a look at a session to be presented by Rengade6 (@Renegade0x6), titled Stop Shooting Blanks – No Magic Bullets in Your Arsenal.

In the presentation, Rengade6 will attempt to make the case that there is no single device that will provide a total security solution, and that all those magic and 4th quadrant solutions will not protect your networks.

“Security is not a framework, not a destination, or a weekend of overtime implementing a new tool, and it is not news that organizations need defense in depth or a layered defense,” Rengade6 said in the session abstract.

The point is that too many organizations are stuck in a reactive security mode: they react to network alerts or AV email reports to work out whether they have been owned, even though each security solution only shows a small piece of the larger threat picture.

“Network alerts only provide a partial picture, same with host monitoring,” Rengade6 said. “By combining logs, network alerts and system alerts, a much clearer picture emerges.”

The talk is intended to show it is possible to detect system compromises days, weeks and even months before any antivirus might catch it, and will highlight key system events and locations to monitor for advanced detection. “Network events that you may not currently be watching for that you absolutely should be watching,” Rengade6 said.

Rengade6 has worked as a satellite network administrator, a network administrator, a system administrator, an information security team lead, an Information Assurance Security Officer for the Green Zone in Iraq, an Information Assurance Manager, and an instructor on network defense, and is currently a Network Defense SME and Senior Incident Handler for an undisclosed organization.

He is a first-time speaker at BSidesLV, but says he had previously submitted a paper on a related subject for consideration by Black Hat, though it did not end up making the final cut.

“It was about how compliance frameworks require companies to buy certain equipment, and that equipment can be used to detect intrusions, etc.” Rengade6 said.

“But it was more geared at how compliance is not 100% bad. In this talk I intend to actually be more technical and use more examples, and I will also hit on DNS poisoning, configuring custom HIPS/HIDS rules, and more.”

Rengade6 said he decided to revamp the paper as a talk submission for BSidesLV because he was annoyed at the reactive nature of incident response today, and felt that there was a better, more proactive way to detect and respond to compromises.

“Every incident was the same, get the virus alert, go to the logs, review the registry,” he said. “So I started researching how to improve the incident handling process, and how to speed it up and key in on events faster.”

In doing so he noticed a common pattern, and discovered that by monitoring systems more proactively he could find the point of compromise much faster than through traditional methods.

“After a bad compromise, I discovered that the information was there, for months before the breach. I started combing IDS/IPS, Websense, ePO data, etc. and found that when I looked at the system identified, I routinely already had indicators of compromise,” Rengade6 explains.

“There were indications from 1-15 days before AV caught it. I started working on improving the process and getting proactive in investigating events. I want to share that information and maybe see people walk away from this talk going, ‘Hell yeah, we can do that’.”

Rengade6 believes companies have finally started realizing that antivirus isn’t enough to protect systems anymore, and it helps that compliance frameworks require at least a basic layered security model and that industry pundits have been driving the point home as well.

“This talk isn’t to rehash what people have heard for a while now. Instead I think there is a different trend occurring, and that is information overload. All these devices and systems are generating logs, folks are reviewing them, but missing the big picture,” he said.

After discovering there was evidence of events long before deployed solutions raised an alert, and seeing in the recent Mandiant APT1 report that attackers spend an estimated 243 days on a victim’s network before they are discovered, he decided we needed a way to detect and respond to incidents faster.

“In my opinion 243 days is entirely too long, so I started working to take the logs and alerts from different security solutions and pulled them together in one spot to move away from canned SIEM reporting and querying,” Rengade6 continued.

It wasn’t long before he noticed that he could detect systems that had been compromised or infected with malware well before any antivirus solution would detect them. He also notes that some customers use IDS alerts and antivirus alerts as their sole method of detecting intrusion, so it is no wonder that attackers manage to stay in a network for so long.

“I also think folks need to think about the type of information that is being collected by devices on their networks, and how to leverage it,” he said.

He uses the example of taking web logs, host-based intrusion detection logs, Windows security and event logs, network-based IDS logs, and firewall logs and combining their data for analysis.

“What you can see is that a system on your network went to a certain webpage. Then on the host IDS an Illegal API call was detected, and a malicious ActiveX loader was called. Then in the Windows logs you see a new program added to the RunOnce registry key,” he explained.

“It isn’t a leap to look at the IDS and firewall logs. That same system might now be trying to connect to a remote host somewhere outside the organization, and the firewall might have return traffic in its logs. With that sort of data, you don’t need an antivirus to find the file 15 days down the line to alert you of the incident. You should already know about it.”

But he warns that a side effect of such an approach, if not done correctly, is information overload of its own, like the Python scripts parsing 4 GB of data that he has run into, so you need to make sure you can always search the data effectively to find the relevant events.

“I originally had issues, because parsing the antivirus logs and HIDS logs was causing the scripts to fail with memory issues, but I worked around it and can now parse 10 GB if needed,” he said.

“Unfortunately, I have had times when an alert or a notification of compromise was received, and I have gone back to look at my results and the system is right there clear as day infected, and I didn’t catch it because I still had so many other collections of data to review. So I’ve started looking into tools like Hadoop, NoSQL, Splunk, and ELSA to try and help with this issue.”
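The correlation chain Rengade6 describes above (web visit, HIDS alert, RunOnce change, outbound connection), together with the memory problem he mentions with large log parses, as an added Python example that is not from the talk or the article: it streams constructed sample lines once, keeps only small per-host state, and flags a host whose events complete the chain within a time window. The line format, host names, window and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<ts> <source> host=<name> ..." shape
# (not a real product format). ws-17 shows the chain the talk describes; ws-22
# browses and connects out, then sets a RunOnce value a day later (no chain).
SAMPLE_LOGS = """\
2013-07-01T09:02:11 proxy host=ws-17 url=http://example.test/landing.html
2013-07-01T09:02:15 hids host=ws-17 alert="Illegal API call" proc=iexplore.exe
2013-07-01T09:02:40 winlog host=ws-17 event=RegistryValueSet key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce value=updater.exe
2013-07-01T09:03:05 fw host=ws-17 action=allow direction=out dst=198.51.100.7:443
2013-07-01T09:10:00 proxy host=ws-22 url=http://intranet.test/news
2013-07-01T09:11:00 fw host=ws-22 action=allow direction=out dst=203.0.113.9:443
2013-07-02T14:00:00 winlog host=ws-22 event=RegistryValueSet key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce value=setup.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) (.*)$")

def stage_of(source, rest):
    """Map one event to a stage of the compromise chain, or None if irrelevant."""
    if source == "winlog":  # persistence only when an autostart key such as RunOnce is set
        return "persistence" if re.search(r"\\Run(Once)?\b", rest) else None
    if source == "fw":  # only traffic leaving the network matters for this chain
        return "outbound" if "direction=out" in rest else None
    return {"proxy": "web_visit", "hids": "host_alert"}.get(source)

def correlate(lines, window=timedelta(hours=1)):
    """Stream lines once, keeping only small per-host state (no whole-file load).
    A host's events are grouped while they fall within `window` of the group's first
    event; the fullest group seen per host is returned as a set of stage names."""
    anchor, current, best = {}, defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        stage = m and stage_of(m[2], m[4])
        if not stage:
            continue  # unparsable or irrelevant line: skip it rather than abort the run
        host, when = m[3], datetime.fromisoformat(m[1])
        if host not in anchor or when - anchor[host] > window:
            anchor[host], current[host] = when, set()  # start a new time group
        current[host].add(stage)
        if len(current[host]) > len(best[host]):
            best[host] = set(current[host])
    return dict(best)

def suspicious_hosts(lines):
    """Hosts with a persistence event plus at least two other chain stages."""
    return sorted(h for h, s in correlate(lines).items()
                  if "persistence" in s and len(s) >= 3)
```

Because `correlate` accepts any iterable of lines, it can be fed an open file handle and process a multi-gigabyte log without holding it in memory.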

The good news, Rengade6 believes, is that by moving away from reliance on signature-based detection of compromise and towards effective data mining of security information, we can take the logical step away from a reactive security model and implement a serious proactive one.

“I want the crowd to look at this strategy and say finally, we don’t need to rely on canned reports or alerts anymore.”




Title image courtesy of ShutterStock