If you know me, you can expect you'll know where I'll be the first week of August every year: DEF CON!!

I've been absolutely blessed to have been able to attend every DC since 26 and always find myself rejuvenated afterwards. The connections, the new ideas, the camaraderie with like-minded people is amazing.

A Year of Change

This year was quite different and a somber experience at the con. I lost my brother earlier this year in a senseless situation. Another person I worked with, but consider a very good friend, mentor, brother - bind - passed. Bind is very much woven into the fabric of this industry and touched so many lives. At a time where I was at my lowest, he was able to help pull me out and give me encouragement to persevere. This year felt different.

A Bit of Blue

I was able to present again at Blue Team Village for the third time (Incident Response 101: What Happens After the Hack?) to a crowded audience to kick off the start of DEF CON. The Blue Team Village entrusted ME to lead off the whole thing. I'm honored and can only hope I lived up to expectations. I'm always thankful for the ability to share what I learn, give back to the community and help shape new minds. Getting feedback that audience members found value in the content we provided is absolutely amazing!

Over the past year, I had the privilege to work alongside a great team of rock stars at Project Obsidian in Blue Team Village to help build the annual Blue Team Village Project Obsidian Capture the Flag (CTF) competition. Getting to create challenges to try to stump some of the brightest minds, while getting to teach blue team tactics along the way is exhilarating. Working alongside a great group helped so very very much!

All Tangled Up

Not only did I get to help at BTV, I got to help out at Packet Hacking Village (PHV) during the con. My journey into the PHV began in 2021, thanks to my friend bind encouraging me to give back and volunteer. His lasting impression on me was to give back, to teach others what I know. I've tried to build upon that and give back wherever I can, and PHV is one of the outlets that I was able to sink my teeth into.

This DC, I was able to assist in two areas: Packet Inspector/Packet Detective and the Hardwired. PI/PD was amazing, as always. The sheer number of people who come to check out and work through the challenges never cease to amaze me.

Hardwired was different for me - I had never had the opportunity to help with that area in the five years I had been volunteering. Now I get to show others how to make Ethernet cables. How fun!

Luckily, years ago as part of my job, I had experience terminating RJ-45 cables, so I was able to slot in relatively easily to the operation. Interacting with people wanting to learn how to create a cable from scratch but starting from zero was pretty cool to experience. I had a great time getting to tell stories about my experiences with making cables, some of the history of cabling standards that I knew, and getting a surprise visit from my wife while doing so. It all made for an absolutely amazing experience for DC.

I Didn't F It Up

Another part of DC that I absolutely love are the evening events. For at least the past six years, Hacker Jeopardy has been a staple of my DC experience. I made Whose Slide Is It Anyways a new annual staple moving forward. What an amazing evening of fun - even if it was invaded by those who attempted to strip away the joy.

But They Did

It goes without saying that one apple can spoil the whole bunch. That's very much the truth. Many attendees are gracious, caring, kind. There are others who attend who perhaps should be better aware of how they treat others. Be better. Treat others with respect. Be Kind. It's honestly not that hard to be a good person.

Luck?

In the midst of everything going on, I managed to obtain what appears to have been a card from the famed “Black Badge Raffle” card game at DEF CON that was super unique. Here it is:

Thankfulness

It goes without saying that all this isn’t possible without sacrifice. I am lucky beyond words to have someone in my life that encourages me and pushes me to do great things. Without her, I wouldn’t be where I’m at, nor could I be. I’m happy to have been able to share the DEF CON world with her the past five years. She’s dealt with my long nights working on something for DC and the crazy schedules while AT DC. Thank you for being there for me and keeping me focused on the bigger picture while keeping me grounded all along the way.

Reflecting

Overall, I think the experience was amazing. I find myself looking forward to the next DEF CON, ready to work alongside the amazing teams to build more materials to help teach/train newcomers in the field. If you've never had the opportunity to check out DEF CON, I encourage you to, should you ever have the means to. For its alleged faults, if you find the right crowd for you (and you’re not a jerkface), it can absolutely be a rewarding experience.

Beginnings

A lot can be said about first impressions, but far more can be said about perseverance. I take a great deal of pride in the type of work that I do and strive to be the best at what I do at a certain moment in time. I don’t think I’m better than anyone else - I just know I’m going to always work hard to get the best results, no matter what I’m going through. Or so I thought.

Let’s go back to 2011 - I decided to go back to school to get my Associates in IT. I’ve always been a tech guy for as long as I can remember, so it made sense. After working two jobs and attending classes, I graduated in 2014 with my shiny Associates degree. I had no clue what I wanted to be, but knew it had to be in IT/Tech. Got a job as a contract help desk employee at a large manufacturing facility in Southern California. I thought to myself: “This is my big break - to finally get a job in something that I’m good at!” Little did I realize that some events in 2014 would turn out to change the trajectory of my career path… in a big way.

In late 2013, news of the huge Target security breach came out. I had heard about this and then the Home Depot credit card breach in early 2014, but figured these were one-off situations. I started reading up more on the Target incident and became intrigued at the method of how the attack occurred. I had always considered myself to be a security-minded person, but to see how things played out with Target made me want to dive in further.

Education

On a whim, I decided to think about looking into further education as it became more and more apparent that an Associates degree would not get me very far without the real work experience - at least not far enough with respect to financials. I ended up starting the enrollment process for my Bachelor of Science in IT Security, aiming to start at the beginning of 2015. I was able to get about half of my program credits transferred in from my Associates degree. This would be a cakewalk.

HOLY SHIT. I hadn’t considered that an online-only school would require more from me than my experiences at the local Community College. I struggled working full-time (and often overtime) and attending school full-time. That along with being married and trying to maintain a relationship was not simple or easy. They say if you want something bad enough, you’ll make sacrifices to get it. I wanted that degree, I am going to get that degree.

By the middle of 2016, I was wrapping up my degree! I’ve done it. I got my Bachelors, finally! But part of me wondered, was there an opportunity for more? I’m still working as a Help Desk employee and while I was happy to work for the company I was contracted out to, the lack of raises or even health benefits was something that gave me pause. One benefit that I leaned on for my Bachelor program was tuition reimbursement. I was able to get a portion of my payments reimbursed by my employer - great! However, would they finance me furthering my education in obtaining a Masters in Cybersecurity? The answer, surprisingly, was “yes”.

Quite possibly easier than requesting a day off from work, my employer approved my plan to continue attending college and directly progress towards a degree in Cybersecurity.

I took the next year and a half to progress through my Masters program - I had already known the expectations and knocked the courses out. I started building an appreciation for the security world and everything in between. I always liked tinkering with things, making things do things they weren’t supposed to do, pushing boundaries. 

Above and Beyond - But Ghosted

I graduated in 2018 - I was extremely pleased with getting the opportunity to say I had my degrees. There was just one slightly major issue: who is going to hire a guy with no security experience, no security project background, a paper-holding wanna-be hack that only has Help Desk experience? All the places I applied to either gave the “we’ve selected a candidate that better fits our needs” email or the good old ghosting. 

I was great at what I did working for the Help Desk. People liked me because I didn’t treat them “like most IT people” - whatever that meant. I just genuinely enjoy helping teach people about technology and conveying related concepts in a way they can better understand. 

I also enjoyed getting to do special projects for the company: I would work on their phone systems, help plan tech upgrades, refurbish equipment. Mostly things not necessarily associated with Help Desk life. One such thing was helping the network team scope out projects before they made changes. They asked me to go out to Las Vegas in August 2018 to check out a new facility they would be implementing appliances to, and I jumped at the opportunity. VEGAS! Hell yeah I’m down to go.

By this time, I am engrossed in the security world, I’m checking out subreddits, web forums, Twitter, you name it. I took the trip to Las Vegas on a Wednesday-Friday for the job. Unbeknownst to me, it just so happened that this was the week of DEF CON 26. When I realized this, I had to attend. Another request to my employer got another approval to attend this convention. It was the weekend I attended DEF CON 26 that solidified my love for the security world.

I made it…

Fast forward to the beginning of 2019, I landed my first security role as a SOC Analyst - someone decided to take a risk on me. For the most part, the first three quarters of 2019 were amazing. I got a job in a role that I had been trying so very hard to get. My morale did fall when the majority of my colleagues left for better opportunities, but overall I got to work in my field! 

Then it hit me - I was thrown into a role in which I had no real direction, no real experience, and no real power to make positive changes. I did get to attend DEF CON 27, which was nice, and things appeared to be going well...until they weren’t.

Recognizing where I came from

Life is hard, finding who you are can be an absolute struggle. 

My parents divorced when I was seven or eight, my mom remarried quickly after and sent me and my siblings on a journey through hell. I'll spare specific details, but the in the end I ended up in a temporary "orphanage" home for a week and then foster care for about nine years.

I experienced a lot, but thankfully I learned some hard lessons in making the most of what you have and being thankful you have it.

What does this have to do with security, you ask?

My goal if nothing else is to tell you that no matter what you've come from, who you were, what you've done doesn't have to define who you are now.

Many of the foster children I grew up with were extremely troubled, some ended up in prison, others homeless, struggling. I very well could have been a statistic. Plainly stated, we all have our history. What we do with our future is what matters most.

…and then the walls came tumbling down

Life fell apart quickly for me after DC27; my marriage fell apart, my mom died, then the dumpster fire of 2020 happened.

I wasn't engaged in work; I loved being in the security world. I wanted to do more, to make an impact, but at every chance I was shot down by other teams I worked with, because they didn't have time to do anything about what I detected. At one point I figured there was no point to my role - what did it matter what I did anyways. Even if I find something substantial, it's not like anyone would do anything about it anyways.

To add insult to injury, I got moved over to a team that had been known as hard nosed and blunt at the beginning of the pandemic. I was positive I was out the door. I started working with a new member of the team that pushed me to think differently and encouraged me to go against the grain. I started to get more involved, but I was still not fully there. 

Unexpected Support Sources

I remember getting a call from my new manager a few weeks into being a part of the team. I expected to be berated for something I had done since the manager had a reputation of being very hardnosed, but instead the following was said "hey, I see you're struggling a bit with some of the work you've been doing - is there anything I can do to help you or assist you to get your numbers up?" I was actually taken aback by this - I had not expected support, only criticism and negativity. That's all it took for me to realize maybe there was another level I could take myself to.

That call made me realize a few things: 

1. People see the effort you put into your work.

2. Don't always allow other people's opinions to deny giving others a chance to prove to you who they are or how they operate.

3. I need to step up my fucking game and produce results.

Truth is: it was a wake up call. Stop feeling sorry for yourself, and be the security superstar you know you can be.

I think my manager saw something that I didn't initially see in myself: I can be a leader, an influencer, and most of all… a teacher.

I would later find out that I had been negatively viewed because of my poor work ethic. I had earned the moniker of “Six Tickets” from previous management - and this wasn’t a badge of honor. To find that someone thought that I would only close six tickets a week in the SIEM absolutely crushed me. To know this originated from someone who had claimed they were on my side? Of course I'm not going to give a shit when management tells me there's nothing they can do because they don't have the manpower to further investigate an issue I found every single time I found one.

Defining Me

I made it my goal to persevere and prove that wasn't me, it wasn't going to define me, just like I wasn't going to let being a former foster child from a broken marriage define who I am today.

From my experience I give the following advice to managers getting handed a new team:

1. Don't always take things at face value, you might not know history of an under-performer or the circumstances that led them there.

2. Don't be afraid to push for better, sometimes that's what people need to get them moving.

3. Do find out the strengths of the worker.

Saying this, however, some workers might not be able to handle the pressure, but every now and then you'll end up with a potential gem on your hands.

Finding a Voice

The first few months working with the new team was brutal, in a sense. I'm not normally a vocal person, I tend to be an introvert and keep to myself. What better way to make me uncomfortable than to make me the center of attention on team calls. 

You either sink or you swim in that sea, and I'm not going to turn down a challenge.

It was yet another time for self reflection. I realized, hey my work is being recognized, and yes we now have teeth to do the job right.

Over the next few months I learned to become more assertive, to trust my instincts, and to strive for excellence. I also learned the power of sharing your knowledge and experience with others - this is key. I've been extremely blessed to have met people in this industry that encourage and educate me constantly. I want to be able to share what I've learned with others like those before me.

To the coworker that inspired me to push through - thank you so much.

To the manager that got me outside of my comfort zone - thank you as well.

I’ll keep telling myself “Don’t be ‘Six Tickets’” forever.

Final Thought

I encourage you to share your knowledge, educate the new incoming security workers. We are such a small tight knit community, but we have room for so much more.

Connections

Thank you for taking the time out of your daily life to read this. If any of this resonates with you, I encourage you to reach out and connect with me:

• Website: https://www.ilovesec.com

• BlueSky: https://bsky.app/profile/ilovesec.com

• Mastodon: https://infosec.exchange/@Samunoske

• Github: https://github.com/samunoske

• LinkedIn: https://www.linkedin.com/in/thejoshuamorgan

(n)Map Exploration: A Great Time in Remote Destinations

Let’s take a look at activity within a corporate environment. Can we find actions that stand out or might be suspicious?

Video Walkthrough

Overview

What will we learn?

There are a number of concepts we will go over and learn in this walkthrough:

• What is reconnaissance in a security/threat hunt context?

• What are some ways that adversaries can identify points of exploitation within an environment?

• What are some commonly abused services that adversaries use?

• How can we walk through the thought process associated with a Threat Hunt from hypothesis to tangible results?

• What tools do we have at our disposal and what can we do with them?

• Can we go deeper and find out more after validating our hypothesis?

Initial Required Concepts

In order to dive into the hunt, we need to have some baseline information to better understand what we are seeking to find. Let us take a look at some of these now.

What is reconnaissance?

In a security context, reconnaissance is the process of gathering information about a particular target. It’s important to recognize that reconnaissance is not always malicious in nature. It is not unexpected or unheard of to see some tools in use within the organization that perform this activity. Reconnaissance is often utilized prior to potential exploitation as an adversary would build out a “map” of items that exists in a particular environment.

What are some ways that adversaries can identify points of exploitation?

An adversary can begin with some basic web searches to find information that is freely available on the internet to begin building a model associated with a particular “entity” - often in this context the “entity” is an organization. We call this freely-available information on the internet Open Source Intelligence, or OSINT for short. There is often a limit to the usefulness of the information provided by OSINT resources as it pertains to actively using it against an entity.

What if the adversary is already connected to the network?

If the adversary already has a limited foothold into the network, there are more effective things that the adversary can do:

• Build a network map of the environment - what systems are there? what operating systems are there?

• Identify services that the adversary could then utilize to move deeper into systems/the network.

• Exfiltrate data

From a security point of view, we call this building a list of systems “Enumeration”

What tools could be used to do this enumeration within the network?

Some tools for this include:

• Network Scanning Tools: Used for building out systems associated with a particular network, including open ports, operating system type, and more. A few examples of applications in this group include the popular tool nmap and as well masscan.

• Vulnerability Scanners: OpenVAS/Nessus are two vulnerability scanners that could theoretically be used to identify hosts within a network.

• Built-in OS Tools: The ping tool could be used to identify available hosts within a network, though

Now that we understand more about reconnaissance, let’s put these concepts together to see if we can build a Threat Hunt with these ideas in mind!

Threat Hunting

What is Threat Hunting?

Threat Hunting (TH) is a process of being proactive of unveiling unknown-knowns and unknown-unknowns to better our security posture

Hypothesis

In order to begin the Threat Hunt, we need to have a reason to start the hunt. To start, we will need to come up with a hypothesis.

What is a hypothesis?

A hypothesis can be described as something we think might be occurring or something that we think might be taking place in an environment. A hypothesis focuses on the 6 W’s:

• Who: Who is doing the activity?

• What: What is happening?

• Where: Where (What systems/networks) is this happening?

• When: What time/time period did this happen?

• Why: What is the end goal for the activity being performed?

• How: How is the activity occurring in the system?

How do we create a hypothesis?

For HOW to create a hypothesis for Threat Hunting, you can read an in-depth guide here: (insert link).

For now we will go over the hypothesis I have created for this scenario.

Let’s create a hypothesis to hunt for reconnaissance!

Broad Hypothesis

The company has reconnaissance activity within the network.

Narrow hypothesis

Reconnaissance activity is occurring in the Magnum Tempus environment, and some of the activity is malicious.

Transitioning from a Hypothesis to a Query

How can we formulate a query based on our hypothesis?

Our initial hypothesis presumes that there is reconnaissance activity within the environment. While this is most certainly true, we need to dig deeper. There may indeed be this ocurring, but as we noted above, not all reconnaissance activity is outright malicious.

First we need to understand what tools we have available. For this Hunt, we are using Splunk, however many of the procedures/methods we use can and should be used with other query languages/log platforms.

Since we know our log data is in Splunk, we first need to determine what log sources we have available to us.

We could modify our index to include ALL log source data using a wildcard query like this:

index="*"

HOWEVER, this is considered bad practice as doing so is an expensive (resource-intensive) query and could cause undesirable effects on the Splunk (or other Log Aggregator) server and could hinder other searches being done on the system.

Thanks to our friend, Cereal Killer, we can utilize the following query to find the indexes (source) of data to query against:

| eventcount summarize=false index=* | dedup index | fields index

While you may not know this, when I think of nmap usage, I think of it being used on Linux distributions. As we can see above, there is an index for Linux, so let’s start there!

In Splunk queries, we start by calling the index (source) of the data we are querying against:

index="linux"

We can query with just this, however we will get ALL data in the associated log:

NOTE: We need to change the time filter to the time period we are checking against for this specific scenario because we don’t know exactly when the log data starts/stops. In your own Threat Hunting (outside of this scenario), you will want to identify a timeframe to conduct your searches. This could be 24 Hours, 1 Week, 1 Month.

In this scenario for this hunt, we are focusing on the whole day of 2023-04-29.

In Linux, an example of a basic host nmap scan command line entry would look like this:

nmap -sn 192.168.1.0/24

To make it easier, we can expand on our existing query and add just the text “nmap” to it, since the nmap application is just simply nmap.

index="linux" (nmap)

Okay, so for some reason this did not provide any results.

Did we do something wrong here? Not exactly. We’re conducting a threat hunt for something we THINK might be in the environment. A threat hunt will not always be successful, but sometimes it can be.

Let’s look at the index list again. So we see there are a few items that might be interesting to try. We see sysmonforlinux. Sysmon is a tool that is used to get telemetry data (information about what’s happening on the computer, even activities that the end user doesn’t ever see) and forwards this data to a log collector. This might also be a great source to query against.

We can also try adding some of the other tools we referenced above to the query as well.

How can we refine this query?

Let’s start with the previous query:

index="linux" (nmap)

So there was no nmap activity in the linux logs in Splunk. Let’s pivot to include another potential log source as well as another command line reconnaissance tool, masscan.

Masscan might not be as commonly used as nmap and if we think like a potential adversary, we might want to use a tool that is less commonly used and therefore potentially less likely to be recognized.

An example of a masscan command line would be:

masscan -p 80,443 192.168.1.0/24

This scan is specifically looking for open HTTP (80) and HTTPS (443 Secure!) ports between 192.168.1.0 and 192.168.1.254.

We can modify our search as seen here:

index IN (linux,sysmonforlinux) (masscan OR nmap)

This query did not net us any relevant hits, either.

Let’s pivot again - this is normal. Everything is fine.

How can we refine this query since the previous did not get us what we expected?

Let’s start with the initial query:

index="linux" (nmap)

Our initial hypothesis presumes that we have reconnaissance activity in the environment. We started looking at Linux systems to see if there was activity there, but perhaps we made a problematic first assumption that the reconnaissance would come from a Linux system. Let’s go with the “sysmon” and “windows” index choices. Much like Sysmon for Linux, Windows Sysmon can provide telemetry from Microsoft Windows systems and there actually is a nmap version that can be used in Windows. We will not include masscan at this point because it’s less common in Windows.

Let’s go!

Here’s what we should modify our search query to:

index IN (sysmon,windows) (nmap)

Let’s run this query!

We have hits!

Let’s look at the overall results:

182 events - digging through this, we could probably refine this list down. Let’s take a look at the hosts that show nmap activity. If we click on the host field on the left side, we see that 5 systems have been identified with something related to “nmap” on it:

What we also notice is that a LOT of activity related to nmap appears to be by one particular system:

wkst16.magnumtempus.financial

Let’s dig into this system a bit to see what’s happening.

We need to modify the query again

index IN (windows,sysmon) (nmap) AND host="wkst16.magnumtempus.financial"

Running this, we see 152 events that match this query.

Looking through these entries the only directly interesting entry is one associated with Powershell, but it appears to be activity associated with installing nmap, so I don’t see this as particularly nefarious.

We also see this system is associated with Seth Morgan, an IT Engineer. Without knowing much more about what an IT Engineer is within the orgainzation, let’s take a moment to presume this is expected activity by this user.

Let’s compare with Excluding the host from the results:

index IN (windows,sysmon) (nmap) AND NOT host="wkst16.magnumtempus.financial"

29 events!

Let’s take another look at the breakdown of the hosts associated with this query:

We see now that the top talker for this activity is:

iot-eng-wkst.magnumtempus.financial

Let’s refine our query and dig more into this system:

index IN (windows,sysmon) (nmap) AND NOT host="wkst16.magnumtempus.financial" AND host="iot-eng-wkst.magnumtempus.financial"

So now we have found some interesting activity that seems like it would be somewhat questionable. Many of the top few events we see are from the user we saw previously, Seth Morgan, connecting over the network from the source IP Address 172.16.50.20 to the destination IP Address 172.16.50.19 via port 3389.

What is port 3389?

Port 3389 is commonly associated with Microsoft Windows Remote Desktop Protocol (RDP). This is a service that allows users to connect to a computer remotely via another computer.

!!!IMPORTANT NOTE!!! Remote Desktop Protocol service should never be exposed to the public Internet. If this is required, please be sure to have this service hidden behind a secure VPN or some other access restriction.

Moving forward with this in mind, we need to determine what the system 172.16.50.19 is. For this, we’ll need to craft another query.

Don’t worry, this one will be simple and we’ll get back to our main query shortly.

index=* 172.16.50.19

When we run the query, we see can look at the hosts that are somewhat associated with this IP:

Over 40% of the traffic is associated with this asset:

iot-jumpbox.magnumtempus.financial

For those who may not be aware, a “jumpbox” is a system that is used as an intermediary between networks that may be highly restricted. This can be a normal practice and based on the hostname, we can presume this is an expected system on the network.

Let’s make a modification to the original query to only look for nmap activity from this system:

index IN (windows,sysmon) (nmap) AND host="iot-jumpbox.magnumtempus.financial"

Running this query, we see two entries this time:

The first entry appears to be a file creation in the C:\Windows\SysWOW64 folder for nmap. Interesting, we may need to understand this more.

The next entry is very intriguing. Looking at the metadata within this, we see command line activity from this system probing the overall network using nmap:

CommandLine: nmap 172.16.60.0/24 -p 22,5900,8080,80,443,502 -oA a -v

Also, of note, is that this command was being run by a local user:

IOT-JUMPBOX\iotadmin

We know this is a local user due to the fact that the username includes the system name “IOT-JUMPBOX”. If this were a domain account, we would theoretically expect to see “MAGNUM.TEMPUS\iotadmin”

Let’s look at the command and dissect this so we understand what the command is looking for.

As we discussed previously, the command goes across a subset of the network, looking at the entry

nmap 172.16.60.0/24

This will cover all systems between the IP 172.16.60.1 and 172.16.60.254

-p 22,5900,8080,80,443,502

This is an interesting part of the command because of the wide range of open services that this is looking for. Let’s break each one down:

• 22: This is for a remote service, Secure Shell, commonly called SSH. This is often used for remote access to a system, commonly over command line.

• 5900: This is another remote service, Virtual Network Computing, VNC. This is used for Graphical remote access to systems, similar to Windows Remote Desktop Protocol.

• 8080: This is looking for a web server. While this is not commonly used, 8080 is used in situations where the normally default web port 80 is unavailable.

• 80: See above. This is the more common port used.

• 443: This is for Secure HTTP, HTTPS. This adds a secure layer to regular HTTP.

• 502: This port is the most intriguing of all of the ports for this query. This is not a port we would expect to be queried for except in specific scenarios. It is specifically used for Modbus TCP/IP, allowing devices in industrial automation systems to communicate over TCP/IP networks. Modbus is widely used for exchanging data between devices such as PLCs, SCADA systems, and other industrial controllers.

-oA a -v

• -oA a: This flag is used to specify the output format and file naming convention for the scan results. In this case, the letter “a” is used as the argument after -oA. It instructs Nmap to save the results in three different formats: normal format (a.nmap), XML format (a.xml), and grepable format (a.gnmap). This makes sense as to why we saw the file being created in the Windows SysWOW64 folder, and based on the filename, matches.

• -v: The -v flag is useful for obtaining a more comprehensive view of the scanning process and gathering additional insights about the targets being scanned.

Where does this leave us?

What stands out for this is that a local admin account on the jumpbox is attempting to enumerate a network, specifically looking for exposed webhosts, remote services, and curiously enough a port associated with industrial systems.

While this could be legitimate activity, I would not expect to see this type of a probe with all these seemingly unrelated ports being queried in a normal business operation. An administrator would not be looking for remote access ports, web servers, and an industrial-specific port, but instead have separate queries to do this.

What’s important to note is that our Threat Hunt focused only on computer/asset logs and we did not investigate any network traffic logs that could have provided additional context and support for our Hunt.

This activity definitely raises some red flags, so we need to provide our findings to the next team for them to dig in deeper.

Let’s build our Threat Hunter Template now!

THREAT HUNTER TEMPLATE

Playbook Title: Detecting Reconnaissance in Company Environment

Mitre Tactic: T1046 - Network Service Discovery

Mitre Sub Technique: N/A

Hypothesis: Reconnaissance activity is occurring in the Magnum Tempus environment, and some of the activity is malicious.

Proposed Detection Query: index IN (windows,sysmon) (nmap) AND host="iot-jumpbox.magnumtempus.financial"

Simulation Details: NONE

Hunter Limitations/Observation Notes: Network traffic flow logs were not available during this hunt. Having access to these logs could add additional context for the search. Also of note, all of the fields were not parsed within the logging platform, making queries slightly less efficient and not as readable.

Hunt Findings: There may be some fishy activity occurring, since we detected probing on an uncommon port associated with PLC/SCADA

Connections

Thank you for taking the time out of your daily life to read this. If any of this resonates with you, I encourage you to reach out and connect with me:

• Website: https://www.ilovesec.com

• BlueSky: https://bsky.app/profile/ilovesec.com

• Mastodon: https://infosec.exchange/@Samunoske

• Github: https://github.com/samunoske

• LinkedIn: https://www.linkedin.com/in/thejoshuamorgan

Go Phish: Visualizing Basic Malice

Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment? We will take a journey as if we are a new member of the Magnum Tempus Financial Security Team and proceed through a Threat Hunt through the eyes of a newbie in the field of Threat Hunting.

Video Walkthrough

Overview

What will we learn?

There are a number of concepts we will go over and learn in this walkthrough:

• What is phishing and what is a phishing payload?

• What is Visual Basic for Applications?

• What are Macros and what does this have to do with phishing and Threat Hunting?

• How can we walk through the thought process associated with a Threat Hunt from hypothesis to tangible results?

• What tools do we have at our disposal and what can we do with them?

• Can we go deeper and find out more after validating our hypothesis?

Initial Required Concepts

In order to dive into the hunt, we need to have some baseline information to better understand what we are seeking to find. Let us take a look at some of these now.

What is phishing?

In simple terms, phishing in this context is an attempt by an adversary to use methods to obtain credentials in an illicit manner using email communications.

What is a phishing payload?

A phishing payload is the means in which an adversary attempts to obtain the credentials of a target. The payload could be a link that sends an unsuspecting victim to a webpage that emulates a known website (like Microsoft Office 365 portal or Banking logon page) to collect usernames and passwords. Here are a few examples of malicious emails I have seen in my information security experiences:

Another type of payload can be a document or file specially crafted to behave in a certain manner or take specific actions to attempt to collect credentials from a user’s system:

Let’s look at what we see in the above screenshot:

1. The company email is mycoinsnow.com but the email sender is mycolnsnow.com - this is a typosquat of the domain.

2. Misspelling ‘document’ in the text. Additionally, creating a sense of urgency on the recipient that action is required by a specified date.

3. Document attached is a .docx file that simply says “invoice” with no other indication on what it is for.

Attacks using the above type of email often utilize the Visual Basic for Applications (VBA) coding present in Microsoft Office Suite, primarily in Microsoft Word, Excel, and PowerPoint.

What is Visual Basic for Applications?

Visual Basic for Applications (VBA) is a slightly stripped down/limited version of Visual Basic coding language that can be used in Microsoft applications to add functionality and extensibility not natively available in the applications themselves. This can be useful in helping automate repetitive actions or automate retrieval of data when certain options are chosen in a document. VBA allows system-level access to perform actions and can act outside of the Microsoft Office Applications as well. We commonly call these “Macros”.

What are the issues with Macros?

Due to how the functionality works in allowing access outside of the walled garden of Microsoft Office Suite, macros can allow an adversary the ability to make system changes or download additional malicious code via these macros with little interaction from the victim.

An example of how the VBA Macro document could appear in a Microsoft Word document can be see here:

Now that we understand what phishing, phishing payloads, VBA, and macros are, let’s put these concepts together to see if we can build a Threat Hunt with these ideas in mind!

Threat Hunting

What is Threat Hunting?

Threat Hunting (TH) is a process of being proactive of unveiling unknown-knowns and unknown-unknowns to better our security posture

Hypothesis

In order to begin the Threat Hunt, we need to have a reason to start the hunt. To start, we will need to come up with a hypothesis.

What is a hypothesis?

A hypothesis can be described as something we think might be occurring or something that we think might be taking place in an environment. A hypothesis focuses on the 6 W’s:

• Who: Who is doing the activity?

• What: What is happening?

• Where: Where (What systems/networks) is this happening?

• When: What time/time period did this happen?

• Why: What is the end goal for the activity being performed?

• How: How is the activity occurring in the system?

How do we create a hypothesis?

For HOW to create a hypothesis for Threat Hunting, you can read an in-depth guide here: (insert link).

For now we will go over the hypothesis I have created for this scenario.

Let’s create a hypothesis to hunt for potential phishing activity!

Broad Hypothesis

Magnum Tempus employees receive malicious phishing emails.

Narrow hypothesis

MT Employees are targeted with Malicious Microsoft Documents containing VBA macros via phishing email. Some employees will click and open malicious documents.

Transitioning from a Hypothesis to a Query

How can we formulate a query based on our hypothesis?

Our initial hypothesis presumes Magnum Tempus employees receive emails with malicious documents and opens those documents.

First we need to understand what tools we have available. For this Hunt, we are using Splunk, however many of the procedures/methods we use can and should be used with other query languages/log platforms.

Since we know our log data is in Splunk, we first need to determine what log sources we have available to us.

We could modify our index to include ALL log source data using a wildcard query like this:

index="*"

HOWEVER, this is considered bad practice as doing so is an expensive (resource-intensive) query and could cause undesirable effects on the Splunk (or other Log Aggregator) server and could hinder other searches being done on the system.

Thanks to our friend, Cereal Killer, we can utilize the following query to find the indexes (source) of data to query against:

| eventcount summarize=false index=* | dedup index | fields index

We will start with Zeek logs in Splunk because we can find documents transmitted over network traffic if they are downloaded from a company email on a company asset. Zeek is used to collect telemetry data and traffic flowing through an organization’s network.

In Splunk queries, we start by calling the index (source) of the data we are querying against:

index="zeek"

We can query with just this, however we will get ALL data in the associated log:

NOTE: We need to change the time filter to the time period we are checking against for this specific scenario because we don’t know exactly when the log data starts/stops. In your own Threat Hunting (outside of this scenario), you will want to identify a timeframe to conduct your searches. This could be 24 Hours, 1 Week, 1 Month.

In this scenario for Magnum Tempus, we are focusing on 2022-02-11 through 2022-02-13

Let’s focus on document file types that are often sent as potential phishing attachments.

Some of the more common formats include Microsoft Word formats (.doc, .docx) and Microsoft Excel Spreadsheets (.xls, .xlsx). Splunk allows us to query for multiple file types at once. Note we are not necessarily looking for an official filetype designation because we may not know exactly if this is indexed in Splunk. Let’s check for the filetypes specifically as shown here:

index="zeek" (.doc OR .xls OR .docx OR .xlsx)

We get lots of hits (863!) because a lot of documents will be sent as part of normal business:

Let’s try to pare down the total number to a more manageable number using some common phishing terms.

How can we refine this query?

Let’s start with the previous query:

index="zeek" (.doc OR .xls OR .docx OR .xlsx)

This gave us way too many results. We want to reduce the number of files, but need to find files that could indicate potential phishing activity. Occasionally we see common terms/names in documents related to phishing activity as seen here at SANS Common Patterns Used in Phishing Campaign Files:

Let’s pick a few and run another search, this time expanding our search to other log sources within Splunk (using index IN):

Let’s try including a different log source with our zeek query.

Looking at our index from before, let’s go with sysmon, as we might be able to see files accessed on endpoints (Much like how Zeek is used for network telemetry, Sysmon is used to generate telemetry data from endpoint devices in an organization.)

We can modify our search as seen here:

index IN (zeek,sysmon) (.doc OR .xls OR .docx OR .xlsx) (invoice OR remit OR payment OR order)

This query did not net us any relevant hits:

We should probably try a different approach.

How can we refine this query since the previous did not get us what we expected?

Let’s start with the initial query:

index="zeek" (.doc OR .xls OR .docx OR .xlsx)

Our initial hypothesis presumes that users executed malicious VBA macro code. Is there a way for us to determine based on log data that such a document was executed?

In a word: yes.

Reviewing SANS Office macro execution evidence we see that we can check logs for “TrustRecords” to see if there were Windows Registry modifications:

One of the few places where macro execution leaves traces is in the “TrustRecords” entry in the registry: HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords HKCU:\SOFTWARE\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords HKCU:\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Security\Trusted Documents\TrustRecords

-From https://isc.sans.edu/diary/Office+macro+execution+evidence/27244

Let’s take a look at what we should modify our search query to:

index IN (zeek,sysmon) (.doc OR .xls OR .docx OR .xlsx) (TrustRecords)

Let’s run this query!

We have hits!

Let’s look at the overall results:

62 events - this should be easier to parse. Looking at one of the first hits we see there is what appears to be an internal fileshare:

files.magnumtempusfinancial.com

For purposes of this TH, let’s exclude this in the query. Since our initial hypothesis indicated that users would download and execute malicious documents downloaded from a malicious sender, we might not expect to see these files in an internal file share at first. It is possible, however, that files could be malicious and saved to the fileshare. Let’s take a look to see how many of our documents that use macros are on the internal fileshare:

index IN (zeek,sysmon) (.doc OR .xls OR .docx OR .xlsx) (TrustRecords) AND (files.magnumtempusfinancial.com)

Running this, we see 26 events that match this query:

Let’s compare with Excluding the fileshare from the results:

index IN (zeek,sysmon) (.doc OR .xls OR .docx OR .xlsx) (TrustRecords) AND NOT (files.magnumtempusfinancial.com)

22 events!

Here’s the first event that shows up:

Registry value set: RuleName: - EventType: SetValue UtcTime: 2022-02-12 21:12:25.454 ProcessGuid: 0522759F-229C-6208-B002-000000001002 ProcessId: 972 Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE TargetObject: HKU\S-1-5-21-2370586174-1517003462-1142029260-1129\SOFTWARE\Microsoft\Office\16.0\Word\Security\TrustedDocuments\TrustRecords%USERPROFILE%/Downloads/MagnumTempus-Policy-Violation-matt.tristique@magnumtempusfinancial.com.doc Details: Binary Data User: MAGNUMTEMPUS\matt.tristique

Based on the above we can see that a file was indeed executed according to the “Trusted Documents\TrustRecords” we saw in the SANS example of macro activity. This is a step in the right direction.

There were other users with similar activity, let’s take a look:

TargetObject: HKU\S-1-5-21-2370586174-1517003462-1142029260-1128\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords %USERPROFILE%/Desktop/MagnumTempus-Policy-Violation-karen.metuens@magnumtempusfinancial.com.doc TargetObject: HKU\S-1-5-21-2370586174-1517003462-1142029260-1126\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords %USERPROFILE%/Desktop/MagnumTempus-Policy-Violation-amanda.nuensis@magnumtempusfinancial.com.doc

All of the filetypes appear to be .doc and the filenames appear to be extremely formulaic and similar:

MagnumTempus-Policy-Violation-karen.metuens3@magnumtempusfinancial.com.doc

This is an interesting filename because it appears to include an email in the filename, which is NOT normal and could be a sign of a malicious file.

If we look at the bottom of the first entry, we see a workstation name (agent.hostname):

Let’s see if Splunk can show us more data. On the left side of the page, go to the “SELECTED FIELDS” section, then click on “agent.hostname”:

Matt’s hostname appears to be wkst03 - not many hits. wkst01 and wkst02 have a significantly higher number of entries, and this could signify additional activity.

Can we find the source of the files?

Let’s try to see what we can find with this filename in the logs. We have to create a new query:

index IN (zeek,sysmon) (MagnumTempus-Policy-Violation-)

When we run the query, we see additional users were targeted:

MagnumTempus-Policy-Violation-domi.nusvir@magnumtempusfinancial.com.doc MagnumTempus-Policy-Violation-celiste.pecunia@magnumtempusfinancial.com.doc

We also see where the file was downloaded from for one user, Matt Tristique:

File stream created: RuleName: technique_id=T1089,technique_name=Drive-by Compromise UtcTime: 2022-02-12 21:11:41.529 ProcessGuid: 0522759F-02B6-6208-A600-000000001002 ProcessId: 5616 Image: C:\Program Files\Mozilla Thunderbird\thunderbird.exe TargetFilename: C:\Users\matt.tristique\Downloads\MagnumTempus-Policy-Violation-matt.tristique@magnumtempusfinancial.com.doc:Zone.Identifier CreationUtcTime: 2022-02-12 21:11:40.731 Hash: SHA1=AE356A67D337AFA5933E3E679E84854DEEACE048,MD5=DCE5191790621B5E424478CA69C47F55,SHA256=86A3E68762720ABE870D1396794850220935115D3CCC8BB134FFA521244E3EF8,IMPHASH=00000000000000000000000000000000 Contents: [ZoneTransfer] ZoneId=3 HostUrl=about:internet
User: MAGNUMTEMPUS\matt.tristique

This entry is very intriguing:

RuleName: technique_id=T1089,technique_name=Drive-by Compromise

It appears that this file was detected as a Drive-by Compromise. This is not good. We might be able to surmise this is a malicious document based on this.

Who else downloaded the document?

Let’s see if any other users downloaded this file with ThunderBird:

index IN (zeek,sysmon) (MagnumTempus-Policy-Violation-) (thunderbird.exe)

From our search, it appears both Amanda and Karen downloaded the file via ThunderBird.

Interestingly enough, neither Amanda’s nor Karen’s entries signify that the file was detected as a Drive-by Compromise:

File created: RuleName: - UtcTime: 2022-02-12 21:11:24.552 ProcessGuid: 29C462BB-0EC0-6208-D000-000000001202 ProcessId: 3184 Image: C:\Program Files\Mozilla Thunderbird\thunderbird.exe TargetFilename: C:\Users\amanda.nuensis\Desktop\MagnumTempus-Policy-Violation-amanda.nuensis@magnumtempusfinancial.com.doc CreationUtcTime: 2022-02-12 21:11:24.552 User: MAGNUMTEMPUS\amanda.nuensis

File created: RuleName: - UtcTime: 2022-02-11 04:51:45.698 ProcessGuid: 444CBE19-EAF9-6205-E600-000000001302 ProcessId: 5552 Image: C:\Program Files\Mozilla Thunderbird\thunderbird.exe TargetFilename: C:\Users\karen.metuens\Desktop\MagnumTempus-Policy-Violation-karen.metuens@magnumtempusfinancial.com.doc CreationUtcTime: 2022-02-11 04:51:45.572 User: MAGNUMTEMPUS\karen.metuens

What does this mean?

Unfortunately, at least three of Magnum Tempus employees downloaded (and based on what we know about the registry changes involving “Trust Records” - successfully ran the malicious code) a malicious document laden with VBA Macro documents. At this point, it might be worth it to investigate further what has happened as a result of detonation of the intial malicious payload.

Are we done?

In theory, at this point we are done as we have fulfilled the initial hypothesis of determining that a user downloaded and executed the VBA Macro. While we have not necessarily confirmed that the macro code is indeed malicious, we would need to take additional steps to do this.

Can we find the initial email that contained the malicious document - and possibly the document itself and inspect the code?

Yes! However, we will need to use another tool, WireShark in order to extract information from the captured network traffic (PCAP File).

Threat Hunting and Investigation with WireShark

What is WireShark?

WireShark is a specialized tool for analyzing network data. We can review data flowing through the network in real-time, however in this specific case we will be reviewing a point-in-time capture of Magnum Tempus network traffic.

Locating the offending email in WireShark

Since we know what the filename, based on our searches above:

Let’s look at the filename:

MagnumTempus-Policy-Violation-karen.metuens@magnumtempusfinancial.com.doc

Since MagnumTempus is something that we might expect to see in other documents, let’s disregard this for the moment. The term “Policy-Violation-” stands out as something that might be unique in an organization. Taking this mindset, let’s use the following for our further search:

Policy-Violation-

Now let’s check to see if we can find this in WireShark:

Press control and F to bring up the search tool.

Change the first dropdown to “Packet Details” (1).
In the third dropdown change to “String” (2) In the text box, type the following (3):

Policy-Violation-

Press “Find”:

Let’s review what we see here:

1. Subject: [ACTION REQUIRED] INTERNAL IT POLICY VIOLATION

2. From: legal-internal@magnumtempus.financial

Time to dig deeper! Right click on this entry and go to “Follow” then click on “TCP Stream”:

A window will pop up with the network stream for this activity:

Scrolling down further we get to the content of the email itself. What makes this interesting is that perhaps the mail server was not properly configured, because we are able to see in clear-text over the network contents of an email. This has other security implications that we will not discuss here, but is important to note for future investigations.

We can see the content here:

The MagnumTempus Financial CERT and CyberSecurity team have noticed that you are one of the users - "karen.metuens@magnumtempus.financial", "amanda.nuensis@magnumtempus.financial", who have violated the company policy CCG-IV:5-8 on 2/7/2022, 8:48pm - EDT.

As mentioned in the yearly cybersecurity training and your employment agreement with MagnumTempus, the violation of IT policy may terminate your employment. 

Please review the attachment which includes the decision made by the MagnumTempus Legal team. Make sure to reply to this email within 72 hours of opening the document. 

Thank you, 
MagnumTempus Internal Legal Department 
(+1)969-555-5984
legal-internal@magnumtempus.financial 

Scrolling down further, we see there is an attachment:

A few notes about this screenshot:

1. The attachment is encoded, this one in Base64. Base64 is a common encoding algorythm that can be used to ‘encrypt’ documents to transmit.

2. The filename for the attachment matches what we expect to see, based on our findings in our Splunk investigations

3. This is the Base64 encoded data for the document.

This matches what we saw in our earlier Splunk queries. We might be able to extract the file data from WireShark to analyze further - an important thing to note from above is that the data is encoded in Base64:

NOTE: The below is a truncated version of the actual payload data for brevity purposes:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAJwAAAAAAAAAA
EAAAKQAAAAEAAAD+////AAAAACYAAAD/////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////s
pcEAWeAJBAAA8BK/AAAAAAAAEAAAAAAACAAAAQgAAA4AYmpiapDKkMoAAAAAAAAAAAAAAAAAAAAA
AAAJBBYALg4AAPKgDFzyoAxcAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAA
AAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAAAAAAAAAAAALcAAAAAADIHAAAAAAAAMgcAAKoU
AAAAAAAAqhQAAAAAAACqFAAAAAAAAKoUAAAAAAAAqhQAABQAAAAAAAAAAAAAAP////8AAAAAvhQA
AAAAAAC+FAAAAAAAAL4UAAAAAAAAvhQAAAwAAADKFAAADAAAAL4UAAAAAAAAtRcAADABAADWFAAA
AAAAAAAAAAAAAAAAAAAAAABFeHRlbmRlciBJbmZvXQ0KJkgwMDAwMDAwMT17MzgzMkQ2NDAtQ0Y5
MC0xMUNGLThFNDMtMDBBMEM5MTEwMDVBfTtWQkU7JkgwMDAwMDAwMA0KDQpbV29ya3NwYWNlXQ0K
VGhpc0RvY3VtZW50PTAsIDAsIDAsIDAsIEMNCk5ld01hY3Jvcz0tMTYsIDY0LCAxNDI5LCA1ODgs
IA0KAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAP7/AwoAAP////8GCQIAAAAA
AMAAAAAAAABGIAAAAE1pY3Jvc29mdCBXb3JkIDk3LTIwMDMgRG9jdW1lbnQACgAAAE1TV29yZERv
YwAQAAAAV29yZC5Eb2N1bWVudC44APQ5snEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA==

We can then take the data we’ve copied and then use a tool like CyberChef to convert from Base64 to somewhat human-readable text:

Scrolling down, we can see data inside the converted code that indicates it’s a Microsoft Document:

Further down the code, we see proof of Visual Basic for Application Macros:

Then, with the assistance of MOVIE MAGIC (I made that up), we are able to reassemble the malicious document to see there are macros with obfuscation:

If we look at the Macro above - there are a few important parts that stick out:

1. This is set to automatically run the “test” function/macro on document open.

2. This is also set to automatically run the “test” function.

3. This macro is heavily encoded, perhaps to hide the true intent behind the function?

This is DEFINITELY NOT GOOD

There should be no reason for this level of encoding for a document of this nature.

At this point, it may be a good spot to pass this to the next team to begin their steps.

THREAT HUNTER TEMPLATE

Playbook Title: Detecting Enterprise Macro Activity from Emails

Mitre Tactic: T1566, Phishing

Mitre Sub Technique: T1566.001, Spearphishing Attachment

Hypothesis: Employees are targeted with malicious documents with VBA Macro Code and 
some employees will open the documents and detonate the payload

Proposed Detection Query: index IN (zeek,sysmon) (.doc OR .xls OR .docx OR .xlsx) (TrustRecords)
AND NOT (files.magnumtempusfinancial.com)

Simulation Details: NONE

Hunter Limitations/Observation Notes: During several portions of the hunt, we discovered that there 
were log sources (sysmon) that were not properly parsed, which made finding details difficult. If we had these 
parsed properly, we may have found it easier to get some of the data.

Hunt Findings: Three users downloaded the malicious document, two users appear to have
been affected by the payload.

On the eve before I issue final exams for my students in my class, I’m taking some time to reflect on lessons learned as a first-time instructor:

1. Some say the best way for you to learn something is to teach someone else

This is true. There are many concepts that I might not have understood (as my normal day-to-day work does not deal directly with it) but I was able to gain insight into these topics to a degree that I feel far more comfortable discussing them.

2. You know far more than you think you know

One of my biggest hurdles in actually accepting the opportunity to teach was being worried about the fact that I wouldn’t have enough material to cover the time allotted for the class. Fortunately/Unfortunately, I learned that this was not the case, and I ended up getting to a point to where I had too much material and not enough time to cover everything I wanted to.

3. Students will surprise you in surprising ways

I know I have a passion for information security, and in some sense education. Working in information security, you will learn that what you consider a priority will not always match in priority with others within the business. This is true as well when dealing with students in an academic setting. I have had students ask me about scenarios related to their employment: ways to get management to buy into implementing better security. I’ve had students give bare minimum, but far more give above and beyond.

4. Be EXTREMELY CLEAR in your expectations of students and try to not leave too much up to interpretation.

I’ve learned a few things this semester from students. Students will wait until the last minute to turn something in. Whether or not you accept it is another question. Students will ask what types of questions will be on exams - this one took me by surprise: I just presumed you prepared by understanding the material, not the type/method of exam.

5. It’s easy to drone on about boring topics, so change it up!

Yes, we need the basics before diving into deeper topics, but one key thought I now have is to incorporate demonstrations for different things I’m teaching. If I had the ability to redo this semester, I would incorporate much more of the hands-on - my students really, REALLY seemed to enjoy this aspect.

6. You don’t have to know EVERYTHING

One thing I know is that I don’t know everything. It’s okay to admit you don’t know something, but be willing to work to find an answer. I had several questions that stumped me, but I was able to find the answers and get the information to the students Final Notes

All in all, it was definitely an amazing experience and one that has opened my eyes to further teaching in this industry. I’m looking forward to my next opportunity to share my knowledge with others.

Connections

Thank you for taking the time out of your daily life to read this. If any of this resonates with you, I encourage you to reach out and connect with me:

• Website: https://www.ilovesec.com

• BlueSky: https://bsky.app/profile/ilovesec.com

• Mastodon: https://infosec.exchange/@Samunoske

• Github: https://github.com/samunoske

• LinkedIn: https://www.linkedin.com/in/thejoshuamorgan

What is your passion? I have been asked this question so many times. So many times I’ve replied with the most obvious choice for me - technology. While this is somewhat true, it doesn’t tell the whole story. Well, at least my whole story.

My first passion that I can remember was writing. When I was younger, I had planned to become a writer. I wrote all the time: poetry, short stories, fiction. I was certain I would become a professional writer sometime. Along the way through my life the plans shifted and took me down another path towards the technology world and another passion.

Computers made complete sense to me. I could figure things out quickly and help others to be better with computers. Could this be my calling? I loved working with computers and from Middle School through High School, I found myself as the go-to for all problems computer or tech related. I loved it. I get to mess with computers all the time and help others - what an awesome thing. Teachers would ask me for help with new gadgets and computer programs. What I didn’t realize is that while cultivating my love for technology, I was cultivating my ultimate passion: helping others.

It is important to realize that being able to pursue your passion can help to make your life more fulfilling. Easier said than done, I know. Find a way to incorporate your passion into what you do day-to-day. If it’s writing, write a little bit each day. If it’s gardening, plant a garden. If it’s photography, go take awesome photos. Hiking? Go hike. I’m lucky that I get to work in some capacity every day to help at least one person. I get to think outside the box to get something accomplished. At the end of the day, I get to teach others about my passions: helping others and technology.

Now that I’ve finished my Degree path, I can now try to combine the two passions with my original passion, writing and my newest passion: security.

So, I ask you: What is your passion - and what can you do to cultivate it?

Connections

Thank you for taking the time out of your daily life to read this. If any of this resonates with you, I encourage you to reach out and connect with me:

• Website: https://www.ilovesec.com

• BlueSky: https://bsky.app/profile/ilovesec.com

• Mastodon: https://infosec.exchange/@Samunoske

• Github: https://github.com/samunoske

• LinkedIn: https://www.linkedin.com/in/thejoshuamorgan