About this Episode:
Cybersecurity concepts are fundamental pieces of knowledge necessary for a career in security testing. In this episode, Joe Abraham, author of numerous Pluralsight courses, shares insights into many security aspects. Listen in to learn about security onion, threat intelligence, cyber threat hunting tips, and more.
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Joe Abraham
Joe Abraham, CCIE #62417, is a Cybersecurity Consultant working in the public sector space, assisting customers develop and implement functional and secure network architectures. He graduated from Excelsior College with an M.S. in Cybersecurity and a B.S. in Information Technology (Network Management). He currently holds many IT certifications to include CCIE, CISSP, GSEC, GCIA, and CCNP Security. Joe is a mentor to IT professionals and a blogger who spends his time either with his wife and three children, exercising, researching and writing about technology, or learning new technologies. Spending much of his experience helping to train and educate IT professionals, he is passionate about teaching and always strives to be a positive influence in the IT field.
Connect with Joe Abraham
Full Transcript Joe Abraham
Joe C. [00:01:57] Hey, Joe! Welcome to the Guild.
Joe A. [00:02:00] Thanks for having me, Joe. I appreciate it.
Joe C. [00:02:02] Awesome to have you with us. So Joe, before I get into it is there anything I missed in your bio that you want the Guild to know more about?
Joe A. [00:02:09] No, I think you covered it quite well. Thanks.
Joe C. [00:02:13] Cool, so I guess my first question, as I said in the preshow, I'm a newbie to Security even though I've been doing this podcast for a year, I assume a lot of my people listening, audience members are probably newbies as well or just getting into it. So first question may be dumb CyberOps, is CyberOps unique to Cisco or is that kind of like a DevSecOps or, you know, AIOps? What is it? Is it a thing?
Joe A. [00:02:40] So CyberOps, I mean, it's just it's just short of cyber operations, it just means cyber operations in general, everything that has to do with cybersecurity and how we manage the threats and deal with it on a daily basis.
Joe C. [00:03:00] Very cool. So a lot of your course the reason why I bring it up is it starts with Cisco CyberOps and then it has Security topics, but it seems like it's more it's not just for Cisco Security. Those courses you can learn Security well, not necessarily being a Cisco customer, I assume.
Joe A. [00:03:21] No, that's correct. Yeah, so the majority of the technologies that we use in the courses are open source and free to download and use. So you don't have to have any sort of knowledge on cyber security to get started with it. And that's what I love about teaching these.
Joe C. [00:03:36] Awesome. So how do you describe what is cybersecurity? What's your definition of what is cybersecurity?
Joe A. [00:03:44] Oh, wow, that's a tough one. So I feel like the term cybersecurity has been evolving for years and it encompasses so much right now. It has anything to do with network security, to host security, to security management and processes and policies. So it encompasses that entire picture and I think I saw a chart somewhere on LinkedIn once where it had all of the different cybersecurity domains and there had to have been at least like 15 or 20 different domains within cybersecurity because it has to do with Pen Testing as well. And so both offensive and defensive security at the same time. So…
Joe C. [00:04:25] So how rare is it then to find someone that knows all types of security? So well, I guess when you're hiring for a security professional, you may just hire a Pen Tester or a Blue Team expert, that type of Red Team expert. Like how does that work?
Joe A. [00:04:40] Yeah, so typically the job requisitions would be for a specific role, right? So there are Pen Tester roles like you mentioned. We have network security engineer roles. We have cyber security analyst roles or sec analyst roles. information security managers, so it's a broad spectrum of security type jobs.
Joe C. [00:05:04] Is there a common thread between all of them that people should have if they're looking to get into Security?
Joe A. [00:05:10] Yeah, a love for security, a love for technology, trying to protect your network or your end points and what I've noticed is that a lot of cybersecurity professionals really love to dig into the weeds and figure out the why, not really the what.
Joe C. [00:05:28] Absolutely. So the first course I actually watched of yours is the Cisco CyberOps exploring security concepts. As I mentioned, I think this will help a lot of people listening. I like to go over some of these high level concepts to kind of get people more familiar with some terminology. First thing I noticed was some cool tooling and one of them was Security Onion. So can you talk a little bit about Security Onion?
Joe A. [00:05:54] Oh, yes, Security Onion is a virtual machine that you can download and install and it has an IDs built in and it has a SIM built in, so you can use it. You can set it up and use it to monitor your network passively. And you can use it to SemSys (??) log or other types of machine data into it. It comes built with the ELK Stack, so ElasticSearch and Kibana so you can see your sys logs right in Kibana in the GUI right there.
Joe C. [00:06:29] Nice. I don't know if this is similar like for software development they have something called x-amp (??) which will install the amp stack, so you have an install PHP, the database, the web server so it sounds almost like this is the security version of that.
Joe A. [00:06:43] Yeah, pretty much, I guess you can say that. I don't want to say it's an all in one package, but it gives you so many security capabilities, including Snort or Suricata now with the newest version of Security Onion. And it just gives you a lot of capabilities to play with. And it's free. It's relatively lightweight to download and install and use so you can get up and running relatively quickly with it.
Joe C. [00:07:07] Nice. So after you go over some higher level things are getting started you talk about threat intelligence. So I thought maybe you go over the three stages that you went over a really quickly and then people can dive in more by listening to your course. But what is threat intelligence and what are the pieces that make it up?
Joe A. [00:07:26] Threat intelligence is really broken down into a couple of different parts, it's both generic intelligence, which is maybe not threat related, but it's helpful in a context. But then threat intelligence itself is where downloading intelligence, we might be downloading indicators of compromise and stuff like that, where we're looking at what the attacker might be doing. And when we figure out how an attack works, we can then use threat intelligence to automatically download that or manually download it into our security tools to look for those specific events. So it gives us the signatures, I guess you could say, so to speak, in order to figure out if the attacks are happening.
Joe C. [00:08:11] Nice. So in that same conversation, I think you mentioned something about the threat intelligence platform. You said it was a new kind of term. So I guess what is threat intelligence platform then for people that probably first time they're hearing it as well?
Joe A. [00:08:27] Sure, yeah, so I mean, a good example of that would be something like Cisco's threat grid or another cloud service where we have all of our threat intelligence uploaded into a threat intelligence platform or somewhere in the cloud. And our devices connect to that and as the attacks are happening on one device, what's really cool is our security technologies upload the information about those attacks to the cloud. That way, everybody else that's connected to it can download that data and it almost in real time detect the same threats. So threat intelligence platform is what host all of that information.
Joe C. [00:09:13] So you talk a lot about information, all this information that's been generated by all the logs and all the things, so it sounds like you use things like Splunk and ElasticSearch to help, kind of like how do you bubble up really important things and ignore things that are unimportant with all this data that's being collected all the time?
Joe A. [00:09:35] That is the secret to success, so we have so much data in our environments, we want to collect a lot of data, but we have to pick and choose what we want because we don't want (unintelligible). And it'll be like searching for a needle in a haystack. So we don't want to overload ourselves with too many. And so what we try to do is create specific searches or maybe we have apps that help us automate the correlation searches where we gather all of these different areas of compromise. And instead of just trying to sift through logs manually we have these automated mechanisms to search for patterns based on these indicators. They could be called (unintelligible) searches. That's what they're called in Splunk Enterprise Security. And so what they do is they help us automatically search haystack needle that for.
Joe C. [00:10:33] Nice. So how much of data analysis type of skill does someone need to be in security? If any.
Joe A. [00:10:45] Well, you have to understand where your data is coming from and how you're getting it and also what it means. So I would say less so from a security engineering perspective you might not be concerned about viewing the data and analyzing it, but if we're sec analysts or if we're cyber operations professionals, we're going to be digging into the data and trying to figure out exactly which events cause an attack or which events did not. So you have to love data analysis or at least enjoy it a little bit. I'm a big fan of enjoying what you do for work, so if you don't enjoy it, you're going to be just staring at the same logs over and over and over again, feeling miserable for yourself.
Joe C. [00:11:28] So how does data come into play in the day to day life? Like, do you walk into work and then you get alerts or do you look at a dashboard and then you're looking for patterns or it's a combination of you getting paged still or text? How does the whole day of life kind of work with the alerting and trying to find issues proactively rather than after a hack has occurred?
Joe A. [00:11:51] That's one thing I love about my job is I get to go into many different environments as a consultant and kind of see how their operations are. So I've seen it several different ways. For the most part, though, there's typically one main tool or two main tools that they use for alerting, and that's what they kind of use to triage their events. And then after triage, they typically prioritize them and then assign them to some sort of analyst to be able to dive deeper and really investigate it to see if an attack is happening or not.
Joe C. [00:12:25] So I guess along those lines, then, would you call this is the term cyber threat hunting? And if so, like, what does that like?
Joe A. [00:12:34] Yeah, you can consider that cyber threat hunting, so if we're hunting, we're doing it when when we're not, I guess you could say racing to do it. Threat hunting is when we're proactively looking for attacks or threats that might have missed our security devices. Whereas, the typical day to day operations of an analyst would typically be responding to alerts and investigating very specific incidents.
Joe C. [00:13:06] So you said you could focus on a lot of different things, you kind of have to narrow down what your focus is on. You also talked about a common vulnerability scoring system. Does that help you know, like “This is to prioritize. We better look at this because this is a high score then this other thing.”
Joe A. [00:13:25] Yes, it does. So what's cool is a lot of the tools now are starting to get a lot of integrations with the CVSS scores and the MITRE attack matrix in all of these other frameworks that help us prioritize and help us kind of see how bad an incident may or may not be. And when it comes at the CVSS scores, those are vulnerability scores, so those help us prioritize more along the lines of patching our systems and trying to close the holes in the systems. So that's where that comes into play.
Joe C. [00:14:00] Nice so you talked a lot about integration also on this course with the data for security experts and you talked about dashboarding. You know, I'm thinking as a software developer and a software developer tester, they usually use CI/CD pipelines and hopefully people are starting to incorporate security checks as people checking code. In general, is it easy to integrate security into your pipelines for developers as well to get them more involved?
Joe A. [00:14:31] I'd say if you start off with the security mindset, then yes, but if you're trying to do it after the fact, that's where it starts to get more difficult. And I have mentioned API several times in my courses in the (unintelligible). Right now APIs are being used all over the place to integrate different tools and like I said, the frameworks and everything like that. So the whole DevSecOps concept is extremely important moving forward for us to start from scratch with the security mindset.
Joe C. [00:15:00] But you did mention you are a consultant, so you get to see a lot of different companies and organizations, is DevSecOps kind of just a buzz word, or are people actually starting to embrace it? Do you see an uptick or is it just, you know, people shrug their shoulders and go on as they always have?
Joe A. [00:15:16] No, honestly, I'd say people are starting to embrace it. With so many attacks and cybersecurity incidents that have been happening over the years, I feel like you were finally starting to cruise from that perspective. We're finally starting to have a security first mindset instead of just trying to get products out and out into the wild.
Joe C. [00:15:43] And you think the reason for that is more hacks or is it because when developers start using more open source code that their application becomes more insecure? Is there a reason why it seems like people are moving in this direction?
Joe A. [00:15:59] I'd like to say it's a result of all of the above, but I can't honestly speak for that. But my thoughts are that. We've been pushing security, security, security for years and years and years now, and I feel like that might be the reason why we're finally starting to see some headway in that.
Joe C. [00:16:21] Now, I know from the outside looking in, it almost seems like security seems like a skill that like a specialty skill not a lot of people like, “Oh, that's the security team's job.” So I don't know is that also a culture that needs to be changed as well to say, “Hey, well, maybe you could start doing other things that make it more easier to get security built in earlier as you're developing your code”.
Joe A. [00:16:47] Well, so, yeah, the DevSecOps thing that I mentioned is definitely important. User education is extremely important for ensuring that the entire company or the entire organization or team has that security mindset. Yeah, I think that's pretty much it from that perspective.
Joe C. [00:17:09] So they need, like models of frameworks you find helpful. I think you mentioned something about the CIA triad. I don't know if that helps. How does that help with security and security in your teams?
Joe A. [00:17:22] Well so the CIA triad helps us kind of identify how different security controls may affect the data or the users so certain technologies help us with confidentiality. Certain ones help us validate the integrity of data and stuff like that. But from a framework perspective, if you're learning about cybersecurity, I would definitely look at the MITRE framework. You know, maybe the dime (??) intrusion model. The course I'm currently working on is going to cover all of those quite in depth.
Joe C. [00:17:56] Awesome. So in the course you also have a section pf I think challenges in cybersecurity. I thought maybe you can go over a few of those to give you a little more familiar, like what are some of the challenges you see within cybersecurity?
Joe A. [00:18:11] Yeah, so there's a lot of challenges with data visibility. I mean, if you think about it while we're trying to get more visibility and get more logs and be able to see more of the network we're also trying to secure it too and by securing it we're also trying to hide that data. So there has to be some sort of balance. A good example of that is things like encryption and VPNs. If users are using VPNs, then we can't see inside of those packets to see what exactly is going on. So malicious activity could be happening without our knowledge. And so there are visibility problems when it comes to the networks. And this is both on the host and the network and then even in the cloud as well. And you mentioned the 5-tuple approach to isolating a compromised host. The 5-tuple is kind of what we use to determine different conversations between hosts and like I said, VPN and other obfuscation types or obfuscation methods really hinder the ability to see that kind of stuff.
Joe C. [00:19:21] So are there any overlooked areas you think people, when they came to security kind of ignored, that probably would be better served if they pay attention to. I would think outside again looking in, Pen Testing would be kind of like the sexy area. And maybe that's where companies focus in on first. I don't know. It's just my gut. Any thoughts on that?
Joe A. [00:19:40] Well, so the Pen Testing area is definitely sexy and I truthfully am not very good at that. I can fumble my way through a little bit of offensive security, but that's about it. But, yeah, it's really tough because there's so many facets to cybersecurity and sometimes you have to specialize in only a few different areas of it. So, yeah, I, I don't know. The focus that organizations have varies based on their maturity of their security infrastructure so we wouldn't want to start out just Pen Testing a network. We want to be able to decide what we have to protect. We want to identify the assets and all that kind of stuff and then put our controls in place and then hire Pen Testers to come in and tell us what else we've missed. So their job is to help us identify the holes in our network.
Joe C. [00:20:33] Nice, so this might be off the wall, but I've been hearing more and more about ransomware, and I think Garmin was like they pay people like millions and millions of dollars to stop the attacker unlock certain data. Is there a reason why it seems like there's a rise in ransomware? I don't know if it's just because I'm seeing articles and that's a bias of mine. But can you talk a little bit about what is ransomware, maybe how people can try to avoid it? Or is it like a common step that people are missing that would help them so it won't happen as often?
Joe A. [00:21:03] Sure, yes, so ransomware is when somebody overtakes a computer or network and is able to control it and lock you out of your own systems. And they typically use some sort of encryption mechanism. And they're the only ones with the key, obviously. And once you pay the ransom, then they'll unlock your systems for you. And the reason why it's become so popular, I think, is because it's lucrative. People are paying them. So I attribute that as one of the main factors to the rise in ransomware. From a security perspective, trying to mitigate that kind of attack there's not really any one size fits all option, but I would definitely say if you have a robust security policy and your controls are in place and you have good backups, you'll be able to help mitigate any loss if you refuse to pay it or possibly prevent the attack from happening.
Joe C. [00:21:58] Awesome. So I think all companies have backups, but it sounds like maybe that's not the case.
Joe A. [00:22:04] Yeah, I mean, you'd be surprised. I'm an advocate for backing up as much as you can especially when it comes to critical systems, hospitals and things like that. If you ensure that you have the backups then you might not be as worried about paying the ransom because you can just restore your systems to the backup.
Joe C. [00:22:24] Absolutely. So, as I mentioned, you have four courses. Maybe I missed one or two, but the one I watched was Exploring Security Concept, which was really good. You have three other ones. It says, it sounds like you're working on a few other ones.The other courses are Security Monitoring, I believe, Analyzing Host and Analyzing the Network.
Joe A. [00:22:43] That's correct.
Joe C. [00:22:44] I'm thinking, is there a certain order people should go through out of these four? I mean, I would think they'd start with the Security Concepts, but after that, is it just whatever resonates with someone, whatever they're working on to say should I be analyzing the data or working on the host or monitoring?
Joe A. [00:23:01] Yes, I would definitely say if you could start with the Exploring Security Concepts course first and the way I'm building the courses, it's going to be a five course path. And the way I'm building them is to just kind of follow each other in the order that you mentioned – Security Concepts and then Security Monitoring, then Host and Network. And the one I'm working on is Managing Policies and Procedures so it's a lot of the bigger conversations about the frameworks and policies. But if you're not interested in exploring the entire series, just pick and choose what you like, what interests you, and see if it resonates, like you said.
Joe C. [00:23:36] So I was thinking maybe we could pull out like one big concept for each that you could talk a little bit about to whet people's appetite or get them more interested in actually consuming the whole course. So I'm thinking, you know, Analyzing the Network, what's one big takeaway from that you think people would get if they watched that course?
Joe A. [00:23:55] Oh, yeah, I mean, with the Network we're talking about packet analysis and we're talking about analyzing the net flow, looking at the actual data that's coming across the network to try and help us identify potential events that are happening. And then the Host Base Analysis course, it's almost the same thing as the network one, but all about the host. So we're looking into antivirus and how those will detect threats for us. And everything's tied into Security information Event Manager. From the security monitoring perspective, that one's just general monitoring capabilities. We're talking about where we're getting our data from, how to ingest it, how to analyze it. That's a really good one if you want to be able to look at machine data analysis or just log analysis in general. And then like you saw with the Security Concepts, course, it's an overview of a little bit of everything.
Joe C. [00:24:46] Yeah, it's a great way to get up to speed and if someone studying for a certificate or certification will this help them with any specific certification if they went through all five?
Joe A. [00:24:57] Yes, I think so. So it'll help with the Cisco CyberOps Associate certification. It'll help with any of the other certifications as well as Security Plus maybe CISSP. I mean, that's more of an advanced one. But any of the basic security certifications, you know, this is really good general knowledge to have. And it covers the gamut of cyber operations and security in general.
Joe C. [00:25:22] Nice, so I am a big geek about tools. It's probably a bad thing, but I like tools, any type of automation tool to help me with some sort of testing. Soare there any go to tools you use? Most people I talk to bring up Pen Testing, but it doesn't seem like that's the area that you necessarily focusing on. So I'm just curious to know what tooling is, what you go to for your type of Security work?
Joe A. [00:25:44] So I love working in SIMs. I love the data analysis portion of it. I really love working with NetFlow. I think it's a great protocol and it's really lightweight and gives us a lot of metadata about the information that's going across our network. And I say the data analysis portion is where I really enjoy it.
Joe C. [00:26:04] So I just open up a memory packet, you talked about telemetry and telemetry is something I've bee hearing more about in conjunction with observability. So like what is telemetry?
Joe A. [00:26:16] So that's a good question. I don't want to say it's relatively new, but it's really the collection of measurements and statistics about your network. And that's something that's been really big lately as networks have become more software defined and more robust, so to speak. So telemetry gives us a lot more data than just logs and machine data. So that really helps us drive security processes and helps us identify threats quicker.
Joe C. [00:26:47] And it's able to identify threats quicker because it has more data is that stupid? But it gives you more data you can analyze and say, “Okay, now I know this is a charade, then, oh, it's something on my server. It's a little more granule, I guess.”
Joe A. [00:27:02] So I guess it's more targeted data. So it may be more data, but it's more targeted and at the same time it's also more data that's useful. So some examples of that could be we have the integration that we spoke about earlier between many security technologies, and we might get telemetry from each of those and they might be normalized in a way where they all complement each other.
Joe C. [00:27:30] I don't know about open telemetry, I assume this is the same thing, it's just a collection of tools, APIs and things that people can consume to help them with their data sounds like in general, high level.
Joe A. [00:27:40] Yes, exactly.
Joe C. [00:27:42] Cool. Yeah, I think it's an area people should definitely focus more in on because I'm hearing more and more about it. So awesome.
Joe A. [00:27:48] Oh, yeah. It's becoming big.
Joe C. [00:27:51] So we're starting the new year 2021 any trends you see going on in the security space that you think people need to jump in on now before maybe they're left behind or maybe if they want to get in on early on the ground on some sort of technique or area you think would be beneficial for their career?
Joe A. [00:28:11] Oh, wow, that's a loaded question because cybersecurity so broad. I say the buzz words, so to speak, that I'm hearing in the community are definitely the remote access solutions using the cloud and then zero trust. Zero trust is the big buzzword. And so everybody's trying to either have some sort of zero trust policy implemented or gets more tools to help with that process.
Joe C. [00:28:37] All right. Okay Joe, before we go, is there one piece of actionable advice you can give to someone to help them with their security efforts? And what's the best way to find or contact you?
Joe A. [00:28:47] Sure, so the best way to help your security efforts is to not stop learning. I can't emphasize that enough and I think anybody in the security industry would second that as well. Don't stop learning. Always be hungry to learn more about what you're doing or about other facets of the security to help complement your actual role. And then, yeah, you can find me on social media. My Twitter tag is @joeabrah. Then I also am hosting defendthenet.com. That's my blog that I'm trying to get up and running this year. So I've had a couple of setbacks, but it's launched. There's just not a lot of content on it yet. But I do hope in the next couple of weeks that we'll start adding a lot more.
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.