It’s January, it’s cold, and I have a day off, so that makes for a great time to get introspective and look at my plans and goals for learning and training this year! Sometimes I look to make themes out of my years, and this year I’m probably due to stretch my red team/offensive legs again. I also had a shorter list last year, and this year seems like I’m swinging back into things. Hopefully not too heavily that I get burnt out, but I do have some pressure valves built in that I can pump. On the plus side, I don’t really have any intense things to renew all year.

Formal Training & Certifications

CISSP – It’s barely worth mentioning, but I do need to note to myself that my CISSP expires in April 2024, so I should renew that early on. That’s mostly about getting my CPEs entered.

CSA CCZT – A few years ago I took the CSA CCSK and passed. I saw last year they now have similar material and certificate centered on Zero Trust topics. I’m sketchy, but serviceable on the topic, and I’d like to just properly prove and improve that. This is fairly low pressure, too.

ISACA CISM – I’m not sure how or why this got on my list, but it’s on my official list for work, so I’m including it here until I decide to not do it. Or just do it. This isn’t a cheap exam, but is relatively inexpensive to study for other than the time. We’ll see where I can fit this in. Part of that equation is evaluating the benefits of this cert and its maintenance.

Informal Learning

I have access to a year of Antisyphon On-Demand courses that started very last in 2023. This means I have 25+ courses to consume. Low pressure, and I don’t intend to do all the labs, so this can be something I tackle in pieces.

I also have access to a year of HTB Academy. I mostly got this to gain eventual access to the tier 3 and tier 4 topics, but the rest of the modules can act as refreshers. There is a cert that is slightly intriguing in the Pen Tester path, but I’m not in the mood to entertain that right now.

…and access to MITRE ATT&CK Defender for a year. I’m not entirely sure what this will be, but I had some work budget to spend at the close of 2023, so signed up here. This is partly to see what this service is about and whether I suggest it to others on my team.

…and access to BlueTeamLabs. I’ve been doing this for several years now, and will have another year of access. This is mostly maintenance mode, which means doing new releases every few weeks and helping others.

OffSec Learning Unlimited has been a thing I’ve been eyeballing since it was first offered, and this year I’m putting it on this list. The above things I’ve already gotten access to, but this one is a heavier purchase and if work is willing to provide part of the cost, I’ll cover the rest, including the time commit. And a commit it will be, which is another reason I’ve not yet opened up this subscription. I want to make sure I’m in a place where I can spend a good portion of time for the price. I don’t have any plans to take another OffSec exam, but if I did I’d target the OSWE.

It’s hard to plan a red team year without some HTB time commit thrown in. I hope to dabble on this site again some more. I’m unsure if I’ll spring for VIP yet, but it’s possible, especially if it helps reinforce and practice HTB Academy modules using retired boxes. (On the downside here, HTB is a lot different in its user base than it was years ago. It’s very perturbing to do innocent searches for error messages or exploits against a technology only to find spoilers for live boxes quite readily available. This never happened years ago unless you knew the right people…)

It’s hard to commit to Defcon as it tends to be a big expense, plus risk of sickness. But, I’m putting it on here to figure out this plan before too late. I’d like to go, but it’s also OK to not go. And if I do go, it’s not just about planning hotel, flight, and budgets, but also activities such as any competitions I may want to prepare for.

Other & Parting Thoughts

Last year right around Defcon, I started taking up running for the second time in my life. I loved it, but got away from it late in the year as I was trying to figure out some mysterious ankle pain (on my right Achilles area). During my time, I lost about 35 pounds, and more than the raw number, I could tell the difference. So, I want to get back to exercising properly again, in however fashion I can, even if running ends up being too much impact. This has always just been about being lazy; I love the burn, I love the (good) soreness, and it’s never boring to me.

Lastly, work has a decent influence on what I do, since, well, they pay me and often I’m using budget for the above learning opportunities. I’m hoping to bring some gentle purple team sensibilities and practices to our team in 2024, which aligns with my own personal time focus. Not everyone has an interest in doing both attack and defense, and I consider that adaptability to be one of my strengths. One which I want to keep honing into the future. It’s really either that or continuing to build practice cloud experience in Azure and AWS! 🙂

I didn’t do a bunch of flashy things in 2023 on a learning or training front. I think I did more in 2023 that set up my 2024 than I actually accomplished! But, I really like to do these year over year. Of my goals

1. Renewed AWS Security Specialty – Renewed isn’t a great way to say it, really. I tested and passed the exam so that I could keep claiming this cert. This continues to still be one of the denser and harder tests I’ve taken in my professional career.
   
2. Renewed SANS GWAPT – This one is a proper renewal that takes cold hard cash and some CPEs. In return, I get new Web App Pen Testing materials and the opportunity to keep saying I have it!
   
3. Maintained top 3 in BlueTeamLabs – Mostly in maintenance mode on this site, and I do new challenges as they come out. Good practice for blue team skills!
   
4. Huntress CTF – I may do a few CTFs in a year, but never over a whole month of time. The Huntress CTF took place over the month of October. My solo team finished 46/4210 teams and finished all 58 challenges. Pretty fun!
   
5. HackTheBox – I got back into HTB for a brief spell, doing about 5 boxes including an Insane one dealing with Active Directory and Windows networks. I’ve since dropped back into the shadows here, but I know I’ll get back in again.
   
6. Antisyphon On-Demand courses subscription – I’ve had this in the pocket for a while to get, and used some end-of-year budget to get this set up. This provides a year of access to all on-demand courses, which is pretty sick value. This was late in the year.
   
7. HTB Academy subscription – Also spending some end-of-year budget to get access to this set of modules on HTB for a year.
   
8. Defcon – I went to Defcon. I’ll hopefully go again.

That seems to be all I wrote down or wanted to mention! Did I miss a few things from my goals? Not really, but I did not spend as much time as I’d still like to with Kali Purple or the Splunk Attack Range. It probably helped that I didn’t post about my yearly plans until last June.