swannysec Musings on InfoSec

Talking Point - On Education - Pt. 1


Note: This post is the first of a series of non-technical topics relevant to information security and other aspects of technology at large.

Education’s Place in InfoSec - Or: Certs, Degrees, and Experience, oh my!

Earlier this week on Twitter, Christian P. (@CYINT_dude), Kyle Maxwell (@kylemaxwell), and I had a brief conversation about education. Education is a somewhat divisive subject in our field, and it was nice to hear from them on the issue. Like others, I have very strong feelings about education, shaped largely by my own journey and the impact that varying types of education have had on my personal development and career. This post and its second part will outline my take on the topic, which is wholly personal and meant as food for thought.

One of the questions I see asked most often in public communities is whether or not a four-year computer science or other IT-related degree is a hard requirement for working in the security field. Let me be completely honest: in some cases, yes. Many positions require that degree as a bare-minimum foot-in-the-door differentiator. Technical degrees such as Computer Science or Cybersecurity provide a great starting point for someone interested in Information Security. That said, I find a hard requirement for a technical degree foolhardy and obtuse.

College

You’re probably expecting me to say I don’t think a degree is important at all; you’ll be disappointed. While it should not be required in most cases, a degree still has a lot of value. What I do believe, however, is that the degrees sought should not be limited to CS/IT fields. My Bachelor’s Degree is in Political Science with a focus on International Relations and a minor in History. So what’s this liberal arts yuppie doing in InfoSec? What might surprise you is just how valuable that degree has been for me. A degree in Political Science/International Relations will ensure that you can effectively communicate, both verbally and in writing. It will ensure you are well prepared to build, relay, and defend an argument. It will give you the foundations of good research and analytical procedure.

In short, such a degree will give you the ability to enrich and exhibit your technical skills for the better. As an added bonus, a background in International Relations is extremely helpful in understanding the geopolitical aspects of attribution, global cybercrime, and cyber espionage and warfare.

The benefits of non-technical degrees don’t stop with Political Science. Education majors are great teachers and communicators. Marketing, Finance, and Business majors understand the needs and realities of operating a business. Communications and Art majors understand the art of communicating their message to varying audiences visually or in other useful forms. Science majors develop excellent troubleshooting and analytical skills. I could go on for days, highlighting some huge benefits of just about any undergrad degree. So please, if you’re a student interested in InfoSec, or a recruiter or HR person, give serious consideration to non-technical degrees.

So, what about a Master’s Degree? Is it necessary? Probably not. Is it helpful? Absolutely. A Master’s allows you to hone the communication skills you developed in the course of a four-year degree. It often requires you to work in a more “professional” format, communicating less academically and working in groups to accomplish tasks. Sound familiar? Just like the real world. (Detour: do yourself a favor and get your Master’s as soon as practical. The further out you are from college and the more you have going on at home, the harder it will be.) I recommend you seek a Master’s that’s markedly different from your previous education. If you completed a four-year liberal arts or business degree, go get a technical degree, or vice versa. I got a Master’s in Information Assurance. This ensures you add context, broaden your horizons, and prove you can tackle multiple disciplines. Information security is a broad domain and it requires tackling multiple disciplines; do the same in your education and benefit!

All that said, are degrees the be-all-end-all? Absolutely not. Some of the sharpest security professionals I know don’t have any degrees. I respect them no less than those with degrees, and they’re just as important to their organizations as those with degrees. Certifications and practical experience also have a role to play, which will be discussed in greater detail in Pt. 2 of this series. In closing, consider a degree, or two! Be open to non-technical fields; enrich yourself and add context to your work. Feel free to give me your feedback @swannysec!

Photo Credit: Got Credit

Building an Analysis Toolkit Pt. 1


“A wise man without a book is like a workman with no tools.” - Supposed Moroccan Proverb

Where we’re going, both knowledge (books) and analytical aids (tools) will be required. Anyone working in security can attest to the fact that there’s simply too much going on at any given time to process and store solely in one’s own mind. This is particularly true when investigating something that may lead to hundreds, if not thousands, of related domains, IP addresses, e-mails, or file hashes.

Fortunately, the days of simple notepads are long behind us. While I still use both paper notepads and Microsoft OneNote for spur-of-the-moment scribbling and free-form thought storage, there are now a whole host of analytical aids that serve not only to store investigative material, but to enrich that data via lookups and API integrations of varying sorts. Such tools vary in focus, platform, cost, and complexity, so just about anyone should be able to find tools that are a good fit for their purpose, budget, and personal workflow.

In part two of this post, I’ll be covering my own personal choices for investigative tools and sharing how I set them up. The remainder of this post, however, contains the goods: a curated list of investigative and analytical tools that I’ve collected over time. Some of these are things I use daily and some are simply things on my to-do list to check out, but I think all of these have merit and are worthy of your time and attention to explore.

The list leans toward the free/cheap side of things so there won’t be a slew of enterprise-grade products contained therein. It should also be noted that some of the tools listed likely fall into more than one category depending on the breadth of their feature sets; therefore, I have tried to give them the most logical home according to my own twisted mind. Finally, individual threat feeds, honeypots, and tools with more specific technical purposes such as deobfuscation or reversing are largely beyond the scope of this list. Enjoy.

Swanny’s Big List of Security Analysis Tools

Journaling/Incident Tracking/Note-taking

FIR: Fast Incident Response. Lightweight IR management platform. Will track and correlate manually entered IoCs.
SCOT: Sandia Cyber Omni Tracker. IR management platform with robust IoC tracking/correlation and plugins for integration with other tools.
RTIR: Request Tracker for Incident Response. Just what it sounds like: RT with built-in workflows for IR.
threat_note: Lightweight IoC tracking and enrichment, designed as a research tool.
Microsoft OneNote: Great note-taking app. Store notebooks locally or on cloud storage.
Evernote: Robust cloud-based note-taking app with a great tagging system. Take note: no client-side encryption.
Cherrytree: Simple local note-taking app with an organizational system similar to Evernote.

Threat Intelligence/IoC Aggregation and Processing

CIF: Collective Intelligence Framework. Collects, aggregates, normalizes, and outputs IoCs in a variety of formats for operationalization. Can search via API/browser extensions as well. Self-hosted.
IntelMQ: Collects and processes large volumes of threat intelligence from traditional feeds, Pastebin, Twitter, and more. Self-hosted.
CriticalStack: Collects and aggregates threat intelligence and outputs to Bro signature files. Get creative and shape the output to your needs, or wait for more output formats.
AlienVault OTX: Open Threat Exchange. Free web-based threat intel collector/aggregator. Big focus on information sharing.
ThreatConnect: Full threat intel platform. Enterprise-grade, with a nice free feature set ideal for tracking and sharing IoCs individually or in a small team.
MISP: Malware Information Sharing Platform. Great IoC management platform. Allows a variety of inputs and outputs and has a robust sharing framework.
CRITS: Collaborative Research Into Threats. Similar concept to MISP, with a bigger focus on analysis.

Web-based Research Tools

PassiveTotal: Excellent source of context for malware or IoC analysis. Whois lookups, passive DNS, SSL cert history, and tie-ins with VirusTotal, DomainTools, AlienVault, and more. Good free feature set.
ThreatCrowd: Great search engine for IoCs, complete with visualizations and RSS feeds. Free.
threatRecon: Nice IoC lookup from Wapack Labs. Free after registration, up to 1000 searches a month.
malwr: Online Cuckoo malware sandbox analysis. Free.
VirusTotal: Does this need a description? Analysis of files and URLs against known malware signatures and reputation data.
urlQuery: URL lookup; provides whois and reputational data, as well as running the page load through Snort and Suricata with advanced subscriptions.

Reconnaissance/Context Enrichment

Automater: Given a domain or IP, gathers a boatload of useful intel from various web sources. Lightweight Python script.
Machinae: Similar to Automater, with more sources of intel, cleaner config, and additional inputs/outputs.
dnstwist: Feed it a domain and it will spit out any existing domains that are similar. Useful when looking for fraud, phishing, or typosquatting.
FOCA: Windows-based recon tool for exploring/mapping domains and finding files, injection opportunities, or other security issues. Free.

Log Analysis/SIEM

Splunk: Fantastic log analysis tool/SIEM with loads of integrations and flexibility. Allows for a ton of free-form analysis. Free up to 500 MB/day of indexing.
ELK Stack: Elasticsearch, Logstash, Kibana. Open-source log collector with great visualization via Kibana.
graylog: Slightly easier to set up and use than ELK; has a growing feature set in visualization and plugins.

Visualization/Relationship Research

Maltego: Industry standard for this type of work. Expensive, but a decent free feature set for getting started.
Orange: Open-source visualization and data analysis.

Bonus Items - Random Stuff I Like

Dashkiosk: Awesome rotating dashboard creator for static displays. Great for a NOC/SOC. Chromecast friendly!
Loki: Scans hosts for the presence of a variety of IoCs.
Gavel: Nifty transforms for Maltego that allow an analyst to query traffic records; a lot of human intel is possible here.

Blog Setup


On choosing a blogging platform and setting up a no-nonsense blog.

When I decided to begin this endeavor, I almost decided not to blog the experience. I don’t enjoy narrative writing outside incident reports; it reminds me too much of my B.A. in Political Science. I’m also not a fan of most blogging platforms. Finding one that is a balance of ease of use, feature completeness, security (looking at you, Wordpress), and cost effectiveness can be a challenge.

I’m a big fan of clean and simple blogs. Brian Warehime’s Nullsecure.org is a prime example of what I like in a blog and served in large part as inspiration for this one. So initially I looked at the platform he chose, Ghost. Ghost is quite polished and preaches simplicity. It also seemed great from a feature standpoint, but as I dug in, it looked like many of the benefits were derived by subscribing as a Pro member, for $8/month. I’m a public sector employee working in education; needless to say, I don’t make a ton of money, so the idea of spending monthly just to host a blog didn’t sound appealing. I’d rather spend what I can on technical resources. Ghost does allow self-hosting for free, with fewer features, but I decided against that due to added complexity and a clunkier install process.

At that point, I went on the standard blog tour of many of the common names in the business such as Blogger and Wordpress, as well as some newer options like Medium. Ultimately, I stumbled into Tinypress. Tinypress offered dead-simple setup with a few clean themes, easy markdown drafting, and an Android app to boot. What I didn’t realize until I signed up was that it utilized GitHub Pages for hosting and Jekyll under the hood.

The setup process to get to a point where I could begin posting took no more than five minutes. Unfortunately, I quickly discovered that the feature set for Jekyll running on GitHub Pages is somewhat limited due to the small number of GitHub Pages-friendly plugins. Basic things like social sharing buttons and tags are non-existent. So what did I do about it?

For social buttons, I initially looked at the buttons provided by the various social networks, but decided against these based on their need for JavaScript, the tracking inherently built into them, and their generally clunky nature. In the end, I chose the HTML button set provided by the kind folks over at SimpleShareButtons. These were easy to set up, they’re simple to add and format, and they do the job nicely without compromising anyone’s privacy. Check them out, they’re at the bottom of this post!

Getting tags up and running was a somewhat hairier proposition. There are loads of posts scattered across the internet regarding tag solutions and GitHub Pages. If you’re running a straight-up Jekyll instance, there are plugins for the purpose. As you might have guessed, GitHub doesn’t support these. After trying a number of solutions for GitHub-friendly tagging without any success, I found the solution provided by Sungjin Han over at meinside.pe.kr here. Again, straightforward and simple to set up with good results, mission accomplished!

My general impression of the Tinypress/GitHub Pages/Jekyll experience is that it’s a perfect option for either of two scenarios:

  1. You want a dead-simple no-frills blog free of any social integration or advanced features that can be easily edited and set up in minutes.
  2. You want a clean, straightforward blog and you’re willing to get your hands dirty with HTML, markdown (which is actually kramdown, for those curious), and maybe some JavaScript to add in additional features such as social integration and post categorization that would otherwise be common to most blog platforms.

Overall I’m pleased with the results. I have a few minor issues to clean up, including a mixed content issue that appears to have been part of the Tinypress template I chose, but otherwise I’m satisfied with what I got for an evening’s worth of effort.

And Now for Something Completely Different...


In the words of the immortal Graham Chapman of Monty Python, “Right, what’s all this then?”

I have a confession: I’m burnt out.

I’ve been a security professional for the better part of seven years now. I’ve done everything from incident response, to network security (think firewalls/IDS), to risk assessments and security architecture. My industry demands that I be a jack-of-all-trades because we’re perpetually underfunded and undermanned. I’m the only person dedicated to security at an organization that protects almost 11,000 users. Being spread that thin for that long will wear anyone out.

That said, I love my field. Information security is my passion and I want to continue to learn and grow. In an effort to focus that desire and avoid letting burnout beat me, I’ve decided to lay some groundwork for continuing professional development and share the journey here, mostly from a technical perspective.

So, other than a security professional, who am I? First and foremost, I’m the father of two wonderful children who challenge and delight me on a daily basis. I’m also a bit of a history/politics nerd, which actually serves me well in the information security field. I’m a football fan and a lover of craft beer. Finally, when I manage to carve the time, I still enjoy a good PC game; it’s hard not to when you were raised on Doom, Quake, and Descent.

What’s on tap? Much like Sir Bedevere, “I have a plan!”

(Image: Bedevere)

Thankfully, my plan does not involve the misuse of Trojan rabbits. This blog will likely discuss professional development and my own journey from time to time, but the focus will be on the technical aspects of that work. I hope to share my experience as both a personal archive of the work and so that others may potentially benefit from the information. I have decided to focus my efforts on incident response, malware/intrusion analysis, and the curation and operationalization of threat intelligence. These are things I work on from time to time professionally, but despite the fact that I enjoy them immensely, they are not the focus of my job. I believe these areas are extremely valuable to any mature information security effort and I’d like to expand my horizons with regard to these specialties.

Thanks for reading, there’s more to come soon!



Author: John D. Swanson - Contact me at [email protected]
Opinions are my own and do not reflect those of my employer.
© 2022. All rights reserved.