Hello!
I’m working as a pentester/RT Operator in a cybersecurity company, which for some reason is a Windows shop, so we are mostly forced to work within VMWare VMs, WSL and similar. However, I’ve recently found out that we can in fact dualboot or reinstall our laptops, so I’m now looking for a good setup or recommended distros to use.
When I last tried switching to Fedora, my main issue was that since we are deeply integrated into O365, and our Exchange server isn’t configured to allow 3rd party apps (and we can’t create app passwords), accessing Teams, Mail or just writing reports in Office was a struggle. And another issue was the fact that our PT VPN is Checkpoint, which I did not manage to get working on Linux.
I’m of course familiar with Kali/Parrot/BlackArch, but I would not consider those fitting for a daily driver - each engagement can get pretty messy, and I think it’s better to start with a fresh VM for every customer, just to avoid any potential issues.
I’ve recently discovered QubeOS, which in theory sounds like it should be perfect for this usecase - you can easily separate data for different customers, keep them safe in a storage qube, deal with per-customer networking/different VPNs in their respective Kali VM qubes, and spin up a Windows qube for report writing and backoffice/administration/communication. And if I really understand it correctly, it should also be possible to easily test out malware in a separate disposable qube without much risk.
But I didn’t try working with QubeOS yet, so all of this is just a theory based on my understanding of it’s features and usecases.
So, my question would be - what kind of setup do you use for engagements and backoffice/administrative work? What distro would you recommend, that works well with running different VMs without it being too much of a hassle? And most importantly, is there anyone who uses QubeOS in this field of work, or will it only slow me down and make everything a lot harder than it should be?
Thank you!
I’ve used it as a daily work driver for almost two years now! It’s actually great for security work. You can spin up a new Qube for each project, or each subsection of your work. I’ve ditched my corporate gig and rebooted my consulting company recently and I just spin up a new Qube for each client and keep all their files in there. You can also create a separate Qube for your personal stuff or for Netflix or whatever, and then shut it down when you’re supposed to be working (creates an extra barrier against distractions).
However, I’ve been a Linux user for 23 years and I’ve used Qubes before (not for work). You DO regularly run into issues, just at this point, they’re all issues I know how to solve pretty quickly. I also dual boot my system between Qubes and Linux Mint. If I have an issue with Qubes I can’t solve quickly, or I break it (both of which have happened several times in recent memory), I can switch to Mint (which isn’t the most secure OS, but it is incredibly stable) so I can just get back to work and then I can fix Qubes when I have the time and bandwidth.
I’m now in the process of figuring out a best way how to handle various secrets and customer data from WIP engagements that are now mangled together on one encrypted VeraCrypt volume
Stop that. :) Your system should be using FDE (which VeraCrypt can do if you’re stuck with Windows). When only part of your system is encrypted it’s EXTREMELY likely that, for the sake of expedience and convenience you’re going to end up parking some sensitive data somewhere NOT encrypted… and then forget you did that… and then…?
Thank you, that sounds like exactly what I imagined QubeOS would be good for, so I’ll give it a go.
Stop that. :) Your system should be using FDE (which VeraCrypt can do if you’re stuck with Windows).
I’m using Bitlocker for the whole drive, but the main point of separate volume is for it to have adittional password protection, that I auto dismount when not working with it, just in case my laptop got compromised. I’m still mostly figuring out best practices, since I don’t work in the field for that long, and few months ago I was running Snaffler on my PC to test it out for one engagement, and was horrified when I realized how much did it manage to find, so I at least promptly moved it to separate password protected volume, and am now figuring out a better secrets and sensitive data management workflow.