July 17, 2012

For this fourth installment of advice columns aimed at people who are interested in learning more about security as a craft or profession, I reached out to Richard Bejtlich, a prominent security blogger who last year moved from a job as director of incident response at General Electric to chief security officer at security forensics firm Mandiant.

Bejtlich responded with a practical how-to for a security novice looking to try on both attacker and defender hats. Without further ado…

Bejtlich: Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.

Rather than try to devise a thorough curriculum that provides balanced coverage of the dozen or more distinct disciplines that one might call “digital security,” this article covers one aspect: magic. More specifically, this advice strives to dispel the notion that digital security is a realm where only magicians can perform superhuman feats involving computers and data. Rather, the point is to provide a way for beginners to get a feel for convincing a computer to take actions probably not expected by its original programmers. For those with a more technical inclination, the article provides a means to watch what is happening at the network level.

Many mainstream press pieces about digital security include the terms “cyberwar” or “cyber weapons.” Cyber weapons sound as though they can penetrate thirty feet of concrete and eliminate targets with precision unmatched by kinetic weapons. In some ways they can, but not because they possess magical properties. The cyber weapon chosen for this article is Metasploit, called a cyber weapon by none other than its creator, HD Moore.

For those with some technical inclination and an interest in trying a cyber weapon hands-on, I recommend visiting the Rapid7 How to set up a penetration testing lab site. Follow the instructions to download and try Metasploit, possibly extending the experience through Offensive Security’s “Metasploit Unleashed” online class. The easiest way to deploy Metasploit is to start with a prepared distribution like BackTrack Linux and launch exploits against a distribution designed to be vulnerable like Metasploitable.

By using Metasploit to take over vulnerable services on a computer, the user will learn that using cyber weapons is often a question of patience, judgment, planning, and operational tradecraft. Besides being a motivational exercise, the user will likely learn that humans are the most interesting element of digital security, not mindless malware or other malicious code.

To add an element of Network Security Monitoring (NSM) to the experience, deploy three separate laptops or PCs connected to a dumb 10 Mbps hub, such as a NetGear EN104TP hub. The first platform runs Metasploit via BackTrack Linux. The second platform runs Metasploitable. The third platform runs a NSM distribution called Security Onion, created by Mandiant’s Doug Burks.

Now, when launching attacks from Metasploit against the Metasploitable targets, the Security Onion NSM platform will see the traffic and potentially alert the user to the activity. Alternatively, evidence of the attacks and follow-on exploitation activity will be logged for deeper manual analysis. In any event, seeing the same activity from the perspective of an attacker and defender is highly motivational and educational. That is the reason I chose a similar approach for my own TCP/IP Weapons School 3.0 class.

For a novice, this experience is enough to dispel the magic that “cyber weapons” are silver bullets. In the end, it’s all software that depends on the creativity and discipline of developers, operators, and defenders to make a difference.

10 thoughts on “How to Break Into Security, Bejtlich Edition

  1. bruce

    Is $2600 for 2 days the going rate for security training these days? That is the cost for the TCP/IP Weapons School 3.0 class being offered by Richard Bejtlich.

    By comparison Practicing Law Institute in NYC is only charging:

    $1,595 for their 2 day Advanced Patent Prosecution Workshop

    $ 1,695 for their 2 day Basics of International Taxation Workshop
    $ 1,695 for their 2 day Understanding the Security Laws Workshop

  2. Dan Herrmann

    I thought Richard’s comments were right on the money, especially his first paragraph. Information Security is a very broad field, and you can spend years in this business without concentrating on application security. Areas like incident response, disaster recovery, education, and information risk management are all areas that a new security practioner can explore successfully.

    One of the great things about information security is the dynamic nature of the profession. Of course, that dynamic nature brings with it the need to constantly re-educate yourself to keep on top of evolving threats and the ever-changing regulatory environment.

  3. Paul Masson

    This is a great description of how to wet the appetite of a novice security professional.
    I would also suggest the entry level Security+ cert from CompTIA. We also provide some open source security tools on our site as well.

  4. Daniel Downs

    “…humans are the most interesting element of digital security, not mindless malware or other malicious code.”

    I’m curious what exactly was meant by the comment above. I’m interested in malware and malicious code, as it seems to take some strategy to devise and distribute effectively. I wouldn’t call it mindless, rather less evolved in comparison to humans.

    Also, the step by step path to building a testing lab was well received. Looks like fun, thanks!

  5. Richard Steven Hack

    I agree that the description of a method for installing and using security tools to get real hands-on experience in how hackers use their tools is a good one.

    Another valuable resource are the many videos and slides of talks at the various security conferences – especially anything by Joe McCray, Jason Street and some others who demonstrate how current IT defenses are REALLY inadequate.

    Forget certifications – unless you’re angling to get through HR at a company – but don’t forget the information necessary to get a certification. But expand on that with the sort of tools Bejtlich recommends and build on the experience of the many highly experienced people in the infoseec field.

    But you’re going to need even more than that – you’ll need to know WHAT “security” is – and why it’s not possible – and what that means to infosec as a profession. Because that basic fact should inform every infosec decision made – whether you’re on the “white hat” side OR the “black hat” side.

    It goes way beyond the common lip service paid to “Yeah, we know no corporation is 100% secure…”

  6. Yuri

    Well, with all due respect I expected more from such prominent figure in security blogsphere .
    And by more I mean both in volume and quality .
    Thumbs down.

  7. Ryker E.

    I disagree. I’m no supreme expert on the subject, but I’m unsure how firing up MSF in a lab environment is going to break anyone into the security field.

    IMO the correct answer be spend countless hours on free online resources reading and learning (securitytube.com, /r/netsec, etc), reading relevant books (1597496553. WAHHv2, owasp testing guide, CISSP study guide for good overview of different security areas), attend as many local infosec meetups as you can (DefCon groups, ISSA, OWASP, etc.) , go to as many conferences as you can (Derbycon, defcon/blackhat, BSides, etc), try getting your feet wet performing cross functional duties at work, consider cert training courses to meet people in the industry and learn new skills? Throughout this process consider setting up a VM lab and work through what you find during the other activities. Consider buying into technet for access to standard enterprise software for testing.

    Overall one of the most important recommendations to consider is researching the many flavors of security roles, find the one that interests you, and target your knowledge to it.

    1. DeBuG

      Very well put, Ryker E.

      I would like to add network with others. You mentioned attending conferences like Defcon, Derbycon, and local meetups. But also make an effort to reach out to people. As computer folk, it is easy to be an introvert. The thing I like about these types of events is that most of the people there are like mineded and love talking about security. Its really an awesome feeling to feed off someone else’s enthusiasm.

      Also “get out of your comfort zone”. Whether it is helping someone with a security project or giving a talk at a local meetup, jumping in and getting some hands on is the best way to learn. Earlier this year I had the opportunity to teach my first college class. It was one night a week and was related to network security. Because I had never formally taught a college class, I was hesitant to accept the job. However, stepping out and doing this led to me really getting a deeper knowledge of the subject matter and rekindled my passion for learning.

  8. Mark

    I lost all repsect for the author and article when I read the plug for his training that he gives. Training that sounds like it could go nicely for someone that has just played with Metasploit…

  9. James

    This edition of the Breaking into Security isn’t worthy of posting on your site Mr. Krebs. I’ve lost a lot of respect for Mr. Bejtlich. As other posters have noted, this posting lacks not only in volume but in substance and ends up being just a cheap promo for his overpriced training. I suggest you archive this one, perhaps on Mr. Bejtlich’s site and stay with the quality content which keeps me coming back to your site.

Comments are closed.