Thursday, 24 October 2013

DeepSEC - Effective IDS/IPS Auditing And Testing With Finux

DeepSEC - Effective IDS/IPS Auditing And Testing With Finux – Arron 'f1nux' Finnon

There comes a time in your life when you have to walk the walk! As a public speaker, I’ve done my share of talking the talk, and those that know me, know I have recently been conducting a lot of small training courses and workshops on effective NIDS/NIPS auditing and testing.

Truth be told, I’ve been doing this for two reasons. The first reason is that no matter how much I talk about this issue, nothing is going to help people more than sitting down and working with them. The second reason I’ve been on the road so much is getting myself in shape for DeepSEC training. Now, if you have to ask why getting myself fighting fit for DeepSEC is so important to me, then you've either not been to the conference, or frankly you have no idea what on earth you're talking about.

I've always had a great love and respect for the crew of DeepSEC, and I have never hidden that. I've been to a lot of conferences, and frankly a lot of conferences like to boast about being the best in Europe. DeepSEC doesn't need to boast! I believe DeepSEC to be the best, full stop! The lack of egotistical babble; the beautiful city of Vienna; the amazing speakers and trainers; the warm and friendly family feeling you get there; and most importantly the crew that manages it, all show that bigging yourself up doesn't count for anything, doing it does!

So that being said, time to big up our training offering. So yes, of course ours is the best training offering ever! Of course you should hurry right now and purchase a ticket before they sell out, in fact buy two or three, I mean every geek has at least one friend! Yeah, it will be biblical and we'll shove so much information into your brains that you'll be crying pcap files till New Year's Day, blah, blah, blah. Seriously though, we have put together something special. Hand on my heart as I swear to God himself, we have taken everything we've learned about NIDS/NIPS testing and put together a course that will actually help. No silver bullets to be found here (we're based in Scotland, we sold the silver a very long time ago!), just what's needed to actually make a test of a NIDS/NIPS worthwhile. We cover everything in the Open Source Network Intrusion Framework (OSNIF) Top 5: NIDS/NIPS Evasion Techniques, False-Positive Issues, Protocol Ambiguities, Detection Rates, and Misconfiguration and Invisible Traffic Issues. We cover why sacrificial host testing with NIDS/NIPS has some serious flaws, and how to produce clean sample attack traffic to test attacks. However, we do have something very special indeed planned for the second day of training.

Now this part is where I get to be mean: I’m not actually going to tell you the details of the second day. All I’m going to say is that we're going to take an issue that faces enterprise networks every day, and we're going to analyse it and build an effective defence against it. Now the details are interesting, and without doubt everyone there will learn a lot. More importantly, though, we'll show attendees how easy it is to take a threat, no matter how big the hype is, and actually defend against it.

This training course will be of benefit to testers as well as defenders. Whilst I’m here, I’m going to put this out there too. This is the début of our OSNIF Top 5 training in Europe; it hasn't been done here, it has never been done, EVER, with a two-day practical defence module. We will be dropping a new open source project on the second day too. So buy your tickets now for DeepSEC, come do the training, and come see me and Gavin's talk whilst you’re there too.

Visit DeepSEC training pages for more information.

Wednesday, 16 October 2013

Alba13 going deep with janet

Alba13 - Going deep with Janet - Jac0byteRebel & F1nux

So Janet likes the Scottish researchers! I mean Janet actually likes two Scottish researchers at any one time! Janet is very accommodating! I think we can all agree, Janet is interesting! Now get your minds out of the gutters. I mean Janet (Joint Academic Network) CSIRT Annual Security Conference on the 30th October in London, silly!

So myself and Gavin 'jac0byteRebel' Ewan are talking at Janet this year, and I must say I'm excited to be there. Some of the talks look very interesting to say the least, and as always it's a great pleasure to see Gavin speak. I'm especially looking forward to seeing the 'new kid on the block' Stephen Bonner speaking. I've heard that this kid will go far in the industry so I'm expecting great things from him. I just hope he copes with the pressure of public speaking; if he takes my advice he'll bring some chocolate to keep his blood sugar up!

That aside, I suppose I should talk about me, well not actually me, but my talk. So, long story short, I'm going to talk about why you should test IDS/IPS and what can happen if you don't! The talk is based on three fictional case studies that have all taken inspiration from real life events. I very much enjoy delivering this talk, as the delivery is a little different from how I normally do things. I hope that the Janet audience will enjoy it too.

(jac0byteRebel's (not to be confused with Jac0byterebel) bit)
My talk, contrary to popular belief, is not about going old school with bats and choppers. It is however a 're-imagining' of my first ever security conference talk, A Salesman's Guide to Social Engineering. In the reworked talk all of the psychology BS is stripped out and we are left with a simple narrative: What if one of our salesforce went rogue? How could a sales process be applied in a 'kill chain' type manner to pwn a company and walk away with trade secrets and all the other juicy stuff? A word of warning: if you are easily offended or hold firmly onto the belief that social engineers are mind-bending Jedi, then you might want to stay at home. To the rest of you, see you there.
(jac0byteRebel's bit ends)

Thanks Gavin for your input, you'll need to remind me to take the bat and chopper out of my bag! All joking aside, we're really looking forward to this. Detection, Social Engineering, PCI, Japanese Cherries, some dude called Robbie Walker, and the Bonner chocolate assault all make for a fine day with Janet in London.

Tuesday, 15 October 2013

Historical Tour Of IDS Evasion

DeepSEC 2013 - Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities – Arron 'f1nux' Finnon

Never let it be said that I don't know how to flog a dead horse! In fact, if flogging a dead horse was an Olympic sport you'd all be calling me 'Sir Finux' by now! The problem is that this dead horse seems to have come straight from the pages of some sort of zombie story. No matter how many times you think NIDS/NIPS, or whatever the vendors' marketing department calls them nowadays, is done for, this dead horse isn't dead; it's alive, well, and worth big money. I'm not talking small sums of money like hip-hop stars are used to, I mean mega bucks, like vendors are used to. So maybe in the end I’m not flogging a dead horse after all, maybe I’m flogging a cash cow!

The worrying thing is, I’ve spent years talking about this stuff. I know deep down I’m like a typecast actor, only good for playing the geek roles, in this case the detection geek! What can I say though, I’m one of those geeks that loves detection. It is an interesting challenge that is both rewarding and complex. I've lost count of the number of times I have spoken about network detection and the really sad testament to the NIDS/NIPS industry. In the long and fruitful journey of the NIDS/NIPS industry’s life, I am just the proverbial five minutes before midnight on the doomsday clock.

You see, I’ve talked a lot about effective NIDS/NIPS testing, about building methodologies and standards that everyone interested in network defence technology can utilise to make them, well, better. One of the interesting comments I hear regularly about this is: "Don't you think we run the risk that the IDS industry will become like the Anti-Virus industry?" Well, I always answer this question the same way: which industry do you think came first? NIDS/NIPS have been around for a very long time; not to say the AV market is new or anything, but people tend to be genuinely surprised to find out NIDS/NIPS is older.

My DeepSEC talk looks at the history of NIDS/NIPS, but more importantly, the history of failing. Now look, yes of course I’m going to do some vendor bashing, why change the habit of a lifetime! More importantly though, it is about recognising what has gone wrong, how this can be addressed, and what we can expect from the future. Because in the end, I have been told three things every year since I’ve been involved in security: next year will be the year of the Linux Desktop; next year we will run out of IPv4 address space; and NIDS/NIPS will be dead next year. Each year none of those things have played out as expected.

On a personal note, I would like to add this. It is and always will be a great honour to speak at DeepSEC, and this year will mark my third. I intend for this to be a special occasion and invite you all to come and enjoy it!

Arron 'finux' Finnon
You can find out more about Arron's talk here.

If you want to learn more about testing NIDS/NIPS effectiveness then come join us at DeepSEC in Vienna this year, where Arron Finnon and Gavin Ewan of Alba13 Research Labs will be showing what goes into making an effective and useful NIDS/NIPS assessment. Also we'll be showing how enterprise threats can be managed and how you can build better detection. Find out more details here

Monday, 14 October 2013

The Economics of False Positives

DeepSEC 2013 – The Economics of False Positives - By Gavin 'jac0byterebel' Ewan

It seems fitting that the last blog post I wrote for my own site was also a prelude to DeepSEC, albeit 12 months ago! I am equal parts excited and terrified at the prospect of delivering my new talk 'The Economics of False Positives' at DeepSEC in Vienna this year. Not only am I giving this talk for the first time at DeepSEC, but it also represents a marked departure from my usual bread and butter, social engineering.

The talk draws inspiration from two points of my life, the distant past and the present day. In the distant past, while studying at university, most of you that know me are well aware of my study of psychology, but few are aware of the fact that my degree also comprised a large part of economics. While the psychology side served well for serving up social engineering talks and research (indeed, very much ANTI-psychology), I have had no need to call upon my economics background while working within infosec. Until now.

My good friend, founder of Alba 13 Research Labs and renowned speaker, Arron 'Finux' Finnon, founded not only Alba 13, but also the Open Source Network Intrusion Framework (OSNIF) project. I could write an entire blog post on the merits of OSNIF, and indeed I am an ardent supporter of the project, but as a typecast social engineer I really had nothing much to offer other than moral support. As previously stated, until now.

The OSNIF project, amongst other things, has composed a top 5 of areas that the powers that be in the field of NIDS/NIPS agree need to be addressed in any effective IDS/IPS test. None of the areas has weight over another (so no jockeying for position à la the OWASP Top 10), but one has drawn my attention right from the start: the area of false positives. Flogged to death from a technical perspective, false positives are an area of concern in many technical fields, both in and out of computer security. While a quality checker of loaves accidentally throwing out a bad loaf that turned out to be good is not really a big deal, telling someone they have cancer and then having to retract the statement cannot be covered with an 'Oops, sorry'. Sadly, the attitude to false positives within computer security seems to lie closer to the former than the latter in terms of PERCEIVED impact.

In actual fact, false positives have a tangible business cost. My talk will address this at both a micro and a macro level. At the micro level I shall explore how a business can drill costs down to the level of the individual false positive. At the macro level I will demonstrate that, taking the figures from above, we can provide a model to determine the 'optimum level' of false positives, carefully balancing the need to reduce false positives against the very real effect of having no true positives either! Thus the talk will also move into another of the OSNIF Top 5, Detection Rates, and why the two go hand in hand.
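To make the micro/macro idea concrete, here is an added illustration that is not Gavin's model and uses no figures from the talk: every number below (analyst rate, triage minutes, cost of a missed attack, the detection-rate versus false-positive sweep) is a constructed assumption. The micro level is the cost of one false positive; the macro level sweeps a set of hypothetical tuning levels and picks the one with the lowest expected daily cost, which is neither the zero-false-positive setting nor the catch-everything setting.

```python
from dataclasses import dataclass

# Constructed assumptions for illustration only (not figures from the talk).
ANALYST_HOURLY_RATE = 60.0        # fully loaded cost of one analyst hour
MINUTES_PER_FALSE_POSITIVE = 15.0 # triage time burned on each false alert
COST_PER_MISSED_ATTACK = 5000.0   # expected loss when a real attack raises no alert
ATTACKS_PER_DAY = 2.0             # expected real attacks on the monitored segment


@dataclass(frozen=True)
class OperatingPoint:
    """One hypothetical tuning level of the NIDS/NIPS ruleset."""
    label: str
    detection_rate: float        # fraction of real attacks that raise an alert
    false_positives_per_day: float


# Constructed sweep: looser tuning catches more but floods the analysts.
SWEEP = [
    OperatingPoint("very loose", 0.99, 400.0),
    OperatingPoint("loose", 0.95, 120.0),
    OperatingPoint("balanced", 0.90, 40.0),
    OperatingPoint("tight", 0.80, 10.0),
    OperatingPoint("very tight", 0.50, 1.0),
    OperatingPoint("disabled", 0.00, 0.0),
]


def micro_cost_per_false_positive(hourly_rate=ANALYST_HOURLY_RATE,
                                  minutes=MINUTES_PER_FALSE_POSITIVE):
    """Micro level: what one false positive costs in wasted analyst time."""
    return hourly_rate * minutes / 60.0


def expected_daily_cost(point, attacks_per_day=ATTACKS_PER_DAY,
                        miss_cost=COST_PER_MISSED_ATTACK):
    """Macro level: triage cost of the false positives plus the expected
    loss from the real attacks the tuning level fails to alert on."""
    triage = point.false_positives_per_day * micro_cost_per_false_positive()
    missed_attacks = attacks_per_day * (1.0 - point.detection_rate)
    return triage + missed_attacks * miss_cost


def optimum_point(points=SWEEP):
    """The tuning level with the lowest total expected daily cost."""
    return min(points, key=expected_daily_cost)


def fewest_false_positives(points=SWEEP):
    """The naive 'just minimise false positives' choice, for comparison."""
    return min(points, key=lambda p: p.false_positives_per_day)


if __name__ == "__main__":
    print(f"cost per false positive: {micro_cost_per_false_positive():.2f}")
    for p in SWEEP:
        print(f"{p.label:10s} det={p.detection_rate:.2f} "
              f"fp/day={p.false_positives_per_day:6.1f} "
              f"cost/day={expected_daily_cost(p):9.2f}")
    print("optimum:", optimum_point().label)
    print("fewest false positives:", fewest_false_positives().label)
```

Run it and the cheapest level is the middle of the sweep: the settings with almost no false positives are the most expensive ones, because the missed attacks dominate. Changing the constructed cost of a missed attack or the analyst rate moves the optimum, which is exactly the point of treating the two OSNIF areas together.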

I look forward to seeing you all there!

Gavin 'jac0byterebel' Ewan

You can find out more about Gavin's talk here.