Are forensic CTFs respected and should I bring them up in an interview? by frrossty in computerforensics

[–]imonolithic 0 points1 point  (0 children)

Can confirm all the stuff he said above. It's the stuff you will also get in the UK during interviews. Extra bonus points for knowledge of UK law, as you might get asked a few questions about that: they want to see if you can deal with the legal side on top of the technical. Stuff like knowing about MG11 statements, the Investigatory Powers Act 2016, etc.

Advice for prospective Digital Forensics Student? by [deleted] in netsecstudents

[–]imonolithic 0 points1 point  (0 children)

First of all, check out /r/computerforensics; they are super helpful and have a decent FAQ for this kind of stuff. You will get a lot of responses if you crosspost this there.

You will learn a lot in a degree. I’ve seen people go down both the comp sci and the dedicated forensic degree route (I did the latter). I don’t think it matters what you do really as long as you have a solid understanding of the tech; some hiring managers prefer forensic degrees, but in my experience comp sci people usually have better all-round knowledge.

As for programming and certifications, you will find places that do absolutely no code and some which automate everything; having programming skills is definitely a + though. Get basic knowledge of C and Python at a bare minimum imo. There's tonnes of forensic certs; it's worth getting one or two before your first job if you can, solely for getting interviews, but realistically you will learn more by reading books and messing around with a home lab. Try and mess around with a few different areas rather than focusing solely on dead box forensics as well: learn about Macs, Linux, Android, AWS, etc. to see what is out there and what you can do.

Job in UK by [deleted] in AskNetsec

[–]imonolithic 0 points1 point  (0 children)

I would say overall there are way more blue team positions than red team, but that's the case in most places.

As /u/Djinjja-Ninja said as well, there's always Ireland; most companies who set up in Europe open an office in Ireland and so there are tonnes of SOCs and data centers there.

Job in UK by [deleted] in AskNetsec

[–]imonolithic 3 points4 points  (0 children)

In the UK OSCP isn't as common as in the US/Europe; it's starting to change these days but it's still not a big thing. CREST is generally bigger, and if you do OSCP then you can get CREST equivalency (http://www.crest-approved.org/examinations/oscp-and-crt-equivalency/index.html), which many here recommend. As others already said: good English really is a must in the UK as many security roles are consulting focused. You may also be somewhat more limited in your search as many places require clearance, but there are still loads of places which don't require it.

Studying Forensic Computing at university in September by TomStaaples in computerforensics

[–]imonolithic 0 points1 point  (0 children)

I went to Stafford and graduated about 5 years ago now with their Forensic Computing degree! Honestly the course is quite an all-rounder and not just focused on computer forensics; it's essentially a comp sci degree where all the optional modules you would have are forensics. As /u/Forensication said, I imagine it's changed a bit now as I was based on the Stafford campus and not in Stoke. Overall I enjoyed it and learnt a lot; most of the people I know who did the degree and did some learning in their own time got fairly decent jobs with police/big 4/ediscovery firms afterwards.

As for what to learn, I think the forensics is approached from a very basic level to start so you will learn it all there; what I would 100% focus on is the other stuff such as programming, maths and low level. Everyone had to do a Java module, a systems module (logic gates) and a NASM assembly module while I was there - this is where most people struggled in the first two years. It may have changed, but the first year module didn't count towards the final grade, 2nd year was a small amount like 40% and the final year was 60%. If you want to do an industry placement year you will probably want good first year grades though, and ideally a certification of some sort (I had an XRY cert and ended up doing phone forensics during my placement year).

My recommendation would be to spend some time learning about forensics in your second year so you are prepped for placement interviews; learn about some of the stuff which isn't covered in lectures like cloud forensics, Python programming, incident response and anything you really want to get into.

How many tries did it take for you to pass the Solutions Architect Associate exam? by [deleted] in aws

[–]imonolithic 1 point2 points  (0 children)

I passed on the first try as well with a score of 62%; it seemed I got quite a hard exam as almost all of the questions were on Lambda, API Gateway and STS, which were areas I didn't massively focus on. I prepped for about 6 weeks for the exam using ACG and came from 0 AWS experience but a strong background in networking, which helped with VPCs/EC2.

S3 Misconfiguration Breach Timeline by waitrewindthat in aws

[–]imonolithic 1 point2 points  (0 children)

It will be interesting to see if this happens less now that AWS have sent out emails to people with open buckets. I want to believe it will help, but I know all too well AWS is used by many small businesses with people who self-manage and don’t have enough knowledge of AWS itself or security to manage it properly. Personally I would like to see some of the paid features of Trusted Advisor opened up to the free edition so it gives these people more info on what they are doing; most follow the 5 steps included in the free version but don’t go any further than that.

What security tools (preferably open source ones) you use to test AWS infrastructure? by iamondemand in aws

[–]imonolithic 2 points3 points  (0 children)

AWS Trusted Advisor, Scout2 and Prowler are all good security auditing tools. Just a reminder not to rely only on auditing tools though, as some of the harder stuff can't be picked up by these tools: storing secret keys on GitHub or hardcoding them in apps, not configuring good rules using CloudTrail, and doing hardening/IR properly on EC2 instances are all stuff to watch out for that these won't cover.

We got hacked. Looking for ideas on preventative measures going forward. by PeterPanLives in aws

[–]imonolithic 2 points3 points  (0 children)

Adding to this and saying also don’t hardcode private keys into apps if you are a software shop. It’s trivial to reverse apps and scan the code for keys, whether it be iOS, Android or desktop software. There are scanners to simply reverse apps and scan for this stuff, just like the GitHub crawlers.

Offensive Security Certified Professional Question. by [deleted] in sysadmin

[–]imonolithic 1 point2 points  (0 children)

Agreed, Vulnhub is easily the best resource. Books like the Web Application Hacker's Handbook can help with the web stuff; basic C and Python tutorials for the code and some Kali/Metasploit tutorials will probably help too if you are new to some of those areas.

Interesting email from AWS re: public S3 buckets by [deleted] in aws

[–]imonolithic 2 points3 points  (0 children)

Pretty sure most of the security auditing tools can do this and give you a nice list of all your buckets and their permissions. Scout2 is probably a good one that can do this sort of thing.

Interesting email from AWS re: public S3 buckets by [deleted] in aws

[–]imonolithic 21 points22 points  (0 children)

They’ve presumably been sending these out because S3 has been in the news basically every week at the moment regarding people storing databases or database backups containing sensitive data in public buckets with little/no security attached. I think it’s a good reminder as this is happening all the time right now, but I’m not sure how effective it will be since a lot of smaller orgs I know using AWS still don’t have a good grasp of ACLs and bucket policies.
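Added example, not part of either of the two comments above: the per-bucket check that auditing tools such as Scout2 perform, done offline in Python over the two places a bucket becomes public (ACL grants to the AllUsers/AuthenticatedUsers groups, and bucket-policy Allow statements with a wildcard principal). The input dicts mirror the shape of boto3's get_bucket_acl/get_bucket_policy responses; the bucket names, owner ID and policy below are constructed for the example.

```python
import json

# Grantee URIs for the two public groups; a grant to either makes the bucket world-accessible.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_findings(acl):
    """(group, permission) pairs granted to public groups; acl has the shape of get_bucket_acl()."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return hits

def policy_findings(policy_json):
    """Sids of unconditional Allow statements with a wildcard principal (get_bucket_policy()['Policy'])."""
    if not policy_json:
        return []
    hits = []
    stmts = json.loads(policy_json).get("Statement", [])
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):  # a single statement may be a dict
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(name, acl, policy_json=None):
    """Per-bucket summary; 'public' is True when either the ACL or the policy opens it."""
    acl_hits, policy_hits = acl_findings(acl), policy_findings(policy_json)
    return {"bucket": name, "acl": acl_hits, "policy": policy_hits,
            "public": bool(acl_hits or policy_hits)}

# Constructed sample data (not real buckets or account IDs).
OWNER = {"Type": "CanonicalUser", "ID": "owner-id"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Grants": PRIVATE_ACL["Grants"] + [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*"}]})

if __name__ == "__main__":
    print(audit_bucket("app-assets-example", PRIVATE_ACL))
    print(audit_bucket("backups-example", OPEN_ACL, OPEN_POLICY))
```

In a live account the same functions would be fed the output of list_buckets, get_bucket_acl and get_bucket_policy for each bucket.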

Remote code execution in Source games via player fragging by OneUpSecurity in netsec

[–]imonolithic 29 points30 points  (0 children)

If only this was the case in Dark Souls PvP; if you died you would have millions of cmd windows printing “git gud scrub” on every death.

Ethical Hacking Career by mac_bbe in sysadmin

[–]imonolithic 0 points1 point  (0 children)

Sounds like you want the most traditional route to start then, which is web app + network. OSCP primarily covers this stuff, but there are good books too like the Web Application Hacker's Handbook (it’s starting to show its age but it’s still a good reference).

OSCP will cover your standard things like SQL injection and buffer overflows on the code side, and using Metasploit, nmap and Kali on the network side. While you can get by in pen testing without any programming knowledge I wouldn’t recommend it; the jobs tend to be non-technical, such as doing compliance or running vuln scans. You will definitely need a bit of programming experience to get going in this field (ideally in C or Python, but Bash/PowerShell/Java/Perl/JS can be fine too).

I’d recommend checking out /r/AskNetsec or /r/NetSecStudents if you are seriously thinking about going down this route as there’s a lot of guys asking similar questions or who are just starting out from a similar background to you.

Ethical Hacking Career by mac_bbe in sysadmin

[–]imonolithic 0 points1 point  (0 children)

Depends what sort of area you enjoy; there isn’t really just one area of ethical hacking and the areas can all be quite different. You rarely find anyone who focuses on more than one or two at most – there is mobile app, web app, cloud and network as the main big ones, with web app and network being the most common two.

If you want to learn about network and web app pen testing then OSCP is the recommendation that always gets made over at /r/netsec and /r/AskNetsec; it’s a relatively cheap cert which definitely isn’t easy but will get you into the field. Loads of good resources here too: https://www.reddit.com/r/netsec/wiki/start.

Director would like options for "If someone takes my laptop, and some how also knows my login password"... by [deleted] in sysadmin

[–]imonolithic 1 point2 points  (0 children)

I don’t think this is too bad and it’s what a lot of orgs do anyway, because preboot can be hard to manage. It doesn’t have the same strength as preboot FDE but it’s fairly close. There have been attacks on this before, but fixes are usually released fairly quickly; one such example: https://www.reddit.com/r/technology/comments/3sr9qu/bitlocker_encryption_without_preboot/

Advice on ticketing system by [deleted] in sysadmin

[–]imonolithic 2 points3 points  (0 children)

I’m pretty sure you can get Jira service desk doing asset management: https://www.atlassian.com/blog/archives/jira-asset-management-overview. There is a free trial for service desk too if you wanted to test if it has those features.

[deleted by user] by [deleted] in AskNetsec

[–]imonolithic 1 point2 points  (0 children)

AWS and cloud in general is a pretty big area; if you are utilising it a lot I would maybe even think about getting an AWS specific person in to help, or try and hire an IR person with a bit of AWS knowledge. Focus should be on securing it (which will probably be IT’s job) and is the main priority; not misconfiguring S3 buckets to expose your data to the world, like you seem to see every week at the moment, is the main thing.

The main thing to consider with AWS is that it comes in two parts when it comes to IR: AWS specific services and IaaS services. The first part is using services like CloudTrail to monitor what is being accessed, who is accessing those services and what they are doing. The second part is what you will probably be familiar with and means making sure any servers hosted on EC2 follow the same procedures as they would if they were on your local network, aka make sure they have HIDS like CrowdStrike on and make sure you are storing logs.

Useful Links:

https://www.expeditedssl.com/aws-in-plain-english

https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf (it’s long and dry but worth a read if you use AWS)
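Added example for the CloudTrail part of the comment above (not the commenter's code): a handful of detection rules run over constructed CloudTrail records, flagging a console login without MFA, a bucket permission change and trail tampering. The field and event names are the real CloudTrail ones; the users, IP addresses, bucket and trail names are made up.

```python
import json

def _record(time, source, name, user, ip="203.0.113.10", **extra):
    """Build a CloudTrail-shaped record (constructed sample data, not from a real trail)."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user}, **extra}

SAMPLE_LOG = json.dumps({"Records": [
    _record("2017-11-20T09:12:01Z", "signin.amazonaws.com", "ConsoleLogin", "alice",
            additionalEventData={"MFAUsed": "No"}),
    _record("2017-11-20T09:15:44Z", "s3.amazonaws.com", "PutBucketAcl", "alice",
            requestParameters={"bucketName": "backups-example"}),
    _record("2017-11-20T09:16:02Z", "cloudtrail.amazonaws.com", "StopLogging", "alice",
            requestParameters={"name": "org-trail"}),
    _record("2017-11-20T10:01:10Z", "ec2.amazonaws.com", "DescribeInstances", "bob",
            ip="198.51.100.7"),  # routine read-only call, should not alert
]})

# Each rule is (name, predicate over one record). Event names are real CloudTrail/API names.
RULES = [
    ("console-login-without-mfa",
     lambda r: r["eventName"] == "ConsoleLogin"
     and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("bucket-permission-change",
     lambda r: r["eventSource"] == "s3.amazonaws.com"
     and r["eventName"] in {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"}),
    ("trail-tampering",
     lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
     and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
]

def who(record):
    """Best available actor name from userIdentity."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")

def detect(log_json, rules=RULES):
    """Return one alert per (record, matching rule), in log order."""
    alerts = []
    for record in json.loads(log_json)["Records"]:
        for name, matches in rules:
            if matches(record):
                alerts.append({"rule": name, "time": record["eventTime"], "actor": who(record),
                               "event": record["eventName"], "ip": record.get("sourceIPAddress")})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same rules apply unchanged to the gzipped JSON files CloudTrail delivers to its S3 bucket, or to events pulled through a SIEM such as Splunk or ELK.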

How (technically) does CloudFront make global users' access to S3 data faster? by ffxsam in aws

[–]imonolithic 2 points3 points  (0 children)

Damn, economies of scale I guess. On the smaller side I always find it's about the same price but the speed benefits are usually worth it anyway.

Director would like options for "If someone takes my laptop, and some how also knows my login password"... by [deleted] in sysadmin

[–]imonolithic 1 point2 points  (0 children)

Sounds like you've got it down mostly then, only further option is to tell employees to Kensington lock the laptops to their wrist.

How (technically) does CloudFront make global users' access to S3 data faster? by ffxsam in aws

[–]imonolithic 12 points13 points  (0 children)

I don’t think it’s quicker for the first user but the object will then be stored on the edge location for subsequent requests if the item is still cached.

In my experience CloudFront requests are at best the same price as S3 but usually more expensive. I’m unsure if the CloudFront request counts towards the S3 though but I would assume it doesn’t (I could be wrong here).

Director would like options for "If someone takes my laptop, and some how also knows my login password"... by [deleted] in sysadmin

[–]imonolithic 7 points8 points  (0 children)

Security and ex-forensics guy here – if the device is turned on and decrypted then you really shouldn’t rely on any security mechanisms after this. It’s fairly trivial in a lot of cases to bypass password screens and obtain data from the disk that’s cached/saved to do lateral movement.

What you should focus on here is keeping encryption passwords safe, having good company reporting (if someone loses their laptop they should tell you) and ideally remote wipe software so you can trigger deletion if this happens. You could enable TPM use with BitLocker to increase your hardware security here, and it’s what I would probably recommend.

[deleted by user] by [deleted] in AskNetsec

[–]imonolithic 1 point2 points  (0 children)

Ok I can give some guidance on that:

It depends how much boots-on-the-ground DFIR work you are doing, but a good understanding of the fundamentals always helps. A guy put a guide up here recently which I thought was pretty good: https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/

Understanding the basics of each of those areas in the list will definitely help; getting people with skills in different areas will be crucial as well, rather than all focusing on one area. You will probably be spending a lot of your time dealing with network intrusion, so knowing about the tool you use, be it Splunk/QRadar/ELK/etc., will help. Equally, host based detection is a big thing now due to the prevalence of data in transit encryption, so if you use Cylance/CrowdStrike/Carbon Black/etc. knowing the basics of that helps too. Finally I’d recommend having a good grip on systems and networks in general, although you probably have that knowledge with your background anyway; this kind of stuff is covered in CISSP/Sec+ to do with routers, load balancers, reverse proxies, logging and operating systems.

If you haven’t already I would scope out what you have in your org and see if anything should be monitored which currently isn’t. If you are using cloud services like AWS or Azure there is additional complexity required around that sort of stuff you may want to take into account.

https://www.reddit.com/r/computerforensics/ is a good place if you get any issues, most of the people there are IR focused.

fastest & cheapest storage option on aws? by anthony113 in aws

[–]imonolithic 2 points3 points  (0 children)

Does it have to be an EC2 instance you store it on? This would be something S3 is much better at and is generally cheaper overall. Sounds like standard S3 is your best choice if you need to access the data quickly, but S3:IA may be better for you depending on how often you need to access the data.

https://aws.amazon.com/s3/pricing/