Or, “How I integrated python-secrets with Splunk’s Attack Range framework, and how you can do the same for your open source project!”

Image for post
Image for post
Photo by Michael Dziedzic on Unsplash

In this article, I want to do three things. (1) point out a couple of what I consider to be pervasive fundamental computer security problems, (2) provide my own proposed solution to them, and (3) show you how you can implement that solution in your own open source project (or as a Pull Request to someone else’s open source project).

I will provide you with a way to simultaneously accomplish all the following goals:

Saying “PCAP, or it didn’t happen!” is all well and good but if you can’t see into the PCAP, how do you know what happened?

Image for post
Image for post
Photo by Nina Ž. on Unsplash

This article is aimed at those wanting to learn how to leverage network traffic capture and analysis tools as part of the digital forensics and incident response (DF/IR) processes. These disciplines involve analyzing the network communications associated with remotely controlled malicious software installed on your organization’s computer systems.

  • Those hoping to become a security operation center (SOC) analyst need to know what is behind the alerts their network monitoring or end-point detection systems produce.
  • Those seeking to advance in their career doing more detailed DF/IR tasks, including creating new signatures for detection and reporting on new capabilities in malware, need an even deeper understanding of what is contained in network traffic captures (commonly in PCAP format files).

Looking for malware in all the right places (with the right tool!)

A screen image captured from a computer infected with NotPetya ransomware, extorting the user for Bitcoins to decrypt files.
A screen image captured from a computer infected with NotPetya ransomware, extorting the user for Bitcoins to decrypt files.
NotPetya screenshot from CTU-Malware-Capture-Botnet-289–1

I’m sure at some point you’ve received a report or alert from some entity — US-CERT, DHS, someone on Twitter retweeting a security researcher or an anti-virus company, maybe even your bank or credit union? — about a specific threat actor and the malware they may wield against your organization’s network. You know, like the malware in the screenshot above.

What do you do if you want to learn how that malware works so you can prepare to respond?

If I were to give you a free software tool to help you search through hundreds of network packet captures to find information about that specific piece of malware, would that help? …

Advancing ethical thinking regarding responses to cyber crime

Image for post
Image for post
Photo by Nathan Dumlao on Unsplash

It is common for professional societies and membership organizations to have a Code of Ethics intended to guide their members. Professionals working in the field of information security (INFOSEC) are often members of one or more of these entities, as are academic cyber security researchers and students desiring to enter the INFOSEC field.

In this article I will focus on three such entities: The IEEE and the Association for Computing Machinery (ACM), which are general professional societies with broad membership across many disciplines, and the Forum of Incident Response and Security Teams (FIRST), who “cooperatively handle computer security incidents and promote incident prevention programs”. …

Respect, beneficence, and justice must be universal or else they are meaningless.

Image for post
Image for post
Photo by Louis Reed on Unsplash

I was listening to the news on August 29, 2019, when I heard the story of Maria Isabel Bueso and the demand letter she received ordering her to leave the United States by the middle of September or be deported.

I heard her doctor struggling to find a way to resolve this situation and save Isabel from what he called a “death sentence.”

When I learned of Isabel’s participation in a high-priority medical research study, I knew I had something to contribute based on my own experience. I hope that what I have to say here helps people understand how addressing the immigration status of these particular patients can be done legally, ethically, and with the greater public understanding that it is in the interest of the public good. …

How I became the first person to describe the advent of a new class of computer network attack tools.

The University of Minnesota was kept off-line for three days, and I was kept busy for weeks.

20 years ago today — August 17, 1999 — started as a normal day. But that wouldn’t last very long. Little did I know the University of Washington was about to be inundated with a flood of known compromised computers that had to be remediated as quickly as possible.

Image for post
Image for post
Photo by Kelly Sikkema on Unsplash

It turned out I was more prepared for this flood than I knew at the time. That preparation would prove quite valuable to me, as you will see. If you are a digital forensic and incident response (DFIR) professional, I think you might learn something from my story.

Good morning?

I have a little red drip coffee filter that I typically used to make some dark French Roast coffee to start my day. I began checking my email as I was drinking my coffee and began reading an incident report that had been forwarded to me, the Unix guy. (And the “security guy,” but that wasn’t in my job description. …

How I became the first person to describe the advent of a new class of computer network attack tools.

Something is happening, but what?

20 years ago today — August 5, 1999 — I rode my mountain bike across the University of Washington campus to work like every other workday. Early mornings in the summer in Seattle can be pretty nice. Sunny, a little cool with dew on the grass.

Before there were signs requiring that bike riders walk their bikes, I could cruise across campus, bunny-hopping the small 2–3 foot flights of stairs in the Quad, entering Red Square heading south, and — at just the right speed — take the two flights of ten steps each on the south-west corner Suzzallo Library in just over a second. My bike lock strapped on the handle-bars was the “only” sound: TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!!…TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-TAT!-BAP!! …

Eradicating an Intruder from a Network

Image for post
Image for post
Photo by Jakob Owens on Unsplash

“Hacking back” doesn’t always mean going outside your own network. In fact, it is best done quietly, inside your own network where you have home field advantage, and both slowly and deliberately so as to deliver a definitive enough blow to someone’s activities that they leave your network and don’t come back. This is a story of how I did it, and how you can, too.

This story (excerpted from a book in progress) centers on a hacker who I will refer to by the nick “G0by” (spelled with a Zero, and not his real nick.) G0by was part of a criminal hacker gang actively compromising systems around the globe for the purpose of installing back doors, sniffers, Internet Relay Chat (IRC) proxies and bots, which were sold and traded in the computer underground. While fictionalized, this story is based on a series of in-real-life abuse complaints and resulting intrusion response activities at a major university in the United States that occurred in the late 1990s. The victims of this crew included universities, small businesses (including several small local ISPs), and corporations (including an online trading company, a brokerage group, a truck scale manufacturer, and an electronic media publishing company) around the globe. …

How I became the first person to describe the advent of a new class of computer network attack tools.

Part 0: The Build Up to Distributed Denial of Service

Image for post
Image for post
Photo by Taskin Ashiq on Unsplash

I was inspired to start a series of articles on the early history of DDoS by a few recent events. Rik Farrow interviewed me for a forthcoming issue (Fall 2019 Vol. 44, No. 3) of Usenix ;login: magazine while I was also writing up a history of the early days of the Honeynet Project, which refreshed my memory on a number of events in 1999-2000. I also read this MIT Technology Review article on the 20th anniversary of the “first DDoS attack” on the University of Minnesota:

It took me a little while to remember that July 22 was not the first of the three days that the University of Minnesota spent off-line from persistent flooding. That happened almost a month later. Nor was July 22 even the start of the build up to that event. …

Stories from the early Honeynet Project years (1999 to 2005)

Image for post
Image for post

This year (2019) is the 20th anniversary of the Honeynet Project, which was celebrated at the annual workshop in Innsbruck, Austria.

I was one of the earliest members of the group and have served as an Officer in two different roles (Secretary, then Chief Legal and Ethics Officer) over much of this time. This article is my perspective on a few significant events and previously untold stories from the early years, constructed from my own memory, search engines and the Wayback Machine, and the recollections of several other fantastic people who took part in this history. We learned many lessons, met many people, visited many places, and had a lot of fun along the way. …


Dave Dittrich

Information Security Researcher, Consultant

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store