Full Report
Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions.
Analysis Summary
# Main Topic
The piece is a reflection ("Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions") prompted by a security keynote on persistent "Hard Problems" in cybersecurity, which suggests alternative approaches such as "social engineering, defender style."
## Key Points
- Security remains challenging, echoing the InfoSec Research Council’s "Hard Problems" list from 2005 (e.g., identity management, insider threat, scalability).
- The complexity of modern security is amplified by supply chains, credential resale, and shared infrastructure.
- A suggested approach to challenging assumptions is employing "social engineering, defender style," leveraging people as assets rather than treating them solely as liabilities.
- The context implies a shift in perspective is needed when established methods (like traditional awareness training) fail or backfire.
## Threat Actors
- Not explicitly named or discussed. The focus is on defenders changing their approach rather than on specific adversary tactics.
## TTPs
- The text *mentions* traditional failings, such as phishing campaigns being relatively simple ("not exactly carrying out rocket surgery").
- It discusses the failure of traditional defensive TTPs, noting an example where users who attended awareness training were *more* likely to click malicious links because they were testing defenses (e.g., responding to password strength tests).
## Affected Systems
- Not applicable; the context focuses on organizational assumptions and training effectiveness rather than specific technology vulnerabilities.
## Mitigations
- **Challenging Assumptions:** If current approaches are failing, defenders should try coming at problems in a different way.
- **Defender Social Engineering:** Utilizing users as assets by treating them well (implied mitigation against failing standard training).
- **Review Keynote Insights:** Consulting Wendy Nather's keynote for guidance on knowledge sharing, hiring, and addressing complexity.
## Conclusion
The primary takeaway is that defenders need to re-evaluate why security is difficult by challenging entrenched assumptions, potentially using non-traditional methods like 'defender social engineering' to better engage internal assets, especially when legacy training methods prove counterproductive.