At the end of September I attended the TRANSITS II workshop organised by The GÉANT Association (previously TERENA), kindly hosted by SURFnet at their offices in Utrecht, NL. This course follows on from the TRANSITS I workshop that I blogged about at the beginning of the year, but focuses more on specific technical skills, rather than the overall workings of a CERT.
Inadvertently breaking with OxCERT tradition, I neglected to take any photos during this trip. Instead I’ve included images from the Internet for visual relief; they’re probably better than anything I could have achieved myself anyway!
Day one kicked off with a fascinating overview of computer forensics from Jaap van Ginkel. These sessions covered general digital forensic principles, combined with practical, hands-on exercises in acquiring forensically sound disk and memory images for analysis. The theoretical explanations were interspersed with real world examples, which always help to bring things to life.
Jaap went on to describe various places that evidence might be found on a disk, along with a selection of tools to help automate the process.
While it was noted that a short course like this couldn’t turn a novice into a forensics expert, the information is particularly useful for our team as we are looking to enhance our own digital forensics capability in the near future.
Don Stikvoort broke up the straight technical talks with an interesting module on Human Communication. Historically, IT is not an industry that has been seen to value communication skills; but the ability to both listen and explain effectively, in a variety of formats, is essential in a modern workplace – technical or not. Certainly, OxCERT are required to communicate regularly with colleagues throughout the University, and in the wider information security community.
The communication sessions touched on various valuable areas, such as how to build rapport with others by subtly and unobtrusively matching or mirroring their pose. It was also interesting to learn that only 7% of typical communication is conveyed by the words used, the rest is interpreted from body language and tone of voice. Perhaps this explains some of the misunderstandings that lead to spiraling arguments on mailing lists!
Wim Biemolt started the final day with some engaging talks about Netflow, particularly using the Nfdump and Nfsen tools. OxCERT already make extensive use of Netflow to investigate security incidents, but the refresher was welcome. I was not personally familiar with the Nfsen web interface so enjoyed having the opportunity to experiment with it.
These sessions also opened up useful discussion of the practical uses of Netflow for a CERT, and the appliances that can be used to generate flow data from traffic.
We rounded off the course by working through one of the ENISA CERT exercises. These exercises are freely available from the ENISA website and present various scenarios.
Our exercise instructed us to assume the role of the national CERT of a small, fictional country. In the scenario, the country in question is subjected to increasingly serious and politically motivated cyber attacks. This opened up some interesting discussions and differing points of view; these exercises would certainly provide a useful starting point for anyone planning their own security fire drills.
All in all, another very worthwhile course with a nice mix of hands-on exercises and background theory, and a great follow-up to TRANSITS I.