Thoughts on SANS Network Security 2013

I had six weeks between passing my GWAPT exam and attending SEC 503 at the SANS Network Security 2013 so for the first time in the past fourteen months I took a break from studying and certifications. I still spent some time setting up a VM and building a python web scrapping app but nothing worth blogging about.

For the second year in a row I was able to attend SANS Network Security in Las Vegas and for the second year in a row it was well worth it. I got back home last week and thought I’d type up a few quick thoughts on the conference since it’s been over a month since I’ve posted here.

In addition to seeing people that I wish I got to see more often I also got to meet some great new people that I look forward to talking more with in the future.

I (of course) attended the DFIR talk put on by Alissa Torres, Chad Tilbury, Lenny Zeltser and Rob Lee. It was a great talk and gave a sneak preview of each class and a nice overview of how they all fit together. That talk was followed by Jason Fossen’s talk “Windows Exploratory Surgery with Process Hacker”. The two main takeaways from this talk were:

  • He know more about Windows than I will ever know about anything
  • He is friggin hilarious

The only other night talk I got a chance to attend was John Strand’s talk covering tools on the ADHD distro including HoneyBadger and ReconNG. I’ve used ReconNG  few times but a few of the other tools were new to me and the talk as a whole was highly informative and obviously entertaining.

There were a few other night talks that I wanted to attend but Netwars was calling my name. I got a chance to play for about an hour last year and had a blast so I was looking forward to being able to play for two full nights. I did a lot better than I did last year but I also identified several areas where I need to improve my skills in 2014.

While all of the things above were awesome the main reason for attending any SANS conference is the class itself. This year I was in Mike Poor’s 503 class on intrusion detection and packet analysis.

I was excited to get a chance to attend Mike’s class as packet analysis is an area where I have a ton of room for improvement as I rarely deal with it on a day to day basis. I always put in a lot of after class studying and test prep but this class may set the record as there’s a lot for me to work on. I’ll definitely have another post or two on my study process.

Regarding the in class experience, Mike Poor is a fantastic instructor. He’s mellow, friendly, seems genuinely interested in his students leaves a very good impression.

Our teaching assistant was Judy Novak. I heard several “the legend of Judy Novak” stories from John Strand last year during my 504 class so it was cool to get to meet her. She is Knowledgeable, helpful, funny, sweet and just 100% awesome. She gave an extra session on “IDS evasion using Scapy” late one afternoon which was a cool bonus.

All in all it was a great experience and I can’t wait until I get a chance to go to another.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more