Today I finished Advanced Penetration Testing by Wil Allsopp. I don’t know what quantifies the term “advanced” when it comes to security, but I do see difficulty ratings on a lot of security things, so I think I’ll just leave it. The heart of the book was about emulating an advanced persistent threat, or APT, which is one of the branches of security that most interests me, so it was a good read.
The examples were a little… contrived, maybe? at times, but given the mentions of being based on previous real-world exercises I’m sure they are all valid. I’ve also found it to be the case that most security-related examples are oddly specific to one situation; I think it’s just part of the nature of the discipline. But I find it extremely unfortunate, especially coming from a background in mathematics. In maths every problem has a solution (unless you’ve proven otherwise, but I’m talking more high school maths right now), and you can work out that solution by identifying the kind of problem and using various techniques. It’s very algorithmic (as is computer science, for the most part, in my experience), and the problems and techniques are all fairly broad. One problem is made up of many different parts, and techniques can be used on various kinds of problems.
That contrasts with most of security education, in my experience. In security, techniques and problems are very specific, and examples are even more so. At best you can group things into various categories like post-exploitation and information gathering. You learn privilege escalation or exploitation by learning a bunch of random, unrelated techniques that, when faced with an actual problem, you’re meant to just throw at it until the magic word root pops up. I don’t really know where I’m going with this, but I don’t really like this model of education. I think we need to come at it from a different angle, a more whole-picture one. Not that I have that angle; perhaps I’ll write about it after ruminating on it for a bit longer.
Or maybe I’m just thinking about it wrong. For example, in maths you learn calculus and a bunch of techniques to throw at integrals until you have an answer you like. Or in computer science you learn about loops and conditionals, and then you throw them at problems until you have an algorithm that does what you want. However, what I think the difference is, is that there’s always a bigger picture. These loops and limits can be used to solve simple, contrived problems, but they can also be used as small parts of big problems and solutions like quicksort or finding the curl of a vector field, and even though you didn’t know what vector calculus was when you first differentiated, you knew that it was a small building block in the bigger picture, that it was important, and that it would be a tool used to solve important problems. (In my time doing maths at uni I never even used vector calculus to do anything remotely applied (I was more of a theoretical guy anyway), but I still knew that it was just a technique used in the bigger picture, that a bunch of things I’d already learned went into learning it, and that it would be used as a technique in other things I would learn (had I gone on to pursue further levels of mathematics).) Even though maths can be broken into distinct disciplines, they all intertwine and are used in conjunction when solving a unique problem, and perhaps naively, I think a complete picture of mathematics exists, even if we as a species may never fully comprehend it.
I think that’s what’s missing from the world of cyber security. But perhaps it’s too applied, too real-world and too messy, for a complete picture to exist. But I think there at least exists a big-er picture, and that it’s missing from the education of this great art. Not that I could put it into words, but I feel it, just out of reach, and it constantly frustrates me that I don’t know it. I think that perspective is paramount to all understanding, and to all learning. Perhaps I’ll go into education one day and share it, once I’ve found whatever it is.
Anyway, I thought about just ending there, but I will actually say a little more on the book. It was good, a little more big-picture and focused than The Hacker Playbook (which I’d just call a broad collection of tools), which was cool. It went over a few techniques and attack vectors, with a focus on social engineering, and developed different aspects of a C2. It was very practical, with a focus on technique over tools, and I appreciated that each example was covered more or less from the start to the end of the engagement. All in all a solid read, and it covered the APT vibe pretty well.