Part 3
Intro: What are your learning goals (as defined in your personal learning plan).
What are your finished, running, and planned learning activities?
Blue team
Learning tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Follow workshops related to blue teaming | T | 0.5 day | Must | Done |
| Take part in the Red v Blue team event | T+N | 1 day | Must | Done |
| Expand IDS knowledge (Zeek & Suricata) | T | 2 days | Must | Done |
| Try monitoring techniques (netflow, flow monitoring) | T | 1-2 days | Must | Done |
| Try out SIEM and dashboarding (e.g. Elastic Stack) | T | 2 days | Must | Done |
| Learn reverse engineering and apply to malware | T | 2-3 days | Should | Open |
| Blue-team visit a local building and document findings | N | 1 day | Should | Cancelled |
| Set up and experiment with a Web Application Firewall | T | 1 day | Should | Done |
| Set up vulnerability scanning with OpenVAS | T | 1 day | Should | Done |
Research & development tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Visit the infosecurity.nl convention | R | 1 day | Should | Cancelled |
| Visit seminars related to SIEM/CERT and make a blogpost | R | 1 day | Should | Cancelled |
| Organize or join a session to analyze a vuln. | R | 1-2 days | Should | Open |
| Set up a SoC and a SIEM with a registration system | R+T | 5 days | Should | Done |
| Set up a malware analysis lab for static and dynamic analysis | R+T | 5 days | Could | Open |
Professional application tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Define threat use cases | N+P | 1 day | Must | Open |
| Develop and tune an IDS sensor for an operational env. | R+T | 3 days | Must | Done |
| Set up security monitoring (IDS, logging, SIEM, dashboard) | R+P+T | 5 days | Must | Done |
| Set up vuln. scan in an operational network with OpenVAS | R+N+P | 2 days | Must | Done |
| Set up a register system for triage, analysis, priority | R+N+P | 2 days | Should | Done |
| Run security monitoring on an operational env. | P+T+N | 2-4 days | Must | Done |
| Report a security incident in an operational env. | N+P | 1 day | Could | Done |
Custom tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Setting this server up | T | 1 day | Must | Done |
| Set up reverse proxy using NGINX | T | 1 day | Must | Done |
| Provision servers with TLS certificates via Certbot | T | 1 day | Must | Done |
| Implement a secure password manager | T/N/R/P | 1 day | Should | Open |
| Implement sensor monitoring like Zabbix/Nagios/PRTG | T | 1 day | Should | Open |
Red team
Learning tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Follow the workshops related to hacking & red team | T | 0.5 day | Should | Done |
| Study pen testing methodologies and practices | T+P | 2 days | Must | Done |
| Take part in the Red v. Blue team event | T+N | 1 day | Must | Done |
| Own one of the Linux-based machines on HTB | T+N | 2-3 days | Must | Done |
| Own one of the Windows-based machines on HTB | T+N | 2-3 days | Must | Done |
| Learn how reverse engineering works | T | 2-3 days | Should | Open |
| Pick a lock | T | 1 day | Should | Done |
| Experiment with phishing tools in a contained lab | T | 1 day | Should | Open |
| Visit a building with a red team perspective | N | 1 day | Should | Cancelled |
| Learn how cryptography works | T | 2-3 days | Could | Open |
Research & development tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Visit seminars related to developments in red team | R | 1 day | Should | Done |
| Organize/join a session to analyze a new vuln. | T+P | 2 days | Must | Cancelled |
| Set up an environment for pen testing and red teaming | T | 2 days | Must | Done |
| Develop a drop box that can be used in red team engagements | R+T | 3 days | Should | Open |
| Research covert channels and set up one | R+T | 2 days | Should | Open |
| Research typical and known vulnerabilities in cloud | R+T | 2-3 days | Should | Done |
Professional application tasks
| Task summary | Category | Duration | Requirement | Status |
|---|---|---|---|---|
| Acquire Red-team pentest with a PiE and report | P+T+N | 4 days | Must | Done |
| Perform a pen-test on a shippable product | P+T+N | 2 days | Must | Done |
| Perform a test on a site with responsible discl. | P+T+N | 2 days | Must | Done |
| Perform vuln. analysis on IoT & report findings | P+T+N | 3 days | Should | Open |
Summary
| Details | # |
|---|---|
| Time estimated in days | 75 |
| Time estimated in hours | 600 |
| Time spent in days | 62 |
| Time spent in hours | 496 |
| Open tasks | 12 |
| Done tasks | 29 |
| ‘Must’-priority tasks done | 18 (+3) |
| ‘Must’-priority tasks not done | 1 |
Research
I had a global overview of all the things that need to be done within our research framework and regularly guided and gave people tasks. Furthermore, I've been responsible for the SoC research.
I delivered a SoC PoC with Security Onion and presented it to our customer.
I researched the best way to have a noise generator and rule-triggering script that would be the engine of the game.
I did research into TheHive to see if we could use it for our SoC.
Development
I assisted in creating the SoC.
I configured parts of the Wazuh SoC we're currently using.
I created a Suricata Kibana dashboard interface.
I created all of the Suricata rules, which include the flags for the CTF game.
I made a script that triggers those Suricata rules periodically to test whether they work.
I created another script that combines all of the various triggers of the Suricata local rule set.
I combined the database created by other team members for the front-end with my own script that triggers rules conditionally.
I implemented various servers and services, such as the Suricata IDS, and connected it with the Wazuh SoC.
I defined many threat use cases in TheHive and majorly helped with the integration of various tasks and incident responses.
I made the storyline for the majority of the flags.
Professional skills
I've been a self-appointed project leader since the beginning, with the assistance of Tom as well. It's been a bit rocky, and there's room for improvement, but it has been pretty smooth sailing up until now.
I always set up a stand-up meeting when we physically met.
I developed threat use cases.
I've fine-tuned an IDS sensor in the operational environment.
My work is shown on this documentation system; in it I've shown that I take a very methodological approach. There are many more examples, but alas the template asks for a short impression.
Most of the tasks described in my learning plan correlated with features the project required, such as setting up a SoC; I used the PoC for my own SoC as a PoC in the project and that worked well.
Developing things like threat use cases was new to me and is also tied in with the learning goals.
Creating security incidents was done in the project as well.
Experimenting with OpenVAS was also a part of this, as we discovered a potential false positive in the pfSense network (log4j).
- Group members:
  - The common thought in my group is that I bring/am:
    - Good ideas
    - Creative ideas
    - Hard working
    - Solution driven
    - Enthusiastic
  - But also…
    - Involve the rest of the group better
    - When speaking on behalf of the group, use ‘we’ instead of ‘I’ (i.e. when describing the completion of a task)
    - Spend time on parts of the project I personally don't enjoy working on
    - Reconsider priorities periodically
  - I think I'm very chaotic to work with, and that may not suit everyone.
  - I also feel a great deal of ownership concerning certain tasks, so much so that I forget that it often is a group effort.
  - I really enjoy working on some topics within the Cyber domain and will neglect other work I don't find as enjoyable as a result.
- Conclusions and Advice:
  - What conclusions can you give on your learning thus far and the plan for the second half of the semester?
    - Find order in the chaos and continue to challenge yourself (myself)
    - Reconsider priorities more often
  - Any advice to yourself or to us?
    - More guest lectures/workshops – but this is something I've been saying all semester long.
    - Create your own virtual stack instead of using SecLab