Redshifted Ghost
Jan 12, 2016

Jeesis posted:

Anyhoo, any advice for someone trying to get into the security field?

Is there a particular area in security that you are interested in? I can't help much on the pentesting/red team front but I can offer suggestions in the incident response and forensics area. This post will have a very heavy slant towards investigating targeted threats since that's what I do for my day job.

If you want to get into incident response and forensics, I recommend picking up a copy of Incident Response & Computer Forensics, which is written by several Mandiant guys. "Chapter 12: Investigating Windows Systems" has a very good primer on Windows forensics. It doesn't touch on everything but covers a lot of the main areas. Overall, some general areas that I recommend becoming familiar with in order to be successful in incident response and forensics are:

Malware Persistence
Understand at a minimum the main ways malware can persist on a system across reboots on a Windows box. The most commonly used methods for persistence are Windows services followed by registry "Run" keys. Other ways malware can persist are through the Windows startup folders, the "UserInit" registry key, the "Active Setup\Installed Components" registry key, scheduled tasks, WMI events, DLL search order hijacking, and a stupid number of other ways. If you want to get a pretty good idea of the ways malware can persist, grab a copy of the Sysinternals tool Autoruns and just run it on your local system to see the ways legitimate binaries are persisting on the system. Autoruns does a great job of showing where the persistence mechanism actually sits, such as the full registry key paths or the full file path for, say, the startup folder.

Lateral Movement
You'll want to understand the ways an attacker can laterally move within an environment from system to system. Protip: 95% of the time an attacker will laterally move the same way a legitimate admin would. Quite literally, WMI, PowerShell, PsExec, Windows scheduled tasks (named and unnamed), and RDP cover most cases. You'll want to be familiar with the forensic artifacts on the source, the destination, and the network (at a minimum being familiar with what ports each of those uses) for those methods of lateral movement. If you want some hands-on experience with investigating lateral movement forensic artifacts, then grab VMware Player (free), create a Windows VM, perform one of the ways you can laterally move to the VM from your localhost, then grab a copy of Mandiant's Redline to create a collector that collects at a minimum a file listing, registry listing, and event log listing. Run the collector in your VM and analyze the data on your local host with either Redline or, if you hate Redline, by parsing the Redline XML output documents to CSV. You'll be able to timeline the event logs, registry, and file system around the time of your lateral movement test to see what it does on the target system.

The Attack Lifecycle
The attack lifecycle is the general overview of what an attacker will do in an environment at a high level. It's good to know since you can use it as a predictor of what the attacker has done to get to where he is if the discovery of the breach is late in the lifecycle, or of what to expect the attacker to do if the discovery is early in the attack lifecycle. FireEye had a decent webinar on this topic.


Frankly, if you are knowledgeable in the three above topics you'd be a good pick for an entry level incident response analyst regardless of your educational background.

If malware analysis is your interest, Practical Malware Analysis is a very good book, though as a heads up, the learning curve gets very steep several chapters in. If you want to learn more about assembly, I recommend some of the Open Security Training videos, specifically Introductory Intel x86.

If anyone else has any questions about incident response or forensics let me know, I'm happy to answer them.
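The two hands-on pieces in the post above, timelining collected file, registry and event log records around a lateral-movement test and recognising the persistence locations it lists (services, Run keys, UserInit, Active Setup), as an added Python example that is not part of the original post and not Mandiant's or Redline's own code. The XML layout and every record in it are constructed sample data in a simplified, made-up shape, not Redline's real output schema, and the set of persistence key patterns is an assumed starting point to extend with whatever Autoruns shows you on a real box.

```python
"""Merge file, registry and event-log records into one timeline, cut the
window around a known lateral-movement test time, and flag registry keys
that sit under well-known persistence locations. Standard library only."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample collection (made-up layout, NOT Redline's real schema).
# Event IDs 7045 (service installed) and 4624 (logon) are real Windows IDs;
# the timestamps and paths are invented for the example.
SAMPLE_XML = """
<collection>
  <FileItem><Path>C:\\Windows\\System32\\cmd.exe</Path><Modified>2016-01-10T09:00:00Z</Modified></FileItem>
  <FileItem><Path>C:\\Windows\\PSEXESVC.exe</Path><Modified>2016-01-11T14:02:10Z</Modified></FileItem>
  <RegistryItem><KeyPath>HKLM\\SYSTEM\\CurrentControlSet\\Services\\PSEXESVC</KeyPath><Modified>2016-01-11T14:02:11Z</Modified></RegistryItem>
  <RegistryItem><KeyPath>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater</KeyPath><Modified>2016-01-11T14:03:40Z</Modified></RegistryItem>
  <RegistryItem><KeyPath>HKLM\\SOFTWARE\\Vendor\\Settings</KeyPath><Modified>2016-01-09T08:00:00Z</Modified></RegistryItem>
  <EventLogItem><EID>7045</EID><Message>A service was installed in the system.</Message><Generated>2016-01-11T14:02:11Z</Generated></EventLogItem>
  <EventLogItem><EID>4624</EID><Message>An account was successfully logged on.</Message><Generated>2016-01-11T14:02:05Z</Generated></EventLogItem>
</collection>
"""

# Lower-cased path fragments for the persistence locations named in the post.
# Assumed starting set; Autoruns on a real system will show you many more.
PERSISTENCE_LOCATIONS = {
    "service": "\\currentcontrolset\\services\\",
    "run key": "\\currentversion\\run\\",
    "userinit": "\\winlogon\\userinit",
    "active setup": "\\active setup\\installed components\\",
}

# Element name -> (source label, timestamp tag, detail tag) in the sample layout.
SECTIONS = {
    "FileItem": ("file", "Modified", "Path"),
    "RegistryItem": ("registry", "Modified", "KeyPath"),
    "EventLogItem": ("eventlog", "Generated", "Message"),
}


def parse_ts(text):
    """Sample timestamps are ISO-8601 UTC with a trailing Z; make them tz-aware."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_persistence(key_path):
    """Return the persistence category a registry key path falls under, or None."""
    low = key_path.lower()
    for label, needle in PERSISTENCE_LOCATIONS.items():
        if needle in low:
            return label
    return None


def parse_records(xml_text):
    """Flatten every known artifact element into a uniform record dict."""
    records = []
    for elem in ET.fromstring(xml_text):
        if elem.tag not in SECTIONS:
            continue
        source, ts_tag, detail_tag = SECTIONS[elem.tag]
        detail = elem.findtext(detail_tag, default="")
        rec = {"timestamp": parse_ts(elem.findtext(ts_tag)), "source": source,
               "detail": detail, "persistence": ""}
        if elem.tag == "EventLogItem":
            rec["detail"] = f"EID {elem.findtext('EID')}: {detail}"
        elif elem.tag == "RegistryItem":
            rec["persistence"] = classify_persistence(detail) or ""
        records.append(rec)
    return records


def build_timeline(records):
    """Order all sources on one clock; ties break on source name for stability."""
    return sorted(records, key=lambda r: (r["timestamp"], r["source"]))


def around(records, center, minutes=5):
    """Keep only records within +/- minutes of the time you ran the test."""
    delta = timedelta(minutes=minutes)
    return [r for r in records if abs(r["timestamp"] - center) <= delta]


def to_csv(records):
    """Render records as CSV text for a spreadsheet or a timeline tool."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "source", "persistence", "detail"])
    for r in records:
        writer.writerow([r["timestamp"].isoformat(), r["source"],
                         r["persistence"], r["detail"]])
    return buf.getvalue()


if __name__ == "__main__":
    timeline = build_timeline(parse_records(SAMPLE_XML))
    test_time = parse_ts("2016-01-11T14:02:10Z")  # when the lateral-move test ran
    print(to_csv(around(timeline, test_time)))
```

Sorting the three sources onto one clock is what makes the pattern readable: in the sample window the logon event, the dropped service binary, the service-install event, the new Services key and the later Run key line up within seconds of each other, which is the kind of sequence you would look for on the destination host. Swap in your own parser for the real collector output and keep the rest.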
