lots of people looking for mentors these days

Everyone wants a course or cert or mentor that will teach them how to be a master hacker or to hit the ground running with a cheatsheet in hand. But the only real path requires two legs: practice and curiosity (self-study to learn the things that are still unknown). A course can help with the former, but courses can only cover a minuscule amount of all the unknown things you’ll run into. Dive in, get guidance as needed, but there is no substitute for practice and doing something by yourself. Apply for and land a job, find a mentor there, or find yourself being the mentor. Do, do, do.

That said, just ask direct questions.

the soc or siem of tomorrow

Monster post of the week goes to Gunter Ollmann’s NextGen SIEM Isn’t SIEM blog post.

To paraphrase the first half, basically SIEM’s main weaknesses have been fidelity and trying to integrate newer sources. These newer sources are pushing that fidelity and active response away from the SIEM and down closer to the endpoints/attackers/events.

…Interjecting my own thoughts for a moment: Also, in the past, a SIEM was only as good as the intelligence behind it, which was often fueled entirely by the staff sitting directly in front of it. I’m sure every SIEM and MSSP vendor has been asked, “So, what do we look for out of these million log entries?” by every single one of their clients, and the answer is always, “It depends,” or, “What do you want to find?” (You’d think intelligence would get pushed downhill, but I think only the most obvious of intelligence ever gets outside a singular organization’s walls, including those that share it!) The best (luckiest) shops have SIEM ninjas in house, but most just flounder wetly about in the hallway. Now, back to Gunter…

And he frames the transition correctly by saying these new tools typically do only a narrow scope of things really well.

Honestly, I’m not sure asking what the “next gen SIEM looks like” is exactly the right question. I’d take a small step back and say, “What does the next SOC look like?” (I’m writing this as I read the article, and Gunter goes in the same direction!) Do we still strive for one pane of glass? Do we have many panes of glass with best of breed tools?

I like Gunter’s bullet points on what the next SOC/SIEM should do or look like.

But I do want to add one other factor into this. The shops that have the budgets to get things like big SIEM tools and various other Threat Hunting or SOC-supporting tools are also the ones fighting with a ridiculous technology change pace in their own networks, and those that have manageable environments are the ones too small for the best tools. Between cloud, IoT, mobile devices, and advancing system sprawl, it’s a huge endeavor for a SOC just to keep up with its own organization.

Anyway, just to interject a wonderful (or nightmarish) vision of the future…we keep taking steps forward towards actual Gibson/Shadowrun-like ICE!

q2 2018 training and learning plans

So, what’s on my structured training list now that I’ve finished CCNA Cyber Ops? I have a 2018 goals post, but obviously things can change… I don’t blog about many of my training things, largely because I have a separate, private OneNote instance that has a huge breakdown and list of things I want to do this year, next year, and discussions on everything else that my career may entail beyond. I have a long term section, and a list of things I’m basically doing right now.

Right now, I have a small lull until I head to SANS West in two months and pick up my first SANS course, GCFA FOR508. I’ve decided to forgo some courses people tend to take early on in their SANS experience, and dive into the deep end by skipping GSEC (SEC401), GCIH (SEC504), GPEN (SEC560), and GCFE (FOR500). I’ve never had the opportunity to do SANS courses before, and rather than go easy and do something I may know pretty well already, I decided not to wait years and instead get to a course that will certainly be a challenge.

To that end, I’m already doing a little bit of prep work to brush up on some forensics/IR topics so that I don’t need to catch my mindset up much to hit day 1 at a brisk walk. I’ll be watching some random YouTube clips of the course and related topics, reading a few books I have sitting around on forensics and data collection, and otherwise preparing my workstation.

Beyond that, I’m likely going to do a little preparation for NetWars as well, though to be honest, I don’t expect much as a first timer. But I want to finish a bit more in my RHCSA/LFCS courses, refresh using Metasploit Unleashed (a course I’ve long since just never gotten through) to get my mind back in offense, and then do some retired HTB boxes to oil those wheels further.

I’ll also be at C2E2 (Chicago) in the middle of all of this, so that likely is enough planning for now to see me through to the midpoint of 2018.

getting domain admin before lunch

I always hesitate to link to Medium articles, as I find the platform somewhat dubious, but this article was good and included further good links at the end. The article is “Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)” by Adam Toscher. I actually skipped the part at the top and thought to myself, gosh, this sounds like a SpiderLabs update to their old article on the same topic. Sure enough, he mentions that!

The bottom of the article includes wonderful links for more information, such as A Toast to Kerberoast and the Inveigh PowerShell tool and Relaying Credentials Everywhere with ntlmrelayx.
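Since Kerberoasting is one of the linked paths to domain admin, here is the SOC-side view of it: an added detection example, not code from this blog or from any of the linked articles. Kerberoasting asks the KDC for service tickets for accounts that have an SPN set, preferably with RC4-HMAC (etype 0x17) so the ticket can be cracked offline more cheaply, and the only trace on the domain controller is a run of Event ID 4769 (Kerberos service ticket requested) entries. The records below are constructed, not real logs; the field subset, the 5-distinct-SPNs-in-5-minutes threshold, and the machine-account exclusion are assumptions to tune per environment.

```python
"""Kerberoast detection over Windows Security Event 4769 records.

Added example (not from the original post). Records are constructed and carry
only the 4769 fields the rule needs: TargetUserName (requesting account),
ServiceName (service account), TicketEncryptionType, IpAddress, TimeCreated.
Requires "Audit Kerberos Service Ticket Operations" to be enabled on DCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # etype 23, the cheapest ticket to crack offline
BURST_THRESHOLD = 5               # distinct roastable SPN accounts per requester (assumed)
WINDOW = timedelta(minutes=5)     # time window for the burst (assumed)

# Constructed sample events. jdoe sprays RC4 requests across six service
# accounts in two minutes; asmith's traffic is ordinary AES plus one legacy app.
EVENTS = [
    {"time": "2018-03-20T09:01:02", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:01:03", "account": "jdoe@CORP.LOCAL", "service": "svc_sql2", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:01:03", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:01:04", "account": "jdoe@CORP.LOCAL", "service": "WEB01$", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:01:05", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:01:05", "account": "jdoe@CORP.LOCAL", "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:02:10", "account": "jdoe@CORP.LOCAL", "service": "svc_exchange", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2018-03-20T09:05:00", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.9"},
    {"time": "2018-03-20T09:06:30", "account": "asmith@CORP.LOCAL", "service": "svc_legacy", "etype": "0x17", "ip": "10.0.0.9"},
    {"time": "2018-03-20T09:06:31", "account": "asmith@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "ip": "10.0.0.9"},
]


def is_roastable(ev):
    """True for an RC4 service ticket to a user-style service account.

    Machine accounts (trailing $) have long random passwords and krbtgt is the
    TGS itself, so neither is a useful Kerberoast target; skipping them cuts
    the noise from ordinary host-to-host Kerberos traffic.
    """
    svc = ev["service"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["etype"].lower() == RC4_HMAC


def detect(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {(account, ip): [service accounts]} for every requester that
    asked for >= threshold distinct roastable tickets inside `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            key = (ev["account"], ev["ip"])
            by_requester[key].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = {}
    for key, items in by_requester.items():
        items.sort()
        # Slide a window anchored at each request; alert on the first window
        # that contains `threshold` distinct service accounts.
        for i, (start, _) in enumerate(items):
            seen = {svc for t, svc in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[key] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for (account, ip), services in detect(EVENTS).items():
        print(f"possible Kerberoast from {account} at {ip}: {', '.join(services)}")
```

Two caveats a practitioner would want. First, the encryption-type check is a convenience, not a guarantee: current tooling can request AES tickets when the target account supports them, so the distinct-SPN burst per requester is the part of the rule to keep even if you drop the RC4 filter, and in an AES-only domain any 0x17 request is itself worth a look. Second, a single legacy application that genuinely needs RC4 (asmith above) should produce one service account, not six, which is why the threshold is on distinct services rather than on raw event count.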

review of the cisco ccna cyber ops scholarship program and cert

Let’s start off getting the logistics out of the way. I started the Cisco CCNA Cyber Ops scholarship program a week before the official start date of 12/28/17 (cohort 5). I took and passed the first exam, SECFND 210-250, on 02/02/18 with a comfortable score. Study time was about 2 hours per day average for about 5 weeks, and I did end up watching most of the mentor sessions, in addition to all of the Cisco online course material and labs. I purchased the Cisco Press SECFND book, but honestly did not lean on it at all.

The SECOPS 210-255 material was far shorter and took overall less time to consume. I spent about 1.5 weeks sick in the middle of my studies, but thankfully I was already ahead of the course dates. I was able to take and pass the SECOPS exam on 03/09/18 with a very comfortable score. I did not actually do any mentor sessions. On the day I passed the exam, they were only up to Chapter 8 out of 15 with 4 additional exam prep sessions later on. I borrowed a copy of the Cisco Press book for the SECOPS course, but I admit I did not use it. (Ok, I looked up one thing I was foggy on from the Cisco exam blueprint, but it actually wasn’t where it claimed to be in the book; it was flat out missing, so I set it aside for good.) SECOPS also requires some outside sources, so I read the CVSS specification and user guide, NIST 800-61r2, NIST 800-86, C2M2, Diamond Model paper, Kill chain paper, and I took a 2-hour refresher course on Regex basics from PluralSight (I have a standing account there). I would have brushed up on Wireshark usage a bit more, but I’m very comfortable with it.

I admit, I rushed this, but I also wanted to get this out of the way of other things going on in 2018, and I didn’t want it to drag on too long. And I was very successful in carving out time to dig into the materials to get an exam take as soon as possible. I took notes in OneNote on the courseware (usually played at 1.5x speed), regularly reviewed the courseware end-of-section questions, and transferred key topics to Quizlet for review the week before each exam.

What did I think of the provided materials and guidance in the scholarship? Well, it was all free other than the books, which I opted to acquire on my own, plus my time spent. The online course itself was really good, though I admit it dove pretty deep and sometimes beyond the scope of what was tested. But it was all good information pertinent to what I would expect from an entry level SOC analyst. The Cisco exam blueprints were very accurate. The SECFND courseware and labs were far longer than the SECOPS materials. The courseware was very consistent; however, there was one awkward lab in the SECOPS course where the word “pivot” was abused badly. Clicking on a link on a web page is not pivoting, clicking to a new window is not pivoting. Beyond that, they were very consistent and helpful. Amusingly, I was distracted by one narrator referring to Metasploit as Megasploit multiple times.

I do also want to call out that some of the courseware delved into Cisco products, and one or two small sections sounded like marketing wrote them. But the exams themselves did not test on anything specific to Cisco, other than NetFlow.

The labs I actually especially enjoyed. I had zero technical issues with the labs, even running Chrome on Ubuntu 17. And honestly, I really liked the setup and the content that was presented to the students. The step-by-step instructions were also clear and accurate. To be honest, I don’t know that I learned anything absolutely new, other than being able to play with Security Onion more than I had in the past. But, I loved the thought of this material being consumed by more entry-level types of students. This is far more than was necessary to meet the exam requirements, but I would always suggest students consume those labs if they are new to the industry as there is a lot of good experience in there. If nothing else, it allows students new to Windows or Linux to run some tools and commands, or perform some attacks they’ve never seen before, including getting their first root shell. Students who know absolutely nothing about Linux may struggle to navigate a Linux terminal here and there, but this isn’t a course introducing Linux to students.

The mentor sessions were a bit chaotic and unorganized at times, but my biggest complaint is the use of Webex as the delivery platform. I primarily run on Linux as my main desktop, and I could not get Webex to connect on Linux, nor watch the recorded playback at all. Thankfully, another student downloaded the recordings, converted them to a regular video file, and posted them to Dropbox. An absolute godsend! That said, the mentors seemed far more at ease with any pure networking material than with security topics, and I suspect I probably know more than them about most of the topics presented. In fact, stalking on LinkedIn a bit reveals my gut feel on that is pretty correct.

And that somewhat brings up what I would consider just an observation of this scholarship. In order to get approved, one has to already possess specific recognized industry certs (my CISSP and Security+ both qualified me up front, but the OSCP would have as well if I had asked) and one has to pass a preassessment exam. That preassessment exam was not kind or easy, and had some very CCNA R&S-esque questions and some rather surprisingly deep Windows/Linux questions. In fact, the preassessment exam was the hardest thing in the whole program. But what this means is that people taking the CCNA Cyber Ops in the scholarship program are a bit stacked towards experienced infosec professionals, rather than the entry/associate level that it should be geared towards. I understand why Cisco would do this, but that might skew my experience, results, and opinion a little bit. For anyone jumping into CCNA Cyber Ops without the scholarship, there are no prerequisites or requirements; this can be your first Cisco cert, in fact. I’d consider that a huge plus.

How were the exams?
The biggest thing that I will remember about the exams was the grammar. SECFND 210-250 questions were absolutely awful. I pride myself on being able to understand communication from people with poor grammar, but more than a few of the questions felt like they were written by two different non-English speaking people and then spliced together. This is even more pronounced as the SECOPS 210-255 questions were far better (though I did find two awkward moments that made me sit back and think a lot [kinda like CISSP questions] and one question that was flat out talking about the wrong thing). Either way, the experience was ok, I passed both on the first try with 900+ scores, and about 30-40 minutes of actual question answering. The content seemed to match the exam blueprints very well, and I really wasn’t surprised by any foreign content with just one or two exceptions I can’t reveal, but I suspect weren’t even scored questions. Not everything is covered in the Cisco scholarship course, but they did call out to external resources. So, nothing should be surprising: it was called out in the course and mentioned in the blueprint.

What do I think about the certification and where it is positioned in the infosec world?
Cisco states: “The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

I think the program is positioned excellently for entry level students looking to get into SOC analyst positions. Students get a solid mix of exposure to TCP/IP networking, security concepts, Windows analysis, and Linux analysis, and that mix of exposure is difficult to get without real experience on the job.

I would honestly suggest anyone looking to hire for or get hired for a SOC position should consider this course their first stop on the journey.

That said, a SOC analyst position is not the most common position I see posted in infosec in my market, and is really only prevalent in MSSPs or very large organizations that can afford and need a SOC.

I’d consider this course to fall just a half step above the CompTIA Security+ course. Security+ gets pretty technical into the security concepts (very trivia-like), but really offers less actionable knowledge of things like Windows, Linux, or networking. If you pass Sec+, you still won’t feel like you can do the job, but with Cyber Ops, I think students can feel like they could walk into a SOC and be useful in the first day or (Disclosure: I have a lifetime Sec+ since I got it so long ago…so the content may have improved). I find the CCNA Cyber Ops to be more directly useful in certain day-to-day jobs. I’d consider it maybe a half step below the SANS GSEC course (Disclosure: I have not seen that course, but am basing this on anecdotes from others.). It doesn’t really compare to the CEH, as one is offense and the other defense, but I’d consider the Cyber Ops course to be more useful to defenders or SOC analysts than the CEH by quite a margin. I’d consider the CISSP certification to be about a step and a half above the CCNA Cyber Ops.

In fact, I would honestly say that if someone can make it through the CCNA Cyber Ops, they will have demonstrated a certain (small) command of Windows and Linux analysis, networking acumen, and security concepts. And I think students could take a serious look at the OSCP or jumping pretty much anywhere else in the infosec training and certification tracks. And I definitely think anyone with this certification should be ready for their first 1-2 years of defender jobs. And there are no prerequisites, making this an approachable first security cert to get, though students will be helped by having a decent technical background of a few years, even if just troubleshooting their own systems and watching the infosec landscape via Twitter and blogs from afar.

That said, there are a few small issues with the certification.

The first and largest problem is apparent when looking at the certification roadmap at Cisco. The CCNA Cyber Ops has no CCNP tier, and it does not lead anywhere else. If you want to pursue any CCNP tier cert, you need to slide over to another CCNA track and get started there. That hopefully will change in the future, but for now, the cert doesn’t let you get anywhere else in the Cisco house. Hopefully they figure out what to do with this.

Second, this is an associate or entry level certification. If a student has even 6 months working in a SOC, I think they should look above this cert. If a student has 4+ years of IT work with servers and some security technologies or networking, I don’t think they will learn a ton from this. That said, if this is part of an identified roadmap to improvement and learning, this is a good step to include. And honestly, I think any SOC should require this of their entry-level staff within 6-18 months of employment, or prior.

Lastly, there is the problem that Cisco has a CCNA->CCNP track for Security, which really means working with Cisco’s security software such as the Cisco ASA Firewall, ISE, Firepower, AMP, and so on. That track will allow you to work as a Security Administrator, where you deploy, configure, and troubleshoot those tools. A SOC Analyst would leverage those installed tools to consume their output. In my market area, I find more opportunities for using the CCNA Security cert than the Cyber Ops one, simply based on job duties.

I found this blurb on the Internets which I think sums up the positioning of the CCNA Security and CCNA Cyber Ops courses:

“As far as the other poster’s question goes about CCNA Sec vs CyberOps, they have completely different career paths in mind. The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls. This kind of job specialty you’ll likely only find at larger companies, although the knowledge can still be useful in a small environment where you have to do a little bit of everything. The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard. Two very different certs. For someone who wants to work in the security field, CyberOps will be more valuable by far. CCNA Sec, ironically, is more for someone already in the networking field who’s moving to specialize in security appliances.”

I admit, all the people I know that have CCNA Security or higher come from the network admin side of IT.