Summer Reading 101 – The Blue Team Field Manual

I read all the time.  I admit that I read less now that I have found and use Audible (the Amazon audiobook service).  While Audible is great, the books I chose to read (or re-read) this summer are probably not available there.  I recently re-read the Blue Team Field Manual (BTFM) and read the Red Team Field Manual (RTFM) and the Operator Handbook for the first time.  All are fantastic, and I recommend that anyone in any cyber role, from student to practitioner, consider keeping copies of all three near their desk.

About these books.  These are nothing like reading popular science fiction.  These are books you read sitting next to a computer (or computers) running Windows and/or Linux.  They are literally handbooks and manuals: technical references that list instructions for how to accomplish various tasks and gather information.

The Blue Team Field Manual version 1.2 by Alan White and Ben Clark

 

I believe I purchased the BTFM at least two years ago.  When I went looking for it I couldn't find it, so I bought another copy at Amazon.  For $14.95 you can't go wrong.  The BTFM was written by Alan White and Ben Clark, and version 1.2 is copyrighted 2017.  My recent copy from Amazon says it was printed in June 2020 (so either it's a hot item or other people like me are losing their copies).

The BTFM is based on the NIST Cybersecurity Framework.  The National Institute of Standards and Technology (NIST) Framework consists of standards, guidelines and best practices to guide organizations seeking to manage cybersecurity risk.  It's a how-to guide for organizations to structure how they defend their digital presence.

The reason the BTFM is so useful is that it's structured around the NIST Framework.  The five core functions of that Framework are:

  • Identify,
  • Protect,
  • Detect,
  • Respond, and
  • Recover

The BTFM walks through the tools and concepts applicable to each function; for example, it covers Linux and Windows defenses in the Protect chapter and the steps to perform live triage of Linux and Windows systems in the Respond chapter.  I call these descriptions, but they really are not.  Each chapter is a list of commands that the reader can execute on a computer and then review.  If a command is unfamiliar, you'll likely use Google afterwards and find out more about it.  But along the way you'll run the command, see the output, and hopefully form a memory, so that when you need to copy the application logs from a Windows computer in the future you'll remember that there is a wmic command to list all the event log files and a wevtutil command to export the individual logs.

The BTFM is only 132 pages long including the index and two scratch-pad pages.  That said, it is not a 'fast read'.  If you take a copy and sit by a dual-boot computer it will take days to go over the commands.  I suggest trying to knock out a chapter per evening.  Beyond the five chapters I pointed out earlier there is a chapter 0 (zero) that lists key documents for the NIST Framework.  There is a chapter titled Tips and Tricks with various OS cheats and descriptions of tools; this really complements the material in chapters one through five.  The last two sections contain Incident Management Checklists (good questions that should be asked in any investigation) and Security Incident Information about the (open source) VERIS schema, the Vocabulary for Event Recording and Incident Sharing.

Using Biometrics to Replace Passwords

I was recently asked this question…

I’m working on a project right now where my team wants to substitute passwords and usernames for biometric authentication.  I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors of biometric authentication, such as facial and voice recognition.  While such a system is definitely better than one form of biometric authentication only, I still believe it is more insecure than using passwords. And even if it were not, I believe it is concerning from a privacy standpoint and makes our database a prime target for hackers.

To which I replied… When evaluating any authentication solution you should consider the FAR, FRR, and CER.

FAR = False Acceptance Rate: the rate at which someone who is not an authorized user is granted access.
FRR = False Rejection Rate: the rate at which an authorized user is rejected.
CER = Crossover Error Rate (also called the Equal Error Rate): the error rate at the decision threshold where FAR and FRR are equal.

You want your FAR and FRR to both be very low.  If your FAR were 1 in every 100 authentication attempts, meaning that one time in every 100 attempts an unauthorized person was granted access, that would be 1%.  Is that acceptable given the number of people using the system and how often they authenticate?

You should account in your design for a FAR event (an unauthorized user gaining access) and have some other protection in place; that leads to a multi-factor authentication (MFA) scheme.  Note that two biometrics, such as face plus voice, are both 'something you are', so combining them is still a single factor; the additional protection should be a different factor, such as something the user has or knows.

FRR is what will truly frustrate your authorized users, because they will be turned away and unable to access the system.  That drives up the cost of operating the system, since some additional person will have to be standing by to let the rejected but authorized person in.

The CER or crossover rate is the single number used to compare biometric systems.  FAR and FRR pull against each other: tightening the decision threshold lowers FAR but raises FRR, and loosening it does the reverse, so you cannot drive both to zero independently.  The CER is the error rate at the threshold where the two curves meet, and a lower CER means a more accurate system.  If you want to make sure that unauthorized users DO NOT have access and that your authorized users are not being turned away, choose the system with the lowest CER, and then set its operating threshold on the side of the crossover that matches your risk tolerance (for high-security access, on the low-FAR side, accepting the extra rejections).
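The trade-off described above, worked through as an added example (this is not code from the original reply).  The script sweeps the decision threshold across a set of constructed matcher scores (assumed to be similarity values in [0, 1] from a hypothetical biometric matcher; they are not measurements of any real product), computes FAR and FRR at each threshold, locates the crossover, and then picks the operating point for a FAR budget such as the 1% in the question.

```python
"""Sweep a biometric decision threshold to find FAR, FRR and the crossover error rate.

Added example for this post; it is not code from the original reply. The match
scores are constructed (assumed to come from a hypothetical matcher that returns a
similarity score in [0, 1]) and are not measurements of any real biometric system.
"""

# Constructed sample scores. "Genuine" = an authorized user compared against their
# own enrolled template; "impostor" = someone else compared against that template.
# Higher means more similar; an attempt is accepted when score >= threshold.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.71, 0.66, 0.60]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.39, 0.44, 0.52, 0.58, 0.63, 0.70]


def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts that meet the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: fraction of genuine attempts that fall below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """FAR and FRR at every distinct score, i.e. every threshold that changes a decision.

    Returns a list of (threshold, far, frr) in increasing threshold order. Raising the
    threshold can only lower FAR and raise FRR, so the two columns move in opposite
    directions and cross exactly once.
    """
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Return (threshold, cer): the threshold where FAR and FRR are closest to equal.

    With a finite sample the curves rarely meet exactly, so the CER reported is the
    mean of the two rates at the closest point. Lower CER means a more accurate system.
    """
    t, a, r = min(error_curve(genuine_scores, impostor_scores),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR you pay for it.

    This is how a high-security deployment picks its operating point: fix the FAR you
    can tolerate (the post asks whether 1% is acceptable) and accept the resulting FRR.
    Returns (threshold, far, frr), or None if no threshold on the curve meets the target.
    """
    for t, a, r in error_curve(genuine_scores, impostor_scores):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    print(" threshold   FAR   FRR")
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"   {t:.2f}     {a:.2f}  {r:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2%} at threshold {t:.2f}")
    print("FAR <= 1% operating point:",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.01))
```

With these constructed scores the crossover lands at a threshold of 0.66 with a CER of 10%; holding FAR at or below 1% forces the threshold up to 0.71, where no impostor sample is accepted but two of the ten genuine users are rejected, which is exactly the FRR cost the reply warns about.  Real matchers need thousands of genuine and impostor comparisons before these rates mean anything, but the sweep is the same.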

Understanding the Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) takes something most people know and applies it to a new problem: the simple concept of roadway traffic lights applied to information sharing.  As defined by FIRST (the Forum of Incident Response and Security Teams), the Traffic Light Protocol is "a set of designations used to ensure that sensitive information is shared with the appropriate audience".

When information is shared between two parties (a source and a recipient), the TLP color tells the recipient how the source expects the information to be handled and how far it may be passed on.

The key to understanding TLP is its simplicity.  Traffic lights or signals are something used and seen by drivers and passengers on roadways around the world.

It's important that each person in an organization who handles information understands and uses TLP all the time and in the same way.  TLP is successfully implemented in an organization when everyone processes marked information the same way.

While most roadway traffic signals have either two or three lights, the protocol defines four designations.

TLP:Red – Information is marked RED when the party sharing it intends that it not be disclosed further.  Use of this information is restricted to the participants who received it, for example the people in the meeting or on the call where it was shared.  I tell people that when information marked TLP:Red is shared with you, that information stays with you.

TLP:Amber – Information marked AMBER is intended for limited disclosure.  FIRST's definition allows recipients to share it with members of their own organization, and with clients or customers who need to know it to protect themselves; many organizations apply it more narrowly.  If you work in a company's Information Security department and receive information marked TLP:Amber, your policy may limit sharing to that department or may allow it across the company.  Your organization's specific policies and procedures should clarify this.

TLP:Green – Information marked GREEN is also limited disclosure, but the limit is the community: peers and partner organizations in your sector that you regularly work with, never publicly accessible channels.  As with TLP:Amber, your organization's policies and procedures should define what that community is.

TLP:White – Information marked WHITE "carries minimal or no foreseeable risk of misuse" and can be shared broadly.  It's important to note that TLP:White information is still subject to other organizational classification controls (such as Secret, Top Secret, or NOFORN markings), and copyrights should be observed.  (FIRST's TLP 2.0, published in 2022, renames this designation TLP:CLEAR and adds TLP:AMBER+STRICT, which restricts sharing to the recipient's own organization.)

It's all in the Cloud(s)

The Internet is changing yet again.  One of my predictions for 2018 is that everyone will witness a migration from corporate or private data centers to the 'Cloud', or Internet-hosted data centers.  There have been tremendous advances both in securing the Cloud and in sharing with the broader technical community how to secure it.

Some important reading material about Cloud security includes:

AWS's Shared Responsibility Model,

Azure’s Security Center, and

Google's Application Layer Transport Security (ALTS) whitepaper.

International Cyber Conflicts @ Coursera

I just finished the course 'International Cyber Conflicts' at Coursera.  The course was developed and led by professors Sanjay Goel and Kevin Williams from the State University of New York at Albany.  This was a five-week course consisting of recorded presentations with inline questions, discussion forums, and end-of-week quizzes.

The presentations and readings for this course were good.  After several of the readings referred to Cybersecurity and Cyberwar by Singer and Friedman, I obtained the book through my local library on an inter-library loan.  After a second reading I really enjoyed the book and purchased my own copy via Amazon.

I would say the only downside to this course, like others I have taken, is that the discussion forums were not really that good.  The forums merged comments from previous offerings of the course (from about a year ago).  I can appreciate why the instructors did this, in an attempt to seed the forums and get more people contributing, but I didn't think it worked.  And, as with many Coursera offerings, some people just don't understand or seek to contribute to the discussions.  Tighter moderation might help there.

I enjoyed the course and would recommend it to anyone interested in cyber security.  The course is free unless you request a completion certificate.

 

USB Forensics

I recently came across two very good articles about USB forensics.

The Hitchhiker's Guide to USB Forensics was published at the Cyberforensicator site by Oleg Skulkin and Igor Mikhaylov.  It is a very well thought out and written description of how to determine, through operating-system artifact analysis, which files have been copied to a USB device.  They used a Windows 10 virtual machine and Magnet AXIOM to conduct a basic analysis, locating evidence of what files had been copied or moved.

I was looking for references on how to investigate just the USB drive itself.  I found the SANS Computer Forensics guide to profiling USB thumb drives on Win7, Vista, and XP, a blog post by Rob Lee dated September 2009.  This was more in line with what I was looking for, given that one has found the USB device and wants to start treating it as evidence.  Rob also wrote about the differences between analyzing USB thumb drives and USB drive enclosures.  There was much good information in both posts.
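One of the artifacts Rob Lee's guide points at for profiling a drive is the Windows setup log, which records the first time a given USB storage device was installed.  As an added example (not code from either article above), the script below parses that log format, extracts the vendor, product, revision, serial and first-install time for each USBSTOR device, and flags serials that Windows generated because the device reported none.  The log excerpt is constructed to match the layout Windows writes to C:\Windows\inf\setupapi.dev.log on Vista/7 and later; its device names, instance IDs and timestamps are made up.

```python
"""Pull first-connection records for USB storage devices out of setupapi.dev.log.

Added example for this post; it is not code from either article cited above. On
Vista/7 and later Windows logs every device installation to
C:\\Windows\\inf\\setupapi.dev.log, and the first "Device Install" section for a
USBSTOR instance gives the first time that drive was plugged in. The log excerpt
below is constructed to follow that layout; its device names, instance IDs and
timestamps are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed excerpt: two mass-storage devices and one USB mouse (which is skipped).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\\0019E06B7C2F1BA0A9B5&0]
>>>  Section start 2019/05/14 10:23:45.123
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 10:23:45.140
<<<  Section end 2019/05/14 10:23:47.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a1f0c3d&0&_&0]
>>>  Section start 2019/05/16 08:02:11.001
<<<  Section end 2019/05/16 08:02:12.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\5&1d2e3f4a&0&2]
>>>  Section start 2019/05/16 09:00:00.000
<<<  Section end 2019/05/16 09:00:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
# USBSTOR device IDs look like USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


@dataclass
class UsbStorageInstall:
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: str                      # first "&"-delimited field of the instance ID
    windows_generated_serial: bool   # True if the device reported no serial number
    first_install: datetime          # local time from the "Section start" line
    status: Optional[str]            # "SUCCESS" or the failure text, None if not seen


def parse_setupapi_log(text: str) -> List[UsbStorageInstall]:
    """Walk the log line by line and return one record per USBSTOR install section."""
    records: List[UsbStorageInstall] = []
    pending_id: Optional[str] = None             # header seen, waiting for Section start
    current: Optional[UsbStorageInstall] = None  # record waiting for its Exit status
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending_id, current = m.group("id"), None
            continue
        m = START_RE.match(line)
        if m and pending_id is not None:
            dev = USBSTOR_RE.match(pending_id)
            pending_id = None
            if dev is None:
                continue  # not a USB mass-storage device (e.g. a mouse): ignore it
            instance = dev.group("instance")
            current = UsbStorageInstall(
                vendor=dev.group("vendor"),
                product=dev.group("product"),
                revision=dev.group("rev"),
                instance_id=instance,
                serial=instance.split("&")[0],
                # Windows substitutes an ID of its own for devices without a unique
                # serial; its second character is always "&", so such a serial cannot
                # be used to tie the drive to other machines it was plugged into.
                windows_generated_serial=len(instance) > 1 and instance[1] == "&",
                first_install=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                status=None,
            )
            records.append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            current.status = m.group("status")
            current = None
    return records


if __name__ == "__main__":
    for rec in parse_setupapi_log(SAMPLE_LOG):
        origin = "Windows-generated" if rec.windows_generated_serial else "device serial"
        print(f"{rec.first_install:%Y-%m-%d %H:%M:%S}  {rec.vendor} {rec.product} "
              f"rev {rec.revision}  serial {rec.serial} ({origin})  {rec.status}")
```

Run it against a copy of setupapi.dev.log taken from the suspect machine (copy the file; don't analyze the live one), and cross-check the serial against the USBSTOR keys in the SYSTEM hive and the volume GUIDs in MountedDevices as the SANS guide describes.  The timestamps are the machine's local time with no zone recorded, so note the system's time zone before you compare them with anything else.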

 

 

The State of Internet Privacy? In Shambles. Moving on.

Many would consider me an Internet old-timer.  I used 'the Internet', then ARPAnet, back in the days when I worked as a software engineer for a US defense contractor.  Securing communications and having confidence in message integrity, both in the identity of the sender and in the integrity of the content, have always been important, if not vital, to communications over the Internet.  I was struck by this blog post, in part because I have heard of Filippo's work, but most of all because I completely agree with his message.

 

Websites Intentionally Disabling Password Managers

It wasn't just me.  The folks at Wired have noticed that some web sites are not very password-manager friendly.

I travel fairly often.  Lots of that travel is for work, but I do get around on personal business and to get away.  One of my go-to sites for travel is Hilton dot com.  I've been a Hilton customer for a long time.  I like their hotels.  I think they treat me well wherever I go.  This isn't an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for 'remember me', which makes the site drop a cookie in your browser.  This window also has 'forgot your sign in' and 'register for site' dialogs.

The annoying thing is that Hilton has added a check to see if you are a robot.  It seems that if the cookie isn't found in your browser, the site adds a robot test to see if the session has a human attached.  I found the test usually involves matching text to pictures.  If you often clear cookies (as many security researchers and I do) you'll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager, this test comes up after that software has filled in the username and password fields and submitted them, so my login fails.  Once that happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.

 

New Apple Guidelines Explain What Data the Company Will Provide to Law Enforcement

Ars Technica has a great article that explains recently published Apple guidelines regarding what customer data the company will provide to law enforcement.  Reviewing and understanding Apple's position is important, as the company's consumer devices, such as the iPhone, the iPad, and Mac computers running OS X, readily give users the ability to use both local and cloud storage for their data.

The guidelines referenced in the Ars article were posted by Apple under the heading "Legal Process Guidelines for U.S. Law Enforcement" and were released on May 7th, 2014.

Seminars at the John Jay Center for Private Security and Safety

If you are near New York City and interested in cyber security and criminal justice, I suggest attending the seminars at the Center for Private Security and Safety at John Jay College in Manhattan.  I attended seminars on cybersecurity and cyber espionage.  The presenters I saw are faculty from the college.  I found the seminars to be very well prepared and presented.  The technical level seems targeted at an upper-class undergraduate (junior or senior), but all questions, both more and less technical, were answered.