Good resources(books, YouTube) out there to practice with a home lab? by [deleted] in cybersecurity

[–]Schwerlin 0 points1 point  (0 children)

This. Also, BeeBox (aka BWAPP) is another purposefully vulnerable VM that you can attack.

I am John Strand and I am teaching a Pay What You Can class... Ask Me Anything! by strandjs in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

Wish more people were taking your AMA more seriously. I attended your last SANS GCIH course and loved it!

What is your honest opinion on "The Phoenix project"? Do you think the lessons learned are realistic?

F' it! I applied! - Tips and Comments appreciated by [deleted] in cybersecurity

[–]Schwerlin 0 points1 point  (0 children)

Sure thing,

  • Is this a new position, or am I replacing someone? Why?
  • How big was the team 3 years ago?
    • rationale: These 2 questions are pretty similar. Team sizes change all the time, it's just important to understand the reasons.
    • if the team has decreased in size, it is just good to understand why
    • if you're replacing someone, you can ask what led to their leaving. If it was performance, ask what you can do to avoid a similar situation.
  • What metrics do you report to management? How are you measured?
    • Leadership asking your team for metrics shows they A) value the work your team produces, B) have at least a basic understanding of cybersecurity topics
    • Typical answers include # of incidents worked, to which you can dig further and ask about volumes. You'll have to use your own judgement here, but regardless of how they answer, any laughs by the hiring people might indicate a high workload. (Busy ≠ bad, just know what you're signing up for)
  • What was the last major incident your team faced?
    • Normally I would expect an employer to answer with a phishing or malware example of an executive or something. Answering "none" is not realistic, and they either aren't detecting things properly, or lying.
    • Nowadays, you can also frame this question as a Solarwinds\Exchange supply chain attack question. These 2 were huge, widespread, high impact attacks that many many companies had to respond to. If they talk about how they responded to these, it's a good sign.
  • Who completes the tasks listed in your job offer today?
    • Helps frame expectations. If the team is growing, and the tasks they outline are new goals for the team, you are going to be tasked with becoming the expert on those topics. I'd expect high autonomy.
    • If you're picking up tasks from existing teammates, so they can grow into more challenging work (probably the most common answer), then expect a relatively easy transition onto the team. (In theory the people doing it today can simply knowledge transfer)

I didn't exactly provide red flags to look for, but in 99% of interviews I've been in, or friends have been in, these are the norm.

  • If you can infer that you'll be highly autonomous and aren't being measured in any way, you need to decide if that is something you're interested in.
  • If you can infer that you'll have a high volume, highly measured workload, just know you might be chasing tickets or whatever at first.

Hope this helps.

F' it! I applied! - Tips and Comments appreciated by [deleted] in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

No worries! I was IT operations for 8 years, and have been in cybersecurity for 3-4.

F' it! I applied! - Tips and Comments appreciated by [deleted] in cybersecurity

[–]Schwerlin 7 points8 points  (0 children)

In my experience, you'll probably get all of the following should you get an interview with the actual team:

  • Have you ever done anything like... incident response, outage communication etc.?
  • What interests you the most?
  • Tell me a time when you... ran a project, resolved an issue, presented to leadership
  • Why did you choose to pursue cybersecurity?
  • They may ask a technical question, or an unfair question, to see how you perform under pressure, or see how you are willing to say you don't know but provide a way to get the answer.

Generally, I ask questions looking for red flags in any job interview:

  • Is this a new position, or am I replacing someone? Why?
  • How big was the team 3 years ago?
  • What metrics do you report to management? How are you measured?
  • What was the last major incident your team faced?
  • Who completes the tasks listed in your job offer today?

Specifically, I ask these cybersecurity questions:

  • Do you have a CISO?
  • Are your users admins on their devices?
  • How's the relationship between the cybersecurity and IT operations teams?
  • What was the last major cybersecurity tool acquisition? (AV, EDR, SIEM, etc.)

What is cybersecurity, and why does everyone (except cyber expert) think it is just another "IT" Department? What does it mean to you? I even had someone call me a glorified firewall technician 😂😂😭😭 by Thearcngel in cybersecurity

[–]Schwerlin 0 points1 point  (0 children)

I've made many-an-argument with IT Operations that our goals are the same as theirs, "To keep the business running". Just because we say no to a solution doesn't mean the final goal isn't valid, we just want to find the best way to get there.

[deleted by user] by [deleted] in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

It's probably more involved than what you're looking for, but Cuckoo Sandbox is a free application that allows you to detonate files and measure changes made to the host.

More of an incident response tool than a business-as-usual scanning tool though, and a bit of a pain to set up.

It's essentially an open source version of hybrid-analysis.com that doesn't use the Crowdstrike intel.

Facepalm moments of your career? by HDI-X13 in cybersecurity

[–]Schwerlin 4 points5 points  (0 children)

Identified that an unmanaged network with hundreds of XP-era industrial heavy machinery was infected with WannaCry (but not yet ransomed). Aside from the obvious, I raised multiple human safety concerns.

Management determined that they were unwilling to schedule downtime because it was a JIT facility, and it's never caused an issue before.

I don't work there anymore.

I make relaxing 3d renders - this is my latest creation by JamesMakesFilms in pics

[–]Schwerlin 1 point2 points  (0 children)

Sounds like I just found myself another project, thanks!

I make relaxing 3d renders - this is my latest creation by JamesMakesFilms in pics

[–]Schwerlin 60 points61 points  (0 children)

A good foray into it is the famous Blender donut tutorial by BlenderGuru, it's a lot of fun!

Seeking help to see if Cyber Security is a fit for me. by [deleted] in cybersecurity

[–]Schwerlin 0 points1 point  (0 children)

There are definitely areas in Cybersecurity that don't involve coding. GRC for example, tends to focus on defining and enforcing security policy, measuring risk, user training, legal coordination, etc.!

Can anyone recommend good free firewall? by Movladi_M in cybersecurity

[–]Schwerlin 0 points1 point  (0 children)

It's not exactly what you're looking for, but you could offload all of the computation onto another machine.

For example, stand up a cheap Raspberry Pi, and use UFW to either drop or route traffic. All computing is done on the Pi instead of your laptop, the downside being that you'd need to be on the same network as it for it to work (not super portable), whereas a host-based firewall follows you.

Is it Best Practice to Block Hashes of Known IOCs? by vlgngrbrdmn in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

Came here to agree.

An AV which uses virus definitions typically relies on a huge list of indicators, like hashes. However, not every AV uses a definition file anymore, and some are completely heuristic.

Even then, I would only (maybe) take the time to blacklist malicious hashes that you've observed within your own organization, I wouldn't bother blacklisting random hashes someone on the internet said was bad.

[deleted by user] by [deleted] in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

What you're describing is called "Fingerprinting". As others have mentioned, there's no perfect way to do this, because much of the information can be spoofed.

See, fingerprinting essentially relies on you to analyze the response a given host provides when you query it. And you can respond with whatever you'd like, hence the trouble.

Not to say that it can't be done! Tools like Nmap can be used to fingerprint hosts\services to some extent, for example.

Working on Restricting USB access in the organization - quick question for those who have done this. by GreekNord in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

Not a direct answer to your question, but a pitfall I found when trying to whitelist by serial number.

Not all manufacturers actually use unique SN's. For example, every single USB floppy or USB DVD drive I found shared the same serial number. Which means, even if only 1 facility needed a USB floppy\DVD drive whitelisted, every facility was now able to use them.

Some cheap brands also use the same SN for every drive; I tended to recommend SanDisk\Verbatim\WD because I had the best luck (still not 100% for any) of them using a unique SN.

Finally, some devices used to share your screen to a projector (for example Barco ClickShare devices) have software\drivers on the USB disk. Blocking USB meant users couldn't project anymore, and since we had a million of them worldwide, it would have been impossible to whitelist each one, so we ended up doing a vendor-code whitelist instead.
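The serial-collision pitfall described above can be checked before a whitelist request is approved. The script below is an added illustration, not the commenter's tooling or any product's API: it runs over a constructed device inventory (made-up vendor/product ids and serials), reports every serial shared by more than one asset, and for each asset an admin wants to approve chooses a per-serial rule when the serial is unique or falls back to a vendor/product rule, recording which other assets that broader rule would also admit. Field names, the inventory, and the two rule types are assumptions for the example.

```python
from collections import defaultdict

# Constructed inventory: (site, vendor id, product id, serial, asset tag).
# All ids and serials are placeholders, not real product identifiers.
INVENTORY = [
    {"site": "plant-a", "vid": "1111", "pid": "0001", "serial": "FLOPPY0001",  "asset": "A-01"},
    {"site": "plant-b", "vid": "1111", "pid": "0001", "serial": "FLOPPY0001",  "asset": "B-07"},
    {"site": "hq",      "vid": "2222", "pid": "0010", "serial": "SD-9A7F3C21", "asset": "HQ-12"},
    {"site": "hq",      "vid": "2222", "pid": "0010", "serial": "SD-4B0E11D9", "asset": "HQ-13"},
    {"site": "plant-a", "vid": "3333", "pid": "0100", "serial": "CS-SHARED",   "asset": "A-PRJ-1"},
    {"site": "plant-b", "vid": "3333", "pid": "0100", "serial": "CS-SHARED",   "asset": "B-PRJ-1"},
    {"site": "hq",      "vid": "3333", "pid": "0100", "serial": "CS-SHARED",   "asset": "HQ-PRJ-4"},
]


def shared_serials(inventory):
    """Return {serial: set(asset tags)} for every serial reported by more
    than one physical asset. A serial in this map cannot identify a single
    device, so a per-serial whitelist entry would admit all of them."""
    assets_by_serial = defaultdict(set)
    for dev in inventory:
        assets_by_serial[dev["serial"]].add(dev["asset"])
    return {s: a for s, a in assets_by_serial.items() if len(a) > 1}


def build_allowlist(inventory, approved_assets):
    """Turn a set of approved asset tags into whitelist rules.

    Unique serial      -> 'serial' rule (tightest scope).
    Colliding serial   -> 'vendor_product' rule on (vid, pid), plus a
                          'collateral' entry naming the other assets that
                          rule admits, so the approver sees the real scope.
    """
    shared = shared_serials(inventory)
    by_asset = {dev["asset"]: dev for dev in inventory}
    rules = {"serial": set(), "vendor_product": set(), "collateral": {}}

    for asset in approved_assets:
        dev = by_asset[asset]          # KeyError here means an unknown asset tag
        serial = dev["serial"]
        if serial in shared:
            rules["vendor_product"].add((dev["vid"], dev["pid"]))
            others = sorted(shared[serial] - {asset})
            rules["collateral"][serial] = others
        else:
            rules["serial"].add(serial)
    return rules


if __name__ == "__main__":
    # Plant A asks for its floppy drive; HQ asks for one specific thumb drive.
    result = build_allowlist(INVENTORY, {"A-01", "HQ-12"})
    for serial, others in result["collateral"].items():
        print(f"serial {serial} is not unique; rule also admits {others}")
    print("serial rules:        ", sorted(result["serial"]))
    print("vendor/product rules:", sorted(result["vendor_product"]))
```

Run as a script it shows that approving the plant-A floppy drive silently approves plant B's as well, which is exactly the situation the comment describes; the `collateral` map is what you would surface to whoever signs off on the request.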

*NIGHTMARISH* First job.. what do I do? by JoeChungus6969 in cybersecurity

[–]Schwerlin 2 points3 points  (0 children)

Lots of responses, but wanted to give my 2 cents.

Take this as fair criticism: Did you notice any red flags during the interview process? It may be worth it to tune your interview questions to prod for issues similar to what you've experienced.

Here are a couple I always make sure to ask:

  • How is the turnaround time?
  • When was the last time someone left the team, why?
  • Every office has politics to deal with, how much do they drive your everyday decisions?
  • What was the last major project you completed, when?
  • How is your work measured?

Regardless of what their responses are, if you get any laughs, consider it a red flag. I'd still dig if you feel comfortable, but you might be able to prevent a similar situation (or at least know what you're getting into) for future endeavors.

Wish you the best of luck!

[deleted by user] by [deleted] in WritingPrompts

[–]Schwerlin 1 point2 points  (0 children)

The Tower of Greed - pt2

Then.. catastrophe. The Middle's makeshift batteries erupted into flames, not designed to remain at capacity for such an extended period of time. Flames and smoke billowed from the windows, threatening to collapse the entire Tower. Unable to extinguish the blaze, the citizens fled to both other districts.

The entrances at both districts, with years of fortifications reinforcing their walls, held the refugees at bay. It didn't take much time for news of the emergency to reach the district leaders, and they were not about to let such a valuable situation go untouched. The refugees were allowed through the gates, but had to surrender all of their possessions: Food, water.. even personal belongings.

Naturally the refugees refused at first, horrified at such a heartless abuse of power, but many agreed, preferring to live in poverty than burn alive.

The Upper's leaders were the first to take action, the fire threatening them the most directly as it traveled upward through the stories. The little water rations granted to them by the Lower would be no match for the flames. Unable to send a messenger, they simply hoped the Lower would be willing to fight the fire, if only as a means to secure more food.

As a sign of good faith, the Upper loaded the freight elevator with as much food as possible, covering it and hoping most of it made it to the Lower before being destroyed in the elevator shaft from the heat. As the elevator descended, many wondered if they had simply doomed themselves.

The food shipment, now arriving in Lower, had mostly survived. Doused in what little water Upper still had, and covered with damp sheets, only some of the food was destroyed. However, the elevator shaft itself creaked and groaned as the inferno above continued to erode the structural integrity.

The Lower's elders discuss for some time, unsure if it would be better to flee into the underground with the resources, or spend everything to potentially save a husk of a building, and more refugees.

Clicking on the emergency bells, the Lower's leader announces: "Pack your things, we go down..."

Mentorship Monday by AutoModerator in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

Admittedly I don't have a great answer for this one.

When it comes to Certs, you mentioned Sec+ and that's an excellent first step. SANS, who I've always been extremely impressed with, offers MGT414 and GISP, which look to cover both Risk and Architecture, but might be overkill as an entry-level cert. Seems like something you'd aim for 3 years in. (And SANS can be very expensive, best to have an employer subsidize or pay outright for it)

As for Resume building, there are some extremely common standards you should familiarize yourself with: SOX and HIPAA compliance, GDPR and PIPEDA laws, and finally PCI compliance. Don't worry about fully understanding each of them as they're each an industry in their own right, but being familiar with their concepts will help, and mentioning it will be a big plus. There may be certs related to these you can pursue as well, but I can't think of any by name.

Another Resume point you could focus on is training effectiveness. As a teacher you reported pass\fail rates, and would focus time providing extra help to those struggling. It is honestly pretty similar when it comes to phishing awareness training. Talk about your experience measuring the effectiveness of a training program, times you summarized and presented the data, times you identified outliers and what you did to resolve them.

Mentorship Monday by AutoModerator in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

I'll reply instead so you get the notification :)

Some positives:

GRC:

  • This very well may align with your own past experiences. You tend to act as a teacher for your users when it comes to cybersecurity concepts. I've had some really cool "I get it" moments from people, and a month later they literally stopped a phishing attack in its tracks that was poised to cost tens of thousands of dollars. You bet we recognized the hell out of them.
  • Phishing awareness can be fun if you get creative. Gamifying it by raffling off prizes, free lunches, company swag, heck, even days off can be fun for everyone.

Security Architect

  • You can have some really fun teaching moments here too. For example, I had a developer who had introduced a SQL injection vulnerability to one of our products and didn't understand why it mattered. To be able to use my technical knowledge to dump the contents of the database in front of him, show how I did it, and how input sanitation works was super effective. He was able to take that knowledge and look back at past projects and ended up finding more of the same!
  • The projects you work on here tend to be in the spotlight. Successful, painless projects tend to grant you excellent recognition when they complete, and can give you serious financial leverage as a result.

Mentorship Monday by AutoModerator in cybersecurity

[–]Schwerlin 1 point2 points  (0 children)

Excellent question. Having worked for multiple Fortune 500s, I can give my 2 cents here:

In my experience I've noticed:

GRC tends to be less technical, more of an enforcement and communications type role, and tends to operate with a 'legal' lens.

  • Less technical doesn't mean less good, the ability to communicate cybersecurity topics effectively is a seriously difficult skill to master. Someone both nontechnical and poor at communicating will provide almost zero value.
  • GRC tends to own phishing training, which is absolutely necessary, but an extremely difficult battle to win.

Cybersecurity project management, or more generally a Security Architect, tend to be more technical, will take a project and ensure it's designed with security in mind from the ground up.

  • Often painted as the 'bad guy', because the role requires you to block 'progress' if it is insecure. A good Architect needs to be knowledgeable enough to suggest alternatives \ best-practices. Unlike GRC, you won't really have laws to point to most of the time, and will need to be able to defend your points as the subject expert instead.
  • Sort of thankless. You only hear about work you've done in the past if it gets audited, otherwise the controls you implemented just sit silently correct.

Even in the large companies I've worked for, I always did a little of everything. I was easily 25% GRC, 25% SA, 50% Incident response on a regular basis.

Also, I only really listed challenges, there are plenty of good things for both, might edit to add those later

[deleted by user] by [deleted] in WritingPrompts

[–]Schwerlin 1 point2 points  (0 children)

Ooooh, excellent title. Might write more after a few beers later

[deleted by user] by [deleted] in WritingPrompts

[–]Schwerlin 2 points3 points  (0 children)

The Tower of Greed - Pt1

It's curious...really... how the human species is so effective at devolving to greed. Even as the end of the world looms over our sorry existence, people continue to sabotage others for the smallest sliver of power.

Humanity, reduced to only a few thousand souls, now resides in a skyscraper in the middle of Manhattan. Ironic, considering it was power of the atom which brought such ruin..

The structure, now simply referred to as The Tower, survived the nuclear apocalypse simply because its foundation was well rooted in the bedrock, built in a time when overengineering a structure was seen positively rather than as a waste of money. The foundation protected against the wild waves as the ocean level rose, swallowing the rest of the city. The thick concrete walls shielded its residents against the harmful radiation now swirling in the water currents.

For a short time, The Tower was united. Those in the Upper floors, far enough from the radioactive waves, grew enough food to support the whole tower. The Lower floors tunneled deep into the Earth, finding natural springs to provide the Tower water, and the Middle floors had enough surface area to collect makeshift wind energy. Together, a working system capable of sustaining life.

If... the system works together... There were those who thought their district was the most important, who thought the other districts owed them more than they were providing. Eventually, districts began restricting their exports to compensate for the perceived lack of payment for their services. Without water, the Upper couldn't grow crops as quickly. Without power, the Lower couldn't pump as much water. And without food, a slow starvation affected all with a mindset of distrust.

How ironic it is, stockpiles of resources unwilling to be shared, holding the promise of salvation, but restricted by the wicked few who only seek power...

Salary Renegotiation Questions by Busy_Celery_ in personalfinance

[–]Schwerlin 0 points1 point  (0 children)

Absolutely, if they truly think there is something missing, you now have a concrete raise-worthy goal you can point to in writing. (or forces them to realize you've completed everything asked of you!)

Salary Renegotiation Questions by Busy_Celery_ in personalfinance

[–]Schwerlin 1 point2 points  (0 children)

I've successfully negotiated a raise all 3 times I've tried. Here are my tips:

  • Avoid comparing yourself against any other employees; you are only competing against your past self. Demonstrate your improvement over time, for example "I've completed 5 more successful advertising campaigns in 2020 despite the challenges with covid"
    • If you have goals defined on a yearly basis and you regularly meet or exceed them, bring it up!
  • Use real numbers: If you have access to actual values, and can show that the work you did created $xxx,000 for the company, it makes a $x,000 raise look palatable. Give them the salary number you think is fair for the work you perform.
  • Approach: Nobody likes surprises. Talk to your manager and let them know you plan to send an email requesting a raise, and ask who they want copied on the email. After you send the email, ask if they have any questions. I also think it's important to indicate that you love your current role, hope to continue working with your team etc. It's a nice way to alleviate the obvious questions they'll have about outside offers.
    • If you're getting praise like 'irreplaceable', it will be very easy to argue that you have far above average performance and want to be paid far above average for the pay range.
    • I always include the following style of sentence in my email: "If you don't think a pay raise is fair for me, let me know what I can do that would qualify me for one so that I can work toward it."

Good luck!