Tuesday, November 24, 2009

CMD.EXE Incident Response Cheat Sheet

Recently, I have been putting together some incident response tools and documentation for our systems administrators and wanted to provide an easy to use reference of Windows command line tools available at their disposal. There is a a lot of great information and resources available but I could not find a single one page cheat sheet of all the cmd.exe commands one might use during incident response. The closest thing I found to containing all the commands I wanted to cover was Russell Butturini's Hak5 U3 Switchblade which is an awesome resource but my aim was to teach what each command does. Consequently, I began creating a cheat sheet myself using Jeremy Stretch's popular PacketLife.net cheat sheet template he recently made available here.

I have attached v1.0 and am hoping others can find some value with using it or maybe make some suggestions or additions to it. I would love to do one for Linux and maybe a more detailed one on WMIC. Let me know what you think.

Monday, November 23, 2009

RBS Worldpay: It's Not Child's Play

I have found the RBS Worldpay ATM heist fascinating. Although the dollar amount stolen cannot compare to some larger compromises in recent history, the coordination the attackers and thieves displayed is unprecedented. Moreover, it appears the corporation of law enforcement spanning three continents was able to bring an indictment on November 10, 2009. A copy of that document can be found here. Not much is known about the technical details of the compromise but I recently decided to put together a diagram of what is known about the heist for a training I am scheduled to do next month. I used the Crayon Network Visio Stencil found here to create it and though some might find it amusing.

More articles and coverage on the compromise and arrests can be found here:


Monday, November 16, 2009

Only You Can Prevent Forest Fires - A Smokey The Bear Approach to Security

A few weeks back Larry Pesce from PaulDotCom posed the following question on Twitter:

"Hmm. If you had to deploy ONE security technology in your organization, what would it be? What is the risk reduction vs, total effort?"

Many people quickly replied. Some answers included: a comprehensive patch management solution (my pick), Security Information Management (SIM) system, network based firewall, Intrusion Prevention System (IPS), incident response plan, and my personal favorite "a very large dog..." . Larry quickly followed up asking what would the second technology be and why?

I struggled with that question. After all it is a "no win" situation. A proper incident response plan would certainly be needed but is reactive. Network defenses would be beneficial but do not take in account a mobile workforce. I finally settled on some sort of central system that would facilitate the system hardening of the end nodes. The reasoning for my answer is the result of experiences I had early in my information systems career.

During my time as a desktop support tech, I spent most days putting out fires. The lack of centralized patch management, host based firewalls, build procedures, and asset management was the source of chaos for the desktop and systems administration teams. Worm outbreaks, improper configuration, and end users running with local administrator rights were the norm not the exception. Consequently, the team was too busy chasing their tail around to be proactive. Those experiences resonated heavily with me and ever since I have insisted in being proactive whenever possible.

Would have proper incident response or a SIM solution have helped my former employer? Maybe. Incident Response procedures and SIM's are important parts of any defense infrastructure but they are reactive, not preventative. Consequently, I would certainly place them in my top five but only after implementing the basics of defense.

While Larry's hypothetical situation is enough to give any security practitioner nightmares, I found it to be a great source of self reflection. Larry discusses the replies in more detail during Episode 172 of PaulDotCom Security Weekly, so check it out when you get a chance. I'm interested to know what you would choose and how fast you would update your resume if you found yourself in the same situation.

Friday, November 13, 2009

DojoCon 2009

I have had several things I have been meaning to post but my day job has been keeping me crazy busy lately. However, I did manage to find a few hours to check out some of the talks streaming live from DojoCon 2009. For those not familiar with DojoCon, it was created by Marcus J. Carey this year and was held November 6-7, 2009 in Maryland. Marcus not only coordinated the conference but also donated a large amount of the proceeds to Hackers for Charity (HFC). I had the opportunity to watch several talks including the keynote from Marcus Ranum, a great talk by Matt Watchinski of Sourcefire VRT, and a fantastic breakdown on lock picking by Deviant.

I haven't had the opportunity to watch the remaining talks yet but I am looking forward to it. I recommend you check out some of the recordings, drop Marcus a thank you note, and donate to HFC. Marcus did a great job with the con and HFC is a great cause.

Thank you Marcus!