I’m Givin’ Her All She’s Got, Captain!

I’m not the first person to point out that burnout in infosec is hitting a fever pitch. 2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-prem storage and operations to the cloud. Research by CIISec indicates that over half of security professionals have either left a job due to burnout or have worked with someone who has.

As your friendly neighborhood hacker, I’m going to make the argument…

The SolarWinds hack (and now Exchange) has taken over the news recently, and many security practitioners are curious about how to respond. As an attacker, I will candidly tell you that if you were breached, your best strategy is to assume Russia has established a presence in your network, and respond (reimage your endpoints) accordingly. It’s easy to feel like hackers are unstoppable forces of nature. But they make mistakes, take risks, and above all, fear being caught. …

Red-teamers find the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls. For practitioners who have to choose between a pen test or red team engagement, it comes down to the maturity of your security program and the questions you want to answer.

As a red teamer, I am frequently asked, “Should I do a pentest or hire a red team?” My response is always the same: that’s not entirely the right question. …

Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”

Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.

The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your…

This is part three of a series on hacker logic — weaponizing a vulnerability. Check out parts one (doing reconnaissance) and two (figuring out what asset to exploit) to catch up.

Just as water flows to the lowest point, hackers are usually looking to take the path of least resistance. They want to be able to break into a system as quietly and with as little effort as possible — and with the fewest exploits. Once an attacker finds a tempting asset on your attack surface to exploit, they will typically deploy a few different tricks and techniques to find…

Every company is subject to the same reality: Compromise is inevitable

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies, were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend…

The cloud has changed everything. Companies may have a similar number of devices to what they had before, but defending them has become a different mental game altogether. It used to be that no matter what happened, you’d always be able to unplug your fiber from the wall and your whole system would be disconnected from the internet, but not any longer now that it’s in the cloud. Variable location has added complexity and made boundaries less clear. The transition to remote operations has made the need to isolate faulty assets that much more pressing, as anything could be connected…

Software developers favor agility over sticking to a fixed roadmap in response to a dynamic and ever-changing technological landscape. It’s time security learned the same lesson.

The first principle for security (and more specifically attack surface management) should be this: You don’t know (and probably never will know) your whole inventory. And if your business is critically dependent upon knowing everything, your business is probably going to get hurt.

Forward progress in cybersecurity requires that we question assumptions that we view as fundamental. First among these: the idea that we can know everything (about anything) and that we’re building security…