I just wanted to finish up the whole BSidesLasVegas thing with a quick summary of some of the talks I attended. On the first day, sticking pretty much to the schedule I proposed in the “Gems” post, I attended the Collegiate Cyber Defense Competition (CCDC); The Dark Side of Twitter, Measuring and Analyzing Malicious Activity on Twitter; and Infosec Young and Restless talks.
Since I took the most notes on the CCDC talk, I figure I’ll start with the other two first. In “The Dark Side of Twitter, Measuring and Analyzing Malicious Activity on Twitter,” Paul Judge (@pauljudge) and David Maynor (@donicer) presented a stats- and graphics-filled talk that attempted to separate the good and the bad tweeters based on two years of data and 20 million user accounts. As you might expect, malicious activity mainly involved “bad” tweeters sending followers shortened links to trojanned websites. Paul and David started with a basic assumption that anyone with more than 10 followers, friends, and tweets is a “true” Twitter user. If my notes are right, this only accounts for 29% of all users. They continued their presentation showing a lot of analytical data and pretty graphs with the goal of finding trends that could be used to algorithmically calculate malicious activity. Based on this analysis, they ended their presentation with several examples of malicious users/tweets and tested them against a proposed algorithm.
Next, Joseph Sokoly (@jsokoly) gave a great audience-driven career presentation entitled “Infosec Young and Restless.” In his talk he addressed problems younger professionals have in the security field. Some of the topics he opened for discussion included getting your company to pay for training and how to start and grow in the infosec field. The training discussion offered various tactics, including proposing benefits to management in their terms (e.g., cost/benefit analysis), offering to cover a portion of the costs, and attending alternative/free training events (e.g., local meetups or conferences like BSidesLasVegas). Regarding how to get started and evolve your infosec career, Joseph and the audience offered lots of interesting ideas. The conclusion was that there are many different philosophies on how to start out and get where you want to go, but it depends on the individual and their circumstances. Getting into infosec and progressing to where you want to be is going to be different for almost everyone.
Finally there was the “CCDC” talk. I had heard about these events before but had never fully researched them. My primary goal was learning how organizers at the collegiate level set up these events so I could possibly mimic similar events for security professionals of all levels in NoVA and my company. My initial thought was that you would just have attackers versus defenders but it looks like there are several other groups involved. Yes, you had your traditional red and blue teams but there are also groups representing business professionals, management, end users, and of course those running the contest.
Chris Lytle (@mrtoph) and Leigh Hollowell (@leighhollowell) first described all aspects of the blue team. This overview included the server environment and strategies for defending it. The typical environment includes 5 to 10 machines and the defense strategy involves all the usual suspects. Some of their higher-priority suggestions included patching as early as possible and changing all passwords. Additionally, they recommended reviewing all running processes and programs, service settings, and shared folders/user permissions. From a communking perspective, they noted that the network is usually air-gapped and recommended changing all device passwords and reviewing their configurations.
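The review the speakers describe (running processes, services, shared folders, accounts and permissions) is easiest to act on if the blue team records a baseline in the first minutes and diffs against it later. The script below is an added example of that idea, written here for this post; it is not code from the talk or from CCDC. It assumes a Linux box with `awk`, `ps`, `find` and either `ss` or `netstat`; the helper functions take a file path so they can also be run against constructed sample files, and the `smb.conf` parsing is a deliberately minimal approximation of Samba's syntax.

```shell
#!/bin/sh
# Added example (not from the talk): a blue-team baseline snapshot and diff.
# Usage: ./baseline.sh snapshot DIR       (run right after getting access)
#        ./baseline.sh compare DIR1 DIR2  (run again later, then diff)

# Accounts that can log in interactively (shell is not nologin/false).
# Takes a passwd-format file so it can be tested against a constructed one.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "${1:-/etc/passwd}"
}

# Any UID-0 account other than root is a classic sign of a planted backdoor.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Share names from an smb.conf-style file, tagged rw or ro (minimal parser,
# assumption: one directive per line, no includes).
smb_shares() {
    awk '
        function flush() { if (name != "" && name != "global") print name ":" rw }
        /^[ \t]*\[/ {
            flush(); name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name); rw = "ro"
        }
        /^[ \t]*(writable|writeable)[ \t]*=[ \t]*(yes|true)/ { rw = "rw" }
        /^[ \t]*read only[ \t]*=[ \t]*(no|false)/          { rw = "rw" }
        END { flush() }
    ' "$1"
}

# Record everything worth reviewing into DIR, one sorted file per category.
take_snapshot() {
    dir="$1"
    mkdir -p "$dir"
    login_accounts /etc/passwd > "$dir/accounts"
    extra_root_accounts /etc/passwd > "$dir/uid0"
    ps -eo user,comm 2>/dev/null | sort -u > "$dir/processes"
    { ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null; } | sort > "$dir/listeners"
    if [ -r /etc/samba/smb.conf ]; then
        smb_shares /etc/samba/smb.conf > "$dir/shares"
    else
        : > "$dir/shares"
    fi
    # setuid binaries and world-writable directories: permission drift to watch.
    find / -xdev -type f -perm -4000 2>/dev/null | sort > "$dir/setuid"
    find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort > "$dir/worldwrite"
}

# Print only the added/removed lines for each category that changed.
compare_snapshots() {
    for f in accounts uid0 processes listeners shares setuid worldwrite; do
        if ! diff -q "$1/$f" "$2/$f" > /dev/null 2>&1; then
            echo "== $f changed =="
            diff -u "$1/$f" "$2/$f" | grep '^[+-][^+-]' || true
        fi
    done
}

case "${1:-}" in
    snapshot) take_snapshot "$2" ;;
    compare)  compare_snapshots "$2" "$3" ;;
esac
```

Take the first snapshot before touching anything, then again after the password change and patching so the diff shows only your own work; from then on, an unexpected line in `uid0`, `listeners` or `setuid` is the quick signal the speakers were after when they said to assume the red team will get in and focus on responding fast.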
The other two main groups Chris and Leigh discussed were the red and management/business teams. Red team tactics vary depending on their experience. Many use automated tools; however, others may attempt more advanced manual techniques. The blue team needs to assume the red team will get in and, instead of trying to keep them out, focus on responding quickly. This not only includes the technical aspects of the exercise but also the tracking of everything to satisfy business professionals/management. For these non-technical considerations, they recommended having pre-written forms (e.g., for incident response) and making sure to follow any formal change control policies and procedures. Just like in the real world, you can’t just make a change to the firewall configuration or apply a patch. You need to submit changes to a change control board and receive approval. Of course you also have the business-focused people or other users always requesting new features and capabilities, such as vulnerable web-based forum or wiki software. As part of the change control process, the blue team weighs in on the approval decision as well.
Their final piece of advice was to assign people specific roles. The team won’t work well if everyone is trying to do everything. As an example, one person should focus on Windows machines while another person should address Linux servers. And there should be non-technical management roles as well to track the big picture and assign the rest of the team tasks and track them through to completion. They closed the talk with a quick history of the past CCDC events, future plans, and suggestions for improvement.
Well that was it for day 1 at BSidesLasVegas. Look for an upcoming post summarizing day 2. See ya!