No Dislocated Knees!
I was recently re-reading my old posts, just to see how they’ve held up against the evolution of the industry and of my own thinking. When I came across When You Point a Finger, Three Point Back, I immediately sent it to my team, realising that it reaffirms a lot of the guidance I’ve been giving them about their growth. However, I also realised that the industry has evolved substantially since I wrote it, and I now have friends in the industry who are established experts and leaders in Digital Forensics and Incident Response (DFIR). It has emerged as its own specialisation in our ever-expanding threat landscape, which has definitely changed my perspective a bit.
While it’s a very good thing for the industry to be exploring the breadth and depth of DFIR, I do fear that we may be introducing an element of over-specialisation. Rather than treating it as a skillset you acquire as a step along the way to your offensive security goals, we’re now expecting young analysts to declare their path early on, locking them into that choice for the duration of their career and shielding them from the experiences they would gain from sitting on the other side of the keyboard.
One of the most common injuries for a ballerina is a dislocated kneecap. It happens when the outer muscles of a dancer’s legs become over-developed and the inner muscles under-developed, because the dancer isn’t supplementing with strength training outside of dance. When the dancer engages those muscles en pointe, the stronger outer muscles pull the kneecap out of its groove and the weaker inner muscles can’t hold it in place, resulting in a dislocation. I think this is what we’re training towards in security, too, when we have teams focusing solely on building their abductors (defensive security skills) or their adductors (offensive security skills). It’s a recipe for [metaphorical] dislocated knees.
What I’ve advised my team to focus on is building these skills in balance with one another, so that each step teaches the next. For my early-career analysts, I’ve encouraged them to learn basic penetration testing: being able to execute canned exploits to compromise systems with known vulnerabilities. Then they can take the systems they’ve compromised, see what the attack looks like in the logs, and turn that exploitation into an indicator of compromise (IoC) for that attack. How else can you defend against attackers if you don’t know what an attack looks like?
This balanced building isn’t just for early-career analysts, though. As you get better at both skills, you’ll start to build evasive techniques, learning to write your own exploits so you can compromise that same system without tripping your own IoCs. That in turn leads you to build more resilient IoCs that catch rapidly morphing exploitation. More resilient IoCs then push you to develop new evasive techniques and methodologies in your exploitation to impede detection and investigation. It’s a never-ending cycle in which you are continuously learning from your expanded experience, offensive skills feeding defensive skills and back again.
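One turn of that loop, as an added example that is not part of the original post: a canned exploit is run against a lab web server, the analyst writes an IoC from what appears in the access log, the attacker-side of the same analyst evades it by changing one header and percent-encoding the payload, and a second, behaviour-based IoC survives the evasion. The three combined-format log lines, the IP addresses and the "canned-exploit/0.1" User-Agent are constructed for the example; the only assumption is a server that writes Apache/nginx-style combined logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format). Line 1 is a canned
# directory-traversal exploit sent with the tool's default User-Agent;
# line 2 is the same traversal, percent-encoded and sent with a browser
# User-Agent to dodge a string-match IoC; line 3 is benign traffic.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1432 "-" "canned-exploit/0.1"
10.0.0.5 - - [01/Jan/2024:10:05:17 +0000] "GET /cgi-bin/..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["lineno"] = lineno
            entries.append(entry)
    return entries


def ua_string_match(entry):
    """Brittle IoC written straight from the first compromise: the exploit
    tool's default User-Agent. Defeated by editing a single header."""
    return entry["ua"].startswith("canned-exploit")


def fully_decode(path, max_rounds=5):
    """Undo percent-encoding until the string stops changing. The round limit
    keeps double-encoded payloads (%252e -> %2e -> .) from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def path_traversal(entry):
    """Resilient IoC keyed on the behaviour, not the tool: any '..' segment in
    the decoded request path. Indifferent to User-Agent or encoding tricks."""
    path = fully_decode(entry["path"].split("?", 1)[0])
    return ".." in path.split("/")


RULES = {"ua_string_match": ua_string_match, "path_traversal": path_traversal}


def run_detections(text):
    """Return {rule_name: [log line numbers that fired]} for every rule."""
    entries = parse_log(text)
    return {name: [e["lineno"] for e in entries if rule(e)]
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for rule, hits in run_detections(ACCESS_LOG).items():
        print(f"{rule:18s} -> lines {hits}")
```

Running it shows the string-match rule firing only on line 1, while the traversal rule catches both the original exploit and the evasive variant. The next turn of the loop belongs to the attacker again: reach the same file without a `..` segment (a symlink, a different vulnerable parameter, an alternate encoding the decoder does not normalise), which is exactly what pushes the defender towards detections built on what the request does rather than how it is spelled.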
If you happen to walk by while I’m on a call with my team, you may hear my new rally cry, “No dislocated knees!” Rather than encourage specialisation in one side or the other, I’m encouraging everyone, regardless of level, to work on these skills equally. I’ve included both offensive and defensive expectations in every band of my leveling guide. No one needs to pick the red pill or the blue pill; this isn’t The Matrix!
Eventually, we’re all forced into specialisations. That’s inevitable, as the industry continues to expand beyond the limits of individual comprehension. No one can possibly be an expert in every facet of such a broad industry. However, I believe being able to context-switch between offensive and defensive concepts and techniques is essential to being an expert in either. That is why I, along with my team, will be making a concerted effort to grow our skills on whichever side is weaker, continuously working back and forth between the two as we strive to be well-rounded experts in whichever path we ultimately choose as a specialty.