Path to CND

SephStorm Member Posts: 1,731
Hello,

Wanted to post this in security, but it's not cert related. We find that there does seem to be a decent arena for people interested in offensive security to get started in: a few well known certs, even a semi-formed roadmap or path. I don't see that so much on the defensive side. So after doing some job hunting, I've seen the jobs are out there: incident handlers, forensics specialists, IDS analysts, firewall analysts... for the most part that's it; you'll see some jobs with security duties...

So does anyone think there is a clear roadmap to a CND career? One would think, with articles stating that the US is unprepared for a cyber attack...

Comments

  • the_Grinch Member Posts: 4,165
    I'd argue that the offensive security certs can easily be applied to the defensive side of the house. Generally, it seems like when it comes to defense it rests in the hands of the normal administrators. I've seen places that have security analysts who are basically doing the scans and then sending the findings to the administrator who controls the resources. From there it is on them to either do the patching or configuration changes. I tend to think that an administrator who gets an offensive certification, would then use those skills to look at their devices and make those needed changes. I'm sure others will chime in, but that's my two cents.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • wes allen Member Posts: 540
    Maybe there is a clearer path in offsec because it is a much smaller field, with only a handful of certs, while defense is much broader with a huge range of certs: all the vendor (Cisco, Juniper, Checkpoint, McAfee, MS) specific ones, Sec+, CISSP (and concentrations), GIAC, etc. So many options makes it harder to pick one path.

    Kinda an aside, but still related, this popped up in my feed this morning -

    Schneier on Security: When Technology Overtakes Security

    "The problem is that it's not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They're more nimble and adaptable than defensive institutions like police forces. They're not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side -- it's easier to destroy something than it is to prevent, defend against, or recover from that destruction."
  • SephStorm Member Posts: 1,731
    It certainly is easier. And understanding the offensive side certainly is a positive for a defender. But I think one problem is, like Wes stated, a lot of vendor specific training is out there, and much of it seems to require previous instruction. Difficult to become a firewall specialist unless you've taken CCNA and a McAfee course, maybe a Juniper FW course, which you'll need to get a JNCIA (I think?) first. Same for IDS: you'll likely need to take a Snort course followed by a Splunk course, etc.

    I think there is an unfilled place in the industry for courses that teach the foundations for all of these technologies, and then teach the ideas that can be shared across the board: TCP/IP, OSI, how to write FW rules, how to work with the Windows FW, IPTables, IDS Analysis 101, Incident Handling and Response.

    thoughts?
  • YuckTheFankees Member Posts: 1,281
    I've been in a CND position for 2 months and I'll share my view. Out of the 10-15 security guys I work with, they have all kinds of backgrounds (Unix admin, network admin, customer service, etc.). We do anything from changing firewall rules (open/close ports, add NAT rules, etc.), setting up VPNs (IPsec or SSL), adding URLs to whitelist/blacklist, troubleshooting switching/routing issues, reviewing attacks and seeing if we need to create a signature for our firewalls, reviewing IDS/IPS/logs, etc., etc. Dealing with all these issues, it would be hard to create a clear path. I would recommend studying the concepts in depth (IDS/IPS/firewalls/NAT/VPNs/common attacks/knowing intermediate R&S) and once you have this down, it will become easier to pick up vendor specific products (Checkpoint, Cisco, Palo Alto, Juniper).

    Do you have an idea of what kind of security you want? Because the roadmap to becoming a firewall engineer will be a lot different than computer forensics.

    And the famous JDMurray once said "You can't do defense unless you understand the offense." - 08-12-2011

    Edit: I forgot to mention one of the biggest concepts with defensive security: packet flow. You'll need to know how packets flow through the network (TCP/UDP headers (SRC/DEST IP addresses, SRC/DEST ports), what interface the packet came in on / left from (ingress/egress), is there NAT involved, is there a rule to allow the packet through to its destination, etc.).
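    Yuck's packet-flow checklist (ingress interface, L3/L4 header fields, NAT, then a rule lookup) written out as a small stateful model. This is an added example, not code from any post in this thread or from any vendor product. The interface names, addresses, rules and the NAT mapping are constructed, and the choice to apply destination NAT before the policy lookup is an assumption of this model; as the_Grinch notes, the exact order and the knobs differ per device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on ("outside", "inside", "dmz")
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True when this is the opening SYN of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    ingress: str = "any"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.ingress in ("any", pkt.ingress)
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class Firewall:
    def __init__(self, rules: List[Rule],
                 dnat: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.rules = rules
        self.dnat = dnat or {}        # static destination NAT: (public ip, port) -> (internal ip, port)
        self.states: Set[Flow] = set()

    def process(self, pkt: Packet) -> Tuple[str, Packet]:
        # 1. Destination NAT. Assumption in this model: translation happens before the
        #    policy lookup, so rules are written against internal addresses.
        hit = self.dnat.get((pkt.dst, pkt.dport))
        if hit:
            pkt = Packet(pkt.ingress, pkt.proto, pkt.src, pkt.sport, hit[0], hit[1], pkt.syn)
        # 2. State table: a packet in either direction of an already-accepted flow passes
        #    without consulting the rule base again. (Un-translating the reply's source
        #    address on the way back out is left out to keep the model short.)
        fwd: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "allow (established)", pkt
        # 3. A TCP segment that is not a SYN and matches no state has nothing to attach
        #    to; a stateful firewall drops it without even looking at the rules.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no state)", pkt
        # 4. First-match policy evaluation, implicit deny at the end.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.states.add(fwd)
                return rule.action, pkt
        return "deny (default)", pkt


def build_demo_firewall() -> Firewall:
    """Constructed scenario: a DMZ web server published on a public address via DNAT."""
    rules = [
        Rule("allow", ingress="outside", proto="tcp", dst_net="10.0.0.0/24", dport=8443),
        Rule("allow", ingress="inside", src_net="192.168.1.0/24"),
        Rule("deny"),
    ]
    dnat = {("203.0.113.10", 443): ("10.0.0.80", 8443)}
    return Firewall(rules, dnat)


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in [
        Packet("outside", "tcp", "198.51.100.7", 40000, "203.0.113.10", 443, syn=True),
        Packet("dmz", "tcp", "10.0.0.80", 8443, "198.51.100.7", 40000),
        Packet("outside", "tcp", "198.51.100.7", 40001, "203.0.113.10", 443),
        Packet("outside", "tcp", "198.51.100.7", 40002, "10.0.0.80", 22, syn=True),
        Packet("inside", "udp", "192.168.1.5", 5353, "9.9.9.9", 53),
    ]:
        verdict, out = fw.process(pkt)
        print(f"{pkt.ingress:8} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{out.dst}:{out.dport}  {verdict}")
```

    Running it walks the five constructed packets through the same questions Yuck lists: the first SYN is translated to the internal address and allowed by rule 1, the server's reply rides the state entry, a stray ACK with no state is dropped before any rule is read, SSH from outside falls to the implicit deny, and the inside DNS query hits rule 2.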
  • the_Grinch Member Posts: 4,165
    See, the problem is how do you teach one to write a firewall rule when it's not the same with every device? You can teach the general "flow" as Yuck said, but it's going to be different on every device you touch (ASA, Sonicwall, Checkpoint, etc.). That's where the vendor related training comes into play. Ultimately you need a solid foundation in whatever technology you are trying to secure and from there a solid knowledge of networking. Add in a few tools and you should be ready to rock.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • SephStorm Member Posts: 1,731
    I suppose you would cover the basics that I assume are involved in the process: port numbers, source and destination IP, etc. Then you could teach a few different vendor specific methods, i.e. Cisco ACL, Sonicwall, etc.
  • YuckTheFankees Member Posts: 1,281
    Generally, if you can create a rule with say Juniper...it's easy to do it with Cisco/Checkpoint/Palo Alto. Yeah, you may need to take 5 minutes to look up a command but other than that...they are pretty similar.
  • docrice Member Posts: 1,706
    Security is an extension of existing roles such as systems and network administration, database management, software development, and so on. Offensive security just is another angle on the same subjects. Defense and offense go hand-in-hand, and they both heavily rely on fundamentals.

    So let's take firewalls as an example since we're on that topic. All firewalls essentially work on the same principles. They have to evaluate packets, create states, evaluate policies based on the rules of the network language (TCP/IP), and reliably take action. While every vendor will have different buttons and perhaps process the traffic workflow slightly differently, at the end of the day it all comes down to knowing what network packets, applications, and data is about and how they're structured. The traffic lights and intersections may look slightly different in each city, but the cars that ride along the road all work on the same physical rules.

    Knowing how encapsulation, decapsulation, framing, headers, offsets, typical / atypical values, and other rules of communication work is essential. I've noticed that in the IT world, there are two types of people: people who know which buttons to push, and people who know why you need to push a given button. I recently did some interviews for networking candidates and it became obvious after some time that a lot of people know the commands but don't necessarily understand the actions that take place on the wire once those changes are made to the appliance. A conceptual understanding usually gets you through the day, but that doesn't account for truly understanding the gravity of a decision.

    While I think getting your Cisco / Juniper / Check Point / yadda yadda vendor knowledge is important so you know how to configure the devices in your network to align with organization policy, I've gained much more insight through vendor-neutral training. SANS is one obvious example (SEC-502 and 503), but less-known outlets such as Wireshark University are a big deal, in my opinion. Don't waste your time with the certification, but learn to read raw network traffic if you're going the networking route. Doing debugs on the router or reading firewall / switch syslogs will only tell you so much because quite frankly, they suck. Metadata provides a starting point to pivot from, but seeing the actual headers and payloads saves the day much more often because you can actually see it. I'd rather get the details at that level rather than a Cisco ASA telling me, "Oh, I've established a connection with these two address pairs."

    Vendor-specific certifications don't really dig deep. While I haven't gone far in the Cisco security track, I'll say that I'm heavily disappointed in the material offered thus far. It's one thing to know how to set up port-security on a switch, but they never go into detail why it's important in terms of showing the attack tools and techniques which it helps mitigate. Based on my cursory glances in the FIREWALL and VPN 2.0 books, I understand why so many network security admins aren't really engineers. Simply understanding the features and configuration options on a firewall does not make one a competent security engineer with a good mindset and the ability to visualize potentials.

    There's no clear roadmap for the defensive side because it's an extension of existing verticals. Everything has a security component to it. With the technology constantly changing, slicing itself into more narrow specializations, etc., it's hard to take a fragmented landscape and make a training program that's unified and consistent. In many ways, security is about knowing and accounting for everything and making the best risk trade-off. The offensive side is about sliding through the cracks and demonstrating the gaps.

    If you learn one technology really well enough, the defensive security perspective can come naturally. If you're creative enough, you can think outside the box and see ways to game the existing framework with its inevitable limitations.

    I don't want to wave the SANS banner too much, but I will say they have the broadest security-training coverage. Their courses provide good packages, but in a lot of cases the stuff they teach is freely available in a lot of different places (knowledge base articles, write-ups, blogs, books, etc.). The glue that holds their packages together is the field experience that's baked into the overall training offering and how they neatly wrap up a lot of things together.

    In the end, it essentially boils down to knowing a given subject matter well beyond what vendor training books cover. Those certification guides provide a starting point, not wisdom or lessons learned. It's one of the reasons why someone like me with a lengthy list of seemingly-impressive certifications doesn't necessarily translate into a capable professional who can deliver results in the most cost-effective manner.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
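    docrice's point about reading the actual headers, offsets and typical / atypical values rather than a syslog summary, as an added example (not docrice's code, nor from any vendor or course named in the thread). It builds a constructed IPv4+TCP header pair with checksums left at zero, decodes it field by field using the IHL and data-offset values to find each boundary, and flags a few header values that are legal to encode but unusual on a healthy network, which is the level of detail a firewall log line hides.

```python
import socket
import struct
from typing import Dict, List

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"", ttl: int = 64) -> bytes:
    """Constructed sample: a 20-byte IPv4 header (no options) followed by a 20-byte
    TCP header (no options). Checksums are left as zero; this is a parsing exercise."""
    total_length = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,          # version 4, IHL 5 words (20 bytes)
                         0, total_length, 0x1234,
                         0x4000,                # DF set, fragment offset 0
                         ttl, 6,                # protocol 6 = TCP
                         0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4,               # data offset 5 words (20 bytes)
                          flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> Dict:
    """Walk the bytes by offset: fixed IPv4 fields first, then use IHL to locate TCP."""
    if len(raw) < 20:
        raise ValueError("truncated: fewer than 20 bytes, no complete IPv4 header")
    (ver_ihl, _tos, total_length, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError(f"not a sane IPv4 header: version={version} ihl={ihl}")
    pkt = {"version": version, "ihl": ihl, "total_length": total_length, "ttl": ttl,
           "proto": proto, "df": bool(frag & 0x4000), "frag_offset": frag & 0x1FFF,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto != 6:
        return pkt  # only TCP is decoded further in this example
    l4 = raw[ihl:]
    if len(l4) < 20:
        raise ValueError("truncated: IPv4 says TCP follows but fewer than 20 bytes remain")
    (sport, dport, seq, ack, off_res, flags, window,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", l4[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20:
        raise ValueError(f"TCP data offset {data_offset} is below the 20-byte minimum")
    pkt.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "data_offset": data_offset, "window": window,
                "flags": [name for bit, name in sorted(TCP_FLAG_BITS.items()) if flags & bit],
                "payload_len": total_length - ihl - data_offset})
    return pkt


def oddities(pkt: Dict) -> List[str]:
    """Header values that are encodable but atypical on a healthy network; the kind of
    thing you only notice once you look at the header instead of the log summary."""
    notes = []
    flags = set(pkt.get("flags", []))
    if pkt["proto"] == 6:
        if {"SYN", "FIN"} <= flags:
            notes.append("SYN and FIN set together")
        if not flags:
            notes.append("TCP segment with no flags at all")
        if flags == {"SYN"} and pkt["payload_len"] > 0:
            notes.append("payload carried on a bare SYN")
    if pkt["ttl"] <= 1:
        notes.append("TTL at or below 1")
    return notes


if __name__ == "__main__":
    sample = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 51515, 443, 0x02)
    decoded = parse_ipv4_tcp(sample)
    print(decoded)
    print(oddities(decoded))
```

    The parser never assumes the TCP header starts at byte 20; it reads IHL and the TCP data offset the way a real decoder must, which is also why short or malformed inputs raise instead of silently mis-slicing. The same approach extends to UDP or to TCP options by continuing from the offsets already computed.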