Rarely have I heard someone tell me an IT problem to which the answer is: add a new piece of equipment. Rather, the best security posture is often a lean one that uses just a couple of tools to enforce each layer effectively.

More often than not, companies dump money into adding new layers of security without actually effecting new controls. Most of the time, when an IT team stands up a new system, they do so by copying over the configuration of an existing system that they know works.

The key is: the work isn’t done here. After you…


Photo by Greta Farnedi on Unsplash

Security tools are kind of like credit cards. Not enough and you won’t function; too many and they all become useless.

Running a security program involves a great deal of trust. You have to trust your team to effectively carry out their roles; you have to trust that hackers do not know everything about your system; and you have to trust that your security vendors’ products are secure. But we know that you can’t trust anything, including third-party security vendors. There’s an entire marketing movement around it: “zero trust.”

One needs to look no further than the bevy of vulnerabilities…


The US’s largest fuel pipeline was hit with a ransomware attack that took it offline. It is expected to be out of operation for more than a week. The scale of such an attack has left many in the security community wondering what went wrong. At Randori, we take the position that these attacks are inevitable, and that as a defender, you have to ask yourself when they will happen, not if.

For a look at why, we have to turn the clocks all the way back to 2012, when I gave an interview explaining why SCADA (Supervisory Control and Data Acquisition)…


I’m Givin’ Her All She’s Got, Captain!

I’m not the first person to point out that burnout in infosec is hitting a fever pitch. 2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-prem storage and operations to the cloud. Research by CIISec indicates that over half of security professionals have either left a job due to burnout or have worked with someone who has.

As your friendly neighborhood hacker, I’m going to make the argument…


The Russians are probably lurking elsewhere in a SolarWinds victim’s environment, but that shouldn’t shock you

The SolarWinds hack (and now Exchange) has taken over the news recently, and many security practitioners are curious about how to respond. As an attacker, I will candidly tell you that if you were breached, your best strategy is to assume Russia has established a presence in your network, and respond (reimage your endpoints) accordingly. It’s easy to feel like hackers are unstoppable forces of nature. But they make mistakes, take risks, and above all, fear being caught. …


Red-teamers find the gaps between security controls and visibility, whereas a pentest typically surfaces problems within specific controls. For practitioners who have to choose between a pentest and a red team engagement, it comes down to the maturity of your security program and the questions you want to answer.

As a red teamer, I am frequently asked, “Should I do a pentest or hire a red team?” My response is always the same: that’s not entirely the right question. …


Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”

Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.

The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your…


Image credits to BetaBreakers

This is part three of a series on hacker logic — weaponizing a vulnerability. Check out parts one (doing reconnaissance) and two (figuring out what asset to exploit) to catch up.

Just as water flows to the lowest point, hackers are usually looking to take the path of least resistance. They want to be able to break into a system as quietly and with as little effort as possible — and with the fewest exploits. Once an attacker finds a tempting asset on your attack surface to exploit, they will typically deploy a few different tricks and techniques to find…


Every company is subject to the same reality: Compromise is inevitable

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS, and potentially several other government agencies were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend…


Duck or rabbit illusion? “Kaninchen und Ente” (“Rabbit and Duck”) from the 23 October 1892 issue of Fliegende Blätter

The cloud has changed everything. Companies may have about as many devices as they had before, but defending them has become a different mental game altogether. It used to be that no matter what happened, you could always unplug your fiber from the wall and your whole system would be disconnected from the internet; that is no longer true now that it’s in the cloud. Variable location has added complexity and made boundaries less clear. The transition to remote operations has made the need to isolate faulty assets that much more pressing, as anything could be connected…

David Wolpoff (moose)

moose. co-founder @randori. red-teamer. security can’t be fixed. practice how you fight. www.randori.com
