SOCNET

#181
25 January 2019, 10:39
BOFH
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,329
Quote:
Originally Posted by usmc_3m
I had to develop the usual “ice breaker” content for an upcoming cyber/info security event. I decided to go with “How did you get into cyber/info security? And/or – what was the first security tool you ever used?” Kinda like the typical “what was the first computer you owned?”

When I got off active duty (Navy--IT2), I swore I'd never again work on computers or work for the government. I worked as a welder and carpenter for a while, but eventually found myself stranded in San Antonio. I needed money, and found that my principles crumbled pretty quickly in the face of hunger...so I took a job doing intrusion detection for the USAF. First security tool I used, though...was probably ethereal/wireshark...but that really depends on how you define "security tool."
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
#182
25 January 2019, 15:41
usmc_3m
Confirmed User
 
Join Date: Jun 2013
Location: PR of Kali
Posts: 1,359
Quote:
Originally Posted by MountainBum
Not exactly.
Given this thread and the topic, that was pretty silly of me. "E" = exploitation.
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#183
27 January 2019, 13:44
usmc_3m
Confirmed User
 
Join Date: Jun 2013
Location: PR of Kali
Posts: 1,359
Quote:
Originally Posted by BOFH
When I got off active duty (Navy--IT2), I swore I'd never again work on computers or work for the government. I worked as a welder and carpenter for a while, but eventually found myself stranded in San Antonio. I needed money, and found that my principles crumbled pretty quickly in the face of hunger...so I took a job doing intrusion detection for the USAF. First security tool I used, though...was probably ethereal/wireshark...but that really depends on how you define "security tool."
I still use wireshark on occasion today. But your point about what makes something a security tool is well taken. I guess technically speaking - my first tool was that ASM disk editor program.
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#184
2 July 2019, 11:19
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Just revisiting this to help evolve and update.

The basics remain the same:
  • Learn the protocols and services before hoarding certifications
  • Master web applications. Learn all you can about them, and not just from a security perspective (that comes later)
  • There are so many free resources out there to learn all about Operating Systems, Networks, Applications, and more... Everyone wanting to work in cyber has everything they need at the end of a Google search
I can't emphasize Cloud Security enough. Understand it from the ground up. All of this still goes back to what I harp on: know the protocols and services. Protocols are simply rules that everyone agrees to abide by. If you know the rules, you can learn to break them (offensive security). If you know how people break the rules, you can help identify and defend against it (defensive security; incident response); or you can help organizations figure out how it was done (forensics).
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#185
2 July 2019, 15:37
anachranerd
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 177
I had to take a break from OSCP for some months due to other stuff going on. I just fired up my lab access again- damn this shit is fun! I'm starting over, right now working on reverse shells etc.

I'm definitely taking HDLS, BOFH, CV, and others' advice- once this is done, moving onto Cloud security.
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
#186
2 July 2019, 17:05
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
OSCP can be a beast. Stick with it and try harder.

Keep in mind one of the 25 point boxes on the exam is for Buffer Overflow. Spend some time learning that to get an “easy” win (easy is relative). Keep at it.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#187
3 July 2019, 19:24
anachranerd
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 177
Quote:
Originally Posted by BOFH
.... First security tool I used, though...was probably ethereal/wireshark...but that really depends on how you define "security tool."
I was just having a conversation about this with my parents - both retired from the medical field. So called "security" or "hacking" tools are just diagnostic tools that have multiple purposes.

Just like a syringe- whether you are injecting lifesaving medicine or poison, the function is exactly the same.
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
#188
6 July 2019, 21:42
usmc_3m
Confirmed User
 
Join Date: Jun 2013
Location: PR of Kali
Posts: 1,359
BlackHat 2019

Anyone going to BlackHat or DefCon this year?
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#189
7 July 2019, 01:11
BOFH
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,329
Quote:
Originally Posted by usmc_3m
Anyone going to BlackHat or DefCon this year?

Still debating Blackhat. I really don't bother with DefCon.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
#190
9 July 2019, 07:12
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Freely available tools that I use regardless of my position (Analyst, Engineer, Consultant, Penetration Tester, Manager, Director, ...everything).
  • Nmap (seriously, you need to know how to use this tool. It needs to be a priority to learn)
  • Wireshark (command-line, or go home)
  • Netcat

Scripting languages to help automate the tools above. If you can script and automate, you'll add 20%+ value to any team you serve on.
  • Python
  • Bash
  • Go
  • Powershell (for MS environments)

Somewhat specific tools, based on what you're looking at in an environment
  • Metasploit (free version is fine for a lot of purposes)
  • Aircrack-ng (wireless assessments)
  • BurpSuite (WebApps; spend the money to get a license to unlock all the benefits)
  • OWASP Zap (not unlike BurpSuite, but is completely free. Not as versatile in my opinion).
  • sqlmap (databases/WebApps--can use a plugin to add it to BurpSuite)

Kali Linux has most of this pre-installed with the distro. Go get it and have at it.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#191
14 July 2019, 10:23
HighDragLowSpeed
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,506
I'd add sysmon to the above list. It's free and there are few better tools for quickly recreating what actually happened on a potentially compromised Windows box and then getting to "Patient Zero".

osquery is also a free tool written by Facebook that will let you query Windows, Mac, and Linux endpoints for key incident information. Like sysmon, it will even quickly hash all of an endpoint's processes without having to resort to digital forensic tools.

A MUCH better approach would be to know the oddities and weaknesses of your own tools as your visibility of your network gets better. I hardly ever see this on blue teams to which I am privy.

Some examples:

- Our vulnerability management tool throws out all sorts of malicious looking WMI scripts (obviously to test for..well..vulnerabilities). Learn what WMI is normal for these tools and alert on anything else.

- If you have tools running privileged accounts that touch every box in your network, look at frequency and activities of "normal touches" as well. An increase in frequency and/or changes in the normal may indicate a low visibility compromise.

- Write custom alerts for when every one of your security tools isn't working.

- Even tools like sysmon have their own issues. Sysmon only uses a reverse lookup for its remote connection information. If the IP hosts a bunch of domains, you may not get visibility of the malicious one. You'll need to supplement the sysmon information with DNS client logs, which will show the actual hostname for the connection.

- Most network tools don't perform analysis at the ASN level. Why? I don't know. I've built a tool outside of work that takes net flow data, associates it with ASNs, and looks for anomalies....which are much easier to spot at the ASN level than the IP or country level.

- Have an approval process for excluding or turning off noisy alerts until they are tuned. These aren't decisions that should be based on the whim of a single analyst.

- Do research on the net on how red teamers or actual bad actors get around the specific security tools that you have. Put compensating controls in place. This may include things (where possible) like changing process or service names, detective controls for when a service stops, or alerting on artifacts of the things that you learned are used to defeat your tools.
__________________
Come for the infosec, stay for the dumpster fires.

God made machine language; all the rest is the work of man.
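The sysmon caveat above (reverse lookup shows one name for a shared IP, DNS client logs show what the host actually asked for) worked through as an added example; this is not HDLS's tool or anything from the original post. The records are constructed, and the field names are assumptions modelled on Sysmon Event ID 3 and DNS client query logging (QueryName / QueryResults, which may carry a `::ffff:` prefix).

```python
"""Join Sysmon network connections (Event ID 3) with DNS client query records.

Added example. Sysmon fills DestinationHostname from a reverse lookup, so when
many names share one IP only one of them appears. Joining on the resolved IP
within a time window recovers every name the host asked for before connecting.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

SYSMON_NET = [  # constructed Sysmon Event ID 3 records
    {"UtcTime": "2019-07-14 10:00:05", "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "shared-host.example.net"},
    {"UtcTime": "2019-07-14 10:02:00", "Image": "C:\\Program Files\\app\\app.exe",
     "DestinationIp": "198.51.100.7", "DestinationHostname": "api.example.org"},
]

DNS_CLIENT = [  # constructed DNS client query records (third one is outside the window)
    {"UtcTime": "2019-07-14 09:59:40", "QueryName": "shared-host.example.net", "QueryResults": "::ffff:203.0.113.10;"},
    {"UtcTime": "2019-07-14 09:59:58", "QueryName": "update.example.com", "QueryResults": "::ffff:203.0.113.10;"},
    {"UtcTime": "2019-07-14 09:30:00", "QueryName": "old.example.com", "QueryResults": "::ffff:203.0.113.10;"},
    {"UtcTime": "2019-07-14 10:01:50", "QueryName": "api.example.org", "QueryResults": "::ffff:198.51.100.7;"},
]

def answers(query_results):
    """Split a QueryResults string into plain IPs, dropping type markers and ::ffff: prefixes."""
    out = set()
    for item in query_results.split(";"):
        item = item.strip()
        if not item or item.startswith("type:"):
            continue
        out.add(item[7:] if item.startswith("::ffff:") else item)
    return out

def names_for_connection(conn, dns_events, window=timedelta(minutes=5)):
    """Hostnames resolved to conn's DestinationIp within `window` before the connection."""
    t_conn = datetime.strptime(conn["UtcTime"], FMT)
    names = set()
    for ev in dns_events:
        age = t_conn - datetime.strptime(ev["UtcTime"], FMT)
        if conn["DestinationIp"] in answers(ev["QueryResults"]) and timedelta(0) <= age <= window:
            names.add(ev["QueryName"])
    return sorted(names)

def enrich(sysmon_events, dns_events):
    """Attach DNS-derived names and list the ones the reverse lookup alone would have hidden."""
    rows = []
    for conn in sysmon_events:
        names = names_for_connection(conn, dns_events)
        rows.append({**conn, "ResolvedNames": names,
                     "HiddenByReverseLookup": [n for n in names if n != conn["DestinationHostname"]]})
    return rows
```

On a real host the two inputs come from the Sysmon operational log and the DNS client operational log; the join key and window are the only things that matter.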
#192
14 July 2019, 22:12
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Osquery, good solid recommendation.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#193
6 August 2019, 09:10
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Wow, I can't believe this thread is coming up on 5 years.
I decided to go back through this thread and read what I put earlier. It seems I have a hard-on for 'nmap'. Truth is, using this tool, or existing CLI commands to accomplish the same, is a huge part of being able to automate gathering intel about your systems (or the systems you're trying to take over).

There's a lot to this field, so please pass along any specific questions or comments. My basic advice remains the same: learn the rules of technology; aka the protocols. Protocols are just rules everyone agrees to abide by. As I've said before, if you know the rules, you can figure out how to break them.

Delve into the OSI model and find protocols from there: https://en.wikipedia.org/wiki/OSI_model

I really don't want to write another book, so I'll leave it at that.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
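CV's point about nmap being the backbone of automated intel gathering about your own systems, as an added example that is not from the original post: parse nmap's XML output (-oX) into a service inventory and compare it against the ports each host is supposed to expose. SAMPLE_XML is constructed in the shape nmap writes, and EXPECTED is an assumed policy.

```python
"""Build a service inventory from nmap XML (-oX) and flag unexpected exposure.

Added example. SAMPLE_XML is constructed in the shape nmap writes; on real
systems pass the contents of an nmap -oX file to inventory(). EXPECTED (the
ports each host should expose) is an assumed policy, not anything nmap emits.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>
"""

EXPECTED = {"10.0.0.5": {22, 443}, "10.0.0.9": set()}  # assumed policy: allowed open tcp ports

def inventory(xml_text):
    """Return {ip: [(port, proto, service, banner), ...]} for open ports on hosts that are up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no port data worth inventorying
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            services.append((int(port.get("portid")), port.get("protocol"), name, banner))
        result[addr.get("addr")] = sorted(services)
    return result

def unexpected_exposure(inv, expected):
    """Open ports the policy does not allow for that host (unknown hosts: every open port)."""
    findings = {}
    for ip, services in inv.items():
        allowed = expected.get(ip, set())
        extra = [s for s in services if s[0] not in allowed]
        if extra:
            findings[ip] = extra
    return findings
```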
#194
8 August 2019, 05:09
HighDragLowSpeed
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,506
Quote:
Originally Posted by usmc_3m
Anyone going to BlackHat or DefCon this year?
It's always great to put a face to a SOCNET handle. It was great meeting you at BlackHat. I'm sure that we'll touch base again.
__________________
Come for the infosec, stay for the dumpster fires.

God made machine language; all the rest is the work of man.
#195
8 August 2019, 12:39
usmc_3m
Confirmed User
 
Join Date: Jun 2013
Location: PR of Kali
Posts: 1,359
Quote:
Originally Posted by HighDragLowSpeed
It's always great to put a face to a SOCNET handle. It was great meeting you at BlackHat. I'm sure that we'll touch base again.
Roger that, HDLS. Same here - looking forward to future conversations.
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#196
18 August 2019, 15:03
HighDragLowSpeed
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,506
There is a lot of opportunity out there if you can establish yourself.

Quote:
Cybersecurity pros name their price as hacker attacks swell

It took a $650,000 salary for Matt Comyns to entice a seasoned cybersecurity expert to join one of America’s largest companies as chief information security officer in 2012. At the time, it was among the most lucrative offers out there.

This year, the company had to pay US$2.5 million (AU$3.7 million) to fill the same role.

“It’s a full-on war for cyber talent,” said Comyns, a managing partner at executive search firm Caldwell Partners who specializes in information security. “CEOs know that, so they play hardball. Everyone’s throwing money at this.”

The threat of digital breaches — and the fines, lawsuits and occasional executive resignations that sometimes follow — has left companies scrambling to scoop up scarce security experts. The growing compensation packages and broadened responsibilities are a dramatic shift for a group of workers who were once confined to obscure IT departments, little more than an afterthought to senior management.

Equifax paid Jamil Farshchi US$3.89 million (AU$5.6 million) in 2018 to take the job as chief information security officer. He joined from Home Depot, which had hired him in the wake of a 2014 breach that exposed credit-card information belonging to 56 million customers.

https://www.seattletimes.com/busines...attacks-swell/
__________________
Come for the infosec, stay for the dumpster fires.

God made machine language; all the rest is the work of man.
#197
19 August 2019, 15:00
BOFH
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,329
Quote:
Originally Posted by HighDragLowSpeed
There is a lot of opportunity out there if you can establish yourself.
Lots of truth to this. I'm not making anywhere close to that kind of money, but then again, I'm not a CISO (and I live in GA, where the money goes a lot further). That said, I'm looking at picking up a "side gig" as a virtual CISO, and figured 10 hours a week at $90/hr would be really reasonable. In a world where side gigs are usually minimum wage, there's a LOT of opportunity in infosec.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
#198
21 August 2019, 18:49
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Quote:
Originally Posted by BOFH
Lots of truth to this. I'm not making anywhere close to that kind of money, but then again, I'm not a CISO (and I live in GA, where the money goes a lot further). That said, I'm looking at picking up a "side gig" as a virtual CISO, and figured 10 hours a week at $90/hr would be really reasonable. In a world where side gigs are usually minimum wage, there's a LOT of opportunity in infosec.
You could charge that x4 depending on the vertical. Find a nice FINTECH or IAM/IDM opportunity with a start-up and you can really do a lot of good for your wallet as an advisor/consultant.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#199
9 October 2019, 13:20
CV
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 8,149
Reading back through this thread, there's a common vein I want to highlight. So, I want to make sure we're setting up everyone interested in cybersecurity the right way.

Information Assurance, Information Security, Cybersecurity--whatever you want to call it--used to be (and still is) a specialization on existing technology positions. These days, colleges and universities, to include certification bodies, are all hawking their education as the silver bullet to protecting your organization from hackers and/or malware. Many times, they produce candidates that are book smart, but not functionally wise.

The truth is, not unlike the SOF Truths, quality security professionals cannot be mass produced. This means that you need to dig in and learn from the ground up if you're not coming into the field with experience. Reread this thread and the links shared. Master the basics. I can't emphasize this enough.

Repeat after me: Protocols are just rules, and rules can be broken. If I understand how the rules work, I can break the rules or protect against them being abused against me.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo