

Community is an interesting concept. A collective group bound by shared values and beliefs - this is how community is defined. Now, even in the smallest communities (population 2) not all of the values and beliefs are shared. For a community to stand, the core values must be shared.

Infosec isn't a community. Infosec is a philosophy built around values and beliefs, potentially including a right to privacy, data security, breaking systems to fix them before someone else can break them, and control of one's data. People may have more to add to that list. People may not include everything on that list. Either way, how anyone defines Infosec is built around the values and beliefs they assign to the philosophy - and that isn't a universal list. This distinction of personally defined philosophy versus the values and beliefs that make up that philosophy matters.

A modern American philosopher I know hangs his hat on the credo "Acta, non verba." Actions, not words. We are defined by our actions more so than our words. Social media has amplified this disparity. Many will tweet about injustices. They will post selfies with pontification about wrongs on Instagram. What they will not do is take any meaningful action to work to correct the wrongs and injustices. What makes it worse is they will actively decry a wrong in the world, and then demand someone who is characteristically unlike themselves to be the ones to fix it.

At no point in human history has that been the way things have worked. Ever.

History is replete with turning points built on the backs of individuals who take personal responsibility to be the change they want to see in the world. They lead from the front. They let their behavior set the example. Whether it was George Washington leading the rebellion, Dr. Martin Luther King Jr marching non-violently, or Elizabeth I pushing back against tradition, someone said the world shouldn't be this way and worked to change it. Successfully. They did this by establishing a like-minded community of people willing to put in the work to change the status quo in a constructive manner.

This is why the concept of an Infosec community is poisonous.

Infosec professionals and aspirants are very active on social media. They share information, brag about accomplishments, and preach. A lot. When some grave ill comes to the attention of the Infosec people engaged on social media, the pitchforks are sharpened and torches lit. Vitriol is flung into the arena and guns start blazing. There is no time to wait, battle must ensue. People have to be seen challenging this wrong from their phones, tablets, and laptops, and they need to be among the first to engage.

My guiding principle of incident response is simple. When all hell breaks loose, the very first thing you should do is nothing. The second is take a breath. Why? Either you have an incident response plan, which means the incident will be handled properly and timely, or you don't, at which point the likelihood of irreversible damage being done by your own and your team's hands is taking exponential jumps.

When these horrible behaviors are brought up in social media (ALWAYS selectively edited for maximum impact as desired by the poster) the response is sudden, damning, and often without any analysis or rational thought. Combined with the need to be seen railing against the horrible thing, we start seeing a pattern of what defines the 'Infosec Community.'

You change behaviors by engaging constructively

The 'Infosec Community' chooses to name and shame, and condemn, and then only selectively based on who is in and who is out.

And here is where the concept of Infosec as community crumbles. The 'community' doesn't hold everyone accountable equally (making justice not a principle). The community will indict and sentence (without trial or defense) based on selective information (basing a declaration of attribution on a lone indicator, throwing due process, a search for truth // fact, and thoroughness out the window). The 'community' will take things out of context if it supports their side. It engages in whataboutism. The list goes on.

There isn't an Infosec community. There are communities that exist within the bounds of Infosec. Recognize them for what they are.

"All animals are equal, but some animals are more equal than others."

-George Orwell.



There is nothing like an empty hotel gym at 5am. You can struggle. You can flatulate with impunity while your guts undulate like a bridge about to flip while on the treadmill. You can do low weight high reps on the dumbbells without 'bro do you even lift' condescension.

No matter what you want to improve, no matter how much of a novitiate you think you are, there is always a way to improve yourself in a manner which will not draw attention to yourself and your perceived shortcomings until your impostor syndrome has lessened.

Or dive right in and face it.

As an institutional defender, I have the disadvantage of having to guess right the first time to detect an attack at the earliest stage. Every institution also has a limited budget, so as a defender I've had to choose what doors I watch with given levels of scrutiny. The only way to do so is to build a threat model.

To understand threat modeling, you need to start with the risk equation.

Risk = (Threat to asset x vulnerability allowing reach x impact to institution) / mitigations


If your business has a gum ball machine in the lobby that takes quarters, the threat is the loss of the gum ball machine, its quarters, and its gum balls. The vulnerability is it can be beaten with a key, someone can use slugs to get gum balls, or someone can grab it and run. The impact is the cost of the lost goods, the reputational impact, and the time lost replacing it, updating policy and procedures, or working with the police. The mitigation could be bolting it to the floor, having a custom key, or hiring someone to either man the machine or protect it.

You need to understand what you are trying to protect, to understand the threat to it, what vulnerabilities it has, the impact to its loss, and if the mitigation is appropriate. Hiring an armed guard will make the loss of the gum ball machine unlikely. The cost outweighs the benefit.

What are you trying to protect? It could be any number of things.

  • Money
  • Physical property
  • Intellectual property
  • Access // Trust
  • Reputation // Brand

The asset needs to be defined, before you can understand the risk involved. Most likely, your institution has multiple asset types. These assets will not carry the same risk, and will not be protected the same way.

In a bank, the obvious asset at risk is the money. That asset exists both as physical currency and digital bits. Each has its own threat model. Both are at risk from thieves, insider threats, or potential destruction. How do you define each? How do you prioritize which one you want to protect more? How do you define your crown jewels?

Think about the threat to the assets. Someone could take the physical money. Someone could manipulate the digital bits to make someone else take ownership of the money. How do they accomplish either feat? Are you more worried about masked assailants taking the currency from a branch office, or a digital adversary abusing the SWIFT banking system to move money to another bank and account in an unauthorized manner? If you controlled security spend, how much would you spend depending which? How would you prioritize your detection capabilities?

Think about the vulnerabilities. Who has access to move the money? Who determines who has that access? How is that access granted? Who audits that behavior? When and how often? How do you define trust of the people involved in access? How do you verify that trust? What about the systems involved? What physical protections exist? How strong are they? What hardware and software is in use to control access to the digital assets? How often are they patched? What is the software // hardware lifecycle? What policies governing use of these assets are in place?

Think about the impact. How does the loss of the asset affect the institution? What is the total cost of that loss? How do you quantify the loss of trust? The failing morale? The loss of time investigating, then vetting and putting in place new mitigations (procedures, audits, hardware and software)?

In order to prioritize your defenses, you need to understand what you are protecting, the impact of its loss, how it can be lost, and why (and potentially who) that loss would occur. Then design your mitigations based on that. That is your threat model.
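The risk equation and the gum ball machine walkthrough above, carried through as an added example (not code from the original post): it ranks constructed threats by raw risk and then picks mitigations under a budget, rejecting any whose cost exceeds the risk it removes, which is why the armed guard never gets selected. All assets, probabilities, dollar figures and mitigation factors are constructed illustrations.

```python
"""Budget-constrained mitigation selection built on the page's risk equation:

    Risk = (Threat x Vulnerability x Impact) / Mitigations

Added example, not from the original post. Every figure below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    cost: float    # annual cost in dollars (constructed)
    factor: float  # divisor applied to raw risk; larger means stronger


@dataclass
class Threat:
    asset: str
    name: str
    likelihood: float     # chance of an attempt per year (constructed)
    vulnerability: float  # chance the attempt succeeds, unmitigated
    impact: float         # dollar impact: goods, reputation, time lost
    options: list = field(default_factory=list)

    def raw_risk(self) -> float:
        return self.likelihood * self.vulnerability * self.impact

    def residual_risk(self, chosen) -> float:
        """Risk left after the chosen mitigations; factors multiply."""
        divisor = 1.0
        for m in chosen:
            divisor *= m.factor
        return self.raw_risk() / divisor


def build_model() -> list:
    """Constructed threat model: the lobby gum ball machine and a bank's money."""
    return [
        Threat("gum ball machine", "gum ball theft", 0.5, 0.8, 500.0, [
            Mitigation("bolt to floor", 50.0, 4.0),
            Mitigation("custom key", 100.0, 2.0),
            Mitigation("armed guard", 40_000.0, 50.0),
        ]),
        Threat("physical currency", "branch robbery", 0.1, 0.5, 200_000.0, [
            Mitigation("time-locked safe", 2_000.0, 5.0),
        ]),
        Threat("digital bits", "SWIFT abuse", 0.25, 0.4, 5_000_000.0, [
            Mitigation("dual authorization", 20_000.0, 10.0),
            Mitigation("transaction monitoring", 50_000.0, 4.0),
        ]),
    ]


def rank_threats(threats) -> list:
    """Highest raw risk first: where detection capability should go first."""
    return sorted(threats, key=lambda t: t.raw_risk(), reverse=True)


def plan_mitigations(threats, budget: float):
    """Greedy cost/benefit selection.

    Each round picks the unchosen mitigation with the largest risk reduction
    per dollar. A mitigation whose annual cost exceeds the risk it removes
    (the guard for a $500 gum ball machine) is never worth buying, and one
    that no longer fits the remaining budget is skipped.
    Returns (chosen, remaining_budget) with chosen keyed by threat name.
    """
    chosen = {t.name: [] for t in threats}
    remaining = budget
    while True:
        best = None
        for t in threats:
            current = t.residual_risk(chosen[t.name])
            for m in t.options:
                if m in chosen[t.name] or m.cost > remaining:
                    continue
                reduction = current - t.residual_risk(chosen[t.name] + [m])
                if reduction <= m.cost:
                    continue  # the cost outweighs the benefit
                score = reduction / m.cost
                if best is None or score > best[0]:
                    best = (score, t, m)
        if best is None:
            return chosen, remaining
        _, t, m = best
        chosen[t.name].append(m)
        remaining -= m.cost


def total_residual(threats, chosen) -> float:
    """Risk remaining across the whole model after the chosen mitigations."""
    return sum(t.residual_risk(chosen[t.name]) for t in threats)


if __name__ == "__main__":
    model = build_model()
    for t in rank_threats(model):
        print(f"{t.name:16s} raw risk ${t.raw_risk():>12,.0f}/yr")
    plan, left = plan_mitigations(model, budget=60_000.0)
    for name, picks in plan.items():
        print(name, "->", [m.name for m in picks] or "nothing worth buying")
    print(f"budget left ${left:,.0f}, residual risk ${total_residual(model, plan):,.0f}/yr")
```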


Nobody is a Qualified Infosec Practitioner

I read the same tweetstorm everyone else did about what you have to have to be an infosec professional. My $0.10 is simple: every time someone says you aren't a true // capable // professional Infosec practitioner, remember they weren't born like that either. They ignore their past and its learned ascent, and view the world of Infosec through the bias of their position, their history, and their employer's threat model.

And remember, many of these supposed supermen usually work at the behest of the US Federal Govt, so all their brilliant life choices mean this is the third time this year they aren't getting paid. No one gets it right all the time.

All respect to the people who help and uplift and work to make us all safer wondering how they are going to pay January and February rent. I can't begin to imagine ...

Leave Your Comfort Zone

I have recently unmuted every account I had muted on Twitter (100+). I unblocked many. I didn't unblock all, because I do have lines. I instead muted words or phrases whose use (in my searching) never amounted to a good conversation on Infosec. I chose to immerse myself in the views (via retweets) of those I disagreed with, sometimes vehemently. As seen above, we view the world from within the lens of our own experiences. We can't understand why people act a certain way // speak a certain way // vote a certain way while only looking through our lens. 

I have diversified my reading. I just finished Democrat to Deplorable by Jack Murphy. This book takes a look at how nine million people who voted for Obama twice then voted for Trump. It's been easy to scream racist // sexist // various pejoratives designed to shut down discussion at people rather than look through their lens, but Jack lets us peer into his. It is a good look at second and third order effects, and shows us what happens when people's use of words clings to definitions long past. Literally.

Next on my list is The Handmaid's Tale. I frequently heard how this would be a reality with the elevation of Kavanaugh to the Supreme Court. Reading the back cover I can't even begin to imagine the world view I currently believe to be inane where anyone can think American politics could create such a world. I choose to delve into it because there may be ideas that deserve greater discussion and thought - assuming people are willing to have real conversations about it.


I am about to buy a game for my Nintendo Switch I don't want because then my nephew will have someone to play against on his newly opened Switch (which my brother wisely updated before putting under the tree). The $60 I'm spending isn't for the game, it's for the shared experience with my nephew.

I'm fortunate this Christmas that most of my gift givers gave me things that we could use together - they gave something that was bundled with the gift of time. I have too much stuff as it is (and still need another bookshelf and a small number of other things), so the gift of time is especially welcome as I live alone.

Time is your most limited and most precious resource. Put it to good use.


I am working on an opportunity that may allow me to make a living while returning more of that most precious commodity to me - time. It is a sacrifice that puts me at odds with another potential choice in advancing in my Infosec career in a way I didn't expect. Like anyone else in this world, I have choices. Unlike many, mine are choosing between two potential betters. I acknowledge my agency in the choice, and the responsibility that goes along with it. I already have dedicated time to my projects, my education, my work, and my businesses. I have to remember to carve out time for my health, fitness, and decompression. You put on your oxygen mask before your child, because you can't help anyone else until you take care of you. True on planes spiraling to armageddon as it is in your daily life. Eat healthy, work out, read, and rest. You will feel better.


Time for the cast iron pan fried ribeye, air fried garlic potatoes, steamed green beans, sautéed spinach, hot tea, and the spate of Christmas movies:

A Christmas Story

Die Hard

The Ref

Die Hard II

and Scrooged.

I hope you aren't reading this on Christmas (unless you are in an inhospitable place, then I hope I provided a moment's relief). If times are good, embrace it because this moment will never come again. If they are bad, just wait, it is only a moment, and with small effort it will be gone forever soon enough.

Remember, Reginald VelJohnson's role in Die Hard gave us Family Matters. Here's to second order effects.



The arbitrary end of the calendar year approaches. This is always a good time for review.

The purpose of a review is to take stock of what you accomplished compared to what you planned to accomplish. If you've accomplished everything you've planned, then odds are you didn't press yourself enough. If you didn't accomplish everything you planned, then you need to refine your expectations or your prep work. From a work // employment standpoint, this is a chance to burnish your CV // Resume combo, even if you have no plans to switch jobs. You may consider a switch, or have one forced on you, at some point. In this case it is easier to hit the ground running if you keep your resume and CV accomplishments current. I use the accomplishments of the year to plan for my goals for the following year, and build a long term plan, so I have a focus.

As James Spader said in Stargate, the last point needed to get to a destination is a point of origin. To consistently track your journey, you need to keep looking at that point of origin to stay on course. As you hit different waypoints, that changes the point of origin for the current leg of the journey, but keep the original one in mind to maintain awareness of where you started.

My journey started when I went to school. I got my first IT job, then I got my first InfoSec job. Then I got my associate's, then a better job with a pay and responsibility increase, then my bachelor's. It took me time to get some certs and work my way into a top flight institutional defender position. Once there, I worked to build out professional 500 level InfoSec certs, learned new technologies, demonstrated excellence, built out a mentoring program, started speaking at Cons, started writing a blog, and started building an e-commerce website.

That is a lot of accomplishments. And it seems daunting to people new to the industry (or even veterans). Take a look at that list, and realize that began in July 2006. I see a list of accomplishments over 12 years, and I feel I have not done enough. It takes time to build momentum. Success builds on success. And the more wind beneath your wings, the better you are at charting a course going forward.

I have three SANS certs: GCIH (504 Incident Handler), GCFE (500 Windows Forensics), and GCTI (578 Threat Intel). Planning ahead, I am taking the class and exam for the 572 Threat Hunter course in Q1 2019. Beyond that I know I need the 401 GSEC and two gold papers to press for the GSE. That will press into 2020. The past has helped inform my direction as an institutional defender, and I need to shore up my certifications to be able to demonstrate that. This is good from a job standpoint, and to have a skillset that lets me press for more training and leadership // directional decision for my institution.

I need to get the website fully secured and both Android and iOS apps built for the site by end of summer 2019. The site is almost done, but the infrastructure still needs to be built. I've done most of the legwork, and Humble Bundle and No Starch have helped provide resources. The ultimate goal is to build as near passive income as possible, as a resource to eliminate debt, build more of a nest egg, provide a safety net, and build independence.

I need to get the CISSP, for reasons both obvious and personal. I need to slot time in to do that, and the study should start in 2019, even if the exam is in 2020. Whatever direction I go, it both shows an excellence HR departments understand, and it provides flexibility to be on either the policy or technical side of the house.

I need to press for my Masters. To do that I need to take the GMAT in summer 2019, expecting school won't start until January 2020 at the earliest. And I need to decide between an MBA, a Masters in IT, or a combination program. Once again, the credential matters, as there may be opportunities for leadership at my institution, and I need to further separate myself from my cohorts, though I expect taking on the role would come with their support.

I need to start outlining both of my books. I plan to write a fiction book and a non-fiction book on Infosec. Sometimes all you have to do is sit down and write. But it will collapse without structure. My desire is to put something out there that will help future institutional defenders start and build a career.

I think of where I started, and how the successes built on each other to maintain a progression closer to exponential than linear. All things take time. What's important is to compound the successes over time. This won't make accomplishments easier, it will make the burden of success easier to carry.

"Progress not Perfection." Denzel Washington in The Equalizer.


The concept of trust is a foundational one in InfoSec. You give a user access, you expect that access to be used in the designated way. You give an accountant trust to dispense money in accordance with, and only for, the business need. You give your kids the car keys or let them stay home alone, trusting to get the car back in one piece and the house clean of party remnants. If a user misuses the system, the accountant embezzles money, or the kids damage the car or house, privileges (or jobs) can be revoked.

Thus the concept of forced trust. You want a job with the Federal government? You are filling out very detailed forms, and you have no choice but to turn over that data. Your employer has to have your W-2 information for payroll. You want to stay connected with your family? That may mean you need a Facebook account. Even with all the privacy settings, the data gets slurped, in ways you may realize, but most don't.

To be a part of the world, in so many ways you are forced to trust entities that have already, maybe even repeatedly, proved they aren't worthy of that trust.

  • Every major hotel chain (Marriott 2018, Hilton 2017, Hyatt 2015, Starwood 2015).
  • Online retailers.
  • Brick and mortar retailers.


Sure there's a fix. Never submit identifying information. Only use cash. Drive older cars. Only use prepaid cellular, and only turn it on and call from the same place.

How practical is any of that? Even monks in monasteries are online. So what can you or anyone do?

Humble Bundle prompted this. The good news is only those with a Humble subscription, not regular users, are affected. And the reports show the adversaries got e-mail addresses and that those e-mails were tied to subscriptions. These can be leveraged for phishing attacks, or spam from other game services.

I purchase the monthly bundle on occasion. My protections for this and other online retail is somewhat simple. Anything that isn't primary to my life is tied to a secondary e-mail account, and a secondary account for my money. I move money in to pay, and I'll happily take the monthly account fee to not have a minimum balance. A low balance credit card fits this bill nicely. Any compromise will send spam and phishing to the secondary e-mail account. If something goes horribly wrong, it's easy to burn that account and spin up a new one. Password managers prevent reuse attacks. And if something slips through the e-mail provider's BS detector, I know not to click the link and just login at the site directly. Any reputable service will have alert notices clearly visible right after login. I know people who use more unusual browsers (e.g. Opera) for transactions on banking and healthcare sites, knowing they are less likely to be targeted for exploitation on those sites. Obscurity is not security, but obscurity can augment security.

We live in a world where forced trust is constantly betrayed. Even if Facebook is broken in half, other services will fill the void. They too will betray you (whether or not members of their board Lean In). The best anyone can do is understand their personal threat model: what do they have that would hurt when lost, and how can they reduce the risk of that loss, or in the modern world prepare to continue on when that loss happens. We are in the Matrix, there's no more getting out. There is simply dealing with the world as it is.

"You lost today, kid. That doesn't mean you have to like it."

-Man who gave Indiana Jones his hat.




This is part four in the series on personal codes of conduct. These are my maxims, my personal guiding philosophic code.

Part 1

Part 2

Part 3

Maxim 10: People aren't dumb. They are illogical.

Dumb users may be the foundational trope of IT. Doubly so in Infosec. I remember the early days of the Bastard Operator from Hell (reference point: go to and search BOFH). There were other actual non-satirical blogs like this of admins having days ruined by inane stupid requests from users. If you are old enough, you remember the stories of the now extinct CD-ROM drives' birth when there was always that one user who thought it was a coffee cup holder. To be fair, by modern definition, the coffee cup wizard is a hacker. They found an undesigned use for their hardware. We mocked them; we should have praised them for their ingenuity. Thus my maxim.

Users aren’t dumb. They are illogical.

End users are trained to do their processes. Most jobs in offices today are designed to be done in near assembly line style. A user has a very defined set of duties. They are trained on that set of duties. They practice those duties every time they do them. The procedure is logical for them. That logic exists within the bias of their experience. Most jobs do not require – nor do they want – people who think outside of the box. This is the complete antithesis of IT and Infosec – we follow processes but are constantly put into situations where the box doesn’t exist, and we must solve the problem // track the adversary // stop the malware // fix the issue RIGHT NOW. This requires us to be agile in thought while still following a logical progression. To be in the IT // Infosec space, you need to have the ability to be logical. Troubleshooting is applying logic to a problem. The nature of our jobs requires us to be able to logic any situation that comes up, as inevitably many have nothing to do with our systems.

In the modern day Everything as a Service society where most people outsource their needs to third parties, the need to be able to solve problems logically is no longer a necessity. It gets outsourced. Thus, when people need to be logical in an unfamiliar environment, they get frustrated.


subject inexperience x emotional escalation x attention at that moment = disproportionate response (Blowback)

You must understand the logical approach in dealing with an illogical person, then you can mitigate any unpleasant response. If you can minimize the attention on them at that moment, calm the situation down through the liberal use of patience, and use it as a teaching moment, you minimize all three factors leading to blowback. The biggest part of this is knowing that they will be illogical with their next tech and security issue, and the next, and the next. On a long enough timeline with enough interaction, they will start understanding the logic. And helping them get there gets you an ally.


Maxim 11: Words matter.

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

-- Cardinal Richelieu, in The Three Musketeers.

Words change the path of the world. Look at what a tweet from the commander in chief can do. Words can be used to change a mood, challenge an assertion, even save a life or sentence a human being to death. Words can build allies or create enemies.

We live in a world where people want to be offended, forgiveness is conditional, and even (especially) the most mighty of Infosec heads look for reasons to crucify people based on their personal orthodoxy. For all the talk in helping people up, they also file away every printed work to use against those same people someday.

In the modern world, our words are eternal – every tweet a testament, every comment an epitaph. In this world, you must be skillful with your words as if they will be carved in stone forever. You need to respect the damage they can do to you as well as to others. Your words will be used against you by your adversaries and enemies.

Be direct. Use exacting language. Understand how to communicate for your medium. If you use twitter, reference an idea then link to a blog post expanding on it. Review written words before publishing. Think on any e-mail before hitting send. Think about the potential recipients (even ones not in the To field or among your twitter followers) as your message is shared and how they choose to interpret the words from within their bias bubble.

It sounds like a lot of work. It is. It doesn’t matter if we don’t like the world being that way, we deal with the world as it is (Maxim 2).

Corollary: Passive aggressive statements are a sign of weakness. Those who deliver such statements demonstrate a cowardice to take responsibility and challenge something directly, most likely because they know their challenge will not stand up to any logical scrutiny. These statements are most often used when logical truth is at odds with emotional (childish) desires.

Do Not Be Passive Aggressive.

Maxim 12: Take care of the people who take care of you.

I am fortunate. Not because I have slogged through the mud to an amazing job with the best benefits I have ever seen (not primarily). Having slogged through thankless jobs, I am very appreciative of those who enable me to spend more time doing what I need to be doing, rather than being forced to do little housekeeping day to day time sinks that whittle down my time availability in my day. I once thought the idea of the rich person with the butler was snooty. Having been support staff, I realize the value in the staff giving back time into my day. Lunch is provided, so I don’t have to spend time making it before work. People keep the office and restrooms clean, so I don’t. I have an HR department that is constantly challenging our benefit providers to do better so I don’t have to shop around myself. I have a bona fide excellent IT support team who makes sure I never have to engage with angry users.

I also realize these people get paid far, far less than I do.

It starts by acknowledging that they are not an invisible service provider. They have names. Most have families. They aspire. At times they have unpleasant jobs. I want them to feel valued; I want them to feel appreciated. I want them to achieve and do well in life. I want them to be part of a culture of success.

And to do that, I give my time. When they have questions of personal security, I will take the time to do a security review and let them know what options are available. Are they in a branch of IT and are looking at positions on the horizon? I work with them to know what they should train to build the skillset for pending internal positions that would be a promotion. I help them find the conferences and knowledge bases they don’t know exist. Sometimes it is just hallway talk about how bad the Buccaneers are doing this year (after a too promising 2-0 start with a backup) so the slightly better Packers could be in a worse position.

Taking the time is more than just being human, it’s pragmatic. Because that day will come when I need them to take the time for a reason I can’t imagine, when they wouldn’t have to. I won’t even have to ask.

Across seas of monsters and forests of demons we traveled. Praise be to Allah, the Merciful and Compassionate. May His blessing be upon pagan men who loved other Gods, who shared their food, and shed their blood. That His servant, Ahmed Ibn Fahdlan, might become a man, and a useful servant of God.

-- Ahmed Ibn Fahdlan Ibn Al Abbas Ibn Rashid Ibn Hamad, closing line to 13th Warrior.




I have a folder in my e-mail where I save the CFP rejection notices I have received, from the conferences that send those notices. When these rejection notices come in, they always come with platitudes such as 'thank you for submitting' and 'please submit next year'. They never say 'your submission was awful' or 'please don't contact us again.' They come with zero constructive feedback. If you talk to people on the selection committee, they will say some variation on the following lessons people can learn from the process:

  1. Try submitting the talk again at other conferences.
  2. Try again next year.

These are complete falsehoods.

Submitting at other conferences may be a waste. Selection committees are inbred. Selection committees are made of high profile Infosec people and conference insiders. There are not a lot of these in a region. Ergo, they get reused. If you are rejected from giving a talk in Indy and you submit to a conference in Chicago // Louisville // Grand Rapids, you may very well be rejected again by some of the same people who told you to submit it elsewhere.

Why would you try again next year? In the world of Infosec, where things change daily, if the talk wasn't up to their snuff this year, when all the incremental changes happen in a year, how will your talk be even more relevant? Doing this is a waste of time.

As always Maxim #2 applies (We deal with the world as it is - we don't pretend it's the way we think it should be). In light of that, here are the real lessons I have learned from the CFP process, and my several rejections.


Make a decision - do you want to speak on this topic, or do you want to speak at this conference?

Understand this. You may have a topic you think is of value. You may have a conference where you'd like to speak. And they may not go together. Most every talk can fit into the base design of some conference - there are dozens, if not hundreds, in the US alone. But most conferences have a very specific template. Look at the webpages for that conference past, and see the talks and abstracts they publish. Does your topic line up with these? If your goal is to present at a conference versus give a talk on a specific topic, look at the past talks to find what they like to have presented at their conference (and it is THEIR conference, despite any claim about being part of or welcoming to the community - internalize that). Find something in that vein and present it. Do they take talks about threat hunting? Find a topic on hunting that hasn't been done, such as hunting with outlook registry artifacts or hunting through Mac system logs. Learn a topic that they'd like that no one has presented, become an expert, and submit that. That may mean waiting until next year, but if the goal is to present, put yourself in a position to do that. If you want to present on the topic, you may have to widen your search, and expect to travel.


Every conference has a clear template about what presentations they accept. They are the presentations from previous years.

This seems so common sense, but it is never really preached. People will mention it occasionally, but it is the ultimate canon on what a conference wants. You have a library of what talks they want, how they should be titled, what the abstract should look like, and most importantly, what kind of people they want presenting (this last one is the unspoken dirty little secret - conferences are run by people with agendas, remember). Everything from the headshot to the name to the title to the bio is laid out in a nice order. Review these over a long enough timeline and you will see a pattern. Build to fit the pattern they want. This increases your chance at selection.


Don't punch above your weight.

Some conferences, through the patterns explained above, don't want new people or unknowns. They tie the prestige of the conference to the speakers who present. When a conference publishes a partial list of speakers before the stated date of selection, they are demonstrating their prestige. Each of these speakers will have some list of notable accomplishments or previous speaking engagements which give the conference weight, and explain what they are looking for.

Like every rule there is an exception. There is nearly always a magical little checkbox at these conferences that (when most politically correct) says 'check here if you are an underrepresented group.' Understand in modern parlance, that means not a white male. As a white male, I have very strong feelings about this, for reasons you wouldn't expect (and some you would). But the truth (maxim 2) is that if you are not a white male, use this to your advantage. Conferences want people who aren't white males (for reasons ranging from pure to sexist//racist, depending on the conference - not everyone is on the side of the angels). Use this to your advantage. Make use of the opportunity. Understand this doesn't mean (at most conferences) that you will be accepted because of a sub-par talk. What it means is you win tiebreakers. The conference will pick out the big names and the talks they clearly want. If yours is a talk they want, and you aren't up against an Infosec name, and you followed the submission guidelines (people don't - conference organizers whine about this every year), your competition is whittled down to any other similar talk being presented by either an underrepresented group or an insider who knows someone on the selection committee - and the checkbox can beat even that. Understand this, there is no shame in using the available advantages. It is your future, and your resume - don't hold yourself back.


Sometimes, the only winning move is not to play.

If you read this as a defeatist attitude, you already missed the point. As the old woman in The 13th Warrior told Buliwyf, perhaps you've been fighting in the wrong field. If your goal is to get information out there, but you don't think you can get past the selection committees for whatever reason, you have options. Write a blog. Do a podcast. Post a video on YouTube. Create the content with your own personal spin, and use that to build your personal brand. Demonstrate value. Connect with like minded people. Share content. Do this, improve your skills at presenting information (in any format), build a history of useful content, and you become a name that the conferences want, you build bridges to people on the selection committees, or you may be brave enough to put in the time to start a conference covering those uncovered topics.

Here's the dirty little secret of meritocracy, and an example of where even the most beneficial and fair system breaks down. When you accomplish something that lets you connect with the people running these conferences, you are in a position to make better connections and have access to research others don't, making it easier to get the better jobs or access to information on topics you'd like to research, that you can then present, creating a continuous cycle. It takes a lot more effort to get into the eye of the storm than it does to stay there. And when others see people make that same journey, they will work to insulate that group. It's the nature of tribalism, which has existed since the dawn of mankind and will never go away. Understand it. Accept it. Make use of it.

Ultimately, decide what you want. Take the time to learn the real rules of engagement, then play to win.


Give your adversary every opportunity to make a mistake.

This is my first maxim of Information Security. It is my keystone. We hear variations on this: an adversary only needs to be right once to get in, but then only needs to be wrong once to be discovered. APT1's behaviors let Mandiant (later acquired by FireEye) track them to a building in Shanghai tied to PLA Unit 61398, the 2nd Bureau of the General Staff Department's 3rd Department. CrowdStrike reviewed the DNC hack and was able to discern that two separate Russian intelligence services had both compromised the network, apparently without either realizing the other was there. Guccifer 2.0 forgot to turn on his VPN just once before going onto Twitter, and his real IP address was traced to a building in Moscow tied to the GRU. Stuxnet has been widely attributed to the NSA (working with Israel), Duqu to Israeli intelligence. The best of the best make mistakes. This leads to a corollary to my first maxim: on a long enough timeline, everyone makes a mistake.

Here's a story that was shared with me by a good friend in the industry. It is missing relevant details out of respect for my friend. Some details have been changed. The processes, trail, and TTPs are accurate. Apologies to Dick Wolf.

An adversary (henceforth identified as Beetroot) was intent on committing fraud. Beetroot did this by pretending to be an American company that would help foreign businesses get loans allowing them to establish a presence inside the United States. That presence would let them register with the IRS and get an Employer Identification Number (EIN). Beetroot claimed to be able to facilitate the paperwork, the line of credit with an American bank, and contacts in the United States for the foreign business, giving it access to the lucrative American markets, for a moderate to large fee plus a revenue-sharing percentage over some period of time. Beetroot claimed to be able to do this because he was a university professor with access to Masters and PhD candidates who would do the work for research credit. Beetroot reached targets by using Search Engine Optimization (SEO) on popular foreign search engines (Yandex or Baidu, for example).

Beetroot had been running this scam for a long time. As he didn't target American citizens or businesses, no one domestically took any notice. His fee amounts were small enough foreign governments wouldn't go through the hassle of dealing with the US State Department to attempt to apprehend Beetroot or retrieve the money. Beetroot was safe.

Beetroot would do some brand impersonation on a website. One of the brands he impersonated found out and had his site taken down. Beetroot spun up another site and impersonated someone else.

Later on Beetroot spun up another site, with a domain name very similar to the one that had previously been used against my friend. Once again, my friend's educational institution (a collegiate business school in the greater midwest) found the site, and worked to take it down. My friend came to me and asked me to take a look at what he had. We worked at different shops but were both contracting through the same firm so NDAs were easy to handle.

### I reread that NDA 4 times before hitting publish. This births a new maxim. Do not mess with an NDA.

Beetroot used servers in Eastern Europe. Beetroot used privacy guard. Beetroot used publicly available information from any search engine to do the impersonation. Beetroot had no digital footprint of any kind in the US. There wasn't much to go on. Except Beetroot went back to the well and impersonated the same school twice (mistake #1).

This time Beetroot's tradecraft was nearly flawless. But, since the attack was virtually identical in every way (what he did, how he did it, who he targeted, where the targets lived) one could say with moderate confidence it was the same adversary. So the focus of the investigation was the original impersonation website.

Both websites were a variation on the school's URL acronym, registered at .com instead of .edu (many schools, even business schools, don't register the .com - poor brand defense). But on the original one, Beetroot made one hiccup. At one point he switched registrars. Maybe he was being cheap, maybe he had a deal, maybe he liked the local geolocation better. But the day he switched, he forgot to check the box for whois privacy (mistake #2). For one day the full whois record was listed, and a historical whois archive captured it in perpetuity. There was no name, but there was an e-mail address and a street address. Tied to the registration date, we had behaviors tied to an indicator - we had pivot points. The e-mail address turned up three more websites impersonating Australian and New Zealand schools whose business and law departments specialize in South Pacific maritime law, offering (for a fee) to set up businesses in regional countries to deal with shipping laws. Same scam, different business model (mistake #3).

The street address was diamond-studded, 24-carat, platinum-plated solid gold. Over 40 websites with 15 different e-mail addresses were tied to that address. All 40 sites were hosted on one of three different Middle Eastern bulletproof hosts. At each host, all the sites lived on a single /30 subnet. Every site ran the same web server software; the only differences were versions, and the versions tracked to when each site was spun up. There were more sites on those subnets, and they led to a few more e-mail addresses, which led to a few more sites (mistakes 4 through 1329542). These took the timeline up to the point when Beetroot figured out he should privacy-guard everything. There were tons of pivot points to investigate, spoofing tons of other schools in English-speaking countries.

That wasn't all. Looking at the original site that spawned the original investigation, there was one line of text that stood out. It looked like a sentence had been run through Google Translate into another language and back into English. The original line wasn't hard to guess, and running it through Translate into Russian and back into English produced the distinctive sentence. We ran a Google search on that sentence and got three hits. One website didn't exist anymore; the other two did, and they were near carbon copies of the original website my friend had investigated. Those two were privacy-guarded, but they ran the same web server, had the same web structure, and sat on a subnet that tied to an early passive DNS record for the original imposter site (mistake X). And the defunct website was a diamond the size of a softball.

The original site was <university acronym>.<general university-biz word dash LLP>.com. It contained multiple subdomains for all the business types Beetroot would spoof. Whois wasn't private, the street address nearly lined up (one digit was off), and the registrant had a phone number with the area code and local prefix of the city and state listed in the whois. Later in the whois history, Beetroot switched to a Google Voice number, which used geolocation to give him a number with the same area code and prefix. The registration date puts this as the first site spun up. A web archive view of the site showed a very rough draft of some of the impersonating sites.
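The pivot chain in the paragraphs above (a single unprivate whois snapshot, a registrant e-mail and street address shared across sites, and neighbours on a /30 at the same host) is mechanical enough to script. Below is an added example that is not code from the original post; the whois snapshots, hosting observations, domains and IP addresses are all constructed for illustration (documentation IP ranges, invented domains) and the function names are my own. It shows how one exposed record seeds a cluster, and also where exact matching stops: the earliest site, with its address one digit off, is deliberately left out of the automatic cluster.

```python
"""Infrastructure pivoting over whois history and hosting data.

Added example, not code from the original post. The records below are
constructed to mirror the Beetroot story: a registrar switch that dropped
whois privacy for a single snapshot, registrant indicators shared across
sites, and sites packed onto /30 subnets at the same host. The domains,
addresses and IPs are invented (RFC 5737 documentation ranges).
"""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed whois snapshots: (domain, snapshot_date, private, email, street)
WHOIS_HISTORY = [
    ("abc-biz.com", date(2014, 1, 10), True, None, None),
    # registrar switch: privacy box not ticked for one day (mistake #2)
    ("abc-biz.com", date(2014, 6, 3), False, "reg@example-mail.net", "1200 County Rd 9"),
    ("abc-biz.com", date(2014, 6, 4), True, None, None),
    ("xyz-law.com", date(2015, 2, 1), False, "reg@example-mail.net", "1200 County Rd 9"),
    ("uni-pacific.com", date(2015, 9, 9), False, "other@example-mail.net", "1200 County Rd 9"),
    # the earliest site: address one digit off, so an exact pivot will not pull it in
    ("abc-uni-llp.com", date(2012, 5, 5), False, "first@example-mail.net", "1201 County Rd 9"),
    ("unrelated.com", date(2015, 1, 1), False, "someone@example-mail.net", "5 Main St"),
]

# Constructed hosting observations (passive DNS style): (domain, ip)
HOSTING = [
    ("abc-biz.com", "203.0.113.5"),
    ("xyz-law.com", "203.0.113.6"),
    ("uni-pacific.com", "198.51.100.21"),
    ("mirror-site.com", "198.51.100.22"),
    ("unrelated.com", "192.0.2.77"),
]


def exposed_snapshots(history):
    """Snapshots where whois privacy was off. One slip on one day is
    enough, because historical whois archives keep every snapshot."""
    return [rec for rec in history if not rec[2]]


def first_exposure(history, domain):
    """Date of the earliest unprivate snapshot for a domain, or None."""
    dates = [rec[1] for rec in exposed_snapshots(history) if rec[0] == domain]
    return min(dates) if dates else None


def build_pivot_index(history, hosting, prefixlen=30):
    """Map each indicator to the set of domains sharing it.

    Indicators are (kind, value) tuples: registrant email, street address,
    and the /prefixlen network the site was hosted in (so neighbours on a
    /30 at the same bulletproof host become one pivot)."""
    index = defaultdict(set)
    for domain, _, private, email, street in history:
        if private:
            continue
        if email:
            index[("email", email.lower())].add(domain)
        if street:
            index[("street", street.lower())].add(domain)
    for domain, ip in hosting:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        index[("subnet", str(net))].add(domain)
    return index


def expand(seed, index):
    """Pivot outward from a seed domain across shared indicators until no
    new domains appear. Returns (domains, indicators_used)."""
    domains, used, frontier = {seed}, set(), [seed]
    while frontier:
        current = frontier.pop()
        for key, members in index.items():
            if current in members and key not in used:
                used.add(key)
                for other in members - domains:
                    domains.add(other)
                    frontier.append(other)
    return domains, used


if __name__ == "__main__":
    index = build_pivot_index(WHOIS_HISTORY, HOSTING)
    print("first exposure of abc-biz.com:", first_exposure(WHOIS_HISTORY, "abc-biz.com"))
    cluster, used = expand("abc-biz.com", index)
    print("cluster:", sorted(cluster))
    for key in sorted(used):
        print("  pivot:", key)
```

Seeded with abc-biz.com, the expansion walks the shared e-mail to xyz-law.com, the shared street address to uni-pacific.com, and uni-pacific.com's /30 to mirror-site.com, while unrelated.com never joins. The one-digit-off address on abc-uni-llp.com is not matched, which is the point: automated pivots on exact indicators get you the bulk of the cluster, and the analyst still reads the near-misses (address typos, a phone prefix, a translation artifact) by hand. On real data, normalize addresses and e-mail casing before indexing, and treat a shared subnet at a commodity host as weaker evidence than a shared registrant.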

The cherry on top - Google Earth. Street addresses should be tied to a lat // long. Beetroot's address was in the middle of nowhere; Google Earth showed an empty field of tall grass. We went down the road in both directions and found that the addresses on the few mailboxes didn't line up with Google Earth's markers. So we clicked down the road to a small house surrounded by fields for hundreds of yards. Its address marker carried the address originally discovered in the whois. The small house had multiple satellite dishes (like one would have for Dish or DirecTV), which makes sense for middle-of-nowhere internet. And the smile on the Mona Lisa? We spun Google Earth around, and someone had paid the money to put in a telecom junction box like you see in suburbs right across the street from this house in the middle of nowhere. There were still signs of a fresh trench dig and fill from there toward the highway, and a fresh strip of asphalt from it across the street to what I assessed, with high confidence based on everything together, was Beetroot's house.

From a Threat Intel standpoint, this was unbelievable. It was the Deathly Hallows, the Lost Ark, even the alien from Area 51. We had tradecraft. We had a full timeline from start to current. We had targets. We had consistent TTPs stretching over years. And we had Beetroot's home.

We imagined that's what it felt like when the Mandiant researcher stood outside the office building in Shanghai and took that picture.

Beetroot represented something that gets zero discussion in most online Infosec circles - the Persistent Threat. We hear about Advanced Persistent Threats all the time. And we hear about script kiddies who wreak havoc with a tool. Beetroot fell in the middle. Beetroot probably started out as one person, and then worked with others to make his scam work. Beetroot's skills improved with time. But Beetroot never wiped his slate clean. As his tradecraft got better, he didn't clean up his previous footprints.

Persistent threats have greater initial technical debt, and much more limited resources. They need to build on previous successes with very limited budgets. Their advantage is it's harder to defend than attack, and Beetroot wasn't attacking anyone who had the means to fight back. But the work wasn't lucrative enough to throw away his old infrastructure, and then he likely forgot about it. He diversified, but not enough. He (like most adversaries) had consistent TTPs across his fraud. Lone indicators were a starting point, but the TTPs were so obvious from one to the next.

We think of the near impossibility of finding APTs without multiple dedicated staff assigned to each Infosec function. And how would one train to challenge such an adversary? Lots of businesses will fall into the targeting reticle of one of the many APTs. But for each of the APTs, there are dozens of persistent threats coming after your networks, with tradecraft not as good. You can use these to show successes to leadership. You can use these to sharpen your skills. And you can use the learning experience to better position yourself to catch the advanced threats, who will also make mistakes.

Give your adversary every opportunity to make a mistake. They will. And you will catch them.