TRAINING PROGRAM
Monday, July 31, 2006
M1 TCP/IP Weapons School (Day 1 of 2) NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.
Who should attend: Junior and intermediate analysts and
system administrators who detect and respond to security incidents.
TWS is the right way for junior and intermediate security
personnel to learn the fundamentals of TCP/IP networking. Students
learn how to interpret network traffic by analyzing packets generated by
network security tools. Examples of normal, suspicious, and malicious
traffic teach analysts how to identify security events on the wire.
Students will generate traffic in a virtual machine and analyze that
traffic using open source tools.
TCP/IP Weapons School will be as interactive as the student wishes. The
instructor will provide one FreeBSD VMware image loaded with the tools he
will discuss in class. He will also provide a Linux target VM. Students
can run both images on a student-provided laptop, provided the free VMware
Server product is installed.
The point of the class is to teach TCP/IP by looking at nontraditional
TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for
reference purposes.
The name of the course is related to the US Air Force Weapons School,
which is the "Top Gun" of the Air Force.
Course plan:
This is a condensed and intensive two-day version of a four-day course. The
class will concentrate on the protocols and services most likely to be
encountered when performing system administration and security work. Students
will create the traffic that would be seen during various malicious security events.
I plan to teach TCP/IP using a layered approach. For example:
Day one, part one:
- Layer 1: Ethernet and 802.11; show frame formats; contrast with IP over Firewire; tools to create fake wireless access points
- Layer 2: ARP traffic; 802.1q trunking and VLANs; Cisco Discovery Protocol; demonstrate tools which perform ARP poisoning and related layer 2 attacks (Yersinia, Ettercap)
Day one, part two:
- Layer 3: IP: demonstrate IP spoofing, IP fragmentation, and routing attacks (IRPAS, RPAK); address DHCP as a protocol that assigns IP addresses; basic routing protocols; ICMP reconnaissance (Xprobe2) and ICMP attacks against TCP (Gont)
Richard Bejtlich (M1, T1) is founder of TaoSecurity LLC, a company
that helps clients detect, contain, and remediate intrusions using network
security monitoring (NSM) principles. He was previously a principal
consultant at Foundstone, performing incident response, emergency NSM, and
security research and training. He has created NSM operations for ManTech
International Corporation and Ball Aerospace & Technologies Corporation. From
1998 to 2001, Richard defended global American information assets
in the Air Force Computer Emergency Response Team (AFCERT), performing and
supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, he holds degrees from Harvard
University and the United States Air Force Academy. Richard wrote The Tao of Network
Security Monitoring: Beyond Intrusion Detection and the forthcoming
Extrusion Detection: Security Monitoring for Internal Intrusions and Real
Digital Forensics. He also wrote original material for Hacking
Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular
Web log resides at https://taosecurity.blogspot.com.
M2 DDoS for Fun and Profit
Sven Dietrich, CERT Research, Carnegie Mellon University; David Dittrich, University of Washington
9:00 a.m.–5:00 p.m.
Who should attend: System administrators, network
administrators, and computer security practitioners. A basic understanding of IP networking, network protocols, and routing as
well as an understanding of computer security fundamentals is required.
The tutorial will trace the development of denial of service attacks from
early, machine-crashing exploits to the present day distributed denial of
service (DDoS) attacks. A substantial portion of the tutorial will be
devoted to understanding DDoS attacks and developing appropriate
responses. Among the issues to be addressed are preparing for a DDoS
attack, recognizing the attack type and probable attack pattern, designing
appropriate filter rules to mitigate the attack, and working with upstream
providers. We will also survey current research that may lead to ways of
thwarting such attacks in the future.
Topics include:
- Fundamentals: Basic networking and routing protocols
- Denial of Service:
  - Basic concepts
  - Vulnerabilities and pathologies
  - OS support
  - The jump from DoS to DDoS
  - Evolution of attack tools
- Classes of DDoS tools:
  - What they do
  - Choices in the attack space
  - How they work
  - Currently available tools and bots
- Diagnosis of the problem:
  - How do you know you are under attack?
  - Symptoms in your own operational and system monitoring data
  - Differentiating between flash crowds and attacks
  - Advances in research
  - Inspecting a compromised system
  - Building a monitoring/traffic capture facility
- Mitigation:
  - Recognition of the attack
  - Attack signatures and attack tool identification
  - DoS vs. DDoS
  - Indications of single and multiple sources
  - Creating countermeasures
  - Techniques for limiting the damage
  - Characterizing the attacked resources
  - Infrastructure changes
  - Traceback
  - Filtering
  - Active response
  - Strikeback
- Political hurdles:
  - Dealing with your ISP
  - Dealing with management
- The bright road ahead:
  - DDoS and beyond
  - Prospects for future advances in attacker tools
  - Technical, legal, and political mitigation strategies
Sven Dietrich (M2) is a senior member of the technical staff at CERT Research at
Carnegie Mellon University and also holds an appointment at the Carnegie
Mellon University CyLab, a university-wide cybersecurity research and
education initiative. Previously he was
a senior security architect at the NASA Goddard Space Flight Center, where
he observed and analyzed the first distributed denial-of-service attacks
against the University of Minnesota in 1999. He taught Mathematics and
Computer Science as adjunct faculty at Adelphi University, his alma mater,
from 1991 to 1997.
His research interests include survivability, computer and network
security, anonymity, cryptographic protocols, and cryptography. His
previous work has included a formal analysis of the secure sockets layer
protocol (SSL), intrusion detection, analysis of distributed
denial-of-service tools, and the security of IP communications in space.
His publications include the recent book Internet Denial of Service:
Attack and Defense Mechanisms (Prentice Hall, 2004), as well as
the articles "Analyzing Distributed Denial of Service Tools: The Shaft
Case" (2000) and "The 'mstream' Distributed Denial of Service Tool"
(2000), and others on Active Network Defense, DDoS tool analysis, and
survivability.
David Dittrich (M2) is a Senior Security Engineer and Researcher for the UW
Center for Information Assurance and Cybersecurity and the Information
School at the University of Washington, where he has worked since 1990. Dave is also a member of the
Honeynet Project and Seattle's "Agora" security group.
He is most widely known for his research into Distributed Denial of
Service (DDoS) attack tools and host & network forensics. He has
presented talks and courses at dozens of computer security
conferences, workshops, and government/private organizations
worldwide. He has been a prolific self-publisher of white papers, FAQs,
and malware tool analyses, all intended to make his (and everyone
else's) life easier in dealing with computer intrusions. Dave has
contributed to the books Know Your Enemy, by the Honeynet Project
(Addison-Wesley, 2001), The Hacker's Challenge, edited by Mike
Schiffman (McGraw Hill, 2001), and two articles in the Handbook of
Information Security, edited by Hossein Bidgoli (John Wiley & Sons,
2005), and was a co-author of Internet Denial of Service:
Attack and Defense Mechanisms (Prentice Hall, 2004). Dave was recently
named one of Information Security Magazine's "Security Seven"
(representing the education sector) in 2006.
M3 Measuring Security NEW!
Dan Geer, Geer Risk Services
9:00 a.m.–5:00 p.m.
Who should attend: Operations and security managers who need to design or interpret a metric structure for security risk
management.
"You cannot manage what you cannot measure": every business
school says this, so it must be true. "Cyber security is about
risk management": almost everyone believes this, and for good
reason. The sum of the two says that with respect to
computer-related security we are hosed if we don't get on the
ball and design some decent security metrics. So far, so
good, but what in tarnation is that? "Ay,
there's the rub," as Hamlet would say. This tutorial makes a
healthy stab in the direction of security metrics and hopes
that its students soon surpass their teacher, which may not be
all that hard, as security metrics design is somewhere between
infancy and toddlerhood.
Topics include:
- Where You Stand Depends on Where You Sit: What management
texts/schools mean when they say, "Measure what you manage"
- Good Artists Create, Great Artists Steal: Styles and
methods of measurements used in other fields that are applicable to
security risk, and how to steal them
- Modeling: Is there any point in lifecycle or other models
of how security works; is there any unifying abstraction worth
using?
- Large Numbers: The state of the world and how to compare
yourself to it
- Information Sharing: Data fusion is dangerously powerful
but essential (with a sidebar on de-identification as a pre-sharing
safety mechanism)
- Where to Begin: How to roll your own, and a few pitfalls to
avoid, assuming that decision support is your real deliverable
- How to Communicate What You Find: Being simple without
being simplistic
Topics do not include:
- Secure coding standards, disaster recovery planning, firewall
log analysis, or anything else that is already a solved problem
or a side effect of low/no discipline
Dan Geer (M3). Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor
of the first academic conference on electronic commerce (1995), the
"Risk Management Is Where the Money Is" speech that changed the
focus of security (1998), the presidency of the USENIX Association
(2000), the first call for the eclipse of authentication by
accountability (2002), principal author of and spokesman for
Cyberinsecurity: The Cost of Monopoly (2003), and co-founder of
SecurityMetrics.Org (2004).
M4 Introduction to Practical Cryptography NEW!
Steven M. Bellovin, Columbia University
9:00 a.m.–5:00 p.m.
Who should attend: Programmers and managers who use or procure (or should use) cryptographic
software or hardware. No previous background in cryptography or math is
required, nor are any particular programming languages assumed.
This tutorial provides an introduction to (a bit of) cryptographic theory;
it concentrates on how cryptography can actually be used.
After completing this course, participants will understand how to apply
cryptographic mechanisms and how to integrate such protocols as SSL and
S/MIME into application systems. More importantly, they'll understand what
not to do themselves. They'll also be much more able to understand and
evaluate cryptographic products.
Topics include:
- What is cryptography? History of cryptography
- Cryptographic primitives (block ciphers, hash functions, etc.)
- Cryptographic combinations and protocols
- Cryptography and the Internet: the design and use of major protocols, such as IPsec, SSL, and S/MIME
- Integrating standard mechanisms into your applications
- Threats
- References
Steven M. Bellovin (M4) is a professor of computer science at Columbia
University, where he does research on networks, security, and
especially why the two don't get along. He joined the faculty in
2005 after many years at Bell Labs and AT&T Labs Research, where
he was an AT&T Fellow. He received a BA degree from Columbia
University, and an MS and PhD in Computer Science from the University
of North Carolina at Chapel Hill. While a graduate student, he
helped create Netnews; for this, he and the other perpetrators were
awarded the 1995 USENIX Lifetime Achievement Award. He is a member of
the National Academy of Engineering and the Department of Homeland
Security's Science and Technology Advisory Board.
Bellovin is the co-author of Firewalls and Internet Security:
Repelling the Wily Hacker, and holds several patents on cryptographic
and network protocols. He has served on many National Research
Council study committees, including those on information systems
trustworthiness, the privacy implications of authentication
technologies, and cybersecurity research needs; he was also a member
of the information technology subcommittee of an NRC study group
on science versus terrorism. He was a member of the Internet
Architecture Board from 1996–2002; he was co-director of the Security
Area of the IETF from 2002 through 2004.
Tuesday, August 1, 2006
T1 TCP/IP Weapons School (Day 2 of 2) NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.
See Part 1, M1, for the description of the first day of this tutorial.
Course plan:
This is a condensed and intensive two-day version of a four-day course. The
class will concentrate on the protocols and services most likely to be
encountered when performing system administration and security work. Students
will create the traffic that would be seen during various malicious security events.
I plan to teach TCP/IP using a layered approach. For example:
Day two, part one:
- Layer 4: TCP, UDP; many packet crafting tools operate at this layer (Hping, Scapy); port scanning (Nmap, Scanrand)
Day two, part two:
- Layers 5–7: demonstrate tools which pretend to be various applications (Honeyd, Nepenthes); cover HTTP, FTP, SMB, DNS, TFTP (time permitting); also show exploitation of services using Metasploit
T2 Understanding and Addressing the Threat of Internet Worms NEW!
Vern Paxson, ICSI/LBNL; Stefan Savage and Geoff Voelker, University of California, San Diego; Nicholas Weaver, ICSI
9:00 a.m.–5:00 p.m.
Who should attend: Researchers, Ph.D. students, and practitioners interested in the
magnitude of the threat of, and the range of possible defenses against,
large-scale "worms" that self-propagate across the global Internet.
Participants should have a solid knowledge of TCP/IP networking.
For researchers, this tutorial is particularly aimed at those
new to the problem domain.
In the past five years, large-scale Internet epidemics have
profoundly demonstrated the threat posed by self-propagating
programs ("worms"). The combination of widespread software
homogeneity and the Internet's unrestricted communication model
creates an ideal climate for infectious pathogens. Worse, each
new generation of outbreaks demonstrates increasing speed, virulence,
and sophistication.
Much has been done in recent years to understand and address this
threat; and much remains to be done. This tutorial provides a
detailed technical overview for researchers and network security
practitioners looking to immerse themselves in the state of the
art.
Topics include:
- Using "network telescopes" to observe Internet-scale behavior
- Measurements and forensic analysis of outbreaks
- Scan detection
- Content-sifting
- Host-based detection
- Behavior-based detection
- Honeyfarms
- Botnets
- Future worms
Vern Paxson, Stefan Savage, Geoff Voelker, and Nicholas Weaver (T2) are all
principal investigators of the 5-year,
NSF-sponsored Collaborative Center for Internet Epidemiology and
Defenses.
Dr. Vern Paxson is a senior scientist at the International
Computer Science Institute (ICSI) and a staff scientist at the
Lawrence Berkeley National Laboratory. His main active research
projects are network intrusion detection in the context of Bro, a
high-performance network intrusion detection system he developed;
large-scale network measurement and analysis; and Internet-scale
attacks.
Profs. Stefan Savage and Geoff Voelker serve on the
faculty of the Computer Science and
Engineering Department at the
University of California, San Diego. They have published extensively
on the characterization of and defense against large-scale
denial-of-service and worm attacks on the Internet. Prof. Voelker
likes to surf.
Dr. Nicholas Weaver is a researcher at ICSI,
specializing in automated detection and response systems, with a
particular interest in hardware-friendly algorithms and
implementations.
T3 RFID Security & Privacy NEW!
Kevin Fu, University of Massachusetts; Adam Stubblefield, JHU Information
Security Institute and Independent Security Evaluators;
Ari Juels, RSA Laboratories
9:00 a.m.–5:00 p.m.
Who should attend: (1) Engineers and researchers looking
for a technical background on academic and industrial aspects of RFID
security, and (2) technically savvy managers who seek to understand
the risks and benefits of RFID technology. People who need to deploy
an RFID system will learn about potential threats and pitfalls in RFID
security and privacy.
Purveyors of Radio Frequency IDentification (RFID) technology conceive
of a new world of automation and consumer convenience. Indeed, RFID
surrounds us in many forms: supply chains, car keys, credit cards,
subway fare passes, and even blood bags. Yet these new applications
can result in unintentional privacy risks and security pitfalls. In
this tutorial, participants will gain an understanding of (1)
applications of secure RFID systems in public transportation,
electronic payments, and access control; (2) cutting-edge
cryptographic attacks on deployed RFID security systems; and (3)
defenses to avoid security and privacy risks. Participants will also
learn the basic properties of how RFID works from the perspective of
someone who uses RFID products.
After completing this tutorial, participants will better understand
how to quantify and reduce the security and privacy risks of deploying
RFID-based systems.
Kevin Fu (T3) is an assistant professor in Computer Science at
UMass Amherst where he
develops privacy-preserving RFID tickets for
public transportation. He has a PhD from MIT.
Adam Stubblefield (T3) is a research professor at the JHU Information
Security Institute and a partner at Independent Security Evaluators.
Adam specializes in evaluating the security of devices ranging from
RFID payment systems to electronic voting and wireless security. He has a PhD from Johns Hopkins University.
Ari Juels (T3) is presently the research manager and principal research
scientist at RSA Laboratories, where he has worked for nearly a
decade. He has a PhD from UC Berkeley.
T4 Security Without Firewalls NEW!
Abe Singer, San Diego Supercomputer Center; Paul Robertson, Consultant
9:00 a.m.–5:00 p.m.
Who should attend: Administrators, security personnel, and anyone responsible for administering
a network. This talk is technical (and not purely conceptual), and requires
practical technical knowledge or expertise.
Effective network security is not about blocking traffic at a perimeter.
If the hosts themselves are not managed and secured, securing the network
can be a waste of time. The San Diego Supercomputer Center does not
use firewalls, yet managed to go almost 4 years without an intrusion (and a
firewall would not have helped against the one intrusion we have had).
The approach defies some common beliefs, but it seems to work, and
scales well.
"Use a firewall" is the common mantra of much security documentation,
and is the primary security "solution" in most networks. However,
firewalls don't protect against activity by insiders, nor do firewalls
provide protection for activity that is allowed through the firewall.
Against external threats as well as internal ones, you can build an effective, scalable
host-based security model.
The key parts of that model are:
- knowing your environment
- centralized configuration management
- regular and frequent patching
- strong authentication (no plain-text passwords)
This tutorial will approach securing a networked computer environment by
taking a comprehensive, center-out approach. While network-layer security
will be discussed, it will be a small part of the overall presentation.
Topics include:
- The Security Approach
  - Understanding and evaluating trust relationships
  - The threat perspective: protecting data
  - The ongoing process of managing your environment
  - Policy realism: an effective approach to policies that allow you to do your job, and allow others to do theirs
- Building/fixing your environment
  - Simple approach to auditing the configuration of UNIX hosts, networks, and services
  - Auditing Windows systems
  - Building reference systems and maintaining consistency using cfengine
  - Recapturing control of your Windows desktops from your users
- System Administration
  - Trusted systems and the real world: configuration, administration, and challenges dealing with SELinux, RSBAC, Trusted Solaris, etc.
  - Managing user accounts and credentials
  - Securely configuring and managing core network services, such as NFS, DNS, SSH
  - Patching strategy
  - Good system administration practices
- Security from physical attacks
  - Disk encryption: the good, the bad, and the ugly of encryption options, recovery, backup, etc.
  - DeviceLock and other 3rd-party device access control tools
- Miscellaneous bits
  - S/MIME implementations, encrypting and signing emails
  - Centralized logging
  - Real-world examples of catching bad things going in and out of your environment
  - Burglar alarms
  - Response plans and forensics-friendly environments
- Network-layer security
  - Firewalling and its uses
  - Layer 2 fun: network-level configurations, how effective they are, when and when not to use them, and what threats they address
  - Overview of network tunneling and encryption
Abe Singer (T4) is a Computer Security Researcher in the Security Technologies
Group at the San Diego Supercomputer Center. In his operational security
responsibilities, he participates in incident response and forensics
and in improving the SDSC logging infrastructure. His research is in
pattern analysis of syslog data for data mining. He is co-author
of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O'Reilly book on log analysis.
Paul Robertson (T4) has over 22 years of experience. Currently he is an
independent consultant providing IT, security, computer forensics,
training, telecom, and RFID services. He moderates the Firewall-Wizards
mailing list and is the editor of the Network Firewalls FAQ.
Mr. Robertson was Director of Risk Assessment for TruSecure (now
CyberTrust), where he founded their computer forensics and ISAC
programs, and assisted ICSA Labs in its IDS and firewall testing
programs. Prior to TruSecure, he worked at Gannett Company, putting
USAToday.com on the Internet, providing corporate-wide Internet and
information security expertise, investment analysis, and network design.
Mr. Robertson spent a number of years as a mainframe assembly language
programmer for an ISV writing DBMS software. Mr. Robertson started his
career in the U.S. Army, including a tenure at The White House during the
Reagan administration providing computer and telecommunications support to
the President of the United States, Vice President, National Security
Advisor, National Security Council, and others as directed.