Posted in Blog, Resources, Review

Workshop Review – DevOps for Hackers with Hands-On Labs w/Ralph May (Black Hills Information Security)

I’ve been wanting to get some exposure to deployment options like Ansible and Terraform, so when a Black Hills Information Security (BHIS) workshop popped up in my LinkedIn feed talking about using both for hackers, I mashed the registration link as fast as I could.

My “why” for taking the workshop was to have a better idea of how I can use Ansible and Terraform to better manage my lab environments. Since I tend to pop up and destroy cloud resources, it made sense to learn more and see if it could help. Plus it’s not going to hurt to know the basics of either one. That the workshop used Digital Ocean was a bonus. It’s nice to get out of the AWS and Azure worlds to see something new.

The TL:DR: if you see a Black Hills Information Security, Wild West Hackin’ Fest, or ActiveCountermeasures webinar or workshop that covers something you are interested in, sign up. It will be a good use of your time.

Workshop Resources

Workshop YouTube Recording: DevOps for Hackers with Hands-On Labs w/ Ralph May (4-Hour Workshop) – YouTube

Workshop Website (looks like Ralph May turned this into a public Notion page, so I’m linking that rather than the original): DevOps for Hackers with Hands-On Labs w/ Ralph May (4-Hour Workshop) (notion.site)

The original website was https://workshop.hackerops.dev

Workshop Overview

This 4 hour (plus an hour for setup) workshop included 4 labs (Terraform, Ansible, Docker, and C2 Deployment). Ralph did an introduction of each topic before walking through the lab. A huge help was that he provided completed lab files. Using the completed files I was able to keep up with the labs. There’s no way I could have typed fast enough. I might have been able to if I were more familiar with the platforms, but this approach worked for me. My plan is to go through the workshop again at my own pace where I can build the lab files myself, knowing I have functional files to check things against if needed.

The initial hour for setup was helpful since I had a brain fart about unpacking the VM and didn’t put it in a specific folder prior to extracting. The BHIS Discord was very active during the setup time, and everyone I saw having issues was able to get moving in the right direction before things started. I really appreciate this extra time because labs don’t go well when your environment is wonky. The lab setup was done the same day, which I think may be a more effective method. An earlier workshop sent the lab files out ahead of time, and I think that is more likely to get put off until it’s time for the workshop. But that was also a pretty large VM download, so there may have been a need to spread that traffic out.

I think you would get a decent amount out of the workshop just following along and not working on the labs during the live portion. I prefer to do what I can hands-on during the live portion so I have a better idea of what I want to go back to.

Presentation slides and lab guides were available for download, and it looks like those will be available on the Notion site for at least a little while. They mentioned Ralph is developing this into a full 16 hour workshop, and I think for anyone who is managing infrastructure for pentesting or red teaming, it could be a good time investment. I could see using this approach to pop up custom infrastructure quickly for each engagement and easily keep things separated out. The BHIS team also built in breaks every hour, so you could have a few minutes to step out for a bio break, check in on work, or wander aimlessly for a bit. That approach is working well for their 4 hour workshops that I’ve been in.

My Takeaways

I wanted to get a good idea of what things were and how they were used – mission accomplished in that regard. These are my brief, extremely high level takeaways. There’s a lot more to it, but these are the things that I want to have stored in my head so I have an idea of what I might want to reference for different projects.

  • Terraform – infrastructure as code, manage infrastructure, fast and consistent, free/open source, great for cloud and API
  • Ansible – infrastructure as code, configuration management, Python and YAML, slower, OS config
  • Docker (this was what was most familiar to me in the workshop) – containers, CI/CD, runs on all the things, application isolation, clean up your images
  • C2 deployment – there are a lot of C2 options available (and a lot of fun logos), calling some just a C2 framework is underselling their capabilities
    • Mythic – Docker(!), cool but there’s a lot going on, need to research more if I want to effectively use this, can be deployed with Ansible
    • I need to look up the ones I’m not familiar with (not being a pentester, these aren’t something I can justify a lot of time playing with) to keep up with what’s out there. I need to look at some of these for labs so I’m not just using Metasploit, Empire, etc. because those are the ones I’m most familiar with. But also beware of chasing shiny things.

Post-Workshop To Dos

I want to go back through and do the labs by creating the files myself. Spending that time will help internalize the capabilities of Terraform and Ansible. I’ll probably do this using Digital Ocean initially, but I think the next time I’m building labs in AWS or Azure, I want to at least try setting things up with Terraform or Ansible as appropriate.

I probably would not go for the 16 hour workshop right now just because what it covers isn’t among my primary responsibilities. If I were in a role where I could use this approach to be more efficient, I’d be jumping at the opportunity. BHIS and WWHF have some of the most reasonable training rates around. And they are offering even more with a cyber range as part of their Antisyphon training, so keep an eye on their training schedule.

Wrap Up

The content was well prepared and well presented. Labs worked and had files available so you could keep up if needed. I have an understanding of how Terraform and Ansible can be used. I know where I can go to find out more and ways to practice using them. I wouldn’t even call myself a beginner, but I know enough to learn more. That’s a big part of why I take things like this.

Bottom line, this was a good use of my time. I will continue to take advantage of the training from BHIS/WWHF/ACM as much as I can.

Posted in Review

Book Review – ADKAR: A Model for Change in Business, Government and Our Community

TL:DR

ADKAR is a critical read for anyone implementing change. It’s less about theory and more about action, but it provides sufficient background to understand the basic theory. Change, whether personal or organizational, is hard. Having a framework to work within helps. The info is especially helpful for security professionals who need to find ways to shape behavior and get people on board with security initiatives.

Quick book review…

The ADKAR book (Awareness, Desire, Knowledge, Ability, and Reinforcement) basically puts the workshop into a quick read. I think it gives you enough to put the information to work, but attending the workshop/doing the certification would probably be helpful if you’ve got the funds. I don’t know that anything is ground-breaking or earth-shattering, but I found the content to be concise and easy to apply. For someone who is process oriented, ADKAR provides a process to actually get changes made. I don’t think the material is really standalone in the sense that it’s the only change/project management thing you need, but I think the pieces covered in ADKAR are a huge help. It’s a quick read, and throughout the book I found myself connecting the material to projects I’ve been involved with. Being able to take the concept, match it to something I’ve been involved with, and pinpoint how the task had been done (or not) was helpful. I could look at things and see where they had been done well (in terms of the ADKAR model) and where they could have used some improvement. For infosec professionals, I think it’s a great resource that can help put policy changes and the security program in a more person-focused light.

Application

If you question whether this info is applicable to IT/infosec, Cisco uses it as the basis for their transformation methodology. The info is actionable enough to let you incorporate it into current projects. You may need to start over in some cases, but there are things you can incorporate at any step of the project if you aren’t willing to go back to the beginning. Security awareness training would be an obvious place to apply the model, but it works for just about anything.

For me, I liked that this was very actionable. I’ve read most of Switch: How to Change Things When Change Is Hard, and while the concepts were clear, they weren’t as actionable. Though I suppose I should finish the last few chapters before I say that with certainty (my meh attitude toward finishing it probably says a lot). I do think Switch offers a lot of insight into change and the different ways that people approach change, but it was not as easy to put into practice for me. Plus it’s a longer book.

Closing Thoughts

Overall, I don’t think ADKAR is the be-all and end-all, but I think it’s a valuable tool. I’ve been learning more about project management and process improvement, and I think ADKAR is a nice addition. Having familiarity with PMI, ADKAR, Six Sigma, Lean, etc. will be beneficial as I work with people from a variety of backgrounds. Each is filling different knowledge gaps for me and is helping me with how I approach things. I guess I look at it similarly to how I looked at the various certifying bodies for personal training – each has strengths and weaknesses, so I don’t want to be tied into just one. If you are at an organization that mandates a particular approach, you know which to go with. But if you aren’t locked into one, I think being aware of the concepts so you can pull from a wide background is helpful. You should probably minimize mixing and matching for a single project, but I can see where for certain things, one might be more helpful than others.

Posted in Blog, Review

Book Review: Deep Work by Cal Newport

TL:DR

Deep Work is worth spending the time to read if you are willing to examine your workflow and habits to maximize your effectiveness. Deep work is hard and takes practice to maintain for longer periods of time. Find what works for you and stick to it. Adjust as your life changes and be aware of the impact of stress, etc. The info is valuable regardless of where you are career-wise, but recognize that the nature of your position will impact how much you can implement things in your work life.

Quick book review…

I have spent a lot of time working on my time management, efficiency, and understanding how I work best. If you haven’t spent time figuring these things out for yourself, I highly recommend taking some time to do so. Find a planning system that works for you, figure out when you have peak mental function, etc. I believe in working hard, but I believe even more in working smart. This is something that Cal Newport has also invested a lot of time in.

Deep Work focuses on dealing with distractions to an extent. The book goes in depth on distinguishing deep and shallow work and the value achieved through both. He provides some ideas about how to maximize your capabilities and focus more on deep work. He also covers the difficulties associated with deep work. One of the key factors addressed is distraction. I don’t necessarily agree with the conditions he places on being distraction free – but that’s just a function of our brains working differently. The concept, however, is critical. I think the concepts can be applied to many fields, but they are especially relevant to cybersecurity. It can be really easy to focus on the shallow work (like clearing low level alerts) and neglect the deep work (building a solid program). A big chunk of the book is dedicated to working through the rules for deep work, and enough examples are given to help you apply the information to your specific temperament and environment.

Application

A book like this doesn’t do a lot of good if you don’t take it beyond the pages. Finding a way to set aside time for deep work is absolutely vital. And also incredibly difficult for many professions. Security analysts can’t say alert triage will be done for X hours per day and Y hours will go to other responsibilities. Ignoring alerts isn’t really an option. Given the current state of cybersecurity and breaches, the pressure to treat every alert like it’s potentially career ending is very real. So how do you apply these concepts within the reality of the profession?

I do think scheduling out your day is a good first step. Adjust as needed as you go through the day, and do this for at least a few days to get an idea of your time. Then you should be able to get a better idea of where you can make time for deep work. Be very conscious of how much time email takes up. Unsubscribe, etc., as much as you can. And find a way to be at peace with not being able to respond to every email.

Getting off social media or limiting it is another big one. I think in cybersecurity, that can be a double-edged sword. InfoSec Twitter contains a wealth of information. But it’s also easy to get sucked into the cesspool. Set a timer, clear data so you have to log in every time, or find something else that works for you to keep your time on social media focused and not infinite scrolling.

The book also talks about minimizing shallow work, which I do think is important. However, I also recognize that many of us may not have that much control over limiting shallow work. As a college professor, yeah, you can do a lot to minimize shallow work. It’s a little different in a more standard work day. See what you can eliminate, but recognize some shallow work is likely going to remain. If you are in a position to help your direct reports reduce shallow work, look carefully at the options and see what can be done. There may have to be some adjustment of expectations, but the ROI is likely worth it.

Probably the biggest takeaway someone should have is to figure out a ritual that will drop you into a state to accomplish deep work. This is absolutely vital. All of the sports psych stuff that I’ve done helped a lot with this. If you are struggling with figuring this out, checking out some of the sports psychology books on peak performance can be really helpful. I benefitted from In Pursuit of Excellence by Terry Orlick. That one has a definite sports focus, but also addresses life in general. If you don’t care for the sports flavor, I enjoyed Mindset by Carol Dweck and Grit by Angela Duckworth. Regardless of the approach you take, being able to essentially flip a switch and drop into a productive workflow is an invaluable skill. The downside of ritual can be feeling like you have to do the ritual to be productive. Be aware as you are developing your ritual that you may not always be able to follow it fully if it’s very long or complicated.

My last thought on application is that deep work is taxing. It’s hard. Being able to sustain deep work for long periods of time will take practice. There may be times when you are less capable of deep work because of other stress going on in your life. I’ve found it important to have ways to be productive that require differing levels of mental focus. That can help improve the return on your more shallow work when you genuinely may not have the capacity for extended deep work. You have to be willing to have the hard conversations with yourself to determine if you are truly fried and approaching burnout or just being lazy.

Note: I haven’t included links to the books here other than Newport’s website. All can be found on the platforms you would normally buy books. Also consider checking your local library for these. I’ve been able to get many of the books I’ve read recently on e-book from the library.

Posted in AWSPTwK, Blog, Review

Book Review: Hands-On AWS Penetration Testing with Kali Linux

Alright, book done; time for a book review. I think this one merits a review with recommendations for labbing effectively because, while it’s a great book in many ways, there were some huge points of frustration.

Overall Impression

Biggest takeaway – don’t let the issues scare you away. If you are wanting to improve your AWS pentesting skills, this is a valuable read. There are parts that were more general pentesting than AWS pentesting, but I understand including that info for context and to make the book available for a wider audience. I really liked the parts that focused on the AWS aspects. It’s worth your time, but I think you might be able to work through the book more efficiently than I did. There were some things that weren’t clear, some errata, and other things that you often see in tech books. I hope that my notes can help people work through the labs with less frustration than I had.

Thoughts on order

I feel like the organization of the book was modified at some point, based on the mismatch between where things were in the GitHub repository versus the book chapters. I also think that since some of the later sections went through setting things up in greater detail than earlier sections, that supports an order revision later in the writing process. I totally get it – something of this scope is insanely difficult to get to press and keep things connected. The AWS documentation is strong enough to help you get through missing pieces, but it would have been helpful to have certain things earlier.

The order as presented was reasonable – it was more that a few pieces had more details later in the book, which made it look like they had been moved. I would have liked the Pacu chapter at the start of using Pacu. I understand the placement – I just would have preferred the info upfront.

Do you need to do X chapter?

If you want to focus on AWS, you can basically skip sections 1 and 2. Those are really focused on setting up Kali and then using traditional pentesting techniques, just targeting an EC2 instance. You can pick and choose the things that interest you and be ok. You don’t “need” to do all of the chapters if you are wanting to just learn more about specific services. I would recommend doing the IAM and logging portions since those do impact the other services, but you can do the book piecewise if you want.

Do you need to keep X for future chapters?

For the most part, the chapters can stand alone, especially if you have familiarity with AWS. Sections 1 and 2 built on each other a bit, but after that everything should be doable with some minimal additional setup. If you have an AWS lab set up already, you should be able to reuse a fair amount of it for this book. Setting up a VPC is something that you will need to do, but it’s not used for everything. The VPC and IAM users/roles are the big things that you need throughout the book. Having a couple of S3 buckets available to make public and exploitable as needed is also helpful, but those are so easy to create that making new ones isn’t a big deal. Honestly, it’s all so easy to spin up that the only thing I would want to keep set up is the Kali instance that had been configured with Guacamole. I didn’t use it for a lot of the later stuff, but you might want to for the pentesting stuff. Since that involved some setup, even just saving it as an AMI that you can create and terminate as needed would be worth it.

Who would benefit from this book?

I feel like this book was a good match for my pentesting skill level. There were a lot of familiar things that were nice to refresh and lots of new things. I think a beginner to pentesting with a decent tech background would be okay, but there would be a fair amount of frustration. For more experienced pentesters who want targeted AWS info, pick and choose what you are looking for. For cloud folks, there is good info on securing AWS, with ideas you can transfer to other platforms. I would not recommend the book for complete beginners (little/no knowledge of networking, security concepts, etc.). But if you’ve got some basic IT experience or are adventurous, go for it.

I noticed a fair amount of frustration from book club members with the initial few chapters. I think it scared some people off from working through the rest of the book because it was taking a lot of time. I know I spent a ton of time trying to get the forensics stuff to work, and when you keep running into roadblocks when you are following the labs, the ROI drops significantly. I’m not sure how much of that the authors could have eliminated given how quickly cloud moves. There are some things that should have been caught (like how forensics work on EXT4…), and I think a little more frustration than I’ve had with labs in other books. But not enough to scare me off from other Packt books or say don’t bother with this particular book.

Costs and how to minimize cost

My costs ran about $10.00 to $15.00 USD each month, and it took me about 6 months to complete. You can definitely work through this more quickly if you are focused. I was doing this on the schedule with book club and had my CASP+ exam in there, plus the whole COVID-19 pandemic thing and work and life. You can reduce costs by terminating your EC2 instances – this, and stopping the EC2 instances when you aren’t actively using them, are the best ways to minimize your costs. I used micro instances for most things and boosted my Kali instance up to a medium or large when I needed more power. I also used a CIS image for the Win 2008 R2 server, which had some minimal costs. You can opt for free OS options to further keep costs down.

Realistically, after the initial portion, you don’t have to keep any of the EC2 instances running. You can save your Kali instance as an AMI and pop it up as needed, but I did very little with the created instances after section 2. Without the EC2 instances, the spend would have probably been less than $5.00 USD per month. I also removed the RDS I created once finished because that service can add up. Overall, a very affordable book to work through if you are taking steps to minimize your costs.

Quick list:

  • Total cost was $10.00 – $15.00 USD per month, for a total cost of around $70.00 USD.
  • By terminating the EC2 instances after section 2, cost could have likely been reduced by half.
  • Shut down EC2 instances when not in use.
  • Use the smallest EC2 instance possible and only increase size when needed.

Parting thoughts

Overall, I really enjoyed working through this book. I had a lot of frustrating moments, but I like figuring stuff out. That led to spending more time trying to troubleshoot than I probably should have spent, but I consider that a learning experience. I would have liked info about whether resources would be needed later as the book moved along, just to help with cost management. I hope the pieces I’ve put down here and throughout the blogs give enough info for others to learn from my experience and keep their costs down even further.

I would definitely encourage others to blog their notes in at least some format (for anything you are working through). I’m finding it a great way to stay accountable as I work through things. And I know I internalize the information better writing it out for someone else to read. Plus it helps remind you of what you have done and at least point you in the right direction when you can’t remember exactly what you did.

Posted in Review

LOD – Learn on Demand Systems Review

I do a LOT of labs. I think labs are critical for developing skills and help you learn ways to effectively execute proof of concept trials. Plus it’s the only way you can work on a lot of things without risking messing up something in production. I’m a big fan of building out home labs using virtual machines and cloud hosting, but sometimes pre-built labs are a better choice because of time or skill constraints to set everything up. I’ve been doing a bunch lately from Learn on Demand. So I wanted to share a few thoughts on the platform for those looking to develop training that will use labs. The info is good for students too, but the platform is really more for those developing training.

Sidenote: I’ve been doing these through Cybrary (where I’m a TA), so they haven’t been purchased through a class or other training.

The Good

I’ve found these labs to be well done with stable environments. I’ve had a few with issues, but for the most part the labs run smoothly. There are a lot of pre-built labs covering a lot of platforms. There are typical labs where you work through the tasks with step-by-step instructions. There are also “IT Pro Challenges” where, instead of the steps, you get directions about what to accomplish and have to work out the steps yourself. The different levels of these vary in how much help you have available and seem appropriately challenging.

They also make a decent number of labs available to try for free. You have to enter contact info to get a link, which I’m not thrilled about, but I understand. The free labs include options for AWS, Azure, and Linux. So you can get a really good idea of what the labs look like. From a student’s perspective, it gives you a chance to pick up some new skills for minimal/no cost.

There are lab offerings for several specific training courses, including Microsoft, but they aren’t really available for purchase as an individual.

The Bad

Finding cost info for these labs is very difficult. I’ve yet to find a way without having to submit info. I don’t like that approach, but given the platform is more for instructors to offer labs to classes they are teaching than for students to purchase labs, I do understand it. Just not really a platform for students to pick up labs.

Occasionally I’ll run into issues with virtual environments taking a long time to load or not functioning properly. I’ve found the issues to be less common on this platform than others I’ve used. And I’ve found support to be very responsive when contacted. Even when things are a bit slow to load, the time allotted is usually more than enough. There is only one lab I can think of where I ran out of time because the lab architecture was being crabby.

Just like any lab with virtual machines, using keyboard commands can get interesting. Figuring out which CTRL key stays with the VM can make the labs an adventure, but I don’t often find this to be an issue. There have been a few times when entering a CTRL command resulted in my browser window closing. A little annoying, but I was able to relaunch and pick up where I left off.

The Verdict

Bottom line, I like when I am taking a training that uses Learn on Demand labs. I know the labs will be stable and well done. I would like for the platform to offer a way for students to easily access the labs without going through training, but I understand this isn’t the focus. There may be more options available if you go through contacting the sales, but I haven’t tried that since I have access through other means. I can see using the labs to verify skills when interviewing for positions or to assess where a new employee needs training. I really like the challenge approach to the labs. The different levels (Getting Started, Guided, Advanced, and Expert) build well and offer some clear learning pathways. I’ve found that by working through the Getting Started and Guided challenges on a topic I’m usually in really good shape for the Advanced and Expert labs.

Probably the best thing I can say about Learn on Demand is that I would consider their labs if I were developing training. Having taught online for a good while, I’m quite picky about the resources I use. I would have no problem using LOD as the platform for my labs, and the availability of pre-built labs makes it a great way to save a bit of time on class prep.