hackers

, , , ,

Tribe of Hackers

, , , ,

Tribe of Hackers, by Marcus J. Carey, collects a wide range of seasoned infosec specialists to discuss the cybersecurity world from an insider’s point of view. My favorite question out of the dozen asked is: What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture? Studying the 60-plus answers, I broke them down into three categories that resonate with the self-defense instructor in me:

  1. Invest in awareness

  2. Assume compromise 

  3. Application over theory

There are three common aspects of martial arts all around the world. The basic breakdown of martial arts is competitive (sport), performance (entertainment), and self-defense (mortal danger). Competition can teach you how to fight, but you are always learning to fight with rules. There is a ref, a set time, and a chosen place. Performance is about entertaining a crowd and displaying grace, power, and drama.

The portion of the martial art world we are concerned with here is self-defense.  The training one does for surprise attacks. Nothing fancy, first just learn to cover your groin and face. This is a very good reflex around monkeys and big cats. 

Boiled down, martial arts is situational awareness and the more time I spend studying the cybersecurity field the more I think of it as an offshoot of martial the world. Hand-to-hand and weapon-based systems each have their context for when they are useful.  I like thinking of cyber as the martial art of network conflict.

In the walk-around world, awareness often simply means understand your environment and become conscious of how you make yourself vulnerable. Predators rely on distraction and surprise. The more aware you are, the less of a target you are. Don’t make yourself more vulnerable than you have to be. How big is your threat landscape? The bigger it is, the harder it is to secure and whoever has the weakest perimeter gets eaten first.

These rules of conduct coincide with cyber defense rules, like limit employees’ access and privileges. There is no reason to increase the overall threat landscape any more than necessary. When you give someone access, you put them at risk of being exploited. Every admin privilege is a target on someone’s back. They will be hunted for their access. Actually, I’m the only one mentioning the hunting of people. Nowhere in the interviews does anybody recommend hunting people. 

According to the professionals, companies building security-minded cultures should start with the low-hanging fruit: multi-factor authentication, complex password policies, and up-to-date patches go a long way. It’s not full-proof, but covering the basics eats recon time and time is money even for criminals. The longer it takes to get inside the more likely they will move on to an easier target. No one is perfectly secure, but don’t be the only guy without a bulletproof vest in a gunfight. I’m paraphrasing of course. There was no mention of firearms nor discussions about kevlar in the interviews at all.

Investing in awareness also means understanding how your assets are vulnerable. Is it really tech that is vulnerable? Or are people vulnerable? Creating a security culture that captures the attention of employees is essential. All the fancy AI interfaces in the world (which I love) aren’t going to save you from an uninterested or emotionally distracted employee. A narrative (mission) that elicits vigilance (situational awareness) is key. Everyone is seeking a “better way” and people, in general, adopt great standards that lead to personal growth. No one actually said people seek personal growth either. I’m reading between the lines and maybe being a little idealistic, but I stand firm on the idea that people want to be heroes.

The second concept: assume compromise, also illustrates martial principles. As in, you don’t get to pick the fight you want. For companies, it means an attack isn’t an if, it’s a when. And, most likely, you aren’t going to see it coming. Predators like to hit their prey from behind, not head-on. Unfortunately, the first hint of attack is often the sight of your own data leaking out all over the internet.  Assume compromise means: “the phone call is coming from inside the house!”, so it’s best to build impact resilience into the system. A panic room, if you will. Again, I’m being a little hyperbolic, but I’m trying to paint a picture. 

For an organization, assuming compromise means exploring postures that increase opportunities to fight as you roll and recover to your feet. Remember, this is close-quarters combat. You don’t get to hold them off at arm’s length. They are already inside your defenses and a strategic counter is required. But, before you can counter, you must locate. Check the endpoints, scan the logs, find the beacons, and isolate. Get good at finding the intruder. Too much time is spent on playing wack-a-mole rather than setting honeypots and canary sensors. That’s right, I’m talking about tripwires and tiger pits.

If you have followed the basics from invest in awareness, then the pathways into the system are limited and your team is straight-up tracking the interlopers. There are only so many endpoints probable. You must be able to detect if you are to defend. Imagine Sherlock Holmes presented with Star Trek’s Kobayashi test. Model, model, model. Test, test, test. Invest in failure, because failure brings insight.  

Lastly, application over theory. As the great fist-philosopher, Mike Tyson once said, “Everybody’s got a plan until they get punched in the face.” Steps 1 & 2 have been followed. Your situational awareness is high and you’ve created not 1 or 2 plans for possible sneak attacks but a dozen. But does your plan work when it’s not your friend throwing the punches? 

Unfortunately, the only way to get comfortable with people trying to hit you is by doing such. It’s not everyone’s favorite pedagogy, but it gets results. Catch a few on the nose, and everybody covers up and starts rolling with the punches. This is another good place to point out, no one discussed punching and kicking people in the interviews.

For organizations, application over theory means regularly attacking their own systems not only internal testing but external testing. It means investing in outside consultants who can give an objective perspective. Test the process and adapt accordingly. Then, test again. This is not a static game of Battleship. The opponent is not waiting for you to come to find them. They don’t have any rules, but they do have limitations. Don’t let experience be your limitation, because experience is the key for both sides. It’s a simple calculation, if you have had more time learning to fight your way out of a corner than your opponent, chances are they make the first mistake when pressured. 

To recap and summarize the guidance from the interviews it goes something like this: 

1) Awareness = What Matters x Why it Matters 

2) Plan for the worse 

3) Test the plan objectively

I really enjoyed reading Tribe of Hackers, and I appreciate Mr. Carey putting it together. There is much more wisdom to parse through in the interviews than I have offered here and I hope my violent paraphrasing and comparison (beat a dead horse) to martial arts doesn’t diminish his efforts or their advice. Carey has other books of interviews specific to Blue Team, Red Team, and Security Leaders.

However, before diving into those, I’m headed to Reno for the Wild West Hack’n Fest. This will be the first in-person conference for me (and possibly a whole bunch of people) since Covid. It’s time for me to meet more of the tribe.

, , , , ,

Cyber-Sorcerer-Ninja-Detective

, , , , ,

The world that is emerging from our electronic interactions needs a lot of patches. It’s growing and in need of constant adjustment, reconfiguration, and stabilization. For my part, this week was dedicated to learning how to hide, lure, track and trap bad guys for 4 days and a total of 16-hours of training on Active Defense and Cyber Deception with Black Hills Information Security. This was one of three courses they offer for the very affordable price of pay-what-you-can. Don’t let the generosity fool you. John Strand provides these courses as a mission. He believes we are all far behind in the cyber security game and there is lots of ground to make up. After 15 years as a SANs instructor, he has lots of value to offer. Plus, his energy is contagious. He does seem to truly be possessed with a desire for the greater common good we all share.


What did I learn? Illusions, traps, and other cyber-bending ninja-detective tricks. Unfortunately, a good cyber-sorcerer-ninja-detective never reveals the mechanics of their tricks (that’s not true, they don’t mind sharing at all). 


1st day was strategy and defining what active defense is and isn’t. It’s not waiting for the SIEM (monitoring system) to tell you something is wrong. The SIEM is designed to find threats that are known. We are looking for very sneaky people. They will find a new way in, something the SIEM can’t detect. 


The key to stopping the attacker is understanding the path of the prey. Where do they need to go? Know this and you know where to lay the traps that suck up their time. The illusions that lead them down the wrong rabbit hole to infinite nothing. And this may be the key takeaway. Make it a time suck to mess with you. Make it not worth the hassle to hustle ya. 


Show’em something pretty. Something they have to look at. Delay them, obfuscate the prize, and frustrate their basic efforts. Don’t be the low-hanging digital fruit, just dangling out on the internet waiting to be easily exploited. 


How do you slow them down? Honey, and lots of it. Your main weapon is a long list of honey: honey-pots, honey-servers, honey-networks, honey-users, honey-files, and yes Honey Badger! What are all these honey-techs? They’re big fake data burritos wrapped in alerts, stuffed with traps, and trackers. These techniques and tools draw the attacker into a fake world with sweet-looking data. A juicy-ripe text file with a bunch of sexy financial information and contacts that can’t be resisted. 


2nd day we talked about the legal issues that come with the territory. This is a whole new frontier as far as the law is concerned. Stand-out thought is how far behind the legal concepts of property and privacy are in relation to the digital dimensions of our lives. It’s an 8-bit paradigm trying to govern an Oculus world. It would do me some good to study up search and seizure law. The question to answer: when are you a detective and when are you the interloper violating someone’s rights? 

  Day 3, the slide reads “Don’t Get Shot!” and the class focuses on your safety as an investigator. As in, you may find yourself dealing with bad people. You might play a big part one day in locating said bad people and putting them in prison. Sometimes bad people hold grudges. You don’t want your name on anything bad people can reference. You want to be a ghost, a shadow warrior. That’s right, John added to my practical knowledge of how to make people disappear and attack from the shadows. Always happy to add a little more ninja to my bag of tricks.


Day 4, how far does defense go until it becomes offense? We learned techniques that trapped our network baddies in infinite loops that “inadvertently” shut down their systems. Is that wrong? Well, it’s complicated. How far is too far depends on your warrant and what 3-lettered agency is writing the check. But that’s the justice side. Maybe you’re not working for the government. What about private clients? What would you do for the cash? What wouldn’t you do for cash?


In some cases, your client might not be interested in taking any of this to court. As in, they aren’t concerned with the legality of your work and whether it might stand up in court. That’s when you have to decide for yourself what kind of InfoSec operator you are. Are you a mercenary, a kinda cyber-gun-for-hire? Or are you going to be an agent of justice? Or chaotic good and you just can’t help yourself because of some twisted extreme perceptions of fair and foul play? Or maybe your just smart enough not to get involved in clandestine cyber-pissing contests.  


It’s easy researching and studying security to get paranoid; to think that there is a never-ending wave of threats. And while that might be true, there are ways to limit vulnerability. For a business or an individual, it’s not that difficult to avoid being easy pickings. Remember you don’t have to be faster than the bear, just faster than the rest of the campers when the bear arrives.


My CompTIA Security + certification test is coming up in a few weeks. Time to buckle down and memorize an ocean of acronyms, hashes, ports, and protocols. But while that test is important, my mind will still be on the terrors of a Spider Trap and the devious capacities of Honey Badger. I look forward to building a digital hall of mirrors and digging cyber-tiger traps filled with my own assortment of deadly links. That’s right folks, two can play at the sneaky link game. Actually, we should all be learning how the game is played. 


After all, ya got be a cyber-sorcerer-detective-ninja to catch a cyber-sorcerer-ninja.