Hack The Planet

Because if you don't, who will?

Thursday, July 9, 2026

Don’t Let Your (OODA) Loops Get Soggy

Over the holiday weekend I had some time to think (which can be a dangerous thing), and one of the things that has been on my mind is the need for real-time information to make quick, accurate, confident decisions. I put a short version of this up on LinkedIn, and the conversation it started was good enough that I wanted to expand it into a full post. When minutes matter, information wins. That lesson has been learned in every conflict this country has fought. It was true when riders carried word that the regulars were out. It was true when the Union cracked Confederate signals, when codebreakers shortened a world war, and when a forward air controller in Vietnam had seconds to sort friend from foe. The technology changes every generation. The requirement never has.

Col John Boyd distilled this into the OODA Loop (Observe, Orient, Decide, Act), and it is no accident that Observe comes first. Every decision inherits the quality of the observation that feeds it. If your observations are late, incomplete, or wrong, the loop doesn’t just slow down. It compounds the error. You orient on a false picture, decide with false confidence, and act on the wrong problem. Garbage in doesn’t just produce garbage out. It produces confident garbage, at speed, which is worse.

Most people who reference Boyd fixate on speed, on “getting inside the adversary’s loop.” But speed is a product, not an input. The input is observation. The fighter pilot who sees first, wins. The watch floor that spots the first sign of an intrusion has options that the one who finds it three weeks later does not. Decision dominance starts with observation dominance. There is no shortcut.

One of the replies to my LinkedIn post pushed on an important nuance, and it deserves space here. Observation is not a clean camera feed. Boyd himself put Orientation at the center of the loop, shaped by our genetics, our culture, and our previous experiences. Our default orientation, built from everything we have seen and done, affects how we observe the world and each engagement with an adversary. Our decisions and actions also impact our future observations, keeping the loop alive for the entire engagement.

This is where the idea of the Bayesian brain aligns nicely with Boyd. Each turn of the loop updates our orientation, and the more reps we have, the better our predictions and the faster our loops. This is why experienced analysts seem to “just know” where to look. They aren’t psychic. They have turned the loop thousands of times, and their orientation has been refined by every one of them. It is also why we need to be honest about the flip side. An orientation built on bad assumptions will filter out the very observations that would correct it. If you have ever watched an organization miss an intrusion because “that system isn’t internet facing” or “we don’t have anything anyone would want,” you have watched orientation defeat observation.

Here is the uncomfortable truth. Most organizations don’t deliberately consider how they observe. They don’t know what data and information is important to what they are trying to achieve. They don’t think about how they collect that information, or what it costs to collect it. And they don’t think about how to sort through the noise to get to the signal.

I have walked into plenty of environments that were collecting everything and observing nothing. Log sources feeding a SIEM that nobody tuned. Alerts covering every screen in the SOC while the analysts sat with their heads down, trained by years of false positives to ignore them all. Plenty of organizations pay to collect and store data they never actually use, which is noise with a bill attached. That is not observation. That is hoarding.

Fixing this doesn’t start with a tool. It starts with three questions, asked in order:

Why?

What is the mission of your organization? What are you actually here to do? This sounds basic, but I have sat in rooms where the security team could not articulate what the business does to make money or accomplish its mission. If you can’t state your why, everything downstream is guesswork.

What?

What do you need to protect to fulfill that why? These are your crown jewels, your critical systems, your data that actually matters. Not everything is critical, and pretending everything is critical is the same as protecting nothing.

How?

How are you going to protect your what? Now, and only now, do tools, telemetry, and collection strategy enter the conversation. Your how should be a direct answer to your what, which is a direct answer to your why.

When you work the ladder in this order, your observation strategy builds itself. You know what data matters, because it maps to what you protect. You know what to collect, because it gives you visibility into those things. You know what is noise, because it doesn’t. And you can finally have an honest conversation about the cost of collection, because every log source either serves the mission or it is a bill you are paying out of habit.

When you skip the ladder, you get what most organizations have. Shelfware, alert fatigue, and a very expensive pile of data that answers no questions.

As folks who have been through this process, it is our responsibility to help those who haven’t. Too many people in our industry try to sell the newest widget instead of working with clients to understand their pains and giving them guidance on how to solve them. Even if it isn’t buying your widget. The organizations that achieve decision dominance are not the ones with the most dashboards. They are the ones where accurate, contextualized information gets in front of the right people in time to matter. Whether it is a watch floor spotting the first sign of an intrusion, an analyst trying to remember where they saw that IP before, or a leader deciding whether to wake people up at 0200 for a perceived incident, the loop turns on observation.

Observe deliberately. Orient honestly. Decide with confidence. Act.

That is the work. Everything else is downstream.

posted by holliday at 2:38 pm  

Monday, September 15, 2025

Hackers – 30 years and counting

As I sit here working, and watching Hackers on the 30th anniversary of its release, I can’t help but feel nostalgic. I watch Hackers every year before DEFCON, and am always amused, that even though the visuals aren’t an accurate representation of hacking, the attacks themselves are. You see social engineering, OT hacking, reverse engineering, and more. It is fun to look back at a movie that shaped my career, and love of computers, the Internet and the chess game that is cyber security. 

There is something about this movie that makes me feel young again. When Razor and Blade come on and talk about Jolt Cola, I can still taste it. When Jolt Cola came back a few years ago I grabbed a bit to experience the memories again (even though I don’t typically drink soda). I have the soundtrack as part of my Hacking playlist, and when “Connected” by Stereo MC’s comes on I can’t help but dance in my chair. There are so many great memories aligned to this film.

In cyber security, I always find it interesting to hear what inspired someone get into the field. If it was a friend that showed them what they were working on, a movie or tv show, a book or some other path in. I have always enjoyed technology, and was lucky enough to have it around as I got into my formative years. I was also lucky to work at a telco startup (and many startups after that), and be able to get in with the information technology team which gave me access to many tools and mentors that helped me along the way. The movie Hackers inspired me through out with the knowledge that we are a community, and after spending the weekend at a wedding of some of my hacker family it still holds true. We are stronger than I.

I even made a shirt for DEFCON this year to honor the movie and the Gibson, which is a reference to one of my favorite authors (and the inventor of the word cyberspace).

So on its 30th anniversary, I raise a glass (or a can of Jolt) to the movie that taught me to see the world not just as it is, but as it could be — a place where a handful of hackers can change everything. Hack the Planet!

Now to get some popcorn and enjoy the rest of this movie. 

posted by holliday at 2:53 pm  

Monday, July 1, 2024

There are no holidays in Cybersecurity…

It wouldn’t be a holiday if a new vulnerability wasn’t released, causing IT and Cybersecurity practitioners to have to put their plans on hold to scan and patch their systems. I have spent more than my fair share of holidays at my desk, trying to make sure everything was resolved before I joined my family and friends in whichever festivities were going on.

We often speak about burnout at conferences, in blogs, and on podcasts, but we don’t always take the advice given, or have the opportunity not to work long hours when things go sideways. This isn’t always the case though. Sometimes we like to feel important, so we over emphasize an issue, letting everyone know how busy we are. How needed we are. And it is great to feel needed.

This can lead to unhealthy behaviors, and issues in your relationships (even with yourself). So the next time you see a vulnerability published just before a holiday, take the time to ask yourself, “Is this really something urgent, or do I just want it to be?” And depending on the answer, give yourself a break for the fire drill that is our lives sometimes, and enjoy some Fireworks or Eggnog with your tribe.

posted by holliday at 9:36 pm  

Tuesday, April 2, 2024

Why Social Engineering Remains a Top Concern for Organizations

In the ever-evolving landscape of cybersecurity threats, one that remains constant is social engineering. Despite advances in technology and tooling, social engineering continues to pose significant risks to organizations. We’ve all witnessed the devastating impact that social engineering attacks can have on individuals, businesses, and even governments. It was top of mind with some recent breaches, so I wanted to delve into the nuances of social engineering and explore why it remains one of the most common threats we face in cybersecurity.

Here is a quick description of social engineering for those that are newer to cybersecurity. Social Engineering is a tactic used by cybercriminals to manipulate individuals into divulging confidential information, granting access to sensitive systems, or performing actions that compromise the individual or organization. Unlike traditional cyberattacks that exploit technical vulnerabilities, social engineering exploits human psychology. Whether through phishing emails, pretexting, or impersonation, attackers leverage social engineering techniques to exploit human trust, curiosity, or fear.

One of the primary reasons why social engineering continues to thrive is its adaptability and versatility. Cybercriminals constantly refine their tactics to bypass sophisticated security defenses and exploit human vulnerabilities. Phishing emails, for example, have evolved from crude, poorly written messages to highly convincing replicas of legitimate correspondence from trusted sources, like an email from your bank, travel agency or even a family member. These emails often employ psychological triggers, urgency, or fear-inducing language to trick recipients into clicking malicious links or downloading malware.

Moreover, the widespread adoption of social media platforms, like Facebook, LinkedIn, Twitter, and Instagram has provided cybercriminals with a treasure trove of personal information that can be leveraged for targeted attacks. By profiling individuals based on their online activity, attackers can craft tailored messages that appear genuine and convincing. This personalized approach significantly increases the likelihood of success, as people are more inclined to trust messages that align with their interests, or social connections.

Another reason why social engineering remains a top threat is the inherent human element. No matter how robust an organization’s technical defenses may be, human error or manipulation can circumvent most security measures. Whether it’s an unsuspecting employee clicking on a malicious link, or a well-intentioned individual divulging sensitive information over the phone, human fallibility creates opportunities for exploitation.

The COVID-19 pandemic expanded the threat landscape by creating new opportunities for social engineering attacks. With the widespread shift to remote work, employees are more reliant on digital communication channels, making them susceptible to phishing scams, business email compromise (BEC), and other social engineering tactics. Additionally, the uncertainty and fear surrounding the pandemic has heightened emotional vulnerabilities, making individuals more susceptible to manipulation.

As cybersecurity professionals, it’s important that we remain vigilant and proactive in our efforts to combat social engineering threats. Education and awareness training are vital components of any organization’s defensive strategy. By educating employees about common social engineering tactics, red flags to look out for, and best practices for safeguarding sensitive information, organizations can empower their workforce to recognize and resist manipulation attempts.

Implementing robust technical controls such as email filtering, multi-factor authentication, and endpoint security solutions can also help mitigate the risk of social engineering attacks. Regular security assessments, including simulated phishing exercises, can also help identify vulnerabilities and gauge the effectiveness of security awareness training programs. Though phishing exercises need to be done carefully, to educate employees and not punish them, so that the right lessons are learned.

To wrap this post up, social engineering remains a pervasive and real threat to organizations of all sizes. By understanding the tactics employed by cybercriminals, raising awareness among employees, and implementing comprehensive security measures, organizations can strengthen their defenses against social engineering attacks. As cybersecurity professionals, it’s our collective responsibility to stay ahead of the curve and safeguard against this ever-present threat.

posted by holliday at 3:11 pm  

Thursday, March 21, 2024

Lack of Visibility slows the Zero Trust Journey

Visibility is key to Zero Trust

In the ever-evolving landscape of cybersecurity, the concept of Zero Trust Architecture (ZTA) has emerged as an incredible buzzword, but also as a beacon of hope in the battle against sophisticated cyber threats. The fundamental premise of ZTA is to distrust everything, both inside and outside the organization’s perimeters, and to verify every user and device attempting to connect to the network before granting access. However, the journey towards implementing ZTA has significant challenges, and one of the most significant obstacles organizations face is the lack of visibility.

Visibility, in the context of cybersecurity, refers to the ability to monitor and understand all activities and traffic within an organization’s network, including user behaviors, device interactions, and data flows. It is the cornerstone of effective security operations, enabling analysts and engineers to detect anomalies, identify potential threats, and respond quickly to incidents. However, achieving comprehensive visibility has become increasingly difficult in today’s complex, and bloated cybersecurity environments.

The proliferation of cloud services, the adoption of remote work, and the rise of IoT devices have expanded the attack surface and blurred the boundaries of traditional network perimeters. As a result, organizations struggle to gain real-time insights into their digital assets and activities, making it challenging to enforce the principles of ZTA effectively.

Here are some key ways in which the lack of visibility impacts organizations’ moves to Zero Trust Architectures:

  1. Incomplete Asset Inventory: This has been an issue for as long as I have been in the IT and cybersecurity space. Without full visibility into all devices and assets connected to the network, organizations cannot accurately assess their security posture. Shadow IT, where employees use unauthorized applications and devices, further complicates the situation. As a result, implementing ZTA becomes akin to building a fortress without knowing all the entry points.
  2. User Behavior Analysis: Zero Trust relies heavily on continuous monitoring of user behaviors to detect and prevent unauthorized access. However, without visibility into user activities across different platforms and applications, organizations cannot effectively distinguish between legitimate users and potential threats. This lack of insight increases the risk of insider threats and credential-based attacks going undetected.
  3. Network Traffic Monitoring: Effective ZTA implementation requires granular visibility into network traffic to identify anomalies and potential security breaches. However, the distributed nature of modern IT infrastructures, with data flowing between on-premises systems, cloud environments, and remote endpoints, makes it challenging to monitor and analyze network traffic comprehensively.
  4. Data Protection: Zero Trust aims to protect sensitive data by enforcing strict access controls and encryption mechanisms. However, without visibility into data flows and usage patterns, organizations cannot effectively identify and classify their critical data assets. This blind spot hampers their ability to apply appropriate security controls and encryption measures, leaving valuable data vulnerable to theft or manipulation.
  5. Incident Response: Timely detection and response are essential components of any ZTA strategy. However, without real-time visibility into security incidents and breaches, organizations struggle to contain and mitigate the impact of cyber attacks effectively. Delayed or inadequate incident response can result in prolonged downtime, financial losses, and reputational damage.

Some Ideas to Address the Visibility Gap:

To overcome the challenges posed by the lack of visibility and facilitate the successful implementation of Zero Trust Architectures, organizations must adopt a holistic approach to cybersecurity that integrates advanced technologies, robust processes, and skilled personnel. Here are some strategies to consider:

  1. Comprehensive Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to gain visibility into endpoint activities and behaviors. Implementing advanced threat hunting capabilities can help proactively identify and mitigate potential threats before they escalate.
  2. Network Traffic Analysis: Invest in network monitoring tools that provide deep packet inspection and behavioral analytics capabilities. By analyzing network traffic patterns and anomalies, organizations can detect and respond to suspicious activities in real-time.
  3. User and Entity Behavior Analytics (UEBA): Leverage UEBA platforms to analyze user behaviors across multiple IT systems and applications. By establishing baselines of normal behavior and flagging deviations indicative of potential threats, organizations can enhance their ability to detect insider threats and account compromise.
  4. Data-centric Security: Implement data loss prevention (DLP) solutions to classify and protect sensitive data wherever it resides. Encrypt data both at rest and in transit to ensure confidentiality and integrity, regardless of the visibility into underlying network infrastructure.
  5. Continuous Improvement: Regularly assess and update security policies, controls, and technologies to adapt to evolving threats and business requirements. Foster a culture of cybersecurity awareness and collaboration across the organization to empower employees to play an active role in defending against cyber threats.

While Zero Trust Architecture offers a promising shift in cybersecurity, its effectiveness hinges on an organizations ability to leverage visibility into their environments. By addressing the visibility gap through a combination of technology, process, and skilled personnel, organizations can strengthen their security posture and navigate the complexities of today’s threat landscape with confidence.

Remember, in the realm of cybersecurity, what you can’t see can hurt you. Embrace visibility to illuminate the shadows and move towards a more secure future.

posted by holliday at 1:00 pm  

Monday, August 2, 2021

Another year, not like any other Defcon

As I prepare for another year of BlackHat and Defcon, this being the 15th year or so that I have attended, it has a completely different feeling than previous years. Last year, when the COVID pandemic was still in full swing, the conferences went virtual and I was relieved that both conferences were taking it seriously. I wanted to be onsite with my friends and hacker family, but it was the right thing to do to remain virtual and wait for the next year when we could be together.

Now we are in another upswing of the COVID pandemic, after it has started to tail off, and both conferences are in a hybrid mode. I scheduled myself to be onsite, after being vaccinated and taking extreme precautions for the last 18 months. I keep telling myself, I am taking the precautions necessary to attend and be safe. I am vaccinated, wear a mask, and have plenty of hand sanitizer. I still have concerns, but my desire to see my hacker family is overriding my fear.

With the time I have had to prepare, I think that I will be safe, but understand the number of folks that are cancelling their trips. Everyone needs to do what they feel is right, and with the COVID numbers spiking around the country, it is hard to feel safe anywhere.

So, this year at Defcon, will be like no other year, and hopefully like no future year. I will be in person, meeting up with the folks that are still going to be in person, and giving elbow bumps when appropriate and missing the folks that aren’t there with us in person, though I know they are there in spirit.

Hopefully next year we will be through the spikes of this pandemic and can all be together in person. Until then, Hack the Planet!

posted by holliday at 4:34 pm  

Monday, January 11, 2021

A new year, but what has changed…

As the clock struck 00:00 on January 1st, 2021, I felt a sense of hope. The year 2020 will be in our history books as one that tested the human spirit, and saw the best and worst of mankind. From a global pandemic, to some of the largest, and most high profile hacks, how could 2021 not be better? Well, I guess this is where the hold my beer meme should go.

Within a week we are not just talking about hacks, or politics, but full blown insurrection in the USA. When the armed mob of right wing domestic terrorists stormed the Capitol, it put an end to the idea that 2021 would be the gentler year that the previous. There continues to be more and more information being released on this attack on democracy, so we will see what these next few weeks bring.

One of the threads on this attack that has received attention on the InfoSec Twittersphere is that there were many unlocked workstations in pictures taken by the insurrectionists, and a laptop was stolen that may have included sensitive information. While there were a lot of takes on this, Jack Daniel made the most important one, pointing out that the safety of the people was the priority. We can sit back behind our keyboards thinking, “If an angry mob was storming my building I would definitely lock my workstation”, but let’s not kid ourselves, we would be fleeing.

There are measures that can be taken to get the human out of the loop, and with our threat model severely modified after the Capitol attack, here are a few to think about. Faster inactivity locks, so that if you aren’t actively working on the computer it will lock itself in a shorter time frame. This isn’t perfect, but it is easy and low impact. There is also proximity devices, that automatically lock a computer once the device is out of range. There are other options as well, and I am sure we are going to see them becoming more normal after Jan 6th.

When we look forward to the rest of the year, I think it is important to make sure we are trying to find ways to make security easier, to make it a default state.

Stay safe out there.

posted by holliday at 12:41 pm  

Thursday, May 14, 2020

A Brave, New World…

I have not kept up with my writing as much as I would have liked, and I thought maybe with a world changing pandemic I would finally find the time. Well a few months into social distancing and I am just now sitting down to write. #covidlife

It seems like a long time ago, but it was just March when I had my wings clipped and was no longer traveling. At the time admittedly I didn’t think it would be too long until I was back in the air and to business as usual. Now I see that we will won’t be going back to “usual”. It is good though, because we can find a better way to move forward and not rely on doing things a certain way “because that is how it has always been done.”

There have been many blogs and write-ups on how to work in our new, fully remote environments. We weren’t great at defending our networks when they were within our walls. Just looking at all of the breaches we’ve suffered tells us that much. How were we going to handle going remote?

Well, luckily George at Splunk put together a nice list of things we can do today to help protect our workers and our organizations while we adjust to this brave, new world of work. From monitoring our endpoints, to monitoring who is moving data they shouldn’t, it is a good guide for those that are looking for something that they can start doing today.

Dark Reading also put out an article on patching in a pandemic. Many of the ideas, like making sure you have a solid asset inventory, and patch prioritization are things that I think we should have been doing before we were thrust into this remote world world. Sadly, I think this has shown many that the IT Emperor had no clothes, and we are being forced to change our behavior and really start protecting our orgs because the light has been shined on us.

As we all work together on this journey, let’s remember that this is a trying time for everyone. So be kind, be safe, and Hack the Planet!

posted by holliday at 4:23 pm  

Friday, May 3, 2019

Lowest Cost, Technically Unacceptable

I have helped with many sales opportunities where there are Request For Proposals (RFP), or other types of questionnaires that are supposedly written to let the purchaser find out which products can meet the projects, or programs requirements. If you have been through this yourself, you know these are rarely written by the people that will actually be operating the tools. It is a very similar experience to reading job requirements written by an HR team that doesn’t know what they are really hiring for, but they have a template and a passion for filling it out.

“Wanted, a Junior Software Developer. Must have a Master’s Degree in Computer Science, 10 years experience in the newest technologies, and be a champion Samba dancer.”

When you read a lot of these you start to recognize what is really being asked for, or at least which direction you need to go. At this point you buckle down, answer the questions to pass the first set of eyes that is only looking for any “no” responses, but you also add clarifying terms to make sure the folks that originally requested the information or proposal get the depth they need to make a decision.

At this point you may be thinking, that’s great. You answered their questions. But hold on. It isn’t about being able to actually do the thing that was originally requested. It is about being able to almost do it, and also be cheaper than any other solution out there, even solutions that don’t actually meet the requirements but that made it through the first set of eyes, so it must work because they said yes to everything. As in, “Yes, we would like to be able to solve this problem someday.”

The saying, “Lowest Cost, Technically Acceptable” (LC;TA) may be the cause of more failures and breaches than any other accepted practice in Information Security. This lines up with compliance being the bar to hit, and not the bare minimum. When you build out an environment to check a box, but not to perform the actual task required, you will inevitably fail. If you build a fighter jet with the LC;TA mentality, you will have them falling out of the sky, unable to complete their mission. The same holds true for Information Security.

Let’s stop building things to fail by default. Let’s stop accepting that “Technically Acceptable” is…well, acceptable. Let’s push back on the powers that be, and let them know if they want to truly secure their environments against adversaries that are motivated, highly skilled and have time on their side, we need the right tools, the right people and freedom to build them. If they don’t, we may need to start walking away from the keyboard and find organizations that will.

/rant

posted by holliday at 7:39 am  

Sunday, February 17, 2019

Everyone else knows more…

I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they do, and the opposite. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about though.

There are also many people trying to help new people get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You can not learn something once and feel confident that it will not change as soon as tomorrow.

So how do you keep up with all of the changes and advances in Information Security and our adversaries tactics and techniques? There are many approaches to this, but here is mine.

I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.

For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites/blogs, personal InfoSec blogs, to news sites, so I don’t have to go to each one to see if there is anything new for me to see. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.

I also use Twitter pretty heavily to find updates that aren’t on my RSS, and also for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people that are part of the community and start following. You will find more and more people and companies to follow that can help you keep up with the latest in vulnerabilities, data breaches and adversary techniques.

I also am a big believer in IRL (In Real Life) meetups, and community sharing. As you build up your relationships and friendships you may find that you join slack or keybase groups that share your interests. These can be incredibly helpful in helping you learn and stay current in Information Security, or whatever field you are interested in.

If you have a Defcon group, or other InfoSec group near you, attend the meetups. I have not been to an InfoSec meetup yet that was full of great people who were willing to help out people they had just met. Attending conferences helps with this as well. The BSides conferences are run across the planet and we are at a point where it is harder to find conferences not to go to, because there are so many available.

To wrap this up, there are so many ways to keep yourself up to date and learning everyday that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.

posted by holliday at 7:25 pm  
Next Page »

Powered by WordPress