SOCNET: The Special Operations Community Network > Areas of Expertise > Technology and Communications
#161, 6 December 2018, 17:35
Atrax (Confirmed User; Join Date: Sep 2005; Location: CONUS; Posts: 360)
A buddy sent me the following links a while back. I haven't looked into them too deeply, but they seem like a good resource for those of us starting out.


https://www.cisco.com/c/en/us/about/csr/stories/veterans-program.html

https://www.cybervets.virginia.gov/training-programs/cisco-training-program/
#162, 6 December 2018, 18:55
anachranerd (Confirmed User; Join Date: Jul 2010; Location: In the wind; Posts: 169)
Quote:
Originally Posted by HighDragLowSpeed
If you are thinking about getting into the security space, don't prepare for the wrong war. Much of what's been written in this thread will be of limited relevance in 10 years.

What?!? Has HDLS gone crazy?

Some questions to ask yourself: In 10 years, will orgs have the same balance of servers to be pen tested in data centers as they do now, or will most of that capability be moved to the cloud? I believe that most of the capability that resides in servers and VMs today will be serverless in 10 years. Also, think about how security skillsets will shift to meet this new need. How many people are training to secure today's infrastructure? Will we have a bajillion mo-fos running around with certifications to pen test and defend traditional data center servers and user endpoints? Yes. How much work will there be around patching and compliance on endpoints? In ten years, with companies realizing that spinning up VMs in the cloud doesn't take full advantage of cloud scaling, not much.

It isn't your fault. Really, it isn't. Security conferences are still focused on fighting the last war. Perhaps 2% of BlackHat was focused on cloud defense, while offensive cloud courses ("hacking AWS/Google/Azure") were about 10%. I went to a regional three-day security conference and there was one session on cloud security. One. Even Twitter and LinkedIn tend to focus on today's endpoints.

But the indicators are in place that there is a big shift coming. 171k people attended Salesforce's Dreamforce conference. There were over 50k attendees at the recent AWS conference and 20k at Microsoft Ignite for Azure. That speaks to how many organizations are at least seriously considering starting their cloud journey. Even for users, Microsoft has already shifted to O365 and is working on a thin-client Windows version that runs in the cloud. So, where will you be able to apply many of the skillsets discussed in this thread and, more importantly, how many others will be fighting for work defending the same shrinking infrastructure?

Don't be that guy. If you are less than 40 years old and not focused on learning how to defend the serverless cloud, you're setting yourself up for future failure.

If you are thinking that your endpoint-focused IT security skills will directly translate to the cloud, you are (1) focused on a small percentage of organizations that are likely doing cloud wrong and (2) demonstrating that you don't fully know about the cloud. You'll be lost when governance/security needs to be expressed as code, you need to secure APIs that feed into Salesforce, or you need to define the access and compliance guardrails users will have when they spin up cloud instances. Worse yet, anyone living in some third world mudhut with some smarts, access to $50 of cloud credits, an internet connection, and a shitload of free time now has a path to riches by figuring out how to breach cloud repositories....anywhere in the world. Probably yours if you don't know what I am referring to above. In other words, good luck.

So, as you read through this thread and are making decisions about where to focus your career, think about whether you are preparing for the last war in terms of IT security. We can close our eyes and pretend that this shift isn't happening....or you can start developing your relevant security expertise now. You heard it here first.

Thank you for posting that, sir.
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
#163, 8 December 2018, 15:10
usmc_3m (Confirmed User; Join Date: Jun 2013; Location: PR of Kali; Posts: 1,053)
HDLS's post is spot on. But to add some additional context - and I am going for some cross-thread points here on the "Blue Team" thread (also a great thread)...

There is far too much focus and effort on offensive/Red Team/Pen-test capabilities. This is not disparaging these skills and capabilities. But, at a minimum, an equal - or greater - level of focus needs to be given to defensive capabilities. I am not talking CSM (continuous security monitoring). I am talking full-scale, 24x7 defensive operations - that were designed to accomplish this purpose. Highly capable analysts. Infrastructure that provides full visibility and control points.

I am constantly amazed how few folks actually understand what the cyber kill chain actually is. And how to implement it as an organization to develop real (key word "real") threat intelligence.

To carry this into HDLS's post - if you can figure out how to integrate these types of defensive capabilities and skill sets into cloud environments - you are setting yourself up for success. But defensive skills aren't "sexy". And they are much more aligned to being an excellent analyst vs. a skilled pen-tester. The mindsets and skills are different here. Both are valuable. And yes, I get the argument that you need to understand the offensive aspect in order to be a good defensive analyst. But that understanding can be achieved without becoming a dedicated red teamer/pen-tester.

I have lived both sides of this equation. It took me a long time to realize the value to the organization/program of these defensive capabilities. These defensive capabilities are, IMO, cyber security risk management in action. Blue teams are often only looked at as point-in-time assessments, or are marginalized to a small scope. Enterprise/organizational defensive capabilities are an absolute must for any organization to have a platform to effectively combat cyber attacks.

I would strongly recommend folks getting into the field to consider this combined path - i.e. cyber defense in cloud environments.

Or - as Jimbo stated - go fix everything with quantum cyber computing
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#164, 8 December 2018, 19:11
HighDragLowSpeed (Been There Done That; Join Date: Dec 2006; Location: Only Place For Me; Posts: 5,253)
usmc_3m gets it. I'll add to his post by being a bit more prescriptive so folks know where to point their efforts.

The key to cyber defense in the cloud is automation. Here is where security differs from compliance. To be secure in the cloud, every single offensive use case that ends in having something out of compliance or at risk needs to be corrected or remediated in an automated way.

That means three things:

1) You are going to need to learn to code. If you lead a team, the whole team too.

2) Every single aspect of your cloud policies and standards needs to have detection and remediation expressed in code. You should be able to pull a string on each standard and jiggle some template that creates the guardrails that establish that standard when the environment spins up, some controls that apply to the detection of that standard being out of compliance, and code that remediates the out-of-compliance issue.

3) You'll need to think through your desired security outcomes. (Hint: none of these will be part of your compliance standards or control frameworks, and none of the Cloud Ops guys have these as their rock to carry.) As one of N examples, if we detect certain malicious indicators in our AWS environment, we'll spin off that instance into a different namespace (without the attacker's knowledge), slipstream in a cloud template that has no privileges (neutralizing any threat), and retain that live compromised instance for cloud forensics purposes. Meanwhile a new clean instance has been spun up in the original namespace so the service for customers continues unabated. All this is done in an automated way.

Security in the cloud is about thinking beyond tool configurations and ensuring automated response to everything.
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.
#165, 8 December 2018, 20:53
usmc_3m (Confirmed User; Join Date: Jun 2013; Location: PR of Kali; Posts: 1,053)
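An added example (not code from this thread or from any provider SDK) of the automated containment step HighDragLowSpeed describes in item 3: detect indicators, move the instance to an isolation namespace, swap in a no-privilege profile, snapshot it for forensics, and stand up a clean replacement. `CloudAPI` is a constructed in-memory stand-in for a cloud control plane; the namespace, role names and indicator labels are assumptions.

```python
"""Automated containment playbook. CloudAPI is a constructed mock of a provider
control plane; replace its methods with real SDK calls when wiring into an account."""
from dataclasses import dataclass

QUARANTINE_NS = "forensics-hold"          # assumed isolated namespace (not production)
NO_PRIV_PROFILE = "quarantine-no-access"  # assumed instance role with an empty policy

# Constructed indicator labels; a real deployment feeds these from threat intel.
MALICIOUS_INDICATORS = {"outbound-to-known-c2", "credential-enumeration"}

@dataclass
class Instance:
    instance_id: str
    namespace: str
    profile: str
    template: str
    volumes: tuple

class CloudAPI:
    """Mock control plane: launches instances and records volume snapshots."""
    def __init__(self):
        self.instances, self.snapshots, self._seq = {}, [], 0

    def launch(self, namespace, template, profile):
        self._seq += 1
        inst = Instance(f"i-{self._seq:04d}", namespace, profile, template, (f"vol-{self._seq:04d}",))
        self.instances[inst.instance_id] = inst
        return inst

def detect(events):
    """Return the malicious indicators present in an instance's activity events."""
    return {e["detail"] for e in events if e["detail"] in MALICIOUS_INDICATORS}

def contain_and_replace(api, instance_id, indicators):
    """Isolate the victim, strip its privileges, keep it live for forensics,
    and bring up a clean replacement so the customer-facing service continues."""
    victim = api.instances[instance_id]
    original_ns, original_profile = victim.namespace, victim.profile
    victim.namespace = QUARANTINE_NS   # 1. move out of the production namespace
    victim.profile = NO_PRIV_PROFILE   # 2. any credentials the attacker holds now do nothing
    for vol in victim.volumes:         # 3. preserve disk state together with the matched indicators
        api.snapshots.append({"volume": vol, "source": instance_id, "indicators": sorted(indicators)})
    replacement = api.launch(original_ns, victim.template, original_profile)  # 4. clean instance
    return {"quarantined": instance_id, "replacement": replacement.instance_id,
            "snapshots": len(victim.volumes)}

def respond(api, instance_id, events):
    """Entry point for the automated hook: act only when indicators are present."""
    hits = detect(events)
    return contain_and_replace(api, instance_id, hits) if hits else None
```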
^^^^^
Boom.

The only other thing I would add is that the coded controls, automation and response mechanisms are aligned to the appropriate step(s) of the kill chain. And store all that data from the attacks - every single bit that you can - for further ongoing analysis. This can allow you to: a) discover new threats from historical analysis - or b) trace current threats/attacks retroactively based on new intel/indicators.

Weave all of this together and you are going to have an extremely effective defensive posture.
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci
#166, 8 December 2018, 22:39
MountainBum (Vivat Fraternitatis; Join Date: Apr 2004; Location: OCONUS; Posts: 926)
Quote:
Originally Posted by HighDragLowSpeed
usmc_3m gets it. I'll add to his post by being a bit more prescriptive so folks know where to point their efforts.

The key to cyber defense in the cloud is automation. Here is where security differs from compliance. To be secure in the cloud, every single offensive use case that ends in having something out of compliance or at risk needs to be corrected or remediated in an automated way.

That means three things:

1) You are going to need to learn to code. If you lead a team, the whole team too.

2) Every single aspect of your cloud policies and standards needs to have detection and remediation expressed in code. You should be able to pull a string on each standard and jiggle some template that creates the guardrails that establish that standard when the environment spins up, some controls that apply to the detection of that standard being out of compliance, and code that remediates the out-of-compliance issue.

3) You'll need to think through your desired security outcomes. (Hint: none of these will be part of your compliance standards or control frameworks, and none of the Cloud Ops guys have these as their rock to carry.) As one of N examples, if we detect certain malicious indicators in our AWS environment, we'll spin off that instance into a different namespace (without the attacker's knowledge), slipstream in a cloud template that has no privileges (neutralizing any threat), and retain that live compromised instance for cloud forensics purposes. Meanwhile a new clean instance has been spun up in the original namespace so the service for customers continues unabated. All this is done in an automated way.

Security in the cloud is about thinking beyond tool configurations and ensuring automated response to everything.
I like your post-detection automation example. Where can one find similar playbooks / containment / response TTPs specifically for the cloud and focused on automation?
#167, 9 December 2018, 09:41
HighDragLowSpeed (Been There Done That; Join Date: Dec 2006; Location: Only Place For Me; Posts: 5,253)
Quote:
Originally Posted by MountainBum
I like your post-detection automation example. Where can one find similar playbooks / containment / response TTPs specifically for the cloud and focused on automation?
Your question goes back to one of my original points:

Quote:
Originally Posted by HighDragLowSpeed
It isn't your fault. Really, it isn't. Security conferences are still focused on fighting the last war. Perhaps 2% of BlackHat was focused on cloud defense, while offensive cloud courses ("hacking AWS/Google/Azure") were about 10%. I went to a regional three-day security conference and there was one session on cloud security. One. Even Twitter and LinkedIn tend to focus on today's endpoints.
The cloud providers' security has made great strides over the past year. That said, much of the discussion is still sharply focused on Ops issues, as many infrastructure-focused folks just relabeled themselves with cloud security titles. I've stumped vendors by telling them that I don't have responsibility for the operations side and to only focus their discussion on the security aspects of their solution. Awkward conversation generally ensues.....

That said, everyone is still learning. There is still a lot of green field out there. We've had to think through many of our playbooks from the nuggets that we've dug up here and there - primarily hallway discussion at conferences and by finding talented "cloud only" offensive focused folks (almost exclusively from BRIC countries) and sussing out what they focus on.

We need more smart people who get defending the cloud and can generate the same social media discussions and TTPs that benefitted endpoints and data centers.
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.