Page 53 - Cyber Defense eMagazine September 2018


The Ponemon study showed that a majority of breached organizations were notified by someone other than their own staff. Grabowski concludes that this is a problem because IT people do not know the software used in the industry. They do not have time to analyze the software, and they do not have time in their day-to-day operations to learn how to use the product. If it is in the classroom first, we can literally send out hundreds of students a year with product knowledge. To be a professional tester you must use the same techniques that a criminal hacker does to search for vulnerabilities.

At any given moment a student can spin up a virtual workstation on the VMware Virtual Center stack using hybrid Nimble technology and create an entire infrastructure. Any distribution of Linux can be used, as well as any Microsoft operating system. Linux distributions for security include Kali 2018, DEFT, Paladin, and Security Onion. Grabowski also uses Syracuse University's Security Education (SEED) labs provided by Dr. Kevin Wu, which are based on Ubuntu. The SEED labs provide an abundance of training for information security education.

IBM QRadar, a SIEM, runs on Red Hat; AlienVault runs on Debian. CorreLog runs on anything and can be easily installed onto a Windows operating system. PRTG is also a self-install onto a Windows operating system. These tools are marketed to us thoroughly in the cyber security realm. However, who has time to understand what is going on with the product? When we monitor things in something as common as a Wireshark sniffer, we could literally learn something new every day. When using something like Wireshark we can see everything happening; we just need to learn how to filter it properly to find what we are looking for. Did a rogue device get an IP address from a Man in the Middle (MITM) attack? Did a Bluetooth device connect to the network or device? Was a door opened that was connected to a Google Hub? Did the Nest smoke detector generate an encrypted alarm?

More importantly, as we start to understand these breaches, how did we detect them? How did we reconstruct the events? Using tools such as Belkasoft Evidence Center, EnCase, FTK, Autopsy, or OSForensics in conjunction with Linux distros such as Kali for pen testing.

Even more beneficial is determining an actual false positive in a SIEM. Recently we were trying to detect torrent traffic on our network and were having problems getting the alarm to fire. Then a week later the alarm popped up in the executive summary dashboard as torrent traffic. The port was reporting 17500, which isn't common for torrent traffic; torrent traffic is on ports 6881-6889. Was the port obfuscated? Pinging the IP address of the VM, we retrieved a host name which corresponded to a student ID. Upon questioning the student to determine if they were running torrent traffic, they denied their involvement, which was believable because the student was trustworthy. Research concluded that he had opened Dropbox on the computer, which indeed uses port 17500.
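The triage step in that story, as an added example (not the article's or the school's code): a deliberately broad P2P rule, assumed here to stand in for the one that fired, runs over constructed flow records, and each hit is enriched with the source hostname and a table of well-known application ports so port 17500 is labelled as Dropbox LAN sync rather than as torrent traffic. The hostnames, addresses and record format are all constructed.

```python
# Added example, not the article's code: triaging a SIEM "torrent traffic" alarm.
# The alarm in the story fired on port 17500, which Dropbox LAN sync uses, while
# classic BitTorrent listens on 6881-6889. An assumed, deliberately broad rule stands
# in for the one that fired; each hit is enriched with the source hostname and a
# known-application table so the analyst sees whether it is worth chasing first.
from dataclasses import dataclass
from typing import Dict, List, Optional

TORRENT_PORTS = range(6881, 6890)            # 6881-6889 inclusive
KNOWN_APPS = {17500: "Dropbox LAN sync"}     # ports a broad P2P rule misreads
HOSTNAMES = {"10.20.3.41": "vm-stu10457", "10.20.3.77": "lab-printer"}  # constructed

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dst_port proto' flow record."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto.upper())

def broad_p2p_rule(flow: Flow) -> bool:
    """Assumed rule: the BitTorrent range, or any UDP to a port >= 10000."""
    return flow.dst_port in TORRENT_PORTS or (flow.proto == "UDP" and flow.dst_port >= 10000)

def triage(flow: Flow, hostnames: Dict[str, str] = HOSTNAMES) -> Optional[dict]:
    """Return an enriched alert for flows the broad rule fires on, else None."""
    if not broad_p2p_rule(flow):
        return None
    if flow.dst_port in TORRENT_PORTS:
        verdict = "torrent: classic BitTorrent port range"
    elif flow.dst_port in KNOWN_APPS:
        verdict = f"likely false positive: {KNOWN_APPS[flow.dst_port]}"
    else:
        verdict = "unclassified high UDP port: needs a packet capture"
    return {"host": hostnames.get(flow.src, "unknown"), "port": flow.dst_port, "verdict": verdict}

def triage_log(lines: List[str]) -> List[dict]:
    """Run triage over every record, keeping only the alerts."""
    return [a for a in (triage(parse_flow(l)) for l in lines) if a]

# Constructed flow log: one real torrent, one Dropbox LAN sync broadcast, one HTTPS.
SAMPLE_LOG = [
    "10.20.3.41 203.0.113.9 6881 TCP",
    "10.20.3.41 255.255.255.255 17500 UDP",
    "10.20.3.77 198.51.100.20 443 TCP",
]
```

Running `triage_log(SAMPLE_LOG)` yields two alerts: the 6881 flow as torrent traffic and the 17500 broadcast as a likely Dropbox false positive, both tied to the student VM's hostname; the HTTPS flow produces nothing.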

Students also participate in live hackathons or in the Master the Mainframe contest. Symantec held a hackathon that included ransomware. Students had to determine a bitcoin address, look in Wireshark to find the URL, gain admin rights to the website, and then convert the encrypted file using the key with Python. Technologies included Wireshark, bitcoin, ransomware, PHP, Python, and Linux. In that particular hackathon there is a tremendous gain from reconstructing events, which becomes a valuable asset to our skill sets and reinforces the theory in the classroom. We learn something new every day from the products we get to use every day.