Useful cyber security learning sites: an essential top 10 list of platforms

Here is a short summary list of useful cyber security learning sites, suitable for all levels of experience ranging from novice, through to more advance levels of skills and expertise.

In no particular order:

1. The XSS Rat (https://thexssrat.podia.com/) provides material relating to penetration testing and web application security.

2. TryHackMe (https://tryhackme.com/) has various training paths and rooms relating to both offensive and defensive cyber security. Offers free and paid for content.

3. Security Blue Team (https://securityblue.team/) provides learning material for blue team defenders. Offers certification for working within a SOC environment.

4. OffSec (https://www.offsec.com/) formerly Offensive Security, that offers a premier platform within offensive security for training, certification and community-based activities.

5. Hack The Box (https://www.hackthebox.com/) is a useful platform that offers both free and paid for content, that allows CTF hobbyists to exploit vulnerable machines created by the community.

6. Portswigger (https://portswigger.net/) a professional web application software company that provides the well known BurpSuite tool, and offers a learning platform and certification.

7. PentesterLab (https://www.pentesterlab.com/) is a learning platform for web application testing and several other learning paths, covering learning material useful for cyber security.

8. Altered Security (https://www.alteredsecurity.com/) provides training and certification that focuses more on red teaming, penetration testing Microsoft Active Directory based networks.

9. Zero-Point Security (https://www.zeropointsecurity.co.uk/) is a learning platform that covers red teaming, such as targeting simulated users, using C2 infrastructure, and exploitation.

10. INE (https://ine.com/) a learning company that acquired the eLearnSecurity platform, offering cyber security certifications around penetration testing infrastructure, and web applications.

DISA SRG/STIG Library

The DISA SRG/STIG Library can be used during static analysis of security architecture and system design reviews. The SRG/STIG Library is also used as a reference guide during design assurance activities, to ensure system configuration is assured using industry good practices.

Link: DISA SRG/STIG Library

The SRG/STIG Library can also be accessed using a STIG viewer – stigviewer.com

Black Hat Europe 2018

Black Hat Europe 2018, at ExCeL London
3rd – 6th December 2018

Address: Royal Victoria Dock, 1 Western Gateway, London E16 1XL (map: Directions)

Site link: Black Hat Europe 2018

Black Hat provides attendees with the very latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry will come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings.

For the list of training events, see link here: Training

Honeypots

  • Conpot
  • Conpot is an ICS honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems.

  • Wordpot
  • Wordpot is a WordPress honeypot which detects probes for plugins, themes, timthumb and other common files used to fingerprint a wordpress installation.

  • Shockpot
  • Shockpot is a web app honeypot designed to find attackers attempting to exploit the Bash remote code vulnerability, CVE-2014-6271.

  • p0f
  • P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

  • Suricata
  • Suricata is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

  • Glastopf
  • Glastopf is a Python web application honeypot, that collects information about web application-based attacks like for example remote file inclusion, SQL injection, and local file inclusion attacks.

  • ElasticHoney
  • Elastichoney is a simple elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in elasticsearch.

  • Amun
  • Amun was the first python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.

  • Snort
  • Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

  • Cowrie
  • Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

  • Dionaea
  • Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.

Basic Snort admin

Run Snort
sudo snort

Run Snort with preprocessors configured
sudo snort -v -c /etc/snort/snort.conf

Location of Snort.conf file
/etc/snort/snort.conf

Location of alert log file
/var/log/snort/alert

Location of snort log file
/var/log/snort/snort.log

Check Snort version
sudo snort -V

Edit local rules
sudo nano /etc/snort/rules/local.rules

Understanding the Snort alert log

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

Below is an example event from the Snort alert file from /var/log directory:

[**] [1:2403478:40303] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90 [**]
[Classification: Misc Attack] [Priority: 2]
05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]

The alert log entry can be broken down as the following:

[**] [1:2403478:40303]
The Detection mechanism, Signature ID (SID) and signature revision. The SID (the middle number) has information about most of the signatures. The revision is minor release version of the signature.

If the SID is less than 1000000, this is a SourceFire signature (https://www.snort.org/rule_docs). If the SID is between 1000000 and 2000000, this is a snort community rule. If the SID is between 2000000 and 3000000, this is an Emerging Threats signature (https://emergingthreats.net). Lastly, if the SID is any other range, it will be a custom signature.

ET CINS Active Threat Intelligence Poor Reputation IP TCP group 90
This is one example of a Snort signature. In this case, the Emerging Threat (ET) from the CINS Active Threat Intelligence – Sentinel IPS engine, and has detected a bad IP classification based on poor IP reputation (widely reported and blocked IPs).

[Classification: Misc Attack] [Priority: 2]
The classification of the signature, in this case the signature is classed as an miscellaneous attack with a priority of 2. Snort priorities range from 0 (lowest priority) up to 10 (highest priority.

05/06-22:28:32.932399 XX.XX.XX.XX:xx -> XX.XX.XX.XX:xx
The month/day and timestamp of the signature event followed by the source IP address with port number, to the destination port number. Example denotes XX.XX.XX.XX as the IP address and :xx as the port number.

TCP TTL:238 TOS:0x0 ID:43490 IpLen:20 DgmLen:40
The IP header for the signature event. Displays the Time-to-Live (TTL), Type of Service (TOS), identifier (ID), the IP length (IpLen) and the datagram length – inclusive of headers and payload (DgmLen).

******S* Seq: 0xB035D03C Ack: 0x0 Win: 0x400 TcpLen: 20
The IP header flags (S for SYN), the IP sequence ID (seq), Acknowledgement (ACK), sequence window (Win) and the TCP length (TcpLen).

[Xref => http://www.networkcloaking.com/cins][Xref => http://www.cinsscore.com]
The signature reference for further information.

Popular Cybersecurity Certifications 2018

Offensive Security: OSCP, OSCE
EC-Council: CEH
GIAC: GREM, GCFA, GCFE, GNFA, GASF, GCTI, GSEC, GPEN
ISC(2): CISSP, SSCP, CCSP
ISACA: CISM, CRISC, CGEIT
CompTIA: Security+
SABSA Institute: SABSA
CESG: CCP IA
Cisco: CCNA Security, CCNP Security, CCIE Security, CCAr

Note: not a definitive list.