Welcome to the deep dive. If you need that shortcut to being really well informed, you are definitely in the right place. Today we are taking on one of those really persistent, kind of frustrating problems in technology, cybersecurity defense. We're diving deep into this whole concept of the active defender, asking how do we actually move security professionals out of that constant reactive mode that burns them out and into something more proactive, a, well, a winning mindset.
Yeah, and our mission today is, I think, crystal clear. We really have to fundamentally understand why the traditional passive security model just isn't cutting it anymore. It's failing. We're going to explore how adopting the knowledge, the insights from the offensive security community, that hacker mindset, is maybe the only way to really transform your defense posture.
And when we say failing, I mean we have the numbers, right. The stats from the sources we looked at are genuinely, well, terrifying for this traditional approach. It basically means you sit back, you wait for an alert. You're waiting for an attacker to make some loud noise that tells you, hey, I'm already inside.
Exactly, and when they finally make that noise, the real question is how long have they already been there? The average, get this, the average time to discover and contain an attacker inside an organization's network in twenty twenty two was two hundred and seventy seven days.
Two hundred and seventy seven days. That's what, nine...
...months. Nine months of undetected access.
Yeah, nine months. Just think about the kind of damage that causes. That is more than enough time to steal pretty much every piece of sensitive data you own, to set up persistent back doors, maybe quietly map out your entire environment for, I don't know, a future ransomware attack. When an adversary has that kind of unchecked dwell time, it's not just a security failure anymore. It's like a potential business extinction event.
It really is.
And that number, two hundred and seventy seven, so it was only down slightly from two eighty seven the year before.
Right. It basically tells you the status quo is, well, static failure. It's not improving meaningfully. That two hundred and seventy seven day metric just confirms it. Waiting for your firewall, your basic endpoint tool, to flag an IP address, that's obsolete thinking, and that's precisely why we need this active defender concept. Now, they aren't launching counter attacks, let's be clear, that's illegal, it's unwise, but they are cultivating that hacker mindset.
They use the offensive knowledge, the attacker techniques, to understand the adversary's thought process even better than the adversary understands their own defenses.
Okay, let's unpack that, the core philosophy here. We need to define this hacker mindset, because I think for most people that word conjures up some figure in a hoodie in a dark basement, like on TV. What are the key traits that security pros actually need to adopt?
Yeah, it's definitely not about the attire or any dramatic flair. The mindset, it's really defined by maybe six essential traits: curiosity, creativity, patience, persistence, agility, and maybe most importantly, nonlinear thinking. The defender has to stop being satisfied with just getting an answer. They need to start relentlessly asking why, why not, what if? They're constantly trying to make the system do something it was explicitly designed not to do.
Right. And you found some incredible historical examples of that creativity, didn't you? Let's talk about the phreakers, the original sort of tech hackers, focusing on phone networks way back, like sixties, seventies.
Oh, absolutely. That's just pure brilliance born from curiosity. They didn't just stumble upon a secret code. They spent incredible amounts of time poring over really obscure, really technical documentation, stuff put out by the phone companies themselves, just trying to understand the deep inner workings of call routing. And their creative breakthrough, it came when they realized that generating a very specific audio tone, twenty six hundred hertz, could trick the phone line, make it think the line was idle, which then let them make free long distance calls.
And the legend, the famous part, is that specific tone could be made by a toy whistle, one found in Cap'n Crunch cereal boxes. I mean, that level of just lateral, creative thinking, it's exactly what most security processes seem to lack today.
Absolutely, and that right there immediately highlights the huge difference between linear thinking and what we're calling graph thinking, which is really the core of this active defender concept.
Okay, so how do traditional security teams usually miss that, that lateral thinking? Are they just stuck in a very specific, maybe restrictive way of processing information?
They often are, yeah. The traditional defender, they're usually taught to think very linearly. You know, if A happens, then check B. Follow the steps. They become excellent at following checklists. Could be internal hardening guides, maybe the CIS controls, or a defined flow chart like the SANS incident response process. It's all very step by step, a straight line, and...
...that linear thinking, it just misses the bigger picture completely, doesn't it?
It only sees the individual steps, the trees. It misses the forest. The attacker, however, thinks in graphs, in connections. Their actions aren't usually a straight line towards one single goal. It's more like a mesh, a network of potential connections and pathways. They are deliberately looking for relationships between seemingly disparate data points that no single checklist, no flowchart, could possibly anticipate. It's almost holographic in nature.
So okay, if I'm a defender trying to focus on the graph, what's a tangible example in security? Like, when am I just seeing versus when am I truly observing that graph?
That's a great question. So you see a single event, right, a dot on your dashboard. Let's say a login failure alert from a user in accounting. Okay, noted. But you observe the graph when you realize, hm, that login failure happened exactly thirty seconds after a weird, non standard port scan was logged against the database server, and then maybe ten minutes later, a completely different but legitimate admin account suddenly queries an unusually small, very specific data set from that same database. See, no single alert there is necessarily critical on its own. But the graph, the connection between the odd timing, the port scan, the specific data query, that reveals the attacker's underlying patterns, their intent. It's exactly what Sherlock Holmes meant, right? You see, but you do not observe.
Wow, okay, that makes the distinction incredibly clear. Thank you. If passive defense is so demonstrably, well, ineffective, why are organizations still so stuck? Why is that two hundred and seventy seven day dwell time so stubborn, so hard to bring down?
Yeah, it consistently seems to boil down to two really heavy forces holding organizations back: organizational inertia and internal culture. And inertia, is that classic, really frustrating, well, that's just how we've always done it pitfall. For decades, security meant perimeter defense, build bigger walls, stronger firewalls.
Right, a totally nineteen nineties approach for a twenty twenties world.
Exactly. That model just completely falls apart when your employees are working from home, from anywhere, and your most valuable data, it's living across three different cloud providers, maybe more. Inertia also shows up in how we misuse tools. Organizations spend millions, literally millions, on passive protection tools, SIEMs, intrusion prevention systems. They're designed, sure, to give consistent protection, but defenders often end up relying on them exclusively, just watching the...
...dashboard, which leads directly to that infamous tunnel vision, right? You're only looking at that specific dashboard, only reacting to the specific alerts the tool decides are important enough to show you.
And the result, it's inevitable: alert fatigue, mass burnout. If you're getting bombarded with, say, ten thousand low priority alerts every single day, you physically cannot look for that critical graph pattern. You stop trying. And compounding all this is the financial inertia, the reality that cybersecurity is still overwhelmingly viewed as a cost center. Really? So organizations are chronically understaffed.
They often won't commit money to essential validation activities, things like active threat hunting or frequent, realistic penetration tests, and that lack of investment just reinforces the passivity. It's a cycle.
And beyond the money, beyond the tools, the culture itself often seems to breed passivity, specifically through siloing, right, departments not talking well.
Siloing is devastating, absolutely devastating. Think about it. Crucial observations made by, say, a networking engineer about some unusual traffic patterns, or maybe a developer noticing some bizarre latency in an application, that information might never reach the security team. Why? Because they don't have a shared framework or maybe even a shared goal. They operate in bubbles.
And then there's the flip side, the shadow IT problem, which is always a great point of friction.
Users get frustrated, right? Yeah, central IT is too slow, too rigid. So what do they do? They just employ their own tools, Trello for project management, maybe WhatsApp for quick comms, outside of any central control, and boom, this drastically increases the attack surface in ways IT doesn't even know about. Now, a passive defender sees shadow IT and their first instinct is to just shut it down, block it. But the active defender, they see shadow IT and they ask a different question: why? Why did the user feel they needed that tool? What legitimate business function was it maybe preventing or making too difficult? They use that discovery as an opportunity to maybe streamline the official processes, not just play whack-a-mole blocking things.
The shift in perspective is so crucial, isn't it, moving from security as just a roadblock to security as an enabler. I really liked the analogy used in the source material comparing security to driving a high performance race car.
Yeah, it's the perfect summary, I think, of the cultural shift that's needed. If you think about security controls as the brakes on that race car, well, the brakes don't actually make the car go slower overall. They're what allow the car to go faster safely. They let the driver take deliberate, well managed risks while still maintaining control through the corners. Security has to be seen the same way, enabling the business to move faster, smarter, not just introducing friction.
Okay, so we know we need this fundamental shift, it's clear. How does an organization, or even an individual defender, actually transition, go from being a passive monitor to an active defender? It sounds like it requires a kind of immersion into the very culture you're trying to defend against.
That's exactly the starting point, immersion, and maybe the first hurdle to jump is just getting over that media portrayal of security experts, you know, the myth of the solitary, extraordinary genius savant like you see in shows like Mr. Robot. You don't need to be some reclusive genius coding in a basement. You just need to be willing to engage, to listen, and to learn from the people who actually specialize in breaking things: the offensive community.
So where do we find this community, this offensive security knowledge? It's not all just lurking in hidden forums on the deep web, is it? No, not at all.
It's actually very accessible, surprisingly. So yeah, one of the best entry points is probably local communities. Conferences like Security BSides are fantastic for this. They're often free or really inexpensive, and they were specifically created to be less corporate, more intimate, more about sharing knowledge than, say, the huge commercial events. Also look for local security meetups in your area, groups like Infosec 716 or #misec are just a couple of examples, places where people just get together, share what they're working on, what they're learning, really openly.
And beyond the physical meetups, I imagine online communities are pretty key too.
Oh, absolutely. Huge online communities on platforms like Discord, Slack, and yes, believe it or not, even Twitter, which is currently kind of the primary pulse, the main platform for real time info sharing in the offensive community. The learning there is practically instantaneous if you follow the right people.
Okay, so once you're tapped into that knowledge stream, that community, what's the first proactive activity an active defender should undertake? You mentioned OSINT, open source intelligence. Exactly, OSINT.
It sounds fancy, but it's simply using any data you can find from publicly available, unhidden sources. The magic isn't really the data itself, everybody can find it. It's learning to view that public data through the attacker's eyes, understanding what intelligence they can gather about you.
Just by looking around online, right? That's where the analysis comes in. Give us an example. How does that public data turn into, like, actual attack intelligence?
Okay. LinkedIn is a gold mine, an absolute gold mine for attackers. They look at employee job titles, their certifications listed on profiles. If they see, say, five of your employees listing certified Palo Alto firewall administrator on their profile, well, guess what, they know exactly what perimeter technology you use. They can start researching specific vulnerabilities for that platform, and that information, it provides the perfect pretext, the perfect hook for crafting a highly targeted, very believable phishing email.
And beyond social media, you mentioned tools like Shodan that show more physical, or I guess network, exposure.
Yeah. Shodan is basically a specialized search engine, but instead of websites, it finds Internet connected devices, things like servers, webcams, even industrial control systems that are accidentally exposed directly to the Internet. An attacker uses this to scout for open ports, maybe find misconfigured systems, default credentials. And we see it constantly too, developers accidentally leaving sensitive stuff like source code or API credentials public on sites like GitHub. These are often the attacker's very first steps, reconnaissance, and the active defender's job is to replicate those steps, find those exposures before the real attacker does.
Okay, so moving beyond just intelligence gathering, the active defender must prioritize active testing, right? You can't just install defenses and assume they work, or assume your backups are actually restorable.
Absolutely not. Assumption is the enemy here, and we need to be precise when we talk about testing. It's important to distinguish between attack simulation and attack emulation. They sound similar, but they're different.
Okay, what is the difference, then?
So an attack simulation is usually where you test individual, specific techniques in isolation. You might use open source tools, something like Atomic Red Team, to test if your defenses catch a specific action, like, say, running one particular malicious script. It tests a point solution: does this control stop this action? But attack emulation is much more advanced. It's about mimicking a specific known adversary group, their intentions, their goals, and the entire chain of procedures they would likely use to achieve that goal, start to finish. Emulation tests your security program's ability to detect and respond to an entire evolving narrative, not just one single event.
That narrative testing, that seems to lead naturally into deception technologies, which you mentioned are a more sophisticated tool, maybe for the advanced active defender.
Yeah, deception tech is fantastic, especially for detecting adversaries who've already gotten past the perimeter, which, let's face it, the stats show they often do. You deploy decoys, things called honeytokens, or maybe entire fake systems called honeypots. The goal is simple: create an attractive looking asset that no legitimate employee should ever have a reason to touch or access.
So it's basically like setting up a digital tripwire.
Precisely, a high fidelity tripwire. For instance, you could create a decoy user account in your Active Directory, make it look like some old forgotten service account, give it a fake service principal name, an SPN. This account is never used by real people or real services. It just sits there. Now, if anyone attempts to access that account, or maybe query credentials related to that specific fake SPN, a technique often used in Kerberoasting attacks to steal password hashes, boom, it immediately triggers a high priority, high fidelity alert. Accessing that decoy is basically a dead giveaway. You know with near certainty you have an adversary active inside your network.
Okay, this is fascinating. Now let's move up the stack to the highest level of defense planning. You said passive defense often wastes time focusing on easily changed things like IP addresses or file hashes, right, indicators of compromise. So if the active defender wants to truly frustrate an adversary, make their life difficult, what should they focus on instead?
They absolutely must focus on tactics, techniques, and procedures, TTPs. We need to move our thinking beyond just detecting a specific tool and focus instead on the attacker's broader goal and the methods they use to achieve it. We can kind of visualize this as a pyramid, the pyramid of pain.
Okay. So at the top, the highest level of value for the defender, we have tactics. That's the adversary's overall goal, right, like credential access? Exactly.
That's the why. Below that, you have the technique, that's the general method used to achieve the tactic. For credential access, a technique might be dumping LSASS memory, trying to steal credentials stored in memory. But the most valuable level for the defender to focus on, the place where the active defender really concentrates their efforts, is the procedure. This is the specific implementation of the technique. For example, is the attacker using a well known, specific tool like Mimikatz to dump LSASS, or are they maybe leveraging a native Windows process, something already trusted by the system, like using rundll32.exe with comsvcs.dll to achieve that same memory dump outcome?
Okay, why does that distinction matter so much? The difference between the tool, Mimikatz, and the procedure, using rundll32. Why is that key for the active defender?
Because attackers fundamentally don't care about using one specific tool over another. They care about the outcome. They want those credentials. So if a passive defense tool like an antivirus blocks the procedure of running the Mimikatz executable file, well, the traditional defender often stops there. The block, maybe close the ticket, threat contained, right? But the active defender, they understand the attacker isn't going to just give up. They'll simply pivot. They'll try what we call a procedural synonym, just a different way, a different procedure, to achieve the exact same technique, the same outcome. Exactly. They'll just try running rundll32.exe with the right parameters instead. It achieves the same goal, dumping credentials. The active defender uses that initial failed Mimikatz attempt not as the end of the investigation, but as the first data point on their mental graph. They will then actively look for that subsequent suspicious behavior, look for those connections across the network, hunting for the procedural synonyms, regardless of what specific tools are being used. That deep focus on understanding and detecting procedures, not just tools or basic indicators, is the key feature that truly separates the active defender.
So, wrapping this up, what does this all really mean for you, the person listening, the person responsible for defense? It sounds like the active defender is less about buying the next shiny new security product, the next magic box, and almost entirely about adopting a persistent, analytical, curious mindset, one that focuses on outcomes, on patterns, on procedures. It's really an investment in curiosity over just compliance checklists.
Absolutely, and this proactive, procedure focused approach is becoming absolutely critical when you look at the emerging threats, threats targeting the really foundational layers of our operating environments. Consider something like the BlackLotus UEFI bootkit. It was found in the wild, operates at such a low hardware level, below the OS, it can bypass Secure Boot even on fully patched Windows systems. Traditional patching, passive monitoring, they're simply insufficient to detect or stop that. And we're also seeing this huge increase in highly sophisticated software supply chain attacks and things like BYOVD attacks, Bring Your Own Vulnerable Driver, where attackers use legitimately signed drivers with known flaws to gain kernel level access.
Wow. So these low level, potentially high impact future challenges, they absolutely demand that constant situational awareness, that holographic, graph based thinking you mentioned.
They absolutely do. Only by actively engaging with that offensive security knowledge, the knowledge that reveals the procedures used by adversaries at every level, only then can defenders really hope to stand a chance. So maybe your homework this week, as you start thinking about your own journey towards becoming an active defender, is to really look at the systems you're responsible for protecting. Start researching what hardware specifically, and what kernel mode drivers, are actually running in your environment right now. You really need to know what you are truly protecting at that foundational level, because increasingly that's precisely where the attackers are aiming next.
