How to stop ‘troubleshooting in the dark’

By on 28 Aug 2020

Categories: Community Events

Tags: , , ,

Blog home

Ball of rubber bands

Recently I had the pleasure of conducting two virtual training sessions: one for 40 Pakistani network operators, and one for 12 Mongolian network operators from six organizations.

The two economies are separated by over 3000kms but united by the same goal: to increase the security preparedness of organizations so that they’re not ‘troubleshooting in the dark’.

All of the training participants were, without question, technical, but most of the participants, in my view, were somewhat new to doing security analysis and investigation, which may not be so straightforward like configuring firewalls. They hadn’t necessarily been exposed to certain areas of security like analysing malware or a breached server or network appliance.  

They did, however, all recognize the very pressing need to ‘do more in security’ so that they didn’t find themselves completely blind when handling a security incident or abuse report. This is something I see very commonly now — netops folk really stepping up to build their security capacity.

Although the two training sessions differed, some of the topics covered included:

  • Incident response in practice (monitoring, detection and alerting), and an analysis of case studies. We used open-source tools like Elastic Stack and Elastalert for this.
  • Pcap analysis, using Suricata to analyse network traffic collected from some security incidents.
  • File system forensics, investigating a disk image taken from a compromised webserver.
  • Analysis of memory from a compromised computer.
  • The APNIC Honeynet project focusing on compromised devices and what they were trying to do on the honeypots (spoiler alert: DDoS agents and cryptominers).

One thing I always enjoy about these training sessions is how open people are to sharing experiences and information. People tend to abide by the principle that ‘we may compete in business, but not in security’. This is not always easy especially when sharing sometimes means exposing your weaknesses. All the participants in the two training sessions are from companies that are competing with one another. This, to me, exemplifies some of the best things about the Internet, and it’s also the only way that we, as security folk, can have a chance of neutralizing bad actors.

Special thanks go to the Pakistan Telecom Authority and Mongolian telco, Gemnet, for organizing/facilitating the sessions.


Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *