If you are a typical cyber sec manager, you most likely catch-up on the latest developments by visiting on-line sites like News Now, by reading various publications, and by periodically attending various vendor workshops. For the majority of executives, the daily work grind and life/work balance challenges diminish the prospects of going back to school and plowing through in-depth training.
Over the past two decades, the corporate cursus honorum for IT executives has been the much coveted MBA degree. In a large number of Fortune 500s, having an MBA from a good school was considered a prerequisite for an executive promotion. an MBA attested that an individual possessed all the current business acumen and the polish needed to take on any future corporate responsibility, it was the ultimate professional merit endorsement.
This trend—other than having the end result of a glut of MBAs on the market—has also resulted in a shortage of highly technical managers. Consider some of the wholesale data breaches in some of the largest US retailers for 2014 alone. Check out the biographical backgrounds of some of the CISOs of the impacted companies. Not surprisingly, you will find no shortage of MBAs from top tier schools. What appears to be missing are individuals with vocational specializations in cyber security, and I’m not referring to rank an file CISSPs.
Of course, a common counter argument to this is that as a manager you are not supposed to know the ‘nitty gritty’ details of every technology in your corporate inventory and instead are expected to delegate to and draw on the expertise of others.
I personally don’t think that this is the case. Cyber security is almost entirely a technological and procedural play and as such, a manager should not have gaping holes in his knowledge or overly rely on subordinates to make sense of threats and counter measures. After all, you wouldn’t accept a commercial airline pilot to have gaping holes in his aircraft operations knowledge or his delegation of actual flight responsibility to the cabin crew.
I’ve recently had a chance to witness just how limited classical enterprise defenses have become. This is especially true when it comes to Advanced Persistent Threats. In one incident that eventually became the catalyst for me going back to school, I witnessed how one cyber attacker managed within minutes to defeat all of the traditional enterprise defenses and counter measures without even braking a sweat.
Amazingly, even after the debriefing and root cause analysis, I was no closer to understanding how a properly configured and maintained brand name FW and an IDS/IDPS failed to stop the attack, let alone even detect it.
If you are thinking that this could not happen to you, think again. In the incident that I just described, all target boxes were patched, there were strict access control measures in place, the network was sub-netted, and there were effective audit and password management systems in place.
After recovering from my momentary shock, I had an epiphany and realized that I urgently needed to re-hone my skills. I’ve heard about the SANS Institute from a number of colleagues and after checking it out, I decided to enroll in their Penetration Tester program. After juggling account my schedule and their course availability and selected the following four courses:
- SEC504 Hacker Techniques Exploits & Incident Handling
- SEC560 Network Penetration Testing and Ethical Hacking
- SEC575 Mobile Device Security and Ethical Hacking
- SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses
The SANS courses tuition is on the expensive side, ranging from $6000-$8000 USD. Add travel and accommodations and you are looking at about $10K per class. Each course is delivered in about a week (40-60 hours of classroom activity). Classes are divided into lectures and hands-on labs with heavy emphasis on getting down and dirty.
Though it took me several months to complete the coursework, I have found the whole experience to be uplifting. In addition to getting access to practical, real-world expertise from some of the world’s best penetration testers, we learned the gray art of performing detailed reconnaissance on would-be targets including mining a social media, and infrastructure data from blogs, forums, search engines, social networking sites, and other Internet resources.
In each course, we used the latest cutting-edge attack vectors as well as the traditional low budget techniques that are still quite prevalent. The aim of the course was to push the envelope in each domain and not to merely teach a handful of hacks and tricks. Another great component was exploring various administrative questions such as legal issues associated with responding to computer attacks, employee monitoring, working with law enforcement, and the collection and handling of evidence.
When it came to performing the actual exploit, we got to use the best tools on the market. This included both, COTS components and custom written utilities and scripts. In each class we learned dozens of methods for exploiting target systems and how to gain access to the systems post-exploitation. Just to illustrate the extensive hands-on approach that SANS adapted in teaching Penetrating Testing, here is a list of tools and techniques that we used in just the SEC 504 course:
– RootKits and detection
– Hidden file detection with LADS
– HTTP Reverse Shells using Base64
– InSSIDer for Wireless LAN discovery
– Nmap Port Scanner and Operating System fingerprinting tool
– Nessus Vulnerability Scanner
– Windows Command Line Kung-Fu for extracting Windows data through SMB sessions
– Sniffers, including Tcpdump
– Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
– Netcat for transferring files, creating backdoors, and setting up relays
– Metasploit, Metasploit, Metasploit Lots of Metasploit
– ARP and MAC analysis for ARP cache poisoning attack detection
– Password cracking
– Cross-site scripting and SQL injection web application attacks
– Intercepting and forging session cookies
– Detecting and executing DoS attacks techniques
– Detecting backdoors with Netstat, lsof
– Covert channels using Covert TCP
– clandestine network scanning and mapping
– Exploitation using built in OS commands
– Privilege escalation
– Advanced pivoting techniques
The great thing about the SANS curriculum is that they go pretty far down into the rabbit hole. A few of the classes required hard core coding skills (we actually got to execute some buffer overflows). Other classes were procedural and got down to the wire in terms of the inner functioning of RFC and protocol. For example, in the Wireless Ethical Hacking we had comprehensive coverage of WiFi, cordless telephones, smart devices, embedded home devices, mash technologies like ZigBee and Z-Wave, Bluetooth, DECT, and NFCs.
In the Mobile Device Security we practiced reverse-engineering iOS binaries in Objective-C, reverse-engineering Android binaries in Java and Dalvik Bytecode, evaluating mobile malware threats through source-code analysis, defeating Apple FairPlay encryption for application binary access, and overcoming anti-decompilation techniques.
The participants in the classes came from diverse backgrounds, including three letter agencies, incident handling team members, and administrators. The classes are well-suited for anyone with a good command of TCPIP and networking and they would also greatly benefit architects and technical leads involved in security operations and R&D.
The delivery of the material is completely immersive. You go from 0-90 in one second. Each course is equivalent to a traditional graduate semester course of 4 credits so we had to complete an average of one textbook per day. At times, I felt like I was drinking from a fire hose.
Taking good notes and hitting the books at night helped me stay afloat. It goes without saying that the instructors were outstanding; they offered unlimited tutoring and were always available—even during lunch and after hours—to help answer questions and work through the labs.
Several interesting sessions in each class revolved around learning how to avoid being caught through various tactics and strategies for covering your tracks such as: File and directory camouflage, piggybacking on existing user Internet sessions to avoid detection, event log pruning, and performing memory cleanups.
For me, the best part of each course was the final session called “Capture the Flag”. There, in a culmination of all of the hard work, we got to practice everything we had learned over the previous week. Each class had different parameters for capturing the flag, but they tended to follow the same patterns. We needed to do some reconnaissance, reconstruct the network layout of our target, map our victim’s equipment and software inventory, and then proceed to execute the attacks. Once we breached the target, we would perform some additional exploits and start ‘living off the land”. The overall objective of this exercise was to collect flags that had been placed on various locations on the victims’ network by the instructor. Some of these flags contained encrypted files or messages that we needed to decrypt and use as clues for other attacks, others involved passwords that were being sent over VOIP, in memory session information, or data hidden in binaries.
The capture the flag event usually lasts a full day and ends when one team successfully recovers all flags. At that point, the competition is stopped, the results are verified, and the winners are awarded the coveted challenge coins.
If you are a cyber practitioner, I highly recommend that you take all four courses. Even if you can only afford one, go for it. It will change your prospective on pen testing forever and help you take a proactive role in keeping your company safe and out of the negative limelight.
Performing a good penetration test is much more than just hiring some outside help and rubber stamping an audit. Verifying the integrity of your corporate security, takes more than kicking the tires and lifting the hood these days. Anyone can throw a bunch of attacks against an organization and regurgitate the output of some automated tools in hundreds of pages of reports. Participating in this structured training will help you avoid this trap and allow you to fully grasp your company’s real security needs so that you can formulate the most appropriate plan of action to address these needs in the most cost effective and timely manner.
Going through the meat grinder, you get to witness first hand the process of hot dog making. It’s not a pretty sight, but its an informative one. One of my most profound takeaways from this whole experience was answering the existential question of the spoon. Yes, the spoon does exist, but only for the end-user, sysadmin, DBA, and auditors. There is no spoon if you are a proficient attacker. With the right attack strategy and tools, concepts such as access control, event log integrity, and passwords are meaningless and are but chaff before the wind.
I keep my hard earned challenge coins on my office bookshelf as a reminder that there is likely someone out there right now who is targeting my network through some kind a a clever attack. He has all the right tools and resources and he is as determined and hard working as I was to get his coins.
And as far as my earlier MBA comment is concerned, if you are curious to know just how many executives attended the classes that I did, the answer is just one. None of the 20-40 participants in each classes had senior managerial responsibility. In fact most of the folks I spoke to were surprised that a CTO would take time from his schedule and opt to get his hands dirty instead of just delegating this to one of his directs.
After all, ‘Isn’t that what a manager is supposed to do?’
© Copyright 2015 Yaacov Apelbaum All Rights Reserved.