Tribe of Hackers, by Marcus J. Carey, collects a wide range of seasoned infosec specialists to discuss the cybersecurity world from an insider’s point of view. My favorite question out of the dozen asked is: What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture? Studying the 60-plus answers, I broke them down into three categories that resonate with the self-defense instructor in me:

Invest in awareness
Assume compromise
Application over theory

There are three common aspects of martial arts all around the world. The basic breakdown of martial arts is competitive (sport), performance (entertainment), and self-defense (mortal danger). Competition can teach you how to fight, but you are always learning to fight with rules. There is a ref, a set time, and a chosen place. Performance is about entertaining a crowd and displaying grace, power, and drama.

The portion of the martial art world we are concerned with here is self-defense. The training one does for surprise attacks. Nothing fancy, first just learn to cover your groin and face. This is a very good reflex around monkeys and big cats.

Boiled down, martial arts is situational awareness and the more time I spend studying the cybersecurity field the more I think of it as an offshoot of martial the world. Hand-to-hand and weapon-based systems each have their context for when they are useful. I like thinking of cyber as the martial art of network conflict.

In the walk-around world, awareness often simply means understand your environment and become conscious of how you make yourself vulnerable. Predators rely on distraction and surprise. The more aware you are, the less of a target you are. Don’t make yourself more vulnerable than you have to be. How big is your threat landscape? The bigger it is, the harder it is to secure and whoever has the weakest perimeter gets eaten first.

These rules of conduct coincide with cyber defense rules, like limit employees’ access and privileges. There is no reason to increase the overall threat landscape any more than necessary. When you give someone access, you put them at risk of being exploited. Every admin privilege is a target on someone’s back. They will be hunted for their access. Actually, I’m the only one mentioning the hunting of people. Nowhere in the interviews does anybody recommend hunting people.

According to the professionals, companies building security-minded cultures should start with the low-hanging fruit: multi-factor authentication, complex password policies, and up-to-date patches go a long way. It’s not full-proof, but covering the basics eats recon time and time is money even for criminals. The longer it takes to get inside the more likely they will move on to an easier target. No one is perfectly secure, but don’t be the only guy without a bulletproof vest in a gunfight. I’m paraphrasing of course. There was no mention of firearms nor discussions about kevlar in the interviews at all.

Investing in awareness also means understanding how your assets are vulnerable. Is it really tech that is vulnerable? Or are people vulnerable? Creating a security culture that captures the attention of employees is essential. All the fancy AI interfaces in the world (which I love) aren’t going to save you from an uninterested or emotionally distracted employee. A narrative (mission) that elicits vigilance (situational awareness) is key. Everyone is seeking a “better way” and people, in general, adopt great standards that lead to personal growth. No one actually said people seek personal growth either. I’m reading between the lines and maybe being a little idealistic, but I stand firm on the idea that people want to be heroes.

The second concept: assume compromise, also illustrates martial principles. As in, you don’t get to pick the fight you want. For companies, it means an attack isn’t an if, it’s a when. And, most likely, you aren’t going to see it coming. Predators like to hit their prey from behind, not head-on. Unfortunately, the first hint of attack is often the sight of your own data leaking out all over the internet. Assume compromise means: “the phone call is coming from inside the house!”, so it’s best to build impact resilience into the system. A panic room, if you will. Again, I’m being a little hyperbolic, but I’m trying to paint a picture.

For an organization, assuming compromise means exploring postures that increase opportunities to fight as you roll and recover to your feet. Remember, this is close-quarters combat. You don’t get to hold them off at arm’s length. They are already inside your defenses and a strategic counter is required. But, before you can counter, you must locate. Check the endpoints, scan the logs, find the beacons, and isolate. Get good at finding the intruder. Too much time is spent on playing wack-a-mole rather than setting honeypots and canary sensors. That’s right, I’m talking about tripwires and tiger pits.

If you have followed the basics from invest in awareness, then the pathways into the system are limited and your team is straight-up tracking the interlopers. There are only so many endpoints probable. You must be able to detect if you are to defend. Imagine Sherlock Holmes presented with Star Trek’s Kobayashi test. Model, model, model. Test, test, test. Invest in failure, because failure brings insight.

Lastly, application over theory. As the great fist-philosopher, Mike Tyson once said, “Everybody’s got a plan until they get punched in the face.” Steps 1 & 2 have been followed. Your situational awareness is high and you’ve created not 1 or 2 plans for possible sneak attacks but a dozen. But does your plan work when it’s not your friend throwing the punches?

Unfortunately, the only way to get comfortable with people trying to hit you is by doing such. It’s not everyone’s favorite pedagogy, but it gets results. Catch a few on the nose, and everybody covers up and starts rolling with the punches. This is another good place to point out, no one discussed punching and kicking people in the interviews.

For organizations, application over theory means regularly attacking their own systems not only internal testing but external testing. It means investing in outside consultants who can give an objective perspective. Test the process and adapt accordingly. Then, test again. This is not a static game of Battleship. The opponent is not waiting for you to come to find them. They don’t have any rules, but they do have limitations. Don’t let experience be your limitation, because experience is the key for both sides. It’s a simple calculation, if you have had more time learning to fight your way out of a corner than your opponent, chances are they make the first mistake when pressured.

To recap and summarize the guidance from the interviews it goes something like this:

1) Awareness = What Matters x Why it Matters

2) Plan for the worse

3) Test the plan objectively

I really enjoyed reading Tribe of Hackers, and I appreciate Mr. Carey putting it together. There is much more wisdom to parse through in the interviews than I have offered here and I hope my violent paraphrasing and comparison (beat a dead horse) to martial arts doesn’t diminish his efforts or their advice. Carey has other books of interviews specific to Blue Team, Red Team, and Security Leaders.

However, before diving into those, I’m headed to Reno for the Wild West Hack’n Fest. This will be the first in-person conference for me (and possibly a whole bunch of people) since Covid. It’s time for me to meet more of the tribe.

Under the flickering lights of our Christmas tree, I wrap presents and think about a system file check of my prefrontal cortex. It’s the part of the brain that modulates social behavior. I want to confirm the hashes on all my psychic attributes because my mind is a swarm of acronyms and random strings of numbers. Once they get in there, it’s not easy to get them out. The numbers I mean. Cryptography has scrambled my axons with my dendrites.

I refocus and fInd some tape and scissors and while finishing the gifts I think about Santa coming down the chimney as a penetration test. Perimeter check. Santa is the perfect pretense to test our physical security. Going to need a new policy. Nothing like mitigating Christmas.

Certification is now the focus of Bootcamp. No more technical training. Now it’s review and career prep. I am a walking-talking flashcard. I’m in constant dialogue with myself. Me in my head explaining security threats to a panel of enthusiastic me. I’m describing my plan to defend employees against Social Engineering. I look back at me very impressed

Hanging ornaments, I think of all the holiday cards we got this year, and next thing I know a phishing email begins to type itself out on the screen behind my eyes. A voice whispers in my ear, “Rapport building and framing psychologies create tribal bonds, these are our goals.” I stop myself, take a deep breath, and look around at my family.

Freeze frame for the postcard moment: Christmas tree, everyone wearing wonderfully hideous Xmas sweaters; my wife has a tiger ornament in her hand; son, headphones on, reaches high above his mother to hang basketball ornament; daughter laughing with her head back and eyes closed, whatever it is it’s so hilarious it hurts. Cats attacking ribbons and bows, rolling in liberally scattered catnip. My tribe. My love. My treasures.

The Muppet Holiday album is playing, I’ve got hot cocoa, and I sink into a deep sense of gratitude. What a crazy ride. I pray everyone is as safe and warm and loved as I am. Happy Holidays. Let’s talk about Joseph Menn’s Cult of the Dead Cow (CDC).

Before we jump in, here’s a little background. Academically, there are 5 basic threats in CS: APTs (Advanced Persistent Threats-national interests), criminals (it’s about $), hacktivists (philosophically motivated), pranksters (fun-power), and mistakes (distracted minds). While Sandworm focused on the history of APTs, CDC focuses on the history of the hacker activist trying to save the internet from itself.

My instructor is fond of saying, “In the beginning, there was no security.” Simply put, the internet’s infrastructure has vulnerabilities. What kind? Well very it’s technical, so let’s try this. If the internet was a boat, it would a paper boat headed for the street’s rain run-off drain where the clown from IT is waiting. And if the internet has vulnerabilities, then so do we. Take notice, in that story with the paper boat, we are the little kid chasing the paper boat into the street drain and we are about to reach down into the dark to find sharp teeth.

Similar to It, CDC is the story of a bunch of kids who discover that beneath the normal world there is an underground system stalked by an otherworldly predator. Ok, maybe I’m pushing the comparison. I’ll stop there but if you’re a Stephen King fan at all, you can see how ugly this could get. Let’s try a different tac.

At the dawn of the digital age, the prehistoric version of the internet was built for nerds by nerds to share information. They weren’t worried about anyone listening, cause the idea was to be able to listen or at least hear. The main point was sharing.

Quick note: Kopimism is an official religion whose faith it is to copy and share information. They believe that information is holy and to share it is to take part in that sacred process. I mention this because sharing on bulletin boards is how CDC was born. It all begins with people sharing ideas through text files and trying to make phone calls on the cheap. But that small (dare say meager or mild) attempt at fan fiction and manifestos might just have saved us all. For now.

CDC is a history lesson of the internet and the people who grew up with it, love it and are afraid of what could happen if our grand experiment goes wrong. Put simply the Internet of things, IoT, the Web, our phones, every application, and service they provide has not been planned well.

Well, it wasn’t planned at all. It was co-opted. Repurposed. You might even say, hacked. Because now the Internet is actually an ATM. The biggest wealth maker ever seen in the history of humanity. So much wealth we could feed, clothe, shelter, educate, and provide medical care to the entire world. But we don’t. So the CDC has been trying to hack the hack and give us the Internet back.

I keep using the word hack. Before the Bootcamp what did I know about hackers?

Hackers. The movie War Games introduced me to my first hacker. Remember the 1980’s: VCRs, Miami Vice, John Hughes. Then maybe you recall a young Mathew Broderick almost starting a nuclear war by hacking into a government war simulator. “Would you like to play a game?”

Cult of the Dead Cow is kinda like what would happen if Mathew’s character was actually represented by a dozen or so hackers who grew up with the internet, made it their habitat, learned to forage and hunt, found treasures, discovered pitfalls, and then rushed back to the outside world to warn us of what lurked in the digital forest. There are highwaymen, rickety rope bridges, hidden passages, boobytraps, spies, pirates, swindlers, and more. Oh so much more.

Think IT meets Mr. Robot and the show runs for 50 years.

You don’t know it yet, but we owe them big. Because while we were sleeping, they held the great glowing neon firewall. They snuck behind the GUI and took a look at the code holding the data-world together. What they learned scared them. They could have said nothing. They could have robbed us blind. Instead, they played David vs Goliath and set about hacking the world.

They went up against Microsoft, mass media, and terrorists. Along the way, they crafted code, political philosophies, mayhem, and modern-day security analysis. Not all of them are heroes. The truth is complicated. They hacked for good, for fun, for country, and sometimes merely for chaos. They are at times activists, inventors, mercenaries, vigilantes, pranksters, soldiers, spies, and even Presidential hopefuls. Ugly warts and all CDC doesn't try to hide the flaws of the community. Instead, it gives enough space to let things be as they are and the reader to make their own judgments.

My takeaway: The future is coming and we are going to need a bigger boat.

What do I mean by that? It’s the line from Jaws. That moment when they are chumming the water and Scheider’s character sees the shark for the first time. That’s me after 6 months of CS training. We are going to need a much bigger boat than the paper one we are in now.

That translates into: we need a much broader understanding of what we are dealing with.

Next: Matthew Holland talks about Cyber Security