Sunday, October 20, 2013

Network Topology Configurations for Security Onion

Occasionally questions are asked on the Security Onion (SO) mailing list about physical and virtual network configurations for getting network traffic into SO.  These questions often have nothing to do with SO itself and everything to do with network architecture issues, such as sensor and tap placement, switch configuration, and virtualization software configuration.

Here is a paper I originally wrote back in April for the Security Onion mailing list to address these issues.  It would probably be better as a blog post, but it's a little long for that and transferring the graphics from Word to the blog is a bit of a pain, so I'm leaving it in PDF format for now.  If anyone spots any errors or finds anything that isn't clear, let me know and I will update the document.

Network Topology Configurations for Security Onion

Sunday, October 13, 2013

Admissibility of Digital Evidence in Virginia

Here is a paper I wrote for Champlain College's "Practice of Digital Investigations" course as a part of the M.S. in Digital Forensic Science curriculum.  The assignment was as follows:
Prepare a report identifying the requirements for having digital evidence accepted in a criminal or civil court within your jurisdiction. You should identify relevant state and federal legislation, and court rules or instructions. Your report should include the requirements for presenting expert evidence, this includes any federal or state rules of evidence that apply to expert testimony.
Your answer should be approximately 2500 words. You may choose to focus on civil or criminal cases.
This was quite a learning experience for me since I have no background in court proceedings or law enforcement.  Before researching this topic, I assumed there were specific rules governing digital evidence as opposed to physical evidence, which I found was quite a faulty assumption.

Admissibility of Digital Evidence in Courts of the Commonwealth of Virginia

Monday, July 22, 2013

OSINT...Oh What?


I recently participated in a brief Twitter conversation that started with a statement that the terms "OSINT" (Open Source INTelligence) and "OPSEC" (OPerational SECurity) are too military-sounding (they are military terms after all) and thus might turn some audiences off from understanding the underlying concepts, particularly those audiences who really ought to understand and apply them.  I wanted to comment more on these concepts, but 140 characters makes it tough to do.  Hence, I decided to write a couple of blog posts to discuss what these terms specifically mean, why they are applicable in the private sector, and some potential alternative terms that might be more widely accepted outside the government.

In this first of two posts, I discuss OSINT.  In a follow-on post I will discuss OPSEC.

What is OSINT?


To understand open source intelligence, you first must understand the intelligence part of the term.  Joint Publication 1-02 (JP 1-02), "Department of Defense Dictionary of Military and Associated Terms", defines intelligence as:
"The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations..."
That's a mouthful, but in layman's terms intelligence is the final product of the analysis of (potentially) disparate pieces of information into a coherent meaning.  The "interpretation of...information" is the key element in this definition, as intelligence is the outcome of human judgement that gives meaning and application to raw information.  Even before you have information to analyze, you have raw data that may have even less apparent value or meaning.  The following graphic illustrates the relationship among data, information, and intelligence:

Source: Joint Publication 2-0, "Joint Intelligence", June 22, 2007
Retrieved July 21, 2013, from

Here's a very simplistic example of this relationship in information security terms:

  • Data:  Raw log files collected from disparate network nodes.
  • Information:  A timeline of network activity derived from processing the log files.
  • Intelligence:  An assessment of an attacker's tactics based on what activity took place on the network derived from analysis of the timeline.  This is probably combined with other data and information sources and might also include an estimate of future attacker actions or even attribution to a specific threat group based on observed tactics.

A key philosophy usually followed in military operations is that of intelligence-driven operations.  That is, operations must be informed, directed, and focused by intelligence.  For example, a military commander's mission may be to defeat an insurgency.  To do this, the commander must understand the local culture and power structures, identify key community leaders and insurgent personalities, and myriad other details.  These things require the collection of relevant information and analysis of that information to guide the commander's actions to reach his goals.  The alternative is to play "whack-a-mole", constantly chasing the latest problems without really solving the underlying issues.

Intelligence-driven operations in information security might mean understanding the specific threats against your company or industry, including their tactics and capabilities, and organizing your defenses to counter those specific threats instead of deploying broad, generalized defenses that may not stop the threats you actually face.  Threats must also be taken into context with your specific vulnerabilities and the threat's ability and intent to exploit those vulnerabilities, which equals your risk (the risk equation includes other factors, such as asset criticality, but calculating risk is a whole other discussion).

Open Source

Now let's address the open source in open source intelligence.  JP 1-02 defines open source intelligence as:
"Information of potential intelligence value that is available to the general public."
This definition is contradictory to the definition of intelligence since we've already established that information and intelligence are not synonymous (amazing, two government documents contradicting one another!).  I'd say this is really a definition of open source information rather than open source intelligence.  Intelligence information is information "of potential intelligence value", but information is not intelligence.  A more accurate definition of open source intelligence, using the definition of intelligence as the root, is:
"The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of information available to the general public..."
Whether or not information is available to the general public, i.e., "open source", is in the eye of the beholder.  So far I've discussed information and intelligence from the government's point of view.   In that context, open source means information that the government does not keep to itself.  In other words, the average private citizen can access open source information without government clearance or authorization.

Now, just because open source information, and the derived open source intelligence, is not obtained through sensitive government methods doesn't mean it isn't useful.  In fact, the government has organizations devoted to the collection and analysis of open source information.  From the Director of National Intelligence's Open Source Center:
"Information does not have to be secret to be valuable. Whether in the blogs we browse, the broadcasts we watch, or the specialized journals we read, there is an endless supply of information that contributes to our understanding of the world. The Intelligence Community generally refers to this information as Open Source Intelligence (OSINT). OSINT plays an essential role in giving the national security community as a whole insight and context at a relatively low cost.

OSINT is drawn from publicly available material, including:

  • The Internet
  • Traditional mass media (e.g. television, radio, newspapers, magazines)
  • Specialized journals, conference proceedings, and think tank studies
  • Photos
  • Geospatial information (e.g. maps and commercial imagery products)"

OSINT in the Private Sector

"Open source" information in the context of a private business has essentially the same meaning as it does in a government context: information openly available to people and organizations outside the company.  A simplification would be to say open source information is non-proprietary and closed source information is proprietary, which is the point I put forward in the conversation that sparked this post.  However, a corporation might make certain proprietary information publicly available, either for free or for a fee, so proprietary information might also be open source.

With that said, I propose two simple replacement terms for OSINT in the private sector: openly available (thanks, @kylemaxwell) and publicly available (with the understanding that public means outside the company) intelligence.  "Publicly available" might be slightly more accurate because it connotes any information available in any manner outside a company, including information available for a fee or based on some organizational membership.  It is also the term used in the Open Source Center quotation above.  Openly available might cause some people to associate the term only with information available with no restrictions whatsoever, although that distinction might be splitting hairs.


It is important to understand the value of publicly-available information to prevent one from dismissing certain sources of information as being unreliable or not useful simply because the information is easily obtained.  Any information, regardless of the source, has potential value.  I think intelligence, however, is a more important concept to grasp than whether or not the intelligence is derived from public (open source) or non-public (closed source) information.  The value of information in practice is based on the application of human analysis and judgement to draw conclusions, make connections between seemingly unrelated or disparate pieces of information, and drive decisions and actions that make the best use of available resources.

That is intelligence.

Saturday, April 20, 2013

My Home Security Lab (Part I)

Like many folks interested in information security, I have a home lab environment.  I thought I'd share my setup just to provide another option for anyone who might be looking for examples of how to create their own lab.  In this first post, I'll go over my requirements and hardware choices.  In subsequent posts, I'll talk about my physical and virtual network topology and configuration.

Many different configurations and combinations of virtual and physical infrastructure could be used depending on what your ultimate goal (and budget) is.  I primarily wanted a network security monitoring (NSM) lab, so I had the following requirements:
  • Capability to run several (3-4 or more) machines (physical and/or virtual) at the same time
  • Capability to monitor all of those machines via a physical tap, a switch mirror/SPAN port, or a virtual configuration
  • Expandable storage for saving full-content packet captures, creating a large number of VMs and snapshots, and whatever other needs arise over time
  • Ability to segregate the lab traffic from the rest of my home network
  • CPU support for virtualization extensions (VT-x and VT-d)
  • Flexibility for additional future uses, such as password cracking, malware analysis, or other uses I may not have considered
  • Spend as little money and reuse as much existing hardware as possible
With those requirements, I decided a virtualization server was the only way to go in terms of flexibility.  That meant the first decision was to select a virtualization platform.  I settled pretty quickly on VMware's vSphere Hypervisor since it's free, has a very small footprint (144MB), and is packed with features.  There are other options such as Proxmox VE, Xen Hypervisor, or running VirtualBox or VMware Workstation in a host operating system, but I never seriously considered those.  That doesn't mean, however, that these options aren't viable - Richard Bejtlich runs such a setup, using VMware Workstation as a "server", that seems to work great for his requirements, and there are many examples out there if you look.  It boils down to your personal preferences and what meets your needs.

I looked at several new and refurbished machines, but never found quite the specifications I was looking for within an acceptable price range, so I decided to build my own "white box" VMware ESXi server.  It can be tricky finding consumer grade hardware that is compatible with VMware's enterprise hypervisor, and one of the most difficult items to find is a compatible motherboard that still has the features you want.  I narrowed my choices down to ASRock boards primarily based on information I found at Paul Braren's TinkerTry blog and specifically his vZilla build.

Ultimately I settled on the following build:

| Component | Make/Model | Price | Vendor |
| --- | --- | --- | --- |
| CPU | Intel Core i7 3770 3.4GHz LGA 1155 (Ivy Bridge) | $279.99 | |
| Motherboard | ASRock Z77 Fatal1ty Professional | $238.49 | |
| Case | Cooler Master CM 690 II Advanced | $79.99 | |
| Power Supply | Cooler Master Silent Pro M 600W | $45.07 | |
| Memory | 32GB G.Skill Ripjaws X Series | $174.24 | |
| Graphics Card | Nvidia Quadro | $0.00 | On-hand |
| Hard Drive | 250GB 3.5" SATA III | $0.00 | On-hand |
| Optical Drive | No-name SATA DVD-ROM | $0.00 | On-hand |
| Network Adapters | x2 Realtek 10/100/1000MB | $0.00 | On-board motherboard |
| Total | | $817.78 | |

A few notes about these choices:

  • All prices are from about six months ago, and some reflect sale prices or promo codes available at the time, so your mileage may vary.  More recently I added two Seagate Barracuda 2TB 6GBs drives for more storage and to reduce the higher disk I/O I would have running everything off one hard drive - these ran about $70.00 and $80.00 on sale.
  • The motherboard was chosen for its VMware compatibility; a considerable number of PCI slots that will allow me to add additional network adapters as needed for various configurations; more than enough SATA ports; and VT-d passthrough support, which allows you to connect hardware directly to a VM without it running through the virtualization platform.  My board has on-board Realtek NICs, but I think the latest version of this same board has Broadcom NICs, so you need to make sure VMware drivers are available.
  • I went with an Intel CPU simply for the quality and performance.  I briefly considered AMD's six and eight core FX CPUs since they were comparably cheaper and I thought the extra cores might be useful for virtualization.  However, I couldn't find any definitive information regarding their performance over Intel's hyper-threaded quad-core i7 and did find some anecdotal evidence that they would not perform as well, so I just stuck to the known quantity.
  • I could probably get by with a lower-wattage power supply, but I wanted room for expansion.
  • At some point I would like to fill up my drive bays with four more 2TB drives and add a hardware RAID controller, but right now those features are more "wants" than "needs", so I'll save my money for other things.
So, that's my hardware.  In coming posts I'll discuss my vSphere configuration, as well as a little about my physical infrastructure.

Monday, April 15, 2013

From paid to free...

So, this is my first post on a blog I'm not sure how often I will even use.  For a while I was paying for a web hosting account and a domain name, mostly to share family photos and do a little blogging specifically for friends and family.  It wasn't too long before I realized that no one would take the time to log into my web site to view my photos and blog posts since everyone is already on Facebook and other social media sites, which I still haven't fully embraced (I don't even have a Facebook account although I've gotten addicted to Twitter in the past few months!).

I also intended to set up a sub-domain to start yet another information security blog, but never got around to it.  In the end I kept the domain name and hosting account just to use it as an SSH proxy for browsing the web on untrusted networks.  Finally I got around to setting up a VPN server at home and no longer had any use for the web site, so I closed it down and saved some money.  Recently I got another inkling to start an infosec blog, so I thought I'd set up this one and see where it goes.

Rather than trying to write content to attempt to draw readers (although that would be nice), I'll probably use it as more of a personal note-taking device, a placeholder for things I don't want to search for, or random topics that interest me.  After all, if I'm not interested in what I'm writing about, I don't expect anyone else will be either!