Wednesday, June 15, 2016

Why Legal Studies?

A question I get a lot (in real life) and occasionally online is why are you pursuing a Masters in Legal Studies?  The follow up is usually, so you can be a lawyer?  To answer the second part first, a Masters in Legal Studies does not allow you to practice law.  If you were looking for a directly related position it would typically fall in line with a Paralegal.  Now to the first question!

1.  Learning to think like a lawyer - there is something pretty unique in how lawyers think and in one of my class sessions I learned how to best put this for people.  Lawyers learn and become good at poking holes into things.  Lawyers have a very good concept of what the risks are and where problems may arise.  This is not unlike how a Cyber Security Professional operates, albeit we do it in regards to technology where a lawyer does it for just about any situation they are working in.  There are times, as Cyber Security Professionals, where the problem may not lie in the technology, but perhaps in the policy.  Or in how you apply the technology to the regulation you have to comply with.  Being able to analyze a problem and see the risks/pitfalls from all angles can be a very good skill to have.

2.  Improved writing ability and communication skills - now I will say off the bat that I am a decent writer and typically don't have an issue making a point.  But that is not to say that I couldn't improve, especially in the area of speaking to the level of my audience.  When I'm briefing my Director or perhaps a C-level executive there is a very good chance they don't have a full understanding of the technology or technical concept being discussed.  Or at the very least not to the degree that I do.  Now of course they don't need to because that is what I'm paid to do, but the idea is I need to be able to articulate it in a manner in which they can understand so that they can make the required decision.  This also means that when I, say, describe something, I need to be accurate in my portrayal because they will be the "face" speaking about it.  Also, reading case law has vastly improved my writing ability and cyber case law has given me many examples that can be used to explain technical concepts.

3.  Criminal aspect of my job - I work for a law enforcement agency and assist in some of the criminal aspects of the agency's mission (on top of the regulatory mission we have).  Having an acute knowledge of the way to operate a criminal investigation is very important.  My specialization in school is Criminal Law for the very reason that I want to hold all my investigations to that legal standard (beyond a reasonable doubt).  One can safely assume that if you can bear the burden of "beyond a reasonable doubt" then you've satisfied the standard of "by a preponderance of the evidence".

4.  I work with lawyers on an almost daily basis - sit in a room with lawyers for a day and you'll see how little you know.  Now this plays to point one (thinking like a lawyer), but when you're in a meeting it helps to at least have a vague idea of what they might ask.  Some questions will probably be self evident, but other ones might not have occurred to you and then you're stuck with nothing to say.  By learning about the law and the legal system I am better prepared to think of the questions or comments they may come up with.  With that thought process I can then come up with the data or information I need to answer those questions.

5.  Becoming a cyber security expert - at some point I might want to start to lend my services to legal teams to serve as an expert.  Now legal knowledge isn't necessarily required, but it definitely helps.  Having an understanding of the laws that govern the actions of a defendant or the prosecution can only serve me better in this capacity.

6.  I might want to become a lawyer - in my program I receive the same knowledge in two years as a law student would receive in their first year.  If nothing else that gives me a leg up.  I didn't start out thinking I wanted to become a lawyer, but as I began learning about the law (and enjoying it) I started thinking "I could be a lawyer".  Now that I am taking a Cybercrime class (which is an actual law course, not a Legal Studies course) and am doing well I tend to think I might go that route.  Especially since cyber security attorneys are desperately needed and yet there aren't many people with either the skill or desire to do it.

In the end, at the very least, I will have a Masters degree in less than a year.  If I pursue law school my hope is with my high GPA (3.93!) and my course work being in law that I might be able to get a full ride to law school.

Friday, June 10, 2016

Hunt Teams - What are they? Should you consider one?

Hunt Teams are exactly what they sound like: teams of security professionals who prowl the network looking for compromise. The prevailing theory is that most companies are compromised and just don't know it yet. Members of the hunt team will begin looking for signs of a compromise and then go about fixing it. To rattle off the numbers (and I'm probably slightly off) a company didn't detect a compromise for an average of around 200 days. Also, when they did become aware of the compromise, it was because of a third party reaching out and telling them (be it the government, a payment processor or a company infected through them).

Thus we have to operate under the assumption that we have been compromised and now have to find them. As we find them we can plug the holes and develop policies to allow us to catch them earlier. The end game here is detection and remediation while limiting the effect an attack has. A win nowadays is getting compromised and being able to say "they only got X number of Y". 

SANS SEC511 is a course that covers hunt teaming extremely well and teaches you the tricks of the trade. Continuous Monitoring is the big thing with hunting. You have to know what to look for and set up a means to detect it. As an example, a system's log is suddenly cleared for an unknown reason. Now depending on your monitoring tools you might have one of two scenarios:

Scenario A: you have no monitoring or weak monitoring in place, thus you miss it and are compromised. If the person is good, they're doing everything low and slow (like BBQ). They're mapping your network and finding out exactly what's out there. From there they'll start establishing beachheads, areas where they can come in when needed in the event their initial point is taken out. They'll establish a persistent presence and will blend into your everyday operation. After some time, they'll find their point of exfiltration and begin getting whatever it is they're after out.

Scenario B: you have monitoring. Your team is watching and while they might miss the initial compromise, they catch the clean up from the entry point (logs are cleared, new software is installed, weird program running in the background, etc). Now since you have the monitoring in place you are able to go back through the logs and note that in the past eight months the server logs have never been cleared. Uh-oh. Thus you begin to isolate, investigate and remediate. You should be declaring an incident, informing your management team (providing updates on a regular basis) and following your incident response plan. It will probably be months before you can say "we have a clean bill of health", but the point is you limited the exposure. Maybe you catch it in the beginning and they get nothing, but even if you get it in the middle that is still a victory.
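To make the "log suddenly cleared" example concrete, here is a small detection I put together as an added illustration (it is not from the SANS course and not part of the original post). It runs over a constructed, in-memory set of normalized Windows events and does three things Scenario B calls for: spot the clear itself (Security event 1102 "audit log was cleared" and System event 104 "log file was cleared"), check that host's own history to see whether clearing is routine or has never happened in the baseline window, and look for a new service install (System event 7045) right after the clear, which is the "new software is installed" tell. The record layout, host names and timestamps are assumptions for the sake of the example.

```python
"""Flag Windows event-log clears and rate them against a per-host baseline.

Added example, not the original post's code. The event records below are
constructed sample data; field names (ts, host, channel, event_id, user) are
an assumed normalized form, not any particular SIEM's schema.
"""
from datetime import datetime, timedelta

# Well-known Windows event IDs that mean a log was wiped:
#   Security 1102 -> "The audit log was cleared"
#   System   104  -> an event log file was cleared
LOG_CLEARED = {("Security", 1102), ("System", 104)}
NEW_SERVICE = ("System", 7045)   # "A new service was installed in the system"

# Constructed telemetry (not real data). SRV01 has never had a clear, then
# loses Security and System logs 3 seconds apart, followed by a new service.
# WS07 gets its Security log cleared weekly by the helpdesk (routine).
SAMPLE_EVENTS = [
    {"ts": "2016-05-28T02:14:07", "host": "SRV01", "channel": "Security", "event_id": 4624, "user": "svc_backup"},
    {"ts": "2016-05-28T02:15:11", "host": "SRV01", "channel": "Security", "event_id": 4688, "user": "svc_backup"},
    {"ts": "2016-06-09T23:41:02", "host": "SRV01", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2016-06-09T23:41:05", "host": "SRV01", "channel": "System",   "event_id": 104,  "user": "svc_backup"},
    {"ts": "2016-06-09T23:42:30", "host": "SRV01", "channel": "System",   "event_id": 7045, "user": "SYSTEM"},
    {"ts": "2016-06-01T09:00:00", "host": "WS07",  "channel": "Security", "event_id": 1102, "user": "helpdesk"},
    {"ts": "2016-06-08T09:00:00", "host": "WS07",  "channel": "Security", "event_id": 1102, "user": "helpdesk"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_log_clears(events):
    """Return only the log-clear events, ordered by host then time."""
    hits = [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]
    return sorted(hits, key=lambda e: (e["host"], parse_ts(e["ts"])))


def group_bursts(clears, gap_seconds=300):
    """Collapse clears on one host that fall within gap_seconds of each other
    into a single burst, so wiping Security and System back to back is one
    finding rather than two."""
    bursts = []
    for c in clears:
        t = parse_ts(c["ts"])
        if (bursts and bursts[-1]["host"] == c["host"]
                and (t - parse_ts(bursts[-1]["last"])).total_seconds() <= gap_seconds):
            bursts[-1]["events"].append(c)
            bursts[-1]["last"] = c["ts"]
        else:
            bursts.append({"host": c["host"], "first": c["ts"], "last": c["ts"], "events": [c]})
    return bursts


def rate_bursts(events, baseline_days=240, followup_seconds=600):
    """Rate each clear burst. 'novel' means that host had no other clear in
    the preceding baseline window (the 'never cleared in eight months' case);
    'new_service_followed' means a 7045 landed within followup_seconds after
    the burst. Either one pushes severity to high."""
    bursts = group_bursts(find_log_clears(events))
    findings = []
    for b in bursts:
        start = parse_ts(b["first"])
        window_start = start - timedelta(days=baseline_days)
        prior = [p for p in bursts
                 if p["host"] == b["host"] and window_start <= parse_ts(p["first"]) < start]
        end = parse_ts(b["last"])
        new_service = any(
            e["host"] == b["host"] and (e["channel"], e["event_id"]) == NEW_SERVICE
            and 0 <= (parse_ts(e["ts"]) - end).total_seconds() <= followup_seconds
            for e in events)
        findings.append({
            "host": b["host"], "first": b["first"], "last": b["last"],
            "cleared": [(e["channel"], e["event_id"]) for e in b["events"]],
            "user": b["events"][0]["user"],
            "novel": not prior,
            "new_service_followed": new_service,
            "severity": "high" if (not prior or new_service) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in rate_bursts(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']} {f['first']} cleared={f['cleared']} "
              f"novel={f['novel']} new_service={f['new_service_followed']} by {f['user']}")
```

The point of the baseline check is the one the post makes: the clear on WS07 is noise because that host gets cleared every week, while the clear on SRV01 is the first one that host has ever produced and is followed by a new service, which is exactly the "uh-oh" moment. In a real deployment the baseline would come from the SIEM's retained history rather than an in-memory list, and you would want to alert on the absence of expected events too (a host that stops logging entirely is as interesting as one that reports a clear).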

I've seen cases where a compromise was caught within the first 24 hours and the perp didn't get a chance to get what he was after out. I consider that to be pretty successful. Now if you don't learn from what led to the infiltration you have no business remaining in your position, but if you do learn and update your processes you'll be even better prepared. Most of the people who are compromising companies have a very specific playbook and if you can get them off script at even just one step of the process it throws them off big time.

In the end, it's a big game and you need to play to win. Having a hunt team or being a member means you are looking at the overall security posture of your organization. It means that you have a comprehensive security program that deals with end users, policies, procedures and the technical aspects that make up the posture you are wanting to achieve. The process has to be treated as if it were alive, continually evolving so that it does not become sedentary.

Probably a lot more than you needed, but I was bored at lunch.

Wednesday, December 9, 2015

OSCP - Taking the Long Break

The past two weeks I've been off from the daily grind of graduate school.  During that period I had time to evaluate where I am, where I want to be and how I will get there.  That time of reflection included what demands I will be making at work.  We're going to be onboarding a new person, I've been picking up some slack for an undermanned unit and there are items I really want to explore to improve systems we utilize every day.  I also had to focus on the fact that I will be training next week and the holidays are coming.

At this point the OSCP certification is not in the cards.  The biggest item is the fact that I will not be performing any penetration tests in the near (3-5 years) future.  The knowledge I had garnered from completing the lectures has definitely been beneficial.  But without the plan of leaving my current position the certification isn't going to garner me anything.

So for now I am shelving it and will return to it if/when it becomes more beneficial to pursue it.  My focus will be turning back to big data and development so as to continue to support my unit's mission.

Tuesday, December 1, 2015

OSCP - Short Detour

The next three weeks are going to be pretty busy.  I have a business trip on Thursday and Friday.  I have two finals to complete for my graduate courses.  Finally, in two weeks I am going for training for four days.  Given that timetable I am going to try to power through the PowerShell for Penetration Testers course I picked up at SecurityTube.  I figure it will help me out with OSCP and also give me a chance to review the course.  Look for the posts starting tomorrow!

Saturday, November 21, 2015

OSCP - Six Boxes Down!

Thursday into Friday I took down five boxes!  Granted they were the low hanging fruit, but sometimes that is all that you need.  I learned how much I love the Meterpreter!  It is vastly easier to get password hashes with it and to download/upload files.  Obviously, you can't rely on it solely, so I have good documentation on how I would exfil data in the event that I don't have a Meterpreter shell.

Also, I finally figured out why Ophcrack wasn't working for me:  you have to download rainbow tables for it.  Typically I was using the bootable CD so it wasn't an issue, but the installed version only has a small amount of tables.  Once I loaded two table sets in, I cracked about a dozen passwords.

I'm taking a break tonight, but will spend most of Sunday trying to get the other boxes.  Definitely going to take some work, but I'm confident!

Thursday, November 19, 2015

OSCP - Cracked My First Box!

Tonight, after I spent some time setting up my laptop and studying for one of my graduate courses, I cracked my first box in the lab!  I'm a little disappointed for two reasons.  One, I had to be a script kiddie and use Metasploit.  The positive to that is I found the vulnerability and the exploit needed to compromise it.  It was also funny to see it not work at first and then when I tried again it took.  Something to remember for next time!

The second disappointment was with the amount of time it took me to do it.  I'd say it took about two hours to get on the box, set up tftp to download and upload files and to get the hashes.  I know I need a lot of work.

One thing I was especially happy about was in figuring out a password without any tools.  I was running a cracker and decided why not guess a couple.  Lo and behold, I guessed correct :)

Lots to do, but well on my way!

Wednesday, November 18, 2015


I started a new image and reconfigured OpenVAS.  That seemed to make things go a lot smoother and it was running pretty quick.  So I left it overnight only to have it get stuck at 42%.  At least this time I was actually able to download the report (for the hosts it had scanned).  At this point I at least have something to go off of, so I will attack the hosts with the info I have and do individual scans for the other ones.

Tonight, after setting up my new laptop (which just arrived) I will begin the plunge :)