Wednesday, March 21, 2018

Bring Out Your Dead, Bring Out Your Dead!

Well, as the title says; I am bringing out my dead. My dead blog that is. I have been away for a couple years and much has changed. I have progressed quite far now in my security field and have many new skills. I am hoping to share some of what I learn with you in what I hope will be an entertaining and educational way.
I am progressing into malware analysis and will be sharing the results of that, as far as samples I analyze and things I discover.
Also, I have something to say about recent events. To start with: the 'Slingshot' campaign, as discovered and named by Kaspersky. Earlier this month Kaspersky published a report detailing activity targeting many Middle Eastern countries and some in Africa. It explained that the intrusions were carried out by compromising MikroTik routers. The main piece of malware used by the group has been dubbed Slingshot, based on strings found by researchers.
Cyberscoop has now claimed to have learned that Slingshot is actually an operation of the US military's Joint Special Operations Command, a component of Special Operations, and is aimed at members of terrorist organizations such as ISIS and al-Qaeda. The source that gave the information to Cyberscoop has expressed concern that the exposure of the campaign may result in both the loss of a valuable surveillance program and the endangerment of the lives of US soldiers.
Most likely the Slingshot infrastructure has been abandoned following the disclosure.
Who knows what the repercussions from this will be, only time will tell.

Saturday, May 2, 2015

List of Resources for CCNP Security Studies



(working on formatting)

Purpose

This document is one that seems to be needed currently. There is so much out there that I am going to try to put together a list of all the resources currently available for pursuing the CCNP Security certifications. Some of these resources are free and some are paid. Some are not yet available. Please comment and feel free to make any suggestions. I do not intend for this to be a static or solo document. Any good resource for study is welcome.
Starting with the required exams and prerequisites.

Prerequisites
CCNA Security or valid CCSP or any CCIE certification can act as a prerequisite.

Required Exam(s)

Cisco Recommended Training
Implementing Cisco Secure Access Solutions (SISAS)
Implementing Cisco Threat Control Solutions (SITCS)
Implementing Cisco Edge Network Security Solutions (SENSS)
Implementing Cisco Secure Mobility Solutions (SIMOS)



(Paid resource) Videos available on Cisco Learning Network Premium Library
These are the video series that I have located in the Cisco Learning Network Premium Library. I marked which exam they relate to. Hopefully we will get a full play list put together to make it easier to locate for each exam.

==========================================================================================================================================
(Free resource) IPExpert videos available on YouTube
These are free videos that are produced by IPExpert and are available on YouTube
Follow this link to the playlist:
The videos include the following:
  CCNP Security :: SISAS - AAA for Device Administration  23:16
  CCNP Security SITCS Cisco ESA Overview  4:25
  CCNP Security :: SIMOS - IKEv2 Site to Site ASA  20:35
  CCNP Security :: SIMOS - Cryptography Basics  35:34
  CCNP Security and CCIE Security Training Video :: IOS IPS (CLI)  45:31
  CCNP Security :: SENSS - Management Access Configuration  21:19
  CCNP Security :: SISAS - TrustSec Overview  7:49
  CCNP Security :: SENSS - Cisco Prime  12:48
  CCNP VOD Sample :: SECURE :: Traffic Planes  11:48
  CCNP Security Training Video :: VPN High Availability - Failover :: VPN  36:51
  CCNP Security :: IKEv1 IPSec Site-to-Site Digital Certificates - Exam 642-648 - VPN  41:19
  CCNP Security :: ASA Certificate Maps - Exam 642-648 - VPN
==========================================================================================================================================
(Paid resource) Cisco Press Official Study Guides
Not released. The publication dates have been moving targets on these books so far. Everyone is anxiously awaiting the release.
CCNP Security SISAS 300-208 Official Cert Guide <-- UPDATE: Kindle version is available
Hardcover - May 27, 2015. Available for pre-order only
CCNP Security SENSS 300-206 Official Cert Guide (Certification Guide)
Hardcover - August 9, 2015. Available for pre-order only
CCNP Security SIMOS 300-209 Official Cert Guide (Certification Guide)
Hardcover - September 21, 2015. Available for pre-order only
==========================================================================================================================================
(Paid resource) CBT Nuggets Series
A good hint with CBT Nuggets is to sign up for the free week and download all the free lab resources for the videos. They contain some very useful information.
Cisco CCNP Security 300-208 SISAS
November 2014 with Keith Barker
Intermediate 5 Hrs 32 Mins
Cisco CCNP Security 300-209 SIMOS
July 2014 with Keith Barker
Intermediate 9 Hrs 14 Mins
Cisco CCNP Security VPN v2.0
October 2012 with Keith Barker
Intermediate 10 Hrs 33 Mins
Cisco CCNP Security Firewall
October 2012 with Keith Barker
Intermediate 13 Hrs 23 Mins
Cisco CCNA Security 640-554
September 2012 with Keith Barker
Intermediate 11 Hrs 27 Mins
Cisco CCNP Security 300-206 SENSS
June 2014 with Keith Barker
Advanced 10 Hrs 22 Mins
==========================================================================================================================================
(Partner status required) Cisco Partner Education Connection

These videos are all produced by Stormwind. When first posted they could be downloaded, but Stormwind complained and said that Cisco could not allow them to be downloaded, which is too bad because they were formatted for tablets quite nicely. The site still says "download", but that is no longer true.
SIMOS v1.0: Implementing Cisco Secure Mobility Solutions - Video  Duration 11 Hours 25 Minutes
SENSS v1.0: Implementing Cisco Edge Network Security Solutions - Video Duration 12 Hours 6 Minutes
SITCS v1.0: Implementing Cisco Threat Control Solutions - Video Duration 12 Hours 35 Minutes
SISAS v1.0: Implementing Cisco Secure Access Solutions - Video Duration 12 Hours 58 Minutes
==========================================================================================================================================


More to come...

Wednesday, April 29, 2015

Who is the CyberSecurity Specialist?

  • What is he like?
  • Who is he?
  • What must he do to keep up to date?
  • Where does he gather information?
  • What skills are needed?

This article and those that follow will be my attempt to answer these questions.
  The CyberSecurity Specialist certification is designed specifically for the Network Security Analyst role. This person is responsible for monitoring network traffic, identifying potential threats, investigating threats, mitigation and reporting. Now, first let me start by saying that I am fully aware that there are females in this industry, but for the sake of ease and clarity I will continue to use the pronoun 'he'. This area of IT is confusing enough with the lack of clear definitions that we deal with; let's not make it worse, and please do not accuse me of neglecting women in the field. After all, I have an autographed copy of Shon Harris's CISSP AIO guide and I treasure her contributions.

  What is a cyber security specialist like? Well, what is cyber? That one word has more definitions than you can shake a stick at. Do a Google search for the word and you will see about 287 million references. So what is the best definition for the term? I like the first definition that Wikipedia gives: 'a common prefix'. Yeah, that sums it up. Just tack the word onto the beginning of anything; cyber-this and cyber-that. For us, it means some very specific things. I believe that we can agree that cyber is the way everything is going, with or without a clear definition. Let us say for our purposes, as it applies to the noun 'Security', that it means any technology that needs to be steered or governed into a security stance that takes into account all the variables that affect that same technology. Apply that technology to any other technological, or even non-technological, item and it can become subject to a security vulnerability. So where does it tie together? What becomes the combining force? The CyberSecurity Specialist is the glue. It is the specialist that keeps up to date on the latest threats, the latest methods of attack, the latest and greatest one-size-fits-all security solutions. The Specialist needs to be able to tie all of it together into a cohesive presentation, and for that a very special mindset is required.

  One of the key differences I notice about the CyberSecurity Specialist is the mindset. It seems to be a mind that does not easily accept the first answer. One that does not see an end to learning. The one that seeks a role in this area is one that appreciates the smaller details and finds that is where the answers lie. After all, how many friends have you made that can find their way through a packet capture and explain it? How about a syslog that is generated by NetFlow? Looking at traffic and knowing it isn't right. More than the network admin and the server admin, we have to know the application level down to the physical. Know it and know it good. Only by having a good foundation in how things are supposed to work will we be able to discern when something is out of tune. It makes me think of an episode of Star Trek: TNG where Captain Picard recognizes that the engines are out of phase by the feel of the engine's hum under his feet. He knew that ship so well, and that is the level of familiarity that we need to have with all the many aspects of data and how it flows from the very top to the bottom. We have to know where the vulnerabilities are within those areas as well. Where is the weakness that can be exploited? What can protect that vulnerable spot? How do we do it without doing harm on the network? And finally, how do we get it paid for and supported from the top level of management? Without that support the subject of security will not be brought up and will not be laid down for the users to follow. Awareness is a key point that has to be provided by security SMEs. We have it, let's share it.


Look for part 2 to follow



Question: How do we determine targeted counter-measures to targeted threats by the internet-enabled world?

Monday, October 27, 2014

Troubleshooting No Syslog Data in Stealthwatch from ISE Appliances


This is part of a “tales from the trenches” series by K.LeBlanc

Purpose

When faced with an issue where the ISE server appears not to be providing the Syslog data to the SMC, and you are certain that all your configurations are correct, there are certain troubleshooting paths that can be followed to determine where the issue lies. This can be difficult when the ISE devices and Stealthwatch appliances are maintained by different teams. And both teams are certain of their own configurations…

Recently in a client case where an existing ISE deployment that spanned internationally was being integrated with a new Stealthwatch platform, there was a need to do shared troubleshooting between the ISE technician and the Stealthwatch Implementation Engineer. The troubleshooting steps that will be discussed throughout this blog were found to be very useful in identifying the root cause. The purpose of this blog is to save someone else some steps when they are faced with a need for troubleshooting an integration between ISE and Stealthwatch. Without a foundational understanding of what is the expected normal, locating the root cause can be made much more difficult.

To understand how the SMC uses the data, it is necessary to know what data the SMC is specifically interested in seeing from the ISE server. The SMC requires two items to display an Auth-Session from ISE: the IP Address and the Audit Session ID. Why the Auth-Session matters to Stealthwatch is actually key to a major benefit of the platform for security experts who use Stealthwatch for investigations. The Auth-Session data represents an individual user in your organization and includes fields for such critical items as the date and time the session was created, the login type, whether there is a parent session, plus more, and all of this is tied to a user in the organization. From a security point of view this is some really nice data to have in the documents.

Stealthwatch first looks to get all active sessions in ISE. Stealthwatch uses four specific fields to create its second query of the data. These fields are: user_name, Nas_ip_address, audit_session_id and framed_ip_address. If Stealthwatch successfully receives this data it will then look for each individual host. This results in the data that the investigator will see in his document queries.
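As an added example (not from the original post), the check below encodes the data expectations just described: it parses constructed session records using the field names listed above and reports which sessions the SMC could display and query. It assumes the "IP Address" the SMC needs is framed_ip_address, and the key=value line format is a constructed stand-in for real ISE output, not ISE's actual syslog format.

```python
# Added example, not from the original post. Session records and the
# key=value line format are constructed stand-ins for real ISE output.

# Fields the SMC needs before it can display an Auth-Session at all
# (the post's "IP Address" is assumed here to be framed_ip_address).
DISPLAY_FIELDS = ("framed_ip_address", "audit_session_id")
# Fields the SMC uses to build its second, per-host query.
QUERY_FIELDS = ("user_name", "nas_ip_address", "audit_session_id", "framed_ip_address")

def parse_session_line(line):
    """Parse one 'key=value, key=value' line into a dict with lower-cased keys,
    so Nas_ip_address and nas_ip_address are treated as the same field."""
    record = {}
    for part in line.split(","):
        key, sep, value = part.partition("=")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record

def check_session(record):
    """Return (displayable, missing_query_fields) for one session record."""
    displayable = all(record.get(f) for f in DISPLAY_FIELDS)
    missing = [f for f in QUERY_FIELDS if not record.get(f)]
    return displayable, missing

def audit_sessions(lines):
    """Count how the SMC would be able to use each constructed session line."""
    summary = {"usable": 0, "not_displayable": 0, "incomplete_query": 0}
    for line in lines:
        displayable, missing = check_session(parse_session_line(line))
        if not displayable:
            summary["not_displayable"] += 1   # never shows up in the SMC
        elif missing:
            summary["incomplete_query"] += 1  # shows up, but the per-host query is short a field
        else:
            summary["usable"] += 1
    return summary

SAMPLE_LINES = [  # constructed, not real ISE syslog
    "user_name=jdoe, Nas_ip_address=10.1.1.5, audit_session_id=0A0101050000001A, framed_ip_address=10.1.20.15",
    "user_name=asmith, Nas_ip_address=10.1.1.6, audit_session_id=, framed_ip_address=10.1.20.16",
    "user_name=, Nas_ip_address=10.1.1.5, audit_session_id=0A0101050000001C, framed_ip_address=10.1.20.17",
]

if __name__ == "__main__":
    print(audit_sessions(SAMPLE_LINES))  # {'usable': 1, 'not_displayable': 1, 'incomplete_query': 1}
```

Running it on real exports would tell you quickly whether the sessions ISE is sending even carry an Audit Session ID, before anyone touches certificates or firewalls.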
There are some basic requirements that need to be recognized prior to even the first troubleshooting steps so at this point I am assuming these requirements are met. In this engagement these requirements were met so we will move on to the next phase taken in troubleshooting the lack of data in the SMC.

Requirements and Assumptions:

  • The Cisco LAN and/or WLAN infrastructure needs to be configured to support 802.1x authentication and accounting for the StealthWatch and ISE integration to work.
  • ISE needs to be configured with a Helpdesk Admin account for StealthWatch to use.
  • StealthWatch integrates with the ISE appliance designated as the Monitor. This is important to know when ISE is deployed with multiple appliances.

These troubleshooting steps assume that 802.1x has been configured.


After these requirements were confirmed and the configurations had been gone over to ensure no spelling errors or fields left blank, the first step both the ISE and Stealthwatch engineers decided on was a packet capture. Since both sides were certain that the issue was on the other end, a capture from both exit points was decided upon. The capture showed that the encrypted handshake was sent but was failing, and then the ISE server was responding with a RST packet. The .172 address is the SMC and the .56 is the ISE server in this capture (not actual addresses; these were changed for confidentiality).

At first glance this appears to be related to a certificate trust issue. Recall that the SMC must trust the same root certificate that issued the certificate in use by ISE. None of the traces showed the certificate being exchanged, so the systems were not establishing trust.
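Added example, not part of the original post: a small triage of a constructed capture summary that applies the reasoning above per TCP stream, checking whether the Client Hello was ever answered with a Certificate before the server's RST. It also covers the case where a Certificate is sent and then rejected with a TLS Alert, which goes beyond this incident. The line format, stream ids and addresses (192.0.2.172 for the SMC, 192.0.2.56 for ISE) are constructed.

```python
# Added example, not from the original post. Capture lines, stream ids and
# addresses are constructed; "stream src dst description" is a made-up summary
# format, not tshark output.

SMC = "192.0.2.172"
ISE = "192.0.2.56"

CAPTURE = [  # constructed
    "1 192.0.2.172 192.0.2.56 TCP SYN",
    "1 192.0.2.56 192.0.2.172 TCP SYN,ACK",
    "1 192.0.2.172 192.0.2.56 TLS Client Hello",
    "1 192.0.2.56 192.0.2.172 TCP RST,ACK",
    "2 192.0.2.172 192.0.2.56 TCP SYN",
    "2 192.0.2.56 192.0.2.172 TCP SYN,ACK",
    "2 192.0.2.172 192.0.2.56 TLS Client Hello",
    "2 192.0.2.56 192.0.2.172 TLS Server Hello, Certificate",
    "2 192.0.2.172 192.0.2.56 TLS Alert",
]

def triage_streams(lines, client=SMC, server=ISE):
    """Return {stream_id: diagnosis} for each client->server TLS attempt."""
    streams = {}
    for line in lines:
        sid, src, dst, desc = line.split(" ", 3)
        st = streams.setdefault(sid, {"hello": False, "cert": False,
                                      "rst_from_server": False, "alert": False})
        if src == client and "Client Hello" in desc:
            st["hello"] = True                 # client tried to start TLS
        elif src == server and "Certificate" in desc:
            st["cert"] = True                  # server presented its chain
        elif src == server and "RST" in desc:
            st["rst_from_server"] = True       # server tore the connection down
        elif "Alert" in desc:
            st["alert"] = True                 # one side rejected the handshake
    result = {}
    for sid, st in streams.items():
        if not st["hello"]:
            result[sid] = "no TLS attempt seen"
        elif st["rst_from_server"] and not st["cert"]:
            result[sid] = "server reset before sending Certificate: no trust established"
        elif st["cert"] and st["alert"]:
            result[sid] = "Certificate sent, then TLS Alert: client rejected the chain"
        elif st["cert"]:
            result[sid] = "handshake reached Certificate: trust path exists"
        else:
            result[sid] = "incomplete handshake"
    return result

if __name__ == "__main__":
    for sid, diag in triage_streams(CAPTURE).items():
        print(sid, diag)
```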

We were able to confirm that the same root certificate was installed on the SMC, so the communication should have been authenticated. The fact that no Syslog data was appearing from the ISE server was puzzling, as we were able to confirm that the current configuration was a match for the golden switch configuration (monitor mode) according to the TrustSec 2.0 Design and Implementation Guide. Through following other troubleshooting steps it was determined that in this existing ISE deployment, the PECs were actually generating the Syslog data. So the obvious step was to add those three PECs under the Identity Services folder in the Enterprise tree on the SMC. However, the SMC did not allow this; it rejected the PECs as not being part of a valid ISE structure.

At this time Lancope stepped in with a patch strictly for the SMC appliance which, when applied, allowed us to add the PECs, and through that we began to see the Syslog data appear and fill in the user data. With the Stealthwatch platform no longer relying on API calls, there is no longer as simple a troubleshooting step as there once was, where a query in a web browser would return whether the ISE server was providing the data. Being able to capture the traffic in a packet capture to analyze, and understanding the way the devices were supposed to be talking to each other, was key in resolving this situation.

Hopefully, understanding the need for a troubleshooting flow or process will assist the readers in getting through a similar situation, and if not, you can always call upon the expertise of the Priveon consultants to expedite getting out of a situation like the one experienced in this instance.