
Friday, July 09, 2010

SANS Forensic Summit Take-Aways

I attended the SANS Forensic Summit yesterday...I won't be attending today due to meetings and work, but I wanted to provide some follow-up, thoughts, etc.

The day started off with the conference intro from Rob Lee, followed by a keynote discussion from Chris Pogue of TrustWave and Major Carole Newell, Commander of the Headquarters Division of the Broken Arrow Police Dept. This was more of a discussion than a presentation, and focused on communications between private sector forensic consultants and (local) LE. Chris had volunteered to provide his services, pro bono, to the department, and Major Newell took him up on his offer; they both talked about how successful that relationship has been. After all, Chris's work has helped put bad people in jail...and that's the overall goal, isn't it? Private sector analysts supporting LE has been a topic of discussion in several venues, and it was heartening to hear Maj Newell chime in and provide her opinion on the subject, validating the belief that this is something that needs to happen.

There were a number of excellent presentations and panels during the day. During the Malware Reverse Engineering panel, Nick Harbour of Mandiant mentioned seeing the Windows DLL search order being abused as a malware persistence mechanism. I got a lot from Troy Larson's and Jesse Kornblum's presentations, and sat next to Mike Murr while he tweeted using the #forensicsummit tag to keep folks apprised of the latest comments, happenings, and shenanigans.
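A concrete check for the persistence technique Nick mentioned, added here as an illustration and not anything from the panel, from Mandiant, or from the original post: when a program loads a DLL by bare name, Windows walks a search order that, by default, starts with the application's own directory before reaching the system directory. A DLL planted next to a legitimately installed program and named after one that program expects from System32 is therefore loaded every time that program starts, which is all the persistence an attacker needs. The script below scans application directories for DLLs that shadow a system DLL, skips names on the KnownDLLs list (those are always resolved from the system directory), and hashes each hit against the system copy so that an application merely shipping its own identical copy of a runtime DLL can be triaged down. The directory tree, file contents, and the small KnownDLLs subset are all constructed for the demo; a real scan should point `find_shadowing_dlls` at the actual program and system directories and read the KnownDLLs names from the registry.

```python
"""Added example: flag candidate DLL search-order hijacks on disk.

Not code from the blog post or from any vendor; the sample tree below is
constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Assumption for the demo: a small subset of the KnownDLLs list. Windows
# resolves these from the system directory no matter what sits beside the
# executable, so a same-named file in an application directory is noise.
# On a real host, read the names from
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs instead.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


@dataclass
class Finding:
    app_dir: str
    dll: str
    system_copy: str
    same_content: bool  # True when the app-dir file is byte-identical to the system copy


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_shadowing_dlls(app_dirs, system_dir, known_dlls=KNOWN_DLLS):
    """Return a Finding for every DLL in app_dirs whose name matches a DLL in system_dir.

    A match that is NOT byte-identical to the system copy is the interesting case:
    the program will load the application-directory file first.
    """
    system_dlls = {
        name.lower(): os.path.join(system_dir, name)
        for name in os.listdir(system_dir)
        if name.lower().endswith(".dll")
    }
    findings = []
    for app_dir in app_dirs:
        for name in sorted(os.listdir(app_dir)):
            key = name.lower()
            if not key.endswith(".dll") or key in known_dlls or key not in system_dlls:
                continue
            app_path = os.path.join(app_dir, name)
            identical = _sha256(app_path) == _sha256(system_dlls[key])
            findings.append(Finding(app_dir, name, system_dlls[key], identical))
    return findings


def build_demo_tree(root):
    """Construct a fake system directory and application directory under root."""
    system_dir = os.path.join(root, "System32")
    app_dir = os.path.join(root, "Program Files", "VictimApp")
    os.makedirs(system_dir)
    os.makedirs(app_dir)
    # Constructed file contents; only the names and whether they match matter.
    files = {
        os.path.join(system_dir, "version.dll"): b"legit version.dll",
        os.path.join(system_dir, "kernel32.dll"): b"legit kernel32.dll",
        os.path.join(system_dir, "msvcrt.dll"): b"legit msvcrt.dll",
        os.path.join(app_dir, "app.exe"): b"victim application",
        os.path.join(app_dir, "version.dll"): b"planted payload",      # hijack candidate
        os.path.join(app_dir, "kernel32.dll"): b"planted but harmless",  # KnownDLL, ignored
        os.path.join(app_dir, "msvcrt.dll"): b"legit msvcrt.dll",        # vendor-shipped copy
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return app_dir, system_dir


def demo():
    """Run the check over the constructed tree; returns (dll name, identical?) pairs."""
    with tempfile.TemporaryDirectory() as root:
        app_dir, system_dir = build_demo_tree(root)
        return [(f.dll, f.same_content) for f in find_shadowing_dlls([app_dir], system_dir)]


if __name__ == "__main__":
    for dll, identical in demo():
        status = "identical to system copy (likely vendor-shipped)" if identical else "DIFFERS from system copy: review"
        print(f"{dll}: {status}")
```

Two things to keep in mind when using this for real: a DLL that is byte-identical to the system copy can still be unwanted, so "identical" is a triage priority rather than a verdict, and the check only covers the application-directory case. Names an executable imports that exist nowhere on the search path (so an attacker can supply them from any searched directory) are a separate variant that this scan does not see.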

Having presented and been on a panel, I found it a great opportunity to share my thoughts and experiences and to get comments and feedback, not only from other panelists but also from the attendees.

One of the things I really like about this conference is the folks that it brings together. I got to reconnect with friends, and talk to respected peers that I haven't seen in a while (Chris Pogue, Matt Shannon, Jesse Kornblum, Troy Larson, Richard Bejtlich), or have never met face-to-face (Dave Nardoni, Lee Whitfield, Mark McKinnon). This provides a great opportunity for sharing and discussing what we're all seeing out there, as well as just catching up. Also, like I said, it's great to discuss things with other folks in the industry...I think that a lot of times, if we're only engaging with the same individuals time and again, we tend to lose sight of certain aspects of what we do, and what it means to others...other responders, as well as customers.

If someone asked me to name one thing that I would recommend changing about the conference, it would be the venue. While some folks live and/or work close to downtown DC and find it easy to get to the hotel where the conference is held, there are a number of locations west of DC that are easily accessible from Dulles Airport (and folks from Arlington and Alexandria would be going against traffic to get there).

Other than that, I think the biggest takeaways, for me, were:

1. We need to share better. I thought I was one of the few who thought this, but from seeing the tweets on the conference and talking to folks who are there, it's a pretty common thread. Sharing between LE and the private sector is a challenge, but as Maj Newell said, it's one that everyone (except the bad guys) benefits from.

2. When giving presentations, I need to spend less time talking about what's cool and more time on a Mission Guide (a la Matt Shannon) approach to the material. Throwing Legos on the table and expecting every analyst to 'get it' and build the same structure is a waste of time...the best way to demonstrate the usefulness and value of a tool or technique is to show how it's used.

Thanks to Rob and SANS for putting on another great conference!

Follow-ups
Foremost on Windows (Cygwin build)

7 comments:

  1. Shanna 4:11 PM

    I don't think you win the traffic game in the DC area. :-) Last year SANS held a conference in Tyson's and getting there from Alexandria was nightmarish. Getting back was even worse.

  2. "Throwing legos on the table and expecting every analyst to 'get it' and build the same structure is a waste of time...the best way to demonstrate the usefulness and value of a tool or technique is to demonstrate how it's used."

    I really like that statement you made... I think someone who is as CEREBRAL as you (aka "Smarter than the average bear"...) is that you see the problem and the solution in your mind before the Average Joe grasps the real problem. Having read your blog, posts and book (all equally valuable) in the past, I sometimes can read frustration into what you type, apparently based on the fact that the other poster(s) don't grasp the "obvious" solution...which isn't that "obvious" to most... I'm just sayin'... ;-)

  3. Rob,

    Thanks for the comment.

    I think one of the drawbacks of blogging is that people feel that they can read things into the post...for example, you say that you "...can read frustration into what you type...". I get it that not everyone gets it. What you may be seeing is my attempt to get others to reason through the issue, to do their own critical thinking...and that's not frustration. No solution is really "obvious" because we don't all see things the same way or from the same perspective. For example, Chris Pogue and I are very big on clearly defining goals before conducting analysis, whereas others are perfectly content to not have goals or direction of any kind...

  4. Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS

    Rah-rah-ah-ah-ah-ah!
    Roma-roma-mamaa!
    Ga-ga-ooh-la-la!
    Stuck with a bad OS

    I want your crashes
    I want your lack of v 2 USB
    I want your everything
    As long as they're free
    I want your bugs
    (Bugs-bugs-bugs I want your bugs)

    I want your shell
    To script your command line
    I want your meaningless error codes on the screen
    I want your bugs
    Bugs-bugs-bugs
    I want your bugs
    (Bugs-bugs-bugs I want your bugs)

    You know that I want you
    And you know that I need you
    I want it bad, you bad OS

    I want your crappy drivers and
    Your poor hardware support
    You and me could write a bad program
    (Oh-oh-oh--oh-oooh!)
    I want your bugs and
    All your limited memory too
    You and me could write a bad program

    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS
    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS

    Rah-rah-ah-ah-ah-ah!
    Roma-roma-mamaa!
    Ga-ga-ooh-la-la!
    Stuck with a bad OS

    I want your modem
    I want two phone lines
    'Cause we're on dial up
    As long as your mine
    I want your bugs
    (Bugs-bugs-bugs I want your bugs)

    I want your GUI
    Your old interface
    Want your screen saver
    That looks like I'm out in space
    I want your bugs
    Bugs-bugs-bugs
    I want your bugs
    (Bugs-bugs-bugs I want your bugs)

    You know that I want you
    ('Cause I'm a luddite baby!)
    And you know that I need you
    I want you, you bad, bad OS

    I want your crappy drivers and
    Your poor hardware support
    You and me could write a bad program
    (Oh-oh-oh--oh-oooh!)
    I want your bugs and
    All your limited memory too
    You and me could write a bad program


    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS
    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS

    Rah-rah-ah-ah-ah-ah!
    Roma-roma-mamaa!
    Ga-ga-ooh-la-la!
    Stuck with a bad OS

    Boot, boot, boot real slowly
    Thrash it
    Move that hard drive crazy

    Boot, boot, boot real slowly
    Thrash it
    Move that hard drive crazy

    Load, load , load it slowly
    Spin it
    Move that status bar slowly

    Load, load , load it slowly
    Spin it
    Move that status bar slowly

    I want your bugs and
    I want your lack of support
    I want your bugs
    Because I'm a good sport

    [Something in French]

    I want your crappy drivers and
    Your poor hardware support
    You and me could write a bad program
    (Oh-oh-oh--oh-oooh!)
    I want your bugs and
    All your limited memory too
    You and me could write a bad program


    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS
    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS

    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS
    Oh-oh-oh-oh-oooh-oh-oh-oh-oooh-oh-oh-oh!
    Stuck with a bad OS

    Rah-rah-ah-ah-ah-ah!
    Roma-roma-mamaa!
    Ga-ga-ooh-la-la!
    Stuck with a bad OS

  5. :)

    Looks like a long post was payback for a "re-directed" link.

    Great feedback. Enjoyed all your posts, and couldn't agree more with your take on "Legos" and "Buildings". Especially hit home with me since I am relatively new to security and looking for anything to make my "awareness" better.

  6. Joe,

    Thanks!

    From your perspective, how do you see the "legos" and "buildings"? I understood most of what the speakers said, but when I looked around the room, particularly at folks new to the community, or those that are not in it full time (LE, for example), there were a lot of blank stares.

    I think as we start showing folks the stuff they can build with the legos, the raw, technical stuff will start to click and gel, and then become useful.

  7. "Legos" and "Buildings" at this point, for me at least, are both understood for the most part, but they are not relatable. I understand what the tool is, what it does, and I understand the big picture as well. It's just the point A to point B that is confusing. But I guess that's what experience teaches, or why they pay people like you the big bucks.

    I think the post by Rob above says it well. The legos and buildings are there, but the solution that binds them, is just not always clear.

    The positive to this is that when security experts care enough to display how they use their tools/skills/experiences/etc., it provides a means for somebody in the same position as myself (career as a network/system admin) to become able to "build the same buildings" or something close.

    Which I believe is your point, and is greatly appreciated.
