Initial port from old theme
krmaxwell committed Mar 12, 2017
1 parent ea23616 commit 3adb86c
Showing 54 changed files with 1,137 additions and 203 deletions.
5 changes: 5 additions & 0 deletions _includes/about.md
@@ -0,0 +1,5 @@
Typical nerd: neckbeard, math and CS degree, plays too many computer games and D&D. Unix über alles, GPL zealot, re-activated activist. Currently a threat intel analyst and security researcher based in Dallas. Don't ask me about Windows anything.

Original developer of [Combine](https://github.com/mlsecproject/combine) and [Maltrieve](http://maltrieve.org). I previously worked on the [VZ DBIR](http://www.verizonenterprise.com/DBIR/) and what is now the VZ "Cyber Intelligence Center" but got out of there because Big Red is evil. I also built the incident response function at Heartland Payment Systems (post-breach _thankyouverymuch_).

I also give [talks](/talks) once in a while. I speak fluent Spanish but sadly not Portuguese of any flavor.
8 changes: 8 additions & 0 deletions _includes/contact.md
@@ -0,0 +1,8 @@
- Email: [krmaxwell|gmail](mailto:{{ site.email }})
- GitHub: [krmaxwell](https://github.com/{{ site.github }})
- Google Voice: 214-233-KYLE (-5953)
- Google+: [+KyleMaxwell](https://plus.google.com/+{{ site.google }}/)
- Twitter: [@kylemaxwell](https://twitter.com/{{ site.twitter }})
- Instagram: [technoskald](https://instagram.com/{{ site.instagram }})
- Keybase: [kylemaxwell](https://keybase.io/kylemaxwell)
- PGP: 4C8F A2D4 E91E 5064
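Review bot: the PGP entry on the last line gives only `4C8F A2D4 E91E 5064`, a 64-bit key ID rather than a full 160-bit (40 hex digit) OpenPGP fingerprint; a short ID does not let a reader confirm they fetched the right key, so publish the full fingerprint or point to the key on the Keybase profile already linked on the line above. The handles are also sourced inconsistently: GitHub, Google+, Twitter and Instagram come from `{{ site.* }}` variables while Keybase and PGP are hard-coded; pick one approach for all of them.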
31 changes: 31 additions & 0 deletions _includes/talks.md
@@ -0,0 +1,31 @@
## 2015
- [PyData Dallas](http://pydata.org/dal2015/schedule/#26) - "[Using Python to Fight Cybercrime](https://speakerdeck.com/krmaxwell/using-python-to-fight-cybercrime)" ([video](https://www.youtube.com/watch?v=a7v5fB2IaT4))
- [RSA Conference Expo 2015](https://www.rsaconference.com/events/us15/agenda/sessions/1929/know-your-adversary-gathering-intelligence-on) - "Know Your Adversary"
- [SANS CTI Summit 2015](http://www.sans.org/event/cyber-threat-intelligence-summit-2015) - "[The Most Dangerous Game: Hunting Adversaries Across the Internet](https://speakerdeck.com/sroberts/the-most-dangerous-game)" ([video](https://www.youtube.com/watch?v=0Xhu73fKNBI))

### 2014
- [ArchC0N](http://www.archc0n.org/index.php/archive/archcon-2014/) - "[Hackertainment](https://speakerdeck.com/krmaxwell/hackertainment)"
- [DEF CON 22](https://www.defcon.org/html/defcon-22/dc-22-index.html) - "[Measuring the IQ of Your Threat Intelligence Feeds](https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Pinto)" ([video](https://www.youtube.com/watch?v=uMJSOYA9xoM))
- [Black Hat Arsenal](https://www.blackhat.com/us-14/arsenal.html) - [Maltrieve](http://maltrieve.org)
- [BSidesLV](http://www.bsideslv.org) - "Measuring the IQ of Your Threat Intelligence Feeds"
- [SANS DFIR Summit 2014](https://www.sans.org/event-downloads/33822/agenda.pdf) - "[Incident Response Patterns](https://speakerdeck.com/krmaxwell/incident-patterns)"
- [BSidesSATX 2014](http://bsidestexas.blogspot.com/p/san-antonio-schedule.html) - "[Hackertainment: Coding and Hacking for Fun and Entertainment](https://speakerdeck.com/krmaxwell/hackertainment)"
- [BSidesPR 2014](http://bsidespr.org/2014/?page_id=88) - "[Threat Intelligence for Incident Response](https://speakerdeck.com/krmaxwell/threat-intelligence-for-incident-response)"
- [SANS CTI Summit 2014](https://www.sans.org/event-downloads/35252/agenda.pdf) - "Threat Intelligence for Incident Response"

## 2013
- [BSidesDFW 2013](http://www.securitybsides.com/w/page/68749447/BSidesDFW%202013%20Full%20Track%202%20Abstracts) - "[From Minion to Engineer](https://speakerdeck.com/krmaxwell/from-minion-to-engineer)"
- [SANS DFIR Summit 2013](https://www.sans.org/event-downloads/30107/agenda.pdf) - "Open Source Threat Intelligence"
- [Shakacon 2013](https://www.youtube.com/watch?v=JxJaCIzzFzg) - "[Open Source Threat Intelligence](https://speakerdeck.com/krmaxwell/open-source-threat-intelligence-shakacon)" ([video](https://www.youtube.com/watch?v=JxJaCIzzFzg))
- [BSidesNOLA 2013](http://www.securitybsides.com/w/page/62741761/BsidesNola) - "[Grabbing Fresh Evil Bits with Maltrieve](https://speakerdeck.com/krmaxwell/grabbing-fresh-evil-bits-maltrieve-1)"
- [Secure360 2013](http://secure360.org/schedule/open-source-intelligence-research/) - "Open Source Intelligence Research"
- [BSidesSATX 2013](http://www.securitybsides.com/w/page/62049224/BSidesSATX) - "[Grabbing Fresh Evil Bits with Maltrieve](https://speakerdeck.com/krmaxwell/grabbing-fresh-evil-bits-maltrieve)"
- [BSidesChicago 2013](https://securechicago.org/pastevents/bsideschicago-2013/schedule/) - "Open Source Threat Intelligence"

# 2012

- [BSidesDFW 2012](http://www.securitybsides.com/w/page/50488342/BSidesDFW%202012) - "Sharing threat intelligence with CIF"
- [HouSecCon 2012](http://houstonseccon.com/agenda-2012/#kyle) - "Sharing threat intelligence with CIF"
- Gartner CIO Summit Mexico 2012 - "Verizon Data Breach Investigation Report 2012"


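Review bot: the year headings are inconsistent (`## 2015`, `### 2014`, `## 2013`, `# 2012`), so the rendered page will show four different heading sizes; use `##` for all four. The Shakacon 2013 entry links the venue name to the same YouTube URL as its `(video)` link, unlike every other entry, where the venue links to the event schedule; and the two trailing blank lines at the end of the file can be dropped.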
42 changes: 42 additions & 0 deletions _posts/2013-12-20-kent-doctrine-intel-analysis.markdown
@@ -0,0 +1,42 @@
---
layout: post
title: "Kent Doctrine for security intel analysis"
date: 2013-12-20 23:02:17 -0600
comments: true
categories: Security, Intel
---

I’ve said before that log management matters, but **log analysis matters more**. Extracting and communicating useful information (analysis) requires collecting and storing your security data as well as processing the data quickly. But having all the data available won’t matter to anybody except auditors if you don’t use it in ways that inform good decisions. [Mike Rothman](https://twitter.com/securityincite) of Securosis expressed this exceptionally well in his [preview of the 2012 RSA Conference](https://securosis.com/blog/rsa-conference-2012-guide-key-themes):

>You will see a bunch of vendors talking about their new alerting engines taking advantage of these cool new data management tactics, but at the end of the day, it’s not how something gets done – it’s still what gets done.
>So a Hadoop-based backend is no more inherently helpful than that 10-year-old RDBMS-based SIEM you never got to work. You still have to know what to ask the data engine to get meaningful answers. Rather than being blinded by the shininess of the Big Data backend focus on how to use the tool in practice. On how to set up the queries to alert on stuff that maybe you don’t know about.
To paraphrase Socrates, **unexamined data are not worth collecting**. Analysis methodology and critical thinking skills matter. Rothman is spot on with this: the value of big data tech comes when you need to grow past the capabilities that traditional SIEM and RDBMS provide. By way of analogy: if you don’t understand algebra, then don’t take a course in calculus until you have the basic prerequisites down. You’ll just frustrate yourself and waste your tuition dollars.

![Sherman Kent](https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/Kent_Sherman_t.jpg/image.jpg)
*Provided by CIA*

In this vein, then, I appreciated the [CIA paper on the background and work](https://www.cia.gov/library/kent-center-occasional-papers/vol1no5.htm) of [Sherman Kent](http://en.wikipedia.org/wiki/Sherman_Kent), the “father of intelligence analysis”.

He promoted an analytic doctrine that boils down to nine key points, listed in the CIA paper above. That doctrine applies across domains, not just for the sorts military and geopolitical analysis we expect from government intelligence agencies. I highly recommend that everyone read at least that section of the paper, but here are some applications for those of us involved in security intelligence analysis, especially in the private sector.

1. **Focus on Policymaker Concerns:** What keeps your management up at night? Hopefully security isn’t the only thing, of course. So assuming that your CxOs understand the general threat landscape, analysts need to ensure that they track relevant areas that can lead to useful changes and decisions at strategic and tactical levels.

1. **Avoidance of a Personal Policy Agenda:** Many analysts focus on threats that concern them for reasons outside of their organization. Maybe they disagree with the politics of the Occupy movement and overemphasize threats to entirely unrelated organizations, or worry about APT China because of Sinophobia rather than a reasoned assessment of the situation. Or maybe they want to drive decision makers to a particular tech solution. Even worse, they may use their analyses as weapons for corporate political plays. Doing that represents a disservice to the organization and an unprofessional approach.

1. **Intellectual Rigor:** This area stands as-is: "Estimative judgments are based on evaluated and organized data, substantive expertise, and sound, open-minded postulation of assumptions. Uncertainties and gaps in in­formation are made explicit and accounted for in making predictions."

1. **Conscious Effort to Avoid Analytic Biases:** None of us can completely avoid cognitive bias, but we can make sure we understand it and try to correct for it where possible. That principally means application of the scientific method. Whether or not faith and dogma have a place in one’s personal life, they certainly do not in one’s professional analyses.

1. **Willingness to Consider Other Judgments:** Fight for your ideas, but playing "devil’s advocate" should rest on a better intellectual basis than simply spreading FUD. Recognize that others may in fact know more than you do or have insights that can help you.

1. **Systematic Use of Outside Experts:** In addition to seeking out and understanding the work of other analysts, don’t restrict yourself solely to your field or even industry. Work with a community and keep bringing in fresh concepts from other disciplines.

1. **Collective Responsibility for Judgment:** Eventually, your team will produce a report. You may not have agreed with everything that went into it, but that’s the way the sausage gets made. Once that report goes to its audience, support it. Throwing the rest of your analysis team under the bus by telling the audience "I told them so" doesn’t actually make you look smarter. It makes you look unprofessional. That doesn’t mean that you should ignore all criticism; rather, it means that you should be willing to take lumps with the rest of the group. If someone asks you for your opinion, give it – but clarify that it doesn’t represent the considered opinion of the rest of the team.

1. **Effective communication of policy-support information and judgments:** Analysts need three core skills: domain expertise, critical thinking skills, and communication ability. This includes targeting your analysis to the level appropriate to your audience. You must be able to summarize your findings in understandable and accurate ways. And you must be able to handle points of uncertainty properly.

1. **Candid Admission of Mistakes:** You won’t always be right. Admit it, and review past work to see what you can learn for improvement the next time. "Try again. Fail again. Fail better."

Security intelligence analysts should learn from previous work, instead of simply trusting in their own domain expertise and innate intelligence. Dr. Kent [led the way](http://www.au.af.mil/au/awc/awcgate/cia/strategic_warning_kent.htm), and even we non-spooks can still learn from his work.
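Review bot: the paragraph beginning `To paraphrase Socrates` follows the blockquote with no blank line, so Markdown treats it as a lazy continuation of the quote and renders Rothman's words and the post's own commentary as one blockquote; insert a blank line after the second `>` line. In the front matter, `categories: Security, Intel` is a string, and Jekyll splits a string-valued `categories` on whitespace, which yields a category carrying the trailing comma (`Security,`); use a YAML list such as `categories: [Security, Intel]`. Smaller points: `the sorts military and geopolitical analysis` is missing `of`, and `in­formation` in the Intellectual Rigor quotation carries a soft hyphen copied from the source PDF that some renderers will show as a stray break or character.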
20 changes: 20 additions & 0 deletions _posts/2013-12-20-research-ideas.markdown
@@ -0,0 +1,20 @@
---
layout: post
title: "Research Ideas"
date: 2013-12-20 22:39:25 -0600
comments: true
categories: Security
---

To start, here are my thoughts on interesting ideas for research. Feel free to use any of these as your own inspiration, but if you do, please let me know to satiate my own curiosity!

- Graph theoretical investigation of malware (i.e. [konig](https://github.com/technoskald/konig))
- OSINT methods / technologies
- Recognizing source code plaintext
- Hadoop for log analysis or network forensics
- Chromebook forensics
- Automated IOC extraction from malware
- Threat actor profiling (e.g. hacktivist motivations and methods)
- C2/RAT vulnerability research
- [Pareto charts](http://en.wikipedia.org/wiki/Pareto_chart) for log analysis

17 changes: 17 additions & 0 deletions _posts/2013-12-24-computers-versus-telescopes.markdown
@@ -0,0 +1,17 @@
---
layout: post
title: "Computers versus telescopes"
date: 2013-12-24 21:11:48 -0600
comments: true
categories: Programming
---

> Computer science is no more about computers than astronomy is about telescopes. -- Michael R Fellows [?](http://en.wikiquote.org/wiki/Computer%20science#Disputed)
Lots of folks have written in the past about the distinction between computer science and programming. A comment on Twitter reminded me of this again, but in an odd direction: the commenter expressed some dissatisfaction about having to learn some of the *history* of computer science while learning to program.

From a certain perspective, I can understand. Folks just dabbling in something like [The Hour of Code](http://csedweek.org) might not have the interest or motivation right away to learn about Ada Lovelace and John von Neumann and Alan Turing. They likely have the motivation just to understand the whole idea of giving specific commands to a computer and thinking in advance of possible things that could happen - the mental framework that we coders take completely for granted.

But at the same time: learning the history of computer science matters the same way it does in any discipline. Hobbyists buying telescopes for family outings may not want to learn about, say, Galileo and Hubble and Newton (to play on the analogy in the opening quote). But once they start to take it seriously and graduate to a motivated amateur, they'll need to understand who those men were and why that matters.

The [history of computer science](http://cs.saddleback.edu/michele/Teaching/CS1A/Slides/Topic%201%20-%20History%20-%202up.pdf) may not have the depth and twists that, say, physics does. But it has its own [drama](http://www.bbc.co.uk/news/technology-25495315) worth understanding.
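Review bot: the opening `>` quote runs straight into `Lots of folks have written...` with no blank line between them, so the first paragraph of the post renders inside the blockquote as a continuation of Fellows' words; add a blank line after the quote line. The bare `[?]` link marking the attribution as disputed reads like a footnote marker; spelling it out (for example `attribution disputed`) would be clearer.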
29 changes: 29 additions & 0 deletions _posts/2013-12-27-getting-started-in-infosec.markdown
@@ -0,0 +1,29 @@
---
layout: post
title: "Getting started in infosec"
date: 2013-12-27 09:11:34 -0600
comments: true
categories: Security
---

I recently participated in a discussion on a private mailing list about people who want to get started in information security. Of course it veered into standard territory about the value of certifications and such, but a few bits turned out interesting if not exactly ground-breaking.

---

What matters most: *education and learning and experience.* With very few exceptions, IT and infosec certifications mean very little to me. (And I personally have reached the point in my career that any job requiring one to get past HR is not a company where I want to work.)

Ugh to vendor / tool certifications. I'd rather hire somebody who knows (say) system forensics inside and out but has never used a given tool than somebody who knows how to run EnCase but doesn't really grasp the underlying fundamentals. Similar with the RHCE - I don't know that exam well, but I'd be concerned about whether somebody "knows Red Hat" or "knows Linux" (or, better, "knows Unix"). I've run into both types, of course: people who got a vendor cert because it helped them get a job but they really could have used any tool, and folks who claimed to know what's up because they have a cert - but put them in front of, say, FTK or Debian and they're lost. I mean, I don't care if my mechanic "knows Craftsman" as long as they can fix my car.

A few certifications actually do say something good about the cert holder: CCIE, to a degree, and the older style SANS certs (now I think they're called "Gold"?). Although I'd not pass somebody over for *having* a cert, I'd pass them over for *overemphasizing* it.

If an applicant for a junior DFIR gig hasn't had the opportunity to go take an expensive SANS course or whatever but can demonstrate lots of initiative and self guided education, with some open source projects or a blog that shows their understanding and personal contributions from their own research, I will likely prefer them anyway.

So, if you want to get started cheap and don't know how, you could start with things like:

- [SecurityTube](http://www.securitytube.net)
- [Open Security Training](http://opensecuritytraining.info)
- [Hacker Academy](http://hackeracademy.com)

Set up a home lab and do whatever interests you. Find some online CTFs (more on this soon). Do some [social coding](https://help.github.com/articles/be-social). Hang out at a local [BSides](http://www.securitybsides.com) or [DEFCON group](http://www.defcon.org/html/defcon-groups/dc-groups-index.html). There is no shortcut to success. You have to put in the time and effort.

And always remember: [hack to learn](http://www.catb.org/esr/faqs/hacker-howto.html), don't learn to hack.
18 changes: 18 additions & 0 deletions _posts/2013-12-29-2014-tech-goals.markdown
@@ -0,0 +1,18 @@
---
layout: post
title: "2014 Tech goals"
date: 2013-12-29 14:37:38 -0600
comments: true
categories: Programming, Meta
---

While the calendar will flip in a few days, I've had some time off and and naturally have spent some time thinking about the future. What do I want to learn and improve in my technical skills over the next year or so? Most of the following can be summed up in two "meta goals": **write more code** and **get back to math and computer science.**

At the moment, I plan to work primarily in Python and C, although that could change depending on projects and other similar factors. Today, I write most of my open source code in Python, and my closed source code for work leans even more heavily in that direction. C was my first love, though, and I still use a subset of it when working with Arduino. Other languages might crop up for specific projects, I suppose.

1. **Submit a solid proposal to speak at DEFCON.** I have no direct control over the acceptance of my proposal, but I can make sure that I work on something cool and submit a proposal that's worthy of serious consideration. Almost certainly this will deal with OSINT or network forensics.
1. **Complete the [Matasano Crypto Challenges](http://cryptopals.com/)** This will help me achieve a good hacker-level understanding of cryptography. Recent news events provide part of the motivation to learn a lot more about all this.
1. **Complete at least 100 problems from [Project Euler](http://projecteuler.net), including writeups.** This project scratches a number of different itches for me, all in good ways.
1. **Build at least one really cool hardware project.** I have a recent interest in hardware hacking, mostly around the so-called "Internet of Things", and so (likely in conjunction with my daughter) I want to build something cool, albeit undetermined right now.

For clarity's sake, of course I have other things I want to accomplish during the next few months to a year. Some of them almost fit here (more educational advocacy and volunteerism) and some don't (personal and family goals). But the above looks to me like a solid set of things to work on.
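Review bot: `I've had some time off and and naturally` doubles `and`. In the goals list, the second item closes its bold title at `Challenges](http://cryptopals.com/)**` with no period before `This will help`, unlike the other three items, which end the bold title with a period inside the `**`. The front matter `categories: Programming, Meta` is a string that Jekyll splits on whitespace into `Programming,` and `Meta`; use a YAML list instead.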