Thursday, January 7, 2016

Red versus Blue - What to Do? What to Do?

Red versus Blue - What to do?  What to do?
Security’s been lacking, they've let hackers through.

Script-kiddies are giggling, their phishing uncaught.
Someone's opened their email, without even a thought.

Antivirus averted, the firewall’s a bust
and their passwords were stolen, a violation of trust.

Protections were few - no IDS, IPS, or SIEM.
Their reactive analysis proved only a dream.

Now the CEO’s yelling. IT’s grasping at straws
‘cause they’d simply been dwelling, ignoring the laws.

Their posture, unhealthy, their planning was ill.
Now they’re looking for talent with just the right skill,

education and training, but where to begin?
The red team the blue team - do they pull from within?

Consider your goals kids and what training to pursue.
Red versus Blue - What to do?  What to do?

The past seven or eight years, it’s been fairly common for high-school and college students alike to hit me up for IT career advice and direction - particularly in the security realm.  Most of these kids are young and driven out of a desire to earn the ‘big bucks’, but they’re uncertain as to the proper direction to follow, the classes to take or even the school / training to attend.  Additionally, each student has different strengths, goals and ambitions, as well as differing desires and needs for learning, knowing that not all students ‘learn in the same way’.

It’s difficult to give them one specific answer, because I’ve never attended college nor have I gone through ‘formal’ education, in order to do what I do.  Much of what I’ve learned and accomplished was driven by my personal fancies, dreams, ambitions and the goal of always trying to be among the first to do and discover new things.  Add to the mix that the information security world is a very large, continually growing space and you have a recipe for mass confusion, if the conversation begins blindly, from the student’s perspective.

As I sit down and talk with each of them, the biggest, most important question I lead with is, "What do you WANT to be doing in ten to twenty years?"  I ask them to consider, first and foremost, where they want to be (location, professionally, financially) and what their NON-professional goals are.  Quite honestly, the security industry can be extremely taxing on even the most seasoned veteran infosec people.  I want aspiring students to understand that because of the way the field changes, because of the attitudes and stressors that they'll encounter, because they'll quite literally NEVER be able to stop learning and adapting in this field, they need to decide, first and foremost, on their willingness to commit to their goals, wholeheartedly.  This isn't to say that with the right effort and time, life won't all come together nicely.  Just that, more often than not, if a person wants to succeed in both their professional infosec career AND their personal life, their schooling (whether organized / formal courses or self-teaching, seminars, books, videos, CBT's) will likely be much more taxing than their primary / secondary education has been or ever will be and it will likely impact their personal life and 'free time' much more than they'd anticipate.

Once that's been put to bed, assuming the person hasn't run away realizing that the glamorous portrayal of hackers and infosec geeks in the media (untrained / uneducated 'whiz kids', hacking merrily away) isn't the reality they've come to expect, I'm usually asked, "OK, what courses should I take and from where?" This is followed by, "What school should I attend or can I be all self-study, like you?"

<cough> Ahh, how I love loaded questions! </cough>   (They all hope for a straight / simple answer)

As previously noted, I've attended ZERO college, so I can't speak for formal secondary education, specifically which school to attend.  I could be biased and refer them to some of the schools where my professional colleagues teach, but in all honesty, as I've not taken their courses or those of the others in their departments, I can't speak for the quality of their teaching.  Will I mention them in the discussions?  Absolutely!  Especially if their outside activities (infosec community activity and involvement, conference speaking, tool development, etc) have shown me that they know their stuff.  But otherwise, I can't recommend any one over the other from a 'personal experience' point of view.

With regard to 'what to take', this discussion could go a number of directions.  Depending on WHERE a student chooses to attend, the course offerings and programs might differ entirely, from one college to the next.  Additionally, different courses and programs might be geared to one discipline versus another and therefore the student has to make at least an initial career decision (knowing this could change in the future) on what 'part' or role they want to play in infosec, because whichever program or path of study they choose, it needs to benefit their career progression and prepare them to dive in.

This leads us to Red Versus Blue - What to Do?  What to Do? - or even Purple (or White, Gray, Black... but we'll delve into those areas another time)

Ultimately I ask students to really think about the following question.  I ask them for their first, gut response, then we discuss a bit and I follow up with them again after our chat, to see if their thoughts have changed or if their initial answer(s) still stand.  The question is:

"If you were to picture yourself in 10 years, would you want to be in an upper management role (where you're managing the overall security posture and practice of your organization), or would you prefer to be a team leader or member, working on hardware and / or software security and protection, versus trying to break those protections in order to help assure a secure environment?"

This is where our colors come into play.  An upper-level manager, who is responsible for all areas of the corporate security strategy, generally falls into the purple (mixed red / blue) category or leans more in the direction of blue.  Blue is typically thought of as cool / 'safe' and the team members are dedicated to protection - auditing and analysis, hardening systems, building solutions or monitoring existing solutions.  Red is considered to be hot / 'dangerous', and the team members are typically your attackers - penetration testers, malware experts, social engineers or even 'hackers'.

What differentiates the two colors is typically the work they're performing, as well as what I call their 'known' approach.  What do I mean by this?  Well...

While it's not always the case, more often than not, blue team activity is typically more relative to 'known' information and issues.  As they build protections, IDS / IPS, deploy antivirus or what have you, they're following known procedures and best practices (at least, I HOPE they are) in order to watch for and protect against known problems.  They're protectors and, by nature, protectors will try their best to prevent 'the unknown', but are obviously much better suited to deal with 'the known'.  More often than not, at least from many of the companies and environments I've seen, their approach takes a turn for the reactive side.  But every now and then, I'm excited to see a proactive blue team, trying to think more ahead of the eight ball (visible, easy to reach and eager to be put to work), rather than sitting behind it, where their activity might be less noticeable and success might be harder to obtain.

The red team, on the other hand, tend to be more proactive and are always looking for the newest 'unknowns', methods, exploits, vulnerabilities and ways to attack.  (This isn't to say they won't take complete advantage of a 'known', if the blue team isn't on top of their game, however).  While their purpose is still to act as an 'enabler' (and ultimately often additional educators) for the blue teams to be able to resolve their problems, because they try to remain one or more steps ahead of the curve, they tend to be more aggressive with their education and training, and are always on the lookout for the 'cool' or 'exciting' blog posts, newsfeed, IRC discussions and videos, showing the latest and greatest methods for exploitations.

Now that I've discussed Red and Blue (and Purple), it's often at least a BIT easier for the students to begin making some decisions.

In either case (red or blue), typically there will be a need for some sort of programming language.  Even if the student never becomes 100% proficient in a language, the ability to at least follow along, in general, with a program's flow or execution is a needed skill.  Depending upon specialization (red team might include web application hacking, for instance), specific languages such as Python, Ruby, Javascript, HTML or even shell scripting (BASH) will be more useful than others, so those discussions come into the mix.  Alternatively, for 'operating system' / client-side application hackers, there may be more need for C++, Visual Basic or .Net experience.  In either case, an understanding of Assembly is also a good 'back pocket' skill, even if only at a high level.

Along with programming, both red and blue teams also need at least a reasonable awareness of the latest applications and operating systems, as well as a solid understanding of networking fundamentals.  In any modern environment, there may be a mixture of Windows, Linux and OSX devices, and these may be connected via wired or wireless networks, throughout the organization.  In addition, routing protocols and topologies are important to gain an understanding of both inter- and intra-office communications, as well as internet connectivity.  As such, topics of study in college might include classes on one or more of the operating systems, especially Linux if available, as on one hand it's very similar to Mac OSX and on the other many security tools and distributions are built on and using Linux.  Beyond the OS, networking courses, such as the various Cisco certifications that many schools now offer (or other vendors' courseware, if applicable / offered), should be a staple of any information security curriculum.

Technical classes aside, other courses that would be extremely useful for information security professionals are psychology (useful in understanding how various people 'think', as well as understanding social engineering, phishing, etc), language / writing (it is VERY important to be able to communicate findings, whether to a company or to the infosec community as a whole) and mathematical courses, including statistics, since analysis skills are a big commodity in the industry.

All of the above said, students need to make those 'final' decisions.  First of all, which pieces of what I've already provided fit into their long term goals and plans?  Based on those pieces, which courses and programs will suit their needs and best prepare them for their careers?  Which schools offer the best packages and curriculum in order to accommodate all of the courses and are the instructors well known and active enough (whether in the community or by reputation), such that the students feel they can get the most from the experience?  Finally, dear students, do you think you CAN (and do you WANT to) do all of this learning on your own, or do you feel a collegiate program is better suited to prepare you?

I'll be the last to profess that only a college degree will get you somewhere in life.  I'm living proof that it can all be accomplished without one.  But as a married father of 4, who just had a wife progress through nursing school in her mid-to-late thirties, I'll also be the last to say it's an easy ride if you go it on your own.  The commitment and time required are difficult to substantiate and I can honestly say that, while I'd do it all again, it definitely would've been an easier road to have traveled before the married life.


No comments:

Post a Comment