Friday, August 11, 2006

Week in Review, plus some

I spent this past week at GMU2006...well, not all week, just parts of the days...mostly the mornings. I was originally scheduled for the opening session, and two rounds each of Tracking USB Devices and Windows Memory Analysis. I later found out that I had also been scheduled for Windows Live Response, given twice on Friday morning.

Overall, I think the GMU2006 conference was like most conferences: you get out of it what you put in. It was a great opportunity for me to see some old faces, meet some new folks, and put faces to names. To my surprise, I got to meet AAron Walters, who came down twice. AAron's a bright guy with a lot of really good ideas.

The downside of a conference like this is that while I'm presenting, a lot of good presentations are going on at the same time. I got to sit in on IM Forensics by Charles Giglia, but missed his MySpace Forensics presentation. I missed other presentations by folks like Jesse Kornblum, Cynthia Hetherington, and Terri Gudaitis. However, in my presentations, I got some good comments and questions, and had a couple of really good side conversations with some folks.

If you're the GWU student who talked to me on Friday morning...drop me a line. I'm always happy to help.

Anyway, during my opening session talk and during my presentations, I made a couple of comments that cybercrime is increasing in sophistication, and that there's a widening gap between what "we" (forensic analysts, first responders and sysadmins) do or are capable of doing, and what the bad guys do. I can't say that there was a strong reaction either way, but this morning I read this article, in which Kevin Mandia was quoted. In the article, Kevin talks about the increasing sophistication of cybercrime, and the widening gap between the good guys and the bad guys.

As I mentioned, I presented on Windows Memory Analysis, and interestingly this appeared in the article:

One of the worst things users can do if they think their systems have been compromised by a hacker is to shut off their PCs, because doing so prevents an investigator from analyzing the contents of the machine's RAM, which often contains useful forensic evidence, Mandia said.

The paragraph that followed this one also provided some interesting insight. It shows that this sort of thing is being done (i.e., RAM is being collected and analyzed), that it's being done by some smart folks, and that valuable information is being used to solve cases. More importantly, the traditional approach most folks use doesn't include collecting this information.

If you have any questions about the conference, my presentations, or about anything...drop me a line.

Addendum, 17 Aug: During my presentations at GMU2006, I talked about live response and the need for it; in some of the presentations the discussion was tangential, but it was central to the actual Windows Live Response presentation. One of the reasons for conducting live response is that downtime of systems isn't measured in minutes, but in dollars per minute. For the most part, it sort of looks like I'm making this up...I really don't have anything to reference, other than professional experience. Well, this morning I found a link to an article at DarkReading that talks about the cost of a hack. One of the bullet statements in the article references a Yankee Group survey indicating that some companies measure downtime in thousands of dollars per hour.


Anonymous said...

I was more impressed by this quote from the Mandia interview: "'We're not seeing any kernel level rootkits [for Windows], but the user space stuff is working well enough that it doesn't matter,' he said." I recently found a kernel mode rootkit on my neighbor's 13-year-old daughter's computer (albeit the Sony DRM rootkit). This shows the penetration of this technology into the market. There is certainly a lot of effort going into developing Windows kernel mode rootkits at the moment and it would be surprising not to find them on high value targets. Is it that the rootkits are not there? Or is Kevin just not *seeing* them? :-)


H. Carvey said...

Interesting comment...and thank you. You bring up a very important point, even tangentially.

Kevin is a responder, much like myself. I firmly believe that we are not seeing these, b/c our clients are not seeing them. Even folks who aren't clients are probably seeing something unusual that they can't explain, and because spending money on security has no discernible ROI, they reload the system from clean media and put the system right back into service.