Tag Archives: SANS

Using Sysmon To Enrich Security Onion’s Host-Level Capabilities

SANS recently accepted my GCFA Gold paper, Using Sysmon To Enrich Security Onion’s Host-Level Capabilities. The abstract is as follows:

With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host-level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.

You can find the paper here. [pdf]

You can also find the ELSA Parsers, as well as the OSSEC decoder and rulesets that I wrote, on Github.

In the next month, I will be breaking up some key parts of the paper into a number of blog posts.


Security Onion Cloud Client – NSM for the Cloud

As of yesterday, SANS has accepted & published the whitepaper for my GCIA Gold, titled “The Security Onion Cloud Client – Network Security Monitoring for the Cloud.”

With “cloud” servers continuing to become ever more popular, along with typical off-site servers (VPS/dedicated), Network Security Monitoring (NSM) practitioners struggle to gain insight into these devices, as they usually don’t have the ability to tap the network traffic flowing to and from the servers. To solve this problem, I propose designing a cross-platform (Windows, Linux) NSM client that would integrate with Security Onion, an NSM-centric Linux distribution. Essentially, the NSM client would copy traffic (near real time) to the Security Onion sensor, which would then process the data as it would any other network tap. This would allow NSM practitioners the visibility they need into their off-site servers that are not in a setting where a typical NSM setup would suffice.

This was a topic that has direct impact on what I do on a daily basis, as most of the organizations that I do work for have at least a couple of cloud servers. I will be taking the next couple of months and integrating the Cloud Client into Security Onion. Hopefully it will see the light of day on the stable PPA by the end of the year.

As for the actual paper, until SANS puts it on their Reading Room, you can find a pdf of it here.


Introducing… WinTAP

As part of my GCIA Gold project & paper that was recently published, Defensive Depth, in collaboration with New Tribes Mission USA, funded the development of WinTAP, a Daemonlogger clone for Windows.

The first iteration of WinTAP was a proof of concept that was essentially a .NET wrapper around WinPcap. This worked well, but performance was not as good as could be hoped for. The next iteration took the proof of concept and, instead of using WinPcap, implemented WinTAP as a kernel-mode driver using NDIS 6.0. This allowed for much better performance and stability.

From the official description:

WinTap is a packet sniffer and soft-tap developed to mirror packets flowing through an Ethernet interface. It is purely based on NDIS, which allows us to sniff packets and rewrite them to a second interface acting as a soft-tap. WinTap consists of two components:

1. NDIS 6.0 based protocol driver.
2. User mode soft-tap.

These two act in tandem to create a soft-tap, where the protocol driver sniffs the traffic and delivers it to the user-mode application. The user-mode application does the redirection logic and returns the packets to be rewritten to the second interface.

WinTAP is licensed under GPL 2; source can be found on Github.


Accepted to STI + More…

Just a quick personal update:

I was just recently accepted to the SANS Technology Institute to pursue my MSISE (MS in Information Security Engineering). With my previous coursework/certifications being accepted, I am currently halfway through the program. I am expecting to do a couple of classes a year, and to finish the program by 2015.

With this being the case, I am currently working on my GCIA Gold.


GSEC Gold Paper Accepted: Securely Integrating iOS Devices into the Business Environment

This past weekend, I was put on notice that my GSEC Gold paper was accepted and published by SANS. Here is the abstract:

“Driven primarily by the end user, iOS devices continue to inundate businesses at an ever-increasing rate. Because these devices are housing sensitive organizational data, it is imperative that it is understood what risks to the organization are involved in allowing users to utilize these devices for business. Ascertaining what the risks are, and what the compensating controls would be, should be a critical component of any business risk assessment. The security features of the device itself, how applications are utilized on the device, and the actual usage of the device need to be evaluated. Beyond the aforementioned areas, a major consideration that needs to be taken into account is whether the device is personally owned or business owned, as well as how it is managed, as these will be the primary factors by which controls are evaluated to manage the incurred risk. Finally, users need to be made aware of the risks, and trained in what their responsibility is to reduce the risk to an acceptable level.”

Here is a link to the paper.


GCIH Gold Paper Accepted

As I alluded to in a past post, I have been working on my GCIH Gold paper for the past 6 months. Well, I submitted it last month, and just found out that it has been accepted/passed! This means that I now have my GCIH Gold certification. I will be working on my GSEC Gold certification next.

As for the paper itself, I decided to do original research on social engineering on social networks, specifically on the amount of information that people give up on the “harmless” quizzes they take on social networks like Facebook.

Below is the abstract (you can find the paper online here):

Social engineering for identity theft has always been around. But now, with the advent of social networking sites such as Facebook, MySpace, and a host of others, it has become easier than ever to harvest personal information from unsuspecting targets. This paper looks into just how much personal information can be gathered by the seemingly harmless “What type of personality are you?” quizzes that are so prevalent on social networking sites. The paper will then look at what the information could be used for, and how to protect against this particular vector of social engineering.


Josh Brower’s GCIH Gold Project

Just wanted to give you a brief update on what I have been working on lately.

I am currently working on my GCIH Gold paper. My abstract was accepted by SANS, and I have been working on it for a little over a month now.

I would rather not share the abstract for now, as it is an area of original research, and I would rather not tip my hand.

But to give you a clue of the general direction, here is a pic of some of my source material for the background research.

[Image: Current Reading]


SANS Audit 521: Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant

This week I am starting a new 2-day SANS class. This class deals with the credit card industry standard, PCI DSS. The organization I work with is working on PCI DSS compliance, and I am heavily involved in it, so we decided that I should go ahead and take the class, to get as educated as I can about the standard. I will be posting a Lessons Learned and review of the class after I finish it, sometime in the next few weeks. I will also be posting what I am currently doing in my new position in Michigan.


“Hacker Techniques, Exploits & Incident Handling” :: A Review ::

As I mentioned in my last post, I just finished the SANS SEC 504 class: Hacker Techniques, Exploits & Incident Handling. As with my previous 2 SANS classes, I took it over 4 months using SANS OnDemand, which allows me to take the class online, at my own pace. The teacher was the well-known Ed Skoudis of Counter Hack fame.

The only negative I have about this class is the same as the last two OnDemand classes I’ve taken: the layout of the OnDemand system. Let me quote from my previous OnDemand review:

“Like my previous class, I took it OnDemand, meaning that I logged into the SANS website and took it online, at my own pace. I have to say that I really like this format, but I do have to say that the OnDemand interface is not the most intuitive. Check out CERT’s VTE for intuitive.”

Ed Skoudis is a great teacher, though he does tend to talk really, really fast when he gets passionate, which he usually was, at least in this particular class.

The class was divided into two basic sections: Incident Handling, and Hacker Techniques and Exploits.

The first section, Incident Handling, delved into the topic of “how to handle an Incident,” which is defined as, “the action or plan for dealing with intrusions, cyber-theft, denial of service, and other computer security-related events.”

The second section, Hacker Techniques and Exploits, went into an extended technical discussion on the phases of an attack, and what sort of vulnerabilities an intruder exploits to take control of a system / network.

Some of the topics included:

- ARP Cache Poisoning and DNS Injection
- Buffer Overflows in Depth
- Format String Attacks
- Kernel-level Rootkits
- Using Fragroute, Fragrouter and Whisker IDS Evasion Tactics
- And a lot more of the same type of stuff.

I found this portion of the class to be my favorite. We got very nitty-gritty technical, and yet it was very practical.

Overall, I would have to give the content a very high rating. Though the content was current, it probably was not cutting edge.

Final thoughts:

I found this class to be a great, very technical yet very practical discussion on the whole topic of Incident Handling and “hacker” techniques.

A side note: Bejtlich had an interesting discussion on how SANS defines Incident Handling/Response, and SEC 504. Check out http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html for the post.


Aced the GIAC Certified Incident Handler (GCIH) Exam…

Well, I just got back from Charleston, where I had my GCIH exam this morning.

I was pleasantly surprised to find that it turned out to be fairly easy. It probably helped that I have spent the past 4 months studying through the SANS class associated with the GCIH. After a little under an hour and a half, I finished the exam with a 96%.

With two silver certifications out of the way, I now need to complete the two accompanying Gold papers to apply for the Master’s program.

In an upcoming post, I will review the SANS class I just finished (SEC 504).
