Well uhm… I changed fields

So yeah, it’s been a while since I last posted on here, and there have been times when I had the chance to post about it. But to be frank, it was put on the famous “back burner”.

So there were quite a few reasons why I changed fields. I was working as a SOC operator, working shifts that were out of this world. I did not think working shifts would be a problem. Oh, was I ever wrong; I did not handle the shift work well at all. I basically could not get enough sleep when we changed start time 2-3 times a week. Let’s say I began at 07:00 Monday and Tuesday, then had Wednesday off, but then started at 23:00 on Thursday, etc…. We had a schedule with changes like that 2-3 times a week, plus the two weekend shifts, Friday-Saturday-Sunday, 12 hours each.

Problems falling asleep resulted in me staying awake from one shift to the next shift change just to be able to go to work at all; this turned out to be a pretty shitty strategy…. Well, it came to a point where I was losing so much weight that it was becoming a serious health concern. I was left with no choice really other than to get a job with normal working hours.

At the same time I was asked if I would be interested in working in another department of the same company; there was essentially a shortage of manpower. The department was basically not able to handle the workload it had been assigned, and some lackluster “changes” had been made to the department structure. The good old “let’s smack several departments together and call it a day”, because then there would be more people in the department that is struggling with the workload? Well, that is not how it works; the workload remains shared over the same number of people…..

So I was asked if I was interested in joining the Server/VM (Linux, VMware) team. I said yes in a heartbeat….

So how does one transition from a SOC to a production/infrastructure team? I had no prior experience working on this side of the field. Well, I was an apprentice handling support for a county, but that still can’t be compared to the infrastructure we have at my current position. So how did I handle the transition?

READ BOY READ!!!!!

If I got a dollar for each subject I lacked experience or knowledge in, or was totally blank on… oh, I would be well-off. I’ve constantly been reading up on new topics, rereading material on things I hadn’t touched since I was studying in school. Keep in mind that I took a 2-year “after education” in Network and IT Security, so I never really focused on the production side of it, and I have to double down on the apparently gaping holes.


You know nothing, Jon Snow….

I have come to a pretty harsh realization these past few months. I really felt like I knew something about protocols, infrastructure, services, etc…. NOPE.

Well, let me be more specific: there was a vast amount of stuff relating to HOW and WHEN and WHERE that I was pretty much oblivious to, since I was never exposed to the production side of IT. It was never something I had to consider or worry about; one might argue that it is the “practical application” of the technologies. As one of my biggest sources of inspiration once said…

“The more I learn, the more I realize how much I don’t know” - Albert Einstein

It’s kind of a sadistic truth in those words. What I have come to realize is that the more I learn about a technology, the more I see how it can be used in conjunction with other technology and built upon, and how that again can be used in other cases, etc. It is like a never-ending sea of possible combinations. And we are moving at speed in developing new technology that improves, replaces, or both, existing technology, which again has new ways of being used in “practical application”.

The backlog….

So that is where I am now, in the Covid-19 days, working from home, reading up on subjects I have discovered I need to know more about; that is basically how I have managed this transition. I’ve kept logging every subject I have come across that I need to learn more about, like spine-leaf, FCoE, fabrics, Storwize, Ansible, Tower, Foreman, Katello, Spacewalk, Puppet, WinRM. I have also been designated a member of the group that is working on implementing new solutions for automation and new use cases for our infrastructure. There are challenges ahead, but do I welcome them with open arms….. I’m overwhelmed by the possibility to challenge myself and contribute, something I see now I was lacking. Turns out it’s not healthy for my sanity to sit idle for too long. I need something to “solve/fix/do/fiddle” with, and I am apparently not the only one who finds the prospect of coming to work and not doing anything the most dreadful thing, whereas most “normal” people might find that “lucrative”; I do not. My head always has some “cogs” turning and twisting about in there, so for my part, and for many with ADD/ADHD, “idleness is the root of all evil”. I’ve never been more satisfied with my career than I am today, even though it seems stressful. I find it peaceful to think that I have something to do every day, and that I am able to work on projects from start to finish!

DNS amplification attack

Not so long ago there were reports of DNS servers being used for amplification attacks. A DNS amplification attack is when the response is X times larger than the query. This is mostly, if not always, done by using EDNS0 (which allows much larger UDP responses than classic DNS) or DNSSEC, which adds cryptographic records to the response. Through the mentioned means and others, a DNS request of 60 bytes can be set up to get a response of 4000 bytes. In this scenario we get a 70:1 amplification vector.
This type of attack is often seen in conjunction with botnets, where spoofed requests are sent from unknowing participants and no one is the wiser. Done with enough “bots”, the results can be devastating for the targeted server/host.


If we look at the targeted host/server as a shop with one entrance door: if the store (in this case the targeted system) has the capacity to handle 100 customers per minute, and all of a sudden there are 10 000? The doorway is clogged, no customers are served, and the shop is closed.

A DNS amplification attack can be broken down into four steps:

  1. The attacker uses a compromised endpoint to send UDP packets with spoofed source IP addresses to a DNS recursor. The spoofed address on the packets is the real IP address of the victim.
  2. Each one of the UDP packets makes a request to the DNS resolver, often passing an argument such as “ANY” in order to receive the largest response possible.
  3. After receiving the requests, the DNS resolver, which is trying to be helpful by responding, sends a large response to the spoofed IP address.
  4. The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial of service.
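As an added illustration, not from the original post, of what a resolver operator can look for, the Python script below walks a resolver log, computes the response-to-query size ratio described above, and reports client addresses that receive many large UDP responses. In the four steps above, that client address is the spoofed source, i.e. the victim. The log format (timestamp, client IP, transport, query type, name, query bytes, response bytes, space separated) and the sample lines are constructed for this example and do not correspond to any real resolver’s output.

```python
"""Flag DNS amplification patterns in a resolver log.

Added example, not from the original post. The log format below is
constructed for this illustration, one record per answered query:
  <timestamp> <client_ip> <proto> <qtype> <qname> <query_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, not real traffic. 203.0.113.7 is the spoofed
# source (the victim) receiving large ANY/TXT responses it never asked for.
SAMPLE_LOG = """\
# constructed sample: not real traffic
2020-04-01T10:00:00Z 203.0.113.7 UDP ANY example.com 60 3900
2020-04-01T10:00:00Z 203.0.113.7 UDP ANY example.com 60 3900
2020-04-01T10:00:01Z 203.0.113.7 UDP ANY example.com 60 3900
2020-04-01T10:00:01Z 203.0.113.7 UDP TXT example.com 64 2100
2020-04-01T10:00:02Z 198.51.100.20 UDP A www.example.net 55 103
2020-04-01T10:00:02Z 198.51.100.20 UDP AAAA www.example.net 55 115
2020-04-01T10:00:03Z 192.0.2.9 TCP ANY example.com 60 3900
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    proto: str
    qtype: str
    qname: str
    query_bytes: int
    response_bytes: int

    @property
    def amplification(self) -> float:
        # Response size divided by query size: the "X times larger" ratio.
        return self.response_bytes / self.query_bytes


def parse_line(line: str) -> DnsRecord:
    """Parse one record of the constructed log format."""
    ts, client, proto, qtype, qname, qlen, rlen = line.split()
    return DnsRecord(ts, client, proto, qtype, qname, int(qlen), int(rlen))


def detect_amplification(lines, ratio_threshold=10.0, min_queries=3):
    """Group high-ratio UDP responses by client IP and report the clients
    that received at least `min_queries` of them.

    Only UDP is considered: a TCP query completes a handshake, so its
    source address cannot be spoofed the way step 1 describes.
    """
    per_client = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec.proto != "UDP":
            continue
        if rec.amplification >= ratio_threshold:
            per_client[rec.client].append(rec)

    findings = {}
    for client, recs in per_client.items():
        if len(recs) >= min_queries:
            findings[client] = {
                "queries": len(recs),
                "any_queries": sum(r.qtype == "ANY" for r in recs),
                "response_bytes": sum(r.response_bytes for r in recs),
                "max_amplification": max(r.amplification for r in recs),
            }
    return findings


if __name__ == "__main__":
    for client, stats in detect_amplification(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {stats['queries']} large UDP responses "
              f"({stats['any_queries']} ANY), {stats['response_bytes']} bytes sent, "
              f"max amplification {stats['max_amplification']:.1f}x")
```

On the sample log only 203.0.113.7 is reported: four UDP responses of 32x to 65x the query size, three of them for ANY. The ordinary A/AAAA lookups from 198.51.100.20 fall well under the threshold and the TCP query is skipped. On a production resolver the same view is what response rate limiting and restricting recursion to your own clients act on; the numbers here only show what the pattern looks like in the log.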

So what does a real-world DNS amplification attack look like?

A YouTube video of a practical demo; it’s an older video but still great for learning about this type of attack.
I personally find it much easier to grasp something if I can play around with it. It’s easy to read about some fancy concept in theory, but I find myself understanding it in a whole new way when I get “hands on” with it.

The state of cybersecurity: a SOC operator’s take

In a report I came by whilst scrolling through the subreddit /r/cybersecurity, “The Need for a Breakthrough in Cybersecurity” by Richard Villadiego, he makes an interesting case for how the current state of the cybersecurity environment is falling behind: despite the increase in spending there is also an increase in breaches. He argues in the report that the number of breaches has gone from 783 in 2014 to 1632 in 2017. Well, I believe there is a multitude of reasons why, and I will come back to those later. The report also discusses why we are in this situation and makes the following key arguments:

  1. Ever evolving threats
  2. Unlimited capital
  3. As a result of the two points above, the defense architectures have grown in complexity
  4. Instant gratification (aka we want things now, instantly, not in 2 months, etc.)

While I do see where he is coming from with these points on how we got here, I don’t feel the report gets the whole picture. Where cybersecurity is normally placed in the corporate environment is one of the most, if not the most, challenging aspects of the field. Yes, surely the fact that there are new bugs in software, previously unknown vulnerabilities, patches that introduce a vulnerability, and any other changes that can lead to a security hole in the network doesn’t help. Just the first statement, “ever evolving threats”, should give us a strong indication of why we are seeing an increase in compromises, but the fact of the matter is that it has never been so profitable before.

Breaking into systems has become a lucrative business, and the criminals are making bank. In a way, cybersecurity operates as the border patrol for businesses, and the borders are getting an increasing amount of traffic. Adding to this is the fact that new and untested technologies are being introduced, often without properly informing anyone. This can be a contributing factor to increasing the attack surface of the organization, and this I argue is one of the most overlooked factors in management. The time between a vulnerability being disclosed and patched by vendors has historically been awful. Not to mention well-known exploits not being patched in a timely manner by systems administrators; we don’t need to look further back than BlueKeep. Publicly exposed RDP on “older” Windows Server versions: firstly, why? Shodan yielded search results long after the patch was released. This is something the attackers will use for everything it’s worth. What other commercial industry faces nation-state-funded adversaries? Not that one needs to be attacked by an APT group to get compromised, far from it. Any employee in your organization clicking on any phishing mail could do the job, or visiting a compromised site. NASA was compromised via a Raspberry Pi installed without authorization by an employee, for crying out loud.

The report further argues that making the right decisions is difficult due to the necessity of basing them on hypothetical incidents, and that defenders therefore must base their assessment on their experience and knowledge. Which I largely agree with.

So how do we defend our organizations?

Well, let’s just admit that whatever we do, no system is going to be 100% secure unless it’s powered off. I believe that in order to defend ourselves, we need to properly understand our attack surface. What does my organization have publicly exposed, and what do the employees do? Having a baseline of what normal operational traffic looks like is a place to start; it’s hard to detect anomalies when you don’t have anything to compare to (trust me). Blacklisting domains younger than 30 days, etc.; controls like these are good. But it’s not what’s going to make or break a good security department. I believe having the time and assets for security teams to do research and keep up to date, and regularly attending talks, seminars, etc., is going to make it easier to keep one’s head above water. Letting the staff work with the material, building a solid understanding of how the stuff works, instead of outsourcing it. Having the deep knowledge in-house is something I think is going to become more important in the coming future.

CompTIA & certifications

Not too long ago I took the CompTIA Sec+ certification, and I am now working on the PenTest+ cert. The Sec+ was actually the first certification I took. I actually passed the test on my first attempt, even though I sat in the exam room with a feeling of certain failure, and was already starting to plan how to study for the next attempt. Imagine my surprise when it said CONGRATULATIONS on the screen…. The funny thing is that I passed with an OK margin too. I scored something like 870 points, where 750 is the passing score.

So how hard was the cert? I’ve started to explain its difficulty in terms of its width, meaning the broad range of topics, rather than the depth of the topics themselves. You see, the CompTIA Sec+ isn’t a technically deep certification. Its difficulty comes from the broadness, and from being able to sort out the best answer for each question in any setting in the exam. Because the exam is after the best answer, not necessarily the “one and only” answer, you have to understand the context of the question before answering it. I personally think the curriculum lacks depth and has way too many theoretical concepts; yes, we have to understand the underlying reasoning as to why we need x, y and z, but I would argue that knowing how to implement the solution in an environment is as important. That might be because CompTIA is a vendor-neutral certification, and that will have its positives and negatives.

Still, I am aiming for PenTest+, if for nothing more than to have a piece of paper that I can point to and say: here’s the evidence that I have some understanding of this. Further out, I hope to get started on OSCP in the not too distant future; I want to act whilst the iron is still red, as the saying goes.

Blog section is coming along!!!

Hi!

This is where I will post the content I make along the way; this may be projects for my home lab alongside other things like guides, CTFs, news, etc. So this is where I will post all my future content for the most part. Something might end up on the main page; I’ll be sure to make a note of it if I have posted something on the main page (hopefully).

So what exactly can we expect to be posted here?
Here you will find everything I think is worth putting here: projects, CTFs, news and my two large cents, basically everything I feel is worth mentioning or think is useful. I am pretty sure I will post some “guides” and how-tos on here; I always find them useful and feel like it’s time to give some back to the community. But let’s be realistic, I don’t think it’s going to be the best quality content, as I will learn as we go when it comes to making and publishing content others may read.