how to be an infosec geek

Upload: andrew-mcnicol

Post on 12-Jul-2015

TRANSCRIPT

Page 1: How to be an InfoSec Geek

Resources for Technical Skill Progression

How to be an InfoSec Geek

Table of Contents

• Overview
• Twitter
• Security Blogs
• RSS Reader
• Free Resources for Skill Progression
• Technical Security Training and Certifications
• Lab Setup
• Vulnerable VMs
• Pcap Resources
• Malware Repositories
• Python Scripting Resources
• Books
• Conferences
• Security Podcasts
• Capture The Flags (CTFs)
• Summary

Overview

• Staying updated is a critical part of being an InfoSec Geek

• This presentation will divide staying updated in two categories:

– Latest Vulnerabilities, Threat Intelligence, Exploits, Tools, etc.

– Updating Skills and Continuous Learning

• We won't be covering everything, but hopefully enough to get you started

Overview Cont.

• In order to continue to be technical in InfoSec you need to be devoted to continuous learning

• We will cover a large array of topics within InfoSec. My advice is to pick an area you enjoy and dive as deep as you can go into that topic

• Lab, lab, lab: Technical skills are best built through hands-on experience

Twitter

• Twitter: The best resource for staying up to date.
– News is tweeted before blogged!
– Some people to follow to get your network started:
  • @TrustedSec, @deepimpactio, @redteamsblog, @ModSecurity, @carnal0wnage, @everythingburp, @brutelogic, @sqlmap, @sansappsec, @acunetix, @PrimalSec, @PortSwigger, @n1tr0g3n_com, @sethmisenar, @secureideas, @nVisium, @Burp_Suite, @JardineSoftware, @g0tmi1k, @mubix, @exploitdb, @lanmaster53, @secureideasllc, @SpiderLabs, @TheHackersNews, @threatpost, @briankrebs, @alienvault, @FireEye, @offsectraining, @jaimeblascob, @hdmoore, @malwaremustdie

Twitter Cont.

• The slide above can be used to get your Twitter profile and network started

• You’ll want to continue to follow people that tweet out interesting news to build out your network

• I normally quickly scan through Twitter once an hour to grab news

Security Blogs

• Some Blogs to Follow:
– http://thehackernews.com/
– https://isc.sans.edu/
– https://www.reddit.com/
– http://www.theregister.co.uk/
– http://krebsonsecurity.com/
– http://threatpost.com/
– https://www.alienvault.com/open-threat-exchange/blog
– http://www.fireeye.com/blog/
– http://blog.spiderlabs.com/
– http://blog.nvisium.com/
– http://www.exposedbotnets.com/
– http://blogs.technet.com/b/srd/
– http://malware.dontneedcoffee.com/

Security Blogs Cont.

• Some Blogs to Follow Cont.:
– http://packetstormsecurity.com/
– http://www.lanmaster53.com/
– https://www.trustedsec.com/news-and-events/
– http://www.acunetix.com/blog/
– http://blog.portswigger.net/
– https://www.jardinesoftware.net/
– https://www.corelan.be/
– https://blog.g0tmi1k.com/
– http://www.room362.com/
– http://www.exploit-db.com/
– http://carnal0wnage.attackresearch.com/
– http://malwaremustdie.org/
– http://www.reddit.com/r/ReverseEngineering/comments/is2et/can_we_collect_interesting_reverse_engineering/

RSS Reader

• Setting up an RSS reader can help you keep track of blogs

• I tend to favor the Twitter route, but many prefer the RSS route

• Many RSS readers are available; I have had good experience using Digg Reader:
– http://digg.com/reader

• Some people like using Feedly:
– https://feedly.com/

Free Resources for Skill Progression

Useful Resources (Free Courses, Tutorials, etc.):

• Pentesterlab.com: Great labs and tutorials for web app testing
– https://www.pentesterlab.com/

• Metasploit Unleashed: Free course on Metasploit
– http://www.offensive-security.com/metasploit-unleashed/Main_Page

• OWASP: Loads of free resources on web application security
– https://www.owasp.org/index.php/Main_Page
– OWASP AppSec Tutorial Series: https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series

• Open Security Training: Many free InfoSec courses
– http://opensecuritytraining.info/Training.html

• Great Read on Web Application Hacking:
– http://www.gironsec.com/WebHacking101.pdf

Free Resources for Skill Progression Cont.

Useful Resources (Free Courses, Tutorials, etc.) Cont.:

• YouTube (resources)
– Loads of good conference talks: https://www.youtube.com/user/irongeek
– 12 Part Web Hacking Course: https://www.youtube.com/watch?v=rNkR1Joz4eU

• Most Security Conference Talks are uploaded to Slideshare:
– http://www.slideshare.net

• FuzzySecurity: Good exploit tutorials
– http://www.fuzzysecurity.com/

• nVisium Security Casts: Free web application security training videos
– https://www.seccasts.com/mror/

• Free Reverse Engineering and IDA Pro Course:
– http://www.woodmann.com/TiGa/

• Reverse Engineering blog and tutorials:
– http://www.xchg.info/

Free Resources for Skill Progression Cont.

• G0tmi1k’s Blog: Good exploit tutorials and privilege escalation guides
– https://blog.g0tmi1k.com/

• Pauldotcom Security Weekly: Podcast, news, tutorials:
– http://securityweekly.com/

• Good blog and tutorial series for web application penetration testing:
– https://www.pentestgeek.com/2014/07/02/burp-suite-tutorial-1/

• Metasploit Minute by Hak5:
– https://www.youtube.com/playlist?list=PLW5y1tjAOzI3n4KRN_ic8N8Qv_ss_dh_F

Free Resources for Skill Progression Cont.

• Corelan: Good exploit tutorials
– https://www.corelan.be/

• Unofficial Kali Documentation “pwnwiki”:
– https://github.com/pwnwiki/kaliwiki

• List and Descriptions of top 125 security tools:
– http://sectools.org/

• SecurityTube: Loads of free videos and tutorials
– http://www.securitytube.net/

• Great paper on PHP source code analysis:
– http://www.exploit-db.com/papers/12871/

Free Resources for Skill Progression Cont.

• Codecademy: Good HTML/CSS, PHP, JavaScript courses
– http://www.codecademy.com/

• W3 Schools: HTML/CSS, PHP, JavaScript, jQuery tutorials
– http://www.w3schools.com/

• Ruby Monk: Interactive Ruby Tutorials
– https://rubymonk.com/

• Learn Java: Interactive Java Tutorial
– http://www.learnjavaonline.org/

Technical Security Training and Certifications

• Offensive Security: OSWP, OSCP, OSCE, OSWE, OSEE
– http://www.offensive-security.com/
– Extremely hands-on and lab-oriented training. There is no hand holding; you need to “Try Harder”. Their premier course, Penetration Testing with Kali (PWK), simulates a real penetration test throughout the lab and exam.
  • Good price for the training and labs (~1k/course and 90 days lab access)
  • The exams are hands-on demonstrations of skills vs. multiple choice questions

• SANS: GCIH, GCIA, GPEN, GWAPT, GWEB, GREM, GCFA, etc.
– http://www.sans.org/
– These courses are designed to be 5-6 day crash courses on a topic. SANS training is less hands-on compared to Offensive Security, but SANS does make a decent effort to incorporate labs.
  • Very good instruction and both offensive and defensive content
  • Costly training (~5k/course)

Technical Security Training and Certifications Cont.

• SecurityTube: Loads of good tutorials and full courses
– http://www.securitytube.net/
– Good price ($200-300), some courses are free

• Pentester Academy: Similar content to SecurityTube, but as a monthly subscription ($40/month)
– http://www.pentesteracademy.com/

• eLearnSecurity: Many different courses, all with labs
– https://www.elearnsecurity.com/
– Good price (~1k w/lab access)

• DerbyCon: Excellent security conference with training a few days before the conference
– https://www.derbycon.com/training-courses/
– Good price (1k for conference ticket and training)

Lab Setup

• In order to keep your technical skills sharp you need to have a lab

• Labs don’t have to be complex or really cost you any additional money

• VirtualBox is a free virtualization platform that allows you to deploy VMs and network them together with ease using “Host-only” networking:
– http://www.virtualbox.org/manual/ch01.html

Lab Setup Cont.

• If you have some hardware to play with you might consider building a VMware ESXi server:
– http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-and-vsphere-articles/installation-and-deployment/getting-started-esxi-5-part1.html

• Amazon Web Services (AWS) offers free tier servers that could extend your lab:
– http://aws.amazon.com/free/

Vulnerable VMs

• Practicing against a vulnerable VM is a great way to sharpen your skills

• Vulnhub.com is an excellent resource to download vulnerable VMs and practice your TTPs against the VMs
– Practice attacking the VMs before you read the write-ups
– Collection of many different vulnerable VMs

• Great way to get a quick lab setup

Vulnerable VMs Cont.

• Metasploitable:
– www.rapid7.com/metasploitable

• Kioptrix Challenges:
– http://www.kioptrix.com/blog/test-page/

• WebGoat:
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

• RailsGoat:
– http://railsgoat.cktricky.com/

• Damn Vulnerable Web App (DVWA):
– http://www.dvwa.co.uk/

Vulnerable VMs Cont.

• Mutillidae:
– https://www.owasp.org/index.php/Category:OWASP_Mutillidae

• SQLol:
– http://blog.spiderlabs.com/2012/01/introducing-sqlol.html

• Exploit KB / exploit.co.il Vulnerable Web App:
– http://exploit.co.il/projects/vuln-web-app/

• OWASP Hackademic Challenges Project:
– https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project

Vulnerable VMs Cont.

• Hack.me: Web Application hacking challenges
– https://hack.me/101229/web-app-hack-tutorial.html

• XSSeducation:
– https://hack.me/101136/xss-education.html

• PyGoat:
– https://www.owasp.org/index.php/OWASP_Pygoat_Project

• Google’s Firing Squad:
– http://public-firing-range.appspot.com/

• Labs associated with Web Application Hackers Handbook v2
– http://mdsec.net/

Pcap Resources

• Netresec has compiled a large collection of pcap resources from malware, CTFs, and other cyber challenges:

– http://www.netresec.com/?page=PcapFiles

• Pcap from malware:

– http://contagiodump.blogspot.com/2013/08/deepend-research-list-of-malware-pcaps.html

Malware Repositories

• Large Summary of Malware Resources:
– http://contagiodump.blogspot.com/2010/11/links-and-resources-for-malware-samples.html

• Contagio Blog:
– http://contagiodump.blogspot.com/

• Kernelmode:
– http://www.kernelmode.info/forum/

• Malware.lu:
– https://www.malware.lu/

• Malshare:
– http://malshare.com/

Malware Repositories Cont.

• Malwr:
– https://malwr.com/

• MalwareChannel:
– https://twitter.com/MalwareChannel

• VirusShare:
– http://virusshare.com/

• OpenMalware:
– http://openmalware.org/

Python Scripting

• You really need to break down and learn a scripting language.
– I highly suggest that language be Python

• Start out learning the syntax and then start to solve simple problems:
– Build a web parsing script, port scanner, automate OS commands, etc.

• You will need to set aside some time to practice regularly in order to grow this skill

• Scripting helps any technical security position

Python Scripting Cont.: Resources

• Resources to Learn Python:
– Books (Violent Python, Black Hat Python, Gray Hat Python)
– Python tutorials:
  • https://docs.python.org/2/tutorial/
  • https://wiki.python.org/moin/BeginnersGuide/Programmers
  • http://www.primalsecurity.net/tutorials/python-tutorials/
  • http://www.codecademy.com/en/tracks/python
  • https://www.youtube.com/user/DrapsTV/playlists
– Python Courses:
  • Google’s Free Python course: https://developers.google.com/edu/python/
  • SecurityTube.net’s Python Scripting Expert course: http://www.securitytube-training.com/online-courses/securitytube-python-scripting-expert/

Books

• Really good summary of InfoSec Books:
– http://www.dfir.org/?q=node/8

• Safari Books is a great resource that allows you to view a large library of books by paying a monthly fee:
– https://www.safaribooksonline.com/

• Web Application Hackers Handbook v2:
– http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470

• Violent Python:
– http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers-ebook/dp/B00ABY67JS

• Black Hat Python:
– http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900

• Gray Hat Python:
– http://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921

Books Cont.

• Red Team Field Manual:
– http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504

• Blue Team Handbook:
– http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756/

• Malware Analyst Cookbook:
– http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/

• Practical Malware Analysis:
– http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901/

• The Art of Memory Forensics:
– http://www.amazon.com/The-Art-Memory-Forensics-Detecting/dp/1118825098

Books Cont.

• Metasploit: The Penetration Testers Guide:
– http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X

• Database Hackers Handbook:
– http://www.amazon.com/The-Database-Hackers-Handbook-Defending/dp/0764578014

• Linux In A Nutshell:
– http://www.amazon.com/gp/product/0596154488/

• TCP/IP Illustrated v2:
– http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313/

• Free Introduction to Penetration Testing E-book:
– http://averagesecurityguy.info/2014/10/30/beginners-guide-to-pentesting/

Books Cont.

• The IDA Pro Book:
– http://www.amazon.com/The-IDA-Pro-Book-Disassembler/dp/1593272898/

• The Shellcoder’s Handbook:
– http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X/

• Practical Reverse Engineering:
– http://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315/

• Hacking: The Art of Exploitation:
– http://www.amazon.com/Hacking-The-Art-Exploitation-Edition/dp/1593271441/

Security Podcasts

• Pauldotcom Security Weekly Webcast/Podcast:
– http://securityweekly.com/

• Securabit Podcast:
– http://securabit.libsyn.com/

• Social Engineer Podcast:
– http://www.social-engineer.org/category/podcast/

• Brakeing Down Security Podcast:
– http://brakeingsecurity.com/

• SANS Internet Storm Center Podcasts:
– https://isc.sans.edu/podcast.html

• DevelopSec Podcast:
– http://developsec.libsyn.com/

Security Podcasts Cont.

• Risky Business Podcast:
– http://risky.biz/netcasts/risky-business

• Defensive Security Podcast:
– http://www.defensivesecurity.org/category/podcast/

• Trustwave SpiderLabs Radio:
– http://blog.spiderlabs.com/spiderlabs-radio/

• Primal Security Podcast:
– www.primalsecurity.net

• Down the Security Rabbithole Podcast:
– http://podcast.wh1t3rabbit.net/

• OWASP Podcast:
– https://www.owasp.org/index.php/OWASP_Podcast

Conferences

• Large list of security conferences:
– http://www.concise-courses.com/security/conferences-of-2014/

• DerbyCon – Louisville, Kentucky in September. The conference talks are put on YouTube the next day
– https://www.derbycon.com/

• ShmooCon – Washington DC in January. Defensive conference and tickets sell out quickly
– http://www.shmoocon.org/

• Black Hat – Vegas in August. Very commercialized conference; many good talks are mirrored at Def Con
– http://www.blackhat.com/

• Def Con – Vegas in August. Very packed, lots of good talks
– https://www.defcon.org/

Conferences Cont.

• BSides – Happens all the time depending on the region. Smaller conference that is more community driven
– http://www.securitybsides.com/

• ISSA – Different chapter conferences are held throughout the year:
– http://www.issa.org

• OWASP AppSec – Denver in September. Very focused on application security and secure coding best practices and trends. Many talks make it to YouTube:
– www.appsecusa.org

• NoVA Hackers – Monthly meetup in VA (2nd Monday of every month) – they do conference talks and host a CTF:
– http://novahackers.blogspot.com/

• RVAsec – Holds a smaller local conference and CTF in June
– http://rvasec.com/

Capture The Flags (CTFs)

• Good write-up on CTFs for people who have no experience:
– http://webbreacher.blogspot.com/2014/10/top-5-ctf-tips-from-no-longer-ctf-virgin.html

• CyberLympics:
– http://cyberlympics.org/

• Maryland Cyber Challenge:
– https://www.fbcinc.com/e/cybermdconference/challenge.aspx

• DerbyCon CTF:
– https://twitter.com/derbyconctf

• Def Con CTF:
– https://www.defcon.org/html/links/dc-ctf.html

• Ruxcon:
– https://ruxcon.org.au/slides/

Capture The Flags (CTFs) Cont.

• CSAW NYU School of Engineering CTF – Good Write-ups online:
– http://gaasedelen.blogspot.co.uk/2014/11/landing-agres-links-500-csaw-ctf-2014.html

• CTF365:
– https://ctf365.com/

• MITRE CTF:
– http://mitrecyberacademy.org/competitions/index.html

• CCDC (College-level) Challenge:
– http://www.nationalccdc.org/index.php/component/content/

• Hack.lu CTF:
– http://2014.hack.lu/index.php/CaptureTheFlag

• RVAsec CTF:
– http://rvasec.com/

Summary

• In order to stay up to date in InfoSec you need to constantly strive for new skills and knowledge

• Staying up to date on the latest vulnerabilities, exploits, tools, etc. requires diligently searching the internet for news
– We strongly suggest keeping an eye on Twitter throughout the day

• Build, break, secure, and learn to write code