passed gwapt

Less than 2 months ago I sat for SEC542 at SANS East in New Orleans, and this past Friday I sat for the GIAC Web App Penetration Tester exam and passed with a 97%.

My goals and background. My purpose for taking this course and exam was to gain more experience and comfort with web app pen testing methods. I’ve worked in web server/client environments as a sysadmin and security admin for many years, and I’ve had some exposure to web offense tactics and tools from the PWK/OSCP days and from various HTB boxes as well. I’ve not made or maintained any “modern” web sites, but I have some web coding experience back in the painfully early years of the web and feel comfortable reading or tinkering with most preexisting code. Going into this course, I already knew some of my weaker points: I am not entirely confident with SQL and sqlmap; my exposure to Burp Suite seemed limited (and exposure to ZAP being nil); and I also had not done much with Python in regards to requests and web work.

It speaks more to myself than to the course that I probably overestimated the material a bit (or underestimated what I already know). Pretty much across the board, with my offensive experience above I had probably seen and performed most of the attacks that we went over. That said, my weaknesses listed above were largely addressed. But, beyond working more with Burp, ZAP, sqlmap, and python, I really ended up being somewhat ready to move past this material. Now, that’s not to say I’m ready for advanced stuff, but I think it might be more accurate to say I’m ready to gain more progressive hands-on experience with testing web apps, either live or vulnerable testing apps.

My study process. After taking my first SANS/GIAC exam last year, I formulated what I would expect to be my repeatable process for studying for future exams. But, for SEC542, I definitely deviated from that process and skipped quite a few things. Once getting back from class, I started skimming through the material, doing a first pass on highlighting key terms and concepts. I have a process of highlighting tools and external resources that are tool-like, like cheatsheets, with an orange highlighter, terms and definitions and concepts with a green highlighter, and I underline in pen anything else useful so that they catch my eyes when I’m looking for answers later. If a topic continues on the next page, I put a highlighter arrow to the next page.

After that, I worked through all of the labs again, which I admit, was a very quick breeze as none of the labs are really that complicated or long. In doing so, I also highlighted information in the Workbook just like I did the other books.

The index process. Next, I started work on the index. Now, this course has a Day 6 CTF book, and in the back of this book is a very rough index. Sadly, I didn’t really like the index, but I also didn’t want to leave a trove of information on the table, so to speak, so I spent a few days transposing that index into my own index spreadsheet. Once done, I then started with Book 1 and began augmenting that given index with my own index items, as well as the definitions and concepts I wanted for each term. I did this for all of the daily books (except the CTF one) and the Workbook.

The way I make my index is to just have three columns: term, notes, page (1-101 format). I don’t shy away from expanding the size of a row if I need lots of text (word wrap). I separate each book into its own sheet, and I copy/paste those sheets into a master sheet which I then order alphabetically. The workbook is referenced as w-101. If I add something from another source, like a practice exam answer explanation, I’ll just mark it as x. I’ll then later get it printed and bound at Kinkos. This time around, it took $19 to print and was pretty thick…

I took particular time this go around to make note of any commands and screenshots of tools. This way, if on the exam I am looking at a tool output or some command, I have a shot at finding a comparable bit of output in the materials for comparison. Often, I would put the command verbatim into my description for that line, as none of them except the sqlmap ones were really long.

The goal of an open book exam is to be able to efficiently and correctly answer questions by using those materials, and to do that, you have to manage your seek time. And that seek time plus tolerance for recollection or finding exact answers is going to differ from person to person. For me, I like enough context on each line of my index that I can tell where I should look for something about XSS types when I have 15 individual references to “XSS.” I don’t expect to always find answers just in my index, but I do give myself a shot at doing so. Ultimately, however, I expect to get into the books and find the “for sure” answer quickly. I do this with my index, but also sometimes with tabs along the tops of the books for key pages, tools, and topics.

In retrospect, I’m not really sure how useful the provided index ended up being, as I trust my own index was probably going to cover the bases. Honestly, the given index had some mistakes and included some weird terms from some weird places that added nothing. In the end, it maybe just resulted in a larger index than the FOR508 index I made last year (and I think that material more warranted a larger index).

One note about the SEC542 material that I noticed. Way too often for my tastes, the authors didn’t actually define terms. Instead, they would describe them anecdotally, and maybe list some uses for that term to be gone over in more depth in later pages. This made defining terms very strange, and it added extra references for terms. For instance, Stored XSS is mentioned well before it is actually dealt with, but I had to keep both references. (I suppose you don’t have to, but *I* had to, if you know what I mean.) I also challenge you to find a succinct definition of XSS somewhere. I think I would have appreciated a bit more structure in that regard, but the material is effective either way. On the flip side, I like the “attacker perspective” that closed out various attack topics.

The rest of the preparation. Once I had my index finished, I tabbed the tops of the book pages. This makes for easy flipping to sections when I know generally or exactly where a topic is in the materials, letting me skip the index completely sometimes. This was more useful in the FOR508 exam which has more repeated reliance on tables and charts, but I did find myself using these on the exam as well. For example, a digest authentication question is going to be in the… drum roll… digest authentication section! There’s really no hunting around needed in that case.

Before sending off my index to be printed, I first took my first practice exam. I used the books and electronic spreadsheet (without using the search features) during this practice exam, and also did not use Google or other references. During the practice exam, I specifically turn on the ability to see explanations of all answers, rather than just the ones I miss (sometimes I may guess and get it right, but not be sure why!). If something is missing from my index, I’ll write down the topic or term quick. In the end, I scored 90% on the first practice with about 10 minutes to spare.

After that, I intended to do an actual read through of the material as well as listen to the mp3 audio of the course (given by the other author!). I only did about day 1 on both of those and decided to forgo those steps in my process. I took the second practice exam just like the first one, and scored 90%. After that, I sent my index off to be printed. Until exam day (about a 2 week gap), my only studying was just occasionally opening the books to flip through the topics and keep the layout and topics somewhat fresh in mind.

Alternate material. Now, not everyone can afford SANS courses, but the information in SEC542 can actually be very easily gotten from other sources.

For practical lab-like experience, work on things like DVWA, Mutillidae (both of these were heavily used in the course labs), and OWASP Juice Shop. In addition, every attack can be found somewhere in the HTB boxes (ask someone who’s popped most of the boxes if they can guide you to good candidates, or browse IppSec’s YouTube videos and sample each one for web app opportunities). If you’re lucky enough to have access, the PWK labs also have plenty of web app practice available. Between all of those items, you should be exposed to every attack in this course and beyond.

On the tools, it really absolutely helps to have some Burp exposure and some Python exposure. I actually really recommend courses on PluralSight for both topics. There is a course or two by Sunny Wear going over how to use Burp that is just awesome. And there are a few beginner Python courses as well that helped me quite a bit to get started. (If you do pick up a sub to PluralSight, it also has decent courses on many of these web attacks, too, by Dawid Czagan and Troy Hunt.)

Everything I know about ZAP came from this material, and I suspect just a 20-minute video on ZAP examples would cover it well enough. I just don’t have any particular ones to list here. Of all the topics, I’d have to say web fuzzing is the hardest topic to pick up on one’s own.

For other tools, exposure in the course is light, so just using sqlmap or nikto or recon-ng or nmap or wpscan or beef somewhere on some target is probably good enough to understand it enough. For Python, focus on understanding the basics of Python and then also the requests library.

For attacks, just go through the syllabus and the OWASP 2017 Top 10 web flaws. This course pretty much sticks to that list. Do know how to find and perform Shellshock and Heartbleed attacks, though. (HTB has those boxes!)

Otherwise, just go through the course syllabus and the exam topics item by item until you feel comfortable talking about them and their differences.

One thing the course doesn’t go over much at all is source code analysis, but pretty much everything in the labs is open source (umm, you control the VM!), so an enterprising student could look at the flawed code on their own. This is probably a step I need to incorporate as I look at further practice.

After all of that, honestly, you don’t need the course anymore! (But let’s face it, the extra advice from the instructor, the full coverage on the topics, and meeting other professionals in person adds to the course value.)

My next steps. After GWAPT, my next steps on the web application attacking front are to gain more casual experience through practice via self-study on DVWA, Mutillidae, OWASP Juice Shop, and others. I want to particularly make a point to use various tools for the attacks, rather than sticking to just one. And I also want to make sure I can do things manually or with Python scripts when appropriate, and review source code whenever I can for practice identifying flaws (and maybe fixing them?). I have a sub to Pentester Academy which also has extensive web hacking tracks.

Will I take SEC642? What about AWAE from Offensive Security? Maybe, but SANS will entirely depend on whether my employer wants to support me in that next step, and I may be able to swing AWAE on my own if I can carve out that time.

Will I get to any of these this year? I do have other goals and things for this year, but the continued self-study is one I want to stick to. I don’t today do web assessments for internal sites at work, but that opportunity may be right around the corner, and I intend to be part of that.

do you need a degree to be good at what you do?

Still reading through Tribe of Hackers. I, like most everyone, definitely hold back on punches when it comes to the “Do you need a degree/certification…?” question. So it was a nice moment this morning, reading up on some industry blogs, to run across Harlan Carvey swinging and hitting in his responses to the questions in that book, particularly about needing a degree/cert. I think he’s right, but it’s important to note the clarifier: “Do you need a degree to be good at what you do?”

That said, all of his other answers are wonderful, too! Of particular note are tidbits about engaging on social media, mentoring and sharing, realizing that we make some mountains bigger than they are, and bosses don’t like surprises!

That sort of reminds me of the old school way the sysadmins are born. Often, a more senior admin will get a junior-ish new hire and throw them into the fire without much help. Basically sink or swim. No one really liked that, but it just sort of happened, probably since back then many of us tech geeks were socially awkward…hence being in IT! Today, mentoring in any formal or informal fashion is the way to win allies and friends. Transparency is a close cousin.

attended sec542 and netwars at sans east

About a week or so ago, a coworker and I attended SANS East in New Orleans. I was in town to take SEC542 and he was taking FOR610. We arrived a day before registration was open.

I just have to say that I absolutely enjoyed New Orleans! I’ve been to a few cities in recent years for training, and most really have pretty generic character; they’re just another city with maybe good weather. But New Orleans and especially the French Quarter has a great character to it with absolutely wonderful food, fun people, shops galore, and music everywhere. Combine that with beautiful weather (50-70 degrees in February winter is beautiful to me!) and thick mysterious fog every morning and I loved it.

We were in town the night of the Super Bowl, so after registering for classes, we navigated an impromptu Boycott Bowl block party (New Orleans Saints had their Super Bowl berth stolen from them two weeks prior and they’re a little sensitive!) to join the SANS opening reception at Fulton Alley for open buffet, bowling, and bar. Super excellent time out there, and I would visit New Orleans again some other winter.

My background gives me a good foundation for this course. I’ve not only managed my own sites and servers, including their (somewhat simple) code, for many years, but I also spent about 15 years as a security/sysadmin in charge of hundreds of critical business web sites and servers and working closely with developers. I’ve also gone through the PWK course and earned my OSCP, and done many HTB boxes over the past few years, all of which has given me exposure to web app vulnerabilities, exploit execution, and red team tools. In all, I feel comfortable with web applications, but my confidence isn’t all there when it comes to efficiently and accurately performing a “real” pen test against a site. (More on this later.) I’ve used some of the tools we’d use in the course, like Burp and wpscan, in the past, but others I have not, like ZAP and BeEF.

To prep for the class, I mostly brushed up with courses on web app testing on YouTube or PluralSight. The most notable courses that really helped were 2 courses for 3 hours of Burp Suite on Pluralsight by instructor Sunny Wear and a series by Dawid Czagan on web app hacking also on Pluralsight.

The SEC542 class itself consisted of 5 days of lecture followed by a CTF competition on day 6. The class is pretty solid in covering the basics of web application technology, OWASP Top 10-styled weaknesses and exploits, and the beginnings of conducting web application assessments. The instructor (Eric Conrad) was excellent in adding value to the course with personal stories, advice, examples, and encouragement.

There were maybe about 30ish labs over the 5 days. Some labs are very basic where you just follow the directions to perform a quick directory traversal or XXE attack. But others later on offer a little more chance to choose your own difficulty and how many hints/guidance you take, which works especially well in something like the Python-related labs where I just needed a few pointers from Google and the books on how to do a few things and I could mostly do them with my own script. That sort of open-ended lab actually doubles as nice practice, rather than just pure introduction and copying.

The day 6 CTF was an absolute blast and my penultimate experience at SANS East and SEC542. We split into fairly random teams based on when people came in. I think one team was somewhat pre-picked, but ours was pretty much, “Yeah, sit down, join up!” We had 3 teams in our class (online teams competed only against each other), 2 consisting of 5 students, and ours with 4 students.

As we got going, I started doing scans of the network using nmap and nikto, and doing really quick assessments on the results to draw attention to any suggested targets (“WordPress here! SSL here! CGI script there!”). My other teammates cleared out the level 1 book questions while this happened. I had my back to the classroom screen, so I didn’t see the jumping around of the team scores very much, but my impression is that for the most part first place traded hands quite a bit.

My team was amazing. I’ve never really had many chances to work on a pen test or assessment (or even a CTF) as part of a team, and this was absolutely wonderful. We all made progress and everyone contributed investigation and success into the things they were tackling. Someone scored out the questions on one section, I took another, and another two were done before I had even looked at them. We even had one guy make some ridiculous lucky guesses to score wins, and as I said when that happened, “That’s half of hacking, making guesses and getting it right!”

In the end, we had the lead, but bought hints on the final few questions which dropped us back into second place for a while. We got pretty hard stuck on a few things, but eventually figured it all out except one last question that was bothering me badly as I knew I was almost there (turns out I was). In the end, we bought one final hint, scored the question out, and then scored the final question to take the lead in the last 6ish minutes and held it until time ran out. Super fun to earn that coin and get first, but honestly it was more awesome to run through that well-paced CTF on a team that worked so well together. We made some mistakes, but nothing so big that it messed with our energy.

So, how did I feel about this course? This is a weird space, as is much of information security disciplines where you need a certain baseline of fundamental knowledge, otherwise your uphill climb can be difficult. But the material can quickly be overpassed with just a little bit of experience (which is kind of the point of the course, yeah?). And that really leads to my only down side of the course. But it’s really not even a problem with the course, but rather with me. For almost all of these exploits and attacks, I’ve done them before between OSCP/PWK and HTB lab environments. So, honestly, good portions of this course were sort of a review for me, or rather a reinforcement. But, make no mistake, I did learn a few new things, especially the value-add stuff from the instructor.

My biggest takeaway, much like so much in information security, is that this discipline and doing these assessments takes constant and regular practice. Practice, practice, practice. Which is really the place that I am right now with my skills and level of confidence. I simply need to iterate through the things I know, over and over, get quicker and more familiar with the tools, and maybe start doing some assessments at work on our sites to complement the things our QA teams do.

Still, could someone pass over this course with self-study and a cheaper budget? Yes, and probably not that hard, either, unlike other high level SANS courses. A student could study up on various cheaper courses or even free YouTube courses going over OWASP Top 10 attacks. And honestly, there are free tutorials on doing DVWA, OWASP Juice Shop, and Mutillidae II out there, which will cover the Top 10 and more. Adding in some HTB boxes and watching along with IppSec on YouTube doing retired boxes shows many of the attacks in a more live situation. From there, it’s really about learning the tools, and you get use out of them from HTB or PWK/OSCP, plus additional courses on those tools which may cost a small subscription to view for a few months. Still, that’s quite a bit cheaper than SANS, especially if looking to do this on your own dime. You won’t necessarily get a certificate, or exposure to other smart students, or the Netwars experience, or the value from the instructor, but I honestly think students can get past SEC542 on their own with some personal dedication.

And that now brings me to Netwars. For a third, and probably last time until they update the content, my coworker and I competed in Netwars Core. We sat at the front, which must have been a good area to sit, since the winning team and most of the individual top 5 were sitting there. After two nights, I finished in first place for a coin and trophy, and my coworker fought a super close battle for 4th place! My placing was pretty undramatic, but that fight for 3rd through 6th was pretty tight. I might do Core if I ever attend a coinapalooza event (and have coins to acquire), but barring Core being updated to a version 6, I’ll likely duck into DFIR or Cyber Defense in future events now.

GWAPT and the future. So, that leaves me with what’s next. I’ll be studying the materials again, making my index, and going through the labs once more in preparation for the GWAPT exam. I have pretty high confidence going into this one unlike my GCFA. During and likely after this, I will also be trying to get a practice regimen started. At a bare minimum, I want to tackle web-heavy HTB boxes, not to necessarily root them, but to practice assessment steps and tools usage (I need more confidence in fuzzing, sqlmap, for instance). I also will look into those vulnerable open source boxes for further practice (Mutillidae, DVWA, Juice Shop). I am also woefully inexperienced with REST/API and SOAP assessments, so I’ll likely find some courses or guidance on that. And lastly, I’ll also work to continue to further my Python and even Javascript exposure. I do also have a Pentester Academy sub, and they have some web content and challenges as well.

That sounds like quite a lot, but honestly this is about forming a long-term practice and experience habit for web assessments. And to my viewpoint, being conversant and ready-to-go with web app assessments is a core pillar for anyone looking to be on or near red teams/offense.

Will I take SEC642? I don’t know. Some of those topics definitely are things I’m less comfortable with today, so it is still in my top several classes to look at if I get another opportunity to attend something. But other options are tempting as well, such as SEC573 (Python), SEC617 (Wireless Pentesting), SEC660 (Exploit Writing), FOR610 (Malware Reversing), SEC588 (Purple Teams), SEC545 (Cloud Security), and FOR572 (Network Forensics). It might just depend on what lines up best with what I and my company need when the chance opens up.

my tribe of hackers contribution, part 4 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 4 out of 4.

(Part 1) (Part 2) (Part 3)

12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Be aware of what you’re putting online about yourself and whether that is important to you in any way. Ultimately, live life and don’t shy away from technology. Turn on automatic patching. Use unique passwords, and change them regularly.

13. What is a life hack that you’d like to share?

I don’t really have life hacks, or at least I don’t think of them that way. Just keep learning and improving. If something rubs you wrong or doesn’t seem like it is in its right place, fix it and/or move it, or change your attitude about it and move on. Be happy, but not at the expense of others.

14. What is the biggest mistake you’ve ever made, and how did you recover from it?

Professionally, I’ve not really made any large mistakes that have made me fearful about my job or even an annual review. However, I will cover a personal mistake, a professional mistake, and a career mistake anyway.

My biggest personal mistake may be my phoning in of high school and early college years, which led to low motivation in college and being 100% unsure about what career and life I wanted. I nearly failed out of college, but pulled myself back up after 2.5 years in a major that wasn’t calling me, and switched over to one that was, to successfully salvage the experience. I wish I had applied myself more in my younger years, but more so I wish I knew what I wanted earlier than I did. We are asked as young people to make life decisions very early, and often without enough preparation. That becomes a weighty decision experience. Then again, I wouldn’t change anything that has happened to me, as I enjoyed my childhood, and everything before now has directly led to where I am and who I am today.

My biggest professional mistake was probably assigning an IP address to a server that was an undocumented in-use address on the interface of our perimeter firewall. This address conflict brought down that interface, halting all traffic to and from the Internet. Obviously, troubleshooting this brought things back in 5 minutes, but that’s a pucker moment you’d rather not have to go through. Lessons learned, though: document everything, consult that documentation, and verify anyway.

For my career, my biggest mistake would have to be not having as confident a voice about my skills and knowledge as reflects my actual skills and knowledge. I have warred with imposter syndrome in the past, and I probably still war with it today when I think other people already know what I know, so why speak the obvious, right? But that’s folly. Even if that were true, speaking up still stokes the sociality of life, work, career, and networking with peers, which leads to connections, friends, learning, and growth. This is probably a small war I’ll fight until such a day as I am regularly teaching others in some measure of a formal setting.

At the end of the day, mistakes make us stronger and have made us who we are today. Learn from them, don’t be afraid of them. Go deeper. Try harder.

my tribe of hackers contribution, part 3 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 3 out of 4.

(Part 1) (Part 2) (Part 4)

9. What is the best book or movie that can be used to illustrate cybersecurity challenges?

Of all of these questions, this is the one I have left blank for the longest, and I still honestly do not know what fills this the most. The only work that comes to mind might be Daemon by Daniel Suarez. I read this shortly after it came out, and it was scintillatingly wonderful and scary at the same time. For movies, Sneakers is the only example that comes to mind now. Maybe if I revisit this list, I’ll have better answers by then!

10. What is your favorite hacker movie?

Movies are a pastime of mine. I definitely have hacker-related movies that are guilty enjoyments like Antitrust, Swordfish, eXistenZ, Enemy of the State, Foolproof, Ghost in the Shell, Weird Science, and even a great movie like The Matrix.

However, my favorites boil down to two choices. Sneakers is wonderfully cute and I absolutely love the hacker team dynamic, but Hackers is alone near the top of my favorite movies. It has the best soundtrack (Halcyon On + On is my desert island song), great pacing, acting, and writing, and while it is somewhat ridiculous, it reflects a certain counter-culture caricature of how hackers viewed themselves in the 80s and early 90s. Yes, it is dramatized and unrealistic, but it never seems to take itself too seriously. It really captures a certain hacker ethic and culture in the process. Ultimately, it’s just fun and I could watch it over and over forever.

11. What are your favorite books for motivation, personal development, or enjoyment?

For personal and professional topics, at various times in my life, I tend to come back to The Book of Questions by Gregory Stock and The Rules of Work by Richard Templar. I will also dig up and re-read the full collection of Calvin & Hobbes as well.

For enjoyment, I come back around to reading fantasy books on occasion. I started reading adult level fantasy books around the 4th grade, and devoured them up to college years. I still play Dungeons & Dragons and fantasy video games, but sitting down with a good fantasy book allows me to revel in nostalgic moments exhumed from my childhood many innocent years ago. Those were some pure times.

my tribe of hackers contribution, part 2 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 2 out of 4.

(Part 1) (Part 3) (Part 4)

4. Do you need a college degree or certification to be a cybersecurity professional?

No, but they can help. A college degree is less important than it used to be, but the experience can teach many life skills at an age when young adults are busy finding themselves. Beyond that, you can learn a lot about a profession as well, and a degree can get you past HR filters that may otherwise reject those without a degree.

Certifications are a useful vehicle to learn topics and have something tangible that at least somewhat attests to some knowledge on those topics. These are things that can add to your marketability, either for yourself or as an agent of another entity. At the end of the day, though, those are just tools, and they don’t replace being an expert in your chosen domain. Regardless how you get there, be a master of your domain.

5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

I’ve always had a love of puzzles, mysteries, and a sense of curiosity and creativity. I first thought about IT security back around 2000 when I wrote a long-gone article for a video gaming community about what sorts of careers someone who grew up with PC gaming could get into, and information security was one of them. But, it wasn’t until I picked up a random IT book at Barnes & Noble to continue my post-graduate learning, Hack Attacks Revealed by John Chirillo, that I fell in love with the topic.

For my career, I officially got started having a security interest while doing normal IT desktop, technical support, and sysadmin duties. If something related to security came up, I would tackle it, set it up, configure it, or evaluate it. I remember sitting with government pen testers and showing them Metasploit shortly after it came out. I spent nearly 15 years with a general sysadmin title, but largely doing security-related things. In recent years, my title has shifted to officially be a security one, which makes selling myself a little bit easier!

I would advise someone beginning a career in cybersecurity to have one or more career goals in mind, and some ideas written down on how to get from where you are today to those goals in 1, 3, 5, or 10 years. And pursue that. Keep your eyes on the horizon, and move towards it. Seek advice from peers and those you want to emulate. Always be learning and always be active, whether in a cybersecurity role at the start of your career, or in a more general IT role. Either way, you can effect changes in security postures, learn more, and build skills that will directly carry over to the time when you arrive at your cybersecurity goals.

I would also suggest being involved. Share your knowledge, teach others, meet other professionals and hobbyists locally, and be part of the cyberspace and meatspace infosec communities.

6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?

I don’t really have one, which might mean my specialty is about being generally good at many things. But, if I had to pick one, it would be about thinking like an attacker; playing five moves ahead and solving those problems.

And to get anywhere, it is all practice, practice, practice. Don’t be afraid to fail and learn. Practice, fail, practice, do better, practice, succeed, practice, improve.

7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

Be a good person, be intelligently enthusiastic, be an expert, and be honest about your desire to effect appropriate improvements. Be honest, about everything, including things you don’t know.

But one of the most important things in business and security is about selling yourself and selling your ideas. Speaking and selling are key ingredients for effectiveness in getting things done and leading.

I don’t run a company in cybersecurity, but if I did, I imagine my biggest stressor would probably be making sales and being good about that. I think that might be my biggest advice; gain the sales skills or align with someone who can.

8. What qualities do you believe all highly successful cybersecurity professionals share?

The willingness to say what is right, the integrity to stick to what is right, and the self-awareness to know when you might be wrong or it is just not the correct message for the day. Security is a cost and gets in the way of convenience. Being on the security team is rarely a good choice for someone who desires only to be liked and not rock the boat when it is needed. But, perfect security will never be accomplished, which sometimes means we have to move on, and know when we’re wrong about something, and yet still walk forward with head held high to the next battle.

I digress, though. Other qualities I admire in people in general are enthusiasm, passion, integrity, constant learning, being a good person, and being an expert. Some of my favorite celebrities are like that; Adam Savage, Wil Wheaton, Matthew Mercer, Steve Irwin. These are qualities to live one’s life, and qualities to bring into one’s career.

my tribe of hackers contribution, part 1 of 4

I’ve gotten my hands on a copy of the new hotness in the cybersecurity community, Tribe of Hackers by Marcus J. Carey & Jennifer Jin. This book is a compendium of cybersecurity and hacker luminaries answering a battery of questions about themselves, cybersecurity in general, and advice for aspirants to the industry. I loved the idea for this. And I figured I would go through a self-exercise related to the book by going through the questions myself. I wanted to compose answers before reading any other responses in the book, and then later after reading the book, go back and see if any of my answers can or should be adjusted based on possible shifted perspectives. This might take quite some time, as this book is bigger than I expected!

Since the questions are sometimes weighty, and I tend to be somewhat verbose, I also figure to break the questions up into logical groupings though maintaining their original order.

1. If there is one myth that you could debunk in cybersecurity, what would it be?

There are two myths that I tend to poke at with a long stick during quiet moments. One is the idea posited by many a marketing team that some tool or process is absolute and will provide any sort of “perfect” security (while their security engineers say there are no silver bullets). Very few things are so absolute, and those that seem to be, tend to be smaller in scope. Segmentation, binary yes/no access, walls.

The other is that we, as information security defenders, can “win.” There is no winning in a sense that the attackers will be beaten and we can ride off into the sunset; there is no checkmate or surrender. This dance is going to go on forever, and we do the best we can to secure the things we have control over, and hopefully that is enough for our constituents. Never get disheartened that this fight seems to be never-ending, because that’s exactly what it is. The war won’t end, but we can win battles. Embrace that, and play the game with enthusiasm and positivity.

2. What is one of the biggest-bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

I imagine answers to this reflect where someone’s mind is, tactical or strategic. Strategic answers are a little easier, since it may mean doing multiple tactical things as part of that initiative. So, I’ll stick to tactical. Every few years I post a blog about the top 10 things I tell small/medium businesses that they should focus on to improve or start tackling cybersecurity. Pretty much any of those items is a good value option.

For this open-ended question, though, three things bubble up to the tap: 1) Know what you are responsible for. Keep an inventory of systems, data, accounts, and software. Defend accordingly. 2) Patch management. Just. Patch. The Things. 3) Least privilege. And it is this last one that I think may be the more important for this particular question, for me today. Limit privileged access, limit privileges on workstations, limit access to data. Attackers can compromise people and systems, but we need to make them work harder and longer to get to the things they want, which in turn will give defenders more chances to detect them.

3. How is it that cybersecurity spending is increasing but breaches are still happening?

Security always follows insecurity. It’s just the nature of the beast. As our technology grows more ubiquitous with life, it also becomes more complex, and thus fails complexly. Technology, the internet, and cyber-things are still in a rapid growth phase, and are showing no signs of slowing down to allow us to catch our breath. And so too are cyber attackers. And let’s face it. If no one is ever going to break into your house, there’s really no need to maintain security. Insecurity fuels this industry and our jobs. It just goes back to that never-ending dance we do.

(Part 2) (Part 3) (Part 4)

my netwars core tournament of champions experience

Earlier in 2018, I attended the SANS West training conference in San Diego and competed in the Netwars Core competition. This was my first Netwars experience, and I was surprised not only by placing second in the individuals bracket, but also by receiving an invitation to the year-end Tournament of Champions as a result. I had no idea this was a thing I would get (more on this later), but I was excited to have done well. And, as luck would have it, my work leader was in attendance, got excited as well, and offered to budget out the cost to allow me to attend the ToC event!

So, I headed out to DC for the Netwars Core Tournament of Champions (ToC) held the evenings of Dec 16 and 17, 2018, during SANS CDI. DC was rainy, but I got in a day early to relax, get some grub and supplies nearby, and otherwise spend that evening and most of the next day taking it very easy.

I suppose at this point I should mention that Netwars Core is a hybrid technical question-and-answer competition (jeopardy-style CTF wrapped in a wonderful Star Wars-themed story) and castle-vs-castle top tier played out in 5 Levels over the course of 2 evenings (3 hours each) during most SANS events. Competitors are given a USB stick with some files and a virtual machine to import, and are asked to sign up for an account on the scoreboard where scores and questions are housed. Levels 1 and 2 consist largely of your typical infosec CTF questions like which Linux command does this, or run this command on the provided event virtual machine and find the flag or decode this password. These questions range from non-technical through the gamut of many skills and tidbits of knowledge such that even novices have a good shot at having plenty to do. And for those questions that are unfamiliar, you can “unlock” hints for free which definitely get most people on the right path for answers. As competitors submit answers and score points, more questions are unlocked. At some point, Levels 3 and 4 are unlocked which starts competitors down the path of offensively probing and attacking systems on another network altogether. And, unlock enough points, and you can get up to level 5, which is a whole new competition in itself. At Level 5, the game becomes a more classic CTF where competitors get a castle of services they need to defend and keep up while trying to also take over and bring down the castles of other teams to score points.

For anyone daunted by that Castle part, at least be comforted that not every SANS Netwars Core event has people get far enough to unlock Level 5. Most of that top tier competition comes from the pentest-focused events like SANSFire or Hackfests or here at ToC or on the separate Netwars Continuous package.

I didn’t have much to prepare for or with. I scored 275 points in the earlier event, which took me up almost entirely through levels 1 and 2 and into some clear stopping points in Level 3 and 4. Unfortunately, I hadn’t saved any questions or code or scenarios from those higher levels, so I only had vague memory to go by. I didn’t know 2nd place got an invite nor how all of this works! I had saved the questions page for the initial levels (most of which can be answered in the provided VM), but I had most of those already solved, so there wasn’t much to do there. See, the game itself closes after the event, so you can’t go back and see the old questions or hints. Even worse, once you hit Level 3 (I think), the scoreboard and targets are on a different network that you connect to which also isn’t available outside the event itself. Lesson learned, my friends, lesson learned: Leave windows open, copy/paste, download what you can, save shit, suspend your VM if you can.

Registration and check-in took place about 4pm or so Sunday afternoon, where we basically just got our guest badge. And at about 4:30pm we were allowed into a reception room for free drinks, appetizers, and mingling with fellow security geeks. During this reception, Jason Blanchard and Ed Skoudis gave a presentation about the event and some of the rules specific to ToC that we need to know about. Also, one of them made mention to look around the room and take in the fact that lots of excellent and smart people were in that room. To be honest, that was one of the better moments of the event for me: being in the company of some super smart and dedicated people. We also got handed our swag (a custom t-shirt and an athletic polyester long-sleeved black half-zip shirt), had a chance for some forced mingling with fellow competitors, and then slowly wandered down into the competition seating area.

When I got down to the seating area, some teams were already moving desks to face each other, and I picked out a spot for myself between some teams so as not to get in the way. ToC players had seats on the left side of the room reserved. Turns out, I sat behind the team that would end up winning the overall prize. I got set up, got a drink, and waited out the rules presentation before getting started! I will say, while the rules went on a surprisingly long time, I actually really enjoyed Jeff McJunkin’s energy and enthusiasm as the emcee/host of the event.

As this was just my second Netwars event, I was in for an unexpected start. I spent the first 45 minutes keying in answers I already had, unlocking more portions of the scoreboard, and just turning my mind to mush. It was pretty awful once I sat back in my chair near the end of this marathon submission session, and I wondered how the heck I would find my groove back and actually “get into” the VM and the mindset of the challenges I was cleared for, especially since some of the things you do in early challenges set up the VM to be ready for the later ones. I think once all of my answers were submitted and I was feeling pretty lost, I got up to get a drink and take a small break. I can definitely see why the established teams have their answers all scripted and submitted within minutes! (I’ll have to save the web page code and figure that out next time.) The team ahead of me, of course, submitted all 645 points of answers and sat back for their Level 5 access. Turns out, there were some technical issues with the Castles, and those teams ended up sitting around waiting for about 90 minutes.

Now, I will say just reading this during my proof-read, I can realize how someone will look at this and wonder why compete if there are whole teams that just script the answers up to Level 5? Well, as part of the ToC rules given during the reception, players were awarded prizes in 4 groups: Level 5 teams, Level 5 individuals (I believe there were only two brave enough to tackle Level 5 alone), other Teams, and other Individuals. So, even if you didn’t have Level 5 unlocked, you could still earn something by crawling up higher into Level 4. I do not know when Level 5 actually opens, but if it’s at 645 points, you can see there is still a gap in the field based on the screenshots at the end of this post.

Once sitting back down, I got my head in the right place and started making progress. For the rest of that evening, I felt pretty good with my progress, but I definitely had and still have a long way to go. By the end of that first evening, I had clawed some points above and beyond what I already knew, and felt confident in my progress. I made sure to keep scoreboards open and save files, questions, and hints for research later that night and the next day. Looking back, my biggest wins that day were the experience of that first marathon of answer submitting, and the saving of relevant data/info for research later.

If I had any complaint on the event, I may as well get it out of the way here. The music played during the hacking activities was largely 80s and early 90s rock. Things like Van Halen, Bon Jovi, Billy Idol, Starship, and so on. And while I grew up in those times and am quite comfortable with that music, I did not need to listen to “Don’t Bring Me Down….Bruce!” 3-4 times (the only re-repeat I remember hearing), nor do I really want to listen to that rock for 3 hours a night while doing hacking things. It was distracting at times. But that’s me; I’d prefer some sort of techno/electronic genre (deep house, lounge, chill, psytrance, trance, or anything in between). Or maybe at least a slightly better curated 6 hours of rock. (It’s honestly not that long, but can feel long.)

One tip before the night of the event is to make sure you know how to import or add a new virtual machine to whatever VM platform you use. Once sitting down in the competition hall at a desk, be sure to keep your head up and look for whoever is handing out the Netwars USB sticks and instruction sheets and be sure to get one of both. If you don’t get an instruction sheet, ask to take a picture of someone else’s near you.

In fact, here’s a general checklist for someone sitting down to Netwars 5.0 for the first time:

  1. Prep: Bring a mouse. Bring a second portable monitor if you have one. Both of these make the experience so much better. Bring headphones and music if that helps you. Make sure you have whatever virtual platform of choice you prefer already installed and ready on your system. As far as other software, you don’t really need much else on the host; most things are either present in the VM or can be downloaded into it from the Internet later. I’d also suggest being at least a little familiar with Linux command line (things like ls, cd, cat, file, cp, rm, touch, chmod, chown…that level of stuff). I don’t suggest using a work laptop, unless you have the power to turn off security protections so as not to kill/quarantine what you’re doing! I used an old Thinkpad X230 upgraded to 16GB RAM and 500GB SSD, running Win 10 and VMWare Workstation 15 Pro, with an AOC 16-inch portable monitor; the portable monitor is a lifesaver as the X230 screen size can be limiting alone.
  2. Sit down and set up your computer; power strips should be nearby.
  3. Once booted up, get on the netwars core wireless (will either be on the instruction sheet or on the screen up front). I suggest writing this down.
  4. After that, get your hands on the USB and start copying all of the files to your system. It’s always better to work off the local copy than straight off the USB.
  5. Once copied, fire up the VM platform of choice, and import/add the .ova file as a new VM.
  6. Once added, I strongly suggest increasing the RAM on the system above the default if you can spare it, and also add some video RAM if using VMWare (if you can’t find this setting, then don’t worry about it, it’s just to have better full screen sizing on some versions; probably not a problem with a laptop).
  7. It should work by default, but I also strongly suggest being familiar with testing and enabling (if needed) copy/paste from the VM to your main system.
  8. When ready, start the VM and log in (should be on the instruction sheet or it will just autologon for you). There’s no reason to not at least start up the VM and test Internet connectivity. Maybe even poke around the system a bit.
  9. I don’t recall ever needing to deal with installing VMWare Tools, but maybe I just do this automatically and remember it. I’m adding it here as a reminder to think about if something isn’t working.
  10. Once ready, feel free to get a drink or two and for the love of all that is pure, lock your system when you walk away.

During the event, you do what you need, but I strongly suggest taking a break now and then. Get up, stretch, get a fresh drink, take a small walk, get your eyes and brain off the screen a bit, tip the bartender, start up a quick intro conversation with any others back there in line, wish them luck, and get back down to business.

I know some people bank points until the final 30 minutes of the last day when the scoreboard is hidden from view, but honestly, I’m not sure who does that, since the more points you submit, the more new stuff you unlock. And I think in most cases, it is better to unlock things early than in the waning minutes. There may be some more easy points waiting!

I wish I knew the cutoffs in points where things unlock. Maybe next time I’ll try to pay attention to that….

On day 2, I sat in a different place behind a team from the Army branch. I honestly don’t know how they did (not top 3 at least), and I’m unsure if they are displayed on the scoreboards and have a made-up team name or something.

Day 2 was a more heads-down day working on some of the new challenges, and I made some progress by the end of the night, totaling 328 points and finishing in the middle of the pack at 31st place. Unfortunately, I didn’t really unlock anything by the end of the trip that I shouldn’t have already had from my first Netwars experience, but at least this time I am better able to take some studying points home to work on directly.

In reflection on my experience, I feel like there are probably 4 very different experiences you can have with Netwars.

  • First timer – This is the purest experience as someone completely new sitting down at a blank scoreboard with questions to bang away at and answer. This was absolutely a blast and I encourage everyone attending a SANS event to give Netwars Core at least this first try. It has accessible questions so everyone can ramp up slowly into more involved stuff.
  • Experienced aka “the level 4 doldrums” – After the first experience, no matter the performance, coming up next are what I would call the level 4 doldrums where a competitor has completed the things they find easy, and are now working harder on the trickier or less familiar topics. This lasts until one can unlock level 5. Large swaths of an event may be spent working on just a handful of challenges at hand. This is definitely where I am. I unlocked Level 4 on my first event, and now I get to spend a lot of time making slow progress through it (and finishing challenges inside Level 3). The one caveat that may change this experience is joining up on a team of others in the same boat, but I have mixed feelings about teams prior to level 5.
  • Level 5 unlocked! (fanfare music) – This is probably the next big jump, where one emerges from the Level 4 doldrums and unlocks Level 5! …And then is lost while trying to figure out the castles, defend them, and somehow also attack. The first experience in Level 5 is probably pretty rough, especially so for an individual. But, you gotta have a first time at some point so you know what’s coming up next time and how to start preparing for it. Because, let’s face it, there’s only a small number of posts about the experience of Level 5. It might be interesting getting to this experience on a team, either of those who’ve made it before or all newbies to Level 5, as at least then you can get some boots on the virtual battlefield quicker. And even at some of the larger non-champion events, there may not even be any other Level 5 teams! I think in that case, even if unlocked, you don’t get your Castle early, as that might be a little unfair to later entrants, but I don’t know that for sure.
  • Level 5 veteran – Lastly, all that is left is to dive into Level 5 with eyes wide open, probably as a member of a team. This is the penultimate experience, and I hope to get there someday to at least give it a try once. I’ve never competed on the blue side of a castle-style CTF like that (only the red team, and it’s been years).

One nice small benefit I received after the event was a discount to Netwars Continuous. While still a large chunk of money, I might have to think about that if I want to experience Level 5 competition and get some practice. (Assuming I get up to it!)

Would I do this again? I think so, but I don’t know. I don’t really learn much from it directly, but I love the access and mingling with other extremely smart people, just like any other SANS event. I am qualified for two years, so I’ll have to think hard about it. My participation may depend on others on my work team being able to go, or my progress towards Level 5, and of course budgets. That said, the meeting of other people and the chance to further hone skills is always welcome in this ever-learning industry. If I were on a Level 5 team, I absolutely would!

Would I suggest others do this? Yes! If you can budget this out (keeping in mind you don’t necessarily have to be taking a course at CDI to attend ToC!), I think this is a great event to experience at least once. Even better if you get the chance to experience this at Level 5 with a team. There really are not that many chances to experience something at that level and I think they would be worth it.

What’s next for me? I have a very long way to go, and the number of questions I have in front of me to answer has dwindled quite a bit. Basically, I’m at that point where I need to answer a question to open the road to answer the next question, and so on. My choices are limited, and while that means I can focus my studies a bit, it also means I have no idea what’s behind those doors.

I’ll next be at SANS East the first week of February with a coworker. I plan to sit again for Netwars Core rather than trying out DFIR yet. And this time, I’m taking a course that I need more confidence and speed with (SEC542) which hopefully gets me another small step or two through the Level 4 doldrums!

(images via CounterHack team and Sean Donnelly)

us-cert and questions ceos should be asking about cyber risks

US-CERT has posted up a nice list of Questions Every CEO Should Ask About Cyber Risks. I can’t say I disagreed with anything here!

It’s nothing much, but I did look a bit hard at the metrics section where it says, “An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise.” While I agree with this, most organizations still need to adequately find or be told about a vulnerability first and get it into the analysis and remediation pipeline, before they can start measuring how long it takes to patch it. Or maybe a better wording is to allow for the fact that a vulnerability may have existed before an organization learned of it and started work to patch it. I wouldn’t want someone to think the measure is just from when it was learned to when it was fixed.
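To make the distinction above concrete, here is an added Python example (mine, not from the US-CERT document or this post) that computes two different patch metrics over a handful of constructed vulnerability records: remediation time, measured from when the organization learned of the vulnerability, and exposure window, measured from the vulnerability’s disclosure date. The record fields, the sample dates, and the function names are all assumptions made for the illustration; the point it shows is that a short remediation time can coexist with a long exposure window, and that vulnerabilities the organization has not learned of yet contribute nothing to the first metric while still counting toward the second.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    """One tracked vulnerability (hypothetical record layout, not a real tracker's schema)."""
    vuln_id: str
    disclosed: date            # date the vulnerability became publicly known
    learned: Optional[date]    # date this organization became aware; None = still unaware
    patched: Optional[date]    # date fully patched across the enterprise; None = still open


def remediation_days(rec: VulnRecord, today: date) -> Optional[int]:
    """Days from when the org learned of the issue until it was patched (or until today if open).

    Returns None when the org has not learned of the vulnerability at all: there is
    no remediation clock running yet, which is exactly what the naive metric hides.
    """
    if rec.learned is None:
        return None
    end = rec.patched if rec.patched is not None else today
    return (end - rec.learned).days


def exposure_days(rec: VulnRecord, today: date) -> int:
    """Days from public disclosure until patched (or until today if still open).

    This window keeps growing whether or not anyone inside the org knows about the issue.
    """
    end = rec.patched if rec.patched is not None else today
    return (end - rec.disclosed).days


def summarize(records: List[VulnRecord], today: date) -> Dict[str, object]:
    """Aggregate both views so the two numbers are always reported side by side."""
    closed = [r for r in records if r.patched is not None]
    still_open = [r for r in records if r.patched is None]
    unaware = [r for r in records if r.learned is None]
    return {
        "median_remediation_days": median(remediation_days(r, today) for r in closed) if closed else None,
        "median_exposure_days": median(exposure_days(r, today) for r in closed) if closed else None,
        "open": len(still_open),
        "unaware": len(unaware),
        # worst current exposure among unpatched items, including ones nobody has noticed yet
        "max_open_exposure_days": max((exposure_days(r, today) for r in still_open), default=0),
    }


# Constructed sample data for the illustration (not real vulnerabilities or real dates).
TODAY = date(2019, 1, 15)
SAMPLE = [
    VulnRecord("hypo-1", date(2019, 1, 2), date(2019, 1, 4), date(2019, 1, 10)),   # learned quickly, patched in 6 days
    VulnRecord("hypo-2", date(2018, 12, 1), date(2019, 1, 3), date(2019, 1, 5)),   # patched 2 days after learning, but 35 days exposed
    VulnRecord("hypo-3", date(2018, 12, 20), None, None),                         # nobody has noticed it yet
    VulnRecord("hypo-4", date(2019, 1, 8), date(2019, 1, 9), None),               # known and still being worked
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.vuln_id, "remediation:", remediation_days(rec, TODAY), "exposure:", exposure_days(rec, TODAY))
    print(summarize(SAMPLE, TODAY))
```

Reporting only `median_remediation_days` for this sample would show 4 days and look excellent; the same records carry a median exposure window of 21.5 days and one unpatched item that has been public for 26 days without anyone inside the organization knowing. Both numbers belong in the metric.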

I also understand that “industry best practices” can be a little flexible and arbitrary, but I don’t have a great alternative to that beyond constant review and improvement with multiple eyes and documented reasons and justifications for policies and standards.

the three laws of opsec

Just saving for future reference.

Three laws of OPSEC (Kurt Haase)

  1. If you don’t know the threat, how do you know what to protect.
  2. If you don’t know what to protect, how do you know you’re protecting it.
  3. If you are not protecting it, the dragon wins.

the position of threat hunting

It couldn’t be more timely to see a couple blog posts on the topic of threat hunting, one from Robert M. Lee and another by Richard Bejtlich. (Updated to also add some Twitter comments links, as I think I agree with this position.) Reason? The past couple weeks I’ve been reading papers and other posts and job descriptions of “threat hunting,” as I try to figure out what that means and what it does in a security organization.

See, I’ve been part of the infosec community since around 2001 in some form or other. But around 2014-2015 or so, I fell a bit out of touch; I didn’t read much from twitter or other blogs and feeds of mine and didn’t really do any cons or other learning. As such, I turn around in 2016 and plug back in, and things like “kill chain” and “threat hunting” take me a bit by surprise at how suddenly they’ve popped up. And in the case of the latter term, I’ve been trying to figure out where it came from and what it really means. I mean, I like the idea of the task, but it doesn’t seem like a full time position to me; it seems like an amalgamation of other duties, or maybe just a way to save money on external pen/red team tests by getting internal offense members, and concocting some additional things for them to do so you don’t lose them to boredom.

(Side note, it’s an interesting time, where organizations want to do more than just strictly blue things, but it’s hard to make sure your offense-minded folks don’t get bored or jump for those flashy full-time pentesting gigs. Likewise, blue tools and signatures are reaching their limits of usefulness, but other techniques and detection and analysis require more effort, intelligence, and experience to wield for proper value; enter offensive minds.)

My confusion stems from hearing about the tasks, and not being sure if the hunter is looking for latent, active compromises in dark corners of the enterprise, or if they are testing for weak points in an organization’s posture and providing fixes. Or maybe they are like architects for new tools like UBA/UEBA as they attempt to emulate attackers and define how detection tools may help identify them better, especially when you have to rely on behavior and anomalies rather than hard signatures or IoCs (hey, there’s another surprise term that is new!). To me, security is not just about watching alerts in a SOC, but about constantly improving the position of the security functions. In a sense, I’m always looking for ways to have more complete visibility, or at least know where my blind spots may be. Role-playing and tabletop exercises help stimulate that thinking as well. Things like analyzing a new vulnerability announced and how to tell if that affects or has already affected me, or a new minor incident and what pieces of information are annoying to procure. Every blue question has a chance to improve the environment.

Also, is a threat hunter part of the blue team, part of the IR team, or part of an internal red team? Or maybe some combination of two or more of those areas; a sort of way to fill in some time between other tasks. Is it a way to get your SOC members something a little more mentally stimulating than watching alerts all day? Does it complement or replace role-playing exercises?

Anyway, I don’t have these answers yet, but these were timely articles on a topic I’ve been currently wrestling with.

learning and career goals for 2019

Yearly, I try to make an achievable plan for studying and career goals and ideas. I’m not getting any younger, but even now my eyes are wider than my free time when it comes to wanting to learn things. It’s a “problem” I’ve had forever, but I definitely want to make sure as I make these year-long plans that I at least maintain some sanity. I’d mapped out my previous 2 years, and I am super happy with the process and my results, so I’ll push myself again some more this year. I’ve added 4 certs (plus the learning!) to my belt over the past 2 years (OSCP, OSWP, CCNA Cyber Ops, GCFA), plus all of the learning and growth that come with them, and I have some more lined up this year.

My theme for 2019 is going back to the offense, and specifically web app testing with some binary exploitation thrown in. Every year, I’ve been striving to alternate between being defense-focused or offense-focused in my formal training. We’ll see how well I keep that plan up!

For some of the items below, I have more fleshed out maps and resources to pursue than what I list here.

Formal Certs and Courses

  • SANS SEC542 (GWAPT) at SANS East – GWAPT has been at the top of my list for SANS certs for a while. I have a long history of working with web servers, sites, coding, and attacking, but I still feel somewhat of a neophyte when it comes to web app testing (and I probably am intermediate at worst). I really want to beef that up, or at least give me something tangible for reassurance. I also want to take care of this earlier in the year than I did last year’s SANS course in May, so I’m hoping to get signed up for SANS East somewhat soon. This will be a cert I pursue, too, so that will add a few months of studying. Specifically, I want to feel better wielding BurpSuite (and other tools), attacking SQLi issues, and doing some automated and manual web app scanning and testing.
  • TBD Second major training: Black Hat USA Trainings or SANS SEC573 (GPYC) Python or SANS SEC545 Cloud – I want to see what I can push for out of my work budget, so I’ve requested a second major training opportunity, but have left it more open-ended. I’ve also tried to pick things where I wouldn’t necessarily exit the event with the commitment of lots of studying for a follow-up cert. SEC573 will give me some excellent Python experience and I could still optionally pick up the cert. SEC545 was added later as a sort of acknowledgment that my AWS/Cloud specifics are a little weak in practice yet, and if work wants to send me to that, I’d be ok with using my second slot for it. If Black Hat gets chosen, I’d probably look for some further web app or other red team course to take, and then stay for Defcon on my own. This is pretty aggressive for me, but I’ll be super excited if I can make this happen.
  • Linux+ – I wanted to get this slotted in this year for reasons (a study-buddy or two). I consider this a slightly more informal certification to pursue, and I already have a Linux Academy subscription anyway. My goal here is just to get better with formal Linux knowledge and try out some peer support/mentoring. I’ve long had this cert on my distant radar as one of the few ways to demonstrate Linux comfort on a resume.
  • SLAE (+ OSCE prep) – OSCE continues to be on my radar, but it might be too much this year to slot it in for a full commitment. However, I would like to pursue my roadmap prep list to get there, which starts with tackling the SLAE from Pentester Academy and maybe some other companion topics. SLAE is very open-ended and I expect to learn a lot of things I’ve just not been exposed to before (assembly, shellcoding, etc).
  • CCSP (Cloud) – Another nod to being a work-influenced topic, but I wouldn’t mind spending some time studying up for the ISC2 CCSP (Certified Cloud Security Professional) cert. Definitely the lowest priority on my list. I could even replace this with the AWS Architect certification, which I can study for through Linux Academy.
  • Pentester Academy tracks (+Red Team Lab?) – I just recently signed up for a subscription to Pentester Academy and want to make further plans to slot regular learning from it into my free time. They have a Red Team Lab that I want to keep in mind, but it is a lower priority (and extra cost).
  • Linux Academy – Just an acknowledgement that I have this subscription active. What’s great is this will support not only Linux studies, but also cloud-related things.
  • Splunk Fundamentals & Power User – I want to get better with Splunk, and the first steps will be to pursue the free Fundamentals training and certification, and then look at Power User. This may get higher priority if work pushes it, or if I get sent to Splunk .conf again in 2019, where I can take a course or the exam on site. This one really depends on some external work influence to prioritize it higher.

That’s seriously aggressive for me. Even at my most conservative estimate, I should walk away from 2019 with GWAPT (2-4 months), Linux+ (a month or two), and SLAE (2-4 months), with CCSP and Splunk and OSCE lurking around the corner. That’s some serious work I’d have cut out for me, and I totally know it. And I haven’t even gotten to the informal topics I want to dive into over the next year! Thankfully, a few of them overlap…

Informal Topics

  • Web app topics and GWAPT prep – I have several books and topics that will go into my preparations for the SEC542 (GWAPT) course. This item really is just about making sure my web app work neither starts nor ends this year with just this course.
  • Binary exploitation / buffer overflows / reversing – I also feel inadequate when it comes to reversing, fuzzing, binary exploitation, and handling buffer overflows. This goes into my preparation for OSCE as well. I have some HTB boxes/challenges, courses, books, and a few other topics listed out behind the scenes that slot into this bullet item. This overlaps with more Python work, too.
  • Bloodhound (AD mapping) – A tool I want to not only try out, but incorporate at work.
  • HTB some more! RastaLabs / Offshore and POO/Endgame – I nearly got HTB out of my system this summer by hitting Omniscient with challenges and boxes. However, beyond just catching up on new boxes, HTB still has some offerings (free and paid) that I have yet to take advantage of. I’d like to. I currently have VIP access, but I’ve not decided if I will renew that next year. So this does mean I want to set aside some time to go through all of the retired boxes (along with IppSec walkthroughs as needed). This platform is great to jump in and out of in bursts to keep my attacker skills from getting too rusty.
  • Books – I have a list of books/ebooks that I want to consume. It’s not large, but significant enough that I wanted to put it on my goals list. I have a love-hate relationship with infosec/tech books. I used to collect these far more than I do today, but the number that never really got used outweighed those that I found useful to some degree or other. I’ve trimmed my collection down about 75% over the past 5 years, but I’m slowly picking out new ones to consume that I know will either be useful references or good actual reads/lessons.
  • BurpSuite – I list this here because I still want to get better with BurpSuite. I have a course identified that will help, but I imagine SEC542 will help as well.
  • Python and PowerShell – I continue to yearn to get back up to speed and beyond on PowerShell and Python again. If I can take SEC573, that will certainly bring my Python comfort way up. Grabbing onto some work projects can help with these as well.
  • Scapy – Scapy is something I want to learn as I pick up Python. It’s long been on my list, and I admit it’s still waiting due to lack of me needing it day to day.
  • PluralSight – I normally don’t just list a subscription I have, but I wanted a reminder that I have this subscription open, and if I don’t find uses for it in 2019, I should trim that cost off.
  • Home lab / Blog / Github – I have a whole list of things to do on the home lab that I won’t list (and commit to!) here, but it’s a thing on my radar. One thing this does include is cleaning up this blog a bit and using my github for more things. The main immediate item will be moving all my links on the right pane over to a github page and maintaining it there for the future.
  • Leadership – From the triple threat route, the one place I have no demonstrable experience is infosec leadership (vs offense and defense). So if I have chances, I should try to tackle and succeed with project management, vendor relation, team mentoring, and presentation opportunities. I’ve long been a team leader/mentor type, but have rarely translated that into something demonstrable, visible, or upward-facing, if that makes sense.


  • SecDSM – Monthly meet-up that I always attend and will continue to do so.
  • BSidesIowa – Local Bsides event that I’ve always liked. I may focus more on the CTF this year than talks, though.
  • SecureIowa – This was only ok for me, but it helps that it takes place during the work week.
  • Wild West Hackin’ Fest? – I’d love to try and get to this next year. Slotting it in, but not sure yet.
  • Splunk .conf 2019 – If work wants to send me to this, I’ll think about going. It’s in Las Vegas, so a little less exciting than before.
  • ArcticCon? – This is a red team vetted-invite con in Minnesota. I doubt I “qualify” for an invite, since I don’t have a red team job, but I sure would love to go.
  • Defcon – If I get a chance to be sent out to Black Hat USA, I’ll stay a little longer on my own dime to attend Defcon again. If not, it’s pretty unlikely I’ll go on my own.

Cert renewals

  • CISSP – This is just my yearly CPE maintenance. As long as this is easy to maintain, I’ll keep it up, since I have no real reasons why I shouldn’t.

ranting and could care less about obscurity

Maybe it’s because summer has given up the fight and it’s diving colder today for the weekend, but I feel ranty.

My other rant this morning is about security through obscurity. I hate seeing people say that this is bad. I mean, passwords fit into this category! The proper frame of mind is to say, “security through *only* obscurity” is bad. I can move my SSH port to tcp 32154. Does that make SSH more secure? Not in itself. Does it make it harder to find and thus adjust my risk factor? Yes, somewhat. All those port 22 scans on the Internet will pass me up. Obscurity can certainly be, and almost always is, part of one’s security posture.
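To make the “obscurity is one layer, not the whole posture” point concrete, here is an added sshd_config fragment (my example, not from the original post; the port number is the one mentioned above, and the account names are hypothetical). The Port line on its own is the obscurity-only setup: it drops the host out of bulk port-22 scanning but changes nothing about who can log in. The directives after it are the controls that still hold once someone runs a full port scan and finds the service.

```sshd_config
# Obscurity layer: a non-standard port keeps the host out of bulk port-22
# scans, but a full port scan still finds sshd, so this alone is not a control.
Port 32154

# Real controls: these hold even after the port is discovered.
# Key-based authentication only; no password or keyboard-interactive logins.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# No direct root logins; limit brute-force room per connection.
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20

# Only named accounts may authenticate at all (hypothetical usernames).
AllowUsers alice bob
```

Before restarting sshd with a moved port, run `sshd -t` to validate the file, open the new port in the host firewall, and on SELinux-enforcing systems label it with `semanage port -a -t ssh_port_t -p tcp 32154`; otherwise the restart locks you out, which is the failure mode people usually hit when they treat the port change as the whole job.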

Also, I hate when people say, “I could care less.” Well, that means you could in fact care less, which means you care. You mean to say, “I couldn’t care less.”

*curmudgeonly sounds*

pessimistic on security awareness vs technological controls

(This post is going to sound exceedingly pessimistic about us humans. It’s purposely slanted a bit to make some points, but also to let me rant just a bit.)

I just got done reading a rather large post elsewhere about information security training. And it was long, and detailed, and probably more detailed than anyone actually does, anywhere, without multiple full-time staff dedicated just to training.

Which brought me to the question: why do I take a slightly more pessimistic view of security awareness training? I like awareness training, but I put more emphasis on actual technology controls than I do on trusting people to do the right thing. I’ll trust, but I’ll verify. I’ll say security awareness training is necessary, but I won’t say it’s one of the key tenets I lean on to provide security, or one of the most important things one can do in the business to improve security.

To me, training has a few achievable goals (this probably isn’t my exhaustive list, just a quick one):

1. checkbox. Let’s face it, requirements are a driver.
2. education on process – Make sure everyone knows how to deal with incidents or questions. Know to dial 911.
3. education on best practices – Enough knowledge to have a chance to make the correct decisions.
4. education on bottom-line performers – Provide education to those who truly didn’t know these things.
5. education about controls – What they are, why they’re in place, how they help. How to work with them instead of against them.
6. education about things too nuanced for actual controls (lots of social engineering falls here, and this is the elephant in this post).

That makes it sound like I want to deliver lowest denominator training, but that’s not true. I actually think training should challenge the audience a little bit, and make sure it improves knowledge, rather than baseline it. I prefer trainings that add value, even a little bit, to the audience, rather than “yet again” going over the same ol’ bullet points. I want people to learn something and not feel talked down to. One of the main problems is such learning can get into technical weeds pretty quickly. Questions like, “Well, why is this password weak?” or “What do you suggest to be more secure at home?” get deep very quickly, if you’re not careful and empathetic to the audience. Also, random attendance can mean you get non-technical folks in with the developers, and those developers love to ask questions about password complexity, because it’s arguable and there’s no real good right answer, which muddies the experience.

But, why do I get pessimistic about awareness training? For the same reasons I think people suck when they make risk decisions while driving. Unless there are radar detectors or tickets waiting around a corner, many drivers will drive at a speed that matches their own desires and risk tolerance, which often seems to be 5-15 mph over the posted speed limit, but sometimes more. Let’s just say 30% push this boundary marker on any given road.

These are the same people in the business as are on the road. And in the business, they have their own goals and things to get done for their job, boss, and customers. In fact, I would guess that 30% of employees will do whatever they need to do to get their jobs done efficiently, even if that runs contrary to security policies, as long as they’re not outright prevented. Need to trade a document with a client, but the client balked at the clunky “email encryption” solution you utilize? It’ll be ok to use Dropbox this one time. Email is too clunky? It’ll be ok to use Messenger on my phone. I need to work on this highly confidential document at home this weekend and I don’t want to bother VPNing in? It’s ok this one time to put it on my personal USB stick.

People will do what they can get away with if it is in their best interests. People are innovative, creative, selfish, and usually pretty passionate and determined. None of that should imply malicious, but there are malicious actors lurking as well.

This means you need to pair up education with technological controls. Actually stop the unwanted behavior as much as possible, or detect/alert and provide feedback when it occurs. And educate about those controls and why they are in place. It also means that breaking security policies should cost users more than they gain, making it actually in their best interest to follow the policies.

Education only goes so far. You can post signs about children at play, school zones, speed zones, and even radar enforcement. But you have to have controls in place that properly detect, prevent, stop, and penalize unwanted activity if you truly want to reduce and change behavior.

I do think people generally want to do the right thing, but that often slides to the side when someone needs to get something done.

If a control impedes business or seems like it stifles innovation or “getting the job done,” then it needs to be discussed, along with the reason why such controls are needed. This way alternative solutions can be identified and tried out, rather than users crying about security and security crying about users. Both sides need to know the lines, the controls, and where the business itself wants to draw them.

my certifications and how they helped or did not help the career

A thread recently came up on a forum about the order in which people got their certifications and which ones helped their career or were unnecessary. I typically don’t try to regurgitate my life story in random places, but I liked the question enough to ruminate on it a little bit. My certification path is a “stop and start” type and requires a few extra timeline points to explain some things.

~1998/1999 – Started blogging – Just a personal milestone for me.

2001 – MIS 4-year degree – A career milestone. I may have felt a little obligated to get this; I mean, after high school, you go to college, right?

2001 – Found a deep interest in information security – Several factors came together to this realization (writing a gaming site post about finding a career by using your PC gaming skills and getting into Linux distros, for instance), but the singular event that really informed me was picking up a random thick book from Barnes & Noble in my earliest efforts to keep learning after school: Hack Attacks Revealed by John Chirillo. The knowledge and attack/defense tools stoked a fire that will not be going away.

~2001/2002 – Started blogging about tech/security & first vanity domain – At some point, I started blogging regularly about tech stuff and security topics, mostly just interesting links and tools. Many of these posts are either lost or buried in another data file backup somewhere along with personal blog postings. After leaving school and leaving their nice hosting, I also picked up my first vanity domain.

2002 – First “real” job – Basically, the real start of my career!

2002-2006 – Lull #1 – My 4 years at this job marked two things. First, I learned an absolute ton and had an absolute blast doing it. I grew by leaps and bounds during this period. Which probably is the reason this period is also marked by no formal learning or certification. I was underpaid by a company that also wouldn’t pay for training, but I didn’t much mind it since I was learning so much on the job. So, this was my first lull in learning, but it didn’t really feel like it. I have a strong nostalgia factor from these years of my career, work- and enthusiasm-wise.

2006 – Security+ – A job change later and I wanted to demonstrate my interest in security better. Before LinkedIn, you really only had in-person networking and your resume to demonstrate security acumen. If your job title was generic, but you managed security devices, it was difficult to show it. Also, I wanted to learn more. Security+ worked great for this. Spent personal time studying books and passed the exam. At the time, this was also a lifetime cert, which was a bonus I didn’t appreciate until later.

2006 – domain – At this point, my technical blogging eclipsed my personal stuff in both effort and frequency, so I separated them with a second vanity domain. I took some effort to pull old technical posts into this blog, but some much older stuff I didn’t bother with.

2009 – CISSP – I also pursued this one on my personal time using self-study books. I would happily pass on my first attempt. Even at this time, there were threads of CISSPs being derided for not actually knowing anything (one guy at my testing center that I talked to was a sales guy on his third attempt, because it was required for his sales position…), but there was and probably still is no better certification to demonstrate interest in and at least some wisdom about security. In fact, this cert probably opened the most doors and got me the most recruiter attention of anything else I’ve picked up, by far. It’s definitely a gateway cert, and I think everyone in security should at least have this on their roadmap. Sure, you can skip it if you have good demonstrable security work and/or good networking, but for most of us, this makes a statement itself. Even now, almost 10 years later, I’m not sure when I will burn it or let it lapse… On the down side, I didn’t get a raise for this, paid for it myself, and didn’t use it to springboard into another job. Maybe a wasted opportunity for me, but I like where I am today for it.

2009-2017 – Lull #2 – During this period, I grew quite a bit with my skills during work hours, but for the most part, I did not pursue any formal education. I signed up for the PWK/OSCP (PWB at the time) cert, but work threw me, well…work, and I didn’t have the time to devote to it, so I let it slide. It didn’t help that my company did not really budget for training nor encourage it; in fact, I had a manager whose teams always seemed to stagnate and work behind the times with old tech/code/habits. I wouldn’t say I coasted during this period, but I was very comfortable and my days were filled with work at a manageable pace.

2017 – OSCP – Finally started getting that bug to get better jobs and re-find my enthusiasm and learning passion that I had in my first “lull” and early years. I decided to pursue the OSCP again on my own time and dime, and achieved it after about 4 grueling months. Of all of my certs so far, this one gave me the most street cred, and for hiring managers who know it, it definitely gets their attention. Particularly the 24-hour exam.

2017 – OSWP – I knew I wanted to keep learning, and I remember the heydays of war-driving and BackTrack wireless cracking, so I wanted to revisit those activities with what I knew was a much lighter cert in the OSWP. Took about 2-3 fairly casual weeks from start to finish. I really enjoyed it, and it left me hungry for more.

2018 – CCNA Cyber Ops – I don’t remember how I learned about this, but Cisco basically gave out free training and certification exams to lots of people who already had various industry certs, so I got this certification for free, though I did have to devote plenty of personal time to get it. This didn’t improve my resume at all, but I did like the experience. And I have to be honest, while I kept up with security blogging over many years, from about 2015-2016 I got a little out of touch with the security industry. Taking the Cyber Ops course filled in some gaps on newer ideas like “threat hunting,” the “cyber kill chain,” and the “diamond model,” which had basically been introduced during that time. Ultimately, this course got me back up to speed on the buzzwords of a SOC. Unless Cisco builds something compelling around it, I don’t plan to renew this one.

2018 – GCFA – For me, this is the first time in my career I’ve had corporate backing for education, and also marks a culmination of the next part of my career where I have strong, specific goals for growth. Also, a point where I stepped just slightly outside my comfort zone to formally learn something new that I identified as a weak spot.

One thing I notice in my timeline compared to some other postings in that thread is how some people earn certs and are immediately rewarded with a new job or a raise of some sort. My timeline has almost none of that; I would not say that any of my certs directly led to a future job. Maybe a few interviews, but certainly not in the same calendar year as the cert was earned. I’ve also had the luxury of not having jobs that required extra study.

I also noticed that I never had (until this year) company or managerial backing for growth like this, and I also never had peers or colleagues who pursued certs or further formal education. That certainly makes a difference, as I am influenced by those around me, as most people are. I had to find the effort to self-start, most of the time.

There’s really no way to say it without sounding conceited, but all of my certs came from my own motivation and my own desire to learn and/or demonstrate knowledge in security. That’s not any less or more than other reasons to get certs, but I found that enlightening for me. It also helps illustrate what makes me happy, what drives my passion for this industry, and informs my plans for the future.