USENIX / TechEd 2006 Trip Report
http://craigchamberlain.dreamhosters.com

Saw Richard Bejtlich's talk at USENIX and Mark Russinovich's at TechEd. Russinovich gives the most complete assessment of the malware problem and the best technical discussion of the arms race taking place in the Windows rootkit space. Bejtlich discussed security operations and incident response and made the case for replacing simple IDS alert-based detection with more capable network security monitoring. Papers, slides, etc. are available at

http://craigchamberlain.dreamhosters.com/usenix-teched2006/

Some memorable Bejtlich quotes:

"Prevention eventually fails; Enterprise is too complex, staffed by overworked, under-resourced administrators meeting 'business requirements;' every enterprise will eventually be compromised."

"Investigations with alert-centric systems quickly end, often without resolving the incident. Analysts stuck with only alert data to inspect cannot make validation and escalation decisions. MSSPs call customers to ask if they have been compromised. Security personnel ignore alerts because they have no other data."

Bejtlich summarizes his network security monitoring methodology like this:

NSM relies upon four forms of traffic-centric data:
– Statistical data (Capinfos, Tcpdstat, Trafshow)
• Descriptive, high-level view of aggregated events
– Session data (Argus, SANCP, NetFlow)
• Summaries of conversations between systems
• Content-neutral, compact; encryption no problem
– Full content data (Tcpdump, Tethereal, Snort as packet logger)
• All packet details, including application layer
• Expensive to save, but always most granular analysis
– Alert data (Snort, Bro, other IDSs)
• Traditional IDS alerts or judgments (“RPC call!”)
• Context-sensitive, either by signature or anomaly
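Added example, not from the report or from any of the tools named above: a Python sketch that reduces constructed full-content packet records into session data and then into statistical data, the way the NSM layers above stack up. It shows why session summaries stay useful against encrypted traffic (they never look at payload). The record format, addresses and byte counts are assumptions.

```python
from collections import defaultdict

# Constructed full-content records (an assumption about the capture format):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes). Payload is
# deliberately absent: session and statistical data never need it.
PACKETS = [
    (1.0, "10.0.0.5", 40001, "192.0.2.10", 443, "tcp", 120),   # TLS client hello
    (1.1, "192.0.2.10", 443, "10.0.0.5", 40001, "tcp", 1400),  # encrypted reply
    (1.2, "10.0.0.5", 40001, "192.0.2.10", 443, "tcp", 80),
    (2.0, "10.0.0.7", 53001, "10.0.0.1", 53, "udp", 60),       # DNS query
    (2.1, "10.0.0.1", 53, "10.0.0.7", 53001, "udp", 140),      # DNS answer
    (3.0, "10.0.0.5", 40002, "192.0.2.10", 443, "tcp", 100),
]

def flow_key(src, sport, dst, dport, proto):
    """Canonical key so both directions of one conversation collapse together."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def session_data(packets):
    """Session data: one compact summary per conversation, independent of content."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = flow_key(src, sport, dst, dport, proto)
        # The first packet seen defines the initiator and the service port.
        s = sessions.setdefault(key, {"initiator": src, "responder": dst,
                                      "service": (proto, dport), "start": ts,
                                      "end": ts, "packets": 0, "bytes": 0})
        s["end"] = max(s["end"], ts)
        s["packets"] += 1
        s["bytes"] += size
    return sessions

def statistical_data(sessions):
    """Statistical data: aggregate sessions into bytes per service and per initiator."""
    by_service, by_host = defaultdict(int), defaultdict(int)
    for s in sessions.values():
        by_service[s["service"]] += s["bytes"]
        by_host[s["initiator"]] += s["bytes"]
    return dict(by_service), dict(by_host)

if __name__ == "__main__":
    sessions = session_data(PACKETS)
    for s in sessions.values():
        print(f"{s['initiator']} -> {s['responder']} {s['service']}: "
              f"{s['packets']} pkts, {s['bytes']} bytes, {s['end'] - s['start']:.1f}s")
    print(statistical_data(sessions))
```

Alert data is the one layer this does not produce: it needs a signature or anomaly judgment on top, and an analyst with only that layer has nothing like the above to validate it against.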

See also the Best Paper from USENIX Security 2005. I met one of the authors prior to publication at DHS Science & Technology 2005, where he described his methods for mapping the sensors belonging to large-scale traffic analysis systems like the SANS Internet Storm Center. The point is that once the sensor locations are known, such early-warning systems can be evaded simply by avoiding the instrumented networks:

Mapping Internet Sensors With Probe Response Attacks
John Bethencourt, Jason Franklin, Mary Vernon

USENIX / TechEd Papers & Presentations
http://craigchamberlain.dreamhosters.com/usenix-teched2006/

Network Security Monitoring
Richard Bejtlich

Fighting Malware with Advanced Detection and Removal
Mark Russinovich
Chief Software Architect
Winternals Software

Security Without Firewalls: A tutorial
Abe Singer

Ethereal & the Art of Debugging Networks
Gerald (Jerry) Carter, SAMBA Team, Centeris

Stealth Probing: Efficient Data-Plane Security for IP Routing
Ioannis Avramopoulos and Jennifer Rexford

Reclaiming Network-wide Visibility Using Ubiquitous Endsystem Monitors
Evan Cooke
University of Michigan
Richard Mortier, Austin Donnelly, Paul Barham, Rebecca Isaacs
Microsoft Research, Cambridge

Cutting through the Confusion:
A Measurement Study of Homograph Attacks
Tobias Holgers, David E. Watson, and Steven D. Gribble

Bump in the Ether:
A Framework for Securing Sensitive User Input
Jonathan M. McCune, Adrian Perrig, Michael K. Reiter

Securing Web Service by Automatic Robot Detection
KyoungSoo Park, Vivek S. Pai
Princeton University
Kang-Won Lee, Seraphin Calo
IBM T.J. Watson Research Center

Structured and unstructured overlays under the microscope
A measurement-based view of two P2P systems that people use
Yi Qiao and Fabián E. Bustamante

LADS: Large-scale Automated DDoS detection System
Vyas Sekar
Carnegie Mellon University
Nick Duffield
AT&T Labs-Research
Oliver Spatscheck
AT&T Labs-Research

Privacy Analysis for Data Sharing in *nix Systems
Aameek Singh, Ling Liu, Mustaque Ahamad

Reval: A Tool for Real-time Evaluation of DDoS Mitigation Strategies
Rangarajan Vasudevan, Z. Morley Mao
University of Michigan
Oliver Spatscheck, Jacobus van der Merwe
AT&T Labs-Research