Ask Lesley InfoSec Advice Column: 2017-04-26

I was sent some very challenging scenarios this week, from entry level remote work to anonymity. As always, submit your problems here!

Hi Lesley,

I’ll add a little background before my question. I’ve always wanted to break into the infosec industry as I love tinkering and figuring out how things work. I managed to get my first IT job on a helpdesk, which has taught me loads, and continues to every day; however, I’m not content with sticking to support. I’ve been very lucky in being accepted onto the Cisco CCNA CyberOps scholarship. My question is, do the course objectives look to be industry relevant?

First exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secfnd/exam-topics
Second exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secops/exam-topics

I’m going to sit the course and try to pass it regardless; I’m just interested in how it is viewed by an infosec professional.

– A keen n00b 🙂

Hi Keen,

Congratulations on your scholarship. The CCNA SECOPS and SECFND objectives are good, and cover many fundamentals every security professional should be able to describe and define at a minimum. Think of the program as your ten thousand foot view of many different niches and professions in security. Use the opportunity to pick out things that interest you personally, and dig into a couple further. This might be indicative of the field you want to eventually work towards. Conversely, if you find at that high level you’re weak in any specific areas, then it’s definitely a sign you need to study up on that subject.


Dear Lesley,

I’m a programmer. Last year I quit my job and started to study infosec and systems programming at home; around December I reached the conclusion that I wouldn’t be able to turn this hobby into anything profitable (“pay-the-rent” profitable, not Zuckerberg profitable). I don’t live in the US, UK or any other major country, so these positions just don’t exist locally; information security is a non-issue here.

The only way out of this that I could see is bug bounties, but even then, bounties don’t seem like a reliable source of income. Surely I could make some good money in some months, but I can’t pay the rent only “in some months”, you know?

So that’s my question, how would you go about making infosec your main source of income if you can’t work for local companies nor relocate?

-Nasher Alagondar

Hi Nasher,

It’s really commendable that you want to get into security despite there not being much of a field, community, or market where you live.

You’re in a tough situation. If you were able to move I would definitely recommend going abroad with an internship or entry level position to get your foot in the door for a while before working remotely. The independent bug bounty market is a tough one, and it’s a mess of very skilled to totally unskilled people trying to make a living. Lots of companies don’t pay out bounties, and some even pursue legal action against people who submit them. If you could build up credibility with a dedicated bounty firm like Bugcrowd, that would probably be the best case scenario, but it’s still a cutthroat industry filled with many people in similar situations to you. If you go this route, you will really need to rise to the top in responsiveness and skill to be successful.

There are some remote low-level blue team cybersecurity jobs, particularly at big managed security providers. Their nationality requirements are going to vary, and it’s very likely they will require you go to their office for a period of time for training. Perhaps some commenters on my blog have specific suggestions of firms. This seems the most ideal option for stable work.

A third option is making it an issue in your area. Cybersecurity is in the news more and more lately, and malware like ransomware really has a visible impact on even very small businesses. I’m not sure where you live, but if there are businesses, hospitals, or schools that use computers, you can probably sell them general IT service consulting with a side of basic security configuration and response. That’s going to take a lot of initiative and entrepreneurship on your part, and requires enough of a market to make a living.

Either way, please reach out digitally and do all the networking you can with other security professionals. It can’t hurt to have friends who can hire!


Dear Lesley,

I’ve been in IT for over 10 years, with a focus on security the last 4. I want to continue in the security field and am really interested on the defensive side of things.

The problem I have is that most certifications, books and resources online seem to be aimed at Red Team folks. I know the best way to defend against attacks is to learn how the attackers work, so I do see the value in learning things like pen-testing etc. My question is what else can I do to strengthen my Blue Team skills and also grow my career?

Thanks!

– I Want to Be Blue Like A Smurf

Hi Smurf,

Yes, red team skills are directly translatable to the blue team, as are general systems administration skills. There are plenty of defensive courses and certifications, but they are not as broad as red team certs like OSCP or CEH.

  • For instance, if you’re interested in reversing, you should be looking at books like Practical Malware Analysis, conferences like REcon, courses like SANS 610 or Applied Reverse Engineering with IDA Pro, and certs like GREM.
  • If you’re interested in forensics, you should be looking at books by Harlan Carvey and Brian Carrier, courses like those from Volatility Labs or SANS 408, 508, 526, and certifications like EnCE, GCFA, GCFE.

And so on and so forth. There are many defensive niches and they each have specific training, tools, and certifications. The broadest defensive certifications are Security+ and CISSP, and those are pretty high level for a reason. With your years of experience, I would suggest specializing a bit.


Dear Lesley,

In today’s world guarding our personal information has become more important than ever, and maintaining our privacy has become more difficult and exhausting whether we like it or not. My first question is, what do you think we can do to protect our privacy while we’re looking for a job or socializing with other people, etc.? And second, do you think it’s worth creating a pseudo-name (pseudo-identity) and giving it to the people we meet inside and outside of our field instead of our real name, as a layer of privacy and maybe protection? Thank you for your time.

– cautious paranoid

Hi Paranoid,

I can’t tell you whether it’s better for you personally to use a real name or a pseudonym online. This requires a series of judgement calls you have to make yourself, and you will have to weigh costs and benefits. I can tell you that I use my real name because the exposure I get is tremendously beneficial to my credibility and ability to speak and train people. This comes at a cost. I have friends who use pseudonyms which can be traced back to them with effort, and others who have decided to be as anonymous as possible so they can discuss subject matter their employers disapprove of. If you use your real name, you should carefully craft your online persona and avoid posting offensive or sensitive personal information. If you use a pseudonym, you must be cognizant that it could be traced back to you tomorrow, or in ten years.

Unfortunately, this is one of those situations where you must weigh convenience and ability to function in society versus personal privacy, and try to maintain a balance between the two that works for your individual situation.


Dear Lesley,

First of all, thank you for this question series and for the Infosec Megamix. It really helps self-doubting me to get back on my feet and continue my path in the infosec world. Now, I recently obtained an infosec certification and it turned out to be an eye-opening experience which played well along with my broad-and-shallow approach to learning. But ultimately I want to specialize in some sphere, and my interests are (in no particular order) threat intelligence, forensics and research/exploit development. Which are the topics I should get familiar with that are essential to all these spheres (or maybe 2 out of 3)? I’m currently picking up some low-level knowledge (reversing, OS internals etc.) and there is so much to be learned, so some guidance will be very helpful. Thanks again and keep up the good work!

– The Inkmaster

Hi Inkmaster,

Congrats on your hard work and certification. I’m really glad it inspired you.

The three areas you mentioned are pretty functionally disparate. The two you are most likely to see overlap in a role are forensics and threat intel, but that’s not super common.

Threat Intel requires a lot of soft skills, OSINT research, and geopolitical understanding. Forensics requires a lot of disk, memory, and operating system knowledge. Exploit research is entirely a different can of reverse engineering worms on the red team side of things. However, I like your question because it brings up a point I rail on a lot – system and network fundamentals are critical for every red team or blue team person.

Off the top of my head, some things that will overlap between those fields:

  • OS architecture, system function, and file systems – Forensics and Exploit Research
  • TCP/IP, ports and protocols, and internet architecture – All Three
  • Scripting with Python – All Three
  • Exploit methodology and the ‘kill chain’ – All Three

Dear Lesley,

I would like to know, when performing various things over the internet like hacking/scanning someone’s network and other stuff that can alert the authorities, how can I perform those tasks without them knowing who I really am (like my IP and stuff; most use proxies, but I have a gut feeling it’s not only that)? I would like to know how professionals cover themselves up over the Internet, of course 🙂

-QuesT-Ion

Hi QuesT-Ion,

First, the caveat – I don’t recommend or condone illegal hacking and you should only exploit systems that belong to you or you have clear written permission to test.

No, it’s not only about proxies. Sure, many a hacker has screwed up and forgotten to tunnel one piece of traffic, and many an ISP and VPN provider has been successfully subpoenaed, but IPs alone are not the end-all way to catch a hacker. Not only can attackers use proxies, but they can also use another compromised system as an attack platform, so the whole fields of DFIR and Threat Intelligence are pretty much dedicated to associated detective work.

There are lots of hard and soft indicators that can give away the nationality, location, or even identity of a hacker. Hard indicators include solid evidence like IP, MAC, system fingerprinting, metadata on files that shows a creator or source device, or geolocation data. Many an attacker has screwed up and left an internal hostname, handle, or local SSID behind in commands or code. Soft indicators, when put together, can also paint a great picture of an attacker. They are things like the time zone the attacker worked in, the language their tools and keyboard were set to, the specific malware variants or tools they selected to use, when they took breaks or made errors, and their methodology.

Of course, many an attacker has just been caught by much more embarrassing means, like bragging about their attack without enough caution, or getting caught in a sting operation.

Real life attackers try to eliminate all of those mistakes and soft and hard indicators, but as threat intelligence reports will show, that’s very hard to do completely.
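As an added illustration of one of the soft indicators above (this is example code written for this edit, not code from the column), here is how an analyst can turn the hours an intruder keeps into an attribution lead. Given the UTC timestamps at which attacker commands were observed, it scores every UTC offset by how many events fall inside an assumed 09:00–17:59 local business day, then shows the activity per local weekday once the best offset is applied. The timestamps, the business-hours window and the log source are all constructed assumptions.

```python
"""Infer the UTC offset an intruder appears to work in from activity timestamps.

Constructed example for illustration. The timestamps below are made up to
represent a hypothetical intruder; a real investigation would pull them from
proxy, EDR or authentication logs.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times at which commands were observed on a victim host.
SAMPLE_EVENTS_UTC = [
    "2017-04-17T01:05:00Z", "2017-04-17T03:40:00Z", "2017-04-17T06:15:00Z", "2017-04-17T09:20:00Z",
    "2017-04-18T01:30:00Z", "2017-04-18T05:02:00Z", "2017-04-18T08:45:00Z",
    "2017-04-19T02:10:00Z", "2017-04-19T09:05:00Z",
    "2017-04-20T01:50:00Z", "2017-04-20T04:30:00Z", "2017-04-20T07:55:00Z",
    "2017-04-21T03:15:00Z", "2017-04-21T09:40:00Z",
    "2017-04-22T14:00:00Z",  # weekend outlier, e.g. a scheduled task rather than a person
]

# Assumed local business day: 09:00 up to (not including) 18:00.
WORK_START, WORK_END = 9, 18


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_hours(utc_dt: datetime, offset_hours: int) -> bool:
    """True if the event falls inside business hours for a zone at UTC+offset."""
    local_hour = (utc_dt.hour + offset_hours) % 24
    return WORK_START <= local_hour < WORK_END


def rank_offsets(stamps):
    """Return [(offset, fraction_in_work_hours), ...] for UTC-12..UTC+14, best first.

    Ties are broken by the smaller absolute offset so the output is deterministic;
    a tie between neighbouring offsets means the data cannot separate them.
    """
    events = [parse_utc(s) for s in stamps]
    scored = []
    for offset in range(-12, 15):
        hits = sum(in_work_hours(e, offset) for e in events)
        scored.append((offset, hits / len(events)))
    return sorted(scored, key=lambda t: (-t[1], abs(t[0]), t[0]))


def weekday_profile(stamps, offset_hours: int) -> Counter:
    """Count events per local weekday once the candidate UTC offset is applied."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(s).astimezone(tz).strftime("%a") for s in stamps)


if __name__ == "__main__":
    ranking = rank_offsets(SAMPLE_EVENTS_UTC)
    best_offset, best_fraction = ranking[0]
    print(f"most consistent offset: UTC{best_offset:+d} "
          f"({best_fraction:.0%} of events in business hours)")
    print("runners-up:", ranking[1:4])
    print("activity by local weekday:", dict(weekday_profile(SAMPLE_EVENTS_UTC, best_offset)))
```

On the constructed sample the ranking singles out UTC+8, with the neighbouring offsets scoring lower because the earliest and latest daily events fall outside their business day, and the weekday profile shows a Monday-to-Friday pattern with one Saturday outlier worth examining separately. This is one piece of circumstantial evidence, not an identification: it says nothing on its own about who the operator is, and it is only as good as the assumption that the operator keeps ordinary office hours.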
