Bag of Tricks


When I started security, I had the dumb fuck mentality: I don’t know anything, so I’d best learn all that I can about any topic I can get my hands on!

Then came the midwit phase: I will specialize in one facet of security and become the best at this.

I believe my midwit phase is almost over, and I have proceeded to the megamind* phase: Everything I learn can be useful one day. Not today, not tomorrow, but one day, the topic will come up.

*megamind == dumb fuck with more work experience

What is the bag of tricks?

I first heard this phrase when I listened to Darknet Diaries (as one does). Jack talks to Tinker Secor (a great person and a spirit animal for many).

Yeah, I love pen testers. It’s like you’re Felix the Cat; you have a bag full of tricks and you never know when you need it but you just have them ready to go.

(Source: Darknet Diaries ep. 36: Jeremy from Marketing)

Let’s see how this went for me, how I found my bag of tricks and how I never want to give it up again.

The bag of tricks had to be shown to me

The bag did not make itself known to me until a year or two ago, when I joined my first telecom. It was a huge company and I was hired as a SOC analyst, but I must say my boss was extremely attentive. During the interview, I got a test involving a laptop and was tasked with doing evidence collection. The scenario was “Your friend asked you to look at her laptop, because anything she uploaded to it showed up on porn sites a few days later. Her friend has the root account and he installed it for her.”

I went forward as I knew Tinker would, not doing crazy shit. There was no internet connection, no antivirus (it was Debian and ClamAV would have had to be installed) and no systemd. From what I gathered, I assumed the system might be pinging some remote IP or be accessible on a specific port from anywhere. Since you can never count on NAT being on your side, I started low and slow. I ran ps aux and netstat -tupln to see what ports were open and what processes were running right off the boot. After that, I started looking into command history, /tmp, and so on, wherever I thought it would be helpful. I also looked into every folder using ls -hal. My soon-to-be boss was looking over my shoulder, and then it happened.

I can see you were a pentester!

I was stunned by this. How could he recognize it from a few commands that I assumed any incident responder would run in this scenario? Sure, I did not secure the evidence and I didn’t make a disk image, but none of those tools were available. That’s when it hit me. I had some tricks this guy didn’t see often; he was used to people working in a specific way, and since I was basically a Linux fan pretending to know what blue team does, I did what I could. I didn’t expect it to be enough, but apparently it was.
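The triage described above, as an added example that is not part of the original post: a POSIX shell script that runs the same commands (ps aux, netstat -tupln, shell history, /tmp, ls -hal) in order of volatility, most volatile first, and writes a SHA-256 manifest of everything it collected, so that even without a disk image the collection is at least self-documenting and can be re-verified later. The function names, the output file layout and the fallback from netstat to ss are my assumptions; the script assumes GNU coreutils (sha256sum) and nothing else.

```shell
#!/bin/sh
# Added example, not the post's own script: minimal live triage on a Linux
# host that has no forensic tooling installed. Collects volatile state first
# (processes, listening sockets), then history, /tmp and cron, hashing every
# output file into a manifest. Assumes POSIX sh and GNU coreutils (sha256sum).
set -u

# Hypothetical helper: print the first command in the argument list that is
# available in PATH, or return 1 if none is.
pick_tool() {
    for t in "$@"; do
        if command -v "$t" >/dev/null 2>&1; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

# Run a command, store its output as <dir>/<name>.txt with a UTC timestamp
# header, and append the file's SHA-256 to the manifest. A failing command is
# recorded (exit status in the file) rather than aborting the collection.
capture() {
    dir=$1; name=$2; shift 2
    {
        printf '# %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
        "$@" 2>&1 || printf '# exit status %s\n' "$?"
    } > "$dir/$name.txt"
    # Hash relative to the case directory so the manifest verifies from there.
    (cd "$dir" && sha256sum "$name.txt" >> manifest.sha256)
}

# Collect in order of volatility and print the case directory that was created.
triage() {
    case_dir=${1:-"triage-$(date -u +%Y%m%dT%H%M%SZ)"}
    mkdir -p "$case_dir"
    : > "$case_dir/manifest.sha256"
    capture "$case_dir" 00-host uname -a
    capture "$case_dir" 01-date date -u
    capture "$case_dir" 10-ps ps aux
    # netstat is absent on newer distros; ss gives the same listening-socket view.
    sock=$(pick_tool netstat ss) && case $sock in
        netstat) capture "$case_dir" 11-sockets netstat -tupln ;;
        ss)      capture "$case_dir" 11-sockets ss -tupln ;;
    esac
    # Shell history per user; the glob stays literal when /home is empty, hence -f.
    for h in /root/.bash_history /home/*/.bash_history; do
        [ -f "$h" ] && capture "$case_dir" "20-history-$(basename "$(dirname "$h")")" cat "$h"
    done
    capture "$case_dir" 30-tmp ls -hal /tmp
    capture "$case_dir" 31-cron sh -c 'cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null'
    printf '%s\n' "$case_dir"
}

# Re-check every collected file against the manifest; non-zero if anything changed.
verify() {
    (cd "$1" && sha256sum -c manifest.sha256 >/dev/null)
}
```

Run it as root with `d=$(triage /mnt/usb/case-001)` so the case directory lands on removable media rather than on the disk under examination, and keep `verify "$d"` for when the collection is handed over. It is still not a disk image: running it changes atime on the files it reads and adds a process to the system, which is the same caveat the post's manual commands carry.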

After that, I got a call that I got the job and that I’d be “very useful” to the team. I had no idea what that would mean. My boss showed me my bag of tricks.

The bag grows

When I started out, it was a lot of learning. SIEMs, EDRs, all the good blue team stuff. I was on track to forget all my pentesting, when my boss came to me a few weeks into my probation period and said “Hey, could you test out this rule you just made? You know how to attack like this, right?”

I actually did know, and I tested it that day. Since then, every time a rule was made, I was asked whether it could be tested. This did not hone my pentesting skills that much, but it expanded them in a different direction: It showed me that it’s not just about the sweet hacks, it’s about knowing how to lock it down after you get in.

Why a bag? Isn’t that disorganized?

You may want to see your bag of tricks as a more organized receptacle, such as a briefcase, but I would refrain from it. Putting your skills into boxes blocks the connections between one skillset and another. It’s the opposite of “thinking outside the box.” If you see a door you can break into, you have an easier time fixing it than someone who only knows how to fix doors. You can also try out your theories much more easily.

In normal human talk: If you work defense, try doing some attack work in your spare time; if you spend all your days breaking into companies, look up some EDR rules for detection, not just prevention, and put them in the report for the client!

I have found that no knowledge is off-limits or “inappropriate” when it comes to security. I have some theoretical knowledge of firearms, explosives, assassinations, poisons, baking, cooking, sewing and so on and so forth. Some of these have not come up in conversation just yet, but hey, it’s just a matter of time. The more skills you have, even theoretical ones, the better you can keep up in any conversation. I never thought some basic radar/bug detection knowledge would come in handy, but I have a plan to build a drone detector now!

This was a waste of time

In this post, I just had to vent. Hopefully my next post will be more useful, but take away this: Anything you read, anything you are even remotely interested in, all this stuff will be useful one day.