I think blue team work poses a greater number of challenges than red team work (there's just so much attack surface). However, I think writing a red team report is inherently harder than writing forensic reports. 1/
In a forensic report, a story already happened and you have to tell it. It takes practice and skill to do that well, but there is less of a creative element. The analyst's burden to elicit an emotional response is smaller. 2/
The events in the report themselves have evoked emotion... pain, sadness, etc. It's not as hard to get folks to take action because they've already felt these things. 3/
In a pen test report, some of the story already happened (what you did), but the real story is what could happen without action by someone. How actual criminals could take a similar path, resulting in breach/loss. 4/
So as a red teamer, you have to be a little extra creative in your writing. You are responsible for eliciting the emotional response. You have to make them feel things they haven't felt yet. 5/
You have to do all this while being a good steward of the reader's emotional well-being. That means telling a realistic story that isn't overly sensational and properly captures the true risk of certain vulnerabilities going unmitigated. That's not an easy task. 6/
Red team writing also tends to be a little more repetitive in some ways. So, you have to force yourself to find ways to tailor the story to the specific network/client. That's extra work, but necessary. A common example is writing about network segmentation. 7/
Some of y'all are probably grimacing right now because you write about network segmentation in nearly every report. Tempting to just copy and paste it all verbatim, right? Most do, but probably not gonna spur any action. 8/
Blue or red team writing... it's all hard because it's all persuasive writing. You want folks to do something. Most of that comes back to storytelling and emotion. 9/
When you write to evoke emotion, you tend to get a little dejected when it doesn't work. Let's say you write a report about some vulns, come back two years later, and they're all still present. Feels bad, right? 10/
This usually turns writing into an apathetic (or downright combative) task over time. It compels the writer to put less effort into their work than more. Red team writing finds itself in this state more often... decent writing isn't as frequently positively reinforced. 11/
That's to say, blue team writing can often be decent and still evoke change, whereas red team writing often has to be GREAT to achieve the same results. There are external factors in play here, of course. 12/
These opinions are based on my experiences writing many of both kinds of reports and thoughts shared by students in my writing class.

Overall, I think both types of writing are challenging. The difficulty gap is significant but can be overcome. 13/13
