the oscp cocktail, preparing the pwk

A while back I earned my OSCP. I have written my reviews of it in two parts, once just on the logistics of my course experience, and another with advice to others. I often see requests on what to do to prepare for the OSCP or what it takes to earn it, and I have a saved response that I often give out to those learners. And I realized I’ve never really put it down here on my blog in complete format (a large chunk of it comes from the aforementioned advice post). So, here it is in entirety: my advice to people with the question, “Am I ready for the OSCP?” (A.K.A., part 3 of my OSCP series…)

Let’s first take a step back and ask this question: “What do you hope to get out of the OSCP experience?” In other words, “What is your purpose?”   

There are two main goals for the OSCP, though one really overshadows the other. First, the OSCP cert will open doors to pen testing and other security jobs; it’s a way to confer some immediate credibility amongst those who know what the cert is about. Secondly, and most importantly, the cert and lab are ways to teach pen testing methodology and frame of mind; how attackers work. It’s not about pwning more systems, or getting another add on the resume/CV; it’s about learning how to think like an attacker and efficiently evaluate systems and provide value for customers and admins.  

My OSCP prep advice is pretty much always the same, and yet it depends on what every student brings to the table. For me, if I were making an OSCP cocktail: 

  • 1 part Windows admin – know how to turn services on and off, add users, change passwords, browse through cmd and windows explorer, RDP, etc.
  • 1 part Linux experience – Know how to move around directories, read files, create files, use a text editor, create users, change passwords (linux essentials or linux+ prep courses will help)
  • 1 part LAN networking – TCP/IP knowledge, ports, arp, wireshark/tcpdump familiarity, firewalls (host and network), dns
  • 1 part security knowledge – general attack classes, goals, major OS vulns over the past 20 years; a pen test course or book works
  • 1/2 part Kali experience – poke around it a bit, experience installing it, logging in, location of some tools and the interface
  • 1/2 part Metasploit knowledge – have used it a bit, run through the free Metasploit Unleashed course
  • 1/2 part web server/client knowledge – nice to have hosted anything with apache/iis in the past and understand config files, ports, php/javascript a little, client vs server-side processing, dash of SQL syntax
  • 1 part coding/scripting logic/basics – if you can make a bash/perl/powershell/c/python script or have coded in the past enough to read and minorly edit script/code chunks, you should be good to start; nothing amazing
  • Sprinkle of efficient Google searching ability 

Bring all of that or more to the table, and you’re set to be slammed in the face with the course material and then hit the ground running in the labs.  

Keep in mind, the course is an entry into pen testing; it’s not a requirement to have popped root shells in the past. The course will grab your hand and start you off the on the path. 

If you want the best example of what you’re in for, go to cybrary and have a perusal at Georgia Weidman’s Advanced Penetration Testing course. It’s free, and will be the closest and quickest way to see what you’re in for. Vulnhubs and hackthebox are fine for practice and to understand the process of enumeration, but they’re not necessary at all. 

Google for OSCP reviews. They are full of suggestions and resources, and usually give a great idea of what the course and exam experiences will be. Don’t over-mystify the course or exam, and thus, don’t over-prepare! Dive in and get on it. 

Try to become familiar with the Kali Linux and the tools it has and the layout. This will be your home base for the course, and has pretty much everything you’ll need.

For those newer to Linux, start using a distro on a day-to-day system and find some online courses on Linux security and administration and shell scripting/commands. Linux+/LPIC-1 level skills are good, anything beyond is great. Also suggest a Bash Shell/Scripting primer.

For those newer to Windows, find some courses on Windows security and OS administration. This includes hosting server-type applications (e.g. web platforms).

Learn some Metasploit. It’s worth it and it’ll get used, whether in the course or beyond as a pen tester. Off Sec has a free Metasploit Unleashed course.

Learn some basic, free, staple tools and get comfortable with working various switches: nmap, unicornscan, curl. Google the top 100 security tools and at least know what you could use each one for. You don’t need to wield/install each one, but feel free to try any out.

To get familiar with some of the big security issues over the past 15 years, grab a copy of Hacking Exposed (McClure, Scambray, Kurtz).

For pen testing theory, check Penetration Testing: A Hands-On Introduction to Hacking (Weidman) or the slightly more up-to-date The Hacker’s Playbook 2 (Kim). The Hacker’s Playbook 3 is even more updated!

Have a decent enough grasp of networking to know how TCP/IP works in general, use and read some Wireshark/tcpdump output, and understand IP addressing, firewalls, and ports.

Have a decent grasp of how web technology works, from configuring web servers, looking at simple HTML/PHP/ASP code, simple SQL queries, and how browsers interact with the web server.

Install some security-related browser add-ons and poke around the Developer tools in place in every major browser these days (F12).

Dive into Python or Perl enough to get into Socket or web request programming. Very useful to start swimming in the ocean of editing or making exploit code or enumeration scripts. Having had a course or class in basic programming is great, as you can start to consume any language if you know the logic. (This is not necessary, but very nice!)

Start thinking like an attacker. This often comes with experience, but start thinking of ways you can get to Goal X or Access Y. What mistakes do you look for? What isn’t default?

Lastly, know that OSCP/PWK comes with course materials and videos that teach you everything you need. So don’t think you are going into this being tested from day 1 and spend 2 years trying to prepare for something that is meant to teach you new skills in the first place. You’re going to be learning from day 1 until day X.

So, what can you do to practice, if that’s what you feel you need to do? Download and install a Kali VM. Join Hackthebox (HTB). Watch Ippsec YouTube videos on retired HTB boxes and follow along. Download VMs from vulnhub and follow walkthrus on those boxes. Read OSCP reviews for more viewpoints. Pwn and have fun!

passed ccsk

In mid-August, I continued my studies into cloud security by tackling the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) v4 (2017). This is a vendor-agnostic certification based around guidance documentation for cloud security topics (commissioned from Securosis, by looking at the author list). This is a really good treatment of cloud security, with heavy applicability to pretty much everything other than procedures on how to actually do the things in various services.

Logistics. The cost is about $400 and comes with 2 attempts to take the 90 minute 60 question exam. The exam itself is mostly multiple choice with some true/false questions thrown in. Passing is 80%. The exam is also available online, so you can not only take it at home any time you want, but it is also an open book exam. The study materials are really threefold. About 87% of the exam is taken from the CSA Security Guidance v4 (2017) which is 152 pages long. The rest of the exam is pulled from the CSA Cloud Controls Matrix (a spreadsheet of controls) and the ENISA Cloud Computing Recommendations (~150 pages). If you’re absolutely crunched for time, I think a student could be fine just being aware of the ENISA and Controls documents. Though, honestly, they’re really good materials to consume, exam or not. Oh, also they’re all free to download past a register-wall you can fake out.

Exam Details. The exam questions from the ENISA and Cloud Controls Matrix materials are actually labeled to say they refer to those materials, so you don’t really have to guess. I had some questions with those dreaded “A and C” or “A and B” answers. I would also say that about half of the questions I could do a Find on the materials relatively easily, and less than half the questions were much harder to do that. It definitely helps to know the general format of the main document and where answers will come from and I found it pretty clear most of the time which domain a question came from. The only overlapping domains that get a little confusing are the Management Plane and Infrastructure Security domains. I ended up using 86 of the 90 minutes on my first pass through the questions, with an answer for every one. I then spent all but 20 seconds of the remaining time reviewing 6-8 questions I had marked for review. You do not get to see the answers after you finish, but you get an extensive breakdown on how you did on the 14 domains and 2 additional materials.

Realistic Expectations. I think someone with 1-2 years of cloud experience will still find something to learn through the exam. Someone with 2+ years of general infrastructure IT or IT security should be able to follow along pretty easily as well, and learn a lot about cloud computing considerations. This isn’t some crazy difficult senior level type of certification, but it’s also not a push-over either. I think it’s really the price tag that keeps it from being something you just do to pocket it, and you only do it when you actually want/need it. I think anyone working in cloud security or even engineering/architect should honestly have this cert unless their experience level is already beyond it. There is also training offered, but I honestly am not sure it would be necessary unless someone is new to IT.

My results. I have a long background in IT solutions and systems and security (15+ years), which means the material felt very comfortable to consume and made for easy (if dry in some sections) reading. My cloud experience is minimal, but growing right now (I passed the AWS Cloud Practitioner certification about 2 weeks before this one). When I sat to use my first attempt on this material, I did so not really being confident that I would pass, but wanting to see what the exam was like and what my gaps were. I typically have 2 desktop systems at my desk (3 monitors total) and I can set up another dual-monitor laptop when needed, which I did for this. Doing so allowed me to have all three documents up while also having the exam front and center. This let me look things up very nicely. I also had some somafm going on in the background as my preferred mood music. I felt good going through my first attempt, and was surprised by passing on that first try quite comfortably. I will say if I hadn’t been able to look up answers, I don’t think I would have passed this as the questions really do get a bit tricky. That said, the material along is well worth the time spend to read and reference as you or your organization make moves into modern cloud services.

passed aws cloud practitioner

A few weeks ago I took a couple exams and passed them both. One was the AWS Cloud Practitioner exam. This is the entry level AWS certification that teaches students how Amazon Web Services works, the services offered, and the pricing and billing concepts. AWS suggests people with 6 months of experience with AWS should attempt this course, but honestly that could probably be less.

I have been working in IT since 2002 and as a systems administrator since 2004 with heavy emphasis on web support and infrastructure. I have a deep level of knowledge on all sorts of concepts that helped digest and understand AWS offerings pretty quickly. But, other than maybe a singular hands-on workshop a few years ago, I’ve really not been hands-on or actively knowledgeable about AWS at all beyond hearing about insecure S3 buckets and this Lambda serverless craze. And really, my lack of knowledge has probably been around not having personal time to dive hard into it, and also until recently not having worked for a company that adopted anything cloud-based.

And that brings me to my motivations, which foremost includes the business I work for going hard into cloud adoption in the next couple years. Also, as I get older and technologies come and go, I do feel the need to remain current, or at least conversant with current stuff. And I really felt like there were two places I could improve and grow a lot: application security and cloud (AWS) security. So, to tackle the latter topic, I’d decided to soft-scope some AWS studying into the second half of 2019.

I opted to start with AWS Cloud Practitioner mainly due to the fact that I really didn’t think I knew AWS enough to pass that exam if I had taken it 6 months ago. And that would have been true! There’s zero chance I would have passed, and likely not even gotten anything but the concepts/benefits of cloud-computing correct. The goal is to go further, so this cert is just a stepping stone into AWS.

For study, I followed a pretty quick timeline lasting only about a month. I had planned to take a little bit longer when I was less sure about the scope of the material, but in my timeline I built in a review period where I would drop other ideas and tasks if I felt like things were progressing well and I had overestimated the exam depth. That was a good idea, as I ended up finishing the exam in something like 20 minutes with a 957/1000 score, and saved several additional weeks of work and study.

I first signed up for a 7-day trial at ACloud.Guru. I had read that they’re a great training resource, but maybe could go deeper into some topics and best consumed alongside a second resource. So I started there. I then cancelled my account on day 6, so I really spent no money on this step.

I took Introduction to AWS (1 hour), AWS Certified Cloud Practitioner 2019 (5 hours), AWS Certification Prep Guide (2.5 hours), and as a bonus to myself, the Mastering the AWS Well-Architected Framework course (4.5 hours). Most of this was pretty good, with the clear standout of the Well-Architected Framework course which was excellent, and easily digested due to my background. Still, I didn’t feel completely prepared for the exam. It’s hard to tell for sure, but I suspect I may have been a lot closer to the passing cut off if I had just done these courses.

I also started working through the Udemy “course” AWS Certified Cloud Practitioner Practice Exams 2019 by Neal Davis which I purchased when it was on sale for $20. These are 6 practice exams and probably ate up about 10-12 hours of effort to take and review them. I highly recommend going through these practice exams. The only caveat is that these exams are decently harder than the real exam I took. But, that’s a good thing! I scored around 76-86% on these.

I also have a Linux Academy subscription already, so I augmented my studies with a newer course AWS Cloud Practitioner (CLF-C01) by Tia Williams (11 hours) . There are also some labs scattered in here, which, while very much just follow the instructions and click things, was nice to get some hands-on time for me, since I really haven’t had any. Also, note how this course is much longer than the one from ACloud.Guru. In my estimation, had I stopped and not done this Linux Academy course, I’m not sure I would have passed the exam; it would have been close!

I also made a couple Coggle mindmaps during my studies to keep track of the groups of concepts and services. This was a wonderful idea I found mentioned on another blog review of the course. ( )

As a last step, I took a few hours to breeze through actual material from AWS, namely the Overview of Amazon Web Services, Architecting for the Cloud: AWS Best Practices, and How AWS Pricing Works whitepapers.

As I said, I had more things planned, but I suspected this is more than enough to pass the exam, and apparently I was correct!

Moving forward, I plan to do more cloud studying before the end of the year. Next, I’d like to read the materials for and pass the CCSK certification. I will then start preparing for the AWS Solutions Architect – Associate exam and start doing some AWS projects. My ultimate goal is to earn the Security Specialty in early 2020 and maybe the CCSP later in 2020 as well. I’m still being a little aggressive here, but I think this is doable and a little less pressuring like lots of my other heavy technical studies in the past few years.

I would also say that unless someone is comfortable discussing the various services in AWS, the benefits of the cloud, the pricing structure of AWS, and the support offerings, this cert is a good and pretty inexpensive (in time and money) option to get started. Otherwise, for others with comfort in the above topics, it may be worthwhile to just dive into one of the Associate level tracks.

passed linux+

A few weeks ago I took a couple exams and passed both. One was the Linux+ (powered by LPI) LX0-104, which is the second exam in the Linux+ certification track. This pass resulted in my earning both the Linux+ and LPIC-1 certs as I had taken and passed LX0-103 earlier this summer.

I’ve been a relatively casual user of Linux since about 2001. I’ve used it as my primary desktop at home for probably the last 10 years, but that doesn’t mean I’m any sort of power user. I know enough to pilot myself on Kali Linux through the PWK labs and the OSCP cert, and probably approach a Linux administrator job. My day-to-day tasks on Linux at home are just general web browsing and media playing on Ubuntu; things where you can just set things up and stay in the GUI all day every day.

Still, all of that exposure left me very comfortable in Linux and able to pick up on things very well to fill in my gaps of knowledge when studying the Linux+ topics.

And that is the main part of my motivation for this cert: To shore up my foundational knowledge on Linux. I’m comfortable, but I certainly have gaps as I am not a full-time Linux admin or power user. And having that strong foundation can carry over to many other things like cloud servers, linux forensics, linux pen testing, securing linux servers, etc. While I’m comfortable in Linux, I’ve seen the opposite end of the spectrum in something like the SANS forensics course FOR 508, where students with nearly 0 Linux experience have a huge learning curve just to be able to operate inside the main forensics tools and VMs. I’m glad I’m not at that point, but going even further helps that comfort.

I’ve also long looked at Linux+ as a cert I’d like to get to illustrate some knowledge of Linux, but have never really put the time or effort into pursuing it. At the start of this year, I found that CompTia was going to change this cert later this year by updating its content from v4 to v5, ending the relationship/connection with LPI, and also converting the lifetime status of the cert to by something you’d need to renew. I really like my lifetime Security+, so this change helped prompt a decision to make getting this cert a goal of mine for this year.

Since I already had a Linux Academy subscription, I used them as my primary resources for studying. As the Linux+ cert content is being updated, some of these courses are no longer useful, and I was initially confused on which courses I should be focusing on. I utilized the Linux Academy labs for tasks I wasn’t quite as familiar with. Their cloud-based ability to spin up a CentOS server for me to read man pages and help files was really nice!

I started with Linux Essentials (14 hours) last year, and finished it early this year.

I followed that up with LPIC-1: System Administrator Exam 101 (v5 Objectives) (21 hours), which was partly confusion on my part due to the exam changes, where I should have been looking at v4 content and not v5. Still, I welcome the learning.

Then I completed Linux+ and LPIC-1: System Administrator – Exam 101 (v4 Objectives) (20 hours) before taking and passing the first exam.

Lastly, I took Linux+ and LPIC-1: System Administrator – Exam 102 (v4 Objectives) (23 hours) before taking and passing the second exam.

From the exams, I don’t remember much about the first exam already, but on the second, I did score lower than I wanted to score. I blame that on taking a month to start studying AWS before my exam date, so most of my exam experience was pulled from ingrained experience rather than recent memory from studying things. To be fair, I only spent about 25 minutes on that second exam.

The exam was fine, but it was definitely off-putting to get several questions dealing with IPv6 vs IP4 and IP addressing and subnetting. I get the need, but should have been out of scope of this particular type of exam.

I was a little skeptical taking this on as a personal goal this year, as I already know plenty of Linux and it was maybe sort of a “I had this idea years ago and I’d like to complete it” sense of vanity. I also really had nothing to gain from the cert itself; it won’t land me my next job or trigger a raise. However, I’m glad for having done it, as it’s really my first formalized amount of training on Linux, which helped answer questions, fill in gaps, and learn some new things. (So, that’s why dual booting was such a pain so many years ago!)

I feel more even more confident in Linux now, which can open up further doors down the road like diving harder into Linux forensics, Linux pentesting, managing my own attacker platform better, and so on. These were all probably approachable already for me, but now even more so.

Moving forward, I don’t have any plans right now to get any other Linux certifications. The effort and cost for pursuing the Red Hat or Linux Foundation tracks when my job title does not include “Linux” just isn’t a priority for me. If I had to choose one, it would be difficult. Red Hat is more recognized, but Linux Foundation wouldn’t require travel. I wouldn’t entertain doing any more LPI as it is just multiple-choice.

For others looking to get this cert, I think for anyone looking to be a Linux administrator should make the Red Hat or Linux Foundation tracks a priority, with this an optional step along the way. I’m not really sure the cert itself is worth it, but the studying towards it would be. For someone with no or little Linux experience looking to put something on the resume, maybe for a blended security role, and not looking to do a hands-on admin practical, this makes for really one of the only options. After October, 2019, there will be Linux+ and LPIC-1 as separate, competing certs, but I’m not sure which would be preferred. Probably Linux+ as it could help support renewals of other CompTia certs, and vice versa. For someone comfortable in Linux, this really becomes a personal decision that could go either way, which is the boat I was in.

passed gwapt

Less than 2 months ago I sat for SEC542 at SANS East in New Orleans, and this past Friday I sat for the GIAC Web App Penetration Tester exam and passed with a 97%.

My goals and background. My purpose for taking this course and exam was to gain more experience and comfort with web app pen testing methods. I’ve worked in web server/client environments as a sysadmin and security admin for many years, and I’ve had some exposure to web offense tactics and tools from the PWK/OSCP days and from various HTB boxes as well. I’ve not made or maintained any “modern” web sites, but I have some web coding experience back in the painfully early years of the web and feel comfortable reading or tinkering with most preexisting code. Going into this course, I already knew some of my weaker points: I am not entirely confident with SQL and sqlmap; my exposure to Burp Suite seemed limited (and exposure to ZAP being nil); and I also had not done much with Python in regards to requests and web work.

It speaks more to myself than to the course that I probably overestimated the material a bit (or underestimated what I already know). Pretty much across the board, with my offensive experience above I had probably seen and performed most of the attacks that we went over. That said, my weaknesses listed above were largely addressed. But, beyond working more with Burp, ZAP, sqlmap, and python, I really ended up being somewhat ready to move past this material. Now, that’s not to say I’m ready for advanced stuff, but I think it might be more accurate to say I’m ready to gain more progressive hands-on experience with testing web apps, either live or vulnerable testing apps.

My study process. After taking my first SANS/GIAC exam last year, I formulated what I would expect to be my repeatable process for studying for future exams. But, for SEC542, I definitely deviated from that process and skipped quite a few things. Once getting back from class, I started skimming through the material, doing a first pass on highlighting key terms and concepts. I have a process of highlighting tools and external resources that are tool-like, like cheatsheets, with an orange highlighter, terms and definitions and concepts with a green highlighter, and I underline in pen anything else useful so that they catch my eyes when I’m looking for answers later. If a topic continues on the next page, I put a highlighter arrow to the next page.

After that, I worked through all of the labs again, which I admit, was a very quick breeze as none of the labs are really that complicated or long. In doing so, I also highlighted information in the Workbook just like I did the other books.

The index process. Next, I started work on the index. Now, this course has a Day 6 CTF book, and in the back of this book is a very rough index. Sadly, I didn’t really like the index, but I also didn’t want to leave a trove of information on the table, so to speak, so I spent a few days transposing that index into my own index spreadsheet. Once done, I then started with Book 1 and began augmenting that given index with my own index items, as well as the definitions and concepts I wanted for each term. I did this for all of the daily books (except the CTF one) and the Workbook.

The way I make my index is to just have three columns: term, notes, page (1-101 format). I don’t shy away from expanding the size of a row if I need lots of text (word wrap). I separate each book into its own sheet, and I copy/paste those sheets into a master sheet which I then order alphabetically. The workbook is referenced as w-101. If I add something from another source, like a practice exam answer explanation, I’ll just mark it as x. I’ll then later get it printed and bound at Kinkos. This time around, it took $19 to print and was pretty thick…

I took particular time this go around to make note of any commands and screenshots of tools. This way, if on the exam I am looking at a tool output or some command, I have a shot at finding a comparable bit of output in the materials for comparison. Often, I would put the command verbatim into my description for that line, as nothing but sqlmap were really long.

The goal of an open book exam is to be able to efficiently and correctly answer questions by using those materials, and to do that, you have to manage your seek time. And that seek time plus tolerance for recollection or finding exact answers is going to differ from person to person. For me, I like enough context on each line of my index that I can tell where I should look for something about XSS types when I have 15 individual references to “XSS.” I don’t expect to always find answers just in my index, but I do give myself a shot at doing so. Ultimately, however, I expect to get into the books and find the “for sure” answer quickly. I do this with my index, but also sometimes with tabs along the tops of the books for key pages, tools, and topics.

In retrospect, I’m not really sure how useful the provided index ended up being, as I trust my own index was probably going to cover the bases. Honestly, the given index had some mistakes and included some weird terms from some weird places that added nothing. In the end, it maybe just resulted in a larger index than the FOR508 index I mast last year (and I think that material more warranted a larger index).

One note about the SEC542 material that I noticed. Way too often for my tastes, the authors didn’t actually define terms. Instead, they would describe them anecdotally, and maybe list some uses for that term to be gone over in more depth in later pages. This made defining terms very strange, and it added extra references for terms. For instance, Stored XSS is mentioned well before it is actually dealt with, but I had to keep both references. (I suppose you don’t have to, but *I* had to, if you know what I mean.) I also challenge you to find a succinct definition of XSS somewhere. I think I would have appreciated a bit more structure in that regard, but the material is effective either way. On the flip side, I like the “attacker perspective” that closed out various attack topics.

The rest of the preparation. Once I had my index finished, I tabbed the tops of the book pages. This makes for easy flipping to sections when I know generally or exactly where a topic is in the materials, letting me skip the index completely sometimes. This was more useful in the FOR508 exam which has more repeated reliance on tables and charts, but I did find myself using these on the exam as well. For example, a digest authentication question is going to be in the….drum roll….digest authentication section! There’s really no hunting around needed in that case.

Before sending off my index to be printed, I first took my first practice exam. I used the books and electronic spreadsheet (without using the search features) during this practice exam, and also did not use Google or other references. During the practice exam, I specifically turn on the ability to see explanations of all answers, rather than just the ones I miss (sometimes I may guess and get it right, but not be sure why!). If something is missing from my index, I’ll write down the topic or term quick. In the end, I scored 90% on the first practice with about 10 minutes to spare.

After that, I intended to do an actual read through of the material as well as listen to the mp3 audio of the course (given by the other author!). I only did about day 1 on both of those and decided to forgo those steps in my process. I took the second practice exam just like the first one, and scored 90%. After that, I sent my index off to be printed. Until exam day (about a 2 week gap), my only studying was just occasionally opening the books to flip through the topics and keep the layout and topics somewhat fresh in mind

Alternate material. Now, not everyone can afford SANS courses, but the information in SEC542 can actually be very easily gotten from other sources.

For practical lab-like experience, work on things like DVWA, Mutillidae (both of these were heavily used in the course labs), and OWASP Juice Shop. In addition, every attack can be found somewhere in the HTB boxes (ask someone who’s popped most of the boxes if they can guide you to good candidates, or browse IppSec’s YouTube videos and sample each one for web app opportunities). If you’re lucky enough to have access, the PWK labs also have plenty of web app practice available. Between all of those items, you should be exposed to every attack in this course and beyond.

On the tools, it really absolutely helps to have some Burp exposure and some Python exposure. I actually really recommend courses on PluralSight for both topics. There is a course or two by Sunny Wear going over how to use Burp that is just awesome. And there are a few beginner Python courses as well that helped me quite a bit to get started. (If you do pick up a sub to PluralSight, it also has decent courses on many of these web attacks, too, by Dawid Czagan and Troy Hunt.)

Everything I know about ZAP came from this material, and I suspect just a 20-minute video on ZAP examples would cover it well enough. I just don’t have any particular ones to list here. Of all the topics, I’d have to say web fuzzing is the hardest topic to pick up on one’s own.

For other tools, exposure in the course is light, so just using sqlmap or nikto or recon-ng or nmap or wpscan or beef somewhere on some target is probably good enough to understand it enough. For Python, focus on understanding the basics of Python and then also the requests library.

For attacks, just go through the syllabus and the OWASP 2017 Top 10 web flaws. This course pretty much sticks to that list. Do know how to find and perform Shellshock and Heartbleed attacks, though. (HTB has those boxes!)

Otherwise, just go through the course syllabus and the exam topics item by item until you feel comfortable talking about them and their differences

One thing the course doesn’t go over much at all is source code analysis, but pretty much everything in the labs is open source (umm, you control the VM!), so an enterprising student could look at the flawed code on their own. This is probably a step I need to incorporate as I look at further practice.

After all of that, honestly, you don’t need the course anymore! (But let’s face it, the extra advice from the instructor, the full coverage on the topics, and meeting other professionals in person adds to the course value.)

My next steps. After GWAPT, my next steps on the web application attacking front is to gain more casual experience through practice via self-study on DVWA, Mutillidea, OWASP Juice Shop, and others. I want to particularly make a point to use various tools for the attacks, rather than sticking to just one. And I also want to make sure I can do things manually or with Python scripts when appropriate, and review source code whenever I can for practice identifying flaws (and maybe fixing them?). I have a sub to Pentester Academy which also has extensive web hacking tracks

Will I take SEC642? What about AWAE from Offfensive Security? Maybe, but SANS will entirely depend on whether my employer wants to support me in that next step, and I may be able to swing AWAE on my own if I can carve out that time.

Will I get to any of these this year? I do have other goals and things for this year, but the continued self-study is one I want to stick to. I don’t today do web assessments for internal sites at work, but that opportunity may be right around the corner, and I intend to be part of that.

do you need a degree to be good at what you do?

Still reading through Tribe of Hackers. I, like most everyone, definitely holds back on punches when it comes to the, “Do you need a degree/certification…? question. So it was a nice moment this morning to read up on some industry blogs to run across Harlan Carvey swing and hit on his responses to the questions in that book, particularly about needing a degree/cert. I think he’s right, but it’s important to note the clarifier: ” Do you need a degree to be good at what you do?”

That said, all of his other answers are wonderful, too! Of particular note are tidbits about engaging on social media, mentoring and sharing, realizing that we make some mountains bigger than they are, and bosses don’t like surprises!

That sort of reminds me of the old school way the sysadmins are born. Often, a more senior admin will get a junior-ish new hire and throw them into the fire without much help. Basically sink or swim. No one really liked that, but it just sort of happened, probably since back then many of us tech geeks were socially awkward…hence being in IT! Today, mentoring in any formal or informal fashion is the way to win allies and friends. Transparency is a close cousin.

attended sec542 and netwars at sans east

About a week or so ago, I and a coworker attended SANS East in New Orleans. I was in town to take SEC542 and he was taking FOR610. We arrived a day before registration was open.

I just have to say that I absolutely enjoyed New Orleans! I’ve been to a few cities in recent years for training, and most really have pretty generic character; they’re just another city with maybe good weather. But New Orleans and especially the French Quarter has a great character to it with absolutely wonderful food, fun people, shops galore, and music everywhere. Combine that with beautiful weather (50-70 degrees in February winter is beautiful to me!) and thick mysterious fog every morning and I loved it.

We were in town the night of the Super Bowl, so after registering for classes, we navigated an impromptu Boycott Bowl block party (New Orleans Saints had their Super Bowl berth stolen from them two weeks prior and they’re a little sensitive!) to join the SANS opening reception at Fulton Alley for open buffet, bowling, and bar. Super excellent time out there, and I would visit New Orleans again some other winter.

My background gives me a good foundation for this course. I’ve not only managed my own sites and servers, including their (somewhat simple) code, for many years, but I also spent about 15 years as a security/sysadmin in charge of hundreds of critical business web sites and servers and working closely with developers. I’ve also gone through the PWK course and earned my OSCP, and done many HTB boxes over the past few years, all of which has given me exposure to web app vulnerabilities, exploit execution, and red team tools. In all, I feel comfortable with web applications, but my confidence isn’t all there when it comes to efficiently and accurately performing a “real” pen test against a site. (More on this later.) I’ve used some of the tools we’d use in the course, like Burp and wpscan in the past, but others I have not, like ZAP and BeEf.

To prep for the class, I mostly brushed up with courses on web app testing on YouTube or PluralSight. The most notable courses that really helped were 2 courses for 3 hours of Burp Suite on Pluralsight by instructor Sunny Wear and a series by Dawid Czagan on web app hacking also on Pluralsight.

The SEC542 class itself consisted of 5 days of lecture followed by a CTF competition on day 6. The class is pretty solid in covering the basics of web application technology, OWASP Top 10-styled weaknesses and exploits, and the beginnings of conducting web application assessments. The instructor (Eric Conrad) was excellent in adding value to the course with personal stories, advice, examples, and encouragement.

There were maybe about 30ish labs over the 5 days. Some labs are very basic where you just follow the directions to perform a quick directory traversal or XXE attack. But others later on offer a little more chance to choose your own difficulty and how many hints/guidance you take, which works especially well in something like the Python-related labs where I just needed a few pointers from Google and the books on how to do a few things and I could mostly do them with my own script. That sort of open-ended lab actually doubles as nice practice, rather than just pure introduction and copying

The day 6 CTF was an absolute blast and my penultimate experience at SANS East and SEC542. We split into fairly random teams based on when people came in. I think one team was somewhat pre-picked, but ours was pretty much, “Yeah, sit down, join up!” We had 3 teams in our class (online teams competed only against each other), 2 consisting of 5 students, and ours with 4 students.

As we got going, I started doing scans of the network using nmap and nikto, and doing really quick assessments on the results to draw attention to any suggested targets (“WordPress here! SSL here! CGI script there!”). My other teammates cleared out the level 1 book questions while this happened. I had my back to the classroom screen, so I didn’t see the jumping around of the team scores very much, but my impression is that for the most part first place traded hands quite a bit.

My team was amazing. I’ve never really had many chances to work on a pen test or assessment (or even a CTF) as part of a team, and this was absolutely wonderful. We all made progress and everyone contributed investigation and success into the things they were tackling. Someone scored out the questions on one section, I took another, and another two were done before I had even looked at them. We even had one guy make some ridiculous lucky guesses to score wins, and as I said when that happened, “That’s half of hacking, making guesses and getting it right!”
In the end, we had the lead, but bought hints on the final few questions which dropped us back into second place for a while. We got pretty hard stuck on a few things, but eventually figured it all out except one last question that was bothering me badly as I knew I was almost there (turns out I was). In the end, we bought one final hint, scored the question out, and then scored the final question to take the lead in the last 6ish minutes and held it until time ran out. Super fun to earn that coin and get first, but honestly it was more awesome to run through that well-paced CTF on a team that worked so well together. We made some mistakes, but nothing so big that it messed with our energy.

So, how did I feel about this course? This is a weird space, as is much of information security disciplines where you need a certain baseline of fundamental knowledge, otherwise your uphill climb can be difficult. But the material can quickly be overpassed with just a little bit of experience (which is kind of the point of the course, yeah?). And that really leads to my only down side of the course. But it’s really not even a problem with the course, but rather with me. For almost all of these exploits and attacks, I’ve done them before between OSCP/PWK and HTB lab environments. So, honestly, good portions of this course were sort of a review for me, or rather a reinforcement. But, make no mistake, I did learn a few new things, especially the value-add stuff from the instructor.

My biggest takeaway, much like so much in information security, is that this discipline and doing these assessments takes constant and regular practice. Practice, practice, practice. Which is really the place that I am right now with my skills and level of confidence. I simply need to iterate through the things I know, over and over, get quicker and more familiar with the tools, and maybe start doing some assessments at work on our sites to compliment the things our QA teams do.

Still, could someone pass over this course with self-study and a cheaper budget? Yes, and probably not that hard, either, unlike other high level SANS courses. A student could study up on various cheaper courses or even free YouTube courses going over OWASP Top 10 attacks. And honestly, there are free tutorials on doing DVWA, OWASP Juice Shop, and Mutillidae II out there for free, which will cover the Top 10 and more. Add in doing some HTB boxes and watching along with Ippsec on Youtube doing retired boxes shows many of the attacks in a more live situation. From there, it’s really about learning the tools, and you get use out of them from HTB or PWK/OSCP, plus additional courses on those tools which may cost a small subscription to view for a few months. Still, that’s quite a bit cheaper than SANS, especially if looking to do this on your own dime. You won’t necessarily get a certificate, or exposure to other smart students, or the Netwars experience, or the value from the instructor, but I honestly think students can get past SEC542 on their own with some personal dedication.

And that now brings me to Netwars. For a third, and probably last time until they update the content, my coworker and I competed in Netwars Core. We sat at the front, which must have been a good area to sit, since the winning team and most of the individual top 5 were sitting. After two nights, I finished in first place for a coin and trophy, and my coworker fought a super close battle for 4th place! My placing was pretty undramatic, but that fight for 3rd through 6th was pretty tight. I might do Core if I ever attend a coinapalooza event (and have coins to acquire), but barring Core being updated to a version 6, I’ll likely duck into DFIR or Cyber Defense in future events now

GWAPT and the future. So, that leaves me with what’s next. I’ll be studying the materials again, making my index, and going through the labs once more in preparation for the GWAPT exam. I have pretty high confidence going into this one unlike my GCFA. During and likely after this, I will also be trying to get a practice regimen started. At a bare minimum, I want to tackle web-heavy HTB boxes, not to necessarily root them, but to practice assessment steps and tools usage (I need more confidence in fuzzing, sqlmap, for instance). I also will look into those vulnerable open source boxes for further practice (Mutillidae, DVWA, Juice Shop). I am also woefully inexperienced with REST/API and SOAP assessments, so I’ll likely find some courses or guidance on that. And lastly, I’ll also work to continue to further my Python and even Javascript exposure. I do also have a Pentester Academy sub, and they have some web content and challenges as well.

That sounds like quite a lot, but honestly this is about forming a long-term practice and experience habit for web assessments. And to my viewpoint, being conversant and ready-to-go with web app assessments is a core pillar for anyone looking to be on or near red teams/offense.

Will I take SEC642? I don’t know. Some of those topics definitely are things I’m less comfortable with today, so it is still in my top several classes to look at if I get another opportunity to attend something. But other options are tempting as well, such as SEC573 (Python), SEC617 (Wireless Pentesting), SEC660 (Exploit Writing), FOR610 (Malware Reversing), SEC588 (Purple Teams), SEC545 (Cloud Security), and FOR572 (Network Forensics). It might just depend on what lines up best with what I and my company need when the chance opens up.

my tribe of hackers contribution, part 4 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment.  And to mark any changes of insight after consuming the book. This is part 4 out of 4.

(Part 1) (Part 2) (Part 3)

12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Be aware of what you’re putting online about yourself and whether that is important to you in any way. Ultimately, live life and don’t shy away from technology.  Turn on automatic patching. Use unique passwords, and change them regularly.

13. What is a life hack that you’d like to share?

I don’t really have life hacks, or at least I don’t think of them that way. Just keep learning and improving. If something rubs you wrong or doesn’t seem like it is in its right place, fix it and/or move it, or change your attitude about it and move on. Be happy, but not at the expense of others.

14. What is the biggest mistake you’ve ever made, and how did you recover from it?

Professionally, I’ve not really made any large mistakes that have made me fearful about my job or even an annual review. However, I will cover a personal mistake, a professional mistake, and a career mistake anyway.

My biggest personal mistake may be my phoning in of high school and early college years, which led to low motivation in college and being 100% unsure about what career and life I wanted. I nearly failed out of college, but pulled myself back up after 2.5 years in a major that wasn’t calling me, and switched over to one that was, to successfully salvage the experience. I wish I had applied myself more in my younger years, but more so I wish I knew what I wanted earlier than I did. We are asked as young people to make life decisions very early, and often without enough preparation. That becomes a weighty decision experience. Then again, I wouldn’t change anything that has happened to me, as I enjoyed my childhood, and everything before now has directly led to where I am and who I am today.

My biggest professional mistake was probably assigning an ip address to a server that was an undocumented in0use address on the interface of our perimeter firewall. This address conflict brought down that interface, halting all traffic to and from the Internet. Obviously, troubleshooting this brought things back in 5 minutes, but that’s a pucker moment you’d rather not have to go through. Lessons learned, though: document everything, consult that documentation, and verify anyway.

For my career, my biggest mistake should be not having as confident a voice about my skills and knowledge that reflects my actual skills and knowledge. I have warred with imposter syndrome in the past, and I probably still war with it today when I think other people already know what I know, so why speak the obvious, right? But that’s folly. Even if that were true, speaking up still stokes the sociality of life, work, career, and networking with peers, which leads to connections, friends, learning, and growth. This is probably a small war I’ll fight until such a day as I am regularly teaching others in some measure of a formal setting.

At the end of the day, mistakes make us stronger and have made us who we are today. Learn from them, don’t be afraid of them. Go deeper. Try harder.

my tribe of hackers contribution, part 3 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment.  And to mark any changes of insight after consuming the book. This is part 3 out of 4.

(Part 1) (Part 2) (Part 4)

9. What is the best book or movie that can be used to illustrate cybersecurity challenges?

Of all of these questions, this is the one I have left blank for the longest, and I still honestly do not know what fills this the most. The only work that comes to mind might be Daemon by Daniel Suarez. I read this shortly after it came out, and it was scintillatingly wonderful and scary at the same time. For movies, Sneakers is the only example that comes to mind now. Maybe if I revisit this list, I’ll have better answers by then!

10. What is your favorite hacker movie?

Movies are a pastime of mine. I definitely have hacker-related movies that are guilty enjoyments like Antitrust, Swordfish, eXistenZ, Enemy of the State, Foolproof, Ghost in the Shell, Weird Science, and even a great movie like The Matrix.

However, my favorites boil down to two choices. Sneakers is wonderfully cute and I absolutely love the hacker team dynamic, but Hackers is alone near the top of my favorite movies. It has the best soundtrack (Halcyon On + On is my desert island song), great pacing, acting, and writing, and while it is somewhat ridiculous, it reflects a certain counter-culture caricature of how hackers viewed themselves in the 80s and early 90s. Yes, it is dramatized and unrealistic, but it never seems to take itself too seriously. It really captures a certain hacker ethic and culture in the process. Ultimately, it’s just fun and I could watch it over and over forever.

11. What are your favorite books for motivation, personal development, or enjoyment?

For personal and professional topics, at various times in my life, I tend to come back to The Book of Questions by Gregory Stock and The Rules of Work by Richard Templar. I will also dig up and re-read the full collection of Calvin & Hobbes as well.

For enjoyment, I come back around to reading fantasy books on occasion. I started reading adult level fantasy books around the 4th grade, and devoured them up to college years. I still play Dungeons & Dragons and fantasy video games, but sitting down with a good fantasy book allows me to revel in nostalgic moments exhumed from my childhood many innocent years ago. Those were some pure times.

my tribe of hackers contribution, part 2 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment.  And to mark any changes of insight after consuming the book. This is part 2 out of 4.

(Part 1) (Part 3) (Part 4)

4. Do you need a college degree or certification to be a cybersecurity professional?

No, but they can help. A college degree is less important than it used to be, but the experience can teach many life skills at an age when young adults are busy finding themselves. Beyond that, you can learn a lot about a profession as well, and a degree can get you past HR filters that may otherwise reject those without a degree.

Certifications are a useful vehicle to learn topics and have something tangible that at least somewhat attests to some knowledge on those topics. These are things that can add to your marketability, either for yourself or as an agent of another entity. At the end of the day, though, those are just tools, and they don’t replace being an expert in your chosen domain. Regardless how you get there, be a master of your domain.

5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

I’ve always had a love of puzzles, mysteries, and a sense of curiosity and creativity. I first thought about IT security back around 2000 when I wrote a long-gone article for a video gaming community about what sorts of careers someone who grew up with PC gaming could get into, and information security was one of them. But, it wasn’t until I picked up a random IT book at Barnes & Noble to continue my post-graduate learning: Hack Attacks Revealed by John Chirillo, that I fell in love with the topic.

For my career, I officially got started having a security interest while doing normal IT desktop, technical support, and sysadmin duties. If something related to security came up, I would tackle it, set it up, configure it, or evaluate it. I remember sitting with government pen testers and showing them Metasploit shortly after it came out. I spent nearly 15 years with a general sysadmin title, but largely doing security-related things. In recent years, my title has shifted to officially be a security one, which makes selling myself a little bit easier!

I would advise someone beginning a career in cybersecurity to have one or more career goals in mind, and some ideas written down on how to get from where you are today to those goals in 1, 3, 5, or 10 years. And pursue that. Keep your eyes on the horizon, and move towards it. Seek advice from peers and those you want to emulate. Always be learning and always be active, whether in a cybersecurity role at the start of your career, or in a more general IT role. Either way, you can effect changes in security postures, learn more, and build skills that will directly carry over to the time when you arrive at your cybersecurity goals.

I would also suggest being involved. Share your knowledge, teach others, meet other professionals and hobbyists locally, and be part of the cyberspace and meatspace infosec communities.

6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?

I don’t really have one, which might mean my specialty is about being generally good at many things. But, if I had to pick one, it would be about thinking like an attacker; playing five moves ahead and solving those problems.

And to get anywhere, it is all practice, practice, practice. Don’t be afraid to fail and learn. Practice, fail, practice, do better, practice, succeed, practice, improve.

7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

Be a good person, be intelligently enthusiastic, be an expert, and be honest about your desire to effect appropriate improvements. Be honest, about everything, including things you don’t know.

But one of the most important things in business and security is about selling yourself and selling your ideas. Speaking and selling are key ingredients for effectiveness in getting things done and leading.

I don’t run a company in cybersecurity, but if I did, I imagine my biggest stressor would probably be making sales and being good about that. I think that might be my biggest advice; gain the sales skills or align with someone who can.

8. What qualities do you believe all highly successful cybersecurity professionals share?

The willingness to say what is right, the integrity to stick to what is right, and the self-awareness to know when you might be wrong or it is just not the correct message for the day. Security is a cost and gets in the way of convenience. Being on the security team is rarely a good choice for someone who desires only to be liked and not rock the boat when it is needed. But, perfect security will never be accomplished, which sometimes mean we have to move on, and know when we’re wrong about something, and yet still walk forward with head held high to the next battle.

I digress, though. Other qualities I admire in people in general are enthusiasm, passion, integrity, constant learning, being a good person, and being an expert. Some of my favorite celebrities are like that; Adam Savage, Wil Wheaton, Matthew Mercer, Steve Irwin. These are qualities to live one’s life, and qualities to bring into one’s career.

my tribe of hackers contribution, part 1 of 4

I’ve gotten my hands on a copy of the new hotness in the cybersecurity community, Tribe of Hackers by Marcus J. Carey & Jennifer Jin. This book is a compendium of cybersecurity and hacker luminaries answering a battery of questions about themselves, cybersecurity in general, and advice for aspirants to the industry. I loved the idea for this. And I figured I would go through a self-exercise related to the book by going through the questions myself. I wanted to compose answers before reading any other responses in the book, and then later after reading the book, go back and see if any of my answers can or should be adjusted based on possible shifted perspectives. This might take quite some time, as this book is bigger than I expected!

Since the questions are sometimes weighty, and I tend to be somewhat verbose, I also figure to break the questions up into logical groupings though maintaining their original order.

1. If there is one myth that you could debunk in cybersecurity, what would it be?

There are two myths that I tend to poke at with a long stick during quiet moments. One is the idea posited by many a marketing team that some tool or process is absolute and will provide any sort of “perfect” security (while their security engineers say there are no silver bullets). Very few things are so absolute, and those that seem to be, tend to be smaller in scope. Segmentation, binary yes/no access, walls.

The other is that we, as information security defenders, can “win.” There is no winning in a sense that the attackers will be beaten and we can ride off into the sunset; there is no checkmate or surrender. This dance is going to go on forever, and we do the best we can to secure the things we have control over, and hopefully that is enough for our constituents. Never get disheartened that this fight seems to be never-ending, because that’s exactly what it is. The war won’t end, but we can win battles. Embrace that, and play the game with enthusiasm and positivity.

2. What is one of the biggest-bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

I imagine answers to this reflect where someone’s mind is, tactical or strategic. Strategic answers are a little easier, since it may mean doing multiple tactical things as part of that initiative. So, I’ll stick tactical.  Every few years I post a blog about the top 10 things I tell small/medium businesses that they should focus on to improve or start tackling cybersecurity. Pretty much any of those items is a good value option.

For this open-ended question, though, three things bubble up to the tap: 1) Know what you are responsible for. Keep an inventory or systems, data, accounts, and software. Defend accordingly. 2) Patch management. Just. Patch. The Things. 3) Least privilege. And it is this last one that I think may be the more important for this particular question, for me today. Limit privileged access, limit privileges on workstations, limit access to data. Attackers can compromise people and systems, but we need to make them work harder and longer to get to the things they want, which in turn will give defenders more chances to detect them.

3. How is it that cybersecurity spending is increasing but breaches are still happening?

Security always follows insecurity. It’s just the nature of the beast. As our technology grows more ubiquitous with life, it also becomes more complex, and thus fails complexly. Technology, the internet, and cyber-things are still in a rapid growth phase, and are showing no signs of slowing down to allow us to catch our breath. And so too are cyber attackers. And let’s face it. If no one is ever going to break into your house, there’s really no need to maintain security. Insecurity fuels this industry and our jobs. It just goes back to that never-ending dance we do.

(Part 2) (Part 3) (Part 4)

my netwars core tournament of champions experience

Earlier in 2018, I attended the SANS West training conference in San Diego and competed in the Netwars Core competition. This was my first Netwars experience, and I was surprised by not only placing second in the individuals bracket, but by doing so also received an invitation to the year-end Tournament of Champions. I had no idea this was a thing I would get (more on this later), but I was excited to have done well. And, as luck would have it, my work leader was in attendance, got excited as well, and offered to budget out the cost to allow me to attend the ToC event!

So, I headed out to DC for the Netwars Core Tournament of Champions (ToC) held the evenings of Dec 16 and 17, 2018, during SANS CDI. DC was rainy, but I got in a day early to relax, get some grub and supplies nearby, and otherwise spend that evening and most of the next day taking it very easy.

I suppose at this point I should mention that Netwars Core is a hybrid technical question-and-answer competition (jeopardy-style CTF wrapped in a wonderful Star Wars-themed story) and castle-vs-castle top tier played out in 5 Levels over the course of 2 evenings (3 hours each) during most SANS events. Competitors are given a USB stick with some files and a virtual machine to import, and are asked to sign up for an account on the scoreboard where scores and questions are housed. Levels 1 and 2 consist largely of your typical infosec CTF questions like which Linux command does this, or run this command on the provided event virtual machine and find the flag or decode this password. These questions range from non-technical through the gamut of many skills and tidbits of knowledge such that even novices have a good shot at having plenty to do. And for those questions that are unfamiliar, you can “unlock” hints for free which definitely get most people on the right path for answers. As competitors submit answers and score points, more questions are unlocked. At some point, Levels 3 and 4 are unlocked which starts competitors down the path of offensively probing and attacking systems on another network altogether. And, unlock enough points, and you can get up to level 5, which is a whole new competition in itself. At Level 5, the game becomes a more classic CTF where competitors get a castle of services they need to defend and keep up while trying to also take over and bring down the castles of other teams to score points.

For anyone daunted by that Castle part, at least be comforted that not every SANS Netwars Core event has people get far enough to unlock Level 5. Most of that top tier competition comes from the pentest-focused events like SANSFire or Hackfests or here at ToC or on the separate Netwars Continuous package.

I didn’t have much to prepare for or with. I scored 275 points in the earlier event, which took me up almost entirely through levels 1 and 2 and into some clear stopping points in Level 3 and 4. Unfortunately, I hadn’t saved any questions or code or scenarios from those higher levels, so I only had vague memory to go by. I didn’t know 2nd place got an invite nor how all of this works! I had saved the questions page for the initial levels (most of which can be answered in the provided VM), but I had most of those already solved, so there wasn’t much to do there. See, the game itself closes after the event, so you can’t go back and see the old questions or hints. Even worse, once you hit Level 3 (I think), the scoreboard and targets are on a different network that you connect to which also isn’t available outside the event itself. Lesson learned, my friends, lesson learned: Leave windows open, copy/paste, download what you can, save shit, suspend your VM if you can.

Registration and check-in took place about 4pm or so Sunday afternoon, where we basically just got our guest badge. And at about 4:30pm we were allowed into a reception room for free drinks, appetizers, and mingling with fellow security geeks. During this reception, Jason Blanchard and Ed Skoudis gave a presentation about the event and some of the rules specific to ToC that we need to know about. Also, one of them made mention to look around the room and take in the fact that lots of excellent and smart people were in that room. To be honest, that was one of the better moments of the event for me: being in the company of some super smart and dedicated people. We also got handed our swag (a custom t-shirt and an athletic polyester long-sleeved black half-zip shirt), had a chance for some forced mingling with fellow competitors, and then slowly wandered down into the competition seating area.

When I got down to the seating area, some teams were already moving desks to face each other, and I picked out a spot for myself between some teams so as not to get in the way. ToC players had seats on the left side of the room reserved. Turns out, I sat behind the team that would end up winning the overall prize. I got set up, got a drink, and waited out the rules presentation before getting started! I will say, while the rules went on a surprisingly long time, I actually really enjoyed Jeff McJunkin’s energy and enthusiasm as the emcee/host of the event.

As this was just my second Netwars event, I was in for an unexpected start. I spent the first 45 minutes keying in answers I already had, unlocking more portions of the scoreboard, and just turning my mind to mush. It was pretty awful once I sat back in my chair near the end of this marathon submission session, and I wondered how the heck I would find my groove back and actually “get into” the VM and the mindset of the challenges I was up cleared for, especially since some of the things you do in early challenges set up the VM to be ready for the later ones. I think once all of my answers were submitted and I was feeling pretty lost, I got up to get a drink and take a small break. I can definitely see why the established teams have their answers all scripted and submitted within minutes! (I’ll have to save the web page code and figure that out next time.) The team ahead of me, of course, submitted all 645 points of answers and sat back for their Level 5 access. Turns out, there were some technical issues with the Castles, and those teams ended up sitting around waiting for about 90 minutes.

Now, I will say just reading this during my proof-read, I can realize how someone will look at this and wonder why compete if there are whole teams that just script the answers up to Level 5? Well, as part of the ToC rules given during the reception, players were awarded prizes in 4 groups: Level 5 teams, Level 5 individuals (I believe there were only two brave enough to tackle Level 5 alone), other Teams, and other Individuals. So, even if you didn’t have Level 5 unlocked, you could still earn something by crawling up higher into Level 4. I do not know when Level 5 actually opens, but if it’s at 645 points, you can see there is still a gap in the field based on the screenshots at the end of this post.

Once sitting back down, I got my head in the right place and started making progress. For the rest of that evening, I felt pretty good with my progress, but I definitely had and still have a long way to go. By the end of that first evening, I had clawed some points above and beyond what I already knew, and felt confident in my progress. I made sure to keep scoreboards open and save files, questions, and hints for research later that night and the next day. Looking back, my biggest wins that day was the experience of that first marathon of answer submitting, and the saving of relevant data/info for research later.

If I had any complaint on the event, I may as well get it out of the way here. The music played during the hacking activities was largely 80s and early 90s rock. Things like Van Halen, Bon Jovi, Billy Idol, Starship, and so on. And while I grew up in those times and am quite comfortable with that music, I did not need to listen to “Don’t Bring Me Down….Bruce!” 3-4 times (the only re-repeat I remember hearing), nor do I really want to listen to that rock for 3 hours a night while doing hacking things. It was distracting at times. But that’s me; I’d prefer some sort of techno/electronic genre (deep house, lounge, chill, psytrance, trance, or anything in between). Or maybe at least a slightly better curated 6 hours of rock. (It’s honestly not that long, but can feel long.)

One tip before the night of the event is to make sure you know how to import or add a new virtual machine to whatever VM platform you use. Once sitting down in the competition hall at a desk, be sure to keep your head up and look for whomever is handing out the Netwars USB sticks and instruction sheets and be sure to get one of both. If you don’t get an instruction sheet, ask to take a picture of someone else’s near you.

In fact, here’s a general checklist for someone sitting down to Netwars 5.0 for the first time:

  1. Prep: Bring a mouse. Bring a second portable monitor if you have one. Both of these make the experience so much better. Bring headphones and music if that helps you. Make sure you have whatever virtual platform of choice you prefer already installed and ready on your system. As far as other software, you don’t really need much else on the host; most things are either present in the VM or can be downloaded into it from the Internet later. I’d also suggest being at least a little familiar with Linux command line (things like ls, cd, cat, file, cp, rm, touch, chmod, chown…that level of stuff). I don’t suggest using a work laptop, unless you have the power to turn off security protections so as not to kill/quarantine what you’re doing! I used an old Thinkpad X230 upgraded to 16GB RAM and 500GB SSD, running Win 10 and VMWare Workstation 15 Pro, with an AOC 16-inch portable monitor; the portable monitor is a lifesaver as the X230 screen size can be limiting alone.
  2. Sit down and set up your computer; power strips should be nearby.
  3. Once booted up, get on the netwars core wireless (will either be on the instruction sheet or on the screen up front). I suggest writing this down.
  4. After that, get your hands on the USB and start copying all of the files to your system. It’s always better to work off the local copy than straight off the USB.
  5. Once copied, fire up the VM platform of choice, and import/add the .ova file as a new VM.
  6. Once added, I strongly suggest increasing the RAM on the system above the default if you can spare it, and also add some video RAM if using VMWare (if you can’t find this setting, then don’t worry about it, it’s just to have better full screen sizing on some versions; probably not a problem with a laptop).
  7. It should work by default, but I also strongly suggest being familiar with testing and enabling (if needed) copy/paste from the VM to your main system.
  8. When ready, start the VM and log in (should be on the instruction sheet or it will just autologon for you). There’s no reason to not at least start up the VM and test Internet connectivity. Maybe even poke around the system a bit.
  9. I don’t recall ever needing to deal with installing VMWare Tools, but maybe I just do this automatically and remember it. I’m adding it here as a reminder to think about if something isn’t working.
  10. Once ready, feel free to get a drink or two and for the love of all that is pure, lock your system when you walk away.

During the event, you do what you need, but I strongly suggest taking a break now and then. Get up, stretch, get a fresh drink, take a small walk, get your eyes and brain off the screen a bit, tip the bartender, start up a quick intro conversation with any others back there in line, with them luck, and get back down to business.

I know some people bank points until the final 30 minutes of the last day when the scoreboard is hidden from view, but honestly, I’m not sure who does that, since the more points you submit, the more new stuff you unlock. And I think in most cases, it is better to unlock things early than in the waning minutes. There may be some more easy points waiting!

I wish I knew the cutoffs in points where things unlock. Maybe next time I’ll try to pay attention to that….

On day 2, I sat in a different place behind a team from the Army branch. I honestly don’t know how they did (not top 3 at least), and I’m unsure if they are displayed on the scoreboards and have a made-up team name or something.

Day 2 was a more heads-down day working on some of the new challenges, and I made some progress by the end of the night, totaling 328 points and finishing in the middle of the pack at 31st place. Unfortunately, I didn’t really unlock anything by the end of the trip that I shouldn’t have already had from my first Netwars experience, but at least this time I am better able to take some studying points home to work on directly.

In reflection on my experience, I feel like there are probably 4 very different experiences you can have with Netwars.

  • First timer – This is the purest experience as someone completely new sitting down at a blank scoreboard with questions to bang away at and answer. This was absolutely a blast and I encourage everyone attending a SANS event to give Netwars Core at least this first try. It has accessible questions so everyone can ramp up slowly into more involved stuff.
  • Experienced aka “the level 4 doldrums” – After the first experience, no matter the performance, coming up next are what I would call the level 4 doldrums where a competitor has completed the things they find easy, and are now working harder on the trickier or less familiar topics. This lasts until one can unlock level 5. Large swaths of an event may be spent working on just a handful of challenges at hand. This is definitely where I am. I unlocked Level 4 on my first event, and now I get to spend a lot of time making slow progress through it (and finishing challenges inside Level 3). The one caveat that may change this experience is joining up on a team of others in the same boat, but I have mixed feelings about teams prior to level 5.
  • Level 5 unlocked! (fanfare music) – This is probably the next big jump, where one emerges from the Level 4 doldrums and unlocks Level 5! …And then is lost while trying to figure out the castles, defend them, and somehow also attack. The first experience in Level 5 is probably pretty rough, especially so for an individual. But, you gotta have a first time at some point so you know what’s coming up next time and how to start preparing for it. Because, let’s face it, there’s only a small number of posts about the experience of Level 5. It might be interesting getting to this experience on a team, either of those who’ve made it before or all newbies to Level 5, as at least then you can get some boots on the virtual battlefield quicker. And even at some of the larger non-champion events, there may not even be any other Level 5 teams! I think in that case, even if unlocked, you don’t get your Castle early, as that might be a little unfair to later entrants, but I don’t know that for sure.
  • Level 5 veteran – Lastly, all that is left is to dive into Level 5 with eyes wide open, probably as a member of a team. This is the penultimate experience, and I hope to get there someday to at least give it a try once. I’ve never competed on the blue side of a castle-style CTF like that (only the red team, and it’s been years).

One nice small benefit I received after the event was a discount to Netwars Continuous. While still a large chunk of money, I might have to think about that if I want to experience Level 5 competition and get some practice. (Assuming I get up to it!)

Would I do this again? I think so, but I don’t know. I don’t really learn much from it directly, but I love the access and mingling with other extremely smart people, just like any other SANS event. I am qualified for two years, so I’ll have to think hard about it. My participation may depend on others on my work team being able to go, or my progress towards Level 5, and of course budgets. That said, the meeting of other people and the chance to further hone skills is always welcome in this ever-learning industry. If I were on a Level 5 team, I absolutely would!

Would I suggest others do this? Yes! If you can budget this out (keeping in mind you don’t necessarily have to be taking a course at CDI to attend ToC!), I think this is a great event to experience at least once. Even better if you get the chance to experience this at Level 5 with a team. There really are not that many chances to experience something at that level and I think they would be worth it.

What’s next for me? I have a very long ways to go, and the number of questions I have in front of me to answer has dwindled quite a bit. Basically, I’m at that point where I need to answer a question to open the road to answer the next question, and so on. My choices are limited, and while that means I can focus my studies a bit, it also means I have no idea what’s behind those doors.

I’ll next be at SANS East the first week of February with a coworker. I plan to sit again for Netwars Core rather than trying out DFIR yet. And this time, I’m taking a course that I need more confidence and speed with (SEC542) which hopefully gets me another small step or two through the Level 4 doldrums!

(images via CounterHack team and Sean Donnelly)

us-cert and questions ceos should be asking about cyber risks

US-CERT has posted up a nice list of Questions Every CEO Should Ask About Cyber Risks. I can’t say I disagreed with anything here!

It’s nothing much, but I did look a bit hard at the metrics section where it says, “An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise.” While I agree with this, most organizations still need to adequately find or be told about a vulnerability first and get it into the analysis and remediation pipeline, before they can start measuring how long it takes to patch it. Or maybe a better wording is to allow for the fact that a vulnerability may have existed before an organization learned of it and started work to patch it. I wouldn’t want someone to think the measure is just from when it was learned to when it was fixed.

I also understand that “industry best practices” can be a little flexible and arbitrary, but I don’t have a great alternative to that beyond constant review and improvement with multiple eyes and documented reasons and justifications for policies and standards.

the three laws of opsec

Just saving for future reference.

Three laws of OPSEC (Kurt Haase)

  1. If you don’t know the threat, how do you know what to protect.
  2. If you don’t know what to protect, how do you know you’re protecting it.
  3. If you are not protecting it, the dragon wins.

the position of threat hunting

It couldn’t be more timely to see a couple blog posts on the topic of threat hunting, one from Robert M. Lee and another by Richard Bejtlich. (Updated to also add some Twitter comments links, as I think I agree with this position.) Reason? The past couple weeks I’ve been reading papers and other posts and job descriptions of “threat hunting,” as I try to figure out what that means and what it does in a security organization.

See, I’ve been part of the infosec community since around 2001 in some for or other. But around 2014-2015 or so, I fell a bit out of touch; I didn’t read much from twitter or other blogs and feeds of mine and didn’t really do any cons or other learning. As such, I turn around in 2016 and plug back in, and things like “kill chain” and “threat hunting” take me a bit by surprise at how suddenly they’ve popped up. And in the case of the latter term, I’ve been trying to figure out where it came from and what it really means. I mean, I like the idea of the task, but it doesn’t seem like a full time position to me; it seems like an amalgamation of other duties, or maybe just a way to save money on external pen/red team tests by getting internal offense members, and concocting some additional things for them to do so you don’t lose them to boredom.

(Side note, it’s an interesting time, where organizations want to do more than just strictly blue things, but it’s hard to make sure your offense-minded folks don’t get bored or jump for those flashy full-time pentesting gigs. Likewise, blue tools and signatures are reaching their limits of usefulness, but other techniques and detection and analysis require more effort, intelligence, and experience to wield for proper value; enter offensive minds.)

My confusion stems from hearing about the tasks, and not being sure if the hunter is looking for latent, active compromises in dark corners of the enterprise, or if they are testing for weak points in an organization’s posture and providing fixes. Or maybe they are like architects for new tools like UBA/UEBA as they attempt to emulate attackers and define how detection tools may help identify them better, especially when you have to rely on behavior and anomalies rather than hard signatures or IoCs (hey, there’s another surprise term that is new!). To me, security is not just about watching alerts in a SOC, but about constantly improving the position of the security functions. In a sense, I’m always looking for ways to have more complete visibility, or at least know where my blind spots may be. Role-playing and tabletop exercises help stimulate that thinking as well. Things like analyzing a new vulnerability announced and how to tell if that affects or has already affected me, or a new minor incident and what pieces of information are annoying to procure. Every blue question has a chance to improve the environment.

Also, is a threat hunter part of the blue team, part of the IR team, or part of an internal red team? Or maybe some combination of two or more of those areas; a sort of way to fill in some time between other tasks. Is it a way to get your SOC members something a little more mentally stimulating than watching alerts all day? Does it complement or replace role-playing exercises?

Anyway, I don’t have these answers yet, but these were timely articles on a topic I’ve been currently wrestling with.