BPF, PCAP, Binary, hex, why they matter?

Published: 2013-12-01
Last Updated: 2013-12-01 19:25:34 UTC
by Richard Porter (Version: 2)
3 comment(s)

*A call for more blue defenders*

In a couple weeks I will be a TA for Mr. Mike Poor in DC at CDI (Shameless plug, if you are a reader and see me in DC say so!!!) for SANS 503. We often get asked, why does BPF matter || why should I bother with hex || why do I need to learn this???? My application does all the work for me!

I would like to share a ‘vet’ U.S. Navy story and shout out a thanks to, at the time QM2(SW), a talented navigator. He was telling me the “Stars never lie” and in that they always show the way. If you learn to read them, take my GPS, take my N take my Y technology, I have the star. If we know where the north star is? We can always find north! After watching him dismiss a senior inspector with core math and navigation skills and the stars? I was a believer!

At the core our minds are powerful processors. According the quad process model we take in vast amounts of information and process it at incredible speeds (Conrey, Sherman, Gawronski, Hugenberg, & Groom, 2005). This is likely why there are times when a 'solution' to a problem just somehow pops into your mind. Or why after years of driving it seems automatic.

If we understand the “Core” network communication we can break down protocols!

A couple of opinions/facts/ideas/comments/<insert favorite polarized media narrative here>;

  1. Most if not all IDS/IPS/HIDS/NIDS speak BPF [1]
  2. And another thing? RAW packets ‘usually’ cannot lie (it’s the RAW factor that counts)
  3. Most if not all sniffers/HIDS/NIDS/IPS/IDS/Firewalls speak PCAP
  4. Understanding the root language can help you understand new code built into that language

Coming to my point? For $DayJob I have been asked to prepare an Incident Management workshop, which has become a more common request. In this I hope to shed light on the important of core skills like TCPDumpFU || HexFU || BinaryFU || ProtocolFU. Most importantly I want to emphasis that a core understanding can help in the critical thinking process when facing new or unknown problems or challenges. Our faithful readers know the near axiomatic statement from any handler “got packets?”

Lately I have been asked to consult on more incidents than normal (for me) and in that I have noticed that although the operators are quite intelligent with fundamental problem solving skills, yet they are not effectively equipped. We need better blue defenders!!!!

It’s easier to attack than defend (Tzu, 1889). My most favorite moment is making most glorified attacker for “said G groups” unplug laptops and say “how did you do that?”…  (read active defense is not to attack but to fatigue your enemy, frustrate them, make them tired of attacking, deny them the ability to attack!)

Back to the point, we have been under attack for so long and breach after breach after breach aft……………. It has become the ‘new norm’ and I wanted to address the Pachyderm in the room! We are short of blue defenders! It’s easy, perhaps sexy to download “Kali” linux? But… How many have heard of HoneyDrive [2]? Or perhaps SecurityOnion [3]?

[4] “If I make an attacker spend an extra 9 hours attacking my website? I’ve won!” John Strand, SANSFire 2013.

Hard data, according to the Verizon DBIR [5] HIDS, NIDS, Log Review and Incident Response are responsible for between 1-4% of discovery methods (Figure, 44, p.54). I wonder how much of our IT $budget$ is spent on the tools that give us the 1-4%? We have to get that number higher! The facts point to unrelated parties as a primary means of detection. Getting a phone call is not a good way to receive an Indicator of Compromise (IOC).

Back to the origin of the post to come full circle? Why BPF, why  PCAP, why hex? To first defend against a thing you must understand a thing (Tzu, 1899). If we form a base understanding of opponents tactics along with the battlefield we can better defend!

 

Resources:

Conrey, F. R., Sherman, J. W., Gawronski, B., Hugenberg, K., & Groom, C. J. (2005). Separating multiple processes in implicit social cognition: the quad model of implicit task performance. J Pers Soc Psychol, 89(4), 469-487. doi:10.1037/0022-3514.89.4.469

Tzu, S. (1899). Sun Tzu's Art of  [online] Retrieved from: http://suntzusaid.com/book/3 [Accessed: 1 Dec 2013].

[1] http://www.tcpdump.org/papers/bpf-usenix93.pdf

[2] http://sourceforge.net/projects/honeydrive/

[3] https://code.google.com/p/security-onion/

[4] http://sourceforge.net/projects/adhd/

[5] http://www.verizonenterprise.com/DBIR/2013/

 

Incident Management Resources:

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/26-CIP_CyberAssessmentGuide.pdf

http://www.ietf.org/rfc/rfc2350.txt

http://www.cert.org/csirts/resources.html

http://www.iso27001security.com/html/27035.html

http://www.itu.int/en/ITU-D/Cybersecurity/Documents/ALERT.pdf

http://www.itu.int/ITU-D/membership/portal/index.asp?Name=45047

http://www.itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/S6_Mohamad_Sazly_Musa.pdf

http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/CIRT-Desk-Reference.pdf

 

The Practice of Network Security Monitoring: Understanding Incident Detection and Response

by Richard Bejtlich http://amzn.com/1593275099

http://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791?show=incident-handling-process-small-medium-businesses-1791&cat=incident

http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641?show=computer-incident-response-team-641&cat=inciden

http://www.cert.org/csirts/csirt_faq.html

 

~Richard

@packetalien || rporter at isc dot sans dot edu

 

 

3 comment(s)

Comments

You don't need the stars, even the sun can give you pretty good coordinates. If you timepiece is more or less precise, and you map the sun around noon (like with a sundial), then remember that the sun is south at 12:00, but, it moves 15 degrees per hour or 4 minutes per degree. So you can determine east/west coordinates down to at least 1 degree or better E/W. As for North/south, you would need to know the date. The sun moves +/- 22.5 degrees from equator or around 45 degrees per 180 days or approx 4 days per degree. Basic geometry can be used here with a stick in the ground, then measure the stick and shadow length at high noon.

Al that being said, I also meet very few people with TCP/IP skills. The network guys are one group who never looks beyong IP headers. And most Windows/Unix people don't ever look at the network traffic. I am using it regularly to localize network problems, troubleshoot stuff where the RFCs lists a human readable protocol, and sometimes binary protos as well, have even used it a few times to prove to the vendors that their crappy software was buggy. It can be used for many other things than just looking at malware. But it takes a special person being willing to go deep, or use the resources need to get something out of this. And I see fewer and fewer people in IT with that skillset, or ability to focus and drill down. The old guys retire, and the young ones are not interested in details. Just like the shift from developers to programmers to copy/paste-kings.
Many network appliances are Linux based and they have tcpdump built-in. With BPF and some Hex converting skills you can understand and solve many of root issues.
Thank you for this diary
Hi,

Thank you for the article, but what are "Blue Defenders"?

Diary Archives