desirable red team candidates article

I liked this post by Tim MalcolmVetter: How to Pass a Red Team Interview. Some takeaways from it are definitions of what red team means and characteristics of a good red team candidate.

Trustworthiness – I tend to stick to the term integrity, but mostly because I think it has similar, but broader meaning.

Know the role/know yourself – Kind of goes without saying.

Healthy competition – I like this one, and it should go without saying, but still unfortunately needs said. The offensive teams exist to help test, inform, and improve the blue team. This often just means being able to help the blue team stop attacks that get through and missed weaknesses, but could mean much deeper interaction.

Creativity – This is one thing I really like about security. In terms of normal IT operations, sure you can be creative with solutions and dealing with people, but often you’re still playing within the bumpers of a bowling lane, i.e. technology capabilities and limitations (developers excepted). With security, you can creatively look between the lanes, over the lanes, under the lanes. You get to poke in the places not normally poked and do so in creative ways on a red team. Good security is as much an art as an objective, to me.

Operational IT experience – I like seeing this item here, though I’m sure entry level security aspirants hate seeing it. But it continues to be true, even more so for a red team member whose goal is to inform the blue team intelligently. In order to do so, you need some measure of understanding about what the blue team is doing, how they do it, why they do it, and why the business needs get weaved into that. It’s not just to know the gaps in the blue team defenses (because you’ve felt those gaps from being on the blue team). It also helps when being creative with attacks and when setting up testing labs.

Development skills – This tends to be one of the harder places to get started. 1) Learn some language or scripting tool, 2) find ways to get practice, and 3) find more ways to keep practiced. It’s those last two that can be difficult and often takes real effort unless you have some corporate project set in front of you that you can use that knowledge against. The author’s point here is excellent (though I would add in some Bash knowledge): “Red Team candidates should at least script in python or powershell. Candidates who can build web apps, implants in C/C++, and manage infrastructure will have a huge leg up.” I really like the inclusion of being able to build a web app, maybe not necessarily an “app” as much as a dynamic web page, but along with that comes valuable knowledge in web architecture, server configuration, coding, SQL, etc.

Unique skills – I also like seeing this item, though it’s a hard pill to swallow for so many. But that’s the point of true red teams; a team of people who fill various roles and specializations. A team of people who all kinda do the same thing isn’t very efficient. Now, that’s not to say every person should come into a new team and be the absolute expert on a particular thing or technology or technique, but they should be the expert of that thing on their team. Until you find a good team to call home for a long time, it’s good to be broad and/or have things one is better at, but definitely look for those gaps in any team you interview with and see if you can fit those openings. Chances are good candidates can adapt and utilize their experience, integrity, and creativity to fill most gaps in a red team.

Lastly, I wanted to just flat out quote the author, “…if you can phish and think like a covert systems administrator, then you can probably be successful on a red team.” But also know that, …”If you want to end up doing red team work, then do yourself a favor and get a variety of roles and exposure before moving into red team — it will still be there when you’re ready.”

threat hunting – a quick introduction

If you’re in infosec and you blinked, you’ll notice today that “threat hunting” is a thing. It’s more than a thing, it’s quite the movement (though probably ranking below blockchain, machine learning, and AI as far as infosec marketing buzzwords). Wikipedia’s page on the subject was created mid-2016. I spent about an hour doing Google searches trying to find earlier mentions of the term/process, but really found nothing. I think Sqrrl/David Bianco [pdf] was one of the earlier describers of threat hunting.

So, where did threat hunting come from?

First, threat hunting is about looking for threats already in your environment. Underlying this process is the assumption that attackers can and have gotten in, and that your current protections are not enough (with an optionally-implied “advanced threat” assumed). This process identifies weaknesses, compromises, and informs defenses. This stands in contrast to reactive technologies like IPS and SIEM alerts, or preventative processes like Antimalware defenses. Threat hunting by skilled analysts has them creatively hypothesizing about attackers, examining evidence and logs for confirmation of a weakness or presence of an attacker, and then informing defenses to protect against them.

Threat intelligence is often pulled into this mix, which is just a fancy way to saying, “increasingly detailed, technical information about attackers and the things they do when attacking.” If you have a mature threat hunting process, you’re helping create that internal intelligence, rather than just consuming outside sources.

Cool, but where did this come from? Why weren’t we doing this 10 years ago?

Ten years ago, we had blue teams (defenders) against red teams, pen testers, and real attackers. The blue team would wield various security tools and try to prevent, detect, and mitigate against those attackers with somewhat standard playbooks and relatively rigid signatures and alerts.

We’ve had various enlightened members on both sides who have contributed to threat intelligence over the years, and plenty of blue team members who have tried (probably largey in vain) to squeeze more out of their tools and high level access in their environments to sleep better at night. So, many of the tasks that a threat hunter may go through are known, but certainly had never before been truly organized, planned, or laid down in writing; they’re tasks many of us have tried to go through when work is light (hah!). One difference today is the ability to gather and parse massive amounts of data collected in an environment.

It has been long found that environments are becoming more complex (i.e. the attack surface keeps increasing, networks are becoming less efficient to defend, and no external consulting source can quickly given guidance beyond broad strokes and “well, it depends…” conversations) and relatively static signature-based tools don’t find even mediocre incidents. Blue teams have traditionally been poor about internalizing red team findings and creating effective mitigations. And red teams, particularly vulnerability assessment and pen testing teams have become a crowded market with several of their tasks somewhat commoditized through automation and point-in-time limitations.

Threat hunting teams can shore up plenty of these weaknesses. Rather than a point-in-time external pen test, threat hunting teams can act as internal, always-on pen testers; they think like attackers, study attacker methods, determine IOC, and inform and test defenses.

Threat hunting helps turn an infosec team from believing they are not compromised, to at least knowing they are not compromised via X, Y, or Z. And in today’s landscape, the X, Y, and Z incidents hitting the news are what board members ask about.

Threat hunting also acts as an outlet to some otherwise mundane tasks in infosec: analyzing logs and alerts and directing the rollout of a new patch every week. A way to exercise some creativity, learn more about attacker methods and tools (poppin’ root shells, my dudes!), and actually test internal controls and visibility.

They also fill a small gap in between security tools, blue teams, and red teams. Sure, red teams can detect weaknesses and security tools can act as a locked door or tripwire, but what about things the red team misses, or what about attackers who have already leveraged those weaknesses to get into an organization and evade security tools?

Ten years ago, threat hunting probably only went as far as a blue team admin finding something “weird” happening on a server or workstation, and investigating it to find an existing compromise. They fix the compromise, wonder how someone/something got in, wonder if it impacted anything else, and then likely moved on when those answers were not going to be efficiently forthcoming.

Sounds like a no-brainer to start doing this, yeah? Well, not so fast.

To my mind, the main challenge with threat hunting is being able to log, capture, and know everything (or enough) in an environment such that testing a hypothesis is efficient. An organization that is poorly logging things, has poor standards, and struggles to control the environment, will have a very uphill battle to do any real threat hunting. At that point, you’re walking into a forest inferno and looking for dumpsters that are on fire.

cis top 20 critical security control version 7 released

I missed this getting announced, but a few weeks ago a new CIS Top 20 Critical Security Controls doc came out, version 7. There is a registration wall to get past (and one of the few times I had mailinator denied ever), but that shouldn’t be a problem for anyone in security.

This new version chops the list of 20 slightly differently, and actually moves the previous #3 item about secure configurations down to #5. Instead of typically advising to tackle the top 5 items as a priority, the top 6 items are now considered “Basic” controls. Items 7 through 16 are “Foundational” controls, and 17 through 20 are “Organizational.” While adding a different visualization/chunking to the list, this really doesn’t change anything. I do like that this results in vulnerability management appearing at #3 right below the two inventory controls. I think this is appropriate. Secure configurations are hard (“yuck, documentation!”), and so many people lose steam at that control.

I do like the change to 17 away from the awkward skills assessment and gaps wording to being more standard as a “Security Awareness and Training Program.” Previously, this always sounded like a way to train internal security staff (and was probably worded that way to promote training from the previous custodians of the list, SANS), which then left questions about security awareness programs in general.

There are also many more individual sub-controls under each control, which I really like. In the past, I could usually add one or two extra bullets under each control just to fill it out a bit, but I feel like these are fairly solid so far.

There are still some minor gaps, however. For instance, traditional physical security isn’t present, though that usually falls into a facilities sort of department. Cloud security isn’t really a thing on its own, though clearly every control on-prem will have analogous controls in the cloud, depending on what sort of cloud presence is maintained. I’d love to see Threat Hunting functions get rolled into Pen Test/Red Team Exercises. I always have to think twice about control #7: Web and Email Security. It just seems like it should be included in other items, but it’s a large enough attack surface that I get pulling it out. And I also always wince that an entire appsecdev section gets shoved into a single control down at #18.

There are also very few call-outs to documentation and diagrams. They’re so valuable for insiders, outsiders, new employees, new vendors, and so on to get a quick handle on how a network is laid out, critical data flows, attack surface, and high level posture. No space ship general lacks for a holographic display of the important pieces, and I wish most items called out more artifacts like policies, diagrams, and such in the sub-controls.

Lastly, #10 Data Recovery Capabilities is always a tough one for me. In my mind, this is control #0 that every organization should have: Backups! And it’s also probably the one control that has the smallest infosec scope in the list. Do you do it? Is recovery proven and ready? Retention is set in policy? Cool, move on! Eliminating this as a top 20 control would free up a slot for something else. Some inflate this item into BCP/DR processes or otherwise blow it up into Availability or Resiliency in general. I get it, but the sub-controls don’t reflect it.

Overall, are these huge changes? No, but they do reflect incremental changes in our landscape that bring the list up to modern standards. And this list remains one of my primary and initial roadmaps for infosec in organizations.

case study of fail of the week so far – panera

Panera is going through a bit of a debacle last night and today. The original security researcher posted about it in detail after shit hit the fan. Near the end, he poses a few reflective questions. I figured I would poke at them!

“1. We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don’t know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.”

I think everyone in media and public relations would say this is about understanding the short attention span of media and their audience. Plus, every media outlet wants to get out there first, at least amongst their peers. (This is probably why, as a fan of CNN, I continue to be appalled at their lack of spelling and grammar over the past couple years…) But, yes, I’ve been sick of the vague, cookie-cutter statements for 15 years now. “We take security seriously…” and, “affected by a sophisticated, advanced attack…” and, “no further signs of abuse/disclosure (within only 60 minutes of discovery)…” The problem is one of transparency. The company usually has no reason to be very detailed, which means someone in the know (either inside or the researcher or someone who pieces it together and rediscovers it independently) needs to reveal the details responsibly. And I usually fall on the side of full disclosure as opposed to no disclosure or “responsible disclosure, which really just means stifling it with a smile.” It’s the best way for all of us to learn and get better, and also make educated choices about where to do business.

As far as holding accountable overall, that’s a rough one. While security companies and other Business-to-Business (B2B) firms can struggle after a breach, I don’t know of any retailers or food service companies that have been terribly impacted by a breach. Food quality scares can threaten Chipotle, but breaches seem to get ignored. This Panera one is a little different as the platform affected was a mobile ordering app, which is probably used by slightly more connected and savvy users; those that may never use it again due to this, but will probably will eat at Panera.

“2. We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It’s easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.”

This is a meaty issue, for sure. I think many security issues don’t get exposed or talked about, because it is always (always!) easier to consciously or unconsciously ignore it. It’s hard finding security issues; sometimes you have to really try. And many people are just trying to complete their tasks and get through their days. The security team (if there is one) has this responsibility, but in a world where development wants to go at the speed of agile, no one can slow them down. Security has to move at that speed as well, which is difficult since security inherently is always behind the curve a little bit, and often perceived as adding no value.

This starts with a mandate or at the very least interest in security from a high level. It’s fine enough to say, “We don’t want to be the next Equifax/Panera/Boeing.” From there, security management needs to be based on fact, and not belief. It also needs to constantly be questioned and improved. None of us know how to secure everything; we learn incrementally or seek assistance/ideas elsewhere, and then weave that into our internal security fabric over and over and over. When that improvement process stops, gaps will appear. (To me, this is where threat hunting is becoming a thing; you can get pretty good with your security posture and do the basic things well to go, but to keep improving, you need that unit that keeps hunting, poking, learning, and injecting further information into the whole.)

“3. If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. Make this process obviously distinct from the, “Hi I think my account is hacked” customer support process. Make sure this is immediately read by someone qualified and engaged to investigate those reports, both technically and practically speaking. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.”

I basically agree with this, but also make sure that investigations are done properly (carefully) by your IR team, and make sure someone has a quick line to PR/legal if questions arise or things escalate. Lack of response can be appropriate, but that should be stated and at least give the correspondent some indication an email was successfully delivered. Basically, security@ email address should suffice, and optionally a quick mention on an appropriate Contact Us page.

a rant about rants about password rotations

Here’s a rant that makes me look pretty stable. 🙂 Nick Selby’s post, “Do You Make Users Rotate Passwords? Well, Cut It Out.” I agree with the general sentiment, and I get the annoyance, but not so much the general way this is presented without making some qualifications.

Just to get the elephant in the room out of the way: All of this discussion is somewhat moot once we throw in the requirement of multi-factor authentication. Which makes sense, especially as biometrics (slowly) continues to make headway, which is like a password we won’t ever be able to change.

I’m also not making any assumptions on password strength, either chosen or forced. I can’t expect every user to practice good password hygiene, so I can’t really add that to my arguments. I’m also not going to make assumptions on complexity requirements forced on users by the system.

OK, let’s first make some distinctions: corporate/employee* vs consumer sites. There are two major types of accounts I have in mind with this discussion. First, accounts that an enterprise uses to identify its employees, usually set up and managed by IAM/Help Desk folks and rotated every 90 days or so, and removed upon termination. These employees typically come to an office and sit at a workstation to log into. Second, there are accounts used on consumer sites such as Gmail, Amazon, DreamHost, FaceBook, etc. These are usually set up via self-serve and probably don’t force changes except when compromise is suspected to some degree.

In the former, there are arguable times when these account passwords may get divulged or known, such as a Help Desk worker doing “something” on your system to troubleshoot an error over a lunch break and wants to log in after the screensaver kicks in (hey, another rant-worthy piece of bait!). There are too often small one-offs where an account password is shared. I hate it, but I understand it happens. There are still two use-cases for enterprises to use proactive password rotations. If a user has a shared password and needs that friendly reminder to change it, or if an unknown compromise of a password has occurred, the forced rotation of a password will close both of these gaps.

For consumer site accounts, users are left to shoulder the responsibility of the confidentiality of their passwords. If they share it with someone else, it’s on them to change the password after usage expectation has ended (ever “borrow” someone’s Hulu account longer than intended?). For consumer sites, the onus for keeping your password to yourself is on the user, with the only exception being a failure in the security of the site, which can have two outcomes. First, a compromise is suspected/known and all affected users are asked to change their password. Second, the compromise and exposure of a database that contains user passwords in reversible format, but where this compromise may not be known for months or years.

In the past, this conversation has sort of been about rotating passwords faster than most attackers can crack accounts, but I’d argue that’s less the case, and the real way it should be worded is to limit the window of opportunity for an actor to possess something that is still valid that they should not possess. Whether that means cracking times or exposure to an unknown compromise, I don’t really care.

Has password rotation ever “increased security?” I’d argue not really, but it helps deal with *decreased security* scenarios, namely someone has your password and you didn’t know it, or you did, and failed to change your password after the need to know it has passed. In the past, this also includes the scenario of password cracking. On the other hand, perhaps rotating passwords at varying levels has helped prevent situations where users use the same password for many accounts. Rotating passwords at varying times may decrease password re-use across accounts and actually be slightly better for security, but that’s just strange to think about.

Users create predictable variations from existing passwords, though! I suppose, if you know the base form of that password. For some, it’s easy to guess. New account in April? Try Spring18 or Spring2018. Then things get a bit more predictable, sure. For corporate accounts, at that point we’re already starting to get close to account lockouts or other alarms. For consumer sites, it’s harder to guess that base form, in my estimation. That said, I would say this argument has some weight. I’d bet some old passwords for users, if cracked, probably would inform their future choices (Bulls2015 may today be Bulls2016 or Bulls2017 or Bulls2018). But I suppose a cracked password that requires guesses to get the current password is better than a cracked password still being valid?

Users hate it and are inconvenienced! This is less a substantive argument and more a commentary that security and convenience are always at odds, and finding the sweet spot between them is a dance between objective and subjective discourse. Ask 20 infosec pros any scenario and you’ll get 22 different answers, all of which are varying shades of correct.

Why 90 days? Why not 30 minutes? I don’t know, I don’t think that’s the point? I think this is just acknowledging that security is not about finding *THE* right answer, but finding what works between the goals and people. Ok, fine, I think 30/60/90 days requirements back in 2003 were about cracking times for typical Windows account hashes. Roughly. Very roughly…

At any rate, all of this is pretty anecdotal, as is probably 99% of the discussion on this topic. Even places that try to say there is “lots of evidence” one way or another never really seems scientific or defensible from twisting the statistics around to form an opposing hypothesis or just have too small a sample. (Yeah, this is my way of dismissing stats and not wasting my time pouring over academic papers to support whatever my position is or will be. If paid to do that, I’ll be happy to!)

(Now, all of this said…I’m playing a little bit o’ Devil’s Advocate here. I won’t defend either position on password rotations terribly hard or to the death. But I think defaulting to password rotation in corporate account cases is the better approach and defaulting to unchanging passwords for consumer sites is also the better approach, with MFA swinging things away from rotations.)

* There is also the small slice of the puzzle with actual shared enterprise accounts or service accounts. The former being maybe a shared login to something low value (for instance, each concurrent user is a cost or something). The latter being your normal service accounts where various admins may be able to retrieve the password or set it up on a new server. I won’t deal with this, since it should be obvious these are rotated regularly, especially as employees leave the enterprise or lose their need-to-know.

lots of people looking for mentors these days

Everyone wants a course or cert or mentor that will teach them how to be master hacker or to hit the ground running with a cheatsheet in hand. But the only real path requires two legs: practice and curiosity (self-study to learn the things that are still unknown). A course can help with the former, but courses can only cover a miniscule amount of all the unknown things you’ll run into. Dive in, get guidance as needed, but there is no substitute for practice and doing something by yourself. Apply for and land a job, find a mentor there, or find yourself being the mentor. Do, do, do.

That said, just ask direct questions.

the soc or siem of tomorrow

Monster post of the week goes to Gunter Olmann’s NextGen SIEM Isn’t SIEM blog post.

To paraphrase the first half, basically SIEM’s main weaknesses have been fidelity and trying to integrate newer sources. These newer sources are pushing that fidelity and active response away from the SIEM and down closer to end endpoints/attackers/events.

…Interjecting my own thoughts for a moment: Also, in the past, a SIEM was only as good as the intelligence behind it, which was often fueled entirely by the staff sitting directly in front of it. I’m sure every SIEM and MSSP vendor has been asked, “So, what do we look for out of these million logs entries?” by every single one of their clients, and the answer is always, “It depends,” or, “What do you want to find?” (You’d think intelligence would get pushed downhill, but I think only the most obvious of intelligence ever gets outside a singular organization’s walls, including those that share it!) The best (luckiest) shops have SIEM ninjas in house, but most just flounder wetly about in the hallway. Now, back to Gunter…

And he frames the transition correctly by saying these new tools typically do only a narrow scope of things really well.

Honestly, I’m not sure asking what the “next gen SIEM looks like” is exactly the right question. I’d take a small step back and say, “What does the next SOC look like?” (I’m writing this as I read the article, and Gunter goes to the same direction!) Do we still strive for one pane of glass? Do we have many panes of glass with best of breed tools?

I like Gunter’s bullet points on what the next SOC/SIEM should do or look like.

But I do want to add one other factor into this. The shops that have the budgets to get things like big SIEM tools and various other Threat Hunting or SOC-supporting tools are also the ones fighting with a ridiculous technology change pace in their own networks, and those that have manageable environments are the ones too small for the best tools. Between cloud, IOT, mobile devices, and advancing system sprawl, it’s a huge endeavor for a SOC just to keep up with its own organization.

Anyway, just to interject a wonderful (or nightmarish) vision of the future…we keep taking steps forward towards actual Gibson/Shadowrun-like ICE!

q2 2018 training and learning plans

So, what’s on my structured training list now that I’ve finished CCNA Cyber Ops? I have a 2018 goals post, but obviously things can change… I don’t blog about many of my training things, largely because I have a separate, private OneNote instance that has a huge breakdown and list of things I want to do this year, next year, and discussions on everything else that my career may entail beyond. I have a long term section, and a list of things I’m basically doing right now.

Right now, I have a small lull until I head to SANS West in two months and pick up my first SANS course, GCFA FOR508. I’ve decided to forego some courses people tend to take early on in their SANS experience, and dive into the deep end by skipping GSEC (SEC401), GCIH (SEC504), GPEN (SEC560), and GCFE (FOR500). I’ve never had the opportunity to do SANS courses before, and rather than go easy and do something I may know pretty well already, I decided not to wait years and instead get to a course that will certainly be a challenge.

To that end, I’m already doing a little bit of prep work to brush up on some forensics/IR topics so that I don’t entirely need to catch my mindset up much to hit day 1 at a brisk walk. I’ll be watching some random YouTube clips of the course and related topics, reading a few books I have sitting around on forensics and data collection, and otherwise preparing my workstation.

Beyond that, I’m likely going to do a little preparation for NetWars as well, though to be honest, I don’t expect much as a first timer. But I want to finish a bit more in my RHCSA/LFCS courses, refresh using Metasploit Unleashed (a course I’ve long since just never gotten through) to get my mind back in offense, and then do some retired HTB boxes to oil those wheels further.

I’ll also be at C2E2 (Chicago) in the middle of all of this, so that likely is enough planning for now to see me through to the midpoint of 2018.

getting domain admin before lunch

I always hesitate to link to Medium articles, as I find the platform somewhat dubious, but this article was good and included further good links at the end. The article is “Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)” by Adam Toscher. I actually skipped the part at the top and thought to myself, gosh, this sounds like a SpiderLabs update to their old article on the same topic. Sure enough, he mentions that!

The bottom of the article includes wonderful links for more information, such as A Toast to Kerberoast and the Inveigh PowerShell tool and Relaying Credentials Everywhere with ntlmrelayx.

review of the cisco ccna cyber ops scholarship program and cert

Let’s start off getting the logistics out of the way. I started Cisco CCNA Cyber Ops scholarship program a week before the official start date of 12/28/17 (cohort 5). I took and passed the first exam, SECFND 210-250, on 02/02/18 with a comfortable score. Study time was about 2 hours per day average for about 5 weeks, and I did end up watching most of the mentor sessions, in addition to all of the Cisco online course material and labs. I purchased the Cisco Press SECFND book, but honestly did not lean on it at all.

The SECOPS 210-255 material was far shorter and took overall less time to consume. I spent about 1.5 weeks sick in the middle of my studies, but thankfully I was already ahead of the course dates. I was able to take and pass the SECOPS exam on 03/09/18 with a very comfortable score. I did not actually do any mentor sessions. On the day I passed the exam, they were only up to Chapter 8 out of 15 with 4 additional exam prep sessions later on. I borrowed a copy of the Cisco Press book for the SECOPS course, but I admit I did not use it. (Ok, I looked up one thing I was foggy on from the Cisco exam blueprint, but it actually wasn’t where it claimed to be in the book; it was flat out missing, so I set it aside for good.) SECOPS also requires some outside sources, so I read the CVSS specification and user guide, NIST 800-61r2, NIST 800-86, C2M2, Diamond Model paper, Kill chain paper, and I took a 2-hour refresher course on Regex basics from PluralSight (I have a standing account there). I would have brushed up on Wireshark usage a bit more, but I’m very comfortable with it.

I admit, I rushed this, but I also wanted to get this out of the way of other things going on in 2018, and I didn’t want it to drag on too long. And I was very successful in carving out time to dig into the materials to get an exam take as soon as possible. I took notes in OneNote on the courseware (usually played at 1.5x speed), regularly reviewed the courseware end-of-section questions, and transferred key topics to Quizlet for review the week before each exam.

What did I think of the provided materials and guidance in the scholarship? Well, it was all free other than the books which I opted to acquire on my own, plus my time spent. The online course itself was really good, though I admit it dove pretty deep and sometimes beyond the scope of what was tested. But it was all good information pertinent to what I would expect from an entry level SOC analyst. The Cisco exam blueprints were very accurate. The SECFND courseware and labs were far longer than the SECOPS materials. The courseware was very consistent, however there was one awkward lab in the SECOPS course where the word “pivot” was abused badly. Clicking on a link on a web page is not pivoting, clicking to a new window is not pivoting. Beyond that, they were very consistent and helpful. Amusingly, I was distracted by one narrator referring to Metasploit as Megasploit multiple times.

I do also want to call out that some of the courseware delved into Cisco products, and one or two small sections sounded like marketing wrote them. But the exams themselves did not test over anything specific to Cisco, other than Netflow.

The labs I actually especially enjoyed. I had zero technical issues with the labs, even running Chrome on Ubuntu 17. And honestly, I really liked the setup and the content that was presented to the students. The step-by-step instructions were also clear and accurate. To be honest, I don’t know that I learned anything absolutely new, other than being able to play with Security Onion more than I had in the past. But, I loved the thought of this material being consumed by more entry-level types of students. This is far more than was necessary to meet the exam requirements, but I would always suggest students consume those labs if they are new to the industry as there is a lot of good experience in there. If nothing else, it allows students new to Windows or Linux to run some tools and commands, or perform some attacks they’ve never seen before, including returning back their first root shell. Students who know absolutely nothing about Linux may struggle to navigate a Linux terminal here and there, but this isn’t a course introducing Linux to students.

The mentor sessions were a bit chaotic and unorganized at times, but my biggest complaint is the use of Webex as the delivery platform. I primarily run on Linux as my main desktop, and I could not get the Webex to connect on Linux, nor watch the recorded playback at all. Thankfully, another student downloaded the recordings, converted them to a regular video file, and posted them to Dropbox. An absolute godsend! That said, the mentors seemed far more at ease with any pure networking material than with security topics, and I suspect I probably know more than them about most of the topics presented. In fact, stalking on LinkedIn a bit reveals my gut feel on that is pretty correct.

And that somewhat brings up what I would consider just an observation of this scholarship. In order to get approved, one has to already possess specific recognized industry certs (my CISSP and Security+ both qualified me up front, but the OSCP would have as well if I had asked) and one has to pass a preassessment exam. That preassessment exam was not kind or easy, and had some very CCNA R&S-esque questions and some rather surprisingly deep Windows/Linux questions. In fact, the preassessment exam was the hardest thing in the whole program. But what this means is that people taking the CCNA Cyber Ops in the scholarship program are a bit stacked towards experienced infosec professionals, rather than the entry/associate level that it should be geared towards. I understand why Cisco would do this, but that might skew my experience, results, and opinion a little bit. For anyone jumping into CCNA Cyber Ops without the scholarship, there are no prerequisites or requirements; this can be your first Cisco cert, in fact. I’d consider that a huge plus.

How were the exams?
The biggest thing that I will remember about the exams was the grammar. SECFND 210-250 questions were absolutely awful. I pride myself with being able to understand communication from people with poor grammar, but more than a few of the questions felt like they were written by two different non-English speaking people and then spliced together. This is even more pronounced as the SECOPS 210-255 questions were far better (though I did find two awkward moments that made me sit back and think a lot [kinda like CISSP questions] and one question that was flat out talking about the wrong thing). Either way, the experience was ok, I passed both on the first try with 900+ scores, and about 30-40 minutes of actual question answering. The content seemed to match the exam blueprints very well, and I really wasn’t surprised by any foreign content with just one or two exceptions I can’t reveal, but I suspect weren’t even scored questions. Not everything is covered in the Cisco scholarship course, but they did call out to external resources. So, nothing should be surprising: it was called out in the course and mentioned in the blueprint.

What do I think about the certification and where it is positioned in the infosec world?
Cisco states: “The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

I think the program is positioned excellently for entry level students looking to get into SOC analyst positions. Students get a solid mix of exposure to TCP/IP networking, security concepts, Windows analysis, and Linux analysis, and that mix of exposure is difficult to get without real experience on the job.

I would honestly suggest anyone looking to hire for or get hired for a SOC position should consider this course their first stop on the journey.

That said, a SOC analyst position is not the most common position I see posted in infosec in my market, and is really only prevalent in MSSPs or very large organizations that can afford and need a SOC.

I’d consider this course to fall just a half step above the CompTia Security+ course. Security+ gets pretty technical into the security concepts (very trivia-like), but really offers less actionable knowledge of things like Windows, Linux, or networking. If you pass Sec+, you still won’t feel like you can do the job, but with Cyber Ops, I think students can feel like they could walk into a SOC and be useful in the first day or (Disclosure: I have a lifetime Sec+ since I got it so long ago…so the content may have improved). I find the CCNA Cyber Ops to be more directly useful in certain day-to-day jobs. I’d consider it maybe a half step below the SANS GSEC course (Disclosure: I have not seen that course, but am basing this on anecdotes from others.). It doesn’t really compare to the CEH, as one is offense and the other defense, but I’d consider the Cyber Ops course to be more useful to defenders or SOC analysts than the CEH by quite a margin. I’d consider the CISSP certification to be about a step and a half above the CCNA Cyber Ops.

In fact, I would honestly say that if someone can make it through the CCNA Cyber Ops, they will have demonstrated a certain (small) command of Windows and Linux analysis, networking acumen, and security concepts. And I think students could take a serious look at the OSCP or jumping pretty much anywhere else in the infosec training and certification tracks. And I definitely think anyone with this certification should be ready for their first 1-2 years of defender jobs. And there are no prerequisites, making this an approachable first security cert to get, though students will be helped by having a decent technical background of a few years, even if just troubleshooting their own systems and watching the infosec landscape via Twitter and blogs from afar.

That said, there are a few small issues with the certification.

The first and largest problem is apparent when looking at the certification roadmap at Cisco. The CCNA Cyber Ops has no CCNP tier, and it does not lead anywhere else. If you want to pursue any CCNP tier cert, you need to slide over to another CCNA track and get started there. That hopefully will change in the future, but for now, the cert doesn’t let you get anywhere else in the Cisco house. Hopefully they figure out what to do with this.

Second, this is an associate or entry level certification. If a student has even 6 months working in a SOC, I think they should look above this cert. If a student has 4+ years of IT work with servers and some security technologies or networking, I don’t think they will learn a ton from this. That said, if this is part of an identified roadmap to improvement and learning, this is a good step to include. And honestly, I think any SOC should require this of their entry-level staff within 6-18 months of employment, or prior.

Lastly, there is the problem that Cisco has a CCNA->CCNP track for Security, which really means working with Cisco’s security software such as the Cisco ASA Firewall, ISE, Firepower, AMP, and so on. That track will allow you to work as a Security Administrator, where you deploy, configure, and troubleshoot those tools. A SOC Analyst would leverage those installed tools to consume their output. In my market area, I find more opportunities for using the CCNA Security cert than the Cyber Ops one, simply based on job duties.

I found this blurb on the Internets which I think sums up the positioning of the CCNA Security and CCNA Cyber Ops courses:

“As far as the other poster’s question goes about CCNA Sec vs CyberOps, they have completely different career paths in mind. The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls. This kind of job specialty you’ll likely only find at larger companies, although the knowledge can still be useful in a small environment where you have to do a little bit of everything. The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard. Two very different certs. For someone who wants to work in the security field, CyberOps will be more valuable by far. CCNA Sec, ironically, is more for someone already in the networking field who’s moving to specialize in security appliances.”

I admit, all the people I know that have CCNA Security or higher come from the network admin side of IT.

red team tools or bas, it’s still about validating your controls

I was catching up on some blogs and came across a thought-sparking post from Augusto Barros titled “From my Gartner Blog – It’s Not (Only) That The Basics Are Hard…” In this post, he talks about how basic controls fail, for example keeping accurate inventory when someone forgets to follow the process. In other words, how do you make sure you’re still doing the basics accurately?

I don’t necessarily get what is new with BAS (Breach and Attack Simulation tools) or whether this signifies the coming of age of internal red teams or a new way to market these tools, but making sure basic controls are in place is part of the purpose of things that, I can see from a particular point of view, attacker types of tools play into.

In the case of inventory control, this is where you have network discovery and internal recon (vuln scans, NSM…) or tripwires (NAC, ISE…) catch things that miss the inventory process. You find them and treat them as rogue until proven otherwise. In the process, you also care about certain zones more than others. An isolated server deployed in an internal segment is one thing, but a server in the DMZ with a few ports exposed to the Internet is another. In the latter case, another potential detection point is external footprint scanning, something that is very important to know, as this is where attacker eyeballs will also be looking.

Maybe this fits more into internal threat hunting or having an internal security team that at least thinks and designs controls and internal intelligence with a thought towards how an attacker would see things.

the internet is not so effortlessly making us smarter anymore

(I’ve had this incomplete through brewing for several weeks now, but never really put it down in writing. I finally have. I didn’t like the presentation, but have posted it below anyway since I didn’t want to spend any more real time on it. So it is half-baked, but here for my own posterity.)

I’m just over 40 years old. I grew up both without and with the Internet. During the early years, I felt like so much information was available to us that had never been exposed before. Rather than relying on libraries or television shows or word of mouth to find something out about whatever arbitrary topic one had, the information could be self-served via Google. Life was wonderful! I feel like we’re collectively getting smarter!

Fast forward to around 2015-2016, and I feel like a tipping point may have been reached. So many people are online now, and social media has allowed so many people to highly efficiently pipe in with their own take on things (even if it’s just a mass of Likes or upvotes), that we now have a problem where I don’t feel like we’re collectively getting smarter quite so effortlessly anymore. It actually takes effort to make sure you’re not learning falsehoods or buying into someone’s bullshit.

There are two factors to this: 1) The dumb ones are on social media now, and 2) so many of us are on social media in general.

Anyone and everyone can post a comment or make a social media post that states something as fact. For instance, someone posts an image on Imgur that is inspiring or funny for some reason, and a highly-voted comment purports that this person did XYZ and was from ABC. But if you dig into it, you find the real story on Snopes or some other resource that paints an entirely different picture. The first comment? They may or may not have realized they were promoting false facts. And due to tone and group think, someone probably walked away from that comment telling someone else the same false fact. Even just walking away with a false reality to the original image is bad. That’s a problem, especially if you have more people who believe a falsity than who know the truth.

This is how rumors and conspiracy theories spread. And it’s ok when those echo chambers don’t impact people not looking for it, but social media has allowed these bits of “dumbed down” information to spread to those not even looking for it. This is how good news sites that practice some form of democratized content eventually become overrun with funny things that don’t matter at all to life.

It’s also becoming useful to someone or other to influence popular opinions and facts, which anyone should have been able to predict someday, especially anyone whose grown up with the Internet’s start. Plant some seeds and watch the flames grow on their own!

Are we still getting smarter? Yes, but it’s not so effortless anymore; it takes work to verify stories and opinions, and work through pages upon pages of a thread to get up to speed.

adding comments into wireshark and pcaps

Read a post today that blew my mind. SANS Diary made mention of adding comments into Wireshark pcaps! Holy crap that is awesome, not only to put comments into a pcap, but adding a new column into the display to show them all is an amazing way to notate a capture set.

The diary entry also talks about Moloch and CloudShark. Moloch is a tool to download/install and set up, which will take packet capture feeds and index, store/display them for easy referencing, and for adding extra comments (tags) through a web interface. This doesn’t replace an IDS, but will augment the ability to manage traffic displays and packet feeds. I can see using this to carve out and save normal traffic examples or malicious incident snippets or just as a budget-conscious way to start indexing traffic patterns.

CloudShark is a cloud or on-prem solution that will do much the same thing, only probably more polished.

The bottom line, though, is I had no idea comments could be added to pcaps in Wireshark! (Save format defaults over to pcap-ng as well, to save the extra data.)

upgrading the gaming rig for 2018

(I wrote this about a month ago, and it got stuck in drafts. But now I’m pulling it back out and letting it loose.)

I’ve watercooled my gaming systems since around 2002. My last gaming system build was actually around 2012, and since then I’ve just been coasting on that system. I reworked the water loop into two loops a few years ago, adding a closed loop over the CPU (Corsair H60) and keeping a custom build over the GPU. Very cool. About 6 months ago my day-to-day system (an older gaming system) water cooling loop got some contaminants in it (after not having had any in many years) and I had an algae explosion. Rather than clean it up or even replace parts, I just scrapped the whole system and replaced it with a spare (better!) system I had sitting around doing nothing important.

Now, this week, my main gaming system suffered my first leak ever. A reservoir/pump combo drive bay unit was seeping water somewhere inside it. While the leak didn’t damage anything, it did cause me to rip out the loop and begin the process of replacing the air cooling (fan and heat spreaders) on the GPU. Water cooling was initially done to reduce the sound of my computers; but these days, fans are larger and far quieter such that the reduction in sound is negligible anymore. Somewhere in either that process or just the process of touching/moving things that hadn’t been much touched in many years, the motherboard decided to stop posting at all. I gutted everything out, but no improvement. Well, I was actually going to look at upgrading the system next year anyway!

(PS: After much fiddling, I actually got the old motherboard posting again, but this was after I had rebuilt the system. So it’ll still see life in an ancillary machine for testing/playing.)

So I’m taking the time to upgrade the motherboard, CPU, and RAM, and SSD. What’s interesting is how gaming hardware hasn’t really changed so much in the past 5 years, such that some of my components can actually be re-used. This marks the first time I’ve done an actual large upgrade rather than just building new from scratch.

I really wanted to get an Intel i5-8400 CPU, but I can’t find any available for at least several weeks. So I decided to spend a bit more for the Intel i5-8600. This requires an 1151 socket board which is covered in 300-level motherboards. So I’m picking up a Gigabyte Z370 AORUS Gaming 5 motherboard. This means I need new DDR4 memory, so I’ll pick up 16GB of G.SKILL Ripjaw 8×2 sticks. I kept the option to keep a closed water loop on the CPU with a new Corsair H60. I also had an unused SSD sitting around, so I’m making use of that as my system drive (though my old case really wasn’t built with SSDs in on the market yet, so it’s really just kinda hanging out in there…).

I really didn’t want to make these purchases right now, but things happen. Probably my computer telling me to make use of the Steam sale-driven Skyrim Special Edition that I purchased over Thanksgiving weekend!