DEF CON 23 [Audio] Speeches from the Hacker Convention
Chris Sistrunk - NSM 101 for ICS - 101 Track
09/22/15
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Chris-Sistrunk-NSM-101-for-ICS.pdf
NSM 101 for ICS
Chris Sistrunk, Sr. ICS Security Consultant, FireEye
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues have long cycles, and some systems and devices will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, yet almost all ICS monitoring has been focused on compliance rather than on looking for indicators or evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of an ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Chris Sistrunk is a Senior Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for SCADA systems. He has 10 years of experience in SCADA systems with tasks such as standards development, system design, database configuration, testing, commissioning, troubleshooting, and training. He was the co-overseer of the SCADA, relay, and cyber security labs at Entergy for 6 years. Chris has been working with Adam Crain of Automatak on Project Robus, an ICS protocol fuzzing project that has found and helped fix many implementation vulnerabilities in DNP3, Modbus, and Telegyr 8979.
Chris helped organize the first ICS Village, which debuted at DEF CON 22.
He is a Senior Member of IEEE, Mississippi InfraGard President, a member of the DNP Users Group, and a registered PE in Louisiana. He holds a BS in Electrical Engineering and an MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference.
Twitter: @chrissistrunk
https://www.facebook.com/chrissistrunk
Previous Episode
Mike Sconzo - I Am Packer And So Can You - 101 Track
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mike-Sconzo-I-am-packer-and-so-can-you.pdf
I Am Packer And So Can You
Mike Sconzo, Security Researcher
Automating packer and compiler/toolchain detection can be tricky at best and downright frustrating at worst. The majority of existing solutions are old, closed source, or aren't cross platform. Originally, a method of packer identification that leveraged some text analysis algorithms was presented. The goal is to create a method to identify compilers and packers based on the structural changes they leave behind in PE files. This iteration builds upon previous work that used assembly mnemonics for packer detection and grouping. New features and analysis are covered for the identification and clustering of PE files.
Mike Sconzo has been around the Security Industry for quite some time, and is interested in creating and implementing new methods of detecting unknown and suspicious network activity as well as different approaches for file/malware analysis. This includes looking for protocol anomalies, patterns of network traffic, and various forms of static and dynamic file analysis. He works on reversing malware, tool creation for analysis, and threat intelligence. Currently a lot of his time is spent doing data exploration and tinkering with statistical analysis and machine learning.
Next Episode
Mark Ryan Talabis - The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic - 101 Track
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Mark-Ryan-Talabis-The-Bieber-Project.pdf
The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic
Mark Ryan Talabis, Chief Security Scientist, zVelo
In the past year, I found myself immersed in the multi-billion dollar digital advertising industry. This gave me the opportunity to investigate the unique security challenges and issues facing the industry. It was a shock to me at first how complex the advertising ecosystem was, particularly with the advent of programmatic advertising. But I dove in head first and learned a lot, which I would like to share with my fellow security professionals. During this time, I got involved with unscrupulous publishers, apathetic ad networks, angry advertisers and activist malware researchers. I encountered self-proclaimed experts with fantastic claims, vendors using scare tactics, and a glaring disconnect between the security and ad tech worlds.
In this presentation, I would like to share my experience with the audience along with a number of things, among which are:
A 101-type introduction for security professionals to the digital advertising ecosystem. Among the things we will tackle are what programmatic advertising is, what the roles of the different players like ad networks are, and how money is made off all this interplay.
A perspective on what security challenges the advertising industry is facing and the opportunities for us security professionals to be involved. We all know about malvertising, and it's a big deal to us security guys, but there are bigger and, from an advertiser's perspective, more relevant issues that need to be taken care of first. All of this will be discussed in this talk.
An introduction to the different and creative ways unscrupulous publishers can pad their earnings. We will be talking about hidden ads, ad stacking, intrusive ads, auto-refreshes, popups, popunders, blackhat SEO techniques and dirty inventory.
An in-depth discussion of the problems caused by non-human traffic (NHT). We will talk about what it is, why it is a problem, how it is generated, and more importantly, how we catch it. In fact, this presentation is named the "Bieber Project" after the experiment I leveraged to understand non-human traffic and determine how we can identify it.
Mark Ryan Talabis is the Chief Security Scientist for zVelo Inc, where he conducts research on advertising fraud and non-human traffic. He is also formerly the Director of the Cloud Business Unit of FireEye. He is an alumni member of the Honeynet Project and a member of the anti-malware working group of the Interactive Advertising Bureau (IAB), where he contributes to the promotion of threat intel sharing across the advertising industry.
His current work focuses on helping advertisers and ad networks find ways to identify non-human traffic through various browser impression and behavioral anomaly detection techniques. This also includes work on detecting various impression and click padding techniques used by unscrupulous publishers.
He is a graduate of Harvard University and is a co-author of two books from Elsevier Syngress: "Information Security Analytics: Finding Security Insights, Patterns, and Anomalies in Big Data" (2014) and "Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis" (2012). He has presented at various security and academic conferences and organizations around the world including Blackhat, DEF CON, Shakacon, INFORMS, INFRAGARD, ISSA, and ISACA.