SANS 2013 was great, but I'm certainly glad to be back home. It was a long week of sitting in conference rooms from sun up to sun down listening to some of the brightest instructors in InfoSec. I really enjoy the quality of the conferences that SANS provides.
GIAC Intrusion Analyst (GCIA) Job Task Analysis (JTA)
It was an honor to be selected to participate in the JTA session. The JTA is a way for GIAC to double check the correlation of their certification exam scores to the actual job skills that SANS is trying to teach. I flew in a day early to take part in the exercise. I enjoyed the opportunity and hopefully get to help out again in the future. And, I got to meet Judy Novak.
SEC504: Hacker Techniques, Exploits and Incident Handling
This is the fourth class I've taken from SANS, so I pretty well knew what to expect. SEC504 covered a lot of material, but much of the material felt familiar to me already, just more depth and insight into the attack techniques that are readily available. For a lot of the attacks out there today, there really aren't very many good defenses. So I guess numero uno on the list for things I learned at SANS 2013 isn't really something new, but something old and very foundational to InfoSec.
- Use common sense to limit who has access to systems and data in your environment.
- Baseline your environment so that you know what is "normal" in terms of ports being used and processes running on your systems.
- Don't reuse the same password for local administrator accounts across your organization.
- Use host-based firewalls to prevent compromised systems from being able to easily pivot to other systems on the same subnet.
- I also picked up a Teensy to play around with for physical testing.
Now I just have to get busy studying for the GCIH exam...
APT: It is Not Time to Pray, It is Time to Act - Dr. Eric Cole
Dr. Cole is an excellent speaker and easy for me to pay attention to. His tone and cadence in his presentations are very academic, but at the same time very candid and realistic. He doesn't come across as somebody that is trying to wow you with his vast knowledge of InfoSec. He seems to genuinely care about the material he is presenting and willing to do whatever it takes to make that material interesting and tangible to his audience. The content of the keynote for SANS 2013 wasn't so much about all of the APT hype as it was a very focused warning of the need to master the basics of InfoSec before we will really be able to win against the attackers.
Dr. Cole outlined 5 steps to improving security posture and being able to react to indicators of compromise more efficiently.
1. Identify Critical Data - Align critical assets with threats and vulnerabilities to focus on risk. Using Risk Based Thinking - What is the risk? Is it the highest priority risk? Is it the most cost effective way of reducing the risk?
2. Align the Defense with the Offense - The areas that defense currently focuses on are not the same as what the offense is focusing on.
3. Know thy Organization - You Cannot Protect What You Do Not Know About. Organizations need accurate up-to-date network diagrams and network visibility maps, focus on configuration management and change control.
4. Defense in Depth
a) Inbound Prevention
b) Outbound Detection
c) Log Correlation
d) Anomaly Detection
5. Common Metrics - Use the 20 Critical Controls!
Vendor Expo
Eh, not much to say here other than some vendors had some boths set up with some trinkets and trash on display. And now my inbox and voicemail are full of messages that I don't really need.
Social Zombies: Rise of the Mobile Dead - Kevin Johnson
Yeah, I know social media is out to get me. Really, duck face?
Introduction to Windows Kernel Exploitation - Stephen Sims
This is one area that I have no experience with. Stephen did a great job of taking a difficult subject and explaining it so that I could follow along.
How to Become a SANS Instructor - Eric Conrad - Lunch-n-Learn
Eric has an interesting story about how getting involved with SANS boosted his career and opened up the door of opportunity. I've thought about signing up for the Mentor program, maybe this was persuasive enough to get me to send in the application?
ADHD and Samurai - John Strand and Kevin Johnson
The Active Defense Harbinger Distribution (ADHD) is pretty cool. It is a Linux distro built around the idea of making life difficult for the bad guys. It focuses on Annoyance, Attribution and Attack. Some of the fun features include infinitely recursive directories, seeding honeytokens with call-home commands so that you can locate where your data has be exfiltrated, and setting up the signed Java applet attack in Metasploit to actually exploit the attacker. There is a great write up of Paul Asadoorian and John Strand's RSA presentation here.
The Samurai Web Testing Framework (WTF) is also a nifty Linux distro with a series of tools to assist in web app pen testing.
Hacking You Friends and Neighbors For Fun - Joshua Wright
Very entertaining. If you haven't seen this talk yet, check out the slides here.
InfoSec in the Financial World: War Stories and Lessons Learned - Bryan Simon
Bryan make the case for improving the information sharing of financial institutions with regards to adversaries, attacks and defense strategies. Ironically, on his way to the conference, half his slides were yanked by his legal department so that he wasn't able to share some of the stories he wanted to. The best part about this session were all of the conversations that started up afterwards.
NetWars Tournament
Wow, this was my first time at Netwars. I wasn't really sure what to expect here. All I can say is, there are some wicked smart people at SANS and I need some more practice.
No comments:
Post a Comment