
Advancing your Cyber/Linux skills - things connect together!

- By Leszek Miś

Since I was 18 years old, Linux has been my preferred OS for desktops, servers, virtualization, storage, VPN, metrics, and for Quake3 as well. For offensive operations and for defensive research and hardening. After 20 years that has not changed. What's most interesting, each project I worked on commercially needed more or less advanced knowledge of Linux: understanding the internals and the behavior of mechanisms such as SELinux, AppArmor, iptables and tcpdump, to name just a few. No GUI, of course! These days it's also required to know and "feel" cloud and automation solutions on top of your cyber skills: Ansible, Puppet, Terraform and many, many more (and not only for auto-respawning your C2). Not to mention, of course, real experience with Docker and Kubernetes, where, besides the DevOps and business requirements, real-time monitoring and a true understanding of hardening are also a huge need. To protect yourself better, you must know your enemy. That's the reason why for the last few years I have focused more on different flavors of Linux rootkits, from both kernel and user space, versus DFIR and detection. It's like killing two birds with one stone: an Attack-Defense-Forensics approach.

Where am I going with this post? I want to show that everything in terms of cyber experience is interconnected today, and every **hands-on** experience may come in handy; you never know when.

Example 1: my latest deployment of a MISP project for one of my customers:

You could say, easy as running docker-compose up with

https://github.com/NUKIB/misp

right?

Well, in real production networks, you must be prepared for different scenarios: too restrictive network security policies on ports, support for Artifactory/Xray, access to your VM instance over many hops (SSH tunneling for life!), the usual issues with DNS, Puppet reverting your changes, SELinux access denials, no direct access to the public network (so an SSL forward proxy in the middle), client certificate authentication for fetching remote servers' feeds, scheduling of pull servers with Jobber, wrong permissions, creating systemd units, copying files between nodes over many hops, and so on. Then integration with Splunk: API keys, LDAP/AD user authentication, network restrictions again, a new index, `| collect` and saved searches. Not to mention struggling with Privileged Access Management's short session timeouts. I feel your pain :)

Example 2: Deep understanding of threats in Linux ecosystems

Another project I am currently working on is about Linux detection coverage testing and building and validating Incident Response playbooks. Without understanding attack paths, you can't actually deliver a good quality service, so having red team/penetration testing experience is very important. Then you find that you need access to a cyber range where you can run and test all your assumptions. You could build such a lab yourself, which costs time and huge effort, or you could use an existing one like #PurpleLabs, with dozens of already deployed Linux virtual machines and integrated tools like Falco, Tracee, Sysmon and LKRG; with network telemetry based on Zeek, Suricata or Full Packet Capture (watch for packets!); with tools handy for DFIR activities like the greatest Velociraptor IR, osquery or Sandfly Security; and with integrated automated memory acquisition and forensics with Volatility2 and Volatility3 (watch for in-memory implants!). You must be prepared to perform such a service. The lower you can go, the more value you deliver. Long story short, take a look at the labs' index that I am constantly developing here:

https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale

Without active research, I would not be able to provide advanced cyber services and workshops. And it all comes together more and more. But the basis, in my case at least, is always Linux and the Open Source community, which I would like to thank here, because thanks to the COMMUNITY the world is developing at an ultra-fast pace, our systems are becoming more and more advanced and complex, and to be able to properly secure them, you have to walk the path. A never-ending path, which I love so much! Cheers :)

See ya in Phuket @ Hack In The Box Conference 2023 for hands-on training on practical Linux rootkits! Don't miss this opportunity to improve your offensive and defensive Red / Blue and Purple team skills!

https://conference.hitb.org/hitbsecconf2023hkt/product/practical-linux-rootkits-hitb2023hkt/