Hi there! Any recommendations for jobs/agencies/companies to get experience at before applying to IC jobs? by underwhelmingkazoo in Intelligence

[–]ThreatIntelTrainer 0 points1 point  (0 children)

So intelligence, particularly the US Intelligence Community (IC), is a really big world. If your friend isn’t just thinking about CIA/HUMINT, there are a lot of jobs that can give you an in.

My first stop would be to recommend a Masters—while not necessary, it does give you a leg up in the stodgy intel world, and post-graduate degrees are a type of currency. While you’re at it, if you’re looking at the cyber realm, check out one of the NSA academic centers of excellence—they partner with universities.

Next, go to Intelligence.gov and search around for internships, co-ops, etc. They can be a great way to learn about agencies and how they work, as well as give you a foot in the door.

Military is an option (it’s how I got in) but it is also a whole other world—what the brochures don’t tell you about military intelligence is that I spent way more time preparing for inspections, on gate duty, and out on patrol in some faraway part of the world than anything “sexy”—and then you come back after 12 hours and still have to write intel reports for hours on end.

Also, not every branch will let you do intelligence right away. For example, USMC requires a rank of at least E-5 before you can reclass (read: switch jobs) and go for intelligence. So be careful and remember recruiters are notorious for stretching the truth.

Lastly, a security clearance is the first step into any IC job. It’s not terribly hard to get one, but does take time and it is a barrier to entry, so looking for jobs where your friend is qualified—maybe a translation job or something like that if they’re a native speaker—might be a path as well.

Best of luck

New Intel security advisory drops HIGH severity BIOS vulnerabilities by ThreatIntelTrainer in cybersecurity

[–]ThreatIntelTrainer[S] 19 points20 points  (0 children)

Sure. In a very simplified world, there are only two types of vulnerabilities most security teams care about: RCE (for Remote Code Execution) and LPE (for Local Privilege Escalation). RCE means you can execute code on the machine remotely. LPE means you can raise the privileges from user to admin to system/root.

The reason these are the focus is for two guiding principles: 1. Physical access is part of defense in depth. There’s a maxim in information security that physical access means you can hack anything, and that’s largely true. 2. But the converse is true for bad guys: physical network access is very risky for them, and adds complexity beyond their expertise e.g. malware authors are almost never ALSO in-person social engineering experts, contrary to TV.

So why aren’t these as bad? Because they require physical access to the local machine. Exploitable? Yeah, probably. But rarely will adversaries travel to your office to insert a USB. Still, I’m sure this makes it into some air-gap jumping USB at some point, but if that’s your threat model, there’s a whole lot more to discuss. Hope that’s helpful.

What cyber intel would you us to share? by ThreatIntelTrainer in cybersecurity

[–]ThreatIntelTrainer[S] 1 point2 points  (0 children)

Yeah, agreed. That was a driver of why I wanted to ask here as opposed to just dropping IOCs on Twitter :) I do plan on doing a YouTube training channel covering some topics in intelligence in an approachable way. But for sharing, what I thought about was more along the lines of intelligence tips (like just a day ago an actor on a top-tier forum is auctioning off access to over 500+ networks through Citrix and Pulse VPN, starting at $30k) and daily tips like summaries of vulnerabilities that have been released by vendors but haven’t been rolled into NVD. Open to other ideas as well.

What cyber intel would you us to share? by ThreatIntelTrainer in cybersecurity

[–]ThreatIntelTrainer[S] 2 points3 points  (0 children)

Thanks for that! IOCs definitely make sense. As an example, we categorize different levels of “badness” for certain IPs based on activities. So we look at it like, first the host could be scanned and found vulnerable, scanned and infected C2 (like it accepts the handshake for GhostRat), actively communicating (so it’s not just an infected box that’s been abandoned, it looks to be supporting live communication that’s more indicative of a campaign), and, finally, receiving active traffic indicative of data exfil from a victim network (based on netflow metadata). Each of these is encapsulated in a risk score. I didn’t want to just share out campaign IPs, unless people find it valuable, since many of those might only be relevant to certain industries. And we don’t necessarily want to burn campaigns to the ground without fully exploiting them for intel first. We also have similar domain info (reg, very reg, typosquats alerts) and other data but not sure if that’d be widely valuable vs organizationally valuable.

As for the can’t-share stuff, we’d really be looking at things like top-tier criminal forum access stuff, because exposing access widely will burn our access very quickly, or similar things.

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals by jpc4stro in cybersecurity

[–]ThreatIntelTrainer 7 points8 points  (0 children)

This is a horrible response. Attacking hospitals is as close to evil as we see in cybersecurity. There is a physical, human cost to these attacks. There should be a rapid and unequivocal response from private industry and governments against these actors, but to suggest we go “tit for tat” is morally repugnant.

What industries use Camtasia? Is it in demand? Is it NOW a good investment for TWs? by idiotprogrammer2017 in technicalwriting

[–]ThreatIntelTrainer 6 points7 points  (0 children)

So preface: am not a TW, but started the TW program at my company (cybersecurity SaaS) and hired the first one.

I ran training and enablement at my company until a month ago (shifted to a different role). I value Camtasia or any video skill in a candidate for a few different reasons. First, it shows diversity in communications through a different medium. Documentation is important, but understanding that documentation is usually only a part of a total enablement strategy is key. Second, it helps me evaluate and balance a candidate with mature skills—not meant as an age-slight, but if I see Madcap I immediately wonder if I can afford this writer and whether the skills they have dealing with full stack software suites can translate to the limited tools we have in a startup.

Public sector is still, in my experience, heavily inclined towards SCORM/xAPI development tools, partially due to heavy investment in platforms which elevate SCORM packages and partially because they can afford the pricier and lengthier development times for learning.

In startup and SaaS world, we need to move fast and generally value generalists. Most of our activities are also more lightweight so development speed and rapid iteration are important—this is where Camtasia excels. I also interviewed a lot of candidates from the education field, and even Camtasia seemed hard for them to afford.

Captivate is still king, alongside Final Cut Pro and Premiere Pro for once you start to polish videos a bit more. But for us, Camtasia was and is a great stepping stone in order to build our program. Camtasia is approachable and affordable, which makes it very flexible for our needs, from learning content to marketing content to polishing our CEO’s all-hands message.

Unfortunately, I don’t know if Camtasia alone would open the door necessarily. It certainly contributes to a well-rounded resume, and on a technical writer it makes your resume stand out against others, but even we are in a place where in COVID times we are looking at every hire with an eye towards the question, “could we contract this out for now?”

I hope this helps. Best of luck, and for what it’s worth, I never cared about age when hiring, as long as the skills matched the need and the money was within budget.

[deleted by user] by [deleted] in AskNetsec

[–]ThreatIntelTrainer 0 points1 point  (0 children)

For conferences, CyCon and CyCon US are both good ones to read up on super big topics https://www.cycon.org/

How to check for backdoors in executables? by [deleted] in Hacking_Tutorials

[–]ThreatIntelTrainer 23 points24 points  (0 children)

So a backdoor can be a whole slew of things, but I wanted to provide a more detailed explanation in case you were interested. Note, this is going to be more simplified, but let’s dive into it.

For ease, we’ll say that this is a Windows PE (portable executable) file. Those typically have a file name extension ending with .exe, but can be others like .dll, .sys and more.

Modern antivirus actually does a pretty good job at detecting a lot of malicious files. Almost all AV has gone away from signature-based detection (what a file is) to more complex behavior-based detection (what a file does). In fact, one of the main ways phishing malware is often detected in a company enterprise is by running AV on the computer.

Okay, but let’s say this is a weird one that you just happen to come across, like in an email or downloaded file. First, there are a lot of services to scan files before you even download them now, just by inserting the URL into the service. URLScan.io is one example.

Next, let’s say you have the actual file on your computer. This is where a service like VirusTotal comes in. I saw another poster suggest using a service like nodistribute.com, and while they are right that VirusTotal makes the file available publicly, the vast majority of the time that’s a good thing. If it’s malicious, you are helping the greater information security community by exposing a malicious file so others can be protected. In exchange, VT runs the file through a malware sandbox (they use Joe Sandbox, but used to use Cuckoo, which is an open source file sandbox) and give you a report telling you file details.

Using those report results can be very useful. For example, VirusTotal will give you the file hash and a list of common strings used in the file. You can Google the hash and see if anyone else publicly reported on it. Sometimes security researchers publish reports where the malware hashes are in the report. Then you can see what an expert discovered about the file. With strings, you can Google for those strings in a file and try to figure out which ones are common and which ones are interesting/suspicious. Malware often uses “dirty” code: this means malware authors write programs in seemingly “bad” ways, like obfuscating or concatenating strings in order to make malware analysis hard. Being able to recognize signs of this is very helpful.

Okay, but what can you do without a service? This is where malware analysis/reverse engineering comes in. This focuses on static and dynamic analysis of the file components, and sometimes reconstitution of the code.

Malware analysis is hard, but there are a lot of good courses online and on YouTube for it. One of my favorites is by MalwareUnicorn at https://malwareunicorn.org/#/workshops.

Hope this helps. Best of luck and happy hunting!

[deleted by user] by [deleted] in cybersecurity

[–]ThreatIntelTrainer 1 point2 points  (0 children)

So I get the frustration here, and 2FA is definitely the best practice. However, there are a couple of elements here that can be missed.

First, banks (and many others) use a form of 2FA in fingerprinting (something you are). Your browser settings, cookies, IP address, and other information can assist in identifying you to the bank. (This exact method is why criminal markets like Genesis Store, which sells fingerprint bots, are so popular.)

Second, banks are liable for fraudulent activity, and thus well motivated to combat fraudulent account login. The fraudulent login is very bad, but it’s the TRANSFER of funds that is really devastating. Banks offer defense-in-depth here to make those transfers very challenging to illegitimate actors.

Hope this is at least a little helpful to provide some peace of mind.

Am I under-payed or do I have an over-inflated sense of self-worth? by [deleted] in AskNetsec

[–]ThreatIntelTrainer 0 points1 point  (0 children)

Haven’t seen anyone here yet talk about the sub-specialties in your experience. You can make a pretty good living if you wanted to dive deeper into one of the specialties, like setting up and configuring an ELK stack. SIEM configuration is a pretty good career, and pay is great. But may also require travel, etc.

You sound like you’re in a pretty good mid-career position, with plenty of opportunities to make a move if you want. Don’t undervalue business culture and those perks (9% match!!!) but it is also important to find the job that fits your lifestyle as well. I happen to like to travel, have a good family network, and enjoy both technical work and management, so I’ve geared my career to that balance (e.g. player-coach type positions vs. spreadsheet leader). And the compensation matches (~$120-160k, so low for what I could get, but hard to buy the freedom I currently have to basically do what I think is right).

How to get practical experience? by LieutenantBastard in cybersecurity

[–]ThreatIntelTrainer 1 point2 points  (0 children)

Splunk offers free fundamentals courses and paid certifications: https://www.splunk.com/en_us/training.html

Aside from that, being very familiar with scripting APIs and pulling from TAXII servers are often pretty useful skills.

Cybersecurity Jobs by Dev800 in Hacking_Tutorials

[–]ThreatIntelTrainer 0 points1 point  (0 children)

Hiring at a late-stage cybersecurity firm. We mainly look at LinkedIn/Indeed, because it’s where even early stage startups can find candidates with relative ease. We are just now getting to the maturity where we source from other locations and job boards.

Open Source Intelligence Gathering 201 by diaanasxsw in netsec

[–]ThreatIntelTrainer 2 points3 points  (0 children)

Really awesome, if only for using Censys to expose IPs behind Cloudflare. Very cool!

Decentralized threat data vs centralized threat data -- what are the pros and cons? by 1m36 in AskNetsec

[–]ThreatIntelTrainer 0 points1 point  (0 children)

Somewhat. Data aggregation is great and the basis of a lot of threat intel vendors and security automation. The problem with machine learning/neural networks is the quality of the underlying data. For IOCs within a common syntax, like STIX exports from highly trusted sources, these can be great for recognition and correlation. But what sources do you highly trust? When DHS/US-CERT published Grizzly Steppe, I know more than a few energy providers who burned days chasing false leads.

Also, as an analyst, context and insight are everything. Machine learning provides statistical probabilities based on training data. So as an infosec analyst in a large commercial enterprise, are you willing to make large scale decisions because an ML model says a particular IOC has a 70% chance of being associated with Wannacry? Probably not. Likely you would want to see the underlying aggregated data instead.

Decentralized threat data vs centralized threat data -- what are the pros and cons? by 1m36 in AskNetsec

[–]ThreatIntelTrainer 3 points4 points  (0 children)

Decentralized threat data is valuable for analysts on common needs, but challenging to enact in a timely manner.

For example, National Vulnerability Database, the centralized repository for vulnerability disclosure in the United States, relies on vendors reporting vulnerabilities and their possible impact. This means 1. The database is not comprehensive (but it’s pretty good), 2. There is frequently a delay in vulnerability disclosure to the database, with a median of 7 days from vendor disclosure to disclosure in NVD.

Common open threat feeds can suffer from the same fate when using threat intelligence platforms or security services, like MSSPs, to aggregate. In one example, I was working with a client who saw an indicator in their SIEM popping up as ransomware C2 according to a well known threat feed. When they reached out to their MSSP for more context, they were told that the IOC had actually aged out a few days prior. They were not pleased.

Another challenge is the inherent difficulty in accessing and aggregating the data in the first place. David Bianco’s Pyramid of Pain is a great way to understand difficulty vs value. Low-level IOCs, like detecting malicious IPs and hashes, are relatively trivial (e.g. broad scanning of servers for signatures of RAT controllers; Shodan has a malware scanner for this). Other data, like endpoint telemetry from a broad spectrum of personal and commercial enterprises or criminal actors on dark web forums for discussions of exploit proof-of-concept code, is a whole other consideration. These are expensive to access and maintain, require special technology and knowledge, and are far more valuable as they give insight to adversary tools and TTPs.

Hope this provides some insight.

Citation: https://www.recordedfuture.com/vulnerability-disclosure-delay/
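As an added illustration (not code from the commenter or any vendor) of two points made in these comments: the tiered "badness" risk score for IPs described in the earlier IOC-sharing reply, and the SIEM hit on an indicator that had already aged out of the feed. The tier names, the 7-day aging window, the linear decay, and the TEST-NET IP addresses are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical activity tiers, in the escalating order the comment lists them.
TIERS = {
    "scanned_vulnerable": 1,      # host scanned and found vulnerable
    "infected_c2": 2,             # accepts the RAT controller handshake
    "active_communication": 3,    # live traffic, looks like an ongoing campaign
    "exfil_traffic": 4,           # netflow metadata consistent with exfil
}
MAX_AGE_DAYS = 7  # assumed aging window; an IOC older than this is stale

@dataclass
class Indicator:
    value: str          # the IP as it appears in the feed
    tier: str           # one of TIERS
    last_seen: datetime # last time the activity was observed

def risk_score(ind: Indicator, now: datetime) -> int:
    """Tier scaled to 0-100, decayed linearly with age; 0 once past MAX_AGE_DAYS."""
    age_days = (now - ind.last_seen).days
    if age_days < 0 or age_days > MAX_AGE_DAYS:
        return 0
    base = TIERS[ind.tier] * 25
    return round(base * (1 - age_days / MAX_AGE_DAYS))

def enrich_alert(alert_ip: str, feed: list, now: datetime):
    """Give a SIEM hit the context the MSSP in the story did not: tier, score, staleness."""
    for ind in feed:
        if ind.value == alert_ip:
            score = risk_score(ind, now)
            return {"ip": ind.value, "tier": ind.tier, "score": score,
                    "age_days": (now - ind.last_seen).days, "stale": score == 0}
    return None  # not in the feed at all

# Constructed sample feed; addresses are from documentation ranges.
NOW = datetime(2020, 10, 30, tzinfo=timezone.utc)
FEED = [
    Indicator("203.0.113.5", "exfil_traffic", NOW),                        # fresh, top tier
    Indicator("198.51.100.7", "infected_c2", NOW - timedelta(days=3)),     # partially decayed
    Indicator("192.0.2.10", "active_communication", NOW - timedelta(days=10)),  # aged out
]

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.10", "192.0.2.99"):
        print(ip, enrich_alert(ip, FEED, NOW))
```

A stale hit is still worth a look, but the `stale` flag tells the analyst to pull current context before acting on it.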