Posts

SANS FOR509 Review

TLDR This course focuses on the information that we can leverage from cloud logs and highlights the “gotchas” of when and how they are generated/collected. Compared to traditional forensics, cloud does not offer the same depth of artifacts due to its abstracted nature. As a threat hunter, I walked away with a better understanding of where to find various types of activity within the different cloud providers. Overall Thoughts Content FOR509 was a well-paced course without much fluff that dives deep into the content right out the gate on day one.

Resume Tips and Tricks

Resume Mindset Resumes ARE not intended to be an archaeological record of everything you did in every role in your career. If you build it that way it’s going to be a swamp of bullet points that will take a recruiter a ton of time to sift value from. The purpose of a resume is to communicate relevant experience as succinctly as possible to prove that you can do a certain role at a certain company.

Making Windows Users 'Invisible'

Once an attacker gains access to a machine, the timer starts ticking for the defender to notice their activity and kick them off the system. This could be done by terminating a network connection or changing the password on a compromised account. Because of this, threat actors are always trying to find ways to persist in an environment, in other words, leaving a backdoor unlocked to let themselves back in. An easy way to do this is to create a new account on a machine to log back into at a later time.
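The defender's side of that race is spotting the new account. The block below is an added example, not code from the original post: it hunts over constructed Windows Security events for account creations that did not come from an approved provisioning identity, and notes when the new account was dropped into a local group shortly afterwards. The event IDs are the real Windows ones (4720 = a user account was created, 4732 = a member was added to a security-enabled local group); the records, hostnames, account names and the `svc_provisioning` allow-list are constructed for the example.

```python
"""Added example (not code from the original post): hunt for local account
creation in constructed Windows Security events. The event IDs are the real
Windows ones (4720 = a user account was created, 4732 = a member was added to
a security-enabled local group); the records are constructed and reduced to
the fields the logic needs."""
from datetime import datetime

# Constructed, simplified Security-log records (real events carry many more fields).
SECURITY_EVENTS = [
    {"id": 4720, "time": "2024-05-01T09:00:00", "host": "WS01",
     "subject": "svc_provisioning", "target": "jdoe"},      # normal provisioning
    {"id": 4624, "time": "2024-05-01T22:10:11", "host": "WS01",
     "subject": "-", "target": "jdoe"},                      # logon noise
    {"id": 4720, "time": "2024-05-01T22:13:05", "host": "WS01",
     "subject": "jdoe", "target": "support"},                # account created by a user, at night
    {"id": 4732, "time": "2024-05-01T22:13:40", "host": "WS01",
     "subject": "jdoe", "member": "support", "group": "Administrators"},
    {"id": 4720, "time": "2024-05-02T08:30:00", "host": "WS02",
     "subject": "svc_provisioning", "target": "asmith"},    # normal provisioning
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_unapproved_account_creations(events, approved_creators, window_seconds=3600):
    """Return one finding per 4720 whose creating subject is not an approved
    provisioning identity, annotated with any local-group additions (4732) of
    the new account on the same host within window_seconds of its creation."""
    findings = []
    for e in events:
        if e["id"] != 4720 or e["subject"] in approved_creators:
            continue
        created = _t(e)
        groups = sorted(
            g["group"] for g in events
            if g["id"] == 4732 and g["host"] == e["host"] and g["member"] == e["target"]
            and 0 <= (_t(g) - created).total_seconds() <= window_seconds
        )
        findings.append({"host": e["host"], "account": e["target"],
                         "created_by": e["subject"], "time": e["time"],
                         "groups_added": groups})
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_account_creations(SECURITY_EVENTS, {"svc_provisioning"}):
        print(finding)
```

Two caveats before relying on this: 4720 and 4732 are only written when the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled in the local audit policy, and an attacker who already holds admin on the box can clear the local Security log, so the events should be forwarded off-host before they are hunted.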

LOLBins - Download Files

While I’ve been in the industry for a while, I’ve never had the opportunity to work in an environment where commands were monitored or recorded for analysis. For most of my red team exposure, I have been focused on gaining initial access using hacking tools (nmap, mimikatz, metasploit, etc.) rather than persisting in an environment. As a result of this background, there’s a bit of a gap in my knowledge around which native applications attackers use to live off the land and persist inside of environments.

Prepping for a GIAC Exam

TLDR I use a method to prepare for GIAC certifications that isn’t the quickest or the easiest but it builds reference material that’s useful during and after the exam. The two outputs of this method are a binder of your notes boiled down from the full course content and a set of GIAC course books that have been carefully tabbed for quick reference. This is not the ONLY method, but it has worked well for me.

Sampling UDP Packets w/ TCPDump Bit-Masking

This post assumes that you have a solid understanding of tcpdump bit-masking; if you need a refresher you can check out my other post: tcpdump Bit-Masking (with Sticky-Notes!) WHY SAMPLE PACKETS INSTEAD OF FULL PACKET CAPTURE? If you are on a busy network and want to get a feel for what is running on that network, dumping 100% of packets will create a cumbersome file very quickly. You may find yourself having to use tiny capture windows to keep the size down, which may not give you a complete view of the activity if it is happening outside of that small time frame.

SANS SEC542/GWAPT Review

PLEASE DO NOT ASK FOR MATERIALS FROM THE COURSE OR INSIGHT INTO THE QUESTIONS ON THE EXAM. TLDR This course did an excellent job of building a solid foundation around how protocols/services are intended to work before showing how to exploit them manually. While this course is not designed to produce world-class, cutting-edge red-teamers, it does lay the groundwork to begin that journey if you want to pursue it further. Many of the techniques used are great for illustrating exploits/methodologies but require additional strategies to bypass modern defenses.

TCPDump Bit-Masking (With Sticky Notes)

Of all the topics I have taught to new analysts coming into the SOC, bit-masking was continually the most difficult one for me to articulate. For the longest time I tried to teach bit-masks to students by explaining it logically using math and XOR. Reframing bit-masks as a collection of tiny sticky notes provided a much needed bridge to help students mentally tie this concept to something tangible. TCP FLAG PRIMER While tcpdump bit-masking can be used on any byte/nibble, it is often used to isolate combinations of TCP flags so that is the example that we will use here.
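The following block is an added example serving both this TCP flag primer and the UDP sampling excerpt above; it is not code from either post. It evaluates tcpdump-style `proto[offset:size] & mask = value` tests in Python over constructed IPv4 packets, so the effect of a mask can be checked offline before it is typed into tcpdump. The TCP side shows why `tcp[13] & 0x12 = 0x02` is preferable to the exact `tcp[13] = 0x02` (the latter misses a SYN that also carries ECN bits). The UDP side samples on the low bits of the checksum field, `udp[6:2]`; using the checksum as the sampling key is this example's choice, not something the excerpt states, and the `!= 0` guard is there because IPv4 UDP checksums are optional and a zeroed checksum would otherwise always match. All packets and port numbers are constructed.

```python
"""Added example (not code from the original posts): a small Python evaluator for
tcpdump-style proto[offset:size] & mask = value tests, run over constructed IPv4
packets so the filter logic can be checked offline without a live capture."""
import struct

# TCP flag bits carried in tcp[13] (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(proto, transport, ident=0):
    """Constructed 20-byte IPv4 header (IHL=5) in front of a transport header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), ident, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + transport


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: tcp[12] = data offset (5 words), tcp[13] = flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport, dport, checksum, data=b""):
    """Constructed UDP header; udp[6:2] is the 16-bit checksum field."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), checksum) + data


def field(pkt, offset, size=1):
    """proto[offset:size]: tcpdump indexes tcp[]/udp[] from the start of the
    transport header, so the IPv4 header (IHL * 4 bytes) is skipped first."""
    start = (pkt[0] & 0x0F) * 4 + offset
    return int.from_bytes(pkt[start:start + size], "big")


def tcp_flags(pkt, mask, value):
    """tcp[13] & mask = value (false for non-TCP packets)."""
    return pkt[9] == IPPROTO_TCP and (field(pkt, 13) & mask) == value


def udp_sample(pkt, mask):
    """udp[6:2] != 0 and udp[6:2] & mask = 0: keep roughly 1/(mask+1) of the UDP
    traffic by matching the low bits of the checksum. The != 0 guard matters:
    IPv4 UDP checksums are optional, and a zeroed checksum would always match."""
    if pkt[9] != IPPROTO_UDP:
        return False
    csum = field(pkt, 6, 2)
    return csum != 0 and (csum & mask) == 0


# Each key is the tcpdump expression the predicate mirrors.
FILTERS = {
    "tcp[13] = 0x02":                         lambda p: tcp_flags(p, 0xFF, SYN),
    "tcp[13] & 0x02 = 0x02":                  lambda p: tcp_flags(p, SYN, SYN),
    "tcp[13] & 0x12 = 0x02":                  lambda p: tcp_flags(p, SYN | ACK, SYN),
    "tcp[13] & 0x12 = 0x12":                  lambda p: tcp_flags(p, SYN | ACK, SYN | ACK),
    "udp[6:2] != 0 and udp[6:2] & 0x0f = 0": lambda p: udp_sample(p, 0x000F),
    "udp[6:2] != 0 and udp[6:2] & 0xff = 0": lambda p: udp_sample(p, 0x00FF),
}


def constructed_packets():
    """Constructed traffic: five TCP segments with different flag combinations,
    256 UDP datagrams whose checksums walk 0x1000..0x10FF, and one UDP datagram
    with the checksum disabled (0)."""
    pkts = [
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, SYN)),
        build_ipv4(IPPROTO_TCP, build_tcp(80, 40000, SYN | ACK)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, ACK)),
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, SYN | ECE | CWR)),  # ECN-setup SYN
        build_ipv4(IPPROTO_TCP, build_tcp(40000, 80, FIN | ACK)),
    ]
    pkts += [build_ipv4(IPPROTO_UDP, build_udp(5353, 5353, 0x1000 + i)) for i in range(256)]
    pkts.append(build_ipv4(IPPROTO_UDP, build_udp(5353, 5353, 0)))
    return pkts


def run_filters(pkts, filters=FILTERS):
    """Number of packets each expression would let through."""
    return {expr: sum(1 for p in pkts if pred(p)) for expr, pred in filters.items()}


if __name__ == "__main__":
    for expr, n in run_filters(constructed_packets()).items():
        print(f"{expr:40} -> {n} packet(s)")
```

On the constructed traffic the exact test `tcp[13] = 0x02` keeps one segment while the masked `tcp[13] & 0x12 = 0x02` keeps two, because the ECN-setup SYN has 0xC2 in the flags byte. The 0x0f checksum mask keeps 16 of the 256 UDP datagrams; that 1/16 rate only holds when the masked bits are roughly uniform across the traffic, which is true of a checksum but not of a field such as a fixed source port.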

ELASTIC CERTIFIED ENGINEER CERTIFICATION REVIEW + TIPS

TLDR: The exam itself was a fair assessment of the candidate’s knowledge around engineering an Elasticsearch cluster. All of the required tasks on the exam were grounded in real-world use cases that would be part of an ES engineer’s day-to-day work. Not only did I learn a ton about the engineering side of Elasticsearch but I am a stronger analyst because I better understand where my data is coming from and how it is processed.

Lessons Learned from Speaking in a Virtual Conference

TLDR: The virtual format makes humor difficult, have a fallback plan for internet/power outages, and you don’t need a fully completed presentation to enter a submission to a conference. Doing my best to avoid letting 2020 hold me back, I achieved one of my personal goals and presented a talk at an infosec conference this year! My preference would have been to do something local and in-person but because of COVID, those hopes were dashed.