made it out to defcon 31

It’s been since Defcon 22 that I made it out to Vegas for the premiere hacker summer camp, but I finally got a chance to go out again, post-covid. (Spoiler: I’ve been covid-free since the outbreak, but presumably brought it back with me from Defcon. I first showed symptoms 3 days after the con. Thankfully, vaccines and boosters make for a smoother ride.)

My goals this year were to not attend any main track talks, not wait in line for any talks, and to just relax and have some fun in whatever fashion that presented itself. I feel like I accomplished those goals just fine!

Rather than itemize or talk about a bunch of stuff that can be found in other places, here’s my list of Good and Bad things from my experience. Though, let’s be clear, this was overall a great time.

Bad

  1. 20,000+ people (I’m estimating) plus all the norms. So, my first Defcon was DC16 with about 8,000 folks, and then DC22 with about 22,000. And in those locations, you would walk around the casino area and probably 80%+ of the people present would be hackers. Right before the covid19 pandemic, Defcon was topping 30,000 attendees! That’s a huge mass of humanity! Now that Defcon is at Caesar’s Forum, this means the con sprawls across several Caesar’s properties. It also means as you wander the properties, there are also far more norms walking around, probably even about 50% of the people around at any given time. Personally, I’d rather be more surrounded by my people. Still, that’s a lotta people in small places, and it makes for some less than comfortable environs for an introvert who likes his space like myself. Thankfully, I know myself and my limits pretty well and can handle things just fine. And having more people means more con, so…the fact of having so many people together is both good and bad, but probably overall good.
  2. Still COVID. There’s still Covid around, which sucks. Thankfully wearing a mask the whole weekend is quite acceptable with this crowd. The problem is I don’t normally wear a mask for hours a day, and I realized I got pretty warm with one on all day. My body isn’t used to shedding that heat with my mouth covered! Between that and the dry air, it was pretty easy to start sweating.
  3. I was ill-prepared, tech-wise. I didn’t take much tech with me, basically a laptop. Turns out, I wanted to do contests! And get on the defcon wireless network! I sure could have used a portable monitor. More laptop resources. A better wifi adapter. Notes for next time, especially if I want to try more contests, which I do.
  4. Some villages were… I swung by almost all of the villages, and I got into several that were super fun and interesting (and packed). But some I didn’t get into at all due to busy talks taking up all the room capacity and creating lines outside. And some villages were literally just talks unless you pre-signed up for something. These latter villages left me super disappointed and made it feel like these are just alternate talk tracks and nothing else. App Sec, Cloud, and Red Team villages, to me, were simply not useful or accessible to me and I never got into any of them. And they were among my priority ones.
  5. I wasn’t prepared for the other events. Lots of Defcon content and contests start months in advance. The moment I commit to attending, I need to continually visit the site and forums and start getting an idea of what is available and what I’d like to do or check out.
  6. Food and Drink Prices. Oof, $12 beer bottles, $24 burgers, yikes. Thankfully there was an easily-found Walgreens just 3 minutes north of Harrah’s that was open 24/7 and provided essential fluids, snacks, and sandwiches to keep costs down. Close, fast, efficient.

Good

  1. So many contests! It’s been since DC22 since I’ve attended, and the ability for Defcon to entertain and challenge 20,000+ people has matured a lot! I swung through the contest area several times, and each time I saw new things I missed previously. Even the villages had contests. I spent a day fighting up into the top 9 (of 220) of the Blue Team Village CTF, played and beat some demo game about Intelligence Operations and CTI, submitted threat model suggestions (which is something I’ve never formally done before), and poked at numerous puzzles and challenges. I probably would have spent far more time on the con floor doing these contests around like-minded folks if not for the covid spectre hovering about.
  2. Linecon + Merch. This is my second time staying up all night for Defcon registration. It’s now official, as Linecon! While we pre-registered already, my friend and I opted to still stay up all night and we were essentially first in line on the pre-reg side. We got in line at about 5pm, had our badges in hand at 7:05am the next morning, were among the first 30 in line for Merch, and hit up the vendor area shortly after. We were back in the room by 9am to upload loot and freshen up. While I’m not getting younger and the last time I stayed up all night was a previous Defcon, there are good points for this. First, there’s not a TON of things going on at Defcon on Thursday. Second, Linecon itself is fun and the people are excellent. (I also got my picture taken on the official Defcon stage as if I were giving a talk!) Third, you get full and first crack at merch and vendor gear and you get it out of the way before lines take hours and things sell out. This helps free up the rest of the con time for other things! (Or other lines to stand in!)
  3. Chillout room + SomaFM. Dude, I love SomaFM. I’ve been a listener since 2002. I love the chillout room at Defcon when you can get a reasonable seat and just do some contest shit or whatever. It’s still lots of people, but grab a drink or two and relax as you can! It’s just the perfect vibe.
  4. I was never lost! At the Riv or Rio I was constantly lost. I never really found myself lost in the Caesar’s properties. So, that’s cool!
  5. Villages with things to do. Hands on things at Lockpick and Physical Security villages were awesome. Even the Tampering village off to the side was informational!
  6. Movie night. I did movie night at DC16 and loved it, though it was pretty packed, but kinda skipped at DC22 in favor of parties/live music. But, this year I was spending time doing contests and had been sitting in the Chillout room. Then, when the live music started booming there, I took the vibe over to the movie night room and sat behind everyone else and continued doing hack stuff while also enjoying the movies. There was something about the vibe that just worked.

The Future

I have no idea how often I’ll get back to Defcon, but if I can do it every year, I am not sure I’d mind. Flying was 0 hassle this year, and really everything with regards to logistics and costs was fine. If I do go back, there are some things I want to keep in mind.

  1. Pre-plan more, especially contests. Man, seeing those black badge contests get wrapped up was super invigorating. While I have no skills that would help in the main Capture the Flag, there are other events I have a chance at if I can do some pre-planning and research/practice. I’d like to start on time with next year’s Blue Team Village CTF, and I’d love to try out the Capture the Packet. This pre-planning also means making sure I have gear that helps provide for success. Beefier laptop and portable monitor and wifi adapter, for starters. SE and Lockpicking could be fun contests, too, but definitely research the forums!
  2. Scav Hunt. The scav hunt always looks super interesting, and if I continue to know more people and first-timers at the con (e.g. coworkers), I might push to make doing the Scav Hunt a priority. That said, knowing a native in Vegas would probably help!
  3. Linecon. I’ll definitely do Linecon again. This year I took it easy as I was super wary about whether I could handle lack of sleep at my age, but things went fine. However, I’d like to bring a game or two, and maybe some sort of chair.
  4. BSides. I have never done BSides LV, but for a couple extra days, that seems like a fine way to go to actually see some talks and do a bit more casual conversing.

learning and training goals for 2023

It’s already June, which means almost half the year is over. But, I’d still like to post about my thoughts and goals and ideas for 2023. I should probably slow down and spend more time on other things, but even if I do that, these are still things I’d like to pursue or think I can get to this year.

I have a shorter list this year. Due to gentle life changes and getting older, one habit I’ll go on record (to keep myself accountable) is getting physically active again. I’ve already been going down this path, but it needs to be continued and expanded.

Formal Training/Certifications

Renew GIAC GWAPT (SEC542). This is completed already, though I still have a need to go through the new material and course recordings.

Renew AWS Security Specialty certification. This is completed already.

Renew CISSP. Also already done. This is just a fee plus CPEs, but I keep this on my list every year as a reminder.

Antisyphon course at WWHF. I’ve been doing training through Antisyphon for several years now, and there are still courses on offer that I want to attend. I may opt for a subscription format someday, but if not, I’d like to take something later this year with WWHF, either virtually or in person.

That’s really it for formal things. I only had one renewal exam to take this year, and no other major certifications on tap to pursue, though there are some topics that I could pursue, such as some red team courses/certs, or access to Offensive Security via subscription, or MS Azure/M365 certs. But, I just don’t want to commit time and/or money to them at this time. I suppose those could all be stretch goals or something to slot in if I feel the bug.

Informal Learning

Defcon. It’s been more than several years since I’ve been to Defcon. I’m going this year.

Books. I have lots of books to go through on various topics.

Courses. I have lots of course materials and/or things that I would like to get to on a more informal basis.

BlueTeamLabs.online. I still go through new content they release, but this is super infrequent and I otherwise have all of their content solved.

Purple team home lab. I’d actually like to stand up the Splunk Attack Range or Kali Purple or another blue team lab setup in my home lab. I already have a lab, but I don’t have, say, a full SIEM stood up or an attacker emulation environment set up at any given time (do you run the leaked and untrusted Cobalt Strike code on your home network?). I’d like to hone that process and then also consume it with self-directed activities like further C2 and attacker emulation practice. Basically, I want to be able to practice all aspects of purple teaming (blue and red) at home, including malware analysis and red team tradecraft. The key is being able to do this efficiently. It’s one thing to want to study advanced topics, but too often students like myself spend all their time on the environment and burn out before getting to the real juice. Standing up this environment needs to be as painless to me as standing up an AD environment or a Kali attack box or my normal home lab with firewalls and isolation. And often this comes down to rote practice, familiarity, and the right level of automation that isn’t itself onerous to maintain.

Parting Thoughts

That’s also really it on the informal side. This is the first year in a long time I’ve not had a subscription to some learning content that I was paying for on my own. I’ll get back to that for sure, but I’m taking a small break from pre-scheduled things.

And it’s not like I don’t get plenty of learning and geekery otherwise. I’m in year 23 of an IT and infosec career and work daily as a senior analyst with my blue and red feet in many ponds at the same time. There are really no days that go by where I’m not learning something new, practicing skills, or sharing my knowledge with someone.

reviewing my learning goals from 2022

Every year I try to make some learning and training goals and review my prior goals. This has gotten a lot looser in recent years, maybe due to time stretching outward in these crazy times.

I did lots of maintenance in 2022.

Formal Training/Certifications

Completed the Offensive Development course with Antisyphon virtually through Wild West Hackin’ Fest in the latter half of 2022 (yes, the link is to this year’s syllabus). This course was a 2-day exploration of writing and editing malware to get past EDR for successful execution on protected endpoints using Cobalt Strike and other red team structures. I really enjoyed this course as it really pushed my boundaries a bit. I just wished I had the time to go over it a second time for maximum uptake. The course says it is intermediate, but I would think this is really an advanced course if you want to follow along by doing the labs successfully.

Renewed my AWS Solutions Architect Associate certification (which also renewed the AWS Cloud Practitioner). See my post for these details.

Renewed my GIAC GCFA (FOR508) certification. This is really just paying a fee to get renewed plus updated materials and course recordings and lab files. I still need to actually go through the new stuff.

Renewed my CISSP. Again. Just fees and CPEs that needed to be recorded.

Informal Training

I spent a ton of time in the early third of 2022 on the BlueTeamLabs.online (BTLO) site doing their lab investigations. I did this enough to eventually land in the #1 spot on the leaderboard. I’ve posted a bit about their labs already, and I’ve even done some write-ups on retired content. Even at the time of this writing, I’ve been trading off with a few others for the #1 thru #3 spots as BTLO releases new content.

I also continued to spend time on PentesterLab earning most of their badges and finishing something like 450 of 480 challenges (not all of which were actually available). I have since let this subscription lapse, but fully intend to get back on again when I have some time and money to spend. (And also finally figure out the code review 11 challenge that has been my bane!) This was nothing done over just one year, but rather multiple years.

I finally got on board with TryHackMe for the first time last year. While I like the platform, it’s definitely a different environment than HTB or BTLO. I’d like to do more here, but I also have to make sure I do things that are worthwhile, as there is lots of content that is geared more towards entry knowledge levels. I spent most of my time on the Red Team tracks as I found these to be nice ways to review old skills, brush some dust off, and even learn some new tricks and tools.

Practical Malware Analysis book. I include this because it’s not just a book to casually peruse or even fully read, but is also a collection of exercises and labs to progress knowledge and practice techniques. I was turned further onto this than normal due to the “Counter” investigation on the BTLO platform. I didn’t get as far as I wanted on this last year, but I made progress and pushed my boundaries when it comes to using a debugger. I hope to do more.

renewed my aws security specialty certification

A few weeks ago I took an exam that renewed my AWS Security Specialty certification for another 3 years. This is an advanced “specialty” certification offered by AWS centered around, surprisingly, implementing and managing security within the AWS cloud platform.

I first took this back in 2020 and passed with a really good score. Reading my prior notes, I have many of the same thoughts this year as I did back then; this exam is frustrating to take. The questions are long, and 30-40% felt like multiple-answer questions. There were times I would just sit back in my testing chair, fold my arms over my chest, and get comfortable to read a long question several times. The longest question/answer was literally 4 screen lengths.

Study Plan

This time, I had access to Udemy through my employer, so I made use of several courses on that platform. I covered about 50% of the course content in “Ultimate AWS Certified Security Specialty SCS-C01” by Stephane Maarek. I also covered about 50% of the course content in “AWS Certified Security Specialty Course SCS-C01 (2023)” by Neal Davis. I then also went through practice exams for the certification on the Tutorials Dojo site by Jon Bonso.

I started with the Maarek course, but I honestly got through much of it and didn’t feel very confident. I was much happier going through the Davis course, which included him going over hands-on show-and-tell segments which I find better than doing my own labs. It might be that I liked Davis because I did Maarek first and got the wheels greased. The practice exams on the courses and the dedicated offering on Tutorials Dojo were all good questions, with the latter site being…let’s say…very close to exam types of questions.

If I were to do this again, I might look to see if my prior study course by Adrian Cantrill was still maintained and offered somewhere, otherwise I’d go back to Davis and Maarek for studying and Bonso for practice exams. I’m not sure I’d need anything beyond that other than my own experience and exposure in AWS through work and other various labs and study adventures.

What’s next?

I’m not sure. If I want to do anything else in AWS, I would probably sneak in the AWS Developer Associate somewhere. I’ve seen some study material on it, and I have to say there is a bunch of material that feels pretty basic for someone relatively new to IT overall. But, the things that go beyond those basics could be useful. I’d probably want to do that this year or in 2 years, though, just to get renewal lined up better? If I dive further into AWS cloud security, I would certainly do it as well as look into Solutions Architect Professional and the Networking specialty. At least to take them once and forever learn some new things. The Sysops Associate could be interesting, but I wonder if I might not learn a ton new from it that is useful to my current work anyway.

renewed my aws solutions architect associate certification

Almost 3 years ago, I earned my AWS Solutions Architect Associate certification. This past week, I took the exam again and passed in order to renew that certification for another 3 years. I drive about 90 minutes to my preferred Pearson VUE exam location, but this time I had to make the 90 minute drive back without knowing my exam outcome. Amazon now reviews things afterwards. I received no email yet, but within 24 hours my Exam History section on their certification portal was updated with my outcome. AWS has given me scores immediately on my last three exams; the technology exists, so give me a score right away and review things later to make it official if you need to. Anyway!

I did not study as much as I wanted or should have this year. I hadn’t intended to take the exam in October, but at the start of the month when I looked for times to book, my preferred venue had all sorts of times in October, and none at all in November or December. So, I snap booked as far out as I could, and got to work studying. Unfortunately as timing would go, Wild West Hackin’ Fest occurred which I not only attended virtually, but took some intense training in the first few days as well. I’ll come back to this later as notes to my future self 3 years from now.

Last go around, I used A Cloud Guru courses, Linux Academy courses (namely Adrian Cantrill’s excellent course), and practice exams from Jon Bonso (Tutorials Dojo). Since then, the landscape has changed as both Linux Academy and A Cloud Guru have been swallowed up by other players, and more honesty has been openly shared about the latter’s quality of offerings. (I really wasn’t terribly impressed 3 years ago, but ACG seemed to be everyone’s darling at the time.) This year I also have access to many Udemy offerings for free through my employer.

I started out purchasing and going through Jon Bonso’s Tutorials Dojo SAA-C03 course on his own platform. I loved his practice tests 3 years ago, so I figured I’d also do his course. In retrospect, this course wasn’t right for me, nor did I enjoy the platform. The platform doesn’t give me a good idea how long the whole course or sections are, and the player never saved the speed settings I preferred (1.25x-1.5x speed). The course itself was also…for lack of a better way to put it…not filling enough of my knowledge taste. Lots of slides. There is something to be said about even watching someone else use the AWS console to do things, which helps show the features and settings in more context. There was very little of that in this course.

Next, I started doing the set of SAA-C03 2022 Practice Exams on Tutorials Dojo. These are still absolutely excellent. Previously there were 6 exams, but now there seem to be 6 timed ones, 6 that show the answer as you go, and several other topical sets. There are times where it feels some questions reappear from one test to another, but I still feel these are the best practice questions that reflect both the subjects and the feel/style of the official AWS questions. Highly recommend.

Lastly, I went through most of the Udemy course, Ultimate AWS Certified Solutions Architect Associate SAA-C03, by Stephane Maarek. This is a phenomenal course that I absolutely loved. I have nothing bad to say about it at all. I love that Stephane goes through the materials, but then also goes through many of the services and concepts hands-on in the console where we get to see him build things and tear things down such that we could do these in our own AWS Accounts if we want to. I made it about 50% through this course and focused on my weaker areas.

And that was all the time I found I had to study, which left me rather worried and feeling less prepared than I prefer to feel for exams like this.

For future me, here are my suggestions. First, schedule early, even months out. This provides the most flexibility to study appropriately while also allowing plenty of time to do all the practice tests and really get used to the topics over time. Normally, I am very good about this and my planning, but this year has been hectic. Second, look up these authors (in any order) and take their courses: Adrian Cantrill, Stephane Maarek, Neal Davis, Jon Bonso (practice exams). Maarek and Davis also have practice exam sets, but I did not get a chance to sample them. Third, look at the AWS exam guidelines and scope document, but do not get distracted by new and specialized services. Keep focus on the core important services. You’re far more likely to get 5+ questions on Lambda than on AWS Polly. For the latter, know their elevator pitch, purpose, and if there are sub-services to know. Fourth, do practice exams every few days if possible. Don’t go through any a second time, as that is just an exercise in memorization/recall of specific questions. Amongst the authors above, there are *months* of practice exams to consume for relatively little cost. Do them, and the real exam will feel like a familiar place.

I think I said it before, but I’ll say it again this year: I feel that every single question on the exam is directly sourced from either the AWS official documentation or from the AWS blogs/whitepapers which cover using services, service features, or designing for certain use-cases/situations. And while that may seem obvious, it bears repeating to let that sink in: read the things. Also, any hands-on whether it’s watching someone else or doing it yourself in a lab or for your own personal or work stuff is necessary in order to see features and settings in context and in action. I mean, this certification is meant for people with 1+ years experience in the role!

Next up is renewing my AWS Security Specialty certification, and then in 3 years deciding what to renew or advance.

lab write-ups for blueteamlabs

I’ve done many labs and CTFs and lots of studying and taken so many notes (…so many notes…), but one thing I don’t think I’ve ever done is compose and publish a write-up on something. When BTLO retired a few lab investigations a few weeks ago, I thought maybe I’d spend some time to create a template and reorganize my notes into a public write-up I can share. And I did two of them!

First, I created a writeup for the PhishyV2 investigation which involved analyzing a phishing site and kit. This was a lab that was rated Hard on the BTLO site, and one of the earlier labs I completed after joining the site.

A week later, I made another writeup for the Obfuscated investigation. This one is geared around responding to an incident where an internal employee was given some malicious Python code which they executed, leading to a compromise of their Linux workstation. The investigation is really broken down into two main parts: first, analyzing and deobfuscating a Python script; and second, investigating the Linux environment for signs of persistence.

I am no Word wizard, so this also let me brush some dust off my Word skills. I also normally do not take extensive screenshots for my personal notes, relying more often on text and terminal output. And this helps me also be more comfortable in quickly taking some screenshots to improve the clarity of my notes. Often, taking screenshots has been something that gets me out of my normal flow of thought, and the only way to fix that is practice and ingraining it into my workflow.

Hopefully more labs retire in the future, and I’ll probably work on doing a few more write-ups for the harder or notable challenges.

my experiences on pentesterlab

In 2020, I started doing exercises on the PentesterLab (PTL) platform. To date, I’ve earned 16 badges (certificates) on the site, and have completed 440 exercises with only 13 currently available exercises left to tackle. Last night I became the 4th completion of the Brown Badge, and I realized I’ve never really shared or posted about my efforts or thoughts on the site.

PentesterLab is an online platform founded by Louis Nyffenegger which aims to teach students web application testing skills using hands-on curated labs that require practical skills to solve exercises. You know, for web pentesting and bug bounty hunting! The lab exercises are largely performed on a web application that the platform spins up, and students attempt to find a hidden key or achieve execution of a scoring binary on the target system to get the exercise completed. A huge section of code review challenges is an exception to this formula, where students provide the file name, line number, and type of vulnerability present in order to score the exercise as completed.

All exercises include an introductory description, though some are quick and throw students right into the challenge, while others provide lengthy in depth discussions of the techniques and exploits utilized. I’ve always found these to be at the right level of detail for me to see success on the platform, with a nice mix of research, reflection, and rote practice.

Many exercises have video solutions posted by Louis, but if you play along early enough before they get posted, you don’t have the luxury of a solution key to fall back onto. Plenty of the exercises still today do not have solutions posted, adding to the challenge of completing some of the badges. But, most of them do, which allows students to challenge themselves at their own tolerance levels before peeking at the videos. Also, those videos don’t actually give you the scoring key. To score a completion, students still have to go through the practical steps to exploit and solve the exercises.

Overall, it’s been an excellent platform I’ve been on for a few years and has helped me learn a ton of things relating to web app security.

Surprisingly, the exercises have a decent replay value to them. With so many, by the time six months pass, I won’t remember all the solution details if I revisit something. But, more importantly, I can solve them in different ways. A good example is the HTTP badge, which can be entirely solved using curl commands, but I also have chosen to solve them with Python and Ruby scripts as well. Many solutions can be derived using a scripting language of choice, providing additional opportunity to hone new skills. The platform accommodates this as you can run the scoring binary again, and the site will tell you it was a fresh score. And obviously you can just retrieve the correct key from the site for those challenges.

Another thing I like about the platform is how it dances on the line between being a platform of exercises and a platform that is just a course. It really ends up doing both, which I appreciate and fits into the way any penetration tester should be learning and tackling these things. Courses are great to teach things, but practical exercises are irreplaceable hands-on opportunities. And leaving some details out or fuzzy will cause the student to do some outside research, think a little, try and fail at things, and then try harder. And this is ultimately the mindset a tester needs to have, since they won’t normally have access to hints, nudges, or answers out in the real world of testing.

Much like almost any pentesting lab or series of challenges, there are also some very specifically vulnerable entries that are unlikely to be found in the wild, but they do act as ways to think about things differently, or open creative avenues that may be useful in the future, even if today that particular vulnerability is solved or just so contrived that it’s not realistic.

My scripting skills have markedly improved in Python and Ruby during this course. Coming into this, I was passable with Python and had 0 experience with Ruby beyond maybe running an exploit from EDB or something. But, during this course I’ve had the chance to write enough Python and Ruby scripts, or edit and adjust existing ones or those from the answer videos, that I feel comfortable digging into deeper topics and weaponizing exploits. In addition, students can walk away with scripts that can act as frameworks for future endeavors. Maybe a script to generate a tampered JWT will work in other engagements, or maybe that deserializer can be used the same way for a test a year from now.

Likewise, I’ve used Burp Suite for many years, but like any complex tool, that skill only sticks around as long as one greases the wheels on a regular basis and uses it. I get to drop into Burp on most exercises, and poke and prod and learn new things.

And just like any pentesting learning platform, all of this is often about three important things: exposure, experience, and practice. PTL ends up providing all three, which is great for building a body of experience and confidence in the skills.

For someone looking to prep for something like the OSCP, I’d say there’s no real hand-holding here to get your testing platform up and running or for easing into understanding and using Kali, Linux, Burp, HTTP, or other possible tools. Still, the badges I suggest below to start out will still be helpful to anyone going for their OSCP, as there is still plenty of web application exploits and targets present in the OSCP course and exam.

For someone looking to get into web app pentesting or bug bounties or even pentesting in general, I’d say do everything here! As far as skill level expected, I’d say something like the SANS SEC542 course and GWAPT exam probably can act as a more introductory-friendly way to dive into web app testing and understand the essentials, but I’d immediately follow that up with running through PTL. OSCP courses and things like eCPPT probably similarly can ease students less comfortable with things like Linux and Burp and web coding concepts.

Students who find the most success, though, should come to this platform with a comfort level in operating Kali Linux, web server architecture (most specifically Apache server operation), using Burp Suite (proxy and repeater, nothing intense), maybe a fuzzer like wfuzz, reading packet captures, and definitely have some comfort level in or ability to learn web code and scripting. Good examples will be some PHP, JavaScript, and Java, but mostly Python and Ruby. This may sound daunting, but most of this is about exposure and being in a position to take the next steps and not be hung up on what Python is or what cat /etc/passwd means or how to intercept using Burp. I’m not sure PTL is good for “My First Reverse Shell From a Web Server,” but it’ll be the next steps after the first one.

The platform is not entirely clear on what order to tackle the badges in. I’ll attempt to provide some guidance here, but generally speaking, tackle the ones that have the most completions first, and the ones with fewer completions later on.

I would suggest students or those with newer skill levels in the topics tackle these badges first: INTRODUCTION, ESSENTIAL, UNIX, RECON, HTTP, PCAP. These all really hone in on specific tasks and other foundational concepts that will be useful at all levels. And for those who know these topics, you may still learn something new or have an opportunity to solve them in different ways. For example, maybe parse the PCAP programmatically instead of in Wireshark. Or in the HTTP badge, script the solutions rather than use curl. The ESSENTIAL badge is where you find your beginner types of web app topics.

From here, you can honestly go anywhere else, but continue on for general guidance.

The API badge could be something to tackle next. This badge isn’t totally released at the time of this writing, but the exercises are pretty basic to date and follow the ESSENTIAL badge topics pretty well.

Going down the rabbit hole of the other badges, here’s a good route to follow: WHITE, YELLOW, BLUE, SERIALIZE, GREEN, BROWN. Most of these progress naturally, though the BROWN badge sometimes feels like it has exercises that could be slotted into the other badges, but those badges were already complete when these new CVEs or attacks came out, and the exercises just needed a place to land. Still, several BROWN exercises directly suggest solving some others scattered elsewhere first.

The INTERCEPT and ORANGE and AUTHENTICATION/AUTHORIZATION badges are more intense as far as requiring more work from the student to host things like a DNS server or a public endpoint to perform XSS or other reflection attacks. These definitely present a different set of challenges. The AUTHENTICATION/AUTHORIZATION badge is all about SAML and OAuth, but again it often requires you to host an endpoint that is part of the exploitation path.

The CODE REVIEW badge is a weird one in that you’re reading code and identifying the problems in that code. There are also tons of videos separate from the exercises. Some of these give a half-dozen lines making them kind of easy, while others are long sections of code across multiple files which increases the difficulty of finding the needle in the haystack, as it were. Since this badge is super long and not completed yet, I suggest tackling these in between other badges to keep things fresh. Also, I consider this badge super unique in that I’ve not really seen exercises elsewhere before that specifically target code reviewing skills.

The ANDROID and CAPTURE-THE-FLAG badges are sort of one-off badges students can do whenever. ANDROID is specific to Android applications, and I have no idea how difficult these really are. Java and Android are well outside my comfort zone, so I leaned heavily on the videos to progress through these. The CAPTURE-THE-FLAG badge contains some common CTF-like challenges that involve web or crypto-related topics. They’re fine, but definitely not common fare for web app pen testers.

To date, I have done none of the JAVA SERIALIZE or MEDIA badges, so I can’t comment on those.

Overall, my time in this platform has been good and I’ve learned a ton and gained lots of confidence when it comes to understanding and even walking through various web exploits and weaknesses. I’m no developer, but I think I can hold my own discussing security topics on a practical level like one, though.

ciso responsibilities

(Pet peeve: Articles that don’t have dates on them. Don’t be that type of site. Ok, I know the article I link to is dated in 2021 [if you turn on javascript], but the note that I made to myself referencing this article was made in 2019…)

A post over on CSOOnline, “How the CISO role is evolving,” goes over some interesting discussion points about the CISO role.

I initially targeted my notes on the list of skills for the CISO:

  • Security operations
  • Cyberrisk and cyber intelligence
  • Data loss and fraud prevention
  • Security architecture
  • Identity and access management
  • Program management
  • Investigations and forensics
  • Governance

Holy cow, is there anything in Infosec left untouched there? Then again, CISO is the top of that leadership pyramid, right? But, this illustrates to me how difficult the CISO’s job will be if they do not report into or next to the IT overall organization. Reporting outside of IT means lots of consulting and ultimately audit-like tasking that hopes all of the above items end up getting done (and likely won’t be). And I’ve yet to see IT auditing being even partially effective or useful.

Later in the article, it starts to get real about the most important job requirement for a CISO role not necessarily being the technical understanding. I think it’s true that at this level, a key skill is “advocating for security within the company leadership.”

I think leadership traits are also important, but that’s always a funny thing within any department, team, or organization. Particularly in a technical field. At least for me, technical credibility is a key trait of leaders I respect and react positively towards. Someone who does not understand the technical aspects and demonstrates this by being wrong on a regular basis just does not get respected by me and will not be a good leader for me. And it’s not like I need them to be highly technical; but I need them to be technical enough to know and be open about their limitations, and big enough to allow others to fill in the gaps. Leaders who get technical things wrong, don’t understand that they’re wrong, and thus never seek information from their team in order to make proper decisions, are what cause security to take steps backwards.

And it’s not just me, but many technical teams will stop listening to security if the people they interact with are regularly wrong, or vague, or confusing, or belligerent, or just not keeping up. Technical people who know the right answer don’t tolerate people who cling to wrong answers.

Another way to say this is the CISO needs to know enough to know their team is performing as needed, or if they need assistance.

establishing a cybersecurity program

I don’t recall where I found this graphic, but at least it has a citation on it. I liked it enough to keep it, and just wanted to move it out from my personal notes into here.

I do like these steps, though obviously there are plenty of ways to tackle this problem. And if someone needs, or needs to show, some sort of process/plan, this makes a good pragmatic start.

One thing I would change on this is to make sure this isn’t like a 1-year process right here. I feel like steps need to be taken pretty quickly to start *doing* something and getting some output and value. For example, Step 7 shouldn’t be waiting for earlier steps to develop. Step 7 should strive to start as soon as positive movement can be achieved. Early, easy wins, or foundational pieces.

I also prefer to think in terms of maturity levels based on some sort of model. I think that’s what is meant here by tiers. That is just a difference in preferred terminology.

threat hunting, a great definition from fidelis

Threat hunting is a cool term. It’s so cool that so many people, managers, and marketers have latched onto it and used it to describe almost anything you can think of, from pen testing to SOC operations to red teaming to incident response. It’s become a pet peeve of mine how badly “threat hunting” is misused and misunderstood.

And I’m still convinced that threat hunting started for two main reasons. First, to slip in between the major efforts already in play: detection engineering (the blue team SOC), incident response which tackles found things, and handling threat intelligence, which usually ends up being an automated feed and correlation mechanism within a SIEM. Another way to put it: the human in between the matured automated technical activities.

And second, something for bored internal red teamers, IR folks, and senior detection engineers to do in between the main projects. (I’m joking, but I’m not….but I am…)

I just skimmed through a free PDF that caused me to make this post to keep this link around and share it: Threat Hunting Essentials, Part 1: Threat Hunting Defined, by Fidelis Cybersecurity.

In this, they not only talk about a good definition of Threat Hunting, but also examples of what it is not. This is super important, because I’ve talked to way too many people from keyboard warriors in the trenches up to management and executive levels who have the wrong idea of what Threat Hunting is. And having it wrong almost certainly means the chances of a successful threat hunting team are limited, and they probably won’t be happy hunters if everyone is operating under slightly different missions. That is bad friction.

Fidelis gives this definition:

“Threat hunting is the proactive hypothesis driven discovery of artifacts, activity, or detection methods not accounted for in passive monitoring capabilities.”

And see, even trying to isolate a good definition like this will still be open to interpretation. It is best to read the entire paper, as they do an amazing job of framing the problem, tackling the problem with easily understood examples and language, and allowing it all to funnel down into something that I consider easy to handle. There are lots of good examples and discussions from recent years, but it’s been hard to find one so clear and yet (mostly) concise enough to present to others.

And yes, it can still be done by bored internal red teamers, senior detection engineers who need a break, or incident responders that don’t have any incidents being currently worked. But the inputs, outputs, methods, results, and expectations need to get aligned in order for the mission to add value and be successful.

And I’ll also just add that Threat Hunting is an advanced activity. It should only be a thing with maturing security operations and engineering teams, and only for those with senior skills in understanding offensive tactics, the forensic artifacts left behind, and where the gaps in blue team visibility occur.

learning and training goals for 2022

This is my sixth year openly posting about my learning and training goals, though it feels like I skipped a year. Last year was not a productive year on the personal training front, so most of my items here are not really new. And I’m already about a half year late making a post like this, which means a few of these items might already be done or in flight.

So, what do I have in play this year? I sort of skewed things a bit towards the blue team side of things last year, and that’s still the plan this year. I pride myself on having deep knowledge of red, blue, and forensics skills, and I possess a strong belief that each plays into and improves upon the others, whether in a team situation or as a lone wolf.

Formal Training/Certifications

AWS Solutions Architect Associate certification renewal. I’ve done this once, so should be good to do again, but I’ll be consuming courses on Udemy and ACloudGuru in this pursuit. I truly thought about doing the Professional version of this, but I’d like more consistent hands-on AWS work before it.

AWS Security Specialty certification renewal. I’ve also done this once, and am not too worried about this one, but I do distinctly recall these questions were dense and tricky. As with SolArch, I’ll be using Udemy and ACloudGuru to prepare.

CISSP renewal. This is really about paying the fee, yet again. With all the other stuff I do, the CPE tanks are always full.

GIAC GCFA (FOR508) forensics certification renewal. This is also just paying the fee. But, I then need to carve some time out to go over the updated course materials and labs.

Antisyphon training courses. I’ve really liked the format of the BHIS/Antisyphon courses, and the cost as well. I plan to continue to take courses here as long as they have interesting topics offered. I’ve so far taken three, and while I’d just take them all if I could, here are some leading choices: Applied Purple Teaming (Ickler/Drysdale), Enterprise Attacker Emulation and C2 Implant Development (Thyer), Hacker Ops (May), and various others that tend to lean into Red Team stuff.

OffSec. A stretch goal. Since getting my OSCP some 5 years ago, I’ve wanted to get back and do some more of the advanced courses, labs, and subsequent certs that Offensive Security offers. I just haven’t done it yet. I likely won’t get to this in 2022, but I think in 2023 I want to look very hard at the annual subscription which opens up materials for all of OffSec’s certs.

Informal Training

BlueTeamLabs.online. BTLO is a sort of blue team themed lab and gamified ladder, much like HTB is for red team skills. The company behind this also offers courses for blue teamers, but I’m more interested in the labs to practice skills, learn new tools, and improve what I know through hands-on trial and error in a safe environment. This has exceeded my expectations so far, and I’ve even exceeded my own goals on the platform. I started out just wanting to learn some things and maybe make the top 100. Today, I’m trading off the global #1 spot with several others.

Practical Malware Analysis book and Reversing, debugging. Getting into and even successfully through the RE challenges on BTLO has whetted my appetite for continuing down this path some more. I’ve long dabbled very lightly in reversing, debugging, and disassembly, but never to a degree that makes me feel skilled at it. I’ve broken through some barriers while doing BTLO challenges, and I’m wanting to keep that ball rolling. I’d like to go through exercises in the Practical Malware Analysis and Malware Analysis Techniques books while also getting started in TryHackMe’s related areas. I also still have access to the Zero2Automated course set, but that seemed a bit beyond me when I acquired it a few years ago.

Microsoft Azure and M365 stuff. I namely want to just go through materials for AZ-900 & AZ-500, and then also MS-900 & MSSC-500 and other stuff in the SC-series. I don’t really plan to pursue any of the associated certifications, but I’m not entirely ruling it out, either. This is mostly to get more exposed and build foundations in Azure and M365 offerings as they become more and more ubiquitous in the enterprise. Very similar to picking up AWS skills a few years ago. Also plan to learn more about Azure Sentinel.

Splunk Learning. I use Splunk at work, and I’ve long put off the more formal courses. Splunk has recently re-organized their certification and learning offerings, and while I can’t say I think they’re good changes, I still want to plug through the material at some point. Much like MS stuff, I don’t necessarily plan to do the certifications. These courses are definitely only worth it if the business or Splunk credits pay for them. It’s otherwise better to just sign up for Boss of the SOC (BOTS) (free!) on a regular basis to gain some hands-on experience.

TryHackMe (THM). I’ve only briefly used this platform once, and just have not made the time or effort to get back here. I think now might be the time. I’ve almost fully completed BTLO, I don’t really want to go back to HTB yet, I’ve gotten up to where I want to be on PentesterLab. And THM is just a blank spot for me that I shouldn’t have let go so long.

PentesterLab. I still have a sub to this lab site, and while I’m mostly caught up on what I want, they still push out content enough to keep me coming back, particularly on the Code Review badge lately.

C2 & Attacker Emulation. Last year I took a course in using various C2 platforms, but didn’t feel like I got quite enough out of it on the first run. I’d like to wield my home lab a bit further and try more C2 platforms out and just gain more familiarity. If I achieve other things before the end of the year, this could be a nice break before 2023 activities.

Gentle Career Aspirations

I don’t normally do this, as I don’t want to suggest to potential employers that these are the only things I want to do, but it’s good to at least tell myself these things in case career opportunities land in my lap. But, in a way, doing these for work in the next few years would probably make me a happy employee (not that I’m not happy now, but it’d be exciting to look forward to and then learn and do):

  • pentesting, red teaming, purple teaming…even just testing new exploit POCs
  • C2 and attacker emulation to test and improve controls, both technical and response
  • web app testing and other application/development security
  • architect-level planning and design and advisement, configuration hardening
  • ever-increasing hands-on in AWS and Azure/M365

awae / web-300 unused prep notes

Shortly after earning my OSCP I wanted to someday continue that push through the Cracking the Perimeter/OSCE certification as well. I never got around to it, and then OffSec retired that course while releasing AWAE (now WEB-300)/OSWE (and EXP-301/OSED), which I immediately also wanted to do. Part of my prep for a major certification is to Google up all sorts of reviews and posts about the certification and what other study materials and tips and insights other students found useful. This includes blogs, reddit posts, forum posts, and anything else that I could find or dig through. As such, I did plenty of this as preparation for the AWAE (WEB-300). I still plan to pursue this someday, but for now I wanted to share what I had compiled into my personal notes.

Some of these things I may have gained knowledge of through other less formal means over the past few years or just outright completed without really planning it, but AWAE is still pretty new and all of these resources are likely still relevant.

That said, never let too much preparation get in the way of getting access to the course and the labs for practice. You don’t just get sent off straight into an exam, and can always put that part off for later if some gaps in knowledge continue to linger.

Lastly, it should go without saying to click links below at your own discretion. All are external to this site.

My Goals

  • level up my hands-on web app pentesting
  • code review skills looking at vulnerabilities
  • writing exploits for web app vulnerabilities
  • actionable python (requests, etc)
  • learn much more about .NET, C#, nodejs, php, and some more on java…enough to feel comfortable reading source code and tracing requests and parameters
  • more familiarity with Visual Studio Code, debuggers

I do like to write out goals, as they do a few things for me. First, the goals help make sure I’m aligning my certification path and the preparation towards it with what I hope to get out of it. Second, it helps give me an idea what the certification path is all about, so that I can slot other possible preparation topics into it. In other words, managing expectations and summarizing the output.

This is my initial seeding of research and prep

Preparation Checklist

This is my reviewing of the above items and setting up some semblance of a plan. Considering what this cert is, I definitely don’t see myself signing up for this until the latter half of 2021. Worst case scenario, I am not entirely prepared, but sign up for the course anyway and either put off or fail the exam. Either way, I still come out of that with some learning, and extra time (and less stress based on deadlines), and a good idea of my next steps.

General things I need to do:

  • learn what MVC and OOP really mean
  • Python, writing small scripts to deliver exploits, handle requests <–should be comfortable with this
  • C#/.NET
  • nodejs/Javascript
  • php
  • java
  • learn debugging and decompiling tools, dnspy, de-gui
  • regex
  • more SQL injection
  • do various vulnerable web apps
  • Visual Studio Code
  • SublimeText
  • brush up on various in-scope web app vulnerabilities types
  • comfortable debugging the above on Windows and Linux, or at least aware of techniques

Actual things to do

Tools

  • dnSpy – .NET decompiler
  • Python requests and exploit building
  • de-gui for java?
  • use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
    • leverage Visual Studio Code SSH extensions
    • understand the launch_json files in Visual Code
  • learn some SublimeText (for python)
  • Burp (set scope, intercept requests, manipulate requests…)

Languages / major themes / skills

General techniques to know about

Pre-course things to revisit before purchasing the course

  • read the footnotes and links, do the extra miles!!!
  • define a methodology: blackbox the app first, then white box source code (grep/ngrep?)
  • set up kali and note strategy
  • read offsec faqs and guidelines for course and exam

Lastly, make a list of things from the above to review halfway through the course, and another list to review before scheduling the exam.

Balancing Private Notes and Public Notes in 2022

Back in the early 2000s I often used my blog to hold notes, links, and things I’d consumed or done or would check deeper into or read or do. Over the years, this activity sort of moved away from being in a blog, and more to my own private notes, or into Pocket (never to be seen again!). I feel like some of this is the result of the growing avalanche of information at our fingertips from 2000 until now.

I’ve gotten to the point where I kinda want some of that stuff cycled out of my private notes, but not always entirely lost. Something I could possibly still search and re-reference, without maintaining my own mini-encyclopedia of topical notes and links and to-do lists. Honestly, sort of the same itch that a diary or journal serves for thoughts and experiences…or other blogs and feeds. And the same sort of thing that will just go away when I do as the domain/hosting expires. (See, that’s the good part of hosted blogs, like blogspot and blogger, right? They’ll stay around?)

So, maybe I should start to empty out a bunch of my private notes into my blog here! I mean, on the other hand, why not? And while not private, it’s not like a bunch of folks will read most anything I put in here. 🙂 I feel like the days of personal blog-popularity are long gone anyway.

I used to also have a personal wiki I hosted, but never really did too much with, that I could resurrect for some things. Or just move that sort of usage over to Github Wiki.

I don’t think I’ll ever use a blog as a “to-do” list, as that is way too suited to a notes app. But, I can at least have a way to trim things off without feeling like I’m forever losing a resource or reference. Thereby maybe regaining control of my “to-do” list! Let some things go, ya know?

Anyway, I’ll see how this goes.

btlo lab recommendations based on soc tiers

Regularly over the years I’ve had opportunities to give advice and direction to new or growing cybersecurity folks. I like to point out books, certifications, courses, resources, and most importantly other practical activities to grow knowledge and confidence as we all forge career paths. I’ve recently discovered and been playing on the Blue Team Labs (BTLO) platform which has, as the name suggests, blue team-themed exercises, challenges, and labs. There are nearly 200 labs and standalone challenges on the site, some of which are very difficult while others are relatively simple to solve.

Rather than discuss the platform itself at length, Dimitry Bennett wrote an article about his experience on the BTLO platform that basically says all that needs to be said on the topic.

But, there is still one thing I thought was daunting about the platform: Where to start when one is pretty new to cybersecurity? And this is the challenge any time I talk to someone else about where they’ve come from and where they want to go. All of us bring to the table different levels of experience, knowledge, and comfort with various technical and even non-technical topics. Some of us are very inexperienced with Linux, or have never written a program or script before, or maybe have done very little Windows system administration, but know Linux like no one’s business. What I wanted was a quick cheat sheet on what to suggest to students who wanted to quickly get their hands into the BTLO labs without immediately hitting walls.

This page is meant to help me prescribe labs and challenges to security analysts I encounter that are looking to build particular skills or experience what common SOC tier expectations exist.

I do want to make clear that the SOC tier expectations and levels of knowledge are just my take on the subject. I’m not going to be correct on all of these, nor will I be correct for how every organization/environment defines the job duties and expectations of each tier. I’ve just given this a best effort in the context of the whole of the labs, since I’ve gone through every single one, and my own experiences over years in the IT and security industry.

I also want to make clear that BTLO does allow students a chance to see what they’re getting into. Every lab has a difficulty level set to it, the date it was released, the general tools expected to be present, and even the number of solves that have been recorded since the lab was released. All of these can also help guide students to maybe avoid things they may find frustrating.

Here is a quick key to some of the columns in my table.

  • Diff(iculty): Difficulty 1-10, 10 being hardest. My personal subjective value of how difficult this exercise is. Usually this is influenced by how much effort and knowledge may be needed to complete.
  • SOC: My gut feel on what SOC analyst tier level I would expect to complete these exercises. Some tasks are pretty normal for tier 1 SOC analysts, whereas some of the more involved analysis may be reserved for higher tiers. I add a “+” if this task kinda overlaps into a higher tier. As an example, analyzing an image of live system memory or a PE executable file is typically reserved for more experienced analysts.
  • Skills: My summary of the tools needed. If you don’t know Wireshark and want to learn more, then look at the easier Wireshark exercises. Of particular note, I make sure to list an OS if knowledge of or comfort using that OS is a huge help in solving the exercise. Adding “administration” to the OS is my way of saying that experience being an administrator of this server would be very helpful.
  • Notes: My very quick reminder about what the main point of this is.

INVESTIGATIONS (by difficulty & SOC level)

| NAME | DIFF | SOC | SKILLS | NOTES |
|---|---|---|---|---|
| Deep Blue | 1 | 1 | Windows, Event Logs, PowerShell | Focused, easy, good lesson (use the tool provided!) |
| Indicators | 2 | 1 | Windows, OSINT, PowerShell, exiftool, notepad | Basic analysis of a strange file that is likely malicious |
| PhishyV1 | 2 | 1 | Linux, web, email | Mostly entry level, and good foundational skills |
| Bits | 2 | 1 | Windows, Bits, Event Logs | Good lesson, specific Windows tool (bits) |
| Exposed | 2 | 1+ | Git | Focused on git, a bit offense-like |
| SOC Alpha 1 | 2 | 1+ | ELK, Windows administration/attack | ELK, logs of common attacker actions on Windows |
| Miner | 2 | 1+ | Wireshark, Network Miner, networking, pcaps | Some not-beginner concepts using pcaps |
| Replaced | 2 | 1+ | Text editor, OSINT, Visual Basic, code | Very straight-forward Visual Basic code analysis |
| Fingerprint | 2 | 1 | Wireshark, ja3, Linux (to use ja3) | Pcap that requires filter use, external ja3 tool |
| Eradication | 2 | 1+ | Yara, Linux, joesandbox | Running yara rules on linux |
| Mon | 2 | 1 | Windows, sysmon, IR | Sysmon and malware IR on Windows |
| Print | 2 | 1+ | Wireshark, Windows, sysmon, printers | Focus on Windows and printer tricks |
| RDP | 2 | 1 | Windows RDP | Focus on RDP tricks |
| Defaced | 3 | 1+ | ELK, web logs, web attacks | ELK, but another way to look at web attack |
| Doctor | 3 | 1+ | Linux, web logs, web attacks | Web compromise on Linux system |
| SOC Alpha 2 | 3 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of a network attack/malware actions |
| Exxtensity | 3 | 1+ | Windows, browser extensions/settings | Good focus on browser extensions |
| Joppers | 3 | 1+ | Javascript, Windows | No frills Javascript parsing |
| Browser Bruises | 3 | 1+ | Linux, dumpzilla (python), browser history | Using dumpzilla to analyze local firefox artifacts |
| Defender | 3 | 1 | Windows Defender | All about Windows defender logs |
| Awwdit | 3 | 1+ | Windows Admin, Audit Policies, Basic PE | Focused on audit policies in Windows, basic PE dynamic analysis |
| Lintro | 3 | 1+ | Linux compromise | Basic Linux compromise and PE analysis |
| Xhell | 3 | 1+ | Maldoc, olevba, Linux | Old Excel maldoc analysis on Linux, oddball |
| Venom | 3 | 1+ | Linux logs | Analyzing linux logs for intrusion |
| Heaven | 3 | 2 | Windows, PE static/dynamic analysis | Good intro to basic and dynamic PE analysis |
| Stealer | 3 | 2 | DnSpy, basic dynamic analysis | Pretty much all dnSpy and basic dynamic analysis |
| Trash | 3 | 1+ | Windows terminal | Windows and recycle bin tricks |
| Shortcut | 3 | 1+ | Windows shortcuts | Windows and shortcut tricks |
| Link | 3 | 1+ | Windows admin | Fun with Windows and lnk files |
| Maldroid | 3 | 1+ | APK, Java, Linux | Introductory analysis of an Android APK on Linux |
| Ducker | 3 | 1+ | Linux, Docker | Introduction to Docker on Linux |
| Pie | 3 | 1+ | Linux, web attacks | Analyzing Linux logs in Linux for web compromise |
| Backstage | 4 | 1+ | Linux, Linux logs, wireshark | Linux IR looking at logs and pcap |
| Crypto | 4 | 1+ | Linux, Windows admin, wireshark, volatility | Good intro to volatility and IR with various artifacts |
| SharpAttack | 4 | 2 | Pdf maldoc, javascript, Linux | Purely a pdf maldoc analysis |
| Kill | 4 | 2 | Volatility, Sysinternals, PE basic dynamic | Good intro to memory analysis and exe dynamic analysis |
| First Day | 4 | 2 | IDA, OSINT, Procmon, pestudio | Starting point for PE-based static analysis, no debugging, OSINT |
| Logger | 4 | 2 | Windows, basic dynamic analysis, Sysinternals | A few more steps into dynamic analysis |
| Honey | 4 | 1+ | Windows admin, Redline | A good first romp into Redline, gotta know Windows, though |
| Total Recall (R) | 4 | 1+ | Windows admin, Redline | Using Redline to investigate a Windows compromise |
| Ben | 4 | 2 | Windows admin, filesys image, dynamic analysis | Some Windows dynamic analysis tricks for malware |
| Sam | 4 | 2 | Linux, Windows memory w/ volatility, wireshark | Good romp into volatility and a Windows compromise |
| Obfuscated | 5 | 2 | Linux, Python | Requires some Python work, Lite Linux IR |
| Peak 2 | 5 | 2 | Linux, wireshark, sysmon (linux) | Analyze logs in Linux of a Linux compromise |
| Bot | 5 | 2 | Linux, OSINT, CTF-like | Linux and some CTF-like challenges |
| Pandemic | 5 | 2 | Windows admin, PE dynamic analysis | Straight-forward Windows PE dynamic analysis |
| Dot | 5 | 2 | Windows admin, wireshark, ProcDOT | Tricky ProcDOT tool to track an advanced process compromise |
| anDRE | 5 | 1+ | APK, Java, Linux | Deeper analysis into an Android APK (static still) |
| PE | 5 | 1+ | Linux, ELK, Windows admin | More ELK, a bit tricky with osquery logs |
| Pretium | 5 | 1+ | Wireshark | Tricky wireshark tricks |
| Invoice (R) | 5 | 1+ | Linux, ELK, Wireshark, Windows admin | Kinda easy Windows IR investigation with plenty of artifacts |
| Sticky Situation | 5 | 2 | Windows admin, Autopsy | Analyzing artifacts to answer questions about USB usage |
| Countdown (R) | 5 | 2 | Windows, Autopsy, IR | Windows IR investigation with some tricks |
| SOC Alpha 3 | 5 | 1+ | ELK, Windows administration/attack | ELK, Windows logs of malware activities, just deeper |
| Hashish | 5 | 2 | Windows IR, Offense | IR on a local Windows compromise, requires some red knowledge |
| Too Late | 5 | 2 | Windows admin/attack, Wireshark | Tricky look at Windows malware compromise and artifacts |
| Test | 5 | 2 | Linux, Linux filesys image | Intermediate Linux IR and filesystem image handling |
| Rigged | 5 | 2 | Windows admin, Wireshark, IR | Intermediate IR into a Windows compromise |
| Peak (R) | 6 | 2 | Linux, ELK, Linux compromise, linux logs | Linux knowledge and using ELK, Linux logs |
| The Last Jedi | 6 | 2+ | Wireshark, CFF (PE basic static), Redline | Windows malware infection, lite PE analysis, Redline heavy |
| Baby | 6 | 2 | Linux, Linux filesys image | Little harder than Test, but Linux IR and image handling |
| Exceltium | 6 | 2+ | Linux, pdf maldoc, shellcode analysis | More advanced pdf maldoc analysis on Linux, involves shellcode |
| Gotham | 6 | 2 | Windows basic PE static analysis, IDA, OSINT | Basic static analysis of a malicious executable |
| LOL (R) | 6 | 2 | Windows, IDA, Python uncompyle, OSINT | More RE static analysis |
| Recovery | 6 | 2 | Linux | Linux IR investigation with linux logs and knowledge |
| Rekcod | 6 | 2 | Linux, Docker | Tricky investigation into Docker again |
| PhishyV2 | 6 | 2+ | Linux, HTML, Phishing, PHP, tiny bit CTF | Phish kit analysis, web site analysis, coding |
| Multi Stages | 6 | 3 | Linux, wireshark, Windows admin, grepping memory | Using Linux to investigate Windows pcap, memory of attack |
| Poor Joe | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory |
| Triage | 6 | 2 | Windows admin, Volatility, logs | Windows compromise investigation, kinda tricky, logs and live memory |
| Hooked | 6 | 2 | Linux logs | Analyzing Linux logs/host that has been compromised |
| Eric | 6 | 2+ | Linux, volatility on Linux memory | A twist on memory analysis with a Linux image |
| Signal | 6 | 2 | Windows admin, redline timeline, pcap, basic PE | A mix of involved pcap and file timeline analysis, basic PE |
| Irritate | 7 | 2+ | Windows admin, dynamic analysis | Lots of fighting with dynamic analysis and CTF-like hunt |
| Pretium v2 | 7 | 2 | Wireshark, Packet Whisper, lite CTF | Answering questions based on a pcap |
| Covert | 7 | 2+ | Wireshark, PowerShell coding | Dive into a C2 pcap, powershell coding required |
| Wargames | 7 | 2+ | Linux, volatility | Memory analysis of a Windows compromise |
| Ghosted | 7 | 2+ | Linux, Wireshark (pcap), suricata | Investigating a web recon and attack mostly with suricata |
| Evil Maid | 8 | 2+ | Linux, filesys image, SIFT, Windows attack | Windows file system investigation on Linux (SIFT) |
| The Key | 8 | 2+ | Windows, file system image | Windows file system forensics (and some offense) |
| Bad Logic (R) | 8 | 2+ | Linux, Windows admin, wireshark | Large artifacts in a Windows attack investigation |
| Stuck | 8 | 3 | Windows attack, memory analysis | Windows compromise with lots of tricky pieces |
| Divorce Court | 9 | 3 | Windows attack, filesys image, IDA | Analyzing Windows compromise, light debugging |
| Supreme Court | 9 | 3 | Windows attack, filesys image, IDA, C#/PoSH | Analyzing Windows compromise, debugging |
| Counter | 9 | 3 | IDA, debugging/reversing | Pure debugging/reversing, intermediate dynamic analysis |
| Multi Stages 2 | 10 | 3 | Linux, volatility, Windows admin, MFT/Timeline | Heavy memory analysis and file timelines; very difficult questions |

CHALLENGES (by difficulty & SOC level)

| NAME | DIFF | SOC | SKILLS | NOTES |
|---|---|---|---|---|
| D3FEND | 1 | 1 | Google (D3FEND Framework) | Looking up things in the D3FEND material online |
| ATT&CK | 1 | 1 | Google (MITRE ATT&CK Framework) | Looking up things in the ATT&CK material online |
| The Report | 1 | 1 | PDF reader | Looking up things in MITRE report (pdf) |
| Phishing Analysis 2 | 2 | 1 | Text editor, Thunderbird | Analyzing a phishing email |
| Phishing Analysis | 2 | 1 | Text editor, Thunderbird | Basic phishing email analysis |
| Meta | 2 | 1 | Exiftool, OSINT | Analyzing some basic info from image files |
| Brute Force | 3 | 1 | Linux, text editor, grep | Analyzing logs of an RDP brute force attack |
| The Planet’s Prestige | 3 | 1+ | Email client, text editor | Analyzing malicious email plus office type attachments |
| Suspicious USB Stick | 3 | 1+ | Linux, peepdf, strings, VirusTotal, hex editor | Basic analysis of a malicious PDF |
| Powershell Analysis – Keylogger | 3 | 2 | Powershell, Text editor | Analysis of a malicious PowerShell script |
| Log Analysis – Privilege Escalation | 3 | 2 | Linux, bash | Identifying malicious commands in a bash log |
| Network Analysis – Malware Compromise | 4 | 2 | Wireshark | Answering some basic questions based on a pcap |
| Log Analysis – Sysmon | 4 | 1+ | Sysmon, Windows, Powershell | Using sysmon logs to answer incident questions |
| Malware Analysis – Ransomware Script | 4 | 2 | Text editor, Linux | Analyzing bash script for ransomware |
| Log Analysis – compromised WordPress | 4 | 2 | Linux, Apache logs | Analyzing a web attack from Apache logs on Linux |
| ILOVEYOU | 4 | 2+ | Windows, text editor, sysinternal, regshot | Dynamic non-PE malware analysis |
| Follina | 4 | 2 | Windows, OSINT, text editor | Analysis of multi-stage maldoc 0-day |
| Melissa | 5 | 2+ | Oledump, text editor | Non-PE malware analysis |
| Shiba Insider | 5 | 2 | Wireshark, Steghide, Exiftool, Linux | Unwrapping layers of hidden data and common artifacts |
| Network Analysis – Web Shell | 5 | 2 | Wireshark, Linux and attacker knowledge | Analyzing a Linux attack using a pcap |
| Malicious Powershell Analysis | 5 | 2 | Powershell | Parsing a Powershell script and basic obfuscation |
| Spectrum | 6 | 2 | Fcrackzip, Photorec, Audacity, efitool, steghide | Unwrapping layers of hidden data in less common artifacts |
| Employee of the Year | 6 | 2 | Photorec, scalpel, CyberChef, Linux, strings | Recovering and unwrapping various file types |
| Network Analysis – Ransomware | 6 | 2 | Wireshark, OSINT | Analyzing and even recovering files using a pcap artifact |
| Memory Analysis – Ransomware | 7 | 2+ | Volatility, Windows, OSINT | Mostly entry level volatility analysis of memory image |
| Paranoid | 7 | 2 | Linux | Analysis of linux logs to answer incident questions |
| Secure Shell | 7 | 2 | Linux, text editor, OSINT | Analysis of an SSH log |
| The Package | 7 | CTF | OSINT, CTF, Math/Python | Don’t recommend. Clever CTF-like math riddle. |
| Reverse Engineering – Another Injection | 7 | 3 | IDA (Disassembler), Sysinternals, API Monitor | PE analysis and debugging, not entry level, but close to it for malware analysis anyway |
| Barcode World | 8 | CTF | Linux, Python | Decode flag from 9000+ image files; don’t recommend |
| Browser Forensics – Cryptominer | 8 | 2+ | Linux, FTK Imager, Javascript, Windows | Analyzing image file for browser artifacts |
| Reverse Engineering – A Classic Injection | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file |
| Injection Series – Part 3 | 8 | 3 | IDA, Sysinternals, Windows | Static and dynamic analysis of a PE file |
| Squid Game | 8 | CTF | Steghide, image editor | CTF-like image stego; don’t recommend |
| Injection Series Part 4 | 8 | 3 | IDA, Ghidra | PE analysis using debugger |
| Secrets | 8 | Red | Python, JWT, Linux probably | Red team web app attack against weak jwt |
| Veriarty | 8 | CTF | Hashcat, Veracrypt, Linux, Thunderbird, gpg | Recovery and decoding of files; don’t recommend |
| D-Crypt | 9 | CTF | Browserlings | Decoding a string several times with minimal guidance |
| P2SEC – Minigame | 9 | Red | Web App attacking, OSINT, exiftool, PE analysis | Unguided multi-stage mostly red team basics; long |
| Classical City | 10 | CTF | Sanity | Decoding ciphers – don’t recommend |

learning and training goals for 2021

This is my fifth year tracking my learning, training, and certification goals like this. I am approaching my 20th year in infosec and IT, and through many of those years I sort of idled or just did my job without a ton of real planning. So, now I do that sort of planning to keep me growing and progressing and owning the direction of my skills and career.

This year is already starting out slightly differently. It’s clear now that the world is a changing place with COVID-19 still impacting socialization and work. Also, even in good times, it does not look like my current Director at work has any interest in extensive training options that I’d brag about on here. Also, I’ve reached a level where there are not as many certifications for me to shoot for. All of this means my choices this year are more informal and geared around learning certain things, rather than specific exams to study for. Also, with all of the uncertainty floating around, this year is also looking to be a cheaper year for me personally as well.

Updated 2/9/2021: I added AWS Developer courses and AWS SysOps Associate courses. I also think I might be packing this again, since preparing for the AWAE is going to be pretty time-consuming.

Formal Training/Certifications

AWAE (WEB-300)/OSWE from Offensive Security – It’s been a while since I’ve done a formal course with OffSec, and I think it’s time to get back on one now that they’re revamping and expanding their offerings. What I’ll likely do is spend some time looking at reviews and other testimonials to get an idea of some pre-course topics to brush up on, and then clear a few months of personal time to dive hard. I’d actually expect to do this exam as well.

Applied Purple Teaming (WWHF/BHIS) – I almost took this course last year, but backed out of it. I enjoyed the value of the course I took from this group last year, so figured I’d check in again this year on it.

Informal Training

Pentester Academy – I still have this subscription, and I’d like to get back onto some of these courses again. I still have SLAE on my list… I also would really like to commit to their red team labs, but don’t want to quite hold myself to it yet.

PentesterLab – I still have this subscription as well, and I’ll carve out some time at some point to progress further on badges.

Zero 2 Automated malware analysis course – I meant to start this late 2020, but life got in the way. I’m adding it to this list to make sure I get it going again.

Azure and M365 courses (900, 500 levels) – Furthering my Azure and cloud knowledge, I plan to take some courses on Azure and Microsoft 365, focusing on the fundamental and security tracks. I don’t have plans to sit for these exams, but I could always decide to do so.

AWS Developer Associate and AWS SysOps Associate – While I don’t necessarily plan to take these associated certifications, I would like to sit down and just casually run through 1 or 2 courses on each subject. I feel like there are things I can learn and use from these two. I’ll probably lean towards looking at offerings on Linux Academy / ACloudGuru or maybe PluralSight if they have a free weekend.

Other

Other one-off courses – I have a bunch of free and acquired courses in my possession that I need to get through at some point. It’s really about sitting down for a weekend or a series of nights and just going through them. No real intense time-spend, but enough to gain some knowledge. Courses like those from Port Swigger or Mudge or Autopsy or other topics.

Books – I continue to have a backlog of books to go over or skim through.

Python, .NET – I’d like to get some introductory exposure to .NET/C#, but this might be asking a lot of me without actual projects on tap to perform.

Certs to renew

CISSP – I’ll renew this again.

CCNA Cyber Ops – This lapses this year, and I have no plans to renew it.