Breaking into Offensive Security

There’s been a lot of talk around this topic lately. As I’ve been working to solidify my team’s bond, I also have the challenge of helping those interested in getting involved in the offensive security world. This quest has helped me identify some things you might consider when trying to break into offensive security.

Things to consider

Have a well rounded knowledge of “advanced fundamentals”

Sorting out basic permission issues or knowing the general functionality of the major operating systems is not, by itself, offensive security. Understanding the intricacies of those operating systems and troubleshooting problems on the fly is. Operators encounter countless complications in the field, and rarely are they basic.

Those considering a career in offensive security should have a solid understanding of a wide range of technical topics. A successful attacker doesn’t necessarily know all the answers, but definitely takes the time to learn as much about the fundamentals of a target as possible.

Find your niche

It’s important to know a little bit about everything, but it’s equally important to find a specialty. Offensive security teams are often built around the strengths of the members. Members are often selected when engagements arise that require additional skills being added to the bench. Depending on the service offering of the team(s) you’re involved with, bringing relevant expertise to the table is important.

My personal passions lie in social engineering and physical security. Other members of my team are stronger in other areas than I. In the field, whether operating alone or as a unit, we rely on each other for help. Knowing the strengths and weaknesses of the membership, proper preparation, and thorough documentation all allow the team to tailor to the engagement.

Know how to think, research, and study

An offensive security operator doesn’t know everything about all the things. Successful operators know how to profile and research a target and study the engagement in preparation. Additionally, they’re also able to think their way through unforeseen circumstances and overcome adversity in the field.

No matter how accurate the profile, no matter how much intelligence has been gathered in preparation, problems and unexpected situations are inevitable in the field. Operators must be prepared for everything and still be able to think their way through the myriad of things that can go wrong.

Be hungry for knowledge

You have to want to learn. Everyone wants to be a hacker, to be Neo, but not everyone wants to put in the work to bend the spoon. Someone wiser than I once said it takes 10,000 hours to become an expert at something. If you’re only learning during the 8-5, that’s roughly a 5 year path.

Don’t get lazy. Complacency is one of the biggest challenges to offensive security operators. They end up thinking they know it all and stop chasing the dragon, or they burn out along the journey. All too often, offensive security operators fall prey to the latter, but the former is just as dangerous.

Have a strong work ethic

Offensive security teams typically operate based upon the needs of the engagement. If that means working late nights, early mornings, or weekends, then we work when there is work to be done. As a team, members need to be available whenever the engagement requires. It’s important that operators are prepared to be dedicated to the team.

This isn’t as bad as it sounds. Learning the work/life balance, and learning how to work remotely, come with the territory. My team is expected to be available when it matters, but they’ve also mastered the art of global availability. Whether it means fielding social engineering calls from the beach or conducting a vulnerability assessment from the audience of a school play, successful operators manage the demand of the workload while still trying to maintain a life.

Fourth quarter is the exception to this point. During fourth quarter, offensive security operators should expect to be running full bore with little room to breathe. The cyclical nature of fiscal business means that this is inevitable.

Be flexible

Field Marshal Helmuth Karl Bernhard Graf von Moltke once said “no plan of operations extends with any certainty beyond the first contact with the main hostile force.” Nowhere is that more true than in the field of offensive security. Neither scope nor plan nor backup plan nor change order can account for the infinite number and combination of things that can go wrong in the field.

Offensive security operators need to accept this and be able to adapt, and overcome, in the field. While process and procedure are important in business, flexibility during an engagement is vital to operational success. The objective is what matters; the means do not, as long as they stay within the rules of engagement.

Take notes

At the end of the day, offensive security is still a business. We must be able to prove what we do (and don’t do), and we have to turn all the raw data into actionable information that the client can use afterward. Successful operators live, and die, by their documentation. Not only for self reference, but so that the team can pick up notes from other members and run with an engagement, if necessary.

Documenting the engagement as it happens, especially when milestones or objectives are met, is vital to keeping an accurate record of what happened. The more data that gets collected during the engagement, the more detailed and accurate the reporting and debriefing will be. However you decide to do it, take good notes.

Don’t be afraid to make mistakes

Offensive security is a kludge of computer science, performance art, and voodoo. Much of the information exists in available documentation but there is much more to be written. And even when we think we’ve covered it all, there will still be niches and nuances and caveats that can’t be accounted for.

Be willing to take calculated, educated risks in the field. Realizing the objectives are what matter, operators need to be willing and able to take some creative freedoms in the field. This also means facing the consequences of those actions.

Own your attitude

In one of my favorite movies, Training Day, Jake Hoyt (Ethan Hawke) talks about how you can only control your smiles and cries. In the field, attitude and response to adversity are two of the very few things an offensive security operator can control. It’s important to maintain this control and to remember that clients are looking to us as experts. If they see us responding poorly or carrying the dead weight of negativity, it will most certainly affect their overall experience.

Don’t let the little things get to you. Realize that we live in imperfect chaos and the chances of anything going exactly the way we want are slim, bordering on nonexistent. The successful offensive security operator maintains composure in the face of frustrating circumstances. The information security community is small and professional reputation is fragile. If the time comes that you’re struggling to stay positive, keep your head held high and remember how hard you worked to get where you are.

Don’t forget the soft skills

I work with computers because I really don’t like people. At the same time, it’s important that an offensive security operator be able to interact with people effectively when deployed on an engagement. At the end of the day, the client is expecting a positive experience. The more pleasant a team makes it, and presuming quality work is submitted, the more likely they are to come back for repeat business.

The offensive security operator is burdened with the responsibility of taking a mass of data, and an often unpleasant message, to a client in a manner which they understand and can relate to. This translation process, in my opinion at least, is one of the single most important components of a successful engagement. Without making the data actionable for the client, the value in the service is diminished.

Advice from a perpetual noob

The sad truth is that not everyone is cut out to do every job. While I will always advocate for everyone having an opportunity to try out for their dream job, it’s an indisputable fact that not everyone makes the cut to play in the NFL or to act in a Hollywood film. You have to be more than just “computer literate” to make the cut on an offensive security team. If you’re not striving for absolute excellence, you’ll be swimming in an endless stream of mediocrity. I believe anyone reading this has the ability to reach the goal of becoming an offensive security operator. Having the drive, however, is a different story.

In my final thought, I want to stress that there is more to being an offensive security operator than just breaking things. In the field we are regularly placed in delicate environments with exposure to sensitive data. Morals and ethics are values of paramount importance to the offensive security operator. Degradation of these values may lead to loss of freedom in extreme cases, but it will most certainly result in damage to the professional image of an operator. Reputation takes years to build but only moments to damage, and repair is long and tedious.

For those of you working to break into offensive security, I hope these tidbits offer you a little insight into my perspective into the consulting world. As a team leader and mentor, I wish you the best along your journey. As a fellow hacker, I look forward to learning with you!

New Year, New Vulnerabilities

Well, we got to ring in the new year with some major excitement, haven’t we? 2018 has met us with a nasty 1-2 punch combination, no doubt! First, the exposure of a vulnerability that affects millions of GPS tracking devices. Security researchers were able to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geofencing alarms. All of this was said to be possible with no authentication needed.

This was immediately followed by the Meltdown and Spectre vulnerabilities, which affect essentially every modern computing device: mobile phones, tablets, laptops, desktops, and servers. These flaws do expose us to some pretty significant risk. But the world is not, in fact, over. Not yet at least.

The RedLegg team has been fielding calls from clients, friends, and family about these vulnerabilities that have been drawing a lot of attention this week. There is significant implication as to the damage that could result from successful exploit of these issues, but we wanted to present some additional facts for consideration. Here’s what we know:

Meltdown

This vulnerability allows an unprivileged application to read memory it should never be able to see, including memory allocated to the kernel (and, through the kernel’s mappings, the memory of other processes). Patches are being, and in some cases have been, rolled out and should be applied as soon as possible; the operating-system fix is kernel page-table isolation (KPTI on Linux), which carries a performance cost on syscall-heavy workloads. So far, research indicates that Intel chips are affected; ARM has reported that one of its newer cores is affected as well, and AMD states that its processors are not.

Spectre

This vulnerability allows an application to trick another application (or the kernel) into speculatively accessing arbitrary portions of that victim’s memory, after which the data can be recovered through a cache-timing side channel. It affects nearly every modern CPU that performs speculative execution, not only x86: according to leading research, Intel, AMD, and ARM chips are all impacted. Fully mitigating it may require changes to processor architecture, and due to the development life-cycle of processor manufacturers, this issue will likely be around for a very long time. In the meantime, software mitigations (microcode updates, compiler changes such as retpoline, and patched browsers) reduce the exposure.

Exploitation is possible. Security researchers produced and released proof-of-concept exploit code within roughly a day, and there is no reason to believe that the bad guys won’t be working feverishly to weaponize these and deploy them for nefarious means. That said, while there definitely is significant risk associated with these vulnerabilities, there is as yet no proof, or reason to believe, that weaponized exploit code is in use in “the wild”.

Consider taking an inventory of all your systems by processor type, be sure to apply vendor patches as they become available, and track the progress of the updates as they’re released.

  • Microsoft issued an out-of-band patch for Windows 10 on January 3, while other supported versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018. Note that the January updates are only offered to systems whose antivirus product has set Microsoft’s compatibility registry key (some antivirus drivers crashed on the patched kernel), so if a machine is not picking up the update, check with your AV vendor first. Microsoft also published a PowerShell module, SpeculationControl, whose Get-SpeculationControlSettings cmdlet reports whether the OS and microcode mitigations are active on a host.
  • macOS 10.13.2 already mitigates some of the disclosed vulnerabilities, and macOS 10.13.3 will enhance or complete these mitigations.
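For Linux hosts, the inventory and tracking step above can be scripted. The following is an added example, not code from the original post or from RedLegg: it pulls vendor and model from /proc/cpuinfo, reads the kernel’s own verdict from the files under /sys/devices/system/cpu/vulnerabilities/ where the kernel is new enough to provide them (4.15 or a distribution backport), and reports which issues are still open. The vendor-to-exposure mapping simply mirrors the summary above and is illustrative; the sample cpuinfo text is constructed.

```python
"""Inventory a Linux host's CPU and report its Meltdown/Spectre mitigation state.

Added example, not code from the original post. Reads /proc/cpuinfo for the
vendor/model inventory and, where the kernel exposes them (4.15+ or a
distribution backport), the files under /sys/devices/system/cpu/vulnerabilities/
for the kernel's own verdict. The sample cpuinfo text below is constructed.
"""
import os

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
VULN_FILES = ("meltdown", "spectre_v1", "spectre_v2")

# Exposure by vendor as summarised in the post: Meltdown shown on Intel,
# Spectre on Intel, AMD and ARM. Illustrative mapping, not an authoritative list.
MELTDOWN_VENDORS = {"GenuineIntel"}
SPECTRE_VENDORS = {"GenuineIntel", "AuthenticAMD", "ARM"}

# x86 cpuinfo flags that only appear once the vendor microcode update is
# loaded *and* the running kernel knows how to use it.
MICROCODE_FLAGS = {"spec_ctrl", "ibpb", "ibrs", "stibp"}


def parse_cpuinfo(text):
    """Return vendor, model, flags and kernel-reported bugs for the first CPU block."""
    info = {"vendor": "", "model": "", "flags": set(), "bugs": set()}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the first processor's block
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vendor_id":
            info["vendor"] = value
        elif key == "model name":
            info["model"] = value
        elif key == "flags":
            info["flags"] = set(value.split())
        elif key == "bugs":
            info["bugs"] = set(value.split())
        elif key == "CPU implementer":
            # ARM cpuinfo carries no vendor_id; implementer 0x41 is ARM Ltd.
            info["vendor"] = "ARM" if value.lower() == "0x41" else value
    return info


def read_sysfs_status(vuln_dir=SYSFS_VULN_DIR):
    """Read the kernel's verdict per issue; empty dict on kernels without the interface."""
    status = {}
    if not os.path.isdir(vuln_dir):
        return status
    for name in VULN_FILES:
        path = os.path.join(vuln_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                status[name] = fh.read().strip()
    return status


def is_mitigated(verdict):
    """'Not affected' and 'Mitigation: ...' pass; anything starting 'Vulnerable' fails."""
    return verdict.startswith(("Not affected", "Mitigation:"))


def summarize(cpuinfo_text, sysfs_status):
    """Combine the vendor-based expectation with what the kernel itself reports."""
    info = parse_cpuinfo(cpuinfo_text)
    vendor = info["vendor"]
    expected = {
        "meltdown": vendor in MELTDOWN_VENDORS,
        "spectre": vendor in SPECTRE_VENDORS,
    }
    unpatched = sorted(n for n, v in sysfs_status.items() if not is_mitigated(v))
    return {
        "vendor": vendor,
        "model": info["model"],
        "expected_exposure": expected,
        "microcode_flags": sorted(info["flags"] & MICROCODE_FLAGS),
        "kernel_bugs": sorted(info["bugs"]),
        "kernel_reports": bool(sysfs_status),
        "unpatched": unpatched,
    }


# Constructed sample: a Skylake desktop on a kernel that has KPTI ("pti" flag)
# but no microcode-backed Spectre v2 mitigation yet.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc pti
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2

processor\t: 1
vendor_id\t: GenuineIntel
"""

if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        live = summarize(fh.read(), read_sysfs_status())
    for key, value in live.items():
        print(f"{key}: {value}")
```

A “Vulnerable” verdict for spectre_v2 together with an empty microcode_flags list is the typical state of a host that has the kernel update but has not yet received the vendor microcode. On older kernels kernel_reports comes back False, and the bugs line plus the vendor mapping are all you have to go on.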

For anyone using Qualys Vulnerability Management, Qualys will continue to release QIDs for any vendor patches that mitigate these vulnerabilities. A list of currently released QIDs is being maintained in the Qualys Support article on the topic.

It’s an increasingly interesting time to be in the world of security, and an increasingly dangerous time to fall victim. Take the time to read the information that’s out there on these issues; there is a lot of it, but be sure to understand what you’re reading. Proof-of-concept exploits for these issues continue to surface, and with each release the potential for a weaponized exploit increases. Considering the number of devices impacted here, we really need to be watching the horizon as the research develops.

Happy New Year. Stay safe out there!


My New Year’s Resolution

How did we get here?

As I was enjoying the Christmas holiday with family, a revelation washed over me. My affinity for technology, once a healthy hobby, had devolved into a sick dependency and an addiction. This experience sparked some intense reflection into how I used to love getting my hands on the keyboard and getting online but now the internet is ubiquitous and ingrained into pretty much every aspect of my life. The joy had faded into an expectation and now, when I’m not connected, I find myself wondering what’s happening. I had to acknowledge that I’d fallen prey to FOMO.

I started to become more conscious of this over the days since and I started to see how much time I’d spent on some digital device looking at social media. But it was worse. After spending all day with my face in a screen, rather than have conversations over a meal I would thumb through Facebook and continue to evade the human connection. I started to look back on how many times someone would post something on Facebook or @ me on Twitter when we were in the same room.

How does it happen?

The root of the problem is that we are all, at our core, drug addicts. You may not drink. You may not smoke. You may avoid caffeine. But you’re human and therefore you’re an addict. There are some really great articles which explain this in deeper detail than I’ll cover here, but the fact is that we are all driven to seek satisfaction. With the internet, Twitter, and texting we now have almost instant gratification of this desire to seek. We no longer have to leave a message on someone’s answering machine, wait for them to get home to listen to the message, and wait for a return call. Now you can just shoot a quick text. This increased level of instant gratification can create a dopamine-induced loop. The dopamine starts you seeking, which leads to rewarding satisfaction, which sets you on another search. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.

Taking action

Well, now that I’ve realized how big this dependency has become, I have to do something about it. And being on an endless quest for knowledge and growth, I’ve devised a plan to not only break me from my obsession, but to use the opportunity to level up my skills in psychology and situational awareness.

Cutting the cord

The first step in my plan is to delete the social media applications from my phone. Not only will this help my aim of breaking the compulsion to be connected, it also means fewer distractions from the associated notifications and increased battery life on my smartphone. When I saw this tweet on the topic, I knew I was on the path to doing something right.

Filling the silence

As I’ve been mentally preparing myself for this endeavor, one that I admittedly expect to be quite challenging, I started forcing myself to slowly stop using the phone. When I become conscious that I’m surfing social media, I force myself to put the phone away and reinsert myself into real life. This has helped me to realize how I was getting the added benefit of escaping what was in front of me. Faced with this increased opportunity to engage people I have been enjoying more conversations where there used to be nothing but silence.

And hacking…

As with all things, one only takes from an experience what they put in. While this New Year’s resolution will certainly allow me to get closer with my friends and family, there is also a more nefarious method to my madness. In my continuing quest to improve my social engineering techniques, I intend to increase my use of various tactics during these random encounters with strangers. While these skills might be used for evil, my intent will be more to exercise my conversational techniques so that I might apply them in the field during penetration testing.

Using conversational signals, and techniques like projection, I’ll be working to learn more about how to profile people during random engagements, how to read them on the fly, and how to find the combination of conversational tactics that bring them to a place where I can extract a piece of data.

Conclusion

Today, I delete these apps from my phone. I’ll only be using social media from my laptop, when I’m online and connected. With every day that passes, I feel more and more like I’m living in the society prophesied in the movie Idiocracy. People are simultaneously becoming harder to deal with and less smart, and social media on demand only makes it worse. My intention is to learn more about people, learn more about myself, and generally become more present in the moments I have the privilege of experiencing as I navigate the choppy sea of life. Here’s to growth and adventure in 2018!

Profiling a WordPress Attack

Hacking the Hackers

Welcome back to those of you playing along at home. This site has been down for a considerable amount of time, but I’m back! And I bring with me tales from the battlefield. Let’s talk a little about WordPress and security, shall we?

A WordPress honeypot

Some time ago, while doing maintenance on the site, I identified an opportunity for a research project. I decided it would be fun to turn the WordPress installation into a honeypot, collect some threat intelligence, and delve once again into the current state of WordPress security. So I disabled the security controls, stopped updating the software, and sat back to watch the world burn.

It didn’t take long before I started seeing scans pour in. Within a matter of days I had captured some malware and begun to catalog the attack patterns of WordPress attackers. It’s fascinating to see the evolution of PHP malware as it relates to WordPress specifically. I spent some time doing extensive research into the breach, analyzing the attack patterns, and even tracing the honey data that was posted in various parts of the internet. I’ll be writing that up as a blog series later in the year to show you how it all played out, but for now I’m getting things back online and ready to roll it out, so here we go!
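One concrete way to catalog the scans described above is to classify requests straight from the web server’s access log. This is an added example, not code from the original post or from the honeypot itself; the signatures are common WordPress probe patterns (login and XML-RPC brute force, author enumeration, plugin path scans, PHP files under uploads/, config backup guesses) and are illustrative rather than exhaustive. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Classify WordPress probes found in a combined-format (Apache/nginx) access log.

Added example, not code from the original post. The signatures are common
WordPress attack patterns and are illustrative, not exhaustive; the sample
log lines are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# (label, path pattern, methods that count; None = any method).
# Order matters: the first match wins.
SIGNATURES = [
    ("login_bruteforce", re.compile(r"^/wp-login\.php"), {"POST"}),
    ("xmlrpc_abuse", re.compile(r"^/xmlrpc\.php"), {"POST"}),
    ("user_enum", re.compile(r"^/\?author=\d+|^/wp-json/wp/v2/users"), None),
    ("plugin_probe", re.compile(r"^/wp-content/plugins/[^/]+/"), {"GET", "HEAD"}),
    ("upload_dir_php", re.compile(r"^/wp-content/uploads/.*\.php"), None),
    ("config_backup", re.compile(r"^/wp-config\.php[.~]"), None),
    ("readme_fingerprint", re.compile(r"^/readme\.html$"), None),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the first matching signature label for a parsed entry, or None."""
    for label, pattern, methods in SIGNATURES:
        if pattern.search(entry["path"]) and (methods is None or entry["method"] in methods):
            return label
    return None


def profile(lines, login_threshold=3):
    """Aggregate signature hits per source IP and flag the findings worth acting on."""
    per_ip = defaultdict(Counter)
    totals = Counter()
    webshell_hits = []
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        label = classify(entry)
        if label is None:
            continue  # ordinary traffic
        per_ip[entry["ip"]][label] += 1
        totals[label] += 1
        # A PHP file under uploads/ that answers 200 has already been planted;
        # a 404 on the same path is just a scanner guessing.
        if label == "upload_dir_php" and entry["status"] == 200:
            webshell_hits.append((entry["ip"], entry["path"]))
    brute_forcers = sorted(
        ip for ip, counts in per_ip.items() if counts["login_bruteforce"] >= login_threshold
    )
    return {
        "totals": totals,
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
        "brute_forcers": brute_forcers,
        "webshell_hits": webshell_hits,
        "unparsed": unparsed,
    }


# Constructed sample log (documentation addresses, fictional paths).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2018:10:01:12 +0000] "GET /readme.html HTTP/1.1" 200 7278 "-" "Mozilla/5.0 (compatible)"
203.0.113.7 - - [05/Jan/2018:10:01:13 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible)"
203.0.113.7 - - [05/Jan/2018:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3810 "-" "Mozilla/5.0 (compatible)"
203.0.113.7 - - [05/Jan/2018:10:01:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3810 "-" "Mozilla/5.0 (compatible)"
203.0.113.7 - - [05/Jan/2018:10:01:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3810 "-" "Mozilla/5.0 (compatible)"
203.0.113.7 - - [05/Jan/2018:10:01:18 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible)"
198.51.100.23 - - [05/Jan/2018:10:07:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.18.4"
198.51.100.23 - - [05/Jan/2018:10:07:42 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.18.4"
192.0.2.44 - - [05/Jan/2018:11:30:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "curl/7.55.1"
192.0.2.44 - - [05/Jan/2018:11:30:05 +0000] "GET /wp-content/uploads/2017/12/shell.php?cmd=id HTTP/1.1" 200 56 "-" "curl/7.55.1"
192.0.2.10 - - [05/Jan/2018:11:45:00 +0000] "GET /2017/12/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Macintosh)"
garbage line that does not parse
"""

if __name__ == "__main__":
    result = profile(SAMPLE_LOG.splitlines())
    for label, n in result["totals"].most_common():
        print(f"{label:20s} {n}")
    print("brute forcers:", result["brute_forcers"])
    print("webshell hits:", result["webshell_hits"])
```

The upload_dir_php hit that answers 200 is the finding to chase first: a PHP file executing from wp-content/uploads/ means the upload already succeeded, while the same path returning 404 is only a scanner guessing. The unparsed count is worth watching too; a sudden rise usually means the log format changed, not that the attackers stopped.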

So welcome back and thanks for joining me for the next chapter of the adventure! I’ll be repopulating the database in the near future to re-establish a lot of the old content, and going forward if there is content you like please say so and I will mark it for salvation in case this happens again. As always, if you have questions or if there is some content you’d like to see covered here, don’t hesitate to contact me! I’m always happy to engage others and to push myself to produce desired content. I appreciate you for taking the time to visit and hope to see you around the internet.

Grand Re-Opening