This is part of a series comparing Jiu Jitsu with InfoSec.

Both Jiu Jitsu and InfoSec have the concept of privileged access. In Jiu Jitsu, it’s control of your opponent’s body. In InfoSec, it’s control over a computing system (e.g. root, admin, or SYSTEM). This is another similarity between these two disparate realms. Let’s pick it apart…

In Jiu Jitsu, virtually everything you do involves controlling the space between your opponent’s armpits and hips, on at least one side, and usually both simultaneously; however, even a multi-year Jiu Jitsu student may not have come to realize this in such…


This is part of a series comparing Jiu Jitsu with InfoSec.

As very much a low level student of Jiu Jitsu, one of the ways I know that I’m getting better is that I’m seeing my mistakes closer to the time I made them. (“Putting my hand there was a mistake! He pinned my legs down! I should have squared up when I had the chance!”) Make no mistake, it’s still too late. I fall behind the curve, and my opponent ends up winning.

But detecting these mistakes after they were made is still a big step up from the…


Previously, I discussed adversary emulation vs simulation and introduced an approach to make emulation more appealing: false flags. Today, I want to discuss what happens when you take emulation too far, but first a comparative story.

You may be familiar with the Zodiac Killer and its references in pop culture, such as the note pictured below:

Zodiac Killer — https://en.wikipedia.org/wiki/Zodiac_Killer

The Zodiac Killer case is one which inspired copycat murderers, like this one. One of the ways these copycats were differentiated from the original criminal is variation in TTPs, specifically those that were never publicly disclosed. The copycats get 98% of the details correct…


This is part of a series comparing Jiu Jitsu with InfoSec.

Castles: Layered Defense in Depth

I already discussed this a little bit here, but I wanted to tease out a little more nuance.

In InfoSec, we don’t just rely on a single defensive control. We all know that. A modern email-borne phish probably goes through something like this: SMTP sender validation, DNS domain categorization, message velocity throttling, quarantine of previously unseen senders, content inspection (signatures, heuristics, and machine learning), attachment checking, link checking, document “detonation” (opening the document in a sandbox), behavioral analysis in that sandbox … then eventually landing on the endpoint, Anti-Virus…


Simulating Adversaries Since 1984

Congratulations! Your organization has approved the creation of an internal Red Team program and tasked you to do it! Here are some quick, easy tips to get this program off the ground as simply as possible, based on Q&A I have done with a number of old/mature corporate Red Teams, brand new corporate Red Teams, and lessons I’ve personally learned (some of which were learned the hard way). I am publishing this here as a reference for others who reach out and request help getting their programs started.


It’s simple: voting privacy.

When you bank online, your interactions with the bank are authenticated (your login password and hopefully some sort of two-step verification passcode), so the bank knows it is YOU on the other end. You have no expectation of privacy from your bank. You expect that your bank will know it’s you who moved money; in fact, you want them to MAKE SURE it’s REALLY YOU that moved that money and not someone else.

When you vote, it’s the opposite — the polling place needs to track whether you voted or not, but they…


false black beard flag?

There are many write-ups distinguishing emulation from simulation, but this one is mine (which is why I also added in “False Flags” for more flavorful fun).

First, let’s establish some stodgy academic definitions:

Emulation: (computing definition) reproduction of a function or action on a different computer or software system. This is an older word, in use in English since before the 16th century.

Simulation: imitation of a situation or process; the action of pretending; the production of a computer model for the purpose of study or learning. This is a newer word, first in widespread use during the mid 20th century.

False…


This is part of a series comparing Jiu Jitsu with InfoSec.

Go attend a Jiu Jitsu class at a Gracie academy or MMA gym and you will likely see an instructor who shows a three-step progression on a simple move or position. First, they will show a basic setup of the position, have the students find a partner and each drill that a few times. Then come back and iterate on it. Perhaps show another option to form a “series” of moves that can be chained together (like a Chess match). Drill that improvement. …


About Imphash

If you’re not familiar, “imphash” stands for “import hash”: a hash over the imported libraries and functions in a Windows Portable Executable (PE) file. You can get started playing with it quickly with the Python implementation in pefile:
https://github.com/erocarrera/pefile

To calculate an “imphash,” each imported library name and the functions linked from it are dumped in string format (library and function names lower-cased, with the .dll extension stripped), concatenated in import-table order, then hashed with MD5. VirusTotal also computes this against the PE files it sees in its daily submissions, so it’s important to understand how this works and why.
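The following is an added example, not code from the post or from pefile itself; it reproduces the imphash construction on a constructed import table so the normalization steps are visible. The import table and the ordinal handling are assumptions for illustration: real ordinal imports from ws2_32 and oleaut32 are mapped back to names by pefile's lookup table, which is omitted here.

```python
import hashlib

# Constructed import table for illustration (not taken from any real binary).
# Each entry is (DLL name as written in the import directory, [imported symbols]);
# a symbol is either a function name (str) or a bare ordinal (int).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("WS2_32.dll", ["WSAStartup"]),
    ("ADVAPI32.dll", ["RegOpenKeyExA", 1]),  # ordinal 1 imported by number only
]


def normalize_dll(dll_name):
    """Lower-case the DLL name and strip a trailing .dll/.ocx/.sys, as imphash does."""
    name = dll_name.lower()
    base, _, ext = name.rpartition(".")
    if base and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash_string(imports):
    """Build the comma-joined 'dll.function' list that gets hashed, in table order."""
    parts = []
    for dll, symbols in imports:
        lib = normalize_dll(dll)
        for sym in symbols:
            if isinstance(sym, int):
                # Assumption: ordinal-only imports are rendered as 'ordN'. pefile also
                # maps well-known ws2_32/oleaut32 ordinals back to names; that table
                # is not reproduced here.
                func = "ord%d" % sym
            else:
                func = sym.lower()
            parts.append("%s.%s" % (lib, func))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string, hex-encoded: the imphash convention (not a secure hash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def same_import_profile(imports_a, imports_b):
    """True when two samples share the same imphash, i.e. the same import list in the same order."""
    return imphash(imports_a) == imphash(imports_b)


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Reordering the same imports changes the hash: linker/toolchain order is part of the signal.
    reordered = [SAMPLE_IMPORTS[1], SAMPLE_IMPORTS[0], SAMPLE_IMPORTS[2]]
    print(same_import_profile(SAMPLE_IMPORTS, reordered))
```

Because casing and the `.dll` suffix are normalized away but order is preserved, two builds from the same source and toolchain collide on imphash even if their code bytes differ, while a trivial reordering of the import table breaks the match. For a real file with pefile installed, `pefile.PE(path).get_imphash()` returns the production value.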

Why calculate this?

Simple: malware authors are humans, and humans stick with what they know. They go to the same watering holes. So…


This is a simple concept that at first blush may just seem common sense, but it is a powerful mental tool to approach security conflicts from both the offensive and defensive perspective. Some vernaculars swap the word “boom” for “bang” but the meaning is the same.

This concept is based upon military doctrine and can be found in recent popular culture books, and it very much applies to Information Security. Here are a couple of recent books if you enjoy this topic:

Tim MalcomVetter

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
