22 tweets, 4 min read
For the newcomers out there...

I’ve been doing InfoSec stuff for ~20 years now, & every 3-5 years I discover a better understanding of the subject. Just when I think I’ve got it figured out, I get a little closer still.

This is for your edification: stick with it. 1/
20 years ago, I thought “perfect computer security” was possible if you just figured out the correct “recipe” of stuff for the technical problem you were trying to solve.

Didn’t take long to shatter that misconception.
13 years ago or so, @cigitalgem convinced me that “network security” is really “software security” since “appliances” (that was our “cloud” back then) were just CPUs, RAM, and IO with a software stack. That was eye opening for me and still affects the way I think today.
~11 years ago, I believed focusing on prevention (over detection/response) was the right approach. That’s about the time I declared AV to be dead and whitelisting was the way to go. (A decade later and most orgs still can’t really scale whitelisting.)
~10 years ago, I discovered the importance of incentives for enterprise security. I couldn’t “move the needle” until I figured out how to eliminate the pain points for stakeholders.
The best example 10 years ago was to focus on identity management. This was back in the Stone Age when very few vendor solutions existed & they were a kajillion (unbudgeted) dollars. So I built one.

Coincidentally, that’s when I saw how valuable dev skills are in InfoSec.
Back then, I saw attacks moving to web apps because commodity attacks were drying up thanks to things like Microsoft’s secure SDLC initiatives. But nobody wanted appsec yet. They did, however, want fewer passwords to remember & to onboard personnel quickly.
~8 years ago, my “software security” bias led me to belittle “network penetration testing” since it’s really just attacking services, & a service is an “application” just written by a vendor of a commodity like an OS. While true, I threw out the baby with the bath water.
~6 years ago, I still thought AppSec was the tip of the spear of the InfoSec conflict, completely ignoring the reality that real attacks choose easier paths, let alone vuln discovery is typically quite noisy in a live environment.
~3 years ago, Red Teaming really woke me up to the value of a good detection & response program. So much that my new (current) bias is that without D&R, you simply do NOT have a security program (yet).
More than 15 years in and while I would have said “yes, of course detection and response are important” ... I would not have comprehended just how important.

No org can eliminate all vulns. It’s impossible. But you can reduce the value of them to basically zero.
On that note, Dan Geer was one of my early inspirations—go find his old talks if you can. If you’re a mere mortal like me, you’ll have to listen to him talk twice: once to hear the words, and a second time to replay them and fully comprehend what he’s saying.
One of Dan Geer’s talks I’ll never forget: “there are 2 knobs in security: 1 to prevent failures & 1 to make failures meaningless.” He references how banks moved from armed guards (prevention) to prepared bags of money with trackers and known serial numbers (response).
Despite hearing Dan Geer say all that probably more than 12 years ago, it never resonated like it does now until I got into Red Teaming. In fact, I used the “2 knobs” analogy twice in two recent debriefs.
Fast forward to now ... what is resonating with me now is just how out of touch the pentest / red team (self included) community is as a whole with the most common enterprise infiltration method: malware.
Yes, red teamers typically acknowledge that phishing “just works” and we have been sharing a lot of overlap with malware in terms of initial execution (ie how to construct a maldoc), but everything after that point is different.
I find that very few pentest/red team people can rattle off current malware family names and discuss their TTPs. Why? Because (at least for me and my honest self-reflecting colleagues), we belittle “viruses” as being less capable than us. Yet, at scale malware is a big problem.
What I believe we are seeing now, however, is the awakening of a sleeping giant: the move from PowerShell to C# is encouraging many OffSec people to rethink the importance of dev skills. With AMSI support for .NET around the corner, I predict some will move to C/C++.
As OffSec people move to less forgiving languages like C++, I think we may start to realize and respect the tradecraft in malware families and see more red teamers who can rattle off malware variant names and how they operate, with the reverence I see top blue teamers use.
Anyway, take-away for newcomers: there is always something more to learn and do not let your prior biases impact your future perspective, but also recognize that your prior experience may lend to a unique experience.
Also, a lot of the things the current “thought leaders” discover were solved a long time ago. Listen to talks by Dan Geer or Gary McGraw (mentioned above) as just one example.

What’s old will be new again.