├── README.md
└── interview-study-notes-for-security-engineering.md


/README.md:
--------------------------------------------------------------------------------
 1 | # Security Engineering at Google: My Interview Study Notes
 2 | ## By [nolang](https://twitter.com/__nolang)
 3 | 
 4 | I am a security engineer at Google and these are the notes from when I was studying for the interviews. This is my first job in security and a lot of people have asked me how I studied. My notes consist mostly of a list of terms and technologies to learn, plus little tidbits that helped me remember certain details. I've included interview tips and study strategies which are just as important as knowing what topics to study.
 5 | 
 6 | I occasionally update the notes to include more topics. There are many, many topics and terms in the list. Think carefully about the role you are applying for and target your study towards that. No one expects you to be an expert in everything.
 7 | 
 8 | **If you are less confident at coding:** 
 9 | Spend more time writing small scripts and studying features of your preferred language. Coding is essential (even if you don't like it or you don't use it much in your current role). I have a section on coding in this list.
10 | 
11 | **If you are less confident at security topics:** 
12 | I recommend doing a lot of reading and whenever you come across a term you are unfamiliar with or couldn't easily explain, then add it to the list. 
13 | 
14 | ### 5 Years Later [Update]
15 | I've been at Google for few years now and I have been delighted to learn of how many people have used these notes! Not just to get offers from Google but to get their first jobs in this industry, or to change focus area. I love hearing these stories! 
16 | 
17 | Since joining I have also learned what keeps most people from getting through the Google Security Engineering interview process. **The number one reason why a candidate misses out on an offer is because they struggle with the coding questions.**
18 | 
19 | I have two things to say on this:
20 | 1. **Improving coding skills takes a lot of practice.** Be sure to allow yourself enough time for it, including allowing time to be frustrated, to procrastinate, to iterate on your ideas, and to get help from others. Look for ways to make it fun or motivating - there are tedius repetitive tasks everywhere just waiting to be automated. 
21 | 2. **It is completely normal and acceptable to interview again** (many times, in fact!). Hiring managers love to see how someone has grown their skills over time.
22 | 
23 | If you are someone who didn't get an offer because you weren't confident in some areas, but you still believe that it would be a good role/company for you, take some time to build confidence in those areas and try again. 
24 | 
25 | Finally, pull requests are welcome! Thank you to those who have made contributions and are helping to keep the list up to date.
26 | 
27 | ### Contents
28 | - [Learning Tips](interview-study-notes-for-security-engineering.md#learning-tips)
29 | - [Interviewing Tips](interview-study-notes-for-security-engineering.md#interviewing-tips)
30 | - [Networking](interview-study-notes-for-security-engineering.md#networking)
31 | - [Web Application](interview-study-notes-for-security-engineering.md#web-application)
32 | - [Infrastructure (Prod / Cloud) Virtualisation](interview-study-notes-for-security-engineering.md#infrastructure-prod--cloud-virtualisation)
33 | - [OS Implementation and Systems](interview-study-notes-for-security-engineering.md#os-implementation-and-systems)
34 | - [Mitigations](interview-study-notes-for-security-engineering.md#mitigations)
35 | - [Cryptography, Authentication, Identity](interview-study-notes-for-security-engineering.md#cryptography-authentication-identity)
36 | - [Malware & Reversing](interview-study-notes-for-security-engineering.md#malware--reversing)
37 | - [Exploits](interview-study-notes-for-security-engineering.md#exploits)
38 | - [Attack Structure](interview-study-notes-for-security-engineering.md#attack-structure)
39 | - [Threat Modeling](interview-study-notes-for-security-engineering.md#threat-modeling)
40 | - [Detection](interview-study-notes-for-security-engineering.md#detection)
41 | - [Digital Forensics](interview-study-notes-for-security-engineering.md#digital-forensics)
42 | - [Incident Management](interview-study-notes-for-security-engineering.md#incident-management)
43 | - [Coding & Algorithms](interview-study-notes-for-security-engineering.md#coding--algorithms)
44 | - [Security Themed Coding Challenges](interview-study-notes-for-security-engineering.md#security-themed-coding-challenges)
45 | 


--------------------------------------------------------------------------------
/interview-study-notes-for-security-engineering.md:
--------------------------------------------------------------------------------
  1 | # Security Engineering at Google: My Interview Study Notes
  2 | ## By [nolang](https://twitter.com/__nolang)
  3 | 
  4 | ### Contents
  5 | - [README](README.md)
  6 | - [Learning Tips](#learning-tips)
  7 | - [Interviewing Tips](#interviewing-tips)
  8 | - [Networking](#networking)
  9 | - [Web Application](#web-application)
 10 | - [Infrastructure (Prod / Cloud) Virtualisation](#infrastructure-prod--cloud-virtualisation)
 11 | - [OS Implementation and Systems](#os-implementation-and-systems)
 12 | - [Mitigations](#mitigations)
 13 | - [Cryptography, Authentication, Identity](#cryptography-authentication-identity)
 14 | - [Malware & Reversing](#malware--reversing)
 15 | - [Exploits](#exploits)
 16 | - [Attack Structure](#attack-structure)
 17 | - [Threat Modeling](#threat-modeling)
 18 | - [Detection](#detection)
 19 | - [Digital Forensics](#digital-forensics)
 20 | - [Incident Management](#incident-management)
 21 | - [Coding & Algorithms](#coding--algorithms)
 22 | - [Security Themed Coding Challenges](#security-themed-coding-challenges)
 23 | 
 24 | # Background
 25 | 
 26 | Where did these notes come from? See the [README](README.md).
 27 | 
 28 | # Learning Tips 
 29 | 
 30 | - [Learning How To Learn](https://www.coursera.org/learn/learning-how-to-learn) course on Coursera is amazing and very useful. Take the full course, or read this [summary](https://medium.com/learn-love-code/learnings-from-learning-how-to-learn-19d149920dc4) on Medium.
 31 | 
 32 | - **Track concepts - "To learn", "Revising", "Done"**
 33 | 	- Any terms I couldn't easily explain went on to post-its. 
 34 | 	- One term per post-it. 
 35 | 	- "To learn", "Revising", "Done" was written on my whiteboard and I moved my post-its between these categories, I attended to this every few days.
 36 | 	- I looked up terms everyday, and I practiced recalling terms and explaining them to myself every time I remembered I had these interviews coming up (frequently).
 37 | 	- I focused on the most difficult topics first before moving onto easier topics.
 38 | 	- I carried around a notebook and wrote down terms and explanations. 
 39 | 	- Using paper reduces distractions.
 40 | 
 41 | - **How to review concepts**
 42 | 	- Use spaced-repetition.
 43 | 	- Don't immediately look up the answer, EVEN IF you have never seen the term before. Ask yourself what the term means. Guess the answer. Then look it up.
 44 | 	- Review terms *all the time*. You can review items in your head at any time. If I was struggling to fall asleep, I'd go through terms in my head and explained them to myself. 100% success rate of falling asleep in less than 10 minutes, works every time. 
 45 | 
 46 | - **Target your learning**
 47 | 	- Think *hard* about what specific team you are going for, what skills do they want? If you aren't sure, then ask someone who will definitely know.
 48 | 	- Always focus on the areas you struggle with the most *first* in a study session. Then move on to easier or more familiar topics. 
 49 | 
 50 | - **Identify what you need to work on** 
 51 | 	- Spend more time doing the difficult things.
 52 | 	- If you're weak on coding and you find yourself avoiding it, then spend most of your study time doing that.
 53 | 
 54 | - **Read**
 55 | 	- Read relevant books (you don't have to read back to back).
 56 | 	- When looking up things online, avoid going more than two referral links deep - this will save you from browser tab hell.
 57 | 
 58 | - **Mental health**
 59 | 	- Take care of your basic needs first - sleep, eat well, drink water, gentle exercise. You know yourself, so do what's best for you.
 60 | 	- You are more than your economic output, remember to separate your self worth from your paycheque. 
 61 | 	- See interviews for what they are - they are *not* a measure of you being "good enough".
 62 | 
 63 | 
 64 | # Interviewing Tips 
 65 | 
 66 | - **Interview questions**
 67 | 	- Interview questions are intentionally vague. This is to encourage questions.
 68 | 	- Ask clarifying questions 
 69 | 	- Questions reveal how you approach problems.
 70 | 	- Write down notes about the question. This is so you don't forget details and only partially answer, or give the wrong answer.
 71 | 	- Interviews should be more like a conversation with a lot of back and forth, thoroughly explore scenarios together and avoid jumping too fast to a solution.
 72 | 	- The interviewer can only make an evaluation on your suitability for the job based on the things you *say*. 
 73 | 	- **Interviewers test depth of knowledge**
 74 | 		- There will be questions about technical details on topics to the point where it'll be hard to answer. This is okay, try your best to work through it and say what you're thinking.
 75 | 		- Interviewers often aren't looking for specific answers, they just want to see how deeply you know a topic.
 76 | 		- Approach the question from a low level and even ask your interviewer if you need to add more details before moving on.
 77 | 	- **Interviewers test breadth of knowledge**
 78 | 		- There will be questions related to the role you're applying for and some that aren't. This is to explore breadth of knowledge. 
 79 | 		- Try your best to explore the scenarios and ask questions. It's very important to say your thinking aloud, you might be on the right track.
 80 | 
 81 | - **Show comprehension**
 82 | 	- Try to always ask clarifying questions even if you think you already know the answer. You might learn some nuance that even improves your idea.
 83 | 	- Always repeat the question back to the interviewer to both check your understanding and give yourself thinking time.
 84 | 	- *"Okay, I'll repeat back the question so I can check my understanding…"*
 85 | 	- *"Just to clarify…"*
 86 | 	- *"I just want to check I heard correctly…"*
 87 | 	
 88 | - **State your assumptions**
 89 | 	- Your interviewer will provide feedback if your assumptions are unreasonable.
 90 | 	- *"I am going to assume that the organisation is collecting x,y,z logs from hosts and storing these for at least 90 days…"* 
 91 | 	- *"Can I make the assumption that…?"*
 92 | 	- *"Let's say that we can get x,y,z information…"*
 93 | 
 94 | - **When asked a question you're not sure of the answer to right away, try these phrases:**
 95 | 	- *"I don't know but if I had to invent it, it would be like this…"*
 96 | 	- *"I don't know that exactly but I know something about a similar subject / sub component…"*
 97 | 	- *"This is what's popping into my mind right now is…"*
 98 | 	- *"The only thing that is coming to mind is…"* 
 99 | 	- *"I know a lot about [similar thing], I could talk about that instead? Would that be okay?"*
100 | 
101 | - **Say what you are thinking**
102 | 	- The interviewer can only make an evaluation on your suitability for the job based on the things you *say*. 
103 | 	- If you don't say your thought process aloud, then the interviewer doesn't know what you know. 
104 | 	- You may well be on the right track with an answer. You'll be kicking yourself afterwards if you later realise you were but didn't say anything (I missed out on an internship because of this!).
105 | 	- Write pseudo code for your coding solution so you don't have to hold everything in your head.
106 | 	- *"Right now I am thinking about…"*
107 | 	- *"I am thinking about different approaches, for example…"*
108 | 	- *"I keep coming back to [subject/idea/thing] but I think that's not the right direction. I am thinking about…"*
109 | 	- *"I'm interested in this idea that…"*
110 | 
111 | - **Reduce cognitive load**
112 | 	- Take notes on the question and assumptions during the interview.
113 | 	- If the infrastructure is complicated, draw up what you think it looks like. 
114 | 	- Write pseudocode. 
115 | 	- Write tests and expected output for code you write, test your code against it. 
116 | 
117 | - **Prepare**
118 | 	- Make a checklist that reminds you of what to do for each question, something like:
119 | 		- Listen to interview question
120 | 		- Take notes on the question
121 | 		- Repeat the question
122 | 		- Ask clarifying questions
123 | 		- State any assumptions
124 | 	- Prepare questions that you want to ask your interviewers at the end of the interview so you don't need to think of them on the spot on the day. Since an interview is also for you to know more about the workplace, I asked questions about the worst parts of the job. 
125 | 	- Bring some small snacks in a box or container that isn't noisy and distracting. A little bit of sugar throughout the interviews can help your problem solving abilities. 
126 | 	- Stay hydrated - and take a toilet break between every interview if you need to (it's good to take a quiet moment).
127 | 
128 | - **Do practice interviews**
129 | 	- Do them until they feel more comfortable and you can easily talk through problems.
130 | 	- Ask your friends/peers to give you really hard questions that you definitely don't know how to answer.
131 | 	- Practice being in the very uncomfortable position where you have no idea about the topic you've been asked. Work through it from first principles.
132 | 	- Practice speaking aloud everything you know about a topic, even details you think might be irrelevant. 
133 | 	- Doooo theeeeemmm yes they can be annoying to organise but it is *worth it*.
134 | 
135 | ### Interviewers are potential friends and they want to help you get the job, they are on your side. Let them help you, ask them questions, recite everything you know on a topic and *say your thought process out loud*.
136 | 
137 | 
138 | # Networking 
139 | 
140 | - OSI Model
141 | 	- Application; layer 7 (and basically layers 5 & 6) (includes API, HTTP, etc).
142 | 	- Transport; layer 4 (TCP/UDP).
143 | 	- Network; layer 3 (Routing).
144 | 	- Datalink; layer 2 (Error checking and frame synchronisation).
145 | 	- Physical; layer 1 (Bits over fibre).	
146 | - Firewalls
147 | 	- Rules to prevent incoming and outgoing connections.	
148 | - NAT 
149 | 	- Useful to understand IPv4 vs IPv6.
150 | - DNS
151 | 	- (53)
152 | 	- Requests to DNS are usually UDP, unless the server gives a redirect notice asking for a TCP connection. Look up in cache happens first. DNS exfiltration. Using raw IP addresses means no DNS logs, but there are HTTP logs. DNS sinkholes.
153 | 	- In a reverse DNS lookup, PTR might contain- 2.152.80.208.in-addr.arpa, which will map to  208.80.152.2. DNS lookups start at the end of the string and work backwards, which is why the IP address is backwards in PTR.
154 | - DNS exfiltration 
155 | 	- Sending data as subdomains. 
156 | 	- 26856485f6476a567567c6576e678.badguy.com
157 | 	- Doesn’t show up in http logs. 
158 | - DNS configs
159 | 	- Start of Authority (SOA).
160 | 	- IP addresses (A and AAAA).
161 | 	- SMTP mail exchangers (MX).
162 | 	- Name servers (NS).
163 | 	- Pointers for reverse DNS lookups (PTR).
164 | 	- Domain name aliases (CNAME).
165 | - ARP
166 | 	- Pair MAC address with IP Address for IP connections. 
167 | - DHCP
168 | 	- UDP (67 - Server, 68 - Client)
169 | 	- Dynamic address allocation (allocated by router).
170 | 	- `DHCPDISCOVER` -> `DHCPOFFER` -> `DHCPREQUEST` -> `DHCPACK`
171 | - Multiplex 
172 | 	- Timeshare, statistical share, just useful to know it exists.
173 | - Traceroute 
174 | 	- Usually uses UDP, but might also use ICMP Echo Request or TCP SYN. TTL, or hop-limit.
175 | 	- Initial hop-limit is 128 for windows and 64 for *nix. Destination returns ICMP Echo Reply. 
176 | - Nmap 
177 | 	- Network scanning tool.
178 | - Intercepts (PitM - Person in the middle)
179 | 	- Understand PKI (public key infrastructure in relation to this).
180 | - VPN 
181 | 	- Hide traffic from ISP but expose traffic to VPN provider.
182 | - Tor 
183 | 	- Traffic is obvious on a network. 
184 | 	- How do organised crime investigators find people on tor networks. 
185 | - Proxy  
186 | 	- Why 7 proxies won’t help you. 
187 | - BGP
188 | 	- Border Gateway Protocol.
189 | 	- Holds the internet together.
190 | - Network traffic tools
191 | 	- Wireshark
192 | 	- Tcpdump
193 | 	- Burp suite
194 | - HTTP/S 
195 | 	- (80, 443)
196 | - SSL/TLS
197 | 	- (443) 
198 | 	- Super important to learn this, includes learning about handshakes, encryption, signing, certificate authorities, trust systems. A good [primer](https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1) on all these concepts and algorithms is made available by the Dutch cybersecurity center.
199 | 	- POODLE, BEAST, CRIME, BREACH, HEARTBLEED.
200 | - TCP/UDP
201 | 	- Web traffic, chat, voip, traceroute.
202 | 	- TCP will throttle back if packets are lost but UDP doesn't. 
203 | 	- Streaming can slow network TCP connections sharing the same network.
204 | - ICMP 
205 | 	- Ping and traceroute.
206 | - Mail
207 | 	- SMTP (25, 587, 465)
208 | 	- IMAP (143, 993)
209 | 	- POP3 (110, 995)
210 | - SSH 
211 | 	- (22)
212 | 	- Handshake uses asymmetric encryption to exchange symmetric key.
213 | - Telnet
214 | 	- (23, 992)
215 | 	- Allows remote communication with hosts.
216 | - ARP  
217 | 	- Who is 0.0.0.0? Tell 0.0.0.1.
218 | 	- Linking IP address to MAC, Looks at cache first.
219 | - DHCP 
220 | 	- (67, 68) (546, 547)
221 | 	- Dynamic (leases IP address, not persistent).
222 | 	- Automatic (leases IP address and remembers MAC and IP pairing in a table).
223 | 	- Manual (static IP set by administrator).
224 | - IRC 
225 | 	- Understand use by hackers (botnets).
226 | - FTP/SFTP 
227 | 	- (21, 22)
228 | - RPC 
229 | 	- Predefined set of tasks that remote clients can execute.
230 | 	- Used inside orgs. 
231 | - Service ports
232 | 	- 0 - 1023: Reserved for common services - sudo required. 
233 | 	- 1024 - 49151: Registered ports used for IANA-registered services. 
234 | 	- 49152 - 65535: Dynamic ports that can be used for anything. 
235 | - HTTP Header
236 | 	- | Verb | Path | HTTP version |
237 | 	- Domain
238 | 	- Accept
239 | 	- Accept-language
240 | 	- Accept-charset
241 | 	- Accept-encoding(compression type)
242 | 	- Connection- close or keep-alive
243 | 	- Referrer
244 | 	- Return address
245 | 	- Expected Size?
246 | - HTTP Response Header
247 | 	- HTTP version
248 | 	- Status Codes: 
249 | 		- 1xx: Informational Response
250 | 		- 2xx: Successful
251 | 		- 3xx: Redirection
252 | 		- 4xx: Client Error
253 | 		- 5xx: Server Error
254 | 	- Type of data in response 
255 | 	- Type of encoding
256 | 	- Language 
257 | 	- Charset
258 | - UDP Header
259 | 	- Source port
260 | 	- Destination port
261 | 	- Length
262 | 	- Checksum
263 | - Broadcast domains and collision domains. 
264 | - Root stores
265 | - CAM table overflow
266 | 
267 | 
268 | # Web Application 
269 | 
270 | - Same origin policy
271 | 	- Only accept requests from the same origin domain.  
272 | - CORS 
273 | 	- Cross-Origin Resource Sharing. Can specify allowed origins in HTTP headers. Sends a preflight request with options set asking if the server approves, and if the server approves, then the actual request is sent (eg. should client send auth cookies).
274 | - HSTS 
275 | 	- Policies, eg what websites use HTTPS.
276 | - Cert transparency 
277 | 	- Can verify certificates against public logs 	
278 | - HTTP Public Key Pinning
279 | 	- (HPKP)
280 | 	- Deprecated by Google Chrome
281 | - Cookies 
282 | 	- httponly - cannot be accessed by javascript.
283 | - CSRF
284 | 	- Cross-Site Request Forgery.
285 | 	- Cookies.
286 | - XSS
287 | 	- Reflected XSS.
288 | 	- Persistent XSS.
289 | 	- DOM based /client-side XSS.
290 | 	- `<img scr=””>` will often load content from other websites, making a cross-origin HTTP request. 
291 | - SQLi 
292 | 	- Person-in-the-browser (flash / java applets) (malware).
293 | 	- Validation / sanitisation of webforms.
294 | - POST 
295 | 	- Form data. 
296 | - GET 
297 | 	- Queries. 
298 | 	- Visible from URL.
299 | - Directory traversal 
300 | 	- Find directories on the server you’re not meant to be able to see.
301 | 	- There are tools that do this.
302 | - APIs 
303 | 	- Think about what information they return. 
304 | 	- And what can be sent.
305 | - Beefhook
306 | 	- Get info about Chrome extensions.
307 | - User agents
308 | 	- Is this a legitimate browser? Or a botnet?
309 | - Browser extension take-overs
310 | 	- Miners, cred stealers, adware.
311 | - Local file inclusion
312 | - Remote file inclusion (not as common these days)
313 | - SSRF 
314 | 	- Server Side Request Forgery.
315 | - Web vuln scanners. 
316 | - SQLmap.
317 | - Malicious redirects.
318 | 
319 | 
320 | # Infrastructure (Prod / Cloud) Virtualisation 
321 | 
322 | - Hypervisors.
323 | - Hyperjacking.
324 | - Containers, VMs, clusters.
325 | - Escaping techniques.
326 | 	- Network connections from VMs / containers.  
327 | - Lateral movement and privilege escalation techniques.
328 | 	- Cloud Service Accounts can be used for lateral movement and privilege escalation in Cloud environments.
329 | 	- GCPloit tool for Google Cloud Projects.
330 | - Site isolation.
331 | - Side-channel attacks.
332 | 	- Spectre, Meltdown.
333 | - Beyondcorp 
334 | 	- Trusting the host but not the network.
335 | - Log4j vuln. 
336 | 
337 | 
338 | # OS Implementation and Systems
339 | 
340 | - Privilege escalation techniques, and prevention.
341 | - Buffer Overflows.
342 | - Directory traversal (prevention).
343 | - Remote Code Execution / getting shells.
344 | - Local databases
345 | 	- Some messaging apps use sqlite for storing messages.
346 | 	- Useful for digital forensics, especially on phones.
347 | - Windows
348 | 	- Windows registry and group policy.
349 | 	- Active Directory (AD).
350 | 		- Bloodhound tool. 
351 | 		- Kerberos authentication with AD.
352 | 	- Windows SMB. 
353 | 	- Samba (with SMB).
354 | 	- Buffer Overflows. 
355 | 	- ROP. 
356 | 	
357 | - *nix 
358 | 	- SELinux.
359 | 	- Kernel, userspace, permissions.
360 | 	- MAC vs DAC.
361 | 	- /proc
362 | 	- /tmp - code can be saved here and executed.
363 | 	- /shadow 
364 | 	- LDAP - Lightweight Directory Browsing Protocol. Lets users have one password for many services. This is similar to Active Directory in windows.
365 | - MacOS
366 | 	- Gotofail error (SSL).
367 | 	- MacSweeper.
368 | 	- Research Mac vulnerabilities.
369 | 
370 | ## Mitigations 
371 | - Patching 
372 | - Data Execution Prevention
373 | - Address space layout randomisation
374 | 	- To make it harder for buffer overruns to execute privileged instructions at known addresses in memory.
375 | - Principle of least privilege
376 | 	- Eg running Internet Explorer with the Administrator SID disabled in the process token. Reduces the ability of buffer overrun exploits to run as elevated user.
377 | - Code signing
378 | 	- Requiring kernel mode code to be digitally signed.
379 | - Compiler security features
380 | 	- Use of compilers that trap buffer overruns.
381 | - Encryption
382 | 	- Of software and/or firmware components.
383 | - Mandatory Access Controls
384 | 	- (MACs)
385 | 	- Access Control Lists (ACLs)
386 | 	- Operating systems with Mandatory Access Controls - eg. SELinux.
387 | - "Insecure by exception"
388 | 	- When to allow people to do certain things for their job, and how to improve everything else. Don't try to "fix" security, just improve it by 99%.
389 | - Do not blame the user
390 | 	- Security is about protecting people, we should build technology that people can trust, not constantly blame users. 
391 | 
392 | 
393 | # Cryptography, Authentication, Identity 
394 | 
395 | - Encryption vs Encoding vs Hashing vs Obfuscation vs Signing
396 | 	- Be able to explain the differences between these things. 
397 | 	- [Various attack models](https://en.wikipedia.org/wiki/Attack_model) (e.g. chosen-plaintext attack).
398 | 
399 | - Encryption standards + implementations
400 | 	- [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) (asymmetrical).
401 | 	- [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) (symmetrical).
402 | 	- [ECC](https://en.wikipedia.org/wiki/EdDSA) (namely ed25519) (asymmetric).
403 | 	- [Chacha/Salsa](https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant) (symmetric).
404 | 
405 | - Asymmetric vs symmetric
406 | 	- Asymmetric is slow, but good for establishing a trusted connection.
407 | 	- Symmetric has a shared key and is faster. Protocols often use asymmetric to transfer symmetric key.
408 | 	- Perfect forward secrecy - eg Signal uses this.
409 | 
410 | - Cyphers
411 | 	- Block vs stream [ciphers](https://en.wikipedia.org/wiki/Cipher).
412 | 	- [Block cipher modes of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation).
413 | 	- [AES-GCM](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
414 | 
415 | - Integrity and authenticity primitives
416 | 	- [Hashing functions](https://en.wikipedia.org/wiki/Cryptographic_hash_function) e.g. MD5, Sha-1, BLAKE. Used for identifiers, very useful for fingerprinting malware samples.
417 | 	- [Message Authentication Codes (MACs)](https://en.wikipedia.org/wiki/Message_authentication_code).
418 | 	- [Keyed-hash MAC (HMAC)](https://en.wikipedia.org/wiki/HMAC).
419 | 
420 | - Entropy
421 | 	- PRNG (pseudo random number generators).
422 | 	- Entropy buffer draining.
423 | 	- Methods of filling entropy buffer.
424 | 
425 | - Authentication
426 | 	- Certificates 
427 | 		- What info do certs contain, how are they signed? 
428 | 		- Look at DigiNotar.
429 | 	- Trusted Platform Module 
430 | 		- (TPM)
431 | 		- Trusted storage for certs and auth data locally on device/host.
432 | 	- O-auth
433 | 		- Bearer tokens, this can be stolen and used, just like cookies.
434 | 	- Auth Cookies
435 | 		- Client side.
436 | 	- Sessions 
437 | 		- Server side.
438 | 	- Auth systems 
439 | 		- SAMLv2o.
440 | 		- OpenID.
441 | 		- Kerberos. 
442 | 			- Gold & silver tickets.
443 | 			- Mimikatz.
444 | 			- Pass-the-hash.	  
445 | 	- Biometrics
446 | 		- Can't rotate unlike passwords.
447 | 	- Password management
448 | 		- Rotating passwords (and why this is bad). 
449 | 		- Different password lockers. 
450 | 	- U2F / FIDO
451 | 		- Eg. Yubikeys.
452 | 		- Helps prevent successful phishing of credentials.
453 | 	- Compare and contrast multi-factor auth methods.
454 | 
455 | - Identity
456 | 	- Access Control Lists (ACLs)
457 | 		- Control which authenicated users can access which resources.
458 | 	- Service accounts vs User accounts
459 | 		- Robot accounts or Service accounts are used for automation.
460 | 		- Service accounts should have heavily restricted priviledges.
461 | 		- Understanding how Service accounts are used by attackers is important for understanding Cloud security.  
462 | 	- impersonation
463 | 		- Exported account keys.
464 | 		- ActAs, JWT (JSON Web Token) in Cloud.
465 | 	- Federated identity
466 | 
467 | 
468 | # Malware & Reversing
469 | 
470 | - Interesting malware
471 | 	- Conficker.
472 | 	- Morris worm.
473 | 	- Zeus malware.
474 | 	- Stuxnet.
475 | 	- Wannacry.
476 | 	- CookieMiner.
477 | 	- Sunburst.
478 | 
479 | - Malware features
480 | 	- Various methods of getting remote code execution. 
481 | 	- Domain-flux.
482 | 	- Fast-Flux.
483 | 	- Covert C2 channels.
484 | 	- Evasion techniques (e.g. anti-sandbox).
485 | 	- Process hollowing. 
486 | 	- Mutexes.
487 | 	- Multi-vector and polymorphic attacks.
488 | 	- RAT (remote access trojan) features.
489 | 
490 | - Decompiling/ reversing 
491 | 	- Obfuscation of code, unique strings (you can use for identifying code).
492 | 	- IdaPro, Ghidra.
493 | 
494 | - Static / dynamic analysis
495 | 	- Describe the differences.
496 | 	- Virus total. 
497 | 	- Reverse.it. 
498 | 	- Hybrid Analysis.
499 | 
500 | 
501 | # Exploits
502 | 
503 | - Three ways to attack - Social, Physical, Network 
504 | 	- **Social**
505 | 		- Ask the person for access, phishing. 
506 | 		- Cognitive biases - look at how these are exploited.
507 | 		- Spear phishing.
508 | 		- Water holing.
509 | 		- Baiting (dropping CDs or USB drivers and hoping people use them).
510 | 		- Tailgating.
511 | 	- **Physical** 
512 | 		- Get hard drive access, will it be encrypted? 
513 | 		- Boot from linux. 
514 | 		- Brute force password.
515 | 		- Keyloggers.
516 | 		- Frequency jamming (bluetooth/wifi).
517 | 		- Covert listening devices.
518 | 		- Hidden cameras.
519 | 		- Disk encryption. 
520 | 		- Trusted Platform Module.
521 | 		- Spying via unintentional radio or electrical signals, sounds, and vibrations (TEMPEST - NSA).
522 | 	- **Network** 
523 | 		- Nmap.
524 | 		- Find CVEs for any services running.
525 | 		- Interception attacks.
526 | 		- Getting unsecured info over the network.
527 | 
528 | - Exploit Kits and drive-by download attacks
529 | 
530 | - Remote Control
531 | 	- Remote code execution (RCE) and privilege.
532 | 	- Bind shell (opens port and waits for attacker).
533 | 	- Reverse shell (connects to port on attackers C2 server).
534 | 
535 | - Spoofing
536 | 	- Email spoofing.
537 | 	- IP address spoofing.
538 | 	- MAC spoofing.
539 | 	- Biometric spoofing.
540 | 	- ARP spoofing.
541 | 
542 | - Tools
543 | 	- Metasploit.
544 | 	- ExploitDB.
545 | 	- Shodan - Google but for devices/servers connected to the internet.
546 | 	- Google the version number of anything to look for exploits.
547 | 	- Hak5 tools.
548 | 
549 | 
550 | # Attack Structure
551 | 
552 | Practice describing security concepts in the context of an attack. These categories are a rough guide on attack structure for a targeted attack. Non-targeted attacks tend to be a bit more "all-in-one".
553 | 
554 | - Reconnaissance
555 | 	- OSINT, Google dorking, Shodan.
556 | - Resource development
557 | 	- Get infrastructure (via compromise or otherwise).
558 | 	- Build malware.
559 | 	- Compromise accounts.
560 | - Initial access
561 | 	- Phishing.
562 | 	- Hardware placements.
563 | 	- Supply chain compromise.
564 | 	- Exploit public-facing apps.
565 | - Execution
566 | 	- Shells & interpreters (powershell, python, javascript, etc.).
567 | 	- Scheduled tasks, Windows Management Instrumentation (WMI).
568 | - Persistence
569 | 	- Additional accounts/creds.
570 | 	- Start-up/log-on/boot scripts, modify launch agents, DLL side-loading, Webshells.
571 | 	- Scheduled tasks.
572 | - Privilege escalation
573 | 	- Sudo, token/key theft, IAM/group policy modification.
574 | 	- Many persistence exploits are PrivEsc methods too.
575 | - Defense evasion
576 | 	- Disable detection software & logging.
577 | 	- Revert VM/Cloud instances.
578 | 	- Process hollowing/injection, bootkits.
579 | - Credential access
580 | 	- Brute force, access password managers, keylogging.
581 | 	- etc/passwd & etc/shadow.
582 | 	- Windows DCSync, Kerberos Gold & Silver tickets.
583 | 	- Clear-text creds in files/pastebin, etc.
584 | - Discovery
585 | 	- Network scanning.
586 | 	- Find accounts by listing policies.
587 | 	- Find remote systems, software and system info, VM/sandbox.
588 | - Lateral movement
589 | 	- SSH/RDP/SMB.
590 | 	- Compromise shared content, internal spear phishing.
591 | 	- Pass the hash/ticket, tokens, cookies.
592 | - Collection
593 | 	- Database dumps.
594 | 	- Audio/video/screen capture, keylogging.
595 | 	- Internal documentation, network shared drives, internal traffic interception.
596 | - Exfiltration
597 | 	- Removable media/USB, Bluetooth exfil.
598 | 	- C2 channels, DNS exfil, web services like code repos & Cloud backup storage.
599 | 	- Scheduled transfers.
600 | - Command and control
601 | 	- Web service (dead drop resolvers, one-way/bi-directional traffic), encrypted channels.
602 | 	- Removable media.
603 | 	- Steganography, encoded commands.
604 | - Impact
605 | 	- Deleted accounts or data, encrypt data (like ransomware).
606 | 	- Defacement.
607 | 	- Denial of service, shutdown/reboot systems.
608 | 
609 | 
610 | # Threat Modeling
611 | 
612 | - Threat Matrix
613 | - Trust Boundries
614 | - Security Controls
615 | - STRIDE framework
616 | 	- **S**poofing
617 | 	- **T**ampering
618 | 	- **R**epudiation
619 | 	- **I**nformation disclosure
620 | 	- **D**enial of service
621 | 	- **E**levation of privilege 
622 | - [MITRE Att&ck](https://attack.mitre.org/) framework
623 | - [Excellent talk](https://www.youtube.com/watch?v=vbwb6zqjZ7o) on "Defense Against the Dark Arts" by Lilly Ryan (contains *many* Harry Potter spoilers)
624 | 
625 | 
626 | # Detection
627 | 
628 | - IDS
629 | 	- Intrusion Detection System (signature based (eg. snort) or behaviour based).
630 | 	- Snort/Suricata/YARA rule writing
631 | 	- Host-based Intrusion Detection System (eg. OSSEC)
632 | 
633 | - SIEM
634 | 	- Security Information and Event Management.
635 | 
636 | - IOC 
637 | 	- Indicator of compromise (often shared amongst orgs/groups).
638 | 	- Specific details (e.g. IP addresses, hashes, domains)
639 | 
640 | - Things that create signals
641 | 	- Honeypots, snort.
642 | 
643 | - Things that triage signals
644 | 	- SIEM, eg splunk.
645 | 
646 | - Things that will alert a human 
647 | 	- Automatic triage of collated logs, machine learning.
648 | 	- Notifications and analyst fatigue.
649 | 	- Systems that make it easy to decide if alert is actual hacks or not.
650 | 
651 | - Signatures
652 | 	- Host-based signatures
653 | 		- Eg changes to the registry, files created or modified.
654 | 		- Strings in found in malware samples appearing in binaries installed on hosts (/Antivirus).
655 | 	- Network signatures
656 | 		- Eg checking DNS records for attempts to contact C2 (command and control) servers. 
657 | 
658 | - Anomaly / Behaviour based detection 
659 | 	- IDS learns model of “normal” behaviour, then can detect things that deviate too far from normal - eg unusual urls being accessed, user specific- login times / usual work hours, normal files accessed.  
660 | 	- Can also look for things that a hacker might specifically do (eg, HISTFILE commands, accessing /proc).
661 | 	- If someone is inside the network- If action could be suspicious, increase log verbosity for that user.
662 | 
663 | - Firewall rules
664 | 	- Brute force (trying to log in with a lot of failures).
665 | 	- Detecting port scanning (could look for TCP SYN packets with no following SYN ACK/ half connections).
666 | 	- Antivirus software notifications.
667 | 	- Large amounts of upload traffic.
668 | 
669 | - Honey pots
670 | 	- Canary tokens.
671 | 	- Dummy internal service / web server, can check traffic, see what attacker tries.
672 | 
673 | - Things to know about attackers
674 | 	- Slow attacks are harder to detect.
675 | 	- Attacker can spoof packets that look like other types of attacks, deliberately create a lot of noise.
676 | 	- Attacker can spoof IP address sending packets, but can check TTL of packets and TTL of reverse lookup to find spoofed addresses.
677 | 	- Correlating IPs with physical location (is difficult and inaccurate often).
678 | 
679 | - Logs to look at
680 | 	- DNS queries to suspicious domains.
681 | 	- HTTP headers could contain wonky information.
682 | 	- Metadata of files (eg. author of file) (more forensics?).
683 | 	- Traffic volume.
684 | 	- Traffic patterns.
685 | 	- Execution logs.
686 | 
687 | - Detection related tools
688 | 	- Splunk.
689 | 	- Arcsight.
690 | 	- Qradar.
691 | 	- Darktrace.
692 | 	- Tcpdump.
693 | 	- Wireshark.
694 | 	- Zeek.
695 | 
696 | - A curated list of [awesome threat detection](https://github.com/0x4D31/awesome-threat-detection) resources
697 | 
698 | 
699 | # Digital Forensics
700 | 
701 |  - Evidence volatility (network vs memory vs disk)
702 | 
703 |  - Network forensics
704 | 	- DNS logs / passive DNS
705 | 	- Netflow
706 | 	- Sampling rate
707 | 
708 |  - Disk forensics
709 | 	- Disk imaging
710 | 	- Filesystems (NTFS / ext2/3/4 / AFPS)
711 | 	- Logs (Windows event logs, Unix system logs, application logs)
712 | 	- Data recovery (carving)
713 | 	- Tools
714 | 	- plaso / log2timeline
715 | 	- FTK imager
716 | 	- encase
717 | 
718 |  - Memory forensics
719 | 	- Memory acquisition (footprint, smear, hiberfiles)
720 | 	- Virtual vs physical memory
721 | 	- Life of an executable
722 | 	- Memory structures
723 | 	- Kernel space vs user space
724 | 	- Tools
725 | 	- Volatility
726 | 	- Google Rapid Response (GRR) / Rekall
727 | 	- WinDbg
728 | 
729 |   - Mobile forensics
730 | 	- Jailbreaking devices, implications
731 | 	- Differences between mobile and computer forensics
732 | 	- Android vs. iPhone
733 | 
734 |   - Anti forensics
735 | 	- How does malware try to hide?
736 | 	- Timestomping
737 | 
738 |   - Chain of custody
739 |   	- Handover notes 
740 | 
741 | 
742 | # Incident Management
743 | 
744 | - Privacy incidents vs information security incidents
745 | - Know when to talk to legal, users, managers, directors.
746 | - Run a scenario from A to Z, how would you ...
747 | 
748 | - Good practices for running incidents 
749 | 	- How to delegate.
750 | 	- Who does what role.
751 | 	- How is communication managed + methods of communication.
752 | 	- When to stop an attack.
753 | 	- Understand risk of alerting attacker.
754 | 	- Ways an attacker may clean up / hide their attack.
755 | 	- When / how to inform upper management (manage expectations).
756 | 	- Metrics to assign Priorities (e.g. what needs to happen until you increase the prio for a case)
757 | 	- Use playbooks if available
758 | 
759 | - Important things to know and understand
760 | 	- Type of alerts, how these are triggered.
761 | 	- Finding the root cause.
762 | 	- Understand stages of an attack (e.g. cyber-killchain)
763 | 	- Symptom vs Cause.
764 | 	- First principles vs in depth systems knowledge (why both are good).
765 | 	- Building timeline of events.
766 | 	- Understand why you should assume good intent, and how to work with people rather than against them.
767 | 	- Prevent future incidents with the same root cause
768 | 
769 |   - Response models
770 |   	- SANS' PICERL (Preparation, Identification, Containement, Eradication, Recovery, Lessons learned)
771 |    	- Google's IMAG (Incident Management At Google)
772 | 
773 | 
774 | # Coding & Algorithms
775 | 
776 | - The basics
777 | 	- Conditions (if, else).
778 | 	- Loops (for loops, while loops).
779 |  	- Dictionaries.
780 |  	- Slices/lists/arrays.
781 |  	- String/array operations (split, contaings, length, regular expressions).
782 |  	- Pseudo code (concisely describing your approach to a problem).
783 | 
784 | - Data structures
785 | 	- Dictionaries / hash tables (array of linked lists, or sometimes a BST).
786 | 	- Arrays.
787 | 	- Stacks.
788 | 	- SQL/tables. 
789 | 	- Bigtables.
790 | 
791 | - Sorting
792 | 	- Quicksort, merge sort.
793 | 
794 | - Searching 
795 | 	- Binary vs linear.
796 | 
797 | - Big O 
798 | 	- For space and time.
799 | 
800 | - Regular expressions
801 | 	- O(n), but O(n!) when matching.
802 | 	- It's useful to be familiar with basic regex syntax, too.
803 | 
804 | - Recursion 
805 | 	- And why it is rarely used.
806 | 
807 | - Python
808 | 	- List comprehensions and generators [ x for x in range() ].
809 | 	- Iterators and generators.
810 | 	- Slicing [start:stop:step].
811 | 	- Regular expressions.
812 | 	- Types (dynamic types), data structures.
813 | 	- Pros and cons of Python vs C, Java, etc.
814 | 	- Understand common functions very well, be comfortable in the language.
815 | 
816 | 
817 | ## Security Themed Coding Challenges
818 | 
819 | These security engineering challenges focus on text parsing and manipulation, basic data structures, and simple logic flows. Give the challenges a go, no need to finish them to completion because all practice helps.
820 | 
821 | - Cyphers / encryption algorithms 
822 | 	- Implement a cypher which converts text to emoji or something.
823 | 	- Be able to implement basic cyphers.
824 | 
825 | - Parse arbitrary logs 
826 | 	- Collect logs (of any kind) and write a parser which pulls out specific details (domains, executable names, timestamps etc.)
827 | 
828 | - Web scrapers 
829 | 	- Write a script to scrape information from a website.
830 | 
831 | - Port scanners 
832 | 	- Write a port scanner or detect port scanning.
833 | 
834 | - Botnets
835 | 	- How would you build ssh botnet?
836 | 
837 | - Password bruteforcer
838 | 	- Generate credentials and store successful logins. 
839 | 
840 | - Scrape metadata from PDFs
841 | 	- Write a mini forensics tool to collect identifying information from PDF metadata. 
842 | 
843 | - Recover deleted items
844 | 	- Most software will keep deleted items for ~30 days for recovery. Find out where these are stored. 
845 | 	- Write a script to pull these items from local databases. 
846 |  
847 | - Malware signatures
848 | 	- A program that looks for malware signatures in binaries and code samples.
849 | 	- Look at Yara rules for examples.
850 | 
851 | Put your work-in-progress scripts on GitHub and link to them on your resume/CV. Resist the urge to make your scripts perfect or complete before doing this. 
852 | 


--------------------------------------------------------------------------------