Security experts leverage offensive, defensive tools

Justin Hall is Director – Security Services for CBTS. In the last post of this 3-part series, Justin discusses ways to learn the tools used by security practitioners. In Part 1, Justin discussed the process of developing a background in enterprise IT. Part 2 focused on how to better understand the “attacker mindset.”  

An understanding of the purpose and operation of commonly used security tools not only gives you practical capabilities, but helps to shape that mindset we discussed last time – the attacker’s goals and how they plan to technically accomplish them.

It’s a common theme in security to cut the industry in half and call one side “offense” and one side “defense.” Offense is the practice of compromising a network, while defense is about protecting a network against those efforts.

Every time I speak to a group of students looking to get into the security industry and I ask what excites them about the field, invariably a few of the students respond: “We wanna hack things for a living!” I can’t say I blame them. It’s certainly been one of the more entertaining elements of my career. In that vein, many folks assume that learning the tools used by security practitioners means only the offensive tools.

Offensive tools in security

Learning offensive tools is rewarding on many levels: Gaining practical experience, solving problems when the tools don’t work as expected, and exposing your brain to the approaches taken by an attacker. Probably the most common path is to grab a collection of tools in a package like Kali Linux (built around penetration testing) or SamuraiWTF (built around web application testing) … but then what next? We recommend trying some “capture the flag” (CTF) exercises where you can actually attempt common goal-based attacks in a safe environment. You can also participate in live CTF competitions at security conferences. You might also play around with purpose-built virtual machines and applications that are built solely to practice offensive techniques.

Defensive tools in security

Defensive tools might not be as exciting, but are equally valuable from a learning and career preparation perspective. As they’re typically commercially sold products, we recommend grabbing free versions of some of the more popular tools, such as:

• Splunk, the log management platform. Splunk also offers a great add-on module (a “Splunk app”) called Security Essentials that’s meant solely for learning how to build, run, and use the product as a security monitoring and incident response tool.
• OpenDNS, the DNS/web security product. I use this on my home network to filter malicious and adult traffic, and it’s a great, low-impact project to deploy and maintain a fairly simple but incredibly effective security control.
• Immunet, an endpoint security product. If you use Windows, you can certainly learn a bit about endpoint protection by messing with the configuration of the built-in Defender antivirus product, but Immunet goes a step beyond by leveraging threat intelligence gathered automatically from infections caught by other deployed Immunet clients.
• Nessus, a vulnerability scanner. Use this to scan your home or lab network for vulnerabilities, and then read up on what it discovered, and fix them. Nessus is free for use in the home for up to 16 hosts.

Understanding common IT applications

Security practitioners don’t just use tools that are designed for security work. It is just as important to learn the role played by common applications that IT professionals sit with every day. Some examples:

• Active Directory and Group Policy. In a Windows environment, these applications control system configuration, authentication, role-based access, service interoperability … and yet many security practitioners have no fundamental understanding of how these tools work and are used.
• I love Chris Campbell’s description of Powershell as Microsoft’s post-exploitation language – most security folks think of this tool solely as a mechanism to attack a target system and not get caught, while IT ops folks think of it as a powerful scripting platform that can automate a ton of functions. Either way you see it, if you’re in IT or security in 2018, it’s worth the effort to gain fluency.
• Prefer Linux? Get to know the shell you use (probably bash) and common GNU command line tools like grep, sed, and awk. The Command Line Kung-Fu blog is an excellent resource. Learn regular expressions and bpf while you’re at it.

I’ll put down the firehose for now and encourage you to start anywhere in this list of topics – any and all of them will be helpful to get you moving in your journey to a security career, and build off the other components as well as your existing knowledge. We’re looking forward to having you. Good luck!

Read more about Security offerings from CBTS.  And read this case study to learn how CBTS helped an enterprise client form  a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.