Attackers can do so much in memory these days and not touch the disk, especially with things like PowerShell to abuse. In walks a talk to help combat that: Taking Hunting to the Next Level Hunting in Memory by Jared Atkinson and Joe Desimone. And the code released to do it: Get-InjectedThread.ps1. Talk was also given in May at SANS Threat Hunting and Incident Response Summit 2017, and while I don’t have a video link for it, the PDF of the slides is available. If some of this sounds familiar, one of the presenters is from Endgame which is where I recently linked another similar blog post from.
I’ve recently started looking into getting casually involved in CTF competitions in the infosec space. And a common question I hear is: What’s the point of doing them? Often these competitions have almost trivia-like questions that involve knowledge, some meatspace social engineering or lock picking, radio manipulation, pcap analysis, malware analysis, image analysis, decoding/decryption, reverse engineering, network service fuzzing, and so on. Sometimes, you either know it or you don’t, and if you learn it on the fly, you’ve eaten up your time to do the rest.
Well, the answer isn’t a direct one. Do you learn key infosec skills? Probably not directly.
But you do learn how to do things you sort of already know faster and better. Like knowing a bit of Python and then banging out a few snippets for some challenges. +2 to Python skill!
You also pick up the ability to do cheap, quick little things like that you can emulate in the day-job to analyze (quickly) some new exploit code that is released, or troubleshoot something quickly at work, or manipulate and fuzz a new app for a project.
It’s about practice, and in a sort of intense time-bound moment.
It’s about exposure to a few new concepts and skills that can be picked up.
It’s about meeting others and sharing some notes to get better and pick up those new skills easier.
But, if I had to just give one answer, it’s the common answer for those that desire to be an expert in something: practice, practice, practice.
This week I read an article, The Cult of Passion, from Chris Sanders. I didn’t like it much at all at first. But then I liked it, and now I really kinda don’t like it again. I think it’s just the tone of the piece; it’s very Tumblr-esque. It’s very “use the term properly, damnit!” even though we all do (mostly) end up using it in the same way, though definitely blurring denotation and connotation together. Do we really have to convince everyone that the phrase, “I have a passion for security,” is unhealthy, or do we all really know what we mean?
(I originally wrote more about what I disliked, but I wanted to cut that down and yet still keep my points. Basically, I don’t like the assertion that passion can’t be measured so we can’t evaluate it. I think, between the lines, Chris is trying to say that the person who does “infosec” 20 hours a day is not necessarily better than the person with a better work-life balance, or something like that. I just don’t like the way he frames it. I also didn’t like the miss that we are actually paying to do infosec all day, in terms of hours of our life and time. Now, granted, we are paid money in return, but make no mistake we are still paying to some degree. I also don’t like the blind assertion that other professions clock out after 8-10 hours. Anyway, moving to the positive…)
Regardless the tone and whether I like the full article or not, there are some absolutely excellent points, all centered around what we love doing. It’s a good idea to say, “If you didn’t get paid, would you still come in to work?” “If you had to pay to do infosec, would you?” Personally, I like to ask, “If I was income neutral, what would I enjoy doing as a job?” And this also goes into deciding what passions I might have outside of work, for instance, “What do I do when not at work to be happy? What hobbies do I spend the money I made on?” (Note: I emphasize the one question in this paragraph, as it’s a key question I ponder through my life, and one that could be it’s own chapter in a book. I look at my resultant answers, and balance that against whether those other ideas are just post-lottery-winning ideas or things I can actually make a living doing.)
The above faults aside, the other questions are excellent. Infosec is often a resultant pursuit due to passions in more fundamental things. And if nothing else, this article has allowed me to get a little bit beyond, “Well, I have a passion for infosec,” and actually look into why that is. Infosec is a result of other, more fundamental passions.
I love solving problems, puzzles, riddles, and mysteries (thanks Encyclopedia Brown and childhood puzzle books!).
I love organizing things, lists, planning, and seeing a well-oiled machine work, both today and more long-term. (thanks science background/interest!).
I love creating solutions to problems. This includes using creativity and imagination (thanks gaming and reading as an only-child!).
And (probably the most common one we collectively get correct) I love learning new things (curiosity and the information gap) and creative (and objective!) ways to use technology and do all of the above (thanks brain!).
For me, I have fairly equal parts objective knowledge application/observation as well as subjective creativity and imagination. I do require these both to be addressed month-to-month. This means I can’t just create new things or harbor ephemeral ideas all month, but I also can’t just read balance sheet numbers for a month. (Interesting to note that coding is a strange middle ground in today’s IT environment) I need a bit of both, and honestly, most of IT supplies that in spades as long as my role isn’t in such a large company that I am only nose-deep in one thing week after week. For many people, it might be that they require doing different things here and there lest they become bored; but for me, there’s reason behind the desire for a little variety.
I probably have a little bit of a love for catching bad guys doing bad things; even if that means catching innocent people making mostly innocent mistakes that fall outside the lines (is it schadenfreude [BOFH!] or hall monitor syndrome?). I want to make sure things are still operating as they need to be operating. (I like to look at it like I’m teaching how to properly do something.)
I honestly also feel like I have a passion for teaching and sharing knowledge with others in a way that doesn’t come across as egotistical. I can also communicate well enough to tailor my delivery to the technical levels of my audience, and I take some pride in that. I’ve worked with non-technical clients, non-to-mostly-technical coworkers, and technical colleagues.
Pulling from my hobbies, I love a little bit of friendly competition (multiplayer gaming). I love using my imagination (reading, even solo gaming), I love creating something (I don’t stoke this enough, but maybe cosplay soon), I love possessing comfort items but I also love keeping things simple. I love using my senses (food, music, movies, clouds, wind, weather, candles, a bit of drink, exercise). And I love more learning and engagement with friends over all of the above or some new experiences.
So, I love lots of things that show my passion. Do I have gaps or weaknesses that are borne out of personality or shaped by my experiences in life over the past decades? Yes. Chris mentions that imposter syndrome, and I know I do suffer from that; I have this inherent dislike/distrust of other people, but I also seem to have this inherent unfounded respect of other people I don’t know, or rather I attribute competence to other people without any proof (we can talk about philosophy and metaphysics another time over whisky). That usually only lasts until I find my voice amongst new people or roles. How do I fix this? Just keep myself surrounded by other infosec people so I realize that I’m at least as good as most everyone else. By forcing myself to speak up. By also forcing myself to fail and be better for it!
I’m terrible meeting new people. I’m a typical introvert where I am terrible about initial small talk. It’s not an inherent thing to be interested in other people who aren’t already close friends. I make friends slowly, and often find myself assuming someone would rather not talk than shoot the shit for a bit (since, usually, I feel that way!). I’m super easy to get along with, I don’t actually have terrible social anxiety, but I tend to be the quiet one in the corner. And while I always come out of that shell, it just often seems to take some time and effort to do that. How do I fix this? Just smile and try to ask questions I actually want answered by a stranger. Actually try to be interested in others in general; they all know something I don’t!
I’ve worked in IT for the past 15 years, and for all of those years, training and organized learning on the job (outside of troubleshooting something and learning from it) were luxuries that I never had time or backing to pursue. That was all own time pursuits and things that were outside the budget. As a result, I feel like I need to have my working days filled with actual work. I’m not sure this is a me thing or rather shaped by my managers of the past 10 years that required such time-spend reports every week.
Due to some of my managers and company cultures and combined with the occasional imposter syndrome issue, this does end up causing me to be a little risk averse, more so when my manager is hyper risk averse. This means failure is a bad thing, which can mean I end up not trying something and coming out neutral rather than trying and failing. Now, keep in mind most of my background is in Sysadmin/Ops; I feel security itself is far more forgiving of trying new things, as long as they don’t land the company on the news headlines due to a breach. But my science and tech background means lots of fails are useful data and contribute to learning! So I love failing, but it does strike a strange situation where my environment screams Don’t Fail and yet I sort of want to do something and try it out with X% risk of failing. It’s something I have to deal with consciously with both me, but also probably more so my environment. We’re humans in a human world; it’s ok. And as long as people aren’t dying, life will go on. I’ve worked in a company that said, “Innovate and try new things!” while at the very same time whispering, “Failure is not acceptable.” It’s a cultural red flag that I keep in mind during job searches.
All of this leads me to another related topic: what do I want to do? I’ve looked at framing this quest(ion) not long ago in a post from last winter: security job areas.
So, what do I want to do all day that I’ll love doing, and just happen to get paid to do? (Yes, there’s tons of other things to think about, such as the team, manager, company, and other things that influence happiness, but let’s assume the best here.) What sucks is I find myself just listing all the infosec roles (except maybe management and SOC analyst)! But I’ll try to rank things a little bit here.
red teaming – sounds so fun and varied, plus gives good, actionable value in return to clients
pen testing – solving problems and analyzing an environment are fun.
vulnerability assessment/management – much the same as above, just a little more structured and formulaic
security advising, consulting – quite varied, from high level concepts to low level step by step advice.
risk, compliance reviews, auditor, policies to find gaps and advise on proper steps/evidence
incident response/malware analysis
web application pen testing and reviews
Does this mean I’d hate doing the other things? Absolutely not. Honestly, other than being a third shift SOC analyst in a large company or just a initial provisioning tech in an MSSP, I’d likely be happy with most any infosec role.
So, this turned out to be a lotta introspection, and I even hesitated to even post it. But what does this mean for me tomorrow, next month, this year, and in 5 years? It gives me a way to evaluate what I want to do, for work, in each of those time periods. It also gives me an idea of an end goal (let’s just say a blend of red team/pen testing/vuln assessments/audits/consulting) which in turn gives me a chance to look at my gaps in getting there. Do I lack some certifications or training on the CV? Do I lack certain knowledge and skill I can pick up on my own time? What tasks do I want to grab at work tomorrow? And what opportunities should I keep my eye open for and jump at the moment they appear? It’s good stuff, and I think I maybe already knew some of this, particularly with my OSCP learning earlier this year, and continued CTF/Hack lab efforts.
BHIS has a build post for an updated hashcat password cracking workhorse system. Pretty cool! It almost makes me sad to think about building a system and not use it for gaming, but it certainly makes sense if you need to crack hashes on a very regular basis. For less needy setups, the main goal is Ubuntu 16.04 + NVidia + Hashcat appearing to all work together with no fuss at all. From there, just slap together what you can afford or need or fit into your space, casewise. For me, I’ve built gaming systems for almost 15 years, all with water cooling, so I would continue to make that a necessary build piece for the quieter operation. Though, to be honest, GPU fans these days (that I’ve heard) are surprisingly quiet when new. And the all-in-one CPU cooling loops are super convenient.
Any time I’m building a system, I honestly still spend some months researching on the HardOCP forums. Been a member for so long, and it’s still a great community to ask questions of.
Not much to say about it yet, but this is the OWASP Testing Guide v4. I’ve just not marked this yet, so wanted to get it put in here for future reference. I’ll likely add a link on the side when I do an update.
Every day, there are posts on infosec social media about getting into the field. And every day there are replies with a variety of answers. It’s a pretty hot topic, and has been for a long time, though probably fueled a little bit more than usual this year due to Mr. Robot and recent job reports about a void in infosec candidates. It’s probably also impacted by the feeling that, “I don’t know enough to be in security, these guys are pros!” and the subsequent perceived need to learn more.
I penned this yesterday to link to a blog post attempting to be a source to point such questions to, but scrapped it thinking it wasn’t useful enough. Today, I see the author has extended the list to be far more interesting and broad! And make no mistake; this is a hard question to answer, since every role is a little different and we all bring various bodies of knowledge and experience into the field from where we’ve tread previous; some new to linux, some new to windows, and so on.
Is the list perfect? Of course not, but it offers lots and lots of ideas for someone with questions about how to get a foot into the industry.
News about the disclosure of RNC files is everywhere this week. But I just want to point to a comment thread about the topic over on Reddit. News like this is very watered down, usually, and we don’t get proper context due to lack of back-and-forth. Though, to be fair, UpGuard’s write-up is pretty thorough!
What’s the bottom-line deal? Data that should have been private was placed onto Amazon’s S3 cloud platform, and then made public without proper access control in place. Someone found it. Game over.
Mistakes (and it likely is just a mistake) like this are made all the time, but they usually get made behind the curtain of a private network. None of us hear about them, and they likely don’t get abused, or if they do, it’s found and fixed silently. But those mistakes made on the public cloud platforms becomes a very big deal. Get smurt about cloud security! Companies cannot treat data in the cloud with the same lack of care that they do with internal privileges and access.
I saw a talk the other week about Software Defined Radios and how they work, plus how to get into the hobby. One thing I felt was just minorly missing was some context on how useful SDR may be. Just today, I saw a link on Reddit to another Intro to SDR and RF Signal Analysis. Since seeing the previous talk, I can actually begin to digest this information, but more interesting are the real world applications near the lower half of this post.
Looking for a Discord community? I ran across The Penetration Testing Community the other day and joined up. I cannot attest to how useful the community is yet, but they’re white hat oriented and already have plenty of participation. Seems interesting, since I usually have Discord up somewhere, just like I always have IRC up at home. (This reminds me, I haven’t had an IM program up at home in…several years…this makes me feel old and makes me sad…) Like most (all?) infosec communities, this one is a bit beginner/student-heavy in population. If you join, be sure to read the rules, as they do require you to announce yourself, though I don’t think there is any effort made to validate what you say.
Quick read of the day: Enterprise Offense: IT Operations [Part 1] – Post-Exploitation of Puppet and Ansible Servers. While not quite on the scale of pwning a full domain with AD, pwning the system that is allowed to make configuration changes at root level on many other systems is still a juicy target.
Cybersecurity spend: ROI Is the wrong metric. I normally don’t bother with some of the major publications and their news and article feeds, but this one caught my eye and I enjoyed the message being presented, even though it still falls into the same traps as other articles from these publications: they sound important, but really don’t say anything concrete or immediately actionable. Still, it’s almost there for lines like this:
How do you want your network defenders to spend their valuable time? What do you want them to accomplish? What is the 140-character Twitter line that describes the essence of that effort?
Doing some random morning news browsing, and I followed a link to “10 things you need to know before hiring penetration testers.” I love lists! I love good ones, because they’re good, and bad ones, because you can rip them up and point out good things by using the bad examples. They’re just really easy to digest. Like sushi. Anyway, so what are the tips you need to know before hiring and are they good tips? (Turns out they are!)
1. Strong Communication Skills. Ok, this article starts out strong by repeatedly mentioning something I hold very dear and consider myself to be very strong about: being able to adjust communication between deeply technical and far less technical for those not so inclined. I also really like the mention that technical skills can be taught, but communication skills are far harder. I think the one exception to this rule would be those people who are very reserved and quiet before either breaking out of their social shell or gaining that confidence and voice in what they’re saying. Some people just need past that imposter syndrome feeling, and they’re off to the races.
2. Beware of “Secret Sauce” Consultants. I didn’t understand this item from the title, but really this is talking about making sure findings are repeatable as described and accurate, and partly to know what you’re talking about for a pen testing methodology. I wish this item was longer and more expounded on, though.
3. Get Involved with the Security Community. Keep in mind this article is about things someone needs to know before hiring a pen tester, so this item is asking the hiring manager to get involved with the security community and go where the experts are. There’s not much to say about this. I’ve had managers who are technically involved and others who really just don’t know anything about the greater IT community outside the company. While both can be effective, one tends to be better tuned than the other.
4. Reputation is Everything. A really strange bullet point, but packed with very valid points. The exception, of course, will be entry level people who really do come out of nowhere, but I agree with the points that a pen tester should be known to some degree or other. They don’t have to necessarily be a keynote speaker, but participating and being involved to whatever degree and demonstrating some continued learning and passion should certainly be a factor. I really do like the parting comments about bewaring of egos and rock stars. There can be a certain level of “clubbyness” to a certain half-technical level of known speakers and infosec pundits who get really big egos and many followers/fans, but who are really only just complaining about the same things everyone else is and not offering much new other than stroking the ego.
5. Technical Acumen: Required. This seems obvious. Pen testing is not a task you can just talk your way through. Yes, you can fake it pretty well, since no one hiring you may be smart enough to call the BS (“Sorry, I couldn’t find anything wrong…”), but ultimately that will always get found out, and we start talking about the previous point about reputation. This ends up being a really good bullet point about results and understanding tools, rather than just blindly wielding automated suites.
6. Well-Rounded, Recent Experience. This is a touchy subject lately. If every pen testing position required experience, we’d never get new ones. I get the points about needing experience; I actually agree that the typical pen tester should not be fresh out of high school or probably even university. But there are exceptions and there certainly are positions next to full pen testers that entry level persons can fill. This article appeared in 2014, and today there are many more opportunities to at least practice and demonstrate and build skills in pen testing activities. But the point is still really strong. To me, pen testing really should require plenty of real world experience in, at least, IT in general.
7. Hire Passionate Hackers. Maybe my favorite bullet points on here. I’ve done some participation in interviews for fellow IT admins in the past, and I always look for what I call the “geek side” of candidates; do you geek out about this stuff at home as well as work? And so on. I know that can lead to burn out, but I find it important to be passionate and enjoy this work, and to demonstrate that and be around others with similar passion. And I echo the quote in here; I love the challenge and solving puzzles and learning, but it’s very much about helping others be more secure and make them better, whether that be fixing technical holes or educating on practices.
8. A Willingness to go Off-Script. Being creative and being able to wield those surgical tools rather than only knowing automated suites. That’s the bulk of this point, but I dig that it hints at being able to employ some tradecraft, i.e. evasion and covert practices that change with every engagement.
9. Know that a Pentest is Only Part of the Picture. Pretty obvious!
10. Don’t be Afraid of Pentesters. I like this point, too, and it’s not as obvious or one that I likely would have thought about. Don’t be afraid of the testers; include them in your operations. Don’t be afraid to direct their work/output. A really good point and a great way to close out the article.
Just a quick link drop here for future use: Breaking Out of Citrix and other Restricted Desktop Environments. This list is Windows-centric and includes some old tricks that likely don’t work anymore. But even looking at some of the older techniques illustrates the creativity involved in bypassing restrictions (and how features can be abused in unintended ways).
I tend to usually avoid vendor blogs since they are usually self-serving as far as presenting a problem in a singular way that makes their product the answer; basically marketing posts. But I do appreciate posts that offer additional knowledge beyond just the marketing slant. Endgame has a post about hunting malware threads and processes in memory. I highlight this post, because it starts out by going over various methods that malware attempts to dig into memory and hide. And then it has a paragraph about detecting things like this using a PowerShell tool, Get-InjectedThreads.
Super cool information for someone getting into malware analysis or detection.
A few months ago Microsoft changed how they tell us about product updates. Rather than give us neat little bulletins and MS18-001 style summaries, we have to now pull our own information from their repository. For most of us, this is annoying, since a month with 12 “updates” which themselves package an average of 6 actual updates for 5 affected products (30 actual patches per update, for example) used to still be one single “MS18-001 Description” entry in our ledgers. Now things are dirtier and annoying (change!).
But not all is bad. Now, enterprising persons can craft their own method and format for pulling monthly information out of the repository. Such as this code snippet which is simple enough to post here for illustration purposes, but was taken from github user JohnLaTwC:
## Uploaded by @JohnLaTwC ## Miss security bulletins? Create them yourself in a few lines of PowerShell: ## First, get an API key to the MSRC Portal API ## Sign-in in here: https://portal.msrc.microsoft.com/en-us/developer, and click on the Developer tab, click the Show button on the API key. ## Install the MSRC PowerShell cmdlets, Run in an Admin PowerShell: ## Install-Module -Name MSRCSecurityUpdates -force ## In a normal user PowerShell: Import-Module MSRCSecurityUpdates -Verbose:$false Set-MSRCApiKey -ApiKey "your-api-key" $timeperiod = Get-Date -Format yyyy-MMM # Older style report #$fname = 'MSRCSecurityUpdates' + $timeperiod + '.html' #Get-MsrcCvrfDocument -ID $timeperiod | Get-MsrcSecurityBulletinHtml | Out-File $fname #Invoke-Item $fname # Newer style report $fname_cve = 'MSRC_CVEs' + $timeperiod + '.html' Get-MsrcCvrfDocument -ID $timeperiod | Get-MsrcVulnerabilityReportHtml | Out-File $fname_cve Invoke-Item $fname_cve
This looks super simple, and it is, but that’s because the heavy lifting is in the requirements needed from the comments at the top of this code block. You need to get an API key and install the MSRC PowerShell cmdlets. Ok, that’s not really heavy, but there are options for decent-looking reports without spending a ton of time.
In a previous life, every month I would compile information about the monthly Microsoft patches. For general information, I would include the MS designation, name, description/details with context for my business, URL, and applicable KBs listed out.
I then also added a few contextual points by pulling in CVSS scores, exploitability index, MS severity, impact, and whether the details are publicly known into the same pane. I also added in the scoring for a few other key vendors/services for further context and our own personal resultant criticality.
The above report actually poops out almost all of this information. It’s not crazy pretty, but it’s not as bad as exporting directly from the repository. And it does give me much of what I had before, all told.