How to Learn Cyber Over the Weekend: An Orientation in 48 Hours
It’s Friday night and you finally decided to “get into cyber.” Or maybe you are starting a Masters degree and are about to take an introduction course to the cyber field and want to read up a bit before the first day of class. What do you do next? The market is so full with buzzwords and a myriad of organizations that promise career preparation that candidates often experience difficulty framing the problem set.
The goal for this article is to help you figure out which direction you want to go inside the overall cyber domain. We’ll start with an initial macro-level orientation to cyber security candidates that will allow you to make an informed decision about where to dedicate their precious time, energy, and synapses moving forward. Armed with this 30,000 foot perspective, you can move forward in the area that makes sense for you anywhere in the framework from threat analysis looking at adversary intent to technical tool development and everything in between.
Since most people best learn through stories, we will begin with case studies.
NOTE: The article is back up! In case it goes down again, consider these other articles: 9 Infamous APT Groups: Fast Fact Trading Cards, the Crowdstrike 2020 Global Threat Report, and recommend either reading SANDWORM or Countdown to Zero Day.
Article: How an Entire Nation Became Russia’s Test Lab for Cyberwar by Andy Greenberg. This article looks at Russia’s involvement attacking power providers within Ukraine’s oblenergos (power distribution companies). First, Andy Greenberg simply wrote a great, easily digestible article. Second, the article effectively walks the reader through not one, but two intrusions into destabilizing the power grid broadly from initial entry to post-exploitation. Eventually, learn this campaign case study from front to back. Communicating complex, technical actions in a simple was is very important in this field.
APT Report: IRON TWILIGHT Supports ‘Active Measures” by the Secureworks Cyber Threat Unit Threat Intelligence Team. This report looks at the (alleged) Russian use of cyber as a platform for information operations and covers everything from gathering military intelligence to false flags to Flight MH17 to the DNC hack.
Here’s there more articles that are highly relevant:
Article: New secret-spilling flaw affects almost every Intel chip since 2011 by Zach Whittaker. This article talks about how a flaw in hardware can be exploited by software to leak data. This article is important because it shows that software is just one part of the “cyber” domain.
Article: UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability by Mark Stockley. This article introduces the concept of the software development life cycle (SLDC), arbitrary code execution, and worms in addition to emphasizing the importance of patching systems.
Article: Emotet Malware - An Introduction to the Banking Trojan by the Malwarebytes Team. This article discusses important concepts like sandboxing, polymorphic code, macros, and command-and-control servers. Emotet was originally designed as banking malware but has since evolved. What is the easiest way to protect against Emotet? Patch.
ASD Essential Eight — I’ve been a big fan of the Australian Signal Directorate (ASD)’s “Essential Eight” for a few years now. Trying to wrap your head around other frameworks like the CIS 20 Controls or even the MITRE ATT&CK™ (below) can be daunting and there is no real priority within the frameworks. The ASD solves that problem and effectively tells you which eight things to implement and in what order. But take it from them, not me: “Known as the Essential Eight, these mitigation strategies make it much harder for adversaries to compromise your systems. Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a successful large-scale cyber security incident.” Of course, the ASD has a much more in depth version of the “Essential Eight” broken out by maturity within the framework and even a prioritized Top 35 list which is still evolving. However, the purpose of this article is to provide an introduction, so just stick with the first eight for now!
MITRE ATT&CK — Now that you have a frame of reference and introduction into the adversary, let’s take a deeper look at how to protect against, detect, (alarm), and respond to intrusions. A great framework mentioned above is the MITRE ATT&CK™ which stands for Adversary Tactics, Techniques, and Common Knowledge. This framework look at pre-attack and post-attack and walks through some of the nitty gritty details found in the case studies above. You should be familiar with the column titles generally. Later in your career it might be nice to be able to explain each column heading and two to three cells from each column.
OWASP TOP 10 — The Open Web Application Security Project (OWASP) Top Ten outlines the web’s current top ten problems developers need to consider when building web applications. It just so happens that the top ten risks are also consistently the top ten ways in! Injection (usually through user input validation problems) and broken authentication are consistently at the top two risks security practitioners need to consider.
Ok, you probably could get through all of this in less than a weekend, but I assume you intend on spending at least a little time with family and friends. I intend to soon release a reading list with actual, you know, books. That reading list works in the same macro-to-micro format that begins with an in-depth look at the Stuxnet case study and eventually progresses to regular expressions. Keep an eye out.
If you’re using this content as a study guide prior to an interview, remember this: overlaying the APT case study campaign onto the MITRE ATT&CK, ASD Essential 8 and, OWASP Top Ten shows an increased level of maturity within the industry.