week 1 cisco cyber ops content observations

I’ve sampled much of the material for the first half of the Cisco CCNA Cyber Ops certification material, namely for the Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) portion of the program, and I’ve gotten through about half the material in depth. (Disclaimer: I am taking the self-paced e-course through a Cisco scholarship, so I am not paying for it.*)

So far, I really like the material that is collected as it pertains to a SOC Analyst position. And let me tell you, Cisco makes constant mention that this material is meant specifically for a SOC Analyst. I think it effectively overviews the general things I think an entry level SOC Analyst should know coming in, or have learned about in their first 6 months. And this includes not just book knowledge, but ability to utilize some tools and troubleshooting and log/alert reviews (aka analysis!).

I would slot this material about one half step above Security+ (It’s been years since I took this) and at a similar level to the SANS GSEC course. (I have not taken that, but the topics covered seem to match very closely). I think someone could conceivably skip GSEC if they hold the Cyber Ops cert, and vice versa. Moving from something like the CCNA R&S track over to pick up Cyber Ops could be conceivable for maintaining the latter and expanding a career path. I would expect that a 2- or 4-year degree in infosec would be at least equivalent to CCNA Cyber Ops cert.

Keep in mind there are two exams that make up the Cisco CCNA Cyber Ops Certification. The above-mentioned SECFND as well as the Implementing Cisco Cybersecurity Operations (210-255 SECOPS), which dives deeper into actual SOC processes and procedures. I have not reviewed that material other than a cursory glance at the exam topics.

Should the CCNA Cyber Ops cert be mandatory for entry-level SOC Analyst candidates?
Of course not. But a candidate with this is going to be looked upon favorably. Personally, I think most any sort of IT background or degree (plus security interest) is enough to get someone in the door as a SOC Analyst. This will help a) provide training for someone already in the door, or b) help set someone just a little bit above their peers. I’m not sure I’d pick someone with GSEC, Sec+, or Cyber Ops over the others in that grouping, but any sort of interest and proven knowledge is good. I think the cert should allow for more lenience on any actual years of experience, though. That is probably the balls-iest thing to say in all of this. I would honestly say that someone who can consume and learn from this material has knowledge that is gained in 0.5-2 years in a SOC by someone without that prior learning.

Is the CCNA Cyber Ops geared towards students with 0 professional experience or those that have some level of prior knowledge/experience?
Here’s the breakdown of what I feel someone should know coming into this material:

  • security and cryptography concepts at a Security+ level
  • enterprise networking concepts (LAN, WAN, sec tools) at a 0.5-2 year professional level
  • Windows troubleshooting/experience at a 0.5-2 year professional level (desktop/server blend)
  • Linux troubleshooting/experience at a 0.5-2 year professional level
  • programming/coding/web dev experience to some degree
  • Cisco product exposure, CCNA R&S exposure to some degree

While I don’t think someone can come in with, say, 0 Windows experience, I think they need to know Windows (or conversely Linux or networking) to a degree that someone could work at an entry-level Windows admin job, for instance. If a candidate has 0 Windows administration/troubleshooting knowledge or 0 networking knowledge (ever set up home LANs?), I’d point them first to an A+ or Security+ course track. For Linux, I’d probably point to Linux+ as a primer. However, I think someone with decent personal Windows/networking/Linux knowledge can succeed here, even without having had that experience on a professional job. Also, a 2- or 4-year IT degree should suffice.

Some of the topics and technologies you really don’t get without having some exposure to security processes in an organization, but the concepts shouldn’t be foreign (i.e. LDAP management, IPS/IDS tools, endpoint security tool features, log collection and analysis). And I think the material does a good job introducing it enough that a new SOC Analyst can hit the ground running in their first week.

Honestly, much of this material matches things I’d ask in interviews for mid-level Windows server or desktop admins. It’s just stuff someone really should know if they pursue a long-term career in IT, let alone security.

Would this be a good option for an experienced IT admin looking to transition into security?
If someone has several years of admin work and wants to get into security, I think this is a decent way to go, depending on goals and prior knowledge. A network admin can get up to speed on security and systems topics, and a system admin can get up to speed on security and network topics. But I think very experienced persons could look further up the chain if they want. But, the reality is sometimes you have to start somewhere when doing a career shift into infosec, and I wouldn’t look down on someone starting here.

What about someone who has 3+ years of security experience?
Honestly, I doubt that student will learn much new, but if the cert helps with job searches or is essentially free, then go ahead. But otherwise I think that level of experience could be looking further upwards. If there is any sort of current security person who could benefit, it’s one who is tasked with building out a brand new IR process, new SOC team, or applicable topics. I can see some good learning happening in that sort of a situation, particularly in the second exam of the two.

Would this be applicable to a non-Cisco shop?
I actually think so, but obviously much of the countermeasures and solutions have a distinct Cisco product slant. Again, I consider the GSEC to be somewhat analogous to this cert, so that can be a substitute.

What could come after CCNA Cyber Ops?
What I also like about this cert is where someone with Cyber Ops can go. I can honestly see this as a jumping point to almost every “advanced” security certification/training path out there, even going into PWK/OSCP, and definitely to CISSP/CISA/CISM or CCNA Sec. I think I might start considering this not just an entry-level-ish cert, but a gateway cert to everything else (much like Security+, GSEC, an actual infosec degree, and even CEH [until the US Gov finally drops it]).

*Would I have taken the course/exams had it not been offered for free?
I honestly doubt it. I’ve been doing IT and infosec work for 15 years, and as such, I’m really not learning much through the course that is brand new to me. Some topics are difficult as I just don’t need some particular trivia every day. But I’d really say I’d have pursued something further up the chain in place of this had it not dropped into my lap. If I pass, I’ll certainly add it to the resume/LinkedIn page, but I think my job experience over the past few years and a CISSP already demonstrate the same commitment and knowledge that this cert would. Given the next 4 months free, I would have spent the time elsewhere.

training and goals for 2018

A function of getting older and adulting more (somewhat) is knowing I just don’t have time for everything I want to do or learn for a given day, week, month, or year (video game habits have suffered the most for this). I’ve found it’s useful to make some lists and goals for the year. In past years, I would make a new year resolution to learn some new hobby or personal skill, things like learning how to play guitar or learn more about cocktails. Recently, I’ve found this is a great habit to have with the career side of my life. In particular, I found other people doing something similar on TechExams.net, where colleagues would make achievable yearly goals that get them where they want to go.

This year, I don’t plan to do a whole lot as far as building a new hobby or interest, but rather hone what I have now, fill in gaps I didn’t get to (I never did learn how to play a guitar very well), play a few more video games (deep-seated joy in this activity), and focus on work/career and relationships for 2018.

This list isn’t complete. I have some personal goals I won’t end up sharing here, plus also various notes on topics I’d like to get to, but don’t see myself committing to at this time. Also, some of these items are brief, while I have more detail in my private notes on how I’d like to proceed.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field. I’d like to know both deeply, and it helps keep me well-rounded and ready to tackle most anything that may come my way.
  • balance career growth opportunities along with actual learning. I find as I get further into my career, I need fewer letters after my name, and have more yearning for learning actual things. In my earlier years, I found I was deeply driven by learning enthusiasm, and it’s so nice when the job itself is aligned with fulfilling that drive. I can point out years I had this, and which years I did not.
  • balance of work-driven (paid) and personal growth learning opportunities. Some wonderful training is cost-prohibitive, or requires access to hardware/software that has a dollar tag on it that is hard to achieve outside the workplace. I feel behind the curve with pursuing this due to previous management frugality.
  • Keep the job! I initially left this off, since it’s part of day-to-day life with me and not a question, but I suppose it needs to be stated. I like my job outlook this year, and hope to use the entire year to become amazing at it.

structured learning/training

  • Q1-2 Cisco Cyber Ops Scholarship Program
  • Q2-3 SANS FOR508 (GCFA)
  • Q1-4 finish LinuxAcademy RHCSA/LFCSA courses (and finish this subscription)
  • Q1-4 Metasploit Unleashed course (I’ve never really sat down and gone through this…)
  • Q3-4 SLAE -> CTP/OSCE (tentative, or just prep)
  • Q1-2 Maintain CISSP (hey, already done!)

unstructured learning

  • HackTheBox VIP sub (keep offensive skills from getting rusty)
  • work topics (placeholder for work-related learning)
  • Web Hacking 101 book
  • Burp Suite improvement/growth (courses, videos, etc)
  • Python improvement/growth (undetermined)
  • PowerShell improvement/refresher (undetermined)
  • expand Home Lab with automated AD builds
  • pen testing Linux distros to check out
  • CTF participation (as it fits in)
  • learn Scapy usage

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits
  • expand OneNote use
  • work on LinkedIn/career stories and goals (1-page resume for fun) (sec boss interview questions)
  • work on better anonymity online/VPN service for personal use
  • continue to hone and improve and tighten this and other learning/career lists

personal non-career goals/priorities

  • exercise (regular habit build; should take up biking in spring) and eating better (continued)
  • caring for relationships and friends

using the new noscript addon with firefox 57 (quantum)

Recently, Mozilla has been pushing out its new Firefox 57, aka Quantum. The main reason I still use Firefox as my primary browser is the ability to turn off all scripting with full control using NoScript (IE can’t really, and Chrome I don’t trust fully with its built-in allows for Google). So it was extremely jarring when one of my systems updated to Quantum and removed my ability to use NoScript. Turns out, NoScript needed to be rewritten from scratch in order to work in new Firefox versions, which apparently was a rude surprise for even the author. Since then, he’s been working to get the new version stood up and functional.

When NoScript got started again as a WebExtension, it lacked any sort of temporary permissions control, which I use constantly. Soon, it got a global “temporary allow all” which is not something I would even touch. Now, however, we do have more granular control on temporary permissions. Unfortunately, the UI isn’t very clear on what’s happening.

My Use-Case: I browse the webs with Firefox+NoScript. When starting a fresh browser install, I install NoScript immediately and remove all the defaults so that I trust nothing at all. Then I browse what I normally browse. As pages don’t load or functionality isn’t working, I’ll examine what is blocked by NoScript. I then make a judgement call on whether to permanently trust (i.e. allow a script to execute on that page) or temporarily allow it, which means only as long as my browser process is active. Tomorrow, temporary permissions will disappear and I’ll start all over again. Clearly, websites I visit often will have a few permanent allows, but by and large, I leave everything blocked that doesn’t interfere with my ability to consume a web site.

So, let’s get back to the UI. How do I do what I was doing for many years in the new NoScript UI? (WARNING: The add-on is currently in active development, and these screenshots and steps may become obsolete in weeks or days. The version I’m referencing here is 10.1.5.5.)

Here’s what I see on ESPN.com:

And here’s a view after I change a few things:

So, what do I do with my typical use-case now? I browse to a site and see it’s not displaying properly. I click the NoScript addon icon (or ALT+Shift+N) to open the drop-down window with all sorts of scripts that want to execute. I click the blue “S” next to one I want to allow. This defaults to temporary allow, and whichever HTTP/HTTPS protocol it pertains to. If the site switches to HTTPS, I’ll need to do this again. If I see a bunch of subdomains under a domain that I trust, I’ll make my choice next to the entry that starts with a “…”. This latter situation is good to use with CDNs which can come from one of many subdomains.

Typically, I choose one script to allow, let the page reload, and keep repeating until I’m either satisfied with how the page looks/works, or I’ve exceeded my level of personal risk with the scripts I’m loading. Sometimes, I see 50 scripts that want to run and just decide the content is not worth wrestling with scripts to get it to work (often video embeds will be quite the hunt to get to work).

This sounds like I might be complaining about my cheese being moved. And partly I am. But, let’s face it, the change is needed and we’ll end up with even more granular control over script execution with this new NoScript version with features I’ve not even touched in this post. If anything, I’m annoyed with Mozilla for putting users like me in this situation where, for several weeks, I effectively was browsing the web with my pants down or not browsing it at all.

2017 goals in review

Late last year and into this year I made some training and professional goals for myself. I thought I had posted about them, but it turns out I didn’t really post those tidbits (I have a whole host of things in my own notes), but I figured I would provide an update on what I did in 2017 in regards to those goals.

I spent about 2 months preparing for the PWK/OSCP lab and exam pairing, and over 3 more months in the course lab, and passed that exam. Probably one of the most satisfying things I’ve accomplished in my career. Really, anything I say about it and what it means to me is an understatement.

Through the summer months, I was bogged down a bit with a job that I have just since decided to move on from (I have a week off this week!), and I had really set aside more time for a possible OSCP re-take. Failing a first attempt on that exam is not uncommon, but this did leave me with some extra time for the year.

I also had told myself I should check off another Offensive Security course and cert pair: WiFu/OSWP. I can happily say that I signed up for this course just over a week ago, and this week passed the exam. It’s definitely something I wanted to get done in 2017, and having a week or two off has given me the time to focus on it.

I spent significant time taking some courses on Linux Academy, namely reviewing the Linux Essentials course and RHCSA prep course. I’ve used Linux at home for many years, but have never really had any true formal study in Linux, so this has been nice to fill in some gaps in my knowledge. The Essentials course is mostly review for me, but I have learned a few things. The RHCSA cert itself is not something I will pursue (since my title does not include Linux in it), but I do find it useful to have that level of aptitude and workability in Linux. I started this course as part of an obligation to my employer, and since I’m changing jobs, I’ve put this one more into casual studying over the past few months. This is one of those nice items where my own personal goal fit with my job duties and training requirements.

Among other less tangible goals, I’ve made progress in building out my home lab this year based around ESX running on an Intel NUC. As with any lab, it still needs plenty of work, and that will roll into 2018. I’ve also built the habit of attending local security meet-ups, namely SecDSM, through the year. And I’ve also gotten my hands on a few extra old laptops that I can use for additional exposure to non-Kali pen testing platforms.

Job-wise, this was a really big year. This marks the second full year for me being a true full-time security professional. Through the rest of my career, security has always been a part of my duties, but I was still always a sysadmin first and a security admin second (for those who have had that sort of hybrid role, you know what I mean). Last year and this year have been good in this regard; it really does make a world of difference to be able to devote serious time to improving security rather than constantly getting interrupted with small and large operational tasks.

All told, it’s been a transition year for me, and a very good one on almost every front. And while I have some individual accomplishments in the bag, my biggest takeaway has been just being conscious of my career direction, my learning habits, and my continued training. I slacked off over the past several years, and getting back on track has been a huge deal to me and my happiness and enthusiasm.

the wifu/oswp experience and alternatives

Just over a week ago I signed up for the Offensive Security WiFu/OSWP course and exam. This week I took and passed the exam. Much like the OSCP exam, this is a hands-on practical exam whose goal is to break into several wireless networks.

What sort of material does it cover? Well, there is a syllabus posted. But breaking it down, about a third of the material is about the 802.11 wireless spec, plus some tips on hardware and setting up wireless in BackTrack 5. Another third covers cracking WEP encryption with various attacks. Another roughly 20% covers WPA/WPA2 PSK cracking (old, insecure setups). The last roughly 15% covers graphing tools for wireless recon and MITM/client attacks using airbase-ng, airserv-ng, airtun-ng, and karmetasploit.

Is the course dated? Well, yes. But learning the basics is the first step to learning the harder stuff. And keep in mind, back in the early to mid-2000s, it was ridiculously exciting to see wifi hotspots popping up everywhere and start cracking insecure WEP and WPA configurations, all with the backdrop of grey, largely undefined laws regarding wifi shenanigans. That said, I do wish it covered more stuff or had an advanced version of the course to cover bluetooth, SDRs, mobile devices (to an extent), pineapples, and other fake AP/client shenanigans. But, I do understand there are severe challenges to the labs to accomplish all of that.

If it’s dated, is it worth the money? That’s always going to be a personal decision.

Can the same material be found elsewhere for less overall cost? Of course! And in lieu of actually purchasing the course, here are sources that should hold the same knowledge as presented in the course (and so much more!) for less monetary cost.

802.11 Wireless Networks (O’Reilly blue bats book) acts as the best technical reference for wifi. Incidentally, a new edition is due in 2018. The first third of WiFu is the briefest of summaries about the 802.11 spec.

Hacking Exposed: Wireless (Wright/Cache) is a complete book for wireless weaknesses and attacks, and will cover Bluetooth and SDRs. It’s not going to walk someone through every single issue, but will fuel google searches for more complete tutorials on pretty much everything.

Penetration Testing: A Hands-On Introduction to Hacking (Weidman). Weidman’s book devotes only a small chapter to wireless hacking, but it covers the bulk of what WiFu covers: WEP and WPA auth and key recovery.

Aircrack-ng tools wiki/documentation. The WiFu material reads pretty closely to the documentation of these tools, and will cover things like airserv-ng and airtun-ng.

Metasploit Unleashed is a free course hosted by Offensive Security, and has a section devoted to a tool that I don’t think is covered by any of the above sources: Karmetasploit.

All of the above should cost less than the course, but provide just as much information and far beyond as well. (Which does translate into needing to spend more time doing and more time reading many more pages.) There are also undoubtedly plenty of related videos and how-tos over the years for these topics as well posted in various free and less-free sites.

traveling tips and notes from a cyber warrior

I’ve not had too much cause to travel all that much, but enough to know that these tips are pretty complete and excellent: The Infosec Introvert Travel Blog. For the most part, traveling is still often a personal matter; do what you feel you’re comfortable and secure with doing. Be safe, be happy, and find some measure of enjoyment, even if it’s just reading a book in the hotel bar.