Shmoocon Labs 2012 Part 2

So this year I have asked people who have contributed to Labs to write up their experiences. Here is the first one, from Alex/@bluejaytkd. I want to thank Alex for taking the time to do this!

If you haven’t listened to Ep1 of the Roc Sec Podcast, a bunch of the core Labs guys talked about what goes into preparing and executing Shmoocon Labs.

My (@bluejaytkd) Shmoocon labs experience

Feeling lucky

Sitting at my desk at work on November 1st, I had an off-the-cuff moment and decided to try and get a Shmoocon barcode. I had tried for years and always got overrun in the yearly F5 bash. But I figured, what the heck? To my absolute shock after hitting F5 at high noon, the site asked me how many tickets I wanted! Once my heart rate slowed back down, I ordered my ticket and started making plans to be out of work for a few days in January.

Getting started

Upon getting to Labs on Thursday, I knew we would be setting up the conference networks in a nonstop thrash. I’ll admit that as a first timer I was nervous about how good the crew would be and whether I could contribute. I’m a home network enthusiast after all, not a sys admin or network admin professionally. Going out to breakfast with the team, I tried to figure out if I was in over my head. There are people in this group who have written tools that many people use daily and know well. However, this did not turn out to be an issue, since there was always a cable to run or an interface to learn. Everyone was really friendly and willing to teach new techniques to n00bs. After a short amount of time everyone found a niche to work in, and we all settled down to get the network done.

I was assigned to the network monitoring and SIEM teams and worked to help set up our tools on several pieces of hardware provided by other labs attendees or vendors. By the end of the day we had a pretty solid working network and logging ready to go. Now we were transitioning into lab operations mode and looked forward to the next day when the conference would begin.

Getting comfortable

Once I had gotten through day one of the conference, had seen how the technical work of the conference would be handled, and been out to dinner with some of my fellow labs attendees, I was feeling a bit more comfortable and up to speed with how things would go.

On the network monitoring team we used a Linux distribution called Security Onion, which is an installable version of Linux with all of the network security monitoring tools baked in. We were curious to see how this tool would work under the conference traffic load. And this is one of the main ideas of Shmoocon Labs: try to use whatever tools you want in a truly challenging environment. It was a great way for me to learn in the deep end and see how tools really work under a load. Under Security Onion, we ran Bro IDS, Snort, Snorby, phpMyAdmin, and Sguil. On the SIEM team, they ran OSSIM and OSSEC as well as Nitro Security IDS. We watched the dashboards for threats and spent the rest of the time playing with the data and trying different ways of querying our logs and information to see if we could find a new way to look at the traffic we were seeing.

Maximizing the conference

* I did find that as with most conferences, morning is a quiet time and, if you get in at 8 am, you can have some time to work and play with the Labs setup while it is still quiet and not too crazy.

* Labs offers a great learning tool. It is hard to re-create a real world environment to play with at home. At Shmoocon there’s a great playground for learning with no repercussions due to unwanted snooping through data.

* Make time to hang out with your fellow Labs attendees. Some of the best conversations, connections and learning that I had at the conference were around a dinner table or over drinks. I plan to keep in contact with everyone I met at Labs. This blog post itself came out of the experience!

Looking back

Was my first Shmoocon and Shmoocon Labs experience worth it? Absolutely. You may not get as much time to go to talks (although I saw plenty of them), and you may not get quite as much partying time (although you will get a wristband to the Saturday party). But how often do you get to help set up and run a network in a hostile environment where you get some new toys to play with and you are encouraged to experiment? I imagine we all would call that a dream scenario. I learned more than I could have imagined over the weekend and am playing with many new tools in my home lab as a result. I would echo what most of my fellow Labs alumni said in post-con emails: “If I can get a barcode… I’ll definitely be back!”

Ed.: Let us know what you think in the comments; please be nice!