Thursday, July 20, 2017

Infosec Jobs

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey.

Let me clear the air a bit first. That was not an attempt to broadcast me searching for a job. I am not ‘on the market’ and no I didn’t apply to any of those jobs that I tweeted about. That was also not an attempt to phish for compliments, ego inflation, or many other interesting things I was accused of in private messages and subtweets.

The Backstory

Here is what happened. As a Senior Consultant for an Incident Response firm, I periodically take a look at other jobs that show up on the market for situational awareness. I have found that the industry titles seem to vary quite a bit as the responsibilities of my Senior title seem to be equivalent to other firms’ Principle, Lead, Manager, or even Director titles. There are Managers that don’t manage, and there are Leads who do. It is pretty spread out.

While looking at one of those postings, I said to myself “Hmmf. I can’t qualify for this job with the same title at a different firm.” I then did a mental inventory of my professional network and started identifying people I have connected with in the past that I could reach out to if I were to go through the application process for that job. That took me to another statement to myself, “How does someone with less time in the industry (and likely less connections) make it past any of these requirements.” Naturally, this mostly applies to folks that are very new to the industry. Then off to twitter I went.

The Response

The responses that I received came in through all different avenues: text, LinkedIn, Twitter, Email, even one on Instagram. I would have probably seen a few on Facebook, however I do not currently possess any credentials to logon to that god-forsaken website.

The responses also varied in their messages. I got a few that definitely do not need repeating, and I'm not exactly sure where the motivation came from behind them. On the other extreme, I received a response from someone (or someones) in my network at every one of those companies that I mentioned in a tweet. Many have very graciously offered to put me in touch with someone to get me hired there, and this would bypass the HR and recruiters to ensure that I was considered. I am thankful for all of those responses since it shows how much of a community I have with those individuals. That wasn’t my intent though, and I hope this post makes that more clear.

The Bypass

What makes me so special? Why did so many people offer to take me around the filters?

I have been in the industry for a really long time
This doesn’t mean I know what I am doing. At the most basic level, it means I have been able to fool enough people for a long enough time to stay employed. While that is not an accurate representation of me as a whole, my length of time makes no other indication.

I work for BigName firm
Yup, I do. I also know a lot of people that are very new to the industry and still have a lot more to learn that also work for big name firms. This also does not show anything about me.

I have followers on Twitter
Ya, I have some. There are plenty of people that have tons more followers than I do. There are also folks that I know who are extremely knowledgable and very good at their jobs with a double digit follower count or no Twitter account at all. It is quite easy to look smart on the internet when I have time to plan and research what I decide to make public.

I have a blog to share my thoughts and research
Now we are getting somewhere. My posts on this blog are a far better representation of who I am than some of the things mentioned above this. Although, it is still quite easy to look smart here because of the time allowed for planning and research. What is more difficult to fake, however, is my communication skills. My writing here is a clear demonstration of my abilities to convey points to a widely varied audience, although the majority of readers here seem to be more technically focused. We are finally looking at something that employers could use in their evaluation of me as a potential candidate.

I have spoken at conferences
Another point that gets more into who I am. We are also getting into an area that is a bit harder to fake. Sure, there is still prep and research involved ahead of the point in which I am delivering my talk, and I certainly do plenty of that. What is nearly impossible to fake is my presence in the room and my authority on a topic. As a bonus, there have even been recorded sessions I have delivered that are available publicly on the internet, and this allows me to provide another demonstration of me to a potential employer.

I know lots of people
This seems to be the most significant point in this list. My time in this industry has put me in contact with a large amount of people. People I have made enough personal connection with to where they care about my wellbeing in terms of being employed. People that have calculated the risk involved, and are still willing to put their reputation and connections on the line to help me.

The Takeaway

Every job I have held has been through some connection. I have not received any jobs where I applied through some web portal. I have tried some of those in the past, and have many times not even received a courtesy rejection letter. My experience is often not categorized as ‘cybersecurity’ or ‘infosec’ depending on which recruiter I talk to.

If you are struggling with breaking into the industry, here are my pointers (which is really an echo of so many others’ great advice as well):

  1. Start a blog and post about stuff. it can be research, thoughts, infosec challenges, or a number of any other topics. If you would like some help getting started on this, please feel free to reach out to me. I enjoy helping motivated people. The information you put in public can give employers more data to consume when you are short on other requirements.
  2. Work on your soft skills. I have a few posts up here about how soft skills can be improved in various ways, and I intend to continue these posts. You need soft skills in this industry if you want to get into the better jobs. Interviews will make or break your job application in the end.
  3. Go out and meet people. This can be virtually or physically. There are quite a number of people who I would consider to be a step above acquaintance in terms of relationship who I have never met. Some I might not even know their real names! Connections will get you in the door.

Last point, I am in no way criticizing the companies that put up those job listings. They have reasons for asking for those requirements, probably because something has bit them in the past. I am not saying they should relax their requirements either. What you as an applicant has to recognize is that the requirements are not always requirements. You need to make meaningful connections to get access to the people that are making the hiring decisions.

I hesitated about initially sending those tweets, and again about writing this post. I am sure another round of hatemail will be heading my way soon. Also, it is not easy to publicly admit that I don’t qualify for so many positions in the industry I have been in for so long. I probably don’t even qualify for the requirements of my current position either. As someone facing the challenges of the hiring process, I hope this can give some comfort and help in your quest.

Good Luck!

James Habben

Friday, July 14, 2017

Compile Time Analysis of NotPetya

I had a thought the other day about some of the NotPetya / M.E.Doc (Medoc) initial infection vector that was released last week. I wondered if the attackers had full and complete access to the Medoc network and even source code. Did they have the ability to inject the malicious code into the source repository? Then just sit back while it got included into the build that was released to the customers. Or did they have more restrictive access to, say, the FTP server holding the update files?

Here are a couple references for those that didn’t keep up with the fast moving data related:
ESET wrote about the code that was injected into the ZvitPublishedObjects.DLL file

Cisco Talos wrote about their investigation on behalf of Medoc with access to internal servers

I wanted to see if I had some data to support the level of access the attackers had, even though I don’t have access to the internal systems. It is very possible that Talos has already made this determination and just not made the statement public.

Executable (exe) and Dynamic Link Library (DLL) files have a timestamp in the PE header known as the compile time. This is often used to identify characteristics of attackers, as many times they forget to cover their tracks with this field.

In my inspection, it appears to me that the attackers had full and complete access inside the network with the ability to inject their malicious code into the source repository (whatever Medoc uses).

Single File

The first thing I did was use PEStudio to analyze the affect DLL file. The compile time in this view appeared to be within a normal time period based on other information that has been provided surrounding this attack.

The timestamp is shown in PT since my system has that set. The UTC time is 2017-06-21 14:58:42. I checked a couple other PE files and found it to be within the same time range.

Multiple Files

There are hundreds of files in the Medoc program folder and a large percentage of them are EXE or DLL. It makes no sense to check things one by one when we have the power of automation. Check out AdamB’s post on clustering analysis using compile times.

I took a similar approach and wrote up a quick EnScript to identify PE files and then parse the 4-byte compile time value and dump it out. I used this approach because EnCase allows me to analyze and extract data without having to mount or copy files out. Also, I have been writing EnScripts for a couple years. ;)

The result tells me that the attackers got the code injected at the source. Look in the following screen shot and you won’t find any times that are overlapping. It also appears to have a reasonable amount of time between files based on the sizes.


What I can’t answer with my own analysis based on the data available is whether the attackers stole the source code and compiled it on their own. According to Talos, they had access to change the NGINX configurations to have the internal server proxy connections out to a server under their control. Did the attackers inject the code into the internal repository? Did the attackers steal the source code and compile it outside of the Medoc network?

Hope you found this as a nice little interesting tangent from your daily tasks. i did!

James Habben

Thursday, July 13, 2017

Soft Skills: Respect

I'm sorry that you interpreted our discussion in the way that you did

I was recently the recipient of this statement. In the best case, it is frustration to hear or read this. In the worst case, it can be depressing and completely demoralizing. Let me provide a few examples with a little elaboration:

As a teacher:
I’m sorry that you didn’t understand what I was saying. It is only my job to talk at you and you are responsible for listening and figuring out the message I was intending to deliver.

As a consultant:
I’m sorry that you didn’t get what I explained. I do this on a daily basis and know so much. I also don’t have time to explain these things to you.

As a friend:
I’m sorry you didn’t interpret that conversation correctly. I was trying to help you to be a better person, but you couldn’t get over yourself enough to hear what I was saying.

As a potential employer:
I’m sorry you understood my statement incorrectly. I hold all the power here and you should be bowing to me to show that you are worthy of a job here.

As a boss:
I’m sorry you misunderstood my instructions. You should have listened better. I know exactly what I was saying and it is your fault you don’t.

Own It

When you decide to take on the task of explaining something, it has become your responsibility to ensure that all of the recipients correctly understand the message. If they don’t, it is YOUR FAULT. This may come as a news flash to some people, but there is no such thing as a mind reader. If you do not explain things in a way that people can understand, you are setting someone (or someones) up for failure.

From Jessica Hyde:
The phrase "I'm sorry" is absolutely meaningless when the onus is then placed back on the party being apologized to in the qualifier. Apologies should be formatted " I am sorry I..." not "I am sorry you...". Argh. The second is just rude.

From Mitch Impey:
the basic rules are valid in every industry and respect is key :)

Treat everyone with respect. Someday it will bite you.

James Habben