my netwars core tournament of champions experience

Earlier in 2018, I attended the SANS West training conference in San Diego and competed in the Netwars Core competition. This was my first Netwars experience, and I was surprised not only by placing second in the individuals bracket, but by receiving an invitation to the year-end Tournament of Champions for doing so. I had no idea this was a thing I would get (more on this later), but I was excited to have done well. And, as luck would have it, my work leader was in attendance, got excited as well, and offered to budget out the cost to allow me to attend the ToC event!

So, I headed out to DC for the Netwars Core Tournament of Champions (ToC) held the evenings of Dec 16 and 17, 2018, during SANS CDI. DC was rainy, but I got in a day early to relax, get some grub and supplies nearby, and otherwise spend that evening and most of the next day taking it very easy.

I suppose at this point I should mention that Netwars Core is a hybrid technical question-and-answer competition (jeopardy-style CTF wrapped in a wonderful Star Wars-themed story) and castle-vs-castle top tier played out in 5 Levels over the course of 2 evenings (3 hours each) during most SANS events. Competitors are given a USB stick with some files and a virtual machine to import, and are asked to sign up for an account on the scoreboard where scores and questions are housed. Levels 1 and 2 consist largely of your typical infosec CTF questions like which Linux command does this, or run this command on the provided event virtual machine and find the flag, or decode this password. These questions range from non-technical through the gamut of many skills and tidbits of knowledge such that even novices have a good shot at having plenty to do. And for those questions that are unfamiliar, you can “unlock” hints for free which definitely get most people on the right path for answers. As competitors submit answers and score points, more questions are unlocked. At some point, Levels 3 and 4 are unlocked, which starts competitors down the path of offensively probing and attacking systems on another network altogether. And, earn enough points, and you can get up to Level 5, which is a whole new competition in itself. At Level 5, the game becomes a more classic CTF where competitors get a castle of services they need to defend and keep up while trying to also take over and bring down the castles of other teams to score points.

For anyone daunted by that Castle part, at least be comforted that not every SANS Netwars Core event has people get far enough to unlock Level 5. Most of that top tier competition comes from the pentest-focused events like SANSFire or Hackfests or here at ToC or on the separate Netwars Continuous package.

I didn’t have much to prepare for or with. I scored 275 points in the earlier event, which took me up almost entirely through levels 1 and 2 and into some clear stopping points in Level 3 and 4. Unfortunately, I hadn’t saved any questions or code or scenarios from those higher levels, so I only had vague memory to go by. I didn’t know 2nd place got an invite nor how all of this works! I had saved the questions page for the initial levels (most of which can be answered in the provided VM), but I had most of those already solved, so there wasn’t much to do there. See, the game itself closes after the event, so you can’t go back and see the old questions or hints. Even worse, once you hit Level 3 (I think), the scoreboard and targets are on a different network that you connect to which also isn’t available outside the event itself. Lesson learned, my friends, lesson learned: Leave windows open, copy/paste, download what you can, save shit, suspend your VM if you can.

Registration and check-in took place about 4pm or so Sunday afternoon, where we basically just got our guest badge. And at about 4:30pm we were allowed into a reception room for free drinks, appetizers, and mingling with fellow security geeks. During this reception, Jason Blanchard and Ed Skoudis gave a presentation about the event and some of the rules specific to ToC that we need to know about. Also, one of them made mention to look around the room and take in the fact that lots of excellent and smart people were in that room. To be honest, that was one of the better moments of the event for me: being in the company of some super smart and dedicated people. We also got handed our swag (a custom t-shirt and an athletic polyester long-sleeved black half-zip shirt), had a chance for some forced mingling with fellow competitors, and then slowly wandered down into the competition seating area.

When I got down to the seating area, some teams were already moving desks to face each other, and I picked out a spot for myself between some teams so as not to get in the way. ToC players had seats on the left side of the room reserved. Turns out, I sat behind the team that would end up winning the overall prize. I got set up, got a drink, and waited out the rules presentation before getting started! I will say, while the rules went on a surprisingly long time, I actually really enjoyed Jeff McJunkin’s energy and enthusiasm as the emcee/host of the event.

As this was just my second Netwars event, I was in for an unexpected start. I spent the first 45 minutes keying in answers I already had, unlocking more portions of the scoreboard, and just turning my mind to mush. It was pretty awful once I sat back in my chair near the end of this marathon submission session, and I wondered how the heck I would find my groove back and actually “get into” the VM and the mindset of the challenges I was cleared for, especially since some of the things you do in early challenges set up the VM to be ready for the later ones. I think once all of my answers were submitted and I was feeling pretty lost, I got up to get a drink and take a small break. I can definitely see why the established teams have their answers all scripted and submitted within minutes! (I’ll have to save the web page code and figure that out next time.) The team ahead of me, of course, submitted all 645 points of answers and sat back for their Level 5 access. Turns out, there were some technical issues with the Castles, and those teams ended up sitting around waiting for about 90 minutes.

Now, I will say just reading this during my proof-read, I can realize how someone will look at this and wonder why compete if there are whole teams that just script the answers up to Level 5? Well, as part of the ToC rules given during the reception, players were awarded prizes in 4 groups: Level 5 teams, Level 5 individuals (I believe there were only two brave enough to tackle Level 5 alone), other Teams, and other Individuals. So, even if you didn’t have Level 5 unlocked, you could still earn something by crawling up higher into Level 4. I do not know when Level 5 actually opens, but if it’s at 645 points, you can see there is still a gap in the field based on the screenshots at the end of this post.

Once sitting back down, I got my head in the right place and started making progress. For the rest of that evening, I felt pretty good with my progress, but I definitely had and still have a long way to go. By the end of that first evening, I had clawed some points above and beyond what I already knew, and felt confident in my progress. I made sure to keep scoreboards open and save files, questions, and hints for research later that night and the next day. Looking back, my biggest wins that day were the experience of that first marathon of answer submitting, and the saving of relevant data/info for research later.

If I had any complaint on the event, I may as well get it out of the way here. The music played during the hacking activities was largely 80s and early 90s rock. Things like Van Halen, Bon Jovi, Billy Idol, Starship, and so on. And while I grew up in those times and am quite comfortable with that music, I did not need to listen to “Don’t Bring Me Down….Bruce!” 3-4 times (the only repeat I remember hearing), nor do I really want to listen to that rock for 3 hours a night while doing hacking things. It was distracting at times. But that’s me; I’d prefer some sort of techno/electronic genre (deep house, lounge, chill, psytrance, trance, or anything in between). Or maybe at least a slightly better curated 6 hours of rock. (It’s honestly not that long, but can feel long.)

One tip before the night of the event is to make sure you know how to import or add a new virtual machine to whatever VM platform you use. Once sitting down in the competition hall at a desk, be sure to keep your head up and look for whomever is handing out the Netwars USB sticks and instruction sheets and be sure to get one of both. If you don’t get an instruction sheet, ask to take a picture of someone else’s near you.

In fact, here’s a general checklist for someone sitting down to Netwars 5.0 for the first time:

  1. Prep: Bring a mouse. Bring a second portable monitor if you have one. Both of these make the experience so much better. Bring headphones and music if that helps you. Make sure you have whatever virtual platform of choice you prefer already installed and ready on your system. As far as other software, you don’t really need much else on the host; most things are either present in the VM or can be downloaded into it from the Internet later. I’d also suggest being at least a little familiar with Linux command line (things like ls, cd, cat, file, cp, rm, touch, chmod, chown…that level of stuff). I don’t suggest using a work laptop, unless you have the power to turn off security protections so as not to kill/quarantine what you’re doing! I used an old Thinkpad X230 upgraded to 16GB RAM and 500GB SSD, running Win 10 and VMWare Workstation 15 Pro, with an AOC 16-inch portable monitor; the portable monitor is a lifesaver as the X230 screen size can be limiting alone.
  2. Sit down and set up your computer; power strips should be nearby.
  3. Once booted up, get on the netwars core wireless (will either be on the instruction sheet or on the screen up front). I suggest writing this down.
  4. After that, get your hands on the USB and start copying all of the files to your system. It’s always better to work off the local copy than straight off the USB.
  5. Once copied, fire up the VM platform of choice, and import/add the .ova file as a new VM.
  6. Once added, I strongly suggest increasing the RAM on the system above the default if you can spare it, and also add some video RAM if using VMWare (if you can’t find this setting, then don’t worry about it, it’s just to have better full screen sizing on some versions; probably not a problem with a laptop).
  7. It should work by default, but I also strongly suggest being familiar with testing and enabling (if needed) copy/paste from the VM to your main system.
  8. When ready, start the VM and log in (should be on the instruction sheet or it will just autologon for you). There’s no reason to not at least start up the VM and test Internet connectivity. Maybe even poke around the system a bit.
  9. I don’t recall ever needing to deal with installing VMWare Tools, but maybe I just do this automatically and remember it. I’m adding it here as a reminder to think about if something isn’t working.
  10. Once ready, feel free to get a drink or two and for the love of all that is pure, lock your system when you walk away.

During the event, you do what you need, but I strongly suggest taking a break now and then. Get up, stretch, get a fresh drink, take a small walk, get your eyes and brain off the screen a bit, tip the bartender, start up a quick intro conversation with any others back there in line, wish them luck, and get back down to business.

I know some people bank points until the final 30 minutes of the last day when the scoreboard is hidden from view, but honestly, I’m not sure who does that, since the more points you submit, the more new stuff you unlock. And I think in most cases, it is better to unlock things early than in the waning minutes. There may be some more easy points waiting!

I wish I knew the cutoffs in points where things unlock. Maybe next time I’ll try to pay attention to that….

On day 2, I sat in a different place behind a team from the Army branch. I honestly don’t know how they did (not top 3 at least), and I’m unsure if they are displayed on the scoreboards and have a made-up team name or something.

Day 2 was a more heads-down day working on some of the new challenges, and I made some progress by the end of the night, totaling 328 points and finishing in the middle of the pack at 31st place. Unfortunately, I didn’t really unlock anything by the end of the trip that I shouldn’t have already had from my first Netwars experience, but at least this time I am better able to take some studying points home to work on directly.

In reflection on my experience, I feel like there are probably 4 very different experiences you can have with Netwars.

  • First timer – This is the purest experience as someone completely new sitting down at a blank scoreboard with questions to bang away at and answer. This was absolutely a blast and I encourage everyone attending a SANS event to give Netwars Core at least this first try. It has accessible questions so everyone can ramp up slowly into more involved stuff.
  • Experienced aka “the level 4 doldrums” – After the first experience, no matter the performance, coming up next are what I would call the level 4 doldrums where a competitor has completed the things they find easy, and are now working harder on the trickier or less familiar topics. This lasts until one can unlock level 5. Large swaths of an event may be spent working on just a handful of challenges at hand. This is definitely where I am. I unlocked Level 4 on my first event, and now I get to spend a lot of time making slow progress through it (and finishing challenges inside Level 3). The one caveat that may change this experience is joining up on a team of others in the same boat, but I have mixed feelings about teams prior to level 5.
  • Level 5 unlocked! (fanfare music) – This is probably the next big jump, where one emerges from the Level 4 doldrums and unlocks Level 5! …And then is lost while trying to figure out the castles, defend them, and somehow also attack. The first experience in Level 5 is probably pretty rough, especially so for an individual. But, you gotta have a first time at some point so you know what’s coming up next time and how to start preparing for it. Because, let’s face it, there’s only a small number of posts about the experience of Level 5. It might be interesting getting to this experience on a team, either of those who’ve made it before or all newbies to Level 5, as at least then you can get some boots on the virtual battlefield quicker. And even at some of the larger non-champion events, there may not even be any other Level 5 teams! I think in that case, even if unlocked, you don’t get your Castle early, as that might be a little unfair to later entrants, but I don’t know that for sure.
  • Level 5 veteran – Lastly, all that is left is to dive into Level 5 with eyes wide open, probably as a member of a team. This is the ultimate experience, and I hope to get there someday to at least give it a try once. I’ve never competed on the blue side of a castle-style CTF like that (only the red team, and it’s been years).

One nice small benefit I received after the event was a discount to Netwars Continuous. While still a large chunk of money, I might have to think about that if I want to experience Level 5 competition and get some practice. (Assuming I get up to it!)

Would I do this again? I think so, but I don’t know. I don’t really learn much from it directly, but I love the access and mingling with other extremely smart people, just like any other SANS event. I am qualified for two years, so I’ll have to think hard about it. My participation may depend on others on my work team being able to go, or my progress towards Level 5, and of course budgets. That said, the meeting of other people and the chance to further hone skills is always welcome in this ever-learning industry. If I were on a Level 5 team, I absolutely would!

Would I suggest others do this? Yes! If you can budget this out (keeping in mind you don’t necessarily have to be taking a course at CDI to attend ToC!), I think this is a great event to experience at least once. Even better if you get the chance to experience this at Level 5 with a team. There really are not that many chances to experience something at that level and I think they would be worth it.

What’s next for me? I have a very long ways to go, and the number of questions I have in front of me to answer has dwindled quite a bit. Basically, I’m at that point where I need to answer a question to open the road to answer the next question, and so on. My choices are limited, and while that means I can focus my studies a bit, it also means I have no idea what’s behind those doors.

I’ll next be at SANS East the first week of February with a coworker. I plan to sit again for Netwars Core rather than trying out DFIR yet. And this time, I’m taking a course that I need more confidence and speed with (SEC542) which hopefully gets me another small step or two through the Level 4 doldrums!

(images via CounterHack team and Sean Donnelly)

us-cert and questions ceos should be asking about cyber risks

US-CERT has posted up a nice list of Questions Every CEO Should Ask About Cyber Risks. I can’t say I disagreed with anything here!

It’s nothing much, but I did look a bit hard at the metrics section where it says, “An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise.” While I agree with this, most organizations still need to adequately find or be told about a vulnerability first and get it into the analysis and remediation pipeline, before they can start measuring how long it takes to patch it. Or maybe a better wording is to allow for the fact that a vulnerability may have existed before an organization learned of it and started work to patch it. I wouldn’t want someone to think the measure is just from when it was learned to when it was fixed.
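To make the distinction concrete, here is an added example (mine, not from the US-CERT document) that computes both readings of the metric over a constructed set of vulnerability records: the literal “awareness to fix” time, and the exposure window that starts at public disclosure and therefore includes the time before the organization learned of the issue.

```python
"""Two readings of the "time to patch a critical vulnerability" metric.

Added example with constructed sample data; record names and dates are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    name: str                      # constructed label, not a real identifier
    severity: str
    published: datetime            # when the vulnerability became publicly known
    learned: Optional[datetime]    # when the org first became aware (None = still unaware)
    patched: Optional[datetime]    # when fixed across the enterprise (None = still open)


def _days(delta: timedelta) -> float:
    return delta.total_seconds() / 86400


def time_to_patch_days(rec: VulnRecord, now: datetime) -> Optional[float]:
    """The literal reading: from the org becoming aware to the fix.

    Undefined while the org has not learned of the issue at all, and it keeps
    growing until the patch lands, so open items are measured up to `now`.
    """
    if rec.learned is None:
        return None
    return _days((rec.patched or now) - rec.learned)


def exposure_days(rec: VulnRecord, now: datetime) -> float:
    """The wider reading: from public disclosure to the fix.

    This includes the time the org was exposed before it knew anything.
    """
    return _days((rec.patched or now) - rec.published)


def discovery_lag_days(rec: VulnRecord, now: datetime) -> float:
    """Disclosure to awareness: the part the literal metric never shows."""
    return _days((rec.learned or now) - rec.published)


def summarize(records: List[VulnRecord], now: datetime,
              severity: str = "critical") -> Dict[str, float]:
    """Aggregate both metrics for one severity band, plus the blind spots."""
    subset = [r for r in records if r.severity == severity]
    ttp = [d for d in (time_to_patch_days(r, now) for r in subset) if d is not None]
    exposure = [exposure_days(r, now) for r in subset]
    lag = [discovery_lag_days(r, now) for r in subset]
    return {
        "count": len(subset),
        "still_open": sum(1 for r in subset if r.patched is None),
        "not_yet_known": sum(1 for r in subset if r.learned is None),
        "mean_time_to_patch_days": round(mean(ttp), 2) if ttp else float("nan"),
        "mean_exposure_days": round(mean(exposure), 2) if exposure else float("nan"),
        "mean_discovery_lag_days": round(mean(lag), 2) if lag else float("nan"),
    }


# Constructed sample: four criticals in different states, plus one high to show filtering.
NOW = datetime(2018, 12, 1)
SAMPLE = [
    VulnRecord("crit-A", "critical", datetime(2018, 10, 1), datetime(2018, 10, 3), datetime(2018, 10, 10)),
    VulnRecord("crit-B", "critical", datetime(2018, 9, 1), datetime(2018, 10, 1), datetime(2018, 10, 6)),
    VulnRecord("crit-C", "critical", datetime(2018, 11, 1), datetime(2018, 11, 20), None),   # open
    VulnRecord("crit-D", "critical", datetime(2018, 11, 15), None, None),                   # unknown to the org
    VulnRecord("high-E", "high", datetime(2018, 11, 10), datetime(2018, 11, 11), datetime(2018, 11, 12)),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, NOW).items():
        print(f"{key}: {value}")
```

Record crit-B shows the gap in one number: 5 days from awareness to fix, but 35 days of exposure, and crit-D contributes to exposure while contributing nothing to the literal metric.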

I also understand that “industry best practices” can be a little flexible and arbitrary, but I don’t have a great alternative to that beyond constant review and improvement with multiple eyes and documented reasons and justifications for policies and standards.

the three laws of opsec

Just saving for future reference.

Three laws of OPSEC (Kurt Haase)

  1. If you don’t know the threat, how do you know what to protect?
  2. If you don’t know what to protect, how do you know you’re protecting it?
  3. If you are not protecting it, the dragon wins.

the position of threat hunting

It couldn’t be more timely to see a couple of blog posts on the topic of threat hunting, one from Robert M. Lee and another by Richard Bejtlich. (Updated to also add some Twitter comments links, as I think I agree with this position.) Reason? The past couple of weeks I’ve been reading papers and other posts and job descriptions of “threat hunting,” as I try to figure out what that means and what it does in a security organization.

See, I’ve been part of the infosec community since around 2001 in some form or other. But around 2014-2015 or so, I fell a bit out of touch; I didn’t read much from Twitter or other blogs and feeds of mine and didn’t really do any cons or other learning. As such, I turn around in 2016 and plug back in, and things like “kill chain” and “threat hunting” take me a bit by surprise at how suddenly they’ve popped up. And in the case of the latter term, I’ve been trying to figure out where it came from and what it really means. I mean, I like the idea of the task, but it doesn’t seem like a full time position to me; it seems like an amalgamation of other duties, or maybe just a way to save money on external pen/red team tests by getting internal offense members, and concocting some additional things for them to do so you don’t lose them to boredom.

(Side note, it’s an interesting time, where organizations want to do more than just strictly blue things, but it’s hard to make sure your offense-minded folks don’t get bored or jump for those flashy full-time pentesting gigs. Likewise, blue tools and signatures are reaching their limits of usefulness, but other techniques and detection and analysis require more effort, intelligence, and experience to wield for proper value; enter offensive minds.)

My confusion stems from hearing about the tasks, and not being sure if the hunter is looking for latent, active compromises in dark corners of the enterprise, or if they are testing for weak points in an organization’s posture and providing fixes. Or maybe they are like architects for new tools like UBA/UEBA as they attempt to emulate attackers and define how detection tools may help identify them better, especially when you have to rely on behavior and anomalies rather than hard signatures or IoCs (hey, there’s another surprise term that is new!). To me, security is not just about watching alerts in a SOC, but about constantly improving the position of the security functions. In a sense, I’m always looking for ways to have more complete visibility, or at least know where my blind spots may be. Role-playing and tabletop exercises help stimulate that thinking as well. Things like analyzing a new vulnerability announced and how to tell if that affects or has already affected me, or a new minor incident and what pieces of information are annoying to procure. Every blue question has a chance to improve the environment.

Also, is a threat hunter part of the blue team, part of the IR team, or part of an internal red team? Or maybe some combination of two or more of those areas; a sort of way to fill in some time between other tasks. Is it a way to get your SOC members something a little more mentally stimulating than watching alerts all day? Does it complement or replace role-playing exercises?

Anyway, I don’t have these answers yet, but these were timely articles on a topic I’ve been currently wrestling with.

learning and career goals for 2019

Yearly, I try to make an achievable plan for studying and career goals and ideas. I’m not getting any younger, but even now my eyes are wider than my free time when it comes to wanting to learn things. It’s a “problem” I’ve had forever, but I definitely want to make sure as I make these year-long plans that I at least maintain some sanity. I’d mapped out my previous 2 years, and I am super happy with the process and my results, so I’ll push myself again some more this year. I’ve added 4 certs (plus the learning!) to my belt over the past 2 years (OSCP, OSWP, CCNA Cyber Ops, GCFA), plus all of the learning and growth that come with them, and I have some more lined up this year.

My theme for 2019 is going back to the offense, and specifically web app testing with some binary exploitation thrown in. Every year, I’ve been striving to alternate between being defense-focused or offense-focused in my formal training. We’ll see how well I keep that plan up!

For some of the items below, I have more fleshed out maps and resources to pursue than what I list here.

Formal Certs and Courses

  • SANS SEC542 (GWAPT) at SANS East – GWAPT has been at the top of my list for SANS certs for a while. I have a long history of working with web servers, sites, coding, and attacking, but I still feel somewhat of a neophyte when it comes to web app testing (and I probably am intermediate at worst). I really want to beef that up, or at least give me something tangible for reassurance. I also want to take care of this earlier in the year than I did last year’s SANS course in May, so I’m hoping to get signed up for SANS East somewhat soon. This will be a cert I pursue, too, so that will add a few months of studying. Specifically, I want to feel better wielding BurpSuite (and other tools), attacking SQLi issues, and doing some automated and manual web app scanning and testing.
  • TBD Second major training: Black Hat USA Trainings or SANS SEC573 (GPYC) Python or SANS SEC545 Cloud – I want to see what I can push for out of my work budget, so I’ve requested a second major training opportunity, but have left it more open-ended. I’ve also tried to pick things where I wouldn’t necessarily exit the event with the commitment of lots of studying for a follow-up cert. SEC573 will give me some excellent Python experience and I could still optionally pick up the cert. SEC545 was added later as a sort of acknowledgment that my AWS/Cloud specifics are a little weak in practice yet, and if work wants to send me to that, I’d be ok with using my second slot for it. If Black Hat gets chosen, I’d probably look for some further web app or other red team course to take, and then stay for Defcon on my own. This is pretty aggressive for me, but I’ll be super excited if I can make this happen.
  • Linux+ – I wanted to get this slotted in this year for reasons (a study-buddy or two). I consider this a slightly more informal certification to pursue, and I already have a Linux Academy subscription anyway. My goal here is just to get better with formal Linux knowledge and try out some peer support/mentoring. I’ve long had this cert on my distant radar as one of the few ways to demonstrate Linux comfort on a resume.
  • SLAE (+ OSCE prep) – OSCE continues to be on my radar, but it might be too much this year to slot it in for a full commitment. However, I would like to pursue my roadmap prep list to get there, which starts with tackling the SLAE from Pentester Academy and maybe some other companion topics. SLAE is very open-ended and I expect to learn a lot of things I’ve just not been exposed to before (assembly, shellcoding, etc).
  • CCSP (Cloud) – Another nod to being a work-influenced topic, but I wouldn’t mind spending some time studying up for the ISC2 CCSP (Certified Cloud Security Professional) cert. Definitely the lowest priority on my list. I could even replace this with the AWS Architect certification, which I can study for through Linux Academy.
  • Pentester Academy tracks (+Red Team Lab?) – I just recently signed up a subscription for Pentester Academy and want to make further plans to slot regularly learning from it into my free time. They have a Red Team Lab that I want to keep in mind, but is a lower priority (and extra cost).
  • Linux Academy – Just an acknowledgement that I have this subscription active. What’s great is this will support not only Linux studies, but also cloud-related things.
  • Splunk Fundamentals & Power User – I want to get better with Splunk, and the first steps will be to pursue the free Fundamentals training and certification, and then look at Power User. This may get higher priority if work pushes it, or if I get sent to Splunk .conf again in 2019, where I can take a course or the exam on site. This one really depends on some external work influence to prioritize it higher.

That’s seriously aggressive for me. Even at my most conservative estimate, I should walk away from 2019 with GWAPT (2-4 months), Linux+ (a month or two), and SLAE certifications (2-4 months), with CCSP and Splunk and OSCE lurking around the corner. That’s some serious work I’d have cut out for me, and I totally know it. And I haven’t even gotten to informal topics I want to dive into over the next year! Thankfully, a few of them overlap…

Informal Topics

  • Web app topics and GWAPT prep – I have several books and topics that will go into my preparations for the SEC542 (GWAPT) course. This item really is just about making sure my web app work neither starts nor ends this year with just this course.
  • Binary exploitation / buffer overflows / reversing – I also feel inadequate when it comes to reversing, fuzzing, binary exploitation, and handling buffer overflows. This goes into my preparation for OSCE as well. I have some HTB boxes/challenges, courses, books, and a few other topics listed out behind the scenes that slot into this bullet item. This overlaps with more Python work, too.
  • Bloodhound (AD mapping) – A tool I want to not only try out, but incorporate at work.
  • HTB some more! RastaLabs / Offshore and POO/Endgame – I nearly got HTB out of my system this summer by hitting Omniscient with challenges and boxes. However, beyond just catching up on new boxes, HTB still has some offerings (free and paid) that I have yet to take advantage of. I’d like to. I currently have VIP access, but I’ve not decided if I will renew that next year. So this does mean I want to set aside some time to go through all of the retired boxes (along with IppSec walkthrus as needed). This platform is great to jump in and out of in bursts to keep my attacker skills from getting too rusty.
  • Books – I have a list of books/ebooks that I want to consume. It’s not large, but significant enough that I wanted to put onto my goals. I have a love-hate relationship with infosec/tech books. I used to collect these far more than I do today, but the number that never really got used outweighed those that I found useful to some degree or other. I’ve trimmed my collection down about 75% over the past 5 years, but I’m slowly picking out new ones to consume that I know will either be useful references or good actual reads/lessons.
  • BurpSuite – I list this here because I still want to get better with BurpSuite. I have a course identified that will help, but I imagine SEC542 will help as well.
  • Python and PowerShell – I continue to yearn to get back up to speed and beyond on PowerShell and Python again. If I can take SEC573, that will certainly bring my Python comfort way up. Grabbing onto some work projects can help with these as well.
  • Scapy – Scapy is something I want to learn as I pick up Python. It’s long been on my list, and I admit it’s still waiting due to lack of me needing it day to day.
  • PluralSight – I normally don’t just list a subscription I have, but I wanted a reminder that I have this subscription open, and if I don’t find uses for it in 2019, I should trim that cost off.
  • Home lab / Blog / Github – I have a whole list of things to do on the home lab that I won’t list (and commit to!) here, but it’s a thing on my radar. One thing this does include is cleaning up this blog a bit and using my github for more things. The main immediate item will be moving all my links on the right pane over to a github page and maintaining it there for the future.
  • Leadership – From the triple threat route, the one place I have no demonstrable experience is infosec leadership (vs offense and defense). So if I have chances, I should try to tackle and succeed with project management, vendor relation, team mentoring, and presentation opportunities. I’ve long been a team leader/mentor type, but have rarely translated that into something demonstrable, visible, or upward-facing, if that makes sense.

Cons/Meetups

  • SecDSM – Monthly meet-up that I always attend and will continue to do so.
  • BSidesIowa – Local Bsides event that I’ve always liked. I may focus more on the CTF this year than talks, though.
  • SecureIowa – This was only ok for me, but it helps that it takes place during the work week.
  • Wild West Hackin’ Fest? – I’d love to try and get to this next year. Slotting it in, but not sure yet.
  • Splunk .conf 2019 – If work wants to send me to this, I’ll think about going. It’s in Las Vegas, so a little less exciting than before.
  • ArcticCon? – This is a red team vetted-invite con in Minnesota. I doubt I “qualify” for an invite, since I don’t have a red team job, but I sure would love to go.
  • Defcon – If I get a chance to be sent out to Black Hat USA, I’ll stay a little longer on my own dime to attend Defcon again. If not, it’s pretty unlikely I’ll go on my own.

Cert renewals

  • CISSP – This is just my yearly CPE maintenance. As long as this is easy to maintain, I’ll keep it up, since I have no real reasons why I shouldn’t.

ranting and could care less about obscurity

Maybe it’s because summer has given up the fight and it’s diving colder today for the weekend, but I feel ranty.

My other rant this morning is about security through obscurity. I hate seeing people say that this is bad. I mean, passwords fit into this category! The proper frame of mind is to say, “security through *only* obscurity” is bad. I can move my SSH port to tcp 32154. Does that make SSH more secure? Not in itself. Does it make it harder to find and thus adjust my risk factor? Yes, somewhat. All those port 22 scans on the Internet will pass me up. Obscurity can certainly be, and almost always is, part of one’s security posture.

Also, I hate when people say, “I could care less.” Well, that means you could in fact care less, which means you care. You mean to say, “I couldn’t care less.”

*curmudgeonly sounds*

pessimistic on security awareness vs technological controls

(This post is going to sound exceedingly pessimistic about us humans. It’s purposely slanted a bit to make some points, but also to let me rant just a bit.)

I just got done reading a rather large post elsewhere about information security training. And it was long, and detailed, and probably more detailed than anyone actually does, anywhere, without multiple full-time staff dedicated just to training.

Which brought me to the question: why do I take a slightly more pessimistic view of security awareness training? I like awareness training, but I put more emphasis on actual technology controls than I do on trusting people to do the right thing. I’ll trust, but I’ll verify. I’ll say security awareness training is necessary, but I won’t say it’s one of my key tenets I lean on to provide security or one of the most important things one can do in the business to improve security.

To me, training has a few achievable goals (this probably isn’t my exhaustive list, just a quick one):

1. checkbox. Let’s face it, requirements are a driver.
2. education on process – Make sure everyone knows how to deal with incidents or questions. Know to dial 911.
3. education on best practices – Enough knowledge to have a chance to make the correct decisions.
4. education on bottom-line performers – Provide education to those who truly didn’t know these things.
5. education about controls – What they are, why they’re in place, how they help. How to work with them instead of against them.
6. education about things too nuanced for actual controls (lots of social engineering falls here, and this is the elephant in this post).

That makes it sound like I want to deliver lowest denominator training, but that’s not true. I actually think training should challenge the audience a little bit, and make sure it improves knowledge, rather than baseline it. I prefer trainings that add value, even a little bit, to the audience, rather than “yet again” going over the same ol’ bullet points. I want people to learn something and not feel talked down to. One of the main problems is such learning can get into technical weeds pretty quickly. Questions like, “Well, why is this password weak?” or “What do you suggest to be more secure at home?” get deep very quickly, if you’re not careful and empathetic to the audience. Also, random attendance can mean you get non-technical folks in with the developers, and those developers love to ask questions about password complexity, because it’s arguable and there’s no real good right answer, which muddies the experience.

But, why do I get pessimistic about awareness training? For the same reasons I think people suck when they make risk decisions while driving. Unless there are radar detectors or tickets waiting around a corner, many drivers will drive at a speed that matches their own desires and risk tolerance, which often seems to be 5-15 mph over the posted speed limit, but sometimes more. Let’s just say 30% push this boundary marker on any given road.

These are the same people in the business as are on the road. And in the business, they have their own goals and things to get done for their job, boss, and customers. In fact, I would guess that 30% of employees will do whatever they need to do to get their jobs done efficiently, even if that runs contrary to security policies, as long as they’re not outright prevented. Need to trade a document with a client, but the client balked at the clunky “email encryption” solution you utilize? It’ll be ok to use Dropbox this one time. Email is too clunky? It’ll be ok to use Messenger on my phone. I need to work on this highly confidential document at home this weekend and I don’t want to bother VPNing in? It’s ok this one time to put it on my personal USB stick.

People will do what they can get away with if it is in their best interests. People are innovative, creative, selfish, and usually pretty passionate and determined. None of that should imply malicious, but there are malicious actors lurking as well.

This means you need to pair up education with technological controls. Actually stop the unwanted behavior as much as possible, or detect/alert and provide feedback when it occurs. And educate about those controls and why they are in place. It also means that breaking security policies should cost users more than they gain, making it actually in their best interest to follow the policies.

Education goes so far. You can post signs about children at play, school zones, speed zones, and even radar detection enforcement. But you have to have controls in place that properly detect, prevent, stop, and penalize unwanted activity if you truly want to reduce and change behavior.

I do think people generally want to do the right thing, but that often slides to the side when someone needs to get something done.

If a control impedes business or seems like it stifles innovation or “getting the job done,” then it needs to be discussed, along with the reason why such controls are needed. This way alternative solutions can be identified and tried out, rather than users crying about security and security crying about users. Both sides need to know the lines, the controls, and where the business itself wants to draw them.

my certifications and how they helped or did not help the career

A thread recently came up on TechExams.net forum about the order one got their certifications and which ones helped their career or were unnecessary. I typically don’t try to regurgitate my life story in random places, but I liked the question enough to ruminate on it a little bit. My certification path is a “stop and start” type and requires a few extra timeline points to explain some things.

~1998/1999 – Started blogging – Just a personal milestone for me.

2001 – MIS 4-year degree – A career milestone. I may have felt a little obligated to get this; I mean, after high school, you go to college, right?

2001 – Found a deep interest in information security – Several factors came together to this realization (writing a gaming site post about finding a career by using your PC gaming skills and getting into Linux distros, for instance), but the singular event that really informed me was picking up a random thick book from Barnes & Noble in my earliest efforts to keep learning after school: Hack Attacks Revealed by John Chirillo. The knowledge and attack/defense tools stoked a fire that will not be going away.

~2001/2002 – Started blogging about tech/security & first vanity domain – At some point, I started blogging regularly about tech stuff and security topics, mostly just interesting links and tools. Many of these posts are either lost or buried in another data file backup somewhere along with personal blog postings. After leaving school and leaving their nice hosting, I also picked up my first vanity domain.

2002 – First “real” job – Basically, the real start of my career!

2002-2006 – Lull #1 – My 4 years at this job marked two things. First, I learned an absolute ton and had an absolute blast doing it. I grew by leaps and bounds during this period. Which probably is the reason this period is also marked by no formal learning or certification. I was underpaid by a company that also wouldn’t pay for training, but I didn’t much mind it since I was learning so much on the job. So, this was my first lull in learning, but it didn’t really feel like it. I have a strong nostalgia factor from these years of my career, work- and enthusiasm-wise.

2006 – Security+ – A job change later and I wanted to demonstrate my interest in security better. Before LinkedIn, you really only had in-person networking and your resume to demonstrate security acumen. If your job title was generic, but you managed security devices, it was difficult to show it. Also, I wanted to learn more. Security+ worked great for this. Spent personal time studying books and passed the exam. At the time, this was also a lifetime cert, which was a bonus I wouldn’t understand at the time.

2006 – terminal23.net domain – At this point, my technical blogging eclipsed my personal stuff in both effort and frequency, so I separated them with a second vanity domain. I took some effort to pull old technical posts into this blog, but some much older stuff I wouldn’t bother with.

2009 – CISSP – I also pursued this one on my personal time using self-study books. I would happily pass on my first attempt. Even at this time, there were threads of CISSPs being derided for not actually knowing anything (one guy at my testing center that I talked to was a sales guy on his third attempt, because it was required for his sales position…), but there was and probably still is no better certification to demonstrate interest in and at least some wisdom about security. In fact, this cert probably opened the most doors and got me the most recruiter attention of anything else I’ve picked up, by far. It’s definitely a gateway cert, and I think everyone in security should at least have this on their roadmap. Sure, you can skip it if you have good demonstrable security work and/or good networking, but for most of us, this makes a statement itself. Even now, almost 10 years later, I’m not sure when I will burn it or let it lapse… On the down side, I didn’t get a raise for this, paid for it myself, and didn’t use it to springboard into another job. Maybe a wasted opportunity for me, but I like where I am today for it.

2009-2017 – Lull #2 – During this period, I grew quite a bit with my skills during work hours, but for the most part, I did not pursue any formal education. I signed up for the PWK/OSCP (PWB at the time) cert, but work threw me, well…work, and I didn’t have the time to devote to it, so I let it slide. It didn’t help that my company did not really budget for training nor encourage it; in fact, I had a manager whose teams always seemed to stagnate and work behind the times with old tech/code/habits. I wouldn’t say I coasted during this period, but I was very comfortable and my days were filled with work at a manageable pace.

2017 – OSCP – Finally started getting that bug to get better jobs and re-find my enthusiasm and learning passion that I had in my first “lull” and early years. I decided to pursue the OSCP again on my own time and dime, and achieved it after about 4 grueling months. Of all of my certs so far, this one gave me the most street cred, and for hiring managers who know it, it definitely gets their attention. Particularly the 24-hour exam.

2017 – OSWP – I knew I wanted to keep learning, and I remember the hey-days of war-driving and backtrack wireless cracking, so I wanted to revisit those activities with what I knew was a much lighter cert in the OSWP. Took about 2-3 fairly casual weeks from start to finish. Really enjoyed it, and left me hungry for more.

2018 – CCNA Cyber Ops – I don’t remember how I learned about this, but Cisco basically gave out free training and certification exams for lots of people who already had various industry certs, so I got this certification for free, though I did have to devote plenty of personal time to get it. This didn’t improve my resume at all, but I did like the experience. And I have to be honest, while I kept up with security blogging over many years, from about 2015-2016 I got a little out of touch with the security industry. And taking the Cyber Ops course filled in some gaps of new ideas and things like “threat hunting” and the “cyber kill chain” and “diamond models” which had been basically introduced at the time. Ultimately, this course pursuit got me back up to speed of the buzzwords of a SOC. Unless Cisco builds something compelling around it, I don’t plan to renew this one.

2018 – GCFA – For me, this is the first time in my career I’ve had corporate backing for education, and also marks a culmination of the next part of my career where I have strong, specific goals for growth. Also, a point where I stepped just slightly outside my comfort zone to formally learn something new that I identified as a weak spot.

Footnote
One thing I will notice in my timeline compared to some other postings in that thread is how some people earn certs and are immediately rewarded with it leading to a new job or a raise of some sort. But, my timeline has almost none of that; many of my certs were earned and I would not say they directly led to a future job. Maybe a few interviews, but certainly not in the same calendar year as the cert was earned. I’ve also had the luxury of not having jobs that required extra study.

I also noticed that I never had (until this year) company or managerial backing for growth like this, and I also never had peers or colleagues who pursued certs or further formal education. That certainly makes a difference, as I do become influenced by those around me, as most do. I had to find the effort to self-start, most of the time.

There’s really no way to say it without sounding conceited, but all of my certs came from my own motivation and my own desire to learn and/or demonstrate knowledge in security. That’s not any less or more than other reasons to get certs, but I found that enlightening for me. It also helps illustrate what makes me happy, what drives my passion for this industry, and informs my plans for the future.

top ten strategies of world-class socs

I find it crazy that I’ve not seen this before, but I got linked today over to the MITRE Ten Strategies of a World-Class Cybersecurity Operations Center free book (pdf). Holy crap this is awesome. The rather large first section talks about building a SOC and the various considerations that go into it. And then the top 10 strategies build on that foundation to further guide the growth of the SOC.

Every section has wonderful nuggets of truth like this one in strategy #5 (Favor staff quality over quantity):

Analysts must be free to analyze. It is indeed true that Tier 1 analysts have more structure in their daily routine for how they find and escalate potential intrusions. However, those in upper tiers must spend a lot of their time finding activities that just “don’t look right” and figuring out what they really are and what to do about them. Overburdening analysts with process and procedure will extinguish their ability to identify and evaluate the most damaging intrusions.

Honestly, this might be my second favorite technical book, up there with The Practice of System and Network Administration (Limoncelli).

2018 career goals review

I still have a few months left for 2018, but I feel like I’ve been pretty successful already with my goals on the year. This is really year 2 of me specifically tracking my career growth and learning. In 2017, I earned two offense/red team certifications, and this year I earned one defensive and one forensics certification, amongst other learning accomplishments. So, largely for my own benefit, here’s my summary on the year of the important stuff.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field – This isn’t a goal so much as a lifestyle statement, but I feel like I’m on track here. Even as I plan to alternate learning year over year, I’m keeping both sides in mind every year. I ultimately want to make sure my offense, defense, and forensics can all test and improve the others.
  • balance career growth opportunities along with actual learning – Going well on this! My enthusiasm has gone up quite a bit, and with the exception of the CCNA Cyber Ops cert, everything has been chosen for learning opportunities and not marketability. I think this pendulum will continue to swing permanently over towards learning as I get older and need certs and letters less.
  • balance of work-driven and self-led growth learning opportunities. – Even without leaning on corporate support financially, I feel like I’m achieving this. Like other items, this is less an item to satisfy and more of a theme or lifestyle statement to keep at the top of my yearly goals. I also try to keep a balance of formal and informal learning tasks.

structured learning/training/events

  • Cisco CCNA Cyber Ops course/certification (2 exams: 210-250/210-255) – completed in March and lasts 3 years. Keeping this depends entirely on what Cisco wants to do with this line. Did I learn much from this? I actually did, but it was also all pretty basic to me and easy to approach, consume, and test on. I honestly would not have done this had it not been free. The biggest benefit is now knowing where this fits into my recommendations for other students and newbies, and it’s a pretty good cert for someone looking at an analyst/SOC role.
  • SANS FOR508 (May 11-16 San Diego) + NetWars – completed in May. Absolutely loved my time on site in the course and studying later for my first SANS/GIAC endeavor. I purposely aimed at something challenging that was going to put me into some deeper waters (memory analysis), and I couldn’t be happier for it. Participating in NetWars was amazing, and set up my only remaining engagement yet this year: SANS CDI.
  • GIAC GCFA certification exam passed – completed in September and lasts 4 years. I likely won’t need to sweat renewals for this for a while, as I have a backlog of SANS courses I want to take, and certs I’ll opt into testing for. Overall, loved this process, and having an exam as an excuse to study more really made the material sink in and click for me. This is also an example of me stepping a little bit outside my comfort zone, as I’ve never done forensics like this before. I have a deep Windows administration and security background, but many of these methods and materials were a new approach for me.
  • Maintain CISSP – Completed, of course.
  • Splunk .conf 2018 – Completed in October. Not only my first time at a Splunk event, but honestly, I think this is my first vendor-specific conference in my career. I really enjoyed this con, even if I didn’t actually learn a ton. But, I think I’ve learned how one should approach such a con like this, i.e. come with questions to start a discussion with vendors and subject matter experts or fellow attendees as needed.
  • BSidesIowa, SecureIowa, SecDSM – Kept up with the annual cons and the monthly SecDSM meetings this year so far. A bit of a softball in terms of goals, but I find it is important to keep a line item for cons, local and remote, to stay current on.
  • SANS CDI Netwars ToC – Decided to opt into doing this as I may not get the chance again. Occurs in mid-December and I’m all set up to attend.

unstructured learning/self-study

  • Metasploit Unleashed Course (OffSec) – incomplete. I admit, this isn’t a big deal, and I’m just being stubborn at this point in keeping it on my TO-DO list. But it’s here, and some weekend I’ll just knock it away. (It’s not like this is updated and current anyway…)
  • finish LinuxAcademy RHCSA/LFCSA courses – All of the completed items stole time away from this and reduced its priority. Even if I still don’t get to this in 2018, it’s going to be a thing in 2019 for me as well.
  • SLAE -> CTP/OSCE (tentative, or just prep) – I knew it would be super aggressive and difficult to maintain sanity and also prep for this path, and I’m not surprised I have not even started it. It’s still on the list for possible late 2018 inclusion, or another lower priority in 2019.
  • HTB VIP Progress/Habit – Completed. I got back into HTB with a vengeance after realizing my offense skills were rusty during the SANS NetWars event this past spring. My goal was to hit 50% completion in HTB, shake off the attacker rust, and just build a small habit to keep with it. But, after getting going, I met some folks on the platform and got help when I needed it to achieve 50% completion by July, and 100% completion by August.
  • Burp Suite improvement/growth – Doing HTB got me good practice and experience with Burp, but I want to consider this only about 25% done, and something to continue working on.
  • Web Hacking 101 book – Haven’t started it yet.
  • Python (+scapy) improvement/growth – on hold, I still need to figure out how I want to tackle this
  • PowerShell improvement/refresher – on hold, I still need to figure out how I want to tackle this
  • CTF participation (as it fits in) – This was definitely the lowest priority of the year, so I feel even my minor work here completes it.
  • survive at work (work topics) – Completed!

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits – I feel mostly completed on this one, with the very notable exception of the things piling up in Pocket.
  • expand OneNote use – Successful in moving from EverNote to OneNote.
  • work on better anonymity online/VPN service for personal use – I don’t feel I really started this.

my time at splunk .conf 18

A week ago I flew down to Orlando, Florida to attend Splunk .conf18. In thinking back on this, I have to say this is the very first vendor-specific conference I think I’ve ever attended in my 15 years in IT. Based on who you ask, the con itself had 7500-9500 attendees in its largest event to date. That’s pretty impressive! I attended as many talks as I could, and I left pretty happy with the content I consumed. The talks and slides are all available online for consumption.

Day 0 – Sunday
My goals for this day were just to get to Orlando and settled into the hotel and do some recon of the grounds and environment. On the plane, I listened to some Darknet Diaries; finally finding some time to do some podcasts! Took some time to hit the Boardwalk on the ground and already get sick of the heat and humidity.

Day 00 – Monday
Goal today was to get registered for the con! The line was super quick, even at 10:30am with the masses to get checked in, get a badge, pick up the backpack/water bottle freebie, and then pick up the freebie hoodie. Beyond that, this day was pretty casual until the evening.

First Timer Orientation talk – This was a nice intro to the con, even though the room was moved and I didn’t hear about it until a co-worker texted me. I guess I need to click update notices in the event app! (Come on, I’m in security, I don’t click accept/download buttons unless I have to.) Also, this was the only talk that I attended with a drink-in-hand speaker. (I’m not a huge drinker or want others to drink, but to me, this still sets a tone and statement for the sort of partially or fully informal a venue may be. This is why I like smaller cons over larger vendor ones.)

Welcome Soiree – This was a neat way to get people to the vendor floor: an evening event with free food and alcohol stations throughout the vendor floor. Scoped out vendors, splunk experts, projects, and plenty of swag. And I will admit, I evaluate vendor booths on three things: 1) whether I know and like them as a product/company and want to say hi, 2) whether I want some of their swag or not (either for me or to give away to others), and 3) whether I want to buy them (and I’m not a purchasing approver, so that’s pretty much no one). I had fun down here, though someone kept turning on music every now and then and it was ridiculously loud.

Day 1 – Tuesday
Visionary and Roadmap Keynote + Breakfast – For the morning keynotes, buses took us to ESPN Arena where we picked up breakfast bags before taking seats. After the talk, I don’t think the bus crews were ready for the flood of people, and organization broke down pretty hard on one side of the venue, but we all got back in decent time (albeit later than intended due to the overlong keynote).
Security Super Session: Splunk Security Vision and Roadmap – A strong, high-level look at Splunk and using it for security operations. Not much to say on this one. The diagrams are wonderful (and would be used in several talks I’d see over the course of the con) for designing your security operations around.

Find and Seek – Real-time Asset Discovery and Identity Attribution Using Splunk – I didn’t actually see this talk. Tuesday was the one day where I was all over the grounds for various talks, and required buses to get me places in time, and the buses were still a little chaotic. I was on time getting to this talk, but about 15 minutes after the start time, we were all still waiting outside the room. Thankfully, it was right next to a sandwich distribution station, so I just left with my lunch to eat elsewhere. I’ll have to catch this recording later.

Let’s Get Hands-On with Splunk Enterprise Security, Splunk Phantom, and Real Boss of the SOC Data – This was the one “laptop required” talk I attended, and honestly one could have been just fine sitting back and watching along. This session had several hundred people in it, and as such you have to expect them to move on and not wait for anyone, and move on they did! Thankfully, this is the introduction talk for a broader and slower workshop for security people to get from Splunk throughout 2019. As it was, I really enjoyed getting hands-on a bit with some practice data for finding attacks. The data itself was used in the BOTS competition the previous evening. While I’m new with Splunk, it’s these hands-on demos and doing actual things with the data that get me excited, rather than high-level, perfect-situation statements.

Threat Hunting and Anomaly Detection with Splunk UBA – I really liked this talk and speaker. While nothing about Splunk and anomalies and hunting were new to me, I really loved the best/worst practices examples. That’s the sort of detailed, technical stuff that I eat up, rather than non-filling high-level statements.

Pub Crawl – Similar to the soiree from the previous night, only with craft beer stations and less food overall. Other than the alcohol and snacks, I didn’t really need a second round through the vendor hall.

House of Blues – We also got invites to a party at the House of Blues. The music was just passable, but it was an excellent buffet, and I got a chance to sample the infamous Voodoo Shrimp (which was basically forgettable, to me). The best part was just getting another evening without a food bill!

Day 2 – Wednesday
Product and Technology Keynote – I’m not a huge breakfast person, and I found out you can watch the keynotes online, so I didn’t even bother heading out to see this one live. I opted to stay near the hotels and not fight lines for a latte.

Hacking Your SOEL: SOC Automation and Orchestration – I love technical talks, less so high level ones. But if there is one talk that I’d recommend that is high level about SOEL, and SOAR, and SOC automation, I’d point people to this one. The speaker just plain made sense of all of this. Sure, it was high level, but also detailed enough to formulate a roadmap for the future on the topic. One of the more solid talks I attended.

Attack Surface Reduction: Using Splunk to Spot the Security Flaws in your Network – The description for this was probably reflective of a longer talk that got cut down. This talk ended up being basically a firewall review 101 session, but using Splunk to view your logs for activity on firewall rules under review. I did learn just one thing from this: monitor for sessions that hang, i.e. no endpoint listens on the target port anymore. I probably would have done that, but I think it’s important to keep that situation in mind. The rest was really pretty newbie material.
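One way to run that rule review over exported firewall logs, as an added example that is not from the talk or from this blog: it tallies hits per rule under review and flags rules with no traffic at all, rules whose allowed sessions all hang (the destination never answers, i.e. nothing listens there anymore), and rules where only some targets have gone quiet. The key=value log layout, field names, rule names and sample lines are all constructed for this example.

```python
"""Firewall rule review over session logs (added example; constructed data)."""
from dataclasses import dataclass, field

# Constructed sample: one key=value line per session, in the style many
# firewalls export for log ingestion. bytes_in counts bytes the destination
# sent back; a hung session has none. These lines are not real log data.
SAMPLE_LOGS = """\
ts=2018-10-01T10:00:01Z rule=allow-web-dmz src=203.0.113.10 dst=10.0.5.20 dport=443 action=allow state=closed bytes_in=5120
ts=2018-10-01T10:00:07Z rule=allow-web-dmz src=203.0.113.11 dst=10.0.5.20 dport=443 action=allow state=closed bytes_in=8192
ts=2018-10-01T10:01:14Z rule=allow-legacy-ftp src=10.0.7.4 dst=10.0.5.30 dport=21 action=allow state=timeout bytes_in=0
ts=2018-10-01T10:02:30Z rule=allow-legacy-ftp src=10.0.7.9 dst=10.0.5.30 dport=21 action=allow state=timeout bytes_in=0
ts=2018-10-01T10:03:02Z rule=allow-legacy-ftp src=10.0.7.4 dst=10.0.5.30 dport=21 action=allow state=reset bytes_in=0
ts=2018-10-01T10:04:45Z rule=allow-db-app src=10.0.5.20 dst=10.0.9.5 dport=1433 action=allow state=closed bytes_in=20480
ts=2018-10-01T10:05:10Z rule=allow-db-app src=10.0.5.21 dst=10.0.9.5 dport=1433 action=allow state=timeout bytes_in=0
ts=2018-10-01T10:06:00Z rule=deny-all src=198.51.100.7 dst=10.0.5.20 dport=22 action=deny state=blocked bytes_in=0
"""

# Rules the reviewer wants evidence for (assumed names). allow-old-vpn never
# appears in the logs, so the review should surface it as unused.
RULES_UNDER_REVIEW = ["allow-web-dmz", "allow-legacy-ftp", "allow-db-app", "allow-old-vpn"]

# Session end states meaning the destination never completed the exchange.
HUNG_STATES = {"timeout", "reset"}
REQUIRED_FIELDS = ("rule", "dst", "dport", "action", "state", "bytes_in")


@dataclass
class RuleFinding:
    rule: str
    status: str = "unused"          # unused | active | degraded | dead
    sessions: int = 0               # allowed sessions matched to this rule
    hung: int = 0                   # sessions with no reply from the destination
    hung_targets: set = field(default_factory=set)   # "dst:dport" that never answered


def parse_logs(text):
    """Turn key=value log lines into dicts; lines missing required fields are skipped."""
    events = []
    for line in text.splitlines():
        fields = {}
        for token in line.split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
        if all(k in fields for k in REQUIRED_FIELDS):
            events.append(fields)
    return events


def is_hung(event):
    """A session hangs when nothing comes back: no endpoint listens on that port."""
    return event["state"] in HUNG_STATES or event["bytes_in"] == "0"


def review_rules(events, rules):
    """Aggregate allowed sessions per rule under review and classify each rule."""
    findings = {rule: RuleFinding(rule) for rule in rules}
    for event in events:
        finding = findings.get(event["rule"])
        if finding is None or event["action"] != "allow":
            continue                      # not under review, or a deny: nothing to reach
        finding.sessions += 1
        if is_hung(event):
            finding.hung += 1
            finding.hung_targets.add(f"{event['dst']}:{event['dport']}")
    for finding in findings.values():
        if finding.sessions == 0:
            finding.status = "unused"     # nobody uses it: removal candidate
        elif finding.hung == finding.sessions:
            finding.status = "dead"       # still allowed, but nothing listens anymore
        elif finding.hung:
            finding.status = "degraded"   # some targets have gone away: check each one
        else:
            finding.status = "active"
    return findings


if __name__ == "__main__":
    for f in review_rules(parse_logs(SAMPLE_LOGS), RULES_UNDER_REVIEW).values():
        print(f"{f.rule:17} {f.status:9} sessions={f.sessions} hung={f.hung} "
              f"targets={sorted(f.hung_targets)}")
```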

Which brings me to one of my main challenges: Finding the right level of talk for the topic. For instance, I’m a newbie with Splunk, but security concepts I’m very deep with, both defense and offense. I would love to have known this talk would be at a newer level of security, as I would have avoided it. This would apply to some of the threat hunting and SOC automation talks, which sometimes felt like they were just saying the same high level things over and over without a ton of deeper substance (i.e. for people less senior than I). This might not be a con issue, as it might just be my inaccuracy with using the con properly, i.e. fewer talks, more 1-on-1 and breakout discussions.

Cops and Robbers: Simulating the Adversary to Test your Splunk Security Analytics – Came into this very interested, but also skeptical on why the heck I’d want to spend time automating attacks like I’m some QA team. But this talk made a great case for why you do this, and how you approach it, particularly with Phantom and some other tools. Looks very cool for use on an internal testing team that evaluates not only internal response and controls, but also can test security products and even do some training exercises with your Splunk teams.

WMI – The Hacker’s Chocolate to their Powershell Peanut Butter – Probably the deepest technical talk I saw at the con dealing with attackers using WMI, WinRM, and Powershell in modern attacks, often going fileless, and how you could use Splunk and general logging to hunt these compromises down. I really enjoyed it, and it was a great reflection on the Splunk security research arm.

Monitoring and Mitigating Insider Threat Risk with Splunk Enterprise and Splunk UBA – As a Splunk newbie, I wanted a mix of talks on some of their products and how I can wrap my security team around them and my own priorities and goals. This was a good talk about implementing insider threat detection using Splunk UBA. I’ll likely revisit this again as we start our own projects on this in the coming quarters.

Search Party! At Universal Islands of Adventure – Such an absolutely fun time having the park to ourselves to avoid lines and endless children in order to ride Hogwarts Express, Harry Potter’s Forbidden Journey, and the Jurassic Park river ride. The Express was super fun, and Forbidden Journey ride absolutely awesome, and the Jurassic Park ride a fun mess that stopped 3 times and ended up taking about 30 minutes to get through. The walk around the park was fun, though the back half through Marvel and the Comic Book zones were plenty unexciting compared to the other areas. Really wish we had more than 2-3 hours, but fun and free nonetheless!

Day 3 – Thursday
Guest Keynote: Steve Wozniak – I don’t really have a huge desire to listen to Woz; smart dude with lots of money and the ability to opine about technology. Fine. To make sure people made it to this talk, it was not broadcast like the other keynotes, so I just opted to skip.

Overall, the food stations and snacks were far skimpier on this day. I still never had to visit the main food tents, but I definitely had to look for food myself otherwise.

“MAKE IT RAIN!” How to Save Money Monitoring, Managing, and Securing Your Cloud Using the Splunk App for AWS – By now, I know that I should expect high-level statements when I see CEO, CTO, or other high-level manager titles in the speaker list for a talk. And then a talk like this comes around to prove me wrong. (I’ve honed my stance on this to apply only to Splunk as a company itself when its higher-level managers speak.) This talk was an actionable demonstration of tying some important AWS logs into Splunk and showing how that is valuable for operations and even security. A slightly short talk, but really nice to sit through as someone new to Splunk, new to AWS, and subsequently new to doing them at one time.

From Threat Modeling to Automated Response – Identifying the Adversary and Dynamically Moving to Incident Response – Yet another talk about threat hunting and TTPs and adversary profiling. A good talk, but I don’t think it included anything that I didn’t already know.

If there’s anything in my year that will define it, it’ll be the prevalence of Kill Chains, Threat Profiling, and Threat Hunting. I can’t escape the same ol’ statements about them. I had it throughout the Cisco CCNA Cyber Ops course, the SANS FOR508 course, multiple talks at Splunk .conf, and beyond. I’ve long had a post waiting about how and why threat hunting is such a deal these days (it comes down to getting internal value and blending offense into the internal blue teams, plus trying to make sense of the new breeds of security tools that don’t just alarm on bad, but require human decision-making to piece together multiple things…).

Blueprints for Actionable Alerts – This apparently is a version of a talk done for several years, and it kinda feels like it. For some strange reason, I didn’t get much out of this, though on the surface I should have. It’s really a discussion in figuring out how to tackle an environment with 4000 alerts in a day, and reducing that piece by piece to be manageable and useful. I think everyone sort of does this their own way, which all sort of dance around the same gameplan.

Splunk P30X: Become a Lean, Mean, Splunkin’ Machine in 30 Days – Probably the best and most useful talk I attended at the con. The point is to have an actionable, lunch-hour plan to tackle and do various Splunk activities to culminate in being able to pass the Fundamentals exam at the end. I loved the actionable approach to this, as well as the follow-up activities the authors are releasing to support it that I can directly consume. Not only the 30-day plan, but also additional materials for newbies. Wonderful talk!

Day 4 – Friday
Nothing much exciting here, just a full day of getting back home.

Overall Thoughts
I loved the overall experience and benefits to going; it was fun, got to visit a fun park, and so on. This could double as a family vacation if you bring the family along. Next year, the con is in Vegas, and I’ll admit that has less appeal to me as a venue/area.

If I go again, and have others with me, I’ll lobby somewhat hard to get signed up for one of the competitions they hold, either Boss of the NOC or Boss of the SOC, where teams pore over and parse out data to answer questions about operations or security incidents, respectively.

getting into and growing inside the infosec industry

A revival of sorts on content from BHIS on getting into the Infosec industry, including A Career in Information Security FAQ Part 1. Pretty good stuff! But this section really stuck out to me:

The customer service, tech support, help desk, etc., these jobs are crucial to forming a solid background in computer science. Learn how to solve problems effectively. Learn how to discern between useful web search results and wastes of time. Employers don’t want to hire you for what you know. I generally believe that anyone (some computer background) can be trained to accomplish digital tasks. I can’t train you to manage your time well. We can’t train people to be nice, treat others like human beings, or to be steady under pressure. And truly, those are the skills that will put you at the front of the line. It worked for me and everyone else at BHIS too.

I would include other skills such as asking questions, being curious, being tenacious, looking at ways to break and fix things, and having a quick mind to solve puzzles.

And to be honest, that whole post is a wonderful bit of encouragement and advice for anyone to read, newbie or jaded veteran. Things like, “That motto is ‘Fail Fast, Fail Often, and Fail Forward’. When you are working on solving a problem spend more time failing and less time analyzing the problem from a distance,” and “One of the most critical skills in information security is the ability to go off script.” That’s gold right there, alone!

Addendum: I do want to point out the question towards the bottom of the post about the biggest hurdles in first getting started. And it might be obvious, but it bears constantly repeating that the two biggest items are 1) experience, and 2) imposter syndrome symptoms. The former is just something you get past after a few years of work. The second is a lifelong personality and internal compass issue where we just have to come to terms with the scope of infosec and how no person can begin to swallow that whole ocean. Learn what you can, balance your life, fail fast, move forward, get better, succeed.

the cat and mouse game of security improvement

I don’t often find fairly general articles to have enough interesting nuggets and quotes to bother saving, but sometimes they just flow so well and include plenty of head-nodding things to agree with, all with wording that I appreciate. One such article came across from Dark Reading, Think Like an Attacker, How a Red Team Operates. Dark Reading seems to like limiting the ability to read articles, so I don’t mind being a bit liberal in pulling out quotes I like.

“The whole idea is, the red team is designed to make the blue team better,” explains John Sawyer, associate director of services and red team leader at IOActive. It’s the devil’s advocate within an organization; the group responsible for finding gaps the business may not notice. I just love that sound bite. I want that to be my elevator job description.

“The main function of red teaming is adversary simulation,” says Schwartz. “You are simulating, as realistically as possible, a dedicated adversary that would be trying to accomplish some goal. It’s always going to be unique to the target. If you’re going to get the maximum value out of having a red teaming function, you probably want to go for maximum impact.” The early part of the article does a great job of succinctly comparing pen testing and red teaming while also illustrating how these have changed as time has moved on. Old school pen testing has shifted to be called red teaming as a way to further differentiate as pen testing has become commoditized.

The team ends up chaining together a small series of attacks – low-level vulnerabilities, misconfigurations – and uses those to own the entire domain without the business knowing they were there, he says. Typically, few employees know when a red team is live.

Red and blue teams may work together in some engagements to provide visibility into the red team’s actions. For example, if the red team launches a phishing attack, the blue team could view whether someone opened a malicious attachment, and whether it was blocked. After a test, the two can discuss which actions led to which consequences. Beyond actually enjoying it, this is my whole value proposition for my interest in offense and red teams: It makes my defense better. Which makes me get better on offense. Which makes my defense get even better… Getting a root shell or DA credential is the addiction, the satisfaction is passing on the information to make improvements.

More and more companies are starting to realize if they limit themselves to the core fundamentals of security, they’re waiting for something bad to happen in order to know whether their steps are effective, says Schwartz. Red teaming can help them get ahead of that… Many companies are building red teams in-house to improve security; some hire outside help.

The main reason behind building a red team internally is that it grows and improves along with defenses. As security improves, so do the skills of red teamers. Offensive experts and defenders can attack one another, playing a cat-and-mouse game that improves enterprise security, he continues. Internal teams are also easier to justify from a privacy perspective.

Overall, the pros argue a full red team can help prepare for modern attackers who will scour your business for vulnerabilities and exploit them – but they’ll help you stop real adversaries.

“The difference between a red team and an adversary is, the red team tells you what they did after they did it,” Schwartz says.

That’s such a strong ending to this article, that I had to pull a bunch out right there. Wonderful!

rapid7 releases 2018 under the hoodie pentesting report

Rapid7 has released the second edition of their now-annual “Under the Hoodie” report, which is a compilation of information and statistics compiled across Rapid7’s penetration testing teams. There’s really probably nothing terribly surprising in here, but it’s always nice to have some raw numbers and anecdotes in pocket for various conversations. Here are a few interesting tidbits or quotes I wanted to pull out.

“Relying entirely on an automated solution or a short list of canned exploits is likely to meet with failure, while a more thorough, hands-on approach nets significant wins for the attacker.” This statement has importance for internal security testing, third-party testing, and also for defenses. The first two can be obvious, but the last one about defense helps frame models, for instance the impact of an internal threat or an attacker specifically targeting a company rather than just automating a search for opportunistic moments. It also speaks between the words that an attacker with some hands-on effort and not time-boxed like a pen tester can see success.

“Furthermore, these results imply that if the penetration tester is not detected within a day, it’s unlikely the malicious activity will be detected at all.” Detection is a big deal. I’d also throw in the practice of threat hunting to find successful attackers who have gotten past the outer layer of defense and alarms. I recently deleted a draft about the whys and hows of the rise of threat hunting/intelligence (I posited it was a combination of the reduction in AV/IPS signature success, the complexity of environments, the rise of offense-friendly staff looking for offensive things to do, and other factors…). Prevention is important, but solid and effective detection matters.

“The number one issue that causes the most consternation among penetration testers is solid network segmentation. If they cannot traverse logical boundaries between environments, it can be extremely difficult to leverage a set of ill-gotten workstation credentials to escalate to domain-wide administrative privileges; even if a powerful service account has been compromised, if there’s no route between targets, the pentester must effectively start over again with another foothold in the network.”

Other factors that cause frustration for pen testers are multi-factor authentication for accounts, least privilege practices on accounts, strong patching and vulnerability management practices, and awareness to spot and report phishing campaigns, social engineering, and other low-tech attacks. What’s fun is how these 5 items are disciplines that blend security with other, very different departments: The network team for segmentation, systems/developers for 2FA/MFA, systems for patching, IAM for least access, and everyone for awareness. You can’t just boost one area of the company (or just security itself).
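Since the segmentation point above is the one the report calls out as the biggest pentester frustration, here is an added example (mine, not from the post or the Rapid7 report) of the kind of check a blue team can run to see whether the network actually enforces the boundaries it claims to. It takes constructed flow records in the form "src_ip dst_ip dst_port proto", maps each address to a segment, and flags any cross-segment flow that is not on an allow-list, plus workstation-to-workstation traffic in a segment marked as isolated (the east-west movement a foothold depends on). The segment names, CIDRs, ports and sample flows are all assumptions made up for the example; a real run would feed it firewall, NetFlow or VPC flow logs and a policy exported from the network team.

```python
"""Added example: audit constructed flow records against a simple segmentation policy.

Assumptions (all constructed for this example, not from any real environment):
  * segments are IPv4 CIDRs keyed by a friendly name,
  * the policy is an allow-list of (src segment, dst segment, dst port) tuples,
  * some segments are "isolated", meaning hosts inside them must not talk to each other,
  * a flow record is a line of the form "src_ip dst_ip dst_port proto".
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed segment map: name -> network.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "domain_controllers": ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed allow-list of permitted cross-segment flows. Anything else is a violation.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("workstations", "servers", 443),             # HTTPS to application servers
    ("workstations", "domain_controllers", 88),   # Kerberos
    ("workstations", "domain_controllers", 389),  # LDAP
    ("management", "servers", 22),                # SSH from the jump segment only
    ("management", "domain_controllers", 3389),   # RDP from the jump segment only
    ("servers", "domain_controllers", 88),        # Kerberos from servers
}

# Segments whose members must not talk to each other (client isolation).
ISOLATED: Set[str] = {"workstations"}

# A finding is (reason, src_ip, dst_ip, dst_port).
Finding = Tuple[str, str, str, int]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse "src dst port [proto]"; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        return parts[0], parts[1], int(parts[2])
    except ValueError:
        return None


def audit_flows(lines: List[str]) -> List[Finding]:
    """Return a finding for every flow that violates the segmentation policy.

    Reasons: "unknown_segment" (an endpoint is outside every defined segment),
    "intra_segment_isolated" (host-to-host traffic inside an isolated segment),
    "cross_segment" (a boundary crossing not on the allow-list).
    """
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records; a real tool would count them
        src, dst, port = flow
        s_seg, d_seg = segment_of(src), segment_of(dst)
        if s_seg is None or d_seg is None:
            findings.append(("unknown_segment", src, dst, port))
        elif s_seg == d_seg:
            if s_seg in ISOLATED:
                findings.append(("intra_segment_isolated", src, dst, port))
        elif (s_seg, d_seg, port) not in ALLOWED:
            findings.append(("cross_segment", src, dst, port))
    return findings


# Constructed sample flows; comments say what the policy should conclude.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.1.10 443 tcp",   # workstation -> server HTTPS: allowed
    "10.10.5.23 10.30.0.5 88 tcp",     # workstation -> DC Kerberos: allowed
    "10.10.5.23 10.20.1.10 445 tcp",   # workstation -> server SMB: cross_segment violation
    "10.10.5.23 10.30.0.5 3389 tcp",   # workstation -> DC RDP: cross_segment violation
    "10.10.5.23 10.10.7.40 445 tcp",   # workstation -> workstation SMB: isolated-segment violation
    "10.40.0.2 10.20.1.10 22 tcp",     # management -> server SSH: allowed
    "192.168.99.9 10.30.0.5 389 tcp",  # source in no defined segment: unknown_segment
    "not a flow record",               # malformed: skipped
]

if __name__ == "__main__":
    for reason, src, dst, port in audit_flows(SAMPLE_FLOWS):
        print(f"{reason:24s} {src} -> {dst}:{port}")
```

The value of running something like this is not the four findings themselves but the disagreement it surfaces between the segmentation the network team believes is in place and what the flow logs show is actually reachable; each unexpected cross_segment or intra-segment hit is exactly a route a pentester with one set of workstation credentials would otherwise get to use for free.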