If you were tasked to put together a forensic toolkit with 25 tools or fewer, chances are Wireshark would be one of those tools, especially if you planned on dealing with packet captures. Because it is free, open source, and cross-platform, Wireshark makes a great packet capture and analysis tool for just about any forensic toolkit. Nevertheless, this staple tool has been around for so long (think back to the days of Ethereal) that we sometimes take it for granted. In this article we will explore a few tips and tricks that highlight why we like this tool so much.
By Tony Lee, Scientist at FireEye, Inc.
Jason Bevis, Managing Principal at FireEye Labs
Creating and Maintaining a SOC
The details behind successful security operations centers.
by Jason Bevis (CISSP, ISSMP, CRISC)
Combating the Insider Security Threat – A Security Awareness Exercise
by Jason Bevis (CISSP, ISSMP)
Errr, I’d like to see your paper but I get a 404 file not found message.
Clearly I have been socially engineered to expect a paper.
It’s a fair cop.
I fell for it.
My apologies Gary, I was doing some clean up and must have dropped the PDF. It should be working now.
Like I mentioned in previous posts I get really frustrated with broken links, so I appreciate the comment. At least I can control this one and get it fixed ASAP.
Thanks Jason.
That’s an unusual approach to a common problem, although I doubt any organization I’ve worked with/for would be brave enough to try it! Penetration tests using social engineering techniques are increasingly popular and (as we know) have no shortage of findings in that area. The hard part remains how to address the threat of social engineering. Pen tests are usually conducted by third party specialists under contracts with plenty of ‘get out of jail free’ clauses. Having a ‘mole in the camp’ expose the organization’s vulnerabilities at a security awareness seminar would be a powerful wake-up call. The mole would have to be very good, though, to fit in with the team and escape detection. Even ignoring the CV falsifications and implied lack of competence in their notional team role, excessive shoulder surfing, dumpster diving etc. by someone within a project team would risk bringing their strange behavior to notice and once their cover was blown, the project team would most likely react negatively. Nobody likes being spied upon.
Anyway, thanks for getting me thinking. I’m always on the look-out for new security awareness ideas.
Best wishes,
G.
Gary,
Thanks again for the comments. Although the idea is somewhat new, I have seen organizations apply similar tactics; however, the assessment is not done using a mole, it's done with random inspections. The biggest criticism I'm told when I explain this approach is in regards to delaying a project.
Hi Jason.
‘Random inspections’ are one method of checking and demonstrating the organization’s vulnerability to social engineering, certainly, as are pen tests, internal audits, management reviews, studies etc. etc. But still my point is that finding such vulnerabilities is the easy bit: closing them is a different kettle of fish.
One idea I favor is to use actual social engineering and other information security incidents to spice up security awareness and training presentations, case studies, newsletters and the like. There are plenty of examples in the news media and on the web, although genuine incidents from within the organization itself carry more weight. The key issue is to get management to accept that the benefits of internal disclosure outweigh the grief of those implicated in the incident; anonymous reporting may help.
Like I said, thanks for the thought-provoking paper.
Gary.