the position of threat hunting

Posted on by michael

It couldn’t be more timely to see a couple blog posts on the topic of threat hunting, one from Robert M. Lee and another by Richard Bejtlich. (Updated to also add some Twitter comments links, as I think I agree with this position.) Reason? The past couple weeks I’ve been reading papers and other posts and job descriptions of “threat hunting,” as I try to figure out what that means and what it does in a security organization.

See, I’ve been part of the infosec community since around 2001 in some for or other. But around 2014-2015 or so, I fell a bit out of touch; I didn’t read much from twitter or other blogs and feeds of mine and didn’t really do any cons or other learning. As such, I turn around in 2016 and plug back in, and things like “kill chain” and “threat hunting” take me a bit by surprise at how suddenly they’ve popped up. And in the case of the latter term, I’ve been trying to figure out where it came from and what it really means. I mean, I like the idea of the task, but it doesn’t seem like a full time position to me; it seems like an amalgamation of other duties, or maybe just a way to save money on external pen/red team tests by getting internal offense members, and concocting some additional things for them to do so you don’t lose them to boredom.

(Side note, it’s an interesting time, where organizations want to do more than just strictly blue things, but it’s hard to make sure your offense-minded folks don’t get bored or jump for those flashy full-time pentesting gigs. Likewise, blue tools and signatures are reaching their limits of usefulness, but other techniques and detection and analysis require more effort, intelligence, and experience to wield for proper value; enter offensive minds.)

My confusion stems from hearing about the tasks, and not being sure if the hunter is looking for latent, active compromises in dark corners of the enterprise, or if they are testing for weak points in an organization’s posture and providing fixes. Or maybe they are like architects for new tools like UBA/UEBA as they attempt to emulate attackers and define how detection tools may help identify them better, especially when you have to rely on behavior and anomalies rather than hard signatures or IoCs (hey, there’s another surprise term that is new!). To me, security is not just about watching alerts in a SOC, but about constantly improving the position of the security functions. In a sense, I’m always looking for ways to have more complete visibility, or at least know where my blind spots may be. Role-playing and tabletop exercises help stimulate that thinking as well. Things like analyzing a new vulnerability announced and how to tell if that affects or has already affected me, or a new minor incident and what pieces of information are annoying to procure. Every blue question has a chance to improve the environment.

Also, is a threat hunter part of the blue team, part of the IR team, or part of an internal red team? Or maybe some combination of two or more of those areas; a sort of way to fill in some time between other tasks. Is it a way to get your SOC members something a little more mentally stimulating than watching alerts all day? Does it complement or replace role-playing exercises?

Anyway, I don’t have these answers yet, but these were timely articles on a topic I’ve been currently wrestling with.

learning and career goals for 2019

Posted on by michael

Yearly, I try to make an achievable plan for studying and career goals and ideas. I’m not getting any younger, but even now my eyes are wider than my free time when it comes to wanting to learn things. It’s a “problem” I’ve had forever, but I definitely want to make sure as I make these year-long plans that I at least maintain some sanity. I’d mapped out my previous 2 years, and I am super happy with the process and my results, so I’ll push myself again some more this year. I’ve added 4 certs (plus the learning!) to my belt over the past 2 years (OSCP, OSWP, CCNA Cyber Ops, GCFA), plus all of the learning and growth that come with them, and I have some more lined up this year.

My theme for 2019 is going back to the offense, and specifically web app testing with some binary exploitation thrown in. Every year, I’ve been striving to alternate between being defense-focused or offense-focused in my formal training. We’ll see how well I keep that plan up!

For some of the items below, I have more fleshed out maps and resources to pursue than what I list here.

Formal Certs and Courses

  • SANS SEC542 (GWAPT) at SANS East – GWAPT has been at the top of my list for SANS certs for a while. I have a long history of working with web servers, sites, coding, and attacking, but I still feel somewhat of a neophyte when it comes to web app testing (and I probably am intermediate at worst). I really want to beef that up, or at least give me something tangible for reassurance. I also want to take care of this earlier in the year than I did last year’s SANS course in May, so I’m hoping to get signed up for SANS East somewhat soon. This will be a cert I pursue, too, so that will add a few months of studying. Specifically, I want to feel better wielding BurpSuite (and other tools), attacking SQLi issues, and doing some automated and manual web app scanning and testing.
  • TBD Second major training: Black Hat USA Trainings or SANS SEC573 (GPYC) Python or SANS SEC545 Cloud – I want to see what I can push for out of my work budget, so I’ve requested a second major training opportunity, but have left it more open-ended. I’ve also tried to pick things where I wouldn’t necessarily exit the event with the commitment of lots of studying for a follow-up cert. SEC573 will give me some excellent Python experience and I could still optionally pick up the cert. SEC545 was added later as a sort of acknowledgment that my AWS/Cloud specifics are a little weak in practice yet, and if work wants to send me to that, I’d be ok with using my second slot for it. If Black Hat gets chosen, I’d probably look for some further web app or other red team course to take, and then stay for Defcon on my own. This is pretty aggressive for me, but I’ll be super excited if I can make this happen.
  • Linux+ – I wanted to get this slotted in this year for reasons (a study-buddy or two). I consider this a slightly more informal certification to pursue, and I already have a Linux Academy subscription anyway. My goal here is just to get better with formal Linux knowledge and try out some peer support/mentoring. I’ve long had this cert on my distant radar as one of the few ways to demonstrate Linux comfort on a resume.
  • SLAE (+ OSCE prep) – OSCE continues to be on my radar, but it might be too much this year to slot it in for a full commitment. However, I would like to pursue my roadmap prep list to get there, which starts with tackling the SLAE from Pentester Academy and maybe some other companion topics. SLAE is very open-ended and I expect to learn a lot of things I’ve just not been exposed to before (assembly, shellcoding, etc).
  • CCSP (Cloud) – Another nod to being a work-influenced topic, but I wouldn’t mind spending some time studying up for the ISC2 CCSP (Certified Cloud Security Professional) cert. Definitely the lowest priority on my list. I could even replace this with the AWS Architect certification, which I can study for through Linux Academy.
  • Pentester Academy tracks (+Red Team Lab?) – I just recently signed up a subscription for Pentester Academy and want to make further plans to slot regularly learning from it into my free time. They have a Red Team Lab that I want to keep in mind, but is a lower priority (and extra cost).
  • Linux Academy – Just an acknowledgement that I have this subscription active. What’s great is this will support not only Linux studies, but also cloud-related things.
  • Splunk Fundamentals & Power User – I want to get better with Splunk, and the first steps will be to pursue the free Fundamentals training and certification, and then look at Power User. This may get higher priority if work pushes it, or if I get sent to Splunk .conf again in 2019, where I can take a course or the exam on site. This one really depends on some external work influence to prioritize it higher.

That’s serious aggressive for me. Even at my most conservative estimate, I should walk away from 2019 with GWAPT (2-4 months), Linux+ (month or two), SLAE certifications (2-4 months). With CCSP and Splunk and OSCE lurking around the corner. That’s some serious work I’d have cut out for me, and I totally know it. And I haven’t even gotten to informal topics I want to dive into over the next year! Thankfully, a few of them overlap…

Informal Topics

  • Web app topics and GWAPT prep – I have several books and topics that will go into my preparations for the SEC542 (GWAPT) course. This item really is just about making sure my web app work neither starts nor ends this year with just this course.
  • Binary exploitation / buffer overflows / reversing – I also feel inadequate when it comes to reversing, fuzzing, binary exploitation, and handling buffer overflows. This goes into my preparation for OSCE as well. I have some HTB boxes/challenges, courses, books, and a few other topics listed out behind the scenes that slot into this bullet item. This overlaps with more Python work, too.
  • Bloodhound (AD mapping) – A tool I want to not only try out, but incorporate at work.
  • HTB some more! RastaLabs / Offshore and POO/Endgame – I nearly got HTB out of my system this summer by hitting Omniscient with challenges and boxes. However, beyond just catching up on new boxes, HTB still has some offerings (free and paid) that I have yet to take advantage of. I’d like to. I currently have VIP access, but I’ve not decided if I will renew that next year. So this does mean I want to set aside some time to go through all of the retired boxes (along with IppSec walkthrus as needed). This platform is great to jump in and out of in bursts to keep my attacker skills from getting too rusty.
  • Books – I have a list of books/ebooks that I want to consume. It’s not large, but significant enough that I wanted to put onto my goals. I have a love-hate relationship with infosec/tech books. I used to collect these far more than I do today, but the number that never really got used outweighed those that I found useful to some degree or other. I’ve trimmed my collection down about 75% over the past 5 years, but I’m slowly picking out new ones to consume that I know will either be useful references or good actual reads/lessons.
  • BurpSuite – I list this here because I still want to get better with BurpSuite. I have a course identified that will help, but I imagine SEC542 will help as well.
  • Python and PowerShell – I continue to yearn to get back up to speed and beyond on PowerShell and Python again. If I can take SEC573, that will certainly bring my Python comfort way up. Grabbing onto some work projects can help with these as well.
  • Scapy – Scapy is something I want to learn as I pick up Python. It’s long been on my list, and I admit it’s still waiting due to lack of me needing it day to day.
  • PluralSight – I normally don’t just list a subscription I have, but I wanted a reminder that I have this subscription open, and if I don’t find uses for it in 2019, I should trim that cost off.
  • Home lab / Blog / Github – I have a whole list of things to do on the home lab that I won’t list (and commit to!) here, but it’s a thing on my radar. One thing this does include is cleaning up this blog a bit and using my github for more things. The main immediate item will be moving all my links on the right pane over to a github page and maintaining it there for the future.
  • Leadership – From the triple threat route, the one place I have no demonstrable experience is infosec leadership (vs offense and defense). So if I have chances, I should try to tackle and succeed with project management, vendor relation, team mentoring, and presentation opportunities. I’ve long been a team leader/mentor type, but have rarely translated that into something demonstrable, visible, or upward-facing, if that makes sense.

Cons/Meetups

  • SecDSM – Monthly meet-up that I always attend and will continue to do so.
  • BSidesIowa – Local Bsides event that I’ve always liked. I may focus more on the CTF this year than talks, though.
  • SecureIowa – This was only ok for me, but it helps that it takes place during the work week.
  • Wild West Hackin’ Fest? – I’ve love to try and get to this next year. Slotting it in, but not sure yet.
  • Splunk .conf 2019 – If work wants to send me to this, I’ll think about going. It’s in Las Vegas, so a little less exciting than before.
  • ArcticCon? – This is a red team vetted-invite con in Minnesota. I doubt I “qualify” for an invite, since I don’t have a red team job, but I sure would love to go.
  • Defcon – If I get a chance to be sent out to Black Hat USA, I’ll stay a little longer on my own dime to attend Defcon again. If not, it’s pretty unlikely I’ll go on my own.

Cert renewals

  • CISSP – This is just my yearly CPE maintenance. As long as this is easy to maintain, I’ll keep it up, since I have no real reasons why I shouldn’t.

ranting and could care less about obscurity

Posted on by michael

Maybe it’s because summer has given up the fight and it’s diving colder today for the weekend, but I feel ranty.

My other rant this morning is about security through obscurity. I hate seeing people say that this is bad. I mean, passwords fit into this category! The proper frame of mind is to say, “security through *only* security” is bad. I can move my SSH port to tcp 32154. Does that make SSH more secure? Not in itself. Does it make it harder to find and thus adjust my risk factor? Yes, somewhat. All those port 22 scans on the Internet will pass me up. Obscurity can certainly, and almost always is, part of one’s security posture.

Also, I hate when people say, “I could care less.” Well, that means you could in fact care less, which means you care. You mean to say, “I couldn’t care less.”

*curmudgeonly sounds*

pessimistic on security awareness vs technological controls

Posted on by michael

(This post is going to sound exceedingly pessimistic about us humans. It’s purposely slanted a bit to make some points, but also to let me rant just a bit.)

I just got done reading a rather large post elsewhere about information security training. And it was long, and detailed, and probably more detailed than anyone actually does, anywhere, without multiple full-time staff dedicated just to training.

Which brought me to the question: why do I take a slightly more pessimistic view of security awareness training? I like awareness training, but I put more emphasis on actual technology controls, than I do trusting people to do the right thing. I’ll trust, but I’ll verify. I’ll say security awareness training is necessary, but I won’t say it’s one of my key tenets I lean on to provide security or one of the most important things one can do in the business to improve security.

To me, training has a few achievable goals (this probably isn’t my exhaustive list, just a quick one):

1. checkbox. Let’s face it, requirements are a driver.
2. education on process – Make sure everyone knows how to deal with incidents or questions. Know to dial 911.
3. education on best practices – Enough knowledge to have a chance to make the correct decisions.
4. education on bottom-line performers – Provide education to those who truly didn’t know these things.
5. education about controls – What they are, why they’re in place, how they help. How to work with them instead of against them.
6. education about things too nuanced for actual controls (lots of social engineering falls here, and this is the elephant in this post).

That makes it sound like I want to deliver lowest denominator training, but that’s not true. I actually think training should challenge the audience a little bit, and make sure it improves knowledge, rather than baseline it. I prefer trainings that add value, even a little bit, to the audience, rather than “yet again” going over the same ol’ bullet points. I want people to learn something and not feel talked down to. One of the main problems is such learning can get into technical weeds pretty quickly. Questions like, “Well, why is this password weak?” or “What do you suggest to be more secure at home?” get deep very quickly, if you’re not careful and empathetic to the audience. Also, random attendance can mean you get non-technical folks in with the developers, and those developers love to ask questions about password complexity, because it’s arguable and there’s no real good right answer, which muddies the experience.

But, why do I get pessimistic about awareness training? For the same reasons I think people suck when they make risk decisions while driving. Unless there are radar detectors or tickets waiting around a corner, many drivers will drive at a speed that matches their own desires and risk tolerance; which often seem to be 5-15 mph over the posted speed limit, but sometimes more. Let’s just say 30% push this boundary marker on any given road.

These are the same people in the business as are on the road. And in the business, they have their own goals and things to get done for their job, boss, and customers. In fact, I would guess that 30% of employees will do whatever they need to do to get their jobs done efficiently, even if that runs contrary to security policies, as long as they’re not outright prevented. Need to trade a document with a client, but the client balked at the clunky “email encryption” solution you utilize? It’ll be ok to use Dropbox this one time. Email is too clunky? It’ll be ok to use Messenger on my phone. I need to work on this highly confidential document at home this weekend and I don’t want to bother VPNing in? It’s ok this one time to put it on my personal USB stick.

People will do what they can get away with if it is in their best interests. People are innovative, creative, selfish, and usually pretty passionate and determined. None of that should imply malicious, but there are malicious actors lurking as well.

This means you need to pair up education with technological controls. Actually stop the unwanted behavior as much as possible, or detect/alert and provide feedback when it occurs. And educate about those controls and why they are in place. It also means that breaking security policies should cost users more than they gain, making it actually in their best interest to follow the policies.

Education goes so far. You can post signs about children at play, school zones, speed zones, and even radar detection enforcement. But you have to have controls in place that properly detect, prevent, stop, and penalize unwanted activity if you truly want to reduce and change behavior.

I do think people generally want to do the right thing, but that often slides to the side when someone needs to get something done.

If a control impedes business or seems like it stifles innovation or “getting the job done,” then it needs to be discussed and the reason why such controls are needed. This way alternative solutions can be identified and tried out, rather than users crying about security and security crying about users. Both sides need to know the lines, the controls, and where the business itself wants to draw them.

my certifications and how they helped or did not help the career

Posted on by michael

A thread recently came up on TechExams.net forum about the order one got their certifications and which ones helped their career or were unnecessary. I typically don’t try to regurgitate my life story in random places, but I liked the question enough to ruminate on it a little bit. My certification path is a “stop and start” type and requires a few extra timeline points to explain some things.

~1998/1999 – Started blogging – Just a personal milestone for me.

2001 – MIS 4-year degree – A career milestone. I may have felt a little obligated to get this; I mean, after high school, you go to college, right?

2001 – Found a deep interest in information security – Several factors came together to this realization (writing a gaming site post about finding a career by using your PC gaming skills and getting into Linux distros, for instance), but the singular event that really informed me was picking up a random thick book from Barnes & Noble in my earliest efforts to keep learning after school: Hack Attacks Revealed by John Chirillo. The knowledge and attack/defense tools stoked a fire that will not be going away.

~2001/2002 – Started blogging about tech/security & first vanity domain – At some point, I started blogging regularly about tech stuff and security topics, mostly just interesting links and tools. Many of these posts are either lost or buried in another data file backup somewhere along with personal blog postings. After leaving school and leaving their nice hosting, I also picked up my first vanity domain.

2002 – First “real” job – Basically, the real start of my career!

2002-2006 – Lull #1 – My 4 years at this job marked two things. First, I learned an absolute ton and had an absolute blast doing it. I grew by leaps and bounds during this period. Which probably is the reason this period is also marked by no formal learning of certification. I was underpaid by a company that also wouldn’t pay for training, but I didn’t much mind it since I was learning so much on the job. So, this was my first lull in learning, but it didn’t really feel like it. I have a strong nostalgia factor from these years of my career, work- and enthusiasm-wise.

2006 – Security+ – A job change later and I wanted to demonstrate my interest in security better. Before LinkedIn, you really only had in-person networking and your resume to demonstrate security acumen. If your job title was generic, but you managed security devices, it was difficult to show it. Also, I wanted to learn more. Security+ worked great for this. Spent personal time studying books and passed the exam. At the time, this was also a lifetime cert, which was a bonus I wouldn’t understand at the time.

2006 – terminal23.net domain – At this point, my technical blogging eclipsed my personal stuff in both effort and frequency, so I separated them with a second vanity domain. I took some effort to pull old technical posts into this blog, but some much older stuff I wouldn’t bother with.

2009 – CISSP – I also pursued this one on my personal time using self-study books. I would happily pass on my first attempt. Even at this time, there were threads of CISSPs being derided for not actually knowing anything (one guy at my testing center that I talked to was a sales guy on his third attempt, because it was required for his sales position…), but there was and probably still is no better certification to demonstrate interest in and at least some wisdom about security. In fact, this cert probably opened the most doors and got me the most recruiter attention of anything else I’ve picked up, by far. It’s definitely a gateway cert, and I think everyone in security should at least have this on their roadmap. Sure, you can skip it if you have good demonstrable security work and/or good networking, but for most of us, this makes a statement itself. Even now, almost 10 years later, I’m not sure when I will burn it or let it lapse… On the down side, I didn’t get a raise for this, paid for it myself, and didn’t use it to springboard into another job. Maybe a wasted opportunity for me, but I like where I am today for it.

2009-2017 – Lull #2 – During this period, I grew quite a bit with my skills during work hours, but for the most part, I did not pursue any formal education. I signed up for the PWK/OSCP (PWB at the time) cert, but work threw me, well…work, and I didn’t have the time to devote to it, so I let it slide. It didn’t help that my company did not really budget for training nor encourage it; in fact, I had a manager whose teams always seemed to stagnate and work behind the times with old tech/code/habits. I wouldn’t say I coasted during this period, but I was very comfortable and my days were filled with work at a manageable pace.

2017 – OSCP – Finally started getting that bug to get better jobs and re-find my enthusiasm and learning passion that I had in my first “lull” and early years. I decided to pursue the OSCP again on my own time and dime, and achieved it after about 4 grueling months. Of all of my certs so far, this one gave me the most street cred, and for hiring managers who know it, it definitely gets their attention. Particularly the 24-hour exam.

2017 – OSWP – I knew I wanted to keep learning, and I remember the hey-days of war-driving and backtrack wireless cracking, so I wanted to revisit those activities with what I knew was a much lighter cert in the OSWP. Took about 2-3 fairly casual weeks from start to finish. Really enjoyed it, and left me hungry for more.

2018 – CCNA Cyber Ops – I don’t remember how I learned about this, but Cisco basically gave out free training and certification exams for lots of people who already had various industry certs, so I got this certification for free, though I did have to devote plenty of personal time to get it. This didn’t improve my resume at all, but I did like the experience. And I have to be honest, while I kept up with security blogging over many years, from about 2015-2016 I got a little out of touch with the security industry. And taking the Cyber Ops course filled in some gaps of new ideas and things like “threat hunting” and the “cyber kill chain” and “diamond models” which had been basically introduced at the time. Ultimately, this course pursuit got me back up to speed of the buzzwords of a SOC. Unless Cisco builds something compelling around it, I don’t plan to renew this one.

2018 – GCFA – For me, this is the first time in my career I’ve had corporate backing for education, and also marks a culmination of the next part of my career where I have strong, specific goals for growth. Also, a point where I stepped just slightly outside my comfort zone to formally learn something new that I identified as a weak spot.

Footnote
One thing I will notice in my timeline compared to some other postings in that thread is how some people earn certs and are immediately rewarded with it leading to a new job or a raise of some sort. But, my timeline has almost none of that; many of my certs were earned and I would not say they directly led to a future job. Maybe a few interviews, but certainly not in the same calendar year as the cert was earned. I’ve also had the luxury of not having jobs that required extra study.

I also noticed that I never had (until this year) company or managerial backing for growth like this, and I also never had peers or colleagues who pursued certs or further formal education. That certainly makes a difference, as I do become influence by those around me, as most do. I had to find the effort to self-start, most of the time.

There’s really no way to say it without sounding conceited, but all of my certs came from my own motivation and my own desire to learn and/or demonstrate knowledge in security. That’s not any less or more than other reasons to get certs, but I found that enlightening for me. It also helps illustrate what makes me happy, what drives my passion for this industry, and informs my plans for the future.

top ten strategies of world-class socs

Posted on by michael

I find it crazy that I’ve not seen this before, but I got linked today over to the MITRE Ten Strategies of a World-Class Cybersecurity Operations Center free book (pdf). Holy crap this is awesome. The rather large first section talks about building a SOC and the various considerations that go into it. And then the top 10 strategies build on that foundation to further guide the growth of the SOC.

Every section has wonderful nuggets of truth like this one in strategy #5 (Favor staff qualify over quantity):

Analysts must be free to analyze. It is indeed true that Tier 1 analysts have more structure in their daily routine for how they find and escalate potential intrusions. However, those in upper tiers must spend a lot of their time finding activities that just “don’t look right” and figuring out what they really are and what to do about them. Overburdening analysts with process and procedure will extinguish their ability to identify and evaluate the most damaging intrusions.

Honestly, this might be my second favorite technical book, up there with The Practice of System and Network Administration (Limoncelli).

2018 career goals review

Posted on by michael

I still have a few months left for 2018, but I feel like I’ve been pretty successful already with my goals on the year. This is really year 2 of me specifically tracking my career growth and learning. In 2017, I earned two offense/red team certifications, and this year I earned one defensive and one forensics certification, amongst other learning accomplishments. So, largely for my own benefit, here’s my summary on the year of the important stuff.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field – This isn’t a goal so much as a lifestyle statement, but I feel like I’m on track here. Even as I plan to alternate learning year over year, I’m keeping both sides in mind every year. I ultimately want to make sure my offense, defense, and forensics can all test and improve the others.
  • balance career growth opportunities along with actual learning – Going well on this! My enthusiasm has gone up quite a bit, and with the exception of the CCNA CyperOps cert, everything has been chosen for learning opportunities and not marketability. I think this pendulum will continue to swing permanently over towards learning as I get older and need certs and letters less.
  • balance of work-driven and self-led growth learning opportunities. – Even without leaning on corporate support financially, I feel like I’m achieving this. Like other items, this is less an item to satisfy and more of a theme or lifestyle statement to keep at the top of my yearly goals. I also try to keep a balance of formal and informal learning tasks.

structured learning/training/events

  • Cisco CCNA Cyber Ops course/certification (2 exams: 210-250/210-255) – completed in March and lasts 3 years. Keeping this depends entirely on what Cisco wants to do with this line. Did I learn much from this? I actually did, but it was also all pretty basic to me and easy to approach, consume, and test on. I honestly would not have done this had it not been free. The biggest benefit is now knowing where this fits into my recommendations for other students and newbies, and it’s a pretty good cert for someone looking at an analyst/SOC role.
  • SANS FOR508 (May 11-16 San Diego) + NetWars – completed in May. Absolutely loved my time on site in the course and studying later for my first SANS/GIAC endeavor. I purposely aimed at something challenging that was going to put me into some deeper waters (memory analysis), and I couldn’t be happier for it. Participating in NetWars was amazing, and set up my only remaining engagement yet this year: SANS CDI.
  • GIAC GCFA certification exam passed – completed in September and lasts 4 years. I likely won’t need to sweat renewals for this for a while, as I have a backlog of SANS courses I want to take, and certs I’ll opt into testing for. Overall, loved this process, and having an exam as an excuse to study more really made the material sink in and click for me. This is also an example of me stepping a little bit outside my comfort zone, as I’ve never done forensics like this before. I have a deep Windows administration and security background, but much of these methods and materials was a new approach for me.
  • Maintain CISSP – Completed, of course.
  • spunk .conf 2018 – Completed in October. Not only my first time at a Splunk event, but honestly, I think this is my first vendor-specific conference in my career. I really enjoyed this con, even if I didn’t actually learn a ton. But, I think I’ve learned how one should approach such a con like this, i.e. come with questions to start a discussion with vendors and subject matter experts or fellow attendees as needed.
  • BSidesIowa, SecureIowa, SecDSM – Kept up with the annual cons and the monthly SecDSM meetings this year so far. A bit of a softball in terms of goals, but I find it is important to keep a ling item for cons, local and remote, to stay current on.
  • SANS CDI Netwars ToC – Decided to opt into doing this as I may not get the chance again. Occurs in mid-December and I’m all set up to attend.

unstructured learning/self-study

  • Metasploit Unleashed Course (OffSec) – incomplete. I admit, this isn’t a big deal, and I’m just being stubborn at this point in keeping it on my TO-DO list. But it’s here, and some weekend I’ll just knock it away. (It’s not like this is updated and current anyway…)
  • finish LinuxAcademy RHCSA/LFCSA courses – All of the completed items stole time away from this and reduced its priority. Even if I still don’t get to this in 2018, it’s going to be a thing in 2019 for me as well.
  • SLAE-> CTP/OSCE (tentative, or just prep) – I knew it would be super aggressive and difficult to maintain sanity and also prep for this path, and I’m not surprised I have not even started it. It’s still on the list for possible late 2018 inclusion, or another lower priority in 2019.
  • HTB VIP Progress/Habit – Completed. I got back into HTB with a vengeance after realizing my offense skills were rusty during the SANS NetWars event this past spring. My goal was to hit 50% completion in HTB, shake off the attacker rust, and just build a small habit to keep with it. But, after getting going, I met some folks on the platform and got help when I needed it to achieve 50% completion by July, and 100% completion by August.
  • Burp Suite improvement/growth – Doing HTB got me good practice and experience with Burp, but I want to consider this only about 25% done, and something to continue working on.
  • Web Hacking 101 book – Haven’t started it yet.
  • Python (+scapy) improvement/growth – on hold, I still need to figure out how I want to tackle this
  • PowerShell improvement/refresher – on hold, I still need to figure out how I want to tackle this
  • CTF participation (as it fits in) – This was definitely the lowest priority of the year, so I feel even my minor work here completes it.
  • survive at work (work topics) – Completed!

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits – I feel mostly completed on this one, with the very notable exception of the things piling up in Pocket.
  • expand OneNote use – Successful in moving from EverNote to OneNote.
  • work on better anonymity online/VPN service for personal use – I don’t feel I really started this.

my time at splunk .conf 18

Posted on by michael

A week ago I flew down to Orlando, Florida to attend Splunk .conf18. In thinking back on this, I have to say this is the very first vendor-specific conference I think I’ve ever attended in my 15 years in IT. Based on who you ask, the con itself had 7500-9500 attendees in its largest event to date. That’s pretty impressive! I attended as many talks as I could, and I left pretty happy with the content I consumed. The talks and slides are all available online for consumption.

Day 0 – Sunday
My goals for this day were just to get to Orlando and settled into the hotel and do some recon of the grounds and environment. On the plane, listened to some Darknet Diaries; finally finding some time to do some podcasts! Took some time to hit the Boardwalk on the ground and already get sick of the heat and humidity.

Day 00 – Monday
Goal today was to get registered for the con! The line was super quick, even at 10:30am with the masses to get checked in, get a badge, pick up the backpack/water bottle freebie, and then pick up the freebie hoodie. Beyond that, this day was pretty casual until the evening.

First Timer Orientation talk – This was a nice intro to the con, even though the room was moved and I didn’t hear about it until a co-worker texted me. I guess I need to click update notices in the event app! (Come on, I’m in security, I don’t click accept/download buttons unless I have to.) Also, this was the only talk that I attended with a drink-in-hand speaker. (I’m not a huge drinker or want others to drink, but to me, this still sets a tone and statement for the sort of partially or fully informal a venue may be. This is why I like smaller cons over larger vendor ones.)

Welcome Soiree – This was a neat way to get people to the vendor floor: an evening event with free food and alcohol stations throughout the vendor floor. Scoped out vendors, splunk experts, projects, and plenty of swag. And I will admit, I evaluate vendor booths on three things: 1) whether I know and like them as a product/company and want to say hi, 2) whether I want some of their swag or not (either for me or to give away to others), and 3) whether I want to buy them (and I’m not a purchasing approver, so that’s pretty much no one). I had fun down here, though someone kept turning on music every now and then and it was ridiculously loud.

Day 1 – Tuesday
Visionary and Roadmap Keynote + Breakfast – For the morning keynotes, buses took us to ESPN Arena where we picked up breakfast bags before taking seats. After the talk, I don’t think the bus crews were ready for the flood of people, and organization broke down pretty hard on one side of the venue, but we all got back in decent time (albeit later than intended due to the overlong keynote).
Security Super Session: Splunk Security Vision and Roadmap

Security Super Session: Splunk Security Vision and Roadmap – A strong, high-level look at Splunk and using it for security operations. Not much to say on this one. The diagrams are wonderful (and would be used in several talks I’d see over the course of the con) for designing your security operations around.

Find and Seek – Real-time Asset Discovery and Identity Attribution Using Splunk – I didn’t actually see this talk. Tuesday was the one day where I was all over the grounds for various talks, and required buses to get me places in time, and the buses were still a little chaotic. I was on time getting to this talk, but after about 15 minutes after the start time, we were all still waiting outside the room. Thankfully, it was right next to a sandwich distribution station, so I just left with my lunch to eat elsewhere. I’ll have to catch this recording later.

Let’s Get Hands-On with Splunk Enterprise Security, Splunk Phantom, and Real Boss of the SOC Data – This was the one “laptop required” talk I attended, and honestly one could have been just fine sitting back and watching along. This session had several hundred people in it, and as such you have to expect them to move on and not wait for anyone, and move on they did! Thankfully, this is the introduction talk for a broader and slower workshop for security people to get from Splunk throughout 2019. As it was, I really enjoyed getting hands-on a bit with some practice data for finding attacks. The data itself was used in the BOTS competition the previous evening. While I’m new with Splunk, it’s these hands-on demos and doing actual things with the data that get me excited, rather than high-level, perfect-situation statements.

Threat Hunting and Anomaly Detection with Splunk UBA – I really liked this talk and speaker. While nothing about Splunk and anomalies and hunting were new to me, I really loved the best/worst practices examples. That’s the sort of detailed, technical stuff that I eat up, rather than non-filling high-level statements.

Pub Crawl – Similar to the soiree from the previous night, only with craft beer stations and less food overall. Other than the alcohol and snacks, I didn’t really need a second round through the vendor hall.

House of Blues – We also got invites to a party at the House of Blues. The music was just passable, but it was an excellent buffet, and I got a chance to sample the infamous Voodoo Shrimp (which was basically forgettable, to me). The best part was just getting another evening without a food bill!

Day 2 – Wednesday
Product and Technology Keynote – I’m not a huge breakfast person, and I found out you can watch the keynotes online, so I didn’t even bother heading out to see this one live. I opted to stay near the hotels and not fight lines for a latte.

Hacking Your SOEL: SOC Automation and Orchestration – I love technical talks, less so high level ones. But if there is one talk that I’d recommend that is high level about SOEL, and SOAR, and SOC automation, I’d point people to this one. The speaker just plain made sense of all of this. Sure, it was high level, but also detailed enough to formulate a roadmap for the future on the topic. One of the more solid talks I attended.

Attack Surface Reduction: Using Splunk to Spot the Security Flaws in your Network – The description for this was probably reflective of a longer talk that got cut down. This talk ended up being basically a firewall review 101 session, but using Splunk to view your logs for activity on firewall rules under review. I did learn just one thing from this: monitor for sessions that hang, i.e. no endpoint listens on the target port anymore. I probably would have done that, but I think it’s important to keep that situation in mind. The rest was really pretty newbie material.

Which brings me to one of my main challenges: Finding the right level of talk for the topic. For instance, I’m a newbie with Splunk, but security concepts I’m very deep with, both defense and offense. I would love to have known this talk would be at a newer level of security, as I would have avoided it. This would apply to some of the threat hunting and SOC automation talks, which sometimes felt like they were just saying the same high level things over and over without a ton of deeper substance (i.e. for people less senior than I). This might not be a con issue, as it might just be my inaccuracy with using the con properly, i.e. less talks, more 1-on-1 and breakout discussions.

Cops and Robbers: Simulating the Adversary to Test your Splunk Security Analytics – Came into this very interested, but also skeptical on why the heck I’d want to spend time automating attacks like I’m some QA team. But this talk made a great case for why you do this, and how you approach it, particularly with Phantom and some other tools. Looks very cool for use on an internal testing team that evaluates not only internal response and controls, but also can test security products and even do some training exercises with your Splunk teams.

WMI – The Hacker’s Chocolate to their Powershell Peanut Butter – Probably the deepest technical talk I saw at the con dealing with attackers using WMI, WinRM, and Powershell in modern attacks, often going fileless, and how you could use Splunk and general logging to hunt these compromises down. I really enjoyed it, and was a great reflection on the Splunk security research arm.

Monitoring and Mitigating Insider Threat Risk with Splunk Enterprise and Splunk UBA – As a Splunk newbie, I wanted a mix of talks on some of their products and how I can wrap my security team around them and my own priorities and goals. This was a good talk about implementing insider threat detection using Splunk UBA. I’ll likely revisit this again as we start our own projects on this in the coming quarters.

Search Party! At Universal Islands of Adventure – Such an absolutely fun time having the park to ourselves to avoid lines and endless children in order to ride Hogwarts Express, Harry Potter’s Forbidden Journey, and the Jurassic Park river ride. The Express was super fun, and Forbidden Journey ride absolutely awesome, and the Jurassic Park ride a fun mess that stopped 3 times and ended up taking about 30 minutes to get through. The walk around the park was fun, though the back half through Marvel and the Comic Book zones were plenty unexciting compared to the other areas. Really wish we had more than 2-3 hours, but fun and free nonetheless!

Day 3 – Thursday
Guest Keynote: Steve Wozniak – I don’t really have a huge desire to listen to Woz; smart dude with lots of money and the ability to opine about technology. Fine. To make sure people made it to this talk, it was not broadcast like the other keynotes, so I just opted to skip.

Overall on this day, the food stations and snacks were far skimpier on this day. I still never had to visit the main food tents, but I definitely had to look for food myself otherwise.

“MAKE IT RAIN!” How to Save Money Monitoring, Managing, and Securing Your Cloud Using the Splunk App for AWS – By now, I know that I should expect high-level statements when I see CEO, CTO, or other high-level manager titles in the speaker list for a talk. And then a talk like this comes around to prove me wrong. (I’ve honed my stance on this to apply only to Splunk as a company itself when its higher-level managers speak.) This talk was an actionable demonstration of tying some important AWS logs into Splunk and showing how that is valuable for operations and even security. A slightly short talk, but really nice to sit through as someone new to Splunk, new to AWS, and subsequently new to doing them at one time.

From Threat Modeling to Automated Response – Identifying the Adversary and Dynamically Moving to Incident Response – Yet another talk about threat hunting and TTPs and adversary profiling. A good talk, but I don’t think it included anything that I didn’t already know.

If there’s anything in my year that will define it, it’ll be the prevalence of Kill Chains, Threat Profiling, and Threat Hunting. I can’t escape the same ol’ statements about them. I had it throughout the Cisco CCNA Cyber Ops course, the SANS FOR508 course, multiple talks at Splunk .conf, and beyond. I’ve long had a post waiting about how and why threat hunting is such a deal these days (it comes down to getting internal value and blending offense into the internal blue teams, plus trying to make sense of the new breeds of security tools that don’t just alarm on bad, but require human decision-making to piece together multiple things…).

Blueprints for Actionable Alerts – This apparently is a version of a talk done for several years, and it kinda feels like it. For some strange reason, I didn’t get much out of this, though on the surface I should have. It’s really a discussion in figuring out how to tackle an environment with 4000 alerts in a day, and reducing that piece by piece to be manageable and useful. I think everyone sort of does this their own way, which all sort of dance around the same gameplan.

Splunk P30X: Become a Lean, Mean, Splunkin’ Machine in 30 Days – Probably the best and most useful talk I attended at the con. The point is to have an actionable, lunch-hour plan to tackle and do various Splunk activities to culminate in being able to pass the Fundamentals exam at the end. I loved the actionable approach to this, as well as the follow-up activities the authors are releasing to support it that I can directly consume. Not only the 30-day plan, but also additional materials for newbies. Wonderful talk!

Day 4 – Friday
Nothing much exciting here, just a full day of getting back home.

Overall Thoughts
I loved the overall experience and benefits to going; it was fun, got to visit a fun park, and so on. This could double as a family vacation if you brings the family along. Next year, the con is in Vegas, and I’ll admit that has less appeal to me as a venue/area.

If I go again, and have others with me, I’ll lobby somewhat hard to get signed up for one of the competitions they hold, either Boss the of NOC or Boss of the SOC, where teams pour over and parse out data to answer questions about operations or security incidents, respectively.

getting into and growing inside the infosec industry

Posted on by michael

A revival of sorts on content from BHIS on getting into the Infosec industry, including A Career in Information Security FAQ Part 1. Pretty good stuff! But this section really stuck out to me:

The customer service, tech support, help desk, etc., these jobs are crucial to forming a solid background in computer science. Learn how to solve problems effectively. Learn how to discern between useful web search results and wastes of time. Employers don’t want to hire you for what you know. I generally believe that anyone (some computer background) can be trained to accomplish digital tasks. I can’t train you to manage your time well. We can’t train people to be nice, treat others like human beings, or to be steady under pressure. And truly, those are the skills that will put you at the front of the line. It worked for me and everyone else at BHIS too.

I would include other skills such as asking questions, being curious, being tenacious, looking at ways to break and fix things, and having a quick mind to solve puzzles.

And to be honest, that whole post is a wonderful bit of encouragement and advice for anyone to read, newbie or jaded veteran. Things like, “That motto is ‘Fail Fast, Fail Often, and Fail Forward’. When you are working on solving a problem spend more time failing and less time analyzing the problem from a distance,” and “One of the most critical skills in information security is the ability to go off script.” That’s gold right there, alone!

Addendum: I do want to point out the question towards the bottom of the post about the biggest hurdles in first getting started. And it might be obvious, but it bears constantly repeating that the two biggest items are 1) experience, and 2) imposter syndrome symptoms. The former is just something you get past after a few years of work. The second is a lifelong personality and internal compass issue where we just have to come to terms with the scope of infosec and how no person can begin to swallow that whole ocean. Learn what you can, balance your life, fail fast, move forward, get better, succeed.

the cat and mouse game of security improvement

Posted on by michael

I don’t often find fairly general articles to have enough interesting nuggets and quotes to bother saving, but sometimes they just flow so well and include plenty of head-nodding things to agree with, all with wording that I appreciate. One such article came across from Dark Reading, Think Like an Attacker, How a Red Team Operates. Dark Reading seems to like limiting the ability to read articles, so I don’t mind being a bit liberable in pulling out quotes I like.

“The whole idea is, the red team is designed to make the blue team better,” explains John Sawyer, associate director of services and red team leader at IOActive. It’s the devil’s advocate within an organization; the group responsible for finding gaps the business may not notice. I just love that sound byte. I want that to be my elevator job description.

“The main function of red teaming is adversary simulation,” says Schwartz. “You are simulating, as realistically as possible, a dedicated adversary that would be trying to accomplish some goal. It’s always going to be unique to the target. If you’re going to get the maximum value out of having a red teaming function, you probably want to go for maximum impact.” The early part of the article goes a great job of succinctly comparing pen testing and red teaming while also illustrating how these have changed as time has moved on. Old school pen testing has shifted to be called red teaming as a way to further differentiate as pen testing has become commoditized.

The team ends up chaining together a small series of attacks – low-level vulnerabilities, misconfigurations – and use those to own the entire domain without the business knowing they were there, he says. Typically, few employees know when a red team is live.

Red and blue teams may work together in some engagements to provide visibility into the red team’s actions. For example, if the red team launches a phishing attack, the blue team could view whether someone opened a malicious attachment, and whether it was blocked. After a test, the two can discuss which actions led to which consequences. Beyond actually enjoying it, this is my whole value proposition for my interest in offense and red teams: It makes my defense better. Which makes me get better on offense. Which makes my defense get even better… Getting a root shell or DA credential is the addiction, the satisfaction is passing on the information to make improvements.

More and more companies are starting to realize if they limit themselves to the core fundamentals of security, they’re waiting for something bad to happen in order to know whether their steps are effective, says Schwartz. Red teaming can help them get ahead of that… Many companies are building red teams in-house to improve security; some hire outside help.

The main reason behind building a red team internally is because as it grows and improves along with defenses. As security improves, so do the skills of red teamers. Offensive experts and defenders can attack one another, playing a cat-and-mouse game that improves enterprise security, he continues. Internal teams are also easier to justify from a privacy perspective.

Overall, the pros argue a full red team can help prepare for modern attackers who will scour your business for vulnerabilities and exploit them – but they’ll help you stop real adversaries.

“The difference between a red team and an adversary is, the red team tells you what they did after they did it,” Schwartz says.

That’s such a strong ending to this article, that I had to pull a bunch out right there. Wonderful!

rapid7 releases 2018 under the hoodie pentesting report

Posted on by michael

Rapid7 has released the second edition of their now-annual “Under the Hoodie” report, which is a compilation of information and statistics compiled across Rapid7’s penetration testing teams. There’s really probably nothing terribly surprising in here, but it’s always nice to have some raw numbers of anecdotes in pocket for various conversations. Here are a few interesting tidbits or quotes I wanted to pull out.

“Relying entirely on an automated solution or a short list of canned exploits is likely to meet with failure, while a more thorough, hands-on approach nets significant wins for the attacker.” This statement has importance for internal security testing, third-party testing, and also for defenses. The first two can be obvious, but the last one about defense helps frame models, for instance the impact of an internal threat or an attacker specifically targeting a company rather than just automating a search for opportunistic moments. It also speaks between the words that an attacker with some hands-on effort and not time-boxed like a pen tester can see success.

“Furthermore, these results imply that if the penetration tester is not detected within a day, it’s unlikely the malicious activity will be detected at all.” Detection is a big deal. I’d also throw in the practice of threat hunting to find successful attackers who have gotten past the outer layer of defense and alarms. I recently deleted a draft about the whys and hows of the rise of threat hunting/intelligence (I posited it was a combination of the reduction in AV/IPS signature success, the complexity of environments, the rise of offense-friendly staff looking for offensive things to do, and other factors…). Prevention is important, but solid and effective detection matters.

“The number one issue that causes the most consternation among penetration testers is solid network segmentation. If they cannot traverse logical boundaries between environments, it can be extremely difficult to leverage a set of ill-gotten workstation credentials to escalate to domain-wide administrative privileges; even if a powerful service account has been compromised, if there’s no route between targets, the pentester must effectively start over again with another foothold in the network.”

Other factors that cause frustration for pen testers are multi-factor authentication for accounts, least privilege practices on accounts, strong patching and vulnerability management practices, and awareness to spot and report phishing campaigns, social engineering, and other low-tech attacks. What’s fun is how these 5 items are disciplines that blend security with other, very different departments: The network team for segmentation, systems/developers for 2FA/MFA, systems for patching, IAM for least access, and everyone for awareness. You can’t just boost one area of the company (or just security itself).

changes to the site – sidebar links are a bit of a relic

Posted on by michael

Recently went through and cleaned out dead links in my Feedly news feeds. Not only did this kick in plenty of nostalgia, but also reminded me that I should update the sidebar links on my blog! While going through these, I sat back and thought about how time-consuming this process is, how annoying it is to update wordpress themes (just give me a raw txt file that I can put code in rather than wrestle with weird interpretations and random carriage returns!), and for what personal purpose this even mattered.

In short, I need to sit back and think about what exactly I am doing with this blog site and how to make it better for me. Moving to hosted WordPress has helped with site maintenance, but has made other things more difficult. In the past, I always edited files by hand and coded things directly, but these days I tend to use the WYSIWYG, but it’s not usually quite what you see…it’s more like wrestling with a slippery eel to get things to look the way I want, rather than the way the themes want. This makes updating the sidebar annoying. At best.

There’s really four parts to my blog: the posted content, the sidebar link list, comments to posts, and the links at the top that spider out to other things about me, with this blog page being the nexus point where they converge.

The sidebar links
The extensive sidebar list of links has been part of the site’s identity since the beginning, but it’s also an old school relic.

The list is somewhat save-and-forget, except for some of the most-used items. The rest, I honestly forget are here. For some, it’s still just better to use Google to get the latest, greatest.

These links are also best used by me, and probably not clicked on by anyone else ever. The list is roughly doubled up in: feedly, podcast subs, youtube subscriptions, twitter follows, discord server memberships.

I do know that clicking links will place referal pokes to the targets…maybe. It’s one of those ways to get noticed, but I’m not sure blogs and/or comments are “noticed” anymore or really followed at all. A blog used to be your focal point online that other things revolved around, but these days the social sites have supplanted them. There is also so much flow these days, that I don’t ever really “catch up” on blogs I’ve missed. They’re much like IRC or Twitter; you pop in and maybe look at the recent buffer, but the rest of the log is in the past and there’s no reason to spend that time reading backwards.

The bottom line: the link sidebar is a relic with questionable value to me, and is annoying to update.

The comments
The comments are easily forgotten, since I don’t get many and don’t expect many. The problem is the lack of two-way discussion. Comments on blogs are often post-and-forget, never looking back for an update without specific effort to do so. It’s far better to follow and tweet to someone on Twitter these days, or in extreme cases, find someone on a discord/slack/IRC.

In the past, prior to all the social networks, blog comments were useful to expand your exposure. Comment on someone else’s blog, put your own link in the comment, and likely get a poke or comment back in return. Again, though, today that is better done in Twitter/discord and by posting content that actually is useful to be consumed.

To be fair, comments are cool, akin to a Like, but dialogue anymore is best done elsewhere.

The bottom line: Ultimately, comments are an after-thought these days on any but the most popular blog sites, like Krebs’ blog.

The blog contents
But that does bring up the question of why I should ever update the blog? I honestly don’t look back on many things. The biggest two reasons: 1) shows off my interest and 2) allows me to organize and solidify thoughts. I may not reference the post itself ever again, but the act of writing something out helps ingrain the information and thoughts.

It’s not something I really do for anyone else except me, and as a way to sort of demonstrate my interest/enthusiasm/participation in the greater communities.

The posts I most-often re-reference myself are the personal ones like my yearly goals and results, or links to really informative checklists and processes; things that I struggle with putting links to in the sidebar only to forget them!

The bottom line: I still like maintaining the blog and it does have personal value to me.

The personal link nexus
I can’t see this going away anytime soon except maybe on a github page with a similar list of links. The whole point is to act as a point of convergence for my “stuff.” A place to find my Twitter link, LinkedIn page, Github page, and just a little bit about me (that age-old bio or About page that I feel is still necessary to tell your story properly).

Being able to control this convergence is still an interesting deal, as it lets me decide whether I want my personal name attached to a particular screenname somewhere, but as I get older, I also care less except with my own personal threat models.

As a bonus, I still love my personal domain.

The bottom line: I still plan to use this personal domain and resident site to be my nexus here, and I think I’ll expand the links a bit to include Github and maybe some other spots.

Plans
The links on the sidebar …could…be put into a github instead of this site, and probably more easily updated, too.

I could use github to also save backups of things like my podcast opml, feedly feeds export, and so on. Things that are not sensitive or inherently private.

A github is at least easier to update. And while it might not fix anything about my list of links and its usage, maybe it’ll help me pare it down a bit. Better yet, if I have a feedly export, why bother with the blog/news lists?

There is also the choice of having a private github for a few other things. I definitely don’t want to make it a huge “backup” of things, since that’s what other file-sharing services are sort of for, but at least some of my online presence and “home” page can be tailored a bit in private.

bloodhound, measuring how exposed a domain is

Posted on by michael

Recently watched a talk about a tool I’ve known about for a while, and just haven’t gotten to in my to-do list. I used the output of the tool briefly on a HackTheBox.eu target to much success. And after watching the talk at SecDSM, I’ve gotten excited again about employing this at work someday.

Bloodhound by researchers at SpectreOps is a tool that exposes Active Directory permissions and relationships with the goal to achieve Domain Admin (DA) or High-Value access into AD to pwn the domain entirely and win the game. This might sound unexciting if you only think about accounts and groups and group memberships. But Bloodhound goes deeper and wider by looking at actual underlying AD object permissions and how those objects relate to various computers in the domain.

During the talk linked above, one of the best parts is near the end when they talk about metrics, and I really loved these metrics which effectively measure how much exposure the domain has and how much effort an attacker will have to exert to pwn the environment with regards to AD permissions. It also illustrates opportunities to detect the attackers.

  • Users with Path to DA (target: 5%) – The lower, the better, as you really don’t want to think that every user that could be compromised could lead to the end of the domain.
  • Computers with path to DA (target: 5%) – Same story here, you don’t want to think most systems are just a few hops away from DA. Even a single malware/phishing success is dire!
  • Average Path to DA Length (target: 5) – The longer the better, as you want attackers to go through as many steps as possible to get DA.

hackthebox progress over the summer, meeting and exceeding my goals

Posted on by michael

Part of the reason it took so long to take my GCFA exam was the splitting of my study time with Hack The Box progress. Earlier this year I bought into VIP access to HTB, and I wanted to keep practiced up with, and learning new, offensive skills. I did more than I was expecting, and after making some friends smarter than I, was actually able to far surpass my goals and expectations to achieve 100% completion and top Omniscient ranking sometime in mid August. I still have to go back and properly learn some of the things I found way too difficult to do alone (let’s face it, the best people are the best due to learning through teams, and the best red teams have multiple people): namely binary exploitation and reversing. I get how they work, but I need my hand held way too hard right now! I still also have the “optional” sections to complete (Fortress and Endgame), and I’d like to dive into RastaLabs and Offshore, probably in 2019.

Really, my main goal was to keep the skills and processes I developed in the PWK fresh, while also learning new and more advanced tricks and tools and techniques. And I feel like I’ve succeeded in that aspect. These skills get dusty and rusty if not practiced regularly, either on one’s own or while in the course of work duties.