Wednesday, December 20, 2017

Transitioning from Blue Team to Red Team

I moved from Desktop Supervisor to Network Security in 2000. I did Blue Team for two companies from 2000 until early this year. At that point I was given an opportunity to move to Red Team as the company's in-house penetration tester. Starting in a new discipline in Network Security is a daunting task after spending so many years in another area, but a couple of things already were in my favor. I had taken two Red Team oriented SANS courses and certified in both and I had been doing deep dive intrusion analysis for all those years. I was exposed to a lot of methodologies and exploits.

But defending isn't attacking, and the learning curve was (is) still very wide. Fortunately, there are shared areas of knowledge between being an intrusion analyst and a pen tester. If you're just breaking into network security, those areas will serve you well regardless of what direction you go (or change to in the future).

1. Linux

Linux is the operating system of choice for the majority of tools for both pen testing and intrusion analysis. There are some exceptions, tools you can only run on Windows, but that's a very small subset. The more Linux you learn, the better prepared you'll be to use whichever tool is the correct one for any given situation. Fortunately, there's more free (and excellent) self-training on Linux than on any other subject I know of. You don't need to spend thousands of dollars taking training courses or get a Linux certification; there are hundreds of sites that will teach you step by step. Of course, if you're fortunate enough to work for a company that wants you to do Red Hat or Linux Foundation training and will pay for it, by all means do so. Certifications will help you both move up in your current position and, if you should need to or choose to, find a new position. Red Hat is the most well-known name, and bigger companies will be running it because of their excellent support, but there are other good courses and certs you can obtain. But by all means, spin up a Linux machine, get in it and learn. The more you learn, the better off you'll be.

2. Scripting

You don't need to be a programmer to do either job, but learning some scripting skills will really help you. Whether it's Bash or a language like Python or Ruby or Perl, being able to create a script to do repetitive tasks is an immense time saver. Another advantage is that if the tool you need to use is written in a shell or a language you understand, you can open it and follow the logic to see what it does, or even modify it, tweak and customize it, to suit your unique purpose. Python is extremely popular right now so a lot of the tools being released are written in it. And it's one of the easiest languages to learn. And, like Linux, there are a lot of free resources to learn Python.

3. Networking

Learning about networking is essential, whether you're running exploits or investigating an attack. Without a basic knowledge of how networks work and the components that comprise them, you'll be confused and lost in a short amount of time. You don't have to be a packet jockey to do intrusion analysis (the vast majority of attacks have switched from server side to client side anyway), but you will need to be able to follow the flow of traffic and understand the protocols in use to get a clear picture of the attack and whether it was successful or not. From a pentester's vantage point, you need to understand the network you're attacking to find the correct target and use the correct tool, and to be able to understand the responses your attack receives. If it's unsuccessful, you need to be able to determine why and what to change. The more you understand, and it's a vast and complex field, the better off you'll be.

Finally, whatever direction you go in, invest in your own learning. The hardest part of doing that is giving up your free time. You're not going to be able to learn everything you need to know while at your job or in a week's worth of training once a year. If you want to advance, you'll need to sacrifice some of your own free time to study and learn. If it's something you naturally enjoy learning about, it won't be too big a burden. If you absolutely hate studying the subject matter, maybe it's time to step back and reassess whether this is really what you want to do for the rest of your life.

Good luck in your career, and Merry Christmas and have a Blessed New Year.


Monday, December 11, 2017

Making a simple network traffic graph with tshark and afterglow

Converting a pcap file to CSV format for use with afterglow.pl and neato (Graphviz) to create a graph.
To make a simple source and destination graph:
First make the capture file using tcpdump (replace <interface> with the interface you want to capture on, e.g. eth0)
tcpdump -nn -i <interface> -q -w capture.pcap
Then use tshark to extract the source and destination IP address and output to a comma-separated file
tshark -T fields -nn -r capture.pcap -E separator=, -e ip.src -e ip.dst > output.txt
Sort and remove duplicates
cat output.txt | sort | uniq > output.csv
or just sort to see all connections
cat output.txt | sort > output.csv
Edit the file to remove any lines with incorrect data (for example, a line containing only a comma, which tshark emits for frames that have no IP header)
Process the file through afterglow to format in dot graph format that Graphviz can use
cat output.csv | afterglow/afterglow.pl -t > output.dot
Create your graph in .png format
cat output.dot | neato -Tpng > output.png
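The "edit the file by hand" step above is the one that does not scale, and it is also the step where afterglow does the real work of turning an edge list into DOT. The script below is an added example, not part of the original post or of the afterglow project: it reads the `ip.src,ip.dst` output that tshark produces, drops the malformed lines (separator-only lines from non-IP frames, blank lines, anything that is not a valid address), counts duplicate flows instead of discarding them, and writes a DOT digraph that can be piped straight into `neato -Tpng`. The sample input is constructed inline using documentation address ranges so it runs offline.

```python
"""Clean tshark 'ip.src,ip.dst' CSV output and emit a DOT digraph for neato.

Added example. Assumes the input was produced by
  tshark -T fields -n -r capture.pcap -E separator=, -e ip.src -e ip.dst
and stands in for the afterglow.pl step of the post.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample of tshark output. It deliberately contains the problem
# lines the post tells you to edit out by hand: a separator-only line from a
# frame with no IP header, a blank line, a non-address line, and a duplicate
# flow. Addresses are from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_TSHARK_OUTPUT = """\
192.0.2.5,203.0.113.10
192.0.2.5,203.0.113.10
,
192.0.2.7,192.0.2.1

192.0.2.1,192.0.2.7
garbage,line
192.0.2.5,2001:db8::1
"""


def parse_edges(text):
    """Return (Counter of (src, dst) -> packet count, list of rejected raw lines).

    A line is accepted only if it has exactly two fields and both parse as an
    IPv4 or IPv6 address; everything else is kept in `rejected` so the analyst
    can see what was dropped rather than silently losing it.
    """
    edges = Counter()
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank line, nothing to report
        parts = line.split(",")
        if len(parts) != 2:
            rejected.append(raw)
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            # Covers the separator-only "," line (empty fields) and junk text.
            rejected.append(raw)
            continue
        edges[(str(src), str(dst))] += 1
    return edges, rejected


def to_dot(edges, weighted=False):
    """Render the edge Counter as a DOT digraph that neato can lay out.

    With weighted=True the packet count per flow becomes the edge label, which
    is information the sort|uniq pipeline in the post throws away.
    """
    lines = [
        "digraph traffic {",
        "  overlap=false;",
        "  node [shape=ellipse, fontsize=10];",
    ]
    for (src, dst), count in sorted(edges.items()):
        attr = f' [label="{count}"]' if weighted else ""
        lines.append(f'  "{src}" -> "{dst}"{attr};')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 this_script.py < output.txt | neato -Tpng > output.png
    # With no stdin redirect it falls back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    flows, bad = parse_edges(data)
    for line in bad:
        print(f"rejected: {line!r}", file=sys.stderr)
    sys.stdout.write(to_dot(flows, weighted=True))
```

Rejected lines go to stderr so the DOT on stdout stays clean for neato. One tshark detail worth knowing when feeding this: a frame that carries two IP headers (an ICMP error quoting the offending packet, for instance) makes tshark print both values of `ip.src` joined with a comma, which this parser will reject as a three-field line; adding `-E occurrence=f` to the tshark command keeps only the first occurrence of each field and avoids that.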
