Sunday, July 24, 2011

I am alive, GSE prep and SANS Network Security 2011 facilitator…..

My short absence from updating the blog is both sad and funny. I originally planned to skip one week because of short 3 day holiday with my wife and friends. While on holiday I received a phone call from my father explaining to me how he just broke his leg 500 miles from home! To complicate matters, my mother just had knee replacement surgery a few weeks earlier and was home in bed unable to do anything. So after returning from holiday I jumped on the next AA flight to COS to get my dad home to Kansas City. Once in KC I had to get my mom to a follow up surgery (she reinjured the new knee), and get my dad through his. My sister was a big help during this, but this family emergency through all kinds of wrenches in my GSE study plan. I returned to DFW earlier this week and started to catch up.

For GSE this week I spend time looking over the Incident Handling domain. I reviewed the incident handling process as defined by SANS:

                Preparation
                Identification
                Containment
                Eradication
                Recovery
                Lessons Learned

Additional areas covered in the IH domain include common attacks, malware and preserving evidence. Fortuantly I was able to get those areas covered as well.  This week I hope to cover the ITSEC domain, OS security, secure communications, and protocols.

Turns out this week I was also accepted to facilitate FOR 610: Reverse Engineering Malware with Lenny Zeltser at SANS Network Security 2011 in Las Vegas. This is the first time I have done facilitating for a SANS course and will tell you I am very excited about the opportunity.

I should be back to posting once a week again, and after the GSE lab I plan on doing more technical and interesting blog posts!

Sunday, July 3, 2011

Ubuntu, Sguil, InstantNSM and GSE Lab Prep

Last week I discussed Sguil and I was going to do a post on getting Sguil running on Ubuntu. Like most good plans, mine feel apart. To start with, I changed what I intended to blog about late in the game, than ran out of time.

My plan now is to include using InstantNSM and the Sguil packages to get a Network Security Monitoring (NSM) up quickly. In order to do to this I have to modify InstantNSM to “support” debian based systems. This modification will be made and tested over the next month or so. I have contacted the developer for InstantNSM to see about adding support for Ubuntu.

On the GSE Lab front I have spent time building the lab, started to read the Wireshark Network Analysis  book, and spend some time reviewing network traffic (outside of my day job of course). As I spend more time with packet captures, I am becoming more proficient writing filters in tcpdump and Wireshark.

Next week I am going on short three day trip with the wife and friends so I probably wont get a chance to post anything new, but you never know.
 
Site Meter