I recently had the opportunity to attend a course entitled "Offensive Countermeasures" taught by John Strand of PaulDotCom notoriety. Going into the class, I believed I would be honing some "leet skillz" to beat back the attackers persistently targeting the resources I was hired to protect. I envisioned an electronic Daniel LaRusso learning some mystical techniques to fend off the digital Cobra Kai. Far from my cyber Karate Kid fantasy, the course is more aligned with Home Alone.

Now, your first impression may be that my Home Alone comparison is a slight against either John or the course itself. After all, which would you rather have in your corner, a highly trained martial artist or a mischievous 8 year old? Far from it: this course was for me perhaps the most thought-provoking course I've had the luxury of attending in my 16 or so years in technology.

We've all been taught that a weakness of anti-virus software and IDS technology lies in their dependence upon signatures. A signature requires an identified pattern in the mechanisms an attacker is using against your network, so reliance upon signatures leaves us blind to unique attacks. If the bad guys are bashing in your front door in a new and novel way, you won't even know about it until they get in. We know this is a weakness, and that our failure to look for unique attacks leaves us vulnerable to "one-off" attacks. We know this, yet when we architect our layered security we all do the same thing. We are all using a firewall, IPS, IDS, anti-virus, etc. We're all using them the same way, yet we're shocked when someone bypasses them. We know that we need to look for novelty in attacks, yet we don't rely on novelty in our defenses. We're relying on boilerplate technology configured in boilerplate ways. Strand's course was, for me, a wake-up call.
I realized that I had fallen victim to vendor speak, expecting that since I was writing big checks for the latest and greatest security technologies and using "industry standard" controls, my networks were safe. I'd sworn nearly a decade ago that I would never get that complacent. For me, Offensive Countermeasures was more valuable than the tricks and tips in the courseware; it was, and remains, a catalyst for rethinking how I defend that which I'm responsible for protecting. Don't get me wrong, I got a lot of value from the courseware. In fact, I'm working on implementing a few of the items discussed in class. It's just that the moment I realized how complacent I had become was such a slap in the face that I can't place a value on it.

So what is my takeaway from John's class? Aside from the concrete things offered in the courseware, I'm going to look at how I defend my network as if I'm a mischievous 8 year old. I will find a way to piss off the attackers, slow down their advances, send them on some wild goose chases, and find out as much as I can about them in the process. I'll find a way to set traps and alarms, and if I can swing a paint can from a bannister, I'll do that too. I plan to spend a lot of time looking at the tools that I have and finding ways to use them in new ways, unique to my environment, so that the bad guys won't be able to follow a standard script to get in. I vow not to make my network a signature or cookie-cutter copy of every other production network out there.

I think the message that Offensive Countermeasures offers is something each of us can take to heart and apply to our own defensive measures. If you choose to ignore John's advice, I'm sure I'll be reading about you in the newspaper soon.

PaulDotCom can be found at http://pauldotcom.com