Saturday, July 23, 2011

Tools in the Toolbox - What is our goal?

As a follow-up to some questions I have received about the tools in my toolbox, I thought a new blog post might help answer them.

Have you actually used the tool in real world scenarios?
                Currently this build-out is something new to the team and the company. Our response to malware has been a chaotic mix of multiple best attempts at investigating the issue. Over the last few months we have taken more of a baseline approach to what we want to track and how we plan to react. Some of the tools in this kit I have used; others have been recommended by people who use them.
What is your goal from the toolbox?
                My team supports a global company, so it is impossible for one of us to physically approach every machine. Remoting into a machine is difficult because of the various trusts in place in the network, and my team is not staffed 24/7; we have after-hours support if needed. With that in mind, the tools I am looking for should meet the following:
                Data collection that is scriptable.
                Simple user interface as needed.
                Application should be a portable solution, able to be installed on a thumb drive.
                Application should be easy to use, with minimal training for support staff.
                Utilities and results should fit, uncompressed, within 4GB.
Keeping that in mind, if I cannot script my utilities to gather the data I need there will be push-back, and the broad adoption we are looking for is less likely. Eventually we will add more robust tools and collect more data, but right now I am keeping it simple.

Why did you select the following tools?
                I have selected the tools based on familiarity with them, the purpose of the tool, command-line functionality, and some personal preference. I do expect to adapt and replace the tools as needed while figuring out which tools provide the best solutions for our malware incident response.

Why didn’t you select a specific tool?
                The main reasons I did not add a tool are my lack of familiarity with it as I start this process, and the lack of a simple command-line collection mode. Another reason is that I have not heard of it; this is a new process on our team, and I am working at getting the best free tools for our purpose. That requires testing and learning which tools are the best options for our kit.

While currently I am using a paid application, SEP Tools, I am hoping to get the entire collection kit made up of freeware/shareware and pass the utility out to the community.

Thursday, July 21, 2011

Tools in the Toolbox - The Beginnings - Collection Script

Recently my team at work has started to take a more active approach to malware incident response. This is a giant step for us as we move to align more with a security-needs standpoint than a business-needs standpoint. With this change we are working at getting a consistent response to the collection of data from the impacted machine. Since this part interests me I have tried to take on a more active role. One thing I am working at putting together is a collection of tools that can be loaded on a collection USB and used to grab a baseline of our data.

One of the first hurdles I have overcome is the need to pass command-line arguments to some of the applications to gather the detail we need. Since we are relying on a third party to gather this information, we want this to be as smooth as possible.

I am stronger in my VBScript-foo than in most other scripting languages, so I created a VBScript that supplies the command-line values for my applications.
Currently it is only running Mandiant's Red Curtain. I will be adding command-line support for the following:
Symantec Endpoint Protection Analysis Tool (available to Symantec Endpoint Protection clients)
Mandiant Red Curtain
Mandiant Redline (Memoryze; currently producing errors, not included)
Here is the script:
Option Explicit
Dim oShell, oFSO, strUser, pathname, rc

' We need to identify who we are collecting information from
strUser = InputBox("userID of Impacted User")

' Find the folder this script lives in so we can call the tools relative to it
' (GetParentFolderName returns the path without a trailing backslash)
Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
pathname = oFSO.GetParentFolderName(WScript.ScriptFullName)
oShell.CurrentDirectory = pathname

' Run each tool from its own folder. Folder paths are quoted in case the drive
' path contains spaces. Run(..., 1, False) does not wait and cmd /K keeps each
' window open, so the tools start at the same time in separate windows.

' Getting Red_Curtain report and saving it (output lands in the Red_Curtain folder)
rc = oShell.Run("cmd /K CD /D """ & pathname & "\Red_Curtain"" & MRCAgent.exe epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\ " & strUser & ".xml", 1, False)

' Getting SEP report and saving it into the Results folder
rc = oShell.Run("cmd /K CD /D """ & pathname & "\SEP_Tools"" & Sep_SupportTools.exe -noup -def -fg -lp -out """ & pathname & "\Results""", 1, False)

' Getting Redline and Memoryze report and saving it (not yet added)
Set oShell = Nothing

**Disclaimer:
This code is provided as is with no warranty, it is designed to make my life easier, and hopefully yours as well.

Known Issues:
It opens a new command prompt for each task and runs all tasks simultaneously.
I would like it to run them in order, one at a time, so the information is not corrupted; running them in the same window would be great as well.
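The following is an added example, not the script above and not code from Mandiant or Symantec, showing one way to address the known issue: each tool is run from its own folder with Run's wait flag set, so the next tool starts only after the previous one has exited and written its output, and the exit code of each step is recorded in a log in the Results folder. It assumes the same layout as the original (Red_Curtain\ and SEP_Tools\ beside the script, a Results\ folder for output) and the same tool command lines; the log file name, the check that each tool's exe is present before running it, and writing the Red Curtain XML into Results\ instead of the tool folder are my own choices.

```vbscript
' Added example (not the original collection script): run each tool in turn,
' wait for it to finish, and log the exit code.
' Assumes: script sits at the root of the collection drive with Red_Curtain\
' and SEP_Tools\ beside it; output goes to Results\ next to the script.
Option Explicit

Dim oShell, oFSO, strUser, pathname, resultsDir, logFile

Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

strUser = Trim(InputBox("userID of Impacted User"))
If strUser = "" Then
    WScript.Echo "No user ID given, nothing collected."
    WScript.Quit 1
End If

' Locate the drive the script runs from, so paths work whatever letter Windows assigned
pathname = oFSO.GetParentFolderName(WScript.ScriptFullName)
resultsDir = oFSO.BuildPath(pathname, "Results")
If Not oFSO.FolderExists(resultsDir) Then oFSO.CreateFolder resultsDir
logFile = oFSO.BuildPath(resultsDir, strUser & "_collection.log")   ' assumed name

' Append one timestamped line to the collection log
Sub WriteLog(msg)
    Dim f
    Set f = oFSO.OpenTextFile(logFile, 8, True)   ' 8 = ForAppending, create if missing
    f.WriteLine Now & "  " & msg
    f.Close
End Sub

' Run one tool from its own folder and wait for it. Returns the exit code,
' or -1 if the tool is not on the drive. cmd /C (not /K) closes the console
' when the tool exits; the third Run argument (True) blocks until then.
Function RunTool(toolName, workDir, exeName, args)
    Dim rc
    If Not oFSO.FileExists(oFSO.BuildPath(workDir, exeName)) Then
        WriteLog toolName & ": " & exeName & " not found in " & workDir & ", skipped"
        RunTool = -1
        Exit Function
    End If
    oShell.CurrentDirectory = workDir
    WriteLog toolName & ": starting  " & exeName & " " & args
    rc = oShell.Run("cmd /C " & exeName & " " & args, 1, True)
    WriteLog toolName & ": finished, exit code " & rc
    RunTool = rc
End Function

' Red Curtain: same arguments as the original script; output file named after the user
Call RunTool("Red Curtain", oFSO.BuildPath(pathname, "Red_Curtain"), "MRCAgent.exe", _
    "epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\ """ & _
    oFSO.BuildPath(resultsDir, strUser & ".xml") & """")

' SEP support tool: same switches as the original script
Call RunTool("SEP Support Tool", oFSO.BuildPath(pathname, "SEP_Tools"), "Sep_SupportTools.exe", _
    "-noup -def -fg -lp -out """ & resultsDir & """")

WriteLog "collection complete for " & strUser
WScript.Echo "Collection complete. See " & logFile
```

Because Run blocks until each tool exits, the SEP tool cannot start while MRCAgent.exe is still writing its XML, which is the corruption concern in the known issue. Each tool still gets its own console (it closes on exit); to keep everything in one place instead, redirect each tool's output into a file under Results\ on the cmd /C line. The exit codes in the log let whoever collected the drive see whether a step failed without having watched the windows.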

I will update this script as I add more to it. 

Feature Request: Adding some sysinternal items to it. 

External Resources:
Redline on USB Drive

Wednesday, July 20, 2011

Mandiant's Tweetfest - Working for Mandiant Q/A

Mandiant Tweetfest
For those that missed the Mandiant Q/A session on July 20th 2011, I tried to grab all the questions and answers as they came in. If I missed anything let me know and I will add it to the list. Questions have been modified and combined as needed to keep a concise flow and to remove Twitter-speak where needed.
A quick thank you to the Mandiant Team that handled this:
@Mandiant
@Taosecurity
@Davemerkel
@mjg5772
@wendilou2

Questions that got answered:
Q. Do you need a red team experienced consultant in the Boston area?
A. Mandiant does proactive work. 

Q. How does Mandiant handle a person with a military leave of absence? Some companies match pay, some don't? The potential pay cuts I would face if I got mobilized or activated are too substantial to consider.
A. We don't match pay, however we do allow you to use your paid leave 

Q. What are the key skill sets that you look for in a new InfoSec Specialist? Any tool/application/os knowledge that you look for?
A. forensic analysis, IR experience, malware analysis, networking/operations, and software development are a few examples. Entry level candidates need: passion in security, strong technical background, & unparalleled motivation to work hard and learn 

Q. Roughly what % travel is expected from your consultants? About how much of that would be in-area vs. out of area?
A. Travel varies per engagement &type of work, but can be anywhere from 10-60% at times, depending on work avail & personal preference.

Q. What are the guidelines for employees? Is it true Mandiant requires a clearance?
A. A security clearance isn't required to work at Mandiant, about half carry one. 

Q. What are the typical work hours? M-F 9-5 or do they rotate?
A. As an emerging company M-F 9-5 not normal. Hours vary by position and project, but not 40 hr/week. Work hours depend on job type and current engagements. Consultants vary, product are more regular, MCIRT between.

Q. For prospects outside of the job area, do you offer relocation services? Do you consider "entry level" positions from out of area? Relo isn't feasible for lots of #dfir types, obviously.
A. We do not typically offer relocation. We do consider entry-level from out of area 

Q. dress code please ;) shirt and ties or MMA friendly
A. Dress code varies w/role. Consultants on site tend to wear suits. Product is more relaxed. MCIRT is biz casual.

Q. What's it like to work Mandiant as a product engineer?
A. Glorious. build cool stuff. 

Q. What about side coding projects?
A. Yes. Innovation opportunities abound. 

Q. Do consultants work out of an office or can work remotely (e.g. for those not on a coast)? 
A. Only Midwest office today is my house in Mpls; some staff commute to office/work remote.  

Q. What is the culture? Is management open to new ideas, personal growth, volunteering? How? Do they support conference attendance? Edu? Certs?
A. As mgmt, I'd say open innovative, hard working. Certs don't match growth experience of working here. Culture is open. We're a small company with lots of interaction. If you have a good idea someone will listen. We do have edu programs and support vol efforts. For my team, I support sec cons as a way to interact with peers and dev skills. Certs aren't as high a priority. 

Q. Will Mandiant offer training for new hire/entry level position? What are the expectations for entry level? 
A. Entry level software/quality engineers: CS degree, live2code, drink caffeine, like to make things, smart. *Mandiant mentions training in other questions asked

Q. What quals/certs if any do you look for in an entry-level sec position? 
A. Mandiant is more likely to see a cert as a way to focus interview questions; we don't use certs to vet candidates 

Q. How can someone searching jobs know which job(s) allow remote work since they all list a location?
A. Case by case RT  Fresh noobs usually need to work in-office.

Q. And what about degrees? What 4-year degree is sought after the most? 
A. An entry-level Mandiant applicant participates in an open source project, or who did security in school, is #FTWDegrees for me indicate interests you've had, not necessarily skill set. For example, we don't all have CS degrees 

Q. What type of team members does Mandiant look for? People who know their skills, are able to travel?
A. Travel & skills are needed- but motivation for security & work ethic are important too 

Q. With the amount of talent Mandiant does the company offer a "mentoring" program where noobs can learn for the veterans?
A. Mentoring styles depend on biz line. In MCIRT we have different levels of analysts, so mentoring is built-in. And the student is sometimes the teacher, as well. Everybody can learn something. 

Q.  Innovation opportunities abound. - give examples? how much time a month can be allocated to research?
A. Not a set allocation, Take initiative, demonstrate skill, have impact, get more oppty. 
Depends how much sleep you get. I have a toddler. 

Q. What sort of Digital Forensics, Incident Response cases does Mandiant do? All intrusions, or do you also do insider threat, inappropriate use, CP, malware, etc? 
A. On the MCIRT side, we focus more on intrusions, but care about whatever the customer considers to be highest risk 

Q. People generally get to pick what they consider "right tools for right job" (software, hw, etc) or is it centrally managed? 
A. Is fairly loosely managed, tech-wise. Still, certain roles are expected to be able to use certain tools, eg MIR. Experts pick tools w/reason, though is managed. We also use our own products.

Q. What technical skills are needed to move into a manager-level position?
A. Strong foundation in tech consulting More skills == more customer/coworker confidence in you. People skills count.

Q. Any particular past employment you look for? military, or specific consulting companies?
A. Not necessarily For MCIRT I like to see people with enterprise tech security team experience, or consulting, or CIRT backgrounds. We're looking for all backgrounds- operations, military, LE, consulting, dev, intel-as long as u bring the passion & skills 
Mandiant hires many vets, but we hire many people with no military experience and most customers are non-mil too. For software engineers looking for passion writing software. Could be demo'd via many backgrounds. 

Q. Does familiarity with Mandiant tools help increase the value of a prospective applicant?
A. Doesn't hurt, doesn't hurt. Definitely not a sole qualifier though.  

Q. Any project/work on mobile security/ future platform?
A. Yes We definitely have "other platform" work going on 

Q. What % of your work is for non-defense clients? Outside of .mil + related .com. 
A. Tricky stats. Maybe half? Depends on the bad guys. Depends. '08 was big for card fraud. '09-10 more APT work. Future? Ask bad guys. 

Q. Canadian opportunities? Will there ever be? 
A. You never know

Q. When does the narwhal bacon?
A. At Midnight.

Q.  What type of offensive work or research is being done by your people?
A. You'll see Mandiant credited in security advisories occasionally. Not always. 

Q. For consultants what is the breakdown of office face time, versus telecommuting versus travel?
A. It depends.

Q. Are there teleworking options for MCIRT? 
A. Please apply to the jobs you will see posted online. More arriving soon. We consider remote workers on a case-by-case basis. 

Q. Speaking of that, what's the dress code when not customer facing?
A. Product engineer dress code: as expected at google/facebook/anyothertechshop.

Unanswered questions:
How well do you need to know EnCase to work a forensics case for Mandiant?
What kind of interaction does management have when employees come up with potential business devel? None/willing to listen/etc
Are there opportunities for transfer to european office for US employees?
Would a Computer Forensics I certificate from CSUF be equivalent to a CS grad?
How competitive are salaries?
If a cert is more to focus interview questions, what makes an entry-level applicant stand out? 
Companies want to max investments even in hiring, what is the employee vetting process? Standard certs acceptance background checks etc?  *Somewhat answered in previous questions.

Comments from the Gallery
Like to build UI? Want to build one that doesn't suck for a security product? Working hard Mandiant we need u. 
Also check out Mandiant 2nd annual conference on all things IR, Security, & interesting attack trends/methodology

Other questions asked that were not answered but could be found on Mandiant's website:
At MANDIANT we strive to be different. From how we work to how we play to how we hire. Sure, we will tell you how we are like the other guys. Our consultants have degrees from top universities; they carry multiple industry certifications; and have top government clearances. Of course we offer comprehensive benefits — 100% company paid health and dental insurance, 401k with match, patent and publication bonuses, three weeks of paid vacation, eight days of paid sick leave and 11 paid holidays — the standard stuff. We will tell you that our mission — in the words of CEO Kevin Mandia is "to be the strongest incident response, computer forensics and information security company. Period." We accomplish that by hiring only the most talented, passionate and specialized professionals throughout the security industry.

Tuesday, July 19, 2011

Motivational Spark, Goals Defined

So last night I was on Twitter, and I happened to see that SANS Forensics and Rob Lee both linked to my blog. This has turned a blog with an average of 3 visits a week into 167+ in one night. The sort of excitement one feels when first linked to by a blog they follow is one I cannot explain. Of course now I realize I must clean up my writing and strengthen my blog-fu to keep my visitors educated and entertained.
My first step in this journey is to get my MS in Information Assurance. I will be attending Iowa State University to pursue this degree. I chose them because of location, the hybrid option (online/onsite) for some of my classes, the fact that it is an NSA CAE school, and because I can get a good technical background as I build my experience.

Classes I am enrolled in this fall are as follows:

For the rest of my list, I will be gaining experience with the tools as I build out my lab at work and start investigating malware and researching aspects of forensic analysis on them.
I will be pulling out my CHFI manuals; while I did not feel the certification class was worth the money spent, I do feel the books might hold more value than just paperweights.

Reading material that I will be either dusting off, or gathering will contain:

Stephen Northcutt, Mark Cooper, Matt Fearnow, and Karen Frederick, Intrusion Signatures and Analysis
Chris Prosise and Kevin Mandia, Incident Response: Investigating Computer Crime
Brian Carrier, File System Forensic Analysis
Bruce Middleton, Cyber Crime Investigator's Field Guide
Richard Bejtlich, Keith Jones and Curtis Rose, Real Digital Forensics
Cory Altheide and Harlan Carvey, Digital Forensics with Open Source Tools


Online Resources that will be utilized include:

This should get me through the end of the year with my first semester under my belt and all this extra reading. It will allow me to build my skill set and help define what my thesis study will follow.
Any suggestions on a thesis research topic would be wonderful.

Friday, July 15, 2011

Foundations in Security

I have taken a few days off from writing this because I have received word back on the application I submitted. While I had a good feeling that I was not going to meet all the requirements, I still felt I needed to try. The company I applied to is one I would consider a leader in the industry, and it doesn't hurt that 3 of the people I would give almost anything to work for or with were with the company when I applied.
I have looked over the rejection letter and determined what I need to work on to improve my chances of getting to work with this company, or, if things happen the way they usually do, with a company one of these three idols works for.
The next two years will include the following training:
  • Masters of Science in Information Assurance
  • Perl Scripting
  • Unix Administration 
  • Windows Administration
  • Experience with forensic image collection and analysis (Helix, SIFT)
  • Backtrack
  • Public Speaking abilities
  • Deeper understanding of network protocols
  • SANS 408/508 Certification


I will also be asking those InfoSec gurus I follow for other advice on what skill sets they feel are important in the field. I will include that here, in the hope that other future forensicators find it useful.

Friday, July 8, 2011

A funny thing happened on the way to my MS degree..

For those that have been able to catch up on my last 2 posts, you will have seen that I am planning on going back to get my Masters in Information Assurance. Since July 1st, I have had an interesting roller coaster of an education plan. Quick recap:

My dream job was doing digital forensics and profiling online predators. I felt that my best option would be a Ph.D., joining the FBI and taking part in the Innocent Images program or the Behavioral Science Unit. After talking with a few agents, the reality of following that path became clear: I was becoming too old to do it, so I fell back to my other love, Digital Forensics and Incident Response. By changing from the Ph.D. track to the MS track a lot of stress left my life.

On July 5th, I received notification that a company in my top 10 preferred employers has opened positions doing DFIR. This company also employs the authors of the first two IT security books I read that were not college-required textbooks. The opportunities this company offers are INCREDIBLE!

So I have cleaned up my resume, talked to my wife about a possible relocation and I am rolling the dice. The worst thing that will happen is they say no.. the best thing that will happen is I am relocating, working with incredible talent, doing what I am passionate about...

If this doesn't happen, it means 2 years in a masters program, working to build my skill sets and push a strong DFIR position in my current company, and then re-applying in 2-3 years.

Wish me luck.

Wednesday, July 6, 2011

The Path to a Lethal Forensicator

This is what I want to achieve; this is my goal for my career. This is what a Lethal Forensicator is:
The Coin is designed to be awarded to those who demonstrate exceptional talent, contributions, or helps to lead in the digital forensics profession and community. The Coin is meant to be an honor to receive it; it is also intended to be rare. Those who join the Lethal Forensicators Unit will have all privileges and recognition.
These lethal forensicators who earn the Coin can detect and eradicate advanced threats in their organizations. Those that hold the coin have been properly trained incident responders or investigators and might be the only defense your organization has left in place during a compromise or a complex digital investigation. These analysts know what they are up against and continually strive to further not only their knowledge, but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community. They stay ahead by constantly seeking new knowledge and experience. Often, they are the leaders in the digital forensics and incident response community.
Special recognition has been created for those that have exhibited the qualities described above. We need something that recognizes leadership, talent, and expertise in the digital forensics field. The SANS Institute Lethal Forensicator Coin is one way the SANS Institute recognizes those in the field that deserve special recognition and a thank you for their continued efforts.

The path for this journey is not going to be easy. It will require a multitude of sacrifices not only for me but for my family. It requires that my focus for the next 10 years will be to improve my skills, my talents, and my offering for the Digital Forensic field. I am willing to make these sacrifices, and I know that my family supports my decision to do this. 

The first step on our journey is for me to fill in some deficiencies in my skill set, and to develop the new skills required to be a Lethal Forensicator. This means I will be building out an ESX box to host multiple machines and run digital forensics against infections to build up my incident response and forensics skills. I will also be attending Iowa State University to pursue my MS in Information Assurance. Last year I attended a week-long training for Computer Hacking Forensic Investigator, not the best training I ever had. I realized over the last few weeks that while the class is lacking, it can be a stepping stone in my certifications for gaining this experience.

I also start my first semester for my Masters on August 22nd, my classes include digital forensics and network protocols, should be an easy and fun semester. I will also be attending GFIRST and taking all the forensics tracks I can take. Over the next 24 months my concentration will be in learning everything I can for this. 

Once graduation happens the biggest sacrifice of all comes into play. There are limited opportunities in the Midwest for digital forensics; the best market location in the US is the Washington DC area. That means there is a potential sacrifice of moving my family away from everyone we know and the place we call home, to make a new go at it so I can follow my dreams.

In these two years I can also stalk the few companies that I am interested in working for them and target my skill sets for them, and get to know their elite staff, so that when I do apply I know that it will be a great fit....

I love my family.. 

Monday, July 4, 2011

Welcome Back

I have chosen to try this again; I am not sure why or how I got sidetracked in my blogging. A lot has happened in the last year that has led me back to this path and to actually finding a good topic to carry this blog through the next couple of years.

Those that know me long enough know that I have only been doing IT for about 7 years and infosec for about 5 of those. My passion lies in Digital Forensics, because of a professor I had at ITT-Tech, who introduced me to Helix. You can read more of my background in here.

So what has happened that made me decide to start blogging again? After a few heartfelt conversations with my wonderful and supportive wife, I decided it was time to go back to school for a Ph.D. My dream position would have been profiling online predators, but after talking to a few law enforcement specialists I realized that my window for following that dream is quickly closing and a Ph.D. is not going to be attainable. While I would like to say that initially I was disappointed, I would be lying; I was not looking forward to the Algorithm Design and Analysis class I would need to take. I found out that instead I could get past it by going for a Masters degree, and I think that will help fill the gaps in my skill set.

Since I stopped writing in my blog I have attended the Computer Hacking Forensic Investigator week-long training session. It was one of the first certifications I was not impressed with: a lot of very broad information, and for the cost I could have gotten a SANS certification.

With everything that has happened over the past year, I have decided to change the direction of this blog. I am going to track and record my journey from Information Security Specialist to Lethal Forensicator; hopefully someone can learn from my experience and build on it.