Sunday, September 30, 2012


I'm at DerbyCon this weekend, and I can recommend some of the talks as being of special interest to intrusion analysts.

Bart Hooper did an excellent talk called "Hunting Evil", where he spoke on the subject of obfuscated malware, especially JavaScript, and methods on decoding it. He did a nice walk through of deobfuscating a BlackHole Exploit landing page, using a new tool he wrote called Spondulas. Spondulas was written to extend and update the work that other  tools such as Malzilla (one of my favorites) do. It supports POST requests, GET requests and Ajax persistent connections and has a monitor mode that will systematically requery the site and record changes that have been made to it. It will follow through the redirect chain and pull down each site and file it for inspection.

Doug Burks did a great talk on the new beta version of Security Onion. If you're not familiar with Security Onion, it's a distribution  with pre-configured versions of Snort, Sguil, Snorby, Elsa, PRADS, Bro, Suricata, Network Miner, Squert and more. Doug has taken the project from originally being a Live CD to a enterprise level project supporting a network of distributed sensors. This is really the easiest way to get up and running with IDS and analysis tools. If you're just starting out and want a platform to to work with and learn on, the sensor and console can both be installed on the same box with a few clicks and a few answers to some basic questions.

H.D. Moore of Metasploit fame did the first talk of the conference on the "Wild West" of the Internet, sharing results from his massive survey of ports, services and platforms. The results are somewhat shocking, as we haven't come nearly as far as we'd like to think in locking down our infrastructure. The basic security tenants of patching, upgrading, shutting down unneeded services and not exposing unneeded services to the public are still not being heeded.

Finally, the talk by Jeff Moss was excellent. Jeff spoke on the general direction of network and information security, he talked about his current tenure with ICANN, and laid out the political and financial forces that are shaping the direction of the Internet. Highly recommended.

No comments:

Blog Archive