Chris Pogue, Senior Security Analyst

Stephen Northcutt - July 8th, 2010

Pogue is a Senior Security Analyst for the Spiderlabs Incident Response and Digital Forensics team at Trustwave. He has over ten years of administrative and security experience including three years on the IBM ISS X-Force Emergency Response Services Team, five years with IBM’s Ethical Hacking Team, and 13 years of Active Military service in the US Army Signal Corps.

Chris has also worked with local, state, and federal law enforcement agencies such as the New York Police Department, the Royal Canadian Mounted Police, the Federal Bureau of Investigation, and the United States Secret Service to help pursue the digital evidence left behind by criminals of all types. His efforts have led to arrests and convictions in Oklahoma, New York, Florida, Albania, and Germany.

Chris holds a Bachelor's degree in Business Management and a Master’s degree in Information Security, and is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), a GIAC Certified Forensics Analyst (GCFA), and a VISA PCI DSS Qualified Security Assessor (QSA).

Chris, please tell us some of the papers or presentations you have written that are available on the web:

Top Ten Vulnerabilities Leading to Compromise
The Simple Truth
Sniper Forensics
Payment Data: Don’t Store It!
Sniper Forensics V2 – Target Acquisition

And, please tell us your top three “must read” papers that are available on the web that you did not write:

Smashing the Stack for Fun and Profit
Windows Forensic Analysis (By Harlan Carvey – I know it’s not a “whitepaper” per se, but it’s so crucial, I feel like I have to include it.)
How to Win Friends and Influence People (By Dale Carnegie – Again, not a “whitepaper”, but it was instrumental in developing my work ethic and guiding my customer interactions. Have to include it as well.)

How did you become interested in the field of information security?

I was a Sysadmin at American Express working in their operations center. I worked on Solaris, AIX, and Windows servers, and really enjoyed making things “work”. I had a co-worker who took me to DEFCON 11 and I learned that there was an entire discipline within the IT world that focused on the polar opposite of what I had been doing for the past four years…breaking things. I was fascinated, and soon applied internally at IBM for a position on the Ethical Hacking (pentesting) team. I had all of the OS and networking skills, but none of the mental framework for being an effective pentester, but I was hired nonetheless. After coming onto the team, I asked my new manager why she hired me. She said my enthusiasm was obvious and infectious…and while she can teach 1s and 0s, she cannot teach attitude, desire, or a solid work ethic. I thanked her for the opportunity, and have not “worked” a day since! I love my job, I love security, and I love going to work every day. I cannot imagine myself doing anything else.

What projects are you working on today?

I am working on several different things. One is developing a relationship with Law Enforcement to help make arrests. I am a geek…they are not. I can help them solve cyber-crime. So…I help them, and I get to put people in jail…works for me.

Are you working on any single product? If so, what are some of its unique characteristics? What differentiates it from the competition?

I am working on a GUI tool called “Illuminator” for reviewing timelines. It stands on the shoulders of mactime, but provides the end user with the ability to drill down into certain dates or specific files, giving them a graphical representation of the data. Since most non-technical people think in pictures, I am envisioning this tool being very popular with Law Enforcement and Juries.
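The drill-down Chris describes (a mactime-style timeline narrowed to one date or one file) can be shown in a few lines of Python. This is an added example, not code from Illuminator or from the interview; the bodyfile rows are constructed, and the field layout assumed is The Sleuth Kit 3.x bodyfile format that mactime consumes.

```python
from datetime import datetime, timezone

# Constructed sample bodyfile in the Sleuth Kit 3.x layout that mactime reads:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times in epoch seconds)
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|1234|r/rrwxrwxrwx|0|0|302592|1277945000|1245000000|1245000000|1245000000
0|/Users/pos/AppData/Local/Temp/svc.exe|5678|r/rrwxrwxrwx|0|0|81920|1277944200|1277943600|1277943600|1277943600
0|/Windows/Temp/dump.txt|9012|r/rrw-rw-rw-|0|0|40960|1278030000|1278028800|1278028800|1278028800
"""

# mactime prints the four timestamp kinds in "macb" order: modified, accessed, changed, born
MACB_ORDER = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_bodyfile(text):
    """Expand each bodyfile row into timeline events, one per distinct timestamp.

    Like mactime, identical timestamps on one file collapse into a single row whose
    flag string marks which of m/a/c/b fired (a dot marks the ones that did not)."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 11 or line.startswith("#"):
            continue
        name, size = fields[1], int(fields[6])
        stamps = dict(zip(("atime", "mtime", "ctime", "crtime"), map(int, fields[7:11])))
        by_ts = {}
        for flag, field in MACB_ORDER:
            if stamps[field] > 0:  # 0 means "timestamp not available" in a bodyfile
                by_ts.setdefault(stamps[field], set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(flag if flag in flags else "." for flag, _ in MACB_ORDER)
            events.append({"ts": ts, "macb": macb, "name": name, "size": size})
    events.sort(key=lambda e: (e["ts"], e["name"]))
    return events


def drill_down(events, day=None, name_contains=None):
    """Narrow a timeline to one UTC date (YYYY-MM-DD) and/or a path substring."""
    out = []
    for e in events:
        when = datetime.fromtimestamp(e["ts"], tz=timezone.utc)
        if day and when.strftime("%Y-%m-%d") != day:
            continue
        if name_contains and name_contains.lower() not in e["name"].lower():
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    for e in drill_down(parse_bodyfile(SAMPLE_BODYFILE), day="2010-07-01"):
        print(datetime.fromtimestamp(e["ts"], tz=timezone.utc), e["macb"], e["name"])
```

The constructed rows place a new executable in a user temp directory on 2010-07-01 and an access to cmd.exe minutes later; filtering to that day surfaces only those events.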

What do you think the security products in your space will look like in two years, what will they be able to do?

That’s really the million dollar question isn’t it? I see our industry sort of like an arms race. The bad guys do X, so we as security professionals respond by doing Y…etc. Hopefully the tools we will use and create will help us to not only respond to the current operating environment, but be able to more readily react to emerging threats. This would mean taking a different approach to security in general – instead of simply reacting to a known threat, hopefully we can get to the point that we can interrupt the means by which attacks are conducted.

What is your impression of the defensive information community? Are we making progress against the bad guys? Are we losing ground?

I think the current environment is kind of mediocre to be honest. I see a LOT of “security professionals” who are better at throwing around five-dollar words than they are at understanding security controls. From a forensics perspective, MANY investigators are crippled by tools. They think that EnCase or FTK will solve their cases for them, and so they are blind to the nuances of the “chase”. Logic, Locard, the foundational principles upon which ALL of the forensic disciplines are built. They leap, but have no idea to where or why…just that application X told me to click “Next”…therefore I am now a Forensicator! It’s pretty disheartening.

So then, what are your thoughts concerning the most dangerous threats information security professionals will be facing in the next year to eighteen months?

The most dangerous threats we will face in the next year to 18 months are unfortunately the SAME threats we have been facing for the past several years. Weak security controls, a lack of awareness and education, and not enough buy-in from the upper echelons of corporate management. Why would the attackers have to reinvent themselves, when there are so many fish still left in the barrel for them to shoot? Look at it like this…I work probably 50 cases per year doing forensics and incident response. In 95% of those cases, the Breach Triad (Infiltration, Aggregation, Exfiltration – idea coined by ME…actual term coined by Colin Sheppard – Practice Manager for our team at Trustwave) was facilitated by the same handful of deficiencies. In all of these cases, I found: weak passwords, no firewall, out of date OS and AV (or no AV), flat network topology, and unencrypted sensitive data. It’s like the Marx Brothers put these networks in! The attackers will evolve when the IT community decides to start implementing decent security controls.

What is your biggest source of frustration as a member of the defensive information community?

For certain it’s the total LACK of fiduciary responsibility! Here is an example. Snuffy Joe’s Tacos serves Tacos. Good Tacos. If they are not good, Snuffy Joe will replace them free of charge. He doesn’t know SQUAT about IT, or PCI so he hires Billy Bob’s Payment Systems. Billy Bob tells Snuffy Joe that he will make him PCI compliant, so he can worry about Tacos and let Billy Bob worry about his computer systems. Snuffy thinks this is great, and pays Billy a BIG chunk of money up front as well as a monthly service fee. NOW…here is the really CRAPPY part…Snuffy Joe gets breached and ordered by the brands to have a PCI Forensics investigation. I show up to find that while the POS Software is a PCI compliant version of the application, it has not been installed properly, ALL of the default passwords are still in place, the FIRST rule on the firewall is TCP/ANY/ANY, Billy Bob used pcAnywhere to perform remote administration and TCP port 1494 is WIDE open, his support creds are Admin:Support, he is several patch levels behind on the OS, and the POS terminals don’t have AV…oh…and the logging is set to the default for Windows…7 days or 512 MB. So, because Snuffy trusted Billy to take care of his POS systems, he was breached. He NOW has to pay for the forensics, plus fines from his merchant bank for being non-compliant, plus fines from the brands to replace the stolen card numbers, plus any fraud that resulted from the breach. Billy Bob pays…wait for it… wait for it…nothing. Since PCI compliance is the responsibility of the individual merchant, Billy Bob has no responsibility! So Snuffy gets hit with $40K in fines and bills…and Billy moves on to the next sale to the next unsuspecting customer. This chaps my hide to no end!
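The deficiencies in the Snuffy Joe story (an allow ANY/ANY first rule, a remote administration port open to the world, vendor default credentials, stale patches, no AV, default Windows log retention) are exactly what a pre-engagement configuration audit should catch before a breach forces a forensic one. The following is an added example, not code from Trustwave or the interview: the host snapshot is constructed, the port list and thresholds are assumed policy values, and the one-year log retention floor reflects PCI DSS requirement 10.7.

```python
# Constructed snapshot of a merchant POS host, modelled on the deficiencies described
# above (not data from any real investigation). Firewall rules are evaluated top to
# bottom, first match wins, which is why rule order matters as much as rule content.
BREACHED_HOST = {
    "firewall_rules": [
        {"action": "allow", "proto": "tcp", "src": "any", "dst_port": "any"},  # TCP/ANY/ANY first
        {"action": "deny", "proto": "any", "src": "any", "dst_port": "any"},   # never reached
    ],
    "listening_tcp_ports": [1494, 445],
    "remote_admin_accounts": [{"user": "Admin", "password": "Support"}],
    "os_patch_lag_days": 180,
    "av_installed": False,
    "eventlog": {"retention_days": 7, "max_size_mb": 512},  # Windows defaults per the interview
}

# Assumed policy values for the check (extend DEFAULT_CREDS with the vendor's documented defaults).
REMOTE_ADMIN_PORTS = {1494, 3389, 5631, 5632}
DEFAULT_CREDS = {("admin", "support")}
MAX_PATCH_LAG_DAYS = 30
MIN_LOG_RETENTION_DAYS = 365  # PCI DSS 10.7: one year of audit history


def first_match(rules, proto, port):
    """Return the first rule that applies to this protocol/port, as a first-match firewall would."""
    for rule in rules:
        if rule["proto"] in (proto, "any") and rule["dst_port"] in (port, "any"):
            return rule
    return None


def audit_pos_host(host):
    """Return a list of findings; an empty list means none of the interview's deficiencies were seen."""
    findings = []
    rules = host["firewall_rules"]
    if rules and rules[0]["action"] == "allow" and rules[0]["src"] == "any" and rules[0]["dst_port"] == "any":
        findings.append("firewall: first rule is allow ANY/ANY, so every rule below it is unreachable")
    for port in host["listening_tcp_ports"]:
        rule = first_match(rules, "tcp", port)
        if port in REMOTE_ADMIN_PORTS and rule and rule["action"] == "allow" and rule["src"] == "any":
            findings.append(f"remote admin: TCP {port} is reachable from any source address")
    for acct in host["remote_admin_accounts"]:
        if (acct["user"].lower(), acct["password"].lower()) in DEFAULT_CREDS:
            findings.append(f"credentials: account {acct['user']} still uses a vendor default password")
    if host["os_patch_lag_days"] > MAX_PATCH_LAG_DAYS:
        findings.append(f"patching: OS is {host['os_patch_lag_days']} days behind")
    if not host["av_installed"]:
        findings.append("endpoint: no anti-virus on the POS terminal")
    if host["eventlog"]["retention_days"] < MIN_LOG_RETENTION_DAYS:
        findings.append("logging: retention below one year; size-based overwrite will destroy evidence")
    return findings
```

Run against the constructed host it reports six findings, one per deficiency in the story; a host whose first rule restricts the source network and whose accounts and logging meet the thresholds yields none.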

We like to give our guests a bully pulpit, a chance to share what is on their mind, what makes their heart burn, even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

It depends on the audience…it would either be implement basic security controls, or STOP relying on tools to perform your investigations! Be smart, use logic, and find the data! There is no “find all evidence” button in EnCase or FTK (I think Forensicator Pro is the only tool with that feature =)

We would love to know more about you. What do you do when you are not in front of a computer?

I have a beautiful wife and two great children. When I am not nerding out, I enjoy playing with my children, going to the gym, and taking my wife on mini-vacations (being a road warrior has its perks…frequent flyer miles is one of them). We are also dedicated Christians and enjoy serving at the Christian School our children both attend. My wife teaches music there, and I am the volunteer IT director.