Learn Analysis & Forensics for Free* with Security Onion

Between the comprehensive tool set in the Onion, free sample data available online, some awesome books, and a few easy tricks for collecting your own data for analysis, all you need to add is your own labour. This interactive presentation will lay out some basic principles of network analysis and forensics and then show the audience how to try out the techniques using the tools in Security Onion and publicly available data. It will also touch on how to set up a capture lab and some quick things you can learn about what your home electronics (and housemates) are doing. On the way out we'll touch on some options for continuing your analysis education once you have a taste :)



Transcript of slides

this.toc
  Intro: me, means, motive, opportunity
  Use SO Tools to Learn
  Build and Work with SO
  Q & A

dir(self)
  SysAdmin, Incident Responder
  10+ sysadmin, 4+ NOC, 3+ CIRT years
  Security Engineer @ online service provider
  BBST, Apprentice Instructor
  GSEC Gold, GCIH, GCIA, SANS Mentor
  Gold paper: Inside Mac OS X Security
  LPIC-1, Linux trainer (past life)

@adricnet

Forensics?
  On telly: Quincy, CSI, Dexter
  Looking at dead things
  To see what killed them

Forensics: Wiktionary
  1. "Relating to the use of science and technology in the investigation and establishment of facts or evidence in a court of law."
  2. (dated) "Relating to, or appropriate for courts of law."
  3. (archaic) "Relating to, or used in debate or argument."

Digital Investigation (Carrier)
  "develop and test hypotheses about digital events"
  File System Forensic Analysis, Brian Carrier (2005)
  The science of examining evidence to find:
    what happened
    when it happened
    how it happened
    who did it
  by proving and disproving hypotheses with evidence

Analysis: Google, Wiki
  a·nal·y·sis, noun
  detailed examination of the elements or structure of something, typically as a basis for discussion or interpretation.
  the process of separating something into its constituent elements.

... and Synthesis
  Break things into components
  Understand them better
  For discussion and to...
  Build new things, new understanding from the pieces
  "Do science to it!" -DC

?
  sudo apt-get install cmatrix && cmatrix -s

Questions
  Who? What? To Whom? When? How? Why?
  the Cluedo questions, 5Ws

savoir c'est pouvoir (knowledge is power)
  Knowledge
  Understanding
  Power
  Responsibility

m,m,o
  Anyone can learn some DF, NF analysis
  Requirements:
    Tools = Means
    Science! = Motive
    Evidence = Opportunity

Security Onion
  "Linux distro for IDS, NSM, and log management"

DFIR, NSM?
  Digital Forensics Investigations*
  Incident Response
  NSM: Network Security Monitoring
  *as per Brian Carrier in FSFA

Use SO to Learn With
  working through (awesome) books and tutorials
  Forensics Challenges & CTFs (old and new)
  online samples and libraries
  understand your own networks better
  reproduce others' research
  study for exams

Learn With SO: Books
  Some books provide sample evidence
  Some books package their evidence in Security Onion
  Tools for most NFA books are included: Wireshark, tcpdump, Snort, Bro ...
  Skip installing most tools and get to learning with SO

Learn With SO: tutorials
  Tutorials on the SO wiki: IntroductionToSecurityOnion, ManagingAlerts
  And elsewhere: ET: WhatEveryIDSUserShouldDo; Bro: Getting started; Wireshark tutorials

Learn With SO: Challenges
  Challenges, Contests and Puzzles
  Puzzle #1: Ann's Bad AIM
  Prison Break (July 2009)
  Scan of the Month
  Dr J's packet.txt
  ???

Learn With SO: samples
  Online sample library network
  Wireshark wiki: huge list of SampleCaptures
  Sandbox analysis result pcaps, e.g. Anubis, Cuckoo ...
  More sources in the SO Wiki: Pcaps

Learn With SO: collections
  M57, Nitroba cases
  Contagio Dump: Mila collects and shares malware pcaps; Crimeware and/or APT refs
  Library of Malware Traffic Patterns
  DARPA, WIDE (FW)

Learn With SO: Your Traffic
  Quick captures in tcpdump, Wireshark
  Preloaded packet wrangling tools: capinfos, tshark, ngrep, tcpick, tcpslice, tcp[tab]

Learn With SO: Your Network
  Tap, Hyper NIC, Cables
  SO VM(s)
  vSwitching: promisc!
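Added example (not from the slides or from the Security Onion project): once you have a capture of your own traffic, the packet-wrangling tools on the slide all do the same basic job of walking the pcap record by record. The pure-Python reader below shows that job in the open: it builds a constructed three-packet capture in memory, walks it the way capinfos or tshark would (either byte order, stopping cleanly at a truncated last record), summarizes TCP conversations, and does an ngrep-style payload search. The packet builder, addresses and payloads are all constructed for the example; only the classic libpcap format with Ethernet framing is handled, not pcapng, and a real capture would come from tcpdump -w instead of build_pcap.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (pcapng is not handled here)
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Assemble an Ethernet/IPv4/TCP frame. Checksums stay zero: this is a
    constructed sample for parsing practice, not traffic to put on a wire."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize frames into a little-endian libpcap v2.4 file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame) from a pcap buffer. Handles either byte order
    and stops cleanly at a truncated final record (common in real captures)."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %r)" % data[:4])
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # truncated record: stop rather than mis-parse the tail
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else or for runts."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport,
            "payload": frame[t + doff:14 + ip_total]}


def conversations(data):
    """Packet count per unidirectional TCP 4-tuple (cf. tshark -z conv,tcp)."""
    stats = Counter()
    for _, frame in iter_pcap(data):
        p = parse_tcp(frame)
        if p:
            stats[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
    return stats


def grep_payload(data, pattern, dport=None):
    """ngrep-style search: indices of TCP packets whose payload contains
    `pattern`, optionally limited to one destination port."""
    hits = []
    for i, (_, frame) in enumerate(iter_pcap(data)):
        p = parse_tcp(frame)
        if p and (dport is None or p["dport"] == dport) and pattern in p["payload"]:
            hits.append(i)
    return hits


# Constructed sample capture: one HTTP request/response pair and one SSH banner.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.10", "93.184.216.34", 51000, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet("93.184.216.34", "192.168.1.10", 80, 51000,
                 b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_packet("192.168.1.10", "192.168.1.1", 51001, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
])

if __name__ == "__main__":
    for key, n in conversations(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d  %d pkt" % (key + (n,)))
    print("HTTP requests at", grep_payload(SAMPLE_PCAP, b"GET /", dport=80))
```

To point it at your own traffic, replace SAMPLE_PCAP with the bytes of a file written by tcpdump -w; captures taken on a non-Ethernet interface (a different link type) are rejected on purpose rather than decoded wrongly.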

Learn With SO: research
  Check out the latest from:
  Blogs: Contagio dump, Malware Traffic Analysis
  Fora: Emerging Threats, DFIR
  Twitter, Reading Room, etc
  Try things out easily with SO tools

Study With SO: Exams
  Certainly for analysis & forensics: SANS 503, 504, 508, 572
  And attackers, don't miss out: 560, OSCP, and on

Build And Work with Onions
  Network forensics and analysis workstations
  Portable sensors and traveling analyst laptops
  Enterprise sensor networks (especially with Salt!)
  Testing environment for software or rules

Q&A

Resources
  Wiktionary, Wikipedia, Google
  Hidden Evidence, David Owen (2E 2009)
  File System Forensic Analysis, Brian Carrier (2005)
  LibreOffice, Inkscape, Fossil SCM

Resources
  PMA, PNSM, ANSM, DFOSS books
  project sites for tsk, Autopsy, Volatility, SO, etc
  Mailing lists for SANS DFIR, sleuthkit, etc
  researcher blogs
  webcasts & white papers
  SANS SEC503, SEC504 and DFIR curriculum