Do you need a Cybersecurity home lab?

Captions
David: Neal, this comes up a lot. Firstly, would you recommend creating a home lab to learn cyber security and hacking stuff, and what would you do if you did recommend that? I've asked you a really broad question because I know you've discussed this before, so I want to hand it to you and just let you run with it.

Neal: Absolutely, thanks David. You and I talked a little bit about this off camera, and I told you I was going to take a pretty stark stance on this. So I'm going to upset all your Cisco folks and all your IT folks who are used to that, and I'm going to say: if you're building home labs right now in cyber security, if you're buying hardware and you're buying servers to put VMs on in a rack in your house, you're a dinosaur. You're a dinosaur. This is something I talk about pretty extensively. I don't see the need for physical home labs, physical-equipment home labs, the same way that we thought about them back in the 2000s, the mid to late 2000s. Especially when people come to me and ask me about home labs, you can tell the question is centered on this idea that started... and I'm going to pick on Cisco, and I'm going to pick on the CCNAs and the CCIEs here for a little bit now.

David: Don't pick on me!

Neal: I wasn't explicitly going to say you, but do you still have a physical rack inside of your house with a lot of Cisco equipment?

David: No. It's quite funny, because I've got a bunch of equipment. It's actually up in the loft there, all powered off and gathering dust, because I don't see the need, unless you just want to learn physically how stuff looks, which you do perhaps at the very beginning. I'm a firm believer in virtualizing stuff.

Neal: Yeah, and that's very much what I believe in, right? And I think that's the Cisco mentality. I don't know where it started or how it manifested or why it is still alive in people today, but this idea that you have to have physical equipment to build any form of a home lab, I think, is a fallacy. I think that it causes unnecessary waste, I think it causes an unnecessary financial burden on most people, and I don't think that it's effective at what it is that we want to do whenever we teach ourselves cyber security. Now, home lab conversations in cyber security are vastly different, because we have so many job opportunities, right? Whether we talk about incident response, ethical hacking, malware reverse engineering, risk and governance, all the different job roles that you can have inside of a cyber security organization. Generally speaking, as a general rule, if you're not virtualizing your home labs then you're failing step one, and I'll make that bold statement. Now, there's going to be a portion of people out there who are like, "Yeah, of course, I can virtualize on my laptop, and so I should have a server in my house where I can have 50 virtual machines on it." And I'm just like, unless your home lab consists of a small-scale Fortune 100 company, why do you need 50 virtual machines? In most cases you only need a handful of virtual machines. In very, very few cases do you need a dozen virtual machines running at any point in time. Think about ethical hacking, right? If you're just practicing throwing an exploit, you need a Kali box and you need a target. If you're practicing doing reconnaissance, you need a Kali box and a target. This idea that you need to scan a class C, so therefore I need 255 VMs so that I can practice scanning a class C, is a fallacy. The process for scanning one box can be upscaled to scanning 255.

And so when I talk to people about building home labs, one of the very first things that I tell people, and something I harp on, is: before you put pen to paper, before you spin up your first virtual machine, before you launch Kali the first time, define what your objective is for that home lab. Define your objective. And when I say objective, the objective should be more than just "I want to learn Kali." I don't think that's a good enough objective. I'll give you a C plus, maybe a C minus, I'll give you a C for your objective being to learn Kali. What your objective should be is "I want to learn how to use the Nmap Scripting Engine." Now, for that you need a Kali box, that's easy, right? But the target: you need to decide the target based on which Nmap script you want to run. And so that requires you to research the Nmap Scripting Engine, research all of the Nmap scripts that are out there, pick one that you want to learn really, really well, and then you set up a target that you get to practice on with that Nmap script. Now, what does this do for you? It keeps the scope of your home lab really small and really pragmatic. When you look at the Nmap Scripting Engine, there are over 200 scripts in the Nmap Scripting Engine. You're not going to be an expert in all 200, and you're not going to be able to create a home lab to test all 200, and chances are, when you learn one, it's a pretty repeatable process for a lot of the other scripts that exist inside of Nmap anyway. And so becoming a really good expert in one tool is more valuable than a topical understanding of 200 tools, and the only way that you can do that, in my opinion, is to define the objectives of your home lab first and be very pragmatic in the definition of those objectives.

David: Neal, I want to ask you this though, because in Cisco environments (we're picking on Cisco and me) there is no Hack The Box. I mean, there's work on that kind of stuff, but in the old days we had to have physical equipment because the software didn't run on virtualized environments. Now we have virtual environments, but Cisco's kind of a bit behind you, in that we have software that can be virtualized so you can run Cisco devices on your laptop, but there aren't always labs that people can follow. So, question to you: in cyber security now, would you recommend getting or creating a home lab, or just enrolling in Hack The Box and those kinds of systems? Because offline we kind of mentioned a little bit about that, but I want to push you now. What would be the right path or the best path for someone who's starting out? Is it "go and invest in a home lab, buy servers on Amazon or whatever", or just go and register with Hack The Box? Give us the path of what you'd recommend.

Neal: 100%, 100%. And I think that's really my point with home labs, right? We've seen a blow-up of home labs as a service, for lack of a better term. Home labs as a service, right, whether we talk about RangeForce, TryHackMe, Hack The Box, Security Blue Team, CyberDefenders.org, VulnHub; I think at one point in time VulnHub was doing it as well. I think we've seen this explosion of these home labs as a service, and if you're going to invest in something... I still get DMs from people who are like, "when I get enough money to get a new laptop" or "when I get enough money to get a new computer," and I'm just like, why do you need a new computer when you can go do these home labs as a service? If you've got a computer that can run Ubuntu, which is very... I mean, you can run Ubuntu on an ARM device these days, right? On a Raspberry Pi.

David: Yeah, on a Raspberry Pi.

Neal: Right, that costs you... what does a Raspberry Pi cost these days? Like 30 or something like that?

David: I don't know exactly. I'll put a price on the screen.

Neal: There you go, put that link on the screen for the Raspberry Pi. But all you need to be able to do is to connect to these boxes and be able to run a lot of these labs inside of these other people's places. And so I would say, don't spend the money on a new laptop when you can instead give this money over to somebody, and you can get the things that David and I have talked about on this show quite extensively, which is: you can get hands-on skills with somebody else who's built a home lab, you can put that on your LinkedIn, your resume, and you can be productive and effective at your tradecraft today.

David: I want to jump on that right now, because I think you've mentioned two very important things there. Number one, if you're building a home lab, you don't know what you don't know, so how are you going to build that home lab to actually test your skills? But someone else has already built that for you, so they perhaps know a lot more than you; they've built this vulnerability or this test lab and now you're testing your knowledge. And the second point, I think, is you can actually show employers that you've completed this lab. So it's got like a dual win, if you like, whereas if you build your own home lab, how do you prove that?

Neal: Absolutely. And I want to say something about a company, and you can cut this section out. I want to say something about RangeForce, but I don't want it to come off as... RangeForce sponsors the stream, and I don't want to come off as plugging RangeForce because they sponsor the stream, so you can choose to cut this out if you want. But they do have something that I think is very pragmatic that I do want to harp on, and I would harp on this whether they were sponsoring the stream or not. To that point, David, this is why I'm a fan of companies like RangeForce from that hands-on perspective, and I'll give you an example. Instead of spending money on a home lab, you can go sign up for a company like RangeForce. They have what they refer to as battle paths for things like a SOC analyst; they have three levels of battle path for a SOC analyst; they have a battle path for a threat hunter. So you can go put that money into something like RangeForce, you can go take the battle path for SOC Analyst 1, and at the end of the day you get a badge that says that you're certified on their platform. It's an Acclaim badge, which means you can put it on LinkedIn, you can put it on your email signature, you can put it on your resume. So you're going to get an Acclaim badge that says that you've passed their certification to be a SOC Analyst 1, and it's like, why would you not invest instead in all the work that they've done on building a home lab to get you a credential that shows people that you've got hands-on experience as a SOC analyst, almost immediately? Why would you need to do that yourself with your own physical hardware, to David's point, trying to build something when you don't know what it is that you don't know? Number one. Number two, they have technologies like Splunk, like Carbon Black, like Elastic, right? They have technologies that you can go get your hands on today, because they've built the infrastructure to put an Elastic instance up or to put a Splunk instance up, so that you can put your hands on real enterprise-grade technology today. And so that's an investment that you can make in a home lab: instead of you trying to build your own Splunk instance, or trying to build your own Elastic instance, or trying to find some way that you put your hands on Carbon Black so that you can practice your EDR perspective, you can go there and you can get those hands-on skills and you can put those on your resume immediately.

And I'll tell you, when I look at people's resumes, David, when I start to look at their experience section and they don't have something like TryHackMe or Hack The Box or RangeForce or CyberDefenders.org, or insert the 700 other companies that are out there that do provide that hands-on training, I start to ask myself: why haven't you taken the time to invest in that hands-on training? And when we talk about home labs, this is why I get people into the conversation of "what is your objective?" Because if your objective is to be a better SOC analyst, you're never going to build that home lab. You're never going to build a home lab that demonstrates on your resume that you're a SOC analyst, right, that you're qualified to be a SOC analyst. You're never going to be able to build as good a TryHackMe lab to show that you can be as successful in some of the TryHackMe exercises as if you were to go to TryHackMe and be part of their ecosystem.

David: So Neal, I just want to push you, because I'm going to put you right on the spot now.

Neal: Yep.

David: I've got a pool of money.

Neal: Give it to me!

David: $100... yeah, sorry, not that much. $100 or $500 or $1,000, whatever it is, whatever my budget is. Would I take that money and try and buy an inexpensive computer, or try and build a home lab, or would I simply use what I've got and try and buy credits on Hack The Box and all these other places that you've mentioned?

Neal: That's a fantastic question. It's ironic that you say that, but I've had people come to me and say, "I've got a thousand or two thousand." I think I had somebody come to me one time and say they got eighteen thousand dollars, and what should they spend it on?

David: I know, right? Buy a car!

Neal: And I was like, do you realize that if you've got something like $18,000, the last thing I would do is put all $18,000 of that into my security education? I don't think you need to spend that type of money. If you've got a hundred dollars, if you've got 200, and you're saving up, regardless of where you're at, regardless of anything like that, I think that hundred or two hundred dollar investment is better spent on somebody else's home lab setup than on you investing in your own home lab setup. I think you can have your computer, you can have Ubuntu, and again, when I talk to people, they're so used to thinking about Kali and they're so used to thinking about virtual machines that they're like, "well, I need a thousand dollars to buy a computer that can have a virtual machine." Do you realize that if you have a computer that can support Ubuntu, you can go to GitHub and you can just clone the repositories for things like Metasploit, you can clone the repositories for things like sqlmap, you can clone the repositories for most of the tools that are inside of Kali, and you can be a better penetration tester or better ethical hacker by learning how to install your own tools via git on those operating systems anyway? And so you don't need to spend a hundred dollars on a new laptop, you don't need to spend 100 on a laptop that has the capability to support a VM, because you could do that on an Ubuntu machine. You can just go download the applications that you think you need to be successful in TryHackMe, Hack The Box or anything else. But I get back to most of these other home labs: most of them have jump boxes, most of them have boxes that you can use to be your exploit platform, most of them give you that infrastructure. So all you realistically have to be able to do is just connect to them. And so if you have a device that can connect to those home labs, you should better spend that money investing in those paid services, because you're going to take your career so much further than trying to have that Cisco mentality that makes you feel like you have to have your own infrastructure in your own house.

David: Yes. If you've got a Chromebook or some cheap and nasty computer, as long as you can run a decent web browser a lot of these will work, is that right?

Neal: Absolutely, 100%.

David: Okay Neal, so let me put you on the spot again. Give me your top three, top five, because this is like a meme: top three or top five red team places to get labs, and blue team. I don't know if there are that many, but just give us your list and then why. It doesn't matter; I know you've mentioned INE before, I know you've mentioned Hack The Box. Just give us a rundown and then give us your opinion why.

Neal: Yeah, and I think three is going to be the limit, because to your point, there's a lot out there, but I don't think that there's a lot that are doing it really, really well. I think what this really boils down to, from a top three perspective on the red team side: I would rank TryHackMe probably number one, I would do Hack The Box number two. I'd say that, right: TryHackMe number one, Hack The Box number two. Number three would probably be...

David: Oh Neal, you seem to be struggling for number three. What about INE? Because when they bought eLearnSecurity they seem to have a good thing. Or is that more of a hybrid learning platform?

Neal: It's more of a hybrid learning platform. You take a course on ethical hacking and then you get a lab. Let's say that you're doing a learning module for Mimikatz; then you're going to get a lab on how to use Mimikatz. And that works, but I don't think that's the same as a TryHackMe or Hack The Box, which is trying to gamify an entire process. When you look at something like TryHackMe, they rank you based on your ability to go from room to room inside of TryHackMe. And while I do think that INE has got great curriculum, they don't have a gamified, battleground type of place that allows you to... level one: I'm going to learn Nmap; level one: I'm going to learn Metasploit; level one: I'm going to learn Responder. Okay, you complete those rooms, we're going to go up to level two and we're going to teach you SQL injection, yadda yadda. That's all lab-based stuff, right, in the same way that TryHackMe does, where it tries to gamify it, assign you points, help you kind of grow up in the space like that. INE's hybrid lab environment is: I'm going to teach you ethical hacking, and I'm going to teach you how to use Mimikatz, and then I'm going to give you a lab environment on how to use Mimikatz. So it's cognitive learning followed by demonstrative validation in that regard, and that's vastly different. Then I think when we think about home labs, when I think about TryHackMe, when I think about Hack The Box, when I think about those types of organizations, they're set down so that it's almost like video games, right? You sit down at the end of the day, you plug yourself into your Xbox or your PS4, and you sit down there and you play Call of Duty, and you level up in Call of Duty and you get new weapons and things like that from Call of Duty, and then you turn off at the end of the night, and you're focused in on the actual execution of your Call of Duty play. That's what I think about when I think about TryHackMe. When I think about INE, INE is the step above that, in the sense of: okay, I want to work towards the career of a penetration tester, and so I want to learn things in a career-path fashion that gets you from start to finish, and you're going to take labs along the way to provide validation for skill sets that you learn along the way. Could you still do really well at Call of Duty based on what you learn in INE? Absolutely, 100%. But it's a different way of learning that stuff, and that's why I equate home labs differently to the conversation of the INE labs, because I don't think that the learning methodology is exactly the same as what you get from a home lab. So that's my hesitation on the INE side: I think that the delivery mechanism of the training isn't in the spirit of a home lab.

David: I agree. It's more like mentored learning, kind of thing, and then you get to practice. So do you have a third? I mean, you've got Hack The Box, TryHackMe; is there a third one that you'd recommend for red team?

Neal: So I want to show you something I'm working on, and you can decide whether to include it in your video or not. You...
Info

Channel: David Bombal
Views: 127,113
Keywords: cybersecurity, home lab, homelab setup, hack the box, try hack me, htb, thm, hack the box academy, cybersecurity for beginners, cybersecurity careers, careers in cybersecurity, cyber security, information security, infosec, cybersecurity jobs, how to start a career in cybersecurity, cyber security career, career in cybersecurity, cyber security engineer, cyber security analyst, cyber security careers, cyber security salary, ceh, oscp, ejpt, ine, hack the box vs try hack me
Id: fffSbCbafts
Length: 21min 55sec (1315 seconds)
Published: Tue Apr 20 2021