BPF, PCAP, binary, hex: why do they matter?
*A call for more blue defenders*
In a couple of weeks I will be a TA for Mr. Mike Poor in DC at CDI (shameless plug: if you are a reader and see me in DC, say so!!!) for SANS 503. We often get asked: why does BPF matter || why should I bother with hex || why do I need to learn this???? My application does all the work for me!
I would like to share a U.S. Navy ‘vet’ story and shout out a thanks to a talented navigator, at the time a QM2(SW). He was telling me that the “stars never lie” and that they always show the way. If you learn to read them, take my GPS, take my N, take my Y technology; I have the star. If we know where the North Star is, we can always find north! After watching him dismiss a senior inspector with core math and navigation skills and the stars, I was a believer!
At the core our minds are powerful processors. According to the quad process model we take in vast amounts of information and process it at incredible speeds (Conrey, Sherman, Gawronski, Hugenberg, & Groom, 2005). This is likely why there are times when a ‘solution’ to a problem just somehow pops into your mind, or why after years of driving it seems automatic.
If we understand the “core” of network communication, we can break down protocols!
A couple of opinions/facts/ideas/comments/<insert favorite polarized media narrative here>:
- Most if not all IDS/IPS/HIDS/NIDS speak BPF [1]
- And another thing? RAW packets ‘usually’ cannot lie (it’s the RAW factor that counts)
- Most if not all sniffers/HIDS/NIDS/IPS/IDS/firewalls speak PCAP
- Understanding the root language can help you understand new code built into that language
Coming to my point: for $DayJob I have been asked to prepare an Incident Management workshop, which has become a more common request. In it I hope to shed light on the importance of core skills like TCPDumpFU || HexFU || BinaryFU || ProtocolFU. Most importantly I want to emphasize that a core understanding helps the critical thinking process when facing new or unknown problems or challenges. Our faithful readers know the near-axiomatic question from any handler: “got packets?”
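To show how TCPDumpFU, HexFU, BinaryFU and ProtocolFU are really one skill, here is an added example (my own code, not from the diary, SANS, or tcpdump): the byte offsets a BPF expression such as `tcp[13] & 0x12 == 0x12` indexes are exactly the ones you read off a hex dump, and exactly the ones a hand-written decoder walks. The packet is constructed inline for the example (a SYN/ACK from 10.0.0.1:443 to 10.0.0.2:51000, checksums left at zero), so it runs with no capture file.

```python
import struct

# Constructed sample (not a real capture): a 20-byte IPv4 header followed by a
# 20-byte TCP header, a SYN/ACK from 10.0.0.1:443 to 10.0.0.2:51000. Checksums
# are left as zero and are not verified by this example.
def build_sample_packet(tcp_flags=0x12):
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 words (20 bytes)
        0x00,                   # DSCP / ECN
        40,                     # total length: 20 IP + 20 TCP
        0x1234,                 # identification
        0x4000,                 # flags = DF, fragment offset 0
        64,                     # TTL
        6,                      # protocol 6 = TCP
        0,                      # header checksum (not computed here)
        bytes([10, 0, 0, 1]),   # source address
        bytes([10, 0, 0, 2]),   # destination address
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        443, 51000,             # source / destination port
        0x10000000,             # sequence number
        0x00000001,             # acknowledgement number
        0x50,                   # data offset 5 words (20 bytes), reserved 0
        tcp_flags,              # 0x12 = SYN | ACK
        65535,                  # window
        0, 0,                   # checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def hexdump(data, width=16):
    """Offset-labelled hex view: the same offsets a BPF expression indexes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:04x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines)


def parse_ipv4(pkt):
    """Decode the fixed 20-byte IPv4 header; any options are skipped via IHL."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,             # header length in bytes
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,  # same mask as ip[6:2] & 0x1fff
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header that follows the IP header."""
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_res >> 4) * 4,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "window": window,
    }


def matches_syn_ack(pkt):
    """Hand-rolled equivalent of the tcpdump filter  tcp[13] & 0x12 == 0x12 .

    It walks the same offsets BPF walks: read IHL from ip[0] to find where the
    TCP header starts, then test byte 13 of that header. A non-first fragment
    carries no TCP header, so it can never match."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 6 or ip["fragment_offset"] != 0:
        return False
    tcp_flags_byte = pkt[ip["ihl"] + 13]
    return (tcp_flags_byte & 0x12) == 0x12


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(hexdump(pkt))
    ip = parse_ipv4(pkt)
    print(ip)
    print(parse_tcp(pkt[ip["ihl"]:]))
    print("tcp[13] & 0x12 == 0x12 ->", matches_syn_ack(pkt))
```

Run it and compare the hex dump against the decoded fields: the flags byte `12` sits at offset 33 (20 bytes of IP plus 13), which is the byte `tcpdump -nn 'tcp[13] & 0x12 == 0x12'` tests on a live interface, and the same byte you would find by eye in `tcpdump -X` output. Once the offsets are in your head, a filter, a hex dump and a decoder are three views of one thing.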
Lately I have been asked to consult on more incidents than normal (for me), and in that I have noticed that although the operators are quite intelligent, with fundamental problem-solving skills, they are not effectively equipped. We need better blue defenders!!!!
It’s easier to attack than defend (Tzu, 1899). My favorite moment is making the most glorified attacker from “said G groups” unplug their laptop and say “how did you do that?”… (read: active defense is not attacking back but fatiguing your enemy, frustrating them, making them tired of attacking, denying them the ability to attack!)
Back to the point: we have been under attack for so long, and breach after breach after breach aft……………. It has become the ‘new norm’, and I wanted to address the pachyderm in the room! We are short of blue defenders! It’s easy, perhaps sexy, to download “Kali” Linux. But… how many have heard of HoneyDrive [2]? Or perhaps SecurityOnion [3]?
[4] “If I make an attacker spend an extra 9 hours attacking my website? I’ve won!” John Strand, SANSFire 2013.
Hard data: according to the Verizon DBIR [5], HIDS, NIDS, log review and incident response are each responsible for between 1-4% of discovery methods (Figure 44, p. 54). I wonder how much of our IT $budget$ is spent on the tools that give us the 1-4%? We have to get that number higher! The facts point to unrelated parties as the primary means of detection. Getting a phone call is not a good way to receive an Indicator of Compromise (IOC).
Back to the origin of the post, to come full circle: why BPF, why PCAP, why hex? To defend against a thing you must first understand the thing (Tzu, 1899). If we form a base understanding of our opponents’ tactics, along with the battlefield, we can better defend!
Resources:
Conrey, F. R., Sherman, J. W., Gawronski, B., Hugenberg, K., & Groom, C. J. (2005). Separating multiple processes in implicit social cognition: the quad model of implicit task performance. J Pers Soc Psychol, 89(4), 469-487. doi:10.1037/0022-3514.89.4.469
Tzu, S. (1899). Sun Tzu's Art of [online] Retrieved from: http://suntzusaid.com/book/3 [Accessed: 1 Dec 2013].
[1] http://www.tcpdump.org/papers/bpf-usenix93.pdf
[2] http://sourceforge.net/projects/honeydrive/
[3] https://code.google.com/p/security-onion/
[4] http://sourceforge.net/projects/adhd/
[5] http://www.verizonenterprise.com/DBIR/2013/
Incident Management Resources:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/26-CIP_CyberAssessmentGuide.pdf
http://www.ietf.org/rfc/rfc2350.txt
http://www.cert.org/csirts/resources.html
http://www.iso27001security.com/html/27035.html
http://www.itu.int/en/ITU-D/Cybersecurity/Documents/ALERT.pdf
http://www.itu.int/ITU-D/membership/portal/index.asp?Name=45047
http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S6_Mohamad_Sazly_Musa.pdf
http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/CIRT-Desk-Reference.pdf
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
by Richard Bejtlich http://amzn.com/1593275099
http://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791?show=incident-handling-process-small-medium-businesses-1791&cat=incident
http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641?show=computer-incident-response-team-641&cat=inciden
http://www.cert.org/csirts/csirt_faq.html
~Richard
@packetalien || rporter at isc dot sans dot edu
Comments
All that being said, I also meet very few people with TCP/IP skills. The network guys are one group who never look beyond IP headers. And most Windows/Unix people don't ever look at the network traffic. I am using it regularly to localize network problems, troubleshoot stuff where the RFCs list a human-readable protocol, and sometimes binary protos as well, and have even used it a few times to prove to the vendors that their crappy software was buggy. It can be used for many other things than just looking at malware. But it takes a special person being willing to go deep, or use the resources needed to get something out of this. And I see fewer and fewer people in IT with that skillset, or the ability to focus and drill down. The old guys retire, and the young ones are not interested in details. Just like the shift from developers to programmers to copy/paste-kings.
Anonymous
Dec 2nd 2013
Thank you for this diary
Anonymous
Dec 4th 2013
Thank you for the article, but what are "Blue Defenders"?
Anonymous
Dec 10th 2013