SOCNET: The Special Operations Community Network

Signal to Cyber: The How-To of Getting Involved (http://www.socnet.com/showthread.php?t=121922)

CV 22 October 2014 12:31

Signal to Cyber: The How-To of Getting Involved
 
It's lunch time and I'm tired of staring at boring things. As such, here is a good primer for those that are interested in careers flush with cyber-based offensive capabilities. This post is for all-comers, from the curious to the advanced. I'm sure there will be a lot of others who will reply and chime-in with their own anecdotal information, or provide insight into their pieces of the pie.

Background
I won't post a resume or bona fides, but if someone with a BTDT under their name replies giving the thumbs-up, that should suffice to validate my background. Other than that, I've been tinkering with electronics, computers, and all sorts of associated equipment since I can remember. Even as an adult, I've enjoyed some really fun gigs over the years.

"Hackers" are for the Public
Meaning, the term hacker has been abused and mutilated over the years. In the beginning (and what many still believe it to be), a hacker was someone who could take something and devise a way to use it in ways it was not intended. For example, if you have ever taken a coat-hanger, unwound it, and used it to unclog a drain, you are a hacker!

The term turned negative during the boom of the Internet during the mid-90s, due largely to media. Once the world became interconnected, hackers found ways to manipulate the rules governing the Internet to make it do things it was not intended. It should be noted that hacking is generally not a bad or malicious act. Most of the really cool technology and software we see today is a result of "hacking."

As the years drew on, the need for a distinction was created. This is where we get the color-coded hats for hacking; white, grey, and black.

White: someone that hacks with prior-approval to find flaws.
Grey: someone that hacks to find flaws, but does not have prior approval to do so--but also doesn't do anything wrong with what they find.
Black: assholes that are maliciously trying to bring systems down, or manipulate data.

There are even sub-levels of these, but honestly it doesn't matter. These are the primary ways that people categorize hackers.

From Faux pas to Chic
For the longest time, hacking has been viewed as voodoo. People, companies, and organizations viewed it as taboo and something to keep a distance from. Well, this fucked the western-world royally. As a result of 9/11, and exponential growth in technologies, the need to shift from a defensive mode, to offensive started to evolve. Leadership in all sectors started to see that a war was being conducted and that they were losing very badly (I contend we have already lost, and are in triage mode—but that's for another post).

The once coveted defense-in-depth principles we had been force-fed were now starting to include not only counter-measures to cyber-based attacks, but counter-attacks! Soon (mostly within the past 5 years), hacking, quickly renamed Vulnerability Assessing, Auditing, and Penetration Testing, became cool, and is now a coveted skill-set.

Training and Certifications!
The fun part. With any good crisis comes an opportunity for business. I don't begrudge the entrepreneurs that established the baselines for these certifications, as they are valuable. I'm just jealous I didn't have the foresight to think of it first!

Certified Ethical Hacker (CEH)
This certification is known by most organizations, making it easily one of the higher-paying ones to obtain. I used to poo-poo the certification, but it is now on version 8, and is actually quite good in terms of technical capabilities. If I were to hire a penetration tester, I would take someone with this certification over a CISSP. The actual content of the coursework leading up to the exam covers the methodology of hacking, and focuses more heavily on the use of tools than actual tool development.

GIAC Penetration Tester (GPEN)
This certification is a lot like CEH, but has less of a focus on individual tools. Some think it is broad (and I agree), but it isn't necessarily more challenging. I say this because some professionals I have worked with claim it is more difficult. I think it's just more different. Not many industries are hip to this certification yet—at least not as much as CEH.

Certified Information Systems Security Professional (CISSP)
This has been the gold standard for information security professionals for years. It is a challenging exam that also requires you to submit proof that you have worked in the field. They do this to keep people who are good at test-taking from walking in and getting certified. This certification still yields the most worth in the field, but it should be noted that it is NOT a technical exam—thus why I would hire someone with a CEH over a CISSP if they were applying to be a penetration tester.

Offensive Security Certified Professional (OSCP)
It seems no one outside of penetration testers really knows, or cares about this certification. That will change, I am sure. If you're chasing money over bad-assery, then leave this one alone for now. That said, this is possibly one of the hardest exams for a no-shit penetration tester (hacker). It's a real-world exam where no multiple-choice questions are provided. You are literally given some basic notes and told to go to town on a mock system (usually a fake Bank). You literally have to break into a system by identifying and exploiting vulnerabilities, and ultimately work to gain administrative access/control. It. Is. Awesome.


I'm back to work. Post questions, comments, or dumb remarks. I'll help the best I can. I'll try to follow-up with some how-to's in getting off the ground. As per admin-instruction based on a thread posted awhile ago, no methods or actual vectors will be discussed.

Local 22 October 2014 12:39

I will be paying close attention to this.

- Local

Golden Tiger 22 October 2014 13:29

Good post. I had followed some advice from here a couple of years ago and pulled off the no tech background -> help desk -> network engineer thing on the way to more infosec focused work. Right now I'm looking to make the leap into that realm and have my Security+ (and probably my CCNA security here as soon as I find time to schedule the exam).

What kind of leap would I be looking at to go for, say, the CEH? I looked at GIAC and you're right, it's crazy expensive unless you luck out and get one of the work study spots for a conference.

CV 22 October 2014 13:36

CEH is about methodology, and then the tools used in each of the methodology's phases. It would absolutely help to already have a solid baseline in networking. You will want to know what certain things are, like DNS, NetBIOS, LDAP, SMB, etc...

You can learn all of this without prior knowledge, but it is not recommended. Too much of it will be over your head. If you're a network engineer, you should have that foundation.

Local 22 October 2014 13:46

I got my Security+ .... it was kind of silly.

EnCE was no joke.

not sure where I'll go from here.

Golden Tiger 22 October 2014 13:53

Quote:

Originally Posted by CV (Post 1058431461)
CEH is about methodology, and then the tools used in each of the methodology's phases. It would absolutely help to already have a solid baseline in networking. You will want to know what certain things are, like DNS, NetBIOS, LDAP, SMB, etc...

You can learn all of this without prior knowledge, but it is not recommend. Too much of it will be over your head. If you're a network engineer, you should have that foundation.

Cool. And yeah I'm pretty solid on routing & switching and network admin basics. So next step would be running through one of the EC Council's classes for the CEH? I've done a fair amount of self study to get to this point so I'm good with just some books and tools if that's a viable option.

Quote:

Originally Posted by Local
I got my Security+ .... it was kind of silly.

Right there with you. The exam was underwhelming to say the least.

MountainBum 22 October 2014 14:02

CV do you see the pen test market being commoditized? If so, how does a pen test firm decommoditize itself to stand out from the fly by night orgs.

CV 22 October 2014 15:52

Quote:

Originally Posted by MountainBum (Post 1058431471)
CV do you see the pen test market being commoditized? If so, how does a pen test firm decommoditize itself to stand out from the fly by night orgs.

It already is. I work for one right now. All we do are vulnerability assessments and penetration tests. There are others as well. The biggest being Rapid 7 -- devs of the Metasploit distro.

Edit to add: Organizations need to be careful on hiring a full-blown firm depending on their actual needs. I would much rather you contact me and see if what you need can be accomplished with a simple 1099 contract. I would save many organizations a ton of money ;) -- When you're talking about compliancy and M&O paperwork, that's where these specialized firms (such as the one I work for) shine.

CV 29 October 2014 22:08

Another update and addendum: learn all you can about web servers. There are almost a billion (yes, with a 'b') websites in the world. Most of those reside on shared servers (servers that host multiple web sites). The majority of web servers provision the web pages using Apache (over 50% of all sites), compared to Microsoft's IIS (just over 10%). So, that tells you where to focus your attention.

If you don't know what Apache and/or IIS is, time to read up. There are others, but you get the point. Also, master the OWASP Top 10. It's a list of the most commonly exploited vulnerabilities found in web applications.

Apache - httpd.apache.org
IIS - http://www.iis.net/
OWASP - https://www.owasp.org/index.php/Main_Page
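
Added example (mine, not from CV's post): the first thing you actually do when you "learn about web servers" on an engagement is read what the server says about itself. This Python 3 script parses a raw HTTP response, pulls the Server header, and also checks the X-Powered-By / X-AspNet-Version headers that the ASP.NET framework adds on IIS-hosted apps, so a stripped Server header still gives IIS away. The three responses inside it are constructed for the example and were not captured from any real host.

```python
import re

# Constructed sample responses (not captured from any real host).
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 29 Oct 2014 14:00:00 GMT\r\n"
    "Server: Apache/2.4.10 (Debian) OpenSSL/1.0.1k PHP/5.6.4\r\n"
    "X-Powered-By: PHP/5.6.4\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
# Admin removed the Server header, but the application framework still leaks.
STRIPPED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

SERVER_RE = re.compile(r"^(Apache|Microsoft-IIS|nginx|lighttpd)(?:/([\w.]+))?")
MODULE_RE = re.compile(r"\b([A-Za-z_]+/[\w.]+)")   # e.g. OpenSSL/1.0.1k, PHP/5.6.4


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Return what the response reveals about the server software."""
    _, headers, _ = parse_response(raw)
    result = {"family": "unknown", "version": None, "modules": [], "evidence": []}
    server = headers.get("server")
    if server:
        m = SERVER_RE.match(server)
        if m:
            result["family"], result["version"] = m.group(1), m.group(2)
            # Apache lists loaded modules after the product token.
            result["modules"] = MODULE_RE.findall(server[m.end():])
        result["evidence"].append("server: " + server)
    # ASP.NET headers are set by the framework, not the web server, so they
    # survive a stripped Server header and still point at IIS.
    for name in ("x-powered-by", "x-aspnet-version"):
        value = headers.get(name)
        if value is None:
            continue
        result["evidence"].append(f"{name}: {value}")
        if result["family"] == "unknown" and (
            name == "x-aspnet-version" or value.upper().startswith("ASP.NET")
        ):
            result["family"] = "Microsoft-IIS"
    return result
```

Feed it whatever `curl -i` or a raw socket gives you. The "evidence" list is there so the finding in your report can quote the exact header, and the module list from an Apache banner (OpenSSL, PHP versions) is usually the more interesting part than the httpd version itself.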

CV 30 October 2014 16:12

More fun info…

Before continuing, I wanted to explain further that security is vast and deep. There are so many areas that one can specialize in, that it would be a huge waste of time trying to explain it all. Instead, here is a great-distilled overview.

At the very top, I usually start by explaining Governance, Risk Management, and Compliance (GRC). Each of these has its own discipline, and there are SMEs that exist in each without ever dipping in the others—though all should know what they are.

Governance represents the management’s approach to the implementation of a security program. It exists at the executive level and revolves around high-level decision making for implementing (paying for) controls. Usually, a CISO (Chief Information Security Officer) heads all issues related to governance. This is the land where policies are born.

Risk Management is the use of processes or frameworks for identifying and analyzing risk. There’s a lot that can be put here, but this is where the rubber meets the road for industry standardization and compliance. Risk Management Frameworks (RMFs) are the roadmaps for this area. If you work in the financial sector, you've likely heard of SOX (Sarbanes–Oxley Act of 2002). DOD folks are used to DIACAP, though it's being phased out for FISMA (Federal Information Systems Management Act). There's a ton more, but they're all very similar. If you know NIST SP 800-53, you can likely figure them all out.

Compliance is nothing more than meeting (or exceeding) any given requirement from up the food chain. Compliance is almost always based on a set of existing RMFs, but isn’t always. For instance, an organization may want to create their own custom RMF (though, 99.9% of the time they’re based on an existing one).

Google GRCs and learn more. There are entire volumes of information you can read about each. This is the tip of the iceberg, as it were.

-- Pay Attention --
Some technical gurus in the world of penetration testing like to ignore RMFs (or think they can). These folks may find a niche gig somewhere, but it will pay ten-fold to learn about, and master, some of the RMFs. It's absolutely critical to your job. You will be more valuable to your organization if you understand them. As mentioned above, learn to love NIST SP 800-53 (and the family of other publications). Even if you're a super-duper, secret-squirrel, Jason Bourne, you will only benefit from knowing RMFs. You will know exactly what controls your opponents are (most-likely) using.

Fubar 30 October 2014 16:28

Amazing. While on a lunch break, bored, CV takes a data dump, casually shitting gold bricks of knowledge....

CV 30 October 2014 16:46

Quote:

Originally Posted by Fubar (Post 1058432928)
Amazing. While on a lunch break, bored, CV takes a data dump, casually shitting gold bricks of knowledge....

To be fair, I was stuck in a dumb mass-teleconference and the topic of RMFs came up. If you know one, you can really easily figure them all out. Just learn the control groups.

bravodelta 31 October 2014 13:49

Outstanding. I'm looking to get my CEH, and FedVTE does offer some pretty good information if you have access to it.

CV 31 October 2014 16:01

Quote:

Originally Posted by bravodelta (Post 1058433097)
Outstanding. I'm looking to get my CEH, and FedVTE does offer some pretty good information if you have access to it.

Just bear in mind that being CEH certified doesn't equate to being an efficient and effective penetration tester. Like most certifications, it just means you're solid with the foundation. All the cool stuff exists in what you learn through experience.

Best of luck on your journey. Let me know if any questions come up. I have no problem in helping out.

CV 3 November 2014 14:04

OSINT - Open Source Intelligence

OSINT includes any information that can be discerned through public, non-intrusive means.

90% of my work revolves around this prior to any actual exploitation. This is an entire topic in and of itself, but lining up all of your ducks prior to an attack is the most efficient and effective way to be successful in compromising a system.

I'm going to defer everyone to Google, but the TTPs for this are massive, and diverse, depending on your organization and industry. There are countless methods in this.

Sun Tzu had a good quote about this that I don't recall at the moment. Something to the effect of knowing your enemy and you'll never lose a battle. Go in prepared prior to the attack, and you'll whip ass.

You would be surprised what can be found out about your organization (and you) through methods of data extraction on the open web.
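
Added example (mine, not from CV's post) of the "data extraction on the open web" he mentions: a Python 3 harvester that takes the text of a page you have already saved and pulls out the things you line up before touching a target, namely e-mail addresses (split into the target's domain versus everyone else's), hostnames that belong to the target versus third-party providers, and HTML comments, which is where staging hosts and "remove before go-live" notes tend to live. The page inside it is constructed for a fictional target on the reserved name example.com; nothing was fetched from a real site.

```python
import re
from urllib.parse import urlparse

# Constructed sample page for a fictional target (example.com is a reserved
# name); nothing here was fetched from a real site.
SAMPLE_PAGE = """
<html><head><title>Example Corp - Contact</title>
<script src="https://cdn.example.com/js/app.js"></script></head>
<body>
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: support@example.com, or reach the NOC at noc-ops@example.com</p>
<p>Webmail: <a href="https://mail.example.com/owa/">https://mail.example.com/owa/</a></p>
<p>Careers: <a href="https://jobs.example.com/">jobs portal</a> (hosted by
<a href="https://www.thirdparty-ats.invalid/">ThirdParty ATS</a>)</p>
<p>Remote staff: <a href="https://vpn.example.com/">VPN login</a></p>
<!-- TODO remove before go-live: staging copy at http://staging.example.com:8080/ -->
<p>Press enquiries: pr@example-corp.com</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def in_scope(host, target_domain):
    """True for the target domain itself and any subdomain of it."""
    return host == target_domain or host.endswith("." + target_domain)


def harvest(page, target_domain):
    """Pull e-mail addresses, hostnames and leaked comments out of page text."""
    emails = {e.lower() for e in EMAIL_RE.findall(page)}
    hosts, external = set(), set()
    for url in URL_RE.findall(page):
        host = urlparse(url).hostname   # drops scheme, port and path
        if host is None:
            continue
        (hosts if in_scope(host, target_domain) else external).add(host)
    # Look-alike domains (example-corp.com) are kept separately: they are
    # either a sister company or someone squatting, and either way they are
    # not in scope until the client says so.
    target_emails = {e for e in emails if e.rsplit("@", 1)[1] == target_domain}
    return {
        "emails": sorted(target_emails),
        "other_emails": sorted(emails - target_emails),
        "hosts": sorted(hosts),
        "external": sorted(external),
        "comments": [c.strip() for c in COMMENT_RE.findall(page)],
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAGE
    for key, values in harvest(text, "example.com").items():
        print(key, values)
```

Run it over a directory of pages you pulled with wget and the "hosts" list becomes your DNS/virtual-host target list, the "external" list tells you which SaaS vendors the org trusts, and the e-mail local parts tell you the naming convention. None of that required sending a single packet to the target beyond fetching public pages.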

Magyc 4 November 2014 11:56

Quote:

Originally Posted by MountainBum (Post 1058431471)
CV do you see the pen test market being commoditized? If so, how does a pen test firm decommoditize itself to stand out from the fly by night orgs.

Many industries that rely on having their data secure (and require some sort of insurance on that) must have a legitimate pentest run (and obviously mitigate the findings) by a known/respected company. Probably on a regular schedule.

This will keep firms with good reps standing out and being used over Basement Bob.


and for CV:

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
-Sun Tzu

Magyc 4 November 2014 12:03

Find and learn how to use the many many free tools to do the various stages of a pentest.

e.g.
Nmap/Zenmap
Wireshark/Network Miner
Kali Linux Distro (and all the fun stuff bundled)
Metasploit/Armitage

Then be happy when your gig buys very expensive stuff like CORE Impact which helps execute & manage entire tests in one tool.

Learning simple languages like python is also good for being able to script up some quick and easy tools.

CV you want to compile a list of tools and or reading materials that may be helpful?
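
Added example (mine, not Magyc's): the kind of "quick and easy tool" a few lines of Python gets you around the free tools listed above. Nmap writes machine-readable output with `-oX`, and this Python 3 script turns that XML into a per-host list of open ports and a service-to-targets index, which is exactly what you hand to the next stage (every http target to the web checks, every microsoft-ds target to the SMB checks). The XML inside it is a constructed sample in Nmap's format, not output from a real scan, and uses only private 10.0.0.0/29 addresses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in Nmap's -oX format (not from a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" version="6.47">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="6.7p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.10" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.6" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
<service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" method="table" conf="3"/></port>
<port protocol="tcp" portid="5985"><state state="filtered" reason="no-response"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return [{addr, hostname, ports:[{port, proto, service, product, version}]}]
    for every host that is up, keeping only ports Nmap reported as open."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        hn = host.find("hostnames/hostname")
        entry = {"addr": ipv4.get("addr"),
                 "hostname": hn.get("name") if hn is not None else None,
                 "ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # closed/filtered ports are noise for the next stage
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(entry)
    return hosts


def service_index(hosts):
    """Map service name -> ["ip:port", ...] so each follow-on check gets its targets."""
    index = defaultdict(list)
    for h in hosts:
        for p in h["ports"]:
            index[p["service"] or "unknown"].append(f"{h['addr']}:{p['port']}")
    return dict(index)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for svc, targets in sorted(service_index(parse_nmap_xml(text)).items()):
        print(f"{svc:15} {', '.join(targets)}")
```

Usage is `python3 nmap_index.py scan.xml` after `nmap -sV -oX scan.xml <targets>`. Parsing the XML instead of scraping the normal output is the habit to build: the normal output changes wording between versions, the XML attributes do not, and the same parser then feeds whatever you write next.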

BOFH 4 November 2014 21:21

Quote:

Originally Posted by Magyc (Post 1058433846)
Learning simple languages like python is also good for being able to script up some quick and easy tools.

Seconded. I highly recommend a book called "Violent Python." I'm not much of a programmer, but I've had to learn some python to make things happen here and there...that book has been invaluable.

MountainBum 4 November 2014 23:53

Quote:

Originally Posted by BOFH (Post 1058433937)
Seconded. I highly recommend a book called "Violent Python." I'm not much of a programmer, but I've had to learn some python to make things happen here and there...that book has been invaluable.

Great book. Taught myself Python using it, ended up building my own wifi direction finding device using some of the code.

Magyc 5 November 2014 14:48

Thirded :)

Violent Python is a great book (and one I had in mind when bringing up Python in the first place). Have it on my desk here at the office.

Just stick with Python 2.x (2.7.8 is the latest). Python 3.x makes things harder (but more efficient?)...not needed for the kludge job coding to get you started

