I have been working in Cyber Security for 8 years. I spent 7 years in the Army working as a Cyber Operations Specialist. I have worked on real life and training missions defending different types of networks. I also have a B.S. degree in Networking and Cyber Security. I recognize the importance of cyber security and defending enterprise networks and critical infrastructure from constant cyber-attacks. I now create defensive content to help train other cyber security operators.

Ask me anything about:

• Cyber Security

• Defensive cyber training

PROOF: https://imgur.com/a/ZveTl5O

EDIT: I am signing off now, but I will answer as much as possible, so feel free to add more questions. Thanks for all the support. Keep on keepin on!

Comments: 79 • Responses: 25

dissonance79 (7 karma)

Where’s the best place to start as someone who has an IT background, but wants to move into SecOps?

What classes (online) or literature do you suggest?

Offsec_Community (11 karma)

A background in IT is a great start already and an easy transfer that a lot of people do. My biggest advice is to start getting hands-on experience. There are a lot of books out there but just reading can only get you so far. Offsec has our SOC200 training out, with the exam that will be coming out as well. We also have challenge labs with a play button that launches an entire attack against a network and the student has to find it in the host logs. Tryhackme is also a good resource for hands-on stuff as well. CTFs are a fun way to get some experience and hands-on skills, like PicoCTF. Getting some security certifications will help make that switch too.

dissonance79 (3 karma)

I’ve been working through TryHackMe and several Udemy courses. I have a thing where I don’t want to be dead weight on a team.

Thank you for your insight and I will absolutely look up your program Gabe!!!

Offsec_Community (5 karma)

Do not worry about being dead weight. I will always choose an analyst who is trying to get better and has a good work ethic over someone who knows a lot and does not try to get better.

JamesBaxter_Horse (6 karma)

What is your opinion on artificial intelligence in cyber security? Especially in regards to behavior-based detection systems, for example in fending off zero-day attacks.

Offsec_Community (3 karma)

I have heard a lot of people talking about how that is the future, and someone even said that security analysts will be a thing of the past. I disagree with that. I do not think AI will take the place of a person. Well, at least for a long time. There are a lot of tools that classify network traffic and logs and create a baseline of what is going on, and hackers still get past that stuff. It will help for sure, but every time security tools get better, hackers get better. It just never ends.

PeanutSalsa (6 karma)

What are the most common ways hackers get into networks? Are there a lot of different methods for them to get into networks? What are some of the less common ways?

Offsec_Community (10 karma)

There are a ton of ways for hackers to get into a network. The biggest security risk is people. You can have all the right security measures in place and someone will mess all that up. Email or phishing attacks are huge. An attacker sends an email with malware attached and then a user clicks on it to get all their free iTunes music and boom, the attacker has a foothold in the network. Social engineering is a big way for attackers to compromise a network.

Web attacks are huge too. Mismanaged websites and applications are always a way to get into a network. https://owasp.org/www-project-top-ten/ has a list of the top 10 web application security risks that they keep updated and is a great source for that.

A less common way is probably like the movies show a hacker just reinforcing their way into a network.

LaserHD (5 karma)

What are some warning signs that an undetected attacker would be attempting to escalate privileges on a machine?

Thanks for the ama!

Offsec_Community (10 karma)

That is a tough question haha because that can be a lot of different things depending on what technique they are using. For a general answer I would say looking for "weirdness" on the network. I always say most of a SOC analyst's job is verifying "good" things. Lots of things will look weird on the network and you dig in and find it's something normal. So I would be looking for things a normal user would not be doing. Things like running commands that are not necessarily bad but could be used in a bad way that a normal user would not be doing. Trying to access things on the system a normal user does not need to access. Those types of things.
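One way to turn "things a normal user would not be doing" into a concrete check is to build a per-user baseline of which executables each account launches, then alert when an account runs something outside its baseline, with higher severity when the new executable is a legitimate admin tool that ordinary users rarely need. The code below is an added example and not part of the AMA or of any OffSec material; the key=value process-creation log format, the usernames and the dual-use tool list are all constructed for illustration (a real source would be something like Sysmon process-creation events or auditd execve records).

```python
import re
from collections import defaultdict

# Simplified, constructed process-creation event format (not a real product's log).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+)$"
)

# Legitimate administrative / discovery tools that an ordinary user rarely has a
# reason to launch. Constructed watchlist; tune it to your own environment.
DUAL_USE_TOOLS = {
    "whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe",
    "reg.exe", "sc.exe", "tasklist.exe",
}

# Constructed "known good" week of activity used to build the baseline.
BASELINE_LOG = """\
2024-05-01T09:01:10 host=WS01 user=alice image=outlook.exe
2024-05-01T09:03:42 host=WS01 user=alice image=EXCEL.EXE
2024-05-01T09:10:05 host=WS01 user=alice image=chrome.exe
2024-05-01T09:12:00 host=WS02 user=bob image=teams.exe
2024-05-01T09:15:31 host=WS02 user=bob image=chrome.exe
2024-05-01T09:20:14 host=WS02 user=bob image=winword.exe
2024-05-01T09:30:00 host=SRV01 user=ops-admin image=powershell.exe
2024-05-01T09:31:12 host=SRV01 user=ops-admin image=net.exe
2024-05-01T09:31:40 host=SRV01 user=ops-admin image=whoami.exe
"""

# Constructed events from a later day that the analyst is reviewing.
NEW_LOG = """\
2024-05-08T10:00:03 host=WS01 user=alice image=chrome.exe
2024-05-08T10:00:41 host=WS01 user=alice image=whoami.exe
2024-05-08T10:00:52 host=WS01 user=alice image=net.exe
2024-05-08T10:05:17 host=WS02 user=bob image=notepad.exe
2024-05-08T10:07:00 host=WS09 user=svc-backup image=powershell.exe
2024-05-08T10:09:30 host=SRV01 user=ops-admin image=net.exe
"""


def parse_events(text):
    """Parse the constructed key=value lines into dicts; image names are lowercased."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event: {line!r}")
        ev = m.groupdict()
        ev["image"] = ev["image"].lower()
        events.append(ev)
    return events


def build_baseline(events):
    """Map each user to the set of executables seen during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["user"]].add(ev["image"])
    return dict(baseline)


def _alert(ev, severity, reason):
    return {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "image": ev["image"], "severity": severity, "reason": reason}


def score_events(events, baseline):
    """Return alerts for activity that falls outside each user's baseline.

    Events that match the baseline produce nothing: most of the analyst's
    work is confirming that 'weird' things are actually normal, so the
    baseline is what lets us skip the known-good bulk.
    """
    alerts = []
    for ev in events:
        user, image = ev["user"], ev["image"]
        if user not in baseline:
            # An account with no history at all running anything is worth a look.
            alerts.append(_alert(ev, "high", "account has no activity in the baseline window"))
            continue
        if image in baseline[user]:
            continue
        if image in DUAL_USE_TOOLS:
            alerts.append(_alert(ev, "high", "dual-use admin tool never run by this user before"))
        else:
            alerts.append(_alert(ev, "low", "new executable for this user"))
    return alerts


def run_demo():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return score_events(parse_events(NEW_LOG), baseline)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['severity']:4}] {a['ts']} {a['host']} {a['user']} ran {a['image']}: {a['reason']}")
```

In the constructed data the admin account running net.exe is silent because that is its normal work, while the same tool launched by a regular desktop user is flagged high; the point is that the verdict depends on who is doing it, not on the executable alone.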

kee80 (4 karma)

What, in your opinion, is the single best thing a person can do to protect themselves online? Thank you!

Offsec_Community (4 karma)

That is a tough question. I would say improve your knowledge about the threats out there. People are the biggest security risk. You can have all the security features you want, but a person can make those useless. Be aware of how hackers are operating these days. Like text messages are big now saying it is your bank and you need to click a link. Just be aware of those types of things.

itspeterj (3 karma)

Not OP, but Multifactor Authentication is a huge way to protect yourself. Put it on everything you can. If attackers gain your usernames and passwords from data breaches, MFA can prevent them from getting into your accounts. Also, don't use the same passwords on multiple sites because if somebody hacks LinkedIn (for example) and gets your password, you can bet they'll try to see what else they can access with those credentials.

Offsec_Community (2 karma)

Great advice. That all comes back to people being well informed and nonweldable. Some people do not even think about what you just said. Great advice, thank you!

maxipontifex (3 karma)

Why does Offensive Security need a Defense Developer?

Offsec_Community (2 karma)

Great question. We are creating more defensive training. We have a SOC200 course that is out and the OSDA (Offensive Security Defense Analyst) exam coming out soon. The best security analyst is a well-rounded one that can have a defensive and offensive mindset. You cannot have defense training if there is no one to play the offensive part, so creating defense training just makes sense.

We also have defense challenge labs too. The student has access to an ELK SIEM with a working network that starts up. The student presses a play button and a full network attack from initial compromise to the end of the attack happens, and the student has to find what happened in the logs. Having a hacker at your fingertips basically so analysts can train on "hunting" is great training.

Ok commercial over!

tierneyb (3 karma)

Do/did you do any work in misinformation campaigns? It seems countries like Russia do this very well. Curious how often Americans are purposely duped for efforts related to warfare.

Offsec_Community (4 karma)

I did not work in any of that, but I did volunteer to do that; it just never happened. I thought it would have been a lot of fun though. There is a lot of misinformation happening when it comes to warfare and the U.S. is a huge target. The use of misinformation is not a new thing either. It has been happening for a long time. It is just easier now with the internet. If you can make the enemy confused then you have a big advantage.

MadDany94 (3 karma)

What is your opinion on scam callers? And how do you think the government should battle them?

Offsec_Community (5 karma)

I think about this a lot since I get scam calls a lot. What some people do not know is that answering these can cause more calls to happen. Some scam calls are just being sent to random numbers to just see if it is even a real number. Then they see it is real and keep calling. So it is best to never answer.

There does need to be some sort of regulation when it comes to this. It is hard to regulate though, because often these scam calls come from outside the U.S. and that makes it tough to enforce any real consequences. I do not have a solution (if I did I would probably be rich), but maybe regulating the cell phone companies so they actually put real blocks in place. They are probably in the best place to do something about all these calls, so if they have a real incentive put in place by regulations then they might spend real time trying to solve the problem (this could be a thing already, but I am not sure to be honest).

itspeterj (2 karma)

Hi Gage, I'm a big fan of the Offensive Security training materials you put out there, but they can be very difficult to figure out in terms of what to do for labs and the proving grounds. I know the OffSec motto is "try harder" and I'm a big believer in that, but has there been any discussion about making some of the lab boxes a bit more straight forward?

Offsec_Community (2 karma)

I do not work on the team that does the Proving Grounds work, so I am not sure if they are having that discussion. The Offsec Discord is a great place to bring those issues up and get some answers. I can also pass that message along to them, and if you have some more specific input on that let me know and I will pass that along.

I will say that for Proving Grounds I think the idea is to not have much to go on. Just like in the real world for a hacker. They do not get any inside tips or help most of the time. They might just start with a website or an IP address, just like in Proving Grounds, and from there they work on finding out as much as they can about what services are running, vulnerabilities, etc.

If the issue is not that and something else, then we are always open to making the student experience better any way we can.

xomdlynn (2 karma)

What's the scariest cyber attack you've dealt with?

Offsec_Community (3 karma)

I cannot get into details because of the classification. I will say the scariest attack is one that happened at a very, very important facility and it was not hard for the attacker to get into that network. It was a network that should have been harder to attack, but it was sooo easy for them.

Flare_Starchild (2 karma)

I always wonder how many of these Stargate-style world altering scenarios have been averted by specialists like you but no one will ever know about because of the classifications of them.

Thank you for your service to the world.

Offsec_Community (2 karma)

You would be surprised how boring having a clearance can actually be. It is not as exciting as the movies make it out to be. I dealt with a couple of cool things here and there.

Not sure if I helped the world but I will keep at it! Thank you!

SplitDiamond (2 karma)

What's a recommendation for online resources for someone who wants to get into Cyber Security? Things like Tryhackme, Cybrary, etc?

I was in the Army as well and have spent a few years working physical security. Looking back I regret the time I told my recruiter I wasn't interested in IT work haha

Offsec_Community (4 karma)

I obviously recommend Offsec for training. We have a lot of hands-on stuff and a lot of good defensive training going on right now. Tryhackme is a good resource as well. I have used that.

For some good fundamental training, https://overthewire.org/wargames/bandit/ and Under the Wire are great. They help build command line skills, which are very important. They are free as well.

We probably all have something we regret like that from our time in the Army haha, but it's never too late to get in the game. I was 25 working as a motorcycle mechanic when I joined the Army and started in cyber security.

avvstin (2 karma)

I will soon be graduating with an AAS in Networking Technology and an AAS in Cybersecurity. I plan to get a CCNA cert and a Security+ cert as well. I have a bit over a year of experience as an operations coordinator at a large shipping company.

Most jobs, even ones claiming to be entry level, seem to require multiple years of IT experience. Is this actually required for most entry level jobs or as long as I demonstrate I have the skills should my current skill set be good enough to get an entry level job to start gaining experience? I'd really prefer to get a job in Cyber Security after my AAS instead of going for my B.S. right now, is this realistic?

Thank you btw!

Offsec_Community (3 karma)

That is a problem in the industry. A lot of entry-level jobs then say "requires 5 years experience." The market is very demanding right now. There are a lot of jobs out there, but a lot of people too trying to get those jobs.

If you have basic skills then you should be good for an entry-level position. I think a good attitude and showing you are trying to learn more goes a long way. You might not get the exact job you want right away, but do not be afraid to take something not ideal to build that experience.

Having more certs does help, but you need to be able to show that knowledge as well. Like I said in another post, I was a motorcycle mechanic before and I made the switch. Do not be afraid to go for it.

mibjt (1 karma)

Do you have a single daily driver operating system that you use everyday or a variety?

Offsec_Community (2 karma)

I use Windows 11 at the moment. I always have virtual machines running though with a Linux system going. I use both Windows and Linux to get work done. I know a lot of people use Mac as their OS on their laptop and then run VMs with Windows and Linux going.

PeanutSalsa (1 karma)

Does Reddit, or social media platforms in general, have safeguards in place to stop users from posting malicious links on their platforms?

Offsec_Community (3 karma)

> Does Reddit, or social media platforms in general, have safeguards in place to stop users from posting malicious links on their platforms

I am not sure to be honest. Not any that I have heard of though. I feel like it would be tough to handle because of the volume of links that are getting posted to the platforms. I could be wrong though.

geoloshit (1 karma)

What did you score on your Sec+ exam?

Offsec_Community (2 karma)

Haha, I honestly do not remember. It was a passing score though.

ottoe57 (1 karma)

Thank you for doing this AMA.

What are your thoughts on SIEM technologies? There doesn't seem to be a single security professional that loves their SIEM. They are noisy. They are overly complicated. They are expensive. They require more care and feeding than a newborn. Are they only a necessary evil? Or do they really provide value?

Offsec_Community (1 karma)

Great question. Some SIEMs are the worst and some are great. I like Splunk a lot because it is easy to use. I think it is something that is needed in an enterprise network. They are as good as you set them up to be. A lot of places just send logs to their SIEM and that's it. They do not tune their logs or anything. You have to spend time making it work correctly. You have to spend the time making worthwhile alerts and dashboards. When we would deploy to a network, the first thing we would do is fine-tune our SIEM. Making sure the correct logs are going in and not just all the logs.

Long answer short, they are as good as you let them work. Spend the time to tune them and make them work well for your organization.

kieppie (1 karma)

Why the correlation between lusciousness of a UNIX beard and other facial hair & mad 1337 h4x0r sKiLlZ?

Offsec_Community (2 karma)

full beard == mad 1337 h4x0r sKiLlZ

MustySphere (1 karma)

What’s my best bet to get into cyber security with no prior qualifications? I’ve always loved technology, built computers, repaired phones and have always wanted to get into cyber security for lack of better word, the security. Any tips? Many thanks.

Offsec_Community (2 karma)

Getting some certifications will help get your foot in the door. You can always go after some IT/helpdesk positions. They are not security, but they are good for getting experience and pivoting over to security.

Also, there are a lot of smaller cyber security companies, and also hospitals, law firms, things like that, that have security positions where it may be easier to get a job in security.

The certifications will help get their attention, and then do some training on your own to build some knowledge.

TheCapnRedbeard (1 karma)

I’m planning to take a non-degree certificate course for cyber security. Is it worth it? Will I be able to find good jobs, or will they expect a Bachelor's in the field?

Offsec_Community (3 karma)

Lots of positions I have seen list qualifications like "5 years experience with degree or 8 years experience with no degree". It makes it harder because you need more experience, but you can get into the field without a degree.

Obviously it helps to have a degree, but I have worked with some super smart people who never got a degree and can run circles around me on the keyboard.

Cactusonahill (1 karma)

Just a couple of questions:

  1. How did you get into the field?
  2. What's the work like in the cyber security field (what are the core elements of the job)?

Offsec_Community (3 karma)

  1. I started in cyber security in the Army. I was on a cyber protection team and we deployed to different areas where a cyber attack had occurred. I was actually a motorcycle mechanic and wanted to make a switch.
  2. The work is fun and challenging. There is always something to learn and it never ends. For a SOC analyst, for example, they spend a lot of time looking at a SIEM and looking at alerts hoping to find "the bad things". We would spend a lot of time working on tools to make our work easier and make it easier to find cyber attacks. Also, we did a lot of practicing and exercises, because if you do not have a cyber attack it's hard to get better at finding one.

hagcel (1 karma)

Hey man, keep up the good work. I'm in the same role for the DiB.

My question, why does this role make us all grow long beards?

Offsec_Community (2 karma)

Haha, shaving in the Army for 7 years made me want a long beard, but a keyboard must have some sort of electromagnetic hair pull that makes the beard grow down.

PeanutSalsa (1 karma)

If a hacker sends a malicious link and someone clicks on it, can the hacker access the person's network upon them clicking on it? Are only copying and pasting full web address links or clicking links which you fully trust the best way to avoid clicking on malicious links? Any other suggestions?

Offsec_Community (2 karma)

There are different ways this can happen. The link may bring the user to a malicious site hosted by the attacker and then malware is automatically downloaded. Networks may have security measures put in place to help stop this, but they also may not.

When things like that are initiated from inside the network it can bypass security measures, because users still need to visit websites and download things. You cannot just stop normal use.

Once the malware is downloaded it might make a connection back to the attacker so they can access the network. It could be a worm that does not need human interaction and spreads itself through the network. Lots of things like that can happen.

There is no foolproof way to avoid links. You can be cautious though. Look at the full picture. Did the link come from an unknown email? Or an email from the organization, but it is worded weird, e.g. "Hey friend co worker of mine! Good days to you and yours. Please click link for the fun I talked about".

VirusTotal is a good website to use. You can paste the URL on the site and they will give you a score on how malicious it is and if it is known to be malicious. That is always helpful for a quick check.