SOCNET

Go Back   SOCNET: The Special Operations Community Network > Areas of Expertise > Technology and Communications

Reply
 
Thread Tools Display Modes
  #141  
Old 24 November 2018, 23:14
anachranerd's Avatar
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 169
Quote:
Originally Posted by CV View Post

Offensive Security Certified Professional (OSCP)
It seems no one outside of penetration testers really know, or care about this certification. That will change, I am sure. If youre chasing money over bad-assery, then leave this one alone for now. That said, this is possibly one of the hardest exams for a no-shit penetration tester (hacker). Its a real-world exam where no multiple-choice questions are provided. You are literally given some basic notes and told to go to town on a mock system (usually a fake Bank). You literally have to break into a system by identifying and exploiting vulnerabilities, and ultimately work to gain administrative access/control. It. Is. Awesome.

I have a question. I have been working in End to End Testing as a technical team lead for some years now and am looking to move on. It seems like security and testing have a lot of overlaps as far as methodology and I am looking to get into the Infosec world. It sounds like fun work and a challenge.

Would the below prep class be worth the 800$? Sure looks to be comprehensive.

https://www.offensive-security.com/d...-with-kali.pdf
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
Reply With Quote
  #142  
Old 24 November 2018, 23:24
MountainBum's Avatar
MountainBum MountainBum is offline
Vivat Fraternitatis
 
Join Date: Apr 2004
Location: OCONUS
Posts: 926
Quote:
Originally Posted by anachranerd View Post
I have a question. I have been working in End to End Testing as a technical team lead for some years now and am looking to move on. It seems like security and testing have a lot of overlaps as far as methodology and I am looking to get into the Infosec world. It sounds like fun work and a challenge.

Would the below prep class be worth the 800$? Sure looks to be comprehensive.

https://www.offensive-security.com/d...-with-kali.pdf
Yes.

OSCP is a highly regarded certification in the cybersecurity world and has yet to be diluted. Do your research on recommended preparatory work and what the final exam entails so that you know what you're getting yourself into.
Reply With Quote
  #143  
Old 24 November 2018, 23:43
anachranerd's Avatar
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 169
Thank you so much.
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
Reply With Quote
  #144  
Old 25 November 2018, 00:05
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
Your linked course is the course for OSCP.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #145  
Old 26 November 2018, 01:45
anachranerd's Avatar
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 169
Thank you everyone.
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
Reply With Quote
  #146  
Old 26 November 2018, 03:12
MacSwarthy MacSwarthy is offline
Perpetual FNG
 
Join Date: Feb 2007
Location: <- Over there
Posts: 200
Quote:
Originally Posted by anachranerd View Post
...Would the below prep class be worth the 800$? Sure looks to be comprehensive ...
About a year or so ago I spent a month playing around in the lab they provide. Managed to pivot into all of the subdomains and control a little over half of the total hosts, but then got really busy and haven't had time to go back to it. The time spent in the lab was some of the most fun I've had at a computer and the single most effective training course I've ever taken. It is absolutely worth every penny.

-MacS
Reply With Quote
  #147  
Old 26 November 2018, 07:08
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
The course also relies heavily on forcing you to do the research into how to pop a box. I get the principle they state, but really this is the org not having a professional curriculum development team to help flesh it out. That criticism aside, it really does force you to get down to the nuts and bolts of figure out how to work through the lab.

Note that the exam is nothing like the lab. You don't have to know how to pivot to other systems. Privilege escalation is king in the lab and being able to root out obscure vulnerabilities.

With hard work and dedication (sorry for the soapbox) you can get through it and earn the cert.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #148  
Old 27 November 2018, 15:42
anachranerd's Avatar
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 169
Quote:
Originally Posted by CV View Post
The course also relies heavily on forcing you to do the research into how to pop a box. I get the principle they state, but really this is the org not having a professional curriculum development team to help flesh it out. That criticism aside, it really does force you to get down to the nuts and bolts of figure out how to work through the lab.

Note that the exam is nothing like the lab. You don't have to know how to pivot to other systems. Privilege escalation is king in the lab and being able to root out obscure vulnerabilities.

With hard work and dedication (sorry for the soapbox) you can get through it and earn the cert.
Appreciate the advice fellas. Signed up, just doing connectivity verifications etc before the actual class starts.

Got a wonderful start already, managed to change the root pw on the Kali VM and then forget it
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB
Reply With Quote
  #149  
Old 27 November 2018, 19:44
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
Thumbs up

Quote:
Originally Posted by anachranerd View Post
Appreciate the advice fellas. Signed up, just doing connectivity verifications etc before the actual class starts.

Got a wonderful start already, managed to change the root pw on the Kali VM and then forget it
Just fire up a new instance. It's all good. Feel free to pass questions if they come up. I can point you in the right direction. Without even worrying about the course itself, you're going to want to spend time mastering tools like nmap and Wireshark.

Happy hunting.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #150  
Old 28 November 2018, 18:02
Atrax's Avatar
Atrax Atrax is offline
Confirmed User
 
Join Date: Sep 2005
Location: CONUS
Posts: 360
Question on the OSCP: Would it be worth taking the course/test as a means to learn? Or is the material too advanced for that?

My apples to oranges comparison: When I took Security+ I didn't know anything about the terminology or material. But through the process of studying I learned a lot and subsequently passed, despite having been a total novice at first.

However slowly, would following a similar path for OSCP be possible, or would I drown pretty early on?
Reply With Quote
  #151  
Old 28 November 2018, 19:52
anachranerd's Avatar
anachranerd anachranerd is offline
Confirmed User
 
Join Date: Jul 2010
Location: In the wind
Posts: 169
Quote:
Originally Posted by Atrax View Post
Question on the OSCP: Would it be worth taking the course/test as a means to learn? Or is the material too advanced for that?

My apples to oranges comparison: When I took Security+ I didn't know anything about the terminology or material. But through the process of studying I learned a lot and subsequently passed, despite having been a total novice at first.

However slowly, would following a similar path for OSCP be possible, or would I drown pretty early on?
Can't really opine since I'm just getting started but here:

Here is a link to the syllabus

FYI
__________________
"Seems like not having friends from all walks of society might mean missing out on a lot of what the world has to offer."

-SOTB

Last edited by anachranerd; 28 November 2018 at 20:05.
Reply With Quote
  #152  
Old 29 November 2018, 07:22
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
The course will put you on the right path. You'll just have to rely on secondary and tertiary sources to read up on and master it. If you want to be slow and deliberate, I usually recommend CEH first, then eCPPT before OSCP. But there's really nothing prohibitive in terms of just going to OSCP. You have to crunch hard either way.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #153  
Old 1 December 2018, 16:48
Atrax's Avatar
Atrax Atrax is offline
Confirmed User
 
Join Date: Sep 2005
Location: CONUS
Posts: 360
Gotcha, appreciate it.
Reply With Quote
  #154  
Old 4 December 2018, 06:47
HighDragLowSpeed's Avatar
HighDragLowSpeed HighDragLowSpeed is online now
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,250
If you are thinkng about getting into the security space, don't prepare for the wrong war. Much of what's been written in this thread will be of limited relevance in 10 years.

What?!? Has HDLS gone crazy?

Some questions to ask yourself: In 10 years, will orgs have the same balance of servers to be pen tested in data centers as they do now or will most of that capability be moved to the cloud? I believe that most of the capability that resides in servers and VMs today will be serverless in 10 years. Also, think about how security skillsets will shift to meet this new need. How many people are training for security today's infrastructure? Will we have a bajillion mo-fos running around with certifications to pen test and defend traditional data center servers and user endpoints? Yes. How much work will there around patching and compliance on endpoints? In ten years, with companies realizing that spinning up VMs in the cloud doesn't tak full advantage of cloud scaling, not much.

It isn't your fault. Really, it isn't. Security conferences are still focused on fighting the last war. Perhaps 2% of BlackHat was focused on cloud defense while offensive cloud courses ("hacking AWS/Google/Azure") was about 10%. I went to a regional three day security conference and there was one session on cloud security. One. Even twitter and linkedin tend to focus on today's endpoints.

But the indicators are in place that there is a big shift coming. 171k people attended Salesforce's DreamForce conference. There were over 50k attendees at the recent AWS conference and 20k at Microsoft Ignite for Azure. That speaks to how many organizations are at least seriously considering starting their cloud journey. Even for users, Microsoft already has shifted to O365 and is working on a thin client Windows version that runs in the cloud. So, where will you be able to apply many of the skillsets discussed in this thread and, more importantly, how many others will be fighting for work defending the same shrinking infrastructure?

Don't be that guy. If you are less than 40 years old and not focused on learning how to defend the serverless cloud, you're setting yourself up for future failure.

If you are thinking that your endpoint focused IT security skills will directly translate to the cloud, you are (1) focused on a small percentage of organizations that are likely doing cloud wrong and (2) demonstrating that you don't fully know about the cloud. You'll be lost when governance/security needs to be expressed as code, need to secure APis that feed into Salesforce, or need to define the access and compliance guardrails users will have when they spin up cloud instances. Worse yet, anyone living in some third world mudhut with some smarts, access to $50 of cloud credits, an internet connection, and a shitload of free time now has a path to riches by figuring out how to breach cloud respositories....anywhere in the world. Probably yours if you don't know what I am referring to above. In other words, good luck.

So, as you read through this thread and are amaking decisions about where to focus your career, think about if you are preparing for the last war in terms of IT security. We can close our eyes and pretend that this shift isn't happening....or you can start developing your relevant security expertise now. You heard it here first.
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.

Last edited by HighDragLowSpeed; 4 December 2018 at 07:03.
Reply With Quote
  #155  
Old 4 December 2018, 07:46
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
Your assessment is spot on. Cloud technologies are absolutely the future. Good post, HDLS.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #156  
Old 4 December 2018, 08:23
Fubar's Avatar
Fubar Fubar is online now
Been There Done That
 
Join Date: May 2009
Location: South Fork Ranch
Posts: 3,759
Respectfully - Exactamundo.
__________________
"The nice thing about Twitter, in the old days when I got attacked it would take me years to get even with somebody, now when Im attacked I can do it instantaneously, and it has a lot of power. You see some genius statements on Twitter. You see some statements coming out which are Ernest Hemingway times two." - The Trumpmeister
Reply With Quote
  #157  
Old 4 December 2018, 09:18
CV's Avatar
CV CV is offline
Authorized Personnel
 
Join Date: Apr 2003
Location: US
Posts: 7,752
Bouncing off of HDLS and tying it to this thread, a good progression for those looking to delve into Cloud Security training would be CCSK > CCSP. Also, Amazon has a ton a great (free) training for Cloud technologies in general, if you're starting out.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #158  
Old 5 December 2018, 18:01
cedsall's Avatar
cedsall cedsall is offline
giving you a number
 
Join Date: Aug 2010
Location: Washington, DC
Posts: 444
Quote:
Originally Posted by HighDragLowSpeed View Post
If you are thinking about getting into the security space, don't prepare for the wrong war. Much of what's been written in this thread will be of limited relevance in 10 years.

(and the rest of your post)
Great post.

I've been in the midst of some large scale DoD outsourcing over the past few years and what amazed me the most is how we're forcing the vendors into 20 year old security solutions.

Rather than push the vendors into compliance through their contracts and solid SLAs, there's still all this mumbling about "DoD data" and the very traditional router/firewall/idps model. It's an architecture out of "Building Internet Firewalls" (published 1995).

Folks talk about modernizing and streamlining government contracting but that's not going to help if the government continues to work within a 20 year old framework. Hell, we can't even get traction on IPv6. The US is going to find itself as the poor cousin of the Internet if we can't start wrapping our heads around current state technology.
Reply With Quote
  #159  
Old 5 December 2018, 20:21
Jimbo's Avatar
Jimbo Jimbo is offline
Scoundrel
 
Join Date: Nov 2001
Location: inside your OODA loop
Posts: 6,184
Quote:
Originally Posted by cedsall View Post
Great post.

I've been in the midst of some large scale DoD outsourcing over the past few years and what amazed me the most is how we're forcing the vendors into 20 year old security solutions.

Rather than push the vendors into compliance through their contracts and solid SLAs, there's still all this mumbling about "DoD data" and the very traditional router/firewall/idps model. It's an architecture out of "Building Internet Firewalls" (published 1995).

Folks talk about modernizing and streamlining government contracting but that's not going to help if the government continues to work within a 20 year old framework. Hell, we can't even get traction on IPv6. The US is going to find itself as the poor cousin of the Internet if we can't start wrapping our heads around current state technology.

Quantum computing is going to fix all that.
__________________

It's not a good idea to allow an unknown enemy force to attack your compound. Ever, really. -MixedLoad

"When the going gets weird, the weird turn pro." -HST

Secrets don't sleep til they're took to the grave. -BMTH
Reply With Quote
  #160  
Old 5 December 2018, 20:34
HighDragLowSpeed's Avatar
HighDragLowSpeed HighDragLowSpeed is online now
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,250
Quote:
Originally Posted by Jimbo View Post
Quantum computing is going to fix all that.
I literally burst out laughing. Best comment in the thread!
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.
Reply With Quote
Reply

Thread Tools
Display Modes

Our new posting rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT -4. The time now is 13:06.
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2018, vBulletin Solutions Inc.
Socnet.com All Rights Reserved
SOCNET 1996-2018