Apparently Abraham Maslow said: “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” and I am sure you have heard this saying elsewhere. For example, they used it in this Kali Linux trailer. And I think it is a valuable quote about expanding your knowledge, toolset and horizon and everyone should try to fully understand it.
But over my time working in (offensive) cybersecurity, I kind of came up with a different statement:
“If the only tool you have is a hammer, you have to bang everyone.”
Please continue reading before you get mad at me (okay, you can get mad at me right away, for my poor choice of words). But a quick disclaimer: I am NOT advocating any form of violence.
My own story
I feel like my own background matters a little bit to explain this way of thinking.
Since I first googled “How to hack WiFi.”, I was instantly hooked with the amazing world of cybersecurity. I watched every hacker movie, all the cool YouTube videos, documentaries about Anonymous and I installed Kali Linux on e-v-e-r-y-t-h-i-n-g.
Source: https://www.reddit.com/r/linuxmemes/comments/134gwu0/true/
Later on I also learned more about different kinds of attacks and how to defend against them. When I had my first IT internship, my boss kind of said something like the hammer and nail quote (she also stated that there are probably not many people paying someone to hack stuff in a legal way, oh boi). Nevertheless, it was a valuable lesson and I started learning more about other aspects of security, and IT. But deep in my heart I always remained a hacker. I eventually ended up getting a student job at a big IT company, where I worked in some security roles before ending up as a full time penetration tester. In this company I truly had to learn what it meant to not only employ a hammer for every task. Security requires the collaboration of so many teams, skills and people. And I can not stress the collaboration aspect enough. So it is without doubt important, valuable and extremely eye opening to learn how others are approaching cybersecurity. Incident Response, Cyber Threat Intelligence, Compliance, Audits, Executives, Security Researchers and so many others all do different things, but have one common goal: Securing your organization. Talking to them, learning from them and helping each other is crucial to ensure your organization does not approach every security problem like a nail. In todays world it is the only way to succeed.
Why I still think you should do a lot of banging
Sorry, I kind of committed to this word play, but be sure, I am cringing too.
As I said, in the end deep down I am a hacker and I want to break stuff. And I suspect it is the same for others. They were hired for that one job, so that they can bring their unique expertise to solve problems. So what do I mean, when I say “banging”?
Essentially you are a kind of a hammer, because you there are certain things you are good at. Sure, maybe you are a hammer with a little, extendable screw driver (I am so sorry), and that is great. And that is the point of this rant:
You have expert knowledge in a very specific area and you have a very specific set of skills. I think you should apply those skills to as many problems as possible.
From my experience that helps a lot. For example: We have a Physical Security organization that employs many former military and law enforcement professionals and they have a very deep understanding of physical security but - as all of us - they are wired a certain way. Their focus is to make things safer by preventing, detecting, and investigating incidents. Of course they know about all the other ways to approach security, but they are thinking differently about some things. So for both of us it is great to try to apply our tools and knowledge to each others problems. I can talk to them about how I would break their security measures and they can share how they would prevent me from getting in. Both of us will grow from this exchange. And eventually it helps us to stop treating every problem like a nail. Only because I thought like a hammer about their problems and they thought like a big roll of duct tape about mine.
What to do after banging?
Don’t forget to verify and prioritize your ideas. This is probably the least fun part, but your organization probably works with limited resources like time and money (if not, let me know, I would love to send my CV). So it might be a great idea when the Red Team and Cyber Threat Intelligence (CTI) teams talk about how cool threat intelligence based Red Teaming would be. But consider your organizations security posture. Imagine the Blue Team is just working on implementing defenses against the most common TTPs and users just had their very first phishing training. Of course you can let two CTI analysts spend 2 weeks to find the most relevant APTs and afterwards the Red Team owns the entire network with a highly targeted spear phishing campaign followed by amazing evasion and lateral movement techniques. Your Blue Team has not really learned new stuff, because they already knew these gaps existed and therefore no defenses really improved. So it would have been better to run a Purple Team to see how the newly implemented defenses are holding up. The CTI analysts could have worked on prioritizing the TTPs the Blue Team should work on mitigating in the next cycle. So yeah, great ideas always need at least a decent timing to be real great ideas.
Conclusion
What I am NOT saying:
- Everyone should only do their stuff and not care about others.
- You should force your ideas and perspectives on others.
- You know the only right way to do stuff.
What I am saying:
- You should share your expertise with others.
- You should try to apply your knowledge to a wide range of problems.
- You should learn from others and help others grow.
What if I am wrong?
Well I had fun writing this article, if you think it was really bad and stupid, I have only one thing to say: “Sucks to be you.”. In all seriousness tho, this is only my perspective, informed by my own biases and experience. So by all means, if you think I got stuff wrong, let me know. I would love to hear other peoples take on this.
You can tell me how wrong I am on Twitter (sorry X) @Secbyaccident (or follow me, if you like my stuff) and you can read other shitty stuff to complain about over here: https://security-by-accident.com/ .