Information Security Primer

Introduction

So, you’ve decided to go down the path of Information Security, eh? Rather than get banned from /r/netsec for asking “H0w doe ! get n2 P3nt3$$ting????” – You decided to frequent your community of Level 1 Techs for expert advice.

Instead, you found this :smiley:

Welcome to my Information Security primer. Now, I say my Information Security primer, what I really mean is my introduction. I would like this to be a living document, something that the L1T community can actively contribute to, and eventually it will evolve into something that rivals that of Carlos Perez and Chris Sanders!

If you don’t know who they are, don’t sweat it. If you prefer books, real advice, or Podcasts, check out the list at the end of this post. Otherwise, keep reading! :smiley:

Useful Tips for Beginners
  1. Never log in to your accounts on a shared computer.

  2. Use different passwords/different patterns.
    For example: Say your password is C@nt4@ckM3! You put in a lot of work making this password, but you don’t trust password managers and you don’t want to spend time and energy making 40 different passwords for all of your accounts. So, what do you do? Break the domain and the password in half, and concatenate the halves. C@nt4Level1@ckME!Techs is your new password. Ridiculous? Too long to type every time? Welcome to infosec :wink:

  3. Don’t blindly trust scripts and software.
    explainshell.com and virustotal.com are great for looking at something iffy. These are not failsafes, though. Windows and Linux are not foolproof, no matter how much hardening you think you have done. YOU are the best antivirus.

  4. Never share your passwords with anyone.
    NO ONE. A vendor (Blizzard, Steam, Microsoft), a coworker, or someone in your I.T. Department. Forget it. If you need to have something serviced and have no choice, reset your password to something temporary before giving it over.

  5. Do not trust hardware.
    If you find something in the street, don’t plug it in to your computer. Resist! Anything from USB drives, to CDs/DVDs/Blu-rays, hard drives, SSDs, etc.

  6. Lock down your browser.
    So many people live in their browsers today, but refuse the tools to lock it down.

  • Adblocker (uBlock Origin is what I prefer)
  • Anti-Tracker/Anti-Footprint (Ghostery is good)
  • Auto delete history on closing browser
  • Disable Cookies (if you can, I know my school required cookies to use some of the University’s features).
  • JavaScript blocker (some sites are rendered useless with this, use it at your discretion).
  • Disable autofill and password managers (arguments are there for both sides, use what you trust and can verify).

If you feel morally opposed to item number 6 due to costing business precious revenue and customers, consider this: You can debate whether or not more people are hurt by ads than benefit from them. But, think of it as an incentive for the “market” to get their shit together. If you can guarantee your ads will not attack or damage me in any way, I’ll disable my tools.

  7. Disable SSID Broadcasting
    This is more of a “trick” than anything. People in the know can still find your network even if “hidden”. But, this is just more layers of protection, in my opinion. Disable SSID broadcasting and you’ll be more resilient to people passively searching or performing drive-by hits.

  8. Change SSID and Router Password
    Never leave the default router SSID or Password. Change both immediately. Don’t be cute, like “FBI Surveillance”, you’re asking to get rekt.

Tips for Advanced Users
  1. Build a Lab
    Get Windows 7, Windows 10, CentOS 7, Ubuntu 16.04, and anything else you feel like blowing up. You’ll need pfSense, vyOS, or another routing solution to secure your lab. The best method I’ve practiced is to have your bridged adapter work for the WAN on the pfSense, and create a virtual adapter for the lab LAN. There are a lot of good guides out there for securing and air-gapping your environment. The primary concern YOU should have if you are going to analyze malware is to make damn sure nothing is going to come over to your host. You can do a couple of things.

1a) Use a Linux host and a Windows VM.
This is the lazy way of going about it. It is secure enough for analyzing Windows malware, but VM escapes can still target Linux kernel vulnerabilities.

1b) Configure pfSense to block traffic.
Ah, now you’re learning something! Networking! The best asset anyone in Information Security, Systems Administration, or Software Development can have.

We want two different networks. For my home setup, I’m on a 10.0.0.0/24. For my Lab, I have it set up as 192.168.11.0/24.

On my Windows 7 Lab machine, I have the IP set to 192.168.11.125. pfSense is set to 192.168.11.1. I have created a rule in pfSense to Deny 192.168.11.0/24 access to 10.0.0.0/24.

I have also set up rules to deny 192.168.11.0/24 from accessing 192.168.11.1:443 and 192.168.11.1:80.

Further down the list, I have allowed 192.168.11.0/24 access to Any destinations on ports 80 and 443.

The rules in this list allow the malware to make http and https requests, while prohibiting those requests to my local network.

Great! You have taken your first step in securing your malware lab. More to come on this subject in the future.

  2. Check the Hash
    When you download something off the Internet, you should validate the checksum (if it’s an option). A lot of software (like Debian and pfSense) has it as a companion to the download. You can use command line tools to confirm the hash:
    md5sum debian.iso
    Then check the debian.md5 file and verify the match.
  • If you get the hash and the file from the same site, the hash is effectively only good to validate the integrity of your download.
  • Checking the hash of a file where the hash is hosted on a separate server from the file can be an effective security check.
  • It’d be much better if software vendors stopped pretending that it’s okay to use unauthenticated hashes to validate the authenticity of a download.

Thank you @Levitance for the fantastic addition.

More to come, when I think of something else. COMMUNITY CONTRIBUTIONS WELCOME.

Additional Resources

Books:

Practical Malware Analysis
Malware Analyst’s Cookbook
The Art of Memory Forensics
The Hacker Playbook Vol 2

Sites:

https://www.vulnhub.com

https://blogs.cisco.com

http://www.irongeek.com

Podcasts:

http://www.timothydeblock.com/eis/

https://risky.biz/netcasts/risky-business/

https://www.ironsysadmin.com (a mixed bag, but they do cover some good InfoSec stuff)

I am NOT going to recommend Security Now with Steve Gibson. He is a hack and has given misinformation over the years. Not to say the others haven’t, but the way he goes about himself bothers me on a different level. Someone else is more than welcome to make the recommendation. I’ve not listened to him in more than two years, so maybe things have changed.

9 Likes
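
The pfSense rules from the “Configure pfSense to block traffic” section above, replayed as a first-match simulation. This is an added example, not the post’s own configuration: the flows (a constructed 10.0.0.20 host on the home LAN, a TEST-NET address 203.0.113.10 for “the internet”) are made up, and it assumes the lab interface has no leftover “allow LAN to any” rule, so pfSense’s implicit default deny applies to anything the three rules do not pass.

```python
"""First-match simulation of the pfSense lab rules described in the post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset             # destination TCP ports; empty means any port
    note: str

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (not self.ports or dport in self.ports))


def rule(action, src, dst, ports, note):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                frozenset(ports), note)


# The three rules from the post, in the order they appear on the lab
# interface. pfSense evaluates interface rules top-down, first match wins.
LAB_RULES = [
    rule("block", "192.168.11.0/24", "10.0.0.0/24", (), "no lab -> home LAN"),
    rule("block", "192.168.11.0/24", "192.168.11.1/32", (80, 443), "no lab -> pfSense web UI"),
    rule("pass", "192.168.11.0/24", "0.0.0.0/0", (80, 443), "lab may speak http/https"),
]


def evaluate(rules, src, dst, dport):
    """Return (action, note) of the first matching rule, or the implicit
    default deny (assumption: no default 'allow LAN to any' rule remains)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action, r.note
    return "block", "implicit default deny"


# Constructed flows from the Windows 7 lab VM at 192.168.11.125.
FLOWS = {
    "home LAN host over https": ("192.168.11.125", "10.0.0.20", 443),
    "pfSense web UI":           ("192.168.11.125", "192.168.11.1", 443),
    "internet https":           ("192.168.11.125", "203.0.113.10", 443),
    "internet http":            ("192.168.11.125", "203.0.113.10", 80),
    "internet smtp":            ("192.168.11.125", "203.0.113.10", 25),
    "dns to pfSense":           ("192.168.11.125", "192.168.11.1", 53),
}


def decisions(rules=LAB_RULES):
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


def shadowed_order():
    """Same rules with the pass rule moved to the top: the two block rules are
    never reached, so the lab VM can reach the home LAN over https."""
    reordered = [LAB_RULES[2], LAB_RULES[0], LAB_RULES[1]]
    return decisions(reordered)


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:26s} {action}")
    print("pass rule first, home LAN over https ->",
          shadowed_order()["home LAN host over https"])
```

Note that under default deny the DNS flow is blocked too, so a sample that phones home by hostname will not resolve anything unless you add an explicit rule for the resolver you want it to use.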

Just when I thought I was out…

Information Security Primer MK.2

So, you guys have had time to think about rocking some infosec? Yeah? YEAH?

No?

My bad. I failed to follow up like I had intended. I got caught up in work and some terrible distro hopping disease. However, there was a post about someone asking the community for advice on careers, and I felt it was a good time to revisit this. The OP still stands, but I want to dig a little deeper into the subject of “what it takes”.

First, do not confuse my passion, enthusiasm, and weird, dark sense of humor for elitism, condescension, or pompousness. I value all contributions in the workplace, and with the right culture, I.T., InfoSec, Accounting, Marketing, and Development can all mingle, serve the business, and get along just dandy.

But, let’s get something straight. Information Security is a huge, wide, and diverse field. Almost like saying “I work in I.T.” could be anything from Sysadmin, Helpdesk, Desktop Support, bench tech, Systems Engineer, Network Admin, Network Engineer, Cloud Engineer, SAN/Storage Engineer, DBA, Devops, Sysops, Netops, Sales/Solutions Engineering, to a mixed bag of all of the above, saying you want to be in Information Security doesn’t mean much on the surface. Sadly, for a lot of companies, saying “I work in InfoSec” does not mean you have a technical role. Sometimes, it means that they are policy pushers, policy writers, compliance managers, and auditors (of technology, not money). This is NOT a bad thing. A lot of people in these roles are incredibly intelligent and end up saving the company millions of dollars. However, if this is not what you envisioned information security being, you need to ask certain questions in the interview:

“How often will I be in a sandbox?” – This is a good question if you’re applying to be a blue teamer. If you want to analyze or reverse engineer malware, you’re typically given a lab environment to work in. Sometimes you’ll do other things, like sit in boring ass meetings or read logs. But if it’s a technical role this question will give you an idea of how often you’ll get to flex your skills.

“When tasked with Incident Response, what would my involvement be?” – This will narrow down the degree of policy pushing/generating work for other departments. For some companies, incident response involves getting an alert, and pushing the work onto helpdesk or IT Ops.

“Do I have access to the network infrastructure?” – This is a big one, because at some companies the alert will go to InfoSec, but you will not implement the fix. Netops/Sysops/other Sec team will. If you want to be a part of that, move to a smaller company, a software/AV company, or an InfoSec company/consulting agency for the best opportunities.

“Will I audit the network?” – Sometimes technical, looking for vulnerabilities with passive scanners, reading logs, poking around on the application servers. Sometimes it’s boring compliance that involves talking with bureaucrats and making spreadsheets so they can blame you 7 months down the line when something happens, even though they turned down your budget request. Word this how you will, if you’re not satisfied with the answer ask for more details or ask point blank “Will I extract signatures and apply those to the firewall/IPS?”

NEVER trust a hiring manager or recruiter to tell you that this job will get your foot into the door and you can move over to a more technical role. Sometimes that is true, but you need to ask why the position is open, what happened to the last person in this role, what’s the escalation path, what is the next step in career progression, things like that. Those questions can give you an idea if the last people quit because of lack of growth, if they got promoted into a pentester/reverse engineer/network security role, and what you can aspire to if hired on at the company.

Now we’re going to talk about BUZZWORDS.

Cybersecurity, InfoSec, Hacking, PenTesting, Fileless Malware, Exploit, Phishing, Whaling, Conference, Bro, Brewski, Mac, and many, many more words are going to be used by people that have no idea what they mean (see @AdminDev for what a poser looks like :wink: ).

The best advice I can recommend to you is learn a system, and learn it well. Get certified if you want. Don’t ask what the best language is, what the best OS for hacking is, what the best OS for security is, don’t start with Kali, etc. None of those things matter right now. I would start with learning the basics of Networking and Linux, and then learning something like Python or PowerShell. After you’ve become more proficient, I would start working with tools like Kali, Backbox, writing tools in Python or Go, and PowerSploit. I would get familiar with Metasploit, but don’t rely on it. I don’t remember where I read it, but someone said: “The difference between offensive security professions and script kiddies is building your own tools versus using someone else’s…” That has always stuck with me, and I often reflect on that every time I consider copying and pasting someone else’s code.

If you can blaze through a Linux terminal, write your own scripts, know the OSI model, what each layer represents, and how to troubleshoot that layer, can capture and analyze packets, understand the basics of encryption and communication protocols, can write comfortably and confidently in Python and PowerShell, you are 1000x ahead of the game compared to a lot of people in the field. If you’ve made it that far, you at least have some sort of curiosity, interest, passion, or all of the above regarding information security and information technology. That’s good, because you’re going to need that for what comes next.

Sleep is for people who are broke…

Working in the information security industry is easy. You get a few certs, a couple of years of experience, and there’s not a place on this planet you can hide from recruiters. You’ll make a good living, probably end up at a great company with vested stock options, retirement plans, sweet benefits, and a cush office job.

Excelling in the information security industry is hard. It takes a certain tenacity bordering on obsession to separate yourself from the policy and compliance folks. Your day isn’t over after the 9 to 5, because you’re still reverse engineering that ransomware in your lab at home. In fact, your 9 was at 6:00 AM the previous morning, because you’ve been hunting some motherless shrew knocking on your firewall… Making little punctures to the hull, attempting to cause a crack, a leak, and a breach…

A day in the life…

You first noticed the logs were bulkier than normal… Running a search for failed logins, there was a common IP address among an overwhelming amount of the failed attempts. They tried, hard, the first morning, and then came back that afternoon. You pop over to help desk and ask if anyone called or submitted a ticket for a strange e-mail, a site being down, or malicious file. All was quiet on their end. Hm… It’s never quiet on Helldesk.

Back at your hub, you start checking the scanners for the company sites. No luck there, either. You do a few checks for cross-site scripting, and check domain names for similar spelling of your site. The compliance team had a meeting on this last year, and AdmenDev.com as well as AdmunDev.com were in the clear. Your search didn’t yield anything. You hit up the company Facebook and see if there has been any odd customer complaints or spam pushed over to the site. Nothing. Still quiet… The only indication of something awry is the 340,000 failed login attempts from 1.2.3.4… There should have been a lockout.

Just then, your e-mail dings. You open the notification:

[**] [1:6543:5] CyberEYE RAT Session Establishment [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/08-20:53:07.857989 192.168.2.153:4444 -> 192.168.2.189:6698
TCP TTL:128 TOS:0x0 ID:6526 IpLen:30 DgmLen:54 DF
***AP*** Seq: 0x53BAEB5E Ack: 0x18874922 Win: 0xFAF0 TcpLen: 20

Fuuuuuuu!!!

You reference the Snort rule:
alert tcp any any -> $HOME_NET any (msg:"CyberEYE RAT Session Establishment";
content:"|41 4E 41 42 49 4C 47 49 7C|"; classtype:trojan-activity;
sid:123456789; rev:2;)

You’ve got a RAT on your hands, and this can’t be a coincidence. Hating that you have to delegate, you IM the person on the Helpdesk you spoke with earlier. You give the name of the workstation and ask that they remove it from the network and bring it to you ASAP. However, you have time to prep. You load up your analysis VM in the sandbox. Help desk drops the laptop off at your computer just as you’re patching the last of your tools. You copy the contents of the drive, and find a few suspicious files. It doesn’t take you long to find the problem child (thanks VirusTotal).

Time for some dynamic analysis and reverse engineering.

You create a fresh snapshot on your patched VM and copy the files from the drive over to your VM. You fire off the application after setting up the system for some packet captures. You spin up another VM and start disassembling the program.

After spending some time deciphering the communication, you manage to establish that the communication between the infected computer and another node is some system specs and screenshots of the desktop. So, it looks like someone got in on YOUR network. That is unacceptable.

You extract the signatures and send those over to the network team, but you notice on your VM that’s been running the malware that your files are encrypted.

“What the f–”

You jerk back to your other workstation with the disassembled code and start skimming. The RAT was just Stage 1, it used PowerShell to pull down and execute ransomware.

Devious little bastard.

Fortunately, you had protections in place to alert you as soon as this happened, so the client computer was not encrypted (not that that matters, as daily snapshots of roaming profiles are taken, so they would have had most of their work back).

The network team confirms that the Palo is configured and that it shouldn’t happen again. But, you have the weapon… Now to find the killer…

Another perspective

@intrepidtechie provided a great addition:

I’ll add my own perspective here for a minute. You will never stop learning in Infosec. Attackers are always coming up with creative ways to abuse protocols, and most devs write for function and not security. As such, you’ll always be learning something new. Love that? Infosec may be for you. Hate it? Well, like OP said, you can cruise for a while. But I’m guessing that’s not what got you into the field in the first place and most places don’t want people who cruise “guarding the gates” so to speak. Want to get your passion back? Go watch some Defcon talks, you’ll be reversing malware at 3 AM wondering why you’re not in bed yet. (can confirm).

If that doesn’t scare you, a little advice to all you college/high school folks out there. Let your passion show. Find ways to be curious and improve procedures. If you’re in high school, start learning linux/scripting now. You’ll thank me later. If you’re in an entry level help desk job, reach out to the infosec folks at your current job, find out how you can collaborate with them to improve response times to malware on boxes/infections on network, etc. That networking goes a long way when they are looking for their next security analyst, especially if you have knowledge of the organization already.

I would recommend going to a Convention or two, but don’t worry if you don’t have the funds. Most cons record their talks and put them online. They are a great resource.

If you’re interested, Find a local Bsides meetup. There is likely one close to where you live, and they are normally very low cost to attend.

As far as resources go, I would add the Cyberwire podcast to the mix. It’s another daily podcast that summarizes news/trends in infosec. Internet Storm Center (linked above by OP) also has a great 5-10 minute podcast that also gives a summary of news/trends.

Finally, if you’re looking at all these links going, “Yeah, I like the idea of being in infosec, but that’s a lot to learn.” I would recommend just starting by listening to one or two of the podcasts. I’ll second the Defensive Security Podcast and ISC podcasts as a starting set. You’ll get enough infosec news/perspective to wet your whistle. Next, take a look at what your skillset is and what you would love to learn. Want to figure out how to break things and then responsibly tell people how to fix them? Look into Pentesting. Want to experience the thrill of hunting down some Command and Control traffic in your network and shut down the bad guys? Look into DFIR (Digital Forensics/Incident Response).

Don’t forget, once you’ve made it into this field, turn around and help the next guy. I’m only where I’m at because truly passionate people took time to help me learn and mentored me.

Slight exaggeration aside, the life described above CAN be yours with a bit of persistence and hard work. Most of what my experience has taught me is application comes first, lab and practice second, education and certs are a distant, distant third. Unfortunately, most Cybersecurity degree plans can’t teach you a fraction of what you need to know. There are a plethora of books out there, and a ton of sites to get you started.

One certification path is definitely the OSCP. This is not a multiple choice exam, with countless hours of memorization and 1,000 questions. No, this is a real network, you are given a scope, and you are given 24 hours to breach, exploit, and steal. You have a report on your findings at the end of it.

More here: https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Some fantastic books:

Hacking: The Art of Exploitation

A bit dated, but the VM is still on the No Starch Press website. Core concepts remain valid.

Shellcoder’s Handbook

Same as above, dated, but incredible skills worth having. If you go this route, I would read AoE first before diving into this one.

A Guide to Kernel Exploitation

Deep, deep guide into the kernel of Unix, Linux, and Windows operating systems. Rootkits and other low level malware. Great read, a bit more recent than the others.

The Art of Memory Forensics

This book debunks the whole “fileless malware” buzz. If the computer has memory, you can find malicious activity. Goes over Linux, Windows, and OS X.

Practical Malware Analysis

Dated, but valuable knowledge. Goes through analyzing malware in a Windows 7 VM. You can download all the exercises from the website. In-depth analysis at the end of every chapter and in the appendix. Worth it for the analysis bits alone.

Malware Analyst’s Cookbook

Another older, but gooder book. Goes into analysis and protection against malware.

Practical Packet Analysis

Chris Sanders is THE Blue Teamer. This book takes you through Wireshark and tcpdump for packet analysis. Networking is the number one asset to ANYONE in Information Security. This book serves as a great start, regardless of the specialty you want to get in.

PowerShell in a Month of Lunches

Love it or hate it, it’s not going away. With tools like PowerSploit and the PowerShell offsec toolbox, it’s only going to make you a more valuable employee for knowing this. Follow up with:

PowerShell Scripting in a Month of Lunches

Blackhat Python

Python 2, but still relevant and a damn good skill to have in InfoSec.

Honorable mentions:

The Web Application Hacker’s Handbook
Troubleshooting with the Windows Sysinternals Tools
The Hacker’s Playbook 1 and 2

All of the above are great, fantastic reads, especially HPB 1 and 2. But, I would build your Linux, scripting, and network knowledge before tackling those.

Some sites to help you flex your skills:
http://pwnable.kr/play.php

http://io.netgarage.org/

If you’re looking to get into the field and have a hard time finding work, try for a dev or systems admin gig and implement security practices into your role. Build a lab at home, make a blog via Ghost or Wordpress, and document everything you’ve learned and accomplished. Show the world that you’ve got the skills to add value to a company, security or otherwise. Follow pentesters and analysts on Twitter, get a LinkedIn, and get a centralized reader like Feedly to follow infosec news. Listen to Podcasts: Southern Fried Security, Paul’s Security Weekly, Source Code, Down the Security Rabbit Hole, Brakeing Down Security, and any others you may be interested in. Don’t close your mind when it comes to this stuff, if you only listen to one or two shows, or read one or two sources, you’ll miss out on another universe of opportunity.

I am far from an expert, I have junior to mid level experience, and I am still learning every day. The next bit will dig into more networking if this generates enough interest. Otherwise, I will see you on the other side.

13 Likes
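
The Snort rule quoted in the “A day in the life” story above, evaluated against a few constructed packets so the pieces of the rule are visible: the header fields, the `$HOME_NET` variable, and the `|41 4E …|` hex notation in `content:`. This is an added example, not code from the post; the `$HOME_NET` value (192.168.2.0/24, taken from the alert’s addresses), the packet payloads and the TEST-NET address are all made up, and only the `->` direction and plain `content` matches are handled (no `depth`, `offset`, `flow` or PCRE).

```python
"""Minimal evaluator for the Snort rule quoted in the post (added example)."""
import ipaddress
import re

# Snort variables as a lab might define them. $HOME_NET is an assumption
# derived from the alert line (192.168.2.153 -> 192.168.2.189).
VARS = {"HOME_NET": ["192.168.2.0/24"], "EXTERNAL_NET": ["0.0.0.0/0"]}

RULE = ('alert tcp any any -> $HOME_NET any (msg:"CyberEYE RAT Session Establishment"; '
        'content:"|41 4E 41 42 49 4C 47 49 7C|"; classtype:trojan-activity; '
        'sid:123456789; rev:2;)')


def decode_content(spec):
    """Turn a Snort content string into bytes: text outside '|' pipes is literal,
    text inside the pipes is space-separated hex. '|41 4E|' -> b'AN'."""
    out = b""
    for i, seg in enumerate(spec.split("|")):
        out += seg.encode("latin-1") if i % 2 == 0 else bytes.fromhex(seg)
    return out


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    # key:value; pairs, where value is either a quoted string or a bare token
    for key, val in re.findall(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);', body):
        opts.setdefault(key, []).append(val.strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": opts.get("msg", [""])[0], "sid": opts.get("sid", [""])[0],
            "contents": [decode_content(c) for c in opts.get("content", [])]}


def addr_matches(spec, ip):
    if spec == "any":
        return True
    nets = VARS[spec[1:]] if spec.startswith("$") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_fires(rule, pkt):
    """pkt = dict(src, sport, dst, dport, payload). Header first, then every
    content must be present somewhere in the payload."""
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    return all(c in pkt["payload"] for c in rule["contents"])


# Constructed packets modelled on the alert line in the post.
PACKETS = {
    "rat handshake": dict(src="192.168.2.153", sport=4444, dst="192.168.2.189",
                          dport=6698, payload=b"\x00\x10ANABILGI|1.0|\x00"),
    "benign http": dict(src="192.168.2.153", sport=4444, dst="192.168.2.189",
                        dport=80, payload=b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    "same bytes leaving the network": dict(src="192.168.2.153", sport=4444,
                                           dst="203.0.113.5", dport=6698,
                                           payload=b"ANABILGI|"),
}


def check_all():
    rule = parse_rule(RULE)
    return {name: rule_fires(rule, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("content bytes:", decode_content("|41 4E 41 42 49 4C 47 49 7C|"))
    for name, fired in check_all().items():
        print(f"{name:32s} {'ALERT' if fired else '-'}")
```

The third packet shows why the rule is written with `-> $HOME_NET`: the same bytes heading out of the network do not fire it, which is exactly the gap a pivoting analyst would want a second, outbound rule to cover.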

I will have a look at contributing later.
Currently still hunting that shrew :smile:

2 Likes

Unauthenticated hashes are problematic. A big example is Linux Mint. For a period of time they were dishing out an exploited version of their ISO. Now in that case, it was found out because people saw that the md5 hash didn’t match. It took a couple of months before someone stumbled across that little gem, but consider this…

The attacker was able to modify the website. What if the attacker had the foresight to modify the md5 hash as well? Then we would have been left with validating the PGP signature on the text file that contained a copy of the md5 hash.

Can you tell me why they do that? Checking the md5 hash that is posted to the same site as the download you are retrieving is bad in that it gives you a false sense of security. But they’re going to go through the trouble of giving us an authenticated signature of a text file that contains the md5 hash. Why not just post the authenticated signature of the download in question? With a PGP/GPG signature, you validate the authenticity and the integrity at the same time.

So to update this particular section.

  1. If you get the hash and the file from the same site, the hash is effectively only good to validate the integrity of your download.
  2. Checking the hash of a file where the hash is hosted on a separate server from the file can be an effective security check.
  3. It’d be much better if software vendors stopped pretending that it’s okay to use unauthenticated hashes to validate the authenticity of a download.
2 Likes
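
A checker for the “Check the Hash” step from the original post and the point made in this reply: the `md5sum debian.iso` / `debian.md5` comparison is an integrity check only. This is an added example, not code from either poster; the sample files and their digests are constructed inside the script, and the checksum-list format it parses is the one `md5sum` and `sha256sum` print (`<hexdigest>  <filename>`, with an optional `*` before binary-mode filenames).

```python
"""Check a downloaded file against a vendor checksum list (md5sum/sha256sum format)."""
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm, so the list itself tells us which hash it used.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: (algorithm, hexdigest)}.

    A leading '*' on the filename (GNU coreutils binary-mode marker) is stripped.
    Unknown digest lengths or non-hex digests are rejected rather than guessed.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: unrecognised digest {digest!r}")
        entries[name] = (algo, digest)
    return entries


def hash_file(path, algo, chunk_size=1 << 20):
    """Stream the file through hashlib so a multi-GB ISO never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, checksum_text):
    """Return 'ok', 'MISMATCH' or 'NOT LISTED' for one downloaded file.

    This proves integrity only. If the checksum list came from the same server
    as the file, whoever replaced the file could have replaced the list too;
    authenticity needs a signature over the list (or the file) checked separately.
    """
    entries = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in entries:
        return "NOT LISTED"
    algo, expected = entries[name]
    actual = hash_file(path, algo)
    # Constant-time comparison: harmless here, but the right habit for digests.
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo():
    """Constructed example: a genuine image, a tampered copy, and an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        good, bad, other = (os.path.join(d, n) for n in ("debian.iso", "tampered.iso", "notes.txt"))
        payload = b"constructed ISO contents, not a real image\n" * 1024
        for path, data in ((good, payload), (bad, payload + b"X"), (other, b"hi\n")):
            with open(path, "wb") as f:
                f.write(data)
        # The vendor's SHA256SUMS lists the digest of the genuine image; both
        # ISO files are compared against that same genuine digest.
        genuine = hashlib.sha256(payload).hexdigest()
        sums = f"{genuine}  debian.iso\n{genuine}  tampered.iso\n"
        return {"debian.iso": verify_file(good, sums),
                "tampered.iso": verify_file(bad, sums),
                "notes.txt": verify_file(other, sums)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

For the authenticity half that this reply asks for, verify the vendor’s detached signature over the checksum list first (for a GnuPG-signed list, `gpg --verify SHA256SUMS.sign SHA256SUMS`) and only then run the digest comparison above.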

Hello fellow L1Tech people!

^I’m stealing this because it also applies to everything I say as well.

First of all, @anon79053375 nailed this summary. I agree with everything he stated here. I am also a fellow Infosec poser, and can honestly say that this summary is one of the most accurate ways I’ve ever heard Infosec described.

I’ll add my own perspective here for a minute. You will never stop learning in Infosec. Attackers are always coming up with creative ways to abuse protocols, and most devs write for function and not security. As such, you’ll always be learning something new. Love that? Infosec may be for you. Hate it? Well, like OP said, you can cruise for a while. But I’m guessing that’s not what got you into the field in the first place and most places don’t want people who cruise “guarding the gates” so to speak. Want to get your passion back? Go watch some Defcon talks, you’ll be reversing malware at 3 AM wondering why you’re not in bed yet. (can confirm).

If that doesn’t scare you, a little advice to all you college/high school folks out there. Let your passion show. Find ways to be curious and improve procedures. If you’re in high school, start learning linux/scripting now. You’ll thank me later. If you’re in an entry level help desk job, reach out to the infosec folks at your current job, find out how you can collaborate with them to improve response times to malware on boxes/infections on network, etc. That networking goes a long way when they are looking for their next security analyst, especially if you have knowledge of the organization already.

I would recommend going to a Convention or two, but don’t worry if you don’t have the funds. Most cons record their talks and put them online. They are a great resource.

If you’re interested, Find a local Bsides meetup. There is likely one close to where you live, and they are normally very low cost to attend.

As far as resources go, I would add the Cyberwire podcast to the mix. It’s another daily podcast that summarizes news/trends in infosec. Internet Storm Center (linked above by OP) also has a great 5-10 minute podcast that also gives a summary of news/trends.

Finally, if you’re looking at all these links going, “Yeah, I like the idea of being in infosec, but that’s a lot to learn.” I would recommend just starting by listening to one or two of the podcasts. I’ll second the Defensive Security Podcast and ISC podcasts as a starting set. You’ll get enough infosec news/perspective to wet your whistle. Next, take a look at what your skillset is and what you would love to learn. Want to figure out how to break things and then responsibly tell people how to fix them? Look into Pentesting. Want to experience the thrill of hunting down some Command and Control traffic in your network and shut down the bad guys? Look into DFIR (Digital Forensics/Incident Response).

Don’t forget, once you’ve made it into this field, turn around and help the next guy. I’m only where I’m at because truly passionate people took time to help me learn and mentored me.

2 Likes

@Levitance @intrepidtechie

Contributions updated. Thank you for your feedback and additions to the wiki.

2 Likes

@anon79053375 Thank you so much for such a great insight into what it’s like to be in InfoSec. To me that sounds absolutely exciting and something to strive for. I appreciate your sense of humor, and I wish more people could understand it (as I have a similar difficulty conveying it). For now I have my head buried in some books (Linux+, Network+ [N07, new one], Server+ [already bought voucher]) and I am trying to get used to Arch at the same time.

Side note, I used to listen to ‘The WAN Show, Awesome Hardware, TechTalk’, etc. I heard about ‘Security Now’ and thought it was an absolute gem and got me more interested in InfoSec. Now that I have your recommendations, I can see just how much I was missing out on. Thanks again.