Mick Douglas 🇺🇦🌻
Consultant for InfoSec Innovations | @SANSInstitute Principal Instructor | @IANS_Security Faculty | I like information security. How about you?
Apr 4 • 9 tweets • 2 min read
Do. Not. Lie. On. Your. Resume!!!

Was helping a client do a tech screening this morning.

They're looking for someone who's "an accomplished penetration tester" (from job posting)

This poser was anything but.

Asked some ice breaker questions, and they did OK.

But then, as we got into more situational questions, the answers got vaguer... and frankly odd.

Me: How would you avoid causing issues when working on prod?
Candidate: be sure to fill in a change request before the work

huh?

Feb 23 • 8 tweets • 2 min read
We need to do a better job of mocking vendors who claim 100% MITRE ATT&CK coverage. Not because it’s silly (we all know there’s a near infinity of evasions and obfuscations for each tactic, right?)

No, we need to mock the 100% coverage crowd for a far more important reason…

(Vendors, listen up, this is free consulting for you)

Attack chains are brittle. Defenders should focus on the weakest point(s) in the attack sequence. Vendors could provide enormous value in helping clients see where to maximize defensive efforts.

Dec 28, 2023 • 16 tweets • 5 min read
My "AI doesn't belong in SIEM" tweets pissed more than a few people off (based on DMs I got)

First: let me be REALLY clear. For the near future, AI shouldn't be part of any SIEM, but it may help the SOC.

Let's dig in!

(all pics made with DALL-E 3 AI because LOL)

🧵1/15 Right now, the ultra majority of AIs are LLMs. Large Language Models.

The major problem is SIEM data (aka logs) isn't a large language set.

Before you flip out, you're thinking large **volume**.

Yes! There's lots of logs... but! SIEM data is highly repetitive.

Jul 28, 2023 • 20 tweets • 4 min read
Buckle up... we need to chat about EDR, MDR, and XDR.

(IDK if I've kicked off a thread about this stuff... though I've participated in plenty.)

Here we go!!

EDR = Endpoint Detection & Response.

It is NOT a replacement for anti-virus. It is NOT a replacement for SIEM. In fact, many EDR products do better working with both!

Jun 21, 2023 • 13 tweets • 3 min read
You *can* win at defense in cyber security.

Many orgs tell you that if an attacker lands on a system, or takes over a single account, you've "failed".

That's simply not true.

If you believe you have to be perfect to win, buckle up... this is the thread for you!

First, let's talk about attacker goals. They're stealing accounts or getting on systems to do something. The goal is to act upon your data in some way. (destroy, alter, etc.)

This is an *important* distinction that many gloss over.

Jun 19, 2023 • 4 tweets • 1 min read
I've shared with folks that I grew up poor.

I will forever be confused by the mental gymnastics richer folks go through to convince themselves they're not rich.

Story time:
This past weekend my Mrs and I were looking to buy a used sailboat. Here's the exchange:

Me: it's an expensive hobby
Them: yeah, but compared to others it's quite reasonable!
Mrs: Like what?
T: IDK... owning an airplane?

Feb 23, 2023 • 14 tweets • 3 min read
Story time:
Once I had a client (CISO) who was hyper-insistent that I do "a no holds barred" attack against the C-Suite.

Despite a stream of suggestions from my legal team and the client's legal team to NOT do this, the CISO was firm. It must be done to show a lesson.

Spoiler: plot twist soon!

Legal & HR came to me and said the CISO is going to do this. There were other vendors who were pitching this, and I was the most firmly opposed. So they trusted me to not be evil.

Could I do the gig, but not in the way the CISO was expecting?

Feb 23, 2023 • 12 tweets • 2 min read
Someone DMed me asking what this was about.

This is a stream of consciousness musing based on a part of a convo I had earlier today.

Let's dig in on what this is and why it's important... assuming NO technical know how.

Attackers use scripts and tools to find weaknesses in web sites & APIs. They pretty much have to because doing things by hand is slow, error prone, and "please kill me now" boring.

The technique I suggest *breaks* attacker automation, and does it in a way that's just... mean.
Jan 31, 2023 • 7 tweets • 1 min read
HOLY CRAP. Infosec teams: do you eat your dogfood?

I did this morning. I did NOT like it.

This was eye opening.

Late yesterday

Client: mobile device reset is unbelievably burdensome for the users.
me: Let me look into it. I don't see how it would be that big a deal.

ominous music swells

Jan 29, 2023 • 5 tweets • 1 min read
Build/config for my NixOS is nearing completion.

Here's some stuff I'm doing... unix/linux folks... what should I add to this?

Virtualization stuff:
Docker
Qemu
KVM

(I use qemu-utils to convert VMs to qcow2 and am pretty much good to go)

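Added example, not the author's own build: a NixOS configuration.nix fragment that turns on the three items in that list (Docker, QEMU, KVM) and installs qemu-img for the qcow2 conversion mentioned. It uses the standard NixOS options (virtualisation.docker, virtualisation.libvirtd, boot.kernelModules, environment.systemPackages, users.users). The login name `youruser` and the Intel host (`kvm-intel`) are placeholders; adjust both.

```nix
# Added example, not the author's config. NixOS fragment for the
# virtualization items listed above: Docker, QEMU and KVM.
# "youruser" is a placeholder login; "kvm-intel" assumes an Intel CPU
# (use "kvm-amd" on AMD hosts).
{ config, pkgs, ... }:

{
  # Load the KVM kernel module so QEMU can use hardware virtualization.
  boot.kernelModules = [ "kvm-intel" ];

  # Docker daemon.
  virtualisation.docker.enable = true;

  # libvirtd managing the KVM-enabled QEMU build, so VMs can be driven
  # with virsh (or virt-manager) instead of raw qemu-system-* command lines.
  virtualisation.libvirtd = {
    enable = true;
    qemu.package = pkgs.qemu_kvm;
  };

  # qemu-img from the tools-only QEMU build, for converting foreign disk
  # images to qcow2, e.g.:
  #   qemu-img convert -p -f vmdk -O qcow2 disk.vmdk disk.qcow2
  environment.systemPackages = with pkgs; [ qemu-utils ];

  # Group membership. Note that the "docker" group is root-equivalent on
  # the host (anyone in it can bind-mount / into a container), so keep
  # the list of members short.
  users.users.youruser.extraGroups = [ "docker" "libvirtd" "kvm" ];
}
```

After a `nixos-rebuild switch`, `virsh -c qemu:///system list --all` and `docker info` should both work for `youruser` without sudo; if you want the libvirt socket to require an explicit URI rather than defaulting to the system instance, leave `libvirtd` out of `extraGroups` and use `sudo virsh` instead.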
Jan 28, 2023 • 11 tweets • 2 min read
An open letter to MSFT Graph API and cmdlet folks.
(please RT for reach)

Most of us who are playing with your Graph API and related PowerShell cmdlets are OK with improvising and figuring things out.

But... you're increasingly making things harder than need be.

It seems like the docs you write are targeting the wrong crowd.

We *need* examples.

What you're giving is pages and pages of trivia that *might* be helpful as a reference. maybe.

Jan 4, 2023 • 8 tweets • 2 min read
Getting DMs saying I'm wrong on this. Look, score != your role.

If you score well in a tech screen, you pass. If you score poorly you fail. Great scores do not get a more senior offering. If you score perfectly you don't get CTO or whatever.

It doesn't work that way. At all!
There is a discretionary zone where you might not be as strong technically as the org is looking to hire, but if you show good "intangibles" you can be hired... yes... even over a more technical person.

Jan 3, 2023 • 14 tweets • 2 min read
Got a lot of DMs about a tech screening thread.

Number one issue: a good % of folks don't actually know what a tech screening is. So let's dig in!

Yes, a tech screen is to see what the technical competency of a candidate is... but it's more than just that.

If it only were a "can they XYZ?" you'd likely be sent to an online test.

Jan 2, 2023 • 7 tweets • 2 min read
Just had my 2nd call today with the client about this.

They asked me to state a few things:
Calling this candidate a "techbro" and "an ass" was out of line. In hindsight, that's more than fair. I shouldn't have put this out so publicly.

Client also shared the candidate was told they would get the notes immediately after the call. There was confusion on candidate's part re: "read me your notes".

After review, client found notes to be helpful and insightful.

Jan 2, 2023 • 11 tweets • 3 min read
I just hard flunked someone on a tech screening interview.

them: OK let's get this over with, I'm a big deal in this sector of the biz. I know this stuff.
me: um, we're screening tech, but I want to let you know I'll report tone and stuff too

Them: why? you're a tech screener, screen for that
me: Then why does my client include a "likability" column in the rating sheet?
T: don't care. I don't need to work with people.
M: huh?
T: I'm a 10x engineer. I don't ever talk with folks

Dec 12, 2022 • 6 tweets • 2 min read
Just got off a phone call with someone.

A regulator ripped up an architecture… And I’m furious.

Before you go any further. This is for a high performance (very very very high volume) site which will NEVER EVER have proprietary data. EVER.

Let’s look at the complaints…

“TLS must be to the destination web server/service”

We designed TLS to terminate at the load balancer, and HTTP to the worker.

Look, I understand MitM attacks. I’ve written tools to do it! But if your threat is an attacker can be between the LB and the WS? Da hell?

Dec 9, 2022 • 5 tweets • 2 min read
Someone DM’ed me and asked “what do you mean Really Big Monitors?”

All SOCs are required to have absurdly large monitors on the walls. They are required to have pew pew visualizations on them at almost all times, but especially when clients or execs come visit the SOC
Now I know what you’re wondering… but do the analysts use these monitors? LOL! No. Never. (Maybe in the wee hours they’ll play a movie)

So why have these big monitors? It’s so your SOC is being shown as srrrsly SOCing so goodly. If you don’t have RBM, do you even SOC?
Dec 8, 2022 • 10 tweets • 2 min read
Those just joining infosec or who are early on in your career.

This may shock you, but raw technical skill will be one of the least important skill sets for you.

It's important to develop tech skills, but...
In team based orgs (literally every single org), soft skills actually matter far more.

- can you communicate well (both written and verbal)?
- are you nice to work with?
- can you teach yourself?
- can you speak hard truths in a respectful way?
Dec 6, 2022 • 15 tweets • 6 min read
New to Information Security? Not in the industry yet, but want to be?

What will the current crop of AI tools mean for you, a cyber security rookie?

Here’s some of my thoughts… (long thread)
🧵

That block of text in the first tweet is potent… (I’ve actually saved it and plan on re-reading it periodically)

One thing that rookies need to be KEENLY aware of… There’s going to be an *explosion* of reasonable sounding but flat out wrong advice

Oct 31, 2022 • 13 tweets • 2 min read
This will hurt a lot of feelings so buckle up.

Cyber security is exactly as difficult as your org makes it.

If you have burdensome process, if your machines are overloaded with agents, if you have alert fatigue, etc.

You have a culture problem, not a tech problem.

No tech will ever be able to fix that.

Orgs grab for tech because they wrongly think it's the solution to security issues. They hopefully help, but they ALWAYS create new issues.

Oct 30, 2022 • 20 tweets • 4 min read
long (slightly emo) rambling thread.

TL;DR: there's no crisp line between supporting and enabling someone. It's a fuzzy zone.

Sigh... today I may have "lost" an old friend to untreated mental illness. They're still alive but - for now - dead to me.

"Joe" is a brilliant fashion designer. Met him thru work when I was a sys admin for a top fashion brand.

His hilarious wit and insane ability to cut and drape fabric so it always flattered (regardless of body type) and mix textures... top notch.
