Friday, August 12, 2011

Gfirst Overview – The Good, The Bad, and the WTF?

I have spent my last week at the 7th annual GFIRST conference in Nashville TN. The spectrum of presentations that I have seen has ranged from "this could be interesting", "this I am going to deploy", and "I am not cool enough to get into this secured room", to the stealthy vendor presentations on what their products can do.

My week started off with a two-day training session with Netwitness. I can see so MUCH promise with their Investigator and PCAP files in the environment; this is something I plan to pursue when I get back into the office.

Tuesday started off with a class titled Visualizing Change-Over-Time to Support Digital Forensics. The idea that Mr. Leschke is attempting to produce sounds like it will provide numerous advancements in Digital Forensics by visualizing changes in the file structure of a machine that is being investigated. While it is not ready for consumption by fellow investigators, it does show some promise.

My second session on Tuesday was called A New Look Using Different Traffic Analysis to Find Emerging Non-Signature Threats: One of These Things Is Not Like the Others. The talk looked at how to profile traffic based on Layer-7 metadata. While at a high level this is interesting, about halfway through the talk I started to get a sinking feeling that there was a stealthy ninja lurking in the depths of the final slide, and BOOM!! He sprung out. What could have been an interesting talk on utilizing open source tools and technology turned into a glorified sales pitch for Narus. This was probably the only WTF sales pitch I heard all week. I think Chris Sanders summed it up best:
Unfortunately, being a vendor talk, Mr. Cavuto didn't provide anything that would help people generate layer 7 metadata, but he did have a product he was selling that would do it. Fortunately, I have some code that will generate this type of metadata from PCAP. I'm going to button that up and release it here at some point…for free

My final session on Tuesday was Investigating Coordinated Data Exfiltration of Corporate Data. I was not sure what to expect out of this, except that I have followed Andrew Case (attrc) on Twitter for some time and I have enjoyed his insight on the subject of Digital Forensics. I had also assumed he was going to be much older; I think, though, that he is younger than me. I was not aware of Dr. Golden Richard's work until that session. When I left that session I had taken over 4 pages of notes on techniques, investigation points and areas for potential thesis research. The class was VERY informative for a novice investigator, and the best one that I saw on Tuesday.

On Wednesday, I was only able to get into the last 30 minutes of my first class, and that was because I initially went to the wrong room. The class was titled Real-World Security Scripting by Chris Sanders and Jason Smith. All I can say is that this class WAS AWESOME!! Everything I liked about the Ninja Narus vendor talk on Tuesday was covered in here, utilizing free scripts and tools that Chris and Jason created. The potential of deploying this in a small environment is outstanding; deploying it into a large SOC becomes freaking incredible. Files are freely available on Forge.Mil; you will need DoD credentials to get access, or bother Chris and he will send them. I am not sure what was covered in the first part of the class, but from those I have talked to, everything built on the previously discussed tools. I regret missing the first part of this.
I initially was going to sit in on the Sniper Forensics class hosted by Christopher Pogue. It was held in the same room as the Ninja Narus vendor presentation, so I decided to skip out of the first half and visit the CERT/SEI session that utilized their Virtual Environment for Malware and Insider Threat. It was interesting that they have this available to them; it is a shame it's not available to the public. It has the potential to educate and train a lot of security analysts.

I did end up sneaking into the last half of Sniper Forensics, and regret that I missed the first half. Chris’s presentation was incredible and I learned a lot in the class. Wednesday was one of the more educational days that I had at Gfirst.

Thursday started off with the Mandiant presentation on OpenIOC and finding evil, and how you can use this framework to find evil in your environment. Chris Bream and David Ross did a wonderful job informing us and not trying to turn this into a vendor pitch. OpenIOC is free, but it is the responsibility of the organization to populate the IOCs, because Mandiant will not provide them unless you are paying for their service. There were two reasons given: if the Evil Hacker knew which IOCs we are looking at, then they would change them and we would lose that aspect; and Mandiant is a business, and this is stuff they have found over time. I do not feel that Chris or David was there to sell Mandiant as a service; they were more interested in pushing the knowledge out there that this option exists, that they are working to make it better, and that they would love to see the community pick it up and run with it. Also, do not forget about MIRcon and the Beer Party, because Mandiant is staffed with a bunch of Beer Snobs….. They also informed us that Mandiant is hiring……..

I was going to skip out on the next session and crash the Lockpick Association tradeshow to look for some cool tools; thankfully that was not open, so I was stuck attending Using Social Networks To Profile, Find, and Own Your Victims. This was my first encounter with Dave Marcus, and it was an incredible session. Social hacking is something that interests me, because people are usually trusting and open, and while online things become even more open and easier to find. I enjoyed this class a lot; it has to be one of my favorite classes during GFirst. I have started following Dave on Twitter, and I plan on attending other classes he teaches if given the chance. Some of the information provided by Dave I was aware of, and some of it just floored me. Keep it up Dave!!

My third class of the day was Anatomy of Financial Crimeware and Mobile Banking Trojans. The topic itself is interesting, and of course, working in the financial industry, I had high expectations for this. Unfortunately, the first 45 mins of the class was stuff I have already encountered and researched; the last 15 mins were somewhat interesting, and I did like the example of a fragmentation attack using swipe cards for access. This was more of an introductory class on various threats.

My last class of the day was hosted by Karlo Arozqueta and was called Close Tickets Faster! Windows IR via CMD Tools. Innovation was the buzzword of the class. One question that Karlo presented to us was: do we know EVERYTHING that our product can do? Are we monitoring EVERYTHING that we can? He then stepped into showing some scripts that he uses to gather information on a remote Windows machine using Windows utilities. There is some interesting stuff here for a novice investigator or even one with years of experience. Another takeaway from the class is that you are unable to copy/paste a command from a 2007 or newer XLS file into a command line if the command has a quote mark in it. There were a few interesting command lines shown; Karlo was not sure how some of the things worked in Windows 7 and with wireless, but promises that it works wonders with XP.

Friday morning opened with my first and only session of the day. It was about Finding Covert Channels and Obfuscation of Malware. This class started off as a great primer for those new to the techniques of malware obfuscation, teaching those new to the craft and even those with some experience in hunting malware. Adam walked us through the analysis of malware using IDA Pro and OllyDbg. He started off with some easy stuff to give us a feel for it, then ended with a custom malware sample that he had reversed, which reports back to his own C&C. I learned a lot of useful information in this class, and would recommend that anyone interested in malware analysis take a chance and sit in on any of his presentations.

Overall I felt that the training and sessions that I sat in on during GFIRST were top tier. The presenters knew what they were discussing, and it forced me to challenge my thinking and philosophies as an infosecurity specialist. The people I have met and learned from are top-notch professionals who care about their craft and the community. If you ever have a chance to attend this free conference, I would highly recommend it.

1 comment:

  1. I was at GFIRST as well, but it seems we did not often go to the same sessions. Like you, I found some sessions a waste, but some quite good. I have found something worthwhile at each of the three GFIRSTs I have been to. Like you, I recommend them to anyone, at least anyone working in or around government.