Highlighter Super Users Series: Post 2

Back in November I published the first interview from the Highlighter™ Super Users blog series. My goal with this series is to shed some light on all the great things that can be achieved using this freeware tool. In part 2, I interviewed toolsmith author and HolisticInfoSec.org webmaster, Russ McRee.

Super User Interview #2: Russ McRee

Russ McRee is the author of ISSA Journal's toolsmith series and runs HolisticInfoSec.org. In October 2011 Russ contacted me to discuss Highlighter in that month's issue of the ISSA Journal, and later for the nomination of Highlighter for the 2011 Toolsmith Tool of the Year. As someone who has analyzed Highlighter's effectiveness as a forensics tool for his own articles, I asked him to answer a few questions based on his experience with the freeware tool.

  1. Name
    Russ McRee
  2. Realm of work
    Security Analytics (security incident management, security monitoring, attack and penetration testing).
  3. How did you hear of Highlighter?
    I watch the websites and check for tool updates.
  4. Do you know of any other tools that do what Highlighter does?
    Log Parser, Log Parser Lizard, Log Parser Studio, Splunk
  5. How do you normally use Highlighter?
    I mainly use Highlighter for log analysis, forensic investigations, demonstrations and research (see http://www.youtube.com/watch?v=w0uOCOINrWY and https://www.sans.org/reading_room/whitepapers/logging/evil-lens-web-logs_33950)
  6. Can you describe one scenario in which Highlighter helped you find evil and/or solve crime?
    I had a recent mysterious case of core utility files and binaries gone missing from very important infrastructure management servers that initially looked malicious and intentional. Using Highlighter for analysis of Windows event logs led to the discovery of a sync job gone awry (misconfiguration) in the Application log via time stamp matching and keyword highlights.
  7. On a scale from 1 (worst) to 5 (best), how well does Highlighter address your use case(s)?
    4
  8. What is missing from Highlighter for your use case(s)?
    Word wrap option
  9. What is one Highlighter feature addition that would serve the Information Security community best?
    Potential DB support
  10. Are you aware of, or have you used, any of the following features:
    • Activity Over Time feature that lets you view log data as a function of Entries Per Day
      No, I was not aware.
    • Hotkeys feature
      Yes, I was aware of this feature.
    • Ability to change basic font settings for your output
      Yes, I was aware of this feature.
  11. Have you ever seen Highlighter used in such a way that your eyeballs melted from all the Awesome?
    My eyeballs melted from the awesome when I stuffed Highlighter with a 2.44GB Swatch log file during large file testing while writing October 2011's toolsmith. It took a little time to load and format (to be expected), but it handled 24,502,412 log entries admirably (no choking). I threw a query for a specific inode at it and Highlighter tagged 1930 hits across 25 million+ lines in ten minutes.
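The Application-log investigation Russ describes in question 6 comes down to two operations: tag every entry that matches a keyword, then look at the entries around a hit's timestamp to see what else happened in that window. The script below is an added example (not Highlighter's code and not from the interview) that does both over a constructed set of exported event-log lines; the hostnames, paths, event IDs and the SyncService source are all made up for the illustration, and the per-day count at the end mirrors the "Activity Over Time" view from question 10.

```python
"""Keyword tagging and timestamp-window matching over exported Windows
Application log entries. Added example; log lines are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in "timestamp,level,source,event_id,message" form.
# The sync profile, paths and hostnames are invented for the example.
SAMPLE_LOG = r"""
2011-09-14 02:00:00,Information,SyncService,1000,Sync job started: profile mgmt-mirror
2011-09-14 02:00:07,Warning,SyncService,1012,Source path \\mirror01\tools is empty
2011-09-14 02:00:09,Information,SyncService,1020,Mirror mode: deleting 412 files from C:\Tools
2011-09-14 02:00:10,Information,SyncService,1020,Mirror mode: deleting 38 files from C:\Windows\System32\mgmt
2011-09-14 02:00:31,Information,SyncService,1001,Sync job finished: profile mgmt-mirror
2011-09-14 08:15:02,Information,Monitoring,2000,Health check: C:\Tools\inventory.exe missing
2011-09-14 08:15:02,Information,Monitoring,2000,Health check: C:\Tools\collect.exe missing
2011-09-15 02:00:00,Information,SyncService,1000,Sync job started: profile mgmt-mirror
"""


@dataclass
class Entry:
    ts: datetime
    level: str
    source: str
    event_id: int
    message: str


def parse_entries(text: str) -> List[Entry]:
    """Split each non-empty line into its five fields; the message may itself contain commas."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, level, source, event_id, message = line.split(",", 4)
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             level, source, int(event_id), message))
    return entries


def keyword_hits(entries: List[Entry], keywords: List[str]) -> List[Entry]:
    """The 'highlight' step: every entry whose message contains any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e.message.lower() for k in wanted)]


def entries_near(entries: List[Entry], anchor: datetime, window_seconds: int) -> List[Entry]:
    """The 'timestamp matching' step: everything within +/- window_seconds of an anchor time."""
    delta = timedelta(seconds=window_seconds)
    return [e for e in entries if abs(e.ts - anchor) <= delta]


def entries_per_day(entries: List[Entry]) -> Dict[str, int]:
    """Entries per calendar day, keyed by ISO date, like an Activity Over Time view."""
    return dict(Counter(e.ts.date().isoformat() for e in entries))


def investigate(text: str, symptom: str = "missing", window_seconds: int = 60) -> dict:
    """Start from the symptom ('missing' files), look back 24h for deletions,
    then pull the log window around the first deletion to explain it."""
    entries = parse_entries(text)
    symptoms = keyword_hits(entries, [symptom])
    if not symptoms:
        return {"symptoms": [], "deletions": [], "context": []}
    first = symptoms[0].ts
    deletions = [e for e in keyword_hits(entries, ["deleting"])
                 if first - timedelta(hours=24) <= e.ts <= first]
    context = entries_near(entries, deletions[0].ts, window_seconds) if deletions else []
    return {"symptoms": symptoms, "deletions": deletions, "context": context}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG)
    for e in result["context"]:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.source} {e.event_id} {e.message}")
    print(entries_per_day(parse_entries(SAMPLE_LOG)))
```

On the sample, the two "missing" health-check entries lead back to two "deleting" entries, and the 60-second window around the first of them contains the whole sync job, including the warning that the source path was empty, which is the misconfiguration rather than an intrusion.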

Keep an eye out for the final post in the Highlighter Super Users Series. If you're interested in sharing your own experiences with this tool, please let me know by commenting below.

Career Paths in Cybersecurity Interview Series: Jed Mitten, Principal Consultant

Recently, I caught up with M-Unition bloggers Willi Ballenthin and Jed Mitten to discuss their career paths in cybersecurity. Today's blog post focuses on Jed, a principal consultant who has been with Mandiant for over five years.

Helena Brito: Jed, how did you get interested in cybersecurity?

Jed Mitten: Well, when I was an undergrad my focus was on computer science: programming, data structure and algorithm analysis. The idea of virus detection was still really hot at the time and developing heuristics sounded very cool to me. While I was working on my Bachelor's Degree I got interested in learning more about cybersecurity, so I took a class specifically on it and found it to be quite interesting. It also helped that a pretty great instructor was running the class. So that was my first taste of actual information security and, after I graduated, I wrote personnel management applications for two years in the government sector.

Halfway through that second year of programming, I realized I was not following my passion. I researched some graduate programs and found the Information Networking Institute at Carnegie Mellon University best fit my interests. Near the end of my time at CMU, I was approached by an alumnus of the INI who had begun working at Mandiant. I found the company to be a good fit for me and decided to join. I've been with Mandiant ever since.

Helena Brito: At Mandiant you're well-known for creating one of our most popular tools, Highlighter™. Do you want to give some background on Highlighter and tell our readers what inspired you and Jason Luttgens (co-creator of the tool) to make this freeware tool?

Jed Mitten: Well, I had the good fortune of sitting in the same cubicle as Jason when Mandiant moved into its first office in Alexandria, VA. One day, Jason was doing some of his magic and came across a problem of getting rid of data in log files that he knew was good. He didn't want it to bog him down visually while looking for stuff. Literally the next day Jason wrote a program called "Get Out of My Face." He showed it to me and we discussed what else could be done with the tool, such as statistics. So we hashed it around a little bit and gave the tool to some of our consultant buddies in the company, and a few external to Mandiant.

Through that process we got some pretty amazing feedback that eventually created the first iteration of Highlighter. The tool has been improving slowly but surely as the Highlighter community - a larger community now - uses it and asks for specific requests.

Helena Brito: I see that you are a member of the M-Unition blog team. Do you have any upcoming posts that you'd like to talk about or any ideas for posts that you want to write in 2013?

Jed Mitten: Recently, I reached out to some Highlighter super users and created a series based on interviews with those users. The first post from that series just went up. Generally, I'd like to do some more posts on Highlighter; tips and tricks on some features that aren't currently used as much as more well-known features. I don't get much time for research in my daily life, but when I do I'll share it.

Helena Brito: You moved out to San Diego, California about a year-and-a-half ago. In that time, what have you done to get involved with the local tech communities out there?

Jed Mitten: Luckily, there's a lot of tech in San Diego, specifically biotech and military. Because of this I've had an opportunity to connect with some of the locals that may not do the same work I do, but work in the same security space. Whether they're developers, forensic analysts or on the penetration testing side, we all learn from one another.

I've joined local chapters of professional organizations such as HTCIA (High-Tech Crime Association) and ISSA. I hope to check out the B-Sides in Los Angeles and maybe head up to Silicon Valley once in a while to check out the industry in that area.

Helena Brito: Is there any advice you'd like to give to people who are just getting out of school and are interested in a career in cybersecurity?

Jed Mitten: I've been asked this question a few times in my life and I sort of see three paths to get to where I am or to get to a similar, perhaps lateral, place to where I am. The first path is through the military. I know some really excellent, super-technically-savvy, creative people that came out of the military. I only met them at Mandiant, and it was kind of an eye-opener because I got to see firsthand the quality experience the military can offer people in infosec.

The second path is formal education, which was my personal path. I went to college, started at a two-year university and moved to a four-year and then went on to grad school. The education path allowed me to choose my own adventure to get to where I wanted to go. However, it's important to note that I had a clear vision for what I wanted and that helped keep me focused. Having a clear vision for your career is very important, I believe. No matter where you start, having a clear vision of where you want to end up will keep you on the right track.

The third path is for those who are just so interested in the topic of security that they follow their passion. They may have formal education, but it may not be in the career that they've chosen within security, so they get active in the community and push themselves into what they want to focus on. Having a mentor to look up to with this path is crucial as they can guide you and offer support.

Helena Brito: Thank you Jed for discussing your career path in cybersecurity. I know our readers will learn a lot from your personal experience as an infosec professional.

Highlighter Super Users Series: Post 1

The Highlighter™ Super Users series is a little something I've put together to reach out to the Highlighter community. As a user of this freeware tool from Mandiant, I want you to know there are many users out there who can help you get through your log analysis paralysis. This series is meant to highlight (see what I did there?) how some users have solved a range of problems using Highlighter. These interviews will provide insight into the benefits and pitfalls of using Highlighter, some features you may not be aware of, and a few use cases you may not have considered.

Super User Interview #1: Ken Johnson

Ken Johnson is one of Highlighter's Twitter-friendly users. He is a malware analyst and incident responder extraordinaire, fighting evil one keyword search at a time. He is known as @patories on Twitter; I reached out to him and asked some questions about his experience using Highlighter.

  1. Name
    Ken Johnson
  2. Realm of work
    My primary work is focused on malware analysis and incident response. Occasionally I also do some forensics work.
  3. How did you hear about Highlighter?
    I first saw Highlighter when I was familiarizing myself with free tools. I have used Memoryze™ previously.
  4. Do you know of any other tools that do what Highlighter does?
    Highlighter is the only tool I know of, and it does what I need so I haven't looked for others.
  5. How do you normally use Highlighter?
    I use Highlighter to trim out known good traffic from proxy logs. This helps get to the unknown stuff quicker. When logs can be multiple gigabytes this is a time saver.
  6. Can you describe one scenario in which Highlighter helped you find evil and/or solve crime?
    On more than one occasion I have used Highlighter to narrow down proxy log traffic to find connections that are malicious. There was an instance about 2 months ago where users fell for a phish. We used Highlighter to find the C&C IPs that machines kept calling home to, by filtering out what was normal and analyzing what was left. Highlighter helped find almost 50 IPs/URLs that were malicious.
  7. On a scale from 1 (worst) to 5 (best), how well does Highlighter address your use case(s)?
    I would have to give Highlighter a 4.
  8. What is missing from Highlighter for your use case(s)?
    I would like to have the ability to whitelist traffic so I do not have to manually keep removing internal hosts that we see. This may be in the program and I have not found it.
  9. What is one Highlighter feature addition that would serve the Information Security community best?
    I think the ability to whitelist hostnames would be a nice addition.
  10. Are you aware of, or have you used, any of the following features:
    • Activity Over Time feature that lets you view log data as a function of Entries Per Day
      No, I was not aware of this one.
    • Ability to change basic font settings for your output
      I know it is there, but for my use this is never used.
  11. Have you ever seen Highlighter used in such a way that your eyeballs melted from all the Awesome?
    I have only seen myself use it, but I have seen my co-workers' eyeballs melt when I show them the awesomeness that they can do. Some are still stuck in the grep world...
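Ken's workflow in questions 5 and 6 is subtractive: remove the proxy traffic you already know is good and study what remains, and his wish in questions 8 and 9 is a whitelist so the same internal hosts do not have to be removed by hand every time. The script below is an added example, not Highlighter's code and not from the interview, that applies exactly that whitelist over a constructed proxy log: allowed hostname suffixes and internal address ranges are dropped, and what is left is summarised by destination with a count of how many distinct clients contacted it, which is what makes a shared C&C address stand out. The log format, the `.example`/`.invalid` hostnames, the documentation-range IP and the allow-list values are all invented for the illustration.

```python
"""Whitelist-based reduction of a proxy log, then a per-destination summary
of what remains. Added example; the log lines and allow-list are constructed."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample in "epoch client method url status" form. 198.51.100.23 is
# a documentation-range address standing in for an unknown external host.
SAMPLE_PROXY_LOG = """\
1355253600.101 10.1.2.15 GET http://intranet.corp.example/home 200
1355253601.220 10.1.2.15 GET http://updates.vendor.example/catalog.xml 200
1355253602.004 10.1.2.15 POST http://198.51.100.23/gate.php 200
1355253660.330 10.1.2.16 GET http://mail.corp.example/owa/ 200
1355253662.118 10.1.2.16 POST http://198.51.100.23/gate.php 200
1355253670.500 10.1.2.17 GET http://10.1.5.5:8080/status 200
1355253720.011 10.1.2.15 POST http://198.51.100.23/gate.php 200
1355253731.900 10.1.2.18 GET http://cdn.vendor.example/lib.js 304
1355253740.442 10.1.2.16 GET http://stats.example/x.gif 200
"""

# Constructed allow-list: hostname suffixes (exact host or any subdomain) and
# internal destination networks that should never need manual removal.
ALLOWED_SUFFIXES = ("corp.example", "vendor.example")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_proxy_log(text: str) -> List[dict]:
    """One dict per line; the destination host is taken from the URL."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        rows.append({"ts": float(ts), "client": client, "method": method,
                     "host": urlsplit(url).hostname, "url": url, "status": int(status)})
    return rows


def is_known_good(host: str, suffixes=ALLOWED_SUFFIXES, nets=INTERNAL_NETS) -> bool:
    """True if the host is on the suffix allow-list or is an internal IP address."""
    if any(host == s or host.endswith("." + s) for s in suffixes):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:        # a hostname, not an address
        return False
    return any(addr in net for net in nets)


def remove_known_good(rows: List[dict], suffixes=ALLOWED_SUFFIXES, nets=INTERNAL_NETS) -> List[dict]:
    """The 'filter out what was normal' step."""
    return [r for r in rows if not is_known_good(r["host"], suffixes, nets)]


def summarize_remaining(rows: List[dict]) -> List[Tuple[str, int, int]]:
    """(host, request count, distinct clients), hosts shared by the most clients first."""
    hits: Dict[str, int] = Counter(r["host"] for r in rows)
    clients = defaultdict(set)
    for r in rows:
        clients[r["host"]].add(r["client"])
    return sorted(((h, hits[h], len(clients[h])) for h in hits),
                  key=lambda t: (-t[2], -t[1], t[0]))


if __name__ == "__main__":
    remaining = remove_known_good(parse_proxy_log(SAMPLE_PROXY_LOG))
    for host, n, distinct in summarize_remaining(remaining):
        print(f"{host:20} requests={n:3} clients={distinct}")
```

Suffix matching is deliberate: allowing `corp.example` covers `mail.corp.example` as well, but a lookalike such as `corp.example.invalid` does not end in `.corp.example` and stays in the remaining set for review.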

Keep an eye out for the second post in the Highlighter Super Users Series featuring Russ McRee, author of ISSA Journal's toolsmith series and mastermind behind www.holisticinfosec.org. If you're interested in sharing your own experiences with this tool, please let me know by commenting below.

Highlighter v1.1.2 Released

Hey, guess what?! MANDIANT has just released Highlighter v1.1.2 in response to your feedback - a fix for one particularly nagging issue with highlights and removals not updating the view immediately, and a few extra items thrown in to make Highlighter a little nicer to use.

Wipe the cheesy poofs off your fingers and head to the download page to check out the updates.

We have listened to your suggestions on how to improve this tool and have worked hard to make it a prime source for rapid review of logs and other structured text files.

New Feature:

  • Ability to change the display font. (Look in the menu under File -> Font.)

Improvements:

  • Selecting text in the display will now more accurately line up with the mouse pointer.
  • The display will now remain at the same point in the file after removing or restoring lines.

Fixes:

  • Display refresh issues in Windows 7.
  • In some cases, state files did not properly store and restore state.