ArmyStudyGuide.com Community
25D CYBER NETWORK DEFENDER

CYBER Trail Blazer posted:
 
Posts: 17 | Location: USA | Registered: 25 August 2013

TheWiseChief posted:
quote:
Originally posted by CYBER Trail Blazer:
hmm interesting .....

http://www.airforcetimes.com/s...experience/73453276/


Mark your calendar!!

http://cybercon.federaltimes.com/

What are you using for full packet capture?
 
Posts: 1902 | Registered: 04 February 2012

CYBER Trail Blazer posted:
As a standard practice, I use tcpdump for full packet capture (ex) >>>

#tcpdump -i eth0 -C 100 -w target

w/ -C option to segment the pcaps (100MB),

then later mergecap (ex)

#mergecap -w target_merged.pcap target001.pcap target002.pcap target003.pcap

to remerge the pcaps,

and TShark (ex)

#tshark -Y http.request -T fields -e http.host -r target_merged.pcap | cut -d'.' -f2- | sort -n | uniq -c | sort -nr | more

292 archive.org
247 wikimedia.org
178 irinnews.org
85 kali.org
56 abcnews.com
37 evil.com
4 google-analytics.com
...


and strings & grep (ex)

#strings target_merged.pcap | grep -i --after-context=1 Host | sort -n | uniq -c | sort -nr > ./output_file.txt

or

#strings target_merged.pcap | grep -i ".exe" | sort -n | uniq -c | sort -nr

3 tftp -i 192.168.28.2 GET VMWareConsole.exe
2 tftp -i 192.168.28.2 GET psexec.exe
2 tftp -i 192.168.28.2 GET ituness.exe
...


to parse through the post capture data for relevant info.

Netflow is my current pursuit; using nfdump and various other tools combined with stream editors and regex, I can make short work of parsing logs (all logs) for relevant info ... hope to have a working TTP soon.

 
Posts: 17 | Location: USA | Registered: 25 August 2013
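The post above describes a four-step workflow: segment the capture with tcpdump -C, re-join the segments with mergecap, then tally HTTP Host headers with tshark/cut/sort/uniq. As an added example (not the poster's tooling, and independent of tcpdump, mergecap or tshark being installed), the following Python reimplements the merge and the Host tally over a constructed pcap. Everything it reads is built inline: three small "segments" of Ethernet/IPv4/TCP frames with minimal HTTP GETs plus one non-HTTP frame. The host names, addresses and file names are constructed sample values. One deliberate difference from the post's cut -d'.' -f2-: the leftmost label is dropped only when three or more labels remain, so archive.org is not reduced to org.

```python
"""Added example: segmented-pcap merge plus HTTP Host tally in pure Python.
Constructed sample traffic; not the forum post's own tooling."""
import re
import struct
import tempfile
from collections import Counter
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def build_tcp_frame(payload, dport=80):
    """Ethernet/IPv4/TCP frame around `payload` (constructed; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([192, 168, 28, 10]), bytes([10, 0, 0, 1]))
    eth = bytes.fromhex("0011223344550066778899aa0800")   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def http_get(host):
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def write_pcap(path, records):
    """records: iterable of (ts_sec, ts_usec, frame)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame); byte order is detected from the magic."""
    with open(path, "rb") as f:
        magic = struct.unpack("<I", f.read(4))[0]
        order = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
        if order is None:
            raise ValueError(f"{path}: not a libpcap file")
        f.read(20)                                   # rest of the 24-byte global header
        while (rec := f.read(16)) and len(rec) == 16:
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)


def merge_pcaps(inputs, output):
    """mergecap equivalent: one global header, all records in chronological order."""
    records = [r for p in inputs for r in read_pcap(p)]
    records.sort(key=lambda r: (r[0], r[1]))
    write_pcap(output, records)
    return len(records)


HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)
METHOD_RE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def http_request_host(frame):
    """Host header of an HTTP/1.x request in an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                  # not IPv4-over-Ethernet carrying TCP
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    if not METHOD_RE.match(payload):
        return None
    m = HOST_RE.search(payload)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def registrable_name(host):
    """Like the post's `cut -d'.' -f2-`, but the leftmost label is dropped only
    when three or more labels are present (plain cut turns archive.org into org)."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


def host_tally(pcap_path):
    """The post's tshark | cut | sort | uniq -c | sort -nr pipeline in one pass."""
    counts = Counter()
    for _sec, _usec, frame in read_pcap(pcap_path):
        host = http_request_host(frame)
        if host:
            counts[registrable_name(host)] += 1
    return counts.most_common()


def demo():
    """Three constructed capture segments (as tcpdump -C would leave them), merged and tallied."""
    segments = [
        [http_get("www.archive.org"), http_get("archive.org")],
        [http_get("upload.wikimedia.org"), b"\x16\x03\x01\x00\x05hello"],   # TLS-looking bytes: skipped
        [http_get("www.archive.org"), http_get("cdn.evil.com")],
    ]
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i, payloads in enumerate(segments):
            frames = [build_tcp_frame(pl, 443 if pl.startswith(b"\x16") else 80) for pl in payloads]
            p = Path(tmp) / f"target{i:03d}.pcap"
            write_pcap(p, [(1_000_000 + 10 * i + j, 0, fr) for j, fr in enumerate(frames)])
            paths.append(p)
        merged = Path(tmp) / "target_merged.pcap"
        n_records = merge_pcaps(paths, merged)
        return n_records, host_tally(merged)


if __name__ == "__main__":
    print(demo())   # (6, [('archive.org', 3), ('wikimedia.org', 1), ('evil.com', 1)])
```

Note that the parser only sees requests whose method line starts at the beginning of a TCP payload; requests split across segments or pipelined after another request in the same segment would need TCP stream reassembly, which is what tshark's http dissector does for you and this toy deliberately does not.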

TheWiseChief posted:
Yes, I am tracking all that. I can do that in wireshark and use split pcap as well.

The issue is disk space and wire speed, since I have over 25000 devices in my AO.

There is MOLOCH at http://molo.ch/

But I am looking at seeing if we can get funding for ENDACE devices such as their NetFlow Generator Appliances or other devices that can hold up to 64TB of space.

http://www.google.co.kr/url?sa...-u6whbJZckEgqlOAuEDg
 
Posts: 1902 | Registered: 04 February 2012

CYBER Trail Blazer posted:
Have you used the ELK (Elasticsearch, Logstash, & Kibana) stack?

It's open source and free, and it also scales huge, but the best part about the ELK stack is that it can do all of the things Splunk, ENDACE, and ArcSight can do, without normalizing the log data (leaving it parse-able & grep-able).

The issue we keep running into, when dealing with ArcSight, for example, is that once the collector normalizes the data, the raw format is discarded by the collector, and not forwarded to a repository, but with the ELK stack, you keep the raw log format, even though the GUI (Kibana) normalizes the data for easy parsing. I also like that it can be applied to any existing storage array, saving $$$

Also from a forensics standpoint, raw log data is easily more admissible as evidence than any data which has been modified from its original state.

Phil Hagen (Advanced Network Forensics / FOR-572) swears by this tool, and uses it at his home too.

Product Briefs:
https://digital-forensics.sans...stophe_Vandeplas.pdf

https://resources.sei.cmu.edu/...5_017_001_431205.pdf

http://linuxfestnorthwest.org/...he%20ELK%20Stack.pdf

product link:
https://www.elastic.co/webinar...troduction-elk-stack

SANS prebuilt Logstash VM:
http://sourceforge.net/projects/sansfor572logstash/

here is the book that makes short work of setting up ELK stack:
http://www.logstashbook.com/

I'm building this at home in my spare time, and once I'm done and get it going, I will develop a simple TTP for setup and operation . . . work in progress

 
Posts: 17 | Location: USA | Registered: 25 August 2013
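The point made above about ELK versus ArcSight is that the raw event should survive normalization, both so it stays grep-able and so the evidentiary copy is the unmodified original. As an added example (not the poster's setup and not a Logstash configuration), the following Python sketches that design in code: each constructed syslog line is parsed into searchable fields, but the untouched line is stored alongside them as `message` together with a SHA-256 digest that lets an analyst later prove the stored raw event was not altered. Lines that do not parse are tagged with `_grokparsefailure`, the tag Logstash's grok filter uses, and are still stored raw. The field names and the sample lines (RFC 5737 test addresses) are constructed for this example.

```python
"""Added example: ELK-style normalization that keeps the raw event next to parsed fields.
Constructed sample lines and hypothetical field names; not a Logstash config."""
import hashlib
import json
import re

# A syslog-style line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")
SSH_OK_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")


def normalize(line):
    """Return an indexable document: parsed fields plus the verbatim raw line and its digest."""
    doc = {
        "message": line,                                   # raw event, never rewritten
        "message_sha256": hashlib.sha256(line.encode("utf-8")).hexdigest(),
    }
    m = SYSLOG_RE.match(line)
    if not m:
        doc["tags"] = ["_grokparsefailure"]                # unparsed, but the raw copy is still kept
        return doc
    doc.update({k: v for k, v in m.groupdict().items() if v is not None})
    if m["program"] == "sshd":
        for outcome, rx in (("failure", SSH_FAIL_RE), ("success", SSH_OK_RE)):
            s = rx.search(m["msg"])
            if s:
                doc.update(s.groupdict())
                doc["src_port"] = int(doc["src_port"])     # typed field for range queries
                doc["event_outcome"] = outcome
                break
    return doc


def verify_raw(doc):
    """Recompute the digest over the stored raw line; False means the evidence copy was altered."""
    return hashlib.sha256(doc["message"].encode("utf-8")).hexdigest() == doc["message_sha256"]


SAMPLE_LOGS = [  # constructed sample input
    "Mar 14 10:21:03 fw01 sshd[2231]: Failed password for invalid user admin from 192.0.2.45 port 51822 ssh2",
    "Mar 14 10:21:05 fw01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2",
    "this line is not syslog and will not parse",
]


def index_batch(lines):
    """Normalize a batch of raw lines into documents ready for indexing."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for d in index_batch(SAMPLE_LOGS):
        print(json.dumps(d, indent=1))
```

The design choice worth noticing is that parsing only ever adds fields; nothing reads back from the parsed fields to reconstruct the event, so a grok pattern that drifts out of date degrades search, not the evidence.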

TheWiseChief posted:
Yes, we utilize Kibana and again, it pulls from the same data.

I reached out to the JRSS POCs and I am going to see what they tell me.

Thanks for all the links. I deal with CMU frequently and heading to their conference next month.
 
Posts: 1902 | Registered: 04 February 2012

CYBER Trail Blazer posted:
Yes, the rumors are true .. we are 17Cs now

There is also a rumor that the CYBER Protection Brigade is standing up another Battalion (more CYBER types needed).

We have seen an influx of 35Q(supposed to be 17Cs .. dunno) PVTs, and a few 25Ds.

CPB finally got their own Patch and Insignia

So, I read another book this weekend. Chris Sanders wrote a book that embodies Security Onion, and the many programs, modules, and scripts that can be applied, all the while linking one application or step to the next step! It is rare to find such a gem, so do not miss this one:

' Applied Network Security Monitoring '

I will be pursuing a most challenging feat soon; the offsec OSCP .. it's a long journey for one of the most coveted rites of passage for a cyber security practitioner: The hands-on, 64 days, no BS, pentest quest.

wish me luck

If you just happen to be following my advice about the books, here's another catch, recently published:

' Linux Forensics '

Here's a listing of 28 sites/apps you can legally hack into .... seriously:

H@PPY H@CKING :-)

.. so you wanna be @ Cowboy, huh? .. here's a ' Red Ryder BB Gun ' for ya .. careful, you'll shoot your eye out

aHR0cHM6Ly9naXRodWIuY29tL2VuYXF4L2F3ZXNvbWUtcGVudGVzdA== IF you can 'decode' it
hint: the tool needed is in this POST

⌚ 2 J@M da TRAP n' BASE >>>>
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1ubkF5MTkwNkVIZw==
 
Posts: 17 | Location: USA | Registered: 25 August 2013

CYBER Trail Blazer posted:
I hope everyone was able to learn something, and those that did take the plunge into Cyber, Good Luck as you go forward. I am retiring very soon, and moving onto life as a civilian .. again.

Nearly 3 yrs ago, when this was all started, the CSM of 7th Sig CMD (CMU Provisional) told me to 'beat that recruiting drum'. I think I have lived up to his expectations, based on the feedback from all of you, my fellow cyber warriors.

I will definitely miss the chase, but like a great man once said, "you cannot stop the winds of change, but ride them into tomorrow, for as sure as the sun does fall at the eve of day, it will rise again!"

If you wanna get a hold of me for something cyber related, or just wanna shoot the breeze, you can email me; I'm in the global.

Cheers Army Cyber!
SSG Poulin, D. USA
Cyber Protection Brigade
17C (former 25D,25B,25Q/31R)

P.S. To the remaining few, the 25Ds that helped start all of this, keep banging that drum! The fight is far from over ...


Information Dominance!
 
Posts: 17 | Location: USA | Registered: 25 August 2013