Saturday, June 25, 2011

GSE Lab Prep – The Tao of Network Security Monitoring and Sguil

I spent the past week reading The Tao of Network Security Monitoring by Richard Bejtlich as part of my “study plan” for the GSE Lab. Fortunately, or unfortunately, I take a train to work every day and that gives me 1.5 hours to do whatever I want. This time allows me to read a 600+ page technical book cover to cover in a little over a week. I have also spent time building and playing with my GSE lab.

Since there are so many reviews of the book, I will limit my review to saying Richard did an amazing job with this book, and if you perform any type of Network Security Monitoring (NSM) it is a must-read. One of the great strengths of this book is that Richard discusses several NSM tools not covered elsewhere other than in passing. I am sure some of these tools will be covered in detail in the GSE lab, so I plan on spending some time with the ones I am not intimately familiar with.

One tool mentioned in the book that I plan on spending time with is Sguil. According to the nsmwiki, Sguil is best described as an aggregation system for network security monitoring tools. Major tools used by Sguil include:
  • Snort/Barnyard
  • Security Analyst Network Connection Profile (SANCP)
  • Passive Asset Detection (PADS)
  • p0f
  • tcpflow
The great thing about studying Sguil for the GSE lab is that all of these tools are discussed in the GSE prerequisite classes. That fact alone makes Sguil a great tool to spend time with in the GSE lab. One thing I do know is often described as a downside of Sguil is its installation. I know a few articles discuss installing Sguil on Ubuntu 10.04 Long-Term Support (LTS), but I plan on writing up a procedure and posting it on the blog within the next week.

Saturday, June 18, 2011

GSE Lab plan…

With the GSE written out of the way, it’s time to focus on preparing for the lab. Here is my plan, which will go to hell over the summer as work and personal stuff take over, but it’s my plan anyway.
The first part of my plan is to go over several books, which I have been trying to do for a long time. Here are the books I plan to review:
  • The Tao of Network Security Monitoring
  • Extrusion Detection
  • Counterhack Reloaded
  • Wireshark Network Analysis
  • Hacking Exposed
Although the list is long, I spend almost two hours daily travelling to and from the office on public transportation, so I have plenty of “free time”.

However, the lab is not about book smarts; it’s about the ability to get stuff done. To make sure my skills are up to speed, and to review tools I never or rarely use, I plan on creating a lab. The lab I plan to build will consist of the following systems:
  • Linux (Ubuntu) – Firewall, IDS, IPS
  • Windows 2008 Server – Domain Controller
  • Windows 2003 Server – Domain Controller
  • Windows 7 Ultimate – Workstation
  • Windows XP SP3 – Workstation
  • Linux (Fedora 12) – Linux Server, www, ftp, smtp
  • BackTrack4 – Attacking System
I plan to record all network traffic in the lab for later analysis. This network traffic will include “normal” and “abnormal” traffic. I will be attacking the various systems to create security incidents, then investigating the incidents. I plan to use only the tools covered in the material.

So there is my plan for preparing for the lab. Will it be enough? I don’t know, but it should cover all of the defined GSE objectives, and if I meet those I will pass.

Sunday, June 12, 2011

Well, that was unexpected…

Seven days ago I posted that I was going to spend that week reviewing SEC 504, then use this week to review the material I needed to work on and take the GSE written on the 18th. Review of the 504 material went much quicker than I thought and was done by Tuesday. I spent some time contemplating moving the test date forward, and decided to take the written on Friday the 10th. My thought was, if I didn’t know the material now, I would not know it in a week, so I should go for it!

So, Tuesday night I booked the test and was ready to go for Friday. I spent Wednesday night with family, and contemplated an email I got about going to Game 5 of the NBA finals! After a very tough decision I decided not to go, which in hindsight I am kicking myself for. Thursday I got stuck at the office and didn’t get home until after 8 (normally not a big deal). I watched Game 5 (kicking myself again for not going), and after watching the Mavs’ victory I went to bed.

Friday, test day, I slept in until 6:45 since I was working from home in the morning and testing in the afternoon. At noon, I packed up all my stuff and headed to the testing center. When I got to the testing center I had to wait in the lobby for 15 minutes (which didn’t help me). Finally, I got checked in and started the exam right on time (1:00 pm).

I am not going to cover what was on the written exam, other than to say all GSE objectives were covered and nothing was asked that was not listed on the GSE Objectives web site.

After completing the test, I was greeted with a passing score, which means my next steps are to schedule the lab in Vegas at SANS Network Security 2011! Although I am proud of my accomplishment, I have no clue what’s next.

I am going to spend the next week or so coming up with a study plan, although I know I am going to steal some of it from a fellow GSE candidate, Ash! I know each person has a study plan to meet their own needs, and I am working on mine. Next week I will give some insights into my study plan and lab for the GSE.

Sunday, June 5, 2011

GSE Written…Studying has begun in earnest!

Since I decided to apply for the GSE, I have been reviewing my material from the three classes. My schedule was to have all my reviews done by 6/12 with an eye on taking the written on 6/18. As of today I am on track, having just completed my review of SEC 503 and already completed SEC 401.

This week is all about the last class, SEC 504 (Incident Handling). Looking over the material, I will say this review is the one I am looking forward to the most, and one of the reasons why I saved it for last!

After SEC 504, I am going to make a list of things to spend time reviewing next week, such as bit masking (I always mess this up when I do it by hand) and what you use symmetric and asymmetric encryption for (I know what they are for; I occasionally mix them up though), as well as other areas.

As I go through the material, one thing I can say is there is a lot of it. The depth at which I must cover it is where the real challenge in the GSE is, at least for me. For example, when doing packet analysis it’s not just knowing what a particular field represents, but what the field should look like (normal behavior) or should not look like (abnormal behavior). That level of understanding is what makes this a challenge.

There are two things about studying for the GSE that I have come to appreciate already. First, the level of knowledge a GSE has is truly amazing, and second, regardless of pass/fail, I will come away a better security professional.
So for now, off to review SEC 504…