lots of people looking for mentors these days

Everyone wants a course or cert or mentor that will teach them how to be master hacker or to hit the ground running with a cheatsheet in hand. But the only real path requires two legs: practice and curiosity (self-study to learn the things that are still unknown). A course can help with the former, but courses can only cover a miniscule amount of all the unknown things you’ll run into. Dive in, get guidance as needed, but there is no substitute for practice and doing something by yourself. Apply for and land a job, find a mentor there, or find yourself being the mentor. Do, do, do.

That said, just ask direct questions.

the soc or siem of tomorrow

Monster post of the week goes to Gunter Olmann’s NextGen SIEM Isn’t SIEM blog post.

To paraphrase the first half, basically SIEM’s main weaknesses have been fidelity and trying to integrate newer sources. These newer sources are pushing that fidelity and active response away from the SIEM and down closer to end endpoints/attackers/events.

…Interjecting my own thoughts for a moment: Also, in the past, a SIEM was only as good as the intelligence behind it, which was often fueled entirely by the staff sitting directly in front of it. I’m sure every SIEM and MSSP vendor has been asked, “So, what do we look for out of these million logs entries?” by every single one of their clients, and the answer is always, “It depends,” or, “What do you want to find?” (You’d think intelligence would get pushed downhill, but I think only the most obvious of intelligence ever gets outside a singular organization’s walls, including those that share it!) The best (luckiest) shops have SIEM ninjas in house, but most just flounder wetly about in the hallway. Now, back to Gunter…

And he frames the transition correctly by saying these new tools typically do only a narrow scope of things really well.

Honestly, I’m not sure asking what the “next gen SIEM looks like” is exactly the right question. I’d take a small step back and say, “What does the next SOC look like?” (I’m writing this as I read the article, and Gunter goes to the same direction!) Do we still strive for one pane of glass? Do we have many panes of glass with best of breed tools?

I like Gunter’s bullet points on what the next SOC/SIEM should do or look like.

But I do want to add one other factor into this. The shops that have the budgets to get things like big SIEM tools and various other Threat Hunting or SOC-supporting tools are also the ones fighting with a ridiculous technology change pace in their own networks, and those that have manageable environments are the ones too small for the best tools. Between cloud, IOT, mobile devices, and advancing system sprawl, it’s a huge endeavor for a SOC just to keep up with its own organization.

Anyway, just to interject a wonderful (or nightmarish) vision of the future…we keep taking steps forward towards actual Gibson/Shadowrun-like ICE!

q2 2018 training and learning plans

So, what’s on my structured training list now that I’ve finished CCNA Cyber Ops? I have a 2018 goals post, but obviously things can change… I don’t blog about many of my training things, largely because I have a separate, private OneNote instance that has a huge breakdown and list of things I want to do this year, next year, and discussions on everything else that my career may entail beyond. I have a long term section, and a list of things I’m basically doing right now.

Right now, I have a small lull until I head to SANS West in two months and pick up my first SANS course, GCFA FOR508. I’ve decided to forego some courses people tend to take early on in their SANS experience, and dive into the deep end by skipping GSEC (SEC401), GCIH (SEC504), GPEN (SEC560), and GCFE (FOR500). I’ve never had the opportunity to do SANS courses before, and rather than go easy and do something I may know pretty well already, I decided not to wait years and instead get to a course that will certainly be a challenge.

To that end, I’m already doing a little bit of prep work to brush up on some forensics/IR topics so that I don’t entirely need to catch my mindset up much to hit day 1 at a brisk walk. I’ll be watching some random YouTube clips of the course and related topics, reading a few books I have sitting around on forensics and data collection, and otherwise preparing my workstation.

Beyond that, I’m likely going to do a little preparation for NetWars as well, though to be honest, I don’t expect much as a first timer. But I want to finish a bit more in my RHCSA/LFCS courses, refresh using Metasploit Unleashed (a course I’ve long since just never gotten through) to get my mind back in offense, and then do some retired HTB boxes to oil those wheels further.

I’ll also be at C2E2 (Chicago) in the middle of all of this, so that likely is enough planning for now to see me through to the midpoint of 2018.

getting domain admin before lunch

I always hesitate to link to Medium articles, as I find the platform somewhat dubious, but this article was good and included further good links at the end. The article is “Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)” by Adam Toscher. I actually skipped the part at the top and thought to myself, gosh, this sounds like a SpiderLabs update to their old article on the same topic. Sure enough, he mentions that!

The bottom of the article includes wonderful links for more information, such as A Toast to Kerberoast and the Inveigh PowerShell tool and Relaying Credentials Everywhere with ntlmrelayx.

review of the cisco ccna cyber ops scholarship program and cert

Let’s start off getting the logistics out of the way. I started Cisco CCNA Cyber Ops scholarship program a week before the official start date of 12/28/17 (cohort 5). I took and passed the first exam, SECFND 210-250, on 02/02/18 with a comfortable score. Study time was about 2 hours per day average for about 5 weeks, and I did end up watching most of the mentor sessions, in addition to all of the Cisco online course material and labs. I purchased the Cisco Press SECFND book, but honestly did not lean on it at all.

The SECOPS 210-255 material was far shorter and took overall less time to consume. I spent about 1.5 weeks sick in the middle of my studies, but thankfully I was already ahead of the course dates. I was able to take and pass the SECOPS exam on 03/09/18 with a very comfortable score. I did not actually do any mentor sessions. On the day I passed the exam, they were only up to Chapter 8 out of 15 with 4 additional exam prep sessions later on. I borrowed a copy of the Cisco Press book for the SECOPS course, but I admit I did not use it. (Ok, I looked up one thing I was foggy on from the Cisco exam blueprint, but it actually wasn’t where it claimed to be in the book; it was flat out missing, so I set it aside for good.) SECOPS also requires some outside sources, so I read the CVSS specification and user guide, NIST 800-61r2, NIST 800-86, C2M2, Diamond Model paper, Kill chain paper, and I took a 2-hour refresher course on Regex basics from PluralSight (I have a standing account there). I would have brushed up on Wireshark usage a bit more, but I’m very comfortable with it.

I admit, I rushed this, but I also wanted to get this out of the way of other things going on in 2018, and I didn’t want it to drag on too long. And I was very successful in carving out time to dig into the materials to get an exam take as soon as possible. I took notes in OneNote on the courseware (usually played at 1.5x speed), regularly reviewed the courseware end-of-section questions, and transferred key topics to Quizlet for review the week before each exam.

What did I think of the provided materials and guidance in the scholarship? Well, it was all free other than the books which I opted to acquire on my own, plus my time spent. The online course itself was really good, though I admit it dove pretty deep and sometimes beyond the scope of what was tested. But it was all good information pertinent to what I would expect from an entry level SOC analyst. The Cisco exam blueprints were very accurate. The SECFND courseware and labs were far longer than the SECOPS materials. The courseware was very consistent, however there was one awkward lab in the SECOPS course where the word “pivot” was abused badly. Clicking on a link on a web page is not pivoting, clicking to a new window is not pivoting. Beyond that, they were very consistent and helpful. Amusingly, I was distracted by one narrator referring to Metasploit as Megasploit multiple times.

I do also want to call out that some of the courseware delved into Cisco products, and one or two small sections sounded like marketing wrote them. But the exams themselves did not test over anything specific to Cisco, other than Netflow.

The labs I actually especially enjoyed. I had zero technical issues with the labs, even running Chrome on Ubuntu 17. And honestly, I really liked the setup and the content that was presented to the students. The step-by-step instructions were also clear and accurate. To be honest, I don’t know that I learned anything absolutely new, other than being able to play with Security Onion more than I had in the past. But, I loved the thought of this material being consumed by more entry-level types of students. This is far more than was necessary to meet the exam requirements, but I would always suggest students consume those labs if they are new to the industry as there is a lot of good experience in there. If nothing else, it allows students new to Windows or Linux to run some tools and commands, or perform some attacks they’ve never seen before, including returning back their first root shell. Students who know absolutely nothing about Linux may struggle to navigate a Linux terminal here and there, but this isn’t a course introducing Linux to students.

The mentor sessions were a bit chaotic and unorganized at times, but my biggest complaint is the use of Webex as the delivery platform. I primarily run on Linux as my main desktop, and I could not get the Webex to connect on Linux, nor watch the recorded playback at all. Thankfully, another student downloaded the recordings, converted them to a regular video file, and posted them to Dropbox. An absolute godsend! That said, the mentors seemed far more at ease with any pure networking material than with security topics, and I suspect I probably know more than them about most of the topics presented. In fact, stalking on LinkedIn a bit reveals my gut feel on that is pretty correct.

And that somewhat brings up what I would consider just an observation of this scholarship. In order to get approved, one has to already possess specific recognized industry certs (my CISSP and Security+ both qualified me up front, but the OSCP would have as well if I had asked) and one has to pass a preassessment exam. That preassessment exam was not kind or easy, and had some very CCNA R&S-esque questions and some rather surprisingly deep Windows/Linux questions. In fact, the preassessment exam was the hardest thing in the whole program. But what this means is that people taking the CCNA Cyber Ops in the scholarship program are a bit stacked towards experienced infosec professionals, rather than the entry/associate level that it should be geared towards. I understand why Cisco would do this, but that might skew my experience, results, and opinion a little bit. For anyone jumping into CCNA Cyber Ops without the scholarship, there are no prerequisites or requirements; this can be your first Cisco cert, in fact. I’d consider that a huge plus.

How were the exams?
The biggest thing that I will remember about the exams was the grammar. SECFND 210-250 questions were absolutely awful. I pride myself with being able to understand communication from people with poor grammar, but more than a few of the questions felt like they were written by two different non-English speaking people and then spliced together. This is even more pronounced as the SECOPS 210-255 questions were far better (though I did find two awkward moments that made me sit back and think a lot [kinda like CISSP questions] and one question that was flat out talking about the wrong thing). Either way, the experience was ok, I passed both on the first try with 900+ scores, and about 30-40 minutes of actual question answering. The content seemed to match the exam blueprints very well, and I really wasn’t surprised by any foreign content with just one or two exceptions I can’t reveal, but I suspect weren’t even scored questions. Not everything is covered in the Cisco scholarship course, but they did call out to external resources. So, nothing should be surprising: it was called out in the course and mentioned in the blueprint.

What do I think about the certification and where it is positioned in the infosec world?
Cisco states: “The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

I think the program is positioned excellently for entry level students looking to get into SOC analyst positions. Students get a solid mix of exposure to TCP/IP networking, security concepts, Windows analysis, and Linux analysis, and that mix of exposure is difficult to get without real experience on the job.

I would honestly suggest anyone looking to hire for or get hired for a SOC position should consider this course their first stop on the journey.

That said, a SOC analyst position is not the most common position I see posted in infosec in my market, and is really only prevalent in MSSPs or very large organizations that can afford and need a SOC.

I’d consider this course to fall just a half step above the CompTia Security+ course. Security+ gets pretty technical into the security concepts (very trivia-like), but really offers less actionable knowledge of things like Windows, Linux, or networking. If you pass Sec+, you still won’t feel like you can do the job, but with Cyber Ops, I think students can feel like they could walk into a SOC and be useful in the first day or (Disclosure: I have a lifetime Sec+ since I got it so long ago…so the content may have improved). I find the CCNA Cyber Ops to be more directly useful in certain day-to-day jobs. I’d consider it maybe a half step below the SANS GSEC course (Disclosure: I have not seen that course, but am basing this on anecdotes from others.). It doesn’t really compare to the CEH, as one is offense and the other defense, but I’d consider the Cyber Ops course to be more useful to defenders or SOC analysts than the CEH by quite a margin. I’d consider the CISSP certification to be about a step and a half above the CCNA Cyber Ops.

In fact, I would honestly say that if someone can make it through the CCNA Cyber Ops, they will have demonstrated a certain (small) command of Windows and Linux analysis, networking acumen, and security concepts. And I think students could take a serious look at the OSCP or jumping pretty much anywhere else in the infosec training and certification tracks. And I definitely think anyone with this certification should be ready for their first 1-2 years of defender jobs. And there are no prerequisites, making this an approachable first security cert to get, though students will be helped by having a decent technical background of a few years, even if just troubleshooting their own systems and watching the infosec landscape via Twitter and blogs from afar.

That said, there are a few small issues with the certification.

The first and largest problem is apparent when looking at the certification roadmap at Cisco. The CCNA Cyber Ops has no CCNP tier, and it does not lead anywhere else. If you want to pursue any CCNP tier cert, you need to slide over to another CCNA track and get started there. That hopefully will change in the future, but for now, the cert doesn’t let you get anywhere else in the Cisco house. Hopefully they figure out what to do with this.

Second, this is an associate or entry level certification. If a student has even 6 months working in a SOC, I think they should look above this cert. If a student has 4+ years of IT work with servers and some security technologies or networking, I don’t think they will learn a ton from this. That said, if this is part of an identified roadmap to improvement and learning, this is a good step to include. And honestly, I think any SOC should require this of their entry-level staff within 6-18 months of employment, or prior.

Lastly, there is the problem that Cisco has a CCNA->CCNP track for Security, which really means working with Cisco’s security software such as the Cisco ASA Firewall, ISE, Firepower, AMP, and so on. That track will allow you to work as a Security Administrator, where you deploy, configure, and troubleshoot those tools. A SOC Analyst would leverage those installed tools to consume their output. In my market area, I find more opportunities for using the CCNA Security cert than the Cyber Ops one, simply based on job duties.

I found this blurb on the Internets which I think sums up the positioning of the CCNA Security and CCNA Cyber Ops courses:

“As far as the other poster’s question goes about CCNA Sec vs CyberOps, they have completely different career paths in mind. The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls. This kind of job specialty you’ll likely only find at larger companies, although the knowledge can still be useful in a small environment where you have to do a little bit of everything. The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard. Two very different certs. For someone who wants to work in the security field, CyberOps will be more valuable by far. CCNA Sec, ironically, is more for someone already in the networking field who’s moving to specialize in security appliances.”

I admit, all the people I know that have CCNA Security or higher come from the network admin side of IT.

red team tools or bas, it’s still about validating your controls

I was catching up on some blogs and came across a thought-sparking post from Augusto Barros titled “From my Gartner Blog – It’s Not (Only) That The Basics Are Hard…” In this post, he talks about how basic controls fail, for example keeping accurate inventory when someone forgets to follow the process. In other words, how do you make sure you’re still doing the basics accurately?

I don’t necessarily get what is new with BAS (Breach and Attack Simulation tools) or whether this signifies the coming of age of internal red teams or a new way to market these tools, but making sure basic controls are in place is part of the purpose of things that, I can see from a particular point of view, attacker types of tools play into.

In the case of inventory control, this is where you have network discovery and internal recon (vuln scans, NSM…) or tripwires (NAC, ISE…) catch things that miss the inventory process. You find them and treat them as rogue until proven otherwise. In the process, you also care about certain zones more than others. An isolated server deployed in an internal segment is one thing, but a server in the DMZ with a few ports exposed to the Internet is another. In the latter case, another potential detection point is external footprint scanning, something that is very important to know, as this is where attacker eyeballs will also be looking.

Maybe this fits more into internal threat hunting or having an internal security team that at least thinks and designs controls and internal intelligence with a thought towards how an attacker would see things.

the internet is not so effortlessly making us smarter anymore

(I’ve had this incomplete through brewing for several weeks now, but never really put it down in writing. I finally have. I didn’t like the presentation, but have posted it below anyway since I didn’t want to spend any more real time on it. So it is half-baked, but here for my own posterity.)

I’m just over 40 years old. I grew up both without and with the Internet. During the early years, I felt like so much information was available to us that had never been exposed before. Rather than relying on libraries or television shows or word of mouth to find something out about whatever arbitrary topic one had, the information could be self-served via Google. Life was wonderful! I feel like we’re collectively getting smarter!

Fast forward to around 2015-2016, and I feel like a tipping point may have been reached. So many people are online now, and social media has allowed so many people to highly efficiently pipe in with their own take on things (even if it’s just a mass of Likes or upvotes), that we now have a problem where I don’t feel like we’re collectively getting smarter quite so effortlessly anymore. It actually takes effort to make sure you’re not learning falsehoods or buying into someone’s bullshit.

There are two factors to this: 1) The dumb ones are on social media now, and 2) so many of us are on social media in general.

Anyone and everyone can post a comment or make a social media post that states something as fact. For instance, someone posts an image on Imgur that is inspiring or funny for some reason, and a highly-voted comment purports that this person did XYZ and was from ABC. But if you dig into it, you find the real story on Snopes or some other resource that paints an entirely different picture. The first comment? They may or may not have realized they were promoting false facts. And due to tone and group think, someone probably walked away from that comment telling someone else the same false fact. Even just walking away with a false reality to the original image is bad. That’s a problem, especially if you have more people who believe a falsity than who know the truth.

This is how rumors and conspiracy theories spread. And it’s ok when those echo chambers don’t impact people not looking for it, but social media has allowed these bits of “dumbed down” information to spread to those not even looking for it. This is how good news sites that practice some form of democratized content eventually become overrun with funny things that don’t matter at all to life.

It’s also becoming useful to someone or other to influence popular opinions and facts, which anyone should have been able to predict someday, especially anyone whose grown up with the Internet’s start. Plant some seeds and watch the flames grow on their own!

Are we still getting smarter? Yes, but it’s not so effortless anymore; it takes work to verify stories and opinions, and work through pages upon pages of a thread to get up to speed.

adding comments into wireshark and pcaps

Read a post today that blew my mind. SANS Diary made mention of adding comments into Wireshark pcaps! Holy crap that is awesome, not only to put comments into a pcap, but adding a new column into the display to show them all is an amazing way to notate a capture set.

The diary entry also talks about Moloch and CloudShark. Moloch is a tool to download/install and set up, which will take packet capture feeds and index, store/display them for easy referencing, and for adding extra comments (tags) through a web interface. This doesn’t replace an IDS, but will augment the ability to manage traffic displays and packet feeds. I can see using this to carve out and save normal traffic examples or malicious incident snippets or just as a budget-conscious way to start indexing traffic patterns.

CloudShark is a cloud or on-prem solution that will do much the same thing, only probably more polished.

The bottom line, though, is I had no idea comments could be added to pcaps in Wireshark! (Save format defaults over to pcap-ng as well, to save the extra data.)

upgrading the gaming rig for 2018

(I wrote this about a month ago, and it got stuck in drafts. But now I’m pulling it back out and letting it loose.)

I’ve watercooled my gaming systems since around 2002. My last gaming system build was actually around 2012, and since then I’ve just been coasting on that system. I reworked the water loop into two loops a few years ago, adding a closed loop over the CPU (Corsair H60) and keeping a custom build over the GPU. Very cool. About 6 months ago my day-to-day system (an older gaming system) water cooling loop got some contaminants in it (after not having had any in many years) and I had an algae explosion. Rather than clean it up or even replace parts, I just scrapped the whole system and replaced it with a spare (better!) system I had sitting around doing nothing important.

Now, this week, my main gaming system suffered my first leak ever. A reservoir/pump combo drive bay unit was seeping water somewhere inside it. While the leak didn’t damage anything, it did cause me to rip out the loop and begin the process of replacing the air cooling (fan and heat spreaders) on the GPU. Water cooling was initially done to reduce the sound of my computers; but these days, fans are larger and far quieter such that the reduction in sound is negligible anymore. Somewhere in either that process or just the process of touching/moving things that hadn’t been much touched in many years, the motherboard decided to stop posting at all. I gutted everything out, but no improvement. Well, I was actually going to look at upgrading the system next year anyway!

(PS: After much fiddling, I actually got the old motherboard posting again, but this was after I had rebuilt the system. So it’ll still see life in an ancillary machine for testing/playing.)

So I’m taking the time to upgrade the motherboard, CPU, and RAM, and SSD. What’s interesting is how gaming hardware hasn’t really changed so much in the past 5 years, such that some of my components can actually be re-used. This marks the first time I’ve done an actual large upgrade rather than just building new from scratch.

I really wanted to get an Intel i5-8400 CPU, but I can’t find any available for at least several weeks. So I decided to spend a bit more for the Intel i5-8600. This requires an 1151 socket board which is covered in 300-level motherboards. So I’m picking up a Gigabyte Z370 AORUS Gaming 5 motherboard. This means I need new DDR4 memory, so I’ll pick up 16GB of G.SKILL Ripjaw 8×2 sticks. I kept the option to keep a closed water loop on the CPU with a new Corsair H60. I also had an unused SSD sitting around, so I’m making use of that as my system drive (though my old case really wasn’t built with SSDs in on the market yet, so it’s really just kinda hanging out in there…).

I really didn’t want to make these purchases right now, but things happen. Probably my computer telling me to make use of the Steam sale-driven Skyrim Special Edition that I purchased over Thanksgiving weekend!

building your personal brand in infosec

A post by Harlan Carvey as he ties up some draft thoughts on 2017 piqued my attention. Part of the post deals with building a personal brand in infosec, which channels information from a post by CryptoCypher over on AlienVault on the same topic.

I particularly dig this bit of advice when looking to build your brand online and using a blog as a means to that: “The first step is understanding that you do not have to come up with original or innovative content. Not at all. This is probably the single most difficult obstacle to blogging for most folks.” That really is it; it’s very hard to come up with original content. Often, the best bet is to build upon or give personal opinion about other topics, or just share information/links about things that others may not have seen. If nothing else, it’s also good practice for formulating opinions and thoughts on various topics, ahead of when a VP or developer comes walking up with questions (or a sales guy slides you into an ambush at a conference!).

And I totally agree when he says this about one of the purposes of a blog: “…a blog post is a great way to showcase your ability to write a coherent sentence.” If nothing else, a blog can do that and give an employer a hit on a Google search that will demonstrate interest in the industry. Everything else accomplished beyond that is bonus.

What I’m grateful for, though, is being pointed to the other article by CryptoCypher. This article is a very complete, and actionable bit of advice for anyone in infosec. And I think the guy practices what he preaches. For instance, I’m aware of the Twitter handle and see him participate in discussions, and recognize the handle/bio image elsewhere. (Granted, it might not always be positive recollection, as things like n–bsec can teach us, but images and the people you associate with can be cleaned up with sincerity and effort and old-fashioned time.)

Getting back to the blogging part, he had this bit of truth to add: “A lot of people do not blog at all so just by having one you are already ahead of most students in that regard.” Not just students, but most professionals!

I really love the rest of his items. Getting involved in college and hackathons (or CTFs) and conferences is a huge boon of contacts and experience. I know, there are many introverted infosec insiders out there (myself included!), but there needs to be some focus on just saying, “Hi, what-do-you-do/what-brings-you-here?” to someone random at an event where you both clearly have intersecting interests to some degree.

Even more so, I love the inclusion of mentoring, though I would say this goes both ways: being mentored and being a mentor. I don’t care if the mentoring is formal in person or informal over Discord/Slack, but mentoring and teaching what you know is the best way to solidify what you actually know, and paves the way to share ideas, improvements, and consume even deeper topics. Be positive, be approachable, be helpful, be sincere.

I also believe many of us just need some friends in our lives, to share our lives with and stay on a positive track.

I also believe that we need far less mentoring than we think we do. If you can pass Sec+ or other entry level certs/material, you can truly consume anything in the industry given some measure of time and effort. Infosec is a half step up from “just” being a sys/desktop/network admin or other IT grunt. But it’s just a *half* step up. The imposter syndrome can be very real, but that devil just needs to be ignored and relegated to a basement office.

And, as the author mentions, I believe Twitter is one of the best places to cultivate a personal brand. You get immediate exposure and access to like-minded persons. Likewise, Slack and Discord and even Reddit can offer similar opportunities to get on board.

If anything is missed in all of these mentions, I think it would be developing a Github presence and populating it with some scripts and other pieces of work (it can also double as a wiki or place you keep links/resources or something).

A personal brand isn’t for everyone. There are plenty of infosec folks who do not define themselves by their day job; they do not hang out on Twitter with us or go to more than 1 local con every few years. They probably have their own interests and ways to spend their life’s time. And that’s perfectly fine. But putting in some effort on a personal brand can certainly help anyone with the interest to invest. And this applies to things outside infosec as well.

week 1 cisco cyber ops content observations

I’ve sampled much of the material for the first half of the Cisco CCNA Cyber Ops certification material, namely for the Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) portion of the program, and I’ve gotten through about half the material in depth. (Disclaimer: I am taking the self-paced e-course through a Cisco scholarship, so I am not paying for it.*)

So far, I really like the material that is collected as it pertains to a SOC Analyst position. And let me tell you, Cisco makes constant mention that this material is meant specifically for a SOC Analyst. I think it effectively overviews the general things I think an entry level SOC Analyst should know coming in, or have learned about in their first 6 months. And this includes not just book knowledge, but ability to utilize some tools and troubleshooting and log/alert reviews (aka analysis!).

I would slot this material about one half step above Security+ (It’s been years since I took this) and at a similar level to the SANS GSEC course. (I have not taken that, but the topics covered seem to match very closely). I think someone could conceivably skip GSEC if they hold the Cyber Ops cert, and vice versa. Moving from something like the CCNA R&S track over to pick up Cyber Ops could be conceivable for maintaining the latter and expanding a career path. I would expect that a 2- or 4-year degree in infosec would be at least equivalent to CCNA Cyber Ops cert.

Keep in mind there are two exams that make up the Cisco CCNA Cyber Ops Certification. The above-mentioned SECFND as well as the Implementing Cisco Cybersecurity Operations (210-255 SECOPS), which dives deeper into actual SOC processes and procedures. I have not reviewed that material other than a cursory glance at the exam topics.

Should the CCNA Cyber Ops cert be mandatory for entry-level SOC Analyst candidates?
Of course not. But a candidate with this is going to be looked upon favorably. Personally, I think most any sort of IT background or degree (plus security interest) is enough to get someone in the door as a SOC Analyst. This will help a) provide training for someone already in the door, or b) help set someone just a little bit above their peers. I’m not sure I’d pick someone with GSEC, Sec+, or Cyber Ops over the others in that grouping, but any sort of interest and proven knowledge is good. I think the cert should allow for more lenience on any actual years of experience, though. That is probably the balls-iest thing to say in all of this. I would honestly say that someone who can consume and learn from this material has knowledge that is gained in 0.5-2 years in a SOC by someone without that prior learning.

Is the CCNA Cyber Ops geared towards students with 0 professional experience or those that have some level of prior knowledge/experience?
Here’s the breakdown of what I feel someone should know coming into this material:

security and cryptography concepts at a Security+ level.
enterprise networking concepts (LAN, WAN, sec tools) at a 0.5-2 year professional level
Windows troubleshooting/experience at a 0.5-2 year professional level (desktop/server blend)
Linux troubleshooting/experience at a 0.5-2 year professional level
Programming/coding/web dev experience to some degree
Cisco product exposure, CCNA R&S exposure to some degree

While I don’t think someone needs, say, 0 Windows experience, I think they need to know Windows (or conversely Linux or networking) to a degree that someone could work at an entry-level Windows admin job, for instance. If a candidate has 0 Windows administration/troubleshooting knowledge or 0 networking knowledge (ever set up home LANs?), I’d point them first to an A+ or Security+ course track. For Linux, I’d probably point to Linux+ as a primer. However, I think someone with decent personal Windows/networking/Linux knowledge can succeed here, even without having had that experience on a professional job. Also, a 2- or 4-year IT degree should suffice.

Some of the topics and technologies you really don’t get without having some exposure to security processes in an organization, but the concepts shouldn’t be foreign (i.e. LDAP management, IPS/IDS tools, endpoint security tool features, log collection and analysis). And I think the material does a good job introducing it enough that a new SOC Analyst can hit the ground running in their first week.

Honestly, much of this material matches things I’d ask in interviews for mid-level Windows server or desktop admins. It’s just stuff someone really should know if they pursue a long-term career in IT, let alone security.

Would this be a good option for an experienced IT admin looking to transition into security?
If someone has several years of admin work and wants to get into security, I think this is a decent way to go, depending on goals and prior knowledge. A network admin can get up to speed on security and systems topics, and a system admin can get up to speed on security and network topics. But I think very experienced persons could look further up the chain if they want. But, the reality is sometimes you have to start somewhere when doing a career shift into infosec, and I wouldn’t look down on someone starting here.

What about someone who has 3+ years of security experience?
Honestly, I doubt that student will learn much new, but if the cert helps with job searches or is essentially free, then go ahead. But otherwise I think that level of experience could be looking further upwards. If there is any sort of current security person who could benefit, it’s one who is tasked with building out a brand new IR process, new SOC team, or applicable topics. I can see some good learning happening in that sort of a situation, particularly in the second exam of the two.

Would this be applicable to a non-Cisco shop?
I actually think so, but obviously much of the countermeasures and solutions have a distinct Cisco product slant. Again, I consider the GSEC to be somewhat analogous to this cert, so that can be a substitute.

What could come after CCNA Cyber Ops?
What I also like about this cert is where someone with Cyber Ops can go. I can honestly see this as a jumping point to almost every “advanced” security certification/training path out there, even going into PWK/OSCP, and definitely to CISSP/CISA/CISM or CCNA Sec. I think I might start considering this not just an entry-level-ish cert, but a gateway cert to everything else (much like Security+, GSEC, an actual infosec degree, and even CEH [until the US Gov finally drops it]).

*Would I have taken the course/exams had it not been offered for free?
I honestly doubt it. I’ve been doing IT and infosec work for 15 years, and as such, I’m really not learning much through the course that is brand new to me. Some topics are difficult as I just don’t need some particular trivia every day. But I’d really say I’d have pursued something further up the chain in place of this had it not dropped into my lap. If I pass, I’ll certainly add it to the resume/LinkedIn page, but I think my job experience over the past few years and a CISSP already demonstrate the same commitment and knowledge that this cert would. Given the next 4 months free, I would have spent the time elsewhere.

training and goals for 2018

A function of getting older and adulting more (somewhat) is knowing I just don’t have time for everything I want to do or learn for a given day, week, month, or year (video game habits have suffered the most for this). I’ve found it’s useful to make some lists and goals for the year. In past years, I would make a new year resolution to learn some new hobby or personal skill, things like learning how to play guitar or learn more about cocktails. Recently, I’ve found this is a great habit to have with the career side of my life. In particular, I found other people doing something similar on TechExams.net, where colleagues would make achievable yearly goals that get them where they want to go.

This year, I don’t plan to do a whole lot as far as building a new hobby or interest, but rather hone what I have now, fill in gaps I didn’t get to (I never did learn how to play a guitar very well), play a few more video games (deep-seated job in this activity), and focus on work/career and relationships for 2018.

This list isn’t complete. I have some personal goals I won’t end up sharing here, plus also various notes on topics I’d like to get to, but don’t see myself committing to at this time. Also, some of these items are brief, while I have more detail in my private notes on how I’d like to proceed.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field. I’d like to know both deeply, and it helps keep me well-rounded and ready to tackle most anything that may come my way.
  • balance career growth opportunities along with actual learning. I find as I get further into my career, I need less letters after my name, and have more yearning for learning actual things. In my earlier years, I found I was deeply driven by learning enthusiasm, and it’s so nice when the job itself is aligned with fulfilling that drive. I can point out years I had this, and which years I did not.
  • balance of work-driven (paid) and personal growth learning opportunities. Some wonderful training is cost-prohibitive, or requires access to hardware/software that has a dollar tag on it that is hard to achieve outside the workplace. I feel behind the curve with pursuing this due to previous management frugality.
  • Keep the job! I initially left this off, since it’s part of day-to-day life with me and not a question, but I suppose it needs stated. I like my job outlook this year, and hope to use the entire year to become amazing at it.

structured learning/training

  • Q1-2 Cisco Cyber Ops Scholarship Program
  • Q2-3 SANS FOR508 (GCFA)
  • Q1-4 finish LinuxAcademy RHCSA/LFCSA courses (and finish this subscription)
  • Q1-4 Metasploit Unleashed course (I’ve never really sat down and gone through this…)
  • Q3-4 SLAE-> CTP/OSCE (tentative, or just prep)
  • Q1-2 Maintain CISSP (hey, already done!)

unstructured learning

  • HackTheBox VIP sub (keep offensive skills from getting rusty)
  • work topics (placeholder for work-related learning)
  • Web Hacking 101 book
  • Burp Suite improvement/growth (courses, videos, etc)
  • Python improvement/growth (undetermined)
  • PowerShell improvement/refresher (undetermined)
  • expand Home Lab with automated AD builds
  • pen testing Linux distros to check out
  • CTF participation (as it fits in)
  • learn Scapy usage

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits
  • expand OneNote use
  • work on linkedin/career stories and goals (1-page resume for fun)(sec boss interview questions)
  • work on better anonymity online/VPN service for personal use
  • continue to hone and improve and tighten this and other learning/career lists

personal non-career goals/priorities

  • exercise (regular habit build; should take up biking in spring) and eating better (continued)
  • caring for relationships and friends

using the new noscript addon with firefox 57 (quantum)

Recently, Mozilla has been pushing out its new Firefox 57 aka Quantum. The main reason I still use Firefox as my primary browser is the ability to turn off all scripting with full control using NoScript (IE can’t really, and Chrome I don’t trust fully with it’s built-in allows for Google). So it was extremely jarring when one of my systems updated to Quantum and removed my ability to use NoScript. Turns out, NoScript needed to be rewritten from scratch in order to work in new Firefox versions, which apparently was a rude surprise for even the author. Since then, he’s been working to get the new version stood up and functional.

When NoScript got started again as a WebExtension, it lacked any sort of temporary permissions control, which I use constantly. Soon, it got a global “temporary allow all” which is not something I would even touch. Now, however, we do have more granular control on temporary permissions. Unfortunately, the UI isn’t very clear on what’s happening.

My Use-Case: I browse the webs with Firefox+NoScript. When starting a fresh browser install, I install NoScript immediately and remove all the defaults so that I trust nothing at all. Then I browse what I normally browse. As pages don’t load or functionality isn’t working, I’ll examine what is blocked by NoScript. I then make a judgement call on whether to permanently trust (i.e. allow a script to execute on that page) or temporarily allow it, which means only as long as my browser process is active. Tomorrow, temporary permissions will disappear and I’ll start all over again. Clearly, websites I visit often will have a few permanent allows, but by and large, I leave everything blocked that doesn’t interfere with my ability to consume a web site.

So, let’s get back to the UI. How do I do what I was doing for many years in the new NoScript UI? (WARNING: The add-on is currently in active development, and these screenshots and steps may become obsolete in weeks or days. The version I’m referencing here is

Here’s what I see on ESPN.com:

And here’s a view after I change a few things:

So, what do I do with my typical use-case now? I browse to a site and see it’s not displaying properly. I click the NoScript addon icon (or ALT+Shift+N) to open the drop-down window with all sorts of scripts that want to execute. I click the blue “S” next to one I want to allow. This defaults to temporary allow, and whichever HTTP/HTTPS protocol it pertains to. If the site switches to HTTPS, I’ll need to do this again. If I see a bunch of subdomains under a domain that I trust, I’ll make my choice next to the entry that starts with a “…”. This latter situation is good to use with CDNs which can come from one of many subdomains.

Typically, I choose one script to allow, let the page reload, and keep repeating until I’m either satisfied with how the page looks/works, or I’ve exceeded my level of personal risk with the scripts I’m loading. Sometimes, I see 50 scripts that want to run and just decide the content is not worth wrestling with scripts to get it to work (often video embeds will be quite the hunt to get to work).

This sounds like I might be complaining about my cheese being moved. And partly I am. But, let’s face it, the change is needed and we’ll end up with even more granular control over script execution with this new NoScript version with features I’ve not even touched in this post. If anything, I’m annoyed with Mozilla for putting users like me in this situation where, for several weeks, I effectively was browsing the web with my pants down or not browsing it at all.

2017 goals in review

Late last year and into this year I made some training and professional goals for myself. I thought I had posted about them, but turns I didn’t really post those tidbits (I have a whole host of things in my own notes), but I figured I would provide an update on what I did in 2017 in regards to those goals.

I spent about 2 months preparing for the PWK/OSCP lab and exam pairing, and over 3 more months in the course lab, and passed that exam. Probably one of the most satisfying things I’ve accomplished in my career. Really, anything I say about it and what it means to me is an understatement.

Through the summer months, I was bogged down a bit with a job that I have just since decided to move on from (I have a week off this week!), and I had really set aside more time for a possible OSCP re-take. Failing a first attempt on that exam is not an uncommon, but this did leave me with some extra time for the year.

I also had told myself I should check off another Offensive Security course and cert pair: WiFu/OSWP. I can happily say that I signed up for this course just over a week ago, and this week passed the exam. It’s definitely something I wanted to get done in 2017, and having a week or two off has given me the time to focus on it.

I spent significant time taking some courses on Linux Academy, namely reviewing the Linux Essentials course and RHCSA prep course. I’ve used Linux at home for many years, but have never really had any true formal study in Linux, so this has been nice to fill in some gaps in my knowledge. The Essentials course is mostly review for me, but I have learned a few things. The RHCSA cert itself is not something I will pursue (since my title does not include Linux in it), but I do find it useful to have that level of aptitude and workability in Linux. I started this course as part of an obligation to my employer, and since I’m changing jobs, I’ve put this one more into casual studying over the past few months. This is one of those nice items where my own personal goal fit with my job duties and training requirements.

Among other less tangible goals, I’ve made progress in building out my home lab this year based around ESX running on an Intel NUC. As with any lab, it still needs plenty work, and that will roll into 2018. I’ve also built the habit of attending local security meet-ups, namely SecDSM, through the year. And I’ve also gotten my hands on a few extra old laptops that I can use for additional exposure to non-Kali pen testing platforms.

Job-wise, this was a really big year. This marks the second full year for me being a true full-time security professional. Through the rest of my career, security has always been a part of my duties, but I was still always a sysadmin first and a security admin second (for those who have had that sort of hybrid role, you know what I mean). Last year and this year have been good in this regard; it really does make a world of difference to be able to devote serious time to improving security rather than constantly getting interrupted with small and large operational tasks.

All told, it’s been a transition year for me, and a very good one on almost every front. And while I have some individual accomplishments in the bag, my biggest takeaway has been just being conscious of my career direction, my learning habits, and my continued training. I slacked off over the past several years, and getting back on track has been a huge deal to me and my happiness and enthusiasm.