Graham Jones (Surrey, British Columbia, IT Pro)
Last week we were very fortunate to have Kai Axford (CISSP, MCSE-Security) do a Western Canada sweep, hitting the Calgary, Edmonton, Vancouver and Victoria UGs. Kai Axford is a Senior Security Strategist in the Trustworthy Computing Group and has been with Microsoft for 8 years. He started as a Server Support Engineer and then moved on to become an IT Pro Evangelist, focusing on his peers through the Microsoft TechNet Events program. He has delivered over 200 security presentations on a variety of topics, including digital forensics, security management, and incident response. He is a frequent speaker at security conferences, executive meetings, and business seminars around the world.
Kai is pursuing an MBA in Information Assurance and is a member of the Information Systems Security Association (ISSA), INFRAGARD, and the North Texas Electronic Crimes Task Force. He was the recipient of the 2006 “Rising Star” award from the Information Security Executive council. Kai is interested in security management and security metrics and hopes to become a Chief Security Officer one day.
Prior to Microsoft, Kai served as a leader in several real-world operations with the U.S. Army's elite 75th Ranger Regiment. Originally from Wisconsin, Kai is a huge NFL Green Bay Packers fan. He is based in Dallas, Texas (where he finds the heat overwhelming) with his lovely wife and a (very wet) yellow Labrador dog.
In Vancouver, Kai “educated” about 150 enthusiastic and very satisfied IT Pros. Kai described his presentation as follows:
“Identifying Computer Attacks: Tips, Tricks and Tools - It couldn't happen to you. You've been to all the classes. You've read through the volumes of security guidance. No way is this morning's newspaper headline correct. You have that sick feeling in your stomach: "My network has been hacked. My boss wants answers. What do I do now?" Check out this informative and entertaining session as Kai Axford demos the how and why attacks occur. He'll also show you the tools you need to properly identify an attack and gather forensic evidence. You will learn how to detect and trace network intrusions and see some of the popular forensics tools that can help you gain valuable information about the attack.”
All too often we are preoccupied with security from a prevention standpoint, trying to provide peace of mind to the CEO so that he/she can sleep at night. However, there is no such thing as “absolute” security, and that may mean we are not well prepared to handle the investigation of a serious incident. Employment in positions of responsibility for security can be very “temporary” at times! Further, there may be a need to preserve and compile forensic evidence for presentation in a court of law, and our urgency in the pressure of the moment may taint that evidence and make it unusable. Kai’s talk focused both on investigative tools and on some guidance on forensics from a legal standpoint.
What constitutes an incident? As defined by AUS-CERT, it is:
“An attack against a computer or network which harmed, or potentially may harm, the confidentiality, integrity or availability of network data or systems.” and may include such things as:
· Compromise of Confidentiality
· Compromise of Integrity
· Denial of Resources
There may be many reasons why “hackers” want access to your hardware, all the way from “you have spare cpu cycles and disk space for personal use” to “botnets and organized crime”. Apparently, botnets with up to 1.5 million machines have been reported. One interesting, and probably true, quote from Kai was “If you are a good hacker….everybody knows. If you are a GREAT hacker …nobody knows”.
Perhaps the most obvious point regarding any investigation is to “never” work on the original data, in case you accidentally corrupt it and thereby compromise its value. For example, make copies of all event data (e.g. logs, syslog output, firewall logs, Intrusion Detection and Prevention System output, etc.) and work only on the copies. If there are legal proceedings there must be incontrovertible proof, which means examining ALL of the data, not just the parts that look interesting. There are free tools available to assist in the investigation, such as Process Explorer (Sysinternals), Autoruns (Sysinternals), Wireshark, md5sum, EventCombMT, and many more.

It is important to draw a clear distinction between simple incident investigation and digital forensics. Digital forensics is a specialist activity which requires thorough training and experience; it is not something the typical sys admin is likely to have in their arsenal. One of the biggest challenges in any investigation is the amount and variety of data to examine. Kai outlined some popular forensics tools that help to collect, view and analyze data without “corrupting” the evidence. Commercial products include EnCase and Forensic Toolkit (FTK); open source and free products include The Sleuth Kit and e-fense.
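The “never work on the original” rule is easy to state and easy to break under pressure. The following is an added example, not code from Kai’s talk or from any of the tools named above: it copies a set of log files into an evidence directory, hashes the original and the copy (SHA-256 here, where the talk mentions md5sum; the choice of hash is mine), records the hashes, sizes and acquisition time in a manifest, marks the copies read-only, and later re-verifies the copies against the manifest so that any accidental edit during analysis is caught. The sample firewall and syslog lines are constructed for the demo and the `analyst` examiner name is a placeholder.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB pieces so large logs are not held in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(sources, evidence_dir, examiner="analyst"):
    """Copy each source into evidence_dir and record a manifest.

    The original is only ever opened for reading. The copy is hashed and compared
    with the original before it is accepted, then made read-only so that analysis
    tools cannot quietly alter it. Returns the manifest (also written to
    evidence_dir/manifest.json).
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite existing evidence copy: {dst}")
        original_hash = sha256_file(src)
        shutil.copyfile(src, dst)
        if sha256_file(dst) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP)  # read-only working copy
        entries.append({
            "source": os.path.abspath(src),
            "copy": dst,
            "size": os.path.getsize(src),
            "sha256": original_hash,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
        })
    manifest = {"entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every copy in the manifest; return the names of copies that no longer match."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [os.path.basename(e["copy"]) for e in manifest["entries"]
            if sha256_file(e["copy"]) != e["sha256"]]


# Constructed sample log lines (not real data) standing in for firewall and syslog output.
SAMPLE_LOGS = {
    "firewall.log": "2007-06-12 03:14:07 DROP TCP 198.51.100.23:51342 -> 192.0.2.10:445\n",
    "syslog": "Jun 12 03:14:09 fileserver sshd[2231]: Failed password for root from 198.51.100.23\n",
}


def demo():
    """Acquire the sample logs, verify, then tamper with one copy and verify again."""
    work = tempfile.mkdtemp(prefix="ir-")
    originals = []
    for name, text in SAMPLE_LOGS.items():
        path = os.path.join(work, "live", name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        originals.append(path)
    evidence = os.path.join(work, "evidence")
    manifest = acquire(originals, evidence)
    clean = verify(evidence)  # expected: no mismatches right after acquisition
    # Simulate an analyst (or a careless tool) editing a working copy in place.
    tampered = manifest["entries"][0]["copy"]
    os.chmod(tampered, stat.S_IRUSR | stat.S_IWUSR)
    with open(tampered, "a") as f:
        f.write("# note added during analysis\n")
    dirty = verify(evidence)  # expected: the edited copy is reported
    originals_intact = all(sha256_file(e["source"]) == e["sha256"] for e in manifest["entries"])
    shutil.rmtree(work)
    return {"copies": len(manifest["entries"]), "clean": clean,
            "dirty": dirty, "originals_intact": originals_intact}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the piece practitioners most often skip: without a recorded hash and acquisition time for each copy, you cannot later show that the data you analyzed is the data you collected, which is exactly the question opposing counsel will ask.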
The above by no means covers the scope of Kai’s excellent talk. I definitely wouldn’t want to steal his thunder. Besides, the delivery and the “stories” are part of the experience! Kai is a very “lively” and “entertaining” speaker who really knows how to get the right messages across. It is rare that I receive so many very positive comments after a meeting, both in person and via email. If you have the opportunity to hear Kai speak, don’t pass it up. Kai tells me that he has a number of other presentations, and we would certainly love the opportunity to have him come and visit us again.