I put together a simple, web-based tool inspired by @sounilyu's Cyber Defense Matrix. Quickly visualize program maturity, controls, roadmap, more. - Customizable asset classes - PNG export - JSON export/import Overview📄 Tool 🛠️

RT @Wietze: 🚀 Today I'm launching ArgFuscator: an open-source platform documenting command-line obfuscation tricks AND letting you generate…

RT @SecurePeacock: Today at WWHF @Wietze is dropping Invoke-ArgFuscator 👀

RT @ryanaraine: Dave Aitel, writing on DailyDave: "This is probably my new favorite podcast, with an uncensored take on current infosec e…

RT @ryanaraine: Quick ear-check with the listeners: What's the ideal length of your favorite podcast?

Some expected victim disclosure to be jarring, but the SEC rule normalized it overnight. One of the last bastions of caginess, opacity in this industry are the products and services that a company uses. But when material incidents occur, optimize for transparency and learning.

"2022 zero day was used to raid Fortigate firewall configs. Somebody just released them" -

@ac1dgoddess Inventory matters, for the same reason it matters if you replace nmap with ~100 other dual-use tools. Usage (provenance in particular) should inform threat detection. nmap + known nmap source = meh nmap / nmap-like activity + unknown nmap source = threat

@FrankMcG @BlueTeamCon Source of ongoing debate 🙃 Chase each platform, cross-post galore, but engage poorly everywhere? Optimize for impressions? Engagement? Attempt to grok audience sentiment? 👈 Hardest—moves come in waves, big externalities at play. But again, it's fragmentation vs. migration.

Cybersecurity stat of the day: The average delta (in years) between CVE assignment and addition to the CISA Known Exploited Vulnerability (KEV) catalog is 2.8 years. 🤯

Another day, another email warning "attackers may be exploiting FortiGate devices". Folks. Your Fortinet gear might as well exist *primarily* to grease the skids of initial access for bad actors. These devices help more adversaries than they stop. I think we're past "may be" 🤣

@jeremiahg An assumption on my part, which I realize is dangerous, is that liability is absolutely coming. That said, if I understand your argument, it's that liability would have been a more useful place to start, instead of starting with control mandates. I can get behind that.

@jeremiahg I guess the point I'm trying to make is that "doing something" here *does* depend on "doing something else, too." Have to start somewhere. Getting any leverage over an unregulated industry where we have an acute problem is better than nothing.

@jeremiahg A good q for all the infosec nihilists out there: What's the alternative? Literally do nothing (status quo)? Ban sale of consumer Internet devices (lol)? Something else entirely? Honest question: What gets us "iOS updates" effectiveness, for devices at 20x lower cost/margin?

@jeremiahg The consumer router as a test case: Companies yeet millions (🤷) of these into homes, to be abused with impunity. The most basic monitoring + periodic updates doesn't make the problem go away, but is orders of magnitude better than doing literally nothing at all (status quo).

@ImposeCost Interesting observation. I think younger me was more likely to "focus" on weaknesses. Today, I don't focus on them, but I do pay much more attention to their nature + impact. Some weaknesses are just that (ultimately, opportunities). Some are purely toxic traits (bye bye).