I’m Givin’ Her All She’s Got, Captain!

I’m not the first person to point out that burnout in infosec is hitting a fever pitch. 2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-prem storage and operations to the cloud. Research by CIISec indicates that over half of security professionals have either left a job due to burnout or have worked with someone who has.

As your friendly neighborhood hacker, I’m going to make the argument…


The Russians are probably lurking elsewhere in a Solarwinds victim’s environment, but that shouldn’t shock you

The SolarWinds hack (and now Exchange) has taken over the news recently, and many security practitioners are curious about how to respond. As an attacker, I will candidly tell you that if you were breached, your best strategy is to assume Russia has established a presence in your network, and respond (reimage your endpoints) accordingly. It’s easy to feel like hackers are unstoppable forces of nature. But they make mistakes, take risks, and above all, fear being caught. …


Red-teamers find the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls. For practitioners who have to choose between a pen test or red team engagement, it comes down to the maturity of your security program and the questions you want to answer.

As a red teamer, I am frequently asked, “Should I do a pentest or hire a red team?” My response is always the same: that’s not entirely the right question. …


Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”

Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.

The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your…


Image credits to BetaBreakers

This is part three of a series on hacker logic — weaponizing a vulnerability. Check out parts one (doing reconnaissance) and two (figuring out what asset to exploit) to catch up.

Just as water flows to the lowest point, hackers are usually looking to take the path of least resistance. They want to be able to break into a system as quietly and with as little effort as possible — and with the fewest exploits. Once an attacker finds a tempting asset on your attack surface to exploit, they will typically deploy a few different tricks and techniques to find…


Every company is subject to the same reality: Compromise is inevitable

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies, were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend…


Duck or rabbit illusion? “Kaninchen und Ente” (“Rabbit and Duck”) from the 23 October 1892 issue of Fliegende Blätter

The cloud has changed everything. Companies may have a similar number of devices to what they had before, but defending them has become a different mental game altogether. It used to be that no matter what happened, you’d always be able to unplug your fiber from the wall and your whole system would be disconnected from the internet, but not any longer now that it’s in the cloud. Variable location has added complexity and made boundaries less clear. The transition to remote operations has made the need to isolate faulty assets that much more pressing, as anything could be connected…


Software developers favor agility over sticking to a fixed roadmap in response to a dynamic and ever-changing technological landscape. It’s time security learned the same lesson.

The first principle for security (and more specifically attack surface management) should be this: You don’t know (and probably never will know) your whole inventory. And if your business is critically dependent upon knowing everything, your business is probably going to get hurt.

Forward progress in cybersecurity requires that we question assumptions that we view as fundamental. First among these: the idea that we can know everything (about anything) and that we’re building security…


Photo by Brendan Church on Unsplash

Attackers have a checklist for evaluating a new target, and pro-tip: it doesn’t only have to do with the highest severity vulnerabilities

This is part two of a series on hacker logic — deciding what to exploit. If you’re interested in how a hacker does recon on a company, particularly through social engineering, read part one on reconnaissance.

Even medium-sized companies these days do so much diversified work in the cloud that their attack surface is absolutely massive, making it nearly impossible for them to know where to focus their time or energy. But the good news is that adversaries don’t have time to look at every asset in depth either — the number of assets can often run in the tens…


Doing surveillance on organizations takes time and persistence, but isn’t overly sophisticated. Tools that make things more usable, make you more of a target, and organizations have to make this risk trade-off daily.

Screenshot from OSINT.

As someone regularly hired to hack Fortune 500 companies, I’ve gone up against many different types of organizations — some are adept at stopping me from achieving my objective, others leave the door wide open. What I’ve found is that the most challenging organizations to break into are the ones anticipating my every move. They have experience protecting what matters most.

This blog post series is designed…

David Wolpoff (moose)

moose. co-founder @randori. red-teamer. security can’t be fixed. practice how you fight. www.randori.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store