25D CYBER NETWORK DEFENDER

@SGT Smitty

I agree with @WiseChief, it can't hurt to submit a packet.

Here is the Milper Msg for 17C:
http://www.armyreenlistment.co..._15_164_20150602.pdf

.. and here is this weeks ArmyTimes bite on the 17C MOS:
http://www.armytimes.com/story...irst-class/71061118/

Just finishing up the 25D40 SLC pilot course, and I'll just say that it's been an interesting learning experience. Aside from the numerous staff duty taskings, the course was fantastic. I will go as far as to say (for those established 25Ds listening), that this course is not at the same level the 25D course was. Indexes will not help you in these courses. Not official yet (pilot) but I do believe they are going to change this course a bit, maybe remove one of the SANS courses. The auditing course was beneficial, and enlightened us all on some key questions we had in the past. The 20 Critical Security Controls (heh heh good luck). The network forensics course was probably the most beneficial of them all, as it goes into great detail on netflow and ways to correlate it (best to have taken intrusion analysis prior to this course). The final course we are in now seems a bit dull, especially after all the courses we just finished (my 2 cents).

Looks like the CPB is full now, especially since they are converting 25Ds and 35Q to 17C come 1 Oct, but don't let that discourage you, as a majority of the slots for 17Cs are 30 and below, and a majority of the 25Ds, and 35Qs will get pinned SFC and MSG here very soon (hint hint). I have been seeing a lot of my buddies, in the 25D course, from various previous assignments, and they tell me they are being assigned to various non-cyber units.

That being said, if you reclass to 17C, you WILL be assigned to one of only a few cyber units, in the U.S., to include the CPB.

Thinking of reclassing? Look here for details on the application process (CACd):
https://uscyberschool.army.mil...e=0&_58_redirect=%2f

I know a lot of you are having difficulty merging with the cyber idea, and while I cannot just give you a red pill, and BAM, I CAN point you in a few directions that may help you to reach your goal of eventually becoming a Cyber Operations Specialist.

There are numerous FREE resources on the web that offer cyber related training. just to name a few:

http://www.cybrary.it/
this one is FREE and offers numerous cutting edge training on tools and processes for various cyber fields. I am a member (different alias), and I recommend them.

https://www.youtube.com/watch?v=KByVf5-OJuQ (or just use the MANual pages)
For those who have a background in Linux already, it is imperative that you develop your skills using such stream editors as: GREP, SED, AWK, CUT, SORT, UNIQ, WC, etc. This is vital to your continued studies in various cyber fields.

DISCLAIMER: Using some or all of these tools on any target other than your own separate lab environment may be illegal, in other words, hack your own $h!t.

KUDOS! to the Personnel Management Chief who has acknowledged that cyber specialists, techs, and officers are needed, and for providing the much needed leniency to up-or-out rules. source: http://www.militarytimes.com/s...n-pentagon/71067386/

Good Luck!
Just siting here killin ⌚ to 'Martin Garrix'!
This kid's ahead of his time! An artist in both mind and spirit!

Speaking of being ahead of time, there is a Book that just released and really scales!

http://lmgtfy.com/?q=insite%3A...hacker+playbook+2%27

This book is loaded with great tools and tradecraft tips for the up and coming cyber security practitioner!

Just finished Methodologies Training (Advanced ******* Tradecraft). The training did not disappoint at all! One common theme though was the lack of Linux proficiency. I can't say this enough, if you don't know Linux you will be lost! One great thing that came out of the experience was the opportunity to successfully debunk the idea that 'one must be a good programmer to be a great hacker'. Hell the people that made the most findings during training have little or no programming skills whatsoever!

Well back to m'jams!

See Ya @ BSIDES

http://www.securitybsides.com/...BSidesAugusta%202015

Keep Reading Those Books!
43 - 25Ds promoted to SFC! .. WOW!

well I'm in another class 'shocked pose' Forensics .. and it's turning out to be very beneficial so far. Just a few more days till 8 Oct ... and we'll see who converts 17C.

Recently one of our Brothers, a First Ever 25D, retired. That now leaves just 10 of us 'First Ever' 25Ds remaining on the force.

If you HAVE been following my advice about the books, here's another good one. The author, Jason Cannon, emailed me and said he was making it FREE, but only for a short while, so if you have Kindle or if you have PC Kindle Reader, go download it:

http://www.amazon.com/Shell-Sc...ords=shell+scripting

Also if you are interested in learning how to script with PowerShell you can download the training solution here (rumor: PowerShell going to steal the scene for both Windows and Linux):

https://www.idera.com/products...tools/powershellplus

Finished reading this book:
http://www.amazon.com/Instant-...=1-1&keywords=tshark

and this one:
http://www.amazon.com/Practice...C_UL160_SR121%2C160_

Those two books really give one a great introduction on the capability of TShark, and various NetFlow tools; I recommend them both.

This goes out to 25D(Retired) M.
https://www.youtube.com/watch?v=AWtCittJyr0
Yes, I heard about the 25Ds and a shame that no 25Bs were selected, but I am tracking that 25Bs are way over-strength.

I have been working with a few 25Ds from the CPTs and we did some HBSS work together for a Cyber Exercise. If you like, PM me your e-mail and I hook you up with some inside stuff that I have received.
As a standard practice, I use tcpdump for full packet capture(ex) >>>

#tcpdump -i eth0 -C 100 -w target

w/ -C option to segment the pcaps (100MB),

then later mergecap (ex)

#mergecap -w target001.pcap target002.pcap target003.pcap target_merged.pcap

to remerge the pcaps,

and TShark (ex)

#tshark -Y http.request -T fields -e http.host -r target_merged.pcap | cut -d'.' -f2- | sort -n | uniq
-c | sort -nr | more

292 archive.org
247 wikimedia.org
178 irinnews.org
85 kali.org
56 abcnews.com
37 evil.com
4 google-analytics.com
...


and strings & grep (ex)

#strings target_merged.pcap | grep -i --after-context=1 Host | sort -n | uniq -c | sort -nr > ./output_file.txt

or

#strings target_merged.pcap | grep -i ".exe" | sort -n | uniq -c | sort -nr

3 tftp -i 192.168.28.2 GET VMWareConsole.exe
2 tftp -i 192.168.28.2 GET psexec.exe
2 tftp -i 192.168.28.2 GET ituness.exe
...


to parse through the post capture data for relevant info.

Netflow is my current pursuit Wink using nfdump, and various other tools combined with stream editors and regex, I can make short work of parsing logs (all logs) for relevant info ... hope to have a working TTP soon.
Yes, I am tracking all that. I can do that in wireshark and use split pcap as well.

The issue is disk space and wire speed, since I have over 25000 devices in my AO.

There is MOLOCH at http://molo.ch/

But I am looking at seeing if we can get funding for ENDACE devices such as their NetFlow Generator Appliances or other devices that can hold up to 64TB of space.

http://www.google.co.kr/url?sa...-u6whbJZckEgqlOAuEDg
have you used ELK (Eastic Search, Logstash, & Kibana) stack?

It's open source and free, and it also scales huge, but the best part about ELK stack is that it can do all of the things Splunk, ENDACE, and ArcSight can do, without normalizing the log data (leaving it parse-able & grep-able.

The issue we keep running into, when dealing with ArcSight, for example, is that once the collector normalizes the data, the raw format is discarded by the collector, and not forwarded to a repository, but with ELK stack, you keep the raw log format, even though the GUI(Kibana) normalizes the data for easy parsing. I also like that it can be applied to any existing storage array, saving $$$

Also from a forensics standpoint, raw log data is easily more admissable as evidence, then any data which has been modified from it's original state.

Phil Hagen (Advanced Network Forensics / FOR-572) swears by this tool, and uses it at his home too.

Product Briefs:
https://digital-forensics.sans...stophe_Vandeplas.pdf

https://resources.sei.cmu.edu/...5_017_001_431205.pdf

http://linuxfestnorthwest.org/...he%20ELK%20Stack.pdf

product link:
https://www.elastic.co/webinar...troduction-elk-stack

SANS prebuilt Logstash VM:
http://sourceforge.net/projects/sansfor572logstash/

here is the book that makes short work of setting up ELK stack:
http://www.logstashbook.com/

I'm building this at home in my spare time, and once I'm done and get it going, I will develop a simple TTP for setup and operation . . . work in progress Smiler
Yes the rumors are true .. we are 17Cs now Smiler

There is also a rumor that the CYBER Protection Brigade is standing up another Battalion (more CYBER types needed).

We have seen an influx of 35Q(supposed to be 17Cs .. dunno) PVTs, and a few 25Ds.

CPB finally got their own Patch and Insignia Smiler

So, I read another book this weekend. Chris Sanders wrote a book that embodies Security Onion, and the many programs, modules, and scripts that can be applied, all the while, linking one application or step to the next step! It is rare to find such a jem, so do not miss this one:

' Applied Network Security Monitoring '

I will be pursuing a most challenging feat soon; the offsec OSCP .. it's a long journey for one of the most coveted rights of passage for a cyber security practitioner: The hands-on, 64 days, no BS, pentest quest.

wish me luck Smiler

If you just happen to be following my advice about the books, here's another catch, recently published:

' Linux Forensics '

Here's, a listing of 28 sites/apps you can legally hack into .... seriously:

H@PPY H@CKING :-)

.. so you wanna be @ Cowboy, huh? .. here's a ' Red Ryder BB Gun ' for ya .. careful, you'll shoot your eye out Smiler

aHR0cHM6Ly9naXRodWIuY29tL2VuYXF4L2F3ZXNvbWUtcGVudGVzdA== IF you can 'decode' it Cool
hint: the tool needed is in this POST Wink

⌚ 2 J@M da TRAP n' BASE >>>>
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1ubkF5MTkwNkVIZw==
I hope everyone was able to learn something, and those that did take the plunge into Cyber, Good Luck as you go forward. I am retiring very soon, and moving onto life as a civilian .. again.

Nearly 3 yrs ago, when this was all started, the CSM of 7th Sig CMD (CMU Provisional) told me to 'beat that recruiting drum'. I think I have lived up to his expectations, based on the feedback from all of you, my fellow cyber warriors.

I will definitely miss the chase, but like a great man once said, "you cannot stop the winds of change, but ride them into tomorrow, for as sure as the sun does fall at the eve of day, it will rise again!"

If you wanna get a hold of me for something cyber related, or just wanna shoot the breeze, you can email me; I'm in the global.

Cheers Army Cyber! Cool
SSG Poulin, D. USA
Cyber Protection Brigade
17C (former 25D,25B,25Q/31R)

P.S. To the remaining few, the 25Ds that helped start all of this, keep banging that drum! The fight is far from over ...

Add Reply

Likes (0)
×
×
×
×