<![CDATA[Blog of a Security Engineer]]>
https://blog.michaelbanks.org/
Ghost 3.42
Sat, 24 Jul 2021 00:54:39 GMT

<![CDATA[How I got started and my journey in Cybersecurity]]>
https://blog.michaelbanks.org/how-i-got-started-in-cybersecurity/
Sat, 26 Sep 2020 19:51:44 GMT

Recently I was extended an opportunity to speak at an undergraduate class of computer science. The topic I was to speak on was how I got into cybersecurity and my experience of different roles within the public and private sector of cybersecurity. I outlined what I would go over for the class so I thought I'd share my story here as well.


Introduction

My name is Michael Banks and I am a practicing cybersecurity professional. I am currently a Security Engineer at Amazon Web Services (AWS) on the Security Operations Team. If you are not familiar with it, AWS offers an extensive array of reliable, scalable, and inexpensive cloud computing services. I am also a Signal Officer in the United States Army Reserve. I graduated from Augusta University (AU) in 2015 with a Bachelor of Science in Applied Information Systems & Technology with a Minor in Military Science. In December 2019, I graduated with a Master of Science in Information Security Management.

First off, I want to thank you for taking the time today and allowing me to share my experiences in the cybersecurity industry. Today I plan to go over how I discovered and got started in cybersecurity. I will go over the roles and experiences that I have had in the industry. Lastly, I will give you some tips that I believe will make you successful in the industry.

How I started in cybersecurity

I was always savvy and interested in technology and computers, ever since my family got a Compaq Presario with Windows 95. I would play things like Carmen Sandiego, Math Blaster, and Reading Blaster. When I would go to one of my aunts' houses, they happened to have Oregon Trail on 5¼-inch floppies, and I enjoyed that game. The internet wasn't that mainstream yet, so when I took a break from the games, I would tinker with the other programs and even play around with the command prompt to figure out the commands and what they did. I say all of this to say that when it was time to choose a major, I knew it would be something like Computer Science or Information Technology (IT). I knew I wanted to do something with computers, but I didn't know what I wanted to do with computers. I still say to this day that I am willing to do anything but create video games. The game would never be completed, because there would always be something I wanted to change or make look better.

In the junior year of my undergraduate degree, I was in a system administration class for Linux. You would hear all the time about events and different things related to computer science that you would get extra credit for attending, and I would not miss one of them, because if it's free, it's for me, and free credit for a class is something you don't pass up. Not to mention a lot of the events had free food. The opportunity that was shared was a BSides. For those not aware, as borrowed from their web page, "BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening." The school was helping to sponsor a BSides conference called BSides Augusta.


It was the 2nd annual one, and it was hosted at our school at the time. One of the things my school required to graduate at the time was completing either an internship or a senior capstone. Doing an internship was already on my mind that year. It just so happened that one of the speakers at the conference mentioned at the end of his presentation that he was looking for interns. I thought that was convenient, so I went up to him after his talk and told him I was looking for an internship. The only thing he asked me was whether I could code. Luckily, at the time I had experience with Java and C#, so I told him yes. It turned out he was the owner of a cybersecurity consulting firm and a former soldier and reverse engineer for the National Security Agency (NSA).

When I started my internship I didn't know what to expect, but I got to do some fantastic things, like penetration tests for companies and organizations in many public and private sectors. I got to sideload custom firmware onto wifi routers that are still used today. I even got the opportunity to social engineer my way into corporate and retail locations for companies I know you've heard of. My internship was how I discovered a love for cybersecurity and got into the field.

My Career Path

Information Security Consultant


Fast-forwarding a bit, even though my internship as far as the school’s requirement for it was over, I continued to intern with that organization until I graduated. That work turned into my first job as an Information Security Consultant.

Consultant is a broad position, which is a gift and a curse. What you do depends on the client and the case you're given. I have done many different things, from penetration testing, ransomware recovery, digital forensics, insider threat cases, network build-outs, and SIEM monitoring to phishing and even auditing. Often, I hadn't done it before, but one thing about me is that I am determined to figure it out, and when you have a good base of the fundamentals, at the end of the day, where computers are concerned, everything is 1's and 0's.

Often, you have to go to the client to do the work, so there was quite a bit of travel that came along with the job. I recall one year I traveled 100 of the 365 days. Luckily for me, I love to travel, so it was amazing to see all of the places. An average week at one point was flying out on Sunday afternoon, working from the client site that week, flying back home Friday, enjoying Saturday, and flying out the next day to do it all over again. On top of doing the job and the technical aspects, it required writing reports and documenting aspects of your work. So if you thought that after school you're done writing papers, I will go ahead and burst your bubble now. You will always be writing.

While I was a consultant, one of the things unique to the organization I was at was that they wanted you to do at least two public presentations a year. I think it was good publicity for the firm, but it was also a method to build up your communication skills, and with such a customer-facing role as a consultant, it was a way to get you comfortable with getting your name out there. I got to speak at some BSides conferences and at other conferences around the country. Another goal I set for myself was doing two industry certifications a year. So far, to this day, I have been able to continue that goal. I currently have about a dozen active industry certifications.

Security Engineer

My next opportunity happened pretty interestingly and out of the blue. I always maintained a social presence, as mentioned before, with my previous job. One day a technical recruiter reached out to me on LinkedIn, or "slid in my DM" as we say nowadays. He mentioned a position for a Security Engineer in the D.C. Metro area in Northern Virginia. I expressed that I'd like to hear more about the job. I sent him my resume, and about five days went by without hearing from him; it turned out there was a typo in the email on my resume. THANKFULLY no one with that email took the job I was going for. I gave the recruiter another email and got set up to do a couple of phone screens to test my technical knowledge. They flew me out, or "got flewed out," to their offices in Northern Virginia to examine my technical knowledge again, but this time also to see if it was the right fit for the company. About a week later, they sent me an offer to be a Security Engineer on the Security Operations team.

The AWS Security team is responsible for the security of all of the services offered by AWS. As a Security Engineer on the Security Operations team, I work cross-functionally to assess risk and help deliver countermeasures that protect customer and company data. I operate more in a leadership role in responding to security issues across the world's largest cloud provider, which is a pretty rewarding experience in itself: solving security problems at such a large scale.

My day to day job responsibilities include:

  • Analyze massive data sets to perform risk assessments
  • Develop tooling and security controls to mitigate risks
  • Support design reviews for developer tools to ensure that security objectives are met
  • Work across teams at AWS to refine plans and obtain buy-in

Army Officer

In parallel with my cybersecurity career, I've had a career in the United States Army Reserve. I enlisted back in 2011 at the beginning of my sophomore year in undergrad as a private first class. I did basic training, or boot camp, along with some advanced individual training, and then resumed school. I continued my Army Reserve experience with a Military Intelligence unit in various roles until I graduated and commissioned as a Signal Officer in a Theater Tactical Signal Brigade. For those not aware of Signal, it's the equivalent of the communications infrastructure that connects soldiers on the battlefield to one another and to the Department of Defense Information Network (DODIN). I have recently moved to a Cyber Protection Team to do more cyber-related things for the Army Reserve.


Conclusion

Advice

I have had the unique opportunity to work at a private security firm out of college, to work at a Fortune #2 public company, and to serve in the federal government for almost ten years. If I can leave you with any advice, what I would want to know if I were starting my freshman year would be the following:

  1. Get/keep your writing game up! All organizations write reports, articles, and documentation, and you will never get out of it.
  2. Learn in depth, and as much as you can, about the fundamental principles of computer science. Everything from the networking protocols and how packets work to the makeup of computers, assembly, and operating systems like Mac, Windows, and Linux. All of the jobs, companies, and verticals that exist in the industry build on top of that. No matter what job you do or position you're in, the more knowledge you have of the fundamentals, the further it will propel you, because remember, at the end of the day in the computer world, it's all just 1's and 0's.
  3. Get as much experience as you can before you graduate, whether it's personal projects, research, patents, work studies, or projects. I had my own virtualized lab by my junior year with an extra PC, but you can get experience by doing it yourself. Try to get internships, because it's a great way to have a job before you even start looking for one. It will set you apart from your peers that don't have it, and organizations are looking for people with experience.
  4. Network! Network! Network! Get your name out there. I am sure you all know that sometimes it's not what you know but who you know that will get you ahead in life. It's how you get noticed and build relationships. Visit some conferences and start submitting talks to them. Keep a blog about the things you are doing. You never know who will be "sliding in your DM" offering a job.

Thank You

Thank you for the opportunity to share my story. I hope this information helps, and I hope my experience gives you some idea of some of the options you have in the cybersecurity industry. I’ll be happy to take any questions you might have for me around anything in the cybersecurity realm or the military sphere. Also, feel free to connect with me on Twitter or Instagram at @4MikeBanks. Also, here’s my LinkedIn https://www.linkedin.com/in/mrmikebanks/.

]]>
<![CDATA[The 5 Books every cybersecurity professional should read]]>
https://blog.michaelbanks.org/5-books-every-cybersecurity-professional-should-read/
Sun, 26 Jul 2020 14:55:54 GMT
Cyber Book Club

Earlier this year, a group of industry professionals that I know started to talk about interesting books they'd read. One book in particular sparked a particularly interesting conversation. We all wanted each other's perspectives on what we'd read, and thus our very own cyber book club began. It doesn't have a sexy name yet, so I will refer to it as the Cyber Book Club (CBC). Free time and focused reading are at a premium in my life, so participating in something like a book club required something more productive than just reading quietly in a corner with some wine. So, I decided to utilize Audible (not an ad). Since I have a commute and traveled quite a bit (pre-COVID), it served me very well to be able to listen and get through books in that fashion.

If you are interested in Audible, here's a referral link (PLUG/AD). When you try Audible, you will get 2 free audiobooks: https://amzn.to/39tAv3v

The CBC convenes every month. We have a meeting to talk about the book we staged for the month, our opinions, and an overall review of the book's content. After the review and discussion, we look at the wish list of books the other members have added in a shared environment, then we set a date for the next meeting and start reading the chosen book. It's a pretty simple system, and that's how we get through it and continue to broaden our horizons. Participating in a group environment adds a sense of peer pressure and accountability to read and get through the book, instead of saying you will do something and not following through with it.

Book List

Participating in the book club has given me a broad selection of books that I might never have discovered. The club has led me to keep a running and ever-evolving list of books that I genuinely believe EVERYONE in the field and industry should read. The books I have chosen aren't overly difficult to understand, and you don't have to be a technical person to enjoy them, as they break down many concepts pretty well. I will say, however, that I do believe you should be in the industry to get an appreciation for them. The list below demonstrates the right mix of history, entertainment, shared knowledge, and perspectives on some of the events that have taken place in the community, which some may know and many might not. Not all of the books are "full-on" cyber, but they relate, and they carry knowledge that will help a cybersecurity professional navigate the profession.

Note: This list is just an overall recommendation list; the books ranked below are from 1-5. If you are only going to read a couple, start at #1. If you are going to read all five, then ingest them in any order. I promise there are no spoilers in my brief reviews below.

#1 - Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Why?

If you ever wondered how cybersecurity could go from being just about computers, bits, and ones and zeros to actual kinetic consequences realized in the physical realm, this is the book that will answer those questions. This book follows the journey of the group called Sandworm. It follows the experiences of the professionals and firms that discovered and dealt with a lot of their activity. The book goes over how they got their name and some of the other events that happened around that time. It covers Stuxnet, the Shadow Brokers, Project Aurora, and much more. This book should allow you to understand why critical infrastructure and industrial control systems have been discussed a lot in the past decade. If you are familiar with some of the big players in the community, you will recognize a lot of the names in the book.

#2 - Mindf*ck: Cambridge Analytica and the Plot to Break America

Why?

I had heard about this book as the account of how Facebook allowed the mishandling of its data, but it turned out to be much more. You hear all the time, I am sure, about the presence of information warfare, fake news, and deep fakes. This book gives you an account of an actual organization that operationalized it, and it lays out a bit of how they did it. It even lays out a bit of the science behind the concept. It touches on the politics and the perspectives of some of the whistleblowers and their experiences. Lastly, it talks about the downfall of the organization as well. The book will give you an account of how things like data weaponization and manipulation are possible. After reading the book, you should have a better understanding and be more conscious of the tools, programs, and other works you allow your organizations to have.

#3 - The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

Why?

This book is the account of a cat-and-mouse adventure from a system administrator's (sysadmin) point of view, trying to catch a hacker in his network. My incident response (IR) and sysadmin guys will get a kick out of this one. Some nostalgic parts accompany the technology used during that period and throughout the book. It's told in a pretty entertaining way that keeps you wanting to know what is going to happen next. It is not as predictable as you might think, and some of the players and organizations involved will keep you interested as well. It's a serious book that professionals can relate to, while at the same time being a story that you can truly enjoy.

#4 - Permanent Record

Why?

I won't comment on my stance on Edward Snowden and whether what he did was right or wrong. However, I think his perspective and how he reached the conclusions and decisions he did are worth hearing. The book does an exciting job of laying out that story and the background on him as a person, and ends with the challenges he dealt with after making the decisions he made. The bonus piece that I liked about the book is the account from his significant other of how it affected her life and her version of some of the events. The book allows you to keep in mind some of the things some "whistleblowers" might have to deal with internally. It also provides insight into what could happen as a result of "blowing the whistle."

#5 - Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World

Why?

This book I struggled to enjoy as a story. Still, I think it's essential to understand history, because it gives us a look at one of the entry points to how the information security (InfoSec) community formed and how some of the tools we use today came into existence. Some of the infamous people that we know in the community are mentioned in this book. It follows one group and a subset of people, but it's a good representation of how the community began and flourished over time.

Honorable Mentions

I am only recommending five books, but there are others that are worth mentioning and that are pretty good as well. Below are a few more that I have read.

  • @War
  • The Phoenix Project
  • The Fifth Domain
  • The Ghost Ship

Upcoming Reads

  • Small Wars, Big Data: The Information Revolution in Modern Conflict
  • LikeWar: The Weaponization of Social Media
  • Red Team: How to Succeed By Thinking Like the Enemy
  • The Watchers: The Rise of America's Surveillance State
  • Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
  • Spam Nation: The Inside Story of Organized Cybercrime - from Global Epidemic to Your Front Door
  • Hacking the Hacker: Learn From the Experts Who Take Down Hackers

Recommendations

So! What'd I miss? What books should be added to my list?

]]>
<![CDATA[How I manage a Serverless Blog for a little over $1 a month]]>
https://blog.michaelbanks.org/manage-a-serverless-blog/
Fri, 03 Jul 2020 22:30:30 GMT

As with all things in life, the only constant is change itself. A couple of years ago, I wrote a blog post about my website and the evolution it has gone through over the years. I have come to learn in my journey as a security engineer that it's better to make progress by creating a minimum viable product and then continuing to iterate and make that product better, constantly and gradually. It's easier to do that than to hold something back and wait for it to be perfect. I've read that "perfection is the enemy of progress." (PEOP)

Background

In 2017, I switched from a web-hosting platform that wasn't very costly to a "serverless" architecture that costs me pennies to maintain and operate every month. However, one of the downsides to running such a system was managing the site with pure HTML, JavaScript, and CSS. If I wanted to implement things like a blog, or anything more complex, it required many code changes and pushing objects straight to S3.

Core Implementation

The following implementation is my core architecture that powers my main website and my blog. I publish the static assets to a private Amazon S3 bucket (thou shalt not have a public S3 bucket). Amazon CloudFront, a content delivery network, pulls the assets from the bucket using an origin access identity (OAI) and serves them to the internet. Amazon Route 53 and AWS Certificate Manager provide the DNS and HTTPS for the CDN. Later I did decide to separate the blog from the main site and put the two into separate buckets. The main site would be mostly static and wouldn't typically require much change, and I didn't want to manage a full blog in that way.
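To make "thou shalt not have a public S3 bucket" a check rather than a slogan, here is an added example of my own (it is not the post's infrastructure code and not an AWS tool): a small offline audit of a bucket policy document that flags Allow statements granted to an anonymous principal and confirms that every grant names a CloudFront origin access identity. The two policies are constructed samples; the bucket name and the OAI id are placeholders, not values from the post.

```python
import json
from typing import Any, Dict, List

# Constructed sample: read access only for a CloudFront OAI. The ARN form is
# the real one for OAIs, but EXAMPLEOAIID and the bucket name are placeholders.
OAI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-blog-bucket/*",
        }
    ],
}

# Constructed sample: the classic "public website bucket" policy the post warns against.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-blog-bucket/*",
        }
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_names(principal: Any) -> List[str]:
    """Flatten a Principal ("*", an ARN, or {"AWS": [...]}) into its names."""
    if isinstance(principal, dict):
        return [str(p) for v in principal.values() for p in _as_list(v)]
    return [str(p) for p in _as_list(principal)]


def find_public_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids (or positions) of Allow statements granted to everyone
    ("*" or {"AWS": "*"}) with no Condition narrowing who can use them."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principal_names(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. aws:SourceArn) narrows the grant; review by hand.
            continue
        flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


def grants_only_to(policy: Dict[str, Any], principal_fragment: str) -> bool:
    """True when every Allow statement names only principals containing the
    fragment (e.g. 'CloudFront Origin Access Identity')."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        names = _principal_names(stmt.get("Principal"))
        if not names or not all(principal_fragment in n for n in names):
            return False
    return True


def audit(policy_json: str) -> Dict[str, Any]:
    """Audit a policy document as returned by `aws s3api get-bucket-policy`."""
    policy = json.loads(policy_json)
    return {
        "public_statements": find_public_statements(policy),
        "oai_only": grants_only_to(policy, "CloudFront Origin Access Identity"),
    }


if __name__ == "__main__":
    for name, pol in (("oai_only", OAI_ONLY_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit(json.dumps(pol)))
```

The check deliberately skips anonymous grants that carry a Condition, since a conditioned grant may be intentional; those still deserve a manual look rather than an automatic pass.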

(Core) Serverless Website Implementation

After doing some research and via a couple of recommendations, I decided to give the system called Ghost a try. Ghost is a free and open-source blogging platform written in JavaScript and distributed under the MIT License, designed to simplify the process of online publishing for individual bloggers and online publications. The platform, based on Node.js, has handy APIs that you can utilize to generate an entirely static blog so it can be deployed on sites like S3. That gave me the leverage to run Ghost locally on my machine, create the static assets, and then push them to S3 to deploy.

That system worked well and all, but I needed a little more automation and wanted to streamline the process in such a way that I could get some version control, previews, and the ability to roll back changes easily if I wasn't satisfied with what would be on the site before I made the changes. The following is the Continuous Integration/Continuous Delivery (CI/CD) pipeline and workflow that I came up with and use today that gives me that control.


The Workflow

Post Generation and Settings

Starting from my local machine, I use it to host a local copy of my main site and a separate folder for the Ghost instance of my blog. The key here is that I don't need to keep the aforementioned machine connected to the internet, running, or accessible at any given point in time, only as I need it! When I have a post ready to go, I publish it in the CMS, then run the static site generator and have it publish to a folder to start the review and deployment phase. You can check out other features of Ghost and the static generator I use.

Review, CI/CD, Testing, and Approval

The previously mentioned folder that holds the exported posts and overall blog resides in a Git repository hosted on GitHub. At this point, I could run a script to automate pushing the pages to GitHub with a timestamp or something similar as the commit message. I do this manually with an alias for now (refer to PEOP above). Once that is committed and pushed, that's when the automation takes over.

I use AWS CodePipeline to facilitate the CI/CD. Within CodePipeline, you can set webhooks to invoke when code makes it to an AWS CodeCommit or GitHub repository. For my use case, I have CodePipeline invoking AWS CodeBuild to create a staging bucket and temporarily push the blog there, so I can view the changes, see how the site would look, and ensure everything works as it's supposed to. It sends me an email to approve or deny, along with a link to view the website.


Publishing

If I am OK with the changes and approve the deployment, it tears down the staging bucket and deploys to the production bucket, ready for the next CloudFront sync or request. If I am not OK with it, then I deny the deployment, make the changes, and it starts from the beginning. This workflow is the same for the main site, except it's just pushed to GitHub and published to a different bucket.

Costs (As of July 2020)

Fixed Costs (Yearly)

  • Domain (Route 53): $12
  • DNS (Route 53): $6

Variable Costs (Monthly)

  • Amazon S3: $0.023 per GB for the first 50 TB, then cheaper from there.
  • Amazon CloudFront: $0.085 per GB for the first 10 TB of data transfer out to the internet, then less expensive from there.
  • AWS CodePipeline/Build: $1 if you use it once. $0 if you don't for the month.
  • GitHub: $0

A lot of these services are also free tier eligible, so most of these won't even incur costs after the first 12 months. My infrastructure costs end up being about $1.02 per month of variable expenses, and with the fixed costs, it brings my total all into about $2.52.

Conclusion

The negligible costs, implementations, and ease demonstrate why so many organizations and workflows make their way to the "cloud." It has made my life easier. I will continue to iterate on this architecture, make things better, and track future metrics.

Don't let perfection be the enemy of progress!
]]>
<![CDATA[Here's one way I check for malicious IPs]]>
https://blog.michaelbanks.org/2020-05-03-abuseipdb/
Sun, 03 May 2020 23:30:04 GMT

Years ago, I looked for a resource for checking the trustworthiness of Internet Protocol (IP) addresses, the way VirusTotal has become the go-to resource for file hashes and other file-based indicators. IPs are a different beast altogether, since you have considerations like virtual private networks (VPNs) and ever-changing IPs, and I won't even mention the overall aspect of attribution.

AbuseIPDB

About half a decade ago, I took a look at the internet landscape to see what was out there to accomplish this check. Some extensions did this check for IPs, but there were very few free services that did it at any scale. I stumbled upon a site called AbuseIPDB.

Straight from their website (at time of publishing):

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
Our mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.

I liked their mission and the community aspect that they enabled, but a particular feature they offered for free is application programming interface (API) access.


API Access

Now they do note on their website that "due to limited resources, free accounts currently have 1,000 requests/day for both IP check and report actions..." That in itself isn't bad for the average person checking a couple of IPs that might be concerning. Verified webmasters, or anyone who controls their domain and can add a DNS TXT record, are allowed 3,000 requests/day. Since I have had a domain name for 10+ years, this was a no-brainer and didn't cost me anything. Lastly, they offer people who support the site even more API requests, and this can also be free. If you place an SVG badge on a website you host, your account will automatically be granted the "supporter" role, which boosts the check and report limits on the API to 5,000 per day. The badge doesn't need to be on your homepage; it can reside on an internal page or even a post like the one you're reading right now.


Note: The number displayed in the badge is a cached value, and updates every day or so.

Tooling

Once I discovered this site and saw they had an API, I took a look at their documentation, and to my surprise, it was pretty good. To use the API, all you have to do is a basic curl like the following:

curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=8.8.8.8" \
  -d maxAgeInDays=90 \
  -d verbose \
  -H "Key: $YOUR_API_KEY" \
  -H "Accept: application/json"

I could have just accomplished this with Bash, but I had other code that I needed this to work with, and since I could use it in other tooling and reports, I turned my sights to Python. I decided to write a Python script to scan and check IPs from files and generate a report from the findings. I initially wrote the infancy of this script in 2015 and decided to put it on GitHub on Dec 10, 2016. Solving the problem I had at the time was the beginning of AbuseIPDB Scanner.
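As an added example of my own (it is not the post's AbuseIPDB Scanner script and not an AbuseIPDB SDK), here is the Python side of the curl above: pulling routable IPs out of a log so that private and loopback addresses are never sent to a third-party service, building the same request the curl makes, and turning the v2 /check JSON into a verdict against a confidence threshold. The log lines and the API response are constructed samples; the response field names follow AbuseIPDB's public API, and sending `verbose=` with an empty value for curl's bare `-d verbose` is my assumption.

```python
import ipaddress
import json
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Same endpoint and headers the curl in the post uses.
CHECK_URL = "https://api.abuseipdb.com/api/v2/check"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log (not from the post). 8.8.8.8 and 1.1.1.1 are the
# addresses the post itself uses; the others are private/loopback on purpose.
SAMPLE_LOG = """\
May  3 22:10:01 web sshd[1]: Failed password for root from 8.8.8.8 port 5555 ssh2
May  3 22:10:02 web sshd[1]: Accepted publickey for deploy from 192.168.1.20 port 5556
May  3 22:10:03 web sshd[1]: Failed password for admin from 1.1.1.1 port 5557 ssh2
May  3 22:10:04 web app: healthcheck from 127.0.0.1
May  3 22:10:05 web sshd[1]: Failed password for root from 8.8.8.8 port 5558 ssh2
"""

# Constructed sample of a v2 /check body: documentation address 203.0.113.7 and
# made-up counts; the field names are the API's.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "ipAddress": "203.0.113.7",
        "isPublic": True,
        "isWhitelisted": False,
        "abuseConfidenceScore": 100,
        "countryCode": "XX",
        "usageType": "Data Center/Web Hosting/Transit",
        "totalReports": 42,
        "lastReportedAt": "2020-05-01T12:00:00+00:00",
    }
})


@dataclass
class IpVerdict:
    ip: str
    confidence: int            # abuseConfidenceScore, 0-100
    total_reports: int
    whitelisted: bool
    country: Optional[str]
    flagged: bool


def extract_public_ips(text: str) -> List[str]:
    """IPv4 addresses found in free text, de-duplicated in order of first
    appearance, with private, loopback and other non-routable ones dropped."""
    seen = {}
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if addr.is_global:
            seen[str(addr)] = None
    return list(seen)


def build_check_request(ip: str, api_key: str, max_age_days: int = 90) -> urllib.request.Request:
    """The GET the curl makes: query string plus Key and Accept headers."""
    query = urllib.parse.urlencode(
        {"ipAddress": ip, "maxAgeInDays": max_age_days, "verbose": ""}
    )
    return urllib.request.Request(
        f"{CHECK_URL}?{query}",
        headers={"Key": api_key, "Accept": "application/json"},
    )


def parse_check_response(body: str, threshold: int = 50) -> IpVerdict:
    """Turn a v2 /check JSON body into a verdict. An IP is flagged when its
    confidence score meets the threshold and AbuseIPDB has not whitelisted it."""
    data = json.loads(body)["data"]
    score = int(data.get("abuseConfidenceScore", 0))
    whitelisted = bool(data.get("isWhitelisted"))
    return IpVerdict(
        ip=data["ipAddress"],
        confidence=score,
        total_reports=int(data.get("totalReports", 0)),
        whitelisted=whitelisted,
        country=data.get("countryCode"),
        flagged=score >= threshold and not whitelisted,
    )


def check_ip(ip: str, api_key: str, threshold: int = 50) -> IpVerdict:
    """Live lookup over the network (needs a real key; not exercised offline)."""
    req = build_check_request(ip, api_key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_check_response(resp.read().decode("utf-8"), threshold)
```

Run `extract_public_ips` over a file's contents, then `check_ip` on each result with your key; the threshold of 50 is a starting point, not a rule, and whitelisted addresses (large shared services) are deliberately never flagged on score alone.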


I am by no means a software development engineer (SDE), but I continued to add to the script and make it better with time, including other file formats. I had some contributors who made the Python script better and added some features as well. Beginning with pure Python and regex, the script now supports JSON, country blocks, and more as time progresses. To get started, all you have to do is have Python 3 as well as git installed and then execute the following commands:

git clone https://github.com/mikebanks/AbuseIPdbSCAN.git
cd AbuseIPdbSCAN
pip3 install -r requirements.txt
python3 AbuseIPDB.py -i 1.1.1.1

Conclusion

There are many things out there. You should always use a defense-in-depth approach to checking for malicious indicators like these. AbuseIPDB is just one free tool I added to my tool bag. It was something that solved my problem, could scale with an API, and was affordable. What resources do you use to accomplish the same thing? Do you look at IP reputation? What other tools do you use?

]]>
<![CDATA[This is My Architecture]]>
https://blog.michaelbanks.org/2018-7-22-this-is-my-architecture/
Sun, 22 Jul 2018 22:59:00 GMT

Like all things in our industry, things change and evolve. Years ago, I started a personal website. I believe everyone should have a presence somewhere that explains who you are and what you do. In today's digital world, I think it will lead to credibility in the future. One of the things I noticed was that my website architecture has changed over the years as I have learned and evolved with the technology I have been exposed to. This is my opportunity to share what that evolution was.

V1 (SHARED HOSTING/CPANEL/WORDPRESS)

My website started off, like many, with a WordPress content management system. The site utilized a shared hosting plan with cPanel and a domain. The cost there was $9.99/yr for the domain name and $5.95/mo for the hosting, with no SSL cert because back then they used to charge for them. The last cost was for a static IP address, which cost $2.00/mo. Total annual cost was $105.39. Except for the lack of SSL on the site, this setup is probably the standard for most personal websites and some typical businesses. This architecture and service offering will undoubtedly accomplish most use cases out there. The hosting provider I was using was OK, even though uptime was a bit spotty, since the site went down for a few seconds a few times a month. In today's technology, any downtime is not a testament to the quality of service that a provider is giving to a customer, especially when it happens repeatedly. An annual cost of about one hundred dollars isn't bad, but it was 2017 at the time and time for a change.


Costs:

  • Domain: $9.99 /year (No WhoIS Protection)
  • Hosting: $5.95 /month
  • SSL: $2.00 /month
  • Total: $105.39

Security:

Looking back and putting my security hat on for a second: one of the challenges with being on shared hosting is that it is, in fact, multi-tenant (shared). If there is a compromise of the central system, then all of the customers' websites and data on that system are compromised. Another looking-back moment I had was that it was WordPress, but we will leave that there. :-)

Negatives:

One of the annoyances and challenges I still had, even with shared hosting, was keeping things up to date. WordPress needed to be updated, phpMyAdmin had to be updated, and don't even get me started on themes and plugins.


V2 (WEB HOSTING PLATFORM)

One of the experiments I wanted to try to get off of shared hosting was to utilize one of the popular one-stop-shop website hosting platforms. They were designed for those that didn't have time to do design and didn't want to hire a web designer to make a site. So, you could choose a template and had a content management system on the backend that provided the same functionality that WordPress provided. The designs and offerings got better by the year, and there were a few clear leaders. Going with the most well-known leader's offering, a comprehensive package covering the DNS, hosting, SSL, and design, put the overall inclusive price at $144 per year. However, this offering didn't include the domain. The domain is still $12 per year since I now decided to get WhoIS guard.

Costs:

  • Platform: $12 /month (CMS & SSL)
  • Domain: $12 /year
  • Total: $156.00

Security:

This model shifts the attack surface down quite a bit since you don't have to worry about updating things and the risk transfers to the team managing the platform.

Negatives:

The only piece that is concerning with this approach is visibility. You have no clarity on where your data is stored or what happens to it.

Even with that slight inconvenience, in my opinion, most people would not be bothered by that point. With the convenience of the "Point, Click, & Write" model that the platform offers, it is easy to create content and not have to worry about the other pieces. This model would be my recommended option for most people, even though the price is high for what it necessarily is.


V3 (SERVERLESS ARCHITECTURE)

One of the new "hotnesses" this year (2018) was/is the concept of serverless. Serverless computing allows you to build and run applications and services without thinking about servers. Serverless applications don't require you to provision, scale, and manage any servers. You can create them for nearly any type of application or backend service, and everything needed to run and scale your application with high availability is handled for you. Serving static or dynamic content is one of the things it's good for.

Currently, the architecture I found that I could utilize for this was S3 and CloudFront. S3 is object storage built to store and retrieve any amount of data from anywhere, and it has the ability to serve websites. CloudFront is a programmable content delivery network (CDN). Utilizing these services together to serve static content is an efficient system. The site you are reading this article on is served by loading the HTML, CSS, and JavaScript into an S3 bucket and pushing it to a CloudFront distribution with points of presence that host the content in the US, Canada, and Europe. I am utilizing Route 53 (AWS DNS) and ACM (AWS Certificate Manager) to provide SSL.

One of the neat things here is the pricing model. S3 charges you for the space you consume, and the transfer costs on CloudFront are minimal as well, since it does most of the caching and doesn't need to transfer static content unless it has changed. Currently, it's $0.085 for the first 10TB/month. Since the site is HTML, CSS, JavaScript, and images, the size is minimal. The other charge is for DNS. For Route 53 it's $.50 per month for routing to the different points of presence. SSL, for the most part, is free nowadays and doesn't cost anything. The last charge, which I can't decrease, is the domain. I chose to pay an all-inclusive $12, which provides all of the privacy features everyone should have in today's information age. With all of these implementations, the average yearly bill for me is around $20.


Costs:

  • Domain: $12 /year (WhoIS Protection)
  • DNS: $.50 /month (AWS RT 53)
  • Hosting: ~$2 /year (AWS S3 & CloudFront)
  • SSL: $0 /month (AWS ACM)
  • Total: ~$20.00

Security:

The most significant benefit here to me, other than the money, is the attack surface. Since it's serverless, I don't have to update any servers, plugins, or themes. My attack surface to an attacker is now all the way down to the architecture that AWS provides, and the risk is transferred to their teams. The thing I have to keep in mind now from a security aspect is that anything I put in the bucket is publicly accessible. A benefit that you now have, though, is logging at a massive level. You can access the access logs and the actual distribution logs, which show who is accessing your site, what they are accessing, and where they are accessing it from, and many dashboards are available to see these calls. Since these logs can go on demand to an S3 bucket, you can perform even more complex analytics on them as well. This architecture offers options that you can't get anywhere else other than standing up on-premises hardware and hosting it on the internet.
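To make the logging benefit concrete, here is an added example (not code from the original post or from AWS) that parses CloudFront standard access log lines using the "#Fields:" header CloudFront writes at the top of each log file, summarises requests by client IP, path, edge location and status, and flags clients that mostly receive 4xx responses, which on a static site that never ran a CMS is usually automated probing rather than a visitor. The log records, IPs, hostnames and request ids are constructed placeholders.

```python
"""Summarise CloudFront standard (access) log records for a static S3 + CloudFront site.

Added example for this post, not code from the original article or from AWS. It reads
the '#Fields:' header that CloudFront writes at the top of each log file, so it keeps
working if the column order changes, and flags clients that mostly receive 4xx
responses. The log lines below are constructed samples with placeholder values.
"""
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Column names in the order CloudFront lists them in the '#Fields:' header line.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol "
          "cs-bytes time-taken")


def _record(date, time, edge, ip, path, status, result, req_id):
    """Build one tab-separated record in the column order of FIELDS (constructed sample)."""
    return "\t".join([date, time, edge, "512", ip, "GET", "d111111abcdef8.cloudfront.net",
                      path, status, "-", "Mozilla/5.0%20(X11)", "-", "-", result, req_id,
                      "example.invalid", "https", "300", "0.005"])


# Constructed sample log: two normal visitors plus one client probing for CMS paths.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + FIELDS,
    _record("2018-07-22", "22:59:01", "IAD79-C1", "203.0.113.10", "/index.html", "200", "Hit", "r1"),
    _record("2018-07-22", "22:59:02", "IAD79-C1", "203.0.113.10", "/style.css", "200", "Hit", "r2"),
    _record("2018-07-22", "23:01:10", "LHR62-C2", "203.0.113.25", "/index.html", "200", "Miss", "r3"),
    _record("2018-07-22", "23:05:41", "FRA50-C1", "198.51.100.7", "/wp-login.php", "403", "Error", "r4"),
    _record("2018-07-22", "23:05:42", "FRA50-C1", "198.51.100.7", "/xmlrpc.php", "403", "Error", "r5"),
    _record("2018-07-22", "23:05:43", "FRA50-C1", "198.51.100.7", "/.env", "403", "Error", "r6"),
    _record("2018-07-22", "23:05:44", "FRA50-C1", "198.51.100.7", "/index.html", "200", "Hit", "r7"),
])

# Fields CloudFront URL-encodes in the log (spaces become %20, etc.); decode for reporting.
_ENCODED_FIELDS = ("cs-uri-stem", "cs(User-Agent)", "cs(Referer)", "cs-uri-query")


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Parse a CloudFront standard log into one dict per request, keyed by field name."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # '#Version:' or any other header line
            continue
        if not fields:
            raise ValueError("log record appears before the #Fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        rec = dict(zip(fields, cols))
        for name in _ENCODED_FIELDS:
            if name in rec:
                rec[name] = unquote(rec[name])
        records.append(rec)
    return records


def summarise(records: Iterable[Dict[str, str]]) -> Dict[str, Counter]:
    """Who is requesting (c-ip), what (cs-uri-stem), from where (edge), with what result."""
    recs = list(records)
    return {
        "by_ip": Counter(r["c-ip"] for r in recs),
        "by_path": Counter(r["cs-uri-stem"] for r in recs),
        "by_edge": Counter(r["x-edge-location"] for r in recs),
        "by_status": Counter(r["sc-status"] for r in recs),
    }


def probing_clients(records: Iterable[Dict[str, str]], min_requests: int = 3,
                    error_ratio: float = 0.5) -> List[str]:
    """Return client IPs whose share of 4xx responses is at least error_ratio.

    On a static site that has never run WordPress, a burst of 403/404s for paths like
    /wp-login.php is almost always automated scanning rather than a real visitor.
    """
    total: Counter = Counter()
    errors: Counter = Counter()
    for r in records:
        total[r["c-ip"]] += 1
        if r["sc-status"].startswith("4"):
            errors[r["c-ip"]] += 1
    return sorted(ip for ip, n in total.items()
                  if n >= min_requests and errors[ip] / n >= error_ratio)


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    for key, counter in summarise(recs).items():
        print(key, dict(counter))
    print("probing clients:", probing_clients(recs))
```

Point it at a real log file pulled from the logging bucket by replacing SAMPLE_LOG with the file's contents; the parser only depends on the "#Fields:" header being present.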

Negatives:

The only downside is that now I have to manage and code this site. I go back to the roots of using just a notepad and a web browser to preview the site. It's a slow process, but it does give you complete control in the area of designing and laying out your site. While some might prefer this, it is a slower process than the standard point, click, and write model I had with v2. I will take the hit, though, for the price. Along with the technical debt incurred by needing to know web design, you now have to understand how to work with AWS architecture. Depending on how you pick things up, that can be more daunting than learning web design.

CONCLUSION

While I don't have a website with vast amounts of traffic, if I did, I wouldn't have to change a thing. It could scale to serve any load of traffic, and I would only have to pay pennies since a Content Delivery Network backs it. Providing massive amounts of dynamic content is where you would utilize more of the serverless architecture, like API Gateway, AWS Lambda, and DynamoDB. Serverless is where you can optimize what you offer: move the static areas of your site to a serverless model like this to save time and money, and not have to worry about servers, updating, and other time-wasting aspects.

In the end, one of the freedoms of the internet is choice, and there are many ways to host a website. This site is just my architecture and how I roll. Challenge yourself, innovate, and reach higher.

]]>
<![CDATA[Please Don't Be Like These Guys]]>https://blog.michaelbanks.org/2018-4-15-please-dont-be-like-these-guys/5e054875394c8ff0e6a09ca2Sun, 15 Apr 2018 22:55:00 GMT

Granted, I don't believe companies should post online precisely what they are doing, but some level of reassurance is warranted. Larger organizations reach out to the organizations they pay to ensure their money is well spent. Similarly, security-conscious organizations bound by compliance and audit requirements reassure their customers that they are compliant with things like PCI and SOC; that should be how all organizations and industries operate. Individuals should do the same due diligence and research how the services they use store, transmit, and process their data, at least at a base level of understanding.

For example, here's something posted on an email service website (not an ad):


While they don't exactly share all the goods of what they are doing in detail, this company at least demonstrates that they are using "secure implementations of AES, RSA, along with OpenPGP." With this declaration they claim, I don't have to wonder if they are using MD5 (not encryption) and relying on security through obscurity. It gives some ease knowing that they are saying the right things, even if I can't ensure they are doing the right things. Don't you wonder if other providers and custodians of your data are even attempting to protect your data?

Recently I visited and toured a practicing medical facility that was taking and seeing patients. I looked in the basement and, to my surprise, I came to find patient records in Saran Wrap. I'm not sure if they believe the Saran Wrap will make sure none of the files walk away. I am also not sure if their customers would feel reassured if their data was only separated by a single door with glass, where anyone could walk along the building, smash the window, and make away with their medical records. I can strongly hypothesize the answer to that though. :-) It's a fact that medical records are worth more than personal ones, and even credit card information. You would think medical facilities would operate better since they house such data and have been the target of a lot of adversaries recently. I know these are only paper records, but if they treat these files like this, just imagine what they are doing with a patient's electronic records, which I am sure most know even less about how to protect.


Would you be a patient at a place that treats your files like this? Well, you might be already. #justSaying! I am personally going to start inquiring more about the things I am paying for when it comes to choosing one company or provider over another for services. I don't even want to know how their electronic data is stored.

I believe that, in time, the best companies will prevail as breaches continue to be revealed to the public eye. People decide with their dollars. Maybe one day all data a company collects on a user will be encrypted and not just usernames and passwords. Until then, ask more questions about their practices. The old saying, "ignorance is bliss," will only go so far.

]]>
<![CDATA[A Year In The Life]]>https://blog.michaelbanks.org/2016-12-31-a-year-in-the-life/5e0547b3394c8ff0e6a09c8dSat, 31 Dec 2016 23:52:00 GMT

TRAVEL

This has been just an amazing year. I met some great new friends and lost some old ones as well. If you have followed me this year, you know I stay on the move. I have flown about 50,000 miles (47,820) on airplanes and got to see so much of the US in a short amount of time. I have spent 101 days on the road and have stayed in many Marriotts and Hiltons.

EDUCATION

I graduated college a while ago, and you would think, hey, classes are finally over. WRONG! In this industry, education and expanding your knowledge is a constant, because security is a back-and-forth sport that is forever changing. This year I took many 40+ hour courses and certifications. Some of the courses I took were:

  • Industrial Control System Cybersecurity from The Department of Homeland Security ICS-CERT Division
  • Windows Forensic Analysis from the SANS Institute
  • Vulnerability Assessor from Mile2

MEMORIES

Interacting with clients is a normal and frequent task that goes with my job, but this year I had the pleasure of doing something that is broadening for someone in this industry: speaking and presenting at security conferences. I submitted abstracts of a project that I am working on to two conferences. One was a BSides and one was an EC-Council event. As a result of one of the presentations at the EC-Council event, I was invited to present at another one of their conferences because it was a favorite of the audience. If you ever have an opportunity to present at conferences, take it. Here are the names of the conferences I spoke at.

  • TakeDownCon
  • Hacker Halted
  • BSidesAugusta
]]>
<![CDATA[What's In Your Lab?]]>https://blog.michaelbanks.org/2016-8-17-whats-in-your-lab/5e0546b6394c8ff0e6a09c7fWed, 17 Aug 2016 22:48:00 GMT

Honestly, every time I hear or use the word "lab" it reminds me of one of my favorite childhood shows, Dexter's Laboratory. It reminds me of a certain sentiment I see in this industry of inventing things and learning.

A lab is a critical tool that any InfoSec professional should have, whether they do forensics, reverse engineering, or even pentesting. I know many hiring managers and organizations, as part of an interview process, ask the question "What's in your lab?" or "What does your lab look like?"

Honestly, there's no real excuse not to have one. Cost really shouldn't be a factor in today's technology landscape. At the cheapest end of the spectrum, you could use your main computer and load VirtualBox (free) and a variant of Linux (free) to test programs and capabilities. At the costlier end of the spectrum, you could have a 42U server rack with servers, switches, and firewalls, segmented using ESXi to manage virtualized networks and servers, to recreate environments and find weak spots.

Come across malware and want to know what it does? Snapshot your OS, throw it in your lab that is blocked off from the internet, and see what it does. Come across an exploit that affects Windows Server 2012 R2? Deploy a W2K12R2 server, figure out how the exploit works, and understand how the patch mitigates the attack.


Interested in building a lab and want to know where to start?

If you have a spare computer (desktop or laptop) here's what I recommend (it's a method):

1. DOWNLOAD ESXI (A HYPERVISOR)

VMware offers a free license of VMware vSphere Hypervisor (ESXi). I know major organizations that utilize VMware's systems. Using ESXi will also give you an opportunity to use virtualization software whose concepts translate across other products as well, and it offers work experience with the virtualization software that enterprises are using. If you are not convinced yet and entirely sold on the idea of dedicating an entire computer to a virtualization server operating system like ESXi or Xen, you can run a program-based hypervisor as well, like VirtualBox, Vagrant, Hyper-V, VMware Workstation, or VMware Fusion for my Mac people out there. If you want to play with the new stuff, try out containers and play with Docker.

VMware vSphere: https://www.vmware.com/products/vsphere-hypervisor

2. DOWNLOAD PFSENSE (FIRST VM)

pfSense is an open source firewall and router. pfSense will allow you to get a feel for firewalls and rules, and give you better control of your network than what ESXi has built in. Also, since it's a router, it can provide DHCP to the other virtual machines (VMs) that you might deploy in the future. However, if you have limited RAM, I would skip this one and go with the built-in controls of ESXi, or of your hypervisor of choice if it has that capability built in. It also has DHCP. Either way, keep a close eye on the internet connectivity that you provide to your hypervisor and VMs.

pfSense: https://www.pfsense.org/download/

3. PICK YOUR POISONS (OPERATING SYSTEMS)

Most distros of Linux are free. Pick one, install it, and go to town. You can deploy network security monitoring (NSM), like Security Onion or openNSM. You can also go the penetration tester route and install Kali along with some vulnerable operating systems like Metasploitable.

4. COLLABORATE AND REFINE

Just like everything else in the world, nothing is perfect, and things are ever changing. Find your peers that have a lab, see what they are using now, and continually refine your setup (lab). New technologies come out and storage gets cheaper, so expand your storage and get more RAM. The problems and management pain points that you go through with your lab relate to what IT departments and managers go through. Employers respect having that point of view in someone, and others that have a lab can instantly relate to "the struggle."


DISCLAIMER

Keep in mind, this is only a method. There are tons of options out there to try and experiment with that I am not mentioning and that can accomplish the end goal. All of this could be done by running something like Docker on a laptop, but that wouldn't make a fun conversation, and you would miss out on dealing with hypervisors.

In InfoSec, I have come to learn that it is largely about passion and experience. It could be the difference in that interview. Before you know it, you have yourself a nice playground that will aid you in the future for research and experience, and something you can be proud of when that interviewer asks you "What does your lab look like?"

]]>
<![CDATA[Embracing DFIR W/ SANS FOR408]]>https://blog.michaelbanks.org/2016-8-5-embracing-dfir-w-sans-for408/5e0545c0394c8ff0e6a09c6dFri, 05 Aug 2016 22:43:00 GMT

FOR408: WINDOWS FORENSIC ANALYSIS

Continuing education and furthering one's toolset in their profession is a critical part of anyone's life. An information security (infosec) consultant many times has to be agile in more than one vertical of the industry, hence why I am embracing Digital Forensics. I took the whole digital forensics course in school, but as I am sure my fellow undergrads out there will echo, a single college course does NOT prepare you for work. In college, it is about principles, comprehension, and understanding of a concept, and not in-depth "actions on" with the tools, procedures, and industry best practices. Another inevitability for an infosec consultant is certifications. When you marry the two together, I guarantee you run into the word SANS somewhere in that conversation. This is why Windows Forensic Analysis is just right for me to take. It is the introductory course to the Digital Forensics & Incident Response arm of their institute. This post is by no means a commercial for SANS (SANS is not paying me a dollar); I am just talking about my experience of the course and general information about it.

WHAT TO EXPECT

Currently, Windows Forensic Analysis is a 6-day course covering the Windows operating system, spanning from Windows XP to the most recent Windows 10. The course gives you a view of the operating system that most won't see. It educates you on what's happening behind the scenes, along with the tools, tactics, and procedures veterans in the field are using to accomplish a task.

  • DAY 1: WINDOWS DIGITAL FORENSICS AND ADVANCED DATA TRIAGE
  • DAY 2: WINDOWS REGISTRY FORENSICS AND ANALYSIS
  • DAY 3: USB DEVICES, SHELL ITEMS, & KEY WORD SEARCHING
  • DAY 4: EMAIL, KEY ADDITIONAL ARTIFACTS, AND EVENT LOGS
  • DAY 5: BROWSER FORENSICS: FIREFOX, INTERNET EXPLORER & CHROME
  • DAY 6: WINDOWS FORENSIC CHALLENGE

HOW THE COURSE BEGINS

The first day you cover the basics of forensics in terms of capturing images. The unique aspect of day one is the concept of utilizing a triage image. If you know anything about forensics and how it is usually done, you take a full disk image of the box. When time is of the essence, you can make a triage image, grabbing specific pieces of the entire machine to do the analysis and answer the questions that need answering quickly. Afterward, for due diligence, do the full disk image. "It is a method."

HOW THE COURSE ENDS

The course ends when you put it all into action. There is a challenge that is a great reinforcer of the material throughout the course. You team up with your peers in the class and work a forensics case. You receive an image and a situation, and you FORENSICATE. At the end of the time allotted, you present your findings of the evidence you discovered to your peers, and they vote on the best presentation of the facts.

WHAT I LIKED MOST ABOUT THE COURSE

There are exercises throughout the course that reiterate what was explained and taught in a section. I enjoyed that you learn the manual workings of analyzing artifacts, where they are located, and the areas relevant to them. After doing that, they reveal the tool that does a lot of the heavy lifting for you. There are so many organizations, courses, and workshops that just tell you to run the tool, and the magic happens, and you do not know what it is doing. When you operate that way, you really can't explain to an audience what happened and how the data came to be.

WHAT TO KEEP IN MIND WHEN TAKING THIS COURSE

There is much information to acquire and only five days to do it in. On Day 6, while you have assistance, you are basically performing. There were many people in the course that you could tell were at that saturation point, their brains about to explode with the forensic artifacts that fly by section after section. The other aspect to watch for is to make sure you are clear of distractions during the course. If you lose focus on the material, you might miss an incredibly important piece that could set you back 30 minutes to an hour on an issue that you could have solved with just one click in an interface.


TAKEAWAY

Digital Forensics and Incident Response is a critical piece that organizations should prepare for, and at Rendition InfoSec it is a cornerstone of what we do. It is an excellent course to take, and it can prepare you to go out the next week and apply the procedures to real forensic and incident response cases. Before you know it, you will be among the other DFIR professionals in the community, contributing back to others that want to learn about forensics in the future. Just remember there is more than one way to get to a conclusion, and this course might not be right for everyone, but there are many shadow copies out there that you can get something out of. ;-)

If you decide that you are interested in taking this course more information can be found here.

]]>
<![CDATA[Project Slam]]>https://blog.michaelbanks.org/2016-7-27-project-slam/5e0543fe394c8ff0e6a09c5eWed, 27 Jul 2016 22:39:00 GMT

Project Slam is an initiative to utilize open source programs, operating systems, and tools to aid in defending against nefarious adversaries. The overall focus is to research adversaries' behavior and utilize the data that can be captured to generate wordlists and blacklists, and to expose the methodologies of various threat actors so that they can be provided back to the public in a meaningful and useful way.

The Slam Report will be generated in January 2017 with the results found throughout the year, along with a data dump of the information aggregated throughout the year.


2016 (v1): A medium-interaction honeypot deployed on a US cloud provider to aggregate attempted brute-force wordlists, including the most commonly brute-forced usernames and passwords. Project Slam is also aggregating the IPs and methods of people accessing the honeypot interface.

2017 (v2): A full-interaction honeypot utilizing Docker and a full network of operating systems to identify an attacker's methodologies. Version 2.0 is still in the development phase and will go into testing later this year. If you are interested in testing or developing the infrastructure, shoot me an email and we will brainstorm how you can get involved.

There is already a 5-month partial data dump of some of the information and some of the passwords that we have found, published on GitHub as a repository. You can check it out here.

If you have ideas on how Project Slam could be better also shoot me an email.

]]>
<![CDATA[5 Tips Airports Should Probably Pay Attention To]]>https://blog.michaelbanks.org/2016-7-24-5-cyber-issues-to-avoid-in-an-airport/5e05422e394c8ff0e6a09c4cSun, 24 Jul 2016 22:31:00 GMT

One of the frequent realities of being an Information Security Consultant is traveling. Nine out of ten times it is going to involve flying. Being at the airport a lot, you tend to end up noticing some not-so-flattering things. In general, it's been my experience that all airlines/airports have issues. Delta is my personally preferred airline, so I tend to see some unflattering things from them more than others. Learning is an important aspect of being a consultant, so let's walk through some of the things you may run into at the airport, and let's not make the same mistakes in any organization. All of them apply to any business with a network.

Recently, on my way home from an engagement, I was sitting in the waiting area for my flight and I noticed a kiosk right behind me. It didn't look like one of those kiosks that anyone could use. This brings us to our first tip.

Tip #1: You probably shouldn't place a non-public kiosk in the view of the public.

Even if this is a public kiosk, you probably shouldn't place it in such a manner that anyone can see what a user is doing. I don't know about you, but I don't want everyone in my business. From a glance at the screen, it doesn't seem like a workstation for the public. With that in mind, let's say that this isn't public; that brings us to another tip.

Tip #2: When not at a workstation, ALWAYS lock it.

In trusted or untrusted environments, there is nothing wrong with locking your workstation. I shouldn't even have to write anything to convince anyone that locking the workstation is a good idea, so I will leave it at that; even though you will probably run into it out there.

Tip #3: Don't advertise your shortcomings (Make It Easy).

We are halfway through 2016, and Windows 10 has been out for almost exactly a year now. I will concede that Windows 8 and Windows 8.1 were not such stellar incremental upgrades from an operating system standpoint, but for an airport/airline to be just now upgrading to Windows 7 makes me cringe. Could it be that they never changed the wallpaper, and they upgraded it years ago? I don't know, but I hope so. Either way, it shouldn't be advertised. A nefarious attacker, without getting on the network or scanning any boxes, now knows what operating system is in use and what operating system exploits to focus on to achieve exploitation into the network.


Tip #4: Segmentation, Segmentation, Segmentation

I don't know what the networking segmentation situation is of this system, how exposed it is, or what other sensitive systems it is connected to because:

  1. I'm not stupid enough to tamper with systems without authorization.
  2. I didn't want to touch something and cause damage, just in case the airport didn't segregate the system from other major systems needed for an airport/airline.

BUT! Someone can do a lot of homework on the network and configuration with a machine just sitting there. This system wasn't like this for just a couple of seconds; it was vacant the entire time I was there waiting for my flight (~40 mins). Hopefully it's segmented; it would be a nightmare if it was not. Also, please segment by more than just a VLAN tag ID.

Tip #5: Address the simple things first.

All your security won't help if you don't even turn it on. Security is hard! Fixing and continually addressing the simple things or the "low hanging fruit" should be everyone's top priority. It is the first thing an attacker will try.

While this wasn't an assessment, and more of an observation about the airport/airline in question, at Rendition InfoSec, where I work, we do assessments, and we would be happy to discuss possible opportunities to do an assessment to make your security better.

]]>
<![CDATA[TakeDownCon 2016 (Rocket City)]]>https://blog.michaelbanks.org/2016-7-19-takedowncon-2016-rocket-city/5e053fc7394c8ff0e6a09c35Tue, 19 Jul 2016 22:17:00 GMT

Conferences (cons) and training events, where people from the same industry gather, have become a great resource for people in the industry to network, share research, and give back. I submitted my call-for-papers entry and got picked up to participate in TakeDownCon by the EC-Council Foundation in Huntsville, AL. The conference was a two-day conference that featured vendors, a capture-the-flag competition, and loads of great opportunities to network. The first day was the red team track and the second was the blue team track. This was my first information security presentation at a conference, and I definitely had a blast. I have been to about half a dozen conferences, but participating as a speaker is a slightly different experience. I would say that it is the best of both worlds. I attended all of the talks and placed 2nd in the Booz Allen Hamilton capture-the-flag competition.


My talk was on "Defending against 1,000,000 Cyber Attacks." The basic overview of the talk covered the notion that every time you look around, some company or government organization is spouting out some huge number of "cyber-attacks" on their network every day. By no means is defending networks easy, but could it be that there is a little exaggeration of the actual encounters with intruders on the net? One thing that is apparent is that there is surely a misconception in reporting, and in the understanding of the attack itself, in how organizations account for them. There are "attacks" like port scanning and brute-force attempts all across the internet at all hours of the day. Spreading awareness about them will inform the public on just how "intense" these attacks are. To demonstrate this, I bought a nice attractive domain, coupled it with a honeypot, and let the fun begin.


Here are the slides from my presentation: Download

]]>