Tribe of Hackers

Tribe of Hackers, by Marcus J. Carey, collects a wide range of seasoned infosec specialists to discuss the cybersecurity world from an insider’s point of view. My favorite question out of the dozen asked is: What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture? Studying the 60-plus answers, I broke them down into three categories that resonate with the self-defense instructor in me:

  1. Invest in awareness

  2. Assume compromise 

  3. Application over theory

There are three common aspects of martial arts all around the world. The basic breakdown of martial arts is competitive (sport), performance (entertainment), and self-defense (mortal danger). Competition can teach you how to fight, but you are always learning to fight with rules. There is a ref, a set time, and a chosen place. Performance is about entertaining a crowd and displaying grace, power, and drama.

The portion of the martial art world we are concerned with here is self-defense: the training one does for surprise attacks. Nothing fancy; first just learn to cover your groin and face. This is a very good reflex around monkeys and big cats.

Boiled down, martial arts is situational awareness, and the more time I spend studying the cybersecurity field the more I think of it as an offshoot of the martial world. Hand-to-hand and weapon-based systems each have their context for when they are useful. I like thinking of cyber as the martial art of network conflict.

In the walk-around world, awareness often simply means understanding your environment and becoming conscious of how you make yourself vulnerable. Predators rely on distraction and surprise. The more aware you are, the less of a target you are. Don’t make yourself more vulnerable than you have to be. How big is your threat landscape? The bigger it is, the harder it is to secure, and whoever has the weakest perimeter gets eaten first.

These rules of conduct coincide with cyber defense rules, like limiting employees’ access and privileges. There is no reason to increase the overall threat landscape any more than necessary. When you give someone access, you put them at risk of being exploited. Every admin privilege is a target on someone’s back. They will be hunted for their access. Actually, I’m the only one mentioning the hunting of people. Nowhere in the interviews does anybody recommend hunting people.

According to the professionals, companies building security-minded cultures should start with the low-hanging fruit: multi-factor authentication, complex password policies, and up-to-date patches go a long way. It’s not foolproof, but covering the basics eats recon time, and time is money even for criminals. The longer it takes to get inside, the more likely they will move on to an easier target. No one is perfectly secure, but don’t be the only guy without a bulletproof vest in a gunfight. I’m paraphrasing, of course. There was no mention of firearms nor discussions about Kevlar in the interviews at all.

Investing in awareness also means understanding how your assets are vulnerable. Is it really tech that is vulnerable? Or are people vulnerable? Creating a security culture that captures the attention of employees is essential. All the fancy AI interfaces in the world (which I love) aren’t going to save you from an uninterested or emotionally distracted employee. A narrative (mission) that elicits vigilance (situational awareness) is key. Everyone is seeking a “better way” and people, in general, adopt great standards that lead to personal growth. No one actually said people seek personal growth either. I’m reading between the lines and maybe being a little idealistic, but I stand firm on the idea that people want to be heroes.

The second concept, assume compromise, also illustrates martial principles. As in, you don’t get to pick the fight you want. For companies, it means an attack isn’t an if, it’s a when. And, most likely, you aren’t going to see it coming. Predators like to hit their prey from behind, not head-on. Unfortunately, the first hint of attack is often the sight of your own data leaking out all over the internet. Assume compromise means “the phone call is coming from inside the house!”, so it’s best to build impact resilience into the system. A panic room, if you will. Again, I’m being a little hyperbolic, but I’m trying to paint a picture.

For an organization, assuming compromise means exploring postures that increase opportunities to fight as you roll and recover to your feet. Remember, this is close-quarters combat. You don’t get to hold them off at arm’s length. They are already inside your defenses and a strategic counter is required. But, before you can counter, you must locate. Check the endpoints, scan the logs, find the beacons, and isolate. Get good at finding the intruder. Too much time is spent playing whack-a-mole rather than setting honeypots and canary sensors. That’s right, I’m talking about tripwires and tiger pits.
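The “scan the logs, find the beacons” step above, as an added example (my illustration, not code from the book or from any of its interviewees): a scheduled call-home shows up in connection logs as a stream of connections with suspiciously even spacing, while human browsing is bursty. The script below reads a constructed `timestamp src dst` log (the format and every address in it are made up for this example; a real firewall, proxy or Zeek `conn.log` needs its own parser), groups connections by source/destination pair, and flags pairs whose inter-connection gaps have a low coefficient of variation.

```python
"""Beacon spotting over constructed connection logs.

Added example, not from the original post. Assumes a simple
"timestamp src dst" line format constructed here for illustration;
real logs (firewall, proxy, Zeek conn.log) need their own parser.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample: 10.0.0.5 calls 203.0.113.7 every ~60 seconds with a
# second or two of jitter, mixed with 10.0.0.9 browsing at irregular times.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 203.0.113.7
2024-01-01T09:00:14 10.0.0.9 198.51.100.2
2024-01-01T09:01:01 10.0.0.5 203.0.113.7
2024-01-01T09:01:45 10.0.0.9 198.51.100.2
2024-01-01T09:02:00 10.0.0.5 203.0.113.7
2024-01-01T09:02:59 10.0.0.5 203.0.113.7
2024-01-01T09:03:20 10.0.0.9 198.51.100.2
2024-01-01T09:04:01 10.0.0.5 203.0.113.7
2024-01-01T09:04:33 10.0.0.9 198.51.100.2
2024-01-01T09:05:00 10.0.0.5 203.0.113.7
2024-01-01T09:09:12 10.0.0.9 198.51.100.2
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed format."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(pairs, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    cv = stdev / mean of the gaps between consecutive connections. Bursty
    human traffic has a high cv; a timer-driven call-home has a low one.
    min_connections keeps one-off coincidences from being scored at all.
    """
    beacons = {}
    for pair, times in pairs.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(times),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} "
              f"({info['count']} connections, ~{info['mean_gap_s']}s apart, cv={info['cv']})")
```

Tune `min_connections` and `max_cv` to your own traffic; a flagged pair is a lead to check against the endpoint, not a verdict, since legitimate software (update checkers, monitoring agents) beacons too.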

If you have followed the basics from invest in awareness, then the pathways into the system are limited and your team is straight-up tracking the interlopers. There are only so many probable endpoints. You must be able to detect if you are to defend. Imagine Sherlock Holmes presented with Star Trek’s Kobayashi test. Model, model, model. Test, test, test. Invest in failure, because failure brings insight.

Lastly, application over theory. As the great fist-philosopher, Mike Tyson once said, “Everybody’s got a plan until they get punched in the face.” Steps 1 & 2 have been followed. Your situational awareness is high and you’ve created not 1 or 2 plans for possible sneak attacks but a dozen. But does your plan work when it’s not your friend throwing the punches? 

Unfortunately, the only way to get comfortable with people trying to hit you is by doing just that. It’s not everyone’s favorite pedagogy, but it gets results. Catch a few on the nose, and everybody covers up and starts rolling with the punches. This is another good place to point out that no one discussed punching and kicking people in the interviews.

For organizations, application over theory means regularly attacking their own systems, with not only internal testing but external testing. It means investing in outside consultants who can give an objective perspective. Test the process and adapt accordingly. Then, test again. This is not a static game of Battleship. The opponent is not waiting for you to come and find them. They don’t have any rules, but they do have limitations. Don’t let experience be your limitation, because experience is the key for both sides. It’s a simple calculation: if you have had more time learning to fight your way out of a corner than your opponent, chances are they make the first mistake when pressured.

To recap and summarize the guidance from the interviews, it goes something like this:

1) Awareness = What Matters x Why it Matters 

2) Plan for the worst

3) Test the plan objectively

I really enjoyed reading Tribe of Hackers, and I appreciate Mr. Carey putting it together. There is much more wisdom to parse through in the interviews than I have offered here and I hope my violent paraphrasing and comparison (beat a dead horse) to martial arts doesn’t diminish his efforts or their advice. Carey has other books of interviews specific to Blue Team, Red Team, and Security Leaders.

However, before diving into those, I’m headed to Reno for the Wild West Hack’n Fest. This will be the first in-person conference for me (and possibly a whole bunch of people) since Covid. It’s time for me to meet more of the tribe.

Cyber-Sorcerer-Ninja-Detective

The world that is emerging from our electronic interactions needs a lot of patches. It’s growing and in need of constant adjustment, reconfiguration, and stabilization. For my part, this week was dedicated to learning how to hide, lure, track and trap bad guys for 4 days and a total of 16 hours of training on Active Defense and Cyber Deception with Black Hills Information Security. This was one of three courses they offer for the very affordable price of pay-what-you-can. Don’t let the generosity fool you. John Strand provides these courses as a mission. He believes we are all far behind in the cybersecurity game and there is lots of ground to make up. After 15 years as a SANS instructor, he has lots of value to offer. Plus, his energy is contagious. He does seem to truly be possessed with a desire for the greater common good we all share.


What did I learn? Illusions, traps, and other cyber-bending ninja-detective tricks. Unfortunately, a good cyber-sorcerer-ninja-detective never reveals the mechanics of their tricks (that’s not true, they don’t mind sharing at all). 


Day 1 was strategy and defining what active defense is and isn’t. It’s not waiting for the SIEM (monitoring system) to tell you something is wrong. The SIEM is designed to find threats that are known. We are looking for very sneaky people. They will find a new way in, something the SIEM can’t detect.


The key to stopping the attacker is understanding the path of the prey. Where do they need to go? Know this and you know where to lay the traps that suck up their time. The illusions that lead them down the wrong rabbit hole to infinite nothing. And this may be the key takeaway. Make it a time suck to mess with you. Make it not worth the hassle to hustle ya. 


Show ’em something pretty. Something they have to look at. Delay them, obfuscate the prize, and frustrate their basic efforts. Don’t be the low-hanging digital fruit, just dangling out on the internet waiting to be easily exploited.


How do you slow them down? Honey, and lots of it. Your main weapon is a long list of honey: honey-pots, honey-servers, honey-networks, honey-users, honey-files, and yes, Honey Badger! What are all these honey-techs? They’re big fake data burritos wrapped in alerts, stuffed with traps and trackers. These techniques and tools draw the attacker into a fake world with sweet-looking data. A juicy-ripe text file with a bunch of sexy financial information and contacts that can’t be resisted.
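The “wrapped in alerts” part of a honey-user or honey-file, as an added example (my illustration, not code from the course or from BHIS): a decoy account nobody legitimately uses, or a decoy file nobody should ever open, has no false-positive problem, so any log line that mentions it is a high-fidelity alert. The script scans constructed sshd-style and web-access-style log lines for a constructed set of decoy usernames and paths; every name, path and address below is made up for this example, and the log formats are simplified versions of the real ones.

```python
"""Honey-token alerting over constructed log lines.

Added example, not from the original post or from BHIS. The decoys,
the addresses and the log lines are all constructed for illustration.
The idea: a honey user or honey file has no legitimate use, so any
reference to it in a log is an alert, not a "maybe".
"""
import re
from dataclasses import dataclass

# Constructed decoys. In practice these are planted on purpose: a dormant
# account with a tempting name, a juicy-looking file that no link points to.
HONEY_USERS = {"svc_backup_legacy", "finance_admin"}
HONEY_PATHS = {"/finance/Q4_payroll_FINAL.xlsx", "/internal/backup.zip"}


@dataclass(frozen=True)
class Alert:
    source: str   # which log produced it: "auth" or "web"
    token: str    # the decoy that was touched
    src: str      # address that touched it


# Constructed sshd-style lines; none of these are from a real system.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 fs01 sshd[4120]: Accepted publickey for alice from 10.0.0.21 port 51122
Jan 10 09:13:44 fs01 sshd[4131]: Failed password for svc_backup_legacy from 10.0.0.77 port 40412
Jan 10 09:13:46 fs01 sshd[4131]: Failed password for svc_backup_legacy from 10.0.0.77 port 40412
Jan 10 09:15:02 fs01 sshd[4140]: Accepted password for bob from 10.0.0.22 port 51300
"""

# Constructed web-access-style lines, same caveat.
SAMPLE_ACCESS_LOG = """\
10.0.0.21 - - [10/Jan/2024:09:20:11 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.77 - - [10/Jan/2024:09:21:05 +0000] "GET /internal/backup.zip HTTP/1.1" 200 4096
10.0.0.77 - - [10/Jan/2024:09:21:09 +0000] "GET /finance/Q4_payroll_FINAL.xlsx HTTP/1.1" 200 90112
10.0.0.22 - - [10/Jan/2024:09:22:30 +0000] "GET /about.html HTTP/1.1" 200 330
"""

# "Accepted/Failed <method> for [invalid user ]<user> from <addr>"
AUTH_RE = re.compile(r"(?:Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
# "<addr> ... "<METHOD> <path> "
ACCESS_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) ')


def scan_auth_log(text):
    """Alert on any authentication attempt, successful or not, for a honey user."""
    alerts = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group(1) in HONEY_USERS:
            alerts.append(Alert("auth", m.group(1), m.group(2)))
    return alerts


def scan_access_log(text):
    """Alert on any request for a honey path, whatever the status code."""
    alerts = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(2) in HONEY_PATHS:
            alerts.append(Alert("web", m.group(2), m.group(1)))
    return alerts


def suspicious_sources(alerts):
    """Collapse alerts to the set of addresses that touched any decoy."""
    return {a.src for a in alerts}


if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_AUTH_LOG) + scan_access_log(SAMPLE_ACCESS_LOG)
    for a in found:
        print(f"[{a.source}] decoy {a.token} touched by {a.src}")
    print("sources to isolate and investigate:", sorted(suspicious_sources(found)))
```

The point of keeping the decoy list separate from the parsers is that the same tokens can be watched in every log you have (auth, web, file-share audit, DNS), and one address showing up in more than one of them is the trail the text above calls paw prints.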


Day 2 we talked about the legal issues that come with the territory. This is a whole new frontier as far as the law is concerned. Stand-out thought is how far behind the legal concepts of property and privacy are in relation to the digital dimensions of our lives. It’s an 8-bit paradigm trying to govern an Oculus world. It would do me some good to study up on search and seizure law. The question to answer: when are you a detective and when are you the interloper violating someone’s rights?

Day 3, the slide reads “Don’t Get Shot!” and the class focuses on your safety as an investigator. As in, you may find yourself dealing with bad people. You might play a big part one day in locating said bad people and putting them in prison. Sometimes bad people hold grudges. You don’t want your name on anything bad people can reference. You want to be a ghost, a shadow warrior. That’s right, John added to my practical knowledge of how to make people disappear and attack from the shadows. Always happy to add a little more ninja to my bag of tricks.


Day 4, how far does defense go until it becomes offense? We learned techniques that trapped our network baddies in infinite loops that “inadvertently” shut down their systems. Is that wrong? Well, it’s complicated. How far is too far depends on your warrant and what three-letter agency is writing the check. But that’s the justice side. Maybe you’re not working for the government. What about private clients? What would you do for the cash? What wouldn’t you do for cash?


In some cases, your client might not be interested in taking any of this to court. As in, they aren’t concerned with the legality of your work and whether it might stand up in court. That’s when you have to decide for yourself what kind of InfoSec operator you are. Are you a mercenary, a kinda cyber-gun-for-hire? Or are you going to be an agent of justice? Or chaotic good and you just can’t help yourself because of some twisted extreme perceptions of fair and foul play? Or maybe you’re just smart enough not to get involved in clandestine cyber-pissing contests.


It’s easy, when researching and studying security, to get paranoid and think that there is a never-ending wave of threats. And while that might be true, there are ways to limit vulnerability. For a business or an individual, it’s not that difficult to avoid being easy pickings. Remember, you don’t have to be faster than the bear, just faster than the rest of the campers when the bear arrives.


My CompTIA Security+ certification test is coming up in a few weeks. Time to buckle down and memorize an ocean of acronyms, hashes, ports, and protocols. But while that test is important, my mind will still be on the terrors of a Spider Trap and the devious capacities of Honey Badger. I look forward to building a digital hall of mirrors and digging cyber-tiger traps filled with my own assortment of deadly links. That’s right, folks, two can play at the sneaky link game. Actually, we should all be learning how the game is played.


After all, ya gotta be a cyber-sorcerer-detective-ninja to catch a cyber-sorcerer-ninja.


Dawn of the Bot Hunter

It’s raining and the morning sky is still dark, but the light is slowly shifting from ebony to blue. 

I’m thinking about Bladerunner as I listen to the rain. Harrison Ford narrates my near-future dystopian fantasy as a billion drops per second shower the world. I imagine each drop a malware-loaded bot, a digital armada with greater power than humanity has yet amassed but smaller than an atom, slamming against my firewall. 

Good morning, it’s a great day to hunt bots.

The information security company WhiteOps is the genesis of this daydream. Claim to fame: authenticating trillions of online interactions. The service: determine if it’s a bot or not. 

That’s what reminds me of Bladerunner, the Voight-Kampff test from Ridley Scott’s cyberpunk masterpiece. A digital detective tasked with identifying bots imitating humans. Sounds like another way of saying non-human investigations. So spooky and suspenseful, I’m definitely going to need a trench coat.

Detecting and defending against bots isn’t the future. It’s now. These bots are the new tanks and the next-generation super-cyber bombers. Consider how devastating the German U-boats were to the battles in the Atlantic. Bots are cyber-dimensional submarines exploiting the trade routes of the internet. They are electric ideas driven by algorithms with ambitions. And one of their greatest powers is passing as human.

WhiteOps has a position open: Threat Intelligence Investigator. That sounds slick enough to me. If there is an AI that loves me, then there will be a bright and shiny circuit-badge with this gig. Just once, I want to unfold my wallet, flash my ID, and say, “I’m Investigator Twitchell, this is my partner, we’re looking for some bots that were spotted in the neighborhood.”

I sent in a resume and cover letter a few days ago. Not just because Threat Intelligence Investigator sounds badass, it does, but also because figuring out what is human online is essential.  

If you find my words dramatic, well then don’t read this report on fraud and definitely don’t read this article on the AI-containment problem. And most definitely don’t read this one about Facebook being a Doomsday Machine with 90 million bots lurking around trying to friend the planet to death.

I hope to hear back from WhiteOps, but if not, I’m still going to hunt bots! 

And once I find them, game on. Ding ding goes the boxing-ring bell, let the match begin. In this corner, hailing from 3-dimensional space, fighting for humanity and weighing in at 170 pounds of bravado and hyperbole, Jay “The Bot Hunter” Twitchell.

Well, like my grandfather used to say, “If you’re going to fight robots, you need to go to robot fighting school.” So, before my certificate of completion as a Digital Detective (artistic license with title) arrived, I was already signed up for a 4-day SOC analysis course with Black Hills Information Security taught by John Strand. 

SOC is short for Security Operations Center. It’s where the cybersecurity team responds to possible intrusions into the network. Picture a cyber-war room. Kinda like a NASA launch control room, with a two-story wall covered in screens, flashing red and green lights, maps from missile command, and graphs and dashboards keeping the score of the living and the dead. In the heat of it, sweat flowing from every brow, a dozen people furiously typing on keyboards, faces aglow in the wash of screen light, whispering battle commands into their microphones. 

SOC Analyst Level 1... gets that team’s coffee. Everybody’s got to start somewhere. As a coffee-dog and bot spotter, you let the team know about a flashing alarm and then Level 2 and 3 deal with capture, containment, and neutralization. You survey the network like a bushman on the savannah scanning for evidence of predators’ digital scat, dissecting packets, and looking for paw prints of persistent connections in silicon.

Information security is totally hunting the hunter, spy vs spy. Just not the fast cars and jet packs, but instead SQL injections and rootkits. And if you’re going to hunt down the enemy, you have to learn how to read the threat landscape and appreciate the tactics. To hunt a fox you must become a fox, yes? You need to know the methods so you can spot the signs that you are being stalked.

John Strand is a great resource for honing cyber-safari skills. John is formerly a SANS Institute instructor (15 years) and runs BHIS, a cadre of devious cyber ruffians.

A quick summary of the 4-day course:

There is no one product or strategy that is foolproof. Anything, given time and persistence, can be bypassed. The trick is layering the network with enough security gambits that it costs too much time and/or sets off enough alarms that an attack can be prevented or quickly resolved. The idea is to create a layered web. A spider uses more than one string to catch a fly. 

Endpoint analysis and common command-line magic tricks combined with a slew of open-source network monitoring tools and Shazam, you can respond to an incident. Right?   

Hmmm... not so fast. Even a good plan won’t help you if you aren’t used to responding to threats. There are a couple of fun quotes about this: “Everyone has a plan until they get punched in the face.” and “No battle plan survives meeting the enemy.”

This is why you hire penetration-testing specialist teams like BHIS and run attack simulations. If you can’t afford that, then attack your own system and test the defenses. Sounds like martial arts to me. Seeing as how I’ve paid professionals to beat me up most of my life, I totally get this principle. When you’re getting your ass kicked isn’t the time to discover you’re not ready for an ass-kicking. No one has time to think when they are getting pummeled. It takes practice to learn to roll with the punches.

And if you're going to pay someone to cyber punch you, John and his team seem like the right kinda people. 

My takeaway from the 4 days: John is a passionate and generous instructor. The class was pay-what-you-can. So, the cost wasn’t an obstacle for the education. And I’ve rarely seen someone outside of a Pentecostal tent so evangelized about their work. It’s great to see that this field can keep a fire alive in the belly. Borders on inspiring.

My favorite quotes from the course were:

“You don’t get paid for the good days, you get paid for the bad ones.”  

and

“You don’t train until you get it right, you train until you can’t get it wrong!” 

To get your own dose of John, listen to this Darknet Diaries podcast where he shares stories about all kinds of penetration testing. One story involves his mother popping shell on a prison system. Below is the podcast and an article from Wired for the extra curious (it’s totally worth it).

Darknet Diaries - 67: The Big House (google.com)

(Darknet Diaries is my favorite podcast)

How a Hacker's Mom Broke Into a Prison—and the Warden's Computer | WIRED

I signed up for another course in March: Active Defense & Cyber Deception. I also enrolled in BHIS’s Cyber Range where you can build your cyber skills and supposedly compete for a position on the BHIS team. I also bought a t-shirt. I know it’s not quite a trench coat, but it’s a good start for the newest bot hunter on the block. Watch out, robots. I’m coming for you.


Hello Cybersecurity World

The world has changed. In the face of Covid, the ensuing shutdowns, and social distancing, I’ve made a change as well. I’ve been an in-person kinda guy all my life. Massage is literally a hands-on job. Martial arts also involves a fair amount of physical back and forth with another person. Since working face to face with people isn’t as easy anymore, I decided to retrain myself and transfer my skillset into another field of expertise. I landed on cybersecurity.

Just before Covid, I was working my way through a JavaScript tutorial and dabbling in some Python when I came across a bug bounty video. The process of hunting down flaws in programs and networks hooked me. I couldn’t follow the particulars to save my life, but the process was thrilling: recon, identify vulnerability, exploit, entry, cripple, exit.

It struck me how similar this was to my pain management system. Pain management is about understanding flaws in the system and building programs to improve resilience. And martial arts is the study of conflict strategies. Thus, when the world shut down, I dove into a VM rabbit hole and enrolled in the University of Oregon’s Cybersecurity 6-month Bootcamp. 

I had found a way to continue identifying weak points, building up hardened systems, and fighting bad guys.

In Bootcamp, everything is remote and we (my 15-person cohort) were thrown into the deep end of the digital pool immediately. You get a machine and you load it up on your own, and then go. You better be able to follow directions, even if you don’t know which way you are going or where you are. I have been three virtual machines deep and unsure of what window I was in because my cursor was lost between interfaces.

It’s impossible to describe concisely how much material we have covered in so little time. It can break a brain. Neural networks can only take so much. I have had some serious cerebral-buffer overflow issues.

I’ve heard Bootcamp experiences described as learning by firehose. I agree and at times this has even felt a little more like learning by flame thrower. I would recommend this program if you don’t mind feeling overwhelmed. 

Many nights, my mind melted from being on the command line trying to grep answers. 40 hours a week studying just to keep up with each new offensive, defensive, or forensic application that is introduced. I tried shortcuts that were long ways back to the beginning to do it all over again and again. My rig crashed, looped, rebooted, and eventually fried its battery. I learned to live in the glow of at least three screens at all times. It’s like playing Missile Command, but they are checking for good grammar as well as your strategic aptitude.

Supposedly speaking another language in your dreams is good evidence the language is really settling in. A move toward unconscious competence. Asleep, I find myself searching for the password to my dreams, unaware I am already asleep.  It would appear my subconscious is concerned with the abstract syntax of a deeper logic. It’s trying to hack its own psychic login and get root access.  Data denied the waking me, the user.  Am I running hot or just getting warmed up? Not sure, but I am totally fascinated.

Why cybersecurity? I have thought about it and there are a whole bunch of answers. OMG, have you heard of Nerdcore? There are so many answers that I can’t put them all in this post. The next few posts should really start to give a fuller picture. 

That said, one of my favorite responses to “why cybersecurity?” is found in an analysis of three movies:  Bladerunner, Tron, & The Matrix. 

You didn’t think this could get any dorkier, did you? Grab your favorite nerd, ’cause it gets so much dorkier. But I digress. Why these three movies? Long story short, they explore the perils of accelerated technological growth and the consequence to humanity.

Why cybersecurity? Because I like big ideas and what’s bigger than the transformation of humanity? Wait, but what does cybersecurity have to do with the transformation of humanity? Well, I’m glad you asked.

I will be exploring just that. In the simplest sense, cybersecurity patrols the infrastructure that makes the information-world work. Every electronic communication, bank account transfer, social media post, email, link, app, and/or website/game. None of it works without cybersecurity.

Next: Sandworm