The Spirit That Drives Cyber Security

Florian Roth
Jun 3, 2018

The cyber security industry has always attracted passionate hackers, the open-minded and righteous, those who like to break rules and those who like to stop rule-breakers. What I’ve learned over the last decade is that true passion for the cause makes a huge difference.

This article is about the spirit that drives us defenders, the passionate members of our community. Our work protects businesses from sabotage and industrial espionage, the personal data of millions of individuals and sometimes even the lives of politically persecuted persons.

Good defenders are not driven by money or the pleasure of solving analytical or technical problems. Good defenders are driven by a belief: the belief that their work can make a difference. This belief fuels their pursuit of solutions to analytical or technical problems, which ultimately leads to financial rewards, but it’s the belief — the “why” — that drives them.

I like the image of protectors, the super heroes of the digital world — and I am not the only one who has this mental image.

Artwork by Kristafer Anka (Source: https://geektyrant.com/news/2013/2/19/23-tron-style-marvel-characters-by-kristafer-anka.html)

It is no coincidence that the marketing departments of big security companies use that image and add it to their emotional appeal.

Kaspersky GReAT SAS2018 illustration (Source: https://www.kaspersky.com/blog/what-is-sas/14411/)

In the past, the cyber security industry used this figurative language only for threat actors and their operations. They named them “Wicked Panda”, “Deadeye Jackal” or “Hidden Cobra”.

Today, this visual imagery is omnipresent.

FireEye’s ‘Guardians of the Galaxy’ (Source: FireEye — RSA conference party)
SANS Blue Team Summit & Training (Picture: by @subTee https://twitter.com/subTee/status/988419810857050112)
Christopher and Nick (Source: FireEye — RSA conference promo)

The Battle for Talent

Recently, I met with Daniel Bohannon and told him about this blog post, and he asked me whether I perceived this trend as something positive or negative.

While it may appear overblown at first sight, I am absolutely sure that this is what our industry needs to attract new talent and get them enthusiastic about the defensive field.

The image of a hacker who breaks into systems has always been omnipresent and has influenced many of us in our early years. In contrast, the defender’s side has been underrepresented in movies or series and, if shown at all, pictured as boring.

Movie: War Games (© Metro-Goldwyn-Mayer Studios Inc. All Rights Reserved.)

I really love drama so let me stir things up! I’d say that this image is an odd misrepresentation. In the real world, there are two groups of attackers, the bad guys and the penetration testers / red teamers / offensive researchers.

As the “bad guys” aren’t cool but criminals, let’s compare the “cool” work of offensive IT security professionals with that of the defensive IT security professionals.

While the adversaries of red teamers are blue teamers, administrators & software developers, the blue teamer’s adversaries are malware authors, threat groups and nation-state actors.

While a red teamer’s work results consist of a report listing software flaws and misconfigurations, a blue teamer’s deliverables are malware analysis, compromise assessment or incident containment reports.

While red teamers get emotional when they find a service account that has domain admin rights, we blue teamers have that uplifting feeling when we discover an attacker’s staging directory used for the exfiltration of data.

Vicious Circle of Pentesting

So, a blue teamer’s job isn’t boring, but “the good guy’s cyber battleground”.

I’ve been a red teamer before people started calling it “red teaming”. I know how great it feels to break into systems, evade security functions and extract sensitive data. But I also know the downsides, the lack of appreciation and the frustrating feeling that nothing ever changes.

A friend once told me “software will always be broken” — and he’s right. You can be someone who discovers new flaws in new software, or you can help us detect and fend off the attackers who exploit these flaws. It’s your decision.

Finally, I’d like to address my fellow red teamer friends. This pointed article is not(!) an expression of disrespect but an attempt to convince new talents of the defender’s work. Our industry needs more professionals working in the defensive field.

The talent pool of defenders is not keeping pace (Source: ISACA)

Besides that, red teamers are the necessary sparring partners and make great blue teamers themselves. Both sides can learn much from each other to improve the resilience, detection and response capabilities of our customers or employers.

Follow me on Twitter: https://twitter.com/cyb3rops
