Life of a SOC Lead

Life of a SOC Lead

Alberto: I built my dream home lab here at the house for $800. And that was it. That was my budget. With $800, I was able to build a great small server about the size of a shoe box so I’m able to virtualize 10 virtual machines any moment in time. I’m not asking every security manager out there to be a reverse engineer. But what I’m asking for is allocate some of your personal time, if you don’t have it at work, to understand the technical aspects that your analysts have to go through to do their jobs well. Ricky: On our show today is a special guest who’s going to share with you the experience of someone working both as a SOC and offensive lead at a private company.

He’s an everyday guy who spent a total of $7,000 on Community College and $800 bucks building his home lab. Now in a successful career track in the world of cybersecurity. Alberto Rodriguez is a professional Alberto Rodriguez is a professional with years of experience securing critical infrastructure. pentesting, threat hunting, and incident response. He’s worked active duty as a cyber operations officer in the military and continues to serve in the reserves. He holds an OSCP, CISSP, three GIAC pentesting certs, and a master’s degree in Digital Forensics. Alberto’s got a unique perspective on cybersecurity because he’s involved day to day doing both offensive and defensive work for different clients of his company. In this video, we talk everything from home labs, some of the ins and outs of working on a security operations team, and recommendations for beginners to get into learning cybersecurity.

Without further ado, Alberto, thanks so much for coming on the show! Alberto: No, thank you, I appreciate it, excited to be here. Ricky: So let’s talk specifically about your work and what you do for a living. So as we talked about earlier, you work as a SOC lead and as an offensive lead which is really interesting. Because you get both the red and the blue side, kind of purple going on there. Tell us about that. Alberto: Yeah, so honestly, it’s my dream job. I love it. I love defending, I love attacking. It’s very rewarding to be able to lead a SOC, shape my analysts, find bad on networks, and help customers build their security posture, and build their detection engineering. Then on the flip side of that, I love to hack. I think to be good at one, you have to also know the other. It does present a challenge for me though because I’m always trying to stay up-to-date on the latest adversary tradecraft. But at the same time, I have to then go back and understand the detection implications of those specific tactics. It’s very sort of time consuming, but it’s very rewarding at the same time. Ricky: Can you talk about what your role as a SOC lead looks like?

What is a SOC and what does a SOC lead do? Alberto: SOC stands for Security Operations Center. So as a lead, I have a 50/50 customer-facing and internal-facing work role within my company. I interact with the customers, I grab their requirements, I understand their infrastructure. I implement security tooling in their environment, and I help shape how we’re detecting threats, how my analysts are detecting threats, and how we’re responding to them. So that lead part of my job is really a leadership aspect of my work role. And then also presents a client-facing portion as well. Ricky: So specifically, the SOC that you work in, you are kind of an out-SOC or external SOC for other clients. You’re not the SOC for your internal company. Alberto: Correct, so little bit of both. Internally to my company, we manage security infrastructure for just our company alone. So I lead all security operations for that. And then additionally, we also manage SOCs for other companies. So sometimes, companies don’t have either the resources or skill sets to manage their own SOC. So that’s where our own company would come in.

We would deploy security tooling. We would manage all their data sources, what’s coming in, all the detections and alerting. It’s basically SOC-as-a-service that we provide for all the customers. There’s various different customers expanding from schools sectors to banks, etc. that we manage for. And everyone has their own different challenges. And it’s my job to balance that and ensure that we’re providing a solid service to all of our customers. Ricky: That’s really fascinating, because you never usually think about smaller businesses, or SMB, small-medium businesses, let’s say 25 to 250 employees, having any robust cybersecurity capabilities. You just typically think, “Oh, these are all the victims out there getting hacked.” Whereas in fact, they subscribe to people like you who get to protect all of them and monitor what’s going on across several clients. Alberto: Exactly. Ricky: Can you explain what your day-to-day work or life role looks like? COVID, working from home… How does that work? You’re not actually in a operation center per se with those giant screens and all the Hollywood imagery people think of. How does that work? Alberto: That’s funny, you mentioned the Hollywood because before COVID, even in my time in the Army, you would go to those SOC war rooms, if you will, where tons of screens are everywhere, cyber bullets are flying across the place, it’s great.

Now in this COVID time, the work-from-home status that we’re all in, it’s really about communication. Internally, here in my team, we have operations and intelligence updates where we meet internally and discuss all of our customers and any ongoing projects, any specific alerts or detections that we’re working on, etc. We have a set schedule of when we speak to our customers. We have a battle rhythm with them as well because they need to get operationalized in terms of what the SOC is providing, what’s going on in their environment. A day for me looks like some calls with some customers, some detection engineering, alert triaging, communicating with my team. Maybe I’m spending two hours pentesting a different customer if it falls within that specified time within my projects. So it’s really a couple different things: speaking to customers, getting on the keyboard, programming, building detections, hacking a little bit on the side. Maybe I take a lunch on a specific day, maybe I don’t. But it’s really a wide range of tasks for me. Ricky: Wow, that’s a lot to handle.

That’s a lot of context shifts. Usually, when you’re doing just one role, you focus and you get to think deeply. Whereas, you being in a leadership role and programming… so tactical and operational level, how do you balance those? Is it a process of really using your calendar or schedule? Or are you meditating? What is your secret? Alberto: All of the above. I’m huge on time management. And I’m able to segment my time both on the calendar and on my mind based on what I’m working on. I use the Google Calendar very in-depth. I keep track of virtual notes of what I have to do. And within specified chunks of my time during the day, I spend doing different tasks, and I’m able to kind of segment those tasks and really focus in on them. I turn off my phone for various different tasks during the day. I turn off notifications. I just zone in, I get the work done. Once I get the work done, I move on to my next next task. And I always give some wiggle room because sometimes you may come over a technical problem that you allocate an hour for. But it might take you two hours or might take you an hour and a half, etc.

Allocating for those instances is also important. And just having that work-life balance. It’s definitely a challenge, but I’m all about time management. Ricky: What does your client engagement process look like? Walk us through that process. Alberto: Sure, so for an offensive security engagement, whether it’s a pentest or vulnerability assessment, a red team engagement, etc. Typically, we have a scoping call. We get on a call, we talk about the environment, what they’re trying to accomplish from a goals, organizational goals standpoint. And then we start the testing once we have a solid scope, and everyone has agreed upon rules of engagement and the scope of work. We start the engagement, so reconnaissance, enumeration, exploitation, initial access, lateral movement, etc. And then after the engagement, all those technical pieces then it goes into reporting. So big on reporting, it’s probably a quarter of my time is spent on working on the reports, making sure they make sense in English.

But they also make sense from an operational standpoint and they’re going to be beneficial to the customer. And then delivery. Delivery of that report, whether it’s a PowerPoint presentation or walking through the report. That’s kind of what that engagement timeline looks like. And then as a SOC lead, if we’re onboarding a customer for a SOC, we’ll do a pre-sales call. And we’ll give them all of our capabilities from a security operations standpoint. And then we onboard tools, so we might implement a SIEM or a security orchestrator, an automation tool like a SOAR. And then once we onboard some of their tooling, we go over how we triage alerts, giving them an understanding of what they have to do, what we are going to do day-to-day, and then establishing a battle rhythm. Whether it’s weekly cadence calls, or bi-weekly operational updates. We get monthly reporting. That’s more of a long-term project for some of our SOC customers. Ricky: There’s a lot of people who are only interested in Kali, hacking, red team, that kind of stuff. And there’s people who are only in the PCAPS, and logs, and the forensics, and is just like: “Oh, I’m just an IT guy, I’m a defender guy.” What would you say to those people, having a day-to-day experience in both? Alberto: I would say as a defender, we tend to focus a lot on logs, host-based artifacts, network traffic, etc. But until you understand from a tactical level how the adversary tactics are performed, you won’t get to that deep level of understanding those tactics which will lead into your detection engineering efforts.

And then as an attacker, most pentesters or red teamers I know, they really don’t like the blue teaming side of things. All they want to do is pwn, get root, call it a day, etc. But it’s really understanding how can I improve this organization from a security posture. It’s not just finding vulnerabilities, exploiting them, or telling a customer: “Hey, this is where you need to fix yourself, etc.” But it’s really focusing… you can gain huge value in focusing on how can you help the blue team, how can you help the defense understand your tactics, understand those TTPs, so that next time you try those TTPs, they already know how to detect it. For me, it’s kind of hard to speak to some offensive security professionals, and they don’t want to share their tradecraft because they don’t want to get caught. I think that’s the wrong mindset in this industry because we need to help the defenders understand at a very technical level how these tactics are performed, so that they can detect us. And then we continue to improve ourselves. We learn something, the defenders learn it, and then we keep balancing each other off to learn each other’s tactics and we just keep improving together. Ricky: What does your loadout look like? Some of the tools you use day-to-day, maybe start off with the red team tools and then maybe move to the blue team tools. Just to give people an idea of what software they may take a look at, checkout, kind of what they do. Alberto: Sure, so I’m actually going to start on the blue and then I’ll end on the red. For the blue side of things, really understand log management, so tools like a SIEM. Go out there and get Security Onion 2.0, it was just released. It’s a great toolset to get started off with. You’re going to get exposure to ELK, you’re going to get exposure to the Hyve, which is a case management tool. Check out tools like MISP for intelligence feeds, Wazuh or OSQuery for endpoint protection. Sysmon is an amazing tool you can deploy on a Windows environment to get some really good security, login, and plays. Take a look at ESXi for virtualization. I’m huge into scripting from a defensive standpoint. So PowerShell; I can use PowerShell to query any data source that I want from a Windows enterprise environment, and also Python. So integrating with APIs and different tooling with Python is also kind of in my tool suite.

  How To Pass a Cyber Security Cert in 5 DAYS (No books…)

From an attacker perspective, there’s really a tons more that I can name. I think GitHub is the best place for an attacker. You can find everything that you possibly want. Just to name a few for Open-source Intelligence, take a look at SpiderFoot, that’s a great place to start. Do so responsibly. Tools like Amass to do some subdomain enumeration. If you take a look at some internal Active Directory tooling like Impackets, or Rubeus, Bloodhound. If you haven’t… And this also goes into the defensive aspect. If you haven’t deployed Bloodhound and ran it on an Active Directory environment, go ahead and pause the video. Go out, and get it done, because Bloodhound is a great tool to map out an entire Active Directory domain. Get after some attack primitives that you’ll see in your enterprise. And it’s great for both defense and offense. And then I’ll finish it from the offensive Aspect of some command-and-control tooling so like Covenant or Mythic, Empire; PowerShell Empire still very popular, day-to-day, and maybe Merlin is another great one. Those are some tools that I’ve used. Ricky: And for some of the people who might not know, Bloodhound is a graph model that lets you see which users you might have to compromise within an enterprise domain to get to that domain admin, someone who can access all of the computers on that enterprise network. Many times the compromises will happen at an unprivileged user, someone who opened a phishing link in an email. And once you’re on that box, being able to find out who are the next users, I need to compromise and go after to make my way to king of the castle. Alberto: Exactly. It’s a great way to graph your entire AD environment from a security standpoint. It’s a really great tool. Ricky: What makes it so great is it gives you a little bit of visualization to track that process. But a lot of the tools you mentioned, they do have dashboards, but then there’s ones that are command-line. You mentioned Sysmon and just very text, or row, line-oriented. How do you keep track? Are you pen and papering? Are you using some project management software, or Google Drive, Google Sheets, Google Docs? Alberto: Sure, so for me, keeping track of everything on a Google Drive is essential in terms of documents. If I find a really good PDF or white paper out there, I have a Google Drive where I put some of those tech articles, if you will, or blog posts, before they could get taken down, or I lose the link, so to speak. Having solid bookmarks also helps. I keep tons of bookmarks depending on the different topics within security, whether it’s blue teaming or pentesting. And then it gets even deeper into just phishing. If I want to learn about phishing or find a cool way to do phishing, I can refer to some of those bookmarks to stay organized. From a tooling perspective, you can definitely keep a OneNote of all the tools that you’ve experienced and keep a running tab of that. I think that’s one of the best things you can do in security is just have solid notes for yourself. I think that’s a great recommendation for everyone to keep track of all your notes of all the tools that you used, you come in contact with, what they do, etc. Because some of these tools aren’t updated, but others continue to be updated, and they continue to get better. So definitely keep solid notes of everything. Ricky: So what are some common security pitfalls you see in organizations, having done both hacking into them and also trying to defend against hackers. Alberto: I think the most common pitfall is organizations think that investing in tools is how they solve security. Versus investing in personnel from a security standpoint. So a lot of organizations love to buy fancy tools. They get sold the shiny tool that’s going to solve all their problems. They deploy it, they press on, and they think that they’re going to be secured. But most times that is not the case. I think investing in your security personnel will go a long way. Because you can do a lot with small tools if you have the right talent working under your organization. Ricky: Got it, so people over tools all day, every day

. Because at the end of the day, it’s people attacking you, not necessarily tools attacking you. So you actually have to have people on the other side creatively solving problems. Alberto: Exactly right. Every organization is different. Everyone is dynamic. Everyone’s always changing. So having personnel that are talented from a cybersecurity standpoint, hands on keyboard, doing analysis, but also understanding the operational picture of your business and how that ties into your infrastructure. I think that goes farther than buying a very expensive tool. Ricky: So to improve their overall security posture, what are the recommendations you do? Because a lot of people think pentesting is just like, “Let me pwn some boxes.” Whereas as you mentioned, you spend a quarter of your time on the reporting and delivery of the results. What do you usually recommend? Alberto: Yeah so I recommend having Continuous monitoring on your infrastructure from a defensive and offensive standpoint. If you can afford it, if you have the right skills within your organization, have somebody constantly trying to exploit and find vulnerabilities. And then on the flip side, once you find those vulnerabilities, Fix them or make sure you can detect against them. You have to identify your visibility gaps. You have to identify the avenues of approach. And then just continuously improve. Security never sleeps, we never take a breather. Just having that understanding and having the right talent to do that work will continue to improve your environment. And as the adversary changes. Your personnel will change and then your security will hold its weight and maintain a hardened posture. Ricky: For sure, what is the composition of a SOC look like? How big is your team? And what are some of the different work roles on your team? Alberto: Sure. It really just depends on the customer and the organization, and how in-depth they want their SOC to be. But typically, you have SOC managers, SOC leads, you have some security analysts at different tiers: Tier 1 to Tier 3. The higher the tier, the more experience they may have within their specified work role. And sometimes analysts are also even divided into two different categories: someone being focused on network analysis, others being focused on host-based analysis. Really more specifying whether they’re a host of a Windows, technical niche, or they focus more on the Linux endpoints within the organizations; conducting forensics and gathering those artifacts. Then if you want to keep diving a little bit deeper, you have reverse engineers, malware analysts that are able to break those malware samples apart. Maybe digest them through a CI model, where they’re able to categorize what these malware samples are doing. Building indicators of compromise detection engineering against them. It really just depends. I would even add some organizations that are more mature even have adversary simulation analysts, where they’re always working with the SOC team and the blue teamers to build detections based on the tactics that they’re utilizing against them. So it really just depends on the size and how mature the organization is. It could go as big as thirty personnel to just having four people kind of cover some of those basics. Ricky: You mentioned the Tier 1 through Tier 3 SOC analysts. Can you break apart some of the skills and even salary ranges? What’s required and what’s the difference between a one, two, or three? Alberto: Sure. So as a tier one, I expect the SOC analysts to really understand the foundations of networking, of operating systems, architecture; maybe even a basic level of reading code. You might not be able to whip your own things but at a basic level, you have to be able to understand it. Really once you get into the middle tier, that means you understand a deeper-level of traffic, PCAP, host-based artifacts. It’s not just you going through alerts and seeing what’s going on, but you really can get deep into certain investigations without given a risk to that specific alert. And at that Tier 3 , I think you’re more of a standalone analyst, where you can do a lot for the organization to include writing your own tools, maybe your own scripting, you can build your own detection engineering rules or specific tooling. It’s really more of a development work role with all the analysis already fine-grained in your arsenal, if that makes sense. Ricky: What are some of the ranges you’ve seen? Alberto: I’ve seen ranges starting at $75,000 to higher than $250,000. I think that salary range; definitely location; will depend on what your salary is A second thing will be whether it’s cleared work or not. If you have like a top-secret clearance and you’re in that federal spectrum, you might get higher compensation than other specific industries. And then your experience level and your problem solving. I think being able to do really well in your interviews and showcasing your potential to that company. Not only from a keyboard standpoint, technically speaking, but also being that entrepreneur mindset: understanding the operational risk, understanding how you tie into a bigger picture of that company. That’ll just make you stand out against some of your competition when you’re interviewing. But the ranges are pretty crazy and it really just depends on the industry. Ricky: Yeah for sure. Tell me what does some of the guys on your team look like? Are they similar to you? Or what’s the personas of your team? Alberto: I’m actually in South Florida. Everyone’s a Hispanic at my SOC. Some of them have mustaches. Regular guys from different parts of Latin America: Cuba, Venezuela, Colombia, Puerto Rico, etc. We really have a Hispanic workforce here in South Florida because of the population. But regular people, they love to fish, they love to ride their motorcycles. Just regular guys, really. Ricky: That’s awesome. What is your approach to leading them and working with them? Because there’s management for people in general but specifically leading more technical people both at the junior and senior level. That’s a specialty, right? Alberto: Yeah, for sure. I think this leadership aspect in the technical realm includes connecting with them on a personal level, challenging them technically, making them understand the strategic views of the company and how their tactical tasks are towards a greater good for those strategic goals. Some of the times if you’re a manager, all you do is direct people. You give them orders, and then you expect them to finish it, and then you walk away. Well for me, that leadership aspect that was ingrained in me through the military and up was take care of those people, understand them at a personal level, understand their goals, challenge them technically, give them meaningful work. And then sometimes, even some of the not so awesome work, whether it’s writing reports, etc. Give them that sense of importance that their work is really towards a greater cost for the company. And just appreciate everything that they do because security can be very taxing on family life, on your personal life. If you just work your nine to five and you never take some of your personal time to develop yourself, you might get left behind in this industry because it’s always changing. So, giving them that level of satisfaction and thanking them for everything that they do for you, I think goes a long way. Ricky: You are a pretty technical manager or leader in your team. What are some words of wisdom or advice you might have for less technical people who maybe went a different route into a leadership role? Because there’s always that friction between the tacticians, operators, and the managers. Alberto: I would say to be a leader in anything that you do and not just security, you have to understand what your subordinates are going through. Meaning you have to understand some of the technical implications of what they go through and what jobs they do. I’m not asking every security manager out there to be a reverse engineer. But what I’m asking for is allocate some of your personal time, if you don’t have it at work, to understand the technical aspects that your analysts have to go through to do their jobs well. Because at the end of the day, nothing gets done unless you know the tactical echelon executes those tasks. So for me, being a leader in this industry, it’s not only the managerial piece, and the organizational leadership piece, and client-facing and etc. But take some time to really understand some of the work that they do and stay sharp. Because this industry is very fast, and there’s some decision-making to be done. And you don’t want to just rely on everyone telling you what to do from a technical standpoint to make decisions. Ricky: What was the interview process for you getting into your job role? I know different companies will have many very different processes. But for where you work now, what was that journey like? Alberto: Sure, so I’ll explain what I went through in this company. As I was transitioning out of the Army, I interviewed for a lot of different companies and they all kind of shared their similarities. For this specific work role, I had first, a managerial interview with senior exec of the company to make sure culture and things of that nature were going to be a fit. Then I had three technical interviews with some of their senior engineers. After those three tech interviews, I went back to another exec to make sure culture, etc was going to be good. And then the final piece was having an offer letter delivered to me. And then other companies I interviewed for as I was transitioning out of the Army, they followed a similar structure, but add a recruiter in the middle. So typically, I would speak to recruiter, recruiter would present me to a hiring manager, a hiring manager would present me to maybe two or three technical interviews, and then once I received an offer, I would go back to that recruiter and finalize the negotiation conversations. Ricky: What were some of the really important parts of those technical interviews? How did you prepare for them? Maybe if other people trying to follow your footsteps who are getting into a SOC or getting into some kind of pentesting role, what should they be looking at to prepare? Alberto: In order for me to, “Stay fresh in interviews,” I would say it was almost a full-time job having interviews all the time. You have to keep track of good notes of all the conversations. Because these tech interviews, they may go back and ask you deeper details of a topic they asked you in interview number one. For me HackTheBox was a great resource, hackthebox.eu. All my offensive interviews all I kept doing is hacking boxes on HackTheBox, so I can stay fresh and some of the tactics. I was reading blog posts every day. I was staying up–to–date with everything. Again, it was very tiring, but I wanted to make sure I had talking points. I had new tactics I could present and discuss. I had a fine-grained methodology to exploitation. And then some of my blue teaming tailored interviews, similar concept. I was doing HackTheBox, but I was also taking a defensive mindset to all the tactics I was doing; how I would detect against them. I was following different Twitter accounts. I was staying up-to-date with all the latest tactics and how to detect. For me, it was just surfing the internet and just staying really up-to-date with everything going on. And then writing down my talking points. I think I can’t emphasize enough to keep track with a notebook. I had a physical notebook for my interview process where I would have different talking points whether it’s an adversary tactic, or how to detect against a specific common tactic. I think those will help you along the way. Ricky: Tell me, how did you get into cybersecurity to begin with? Alberto: Sure, so interesting story. When I was in college, I actually started working as an IT person for a small sleep apnea company. That was my first deep dive into technology overall. And then the Army said, “Hey, you’re going to go be a cyber operations officer.” I didn’t really know what that meant at the time, but when I got to the training, that’s when I was in for a rude awakening. So I would say that the Army was the one that forced me to get into the cyber security space. Ricky: What did you do at the IT role in the sleep apnea company? Were you a helpdesk guy? Alberto: Yeah it was like standard IT. I managed a couple Windows servers, a couple endpoints for the company. We were distributed across different cities within South Florida. So I had to make sure everything was operational, you know, an Active Directory domain type of structure. Ricky: Would you say that was pretty fundamental for your skills? Building it there before you got in the Army and started doing cyber for them? What was your journey like in terms of your skill progression? Alberto: Yeah, for sure. I would say a lot of the times while I was in my initial first tech job there at the sleep apnea company was really self-taught. Teaching myself what a domain is, what is the domain controller, what is an IP address, etc. So a lot of the fundamentals, I had to teach myself as I was going through my undergraduate degree. But it was great because I got that first-hand experience of being a Windows system administrator the hard way prior to going into security. Ricky: What was the hardest part of getting your feet wet or learning about the things for you? Alberto: I would say maybe being a little bit alone in the industry. Obviously, when you’re in school, you can ask your professors etc. But I was a one-person shop, so I couldn’t turn to any co-workers regarding questions on the domain or any sort of configurations. So for me, it was really just being alone and having to Google my way to finding answers to the problems that I was facing. Ricky: So part of being really good at Googling and research or what they call now OSINT, is really… your sensei. Alberto: 100% Google skills are so important in this field. I learned that early on, the hard way, unfortunately. Ricky: How long did it take for you to feel you were confident in getting over that hump to where you could speak intelligibly and know what you were talking about with other technical people? Alberto: For me, that hump of feeling confident that I was a cybersecurity professional was really about the 18-month mark of studying, getting some certifications, and getting operational experience. It was close to that two-year where I felt confident in having those conversations with some of my peers. Ricky: What resources did you lean on and rely on besides Google, obviously, to help you become better just starting off. Alberto: Yeah, so as cliche as it may sound, I think some of the best resources are actually blog articles by other security researchers and other companies. So I’m heavily into Twitter, companies like SpecterOps, Black Hills Information Security, Red Siege, etc. And even some of the overseas companies like MDSec from the UK. Following some of that research and some of those employees that are within the security spectrum really helped me learn some of the tradecraft that they’re doing. Ricky: Any books or podcasts that you might listen to now? Just in terms of being consistent and just staying up–to–date in addition to these blog article sources? Alberto: I’ll be honest. I’m not huge on books, simply because some of the security books are really dry. I probably got a little bit traumatized from reading the CISSP book once upon a time. I’m bigger into YouTube channels like Heath Adams, this one specifically. IppSec for the HackTheBox walkthroughs. So for me, it’s really more of a YouTube spectrum. I like to learn via videos. Some of the podcasts I have listened to from Hak5 and the Coalfire team have also been helpful. But for me, it’s really just blog posts, Twitter, and YouTube videos. Ricky: Do you do any CTFs? You mentioned HackTheBox or a cyber competition, SANS’ Netwars, every holiday season, Christmas, November-December time frame. They have that SANS holiday hack conferences. Do you attend those things? Alberto: So for me, I actually cheat a little bit on these. I know a lot of people do CTFs in my industry, but I typically just wait for the walkthroughs. I like to start at the beginning and just walk through some of the blog posts of the solutions. Though it is beneficial to get involved, but it can be time-consuming if you’re participating in a couple. I also do speak at some conferences. This year, I’ve spoken at VetSecCon, it’s a veteran’s security nonprofit organization. I spoke at the South Florida ISSA chapter earlier this year. I’m getting ready to speak at AvengerCon which is a DoD cybersecurity conference. So I like to do the more speaker aspect of things. And then I just like to read about everyone else’s research and some of their solutions in CTFs. Ricky: Have you ever been to any training courses or camps, things offered at conferences, etc.? Alberto: Yeah, so the Army gives us some great training that’s homebrew, meaning the Army provides at training. And they also put us through external training like SANS, etc. So those are always beneficial. They really give you a perspective and that solid educational background of the tools and skills that we need in the security field. But for me really where I gained most of my value of my time is kind of banging my head against the keyboard in my home lab. So I like to go out and build infrastructure, break it, test it, and learn the ins and outs of those specific TTPs and adversary leverage and how I can detect against it. So for me, it all starts at the home lab to be quite honest. That’s where I learn the most. Ricky: Can you talk about what is a home lab exactly? A lot of people have different ideas of what that could be. In your opinion, walk us through your home lab. Alberto: For me, a successful home lab is something you can just crash and build at any moment in time. And with that, you need to maintain a security and place within your house. And that’s why I have a network segmentation in my house where I have a lab where I can just crash and burn and do whatever I want, and then I have another environment that’s more static moreso for the security side of my home. For me, an Active Directory domain, some Linux machines, some servers, a SIEM to collect logs and analyze it. All of those are very beneficial and crucial to a home lab. But again, I think having that flexibility is really important because everything always changes. There’s new technology out there you want to test, so you don’t want to make it too strict to where if you change something, it’s just going to break all your work. Ricky: So if I am a brand new beginner, all I knew is how to set up the WiFi from the router that came from the internet service provider. Talk us through your build-out of your lab. What was the first piece of hardware you bought? When you say things like network segmentation, what does that mean? And some of the software configuration, build-a-bear, build a home lab. Alberto: Sure, so right of the bat, get your Google on, pfSense is a great open-source router firewall you can use. You can also use VirtualBox for virtualization, meaning you have a host operating system, and then you build smaller virtual machines on that host operating system to build that lab. You’re definitely going to need resources like RAM. So if you can afford it, build your own server, it’s typically cheaper that way. PCPartPickers is a great website to get going on that. Once you have some good RAM, good CPU, good resources overall, you can create a virtualized infrastructure that includes pfSense for routing and firewall network segmentation, whether it’s through a virtual LAN or you have an entirely separate network, /24 to play around with; you want to get after some Windows servers, windows workstations, Windows 10s, Windows Server 2016, and build virtual machines with these operating systems, And then create what’s called an Active Directory Domain, which is again, it’s a Google-away. It’ll definitely teach you everything you need to set it up. Once you have an Active Directory Domain, which is very similar to what you’ll see in an enterprise domain, you want to then build a Linux machine. You can use a different distribution like Kali or ParrotOS, etc. to have an attacking machine, and then you just go after it. There’s different tactics you can try, Kerberoasting, exploits via service, and I can go on and on about a home lab. I hope that helps. Ricky: So just to be clear, your home lab is largely virtualized. We don’t have thousands of ethernet cables running around like you’re mad scientists, and there’s a whole rack of servers and physical appliances. You have a very beefy desktop tower or maybe a low-end server somewhere, and you’re virtualizing all of the stuff on it and creating a virtual network. Alberto: That’s correct. And if you don’t want to buy one of those big bulky servers, I recommend maybe Raspberry Pis, or an Intel NUC. Those are great places to start if you want something more compact that can bring some resources into that virtualized environment. Ricky: How many days or weeks and the dollar cost did it really take for you to put together your lab to practice? Alberto: So I definitely had to research what I was going to get in terms of hardware. Whether it was the CPU, the RAM, the processor, etc. For me, I built my dream home lab here at the house for $800. And that was it. That was my budget. That’s what I got. And I can definitely provide the specs to you and we can post them on the chat here. But with $800, I was able to build a great small server about the size of a shoe box to contain about 32 gigs of RAM. I have an i9 CPU, 8 cores, about two terabytes of storage. So I’m able to virtualize likely maybe 10 virtual machines any moment in time. It’s enough for my needs. Ricky: Wow, that’s not very much considering that there’s laptops out there that have double the specs, like 64 gigs of RAM and 16 cores and four or eight terabytes of storage. That’s a lot of virtual machines you are able to push on that spec. Alberto: Correct, because I’m not using them so much as as a user. I’m not opening up tons of applications at a moment in time on these virtual machines. They’re really just for exploitation and detection engineering, so they get the job done being small. Ricky: Tell me, what is your personal take on certifications? I know it’s a really controversial heated debate between different camps. Which specific ones did you value taking? And overall, is it really worth it? Is it really necessary? Alberto: That’s a great question. I get that question a lot. Even internally within my peers, we have these discussions about certifications. So I think it really depends on the industry that you’re targeting. To give you an example, if you’re pursuing a Department of Defense job that is in the United States and it’s cleared or has to do with cyber, they do have requirements in order for you to get the job, whether it’s 8570 requirement or it’s that specific organization that wants you to have a certain certification. So I would say certain organizations will value them and I just gave you an example of one. Some of the certifications I do recommend for anyone in security are something like the OSCP and some of the E-learning security certifications are pretty good as well. And whether they’re valuable or not, I would just grab the take of certifications as a way for you to improve yourself. You really want to make sure you take that specific topic and you focus on that topic. As an example, the OSCP certification is really focused on penetration testing, hacking, and getting you used to that enumeration to exploitation path from a security side of things. And then other certifications, maybe you take the incident handler course from SANS. And then pass that certification; it’s really tailored towards your blue teaming capabilities. So I wouldn’t necessarily put a certification as, “This is needed because it is a job requirement.” But it’s also a way for you to focus on, “I need to learn this specific topic.” So you put a goal to get that certification to push you to understand that specific topic. Ricky: Got it. So really focus on self-study and self-edification versus “Oh, let me just check the box, let me get my CompTIA soup, Alphabet soup,” and expect to just cyber away. Alberto: Yes, 100%. I think, training yourself in your home labs and getting few certifications that meet some of those criterias You take in those certifications seriously based on the curriculum and the learning objectives, not so much a check–off–the–box. I think that’s where the value of certifications come from. Really that push to give yourself that goal. Other than, I’m not a huge fan of certifications. Especially like you mentioned, if you just go out and get the plethora of CompTIA certifications just to have them. It really doesn’t give you those skills that you’re going to need to be successful on the job. Ricky: Got it. So what are some things that you do apart from cyber and tech stuff in your free time? Because there’s this cultural image that it’s all dark, hooded, Mr. Robot hackers, or 300-pound bearded dudes. While those guys exist, there’s a lot of other people out there too. Alberto: I’d like to think I’m handsome. My wife says I’m handsome, to that comment. For me, it’s really spending time with family. We’d love to go out and try different restaurants. My wife and I would love to go out and eat and try new things. I love to play basketball. I’ve been playing basketball since I was a kid. Not like a LeBron James athlete, but I’ve been playing the game for a couple years. I typically play a couple times during the week. Anything outdoors is really fun. Going to the beach, hiking, and biking. All those are things I do outside of cyber. Ricky: Awesome. What are some things that you do to stay secure? Like personal digital security practices and recommendations because everybody has parents… maybe people who are older that you care about and they’re now on a smartphone or a computer. And as soon as you touch technology, you are now a participant in this cyber game. Alberto: Interesting story on that. My mother had a phishing email saying that they had her email account and password, which was true. Because her account was leaked somewhere else and she never changed her credentials. They tried to blackmail her for that information. We did go through it. We change her credentials immediately all across the board. I implemented multi-factor authentication on all her banking websites, etc. Some of the things I do and I always preach to my family members are implementing a good password policy internally. Using password managers is a big recommendation I give to everyone. The times of having your personalized, your own passwords be repeated across every single platform that you use: those times are gone and it’s pretty dangerous. Implementing multi-factor on everything and changing credentials with a password manager on everything. I think those are some of the initial wins that people can get after improving their security. Ricky: Alberto, thanks so much for your time. I know we’ve gone a bit over, but it just kept on going because you were throwing in the details and the high-level stuff. I just really want to thank you for joining us and sharing some of your experiences and insight as somebody in the trenches making it happen every single day. Alberto, thanks so much for your time, and where can people find you and some of the work that you’re doing? Alberto: You guys can follow me on LinkedIn, Alberto j-o-s-e-r, we’ll post the links there. Also, I’m on Twitter, so underscore ar0d with a zero underscore. On Twitter as well. And I’m on a lot of Slack channels and Discords, so the Bloodhound Slack channel, Operation Code, VetSec, different Discords, you guys can find me there under arOd as well. Ricky: And you mentioned, you also teach on HackerU as well? Alberto: I’m an adjunct professor there at HackerU, which is a program that teaches for various different universities. And it basically takes students from zero to hero, in a cybersecurity bootcamp similar to some of the training I did while I was in the Army. Ricky: Awesome. So thanks so much again for coming on our show and hope to see you soon! Everyone take care, have a good one!

  Getting Into Cyber Security: 5 Skills You NEED to Learn
You cannot copy content of this page