Part 3
---------

Intro: What are your learning goals (as defined in your personal learning plan).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| The facts:

- What are your finished, running, and planned learning activities?

Blue team
~~~~~~~~~~~~

Learning tasks
---------------

+--------------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                           | Category | Duration | Requirement | Status    |
+========================================================+==========+==========+=============+===========+
| Follow workshops related to blue teaming               | T        | 0.5 day  | Must        | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Take part in Red v Blue team event                     | T+N      | 1 day    | Must        | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Expand IDS knowledge (Zeek & Suricata)                 | T        | 2 days   | Must        | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Try monitoring techniques (netflow, flow monitoring)   | T        | 1-2 days | Must        | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Try out SIEM and dashboarding (e.g. Elastic Stack)     | T        | 2 days   | Must        | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Learn reverse engineering and apply to malware         | T        | 2-3 days | Should      | Open      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Blue-team visit a local building and document findings | N        | 1 day    | Should      | Cancelled |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Set up and experiment with a Web Application Firewall  | T        | 1 day    | Should      | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+
| Set up vulnerability scanning with OpenVAS             | T        | 1 day    | Should      | Done      |
+--------------------------------------------------------+----------+----------+-------------+-----------+

Research & development tasks
-----------------------------

+---------------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                            | Category | Duration | Requirement | Status    |
+=========================================================+==========+==========+=============+===========+
| Visit the infosecurity.nl convention                    | R        | 1 day    | Should      | Cancelled |
+---------------------------------------------------------+----------+----------+-------------+-----------+
| Visit seminars related to SIEM/CERT and make a blogpost | R        | 1 day    | Should      | Cancelled |
+---------------------------------------------------------+----------+----------+-------------+-----------+
| Organize or join a session to analyze a vuln.           | R        | 1-2 days | Should      | Open      |
+---------------------------------------------------------+----------+----------+-------------+-----------+
| Set up a SoC and a SIEM with a registration system      | R+T      | 5 days   | Should      | Done      |
+---------------------------------------------------------+----------+----------+-------------+-----------+
| Set up a malware analysis lab for static and dynamic    | R+T      | 5 days   | Could       | Open      |
+---------------------------------------------------------+----------+----------+-------------+-----------+

Professional application tasks
-------------------------------

+------------------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                               | Category | Duration | Requirement | Status    |
+============================================================+==========+==========+=============+===========+
| Define threat use cases                                    | N+P      | 1 day    | Must        | Open      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Develop and tune an IDS sensor for an operational env.     | R+T      | 3 days   | Must        | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Set up security monitoring (IDS, logging, SIEM, dashboard) | R+P+T    | 5 days   | Must        | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Set up vuln. scan in an operational network with OpenVAS   | R+N+P    | 2 days   | Must        | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Set up a register system for triage, analysis, priority    | R+N+P    | 2 days   | Should      | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Run security monitoring on an operational env.             | P+T+N    | 2-4 days | Must        | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+
| Report a security incident in an operational env.          | N+P      | 1 day    | Could       | Done      |
+------------------------------------------------------------+----------+----------+-------------+-----------+

Custom tasks
-------------

+----------------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                             | Category | Duration | Requirement | Status    |
+==========================================================+==========+==========+=============+===========+
| Setting this server up                                   | T        | 1 day    | Must        | Done      |
+----------------------------------------------------------+----------+----------+-------------+-----------+
| Set up reverse proxy using NGINX                         | T        | 1 day    | Must        | Done      |
+----------------------------------------------------------+----------+----------+-------------+-----------+
| Provision servers with certbot SSL                       | T        | 1 day    | Must        | Done      |
+----------------------------------------------------------+----------+----------+-------------+-----------+
| Implement a secure password manager                      | T/N/R/P  | 1 day    | Should      | Open      |
+----------------------------------------------------------+----------+----------+-------------+-----------+
| Implement sensor monitoring like Zabbix/Nagios/PRTG      | T        | 1 day    | Should      | Open      |
+----------------------------------------------------------+----------+----------+-------------+-----------+

------------

Red team
~~~~~~~~~

Learning tasks
---------------

+----------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                       | Category | Duration | Requirement | Status    |
+====================================================+==========+==========+=============+===========+
| Follow the workshops related to hacking & red team | T        | 0.5 day  | Should      | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Study pen testing methodologies and practices      | T+P      | 2 days   | Must        | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Take part in the Red v. Blue team                  | T+N      | 1 day    | Must        | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Own one of the Linux based machines on Htb         | T+N      | 2-3 days | Must        | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Own one of the Windows based machines on Htb       | T+N      | 2-3 days | Must        | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Learn how reverse engineering works                | T        | 2-3 days | Should      | Open      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Pick a lock                                        | T        | 1 day    | Should      | Done      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Experiment with phishing tools in a contained lab  | T        | 1 day    | Should      | Open      |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Visit building with a red team perspective         | N        | 1 day    | Should      | Cancelled |
+----------------------------------------------------+----------+----------+-------------+-----------+
| Learn how cryptography works                       | T        | 2-3 days | Could       | Open      |
+----------------------------------------------------+----------+----------+-------------+-----------+

Research & development tasks
-----------------------------

+-----------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                        | Category | Duration | Requirement | Status    |
+=====================================================+==========+==========+=============+===========+
| Visit seminars related to developments in red team  | R        | 1 day    | Should      | Done      |
+-----------------------------------------------------+----------+----------+-------------+-----------+
| Organize/join a session to analyze new vuln.        | T+P      | 2 days   | Must        | Cancelled |
+-----------------------------------------------------+----------+----------+-------------+-----------+
| Set up environment for pen testing and red teaming  | T        | 2 days   | Must        | Done      |
+-----------------------------------------------------+----------+----------+-------------+-----------+
| Develop a dropbox that can be used in red team      | R+T      | 3 days   | Should      | Open      |
+-----------------------------------------------------+----------+----------+-------------+-----------+
| Research covert channels and set up one             | R+T      | 2 days   | Should      | Open      |
+-----------------------------------------------------+----------+----------+-------------+-----------+
| Research typical and known vulnerabilities in cloud | R+T      | 2-3 days | Should      | Done      |
+-----------------------------------------------------+----------+----------+-------------+-----------+

Professional application tasks
-------------------------------

+---------------------------------------------------+----------+----------+-------------+-----------+
| Task summary                                      | Category | Duration | Requirement | Status    |
+===================================================+==========+==========+=============+===========+
| Acquire Red-team pentest with a PiE and report    | P+T+N    | 4 days   | Must        | Done      |
+---------------------------------------------------+----------+----------+-------------+-----------+
| Perform a pen-test on a shippable product         | P+T+N    | 2 days   | Must        | Done      |
+---------------------------------------------------+----------+----------+-------------+-----------+
| Perform a test on a site with responsible discl.  | P+T+N    | 2 days   | Must        | Done      |
+---------------------------------------------------+----------+----------+-------------+-----------+
| Perform vuln. analysis on IoT & report findings   | P+T+N    | 3 days   | Should      | Open      |
+---------------------------------------------------+----------+----------+-------------+-----------+

Summary
---------

| This was requested at my last portfolio update, and the estimations are most likely off by a few days. This does not pertain to the time spent on the group project.

+--------------------------------+--------+
| Details                        | #      |
+================================+========+
| Time estimated in days         | 75     |
+--------------------------------+--------+
| Time estimated in hours        | 600    |
+--------------------------------+--------+
| Time spent in days             | 62     |
+--------------------------------+--------+
| Time spent in hours            | 496    |
+--------------------------------+--------+
| Open tasks                     | 12     |
+--------------------------------+--------+
| Done tasks                     | 29     |
+--------------------------------+--------+
| 'Must'-priority tasks done     | 18(+3) |
+--------------------------------+--------+
| 'Must'-priority tasks not done | 1      |
+--------------------------------+--------+

| What tasks and responsibilities do you have in the project: research, development, professional skills?

- Research

  - I had a global overview of all the things that need to be done within our research framework and regularly guide and give people tasks. Furthermore, I've been responsible for the SoC research
  - I delivered a SoC PoC with Security Onion and presented it to our customer
  - I researched the best way to have a noise generator and rule triggering script that would be the engine of the game
  - I did research into TheHive to see if we could use it for our SoC

- Development

  - I assisted in creating the SoC
  - I configured parts of the Wazuh SoC we're currently using
  - I created a Suricata Kibana dashboard interface
  - I created all of the Suricata rules which include the flags for the CTF game
  - I made a script that triggers those Suricata rules periodically to test out if they work
  - I created another script that combines all of the various triggers of the Suricata local rule set
  - I combined the database created by other team members for the front-end with my own script triggering rules conditionally
  - I implemented various servers and services such as the Suricata IDS and connected it with the Wazuh SoC
  - I defined many threat use cases in TheHive and majorly helped with the integration of various tasks and incident responses
  - I made the storyline for the majority of the flags

- Professional skills

  - I've been a self-appointed project leader since the beginning with the assistance of Tom as well. It's been a bit rocky, and there's room for improvement but -- it has been pretty smooth sailing up until now.
  - I always set up a stand-up meeting when we physically met
  - I developed threat use cases
  - I've fine-tuned an IDS sensor in the operational environment

| What products do you have for the finished activities (personal learning, project work, professional skills)?
| See tables above.

| How can you show for the completeness and quality of your work?

- My work is shown on this documentation system; in it I've shown taking a very methodological approach. There are many more examples, but alas the template asks for a short impression.

| Give a short impression of your portfolio and PDR that demonstrates your work and evaluations.

.. toctree::
   :maxdepth: 2

   learning/redteam/ownlinux
   learning/blueteam/setupsocsiem

| What did your learning and project tasks bring you in relation to your learning goals?

- Most of the tasks described in my learning plan correlated with features the project required - such as setting up a SoC; I used the PoC for my own SoC as a PoC in the project and that worked well
- Developing things like threat use cases was new to me and is also tied in the learning goals
- Creating security incidents was done in the project as well
- Experimenting with OpenVAS was also a part of this, as we discovered a potential false positive in the pfSense network (log4j)

| What are your strengths according to group members, teachers, client, stakeholders, or other externals involved.

- Group members:

  - The common thought in my group is that I bring/am:

    - Good ideas
    - Creative ideas
    - Hard working
    - Solution driven
    - Enthusiastic

  - But also...

    - Involve the rest of the group better
    - When speaking on behalf of the group use 'we' instead of 'I' (i.e. when describing the completion of a task)
    - Spend time on parts of the project I personally don't enjoy working on
    - Reconsider priorities periodically

| What critical aspects do you see for yourself, based on feedback and personal evaluation.

- I think I'm very chaotic to work with; and that may not suit everyone
- I also feel a great deal of ownership concerning certain tasks, so much so that I forget that it often is a group effort
- I really enjoy working on some topics within the Cyber domain and will neglect other work I don't find as enjoyable as a result

| How do you search for balance in technical learning, non-technical aspects, and professional skills?

- Conclusions and Advice:

  - What conclusions can you give on your learning thus far and the plan for the second half of the semester?

    - Find order in the chaos and continue to challenge yourself (myself)
    - Reconsider priorities more often

  - Any advice to yourself or to us?

    - More guest lectures/workshops -- but this is something I've been saying all semester long.
    - Create your own virtual stack instead of using SecLab