2. Build | Protect | Learn
Agenda
• ~$ whoami
• Overview
• Platforms for Information
• Tips For Skill Development
• Find a Mentor
• Education
• Certifications
• DoD 8570 Requirements
• DoD vs. Commercial
• Professional Networking
• Networking, Linux, and Python
• Life of a Pentester (Offense) + Example
• Life of a Security Analyst (Defense) + Example
• Practice
• Recap
• Useful Links
~$ whoami
General
• Founded in 2015 to deliver effective and sustainable cyber solutions
• Currently provides technical services to the Federal Government and commercial sectors
• Prides itself on leveraging technology advancements to solve our clients’ most critical cyber challenges
Company Culture
• We embrace a “Geeky” company culture.
• Engage with the security community (Blog, Twitter, Exploit-db, Github, Conferences, etc.).
• Large focus put on learning and sharing knowledge.
• Company CTFs and other technical challenges to improve skills.
Major Service Areas
• Cybersecurity Assessments
• Defensive Cyber Operations
• Research and Development
• Cybersecurity Training
Overview
• Let's get you started!
• The goal of this presentation is to share our team's knowledge and lessons learned
while working in the industry.
• Success in infosec comes down to a continuous effort: knowing your
environment and improving your knowledge and skills.
• Our industry requires not only knowledge of terms and topics, but also hands-on
keyboard skills to succeed.
• Ultimately, keeping yourself up to date is a key component of being an
InfoSec professional.
Platforms for Information
Twitter
• One of the best resources for keeping yourself current is Twitter.
• Often people will report news via a tweet before it’s even blogged.
• Build your network! Follow various infosec professionals, vendors and companies.
Blogs
• Learning from blogs can lead to lessons learned and discovery of new topics.
• Blogs are a great way to share ideas and thoughts among the community.
• Bookmark some of your favorite blogs and podcasts to check regularly for new interesting content.
RSS Feeds
• If you want a combination of Twitter and blogs, consider an RSS reader (e.g. Digg, Feedly).
• An RSS feed can help keep track of blogs and news items.
Tips for Skill Development
Build a Lab
• Technical skills require hands-on practice.
• Labs can be simple: your computer + VirtualBox or VMware + VMs.
Capture-the-Flag Exercises
• If you want to acquire and/or maintain technical skills then you should participate in a CTF.
• Many online CTFs available: vulnhub.com
• Good resource for learning how to excel in CTF events:
https://trailofbits.github.io/ctf/vulnerabilities/source.html
Free Training and Online Resources
• You can also find most conference talks online (Irongeek YouTube).
• Loads of free training resources: Cybrary, OffSec, etc.
Education
• If in doubt, go Computer Science.
Programming skills are always in high demand.
Learning to write your own scripts and tools will separate you from the pack.
You do not need a CS degree to be able to write code.
• Some jobs require it, others do not; it is really a mixed bag.
• Can be a good way to show you are worth investing in.
• Can help you potentially skip lower-level IT roles (Help Desk and System Administrator).
You still need hands-on skills with the technology.
• College is really what you make of it; challenge yourself to learn things beyond the scope of
the class requirements.
Certifications
CompTIA
• Offers many entry-level certifications (Security+, Linux+, etc.).
• Multiple-choice exam, usually a couple hundred questions.
Offensive Security
• Offers hands-on technical certifications (OSWP, OSCP, OSCE, etc.).
• Skills-based exam (24 hours to break into 5 VMs and provide a detailed penetration test report).
SANS/GIAC
• Offers a wide variety of technical and policy-focused certifications (GSEC, GPEN, GCIA, GCIH, etc.).
• Multiple-choice exam, usually 75-150 questions; the minimum passing percentage varies by exam.
ISC2 and Others
• Many other certifications that can help your career: CISSP, SSCP, Microsoft, Cisco, etc.
• Depends highly on your specific career goals.
DoD vs. Commercial
DoD/Govt.
• Mixture of Government civilian (CIV) and contractor employees working together
• A lot of policy in place and separation of information (Unclassified/Classified)
• Often requires a clearance or public trust
• Compliance is a huge focus
• Has infrastructure that is on the Internet and on separate Govt networks (NIPR, DODIN, etc.)
• Most contractor work will have to be bid upon before the government awards it.
Commercial
• Hired to work as an employee under a company or organization
• Has regulations of compliance enforced (PCI, HIPAA, FISMA, etc.)
• Potential work with big businesses and small businesses
• Has less policy enforcement (depends more upon the company's enforcement)
• Often will not require any clearance, but may have company policy in place to protect information.
Professional Networking
LinkedIn
• Helps build an online professional profile (“Google your name”).
Twitter
• Most of those active in the security community are on Twitter.
Personal Blog
• Great way to share knowledge, showcase skills, and research.
Open Source Projects (Github, Sourceforge, etc.)
• Contributing to or creating an open source project is a great way to get noticed by companies.
Conferences
• Expand your TTPs and knowledge in person.
Life of a Pentester (Offense)
• Lots of failure:
Pentesting is all about failing over and over again.
• Lots of research:
Facing a new type of technology will force you to do a lot of research on the fly.
• Lots of skill development:
I find I have to spend a lot of time sharpening skills.
Staying up to date on vulnerabilities and attacks.
• Consistently thinking like an attacker:
How can this technology be misused in creative ways?
• Scripting:
Normally required for senior roles.
• Tools: Metasploit, Burp Suite, Nmap, Masscan, Recon-ng, Linux/Windows, Nessus,
Acunetix, WebInspect, Mimikatz, Python, and many other tools in Kali Linux.
Offensive Example: debug.php
• Step 3: Systems and ports are validated from Shodan results using Masscan
and Nmap. Then the web technology footprint is enumerated with whatweb.
* Linux utilities were used to build input files and parse output files (sed, grep, awk, egrep,
sort, uniq).
• Step 4: Enumerate an unlinked resource "debug.php" that returns an HTTP 200 OK
and a blank screen. This is where automated tools stop.
• Step 5: Parameters are fuzzed in an attempt to enumerate inputs; "page=" gives back
a different response: "Failed opening 'test' for inclusion".
• Step 6: Attempt to point the page parameter to local and remote resources and
attempt to execute code on the server.
• Step 7: PHP was running as SYSTEM on the vulnerable application. An attacker
could dump password hashes and pivot throughout the organization with admin
privileges.
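The debug.php case above is a file-inclusion bug: a user-controlled page parameter is handed to PHP's include(). The same probing leaves a recognisable trail in the web server's access log, and the following is an added example (not the deck's or the company's code) of flagging it from the defender's side; the log lines, IP addresses and paths are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log format; enough fields for this check.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns that mark a parameter value as inclusion probing (after decoding).
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')                          # directory traversal
REMOTE = re.compile(r'^(https?|ftp|php|data|expect|file):', re.I)  # remote URL / PHP stream wrapper
SENSITIVE = re.compile(r'(/etc/passwd|/proc/self|win\.ini|boot\.ini)', re.I)

def classify_request(url):
    """Return the reasons a request looks like file-inclusion probing ([] if clean)."""
    reasons = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; catch double-encoded values too
            if TRAVERSAL.search(value):
                reasons.append(f"{name}: traversal")
            if REMOTE.match(value):
                reasons.append(f"{name}: remote/stream wrapper")
            if SENSITIVE.search(value):
                reasons.append(f"{name}: sensitive file path")
    return reasons

def scan_log(lines):
    """Return (ip, url, reasons) for each log line that matches an inclusion pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((m["ip"], m["url"], reasons))
    return hits

# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2016:13:55:36 -0400] "GET /debug.php HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Oct/2016:13:55:40 -0400] "GET /debug.php?page=test HTTP/1.1" 200 87',
    '203.0.113.5 - - [10/Oct/2016:13:55:44 -0400] "GET /debug.php?page=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.5 - - [10/Oct/2016:13:55:50 -0400] "GET /debug.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2016:13:56:01 -0400] "GET /index.php?page=home HTTP/1.1" 200 2048',
]
```

The blank-page probe in step 4 and the "page=test" fuzz in step 5 look clean on their own; it is the later traversal and remote-URL values that trip the rules, so keep the earlier lines from the same source in view when triaging a hit.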
Life of a Security Analyst (Defense)
• Attention to Detail:
Digging through logs, pcap, alerts, etc. requires a lot of attention to detail.
• Hunting:
Often going through large amounts of “normal” data to find what is “odd”.
• Desire to Improve:
Most defensive jobs are what you make of them: you can sit on Facebook and check the
box, or you can dig and go beyond the alerts.
• Scripting:
Normally required for senior technical roles.
• Lots of Research:
It can often be hard to explain a network event using only pcap as a resource.
Staying up to date on the latest attacks and vulnerabilities is important.
• Tools: Tcpdump, Wireshark, Bro, Snort, SIEM tools, Python, Windows/Linux, etc.
Hunt for the needle in the haystack...
Defensive Example: PCAP
• You leverage some tcpdump/bash Kung Fu to quickly summarize DNS.
• You notice a domain that looks legit, but is misspelled! Can you see it?
• You investigate this further and notice some odd parameters in the corresponding
HTTP traffic. What is interesting about the HTTP GET request below?
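The DNS summary and misspelled-domain hunt above, done programmatically, as an added example that is not from the original deck: it counts the registered domains queried in tcpdump-style DNS lines and flags names within a couple of edits of a known-good domain (lookalike detection). The allowlist, the addresses and the query names are constructed placeholders, and the edit-distance threshold is an assumption to tune per environment.

```python
import re
from collections import Counter

# Domains the environment legitimately talks to (an assumed allowlist for this example).
KNOWN_GOOD = ["microsoft.com", "windowsupdate.com", "google.com"]

# In tcpdump's DNS summary a query shows up as e.g. "A? www.example.com." (trailing dot).
QUERY_RE = re.compile(r'\b(?:A|AAAA|CNAME)\? (\S+?)\.?(?:\s|$)')

def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(name):
    """Crude 'last two labels' view of a hostname (no public-suffix list handling)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def summarize_queries(lines):
    """Count queried registered domains, the programmatic version of the tcpdump/bash summary."""
    return Counter(registered_domain(m.group(1))
                   for line in lines for m in QUERY_RE.finditer(line))

def find_lookalikes(counts, known=KNOWN_GOOD, max_distance=2):
    """Return (seen, closest_known, distance) for domains a few edits away from a known one."""
    hits = []
    for seen in counts:
        if seen in known:
            continue
        closest = min(known, key=lambda k: levenshtein(seen, k))
        distance = levenshtein(seen, closest)
        if distance <= max_distance:
            hits.append((seen, closest, distance))
    return hits

# Constructed tcpdump-style lines (10.0.0.0/8 addresses and the query names are made up).
SAMPLE_DNS = [
    "13:55:36.001 IP 10.0.0.15.51234 > 10.0.0.1.53: 1234+ A? www.google.com. (32)",
    "13:55:37.120 IP 10.0.0.15.51235 > 10.0.0.1.53: 1235+ A? update.windowsupdate.com. (42)",
    "13:55:38.442 IP 10.0.0.15.51236 > 10.0.0.1.53: 1236+ A? login.microsfot.com. (37)",
    "13:55:39.010 IP 10.0.0.15.51237 > 10.0.0.1.53: 1237+ A? www.google.com. (32)",
]
```

A plain edit distance treats the swapped letters in "microsfot" as two substitutions; if you want transpositions to count as one, swap in the Damerau variant, and expect some benign near-misses (short domains collide easily) that a per-environment allowlist should absorb.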
Practice
● We’ve created a CTF VM + Question and Answer guide to help expose you to
various hands-on security challenges.
Recap
● Stay up to date with latest news and trends (Twitter, RSS Feeds, Blogs, etc.)
● Build a lab
● Learn Python!
● Use Linux
● Research and participate in Capture the Flag (CTF) events / Vulnerable VMs
● Be aware of the free online resources for technical training
● Find a mentor
● Learn about job requirements for target job (skills, certifications, education, etc.)
● Develop a professional/InfoSec network (Twitter, LinkedIn, etc.)
● Start a personal blog
● Consider contributing to or starting an open source project
● Attend conferences or watch conference talks on YouTube
Find your passion...you’ll always go further if you really love the subject matter.
Some really enjoy hunting through pcap, others by getting shells. Figure out what
you like and sharpen those skills.
Useful Links
• Cybrary.it
• OWASP
• Penetration Testing Execution Standard (PTES)
• SANS ISC
• Vulnhub
• Pentester Lab
• Metasploit Unleashed
• IronGeek YouTube channel
• SecurityTube
• Jason Haddix How to Shot Web Talk
• How to be an InfoSec Geek Talk
• Pcap Resources:
http://www.netresec.com/?page=PcapFiles
http://contagiodump.blogspot.com/2013/08/deepend-research-list-of-malware-pcaps.html
• Malwr.com
• Dump of common InfoSec interview questions (isdpodcast)
Connect with Us
www.breakpoint-labs.com
info@breakpoint-labs.com
@0xcc_labs