Real World Security Professional Day One
After obtaining quite a few certifications in the security field, I've concluded that by far, the Real World Security Professional is the one certification to aim for.
Presently I hold the CPT, C|EH, CHFI, OSCP and a few other certifications that are security related and while I initially had my "most cherished" certification (OSCP) the RWSP takes the current title and is "the must have" for those seeking to validate themselves professionally.
Before I move into an explanation of the class and its objectives, I will explain what the RWSP is, isn't, how it started, who is running the show and the history behind it. For those familiar with security certifications, books and talent, the names Russ Rogers and Greg Miles should ring a bell. They are the guys behind the NSA IAM/IEM course and literally wrote the book on it, in fact quite a few books between the two.
The RWSP from my perspective is the one exam that separates the "Pros from the Joes." Unlike conventional exams, there is no method for anyone to "cram" information for the sake of passing this exam. Unlike the OSCP, OSCE, CPT and CEPT exams, you will not only be "put to the test" but you will be frustrated. In those exams mentioned, your attack surface doesn't fight back!
RWSP consists of three "components", the class, a test after the class, followed by a collegiate thesis like write up on a security topic of your choice which needs to be approved, peer reviewed, then accepted.
For those similar with SANS' formatting, think of writing a "Gold" paper which will be reviewed by multiple peers. The class is extremely challenging and extremely frustrating on a POSITIVE level. My only complaint is the class wasn't longer. This is not a negative statement, on the contrary, the class was so much fun and so challenging you WILL leave thinking differently and wishing you had "one more minute."
Day one of the class. After an introduction to explain the creation of certification, the purpose of the why the certification exists, and what the ultimate goal of the certification is, introductions are made by everyone attending the class. Everyone in the classroom IS an expert in their field. This class was not for "beginners" by any stretch of the imagination.
Staff then assess the background of the individuals attending the class and splits everyone into two teams based on their background. Your team will be your team for the remainder of the class. You will have one day defending your castle and one day exploiting your enemy's castle. Each day consists of three missions and after each mission, both teams get to explain their goals, objectives accomplished, tactics used to "offend" or "defend" depending on their role.
There is a storyline behind the entire class so I will try to explain it as best as possible under exhaustion from the class and the entire trip. Deep in the future, government is large and complicated, corruption is aplenty and only two federal contractor remain, Deckard (Red Team/Offense) and Rapture (Blue Team/Defense).
After a failed takeover attempt by Deckard, Rapture procures a security task force to protect themselves. Rapture's entire staff either left, were victims of questionable fatalities or were likely hired out by Deckard for more money. Working at Rapture, your immediate goal is to understand the corporation's infrastructure and prepare to defend it.
Your chosen team is your backbone period. Everyone on your team has strengths and weaknesses and you need to work as a team in order to accomplish each objective. Note: You will not get far in this class without being able to work as a team. As in the real world, no one is a superhero capable of being an all-around expert in security. You will have your strengths and your weaknesses.
In my class I was fortunate enough to have a rock solid team whose roles were actually defensive by nature. During this part of the class, I honestly felt intimidated, not in a negative way or because I felt my skills lacked. I felt intimidated because I wanted to assist my team as best as I possibly could. "Can I do it, what the heck is that Windows command line syntax... What the heck is that hping syntax again?!"
As an employee of Rapture, you are given a security budget which you must use wisely and changes, just like in the real world, have to be approved by senior management. This includes being told "no you cannot afford this technology", to "how does it benefit us, has it been tested, what is the cost to operate, train", etc.
I don't want to give out any potential tactics, tips or spoilers for anyone taking the course in the future, so I will say "plan wisely." If you walked into a new company that had little to no security in place, what would you do, how would you do it, how would you get management to agree to your methodologies, to understand them.
As in the real world, we had a minor setback in that one of our teammates had to leave for personal reasons, so we quickly became understaffed. The remainder of our team had to brainstorm and come to conclusions on how to spend our budget, why we chose to perform certain tasks and use certain tools. I had the unfortunate mishap of completely rendering my firewall useless and blocking out visibility from the world which in the real world, translates to monies lost in productivity and sales. This ended up costing points at the end of the day.
Round 1... Fight
After getting a snapshot of the environment we were in, we had to strengthen the security posture of our company, while at the same time trying to repel an active attack on our infrastructure. Timing is crucial and working with your teammates is critical as it is a collaborative effort. Because the simulation is real world, you will be faced with real world tasks.
This may consist of patch management, security updates, auditing your security posture, auditing your firewall rules, understanding the interconnections between servers in your network. While you may immediately think of a "block all" firewall rule, I personally had decoys in mind up my sleeve, so you need to plan ahead.
The unfireable... As in many corporations, we had a "family member" of the corporation who did things "his way" which meant, we now have one thing against us. Imagine trying to make changes only to have to conform to what "the owner's son, or nephew or wife, etc" dictated. "That's my machine and I will not remove it", or "I will keep my weak password because darn it I'm the boss." There is a lot of planning on the "unforeseen" level here and by the end of Round 1, you should have some level of security in place... Or so you thought.
Round 2... Fight
Deckard has found a way onto your DMZ and they are now attempting to get a foothold into you internal systems. What have you done so far to detect them, block them, confuse them? Because your DMZ is now "owned" and you are under attack, you need to use a combination of savvy security engineering, systems engineering, incident response and forensics knowledge to keep the attacker(s) at bay.
What are they going after, where are they coming from, are they using decoys, is the family member in our company selling our security out? These are all questions you need to address on a technical level and from my perspective on a "psychological level" to which I'll explain.
My method of thought for the "family member that does whatever he wants to do" was: "I wonder if this guy was part of the takeover and purposely left things awry. Sabotage? Dangerously carefree?" There were a lot of "easter eggs" we would find on the defensive side including rogue personal web servers that we would take down and somehow, they would sprout back up. This made things difficult to address as would it in the real world.
On the second round, I decided to take an offensive approach, to defend. This meant using money from my budget to purchase a vulnerability scanner in order to assess my security posture. I figured by seeing what the "bad guys" would see, post defensive implementation, that I would know what to protect. "If I can hack it so could they." All this while still getting familiar with processes and procedures in order to keep the business running in real-time and while actively monitoring IDS, IPS, event logs, etc.
On round two, the ending became real tense as one of the guys on the other team was literally on a database server but he wasn't visible to me. An annoyingly cool trick for reverse connections I ended up learning - one of those aha! moments (and I don't mean a-ha the 80's band.)
Initially I had been monitoring IPS with good old fashioned tail -f, I was on the same DB server as the attacker, yet the whole time they were on the host out of sight. Luckily, a good old netstat view came to the rescue, so a kill -9 was sent to kill that entire connection, followed by an active block. If that hadn't been caught, we would have likely been out of business.
Final round... Fight
Our opponents were past the DMZ with a the door and we needed to keep them from "the family frakels." This meant we needed to completely understand what they were after, how did they get in, how to continue to defend ourselves and how to kick them off our network and keep them out. This stage was frustrating from both the defensive side and the offensive side (I will explain the offensive frustration on the next article.)
Throughout the course of the day, we had struggled with Microsoft's Patch Tuesday logistical nightmare - their servers were severely lagged. Not to mention our carrier was likely being DoS'd as we had connection outages. Those outages led to us not being able to obtain certain mission critical security patches and updates. Even with the patches, we had to be sure that those patches worked and we didn't step on the toes of the "owner's kin." At the end of the day, we were drained (at least I was - literally.) Overall my teammates and I edged ahead on points, even after I took out my own firewall.
1) Know your role: Previously I stated I don't want to give away spoilers, tactics and methodologies and I will explain this little further now. Even if I did give away whatever tactics, methods or tools I may have used, this class and the exam is not static and I can never envision the flow of the exam being the same. Everyone will attack you using different methods and different tools and you need to understand what is going on in your environment, what purpose does a specific technology play in your environment, how best to secure your environment while keeping business objectives in order.
You need to understand systems and this means Windows systems from the administrator and security level, Linux/BSD systems from the administrator and security level, networking, security concepts and a bit of security management (after all you do need to comply with management’s requests or denials for technologies and implementations of certain processes.) You will need to make real-time decisions and rely heavily on your team as well as support your team as best as you possibly can. You also need to understand your management and respect their decisions, whether or not you agree with those decisions.
2) Great defense means knowing offense: If you have never compromised, audited or tinkered with systems, you will have a difficult time defending them. Our opponents were very skilled - and I seriously mean this - they were very skilled. However, this does not mean you cannot plan a good defense if you understand where they *might* be coming from, because my teammates and I were constrained from applying certain firewall rules, does not mean there aren't mechanism around this. By that statement, I do not mean you should be subverting authority, I simply mean you may get management to approve your requests once they truly understand the risks and by explaining your security objective.
They may in the long run understand how this matches their business objectives. For example - (I may be even hinting at something here) - just because you cannot outright block an attacker from getting to you, does not mean you have to respond. If you are familiar with networking concepts and firewalls, I need say no more on that note. If you don't get what's being hinted at, think different ;)
3) You are NOT ALONE! If you came into the class trying to be a top-gun superhero, you will fail, and you deserve to fail. The class is based on the efforts of your team. Speak with them often, they may know much more than you. In fact, one of my teammate’s knowledge wise was an expert in forensics. I know factually, he could mop the floor if I went toe-to-toe with him on the forensics level. This was a plus for my time, as he definitely understood what to look for, how to track it, etc., so had I been "going at it alone" we would have lost day one. We would not have accomplished our goals if we decided to splinter on a free for all.4) Listen up! At the end of each module, both sides get some time to explain what they did in order to accomplish their goals. This is the most important part of the class from my perspective. Everyone is unique from both an offensive and defensive perspective. It pays to hear what an attacker was doing or did in order to compromise a network. Similarly, it pays to hear what someone did to actively defend against an attacker. This is what makes this class stand out, everyone's approach will be different and you certainly will leave with valuable insight. This insight consists of you understanding where you failed or where you shined.
Real World Security Professional Day Two
A quick recap, there is a storyline behind the RWSP entire and it goes to the tune of: Deep in the future, government is large and complicated, corruption is aplenty and only two federal contractor remain, Deckard (Red Team/Offense) and Rapture (Blue Team/Defense). After a failed takeover attempt by Deckard, Rapture procures a security task force to protect themselves.
Rapture's entire staff either left, or were victims of questionable fatalities or were likely hired out by Deckard for more money. Working at Rapture, your immediate goal is to understand the corporation's infrastructure and prepare to defend it. Working at Deckard, your goal is to steal Intellectual Property.
Working at Deckard, it immediately dawned on me that I needed to clarify a few things. Under the storyline, I was part of a rogue team that set out to compromise a target. As in the real world, I had to understand what our team's goals were and how far we would be allowed to go to obtain those goals and meet our objectives.
Thinking about this from a realistic perspective, all gloves are off. There are no ethics to follow as you and your teammates are literally breaking the law so there is (or at least there should be) nothing stopping you from accomplishing your objective. Obviously in a real world scenario you wouldn't fire off a Denial of Service attack, in our class, this was possibly the only limitation.
Round 1... Fight
Our team needed to gather as much information as we could about our target. This compromised of putting together a dossier of the target's servers, networking components, services, employees at the company and any other information that was available to us. Because the Rapture Corporation had a publicly visible webserver, we set out to gather as much information as we can.
"Psychology time" from my perspective, as an attacker working on a team, we have an "end game" which consists of "getting the family frakels" off of our opponent. We immediately overstepped typical logic and decided to "go for the gold." After a brief team meeting, we split the tasks with my teammates working on one function and myself working on the other.
We immediately sought out and documented for ourselves, what their entire network "looked like" and began to drill down towards the internals. My teammate used his forensics and investigation skills to parse out information embedded in comments, cross-reference those with forms, database structures, etc.. In the background, I fed him a hidden directory with application information which would be later used for staged exploitation and pivoting.
My personal tool of choice was Accunetix here and I will explain why. Prior to me heading to the class, I configured and deployed an array of tools, scripts and other goodies to assist me on the offensive side. I immediately tested the install, deployed it to a VMWare image and loaded up onto a 2TB drive. Validation goes a long way! Because I didn't take the time to validate the VMWare image, my VMWare application would not load any of the tools I had. I spent a lot of time trying to improvise with this which was completely my fault and cost our team a lot of time. However, not all was lost.
The initial stage was set and our team already had a massive view of the network. So much so, it was suprising the instructors didn't outright ban me for finding networks I wasn't even supposed to know existed. This "train of thought" came from: "If it's not mine, it's theirs." While this may have worked for the class - I realized it then and iterate it now - is not a "real world" methodology to a degree. In the real world, you won't get to cherry pick your information.
However, the real world dictates that I can use tools like ARIN's whois to find out who owns what networks, Shodan to find any publicly visible entry points, etc.. I'm torn on whether or not from a "real world" my scan on an entire slash 16 would have been practical. "Train of thought" (again): "This is their network, I wanna see everything!" The "hosts down" information off of an nmap insane scan, I began trying to sort out what did what, why and to where. This while working with my teammate to get a foothold into their DMZ
Round 2... Fight
With our team inside their DMZ, we needed to figure out how to stage an exploit with Metasploit against a vulnerable instance of MS-SQL. This is where sharp systems administration skill come in handy. Fail! I completely failed at this as did my teammates as we were all unfamiliar with MS-SQL. To be honest, I believe that 99% of everyone in the class with proctors and instructors included, all primarily were Linux/BSD gurus.
We couldn't find the proper MS-SQL calls method to dump their information. We "did" upload Cain and Able and my teammate was sniffing their traffic, dumping their hashes when reality kicks in and... Darn it, the opponent kicked us off their servers and removed netcat, Cain and Able and other tools momentarily.
This was the frustrating part of the exam - being repelled! Unlike the OSCP, CPT or CEPT, perhaps any other technical based certification, you are being actively defended against. We definitely struggled on this portion and it was not as simple as I thought it would be. The same opponent we managed to keep at bay, were now keeping us at bay.
Throughout the second round, we managed to get a bit of information regarding their DB username, passwords, database structure, how their internals worked, what interconnected with what but at the end of the day, they kept us out of their infrastructure - sort of.
Final Round... Fight
We are now in their internal systems and we need to find the information without being detected. Throughout the vast majority of the day, I had been launching tons of traffic at their systems which included decoys of their own machines attacking themselves. Side note: After Round 2, the defensive team thought they knew who I was, where I was coming from but they were wrong. I even made mention of this: "nope wasn't me" and while they kept trying to focus on me, my teammates were the ones doing all the damage, I was simply looking for and finding holes, still struggling with getting my attack system to work while improvising.
Because time was winding down, I ended up going back to my hotel room and snagging up another laptop to aide the team. My goal was "low hanging fruit time" in the sense that one laptop would launch Immunity's Canvas at specifics, another would be doing hydra bruteforcing, running decoys, etc., and it paid off. The proctors I guess gave up on trying to get a handle on what I was up to.
Unfortunately for me, even one my laptops acted bizarre in which I had to move Canvas to yet a fourth machine to get it working. On the fourth machine (I will explain the third so I don't skip it momentarily) - on the fourth machine I ended up running out of time however, on that machine our team had managed to fragroute our way into their systems, we had credentials, we just didn't have those crucial extra minutes. Result semi-fail. Opponents I believe beat us out on the points by then.
When you have someone who meets or exceeds your level of skill as your opponent, the competition is fierce as hell. Unlike the other certifications as mentioned before, this exam forces you to think in real-time on multiple strategies. If it weren't for my teammates, we would not have gotten far especially when 1) we were understaffed 2) my lack of validating whether or not tools were usable did not occur 3) you didn't anticipate your opponent to be that damned skilled.
From the previous day, I had re-learned something I mentioned before about tools: Think different. The previous day, my opponents struggled with mapping a network solely because they relied on nmap. They ended up compromising a user account that didn't have enough privileges to compile nmap so they wasted time trying to figure things out. It was towards the end, they ended up using netcat. Rinse and repeat the following: Thou shall not rely on any one tool! I used a combination of hping3, nmap and netcat for networking "voodoo."
Think miles ahead! Forget thinking about steps ahead, think miles ahead. As an attacker, you should have more than tool and game plan. I mean this from the "offensive" end for the "Red Teamers" out there. Our demise came from a proper lack of planning for "plan B." Know your systems, refresh your skills, understand your opponent and never misunderestimate their skills.
RWSP is a hardcore, challenging, fun and severely frustrating exam. For the gamers on the site, particularly say Modern Warfare2, think of Capture the Flag. While in most CTF's you WILL SEE offensive, it is rare you will see someone countering your offense. In MW2, you will be shot for getting too close and capturing the flag, in this exam, you have security snipers gunning for you on both sides of the fence. Vice versa, for the defense, you will learn (or perish for not learning) that your opponent can be very covert, slick and may surprise you at the end of the day.
So who benefits from this exam? Personally I don't see a beginner (1 - 3 years experience) benefiting from the exam yet at the same time I do. If you are a beginner, you will learn what it's like in the real world to both attack and defend. However, you will likely find someone extremely talented as your opponent so you may not understand what they're doing or why they're doing it. This, even after they explain it. The professional (3+ years experience) - you will be tested to the maximum on this exam no matter if you have 3 years rock solid experience or 15 years rock solid experience.
Ultimately, this is a course I believe should be taken over and over and over. The difference between this and other exams is the format for starters and secondly, it is highly unlikely that you will experience the same results at any given point in time. Attackers and defenders are all different, they use different tools and different tactics. Some have to follow certain rules, while others don't.
Throughout the course right up to the end of the course, you will learn to re-think your ways. You'll be forced to renew your skills, strategies and methods of thinking. The learning potential is infinite - and I sincerely mean this. Were it up to me, it would be the one course to take as much as possible.
Finally (after writing a darn book on this), I was fortunate enough to be voted MVP for my team and given a silver coin but the reality is, I wouldn't have accomplished anything without my team. If I could split the coin into sections, I would. My teammates are the real heros for 1) tolerating me ;) 2) tolerating me ;) 3) allowing me to help them and vice versa 4) helping me think differently.
We all contributed as a team and as an entire class, I am grateful I had the opportunity to be in a class with such talented security pros. Collaborating with them allowed me to see things I miss yet also allowed me to give some tips. It was a tremendously informative class, learning experience and fun (Seriously frustrating as well!).
Anyhow, in ending, I passed two thirds of the exam and look forward to the third... Wait? Did I mention after being abused from both sides of the scope (offensively and defensively) you also have to take an exam AND write a paper for peer review? If not, reminder: 1) Take the abuse via class 2) Take an exam 3) Put on your thinking cap for a collegiate-like paper 4) brag the you either beat up the best of the best, or put your head down at the fact they mopped the floor with you.
I am just unwinding now after a long weekend of abuse and I can partially say I am RWSP certified pending my paper's approval. I need to clear my head because my initial response is: "Jesus no more security, can't I just put on the blackhat role again and bribe my way in..."