How to Fake Network Security Monitoring

Thursday, September 13, 2012

Javvad Malik


You’re the new guy in the security ops team, they’re giving you training and put you on a very crucial and important job… Monitoring.  

You’ll be told how important the job is and how essential it is to do it correctly to ensure the ongoing safety of the company. But you notice that nobody really shows any interest in doing it. There are two reasons for this.

Firstly, it’s usually a job that they don’t really understand how to do, but secondly, and more crucially, even if they do understand how it works, it makes watching grass grow an extreme sport in comparison.

Having been subjected to monitoring of all kinds early in my career, I developed a set of techniques which can be used to give the impression you’re a monitoring guru:

1. The Blink and Chin Rub

Blink frequently and rub your chin. This tried and tested technique gives the impression that you’re deep in thought and analyzing each packet individually.

Having a couple of crushed cans of Red Bull or Coke on your desk will give the impression you’re a man on the edge, and very few people will interrupt or ignore you. Every now and then let off a low-level grunt.

2. Look for Key Values and Strings

A quick find for key strings and values will save you trawling through gigs’ worth of logs. Identify the key ones first and type them up separately. That way, if anyone looks at what you’re doing, they will be impressed by your apparent ability to detect patterns.

At the end of the day simply delete it and sound frustrated whilst muttering “false positive”, bang the table for dramatic effect before grabbing your coat and heading off home.

3. Be Vague When Questioned

When your boss asks for your thoughts on some anomalous network traffic you need to tread carefully. Deliver a vague opinion, add that you’ve been analyzing a list of key values and strings to get to the root cause (see 2).

For good measure, ask a question which directs the conversation away from your view. Something like “what made you think of that?” would be perfect. It gives the boss an opportunity to wax lyrical about how they arrived at their conclusion.

4. Blame A.P.T.

Should the unthinkable happen on your watch, blame it on an A.P.T., or on a state-sponsored and highly sophisticated attack that has evaded all your detection controls.

Turn it around on your boss and ask him how you’re supposed to keep track of everything with such outdated hardware and software while the enemy has access to unlimited funds. If you’re lucky, you could end up with your own personal SOC being commissioned.

5. Harass an ISP

During a quiet patch people will begin to get suspicious. So to shake things up, send a passive-aggressive email to a random ISP every few weeks threatening them with legal action unless they block the state-sponsored APTers from constantly bombarding your network.

When a complaint is filed with your CEO, simply point to the previous breach and say you suspect the ISP to be compromised. Careful how you balance this because you don’t want to end up looking like a crazed conspiracy theorist.

Tell them you’ll withdraw the legal threat, but will be “keeping a close eye on them.” No-one will ever suspect you’ve got no idea how the IDS logs work.

Cross-posted from J4VV4D

Kevin McAleavey This has all the signs of a highly successful and well-attended course! :)
Tamer Ibrahim very funny , i like it :-)
Don Jackson Third reason... all you ever hear from anyone is how expensive it is for resources...

Fourth reason... nobody knows or wants to know who is responsible for any specific "thing" which makes reporting anything a waste of time because there never is any type of "reporting tree" to follow.

Fifth reason... It doesn't matter, regardless of what resources are in place or not... you're always to blame for that one time something happens.
Marc Quibell This sounds like an article on how to slack and try to pass off as being useful - disappointing. This kind of work ethic gives the real pros a bad name.