Short Review: x33fcon

x33fcon is a nice & small conference in Poland, Gdynia near to Gdansk.

“Welcome to x33fcon, a new gathering for IT security professionals and enthusiasts. It’s a new event where blue and red teams meet to exchange views and ideas, share experiences, and discuss the latest security challenges in the industry.”
From: https://www.x33fcon.com/

The ticket price is low (also if you plan to travel there privately), the content was really professional and interesting, a bit more than someone might expect when you see the size of the con. Kudos to the organizers for getting so many interesting speakers and talks. Besides the talks there is also a CTF and workshops, after the conference trainings take place. There is also some great food for lunch, in the breakes there is coffee and small snacks. The breakes are long, so you have some time to talk with speakers and other folks around. Seems to be that ATT&CK is the hot topic currently, at x33fcon alone they had three talks about that. 

From my point of view as a Red Teamer some more talks about breaking stuff on exploitation level would have been great. x33fcon is a great conference, the only critics from my side is that the attendees are being filmed in every talk from any perspective possible. At other conferences they ask when making photos or filming, maybe that might be an idea when not filming the whole audience.

Besides the conference Gdynia, Gdansk and the beaches around are really nice:

Conclusion: Highly recommended.

Coursera courses for free

Like for EDX, it is possible to take coursera courses for free. Here is a short example.

Login (or register if you have no account). Go to the course you want to attend to, in this example I take “Programming Languages, Part A”. Please note that the option described here are not possible for all courses.

On the course page select “Enroll”:

In the pop-up choose “Full course. No certificate” and continue.

And you can start:

Have fun!

EDX courses for free

EDX courses can be taken for free. Of course then you will miss the certificate, but the content is the same. Also you have a time limit for viewing the content, but in my experience it is more than enough.

Here is a short example:
After logging in with your account (register if you do not have one) search for the course you want attend to.

For the example I choosed “Introduction to Cybersecurity”.

Choose “Enroll now” on the course page:

Scroll down a bit and choose “Audit this course”:

One the next page you can just start the course. A dialog might be shown that you can earn the certificate, you can just ignore that or choose “Explore the course” here:

Enjoy and keep learning!

Start a Penetration Tester Career

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career (this part)
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead

From Administrator to the first Penetration Tester Job

I am sharing this because people ask me often about how to get into information security and how to improve a career. In this post, I describe my personal career and learning path including recommendations for books and more learning material. This may not be perfect to other people, for me it just worked. In later posts, I will give some recommendations for a more idealized learning path for different careers, for example as a penetration tester or a forensics specialist.

When I was working as an administrator back in 2011, I began starting to think about how I might change my career. My job back then included some Windows and Linux administration as well as some PHP and VBA coding. Further, I had coding skills in C and Java. In October 2012 I started my first job as penetration tester.

At this time, it was not clear to me whether to go more into depth as a network admin or to security. Since it seemed to be a good idea to have some networking skills, I started to work out a plan for getting the CCNA. 

Network skills
I started with the Mikrotik MCNA, since there was a training possibility in the town where I lived, I only used the training material offered by this course, but if you want more information have a look at the official Mikrotik page: https://mikrotik.com/

Then CompTIA Network+ followed. For the test preparation, I relied on two sources. The first is the free video series from professor Messer, these are excellent and I used to make notes about the content and reviewed them before a new training session. After the videos, I bought the book
Mike Meyers’ CompTIA Security+ Certification Passport” that included some example questions for training.

The CCNA was my first “bigger” certification and I remember that I put a lot effort in it, for example I bought a bunch of old switches and routers for a home lab. This was not necessary, but of course, it added some fun at this time. Much easier is to use simulation software for doing some labs.

Besides my own experiments, I worked through the book CCNA Routing and Switching Complete Study Guide. The certification at this time included not only the multiple choice tests, but also lab exercises.

Security skills
Because it became clear to me that I wanted to go into Security in my career, I started the CompTIA Security+ certification. As like for Network+ I used the Professor Messer tutorials and the book Mike Meyers’ CompTIA Security+ Certification Passport. 

I wanted to work as a penetration tester; I decided to do the OSCP certification and I am happy I did choose it over the CEH. Here is my review in German, more reviews in English here.

I made the certification in 2012, and nowadays I do not think that you must have an OSCP necessarily, although I strongly recommend it. It is a great certification and it surely helped me especially when it comes to attitude, endurance and patience. However, it can be a frustrating experience and if you do not have enough time or motivation, it will be hard. For me it was fun!

During the OSCP preparation, I bought two books:
–      The German book “Hacking mit Metasploit” (Hacking with Metasploit) by Michael Messner, which helped me a lot because it also introduced some Exploit Development and Client Side Attacks.
–      Hacking: The Art of Exploitation by Jon Erickson 

After the OSCP, I was lucky to find my first Job as a penetration tester.

Besides the certifications I also did a course at coursera “Webapplication Engineering” which I liked but it seems it was not continued.

Together with a friend we published an article in the German issue of the pentest magazine about pivoting, which was good having it on my CV for the first job in the field.

Conclusion
If you want a job in this field, the most important thing for me is to show that you are motivated. Nowadays I had some job interviews “on the other side” from the perspective of an employer. So besides qualifying with certifications and courses you should consider:

  • Start your own blog
  • Start your own projects on github
  • Contribute to projects
  • Networking (when I looked for my first job as a penetration tester I used Xing and wrote to company owners and asking for a job, which was successful) 
  • Consider publish articles on platforms like Xing, LinkedIn, magazines etc.

In the next part, I will go from starting the first job to going for expert level.

Review EDX Course Security in Office 365 (Microsoft CLD245x)

Recently I took the course Security in Office 365 using the free Audit Access, the final exam and the Certificate are missing here.
The sections of the course are:
  • Threats and data breaches targeting your data
  • Office 365 Advanced Threat Protection
  • Office 365 Threat Intelligence
  • Auditing, alerting and reporting in Office 365
  • Advanced Security Management in Office 365
After each section there is a quiz, as well as an final exam with 20 questions (missing in the free version). I’ll go through each section adding some notes.
Introduction to Security in Office 365
Threats and data breaches targeting your data
  • how threat actors gain access
  • kill chain
  • how the work and threat landscape changed
  • on-premises environment vs “gray area” (cloud etc.) in terms of controll and security
  • phishing
  • malware
  • spoofing
  • escalation of privilege
  • data exfiltration
  • data deletion including ransom ware
  • data spillage (“Data spillage occurs when protected data is transferred to a system that doesn’t provide the same level of protection as the source.”)
  • as well as password cracking
  • malicious insiders
Security solutions in Office 365 
  • Exchange Online Protection (EOP)
  • Office 365 Advanced Threat Protection (Office 365 ATP)
  • Office 365 Threat Intelligence
  • Auditing and alerts
  • Advanced Security Management (ASM)
  • EOP (not End Of Protection 😉 but Exchange Online Protection)
  • Office 365 Threat Intelligence
  • Threat Dashboard
  • Auditing and alerts
  • Advanced Security Management (AMS)
  • Threat detection
  • Enhanced control
  • Discovery and insights
Introduction to Secure Score
  • Overview of Office 365 Secure Score
  • security related measurements
  • Office 365 Secure Score API
  • API & powershell
  • downstream data for other tools and SIEM etc.
  • The Secure Score dashboard
  • The Secure Score analyzer tab
  • Increasing your security posture
  • I liked some of the points:
    • Enabling multi-factor authentication on all admin accounts
    • Designating more than one global admin
    • Enabling auditing across workloads
    • Enabling mailbox auditing
    • Having a weekly review of sign-ins after multiple failures
    • Having a weekly review of sign-ins from unknown sources
    • Having a weekly review of sign-ins from multiple geographies
Implementing and Managing Office 365 ATP
Introduction to Exchange Online Protection
  • The anti-malware pipeline in Office 365
  • Zero-hour auto purge
  • ZAP, detect spam or malware that was undetected by heuristics and delivery patterns
  • Phishing and spoofing protection
  • SFP, DKIM, DMARC
  • Spoof Intelligence
  • Give overview of spoofing attempts, allow spoofing for certain senders for certain addresses
  • Managing spoof intelligence
Overview of Office 365 Advanced Threat Protection
  • How ATP expands protection provided by EOP
  • Safe attachments
  • sandbox/detonation chamber 😀
  • Safe attachment policy options
  • Safe links
  • URL detonation -> mix of safe links and sage attachements
  • Safe links policy options
Managing Safe Attachments
  • Creating safe attachment policies in the Security and Compliance Center
  • Creating safe attachments policies using Windows PowerShell
  • Modifying an existing safe attachments policy in the Security and Compliance Center
  • Creating a transport rule to bypass safe attachments
  • Safe attachments end user experience
Managing Safe Links
  • Creating safe links policies by using the Security and Compliance Center
  • Creating safe links policies using Windows PowerShell
  • Modifying an existing safe links policy
  • Create a transport rule to bypass safe links
  • Safe links user experience in email
  • Safe links user experience in Office 2016
Monitoring and reports
  • Threat protection status report
  • ATP message disposition report
  • ATP file types report
  • Malware detections report
  • Top Malware report
  • Top Senders and Recipients report
  • Spoof Mail report
  • Spam Detections report
  • Sent and received email report
  • Security & Compliance Report Demonstration
Using Office 365 Threat Intelligence
Office 365 Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
  • Microsoft Intelligent Security Graph
    • Source: Windows, Office 365, Cloud Services, 3rd party
  • Threat dashboard
    • reporting tool for C-level
  • Threat explorer
    • analysts, admins
Using the Threat Detection dashboard
  • Threat detections in your tenant
  • Security and malware trends
  • Alerts
  • More insights
  • Threat Intelligence Demonstration
Using Threat Explorer
  • Viewing options in Threat explorer
  • Filtering capabilities in Threat Explorer
  • Drilling for details
  • Incident reports
Implementing auditing, insights, and alerts
Overview of auditing in the Security & Compliance Center
  • Auditing architecture in Office 365
  • Audited activities
  • Office 365 Management Activity API
Enabling mailbox auditing in Exchange Online
  • Mailbox actions logged by mailbox audit logging
  • Enabling mailbox auditing
  • Specifying owner actions to audit
  • Changing the age limit for entries in the mailbox audit log
Searching the audit log
  • Enabling auditing in your tenant
  • Granting permissions
  • Searching the audit log
  • Viewing the search results
  • Filtering the search results
  • Exporting the search results to a file
  • Searching the audit log by using Windows PowerShell
  • Using a SIEM application to access your auditing data
Enabling sharing auditing for SharePoint and OneDrive
  • The SharePoint sharing schema
  • The SharePoint Sharing model and sharing events
  • How to identify resources shared with external users
Managing insights and alerts in the Security & Compliance Center
  • Introduction to insights and alerts
  • Types of insights that are available
  • Types of alerts that are generated
  • Alerts features in the Security & Compliance Center
  • Alert policy settings
  • Default alert policies
  • Viewing alerts
  • Managing alerts
Advanced Security Management
Overview of Advanced Security Management
  • Lesson introduction
  • Anomaly detection policies
    •     Login authentication failures
    •     Administrator activity
    •     Inactive accounts
    •     Location
    •     Impossible travel
    •     Device and user agent
  • Activity policies
  • Anomaly detection and activity alerts
  • Policy templates
  • Productivity app discovery
  • App permissions
Implementing policies and alerts
  • Enabling and accessing Advanced Security Management
  • Creating anomaly detection policies
  • Creating activity policies
  • Reviewing and taking action on alerts
  • Investigating activities in the Activity log
  • Grouping IP addresses to simplify management
Implementing app discovery
  • Log file requirements
  • Supported vendors and their data attributes
  • Creating app discovery reports
  • Reviewing app discovery findings
  • Troubleshooting errors when log files are uploaded
Implementing app permissions
  • App permissions architecture
  • Managing app permissions
  • Approving or banning an app
Conclusion
Unfortunately I do not have access to an Office 365 environment for testing. So I was thankful that the course gives a broad insight of the posibilites of the security configurations of Office 365. Lots of the topics come withshort  examples (like phishing, spoofing etc.) and a short video clip.

From my side more insight on the security mechanisms and more detail on Threat Intelligence would have been great.  The course goes into logging and how to find strange behaviour, malware and threat intelligence. Which was really nice to see how much effort Microsoft put into securing their cloud products.

A lot of the questions in the module assessements questions are more about configuration the platform itself or how tabs are named, I felt a bit like in a MS exam long time ago. Large parts of the content is text and not videos, most courses are a bit different here.

The course gave a good overview and insights for understanding Security in Office 365 for me, that’s what I was looking for.
Links

Recommended Talks for the New Year (mainly 35C3)

Like last here here some recommendations for starting into 2019. Mainly from 35C3 and one from Bluehat.

See the original thread from twitter here (It’s a bit messed up, but should be complete):

Review Cybrary Advanced Cyber Threat Intelligence

Since I found that some information was missing from this course https://govolution.wordpress.com/2018/06/30/review-udemy-certified-cyber-threat-intelligence-analyst/
I found a course on cybrary, which is only about 3 hours long and which is free.

So the review will also be a bit shorter. For the content please review:
https://www.cybrary.it/course/advanced-cyber-threat-intelligence/

Module 1 – Threat Intelligence Maturity Model is the intro, with an interesting analysis about maturity levels of organisations related to threat intelligence which I found pretty informative.

Module 2 – Campaigns and Open-Source Threat Intelligence comes with some information about OSINT and visualization, which is also covered a bit broader in the course that I took previously.

Module 3 – Sharing Operational Threat Intelligence is a bit more interesting, since here we start with “Sharing Operational Threat Intelligence”. This comes with some information about Crowdstrike & Alienvault, Yara, TLP, CybOX and STIX, TAXII. Finally some information about Tactical/Operational sharing, which was interesting, because the author seems to know that things like ROI etc. are also important when talking about security programs, the explanation of Analytic Confidence was also useful. The video about “Words of Estimative Probability” will almost certainly be useful in the future.
The tools are not explained in depth or compared to each other which is a pitty. I strongly suggest to have a look at sigma ;).

Module 4 – Strategic Threat Intelligence Analysis is something that was missing from the courses I viewed before. The topics here are:
Cognitive Bias and Logical Errors
Competing Hypothesis Analysis
Human Elements of Attribution
Nation-State Attribution
Strategic Review and Creating an Active Defense

Conclusion
For me the course was interesting and infomative, especially Module 3 & Module 4 brought a new perspective to me. Some of the example could be shown with more length. Further I got some more tools that I might try in future. I give the course 4/5 points.

 

Links
https://www.cybrary.it/course/advanced-cyber-threat-intelligence/
https://metadefender.opswat.com/#!/
http://virscan.org/
https://www.virustotal.com/
https://community.riskiq.com/
https://www.us-cert.gov/
https://github.com/VirusTotal/yara
https://github.com/Yara-Rules/rules
View at Medium.com

How to Write Simple but Sound Yara Rules

How to Write Simple but Sound Yara Rules – Part 2

How to Write Simple but Sound Yara Rules – Part 3


https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center
https://cybox.mitre.org/about/
https://stixproject.github.io/about/
https://github.com/Neo23x0/sigma

https://en.wikipedia.org/wiki/Analytic_confidence
http://www.tylervigen.com/spurious-correlations
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html