How To Get A Job In Infosec


Hacking is like art. No, hacking IS an art. And, much like art, you can spend years in school learning things like perspective and color theory, but if you can’t actually draw, all that knowledge won’t get you anywhere. Just as no two artists will paint the same scene the same way, no two hackers plan their attacks in the same way. This makes the job of infosec defenders very hard.

Most hackers are not the 1337 Mr. Robot style of multi-talented, morally driven, drug addled global activist. Most hackers are low-skilled folks that re-use published tools written by actual skilled hackers. These tools can be used by almost anyone to find and exploit vulnerable servers. This type of hacker isn’t well rounded, isn’t targeting any person or server in particular, and is happy to play the numbers game to test millions of servers to find 1 or 2 they can get into. We call this class of hacker a “script kiddie” or, more commonly, “skiddies”.

Skiddies live on zero day exploits. One of the severity factors of any given exploit is its age. The older an exploit, generally the less of a problem it is. This is because once sysadmins and code authors are aware of an exploit, they take steps to remediate it and the number of exploitable servers drops, so our hacker friends have less low-hanging fruit to pick from. A zero day exploit is an exploit nobody knows about yet — it is “zero days” old. Because nobody knows about it, nobody is remediating it, and that is the window during which hackers can find a large number of exploitable servers until defenders become aware of the vulnerability.

Like any trade, there is a set of base skills required to get the job done. In the military these are called Individual Operator Skills — the original “IOS” before Apple appropriated the acronym. Infosec defenders such as sysadmins, corporate Blue Teams, and cybersecurity professionals have a much harder job than the attackers. Attackers only have to win once; defenders have to win every damn time. Attackers do not need a broad skill set; they just need to know how to do the one thing they’re planning. Defenders need a broad set of skills to detect and mitigate the attack, regardless of what form it takes. Defenders need to be much more skilled than attackers.

Attackers only have to win once. Defenders have to win every. Damn. Time.

Some disciplines are very binary. If you want to be a database administrator, take a DBA course. If you want to be a developer, take a programming course. Aspiring network admins can take a wide variety of network certifications, but infosec defender isn’t as cut and dried a discipline.

At a minimum, the defender’s IOS need to include proficiency in networking, operating system configuration, and coding. These are the Individual Operator Skills of an infosec professional. Why do defenders need such a broad skill set? Because…

Attackers won’t tell you when or how they’ll attack

I am aware of how dumb this sounds. Of course attackers won’t give you advance notice. But I’ve lost track of the times I’ve been in a room with a bunch of tech types pontificating about how they’ll “kick a hacker out of the network when they discover them”. The truth is, most system owners don’t find out they’ve been hacked until their customer database shows up on the dark web and by then it’s far too late to be thinking about kicking someone out in real time. Many defenders have this romantic notion of battling an attacker head on. I blame the 1995 movie Hackers for this, despite the fact that many current-day hackers weren’t even born yet. Don’t poke holes in my logic.

Because defenders can’t know what form an attack will take or when it will happen, they need to deploy a wide variety of tools to secure their systems from attack. They also need to know how to look for Indicators Of Compromise (IOC, not to be confused with IOS) that the system has been hacked in spite of the safeguards. The tools and IOCs are different for the different parts of the defence-in-depth (network, operating system, etc), which means defenders have to know a lot of stuff about a lot of different things to do their job well.

Defenders also have to know what reconnaissance looks like. Many hackers will perform advance reconnaissance to determine if a system is vulnerable so they can come back later and do the actual damage. A rise in traffic from a geo-region not previously seen, lots of failed brute force logins, an increase in company-wide phishing emails — these are all signs of possible recon and even if they are repelled, the attacker has at least gained some insight into the defenders’ capabilities.
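As an added illustration of two of the recon signs just listed (a burst of failed logins and traffic from a region not seen before), here is a small detector run over constructed sshd-style auth log lines. It is example code, not part of the original post; the IP-to-region table stands in for a real GeoIP lookup and the baseline region set is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style auth log lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 01 10:00:01 web1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 5122 ssh2
Mar 01 10:00:02 web1 sshd[102]: Failed password for invalid user test from 198.51.100.7 port 5123 ssh2
Mar 01 10:00:03 web1 sshd[103]: Failed password for root from 198.51.100.7 port 5124 ssh2
Mar 01 10:00:04 web1 sshd[104]: Failed password for invalid user oracle from 198.51.100.7 port 5125 ssh2
Mar 01 10:00:05 web1 sshd[105]: Failed password for invalid user guest from 198.51.100.7 port 5126 ssh2
Mar 01 10:00:09 web1 sshd[106]: Accepted publickey for deploy from 203.0.113.5 port 40112 ssh2
Mar 01 10:00:11 web1 sshd[107]: Failed password for alice from 203.0.113.5 port 40113 ssh2
Mar 01 10:00:15 web1 sshd[108]: Accepted password for alice from 192.0.2.44 port 51001 ssh2
"""
# Hypothetical IP-to-region table standing in for a GeoIP database (assumption).
REGION_OF = {"198.51.100.7": "ZZ", "203.0.113.5": "US", "192.0.2.44": "US"}
# Regions the defender has previously seen legitimate traffic from, i.e. "normal" (assumption).
BASELINE_REGIONS = {"US"}

EVENT_RE = re.compile(
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")

def parse_auth_events(log_text):
    """Yield (outcome, user, ip) for each sshd auth line the regex recognises."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.groups()

def recon_indicators(log_text, threshold=5):
    """Return (ip, reason) pairs for sources that look like reconnaissance:
    a source with >= threshold failed logins, or any source from a non-baseline region."""
    failed = Counter()            # failed attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    seen_ips = set()
    for outcome, user, ip in parse_auth_events(log_text):
        seen_ips.add(ip)
        if outcome == "Failed":
            failed[ip] += 1
            users[ip].add(user)
    findings = []
    for ip, n in failed.items():
        if n >= threshold:
            findings.append((ip, f"{n} failed logins across {len(users[ip])} usernames"))
    for ip in sorted(seen_ips):
        region = REGION_OF.get(ip, "unknown")
        if region not in BASELINE_REGIONS:
            findings.append((ip, f"traffic from region {region} not in baseline"))
    return findings

print(recon_indicators(SAMPLE_LOG))
```

A single failed login from a known region (alice from 203.0.113.5) is left alone; only the spraying source trips both checks.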

So how do we train infosec defenders? Where do they come from? How do I become one? The truth is that competent infosec defenders are usually already seasoned professionals in one or more technology disciplines. There are very few infosec jobs for new grads or people just entering the workforce because junior will be pwned again and again due to his lack of experience in the face of non-stop multi-pronged attacks by hackers.

The “junior” jobs in infosec generally go to intermediate or senior developers, network admins and system admins. This is mostly because these professionals already know a wide range of tools, they have experience with production systems in the wild, and they already know what “normal” looks like in their field. This makes them better at identifying IOCs such as unexplained files on a system, malformed network packets hand-crafted with a tool like Scapy, and code that is obfuscated for no apparent reason. They’ve also made a lot of mistakes in their career already, and can use that knowledge to fortify the system security.

Therein lies the answer. To become a competent and employable infosec worker, spend a few years gaining experience in one of the fundamental disciplines that form the base skill set of an infosec professional. Once you’ve mastered(ish) one or more of those areas, you will be in a much better place to display your knowledge to prospective employers or clients by doing things like creating little proof-of-concept exploits and writing knowledge pieces like this.

A good next step is to consider meaningful infosec certifications such as the highly respected Offensive Security Certified Professional (OSCP) to further bolster your credibility as an infosec defender.

Happy hacking!

my shorter content on the fediverse: https://the.mayhem.academy/@jdw