
🎓 VulnU #004: Beyond Goals: The Power of Systems in Infosec

Ditching the Goal Obsession for a System-Led Security Revolution

Read Time: 8 minutes

Vulnerable U Community,

In another edition of “Matt tells me how infosec is broken” - this week we’re talking about how most of us are focusing on the wrong things. Believe it or not, there are entire companies thriving whose sole purpose is helping you prioritize your vulnerability findings. If that isn't proof that we've been missing the mark, I don't know what is.

Topic of the Week:

Everyone's goal is to not get hacked. That goal is meaningless.

Conventional wisdom is that setting specific, actionable goals is the key to success—ensuring our networks are impenetrable, our data is safe, and our businesses are secure. For years, many of us have approached our infosec practices with this goal-oriented mindset, but the reality is that this approach often falls short.

What truly matters isn't the goal itself, but the system we implement to achieve it. As legendary football coach Bill Walsh put it, "The score takes care of itself." In other words, it's not the end result that we should be obsessing over, but rather the process we follow to achieve it.

Understanding the difference between goals and systems

James Clear talks about this in his book, Atomic Habits: how the pitfall of focusing on goals causes a few common problems to arise. I’d like to approach this same concept through an information security lens and explore what lessons we can learn from it.

James Clear - Atomic Habits on goals and systems

I’m proposing that goal setting has real limitations in information security, and that shifting our focus to building sustainable, robust systems is the key to long-term success. Adopting a "Foundations First" approach will not only help us build stronger security measures but also transform the way we think about and approach our infosec program challenges.

Am I saying goal setting is useless? No. A north star serves a purpose: it sets a target, gives your org clear direction, and gives your team a sense of purpose. That being said, goals often do little to move the bar forward, and many times they even distract us from critical steps necessary for true progress.

On the other hand, systems are the means through which we reach our goals—the processes, structures, and habits that actually give us the outcomes we’re looking for. In the realm of infosec, this includes all the basic blocking and tackling of day-to-day security ops and engineering. I’d put Threat Modeling at the top of the list, because it tells you what your foundations should look like. Unlike goals, which focus solely on the end result, systems emphasize the journey and provide a roadmap for continuous improvement, which is necessary in an industry that never stops changing.

The goalposts are constantly moving and traditional goal-setting becomes increasingly futile.

Building a Sustainable Infosec System

I was going to start this section with the ol’ “People, Process, and Technology,” but I think there is an item 0 on my list here, and that’s Threat Modeling.

  1. Threat Modeling: A mentor of mine has a saying: if you’re coming to the table without a Threat Model, you’re just finger painting in the air. Put differently, without understanding your threat landscape, you really are just doing things that sound good rather than things you definitely need to be doing. To build a solid foundation for your infosec system, start by identifying potential risks and asking yourself: what could go wrong? You need to know what you are protecting against before you can know which people, processes, and technology you need in order to protect against it.

  2. People: Skilled non-toxic professionals are the backbone of any successful infosec system. One bad hire will tank any progress you’re making faster than anything else you can get wrong. Invest in ongoing training and development to ensure your team stays current with the latest threats and best practices. Encourage collaboration and knowledge sharing, both within your organization and with external partners, to strengthen your collective resilience.

  3. Processes: Create clearly defined, repeatable, and scalable processes for risk assessment, incident response, and security maintenance. This will help your organization maintain consistency and efficiency in its infosec efforts, reducing the likelihood of mistakes and oversights. This will also create a baseline of the non-sexy mop and bucket work that will need to be done consistently in order to even start to consider the shiny things.

  4. Technology: Equip your team with up-to-date, reliable, and integrated tools and infrastructure. These technologies should support your people and processes, enabling them to work more effectively and focus on what matters most—protecting your organization. If you’re a software shop, make sure your tech is developer focused and you aren’t just spitting reports out and throwing them over the fence. Build where it makes sense, buy where it doesn’t.

You need to align your systems with your organizational culture, objectives, and risk tolerance. I used to work at some large financial institutions and had a saying that we were going to go “full bank” on a particular problem, which usually meant a level of paranoia that I never experienced elsewhere. On the flip side, if you tried to go “full bank” at a software startup, you’d firmly plant that company into the ground.

  1. Embrace an iterative approach to infosec, learning from successes and failures alike. Avoid the sunk cost fallacy; if a particular component of your system isn't working, be prepared to pivot and try something new. By adopting a "fail fast" mindset, you'll enable your organization to adapt more quickly to new threats and challenges. (read a lot about this in last week’s newsletter if you missed it: link)

  2. Encourage a culture of continuous improvement, where your team is always looking for ways to refine and optimize your systems. This may involve staying current with industry trends, soliciting feedback from stakeholders, or conducting regular reviews of your processes and technology. By fostering a blameless environment of growth and adaptation, you'll set the stage for long-term success.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Or if you can’t get past their paywall:

For those of us in infosec roles at target-rich environments - we need to remember that we are targets, especially of phishing and when traveling internationally. I had one CISO friend get asked some very pointed questions by the airport customs agent about their ability to hack computers.

Two good ones out of Mandiant this week. One is a recent Fortinet 0day linked to Chinese espionage, and the next is an overview of all the known exploited 0days of 2022 (55 of them).

  • Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020.

  • Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years.

  • (Major kudos to the elder millennial who made the headline a Ludacris reference)

  • BianLian continues to exhibit a high level of operational security and skill in network penetration, seeming to have also found their stride in the pace of their operations.

  • At the same time, the group has been improving their ability to operate the business side of a ransomware organization.

  • Most notably, BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims

Pwn2Own 2023 was this week. Always have an eye on this as it generally leads to an interesting Patch Tuesday. I should do a write up of all the interesting Pwn2Own winners of the past decade+

Talk about cyber becoming kinetic.

“Lenin Artieda, a journalist and presenter for an Ecuavisa TV program, was reportedly injured as a result of a USB drive that blew up when he inserted it into a computer.”

I always have an affinity for keeping an eye on the world of Quantum Computers. For a few reasons, some of which are obvious if you watch the video. But also a few great friends of mine run a Quantum Computing startup called Strangeworks, which, by the way, raised a big $24M Series A this week. Congrats.

This is a dense report. I’m looking forward to combing through it in more detail, but it looks juicy.

Specifically I like the sections about the 2022 trends in:

  • Ransomware

  • Initial Access Tradecraft

  • Command and Control Frameworks

  • Stealer Malware

  • Identity Attacks - (interception of MFA was big)

  • Email Threats

The Power of Vulnerability:

A quick shout-out to Reddit’s infrastructure team on presenting an incredibly detailed public post-mortem on the 314-minute Pi Day outage. These kinds of writeups are rare in the tech world and usually buried as embarrassing - glad they took the “Be Vulnerable” path to raise all of our collective awareness and resilience through lessons learned.

The whole writeup is here:

TL;DR - Kubernetes upgrade gone bad

"Upgrades, particularly to our Kubernetes clusters, are risky for us...

Upgrading from Kubernetes 1.23 to 1.24 on the particular cluster we were working on bit us in a new and subtle way we’d never seen before."

We practice upgrades but there is always the unknown.

We tried to fail forward.

"It took us hours to decide that a rollback, a high-risk action on its own, was the best course of action...

We didn’t find the extremely subtle cause until hours after we pulled the ripcord and restored from a backup."

A very minor difference in Kube 1.24 was our downfall.

"In the 1.20 series, Kubernetes changed its terminology from “master” to “control-plane.” And in 1.24, they removed references to “master,” even from running clusters

This is the cause of our outage. Kubernetes node labels"
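The lesson from that postmortem is that a label your workloads silently depend on can disappear during a control-plane upgrade. Below is a preflight check in that spirit, an added example that is not part of Reddit’s writeup or this newsletter. It assumes the label in question is node-role.kubernetes.io/master (the page only says “node labels”; that is the key kubeadm stopped applying in 1.24, with node-role.kubernetes.io/control-plane as its replacement). It walks the JSON that `kubectl get ds,deploy,sts,pods -A -o json` would return and reports every nodeSelector, affinity matchExpression, or toleration that still references the old key. The sample manifests at the bottom are constructed for the example.

```python
"""Preflight: find workloads that still depend on the deprecated
node-role.kubernetes.io/master label before a Kubernetes 1.24 upgrade.

Reads kubectl -o json output (a List or a single object) and walks the
manifest tree looking for the old key in nodeSelector, matchExpressions,
and tolerations. Assumption: the label named here is the one the upgrade
removes; the quoted postmortem only says "node labels".
"""
import json

DEPRECATED_LABEL = "node-role.kubernetes.io/master"        # dropped by kubeadm in 1.24
REPLACEMENT_LABEL = "node-role.kubernetes.io/control-plane"  # introduced in the 1.20 series


def _walk(obj, path, hits):
    """Recursively visit a manifest, recording the JSON path of every
    nodeSelector key, matchExpressions entry, or toleration that names
    the deprecated label."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == "nodeSelector" and isinstance(value, dict) and DEPRECATED_LABEL in value:
                hits.append(child)
            elif key in ("matchExpressions", "tolerations") and isinstance(value, list):
                for i, item in enumerate(value):
                    if isinstance(item, dict) and item.get("key") == DEPRECATED_LABEL:
                        hits.append(f"{child}[{i}]")
            _walk(value, child, hits)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            _walk(item, f"{path}[{i}]", hits)


def find_deprecated_label_refs(items):
    """Return {"Kind/namespace/name": [json paths]} for every object in
    `items` that still references DEPRECATED_LABEL; objects that only use
    REPLACEMENT_LABEL (or no role label at all) are not reported."""
    findings = {}
    for item in items:
        meta = item.get("metadata", {})
        ident = f"{item.get('kind')}/{meta.get('namespace', '')}/{meta.get('name')}"
        hits = []
        _walk(item, "", hits)
        if hits:
            findings[ident] = hits
    return findings


def load_items(json_text):
    """Accept a kubectl List ({"items": [...]}) or a single object."""
    doc = json.loads(json_text)
    return doc.get("items", [doc])


# Constructed sample: one DaemonSet pinned to the old label two ways, one
# Deployment already on the control-plane label, one plain Pod.
SAMPLE_ITEMS = [
    {"kind": "DaemonSet", "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "nodeSelector": {DEPRECATED_LABEL: ""},
         "tolerations": [{"key": DEPRECATED_LABEL, "effect": "NoSchedule"}],
         "containers": [{"name": "proxy", "image": "example/proxy:1"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "default"},
     "spec": {"template": {"spec": {
         "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
             "nodeSelectorTerms": [{"matchExpressions": [
                 {"key": REPLACEMENT_LABEL, "operator": "Exists"}]}]}}},
         "containers": [{"name": "api", "image": "example/api:1"}]}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "default"},
     "spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
]

if __name__ == "__main__":
    import sys
    # Pipe real cluster output in; fall back to the constructed sample.
    items = load_items(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_ITEMS
    report = find_deprecated_label_refs(items)
    print(json.dumps(report, indent=2) if report else "no references to the deprecated label")
```

Run it as `kubectl get ds,deploy,sts,pods -A -o json | python3 preflight.py` before the upgrade; anything it prints should be moved to the control-plane label (or to an explicit label you manage yourself) first. It only inspects what kubectl returns, so node labels applied out of band by automation are a separate check.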

Community Spotlight:

I want to give a shout-out to @Jhaddix - who is one of the best bug hunters on the planet. He is running a training course on his bug hunting methodology, the same one that is so good at collecting him bounties. The training sold out so fast he had to add another weekend. Check it out here: link

Also: you’re missing out if you aren’t keeping up with Daniel Miessler’s blog posts on all the latest in the AI revolution. He is really keeping a closer eye on it than most and is a great signal amongst all the ChatGPT noise. Check out a recent favorite of mine here: link

Check me out in a few weeks doing a LinkedIn Live with the Founders of Tromzo and Semgrep talking about the changes we’re seeing in the AppSec industry. Register here: link

Please write to me and share stories or anecdotes for this section. It goes very well with the theme of being vulnerable together to share stories. I’d especially love to hear about your failures. What is a time you failed? What did you learn? How did it change your life?

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay