USENIX Enigma 2016

Some quick notes taken while watching the presentation:

Know your network: the devices, the security technologies and the things inside it.

Attackers will often employ people who study the security technology of the devices you use to a very deep level. They end up knowing it better than those who develop it.


Reduce the attack surface; red team, pen test, and act on the results. Don't assume a small crack is too small to be found: attackers are patient and persistent, they'll keep poking, and they'll wait for windows of opportunity if needed.

Network boundaries have expanded with BYOD, work from home, cloud, and mobile devices that come and go.


Ways in: spear phishing, watering hole, known CVE, SQL injection, 0day.
Note that it's not all 0days: attackers' persistence and focus will get them in.

Best practices, baselines, credentials. Have processes in place so you know what normal looks like.

Segmenting, whitelisting.

Attackers move laterally; how will you detect it? Segment, and manage trust.
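
The "know what is normal, then spot lateral movement" idea from the notes above, as an added example (not code from the talk or from these notes). It assumes a constructed, simplified authentication log format, `<date> <src_host> -> <dst_host> user=<account> type=<logon_type>`, and a naming convention where hosts prefixed `ws-` are workstations; both are assumptions for the example. A baseline window establishes the normal (source, destination, account) triples, and anything outside it on a later day is reported with a reason.

```python
"""Baseline-then-detect for lateral movement (added example, not from the talk).

Log lines use a constructed format:
    <date> <src_host> -> <dst_host> user=<account> type=<logon_type>
Hosts whose name starts with "ws-" are assumed to be workstations.
"""
from collections import defaultdict

# Constructed history for the "known normal" window.
BASELINE_LOGS = """\
2016-01-04 ws-017 -> fileserver user=alice type=network
2016-01-04 ws-017 -> mail user=alice type=network
2016-01-05 ws-042 -> fileserver user=bob type=network
2016-01-05 jump01 -> db01 user=svc_backup type=network
2016-01-06 ws-017 -> fileserver user=alice type=network
2016-01-06 jump01 -> db01 user=svc_backup type=network
"""

# Constructed "today" logs containing a hop chain ws-042 -> ws-017 -> db01/jump01.
TODAY_LOGS = """\
2016-01-07 ws-017 -> fileserver user=alice type=network
2016-01-07 ws-042 -> ws-017 user=bob type=network
2016-01-07 ws-017 -> db01 user=alice type=network
2016-01-07 ws-017 -> jump01 user=svc_backup type=network
"""


def parse(text):
    """Yield (date, src, dst, user) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "->" or not fields[4].startswith("user="):
            continue
        yield fields[0], fields[1], fields[3], fields[4][len("user="):]


def build_baseline(text):
    """Set of (src, dst, user) triples observed during the baseline window."""
    return {(src, dst, user) for _, src, dst, user in parse(text)}


def detect(baseline, text):
    """Return [(date, src, dst, user, reasons)] for events outside the baseline."""
    known_sources = defaultdict(set)  # account -> hosts it was seen logging on from
    for src, _, user in baseline:
        known_sources[user].add(src)

    alerts = []
    for date, src, dst, user in parse(text):
        if (src, dst, user) in baseline:
            continue  # seen in the baseline: this is the norm
        reasons = []
        if src.startswith("ws-") and dst.startswith("ws-"):
            reasons.append("workstation-to-workstation")
        if src not in known_sources[user]:
            reasons.append("account used from new source host")
        if not reasons:
            reasons.append("new destination for known source/user")
        alerts.append((date, src, dst, user, reasons))
    return alerts


if __name__ == "__main__":
    for date, src, dst, user, reasons in detect(build_baseline(BASELINE_LOGS), TODAY_LOGS):
        print(f"{date} {src} -> {dst} as {user}: {', '.join(reasons)}")
```

The baseline is only as good as the window it was built from: if the attacker was already inside during that window, their paths become "normal", which is one reason the notes pair baselines with segmentation and explicit trust management rather than relying on the baseline alone.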

Defend and improve, then rinse and repeat.

Learning the wrong lessons from Offense (Haroon Meer)

A really interesting talk from Haroon Meer at the t2 conference in Finland (2016).

A collection of points I wrote down while watching it, and that I would like to highlight:

  • Enterprises are still finding out they were hacked because stolen data often "self-advertises" the hack. Where this isn't the case, enterprises go months or years without knowing.
  • "Think like an attacker": try thinking like a chef and see how well you do in the kitchen (quoting a post from 2008).
  • The cargo cult science (Feynman's term) in learning from offense.

offense vs. defense

  • Offense has a tight feedback loop (attacks either succeed or they don't), whereas defense can think it's doing something meaningful when actually the only thing that has happened is that you haven't been attacked on your watch yet.
    • Defense ends up doing things of very little value, like forcing people to change their password every two weeks.
  • Offense understands cost better than defense does.
    • Offense knows the cost of attacking and usually knows the value of the prize it's after, whereas defense doesn't necessarily know how the attacker values its information or how much it cost them to attack.
  • "They only have to win once": discovered offense burns toolsets and TTPs. see
  • Offense gets to choose time and cadence.
  • Complexity tends to favor the attacker.
  • Attackers are able to throw tools away once they are no longer useful.
  • Clarity: attackers specialize, while defenders have to do it all.
  • Attackers write more code. Defenders need to write more stuff: own their tools, rely less on blinking lights and SLAs (I really liked the way Haroon spoke about this one).

defender disadvantages

  • Least privilege: people complain about lacking permissions, but no one complains about having too much access.
  • Enterprise obstacles: the defender attitude of "if only they did it right".
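
Since nobody complains about excess access, defenders have to go looking for it themselves. As an added example (not from the talk or from these notes), the script below compares a constructed grant table against a constructed access log for an observation window and lists grants that were never exercised, riskiest first. The permission names and their risk weights are assumptions for the example.

```python
"""Grants never exercised during an observation window (added example, not from the talk).

GRANTS and ACCESS_LOG are constructed; the permission names and RISK weights are assumptions.
"""
from collections import defaultdict

# Constructed grant table: (account, resource, permission).
GRANTS = [
    ("alice", "finance-share", "read"),
    ("alice", "finance-share", "write"),
    ("alice", "hr-share", "read"),
    ("bob", "finance-share", "read"),
    ("bob", "prod-db", "admin"),
    ("svc_backup", "prod-db", "read"),
    ("svc_backup", "prod-db", "admin"),
]

# Constructed access log for the window: (day, account, resource, permission used).
ACCESS_LOG = [
    ("2016-01-04", "alice", "finance-share", "read"),
    ("2016-01-05", "alice", "finance-share", "write"),
    ("2016-01-05", "bob", "finance-share", "read"),
    ("2016-01-06", "svc_backup", "prod-db", "read"),
    ("2016-01-06", "alice", "finance-share", "read"),
]

# Assumed ordering of how much an unused grant matters.
RISK = {"admin": 3, "write": 2, "read": 1}


def _used(access_log):
    return {(acct, res, perm) for _, acct, res, perm in access_log}


def unused_grants(grants, access_log):
    """Grants that were never exercised in the window, riskiest permission first."""
    used = _used(access_log)
    unused = [g for g in grants if g not in used]
    return sorted(unused, key=lambda g: (-RISK.get(g[2], 0), g))


def usage_ratio(grants, access_log):
    """Per account: (granted, used) counts. Large gaps are review candidates."""
    used = _used(access_log)
    granted_by = defaultdict(int)
    used_by = defaultdict(int)
    for g in grants:
        granted_by[g[0]] += 1
        if g in used:
            used_by[g[0]] += 1
    return {acct: (granted_by[acct], used_by[acct]) for acct in granted_by}


if __name__ == "__main__":
    for acct, res, perm in unused_grants(GRANTS, ACCESS_LOG):
        print(f"review: {acct} holds {perm} on {res} but never used it")
    for acct, (granted, used) in usage_ratio(GRANTS, ACCESS_LOG).items():
        print(f"{acct}: {used}/{granted} grants exercised")
```

Treat the output as a review queue rather than an automatic revocation list: a grant unused in one window may still be needed for break-glass access or a task that runs less often than the window is long, so pick the window to cover those cycles before acting on the result.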

defender advantages

  • Network awareness: attackers choose when, but defenders choose where.
  • Custom detection: there is value in things put together by defense. There is also value in a little security by obscurity, as long as it's not the only thing you rely on: add variables that attackers can't easily guess.
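
One reading of "add variables that attackers can't easily guess", as an added example that is not from the talk or these notes: seed decoy accounts whose names carry a random suffix into the places an intruder would enumerate, and treat any appearance of those names in an authentication log as a high-confidence alert. The decoy names, the log format (`... user=<account> ...`) and the sample log lines below are all constructed for the example.

```python
"""Custom detection keyed on values attackers can't guess: decoy accounts
(added example, not from the talk).

The names are generated with a random suffix, so an attacker who knows the
technique still cannot know which names are decoys without touching them.
Log format is a constructed one where the account appears as "user=<account>".
"""
import re
import secrets


def make_decoy_account(prefix="svc", nbytes=4):
    """A plausible-looking account name with a random, unguessable suffix."""
    return f"{prefix}-{secrets.token_hex(nbytes)}"


# Constructed decoys for this example; in practice generate them with
# make_decoy_account() and seed them into directories, vaults, config files.
DECOY_ACCOUNTS = ["svc-7f3a9c1e", "backup-admin-c41d"]


def build_detector(decoy_names):
    """Return scan(text) -> [(decoy, line)] that fires only on exact decoy names."""
    alternatives = "|".join(re.escape(name) for name in decoy_names)
    # Negative lookahead: "svc-7f3a9c1e2" or "svc-7f3a9c1e-x" must not match.
    pattern = re.compile(r"user=(" + alternatives + r")(?![\w-])")

    def scan(text):
        hits = []
        for line in text.splitlines():
            match = pattern.search(line)
            if match:
                hits.append((match.group(1), line))
        return hits

    return scan


scan_for_decoys = build_detector(DECOY_ACCOUNTS)

# Constructed log: one genuine decoy use, one real service account, one near-miss.
SAMPLE_LOG = """\
2016-01-07 ws-017 -> fileserver user=alice type=network
2016-01-07 ws-042 -> dc01 user=svc-7f3a9c1e type=network
2016-01-07 ws-042 -> dc01 user=svc-backup type=network
2016-01-07 ws-042 -> dc01 user=svc-7f3a9c1e2 type=network
"""


if __name__ == "__main__":
    for decoy, line in scan_for_decoys(SAMPLE_LOG):
        print(f"ALERT decoy account {decoy} used: {line}")
```

The detection has no baseline to learn and no threshold to tune: legitimate users have no reason to touch a decoy, so a single hit is worth paging on. Its value depends entirely on the names staying unguessable and unpublished, which is the "obscurity as one layer, not the only one" point from the notes.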

what we can do

  • Expect breach: how quickly can we detect it, how can we contain it, how can we respond? And KNOW your network.
  • Learn your stuff.
    • USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers (video ID bDJb8WOJYdA)
  • Build it! Embrace the hackiness, as in: get the solution that works; defense is a series of hacks too.
