This is part of a series comparing Jiu Jitsu with InfoSec.

Both Jiu Jitsu and InfoSec have the concept of privileged access. In Jiu Jitsu, it’s control of your opponent’s body. In InfoSec, it’s control over a computing system (e.g. root, admin, or system). This is another similarity between these…


This is part of a series comparing Jiu Jitsu with InfoSec.

As very much a low level student of Jiu Jitsu, one of the ways I know that I’m getting better is that I’m seeing my mistakes closer to the time I made them. (“Putting my hand there was a…


Previously, I discussed adversary emulation vs simulation and introduced an approach to make emulation more appealing: false flags. Today, I want to discuss what happens when you take emulation too far, but first a comparative story.

You may be familiar with the Zodiac Killer and its references in pop culture


This is part of a series comparing Jiu Jitsu with InfoSec.

Castles: Layered Defense in Depth

I already discussed this a little bit here, but I wanted to tease out a little more nuance.

In InfoSec, we don’t just rely on a single defensive control. We all know that. A modern email-borne phish probably…


Simulating Adversaries Since 1984

Congratulations! Your organization has approved the creation of an internal Red Team program and tasked you to do it! Here are some quick easy tips to get this program off the ground as simply as possible, based on Q&A I have done with a number of old/mature corporate Red Teams…


It’s simple: voting privacy.

When you bank online, the security of your interactions with the bank are authenticated (your login password and hopefully some sort of two-step verification passcode), so the bank knows it is YOU on the other end. You have no expectation of privacy from your bank. …


false black beard flag?

There are many write-ups distinguishing emulation from simulation, but this one is mine (which is why I also added in “False Flags” for more flavorful fun).

First, let’s establish some stodgy academic definitions:

Emulation: (computing definition) reproduction of a function or action on a different computer or software system.


This is part of a series comparing Jiu Jitsu with InfoSec.

Go to attend a Jiu Jitsu class at a Gracie academy or MMA gym and you will likely see an instructor who shows a three step progression on a simple move or position. First, they will show a basic…


About Imphash

If you’re not familiar, “imphash” stands for “import hash” of all imported libraries in a Windows Portable Executable (PE) file. You can get started playing with it quickly with its Python implementation here:
https://github.com/erocarrera/pefile

To calculate an “imphash,” all imported libraries and their linked functions are dumped in string format…


This is a simple concept that at first blush may just seem common sense, but it is a powerful mental tool to approach security conflicts from both the offensive and defensive perspective. Some vernaculars swap the word “boom” for “bang” but the meaning is the same.

This concept is based…

Tim MalcomVetter

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
