adding comments into wireshark and pcaps

Read a post today that blew my mind. SANS Diary made mention of adding comments into Wireshark pcaps! Holy crap that is awesome, not only to put comments into a pcap, but adding a new column into the display to show them all is an amazing way to notate a capture set.

The diary entry also talks about Moloch and CloudShark. Moloch is a tool to download/install and set up, which will take packet capture feeds and index, store/display them for easy referencing, and for adding extra comments (tags) through a web interface. This doesn’t replace an IDS, but will augment the ability to manage traffic displays and packet feeds. I can see using this to carve out and save normal traffic examples or malicious incident snippets or just as a budget-conscious way to start indexing traffic patterns.

CloudShark is a cloud or on-prem solution that will do much the same thing, only probably more polished.

The bottom line, though, is I had no idea comments could be added to pcaps in Wireshark! (Save format defaults over to pcap-ng as well, to save the extra data.)

upgrading the gaming rig for 2018

(I wrote this about a month ago, and it got stuck in drafts. But now I’m pulling it back out and letting it loose.)

I’ve watercooled my gaming systems since around 2002. My last gaming system build was actually around 2012, and since then I’ve just been coasting on that system. I reworked the water loop into two loops a few years ago, adding a closed loop over the CPU (Corsair H60) and keeping a custom build over the GPU. Very cool. About 6 months ago my day-to-day system (an older gaming system) water cooling loop got some contaminants in it (after not having had any in many years) and I had an algae explosion. Rather than clean it up or even replace parts, I just scrapped the whole system and replaced it with a spare (better!) system I had sitting around doing nothing important.

Now, this week, my main gaming system suffered my first leak ever. A reservoir/pump combo drive bay unit was seeping water somewhere inside it. While the leak didn’t damage anything, it did cause me to rip out the loop and begin the process of replacing the air cooling (fan and heat spreaders) on the GPU. Water cooling was initially done to reduce the sound of my computers; but these days, fans are larger and far quieter such that the reduction in sound is negligible anymore. Somewhere in either that process or just the process of touching/moving things that hadn’t been much touched in many years, the motherboard decided to stop posting at all. I gutted everything out, but no improvement. Well, I was actually going to look at upgrading the system next year anyway!

(PS: After much fiddling, I actually got the old motherboard posting again, but this was after I had rebuilt the system. So it’ll still see life in an ancillary machine for testing/playing.)

So I’m taking the time to upgrade the motherboard, CPU, and RAM, and SSD. What’s interesting is how gaming hardware hasn’t really changed so much in the past 5 years, such that some of my components can actually be re-used. This marks the first time I’ve done an actual large upgrade rather than just building new from scratch.

I really wanted to get an Intel i5-8400 CPU, but I can’t find any available for at least several weeks. So I decided to spend a bit more for the Intel i5-8600. This requires an 1151 socket board which is covered in 300-level motherboards. So I’m picking up a Gigabyte Z370 AORUS Gaming 5 motherboard. This means I need new DDR4 memory, so I’ll pick up 16GB of G.SKILL Ripjaw 8×2 sticks. I kept the option to keep a closed water loop on the CPU with a new Corsair H60. I also had an unused SSD sitting around, so I’m making use of that as my system drive (though my old case really wasn’t built with SSDs in on the market yet, so it’s really just kinda hanging out in there…).

I really didn’t want to make these purchases right now, but things happen. Probably my computer telling me to make use of the Steam sale-driven Skyrim Special Edition that I purchased over Thanksgiving weekend!

building your personal brand in infosec

A post by Harlan Carvey as he ties up some draft thoughts on 2017 piqued my attention. Part of the post deals with building a personal brand in infosec, which channels information from a post by CryptoCypher over on AlienVault on the same topic.

I particularly dig this bit of advice when looking to build your brand online and using a blog as a means to that: “The first step is understanding that you do not have to come up with original or innovative content. Not at all. This is probably the single most difficult obstacle to blogging for most folks.” That really is it; it’s very hard to come up with original content. Often, the best bet is to build upon or give personal opinion about other topics, or just share information/links about things that others may not have seen. If nothing else, it’s also good practice for formulating opinions and thoughts on various topics, ahead of when a VP or developer comes walking up with questions (or a sales guy slides you into an ambush at a conference!).

And I totally agree when he says this about one of the purposes of a blog: “…a blog post is a great way to showcase your ability to write a coherent sentence.” If nothing else, a blog can do that and give an employer a hit on a Google search that will demonstrate interest in the industry. Everything else accomplished beyond that is bonus.

What I’m grateful for, though, is being pointed to the other article by CryptoCypher. This article is a very complete, and actionable bit of advice for anyone in infosec. And I think the guy practices what he preaches. For instance, I’m aware of the Twitter handle and see him participate in discussions, and recognize the handle/bio image elsewhere. (Granted, it might not always be positive recollection, as things like n–bsec can teach us, but images and the people you associate with can be cleaned up with sincerity and effort and old-fashioned time.)

Getting back to the blogging part, he had this bit of truth to add: “A lot of people do not blog at all so just by having one you are already ahead of most students in that regard.” Not just students, but most professionals!

I really love the rest of his items. Getting involved in college and hackathons (or CTFs) and conferences is a huge boon of contacts and experience. I know, there are many introverted infosec insiders out there (myself included!), but there needs to be some focus on just saying, “Hi, what-do-you-do/what-brings-you-here?” to someone random at an event where you both clearly have intersecting interests to some degree.

Even more so, I love the inclusion of mentoring, though I would say this goes both ways: being mentored and being a mentor. I don’t care if the mentoring is formal in person or informal over Discord/Slack, but mentoring and teaching what you know is the best way to solidify what you actually know, and paves the way to share ideas, improvements, and consume even deeper topics. Be positive, be approachable, be helpful, be sincere.

I also believe many of us just need some friends in our lives, to share our lives with and stay on a positive track.

I also believe that we need far less mentoring than we think we do. If you can pass Sec+ or other entry level certs/material, you can truly consume anything in the industry given some measure of time and effort. Infosec is a half step up from “just” being a sys/desktop/network admin or other IT grunt. But it’s just a *half* step up. The imposter syndrome can be very real, but that devil just needs to be ignored and relegated to a basement office.

And, as the author mentions, I believe Twitter is one of the best places to cultivate a personal brand. You get immediate exposure and access to like-minded persons. Likewise, Slack and Discord and even Reddit can offer similar opportunities to get on board.

If anything is missed in all of these mentions, I think it would be developing a Github presence and populating it with some scripts and other pieces of work (it can also double as a wiki or place you keep links/resources or something).

A personal brand isn’t for everyone. There are plenty of infosec folks who do not define themselves by their day job; they do not hang out on Twitter with us or go to more than 1 local con every few years. They probably have their own interests and ways to spend their life’s time. And that’s perfectly fine. But putting in some effort on a personal brand can certainly help anyone with the interest to invest. And this applies to things outside infosec as well.

week 1 cisco cyber ops content observations

I’ve sampled much of the material for the first half of the Cisco CCNA Cyber Ops certification material, namely for the Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) portion of the program, and I’ve gotten through about half the material in depth. (Disclaimer: I am taking the self-paced e-course through a Cisco scholarship, so I am not paying for it.*)

So far, I really like the material that is collected as it pertains to a SOC Analyst position. And let me tell you, Cisco makes constant mention that this material is meant specifically for a SOC Analyst. I think it effectively overviews the general things I think an entry level SOC Analyst should know coming in, or have learned about in their first 6 months. And this includes not just book knowledge, but ability to utilize some tools and troubleshooting and log/alert reviews (aka analysis!).

I would slot this material about one half step above Security+ (It’s been years since I took this) and at a similar level to the SANS GSEC course. (I have not taken that, but the topics covered seem to match very closely). I think someone could conceivably skip GSEC if they hold the Cyber Ops cert, and vice versa. Moving from something like the CCNA R&S track over to pick up Cyber Ops could be conceivable for maintaining the latter and expanding a career path. I would expect that a 2- or 4-year degree in infosec would be at least equivalent to CCNA Cyber Ops cert.

Keep in mind there are two exams that make up the Cisco CCNA Cyber Ops Certification. The above-mentioned SECFND as well as the Implementing Cisco Cybersecurity Operations (210-255 SECOPS), which dives deeper into actual SOC processes and procedures. I have not reviewed that material other than a cursory glance at the exam topics.

Should the CCNA Cyber Ops cert be mandatory for entry-level SOC Analyst candidates?
Of course not. But a candidate with this is going to be looked upon favorably. Personally, I think most any sort of IT background or degree (plus security interest) is enough to get someone in the door as a SOC Analyst. This will help a) provide training for someone already in the door, or b) help set someone just a little bit above their peers. I’m not sure I’d pick someone with GSEC, Sec+, or Cyber Ops over the others in that grouping, but any sort of interest and proven knowledge is good. I think the cert should allow for more lenience on any actual years of experience, though. That is probably the balls-iest thing to say in all of this. I would honestly say that someone who can consume and learn from this material has knowledge that is gained in 0.5-2 years in a SOC by someone without that prior learning.

Is the CCNA Cyber Ops geared towards students with 0 professional experience or those that have some level of prior knowledge/experience?
Here’s the breakdown of what I feel someone should know coming into this material:

security and cryptography concepts at a Security+ level.
enterprise networking concepts (LAN, WAN, sec tools) at a 0.5-2 year professional level
Windows troubleshooting/experience at a 0.5-2 year professional level (desktop/server blend)
Linux troubleshooting/experience at a 0.5-2 year professional level
Programming/coding/web dev experience to some degree
Cisco product exposure, CCNA R&S exposure to some degree

While I don’t think someone needs, say, 0 Windows experience, I think they need to know Windows (or conversely Linux or networking) to a degree that someone could work at an entry-level Windows admin job, for instance. If a candidate has 0 Windows administration/troubleshooting knowledge or 0 networking knowledge (ever set up home LANs?), I’d point them first to an A+ or Security+ course track. For Linux, I’d probably point to Linux+ as a primer. However, I think someone with decent personal Windows/networking/Linux knowledge can succeed here, even without having had that experience on a professional job. Also, a 2- or 4-year IT degree should suffice.

Some of the topics and technologies you really don’t get without having some exposure to security processes in an organization, but the concepts shouldn’t be foreign (i.e. LDAP management, IPS/IDS tools, endpoint security tool features, log collection and analysis). And I think the material does a good job introducing it enough that a new SOC Analyst can hit the ground running in their first week.

Honestly, much of this material matches things I’d ask in interviews for mid-level Windows server or desktop admins. It’s just stuff someone really should know if they pursue a long-term career in IT, let alone security.

Would this be a good option for an experienced IT admin looking to transition into security?
If someone has several years of admin work and wants to get into security, I think this is a decent way to go, depending on goals and prior knowledge. A network admin can get up to speed on security and systems topics, and a system admin can get up to speed on security and network topics. But I think very experienced persons could look further up the chain if they want. But, the reality is sometimes you have to start somewhere when doing a career shift into infosec, and I wouldn’t look down on someone starting here.

What about someone who has 3+ years of security experience?
Honestly, I doubt that student will learn much new, but if the cert helps with job searches or is essentially free, then go ahead. But otherwise I think that level of experience could be looking further upwards. If there is any sort of current security person who could benefit, it’s one who is tasked with building out a brand new IR process, new SOC team, or applicable topics. I can see some good learning happening in that sort of a situation, particularly in the second exam of the two.

Would this be applicable to a non-Cisco shop?
I actually think so, but obviously much of the countermeasures and solutions have a distinct Cisco product slant. Again, I consider the GSEC to be somewhat analogous to this cert, so that can be a substitute.

What could come after CCNA Cyber Ops?
What I also like about this cert is where someone with Cyber Ops can go. I can honestly see this as a jumping point to almost every “advanced” security certification/training path out there, even going into PWK/OSCP, and definitely to CISSP/CISA/CISM or CCNA Sec. I think I might start considering this not just an entry-level-ish cert, but a gateway cert to everything else (much like Security+, GSEC, an actual infosec degree, and even CEH [until the US Gov finally drops it]).

*Would I have taken the course/exams had it not been offered for free?
I honestly doubt it. I’ve been doing IT and infosec work for 15 years, and as such, I’m really not learning much through the course that is brand new to me. Some topics are difficult as I just don’t need some particular trivia every day. But I’d really say I’d have pursued something further up the chain in place of this had it not dropped into my lap. If I pass, I’ll certainly add it to the resume/LinkedIn page, but I think my job experience over the past few years and a CISSP already demonstrate the same commitment and knowledge that this cert would. Given the next 4 months free, I would have spent the time elsewhere.

training and goals for 2018

A function of getting older and adulting more (somewhat) is knowing I just don’t have time for everything I want to do or learn for a given day, week, month, or year (video game habits have suffered the most for this). I’ve found it’s useful to make some lists and goals for the year. In past years, I would make a new year resolution to learn some new hobby or personal skill, things like learning how to play guitar or learn more about cocktails. Recently, I’ve found this is a great habit to have with the career side of my life. In particular, I found other people doing something similar on TechExams.net, where colleagues would make achievable yearly goals that get them where they want to go.

This year, I don’t plan to do a whole lot as far as building a new hobby or interest, but rather hone what I have now, fill in gaps I didn’t get to (I never did learn how to play a guitar very well), play a few more video games (deep-seated job in this activity), and focus on work/career and relationships for 2018.

This list isn’t complete. I have some personal goals I won’t end up sharing here, plus also various notes on topics I’d like to get to, but don’t see myself committing to at this time. Also, some of these items are brief, while I have more detail in my private notes on how I’d like to proceed.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field. I’d like to know both deeply, and it helps keep me well-rounded and ready to tackle most anything that may come my way.
  • balance career growth opportunities along with actual learning. I find as I get further into my career, I need less letters after my name, and have more yearning for learning actual things. In my earlier years, I found I was deeply driven by learning enthusiasm, and it’s so nice when the job itself is aligned with fulfilling that drive. I can point out years I had this, and which years I did not.
  • balance of work-driven (paid) and personal growth learning opportunities. Some wonderful training is cost-prohibitive, or requires access to hardware/software that has a dollar tag on it that is hard to achieve outside the workplace. I feel behind the curve with pursuing this due to previous management frugality.
  • Keep the job! I initially left this off, since it’s part of day-to-day life with me and not a question, but I suppose it needs stated. I like my job outlook this year, and hope to use the entire year to become amazing at it.

structured learning/training

  • Q1-2 Cisco Cyber Ops Scholarship Program
  • Q2-3 SANS FOR508 (GCFA)
  • Q1-4 finish LinuxAcademy RHCSA/LFCSA courses (and finish this subscription)
  • Q1-4 Metasploit Unleashed course (I’ve never really sat down and gone through this…)
  • Q3-4 SLAE-> CTP/OSCE (tentative, or just prep)
  • Q1-2 Maintain CISSP (hey, already done!)

unstructured learning

  • HackTheBox VIP sub (keep offensive skills from getting rusty)
  • work topics (placeholder for work-related learning)
  • Web Hacking 101 book
  • Burp Suite improvement/growth (courses, videos, etc)
  • Python improvement/growth (undetermined)
  • PowerShell improvement/refresher (undetermined)
  • expand Home Lab with automated AD builds
  • pen testing Linux distros to check out
  • CTF participation (as it fits in)
  • learn Scapy usage

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits
  • expand OneNote use
  • work on linkedin/career stories and goals (1-page resume for fun)(sec boss interview questions)
  • work on better anonymity online/VPN service for personal use
  • continue to hone and improve and tighten this and other learning/career lists

personal non-career goals/priorities

  • exercise (regular habit build; should take up biking in spring) and eating better (continued)
  • caring for relationships and friends

using the new noscript addon with firefox 57 (quantum)

Recently, Mozilla has been pushing out its new Firefox 57 aka Quantum. The main reason I still use Firefox as my primary browser is the ability to turn off all scripting with full control using NoScript (IE can’t really, and Chrome I don’t trust fully with it’s built-in allows for Google). So it was extremely jarring when one of my systems updated to Quantum and removed my ability to use NoScript. Turns out, NoScript needed to be rewritten from scratch in order to work in new Firefox versions, which apparently was a rude surprise for even the author. Since then, he’s been working to get the new version stood up and functional.

When NoScript got started again as a WebExtension, it lacked any sort of temporary permissions control, which I use constantly. Soon, it got a global “temporary allow all” which is not something I would even touch. Now, however, we do have more granular control on temporary permissions. Unfortunately, the UI isn’t very clear on what’s happening.

My Use-Case: I browse the webs with Firefox+NoScript. When starting a fresh browser install, I install NoScript immediately and remove all the defaults so that I trust nothing at all. Then I browse what I normally browse. As pages don’t load or functionality isn’t working, I’ll examine what is blocked by NoScript. I then make a judgement call on whether to permanently trust (i.e. allow a script to execute on that page) or temporarily allow it, which means only as long as my browser process is active. Tomorrow, temporary permissions will disappear and I’ll start all over again. Clearly, websites I visit often will have a few permanent allows, but by and large, I leave everything blocked that doesn’t interfere with my ability to consume a web site.

So, let’s get back to the UI. How do I do what I was doing for many years in the new NoScript UI? (WARNING: The add-on is currently in active development, and these screenshots and steps may become obsolete in weeks or days. The version I’m referencing here is 10.1.5.5.)

Here’s what I see on ESPN.com:

And here’s a view after I change a few things:

So, what do I do with my typical use-case now? I browse to a site and see it’s not displaying properly. I click the NoScript addon icon (or ALT+Shift+N) to open the drop-down window with all sorts of scripts that want to execute. I click the blue “S” next to one I want to allow. This defaults to temporary allow, and whichever HTTP/HTTPS protocol it pertains to. If the site switches to HTTPS, I’ll need to do this again. If I see a bunch of subdomains under a domain that I trust, I’ll make my choice next to the entry that starts with a “…”. This latter situation is good to use with CDNs which can come from one of many subdomains.

Typically, I choose one script to allow, let the page reload, and keep repeating until I’m either satisfied with how the page looks/works, or I’ve exceeded my level of personal risk with the scripts I’m loading. Sometimes, I see 50 scripts that want to run and just decide the content is not worth wrestling with scripts to get it to work (often video embeds will be quite the hunt to get to work).

This sounds like I might be complaining about my cheese being moved. And partly I am. But, let’s face it, the change is needed and we’ll end up with even more granular control over script execution with this new NoScript version with features I’ve not even touched in this post. If anything, I’m annoyed with Mozilla for putting users like me in this situation where, for several weeks, I effectively was browsing the web with my pants down or not browsing it at all.

2017 goals in review

Late last year and into this year I made some training and professional goals for myself. I thought I had posted about them, but turns I didn’t really post those tidbits (I have a whole host of things in my own notes), but I figured I would provide an update on what I did in 2017 in regards to those goals.

I spent about 2 months preparing for the PWK/OSCP lab and exam pairing, and over 3 more months in the course lab, and passed that exam. Probably one of the most satisfying things I’ve accomplished in my career. Really, anything I say about it and what it means to me is an understatement.

Through the summer months, I was bogged down a bit with a job that I have just since decided to move on from (I have a week off this week!), and I had really set aside more time for a possible OSCP re-take. Failing a first attempt on that exam is not an uncommon, but this did leave me with some extra time for the year.

I also had told myself I should check off another Offensive Security course and cert pair: WiFu/OSWP. I can happily say that I signed up for this course just over a week ago, and this week passed the exam. It’s definitely something I wanted to get done in 2017, and having a week or two off has given me the time to focus on it.

I spent significant time taking some courses on Linux Academy, namely reviewing the Linux Essentials course and RHCSA prep course. I’ve used Linux at home for many years, but have never really had any true formal study in Linux, so this has been nice to fill in some gaps in my knowledge. The Essentials course is mostly review for me, but I have learned a few things. The RHCSA cert itself is not something I will pursue (since my title does not include Linux in it), but I do find it useful to have that level of aptitude and workability in Linux. I started this course as part of an obligation to my employer, and since I’m changing jobs, I’ve put this one more into casual studying over the past few months. This is one of those nice items where my own personal goal fit with my job duties and training requirements.

Among other less tangible goals, I’ve made progress in building out my home lab this year based around ESX running on an Intel NUC. As with any lab, it still needs plenty work, and that will roll into 2018. I’ve also built the habit of attending local security meet-ups, namely SecDSM, through the year. And I’ve also gotten my hands on a few extra old laptops that I can use for additional exposure to non-Kali pen testing platforms.

Job-wise, this was a really big year. This marks the second full year for me being a true full-time security professional. Through the rest of my career, security has always been a part of my duties, but I was still always a sysadmin first and a security admin second (for those who have had that sort of hybrid role, you know what I mean). Last year and this year have been good in this regard; it really does make a world of difference to be able to devote serious time to improving security rather than constantly getting interrupted with small and large operational tasks.

All told, it’s been a transition year for me, and a very good one on almost every front. And while I have some individual accomplishments in the bag, my biggest takeaway has been just being conscious of my career direction, my learning habits, and my continued training. I slacked off over the past several years, and getting back on track has been a huge deal to me and my happiness and enthusiasm.

the wifu/oswp experience and alternatives

Just over a week ago I signed up for the Offensive Security WiFu/OSCP course and exam. This week I took and passed the exam. Much like the OSCP exam, this is a hands-on practical exam whose goal is to break into several wireless networks.

What sort of material does it cover? Well, there is a syllabus posted. But breaking it down, about a third of the material is about the 802.11 wireless spec, plus some tips on hardware and setting up wireless in BackTrack 5. Another third covers cracking WEP encryption with various attacks. Another roughly 20% covers WPA/WPA2 PSK cracking (old, insecure setups). The last roughly 15% covers graphing tools for wireless recon and MITM/client attacks using airbase-ng, airserv-ng, airtun-ng, and karmetasploit.

Is the course dated? Well, yes. But learning the basics is the first step to learning the harder stuff. And keep in mind, back in the early to mid-2000s, it was ridiculously exciting to see wifi hotspots popping up everywhere and start cracking insecure WEP and WPA configurations, all with the backdrop of grey, largely undefined laws regarding wifi shenanigans. That said, I do wish it covered more stuff or had an advanced version of the course to cover bluetooth, SDRs, mobile devices (to an extent), pineapples, and other fake AP/client shenanigans. But, I do understand there are severe channelges to the labs to accomplish all of that.

If it’s dated, is it worth the money? That’s always going to be a personal decision.

Can the same material be found elsewhere for less overall cost? Of course! And in lieu of actually purchasing the course, here are sources that should hold the same knowledge as presented in the course (and so much more!) for less monetary cost.

802.11 Wireless Networks (O’Reilly blue bats book) acts as the best technical reference for wifi. Incidentally, a new edition is due in 2018. The first third of WiFu is the briefest of summaries about the 802.11 spec.

Hacking Exposed: Wireless (Wright/Cache) is a complete book for wireless weaknesses and attacks, and will cover Bluetooth and SDRs. It’s not going to walk someone through every single issue, but will fuel google searches for more complete tutorials on pretty much everything.

Penetration Testing: A Hands-On Introduction to Hacking (Weidman). Weidman’s book devotes only a small chapter to wireless hacking, but it covers the bulk of what WiFu covers: WEP and WPA auth and key recovery.

Aircrack-ng tools wiki/documentation. The WiFu material reads pretty closely to the documentation of these tools, and will cover things like airserv-ng and airtun-ng.

Metasploit Unleased is a free course hosted by Offensive Security, and has a section devoted to a tool that I don’t think is covered by any of the above sources: Karmetasploit.

All of the above should cost less than the course, but provide just as much information and far beyond as well. (Which does translate into needing to spend more time doing and more time reading many more pages.) There are also undoubtedly plenty of related videos and how-tos over the years for these topics as well posted in various free and less-free sites.

traveling tips and notes from a cyber warrior

I’ve not had too much cause to travel all that much, but enough to know that these tips are pretty complete and excellent: The Infosec Introvert Travel Blog. For the most part, traveling is still often a personal matter; do what you feel you’re comfortable and secure with doing. Be safe, be happy, and find some measure of enjoyment, even if it’s just reading a book in the hotel bar.

retaining soc analysts

DarkReading article, 3 Ways to Retain Security Operations Staff, is actually really good. I imagine the work of a typical tier 1 SOC analyst is much the same as NOC staff and probably in a similar vein (managerial-wise) as front line technical support teams. I imagine they have the same challenges and same expectation of burn and churn (aka either get burnt out and leave or get that first year or two of experience and leave). The article cites average retention span of a junior analyst to be 12-18 months. That sounds pretty accurate, especially when reading the description of the tier 1 and tier 2 roles. And I totally buy the fact that right now, after 1-2 years of SOC work, you can jump to something better and see a decent bump in pay now that the candidate is essentially a seasoned professional (so to speak). To be honest, even C- and D-players can coast along and them get more progressive roles after a couple years. (Arguably, you shouldn’t mind if they cycle out, as you’d rather keep your A- and B-players as much as possible.)

The author’s 3 steps are rotation of duties, aggressive training, and step-up retention bonuses so you keep “seasoned” analysts rather than have them jump to those other jobs.

I like these steps, and the solution of rotating duties is sound enough to combat monotonous duties, oddball shifts, on-call demands, and lack of challenging work to learn from (aka be stimulated by). The downside to this is you might still lose people due to rotating down into the tier 1 duties on a regular basis. You might also run into the common rotation problem where tasks at one tier just don’t get done by one person since they know they’ll rotate out of it next week, so it gets left undone. This does help hide underperformers a bit. Another downside is when shift roles are too rigid such that oddball shifts don’t get to rotate.

Of course, these solutions and situations are all variable based on the organization in question. If the organization is just serving tier 1-3 MSSP/SOC functions, maybe it will have to live with the churn and burn process. But if the SOC is part of a larger organization with roles to transition into over time, that should be tapped as a valuable source of promotion and talent retention.

cisco cyber ops scholarship experience

A few months ago I tossed my name into a sign-up for a Cisco Cyber Ops Scholarship program which provides training for qualified individuals to achieve the Cisco Cyber Ops certification. This certification, unlike everything else with Cisco, does not require having another Cisco cert under one’s belt already. A week ago, I received an email stating I could finally start the next step, which is look over the rules and fill in a small “candidate intake survey.” A few days later, I received a link to take a “prequalification” exam. A few more days after that, I received a note that I was accepted and had to take another small survey. At this point, I’m awaiting more feedback on when I can start the training. I’m hoping to kick this off through Q1 and Q2 of 2018.

What is the Cisco Cyber Ops certification? Stealing from someone on Techexams who put it very succinctly: “The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard.” By contrast, there is also the CCNA Security certification. “The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls.” Honestly, this sounds like Cisco’s play into the cybersecurity world, and a good one, as otherwise you need to slog through all the courses and studying to implement devices, when many analysts just want to be able to use, tune, watch, and wield the tools once deployed. On a more detailed level, the Cyber Ops cert is the combination of two tracks/exams: Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) and Implementing Cisco Cybersecurity Operations (210-255 SECOPS).

Are there requirements? Yes, you’ll have to check the rules. I qualify for having an old Security+ certificate in my name. Plus I passed the prequalification exam and accepted the terms/conditions.

What’s the prequal exam like? Clearly I won’t get into details, but the exam was something like 60-ish questions over 45 minutes and covered topics in the course: Windows, Linux, Cisco/Networking, and Infosec topics. Honestly, I found this pretty challenging as my Cisco-centric networking is rusty. I’d honestly say about 50% of the exam covers CCENT and CCNA R&S topics. So plan and study accordingly.

Do I expect to learn much from this? As far as Windows, Linux, and Information Security topics, I honestly doubt I will learn too many new tricks or information; keeping in mind that I’ve done troubleshooting on both platforms for many years as a sysadmin. However, I hope to brush off plenty of Cisco networking rust and bone up on that more than I am today. I think I’ll probably learn the terminology Cisco wants to use for security topics. I also would like to know more about the actual course details, as I can then properly recommend the certification for those looking to possibly get into infosec and want to know what else to look into besides the normal Security+ -> self-study route. The entry level route is one that is difficult to prove or know you’re ready for, especially since infosec is cross-disciplinary. If a cert can demonstrate knowledge in the above 4 categories without needing x years of job experience or 4 other separate certs (Linux+, CCENT/CCNA, Windows something, Security+), that can be a good thing.

Why are Windows and Linux included? As an analyst, I believe the goal is to be able to investigate and troubleshoot alarms and events. This includes being able to log into some servers and run some troubleshooting tools and utilities to see what’s going on, like listing processes, ports in use, look at logs, and maybe do some scripting or command line kung-fu. It’s fine if you can watch a dashboard for events, but real value in security folks is a broad ability to troubleshoot and investigate platforms at least on a superficial level, and not accidentally break things operations depends upon in the process.

Am I so far interested and excited about the cert? For the industry, I actually am. Sure, it’s Cisco-centric, but this cert should demonstrate that someone is ready to put some boots on the ground in a SOC. Security+ and other certs are ok, but there’s lots of trivia and often not a lot of practical skills you can put to use in month 1 of an entry level job. For that alone, I’m pretty excited about this offering and what it means for our entry level tier of folks, who badly need better support to get ramped up out of school.

How do I plan to study for this? First, I’ve already been looking up experiences from others who have taken the course successfully. Seems there is material worth reviewing that lay outside the course materials themselves. Here’s what I’ve come up with so far to check out. I have also seen mention the ITProTV has videos on the course, which I might try to get access to (keeping in mind that November/Thanksgiving special deals are coming up!)

Whatever the scholarship-provided training materials/labs/access will be.
CCNA SECFND book: https://www.amazon.com/Cyber-SECFND-210-250-Official-Certification-ebook/dp/B06Y1RYPL5/
CCNA SECOPS book: https://www.amazon.com/210-255-Official-Pearson-Cybersecurity-Curriculum-ebook/dp/B071JVMJ8T/
Regular Expressions: https://www.debuggex.com/cheatsheet/regex/python
Regulat Expressions: https://www.debuggex.com/cheatsheet/regex/pcre
NIST 800 61: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf [pdf]
NIST 800 86: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf [pdf]
Wireshark filters: http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf [pdf]
CVSS Calculator: https://www.first.org/cvss/calculator/3.0

microsoft advice on mitigating dde attack

It sort of flew under the radar amongst larger incidents and attacks over the past month, but the Microsoft DDE abuse popped up, which is essentially a feature in Office products that allows the execution of an application when provided the link to it in the doc. The feature is meant to allow a document to automatically update itself from external data sources. And, much like macros in the past, disabling DDE (and OLE) in Office could break features that some people do rely on. Nonetheless, there is advice out there from ThreatPost/Microsoft.

tools to aid investigating o365 email

I’ve only recently become a consumer of O365, and have not done any administration, investigation, or poking around on the undersides of it, but these two links came across on a local Slack channel and I wanted to pull them out and save them for future reference. Both of these github links offer support for investigating O365 phishing emails and shenanigans. First, one from LogRhythm and another by the OfficeDev crew.

can you distill cyber security into 10 steps?

Today saw an infographic fly across my LinkedIn news feed: 10 Steps To Cyber Security. Only 10? To achieve Cyber Security, not just the top steps? Sweet! To be fair, these are less steps as they are entire spheres to address with multiple controls and initiatives in each one. But, is anything missing? Just having 10 steps still seems awfully light.

Backups. No mention of backups, and I think every security strategy should have backups as step 0.

Data. None of the 10 steps given have anything to do with data. I imagine someone could say evaluating your data is part of the central risk strategies, but I don’t buy that. Know and secure the data that is important to your business. That should be a standalone strategy bubble.

Segmentation. I don’t really see anything that would pull in secure configuration of networks, namely segmentation. Sure, it’s more of a control, but I think it’s important enough to be up with these other 10 items. (Network Security may cover this, but I think it’s too easy to just read this item as perimeter only.)

Software. I was hoping to see Secure Configuration include software on systems, but really it’s not there, and no other items really gets into this.

Software Development. This is really close to software, but it has less to do with software installed on systems and more to do with software developed in house. While the items could read similarly, the approaches are done by entirely different teams with different projects.

Is there a list that includes these items and the ones in the above link? Actually yes, but it’s 20 controls, not 10 steps: The CIS Top 20 Security Controls list. Wow, that sounds like a marketing pitch…