August 14, 2016
Back in July, I had the privilege of participating in my first SANS course and I would like to share some of that experience and my journey to certification which is a direct result.
As I prepared for SEC504, I have to admit that I wasn’t sure what to expect. Anyone worth their salt in InfoSec knows that SANS is the most respected and far-reaching security education outfit anywhere, hands down.
I was lucky enough to have Mr. Jonathan Ham as an instructor who is both incredibly intelligent and equally seasoned in our industry. The class itself was an awesome experience complete with lab work and an amazing amount of information.
On the advice of everyone who has ever taken this exam, I’m painstakingly going back over ALL of the course material (6 books, 6 days…not kidding) and manually indexing all of it.
Some of my indexing so far has included the stages of Incident Response, which I have forced into my memory as PICERL…
P – Planning, ensure that procedures and policies are appropriately laid out and all expectations are set.
I – Identification, taking appropriate steps to identify incidents and reduce false positives.
C – Containment, once an incident has occurred, ensuring that triage is performed in a timely manner so as not to affect production or other lines of business.
E – Eradication, as cool as it sounds. Find it, fix it, squash it and generally bounce back.
R – Recovery, per your contingency plan: should the asset be wiped, or just re-provisioned, etc.? The main goal here is to minimize the production impact and either restore or replace affected computers.
L – Lessons Learned…Don’t let it happen again!
Hope everyone enjoys this little insight, I’ll try to keep current with this as I’m studying.
September 13, 2016
So, my plan was to use this blog to help keep me honest and committed to getting this certification under my belt. I’m not kidding, it’s tough. Sometimes things like this don’t always “fit” into real life. I’m doing my best and slowly crawling through the information so I thought I would share a little piece. This time, my studying is really harping on DNS issues so I thought I would touch on what I’m working on this week…
What is DNS? Lame you say? How else would I open this… -_-
DNS, or Domain Name System, is something that we all use every single day, often without realizing it. Basic networking teaches us that every network node has a unique address assigned much like your home address. In computer land, however, this address is a series of numbers used to identify you as a stop on the “map”. DNS does for us what our memories will not. We can ask DNS to help us find Google for example and it’s nice enough to look through the “phone book” and find out that Google is actually 188.8.131.52. I don’t know about you but if I had to remember that, I would never make it. Operating happily over port 53, DNS politely does this for us and asks for little in return.
Why am I rambling about this? To explain something called DNS Zone Transfers and why this is a thing. In many organizations, there is a need for internal DNS servers to do things like map application servers, email, etc. DNS does a great job of telling everyone where they need to go. Now, any company worth its salt is going to care about disaster recovery and availability, so what if we throw another DNS server in there so the first one isn’t lonely or overworked? Now we have two independent DNS servers that are serving the same domain, but how do we know that they are reading from the same “phonebook”? This is where zone transfers become necessary. A DNS Zone Transfer (the AXFR request you will see in the capture below) is the process of synchronizing multiple DNS servers by way of a secondary server requesting a full information dump from the primary server. This is completely normal and allows fluid operation regardless of which DNS server you may be querying. Ok, so this is pretty weak so far, nothing exciting. Now put your black hat on. How sweet would it be if the company you are attacking would let you connect from the internet and ask their internal DNS for all of this information…and you got it? It’s very necessary for companies to restrict this procedure to known, trusted DNS hosts only and to never allow internet entities to ask for or receive this info. We are talking about “keys to the kingdom” stuff here, people: full profiling of your entire network walking right out the door. Food for thought, good study topic. See below for a great example of a zone transfer captured on a Microsoft DNS server.
This is wickedly useful in both the wrong hands and the right hands. Our thinking around things like this has to include the fact that while we may be cognizant of our own operations, are we sure that normal maintenance tasks are being carried out how we think they are? For example, if you are used to seeing this zone transfer chatter on the network, is a recon mission that originated from some basement in Asia going to look weird enough to notice? Ok, maybe…hacker.cn is milking your DNS…I pray that it would be detected immediately; but what about the remote worker who is running drive-by malware and just did a zone transfer from an IP range that you trust? Are you still going to see your hacker on the other end? Are you even going to notice? Are you even going to notice -_- ……?
DNS: TCP Length = 445 (0x1BD)
DNS: Query Identifier = 0 (0x0)
DNS: DNS Flags = Response, OpCode - Std Qry, RA Bits Set, RCode - No error
DNS: 1............... = Response
DNS: .0000........... = Standard Query
DNS: .....0.......... = Server not authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........1....... = Recursive queries supported by server
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 16 (0x10)
DNS: Name Server Count = 0 (0x0)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: domain.com. of type Req. for zn Xfer on class INET addr.
DNS: Question Name: domain.com.
DNS: Question Type = Request for zone transfer
DNS: Question Class = Internet address class
DNS: Answer section: . of type SOA on class INET addr.(16 records present)
DNS: Resource Record: domain.com. of type SOA on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Start of zone of authority
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 41 (0x29)
DNS: Primary Name Server: server.domain.com.
DNS: Responsible Authorative Mailbox: administrator.domain.com.
DNS: Version number = 26 (0x1A)
DNS: Refresh Interval = 300 (0x12C)
DNS: Retry interval = 120 (0x78)
DNS: Expiration Limit = 600 (0x258)
DNS: Minimum TTL = 86400 (0x15180)
DNS: Resource Record: domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 184.108.40.206
DNS: Resource Record: domain.com. of type Auth. NS on class INET addr.
DNS: Resource Name: domain.com.
DNS: Resource Type = Authoritative Name Server
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 10 (0xA)
DNS: Authoritative Name Server: server.domain.com.
DNS: Resource Record: Dell.domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: Dell.domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 220.127.116.11
DNS: Resource Record: JH40PS.domain.com. of type Host Addr on class INET addr.
DNS: Resource Name: JH40PS.domain.com.
DNS: Resource Type = Host Address
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 4 (0x4)
DNS: IP address = 18.104.22.168
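To put the two points above into something you can actually run, here is an added example of my own (not from the post, the course, or any vendor): a small Python audit that reads DNS query-log lines and reports every zone-transfer request (AXFR or IXFR) that did not come from a configured secondary. The log lines, the addresses, the log format (it imitates the BIND 9 query log) and the list of secondaries are all constructed assumptions for this example. The point of the second rule is the remote-worker case: an address inside a range you trust is still flagged when it is not one of the hosts that is supposed to be pulling the zone.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a BIND 9 query log (not from the post).
# 192.0.2.53 is the one secondary that is allowed to pull the zone; 192.0.2.140 is
# a workstation inside the trusted range; 198.51.100.77 is an outside address.
SAMPLE_LOG = """\
12-Sep-2016 09:14:02.117 client 192.0.2.20#48821 (domain.com): query: domain.com IN A -E(0) (192.0.2.1)
12-Sep-2016 09:14:05.442 client 192.0.2.53#53201 (domain.com): query: domain.com IN AXFR -T (192.0.2.1)
12-Sep-2016 09:15:11.009 client 198.51.100.77#40122 (domain.com): query: domain.com IN AXFR -T (192.0.2.1)
12-Sep-2016 09:16:30.550 client 192.0.2.140#51733 (domain.com): query: domain.com IN IXFR -T (192.0.2.1)
"""

# Pulls the client address, the zone in parentheses and the query type out of one line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)
TRANSFER_TYPES = {"AXFR", "IXFR"}


@dataclass
class Finding:
    client: str
    zone: str
    qtype: str
    reason: str


def audit_transfers(log_text, known_secondaries, internal_net):
    """Return a Finding for every zone-transfer request that did not come from a
    known secondary. Requests from inside internal_net are still flagged, just with
    a different reason, because a trusted address range is not a trusted host."""
    secondaries = {ip_address(s) for s in known_secondaries}
    internal = ip_network(internal_net)
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in TRANSFER_TYPES:
            continue  # ordinary lookups are not interesting here
        client = ip_address(m["ip"])
        if client in secondaries:
            continue  # the expected replication traffic between primary and secondary
        if client in internal:
            reason = "transfer from internal host that is not a configured secondary"
        else:
            reason = "transfer request from outside the network"
        findings.append(Finding(str(client), m["zone"], m["qtype"], reason))
    return findings


if __name__ == "__main__":
    for f in audit_transfers(SAMPLE_LOG, ["192.0.2.53"], "192.0.2.0/24"):
        print(f"{f.client:>15}  {f.qtype:<4}  {f.zone}: {f.reason}")
```

Run against the sample, the audit is quiet about the real secondary and reports the outside address and the internal workstation. This is the detection side only; the prevention side the post calls for is done on the server itself (on BIND, for example, the `allow-transfer` option limited to the secondaries, or on Windows DNS the zone's Zone Transfers tab), so the log should ideally show the request being refused rather than served.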
September 14, 2016 (Part 2)
Ok, so I really had intentions of updating this like a diary as I study for my GCIH certification. Unfortunately, the real world has caught up to me much like a speeding freight train, as it often does, and I received this lovely note from the GIAC folks advising me that I only have 60 days left to sit for my exam. Needless to say, now I’m scrambling around like an idiot trying to prepare and yeah…lame.
In any event, let me get this done and I will be back to write a huge post outlining all of my adventures!
November 12, 2016
I apologize for my brief absence, but so many things have happened! After my last post, I stopped to take a deep breath and re-evaluate why I wanted this certification.
After those two seconds had passed, I decided it was time to get serious. With JHam’s advice, I tried to stick to 60-75 minutes a night of studying and note taking before forcing myself to do something else. Take a walk, hang out with the family, whatever it took to let my mind cool off. (“netlocksecurity” if you’re an Xbox Live-er 🙂)
I used several different resources, which I’ve listed below, to help with ideas for my index. I can’t tell you how important this process was. Due to the sheer amount of knowledge that you’re digesting, the process of going through the material, line by line, forced me to retain so much!
November 30, 2016
Alright. What do you say we put this ridiculously long and superfluous rant to bed? After creating my index and stressing terribly over both the length of time that it took me to complete my practice exam and the amount of information that I wasn’t 100% clear on, I went through once more. I made sure that I understood buffer overflows correctly and I practiced my own format string attacks to cement these things into my mind. I have a good friend who is a CIS major and we had several discussions about the application stack and memory allocation. As grueling as this all sounds, I’m happy to report that on test day, I shook off my nervousness. I convinced myself that I had learned the information and that at the end of the day, I really did “know what I’m doing”. I came into the test center and, to my utter shock, I was the ONLY person scheduled for the entire day. If you’ve ever taken a certification exam in one of the cramped little “centers”, then I’m sure that you can imagine how beautiful this truly is. In addition to the pressures associated with any difficult exam, being crammed into a broom closet with a room full of seemingly asthmatic, fidgety, and equally nervous adults does not do much for your state of mind. I’ve said all this to say that you truly never know what to expect when you walk into one of these exams, so you must be prepared for the experience as well as the actual exam.
In mid-October, I completed this exam with a 90% and, given the work that I put into it, I don’t mind revealing my score publicly. This was by no means an easy test, nor was it an easy class as boot-camps go. Now, here is the best part. If an exam taker passes any of the GIAC tests with a 90%+, there may be a couple of interesting fringe benefits that present themselves. The SANS Mentor program is a great way to get started as a SANS instructor. You may also receive an invitation to the GIAC Advisory Board, where you can exchange ideas, logic, and so on with other information security professionals.
Would I take another SANS course?
Absolutely, I can’t wait. The detail of the material and the depth of the instructor’s personal knowledge goes well beyond what I expected.
Would I sit for another GIAC exam?
I thought the format was great, the information was relevant and their certification portfolio is respected worldwide. Again, I can’t wait for my next adventure with GIAC.
Thank you for taking the time to visit this post. I hope the information that I’ve shared here is helpful and I would love to hear what you think! Please feel free to leave a comment below.