Friday, November 9, 2012

GCIA Exam Prep

So, I attended the SANS Rocky Mountain Conference in Denver last June.  It was an odd venue at The Curtis.  My room was on the 13th floor, and every time the elevator doors opened up I was greeted by Jack Nicholson’s voice saying “Here’s Johnny!”  Accommodations aside, I took the SEC503, Intrusion Detection course with the master Mike Poor guiding the class through a week of deep dive into the world of decoding Binary to Hex to Decimal to Binary to Decimal to Portuguese to Hex to Russian to, well you get the idea.

Things I learned

Packet Analysis isn’t that difficult if you understand a few basics.  (Note: I didn’t say good analysis.)

There are plenty of tools out there to make your job easier, but there are times when the tools aren’t going to work as expected.  In those cases (often the most critical if dealing with a new 0-Day exploit or crafted packets that bypass known signatures), it is imperative to understand how to manually decode packets to find where the evil is hiding.

A determined attacker can always find a way in.  The really good attacker does so with very minimal noise.  For example, on day 6 during the PCAP analysis challenge, one of the things that really stood out to me was that there were several different attempts to compromise the honeypot we were asked to analyze, but the successful attacker was able to gain root access and do so by generating less than 1% of all the alerts that were triggered by the snort signatures we were using.  Talk about finding the smallest needle in the needle-stack!

Review your logs!  This is one of those things that every admin knows he ought to do, but never seems to find the time to do it right.  The key to managing your time for reviewing logs and alerts for Intrusion Analysts is minimizing the number of false positives.  This involves knowing how to build an IDS in such a way as to detect the attacks that are most likely to succeed in the environment you are trying to protect.  Is there really a point in alerting on the fact that someone just tried to port scan your network?  Maybe, but it depends on how much time you are really going to spend researching that event.  Are you really getting any value out of that snort alert letting you know that SQL Slammer is still probing port 1434, even though your firewall doesn’t allow any traffic from the outside in to port 1434?

Regrets

I wish I would have spent a little more time before class studying up on some of the material to have a better foundation to build on.  For example, my *nix-fu is less than stellar.  I’ll admit, I’m still in grasshopper mode when it comes to chaining command line tools together like cut, uniq, sort, awk, and sed.
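Here is an added example (not from the post or the SEC503 material) of that kind of tool chaining, applied to the alert-review point above: it uses awk and sed to pull fields out of constructed Snort fast-format alert lines, counts alerts per source and per signature so that a low-noise source stands out, reports one source's share of all alerts (the "less than 1%" observation from the honeypot challenge), and drops alerts to a destination port the firewall already blocks, as with the port 1434 example. All addresses, sids and signature messages are constructed.

```shell
# Added example, not from the post or the course: triage Snort "fast" alert
# lines with the sort/uniq/awk/sed chain the post mentions. The alert lines,
# addresses, sids (local 1000001+ range) and messages are all constructed.
ALERTS='11/09-10:01:02.000001  [**] [1:1000001:1] MS-SQL worm probe (sample) [**] [Priority: 2] {UDP} 198.51.100.5:1030 -> 192.0.2.10:1434
11/09-10:01:02.100001  [**] [1:1000001:1] MS-SQL worm probe (sample) [**] [Priority: 2] {UDP} 198.51.100.5:1030 -> 192.0.2.11:1434
11/09-10:01:02.200001  [**] [1:1000001:1] MS-SQL worm probe (sample) [**] [Priority: 2] {UDP} 198.51.100.5:1030 -> 192.0.2.12:1434
11/09-10:02:15.000001  [**] [1:1000002:1] Portscan (sample) [**] [Priority: 3] {TCP} 198.51.100.5:40001 -> 192.0.2.10:22
11/09-10:02:15.000002  [**] [1:1000002:1] Portscan (sample) [**] [Priority: 3] {TCP} 198.51.100.5:40002 -> 192.0.2.10:80
11/09-10:02:15.000003  [**] [1:1000002:1] Portscan (sample) [**] [Priority: 3] {TCP} 198.51.100.5:40003 -> 192.0.2.10:443
11/09-10:30:00.000001  [**] [1:1000001:1] MS-SQL worm probe (sample) [**] [Priority: 2] {UDP} 192.0.2.200:1030 -> 192.0.2.10:1434
11/09-10:31:00.000001  [**] [1:1000001:1] MS-SQL worm probe (sample) [**] [Priority: 2] {UDP} 192.0.2.200:1030 -> 192.0.2.11:1434
11/09-11:12:44.000001  [**] [1:1000003:1] Web app exploit attempt (sample) [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:80'

# Alerts per source address, noisiest first. In fast format the last three
# fields are "src:port -> dst:port", so $(NF-2) is the source (IPv4 only here).
alerts_by_source() {
  printf '%s\n' "$ALERTS" |
    awk '{ split($(NF-2), s, ":"); print s[1] }' |
    sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Alerts per signature message, pulled out of the line with sed.
alerts_by_signature() {
  printf '%s\n' "$ALERTS" |
    sed -n 's/.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*/\1/p' |
    sort | uniq -c | sort -rn
}

# Percentage of all alerts that one source generated, to one decimal place.
alert_share() {
  printf '%s\n' "$ALERTS" |
    awk -v src="$1" '{ split($(NF-2), s, ":"); if (s[1] == src) hit++ }
                     END { printf "%.1f\n", 100 * hit / NR }'
}

# Drop alerts to destination ports the border firewall already blocks
# ($1 is a space-separated port list); what is left deserves the review time.
drop_firewalled_ports() {
  printf '%s\n' "$ALERTS" |
    awk -v blocked="$1" 'BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) blk[b[i]] = 1 }
                         { split($NF, d, ":"); if (!(d[2] in blk)) print }'
}

echo "alerts per source:"; alerts_by_source
echo "alerts per signature:"; alerts_by_signature
echo "share of 203.0.113.7: $(alert_share 203.0.113.7)%"
echo "alerts left after dropping port 1434: $(drop_firewalled_ports 1434 | wc -l | tr -d ' ')"
```

With real data, point `ALERTS` at the contents of Snort's alert file instead of the constructed block; the parsing assumes the single-line fast output format, not the multi-line full format.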


I wish the class would have spent at least a half day or so walking through the Security Onion (SO) distro.  The Packetrix VM has enough tools to complete the PCAP analysis challenge for day six, but it would have been fun to use tcpreplay to feed the pcap into SO and use Sguil to drill into the details of the attack.  I really wish that we could have spent just a little bit of time on a quick intro to Bro-IDS.  Mike mentioned OSSEC a few times in class, but I wish we could have spent some time looking at how it works.

I wish I would have read Network Intrusion Detection (NID) by Stephen Northcutt and Judy Novak before taking the class.  The course materials were written by Judy, and NID covers a lot of the same material and takes somewhat the same approach to the material that the class did.  I highly recommend that anyone getting ready to take SEC503 read NID first.

Studying for the GCIA Exam

Came home.  Went back to work.  Played catch up on all the requests piling up while I was gone.  Finally got around to taking the first practice exam a few weeks later.  I found out I was actually pretty interested in learning more about blue team operations, so I ordered a few books, spun up a few VMs and started playing around.

Below is a list of materials I used to study for the exam and polish up my intrusion analysis skills. 

SANS SEC503 Course Material

Network Intrusion Detection by Stephen Northcutt and Judy Novak

TCP/IP Illustrated, Vol. 1 by W. Richard Stevens

Practical Packet Analysis by Chris Sanders

Snort IDS and IPS Toolkit by Jay Beale, Brian Caswell and Andrew Baker

OSSEC Host-Based Intrusion Detection Guide by Andrew Hay, Daniel Cid and Rory Bray

So how did I do on the exam?

This was a tough exam.  I poured a lot of hours into studying for this.  It was getting close to the deadline to take the exam, so I signed up at the closest Pearson VUE testing center, only to have them call me back after 5 PM on the Friday night before I was scheduled to take the exam on Monday morning to tell me that my scheduled exam was canceled due to technical difficulties.  I contacted GIAC right away and they worked everything out, which gave me a couple of extra weeks to cram.  In the end, all of the extra study paid off.  I aced the exam.