Thursday, January 24, 2013

DumpEventLog is a great tool to parse Windows event logs

We have an instant messaging server in the office which helps with communication with those employees that telecommute.  The server is running OpenFire (I think) and the clients are using Pidgin to connect and instant message.  I'm not much of an administrator, so I can not comment on how good the tools actually are.  But, as a user, I find great value in being able to reach out to anyone and have a quick conversation without having to wait for email or the like.

That said, our Pidgin server has been going down with some regularity; roughly once a month, but sometimes a bit more.  And when it goes down, it takes forever to come back up.  The usefulness as a tool has been diminishing. 

As an incident response guy, one of the first things I wanted to see was the logs.  But, I did not know a way that I would be able to read the logs short of logging in to the server...and I did not have credentials (I'm not an admin.)  I looked for, and found, this script, DumpEventLogs.vbs.  The script was suitable for me to give to an admin to run and provide the results back to me.  And, there were a couple of canned scripts to look at some of the low hanging fruit (failed logons, user accounts created, abnormal shutdowns, etc.)  The data returned to me was easy enough to read, and in a format that I could look at whatever criteria I wanted.  Ultimately, I filtered the data on date, and was able to pin down that the machine was hanging upon reboots after applying patches.  Rather benign.  But, having this tool helped solve the problem.  As for the server issue...that hasn't been fixed, but at least we know when to expect it to go down again next.
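The same first-pass triage described in the post (failed logons, accounts created, abnormal shutdowns, all narrowed to a date window and handed back as something a responder can sort offline) can be done with PowerShell's built-in Get-WinEvent. The script below is an added example and is not the DumpEventLogs.vbs script from the post. The event IDs are the standard Windows Security and System log IDs for those items (4625 failed logon, 4720 user account created, 6008 and 41 unexpected shutdown, 1074 shutdown requested), plus 1102 (Security log cleared), which I added as a common extra; the 30-day window and the output folder are assumptions. Like the author's script, it has to be run by someone with administrative rights, because reading the Security log requires them.

```powershell
# Added example, not the DumpEventLogs.vbs script from the post: a defender's
# first-pass triage of a Windows host's event logs, limited to a date window,
# written out as one CSV per category so it can be filtered offline.
param(
    [datetime]$Start = (Get-Date).AddDays(-30),   # assumed window: last 30 days
    [datetime]$End   = (Get-Date),
    [string]$OutDir  = "$env:TEMP\evtx-triage"    # assumed output location
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Each entry: a label, the log it lives in, and the event IDs that matter.
# These are the standard Windows event IDs for the items listed in the post;
# 1102 (Security log cleared) is an extra that responders normally check too.
$queries = @(
    @{ Label = 'failed-logons';       LogName = 'Security'; Id = 4625 }
    @{ Label = 'accounts-created';    LogName = 'Security'; Id = 4720 }
    @{ Label = 'unexpected-shutdown'; LogName = 'System';   Id = 6008, 41 }
    @{ Label = 'shutdown-requests';   LogName = 'System';   Id = 1074 }
    @{ Label = 'log-cleared';         LogName = 'Security'; Id = 1102 }
)

foreach ($q in $queries) {
    $filter = @{
        LogName   = $q.LogName
        Id        = $q.Id
        StartTime = $Start
        EndTime   = $End
    }

    # Get-WinEvent raises an error when nothing matches; treat that as zero hits.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    if ($events.Count -gt 0) {
        # Flatten to CSV; collapse multi-line messages so one event is one row.
        $events |
            Select-Object TimeCreated, Id, LogName, MachineName, ProviderName,
                          @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
            Export-Csv -Path (Join-Path $OutDir "$($q.Label).csv") -NoTypeInformation
    }

    "{0,-20} {1,6} event(s) between {2:yyyy-MM-dd} and {3:yyyy-MM-dd}" -f `
        $q.Label, $events.Count, $Start, $End
}
```

The post's root cause (hangs on reboot after patching) is exactly the kind of pattern this surfaces: sort the unexpected-shutdown CSV by TimeCreated and line the timestamps up against the patch installation dates in the same window.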

Tuesday, January 22, 2013

ESXi, Google Chrome, and Exchange 2010 STIGs released

I happened to be browsing DISA's site when I saw that the following STIGs have been released:

  • ESXi 5 (Draft)
  • Google Chrome (both a benchmark and a STIG)
  • Exchange 2010

This is great news regarding ESXi, as many times we run across ESXi in the field.  While the guidance is to use ESX, most entities migrate to ESXi for cost.  And the guidance does not translate to ESXi; it's just a different animal.  So, I'm glad DISA has released ESXi guidance.  Further, adding a benchmark for Google Chrome will make auditing those systems with Chrome installed much easier.

Thursday, January 3, 2013

Incident response and insider threats

I mentioned yesterday that I was sorting out what I wanted to accomplish and where I would like to focus my activities in the coming year.  Heck knows, I am nowhere near ready to make a break and start something new or in a different direction.  However, during some of my free time (walking the pooch or driving to work) I've had a chance to mull over additional areas of this niche in computer security. 

One area that fascinates me to no end is the management of the insider threat to the organization.  And I think, to some degree, I want to move into an area where I have the ability to help mitigate and protect from that threat.  By doing so, I'll get to leverage my passion for incident response and to some extent, digital forensics.  At least, it is something to look forward to.

I noticed a post go through my blog reader today that the CERT Insider Threat team released another great resource.  I've just downloaded it:  The Common Sense Guide to Mitigating Insider Threats, 4th edition.  I haven't read it yet (I think I saw it is 144 pages.)  I'll get on it shortly.  But, if it is like their book, The Cert Guide to Insider Threats, then I'm sure it will be great.

Something else that is somewhat nagging at me is that I know my technical skills are starting to slip.  (Heck, many many years ago, my first coding forays were in COBOL; I don't know how much I could write in that language.)  I know that the DFIR community works a lot in Perl and Python.  I had started to teach myself Python early last year, but without having an active project to work on, I find that I can't keep the skills sharp.  So, I plan to remove the rust, and get myself as technical as practical.

Finally, one of the tools I really want to get better acquainted with is Security Onion, a tool that I think has plenty of value for incident responders, and network defenders in general.  I just saw today in a post that version 12.04 has been released.

Wednesday, January 2, 2013

A new year

Happy New Year!

I wanted to call out the top posts of the year, and maybe throw in some other cool stats.  But I can't figure out how to see my stats for just the calendar year.  I see week, month, and all-time options.  I just want year.  If you know how to get those stats, leave it in the comments.

I'm sure it is going to be a busy year in the IA world.  The DoD is always changing, and we seem to be picking up new clients and ACA offices to work with.  So, I'm sure that there will be new DoD/IA posts in the future.

My passion still lies in the IR/Forensics realm, and I hope to get into that realm full-time in the future.  How that will happen remains to be seen.  And, in the DFIR realm, I'm looking to focus more on one aspect.  The DFIR space has been expanding over the last couple of years; there is so much more to do than there used to be...so I'm looking for something to get more specialized in.  I like timeline analysis, I like log analysis; but there are other areas that, while I'm not the most proficient in them, I'd like to try.  So, as the new year progresses, I'll try to update where I'm going.

May you realize your hopes and dreams in the new year...and that you're not spending all of your time fighting the bad guys.