SOCNET: The Special Operations Community Network > Areas of Expertise > Technology and Communications

#41 - 3 December 2014, 00:33 - GirlwithaGlock (Russian Tycoon)
Quote:
Originally Posted by CV View Post
OSINT - Open Source Intelligence
A decent place to get started on this subject is NSA's Untangling the Web: a Guide to Internet Research.
__________________
Dodge This!
#42 - 3 December 2014, 01:12 - malventano (Confirmed User)
Quote:
Originally Posted by CV View Post
Wow, that is money right there. Good looking out.
That's definitely good stuff. I had the pleasure of taking Lenny's GREM course. He is absolutely one of the sharpest reverses out there, and you'd better be prepared to drink from a fire hose for a week if you take it. Already knowing your way around Olly and IDA is an absolute prerequisite. GI Bill should also cover the test, which you have to take at a local test facility after the course itself. It's open book, but the questions dive deep into Lenny's material, so have it well bookmarked prior to attempting it or younger run out of time.
#43 - 3 December 2014, 01:16 - malventano (Confirmed User)
Quote:
Originally Posted by malventano View Post
reverses
reversers
Quote:
Originally Posted by malventano View Post
younger run out of time.
*you'll* run out of time.

(Damn autocorrect! :))
#44 - 27 December 2014, 23:09 - CV (Ungood)
So, we're in some interesting times. It would seem this thread is more than appropriate when considering the issues with Sony, and other organizations. Let's move on to actually articulating threats and starting the process of securing personnel, systems, and their assets.

Threat Modeling

This is step [one] in any consulting that I perform. During this phase, it is crucial to determine if the client is interested in being defensive or offensive. I love football, so I often use terms associated with it when speaking to clients. People generally understand the concepts.

Defensive: This is reactive, and in many cases not adequate in securing people, systems, and assets against a truly persistent threat. That doesn't mean it isn't important, or valuable. It just has some areas of concern that I can try to address further when I have more time. Vulnerability assessments tend to favor defensive remediation. Actions such as software updates, and critical patches. These are important, so don't ignore the fact they exist. It usually leads to exploitation.

Offensive: This is more adversarial and often includes varying degrees of penetration testing (talked about earlier).

A really dumb, simple analogy would be a situation in which you want to protect your home from bears. Defensive threat modeling would dictate that you should probably keep your food stowed away behind a locked refrigerator, and maybe even put up a fence. These are generally good practices that we can imagine would work. Offensive threat modeling would force us to literally act like the bear and try to get in. Only through being the bear, do we find exactly where the weaknesses exist.

Please don't get these mixed up as both are important. It's also a matter of degree in terms of risk and loss expectancy (much deeper conversation, but chime in if you want to learn more about it).

In all cases of threat modeling, there are many sub-steps that go into drafting up the final documentation. Everyone has their own way of doing it, and some existing risk frameworks require specific information. In general, you'll do the following:

1. Define requirements: What do you want to protect from the bears?
2. Model architecture: What material will the fence be made of?
3. Identify threats: Are they black or brown bears?
4. Assign Risk: Do bears exist in my neighborhood? If so, how many, and of what variety?
5. Update the model as needed.

The above is extremely simplified. I don't have the time to draft it all out, but you hopefully get the gist.

Send questions or comments.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#45 - 28 December 2014, 02:00 - MountainBum (Vivat Fraternitatis)
/Raise hand.

The general attitude of industry is:

1) Because they're so inept at securing the gates, or conversely:
2) The bears have infinite time and budgets to recce the gates for weaknesses

that future acquisition/budget/CND effort should go toward neutralizing the ones that will inevitably get through, as rapidly as possible. Thoughts on the transition to such an "incident response heavy" paradigm?
#46 - 29 December 2014, 09:02 - CV (Ungood)
It's the new popular flavor. It has to be a holistic approach, depending on business needs and processes, in order to be effective.

Incident response is one cog in the gear, and in the case of Sony, was only proportionately used in conjunction with their forensic efforts (I'm assuming).

By the way, what you're describing above is a very simplified overview of how our credit card companies operate. They don't really worry about the low value transactions and instead focus on protecting the overall mothership. PCI-DSS compliance even has breadcrumbs throughout relating to this notion.

As for the overall information security industry, you're seeing a lot more focus on external and internal penetration tests conducted by individuals, or what I call 'parlor' shops (companies that solely focus on pentesting). Orgs want to know where the true weaknesses lie, beyond vulnerability assessing. They want to know how the cockroaches can lie, cheat, and steal their way into critical data.

I hope this answered your question. The main place that I see an emphasis on IR is in the government sector.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#47 - 4 January 2015, 19:39 - CV (Ungood)
Does anyone have questions? I'm kinda firing all over the place. If you have any specific topics you want me to touch on, I can. I just got off of a nice internal pentest and wrapped up my reporting on it. Lots of fun.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#48 - 6 January 2015, 10:30 - Golden Tiger (Confirmed User)
This kind of goes back to the beginning of the thread, but is there a preferred method of studying for the CEH? Wasn't sure if it was like the GIAC Certs where you're at a bit of a disadvantage if you don't do the seminar. Starting a new network engineering job this week and I'd like to really go after the CEH once I'm settled in here.
__________________
"Keep a sharp knife, shiny boots and be on time." - James E. Williams
#49 - 6 January 2015, 12:27 - CV (Ungood)
Quote:
Originally Posted by Golden Tiger View Post
This kind of goes back to the beginning of the thread, but is there a preferred method of studying for the CEH? Wasn't sure if it was like the GIAC Certs where you're at a bit of a disadvantage if you don't do the seminar. Starting a new network engineering job this week and I'd like to really go after the CEH once I'm settled in here.
That depends if you want to just pass the cert, or actually learn how to pentest. I say that not to poo-poo the certification, but there are paths of least resistance. If you want to learn a valuable skill, in addition to furthering your career, I recommend checking out the EC-Council online labs. You literally boot up servers and go through the process of penetration testing. I forget the cost, but it's around $150 for 6-months of access (if I recall right).

You can also use this section of SOCNET. Keep in mind that specific TTPs won't be discussed, but I can point you in the right direction if you need help.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#50 - 6 January 2015, 15:32 - Golden Tiger (Confirmed User)
Quote:
Originally Posted by CV View Post
That depends if you want to just pass the cert, or actually learn how to pentest. I say that not to poo-poo the certification, but there are paths of least resistance. If you want to learn a valuable skill, in addition to furthering your career, I recommend checking out the EC-Council online labs. You literally boot up servers and go through the process of penetration testing. I forget the cost, but it's around $150 for 6-months of access (if I recall right).

You can also use this section of SOCNET. Keep in mind that specific TTPs won't be discussed, but I can point you in the right direction if you need help.
Definitely looking to expand my skill set. Way too many paper cert types in my current field, so I want to be as hands on as I can. I'll definitely be checking out those labs. Thanks!
__________________
"Keep a sharp knife, shiny boots and be on time." - James E. Williams
#51 - 12 January 2015, 14:02 - CV (Ungood)
A tool called nmap was mentioned in another thread, so I figured it would be a good addition to this thread. Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

Disclaimer: The tool is not inherently a means to exploit, but it has some capabilities that advanced users can use to great effect. If you’re an idiot and run into trouble while scanning a site, there’s no plausible deniability.

Okay, with all of that aside, as I said, nmap is a great tool for troubleshooting and enumeration. Go to the site listed above and read all about it. Learn to love it. If you master it, you’ll have added a valuable tool to your toolbox. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other things.

http://nmap.org/
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#52 - 21 January 2015, 14:58 - CV (Ungood)
It's All About the Toolbox

Bouncing off of my small nmap comment.

Just like any profession, a pentester needs to have a toolbox available and the knowledge of how to properly use them. A good analogy would be the garage of a friend who is a really good mechanic. I would never call myself a vehicle mechanic, even if I know more than a common person. I can perform all of the routine maintenance on my vehicle, change brake rotors, pads, and bleed them accordingly. That doesn't mean I'm a stud. In fact, there's a lot more damage I could do than I could solve.

The same goes for penetration testing. There are endless tools out there that can make your job a little easier, but if you don't know what you're doing, you can (and will) royally screw things up for your client, and yourself. There's an epidemic of unskilled penetration testers using tools they know nothing about. Make sure you know what you're working with, and when something goes wrong, you have to know why it went wrong.

More to follow...
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#53 - 27 January 2015, 11:01 - CV (Ungood)
Instead of going through tools, which would be madness (there’s far too many), use your elite Google-Fu skills to find information. Honestly, especially if you're just starting out, look up Metasploit and start there. It's a suite of exploitation tools that many pentesters use on a regular basis. I believe I mentioned it earlier. That should be a good indication of its value.

For now, let’s go over red team/blue team functions and activities.

Red Team
The red team during an engagement works to challenge security controls and policies that have been put into place to protect things such as people, places, and assets. For our military folks, a red team is no different than OPFOR—the aggressors of various activities.

Blue Team
If it wasn’t easy enough to discern, blue teams are the defensive force against red team activities. Note that being on the blue team doesn’t mean you shouldn’t have offensive capabilities. In fact, an effective riposte from a red team attack can be crippling to your opponent.

From a very high-level management point of view, red teams are attackers, and blue teams are defenders.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#54 - 12 February 2015, 09:32 - CV (Ungood)
Started the OSCP path. It is very challenging and is currently the industry bigboy in terms of value (as previously mentioned). The mantra of 'try harder' is great. It is not for those new to the field, but has definitely gained mega-traction in the last year.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#55 - 17 February 2015, 09:04 - Tracker (MSMD)
I would like to thank CV and the others who have contributed knowledge to this thread. It has been extremely informative. I should have my CEH within 6 months, and with any luck a new career within a year.
#56 - 17 February 2015, 13:25 - CV (Ungood)
Quote:
Originally Posted by Tracker View Post
I would like to thank CV and the others who have contributed knowledge to this thread. It has been extremely informative. I should have my CEH within 6 months, and with any luck a new career within a year.
If you need any help, don't hesitate to ask here (or a new thread). CEH can appear like drinking from a water hose if you don't have a background in it, but it's not too shabby once you understand the principles. Remember, it's a stepping stone. CEH won't make you a hacker.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
#57 - 7 March 2015, 19:29 - Atrax (Confirmed User)
I'm curious what everyone thinks of this program: http://scsonline.georgetown.edu/

I'm computer literate but lacking a tech background, and frankly, don't want to be rubbing two sticks together while everyone else has Zippos in 20 years. Any thoughts as to the marketability of something like this?
#58 - 9 March 2015, 11:51 - Tracker (MSMD)
Atrax, I have no idea about the marketability of the program you linked to, but it definitely won't help you obtain a tech background. It's all management courses.
#59 - 9 March 2015, 14:01 - assertnull (Confirmed User)
Concur with Tracker. Looks to be geared more so towards Amway salesmen looking to make a move into the technology sector, than to building any sort of practical know-how.

Or, more realistically, for someone stuck in a subordinate IT position whose upward mobility depends on a "relevant graduate degree", and needs a bunch of fluff to fob off on HR.

Little of practical value, near as I can tell.
#60 - 9 March 2015, 19:04 - CV (Ungood)
When I look for teammates, college is good and all, but it is never a deciding factor unless a contract specifically calls it out as a requirement (mostly government contracts, which are written by people who have no idea what they're talking about).

Security, as discussed earlier, can be broken down into management, operational, and technical. If you want to be hands-on, breaking into, or securing, systems, that degree path won't help you.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo