added some forgotten posts

This commit is contained in:
Joost Agterhoek 2025-03-18 10:44:09 +01:00
parent 441e457d94
commit 04e9f434fa
4 changed files with 129 additions and 2 deletions

View File

@ -0,0 +1,39 @@
+++
title = 'Juggling interest
date = "2025-01-07"
updated = 2025-01-07
[taxonomies]
tags = ['Blue Team', 'BTL2', 'Azure', 'training']
+++
# Happy New Year!
Best wishes to all! We have entered into a new year which definitely sounds like the date of a dystopian sci-fi hellscape ('in the year 2025, there is only war...'). Thankfully, the ending of 2024 and the beginning of this year were quite peaceful for me. Just like this website! All kidding aside, I am happy to be back in the saddle, well rested and rejuvenated, ready to take on the world 🔥.
# Keeping busy
So, what have I been doing for the past few months? Well, it's been quite a mess. For the better part of last year, I have managed to focus my selfstudy, both in my work and my personal time, mainly on:
- Malware analysis and development (C, C++)
- [Maldev Academy](https://maldevacademy.com)
- [Ethical Hacking Foundations: Malware Development in Windows](https://www.udemy.com/course/ehf-maldev-in-windows/)
- Web app development (Python)
- My [Flask SOC-site](https://code.joostagterhoek.nl/joost/flask-soc-site)
However, due to a number of changes in my work, I had to refocus and change gears quite drastically. To summarize, I:
- Prepared for and joined an ethical hacking event, HALON2024. To prepare, I:
- Took a web application pentesting course (the excellent Taggart Institute's [Practical Web Application Security and Testing](https://taggartinstitute.org/p/pwst))
- Read a book on the subject (the classic [Web Application Hacker's Handbook](https://portswigger.net/web-security/web-application-hackers-handbook)).
- Got more involved in (Azure) cloud architecture and (operational) security and:
- learned about cloud security benchmarks and best practices like the Azure security benchmark, the Cloud Adoption Framework, etc.
- took the courses Microsoft Security Operations Analyst, Microsoft Azure Administrator and Microsoft Azure Fundamentals
- Got the AZ-900 Microsoft Certified: Azure Fundamentals (more on the way)
- Refocused on studying for the Blue Team Level 2, BTL2, certification exam:
- Doing the suggested BlueTeamLabsOnline-labs and investigations ([5 challenges & 4 investigations so far](https://blueteamlabs.online/home/user/e0a7f6d0f94e27e5ca89a3))
# What to do in 2025
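Review bot: the front-matter line `title = 'Juggling interest` is missing its closing quote, which is invalid TOML and will fail the site build; it should read `title = 'Juggling interest'`. Two smaller things in the same hunk: `date` is quoted while `updated` is bare (both are valid TOML, but the post 'The importance of new goals' added in this commit uses the bare form for both, so pick one style), and the post ends on the empty heading `# What to do in 2025` with nothing under it, so either write that section or drop the heading before this is published. Also `selfstudy` should be `self-study`, and it is worth checking that the BlueTeamLabsOnline profile link ('5 challenges & 4 investigations so far') is viewable without logging in, otherwise readers get a login page.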

View File

@ -15,7 +15,7 @@ Later on in my life, I applied this love of writing (and the lack of any other c
# Rekindled 🔥
Lately though, I have started writing more. And what I found I need, is a good space to write in. I don't mean a nice couch or office, I mean the place where I put down my words, the tools that give me a focused and frictionless writing experience. And I think I found that with Neovim. Yes, another post about Neovim, what else is new 😏. Please, don't leave! I promise I have something worthwhile to say.
# Neovim all the things
# Neovim all the things 🤯
For the past year, I mainly used Neovim for programming. I have some Python-projects 🐍, some C-code, lately a little bit of ObsidianJS 📓. Before that though, when I learned my first Vim motions, I was writing reports, blog posts and project proposals with the [NLnet foundation](https://nlnet.nl). For current work projects I found myself again in Microsoft Word, staring at a blank page, and feeling wholly unmotivated. Sometimes I switched over to Neovim for some light programming, reconfiguring my Neovim-plugins, just to get away from that horrible piece of software that we somehow all rely on for text editing. Then it dawned on me ☀️: why shouldn't I just write my work in Neovim as well? I was already writing all my notes 🗒️ in Obsidian, which really helps me structure my thoughts and the current status of work I'm not bookkeeping elsewhere (Jira, email, etc.).
# Workflow 🌊
@ -25,7 +25,7 @@ I haven't found a perfect workflow yet, but so far what I have been doing, is th
This workflow solves a lot of issues at the same time: I can keep notes and actual texts close to each other (usually in the same folder or back-linked to each other). When I want to, I can output a Word-document that others can use, review and edit in our shared work space. And I can work on the source text both in Neovim and Obsidian!
# Total focus 👀
I'm not entirely up-to-date on the phisolofphy of Vim/Neovim, but I do know that one of the usability mantras is: you'll never have to use your mouse again. Keeping your fingertips on the home row and minimizing moving your hands away from this position puts me in a place of total focus: the text **is** where my head is at, it's the only thing I'm interacting with, it's the center of my attention. I have been improving this state further and further, thinking about my most useful keymaps, what I want to do in Neovim and outside of it. This brought me to this separation of concerns:
I'm not entirely up-to-date on the philosophy of Vim/Neovim, but I do know that one of the usability mantras is: you'll never have to use your mouse again. Keeping your fingertips on the home row and minimizing moving your hands away from this position puts me in a place of total focus: the text **is** where my head is at, it's the only thing I'm interacting with, it's the center of my attention. I have been improving this state further and further, thinking about my most useful keymaps, what I want to do in Neovim and outside of it. This brought me to this separation of concerns:
- `tmux` for window and attention management (different sessions for work, study, blogging, different windows for writing, executing code, browsing the filespace)
- `neovim` for writing and programming and local file management (with `oil`)

View File

@ -0,0 +1,37 @@
+++
title = 'The importance of new goals'
date = 2024-11-17
updated = 2024-11-17
[taxonomies]
tags = ['programming', 'python', 'flask', 'selfhosting', 'motivation']
+++
# Building a Python-powered website
One of my core programming projects is a Flask-app that can do security-related lookups of URLs, domains, IP addresses and email addresses. It is one of the few projects I actually took some time for to (minimally) document on this website ([see the project here](https://joostagterhoek.nl/projects/flask-soc-site/)). So far it has been able to look up generic information like the IP address of a website, when a domain was registered and where, its SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance)-records to indicate email security and authenticity. It is also able to look up more specific security information like what [VirusTotal](https://www.virustotal.com) and [AbuseIPDB](https://www.abuseipdb.com) think of the domain or IP address. All of this information is displayed in (somewhat) dynamic tables that provide basic highlighting (grey undetected, green harmless, red malicious).
# Learn Python The Hard Way (really)
The idea came after starting a final assignment of the book [Learn Python 3 The Hard Way](https://learnpythonthehardway.org/python3/) by Zed A. Shaw. The assignment was to make a Flask app that would run a text-based adventure game. While I liked the challenge of the project and wanted to get more into Python by learning the Flask framework, I noticed I wasn't motivated by the assignment and the already challenging experience I had with the book. By the way, that is not a negative take on the book, more a description of where I was at the time, learning (and seriously struggling with) Python: I felt like I wasn't really in control of what I was doing and a project like this was more intimidating than inspiring.
# Make it useful
To smooth these bumps in the road, I started thinking how this difficult project could **actually be of use to me**. Meaning, could it provide some useful function for me, in my day to day work? As a security operations center (SOC) analyst, one of the things you tend to do, is look up the validity and reputation of hosts, meaning IP addresses, URLs, domain names, email addresses, etcetera. Is a domain vulnerable to phishing, has a URL already been flagged as malicious by antivirus vendors? If so, the unexpected behavior that your security tooling flagged for you, could be malicious. Of course, your tools usually already do a lot of this work for you. But it's still inspiring to see **your own hand-written code do something useful**. So, I set out to do just that.
# A few moments later...
More like a few months later! In between my day job and self-study to become a better security analyst (malware analysis, security engineering, cloud security), I found enough time to get the Flask app running on a local server and make it useful for myself. But, at a certain point, I got stuck: the site did what it needed to do, but it couldn't handle for example multiple inputs (copy and paste a number of domains and look each up sequentially). Also the file upload (upload a text file with hosts in it) function needed more work. Finally, I was only doing all of this on my local development server, not in any representative way. When I started documenting the project, this got me thinking: shouldn't I take the next step and turn this into *an actual website*?
# Saved by a forum post
I understood that the next step this project needed to take, was to make it real: move away from the development server and run the code on an actual domain! But...how? This website and its subdomains all run on the same self-hosted Yunohost-server, which takes a lot of the administrative work away from me (thankfully). But the (very rich) Yunohost ecosystem did not seem to have a ready-made Flask-app solution ready. Then I stumbled (again) onto the 'My Webapp'-project ([link to repo](https://github.com/YunoHost-Apps/my_webapp_ynh)). With this application, you can install a custom web app, complete with a database, proxy configuration ready to go, SFTP access, that you can customize to build your own web application, basically. But how could I leverage this into hosting a Flask-app? Luckily, I wasn't the only one looking for the answer to this question. This [detailed post on the Yunohost-forum](https://forum.yunohost.org/t/nginx-gunicorn-flask/30166/5?u=j8ter) made it look quite simple. And lucky for me: it was! Now I have a (absolutely barebones Hello World) Flask-app ready on the subdomain [sec.joostagterhoek.nl](https://sec.joostagterhoek.nl). Hooray! 🎉 Now, looking through the Flask documentation and considering the use cases and risks of my web app, I know what to do...
# Work to do
What I have to do (and have to learn) is the following:
- Figure out rate limiting for my web app (because I am using my own (free) API keys for services like VirusTotal and AbuseIPDB)
- Turn the code I have now into a wheel (following the Flask documentation on deployment)
- Figure out a save way for environment and secrets handling (API keys for example)
- Make the website look **a lot better** (it's all text and a few colors right now 😅)
I know that these tasks will keep me quite busy for the next few weeks or months. But! It's great to have a shiny new goal to work towards 🚀. See you soon! 👋
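Review bot: in the 'Work to do' list, `Figure out a save way for environment and secrets handling` should be `safe way`. On substance, the same list is the right place to be explicit about ordering: the app at sec.joostagterhoek.nl is now publicly reachable, and the lookup code from the local version runs against the author's own free VirusTotal and AbuseIPDB keys, so rate limiting alone will not stop anyone who finds the endpoint from burning the quota; some form of access control (or keeping the lookup routes disabled until the rate limiting and secrets handling are done) belongs on the list before that code is deployed there. Minor wording: `its SPF (...) and DMARC (...)-records` reads better as `its SPF (...) and DMARC (...) records`, and compounds like `Yunohost-server` and `Flask-app` are normally written without the hyphen in English.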

View File

@ -0,0 +1,51 @@
+++
title = 'Passed Blue Team Level 2 certification'
date = "2025-02-06"
updated = 2025-02-06
[taxonomies]
tags = ['BTL2', 'Security Blue Team', 'exam', 'certification']
+++
# So glad we made it
I'm ecstatic: I passed the [Security BLue Team Level 2 certification exam](https://www.credly.com/badges/d7188215-b064-42d9-b916-b7d3966a1867/public_url)! This was *quite* a lot of work.In this blog post, I want to share my journey through the content material, the labs and the exams.
_Disclaimer:_ this is not an exhaustive overview of BTL2, only my experiences with them. I took a lot of notes, but not a lot of screenshots, so this is all from recollection (which is why there isn't so much detail about the course, I don't want to give out wrong information).
# The course material
After passing BTL1 in May 2023 and getting the gold coin (first attempt at least 90%), I quickly followed up by studying the course material for BTL2. Instead of the 7 domains of BTL1, you go deeper into less domains in BTL2, namely threat vulnerability management, malware analysis, malware analysis, advanced SIEM and threat hunting.
Because my personal interests have developed into malware analysis, malware development and programming, I leaned heavily into the malware analysis domain first. The course and the labs let you work with some familiar tools like PEstudio, Procmon, Regshot and new document analysis tools like peepdf and oledump.py. The labs related to portable executable analysis, which interests me the most, were relatively basic: open an exe in PEstudio, look at the strings, compilation date, used compiler. Other domains I put a lot of time into were Linux system and log hunts (using commands like `journalctl`, `find`, `crontab`, `ps auxf` and `lsof -p`).
Relatively new domains for me were Advanced SIEM, (some parts of) Threat Hunting and Vulnerability Management. The main lessons for me from these domains are the following:
- Threat hunting with a clear goal and model in mind (following the MITRE ATT&CK for example)
- Adversary emulation in SIEM development and maintenance
- Threat hunting in Windows and Linux services/jobs, files and internet connections (Event IDs relating to services like 7045, 4697, tools like `capa`, `chainsaw`, searching SIEM logs for new users, failed (RDP) logons, cronjobs, modified files during incident)
- The importance of what logs to use when (from initial access to establishing persistence, lateral movement, exfiltration,command and control)
I approached the content material and the labs as follows: if the content and the lab was clear to me, I would only take essential notes (names of tools, important file locations, commands). If I did not recognize something or got stuck in a lab, I noted what the issue was and how to solve it (different ways to use tools, command line syntax, places I overlooked).
# The exam
My experiences with the BTL2 certification exam were, unfortunately, not as positive as with the course material. Basically, it was really hard! At least, it felt like it was really hard.
Without going into details, what I would have advised myself was:
- Keep thinking the incident through: what are places of potential first access, what is the timeline, what are ways an attacker can establish persistence, do lateral movement, what is the impact (ransomware, data exfiltration, defacement, etc.)
- Rabbit holes: don't get stuck in a scenario that doesn't add up, but instead take a step back and identify evidence that you were in fact able to corroborate
- Don't overlook the obvious: a 'normal' file (or extension) in a strange place could be quite suspicious
# What got me through
So, how did I overcome my earlier attempts and pass BTL2 finally? Basically, I really took the advice in the course material to heart.
- Do the labs, get to know the tools (I learned some features of Procmon and PEstudio I cannot go without now)
- If you want to get more practice, do the recommended Blue Team Labs Online investigations and challenges (I **sincerely** believe these are what got me over the finish line!)
# What's next?
Because my work is slowly focusing more on cloud environments, I will continue to get my Azure certifications (already have AZ 900):
- AZ-104:
- SC-200:
- SC-400:
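Review bot: the domain list under 'The course material' names `malware analysis` twice and says `threat vulnerability management`; since the later sentence lists Advanced SIEM, Threat Hunting and Vulnerability Management as the other domains, this should read `vulnerability management, malware analysis, advanced SIEM and threat hunting`. The closing list `AZ-104:`, `SC-200:`, `SC-400:` has nothing after the colons, so the post goes out unfinished; add the exam names or target dates, or drop the colons. Typos in the same hunk: `Security BLue Team`, `work.In` (missing space after the period), and `AZ 900` where the other post in this commit writes `AZ-900`.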