Feb 2, 2021Jiu Jitsu vs InfoSec: Privileged AccessThis is part of a series comparing Jiu Jitsu with InfoSec. Both Jiu Jitsu and InfoSec have the concepts of privileged access. In Jiu Jitsu, it’s control of your opponent’s body. In InfoSec, it’s control over a computing system (e.g. root, admin, or system). This is another similarity between these…Jiu Jitsu5 min readJiu Jitsu5 min read
Nov 12, 2020Jiu Jitsu vs InfoSec: Mean Time To DetectThis is part of a series comparing Jiu Jitsu with InfoSec. As very much a low level student of Jiu Jitsu, one of the ways I know that I’m getting better is that I’m seeing my mistakes closer to the time I made them. (“Putting my hand there was a…Infosec3 min readInfosec3 min read
Sep 21, 2020Adversary Emulation vs. Bad CopycatsPreviously, I discussed adversary emulation vs simulation and introduced an approach to make emulation more appealing: false flags. Today, I want to discuss what happens when you take emulation too far, but first a comparative story. You may be familiar with the Zodiak Killer and it’s references in pop culture…Threat Intelligence3 min readThreat Intelligence3 min read
Jul 29, 2020Jiu Jitsu vs InfoSec: Defense in DepthThis is part of a series comparing Jiu Jitsu with InfoSec. I already discussed this a little bit here, but I wanted to tease out a little more nuance. In InfoSec, we don’t just rely on a single defensive control. We all know that. A modern email borne phish probably…Infosec3 min readInfosec3 min read
Jul 16, 2020How to Create an Internal/Corporate Red TeamCongratulations! Your organization has approved the creation of an internal Red Team program and tasked you to do it! Here are some quick easy tips to get this program off the ground as simply as possible, based on Q&A I have done with a number of old/mature corporate Red Teams…Red Team8 min readRed Team8 min read
Jun 11, 2020Why can I bank online but not vote online?It’s simple: voting privacy. When you bank online, the security of your interactions with the bank are authenticated (your login password and hopefully some sort of two-step verification passcode), so the bank knows it is YOU on the other end. You have no expectation of privacy from your bank. …Electronic Voting3 min readElectronic Voting3 min read
Feb 10, 2020Emulation, Simulation, & False FlagsThere are many write-ups distinguishing emulation from simulation, but this one is mine (which is why I also added in “False Flags” for more flavorful fun). First, let’s establish some stodgy academic definitions: Emulation: (computing definition) reproduction of a function or action on a different computer or software system. …Cybersecurity8 min readCybersecurity8 min read
Jan 23, 2020Jiu Jitsu vs InfoSec: Learn Both SidesThis is part of a series comparing Jiu Jitsu with InfoSec. Go to attend a Jiu Jitsu class at a Gracie academy or MMA gym and you will likely see an instructor who shows a three step progression on a simple move or position. First, they will show a basic…Infosec2 min readInfosec2 min read
Nov 12, 2019Defeating ImphashAbout Imphash If you’re not familiar, “imphash” stands for “import hash” of all imported libraries in a Windows Portable Executable (PE) file. You can get started playing with it quickly with its python implementation here: https://github.com/erocarrera/pefile To calculate an “imphash,” all imported libraries and their linked functions are dumped in string format…Programming5 min readProgramming5 min read
Oct 8, 2019Left and Right of BoomThis is a simple concept that at first blush may just seem common sense, but it is a powerful mental tool to approach security conflicts from both the offensive and defensive perspective. Some vernaculars swap the word “boom” for “bang” but the meaning is the same. This concept is based…Security6 min readSecurity6 min read
