learn

The Resourceful Will Find a Way

June 3, 2018 by Brianne

Since I recently finished the SANS SEC-503 course passed my GCIA exam, I’m enjoying my first week in a while without evenings full of intense studying. There have been fits of cleaning and organizing things I let go too long, and event a move to complete some of the small home improvement tasks I’ve put on the back burner.

This weekend I was working on a project.

For me, this means rolling a cart loaded with lock boxes filled with power tools into an alley and hoping for minimal interruptions. When you have something you want, you make do with what you have to make it happen.

This is exactly what happened.

I made a plan and laid out my mobile workspace. I hefted the materials I needed into the alley. I fired up the cordless circular saw and it immediately died. I did some troubleshooting on the battery and found out it was dead. And the backup battery was lame. But I already staged my materials and with a temporary mobile workspace, you don’t roll it all up and go home until you are finished.

I experimented with other tools I had at my disposal although they were less fitted for the task than the circular saw. I dug through my lock boxes looking for other options. Finally I spotted it – the jig saw I had not used for ages and had contemplated getting rid of in my last clean-through. If my project was the turkey and the cordless circular saw was an electric carving knife, the ancient jig saw was a rusty scissors.

Let me give you an idea of some of the things I worked around to finish the project. Getting a heavy, heavy industrial cart over some PVC pipes clamped down across my pathway. Dead batteries for the set of cordless tools. Not a long enough cord for the jig saw. Broken clamp. A wheel fell off the dolly while I was moving a pile of wood. The lights in the trash room were out and it was pitch dark. You’d think I was the bad news bears of DIY tasks.

So I coaxed and I pushed and I persevered and I finished the job. It was not pretty. It was not at all as I had planned. But it was finished.

I cleaned up my mobile work-site, made a list of things I needed to repair or replace before I came back for the next job. I celebrated the tiny victory of knocking a hard task off the list of things I wanted to finish.

I learned to be resourceful from my parents.

They encouraged us to stick with it. They challenged us to find another way when we hit a wall. They did not freak out at the mess that was made when I attempted to create what I needed myself. I can be a hustler and a hard-worker, and when I take time to think I can be smart about it. The willingness to be resourceful and either persevere or pivot to another way is important to me. It is one of the things I believe can translate into professional settings and differentiates between people who move on and people who finish hard tasks.

Try hard. Learn from the goods and the bads. Try again. Get better.

I Think, Therefore I Am An Analyst

April 6, 2018 by Brianne

There are a lot of tools to learn in the cybersecurity trade. There are a lot of sources willing to teach you about those tools. There are not many people interested in teaching you how to think like an analyst.

I just finished the 3rd course in my Chris Sanders’ Applied Network Defense trilogy: Investigation Theory. Before this course, I’d taken and reviewed Chris’ Effective Information Security Writing and Practical Packet Analysis.

Investigation Theory is a course designed to help an analyst develop a mindset to investigate any type of security event or alert. The course is built to take roughly 10 weeks and you can pace yourself to finish faster or slower. Although it is offered fully online, Chris organizes the course so that a new group starts it together every few months. The benefit of this is that no only do you have the ability to interact with the instructor Chris Sanders in the online course board, you also have the opportunity to post thoughts to and respond to questions from other students. I definitely took something away from reading other students’ answers to Chris’s posted questions at the end of many lectures.

In addition to lectures, the course includes student community discussion, recommended reading, bonus lectures, and interactive investigation labs.

Nothing helps ideas stick better than hands-on practice.

The labs were challenging. I had to try most of them several times before I submitted the correct answer. But I learned ideas of questions to ask and places to look for leads to those answers.

One of my favorite sections in the Investigation Theory course was built around explaining the value provided by different types of analysis data. It focused on the likely available sources in an investigation like packet captures, netflow data, IDS alerts, OSINT, and an armful of different log types. The lecture described the pros and cons of the source and highlighted opportunities to aggregate and pivot on data attributes provided.

I’m proud to have finished this course. I would recommend it. It is less technically specific than Practical Packet Analysis, but it is full of insights that will work for a security analyst no matter what tools and tactics you have experienced.

You can a course description, pricing, and registration information at the Applied Network Defense site.

Plan When You Can

March 30, 2018 by Brianne

Back around the first of this year I sketched myself a learning plan. I committed myself to 2 scheduled learning events this year by paying for them up front. I’m already a natural planner, but when you’re fronting the cash for a class yourself – you take your planning seriously. I’m motivated to be better and I’m driven not to waste time, money, or chances to help get there.

My first milestone event is in April; the next course in my pursuit of a SANS certificate in Core Cybersecurity Engineering. Months ago I researched the course prerequisites and syllabus to brush up on or at least introduce myself to the topics that will be covered. These courses are boot camp style, nearly 50 hours of lessons in 6 days, so I’ve got zero time to lose to being lost.

So I took a crack at experiencing packet analysis, watched through some targeted Hak5 playlists on YouTube, re-read my No Starch Press book covering The Practice of Network Security, tried out some open source IDS exercises online from Bro, and listened to some topical presentations from security cons recorded and posted on IronGeek.

Let me be honest, I am not amazing at any of these things.

But I would love to be and I believe that I can get there with practice and guidance. That’s the point of learning with live, in-person classes. You have access to an expert. The better informed I am, the more meaningful and specific questions I can ask of the instructor.

I allowed myself to wander from the plan.

I’m only human, I took a few sidebars that ate into the prep time I had laid out. I spent time blogging on my website. I took advantage of temporary free access to an online Digital Forensics e-learning course trial that was offered by (ISC)2, (helpful to gain some free CPEs to keep my CISSP active). I started watching a course on Lynda about Neo4j graph databases so I could play with some visualizations. I even sat on the couch to binge watch 2 entire seasons of This Is Us when I should have been on the computer.

I feel decent about my progress, bring on more of the hard stuff.

Make the Most of Thinking Differently

March 25, 2018 by Brianne

I believe in the idea that diversity of thought, style, and skill is good for a team. I try to keep in mind this quote I found attributed to Bill Nye.

My personal challenge is in listening well to others, asking good questions, and ultimately being open to changing my own perspective.

This is hard work.

I can always use inspiration and suggestions for practice to help me improve. I recently found such a book called Collaborative Intelligence: Thinking with People Who Think Differently by Dawna Markova, Ph.D. and Angie McArthur at my local library. After I read the borrowed library book, I purchased a copy for my personal bookshelf because I knew I would come back to this one and *gasp* might even want to write in this book.

The gist of the book is that if you understand how you or others are approaching the question, you can maximize the effectiveness of the thought. Sometimes the problem needs focused concentration, sometimes sorting and organizing, and sometimes brainstorming – but we can all use a solid “thinking partner” to bring out the best results. The authors have translated their research into a model for determining and working best with each person’s Mind Patterns and Thinking Talents.

The first thing I enjoyed about this book was its ability to summarize the materials contained in each chapter within a table on the last page of the chapter. Consider this the TL;DR of the book. The book comes to life for anyone reading it when it comes time to evaluate your own thinking styles. The authors even recommend what types of environments are most effective for generating types of thinking. Here’s a preview of what a KVA Mind Pattern like me should keep in mind:

I’m definitely planning on using the supplemental materials available on the the Collaborative Intelligence website to have my immediate team take the quiz to determine your own mind pattern. I’m looking forward to trying to put some of these Collaborative Intelligence practices to work.

Space to Work

March 16, 2018 by Brianne

There are a lot of influences on an event. Each of us have our own set of internal and external forces working on us as well.

My goal is to be able to draw from my headspace or my heartspace.

You know those days when your senses tingle to lead you to your lost keys and there’s no actual logic or reason to your discovery? That’s your heartspace. Your intuition, instinct, and natural internal abilities drive from the heart. You can close your eyes and lead from your heartspace with nothing but an idea and some imagination.

At other times nothing but numbers drive what you do next. You work smart with the tools you have at hand. You follow a procedure and endeavor to produce predictable results. You make a plan based on the likeliest outcome and use a tried and true technique to get there. Some days you don’t want to chase a guess so you follow a trusted formula and lead with your headspace.

Both of these methods are good methods. Finding a blend is even better.

I’m really in The Zone when I can work from both my headspace and heartspace. If I can build a plan based on the research, pay attention to the fails and the changes and then pivot into a new idea or a variation on the primary, I can persevere. Work with your peers and mentors, dig in to your headspace and your heartspace. Make questions and find answers and keep trying – be it forward, backward, or sideways – till you get your conclusive point.

I put together the above image with my free trial of MindJet Mind Manager 2018. I consider this a Venn diagram of the things that live within my own headspace and heartspace.

Find a Zone that works for you and build up your material understanding and experiential inclinations to grow it and support it.

Reputation by Site

March 10, 2018 by Brianne

Websites can get a reputation from the material they contain, the company they feature or attract, as well as from the internet reputation machines that scan and crawl them. My hypothesis is that if I can do some legwork to positively impact the machines and databases of the internet, it will help buy goodwill and trust that helps bridge into a more positive personal reputation.

What do the internet respectability engines think about BrianneFahey.com?

I like to come to a conclusion from an aggregate of data, so let’s check a few different options and put together a story of my website’s reputation. Two of the common sources of website safety information are included in the anti-virus and computer protection packages from McAfee and Symantec/Norton. Having one of these programs installed allows you to see some immediate feedback when you search for a website before you go to that site. It’s like looking through the peephole before deciding whether to open the door.

I would definitely be more comfortable visiting a site with a green check mark than a grey question mark or that evil red x. I installed the browser extension for both McAfee WebAdvisor and Norton Safe Search and navigated to BrianneFahey.com. Both plugins are greyed out, and when I mouse over them, they indeed say they are registering no reputation feedback. I’m relieved to not have to overcome any negative reputation marks, but to get to green we need to fill in this blank slate with facts.

The good news is that my reputation is mine to influence at this point.

Web crawlers can use the information posted on the site including text and images and other files to rank you, but they are not sentient so they may not be able to determine the intent of your site. It’s up to you to convince them that you have good intent and wish no harm on the people of the internet and you deserve a green check mark. My plan to establish a good reputation involves visiting the machines that are generating, collecting, and providing this information to make sure they are understanding my intent.

Review and Correct the Reputation and Categorization

Internet filters and proxies can rely on website categorization to determine what blocks of URLs to allow and what block to deny. You can review what the engines have categorized your site as and suggest a more appropriate category. If you start a small business and create a quick website – you need to be aware of whether entire enterprises are being blocked form viewing your website inside their corporate network because it is misclassified as Gambling or Adult/Mature Content or worse. There is some risk in being unclassified as well because some filters might be set to default block unclassified or very new sites to protect themselves from domain generating algorithms (DGA) that spin up and disappear within weeks to facilitate phishing attacks. You’re going to want to review the available categories and their definitions to make the most appropriate choice as any petitions to recategorize a site will be reviewed before they are accepted.

Symantec Norton SafeWeb
- I registered as the owner of my site and Norton sent me an email with a method to validate.
Symantec BlueCoat Web Pulse
- BrianneFahey.com was initially categorized as “Search Engines/Portals”. I submitted a request to have it classified as “Personal Sites” and “Computer/Information Security”.
WebSense ForcePoint
- BrianneFahey.com was initially uncategorized. I submitted a request to have it classified as “Societies and Lifestyles: Blogs and Personal Sites”
Trend Micro Site Safety Center
- BrianneFahey.com was initially categorized as “Untested” and “Newly Observed Domain”. I requested the site be retested and submitted that it be classified as “Personal Sites” and “Computers/Internet”.

Check the Pulse

Websites change and reputations evolve. It’s a good idea to regularly check in on your site’s ratings and feedback. A simple way to generically have the web checked for you is to setup Google Alerts for your domain and name.

Beyond the sites and tools mentioned above, here are a few other open sources of intelligence (OSINT) tracking website reputation and safety.

Website Name	Potential Feedback
URL Void
Virus Total
Google Safe Browsing
RiskIQ Passive Total

Good luck protecting your web domain’s reputation!

I like to go through an exercise of putting thoughts into a visual model that makes sense while I’m working through something. Time does not always allow (and alert queues are not always forgiving) but it leaves me with clarity and the easier ability to repeat a procedure if needed. I’m utilizing a 30-day free trial of Mindjet MindManager 2018. It is fantastic, but pricey for individual home use so I’ll evaluate my needs and priorities and I will miss it when it’s gone. Made use of MindManager by assembling a visual procedure to summarize the steps described in this post.

Packet Analyzing

March 3, 2018 by Brianne

I recently finished Chris Sanders‘ Applied Network Defense online course for Practical Packet Analysis. Before I give you my impressions of the course, let me give you an idea of where I’m coming from and what I expected.

I never captured a packet before mid-2017.

I knew I’d need some practice analyzing packets to maximize my experience in the SANS SEC503; Intrusion Detection in Depth course later this year. I’ve never had a job role that gave me the opportunity to work hands-on with networks so at times networking can be an Achilles heel of mine. I’ve done a lot of reading and a little bit of experimenting at home, so I was eager to pour myself into some labs and figure out what I could do and what I needed to work harder toward.

I purchased myself a course license and started chipping away at the materials in September. I also bought a copy of Chris’s Practical Packet Analysis book through No Starch to use as a reference.

The Practical Packet Analysis course runs on demand (you can start as soon as you purchase a license) and includes more than 100 videos and more than 20 lab exercises. It’s available to you for 6 months. I worked on it off and on a few hours a week for about 5 months and I noted a few lectures and labs I’d like to revisit in my last few weeks of access. Because it was that good.

This course covers so much material.

It does a really incredible job of incrementally walking the student through progressively more specific and challenging material. You start off with some high level network concepts and a lot of attention to the OSI Model, work into understanding how those protocols and activities manifest in real life, and then top it off with learning to efficiently comb through the packets captured from this network activity with tcpdump and Wireshark.

This course is worth every hour you put into it.

I will be able to use things I learned in this course immediately, even without needing to analyze packets daily in my day job. The lectures are well communicated. The material is current and specific. Chris Sanders doesn’t lean on expensive tools or on only one way to approach a question. He teaches you to think it through and answers questions by providing applicable advice instead of answers. Certainly you can skim past sections you already know and visit subjects you’re struggling with more than once. I particularly benefited from focusing on understanding the explanations for the malware labs analysis, examining HTTP responses, carving out transferred files, and exploring traffic manipulation.

I’m pleased to have finished the course and definitely open to taking any of the other Applied Network Defense Courses when I need to go deeper into the other available subjects.

Virtually No Room for Ego

February 9, 2018 by Brianne

You can’t watch from the sidelines forever…

One of the reasons I’m such a fan of continuous learning is for the perspective it brings. For me, going through a capture the flag (CTF) exercise or packet capture lab is a humbling experience.

Even if you’re confident in your grasp of the concepts, implementing them is a totally different experience. It reminds you to value people who have skills you don’t. It reminds you that doing something is harder than saying something. It reminds you to teach or show anytime you can to pay back so the help you ask of others. It reminds you that no one does it alone. It reminds you to celebrate small victories.

Last week I wanted to setup a clean Linux distribution virtual machine to enable practicing packet capture and analysis with an operating system different than my host machine. Again, the concepts are understandable, implementing in an environment you’re comfortable with is a challenge, and trying in a less comfortable environment is like writing with your not dominant hand: ugly unless you do it repeatedly.

When you can’t complete your original plan, recalibrate and regroup!

Short story long, I ran into hiccups with my Linux vm install, had to start over twice, and ended up putting hours into what should have been as easy as ‘start program’. Packets practice was an after thought to establishing a solid virtual environment. And I’m left feeling again like I’m learning to tie my shoes with boxing gloves on my hands.

To those who can do the things in my learning list; I commend you for your mastery of trades and topics that don’t come easy to most. I also would like to take you out for a coffee sometime and pick your brain. And when you need a tip about Excel, Process Flow Diagrams, or Buffy the Vampire Slayer, text me.