Author: Richard Bejtlich



Happy birthday TaoSecurity Blog, born on this day in 2003!

The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series, published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of that PDF-based fixed format nonsense.

Each book is a theme-centric collection of posts with new commentary for each entry. Some of what I wrote stood the test of time, and some did not. See what you think. Or, just scroll backwards through this site.

Thank you to Blogspot and Google for hosting this blog for the last 22 years! This is post number 3,086 by the way.



Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized
Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product.

When you enable this feature, you get alerts like this one, posted by a Redditor:



This is everything you get from Ubiquiti.
 
The Redditor is concerned that their system may be trying to compromise someone on the Internet.

This is my answer to how to handle these alerts.
 
==

This is another example of this sort of alert being almost worthless for most users.

The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point.

Here is one way to get SOME idea of what is happening.

Go to

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/

Download the file that is named as the first part of the alert. Here that is EXPLOIT.

https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules

Find the rule that fired. This can take some digging. Here is what I ended up doing.

grep -i possible emerging-exploit.rules | grep -i log4j | grep -i obfuscation | grep -i udp | grep -i outbound

Here it is.

alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2023_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

You can ignore 90% of this. The key is here:

content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100

and here:

udp $HOME_NET any -> any any

Now, you have to guess how likely it might be there you could have ANY UDP traffic from your home network to anywhere, on any ports, that contain this string

24 7b

followed by this string

24 7b 3a 3a

within the next 100 bytes?

I'm guessing there's a decent chance that could happen in random, normal traffic.

Therefore, without any other evidence, I think you can ignore this alert.

If you want to have a better chance at understanding this in the future, please feel free to check out anything I've written about network security monitoring. Good luck!
 
==

This problem is why I have promoted network security monitoring since 1998 and subtitled my first book "Beyond Intrusion Detection." Network intrusion detection, by itself, with no supporting data and without even rule explanations, is almost worthless.

Thankfully in this case the vendor is at least using an open rule set, enabling this feeble exploration.
Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection.

This post from 2017 explains the differences between my first four books and why I wrote Tao

Today, I'm always thrilled when I hear that someone found my books useful. 

I am done writing books on security, but I believe the core tactics and strategies in all my books are still relevant. I'm not sure that's a good thing, though. I would have liked to not need the tactics and strategies in my book anymore. "The Cloud," along with so many other developments and approaches, was supposed to have saved us by now.

Consider this statement from a report describing CISA’s red team against a fed agency: 

“[A]ttempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.”

This is why you should not rely on EDR, either, for your only understanding of adversary activity. The adversary can shut down or alter your endpoint security tooling. For network security monitoring, you also shouldn’t collect on endpoints. Collect using network taps, or in a pinch, span ports.

There is nothing in this intrusion that would have been a surprise in 2004.

Here is the post I published in 2004 when the first copy showed up on my doorstep

 


There's nothing like getting a real copy in your hands, and I cherish that experience!

I will probably revisit this event in 5 years. See you then!

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

When I was a sophomore in high school, from 1987 to 1988, my friend Paul and I had Commodore C64 computers. There was a new graphical user interface called GEOS that had transformed the way we interacted with our computers. We used the C64 to play games but also write papers for school.

One day Paul called me. He was clearly troubled. He had somehow dragged his newly completed term paper into the trash bin instead of the printer. If I recall correctly, back then they were right next to each other (although the screen shot above shows them separate). 

Paul asked if I knew any tricks that could retrieve his paper. There was no undelete function in GEOS.

I subscribed to a magazine called Compute's Gazette, for Commodore owners. I remembered seeing an article in the magazine that included code for undeleting files dropped in the GEOS "Waste Basket." All I had to do was type it in by hand, save it to a 5 1/4 inch floppy, drive to Paul's house, and see if the program would recover his paper. Thankfully it all worked out, and we did recover his work!

Almost 37 years later, I found that issue of Compute's Gazette in the fabulous Internet Archive. It's in issue 54, dated December 1987.


I had to find it by manually looking at covers. The index doesn't list it by name.


Here is the article explaining the reason for the program.


It's interesting to think that the C64 handled deleted files the same way later operating systems did, enabling digital drive forensics.

Here's the entire program, in BASIC:


The magazine offered tips on entering programs manually.


There's even a "proofreader" to check syntax. Of course, you have to enter that in yourself too!


These days you can download the program from the Internet.

I was really pleased to find this program after so many years. It appears the magazine published an update version in a later issue, but I'm pretty sure I did not use that one. 

Incidentally, I sold my entire Commodore collection on eBay several years ago, so these are only memories.

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

 


In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email.

From "Capt Richard Bejtlich - Real Time Chief" Mon Sep  6 18:27:35 1999
X-Mozilla-Keys:                                                                                 
Received: from kinda.csap.af.mil (kinda.csap.af.mil [192.203.2.250])
          by mw4.texas.net (2.4/2.4) with SMTP
  id RAA22116 for <bejtlich@texas.net>; Mon, 6 Sep 1999 17:27:38 -0500 (CDT)
Received: by kinda.csap.af.mil (Smail3.1.29.1 #7)
id m11O7Ee-000NcwC; Mon, 6 Sep 99 17:27 CDT
Received: from walt.ip.af.mil(192.168.1.142) by kinda via smap (V1.3)
id sma014865; Mon Sep  6 17:27:36 1999
Received: from kinda.csap.af.mil by walt.ip.af.mil with smtp
(Smail3.1.29.1 #6) id m11O7Ed-000VruC; Mon, 6 Sep 99 22:27 GMT
Sender: bejtlich
Message-ID: <37D43FD7.52CC675A@kinda.csap.af.mil>
Date: Mon, 06 Sep 1999 22:27:35 +0000
From: Capt Richard Bejtlich - Real Time Chief 
 <richard.bejtlich@kinda.csap.af.mil>
Organization: AFCERT
X-Mailer: Mozilla 4.6 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: bejtlich@texas.net
Subject: [Fwd: Re: TCP/IP Illustrated Vol I 2nd ed?]
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
X-UIDL: 7b89a44b661b28334c3553b3b92998bd

-------- Original Message --------
From: rstevens@kohala.com (W. Richard Stevens)
Subject: Re: TCP/IP Illustrated Vol I 2nd ed?
To: Capt Richard Bejtlich - Real Time Chief
<richard.bejtlich@kinda.csap.af.mil>

[In your message of Aug 18,  2:37pm you write:]
> Your books are excellent and everyone in my office relies upon them!  

Many thanks.
 
> Do you plan on writing a second edition of TCP/IP Illustrated Vol 1 (The
> Protocols)?  I see you have written second editions of UNIX Network
> Programming, and I'm wondering if the TCP/IP books are next.

Actually, I am first working on a revision of my APUE book, then it
will be time for TCP Vol. 1.  I am hesitant to start on TCP Vol. 1
too soon, given the "uncertain" status of IPv6 at the present.  I keep
hoping things will settle down with IPv6 and vendors will start shipping
real implementations.

Rich Stevens

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC.
Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized

 


I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third party repository."

This is how I was thinking about Zeek data in the second half of 2018.

1. What networking technologies are in use, over user-specified intervals?
   1. Enumerate non-IP protocols (IPv6, unusual Ethertypes)
   2. Enumerate IPv4 and IPv6 protocols (TCP, UDP, ICMP, etc.)
   3. What is the local IP network topology/addressing scheme?

2. What systems are providing core services to the network, over user-specified intervals?
   1. DHCP
   2. DNS
   3. NTP
   4. Domain Controller
   5. File sharing
   6. Default gateway (via DHCP inspection, other?)
   7. Web and cloud services

3. What tunnel mechanisms are in use, over user-specified intervals?
   1. IPSec or other VPNs
   2. SOCKS proxy
   3. Web proxy (port 3128)
   4. Other proxy

4. What access services are in use, over user-specified intervals?
   1. SSH
   2. Telnet
   3. RDP
   4. VNC
   5. SMB
   6. Other

5. What file transfer services are in use, over user-specified intervals?
   1. SCP or other SSH-enabled file transfers
   2. FTP
   3. SMB
   4. NFS

6. Encryption measurement, over user-specified intervals
   1. What encryption methods are in use?
   2. What percentage of network traffic over a user-specified interval is encrypted, and by which method?

7. Bandwidth measurement, over user-specified intervals
   1. Aggregate
   2. By IP address
   3. By service

8. Conversation tracking, over user-specified intervals
   1. Top N connection pairs
   2. Bottom N connection pairs

9. Detection counts, over user-specified intervals
   1. Provide a counter of messages from Zeek weird.log
   2. Provide a counter of messages from other Zeek detection logs

10. For each IP address (or possibly IP-MAC address pairing), over user-specified intervals, build a profile with the following:
   1. First seen, last seen
   2. Observed names via DNS, SMB, other
   3. Core services accessed and provided
   4. Tunnel mechanisms used and provided
   5. Access services used and provided
   6. File transfer services used and provided
   7. Encryption methods
   8. Bandwidth measurements
   9. Top N and bottom N conversation tracking
   10. Detection counts
Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms:

“The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.”

Other wicked problems include climate change, smuggling, and nuclear weaponry. 

There is no “perfect new normal” because there is no “solution” for cybersecurity. 

To quote Marcus Ranum from the September 2007 issue of Information Security Magazine: “Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.” 

A report by the Australian government titled Tackling Wicked Problems: A Public Policy Perspective suggests that there are three strategies for mitigating wicked problems: authoritative, competitive, and collaborative. Similarly, cybersecurity will likely require some combination of all three.

In summary, my modest new normal is this: anyone commenting on cybersecurity will recognize that it is a wicked problem that cannot be “solved,” but it may be mitigated, over decades, using expertise and approaches from multiple disciplines, least among them technical acumen.

If pressed to provide a technical element of the new normal, I offer “building visibility in” as one tenet. Asset owners need to understand how their digital resources are used and abused, and anyone providing computing resources should include the logging and access needed to do so.

* I found this note dated 1 June 2020 on my hard drive and decided to publish it today.

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized

I want to make a note of the numbers of words and pages in my core security writings.

  • The Tao of Network Security Monitoring / 236k words / 833 pages
  • Extrusion Detection / 113k words / 417 pages
  • The Practice of Network Security Monitoring / 97k words / 380 pages
  • The Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pages
  • The Best of TaoSecurity Blog, Vol 2 / 96k words / 429 pages
  • The Best of TaoSecurity Blog, Vol 3 / 89k words / 485 pages
  • The Best of TaoSecurity Blog, Vol 4 / 96k words / 429 pages

The total is 811k words and 3,330 pages.

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized


Happy 20th birthday TaoSecurity Blog, born on 8 January 2003

Thank you Blogger

Blogger (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's Schneier on Security is the main one that comes to mind. If not for the wonderful Internet Archive, many blogs from the early days would be lost.

Statistics

In my 15 year post I included some statistics, so here are a few, current as of the evening of 7 January:

I think it's cool to see almost 29 million "all time" views, but that's not the whole story.

Here are the so-called "all time" statistics:


It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years. 

I don't know what happened on 20 April 2022, when I had almost 1.5 million views?

Top Ten Posts Since January 2011

Here are the top ten all time posts:

I'm really pleased to see posts like Security and the One Percent: A Thought Exercise in Estimation and Consequences and Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem in this list. We've had some discussion on these topics since I posted them in the fall of 2020, but not enough. The 99% continue to suffer at the hands of adversaries and those in the security 1% who ignore them.

The Monetization Experiment

I ran an advertising experiment from April 2021 through December 2022. I "earned" $116.96 by February 2022 and $104.39 by December 2022. I don't have view numbers for that whole period, but for calendar year 2022 I attracted a little over 7.5 million views. You can see that I earned about 1.4 x 10^-5 dollars per view. I disabled ads at the end of December.

From Twitter to Mastodon

One big change I can discern since my 15 year post is that I have now abandoned Twitter and migrated to Mastodon. You can find me at infosec.exchange/@taosecurity. My current Twitter follower count is about 59.7k, down from just over 60k. My current Mastodon follower count is 1.9k. I don't really care about followers, but I figured I would capture these numbers to see if there is any change in the next five years.

The Latest Books

I spent the early years of the pandemic collecting my 3,000 or so favorite blog posts into a four volume set called The Best of TaoSecurity Blog. I'm really pleased with these books, available via Amazon in print or digital format. They include original posts, but each receives commentary with modern thoughts on the original content. The fourth volume includes material not found in the blog, such as unpublished writings from my abandoned War Studies PhD program or Congressional testimonies.

It looks like Amazon is randomly running a promotion on volume 2 of The Best of TaoSecurity Blog while I am writing this post. The print edition is regularly $19.95, but it's currently priced at $7.89. I don't know how long it will last, but if you're interested please check it out. 

I also co-wrote and published a book on stretching with a subject matter expert -- Reach Your Goal: Stretching & Mobility Exercises for Fitness, Personal Training, & Martial Arts


Thanks to ARB for taking the excellent photos!

Enter Corelight

I have been working at Corelight since August 2018. Our Corelight network security monitoring platform is really amazing and I suggest everyone check it out. We continue to have big plans for the future. 

Zeek Communicator

Since 2018 I have assumed the communications role for the Zeek network security monitoring project. Besides posting announcements to Mastodon and LinkedIn, I also share interaction and admin duties for our SlackDiscourse, and YouTube sites. I'm working with the leadership team on strategies for growing community size and involvement in 2023 and beyond.

Hobbies

During the last five years, I earned a black belt equivalent in Krav Maga Global (the system uses patches, not belts) and a blue belt in Brazilian Jiu-Jitsu (helping me to survive grappling with Jeremiah Grossman at the 2019 BJJ Smackdown during Black Hat). I've retired from practicing martial arts, for now at least. However, my Martial History Team project continues, with plans through June 2025.


I read a ton of books every month, but almost none have to do with technical security topics. My interests include US Civil War history, general military and nation state strategy, unidentified aerial phenomena, airpower, science, intelligence, and other topics. I have a strict monthly schedule and thus far have been able to stick to it for the last 16 months. I don't write reviews anymore, but I do write surveys for the martial arts books -- 36 so far.

Finally, in 2022 I returned to one of my childhood hobbies, first begin in the fall of 1982 -- tabletop roleplaying games. I've been informally studying science fiction RPGs since the beginning of last year, potentially to begin another PhD program. I think it would be interesting to research a history PhD involving science fiction RPGs. I don't say much publicly about this, although I do have a Mastodon account for Science Fiction TTRPGs. I've also been playing in an online Star Frontiers campaign with a group scattered throughout the US. 

SF was the first RPG I ever played, so it was cool to return to playing on its 40th birthday in August 2022.

Conclusion

As you might discern, I'm expressing myself in many different venues. As a result, I don't feel the need or desire to post here, at least not that often. In 2003, most of the platforms mentioned in this post didn't exist. Blogs were the hot new communication medium. Prior to that, security people published "white papers" in text form to sites like Packet Storm! (Check out two of my entries here. Those are the PDF versions.)

As far as security goes, I mostly care about the operational/campaign and higher levels of conflict, e.g.:


In my opinion, the tactics used by intruders and defenders, and even most of the tools, have not really changed in the last 10 years, and definitely not since 2018. The operations/campaigns and strategies used by both sides haven't really changed either. 

There are a few exceptions, like the massive SolarWinds supply chain compromise Mandiant discovered and published in December 2020. Ransomware has definitely ramped up to gross levels since 2018. However, there haven't been any game-changers as far as how offense and defense interact. 

Sure, way more processing is done in the cloud, and just about everything is running a vulnerable computer. However, no one on the offensive or defensive sides has significantly innovated to alter the way the two parties interact. Until that changes, security for me is largely a less interesting, but still unsolved, wicked problem. 

Thank you to everyone who has been part of this blog's journey since 2003!

Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Uncategorized