We are in control


Well not so much really but here is a link to the slides from Randy’s presentation to help us get there.  Thanks again to Randy to coming out and thanks you all of you for being there.  Looking forward to seeing you all at the next one.

The link ->20CriticalControls-RISE2017<- The link




Notes from Oct 2016 Ransomware Meeting


Special thanks to Brad at malware-traffic-analysis.net (http://www.malware-traffic-analysis.net/index.html), we used his examples for the October meeting. His site is an excellent resource for learning. He also posts updates and other malware related info on his twitter @malware_traffic.

Here is the traffic we walked through: http://www.malware-traffic-analysis.net/2016/05/13/index.html

And here is the solution: http://www.malware-traffic-analysis.net/2016/05/13/page2.html

To use Security Onion to analyze the traffic you can get the Security Onion ISO here and install it in a VM: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md

Here is how to replay the traffic in Security Onion for analysis:

We also had some discussion on how to identify what different types of files really are, regardless of what the extension is; and also how you can carve them out of traffic streams using hex editors. To determine file types you use the “Magic Bytes”:  https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/

Here are some resources on ways to extract files (file carving) from pcaps:

We talked about some quick ways to get info on IPs and domains when researching potential incidents. Here is a quick hit list:

Oct 2016 – Your Money or Your Data


Join us for an interactive forensics scavenger hunt analyzing a pcap with some of the latest variants of ransomware. We will be looking at how Angler EK can, and often will deliver multiple infections such as Locky, CryptXXX and even some unknown goodies.

This will be an interactive session and I will try to come up with some small goodies to give away for those that solve the pieces to the puzzle first. Please bring a laptop with Wireshark installed to participate. Wireshark is a free protocol analyzer and an excellent tool for you toolbox. You can download it here: https://www.wireshark.org/

If you aren’t sure how to use Wireshark you can review the notes from our May session about Wireshark. There are also some good tutorials on Youtube. These both use the old Wireshark interface, the new one looks a bit different. All of the concepts are the same, some of the menus have just been moved around. If you have it installed, and are familiar with it, the session will be a lot more beneficial to you.

The meeting will be on 10/13 at R&K Solutions, 2797 Frontage Rd NW, STE 1000, Roanoke, VA 24017 at 5:30pm. Google Maps.

Presenter Bio:

Nate Sykes is the IT Director at R&K Solutions. Nate has worked in all areas of system and network administration. He has been involved in different aspects of security for the last 6yrs, mostly involving prevention and detection. He holds GSEC, GMON and Security+ certifications.

Twitter: @n8sec


May 2016 – Deep Dive with Wireshark


Meeting info: May 12th, @6pm, at ECPI (directions below).

This meeting is a can’t miss opportunity for a hands on deep dive with Wireshark. David Raymond  (@dnomyard, bio below) who has previously spoken at Black Hat USA, RSA and Scmoocon will be presenting.


Wireshark is a great tool for quick-and-dirty network traffic analysis and it is widely used for network troubleshooting and incident response. In this hands-on discussion, we will review the basics of Wireshark and discuss capture filters, display filters, and basic protocol analysis. We’ll then go beyond the basics to talk about more advanced features of Wireshark and touch on some of the command-line utilities that come with it, such as tshark, editcap, mergecap, and randcap.

To get the most from the discussion, attendees should bring a laptop with the latest version of Wireshark installed.

ECPI  (5234 Airport Rd NW #200, Roanoke, VA 24012 or Google Maps) will be hosting the meeting and there will be some lab machines available for use by those without a laptop available.

David Raymond currently serves as Deputy Director in the Virginia Tech IT Security Office and Lab. In this position he helps oversee the security of the VT network, advises graduate students and undergrads doing cybersecurity research, and teaches courses in computer networking and security in the Department of Electrical and Computer Engineering. David holds a Ph.D. in Computer Engineering from Virginia Tech, a Masters in Computer Science from Duke University, and a Bachelors in CS from West Point. He has published over 25 journal and conference publications on a variety of topics and has spoken at numerous industry and academic conferences to include Black Hat USA, RSA, Shmoocon, and the NATO Conference on Cyber Conflict.

April 2016 – Here come the Feds!


Our next meeting is April 14th at ECPI in Roanoke (address is below) at 5:30pm.  The speaker will be an FBI Special Agent who has been with the FBI for 12 years and is currently in the Richmond Division with a focus toward the Roanoke area.  He is currently working national security matters and has agreed to come and share with us his experiences and his thoughts on how we can assist in protecting our companies, valley and country.fbi_logo_twitter

It’s always good to meet your local FBI liaison. If you have a serious breach at your company or discover illegal activity on your network, you need to know who to contact.

Special thanks to Michael for opening up the ECPI facility to us and to Stephan for lining up our speaker.

Meeting Location:

ECPI University
5234 Airport Rd NW #200
Roanoke, VA 24012

Google Maps:

Jan 2016 – Onions Make You Cry Tears of Joy

How to Improve Your Network Security Monitoring Capabilities Using Security Onion Sensors and Network Architecture

We will be kicking off the New Year with the first part of a two part series. (Open Source Security vs Commercial Products).

open source vs

This month we will be discussing open source security and how our own Nate Sykes and Grant Sims (bios below) are using open source products to secure their network. Next month we will have Cisco come in and give us an overview of what they can offer from a commercial software standpoint.

Nate and Grant have been working to transition their security posture from a purely prevention based model to a prevent, detect and respond model. Nate and Grant put it this way “Prevention WILL fail. As a defender you have to consider/protect EVERYTHING. An attacker only has to find ONE flaw overlooked, unknown, unpatched or misconfigured.” To that end Nate and Grant will give us an overview of how they use open source security sensors to defend their network.

They will discuss:

Here are the slides from the first part of the presentation:

you shall not pass

Security Onion – Part 1

For the second part of the presentation, Grant demoed how to use Security Onion to investigate an AnglerEK incident:

Brief bios:
Nate Sykes (@n8sec) is the IT Manager at R&K Solutions, he has been working in IT for 19yrs. Nate has worked in all areas of system and network administration. He has been involved in different aspects of security for the last 6yrs, mostly involving blue team work. He holds GSEC, GMON and Security+ certifications.

Grant Sims (@ChiefRiverSims) is the Sr Security Analyst at R&K Solutions, he has been working in IT for 9yrs. He has a networking background, developed while working in a major DoD data center. He holds CCNA-Voice, CCDP, CCNP, Security+ and GPEN certifications.