Amazing how fast six days can blaze past and be so packed full of knowledge, learning, challenges, events and fire alarms.

This year conference was so hot, the place nearly burnt down. Twice.

Survived another SANS conference in Canberra; met a heap of great people, kept entertained by the instructors, kept awake by random false fire alarms during the night and came away with some new skills and knowledge.

I was fortunate to be chosen as one of the four facilitators, so got to run around in the background, have Mentos been thrown at me and finally be expelled by the Americans on the 4^th of July.

All of this and get an education. Fantastic stuff.

Over 100 people turned up from all over Oz and New Zealand for the four tracks.

Leading us out of the security darkness and FUD:

• The home grown Mark Hofman, bring the wholesome security goodness of SEC401: SANS Security Essentials Bootcamp.

The trio of rebellious upstarts from the New World, er, wonderful gentlemen from the United States of America:

• John Strand, startling students with sudden manoeuvres and forced marches in SEC504: Hacker Techniques, Exploits & Incident Handling.
• Bryce Galbraith marshaling his desperate band of would be ethical heroes in SEC560: Network Penetration Testing and Ethical Hacking
• Chad Tilbury bring order and reason to hard drives gone mad in SEC508: Computer Forensics, Investigation & Response

Lucky me, an Englishman surrounded by ungratefuls from the colonies on the 4^th of July. And what did I have as a uniform, why a SANS red coat. Ah, the irony!

It is a red coat. NOT an apron.

Yes, bad puns on the American revolution will continue to creep in. In some cases run in and stage dive spectacularly, head first , on to an empty floor.

Shearwater steered the event seamlessly and smoothly (with a little help from the volunteers of course). A special mention to Shearwater’s Ray for keeping the “low cal” cheese cakes, pecan pies and other yum treats re-appearing despite some of the conference staff attempts to thwart us stuffing our faces. Good work Ray – the legions of late breaking students from 401 salute you!

The courses, like the food, were devoured by everyone, for some just starting out on their understanding of the vast security field, they were astounded by what they were learning. A couple of folks in Mark Hofman’s 401 class felt shell shocked after the second day over the sheer volume of information. Mark’s teaching approach was one of the ways they could absorb and comprehend the knowledge. A high sugar diet apparently helped too.

I was in Bryce’s class and he rocked it. The class was a mixed crowd with a strong government contingent sitting at the back. After the first theory based day, there was a momentum of excitement, as each day built upon the last. Bryce kept us rolling through the material and labs. There were extensive labs exercises each day. Some of the class would read ahead the night before and spend the time playing with the lessons. Others would carefully follow the labs, make sense of the steps and seeing how they worked. Some just went at it.

There were some great questions pitched up from the class. This is where Bryce’s extensive professional knowledge shone through. He ably answered the questions and would always put it in to a real life perspective. The really help drive home some of the points and made the training “sticky”. One of the great qualities SANS’ instructors bring to the material is the ability to help understand it and make it accessible. I noted that Bryce would explain in-depth to those new to the topic, but would mentor those who had their feet in the material already and wanted to explore.

With never a dull moment, I would find myself being painted by the laser pointer after finishing the labs too quickly by Bryce. Little did I realise that it was a prelude to frequent Mentos carpet bombing.

I blame attacks like this for not winning the day six challenge.

A Mento in the USB slot will stop all but the most harden pen tester.

John Strand is an impassioned teacher and one that never stops moving, physically or mentally. If you want someone who is clearly passionate and excited about what he does, John is your man. He throws in those great stories and examples, while sweeping the class down the road of learning with him. Ashley, the junior facilitator, was told to use the dart gun if John got too excited or made a break for it. We estimate John could have walked the 300km to Sydney during the six day if we’d let him.

Chad’s class, by stark difference, was an oasis of calm, refinement and serious thoughts. There was a quiet air of awe in Chad’s class room as he guided the class in to the mysteries of digital forensics. Whenever I was running for my life from hurled Mentos, I would see the rapt, focus faces of the class follow Chad thought the lessons. Damian, the senior facilitator, end up have a remarkably peaceful week of order and compliance. The only time the class got restless was on law day. Tragically, the chewy sweets in class that would normal kept them going seemed strangely depleted. They had “magically” been dumped on my laptop again. How ironic.

Sadly, I could never stay to soak in that tranquility, as a moving target means less bruising.

SANS @Night Presentations

What was particular great this time was all the instructors got to do after-class presentations of a topic close to their hearts. It called “SANS @Night” and was worth waiting around for each one of them.

Production Honeypots with John Strand – Tuesday night

John had a fiery, punchy and potentially controversial take on how honey pots should be move out of the shadows of research and in to the headlights of production networks. John’s presentation demonstrated how standard protections provided limited real protection by, what many take as a found stone of security, anti-virus and IDS. John stated that attackers can strike with little fear of retribution, while we are left we little or no information on who they were or what they were after. Safe havens exist in within the physical world which allow attackers to operate with no concern of retaliation or harassment from law enforcement. Why shouldn’t we be more aggressive in our defence?

He proposes the use of production honey pots to collect data from and about the attacker. Why not harvest what browser, pc and location of an attacking machine? Why stay passive? John was not advocating striking back (I’m pretty sure, anyway) but use the honey pot technology in an active, rather than passive manner. In this active mode it could capture significant information on the attacker. John has taken this approach and build a SAN course around some of the many tools and methods he talk over during the evening http://project.honeynet.org/project has a smattering of the tools mention throughout the talk.

As defence is close to my heart, this was one of those time I would have love to had more time to understand and see a honey pot environment in action. There was a lot of empathy in the room about not being so nice when dealing with attackers. The comment that stuck was “we (defenders) have to play by the rule. Attackers don’t care. They do what it takes to get what they want.”

Thought provoking stuff.

SANS Community Evening Panel Discussion by SANS Instructors – Wednesday night

A good number of the Canberra security community turned up to add to the 40 plus students.

A lively and good humoured discussion, but it got somewhat side tracked by a couple of people from the crowd who kept on bring the topic back to their original question. The recurring questions where somewhat generic and could have been answered by your favourite search engine. This was a shame as I could see others who wanted to ask questions, but never got the chance. This was in strong contrast to the last year, where the panel debated a huge range of topics and picked through some very tough questions.

John Strand retorted with some very funny one liners to some of the blander questions, kept us chuckling and Mark got to answer on the more interesting local knowledge queries.

The hour and a bit was up and the speakers were gently herded out of the room. It was during this time a couple of great questions popped up, and I only wish the panel had taken a go at them instead. Next time, perhaps.

Live Incident Response: Memory Analysis with Chad Tilbury – Thursday night

“Introducing the top three must-have capabilities in your IR toolkit that were released in the past year. Learn how live memory collection and analysis is a game-changing tactic now utilized in effective Incident Response and Mitigation techniques. Find out what will replace the tried and true “sysinternals” tools and replace them with capabilities that are crippling rootkit technology.”

I annoyingly missed a large chunk of Chad’s talk, but caught up at the point of a live forensic demonstration. He took the audience through a recovery process and, wow , it was impressive on what he could recover. Watching the presentation really made me put the 508 forensic class on my wish list.

The tools are here from the talk along with some truly amazing community input: http://forensics.sans.org/

Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen with Bryce Galbraith – Friday night

Bryce had been talking about monkey in the middle (MitM) attacks all week, so it was no surprise that the 560 students were looking forward to the presentation. Although MitM attacks are not new, it is a shocking to see how utterly effective they can be to bypass security measures. Bryce went through a host of scenarios on subverting what is normally taken as a secure method of communicating. The attacks covered layer 2-7 in the OSI model, so it really kicked off the brain to thinking was my environment open to this and if yes, how would I close it down?

A truly great talk to close off the week.

Bryce in action

For those curious how I managed to keep track of the day of the week mapped to what course day, I can now reveal my secret:

Socks – it works for me

Yup, my sock have the day of the week on them. Who needs these high tech solutions anyway?

Until next time.