John Strand Slapped Me In the Face

Aug 30, 2011
Data and Information Security | IT Leadership

I recently had the opportunity to participate in a course entitled “Offensive Countermeasures” taught by John Strand of PaulDotCom notoriety. It was my belief going into the class that I would be honing some “leet skillz” to beat back the attackers persistently targeting the resources that I was hired to protect. I envisioned an electronic Daniel LaRusso learning some mystical techniques to fend off the digital Cobra Kai. Far from my cyber Karate Kid fantasy, the course is more aligned with Home Alone.

Now your first impression is that my Home Alone comparison is a slight against either John or the course itself. After all, which would you rather have in your corner, a highly trained martial artist or a mischievous 8-year-old? Far from it; this course was for me perhaps the most thought-provoking course that I’ve had the luxury of attending in my 16 or so years in technology.

We’ve all been taught that a weakness in anti-virus software and IDS technology lies in their dependence upon signatures. These signatures mean that there must be an identified pattern in the mechanisms that an attacker is using against your network. This reliance upon signatures leaves us blind to unique attacks. If the bad guys are bashing in your front door in a new and novel way, you won’t even know about it until they get in. We know that this is a weakness and that our failure to look for unique attacks leaves us vulnerable to “one-off” attacks.

We know this, yet when we architect our layered security we all do the same thing. We are all using a firewall, IPS, IDS, anti-virus, etc. We’re all using them the same way, yet we’re shocked when someone bypasses them. We know that we need to look for novelty in attacks, yet we don’t rely on novelty in our defenses. We’re relying on boilerplate technology configured in boilerplate ways.

Strand’s course, for me, was a wake-up call. I realized that I had fallen victim to vendor speak, expecting that since I was writing big checks for the latest and greatest security technologies and using “industry standard” controls, my networks were safe. I’d sworn nearly a decade ago that I would never get that complacent. For me, Offensive Countermeasures was more valuable than the tricks and tips in the courseware; it was and remains a catalyst for rethinking how I defend that which I’m responsible for protecting. Don’t get me wrong, I got a lot of value from the courseware. In fact, I’m working on implementing a few of the items discussed in class. It’s just that the moment I realized how complacent I had become was such a slap in the face that I can’t place a value on it.

So what is my takeaway from John’s class? Aside from the concrete things offered in the courseware, I’m going to look at how I defend my network as if I’m a mischievous 8-year-old. I will find a way to piss off the attackers, slow down their advances, send them on some wild goose chases, and find out as much as I can about them in the process. I’ll find a way to set traps and alarms, and if I can swing a paint can from a banister, I’ll do that too. I plan to spend a lot of time looking at the tools that I have and finding ways to use them in new ways, unique to my environment, so that the bad guys won’t be able to follow a standard script to get in. I vow not to make my network a signature or cookie cutter of every other production network out there. I think the message that Offensive Countermeasures offers is something that each of us can take to heart and apply to our own defensive measures. If you choose to ignore John’s advice, I’m sure I’ll be reading about you in the newspaper soon.

PaulDotCom can be found at

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.