Menu of cybersecurity risk management options
Posts by Year
2025
Assorted links 2025-03-19
1. Shapeshifting Chrome extensions
Assorted links 2025-03-17
1. Cyber insurance is no silver bullet for cybersecurity “Regulators and businesses hope cyber insurance will drive stronger security practices. In reality, a narrow focus on mitigating financial loss makes it an unreliable solution”
Assorted links 2025-03-09
1. Crafty Camel, a threat targeting the UAE
The more labels you have for yourself, the dumber they make you. Permalink
One of Paul Graham’s best.
Defining security outcomes
I’ve long viewed incidents as one of an organization’s very best tools for measuring everything from cybersecurity effectiveness, to overall operational maturity. Unsurprisingly, I’d also recommend using incidents to define and understand security outcomes (i.e., whether your costly security-related investments are getting the job done).
The SEC should require disclosure of cybersecurity controls
8-K filings for material cybersecurity incidents should require disclosure of all cybersecurity controls (software and services) in place when the event occurred.
Atomic Red Team ATT&CK tool updated to v16.1
Just a quick note to point out that the Atomic Red Team test tracking tool has been updated to reflect MITRE ATT&CK v16.1.
Known exploited vulnerabilities by market cap
It’s easy to criticize vendors for the number of known exploited vulnerabilities in their software, but raw counts lack context. A company with 100 software products will naturally have more vulnerabilities than one with a smaller portfolio. However, product count alone doesn’t account for a company’s size or resources.
Cybersecurity stat of the day: CISA KEV vulnerabilities 2.8 years old, on average
Cybersecurity stat of the day: The average delta (in years) between CVE assignment and addition to the CISA Known Exploited Vulnerability (KEV) catalog is 2.8 years. 🤯
2024
Script to log OverSight camera/mic events on macOS
I’m a huge fan of Objective-See, Patrick Wardle’s non-profit organization, and the arsenal of invaluable macOS secuirty tools he provides.
AI query capture and OpenAI search Permalink
I’ve been really interested in how AI engines will impact traditional content discovery models. A key hypothesis is that content creators will reduce time-to-citation by:
MarTech and AdTech are the true global surveillance superpowers Permalink
Great reporting by Brian Krebs:
NotebookLM-generated discussion based on my recent post (SEO, GEO, and the future of content discovery)
I uploaded The End of Advertising along with my commentary into NotebookLM and asked it to generate a brief discussion between two hosts. The results are impressive, in particular the aspects of the topic that aren’t covered by either the original text or my own.
SEO, GEO, and the future of content discovery Permalink
The End of Advertising by Michael Mignano was thought-provoking, but not for the reasons I expected.
Cybersecurity effectiveness is mostly device + identity
After years observing cybersecurity defenders balance cost and effectiveness, focus has oscillated solely between device (e.g., endpoint) and identity (e.g., directory or identity provider) security.
Cybersecurity predictions, Q3 2024 edition
Anyone who’s worked in cybersecurity for a meaningful amount of time has been asked to make predictions. Here are two predictions I’ve made that have endured over the past 2-3 years.
A simple framework for talking to leadership about cybersecurity
A simple framework for talking to leadership about a cybersecurity program, particularly for an inbound security leader looking to level-set:
Where do your incidents come from?
Where do your incidents come from?
SaaS attack technique matrix Permalink
Inspired by MITRE ATT&CK, the good folks at Push Security have taken a pass at enumerating attack techniques specific to Software-as-a-Service (SaaS) applications.
Left and Right of Boom (by Tim MalcomVetter) Permalink
Prevention is just detection with an action at the end. -Casey Smith (subTee)
Cyber Defense Matrix slide template Permalink
I’ve made 100 variations of Sounil Yu’s venerable Cyber Defense Matrix for workshops, presentations, and planning over the years. Here’s the Google Slides template that I use to save time. May it save you time as well.
The top initial access vectors in 2023, mapped to ATT&CK
In reviewing security firms’ 2023 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.
Open source roundup of cybersecurity models
This is a collection of cybersecurity, risk management, and related models that I’ve collected and/or used over time.
A technology adoption model for cybersecurity teams
This article is adapted from a presentation (charts + talk track) I’ve maintained over the years as a tool to help myself and others understand how technology adoption drives the work we do in cybersecurity, and where we are in the technology adoption cycle at any given time. Charts revised late 2023.
The End of Software (essay by Chris Paik) Permalink
An interesting essay and take by Chris Paik (Twitter):
Search or subscribe to SEC 8-K Material Cybersecurity Incident filings
In 2023, the Securities and Exchange Commission (SEC) published rule 33-11216 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, where the operative requirement is that companies disclose material cybersecurity incidents. The summary disclosure requirement is as follows:
2023
Improving CISA KEV data integrity
tl;dr - Sometimes CISA removes Known Exploited Vulnerabilities catalog records. It would be awesome if they marked them as withdrawn and/or superseded instead.
When your product becomes a feature
Having spent a few years using, maintaining, and building security products of every conceivable shape and size, it’s become apparent how uniquely risky it is to invest in building cloud[1] security products.
Top initial access techniques from 2019-2022, mapped to ATT&CK
Based on initial access data from dozens of cybersecurity industry reports over the past four years, here’s a visualization of the top five initial access techniques, and how they’ve trended over the years:
Not all attack surface is created equal: Why protecting security controls is critical
Any exposed attack surface can be used by an adversary to gain or maintain access to your environment. Security controls are a uniquely high-risk part of your attack surface, because compromising a security control often provides an adversary with privileged and/or uniquely positioned access to the environment. And evidence shows that adversaries are capitalizing on exposed, vulnerable attack surface.
CISA Known Exploited Vulnerabilities (KEV) affecting security controls
Since its inception, I’ve been bullish on the value of the CISA Known Exploited Vulnerabilities (KEV) catalog, along with their periodic analysis of the top exploited vulnerabilities based on the same. The KEV catalog contains a concrete set of trailing indicators that tell you which vulnerabilities should be prioritized for patching or other forms of remediation.
Your security controls are (a huge) part of your attack surface
Security software is just software, subject to all of the same problems as any other type of software. And like so much of the software we find in the enterprise, security software has some predictable characteristics:
Breaking down exposure management
While participating in some industry analyst research, I was asked how I’d walk someone through and connect these concepts. This is a paraphrased version of the talk track (with some visuals based on prior work).
Dave Aitel (and friends) on BlackHat, DEF CON, and infosec culture Permalink
The Vegas security conferences used to feel like diving into a river. While yes, you networked and made deals and talked about exploits, you also felt for currents and tried to get a prediction of what the future held. A lot of this was what the talks were about. But you went to booths to see what was selling, or what people thought was selling, at least. But it doesn’t matter anymore what the talks are about. The talks are about everything. There’s a million of them and they cover every possible topic under the sun. And the big corpo booths are all the same. People want to sell you XDR, and what that means for them is a per-seat or per-IP charge. When there’s no differentiation in billing, there’s no differentiation in product.
Google DFIQ: Open source building blocks for IR playbooks Permalink
The DFIQ project (GitHub, website) is an open source collection of questions that analysts should ask during certain types of investigations. There’s a simple tagging system that allows a unique question to be associated with platforms, primitives like file or network knowledge, and of course MITRE ATT&CK techniques. Questions are used in the context of scenarios, which are effectively types of incidents.
Exposure management via CISA’s Top Routinely Exploited Vulnerabilities Permalink
This is textbook example of the type of input you’d apply to an exposure management process:
Incidents as a measure of cybersecurity progress
Phil Venables published a helpful collection of ways that risk and cybersecurity leaders can share their successes, ideally on an ongoing basis. His working theory, which I believe is correct, is that we’re not great at this. And as a result, many of our peers only hear from us when things go sideways, which leads to a variety of problems.
Roundup of security conference and CFP trackers
A collection of websites and projects that I’ve used in an attempt to track upcoming information security (infosec) or cybersecurity conferences, including call for papers (CFP) deadlines.
Exposure management - Managing assets, attack surface, attack paths, and vulnerabilities with purpose
There are a variety of cybersecurity product categories and activities intended to reduce the likelihood that an adversary finds and successfully exploits a vulnerability, resulting in an intrusion (and ultimately a breach):
Threat modeling templates
In the course of reviewing a number of published threat models, it became apparent that there is not (nor does there need to be) any standard output format, even given the same methodology (e.g., STRIDE).
Threat modeling, the cloud, and shared responsibility
An interesting aspect of cloud-related threat models is that cloud-based threats must take into account shared responsibility models that are specific to each cloud provider and service.
Roundup of threat modeling resources
I don’t know much about threat modeling, except that as long as I’ve been working in cybersecurity, we’ve been asking people about their threat model, telling them to do threat modeling, and in the worst cases using greedy threat models to convince folks that they should prioritize things that they probably should not.
Information asymmetry is the root cause of every breach
Information asymmetry is the root cause of every breach. Your adversary knows something that you do not.
The top initial access vectors in 2022, mapped to ATT&CK
This data is from 2022. For data from 2023 (the most recent), please go HERE.
A company with a formal org chart is a company big enough to have an informal org chart that accurately describes how things actually get done. Permalink
From Byrne Hobart at The Diff, a list of scaling bottlenecks often encountered by startups: Recruiting, decision-making, management, and more.
If you wait until you feel like doing stuff, you’re fucked. Permalink
If there’s an article-length version of Atomic Habits, published years prior to the best-selling book, this might be it.
Observability as a function of your threat model
This model attempts to explain the relationship between visibility, observability, detection, and mitigation, which are closely related and important to understand when implementing any information security or cybersecurity program.
The future of cybersecurity might be insurance
For some time, I’ve considered a hypothesis that the future of cybersecurity is a vertically integrated set of products, services, and insurance. The insurance aspect in particular would bring actuarial rigor to identification and measurement of the outcomes that cybersecurity vendors claim to provide, and so it will represent the subset of offerings that provide consistent, provable value (i.e., things that reliably mitigate high impact threats). The primary consumer benefit will be a faster path to implementation of a plenty good enough cybersecurity portfolio for a large percentage of organizations.
Publish your Twitter archive in seconds Permalink
A simple, elegant application from Darius Kazemi (GitHub, Website) that runs locally via your web browser and takes as input:
Incidents: An organizational Swiss Army knife
Incidents may be one of the best measures of maturity, effectiveness, and progress in any highly operational environment, including but not limited to security operations and technology operations (including site reliability engineering, or SRE). However, incident management done right can be an invaluable tool that you can point at virtually any problem- or failure-prone system to make it better.
Visibility, observability, detection, and mitigation in cybersecurity
The concepts of visibility, observability, detection, and mitigation are foundational to cybersecurity–security architecture and detection engineering in particular–and technology operations in general. They’re useful for communicating at almost every level, within technical teams but also to organizational peers and leadership.
An open source catalog of offensive security tools Permalink
From Gwendal Le Coguic (@gwen001 / @gwendallecoguic), offsec.tools is a fairly wide-ranging collection of offensive security tools. At the time of publication, it includes close to 700 tools, though some very popular free tools (e.g., mimikatz, impacket) are missing, and the project’s appetite for cataloging commericial tools (e.g., Pegasus, FinFisher, etc.) is unclear.
Roundup of commercial spyware, digitial forensics technology use by governments Permalink
From the Carnegie Endowment for International Peace:
Simple, measurable ATT&CK testing with Atomic Red Team
Updated January 2025 to support ATT&CK v16.1.
The most prolific ransomware groups in 2022
It’s 2023 and security firms are starting to release findings from 2022 threat data, notably their lists of the most active, impactful ransomware groups.
2022
LastPass: The breach that keeps on giving Permalink
LastPass was breached in August, and has since updated their breach disclosure several times, each update just a little bit worse and more concerning than the last. Unfortunately, for a business with a large consumer customer base, it’s almost impossible to use these disclosures to determine whether LastPass should be trusted. For security practitioners, it’s much eeasier:
The Open Source Security Index Permalink
The Open Source Security Index tracks the most popular and fastest growing open source security projects on GitHub. This project is the brainchild of Chenxi Wang of Rain Capital fame.