If we were to choose a word that would describe the past couple of years, it would most likely be overwhelming. We’ve all experienced a self-inflicted pressure to do more.
But let’s face it: we like a good challenge!
Otherwise, how can one successfully weather all the fast-paced changes that are taking place?
The infosec industry has always had to keep up with such fast-paced changes. Things can get difficult, repercussions can be severe, expectations are high and you always need to be one step ahead. It never really feels like you are providing a final solution to a problem, but merely delaying it as much as possible.
This is when the power of the infosec community kicks in. Mihai Vasilescu, Security Research Engineer at Keysight Technologies, offers a very empathetic view of the difficulties cybersecurity specialists might find themselves in and, of course, some of his tips and tricks on how to turn such difficulties into learning opportunities. And so much more.
Our series of interviews with industry leaders and specialists aims to provide, among other things, real-life stories and resolutions, in the hope that they will become guidelines for overcoming challenges in this profession.
Coming back to Mihai, he starts with…
Addressing the elephant in the room
Of course, achievements and high scores are valuable. But, at the end of the day, how many threats do they actually eliminate for good? Specifically, there are some topics that Mihai thinks should be more thoroughly analyzed by specialists working in the field (and not only). One would be:
That the infosec industry is really competitive, which is really good – and needs to keep up with everything. It’s just that it feels like there’s a lot of pressure towards having the most certifications, the most 0days discovered / most APTs analyzed. And, at the end of the day, the reality is that most of us are going to have to deal with more commodity malware, reused PoCs off the Internet, phishing emails. And we’re not even at a point where we as an industry can say – look, all these day-to-day problems – we’ve got it figured out.
Separately, it seems the shortage of infosec specialists isn’t going to go away very soon. It looks like, even though the challenges the infosec business is facing have grown – the increase in the number of attacks, the increase in the complexity of these attacks – the number of specialists has increased, but not on par.
What about procedures vs tools
With old issues that never really seem to go away and new attacks piling up, the workforce gap is just the cherry on top. Yet there is a light at the end of the tunnel. Take it from someone who has had his fair share of experience in the field. When things become overwhelming, don’t overthink them, just go back to the basics – HOW is more important than WHAT:
The infosec area is a pretty tough business, especially when you’re new. There are always new threats, new attacks, new tools, new certifications, new products.
This might sound boring, but stick to the basics – learn procedures, understand protocols – not tools. Tools come and go, but DNS / HTTP / etc. are still here. Understanding how they work, how they are abused and how you can protect them is much more important than knowing how to use a tool to do it for you.
For me, it was incredibly helpful to get involved in side projects, helping with various extra-curricular projects, like the Security Summer School. Or just trying to help out people facing similar issues with various projects. Explaining, debugging and fixing are a great way to strengthen your knowledge.
Indeed, practice makes perfect. And when you surround yourself with people who are going through what you’re going through, you get the best kind of practice. In a nutshell, that’s why and how DefCamp started.
Companies are more cyber aware
The current state of the industry proves that creating a place where infosec specialists share their ideas, struggles, experiences and solutions was the right thing to do. The number of cyber attacks has been on the rise in recent years. Ransomware attacks have become increasingly common and alarming – sometimes, even human lives are at stake. And high-impact breaches like the Colonial Pipeline attack will most definitely keep the headlines for some time.
In turn, organizations have become more aware of such potential threats and potential damage, and are now starting to take drastic measures. This is, perhaps, the most important change in perspective that we’ve started witnessing in the past years. To support such measures and make a positive impact, infosec specialists come into play.
Remember: A good infosec expert should be a Jack of all trades and master of all
Cybersecurity specialists are the ones that can eventually make a difference. As Mihai states, the broader their knowledge, the easier it will be for them to do so.
I think more companies are open to ensuring security measures.
Recent years’ breaches / vulnerabilities uncovered plus the ransomware attacks have clearly had an impact. Just think of the ransomware attacks on healthcare / hospitals in 2020 led by Trickbot and Ryuk. Or the Colonial Pipeline ransomware attack.
These attacks are affecting not just some computer systems – they are affecting people’s livelihood and, at times, they could potentially endanger them physically. This is the point where more and more companies and organizations draw the line.
I don’t believe there’s one particular field of expertise that’s needed, but rather knowledge in many fields. Just like in the defense in depth approach, you need different knowledge in different areas – you need people that are experts in incident response, malware analysis, network visibility, endpoint monitoring.
Cybersecurity is such a dynamic field, it gives you no time to get bored, but plenty of time to explore. It may come as no surprise, but education (sometimes even self-education) is key, as every experience levels you up.
Just as cyberattacks are getting more sophisticated, targeted and widespread, teams need to keep testing new and improved countermeasures, defences and services.
When risks get bigger, security should get better
In this regard, Mihai brings a fitting example from his own daily activity:
One challenge we’re working on is validating the performance of existing security solutions and the risk and exposure of the organization in the scenario of an attack. More and more malware works like “as a service”, making them more and more configurable, per target, per region etc. – Trickbot is known to drop ransomware on the infected systems, while Trickbot itself would sometimes be deployed via the Emotet malware. While some aspects of these attacks can be tested / recreated – as an internal phishing awareness / test, other parts of the attack are difficult to recreate and measure.
If you can’t measure, can you really be sure you’re safe?
Nowadays, security controls are made up of lots of devices and services – firewall, endpoint protection, email filtering, DLP, network visibility etc. All of them need people with experience to configure, manage and monitor, and one small mistake can generate lots of problems. This is why we try to emulate all the steps of an attack and identify potential areas to improve security controls.
This is just a snippet of Mihai’s expertise. We’re sure that he is willing to share more with the community, as he will be attending this year’s DefCamp edition. He has done so many times before but, just as you can never get bored in cybersecurity, you can never get enough of DefCamp:
I’ve been attending DefCamp for more than 7 years now and I still enjoy it every year.
I’ve spent some editions having a go at the hacking challenges, others trying to catch up with people that I don’t see too often. And, obviously, I try to attend the presentations that I find interesting.
A lot of the work that we do in our team goes to research and implementing new methods of detecting attacks in the wild.
This year, we’ll see some really interesting presentations. One is a novel way to tackle a very old problem that never really disappears – phishing, and this was actually the result of an internal hackathon project. The other is regarding adversary emulation replicating the techniques used by malicious actors, as closely as possible, while not introducing any risk to the infrastructure.
In the end, the infosec industry doesn’t have that many specialists (yet 🙂 ) and most of us probably work in small teams – so it’s really good that we get together once a year and have a chance to at least… hang out for a couple of days.
Join us at the end of November to connect with Mihai – and many others from the Keysight Technologies team!
Last but not least, we take this opportunity to mention that DefCamp 2021 is powered by Orange Business Services. Moreover, this edition is possible with the support of our main partners: Keysight Technologies, Cegeka, Garrett, Secureworks, Bit Sentinel, and our partners Pentest-Tools and CyberEDU.