Layers Are Important

We in InfoSec chant it often and for some of us it might even be a daily mantra. “Use Multi-Factor Authentication!” (MFA) Sometimes called Two Factor Authentication (2FA), it adds an additional layer of security to your organization that almost allows for the use of ‘password’ as a password.

If you keep up with the Verizon Data Breach Investigations Report, you should already know that user credentials are the most sought after piece of information over all the incidents. With that kind of data to support a solution, it is still a bit surprising how many organizations out there are exposing services to the public internet without the extra layer(s) of authentication.

More Layers

As great as MFA/2FA is, it will not eliminate all of your problems. I had a troublesome case recently that involved phishing, exposed web services, Remote Access Tools (RAT), stolen credentials, and more. The part that made it really scary was how the attackers were able to figure out the infrastructure enough to almost get VPN access.

The attackers got access to email. Through email they were able to social engineer their way into quite a few areas. One of those areas was how employees obtain the token software and keys for VPN access. Let me restate that with a little more clarity. The attackers requested and got access to VPN tokens used as a part of the MFA/2FA protection.

The process of getting approved for VPN was quite a lengthy one, I know since I had to go through it for remote access as a part of the incident management. After struggling to get myself access, I was astounded at the fact that attackers were able to get so far. It took me quite a while to work through the protections even with the guys on the phone walking me through it all.

Simple Works

You know what stopped the attackers? A registry key. Nothing functional. Just a simple registry key that they inject on company assets. The VPN login process has a full posture check on validating your patches, anti-virus program version, firewall configuration, agent installs, etc. and part of that process includes checking for the existence of a simple registry key.

It might sound silly amidst discussions about all this high tech prevention and machine learning analysis, but sometimes simple works. Don’t overlook the basic protections. They add layers of protection that just might actually be the one piece that saves the day.

James Habben
@JamesHabben

Soft Skills: Be Present

On the heels of an industry conference, there are so many emotions running through me. Excitement – to apply new techniques and tools to my work. Frustration – that I didn’t get over my shyness to engage with others that also looked shy. Happiness – that I got to see friends from around the world that would otherwise be logistically difficult. Pride – that I didn’t screw up too badly while talking in my sessions. Exhaustion – that I didn’t get enough sleep because there are only 24 hours in a day. This time for me, it was Enfuse 2017.

In reflection, there was one trend that I noticed quite a lot during the conference. Many people were not being present in their conversations with others. I saw this in hallways between sessions, during mealtimes, and at the various parties. I wasn’t immune either, as I caught myself a couple times as well. There is always a lot going on at conferences, and that makes it especially hard to stay focused on the current engagement. This is one of the best times to either start building or further reinforce a connection with other like-minded folks in the industry. Some call it networking, although I prefer the word connecting because I feel that ‘networking’ doesn’t convey the right meaning.

Networking is when you go to an evening mixer party with a stack of business cards hoping that the numbers will work for you. The larger the number of people that have you card, the more likely you are to get contacted about something. That something might be a sales lead, a job opportunity, or even a free meal. This is not a bad thing.

Connecting is when you spend time to get to know a person. The key difference is how you engage. You focus on the one or few people in the circle and you pay attention to those people. You listen to the conversation and interact.

Some focus points to be present:

  1. Keep your phone in your pocket, purse or bag
  2. Turn your phone alerts off if you are too easily distracted
  3. Look at the person talking, not behind or beside
  4. Point your feet at the person (or group) to help keep your body engaged

Some points to help others be present:

  1. In a networking/connecting event, don’t latch onto one person and prevent them from being able to make other connections
  2. If you notice another person drifting away from you, politely bring it into conversation to either lock in attention or give the opportunity to disengage
  3. Pay attention to your own behavior to ensure you aren’t causing someone to drift
  4. Respect other people’s conversations – don’t barge in and take over

Any other tips you have to be present?

UPDATE: Reading Material

How To Win Friends & Influence People by Dale Carnegie
Part Two, Section 6 – How to Make People Like You Instantly

Key point: Make the other person feel important – and do it sincerely.

This book was originally written in 1936 and is still considered one of the best on this subject. It is referenced by almost every book that presents thoughts and ideas. You will serve yourself well by reading this book, and not just once.

This chapter gives many examples of situations on both sides of this recommendation – making yourself the most import and showing others that they are important. It is a great read with a lot of perspective.

There is nothing more frustrating to a person than to feel like the other person doesn’t value the discussion. Although some people do love to talk for hours regardless of anyone actually listening, I will hold off that discussion for another time. If you don’t want to be there, respectfully disengage. If you want to be there, be there.

James Habben
@JamesHabben

Real Self Improvement

This Digital Forensics and Incident Response (DFIR) industry attracts a lot of hard working individuals. The curious nature of people is what has stood out to me the most in all the people that I have talked to. We have an internal drive to find out how things work, and that is not satisfied until we know every part. This is a big part of what makes us stick to a job that can sometimes seem like a battle that could never be won.

The Ongoing Battle

The battle we face is a constant discovery of new artifacts and techniques. These come from both the offense side and the defense side. We don’t all have time to research these on our own, and the community is fortunately very supportive in that there a blogs to detail these findings. The offense finds a new hole and shares with their like minded folks. Then often times the defense finds a way to detect or monitor, and there is more sharing with the like minded community. You only need to see the list of links for a one week period on thisweekin4n6.com to understand the volume and community we have.

Constant Improvement

Because of the community, there are tons of resources to explain all the technical loveliness that we all enjoy. Improving our technical skills is a very achievable task. Reality is that some of the skills I learned to examine Win2k systems are (thankfully) starting to fade. Our tech changes with rapid speed.

What about our non-technical skills? Do you make any effort to improve how you interact with other people? These are often referred to as ‘soft skills’ and you will find them listed, in some form or another, on every job opening.

  • Strong communication skills
  • Ability to convey technical concepts to others
  • Be a team player
  • Comfortable speaking to a crowd

In fact, you might have been a witness to a peer getting a promotion instead of yourself while you have proven multiple times that you are far more technically capable than this peer. Your technical skills were likely not even part of the consideration for that promotion, as the soft skills matter much more when moving up.

Steps

The first step is always to realize. I won’t call this a problem because I don’t see it as such. It is a deficiency, and one that can easily be corrected if you will first make that realization.

Next, make a commitment to improve. I mean a real commitment. You won’t make much progress if you don’t take it seriously. Improving soft skills is a whole lot harder than improving your technical skills. You cannot do it alone.

Find someone to help you be accountable. This can be a sibling, friend, classmate, coworker, workout partner, or even someone you just met at a local association meet up. The important thing to find in this person is the ability to be called on the carpet if you are not following through. You know yourself best and what type of person you would be most receptive to.

Find a mentor (or two). This mentor doesn’t have to be someone in the DFIR industry since soft skills are pretty universal. In fact, you might find some extra insight from someone outside your circles. Don’t be afraid to aim high either. For the most part, I have found that people are very willing to give advice all the way up through the C-suite. If there is someone who you admire for a certain trait, go talk to them and find out about the struggle they had to gain that trait. There is an interesting program called infosecmentors.com that might be a good start.

Lastly, don’t waste time. This is one of the only things in this world that we can’t just make more of. We can make more money. We can learn more things. We can drink more whiskey. We can’t take back the hour that we sat listening to that one guy who just wanted to blabber on and on about the things only he thought were important. Be respectful of your time and anyone else you ask for time from. These people will want to see improvements made, or they will start to see time spend with you as a waste. Set an expectation of time with a person and don’t waste it.

More to Come

I have seen and heard a lot of discussion about soft skills in more recent times. I initially wanted to put together another ‘must read book list’, but I decided that I would take a little more time and talk about some various soft skills that we can work on improving together. I will be writing about these in future posts and I will provide information about some of the books that I continue to use in my path of improvement. This can be an intimidating set of skills to improve, and I want to help you do it.

James Habben
@JamesHabben

BsidesSLC Experience and Offer to Help

I was given the privilege of speaking at the BsidesSLC conference this month, and it was a very enjoyable conference for me. The people in the SLC area are very welcoming and the crew that puts the conference on did an amazing job. The name of the conference is changing for next year, but the format is staying pretty much the same. If you have the ability to attend next year, I would highly encourage you to do so.

Here are some points that I picked up during my attendance:

Bryce talked about a well known issue of developers posting secrets to code repositories such as GitHub or BitBucket. The funniest part of this is that these developers realize their mistake and commit a revision to remove. What happens to the previous commit? Exactly! This same mistake is made by even more developers when you include other cloud technologies like S3 storage. That WordPress vulnerability that allows file injection can lead to a complete meltdown when the attacker accesses all of your data that is stored inside S3 or other systems. Keep your secrets secret.

Bri explained the challenges in compromising Industrial Control System (ICS) devices. Getting the highest level of privilege on a system doesn’t automatically mean the compromise of the connected devices. There is a secondary payload required to further infiltrate and that secondary payload requires expert knowledge of the ICS being targeted. We aren’t yet at the point of having commoditized malware for ICS.

JC walked us through how he operates tabletop exercises for his clients. There wasn’t anything new for me in this one, but it was a great reassurance that I have been facilitating a quality exercise for all of my clients. I think the attendees should takeaway that there really needs to be a externally hired facilitator to run some of their exercises to work around any of the internal politics or bias. Mr. ‘Junior Infosec’ may not feel comfortable calling out the CEO for a wrong answer, but I am happy to do it.

Chad gave us an earful of all the various ways that Windows credentials can be picked and harvested by attackers, both on the wire and on the disk. He even provided a handout with all the additional notes he talked about. This is a very important topic to be aware of because the DBIR has consistently shown that credentials are the most targeted in incidents and breaches. Defenders need to be aware of every possibility of credential compromise in order to put safeguards in place.

Lastly, Lesley gave an inspiring talk about how we as industry have a collective skill to land a plane while not being professional pilots (at least most of us). She went through a great demonstration showing how every person (not an exaggeration) can contribute in some way to improving the security field. We just have to look at ourselves and identify the skills we have and offer the help to others that are trying to learn. No one in this field is an expert at everything, even though its hard to believe with the reputation following many people. We all have skills, and we all have something we want to learn.

My Offer to Help

I consistently see advice given to new folks in the field, or those trying to get into the field, that blogging is one of the best ways. This allows you to demonstrate the skills you have and gives you a reference on your resume. You don’t have to post about the latest research on the newest malware. Focus on the skills you have that you can share with others, or document your journey of learning a new skill. Communication is a critical skill in this industry and I challenge you to find a job listing that doesn’t ask for someone with ‘good communication skills’ or the ‘ability to explain technical concepts’. Blogging is pure demonstration of that ability.

I want to put the offer out there to anyone who wants to get into blogging but is too shy to get it rolling. If you enjoy my style and reading my posts, then reach out to me so that I can help you. I can help you to organize your thoughts into a post that flows. I can help you come up with topics. I can help you improve on your writing skills. I am even happy to have you post on this blog.

My DMs are open on twitter, and my email is first@last.net. Your move.

James Habben
@JamesHabben

BSides Los Angeles – Experience and Slides

BSides LA – the only security con on the beach. If you haven’t had the opportunity to attend, you should make the effort. The volunteer staff are dedicated to making sure the conference goes well, and this year was another example of their hard work.

I enjoyed attending and learning from a number of sessions and was tickled happy to see so many presenters referencing the Verizon DBIR to give weight to their message. The corpus of data gives us so many ways to improve our industry. You should consider contributing data from your own investigations through the VERIS framework, if you don’t already.

My presentation was titled “USB Device Analysis” and I had a lot of great conversations afterwards because of it. It was great meeting new faces that are both young and old in the industry. The enthusiasm is infectious!

Many asked me for my slides, so I thought I would share them here along with some of these thoughts. Thanks to everyone for attending my talk and to the BSides organizers for having me.

One thing I talked about that isn’t in the slides is the need for user security awareness training. The studies mentioned in the slides show that from 2011 to 2016, not much has changed with the public awareness of the danger around plugging in unknown USB drives. This has been demonstrated too many times to be a easy an effective way for attackers to infiltrate a chosen target.

For those of you that are in the Incident Response role, you don’t even have a chance to get involved unless your users realize the threat.

My slides

diff-pnp-devices.ps1 on GitHub
Feel free to reach out with questions.

James Habben
@JamesHabben

Reporting: Benefits of Peer Reviews

Now that you are writing reports to get a personal and professional benefit, let’s look at some other ways that you can get benefits from these time suckers. You need the help of others on this one, since you will be giving your reports to them in seeking a review. You need this help from outside of your little bubble to ensure that you are pushing yourself adequately.

You need a minimum of 2 reviews on the reports you write. The first review is a peer review, and the other is a manager review. You can throw additional reviews on top of these if you have the time and resources available, and that is icing on the cake.

Your employer benefits from reviews for these reasons:

  • Reduced risk and liability
  • Improved quality and accuracy
  • Thorough documentation

There are more personal benefits here too:

  • Being held to a higher standard
  • Gauge on your writing improvement
  • You get noticed

Let me explain more about these benefits in the following sections.

Personal Benefits

Because the main intention of this post is to show the personal benefits and improvements, I will start here.

Higher Standards

The phrase ‘You are your own worst critic’ gets used a lot, and I do agree with it for the most part. For those of us with a desire to learn and improve, we have that internal drive to be perfect. We want to be able to bust out a certain task and nail it 110% all of the time. When we don’t meet our high standards we get disappointed in ourselves and note the flaws to do better next time

Here is where I disagree with that statement just a bit. We can’t hold ourselves to a standard that we don’t understand or even have knowledge about. If you don’t know proper grammar, it is very difficult for you to expect better. Similarly in DFIR, if you don’t know a technique to find or parse an artifact, you don’t know that you are missing out on it.

Having a peer examiner review your report is a great way of getting a second pair of eyes on the techniques you used and the processes you performed. They can review all of your steps and ask you questions to cover any potential gaps. In doing this, you then learn how the other examiners think and approach these scenarios, and can take pieces of that into your own thinking process.

Gauging Your Improvement

Your first few rounds of peer review will likely be rough with a lot of suggestions from your peers. Don’t get discouraged, even if the peer is not being positive or kind about the improvements. Accept the challenge, and keep copies of these reviews. As time goes on, you should find yourself with fewer corrections and suggestions. You now have a metric to gauge your improvement.

Getting Noticed

This is one of the top benefits, in my opinion. Being on a team with more experienced examiners can be intimidating and frustrating when you are trying to prove your worth. This is especially hard if you are socially awkward or shy since you won’t have the personality to show off your skills.

Getting your reports reviewed by peers gives you the chance to covertly show off your skills. It’s not boasting. It’s not bragging. It’s asking for a check and suggestions on improvements. Your peers will review your cases and they will notice the effort and skill you apply, even if they don’t overtly acknowledge it. This will build the respect between examiners on the team.

Having your boss as a required part of the review process ensures that they see all the work you put in. All those professional benefits I wrote about in my previous post on reporting go to /dev/null if your boss doesn’t see your work output. If your boss doesn’t want to be a part of it, maybe its a sign that you should start shopping for a new boss.

Employer Benefits

You are part of a team, even if you are a solo examiner. You should have pride in your work, and pride in the work of your team. Being a part of the team means that you support other examiners in their personal goals, and you support the department and its business goals as well. Here are some reasons why your department will benefit as a whole from having a review process.

Reduced Risk and Liability

I want to hit the biggest one first. Business operations break down to assets and liabilities. Our biggest role in the eyes of our employers is to be an asset to reduce risk and liability. Employees in general introduce a lot of liability to a company and we do a lot to help in that area, but we also introduce some amount of risk ourselves in a different way.

We are trusted to be an unbiased authority when something has gone wrong, be it an internal HR issue or an attack on the infrastructure. Who are we really to be that authority? Have you personally examined every DLL in that Windows OS to know what is normal and what is bad? Not likely! We have tools (assets) that our employers invest in to reduce the risk of us missing that hidden malicious file. Have you browsed every website on the internet to determine which are malicious, inappropriate for work, a waste of time, or valid for business purposes? Again, not a chance. Our employers invest in proxy servers and filters (assets) from companies that specialize in exactly that to reduce the risk of us missing one of those URLs. Why shouldn’t your employer put a small investment in a process (asset) that brings another layer of protection against the risk of us potentially missing something because we haven’t experienced that specific scenario before?

Improved Accuracy and Quality

This is a no brainer really. It is embarrassing to show a report that is full of spelling, grammar, or factual errors. Your entire management chain will be judged when people outside of that chain are reading through your reports. The best conclusions and recommendations in the world can be thrown out like yesterdays garbage if they are filled with easy to find errors. It happens though, because of the amount of time it takes to write these reports. You can become blind to some of those errors, and a fresh set of eyes can spot things much quicker and easier. Having your report reviewed gives both you and your boss that extra assurance of the reduced risk of sending out errors.

Thorough Documentation

We have another one of those ‘reducing risk’ things on this one. Having your report reviewed doesn’t give you any extra documentation in itself, but it helps to ensure that the documentation given in the report is thorough.

You are typically writing the report for the investigation because you were leading it, or at least involved in some way. Because you were involved, you know the timeline of events and the various twists and turns that you inevitably had to take. It is easy to leave out what seems like pretty minor events in your own mind, because they don’t seem to make much difference in the story. With a report review, you will get someone else’s understanding of the timeline. Even better is someone who wasn’t involved in that case at all. They can identify any holes that were left by leaving out those minor events and help you to build a more comprehensive story. It can also help to identify unnecessary pieces of the timeline that only bring in complexity by giving too much detail.

Part of the Process

Report reviews need to be a standard part of your report writing process. They benefit both you and your employer in many ways. The only reason against having your reports reviewed is the extra time required by everyone involved in that process. The time is worth it, I promise you. Everyone will benefit and grow as a team.

If you have any additional thoughts on helping others sell the benefits of report reviews, feel free to leave them in the comments. Good luck!

James Habben
@JamesHabben

Report Rapport

Let me just state this right at the top. You need to be writing reports. I don’t care what type of investigation you are doing or what the findings are. You need to be writing reports.

There are plenty of reasons that your management will tell you about why you have to write a report. There are even more reasons for you to write these reports, for your own benefit. Here is a quick list of a few that I thought of, and I will discuss a bit about each in sections below.

  •  Documenting your findings
  •  Justification of your time
  • CYA
  •  Detail the thoroughness of your work
  • Show history of specific user or group
  • Justification for shiny tools
  • Measure personal growth

Documenting Your Findings

Your boss will share the recommendation for this because it’s a pretty solid one. You need to document what you have found. As DFIR investigators, security specialists, infosec analysts, etc., we are more technical in nature than the average computer user. We know the inner most workings of these computers, and often times how to exploit them in ways they weren’t designed. We dig through systems on an intimate level, and with this knowledge we can make some incorrect assumptions that others understand the most basic of things.

Take an example of a word document. A current generation word document has an extension of ‘docx’ when saved to disk. So many things fly through my mind when I see those letters. I know that because of the ‘x’, that it is a current generation. The current generation use the PK zip file format. It contains metadata, and in the form of XML. It has document data, and is also in the form of XML. It can have attachments, and those are always placed in a specific directory. I know you can keep going too. How many of your executives know this?

The people making decisions to investigate incidents and pay your salary do not need to know these things, but they do need to understand them in the context of your investigation. Document the details like your job depends on it. Use pictures and screen shots if you have to, since that helps display data in a friendlier way to less technical people. Go to town with it and be proud of what you discovered. The next time you have a similar case, you will have this as a reference to help spur thoughts and ensure completeness.

Justification of your time

We are a bunch of professionals that get paid very well, and we work hard for it. How many times in the last month have you thought or said to yourself that you do not have enough time in the day to complete all the work that is being placed in your queue?

 When you report on your work, you are providing documentation of your work. The pile of hard drives on your desk makes it seem to others that you can’t keep up. That could mean that they are asking too much of you, or it could mean that you aren’t capable enough. You don’t want to leave that kind of question in the minds of your management. Write the reports to show the time you are spending. Show them how much work is required for a ‘quick check into this ransomware email’ and that it isn’t actually just a quick check. If you do this right, you might just find yourself with a new partner to help ease that workload.

CYA

People like to place blame on others to make sure they are clear. Your reports should document the facts how they are laid out, and let it speak for itself. You should include information about when data was requested and when it was collected. Document the state of the data and what was needed to make it usable, if that was required. Track information about your security devices and how they detected or didn’t detect pieces of the threat. You should be serving as a neutral party in the investigation to find the answers, not place the blame.

Detail the thoroughness of your work

So many investigations are opened with a broad objective, and that is to find the malware. Depending on the system and other security devices, it could be as easy as running an AV scan on the disk. Most times, in my experience at least, this is going to come up clean since it didn’t get detected in the first place anyways.

You are an expert. Show it in your reports. Give those gritty details that you love to dig into, and not just those about what you found. The findings are important, but you should also document the things you did that resulted in no findings. You spend a lot of time and some people don’t understand what’s required beyond an AV scan.

Show history of specific user or group

If you are an investigator working for a company, you are guaranteed to find those users that always get infected. They are frustrating because it causes more work for you, and they are usually some little Possibly Unwanted Program (PUP) or ransomware. They are the type of person that falls for everything, and you have probably thought or said some things about them that don’t need to be repeated.

Document your investigations, and you will be able to show that Thurston Howell III has a pattern of clicking on things he shouldn’t. Don’t target these people though. Document everything. As a proactive measure, you could start building a report summarizing your reports. Similar to the industry reports about attack trends, you can show internal trends and patterns that indicate things like a training program is needed keep users from clicking on those dang links. This can also support justification to restrict permissions for higher risk people and groups, and now you have data to back up the fact of being high risk. There can be loads of data at your disposal, and it’s limited by your imagination on how to effectively use it.

Justification for shiny tools

Have you asked for a new security tool and been turned down because it costs too much? What if you could provide facts showing that it is actually costing more to NOT have this tool?

Your reports provide documentation of facts and time. You can use these to easily show a cost analysis. Do the math on the number of investigations related to this tool, the hours involved in those investigations by everyone, not just you. You will have to put together a little extra on showing how much time the new fanciness will save, but you should have done the hard part by already writing reports.

Measure personal growth

This one is completely about you. We all grow as people, and we change the way we write and think. We do this because of our experiences, and our understanding that we can evolve to be better. Do you write like you did in 1st grade? Hope not! How about 12th grade? Unless you are a freshman in college, you have probably improved from there also.

When you write reports, you give yourself the ability to measure your growth. This can be very motivating, but it takes personal drive. If you have any reports from even just 6 months ago, go back and read them. You might even ask yourself who actually wrote that report, and I don’t think that’s a bad thing!

Final report

Reports can be a rather tedious part of our job, but if you embrace the personal benefits it can really become a fun part. Take pride in your investigation and display that in your reports. It will show. It works similar to smiling when you talk on the phone. People can tell the difference.

If you are writing reports today, good for you! Push yourself further and make it fun.

If you are not writing reports today, DO IT!

I am starting a mini series of posts on reporting. Future posts will be on structure and various sections of an investigative report. These are all my experiences and opinions, and I welcome your comments as well. Let’s all improve our reports together!

James Habben