10 REAL BENEFITS OF READING THE payl0ad.run BLOG



2019 Feb 25

payl0ad.run

Welcome to the payl0ad.run blog. This site exists to document my off-the-clock investigative efforts in threat research, adversary emulation, and information security in general. I have no wishes for attention or popularity, and I’m not doing this to give back to the infosec community either. I’m making it for the sole purpose of pursuing my own skill development and personal achievement in a deliberate and orderly way. Nothing more. So, why might you care to read? It’s my earnest belief, and my sincere hope, that other security professionals (or anyone else interested in cybersecurity for that matter) will benefit from my work and what I have to say. Here’s how:


  1. Clarify Technical Concepts
  2. Unclutter your Digital Life
  3. Improve your Personal OPSEC
  4. Enhance your Arsenal of Tools
  5. Fully Integrate New Knowledge
  6. Turn Knowledge into Capability
  7. Save Time Reading Infosec Books
  8. Make Better Training Selections
  9. Understand Different Viewpoints
  10. Get Inspired to Build Something


Clarify Technical Concepts


It’s a real pain to try to learn a new software program or security technology/technique when the main search results you get are all stuffy, dictionary-like pseudo-descriptions of the topic in question. To really grasp something new one should be able to make conceptual distinctions. Questions like “How does software X differ from Y?” or “Why, and in what contexts, would one use technique A over B?” are pivotal to learning, but when you’re just starting out with something new that’s a lot of legwork, and it can frustrate you before you’ve really gotten started. Moreover, there’s plenty of how-to content online for security pros, but it’s more time-consuming to find answers to “why” questions. So, as I discover clearer explanations and formulate more concise answers to these types of inquiries, I’ll share them on this blog.

Process hollowing visualized

File-based malware exhibiting process hollowing capabilities

Being a security professional requires not only hands-on application of ideas but also a crystal clear grasp of abstract, high-detail concepts whose relevance is constantly shifting. We have to pick things up quickly but very precisely. To that end, as I encounter concepts that are new to me (or familiar ones that are just difficult to fully know without imagery), I’ll also be creating easy-to-digest visuals that summarize my understanding and posting them here. I’m making them for myself, but I expect they’ll be helpful to someone else’s learning, so I’ll try to make them pleasing to look at as well.


Unclutter your Digital Life


If you’re an infosec pro you probably have an armful of devices, quite a few virtual machines, tons of notes, dozens of passwords, SSH keys, VPN configs, software licenses, and more that you have to track and manage. How difficult is it for you to find and start using a given digital item when needed? What about your physical workspace? Is disorganization getting in the way of your productivity or just annoying or discouraging? If any of that resonates with you then I’m really looking forward to sharing my personal experiences and tips for overcoming all of that. And, because we’re in the business of security, all my recommendations thoughtfully account for any confidentiality, availability, and data integrity rules or preferences one might have.

Overhead view of various tools placed neatly on a table

I’m not some productivity guru or whatever, and this is NOT a topic I’ll address by simply getting up on some preachy or overly-motivational soapbox to spew self-help platitudes. Instead, I’ll be sharing my real-world, everyday tactics to get your digital life under control and minimize wasted time so you can focus on solving more fulfilling problems. We all have some clutter, but I think my organizational approaches can really help someone else.


Improve your Personal OPSEC


Chances are you don’t live in a cave, you don’t ‘trust no one’, and you’ve identified that complete separation from modern technology and services in the name of privacy is a hard path to follow. The internet, smartphones, home automation devices, cloud services, and the like provide an incredibly obvious benefit to human life in today’s world. The benefits of security, however, are not necessarily tangible or immediate. It’s rational to want and to pursue both, but trying to find balance can leave you with more questions than answers. Security- or privacy-conscious consumers might ask which products are most secure or which organizations are most trustworthy. Instead, I will articulate how to approach making security trade-off decisions in any context you might encounter.

A car following at night with text quote "Let your plans be dark"

Teaching one to fish, so to speak, is infinitely more valuable than only making specific product or service recommendations rife with bias and short half-lives. Besides, the approach of accepting such a concrete-only, consumer-targeted set of recommendations to follow only adds to the list of parties you’ve trusted. Bluntly, you can’t trust your way out of being too trusting. It’s time to stop kicking the can on these issues, learn how to independently test or validate claims of security or privacy using your own mind against your own personal standards (whether you have to get your hands dirty or not), and how and why to create your own security solutions where you must.


Enhance your Arsenal of Tools


A huge part of my learning methodology is getting as close to real-world, hands-on doing as possible. Luckily, there are often fantastic, ready-to-use software programs that’ll do the job. Other times, though, all one can find are some code samples or documentation. Sometimes no amount of searching and asking around helps you find any tools that currently exist. Personally, I don’t intend to sacrifice my learning by suffering such defeats, so when the need arises, I write some code and make my own tools to get things done. I’ll be publishing source code for these tools whenever I can (employment agreements and general self-interest permitting) in the hopes of feedback, collaboration, and saving someone else some time.

Stylized typography phrase saying "MAKE MY WEAPONS"

At present, I have ongoing coding projects pertaining to VM automation, penetration testing, secure communications, and file encryption/storage management approved for and pending public release. With all this said, software development is one of the many skills I’m focused on improving, so, for now, any of the tools I release publicly have absolutely no warranty and I make exactly zero guarantees regarding your use of them. But do feel free to use them, and while you’re at it, critique them, improve them, and make them your own too.


Fully Integrate New Knowledge


Even if you’re completely up-to-date on the latest security research, it’s wise to note that constantly reading and seeking out any new tweets, blog posts, or whitepapers is not a substitute for deep understanding. Sure, vigilance is important in security. It’s a fast-paced field. But effectiveness in security isn’t defined by one’s ability to rattle off the latest industry news. To succeed against your opponents (infosec is always adversarial regardless of whether you work in offense or defense) you must be able to identify what you know, honestly conclude how well you know it, and (this one is critical) address the things you don’t know or truly understand well enough. Whether you deal with it or not, your opponents will use anything they perceive as your knowledge gaps or flawed thinking against you.


This blog covers some valuable approaches to concept formation and how best to integrate new knowledge into your existing mental context. There are some insanely quick and easy mental and organizational exercises I’ll describe that can help you visually represent your conceptual understanding of a given infosec domain and allow you to identify any knowledge gaps or areas of less-than-adequate levels of comprehension.


Turn Knowledge into Capability


This blog will be more than yet another source of info about software vulnerabilities or developments in malware activity. Those kinds of blogs are useful, but their sole focus is often to merely inform you. Even when a post has an accompanying tool release, it’s left to the reader to know how best to act on all of those details and exactly where the new tool or technique fits into the big picture. Simply hearing about (and even grasping the technical details of) these things won’t amount to much unless you can act and truly put what you learn into practice.

Blurry shot of men at a gun range

So instead of posting a flurry of how-to articles toward the simple goal of just informing you, I will be describing the higher-order organizational foundations necessary to fully operationalize and practice every relevant thing you might come across. It’s not enough to think you know how to use security tool X or to approximate how offensive technique Y works. This blog will discuss exactly how to get hands-on with your learning, all while organizing your processes and procedures into a functioning, repeatable system. I’ll also discuss methods to track your level of competency in your infosec discipline(s) of choice and how to know the readiness of your tools at any given time so you can maintain your capabilities in the long term.


Save Time Reading Infosec Books


How many books are there about hacking, reverse engineering, forensics, malware, network monitoring, and all sorts of other information security topics that have piqued your interest? Can you say that you’ve read all the ones that you’ve wanted to read? If not, do you at least have a plan for getting around to them? Books are incredible resources for learning vital skills in this field, but it can take significant time and personal discipline to make consistent progress in absorbing the massive amounts of information they contain. To that end, as I read through my personal reading list, I take detailed notes for every chapter and major concept, tool, and technique covered.

A bookshelf with over 100 books

Additionally, many infosec books include dozens of hands-on labs and exercises to reinforce your learning, but some are outdated or contain errors, thereby raising the barriers to entry for individuals new to the field. I also take notes (with setup instructions, command lines, code snippets, etc.) for all the exercises I try. Lastly, I will be posting reviews of the many books in my reading list as I finish them. I’m certain that my notes and related advice will save you time and frustration while trying to navigate a specific book, and I hope my reviews can help you make informed book selections so you can use your limited reading time on the right books for you and your specific objectives.


Make Better Training Selections


As with books, there are many great training resources available for hackers looking to learn a new skill. Researching them all, though, and choosing one over another is tedious and carries financial risk. What if you spend your limited money (or, if you’re lucky, your employer’s limited training budget) on a course that was ultimately not the best one for you? Even if you take the time to research and compare them all, the risk doesn’t go away completely. Hearing personal accounts, particularly ones that help differentiate similar training paths, might give you a crucial detail that can save you from making an expensive (money, time, opportunity costs, etc.) mistake.


I’ve been fortunate enough to take a good number of professional infosec training courses and workshops from organizations such as SANS, TrustedSec, and others. These courses have covered offensive topics such as penetration testing and red team tactics as well as defensive ones like malware analysis and endpoint monitoring. I plan to continue taking as many relevant, high-quality infosec training courses as I can possibly manage, and I’ll be sharing my course notes, tips for labs and exercises, and my reviews and other thoughts that come up. I won’t promise that you’ll learn everything I learned or was taught (I won’t be breaking any NDAs or license agreements), but you’ll learn enough from my experiences to better invest your time and money when it comes to training.


Understand Different Viewpoints


The infosec community knows very well the discussion topics that reveal one’s personal opinions and prompt debate. How should a researcher disclose a software vulnerability, and how should a vendor handle external security researchers? What rights and responsibilities are at play in matters of dual-use technologies like exploits, encryption, and anonymity tools? How should our institutions protect intellectual property in light of 21st century technologies? What role should government play in handling various types of objectionable online content? Should government regulate ISPs like public utilities, or should the internet rely on free-market principles?

These questions, among many more, might be ones you shouldn’t neglect to consider, but only comprehending how a given technology works won’t change the world, and to merely know which opinions you hold is not enough to solve ethical and policy issues in technology.


Furthermore, to only ever hear the same sound bites from the same places with the same opinions and viewpoints on those issues makes for less independent, critical, and logical evaluation. Echo chambers sabotage your intellectual potential. You owe it to yourself to arrive at your own conclusions using your independent judgment, and hearing a new, contrasting viewpoint can reveal more about your own beliefs.

Ethical and policy issues in technology are highly nuanced. They require rational, honest, and rigorously logical analysis that incorporates technological familiarity but doesn’t evade or ignore vital historical, scientific, economic, and philosophical contexts. My personal views might not win popularity contests, and you may disagree with what I have to say, but I’ll always show how I used sound logic and reasoning to arrive at my conclusions. There is real value to your knowledge, awareness, and intellectual horsepower in hearing a different opinion. Even if I don’t change your mind, you’ll have likely learned something new that’s useful to you in this field of inquiry.


Get Inspired to Build Something


The content I post here, and the software tools that I release, may not have precise relevance to your personal goals or unique interests. I’m writing this blog exclusively for my own selfish needs. But reading the thoughts and work of other people can be a worthwhile source of creative inspiration for you. Even if you don’t learn anything new from reading this blog, or even if the specific projects I’ve undertaken don’t capture your attention, there’s still a chance that the mere exposure to something I’ve done or said, or the way I went about it, can spark a good idea in your mind. Or it might even help you identify an area of research or type of work you’ll love to pursue, even if it has nothing to do with the research areas to which my projects pertain.

Hancock Tower in Boston, Massachusetts

“John Hancock Tower, Blue Hour” by Tim Sackton (modified) / CC BY-SA 2.0

Using your mind to build something, to creatively reshape the world so it can better suit your life, to build something that otherwise would never have existed if it weren’t for you and your efforts, something you can feel incredibly proud of (even if you’ve done it for nobody except yourself), is an irreplaceable life experience and a profound value to achieve. Even if this blog has no other utility to you than this one, I’ll still think it worthwhile for me to have published it.


Now What?


If any of the above benefits apply to you and your goals then you’ll likely get real value from reading my future posts too. At present, I plan to share links to any new posts on Twitter and other platforms, but I’ll likely get a proper RSS or Atom feed working at some point too.

I’m always receptive to feedback (positive and negative) offered in good faith. This is my first and only blog, and I’m doing just about everything by myself, so feel free to send me a message to let me know your thoughts, how I can improve, or just to say hello. Thanks for reading!




Mike Iacovacci
Mike Iacovacci is an information security professional specializing in endpoint security, intrusion investigation, and security research. His efforts have prevented serious security incidents and continue to disrupt cybercrime operations and sophisticated threat actors.

FOR FUTURE POSTS AND UPDATES FOLLOW @mikeiacovacci