Brianne Fahey

chris sanders

Defending with Graphs

by

Visualizations are powerful. When talking about data relationships, graphs are of keen interest. This spring I spent 4 months building out an idea and writing a whitepaper that is now published on the SANS Reading Room.

The paper is called Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths.

How about a two sentence synopsis?

The tl;dr is that there are several well developed examples of attackers thinking in graphs (see John Lambert’s article) and room for more ideas for how to defend with graphs. I wanted to demonstrate a use case for security defenders building a graph data map representation of their environment and querying it to improve their ability to respond quickly and directly to an incident.

A look at an image from my results.

I hope you will peruse this work and find it useful. It builds on the work of several researchers, developers, and thought leaders including Chris Sanders’ pivotmap tool, Colin O’Brien’s grapl platform, and Olaf Hartong’s ATTACK datamap tool.

I Think, Therefore I Am An Analyst

by

There are a lot of tools to learn in the cybersecurity trade. There are a lot of sources willing to teach you about those tools.  There are not many people interested in teaching you how to think like an analyst.

I just finished the 3rd course in my Chris Sanders’ Applied Network Defense trilogy: Investigation Theory. Before this course, I’d taken and reviewed Chris’ Effective Information Security Writing and Practical Packet Analysis.

Investigation Theory is a course designed to help an analyst develop a mindset to investigate any type of security event or alert. The course is built to take roughly 10 weeks and you can pace yourself to finish faster or slower.  Although it is offered fully online, Chris organizes the course so that a new group starts it together every few months.  The benefit of this is that no only do you have the ability to interact with the instructor Chris Sanders in the online course board, you also have the opportunity to post thoughts to and respond to questions from other students.  I definitely took something away from reading other students’ answers to Chris’s posted questions at the end of many lectures.

In addition to lectures, the course includes student community discussion, recommended reading, bonus lectures, and interactive investigation labs.

Nothing helps ideas stick better than hands-on practice.

The labs were challenging. I had to try most of them several times before I submitted the correct answer.  But I learned ideas of questions to ask and places to look for leads to those answers.

One of my favorite sections in the Investigation Theory course was built around explaining the value provided by different types of analysis data. It focused on the likely available sources in an investigation like packet captures, netflow data, IDS alerts, OSINT, and an armful of different log types. The lecture described the pros and cons of the source and highlighted opportunities to aggregate and pivot on data attributes provided.

I’m proud to have finished this course.  I would recommend it.  It is less technically specific than Practical Packet Analysis, but it is full of insights that will work for a security analyst no matter what tools and tactics you have experienced.

You can a course description, pricing, and registration information at the Applied Network Defense site.

Packet Analyzing

by

I recently finished Chris SandersApplied Network Defense online course for Practical Packet Analysis.  Before I give you my impressions of the course, let me give you an idea of where I’m coming from and what I expected.

I never captured a packet before mid-2017.

I knew I’d need some practice analyzing packets to maximize my experience in the SANS SEC503; Intrusion Detection in Depth course later this year. I’ve never had a job role that gave me the opportunity to work hands-on with networks so at times networking can be an Achilles heel of mine. I’ve done a lot of reading and a little bit of experimenting at home, so I was eager to pour myself into some labs and figure out what I could do and what I needed to work harder toward.

I purchased myself a course license and started chipping away at the materials in September.  I also bought a copy of Chris’s Practical Packet Analysis book through No Starch to use as a reference.

The Practical Packet Analysis course runs on demand (you can start as soon as you purchase a license) and includes more than 100 videos and more than 20 lab exercises. It’s available to you for 6 months.  I worked on it off and on a few hours a week for about 5 months and I noted a few lectures and labs I’d like to revisit in my last few weeks of access.  Because it was that good.

This course covers so much material.

It does a really incredible job of incrementally walking the student through progressively more specific and challenging material.  You start off with some high level network concepts and a lot of attention to the OSI Model, work into understanding how those protocols and activities manifest in real life, and then top it off with learning to efficiently comb through the packets captured from this network activity with tcpdump and Wireshark.

This course is worth every hour you put into it.

I will be able to use things I learned in this course immediately, even without needing to analyze packets daily in my day job. The lectures are well communicated. The material is current and specific.  Chris Sanders doesn’t lean on expensive tools or on only one way to approach a question.  He teaches you to think it through and answers questions by providing applicable advice instead of answers.  Certainly you can skim past sections you already know and visit subjects you’re struggling with more than once.  I particularly benefited from focusing on understanding the explanations for the malware labs analysis, examining HTTP responses, carving out transferred files, and exploring traffic manipulation.

I’m pleased to have finished the course and definitely open to taking any of the other Applied Network Defense Courses when I need to go deeper into the other available subjects.

Information Security Writing

by

Learn a byte at a time.

About a month into the year, I’ve completed my first planned personal training goals: Chris Sanders’ Applied Network Defense course called Effective Information Security Writing.

This course is absolutely worth the cost!

Write Now, Reference Later

I’m a firm believer in capturing information while you’re attaining it with the goal of ultimately having a polished reference page or standard operating procedure. My process involves creating a lot of short & sweet OneNote pages as things are happening that I can revisit to combine, order, and edit later.

Writing things down is not a popular pastime among my peers. Events come in high volumes and move fast.  Capturing details seems like a luxury. I never regretted having a slick wiki page to reference when I was on-call or entering an incident analysis cold. I figured no one was into using my help pages as much as me until I was contacted via LinkedIn by a colleague from a former job to thank me for writing guides five years earlier for a tool he just inherited without much time to get up to speed.

What worked for me?

The Effective Information Security Course offered a mix of videos, exercises, templates, and online discussion.  I’d recommend it to anyone who is asked to write documentation, even if it is not the exact types of reports this course covers. The course is extremely relevant if you’re already writing reports for pen tests, vulnerability compromise reports, or case notes.

Taking time to see something through another person’s point of view often reveals your own biases and blocks to help you become aware of how you can improve. I learned that the executive summary is typically the last section of a report you write – not the first as I had been doing.  This makes total sense. Get out the long parts first and then condense it down into the highlights.  Seems so obvious but since it was logistically first int he report, it never occurred to me to write it at the end. Simple and impactful.

Completion Note

 

I thrive on courses that are flexible, and that don’t require me to be sitting a a computer the entire duration.  I could take a walk and listen to a few lectures – then settle in at my desk to try the exercises. I finished the course in roughly 10 hours over a month of nights and weekends. I started both EISW and Practical Packet Analysis at about the same time since I knew the latter would require much more attention (and time).  I had no trouble switching back and forth between the two courses while keeping track of the path and the ideas in the lessons.

Find out for yourself!

Check out the course details and consider adding this one to your own personal plan.

Learning is Living

by

There are so many things I want to know…

I regularly scan for stories and use cases that will inspire good work and sharpen what I can offer.  As a result, I read about a lot of tools and theories that I am not familiar with.  Knowledge requires information and growth requires experience.  I’ve always been a fan of the idea of writing down any term or acronym you see or hear in use and if you don’t have a chance to ask about it immediately – Google it later.

Today is always a good day to start.

Personally I keep a running list of things I want to lean more about.  That way when I see an opportunity to pick up an ebook, watch some recorded convention talks on YouTube or take advantage of a training deal, I know where to start. Because the list is sometimes overwhelming, I use a priority system that keeps me focused. Chris Sanders offered a fantastic discount on his Applied Network Defense courses at the end of 2017 and I could not pass up the opportunity to learn from him.  I saw Chris speak at BSides Cincy this summer about Curiosity as a necessary analyst skill. He is intelligent and inspiring.  Plus he knows what the heck he’s doing and I love his philanthropy goals for the Rural Tech Fund.

All this is shaping my early 2018 personal learning plan around these 3 Applied Network Defense Courses:

Some of Chris Sanders’ Applied Network Defense Courses

Keep building yourself.

I know I have a lot to learn.  I keep pushing myself to ask questions, admit when I need to do more research, and listen to the inputs of my friends and colleagues.  Listen to the experts and those willing to teach, like Chris Sanders. It will stoke your curiosity and possibly even inspire you.