We had a large turnout of seasoned and aspiring security professionals at the RISE Open Floor meeting this month. Thank you to all who attended and provided questions or personal experiences for the discussion. Special thanks to our hosts, ECPI University, and to TEKsystems for sponsoring pizza for the event!
Notes from Oct 2016 Ransomware Meeting
Special thanks to Brad at malware-traffic-analysis.net (http://www.malware-traffic-analysis.net/index.html), we used his examples for the October meeting. His site is an excellent resource for learning. He also posts updates and other malware related info on his twitter @malware_traffic.
Here is the traffic we walked through: http://www.malware-traffic-analysis.net/2016/05/13/index.html
And here is the solution: http://www.malware-traffic-analysis.net/2016/05/13/page2.html
To use Security Onion to analyze the traffic you can get the Security Onion ISO here and install it in a VM: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
Here is how to replay the traffic in Security Onion for analysis:
Here are some resources on ways to extract files (file carving) from pcaps:
- SANS paper on file extraction using different tools: https://www.sans.org/reading-room/whitepapers/tools/extracting-files-network-packet-captures-36562
- Some more info on some of the same tools in the paper above: http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html
- Carving using hex editors: https://www.security-sleuth.com/sleuth-blog/2015/4/18/the-perks-of-being-a-file-carver-1
- Carving SMB and SMB2: http://chrissanders.org/2011/11/packet-carving-with-smb-and-smb2/
- Carving with Wireshark: https://malwerewolf.com/2014/04/wireshark-primer-manual-carve-http-objects/
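As an added example (not part of the meeting notes or any of the linked articles), here is a small carver in the spirit of the Wireshark and hex-editor carving links above: it walks a reassembled server-to-client HTTP stream, pulls out each Content-Length-delimited body, and labels it by magic bytes. The stream and the signature table are constructed inline; in a real case you would feed it the bytes of a Wireshark "Follow TCP Stream" export.

```python
import re
from typing import List, Tuple

# Constructed sample: a reassembled HTTP server-to-client TCP stream (not a
# real capture) carrying a fake PE, a fake ZIP and a plain 404 response.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n\r\nMZ\x90\x00\x03\x00\x00\x00"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
    b"Content-Length: 6\r\n\r\nPK\x03\x04\x14\x00"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"
)

# Magic-byte signatures used to label carved objects (small illustrative set).
MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf")]

def file_type(data: bytes) -> str:
    """Label a carved body by its leading bytes, or 'unknown'."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"

def carve_http_objects(stream: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (status, type, body) for every HTTP response in the stream
    that declares a Content-Length. Chunked bodies are skipped."""
    objects = []
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        headers = stream[start:hdr_end].decode("latin-1")
        status = int(headers.split(" ", 2)[1])
        m = re.search(r"(?im)^content-length:\s*(\d+)\s*$", headers)
        if m is None:
            pos = hdr_end + 4  # no fixed length: move past the headers
            continue
        body_start = hdr_end + 4
        body = stream[body_start:body_start + int(m.group(1))]
        objects.append((status, file_type(body), body))
        pos = body_start + len(body)
    return objects
```

Each carved body can then be written to disk and hashed for lookup, which is the same result the GUI "Export Objects" route gives for well-formed traffic.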
We talked about some quick ways to get info on IPs and domains when researching potential incidents. Here is a quick hit list:
Oct 2016 – Your Money or Your Data
Join us for an interactive forensics scavenger hunt analyzing a pcap with some of the latest variants of ransomware. We will be looking at how Angler EK can, and often will deliver multiple infections such as Locky, CryptXXX and even some unknown goodies.
This will be an interactive session and I will try to come up with some small goodies to give away for those who solve the pieces of the puzzle first. Please bring a laptop with Wireshark installed to participate. Wireshark is a free protocol analyzer and an excellent tool for your toolbox. You can download it here: https://www.wireshark.org/
If you aren’t sure how to use Wireshark you can review the notes from our May session about Wireshark. There are also some good tutorials on YouTube. These both use the old Wireshark interface; the new one looks a bit different. All of the concepts are the same, some of the menus have just been moved around. If you have it installed and are familiar with it, the session will be a lot more beneficial to you.
The meeting will be on 10/13 at R&K Solutions, 2797 Frontage Rd NW, STE 1000, Roanoke, VA 24017 at 5:30pm. Google Maps.
Nate Sykes is the IT Director at R&K Solutions. Nate has worked in all areas of system and network administration. He has been involved in different aspects of security for the last 6 years, mostly involving prevention and detection. He holds GSEC, GMON and Security+ certifications.
May 2016 – Deep Dive with Wireshark
Meeting info: May 12th, @6pm, at ECPI (directions below).
This meeting is a can’t-miss opportunity for a hands-on deep dive with Wireshark. David Raymond (@dnomyard, bio below), who has previously spoken at Black Hat USA, RSA and Shmoocon, will be presenting.
Wireshark is a great tool for quick-and-dirty network traffic analysis and it is widely used for network troubleshooting and incident response. In this hands-on discussion, we will review the basics of Wireshark and discuss capture filters, display filters, and basic protocol analysis. We’ll then go beyond the basics to talk about more advanced features of Wireshark and touch on some of the command-line utilities that come with it, such as tshark, editcap, mergecap, and randcap.
To get the most from the discussion, attendees should bring a laptop with the latest version of Wireshark installed.
ECPI (5234 Airport Rd NW #200, Roanoke, VA 24012 or Google Maps) will be hosting the meeting and there will be some lab machines available for use by those without a laptop available.
David Raymond currently serves as Deputy Director in the Virginia Tech IT Security Office and Lab. In this position he helps oversee the security of the VT network, advises graduate students and undergrads doing cybersecurity research, and teaches courses in computer networking and security in the Department of Electrical and Computer Engineering. David holds a Ph.D. in Computer Engineering from Virginia Tech, a Masters in Computer Science from Duke University, and a Bachelors in CS from West Point. He has published over 25 journal and conference publications on a variety of topics and has spoken at numerous industry and academic conferences to include Black Hat USA, RSA, Shmoocon, and the NATO Conference on Cyber Conflict.