For this fourth installment of advice columns aimed at people who are interested in learning more about security as a craft or profession, I reached out to Richard Bejtlich, a prominent security blogger who last year moved from a job as director of incident response at General Electric to chief security officer at security forensics firm Mandiant.
Bejtlich responded with a practical how-to for a security novice looking to try on both attacker and defender hats. Without further ado…
Bejtlich: Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.
Rather than try to devise a thorough curriculum that provides balanced coverage of the dozen or more distinct disciplines that one might call “digital security,” this article covers one aspect: magic. More specifically, this advice strives to dispel the notion that digital security is a realm where only magicians can perform superhuman feats involving computers and data. Rather, the point is to provide a way for beginners to get a feel for convincing a computer to take actions probably not expected by its original programmers. For those with a more technical inclination, the article provides a means to watch what is happening at the network level.
Many mainstream press pieces about digital security include the terms “cyberwar” or “cyber weapons.” Cyber weapons sound as though they can penetrate thirty feet of concrete and eliminate targets with precision unmatched by kinetic weapons. In some ways they can, but not because they possess magical properties. The cyber weapon chosen for this article is Metasploit, called a cyber weapon by none other than its creator, HD Moore.
For those with some technical inclination and an interest in trying a cyber weapon hands-on, I recommend visiting the Rapid7 How to set up a penetration testing lab site. Follow the instructions to download and try Metasploit, possibly extending the experience through Offensive Security’s “Metasploit Unleashed” online class. The easiest way to deploy Metasploit is to start with a prepared distribution like BackTrack Linux and launch exploits against a distribution designed to be vulnerable like Metasploitable.
By using Metasploit to take over vulnerable services on a computer, the user will learn that using cyber weapons is often a question of patience, judgment, planning, and operational tradecraft. Besides being a motivational exercise, the user will likely learn that humans are the most interesting element of digital security, not mindless malware or other malicious code.
To add an element of Network Security Monitoring (NSM) to the experience, deploy three separate laptops or PCs connected to a dumb 10 Mbps hub, such as a NetGear EN104TP hub. The first platform runs Metasploit via BackTrack Linux. The second platform runs Metasploitable. The third platform runs a NSM distribution called Security Onion, created by Mandiant’s Doug Burks.
Now, when launching attacks from Metasploit against the Metasploitable targets, the Security Onion NSM platform will see the traffic and potentially alert the user to the activity. Alternatively, evidence of the attacks and follow-on exploitation activity will be logged for deeper manual analysis. In any event, seeing the same activity from the perspective of an attacker and defender is highly motivational and educational. That is the reason I chose a similar approach for my own TCP/IP Weapons School 3.0 class.
For a novice, this experience is enough to dispel the magic that “cyber weapons” are silver bullets. In the end, it’s all software that depends on the creativity and discipline of developers, operators, and defenders to make a difference.