Warren began the training with a presentation on Computer Incident Response. He walked the attendees through the steps to take when preparing for a security incident, how to detect and analyze the incident, and finally how to contain, eradicate, and recover machines and data. He ended the presentation by applying these steps to four different case studies of real security incidents. Warren said the case studies really helped reinforce the main points he wanted the attendees to learn and apply to their IR programs.
Mark presented the afternoon session on Security Log Analysis. He began with the security log analysis life cycle (collection, event management, analysis, and response) and provided examples of real attacks using Bro logs, Apache, Postfix, and more. The presentation gave the attendees ideas on how to improve their security, real command-line examples to apply at their organizations, and new methods to connect events across logs. Mark said the open Q&A format of the presentation was very rewarding. In one example, the group discussed their shared frustrations with a well known WordPress plugin vulnerability that allows file systems to be “walked”. Mark then demonstrated a command (shown below) that could be used to detect these attempts to walk the filesystem in Bro and Apache logs.
grep -E "wp-admin.*\.\./.*\" 200 " access_log
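The following script is an added example, not code from the CTSC post or from Mark's presentation. It runs the command above over a few constructed Apache access-log lines (the IPs, timestamps and request paths are fabricated; the `file=` parameter is a placeholder, not the real plugin's parameter) and adds two checks a log analyst usually wants next to it: a broader pattern that catches attempts regardless of response status and also matches the URL-encoded form of `../` (`%2e%2e%2f`), which the literal search misses, and a per-source count for triage.

```shell
#!/bin/sh
# Added example: traversal-attempt detection in Apache access logs.
# The log lines below are constructed for illustration only.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Oct/2014:13:55:36 -0500] "GET /wp-admin/admin-ajax.php?file=../wp-config.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:55:37 -0500] "GET /wp-admin/admin-ajax.php?file=../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:56:01 -0500] "GET /wp-admin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:56:20 -0500] "GET /wp-admin/admin-ajax.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:14:01:02 -0500] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
EOF

# The command from the training: wp-admin requests containing a literal "../"
# that the server answered with 200, i.e. walks that likely succeeded.
successful_walks() {
  grep -E "wp-admin.*\.\./.*\" 200 " "$1"
}
count_successful_walks() {
  successful_walks "$1" | wc -l | tr -d ' '
}

# Broader check: any wp-admin request carrying "../" or its URL-encoded form,
# regardless of status code, so failed probes (404, 403) are visible too.
# -i makes the %2E/%2e spelling irrelevant.
traversal_attempts() {
  grep -iE "wp-admin.*(\.\./|%2e%2e(/|%2f))" "$1"
}
count_traversal_attempts() {
  traversal_attempts "$1" | wc -l | tr -d ' '
}

# Source addresses ranked by number of attempts, for triage.
attempt_sources() {
  traversal_attempts "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Top source address (the first field after uniq's count column).
top_attempt_source() {
  attempt_sources "$1" | head -n 1 | awk '{print $2}'
}

echo "successful walks:   $(count_successful_walks "$SAMPLE_LOG")"
echo "traversal attempts: $(count_traversal_attempts "$SAMPLE_LOG")"
echo "attempts by source:"
attempt_sources "$SAMPLE_LOG"
```

On the sample above the training command reports one successful walk, while the broader pattern reports three attempts (the 404 and the encoded request are the extra two). The same patterns apply to Bro's http.log by matching on the uri field, with status_code standing in for the Apache status column.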
While in Kansas City, Mark also had a chance to meet up with followers of his Command Line Magic (@climagic) Twitter account.
Mark’s and Warren’s presentations, as well as many more training materials, can be found on CTSC’s website. To contact us about presenting a training at your event, submit a request to our contact form.