“Anyone who stops learning is old, whether at 20 or 80. Anyone who keeps learning stays young. The greatest thing in life is to keep your mind young.”
– Henry Ford
I came across an interesting article in Security Magazine titled “SOC experts report cyber skilling obstacles”. In the article Cyberbit, a provider of Cyber Skills Development Platforms, revealed the results of the first annual Cyberbit SOC Skills Survey. The survey (download link in the article) results sheds light on how companies are fulfilling (or not) cyber team skills requirements in order to maintain a strong cyber defense posture.
I thought there were a number of interesting findings in the report. One was the disparity between human resources and technical hiring managers. No news there; it’s hard for non technical HR staff to assess candidates for technical job roles. My take is that you need differentiate yourself to make your resume or C.V. stand out to human resources professionals.
Another finding was how candidates are interviewed and screened. The report called out that while 70% reported “conversation’; 8% use ‘cyber range simulation’ and 10% use ‘task’. I believe that having candidates use simulations and complete tasks are great assessments of technical skills. The challenge posed by using those assessments is in delivering them fairly. In order to use a simulation or to have a candidate complete some task the employer should advise candidates in advance of the assessment and it’s associated conditions. Those conditions include some notes about general problem background; what equipment or data will be provided, and how long the candidate will have to complete the simulation or task.
Since the overwhelming number of responses cited ‘conversation’ as the interview technique; candidates have to have a plan for how to guide that interview conversation. My suggestion is that you be ready to talk about some recent technical topic that you’ve researched or learned about. Judging applicability of that topic to your interview is something that should be part of the candidate’s interview prep. Be prepared to talk about how you have recently studied cyber threats linked to open source code (for example). Have a plan to offer a 2-3 sentence summary (less than 1 minute) of what you learned about Heartbleed. Be prepared to go deeper. Have a plan to follow that up with 2-3 minutes about patterns of attack using open source used multiple vectors.
In short, be prepared to drive that initial interview conversation. Start short and high level. Be prepared to show some depth.
Another important skill finding brought up by Cyberbit was regarding skills. The two most critical skills identified were Intrusion detection and network monitoring. I read that SIEM and IDS/IPS. There are so many tools available at little or no cost that not being able to learn and speak about these topics is just wrong.
Looking at the phishing email I received the other day telling me that my PayPal account had been suspended the next step in my investigation is to determine how it reached my inbox.
There are many good resources available that describe manual email header analysis. To start out take a look at this article at Forensic Focus. This is a short read that is good introduction to reading email headers.
Next I’ll point you at a good article titled “What all the stuff in email headers means—and how to sniff out spoofing” at Ars Technica. Jim Salter is a good technical writer and he did all his homework writing this article.
I also recommend these couple of articles (first, second) on email forensics by Peter Matkovski on Medium (paywall?). He said up front that he was going to break the analysis into three parts but doesn’t seem to have gotten to part three, the attachments just yet. Still very good reading.
I’m all for line by line analysis when I have the time. Problem is I rarely have the time so I often use web based message header analysis tools. I looked at and compared three different web based email message header analysis tools recently.
The Trace Email tool at DNSChecker (https://dnschecker.org/email-header-analyzer.php) analyzes based on the IP source where the submitted message came from. The report includes host information including a threat level assessment and a whois lookup. The folks at DNS Checker offer a wide variety of tools and this is just one of perhaps 2 dozen.
The ‘Analyze Headers’ capability at MXtoolbox (https://mxtoolbox.com/EmailHeaders.aspx) is more comprehensive. It takes a little longer to execute but this tool examines the SPF and DKIM information in the submitted headers and presents a more complete report. A unique feature of this tool is the link at the bottom of the report page ‘Permanently forget this email header’.
Google Admin Toolbox
The Google Admin Toolbox Message Header tool (https://toolbox.googleapps.com/apps/messageheader/ ) is as fast as DNSChecker and provides a pass/fail check of SPF, DKIM, and DMARC information.
Summing up DNSChecker will tell you about the IP source. MXToolbox provides the most analysis of the header and reports on SPF and DKIM. The Google Admin Toolbox Message Header tool was the only one here that reported on SPF, DKIM, and DMARC.
Only problem was that he email address the message was sent to doesn’t actually have a PayPal account associated with it. But given the effort that must have been taken to undertake this campaign I thought I’d investigate. Fair warning: I have worked in cyber security for years and analyzed hundreds of emails. I examine information from the email messages and strongly suggest you never follow any URL to the host site.
The first step was to look at the sender’s email address (xqxjtfd at hwgnbiftch dot xxzk8aish dot com). This turned out to be of no real value. It was not from the PayPal domain and running the domain it was from through VirusTotal yielded little information other than the domain ‘xxzkaish dot com’ was likely dynamically generated. None of the VirusTotal engines saw this as malicious.
The next step was to look at the link in the email message itself. Putting myself in the threat actors shoes for a moment what they were trying to do is to elicit an ‘aw shit’ emotion and get the reader to click on the PayPal login link in the message. That ‘Login to PayPal’ link in the message was interesting in that it resolved to LinkedIn dot com.
LinkedIn does offer a URL shortening capability. In fact if you share a link that is longer than 26 characters in a LinkedIn post they automatically shorten the URL. Note: I have contacted LinkedIn Support asking if this is a genuine LinkedIn shortened URL and if they can share with me the post or profile that the URL was generated from. From the safety of a virtual sandbox I followed this LinkedIn URL.
As you can see the LinkedIn shortened URL produces a recent screen copy of the PayPal login screen. The big red flag is the URL for that login page being from the’kozow dot com’ domain. As of this writing running the complete domain ‘aotsuruz0e dot kozow dot com’ through VirusTotal resulted in three engines identifying this as either phishing (Emsisoft and Google Safebrowsing) or malicious (Netcraft). Running just the top level domain ‘kozow dot com’ through VirusTotal resulted in just two engines (Emsisoft and Netcraft) producing results.
Going further and looking at the words used I called up Google Translate. I believe that the sender email address was likely dynamically generated and resulted in no translation. The domain used to display the PayPal login used two words. The word ‘aotsuruz0e’ did not translate (parsing the word differently did return ‘blue crane zoe’ in Japanese) and “kozow’ in Polish translates to ‘goat’ in English.
I believe that the domain ‘kozow dot com’ has likely been hacked and is in the hands of one or more threat actors. My recommendation is that domain be blacklisted by Internet Firewalls.
I had the opportunity to attend the Security Onion 2020 User Conference yesterday. This was a two plus hour virtual event this year due to the pandemic. The Security Onion Solutions team did a really great job both logistically via WebEx and Discord. The team did well content wise too; packing an extraordinary amount of news about the new version along with a thorough walk through of many of the useful capabilities of the new version of this commercially supported open source network security monitoring solution. It was announced that Security Onion v2 (actually 2.3) has reached General Availability (GA) release status and (sadly) that the previous version Security Onion 16.04 will go end of life in April of 2021.
Welcome to Ford’s Lab!
I recently changed my Facebook setting to point at ‘Ford’s Lab’.
This was an experiment on my part to see how quickly my fellow facebook users would notice the change. I was sort of shocked that within the first hour a number of my friends had noticed and liked or commented on the change.
Note: I have not changed jobs.