05 March, 2015

Reflections on BSidesDC 2014 Talk: Meatspace Indicators and IR

This is long overdue, but I am finally posting a recap of my BSidesDC talk from October 2014. The talk was based on my previous blog post, A Practical Example of Non-technical Indicators and Incident Response. For my BSidesDC talk, I tweaked the title slightly to "Meatspace Indicators and Incident Response: A Story From the Lab of Nate Richmond."

Overall, I think the talk went well. To give people an idea of the preparation involved, I did two dry runs of the talk. The first was for my coworkers, who then gave me valuable feedback on the content and suggestions for improvements. It also gave me a good idea of whether the material filled the time I had for my talk. Whether or not you're giving a talk sponsored by your employer, it's a great idea to get feedback from peers before submitting or giving the talk.

Since the talk used my family as an example, I also did a dry run for them after modifying the content based on the feedback my coworkers gave to me. The main reason to give the talk to my family was to make sure they were all comfortable with what I said during the talk, but also to get some feedback and be fully transparent with them about what I do with our home network.

I felt slightly guilty about using material from a couple years ago for a conference, but in the end I decided it was still relevant. I think the material was very well-suited for BSides rather than a larger conference.

I embedded the video from YouTube below. After the video, I have some comments and critiques of my talk that I noted when watching the video. It can be very painful to watch and listen to yourself, particularly for those of us who are driven to be good at the things we do and thus are very critical of ourselves, but it's always important to review what you've done so you can do it better the next time. I definitely missed a few points that I had in my notes and also rushed a bit, finishing 10 minutes early. I probably should have done at least one more dry run.

I hope it was informative, useful, and entertaining for those that attended or watched later.

I'd very much like to thank BSidesDC for having me. I enjoyed the conference both as a speaker and an attendee. I highly recommend checking out your local BSides if you get the chance. I like their focus on community, collaboration, and keeping the cost for attendees to a minimum.


The "Introduction" slide was meant in part to set up a short musing on the stickers people put on the backs of their cars to represent their family. Sorry if you have these, but they really bug me for some reason.

I think I did emphasize my two main points, which are that security practitioners sometimes forget their goals in terms of supporting the business they're protecting, and that we also can be overly focused on the latest technology when there are many indicators of compromise that require no technology at all.

If I gave this talk again, I would add a slide after "Additional Context" to show a little more about my home lab architecture. It would have made sense to leverage a little material from my blog posts New Home Lab Configuration and Home Lab Part 2. I did have links to these posts in my presentation but forgot to point them out to my audience. I also had intended to point out the evolution of my lab from a stand-alone Sguil installation running on a 700MHz machine with 512MB of RAM, prior to the creation of Security Onion, to its current incarnation using virtual machines on a much faster machine.

Regarding Terms of Service and expectations of privacy, I firmly believe in what I stated during the presentation. Whether it's a business or personal network, it's very important to let your users know what is expected of them and also what is expected of those monitoring the network. It's also important for those doing network monitoring to properly adhere to these terms. When network monitoring and incident response are part of your job, you should not be taking advantage of your access to root around in people's personal business for fun. You should only be doing what is required to effectively do your job.

During the discussion of the changing landscape and countermeasures, I forgot to repeat the comments from the audience. This bothers me since I had explicitly reminded myself beforehand to repeat comments so everyone could hear them. If you are ever a presenter and the audience doesn't have microphones, please try to repeat any substantial questions or comments for the rest of the audience.

Finally, I had some other examples and discussion for the slide about "Why Does This Matter?" but neglected to glance at my notes. The bottom line is that we sometimes get caught up in the mentality of "nuke the entire site from orbit--it's the only way to be sure" rather than examining other possibilities that would still be effective but less disruptive to the business.