<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="https://blog.kaiju-security.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://blog.kaiju-security.com/" rel="alternate" type="text/html" hreflang="en" /><updated>2026-02-06T13:26:52-08:00</updated><id>https://blog.kaiju-security.com/feed.xml</id><title type="html">Kaiju Security Blog</title><subtitle>Kaiju Security’s engineering and research blog: offensive security research, tooling, and technical writeups.</subtitle><entry><title type="html">The Job That Changed Everything — and Led Us to Build Kaiju Security</title><link href="https://blog.kaiju-security.com/posts/the-job-that-changed-everything/" rel="alternate" type="text/html" title="The Job That Changed Everything — and Led Us to Build Kaiju Security" /><published>2026-02-02T09:00:00-08:00</published><updated>2026-02-02T09:00:00-08:00</updated><id>https://blog.kaiju-security.com/posts/the-job-that-changed-everything</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/the-job-that-changed-everything/"><![CDATA[<p>Dallas County has agreed to pay us in a settlement and resolve the lawsuit we filed after we were wrongfully arrested during an authorized security assessment at the Dallas County Courthouse in Iowa in 2019. The settlement closes a chapter that reshaped our lives and our work.</p>

<p>We were contracted for a job to conduct a red team assessment of digital and physical assets of five government buildings, including courthouses. Our former employer signed agreements that outlined the scope and contract with the Iowa Judicial Branch. We were hired to test defenses from an adversarial perspective, to expose real vulnerabilities before criminals could exploit them. The engagement specifically authorized after-hours physical testing at the facilities.</p>

<p>During our week onsite for the engagement, we made entry into every facility without issue. At the Judicial Branch, a State Trooper found us working on a door with an under-the-door tool. We offered IDs and contracts, but he just requested a business card, laughed and said good luck as he badged through the door and closed it behind him. We eventually made our way in, left our business card on our point of contact’s desk, and received a congratulations email the next morning.</p>

<p>At the Dallas County Courthouse our testing tripped the alarm; responding officers reviewed our credentials, confirmed our contract, and told us we were free to go. When the sheriff arrived, politics and a territorial disagreement changed everything. He ordered our arrest, evidently upset the State was performing work to better secure facilities without notifying him. In the morning when we were arraigned, it was clear he had withheld information from the magistrate (like the fact that we were hired by the state, which he had verified on previous calls). The county prosecutor, who was working closely with the Sheriff, told the Magistrate we were a flight risk and successfully encouraged raising our bonds from $5,000 to $50,000 each. They dragged things out until the last minute before our trial, and only dropped charges after the Sheriff had words with our CEO (we’re not sure what that had to do with dropping the criminal charges against us personally, but then again, nothing about the arrest made sense).</p>

<h2 id="that-night-changed-our-careers-and-our-reputations">That night changed our careers and our reputations.</h2>

<p>Headlines labeled us criminals for doing the work the state hired us to do. The Sheriff and the State changed their stories multiple times, putting out plenty of statements to try to justify our arrest, despite us being completely in-scope and doing exactly what we were asked to do. Like we’d done on hundreds of engagements previously. Trust matters in security. Once damaged, it rarely returns on its own.</p>

<p>We didn’t pursue this case for money. We pursued it to restore the truth. The resolution allows us to move forward, but the lesson remains. Public safety suffers when politics replaces process.</p>

<h2 id="kaiju-security-was-built-to-do-this-work-the-right-way"><a href="https://kaiju-security.com">Kaiju Security</a> was built to do this work the right way.</h2>

<p>We focus on adversarial simulation and real-world testing because criminals already think that way. Defenders and your organization must learn to do the same. Kaiju’s <a href="https://kaiju-security.com/#services">Red Team and Penetration Testing</a> stresses realistic scenarios, clear authorization, and actionable results. Our <a href="https://kaiju-security.com/#services">Physical Security Assessments</a> test access controls and procedures that technology alone cannot fix. <a href="https://kaiju-security.com/#services">Social Engineering</a> services expose human risk with care and accountability. <a href="https://kaiju-security.com/#services">Ransomware Readiness</a> work prepares organizations for threats that move fast and punish hesitation.</p>

<p>At Kaiju Security we believe in partnership. Effective testing requires coordination with stakeholders and law enforcement, documented scope, and professional conduct on every side. When those elements align, organizations fix problems before harm occurs.</p>

<p>We appreciate the support from clients, peers, and advocates who understood what was at stake. We remain committed to helping organizations uncover risk, close gaps, and protect people. Security improves when testing reflects reality and when institutions welcome the findings.</p>

<p>We’re ready to help. <a href="mailto:info@kaiju-security.com">Contact us</a> if you want to understand how adversarial testing strengthens defenses, explore our <a href="https://kaiju-security.com/#services">Red Team Services</a>, review our <a href="https://kaiju-security.com/#services">Physical Security</a> work, or learn how <a href="https://kaiju-security.com">Kaiju</a> prepares teams for modern threats. We will keep doing the work that makes systems safer, with clarity, discipline, and respect for the truth.</p>

<p>See our complete statement along with our attorney Martin Diaz’s <a href="/posts/iowa-courthouse-settlement-pr">here</a></p>]]></content><author><name>Kaiju Security</name></author><category term="Kaiju" /><category term="Security" /><category term="origin-story" /><category term="red-team" /><category term="adversary-simulation" /><category term="leadership" /><summary type="html"><![CDATA[Dallas County has agreed to pay us in a settlement and resolve the lawsuit we filed after we were wrongfully arrested during an authorized security assessment at the Dallas County Courthouse in Iowa in 2019. The settlement closes a chapter that reshaped our lives and our work.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/the-job-that-changed-everything/cover.jpeg" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/the-job-that-changed-everything/cover.jpeg" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Iowa Courthouse Settlement - Public Release</title><link href="https://blog.kaiju-security.com/posts/iowa-courthouse-settlement-pr/" rel="alternate" type="text/html" title="Iowa Courthouse Settlement - Public Release" /><published>2026-02-01T09:00:00-08:00</published><updated>2026-02-01T09:00:00-08:00</updated><id>https://blog.kaiju-security.com/posts/iowa-courthouse-settlement-pr</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/iowa-courthouse-settlement-pr/"><![CDATA[<h1 id="public-release---gary-demercurio-ceo--justin-wynn-president">Public Release - Gary DeMercurio (CEO) &amp; Justin Wynn (President)</h1>

<p>After years of litigation, Dallas County has agreed to a settlement that resolves the case surrounding our wrongful arrest during an authorized security assessment at the Dallas County Courthouse.</p>

<p>The settlement confirms what has been true from day one: our work was authorized, professional, and performed in the public interest. What happened to us never should have happened and shouldn’t happen to anyone again – especially professionals working to make government institutions safer.</p>

<p>Penetration testing exists to identify real-world vulnerabilities before bad actors exploit them. The most effective way to test defenses is from an adversarial perspective — which is exactly what red team operations are designed to do. And yet, despite clear authorization and the verification of our identities and purpose at the scene, we were arrested, jailed, and publicly portrayed as criminals.</p>

<p>That arrest changed our lives. It created lasting reputational harm and professional damage in an industry where trust and discretion are essential. This was never about money — it was about restoring the truth and clearing our names.</p>

<h2 id="what-really-happened">What really happened?</h2>

<p>In 2019, we were retained by the Judicial Branch (Iowacourts.gov) to conduct a red team assessment across both virtual and physical assets.</p>

<p>Physical testing was authorized at five locations, including a specific request to focus on after-hours covert entry testing under defined safeguards and restrictions.</p>

<p>We performed the engagement successfully, gaining access to every facility - often by trivial means - and delivered a comprehensive report detailing critical vulnerabilities and practical remediation steps.</p>

<p>At multiple facilities, our authorization was verified without incident. During testing at the Judicial Branch Building, for example, a state trooper encountered us, verified our authorization, and the assessment continued. Our point of contact emailed us in the morning saying congratulations, after he found our business card on his desk.</p>

<p>At the Dallas County Courthouse, we encountered an unlocked door late at night. After we closed it and bypassed it to document two vulnerabilities, the alarm finally triggered. We remained on-site and continued testing while waiting for responders.</p>

<p>Six deputies and officers arrived, unable to gain access, and we safely made contact and met them outside. They quickly verified us, confirmed our contract with our points of contact, and told us we were free to go. We stayed voluntarily, welcoming the opportunity to share remediation guidance and collaborate with law enforcement.</p>

<p>When the Sheriff arrived, some body cameras were turned off and the situation escalated abruptly. The Sheriff belittled us and said we were going to be arrested - he just didn’t know what for yet. He shouted expletives, saying the State “can’t do this”.</p>

<p>We were taken to jail in cuffs (despite the recommendation of one of the deputies that it was not necessary), and when we were arraigned in the morning it was clear the Sheriff had withheld material information from the magistrate, including that we were hired by the State. We were then charged with felony offenses carrying up to seven years of prison time, and our bond was raised to ten times the normal amount.</p>

<p>Then, the State deleted their contract from our company portal and tried to save face by disavowing us. Politicians inexperienced in security took the opportunity to grandstand and escalated the situation. The State investigated and, in attempts to soothe political pressure, imposed crippling restrictions that prohibit this type of testing - the only testing capable of identifying such egregious vulnerabilities.</p>

<p>In the meantime, the Sheriff’s story continuously changed to try to justify our arrest. While he never bothered to look at our paperwork before the arrest, he later made statements around arresting us for not being within the rules of engagement, or the State not having authorization to provide security services for courthouses (both of which are false, and neither of which should have been “resolved” by the criminal process we were subjected to).</p>

<p>We were advised to keep quiet while the Sheriff and the media spun stories defaming us. A month after felony charges continued to be pressed, our CEO made public statements vindicating us - which were met with a threat from another Sheriff that he would also press charges against us if our CEO kept making statements.</p>

<p>Ultimately, charges were reduced to trespassing, which we continued to fight, and were finally dropped within days of our trial.</p>

<h2 id="why-this-should-concern-every-iowan">Why this should concern every Iowan</h2>

<p>This incident did not improve public safety. It undermined it.</p>

<p>It demonstrated how fragile security becomes when professional process is replaced by ego, politics, and gut reaction — and it sent a chilling message to security professionals nationwide: that helping government identify vulnerabilities can result in arrest, prosecution, and reputational destruction.</p>

<p>Taxpayers deserve accountability, because this case cost the public far more than money. It damaged trust — and discouraged the exact kind of proactive testing that prevents real harm.</p>

<h2 id="an-unprecedented-arrest">An unprecedented arrest</h2>

<p>We recognize that law enforcement officers operate in difficult conditions and often make decisions quickly. But this case was not about a split-second decision made in the fog of uncertainty. Officers on-scene had already addressed the situation in a rational and professional manner - and told us we were free to go. What happened next was a deliberate escalation—one that we firmly believe was motivated by personal pride and politics rather than public safety.</p>

<p>In short, this wasn’t leadership. It was misuse of power.</p>

<p>This settlement brings resolution, but it does not restore the years we lost or the damage that was done.</p>

<h2 id="iowas-opportunity-lead-dont-react">Iowa’s opportunity: lead, don’t react</h2>

<p>In the wake of this incident, Iowa enacted restrictions that dramatically limit proactive security testing — the very type of testing that revealed serious vulnerabilities across every facility.</p>

<p>We understand the pressure to respond to public controversy. But laws written from fear and misunderstanding do not create safety — they create blind spots.</p>

<p>We are formally offering our time and expertise to help Iowa modernize its framework for authorized security testing, so that:</p>

<ul>
  <li>Security professionals can operate under clear, enforceable authorization</li>
  <li>Courthouses and government agencies can test vulnerabilities responsibly</li>
  <li>Taxpayers can have confidence that their institutions are genuinely secure</li>
</ul>

<p>Our hope is that the settlement marks not only the end of litigation, but the beginning of overdue reforms.</p>

<h2 id="looking-forward">Looking forward</h2>

<p>Despite everything, we remain committed to this work. In the years since the wrongful arrest, we built Kaiju Security – a security company with elite talent focused on adversarial simulation and real-world testing, because these vulnerabilities still exist and someone must find them before criminals do.</p>

<p>We appreciate the countless individuals who supported us, stood up for the truth, and understood what was at stake—not just for two individuals, but for the integrity of security testing and public safety across the country. The outpouring of support from the hacker community was reminiscent of great historical moments when the community rallied around those wrongly persecuted for performing security research to keep us all safer. We were truly awed to see everyone rally around us and defend us and this work. We hope this resolution becomes a turning point — not just for us, but for the future of proactive public safety security testing in Iowa and beyond.</p>

<p><em>— Gary DeMercurio &amp; Justin Wynn</em></p>

<h1 id="public-release---martin-a-diaz">Public Release - Martin A. Diaz</h1>

<h2 id="for-immediate-release">FOR IMMEDIATE RELEASE</h2>

<h2 id="settlement-in-demercurio-and-wynn-v-dallas-county-and-chad-leonard">SETTLEMENT IN DEMERCURIO AND WYNN V. DALLAS COUNTY AND CHAD LEONARD</h2>

<p>On January 21, 2026, Gary DeMercurio and Justin Wynn entered into a settlement agreement with the Defendants in their lawsuit. The terms of the settlement are simple. In return for a Release and Dismissal of their lawsuit, the Defendants will pay Gary and Justin $600,000. Since this settlement involves a governmental entity, there is no confidentiality. In addition, there are no restrictions on Gary and Justin commenting on the events, the lawsuit, or the terms of settlement.</p>

<p>For Gary and Justin, this 6-year-plus odyssey began immediately after they were told by six (6) law enforcement officials that they were free to go, those six law enforcement officials having confirmed that they were simply doing a job tasked by the Iowa Judicial Branch, a task that was to be kept from law enforcement in order to assure the validity and value of the security assessment. The investigation by the six law enforcement officials from two agencies was professional, practical, and surprisingly jovial. Gary and Justin shared their experiences, tips, and talent with these officers, and the video cameras caught all of it. By every account, Gary and Justin were professional, cooperative, and willing to share their vast knowledge of security. The fact that law enforcement had difficulty using their key cards to enter the closed Dallas County Courthouse was an ironic twist to this encounter. But this calm, cooperative environment changed the minute that Sheriff Leonard showed up. No one had asked him to come.</p>

<p>Gary and Justin are two of the finest security and cybersecurity experts in the country. When Sheriff Leonard arrived and the atmosphere changed, Gary and Justin remained calm, cooperative, and professional. Sheriff Leonard spent less than a minute with Gary and Justin before deciding that they were going to jail. And the rest is history.</p>

<p>This lawsuit was important to Gary and Justin for several reasons. First, and foremost, their reputations, well earned over many years, had been trashed in the media, their mugshots plastered for all to see, and they were silenced by the arrest and pending criminal charges. This was one opportunity to tell their world, the security industry, that they had acted professionally and were bound and determined to take back their reputations. Secondly, their industry needed them to fight back, to remind people that “security” in this world does not belong only to those that want to find ways to breach it. Rather, it belongs to those prepared to protect our lives, livelihoods, and truths.</p>

<p>Finally, Gary and Justin wanted to hold people accountable for what had happened to them. In a world that seems to shrug at the undermining of our principles, institutions, and values, we need people like Gary and Justin. They are the best of us, and efforts to undermine what they do make us all less secure.</p>

<p>One other thing needs to be mentioned. When all hell broke loose for Gary and Justin, the Iowa Judicial Branch lawyered up and did its best to distance itself from them, adding to the wrongful perception that they were guilty. It was not the institution’s best moment. Ironically enough, accountability for the Judicial Branch cannot be found in the Courtrooms it furnishes—the product of immunity granted by the Legislature. But that does not mean that it is not responsible. This was ultimately a “turf war” between the County Sheriff and the State’s Judicial Branch, and Gary and Justin were the toys of that feud. As one of my friends tells me about my golf game, “play better.”</p>

<p>I am thankful for the work done by Judge Amy Moore and appreciate the cooperation of Counsel for the Defendants. I wish all of them well.</p>

<p>I was honored to represent Gary and Justin and hope and trust that the people who once revered them now realize that there was never a valid reason to believe the allegations and charges that brought them on this 6-year odyssey. I wish them well and hope they regain their standing in their industry; we need them to be successful.</p>

<p><em>–Martin A. Diaz</em></p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="red-team" /><category term="adversary-simulation" /><category term="physical-security" /><summary type="html"><![CDATA[Public Release - Gary DeMercurio (CEO) &amp; Justin Wynn (President)]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/iowa-courthouse-settlement-pr/cover.jpg" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/iowa-courthouse-settlement-pr/cover.jpg" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">What If Humanity Got It Right?</title><link href="https://blog.kaiju-security.com/posts/what-humanity-got-right/" rel="alternate" type="text/html" title="What If Humanity Got It Right?" /><published>2025-01-25T09:00:00-08:00</published><updated>2025-01-25T09:00:00-08:00</updated><id>https://blog.kaiju-security.com/posts/what-humanity-got-right</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/what-humanity-got-right/"><![CDATA[<p>I have a confession: I am an amazing liar. At some point, I figured out that if you simply base your lie on a truth, to 99% of the population, it becomes indistinguishable from the actual truth. I’m so good at it, I’ve built an entire career around it. I’ve walked into hundreds of scenarios where I simply lied to people—to trick them, to get them to do something they normally wouldn’t, all in the name of security.</p>

<p>After 15 years, I’ve learned something profound: it’s not hard. People have an innate desire to help others, to trust, or to offer advice. People like me exploit that—we twist, manipulate, and deceive—all in the hope that someone with more sinister motives won’t do it to them in the future.</p>

<p>Over the years, I’ve had people call me after a social engineering engagement and thank me. They’ve shared stories about catching someone in a lie, calling someone’s bluff, and, in one extraordinary case, even preventing an active shooter—all because they learned a lesson no one ever wants to have to learn. Frankly, I don’t blame them. It’s not pleasant to realize someone lied to you, and you fell for it—hook, line, and sinker—only to face that person later with no recourse other than “remediation training.”</p>

<p>I also happen to teach classes on information and cognitive warfare—fields that focus on how organizations and nation-states manipulate and lie to you, how they twist reality, and even how they convince you that the idea you’re fighting for was your idea all along. The internet was supposed to be a utopia, a network to connect ideas and progress humanity. But we all know that didn’t happen.</p>

<p>Normally, someone writing an article like this would dive into the “how” and the “why.” They’d explain how nation-states like China flood social media with polarizing opinions or how algorithms keep you in an echo chamber, surrounded by people and bots (mostly bots) who reinforce your beliefs to make you more malleable. They’d highlight how the “news” or “facts” your friends share are often propaganda (yes, from bots), based loosely on truth but warped beyond recognition because it works.</p>

<p>But that’s not what I want to do here. People are so polarized, so rusted into their institutional beliefs, that even if I laid out the truth, many would dismiss it as fake news. Not because it is, but simply because they don’t want to agree or admit they have been duped for so, so long. So instead, I want to talk about Superman, Star Trek, and the future… random rabbit hole, I know.</p>

<p>Superman is an alien who believes in humanity more than humanity believes in itself. He’s a symbol of hope that resides in the choices we face every day. His stories remind us that the right path isn’t always easy, but it’s always there. “You have to decide the kind of man you want to grow up to be, Clark,” his father once said. And yet, despite all that power, he doesn’t dominate or control; he chooses kindness and compassion, standing firm in his belief that there’s always another way—even when it feels impossible.</p>

<p>Superman’s greatest power isn’t his strength or speed; it’s his capacity for hope. When a young girl stands on the edge of despair, ready to give up, he doesn’t take the easier path and fly in and save her with superpowers. He takes the time to save her with words: “You’re stronger than you think. You matter.” That “S” on his chest? It doesn’t stand for his name; it stands for hope—hope that we can rise above our worst instincts, that tomorrow can be better, that even in the darkest times, there is light.</p>

<p>Now think about the future. Most stories about what lies ahead are bleak: dystopias of mutually assured destruction, zombie apocalypses, or worlds where corporations or an evil AI rule. But one story stands apart: Star Trek. Gene Roddenberry imagined a future where humanity got it right—where poverty, hunger, and inequality were gone, and humanity explored the stars, thriving as a united species.</p>

<p>So, what if we got it right? What if humanity worked together for the betterment of our species? What would the future look like if we chose hope, like Superman, and believed in our potential to be better?</p>

<p>I’ve run simulations with multiple AI models, and all of them—every single one—paint a breathtaking picture of what’s possible. Here’s what the future could look like if we embraced collaboration and worked together:</p>

<h2 id="2-years-a-world-in-motion">2 Years: A World in Motion</h2>

<p><img src="/assets/img/posts/what-humanity-got-right/1.jpeg" alt="1" /></p>

<p>Two years into this collaboration, the signs of change would ripple through everyday life. AI would quietly integrate into society, optimizing traffic, energy consumption, and even household chores. Renewable energy would become ubiquitous, with solar farms and wind turbines powering cities, and early fusion reactors on the horizon, promising limitless clean energy.</p>

<p>Healthcare would undergo a quiet revolution as AI-assisted diagnostics slash wait times and vaccines are deployed almost instantly during outbreaks. Nations, once rivals, would begin pooling resources to combat climate change and poverty. The world would feel smaller, more connected, as billions gain access to affordable internet, education, and opportunity.</p>

<h2 id="5-years-the-first-leap-forward">5 Years: The First Leap Forward</h2>

<p><img src="/assets/img/posts/what-humanity-got-right/2.jpeg" alt="2" /></p>

<p>By year five, the transformation would be unmistakable. Cities would hum with clean energy from advanced solar grids and fusion power plants. Smart systems would eliminate waste, and air quality in major metropolitan areas would noticeably improve. AI-driven technologies would dominate industries, from self-driving vehicles making commutes seamless to precision medicine extending lives and managing chronic diseases like diabetes.</p>

<p>Global health initiatives would eradicate diseases like malaria and polio, while universal internet access bridges education gaps, enabling even the remotest communities to thrive. Nations would act more like partners, working together to restore ecosystems, reduce poverty, and create a shared sense of purpose.</p>

<h2 id="10-years-a-transformed-daily-life">10 Years: A Transformed Daily Life</h2>

<p><img src="/assets/img/posts/what-humanity-got-right/3.jpeg" alt="3" /></p>

<p>A decade into collaboration, humanity would feel reborn. Fusion energy would power everything, ending energy scarcity. AI would manage cities, making them cleaner, quieter, and more sustainable. Healthcare would be unrecognizable, with diseases that once ravaged populations now existing only in history books. Lifespans would extend as aging is treated like a manageable condition, and education would be tailored to every child’s unique strengths, leveling the playing field for all.</p>

<p>Lunar and Martian research bases would symbolize humanity’s collective ambition, proving that when we share resources and knowledge, anything is possible.</p>

<h2 id="20-years-a-unified-world">20 Years: A Unified World</h2>

<p><img src="/assets/img/posts/what-humanity-got-right/4.jpeg" alt="4" /></p>

<p>In 20 years, humanity would thrive. Clean energy would be limitless, homes and cities operating with zero environmental impact. AI would act as partners, enhancing creativity and solving global challenges. Healthcare would be almost magical, curing diseases and significantly extending healthy lifespans.</p>

<p>Borders between nations would exist only symbolically, as humanity sees itself as one species united by shared goals. Regular missions to Mars and beyond would inspire the world, planting the seeds for humanity’s next chapter among the stars.</p>

<p>For the average person, life wouldn’t just be about surviving—it would be about thriving. The world would feel like a place of infinite possibility, a testament to what humanity can achieve when it chooses hope over fear and collaboration over division.</p>

<p>Maybe this year, we can dare to hope, instead of letting others tell us what to think.</p>

<p>“You’re stronger than you think. You matter.”</p>

<p>“You have to decide the kind of person you want to grow up to be”</p>

<p><img src="/assets/img/posts/what-humanity-got-right/5.png" alt="5" /></p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="humanity" /><category term="security-culture" /><category term="philosophy" /><category term="technology" /><summary type="html"><![CDATA[I have a confession: I am an amazing liar. At some point, I figured out that if you simply base your lie on a truth, to 99% of the population, it becomes indistinguishable from the actual truth. I’m so good at it, I’ve built an entire career around it. I’ve walked into hundreds of scenarios where I simply lied to people—to trick them, to get them to do something they normally wouldn’t, all in the name of security.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/what-humanity-got-right/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/what-humanity-got-right/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Gaming’s Dirty Little Secrets: How Companies and Scammers Play Your Kids (and sometimes you) Like a Fiddle</title><link href="https://blog.kaiju-security.com/posts/gamings-dirty-little-secrets-how-companies-scammers-play/" rel="alternate" type="text/html" title="Gaming’s Dirty Little Secrets: How Companies and Scammers Play Your Kids (and sometimes you) Like a Fiddle" /><published>2024-08-13T10:00:00-07:00</published><updated>2024-08-13T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/gamings-dirty-little-secrets-how-companies-scammers-play</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/gamings-dirty-little-secrets-how-companies-scammers-play/"><![CDATA[<p>My nephew recently got scammed. Even though I warned him REPEATEDLY: DO NOT TRADE YOUR ITEM until your dad verifies the money… He got pressured into it anyway and lost a $1,000 knife he lucked out getting in Counter-Strike. Ah, video games.
What used to be a sanctuary for escapism and creativity has turned into getting completely fleeced by both the corporations that make them and the random sleazebags you meet online. Let’s pull back the curtain on how the gaming industry and its underbelly of scammers work together to squeeze every last penny out of you. Spoiler alert: your kids are the mark.</p>

<h2 id="the-house-always-wins-gaming-companies-channel-their-inner-casino">The House Always Wins: Gaming Companies Channel Their Inner Casino</h2>

<p>Let’s start with the big boys—gaming companies. The king of them, NC Soft’s Lineage 2, comes to mind: in-game items cost upwards of $10,000, and the company’s expectation is that every player spend $2,000 - $3,000 a month to keep up. You’d think they’d be content with just selling you a game and calling it a day. But no, they’ve got bigger fish to fry—namely, your wallet. And they do it using tactics straight out of the casino playbook.</p>

<p>Enter the loot box, the gaming industry’s version of a rigged slot machine. Sure, it’s all wrapped up in a pretty package—open this shiny box and maybe, just maybe, you’ll get something cool. Or, more likely, you’ll get trash, but hey, why not try again? Maybe next time you’ll hit the jackpot.</p>

<p>Here’s the kicker: unlike gambling in a casino, where there are regulations, oversight, and at least a pretense of fairness, loot boxes are the Wild West. No rules, no laws—just pure profit for the companies. And guess what? They know exactly what they’re doing. They’re targeting your brain’s reward system, making you think that next box will be the one. They’ve taken all the fun of a slot machine, mixed in a bit of FOMO, and cranked the manipulation up to eleven.</p>

<p>But don’t worry—it’s not just you. These companies are experts at getting everyone, especially younger players, hooked on the thrill. The difference? In a casino, you might walk away with some cash. In gaming, you’re just hemorrhaging money for digital junk that’s worthless outside the game.</p>

<h2 id="pay-to-win-because-fair-play-is-overrated">Pay-to-Win: Because Fair Play Is Overrated</h2>

<p>Then there’s the pay-to-win mechanic, another stroke of corporate genius. Why bother getting good at a game when you can just buy your way to the top? It’s like a credit card for virtual dominance. Don’t have the time or skill to compete? No problem—just swipe your card, and suddenly you’re untouchable.</p>

<p>Of course, this throws any semblance of balance out the window. But who cares, right? As long as the whales keep spending, the game companies are laughing all the way to the bank. And if you’re one of those poor souls who plays for free, well, you’re just cannon fodder for the paying customers. It’s a system designed to frustrate you into submission until you finally cave and start paying, too. Welcome to the money grind, where we replace effort with credit cards.</p>

<h2 id="the-art-of-the-con-scammers-in-the-gaming-world">The Art of the Con: Scammers in the Gaming World</h2>

<p>While the companies are busy milking you for all you’re worth, the scammers are waiting in the wings, ready to pounce on anyone who isn’t paying attention. And trust me, they’ve got their tactics down to a science.</p>

<p>One of the classics? Using a Fake PayPal invoice as a receipt of payment. Here’s how it goes down: some smooth-talking scammer approaches you, saying they want to buy that rare in-game item you’ve got. They agree on a price, send you a fancy-looking PayPal “Proof of payment”, and you hand over the item, thinking you just made some easy cash.</p>

<p>Except you didn’t. That “payment” is actually an invoice. The invoice itself is real, but an invoice is a request for payment, meaning they expect you to pay them. That’s when they flip the script: they start accusing you of scamming them and demanding you give up the item or they’ll report you to the police, and so on—just the right amount of pressure to get you to act before thinking. By the time you realize it, your precious item is gone, and the scammer is already off selling it to someone else. This works very well on kids; they simply don’t know better.</p>

<p>And let’s not forget, the number one targets ARE kids, who might not even understand how online payments work. So, not only are these scumbags thieves, but they’re also predators, preying on the young and naive.</p>

<h2 id="virtual-goods-real-money-the-black-market-you-didnt-know-existed">Virtual Goods, Real Money: The Black Market You Didn’t Know Existed</h2>

<p>Why do these scams work so well? Because some in-game items are worth serious cash—like, “I could buy a used car with this” serious. 2-3 years ago, in the aforementioned Lineage 2, someone paid upwards of $45,000 for a digital sword. No, that’s not a typo: FORTY FIVE THOUSAND DOLLARS. There’s a whole black market out there where people trade virtual goods for real money, and it’s as shady as it sounds.</p>

<p>Scammers know this, and they’re more than happy to exploit it. They’ll buddy up to you, gain your trust, and then pull the rug out from under you the moment you let your guard down. And once your item’s gone, good luck getting it back. The scammer’s already flipped it to some other sucker for a quick profit, and companies like NC Soft actually promote scamming in their games, saying it’s “part of the game”—seller beware. Want that $45,000 sword you got scammed out of back? LOL, good luck.</p>

<h2 id="protect-yourselfor-keep-getting-played">Protect Yourself—or Keep Getting Played</h2>

<p>So, how do you avoid getting taken for a ride? For starters, be skeptical of anyone offering you a deal that’s too good to be true—because it probably is. Always verify payments directly through official channels, and if someone pressures you to act fast, that’s a huge red flag. Use secure trading systems whenever possible, and if you’ve got kids who play, make sure they know the score. Education is your best defense.</p>

<p>At the end of the day, the gaming industry is a big, shiny carnival of lights and sounds designed to separate you from your money (and no, not all companies are like this, many are simply trying to come up with a good revenue model, and happily keep producing content worth the price of admission). Whether it’s through the slick manipulations of game companies or the underhanded tricks of online scammers, the goal is the same: to get you to part with your cash, one way or another.</p>

<p>But now that you’re in the know, you’ve got a fighting chance. Stay sharp, keep your wits about you, and don’t let them play you for a fool. Remember, in the world of gaming, the game is always rigged—unless you know how to beat the house at its own game.</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="gaming" /><category term="scams" /><category term="psychology" /><category term="monetization" /><summary type="html"><![CDATA[My nephew recently got scammed. Even though I warned him REPEATEDLY: DO NOT TRADE YOUR ITEM until your dad verifies the money… He got pressured into it anyway and lost a $1,000 knife he lucked out getting in Counter-Strike. Ah, video games. What used to be a sanctuary for escapism and creativity has turned into getting completely fleeced by both the corporations that make them and the random sleazebags you meet online. Let’s pull back the curtain on how the gaming industry and its underbelly of scammers work together to squeeze every last penny out of you. Spoiler alert: your kids are the mark.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/gamings-dirty-little-secrets-how-companies-scammers-play/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/gamings-dirty-little-secrets-how-companies-scammers-play/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">CrowdStrike Root Cause Corrective Action is Severely Lacking</title><link href="https://blog.kaiju-security.com/posts/crowdstrike-root-cause-corrective-action-severely/" rel="alternate" type="text/html" title="CrowdStrike Root Cause Corrective Action is Severely Lacking" /><published>2024-08-07T10:00:00-07:00</published><updated>2024-08-07T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/crowdstrike-root-cause-corrective-action-severely</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/crowdstrike-root-cause-corrective-action-severely/"><![CDATA[<p>First, I want to clarify that I am not involved in performing QA on code.</p>

<p>However, I did run a division of the international Quality Assurance team at Sikorsky for the CH53K and the UH60 for almost six years. I have a Black Belt in Six Sigma and am an ACE Master Practitioner. For those unfamiliar with these terms, it means I received extensive training in improving quality, increasing efficiency, standardizing processes, and making data-driven decisions.</p>

<p>This experience also means I have significant expertise in performing root cause corrective actions—it was kind of “my thing.” After reading the recent CrowdStrike RCCA (Root Cause Corrective Action) Report, I noticed that while it might make someone feel better about the issue because they see that a report was done, it doesn’t go nearly deep enough to identify the root cause. Alternatively, they may have reached the root cause but chose not to share it in the analysis, which leads one to ask, then why share it?</p>

<p>One of the most useful techniques I learned to ensure helicopters carrying 20+ passengers didn’t fall out of the sky was the “5 Whys.” It’s a straightforward method where you just keep asking “why?” until you get to the root of the problem. Five iterations are usually sufficient, but sometimes you need to dig deeper. The point is, when you can’t answer “why” anymore, you usually have found the root cause. (And no, “I don’t know” isn’t a reason to stop.)</p>

<p>Here’s an example from CrowdStrike’s analysis:</p>

<h2 id="template-instance-stress-testing">Template Instance Stress Testing:</h2>

<ul>
  <li>Observation: Template Instances were not adequately stress-tested within the Content Interpreter.</li>
  <li>Why 1: Why were Template Instances not stress-tested properly? The stress testing process did not include a validation step for input field mismatches.</li>
  <li>Why 2: Why was this validation step missing? It was possibly overlooked during the test planning and design phases.</li>
</ul>

<p>And then they just stop…..</p>

<p>This pattern occurs multiple times in the report. Now that you understand the “5 Whys” technique, it’s pretty clear that they should have asked “why?” again. Why was this validation step missing? They didn’t answer; they simply said, “Well, it was POSSIBLY overlooked.”</p>

<p>Imagine if, when building an aircraft, I said, “Well, it’s possible that the fan was machined incorrectly,” and then we just let the rest of the fans (the big fan that sucks in air and makes the engine go) be machined incorrectly because no one asked, “WHY was the fan machined incorrectly?” Yes, this is an extreme example, but crashing 9 million computers is extreme as well.</p>

<p>This issue recurs throughout the report, where CrowdStrike stops asking “why.” Why was this overlooked during the test and design phase? The reason for repeatedly asking is that perhaps it wasn’t overlooked; perhaps there was a different cause, but you’ll never know unless you keep digging. This is fundamental QA root cause corrective action that applies to any QA, from jet engines to, yes, even code. This report should not inspire confidence; it seems like a rushed effort to placate stakeholders and to stem the bleeding rather than a thorough investigation.</p>

<p>Maybe the issue was fixed? However, they surely did not release a proper root cause corrective action report, and for a company that just experienced a significant incident, that was a crucial step they should have gotten right.</p>

<p>Now, I will say CrowdStrike did address several immediate causes of the incident and provided corrective actions to prevent those specific issues from recurring. However, they certainly did not fully apply the “5 Whys” technique (among others) to dig deeper into the underlying reasons behind these proximate causes (and that underlying reason WOULD be the ROOT CAUSE… hence the name).</p>

<p>What they should have dug deeper on:</p>

<ul>
  <li>Investigated why their development and testing processes did not catch the parameter mismatch earlier.</li>
  <li>Explored why critical runtime checks were omitted in the initial development phase.</li>
  <li>Examined the root causes of why test planning and design phases did not cover all necessary scenarios.</li>
  <li>Analyzed why the Content Validator was initially designed with insufficient checks.</li>
</ul>

<p>The crazy part is, after investigating the above issues, they may end up needing to go deeper still; they may have found a thread to pull on and discovered that the entire QA process isn’t built properly. By not diving into these deeper layers, they may have missed systemic issues in their processes that could cause other, similar problems in the future.</p>

<p>As a former Quality Assurance manager, my only question is, why?</p>

<p>Here is the link to the released RCCA Report from CrowdStrike:</p>

<p><a href="https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf">https://www.crowdstrike.com/wp-content/uploads/2024/08/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf</a></p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="crowdstrike" /><category term="root-cause" /><category term="corrective-action" /><category term="threat-response" /><summary type="html"><![CDATA[First, I want to clarify that I am not involved in performing QA on code.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/crowdstrike-root-cause-corrective-action-severely/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/crowdstrike-root-cause-corrective-action-severely/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Critical Exploitation Technique in nearly every EDR</title><link href="https://blog.kaiju-security.com/posts/critical-exploitation-technique-nearly-ever-edr/" rel="alternate" type="text/html" title="Critical Exploitation Technique in nearly every EDR" /><published>2024-08-05T10:00:00-07:00</published><updated>2024-08-05T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/critical-exploitation-technique-nearly-ever-edr</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/critical-exploitation-technique-nearly-ever-edr/"><![CDATA[<h2 id="unveiling-a-critical-exploitation-technique-introducing-polydrop">Unveiling a Critical Exploitation Technique: Introducing PolyDrop</h2>

<p>At Kaiju Security, we are committed to keeping you informed about the latest cybersecurity threats. Today, we’re excited to share insights into a new exploitation technique, developed in collaboration with our team, and a new tool called PolyDrop, which exposes significant gaps in current antivirus and endpoint detection systems.</p>

<h2 id="bring-your-own-script-interpreter-byosi-exploitation">Bring-Your-Own-Script-Interpreter (BYOSI) Exploitation</h2>

<p>By abusing trusted applications, attackers can deliver a compatible script interpreter along with malicious source code to Windows, Mac, or Linux systems. Once both the interpreter and the malicious code are on the target system, the source code can be executed via the trusted script interpreter, bypassing many security measures.</p>

<h2 id="introducing-polydrop-a-multi-language-exploitation-tool">Introducing PolyDrop: A Multi-Language Exploitation Tool</h2>

<p>PolyDrop is a powerful tool we’ve helped develop with the MalwareSupportGroup (https://x.com/mal_supp_grp), a collective of seasoned malware developers who have grown weary of the endless self-congratulatory hype surrounding the latest and greatest EDR solutions, which often seem more focused on burning through budgets than providing real security. PolyDrop leverages thirteen scripting languages to perform BYOSI attacks. These languages include:</p>

<ul>
  <li>TCL</li>
  <li>PHP</li>
  <li>Crystal</li>
  <li>Julia</li>
  <li>Golang</li>
  <li>Dart</li>
  <li>Dlang</li>
  <li>Vlang</li>
  <li>Node.js</li>
  <li>Bun</li>
  <li>Python</li>
  <li>Fsharp</li>
  <li>Deno</li>
</ul>

<ul>
  <li>AV and EDR Evasion: Our research shows (by research we mean we have bypassed nearly every EDR with this method during our Red Teams) that these languages are wholly ignored by many antivirus vendors, including #MicrosoftDefender. This oversight allows the execution and establishment of reverse shells without detection.</li>
  <li>Widespread Vulnerability: This exploitation technique is currently undetectable by most mainstream Endpoint Detection and Response (EDR) vendors.</li>
</ul>
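<p>As an added defensive example (not PolyDrop’s or Kaiju Security’s code), the heuristic below scans constructed process-creation records for the trait that defines a brought-along interpreter: one of the thirteen interpreters above running from somewhere no system install would put it. The binary names, trusted install prefixes and record shape are this example’s assumptions.</p>

```python
"""Heuristic detection of Bring-Your-Own-Script-Interpreter (BYOSI) runs.
Added example, not PolyDrop's or Kaiju Security's code. It evaluates
constructed process-creation records (hypothetical shape: image path,
command line, user) and flags one of the post's thirteen interpreters when
the binary itself runs from outside any system install location, the
defining trait of an interpreter the attacker brought along.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

# Binary names for the 13 languages in the post; the language-to-binary
# mapping is this example's assumption (TCL -> tclsh, Dlang -> rdmd, F# -> fsi).
INTERPRETER_NAMES = {
    "tclsh", "php", "crystal", "julia", "go", "dart", "dmd", "rdmd", "v",
    "node", "bun", "python", "python3", "pythonw", "fsi", "deno",
}
# Source-file extensions those interpreters execute.
SOURCE_EXTENSIONS = (".tcl", ".php", ".cr", ".jl", ".go", ".dart", ".d",
                     ".v", ".js", ".mjs", ".ts", ".py", ".fsx", ".fs")
# Where a system-wide interpreter install is expected (assumed list). Per-user
# installs are deliberately absent so they surface; add them if sanctioned.
TRUSTED_PREFIXES = ("c:/program files/", "c:/program files (x86)/",
                    "c:/windows/", "/usr/bin/", "/usr/local/bin/", "/opt/",
                    "/bin/", "/usr/lib/")
# Fragments that mark user-writable or staging directories.
USER_WRITABLE_MARKERS = ("/appdata/local/temp/", "/downloads/",
                         "/users/public/", "/tmp/", "/dev/shm/")

@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executable that started
    command_line: str  # its command line
    user: str          # account it ran as

def _norm(path: str) -> str:
    """Lower-case and forward-slash so one rule set covers Windows and POSIX."""
    return path.replace("\\", "/").lower()

def _dirname(path: str) -> str:
    return _norm(path).rsplit("/", 1)[0]

def interpreter_name(image: str) -> str:
    """Base name of the image without .exe/.com, e.g. 'bun'."""
    return re.sub(r"\.(exe|com)$", "", _norm(image).rsplit("/", 1)[-1])

def is_trusted_location(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_PREFIXES)

def is_user_writable(path: str) -> bool:
    return any(m in _norm(path) for m in USER_WRITABLE_MARKERS)

def script_argument(command_line: str) -> str | None:
    """First argument after the executable that looks like a source file."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for tok in tokens[1:]:
        if _norm(tok).endswith(SOURCE_EXTENSIONS):
            return tok
    return None

def evaluate(event: ProcessEvent) -> dict | None:
    """Alert dict for a likely BYOSI run, else None (system installs pass)."""
    name = interpreter_name(event.image)
    if name not in INTERPRETER_NAMES or is_trusted_location(event.image):
        return None
    reasons = ["interpreter outside system install locations"]
    if is_user_writable(event.image):
        reasons.append("interpreter in user-writable directory")
    script = script_argument(event.command_line)
    if script:
        if is_user_writable(script):
            reasons.append("script in user-writable directory")
        if _dirname(script) == _dirname(event.image):
            reasons.append("interpreter and script staged side by side")
    if len(reasons) < 2:
        return None  # a lone unusual path is a tuning case, not an alert
    return {"user": event.user, "interpreter": name, "script": script,
            "score": len(reasons), "reasons": reasons}

def scan(events: list[ProcessEvent]) -> list[dict]:
    """Run every event through evaluate() and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\nodejs\node.exe",
                 r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js',
                 r"CORP\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\ps\bun.exe",
                 r"bun.exe C:\Users\alice\AppData\Local\Temp\ps\run.js",
                 r"CORP\alice"),
    ProcessEvent("/tmp/.x/julia", "/tmp/.x/julia /tmp/.x/main.jl", "www-data"),
    ProcessEvent("/usr/bin/python3", "python3 /home/bob/tools/report.py", "bob"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['user']}: {a['interpreter']} -> {a['script']} "
              f"(score {a['score']}): {'; '.join(a['reasons'])}")
```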

<h2 id="vendor-vulnerabilities">Vendor Vulnerabilities:</h2>

<p>A total of 14 vendors cannot (or simply don’t) scan or process interpreted scripts, including:</p>

<p>#Alibaba, #AvastMobile, #BitDefenderFalx, #Cylance, #DeepInstinct, #Elastic, #McAfeeScanner, #PaloAltoNetworks, #SecureAge, #SentinelOne (Static ML), #SymantecMobileInsight, #Trapmine, #Trustlook, #Webroot</p>

<p>Additionally, 54 vendors are seemingly unable to accurately identify malicious interpreted scripts, including:</p>

<p>#Acronis (Static ML), #AhnLabV3, #ALYac, #AntiyAVL, #Arcabit, #Avira (no cloud), #Baidu, #BitDefender, #BitDefenderTheta, #ClamAV, #CMC, #CrowdStrikeFalcon, #Cybereason, #Cynet, #DrWeb, #Emsisoft, #eScan, #ESETNOD32, #Fortinet, #GData, #Gridinsoft (no cloud), #Jiangmin, #K7AntiVirus, #K7GW, #Kaspersky, #Lionic, #Malwarebytes, #MAX, #MaxSecure, #NANOAntivirus, #Panda, #QuickHeal, #SangforEngineZero, #Skyhigh (SWG), #Sophos, #SUPERAntiSpyware, #Symantec, #TACHYON, #TEHTRIS, #Tencent, #Trellix (ENS), #Trellix (HX), #TrendMicro, #TrendMicroHouseCall, #Varist, #VBA32, #VIPRE, #VirIT, #ViRobot, #WithSecure, #Xcitium, #Yandex, #Zillya, #ZoneAlarmByCheckPoint, #Zoner</p>

<p>Given the oversight in identifying malicious interpreted scripts, we have found that the 13 identified languages also escape detection by these vendors, including #CrowdStrike, #SentinelOne, #PaloAltoNetworks, and #Fortinet.</p>

<p>Our findings confirm that at least #MicrosoftDefender considers these malicious payloads as plaintext.</p>

<p>Kaiju Security and the MalwareSupportGroup (https://x.com/mal_supp_grp) worked to develop this novel bypass technique and are currently working on the tool for a release this week—yes, of course, just in time for DefCon. This underscores the critical importance of Red Teams, far beyond just a simple pentest. The inability of leading antivirus and EDR vendors to detect these payloads highlights the need for advanced threat detection and testing strategies.</p>

<p>Learn more and protect your systems: Stay ahead of emerging threats with Kaiju Security by visiting our website, contacting us at info@kaiju-security.com, or DMing me here on LinkedIn!</p>

<p>Please do us a favor and share with your networks so we can put some pressure on these companies.</p>

<p>Stay secure,</p>

<p>Kaiju Security</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="exploitation" /><category term="edr" /><category term="detection" /><category term="offensive" /><summary type="html"><![CDATA[Unveiling a Critical Exploitation Technique: Introducing PolyDrop]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/critical-exploitation-technique-nearly-ever-edr/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/critical-exploitation-technique-nearly-ever-edr/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">CCTV: Live Streaming Your Security Flaws</title><link href="https://blog.kaiju-security.com/posts/cctv-live-streaming-your-security-flaws/" rel="alternate" type="text/html" title="CCTV: Live Streaming Your Security Flaws" /><published>2024-08-02T10:00:00-07:00</published><updated>2024-08-02T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/cctv-live-streaming-your-security-flaws</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/cctv-live-streaming-your-security-flaws/"><![CDATA[<p>What if I told you I was going to sell you a security tool? Now, this tool won’t actively do anything—it’s not going to stop anyone from doing anything. It might deter them, but most likely, they’ll ignore it. Not only will the criminals ignore it, but statistics say your employees, managers, and whoever else likely won’t look at alerts either (if you even have them). After a break-in, this tool will provide you with an idea of what happened, but the likelihood of using it to identify someone isn’t great. Oh, and the people setting it up have never actually broken into a facility before, so the placement is often poor, with installation issues left and right that allow the system to be bypassed or turned off. WHO WANTS ONE!?!?</p>

<p>CCTV cameras are the poster children of security theater. They record everything, sure, but they’re about as useful in the moment as a chocolate teapot. When a crime goes down, the cameras dutifully capture it all—giving you a great video to watch after the fact but doing zilch to stop the criminals in their tracks.</p>

<p>And let’s talk about image quality. Have you ever tried identifying a thief from a grainy, night-time shot? It’s like playing “Where’s Waldo?” with a side of frustration. Plus, there are always those sneaky blind spots that criminals seem to know better than the installers do (cough, cough, ask a Red Team, cough, cough).</p>

<p><img src="/assets/img/posts/cctv-live-streaming-your-security-flaws/1.jpeg" alt="1" /></p>

<center>Security Theater at its finest!</center>

<h2 id="the-human-elementor-lack-thereof">The Human Element—or Lack Thereof</h2>

<p>For CCTV to be effective in real-time, you need someone watching the feeds around the clock. But who has the manpower (or the budget) for that? Most of the time, footage just sits there, gathering digital dust until someone needs to play detective. Without an alert or obvious sign of trouble, no one’s checking those feeds. So, unless your intruder is kind enough to hold a “I’m a criminal” sign to the camera, your stuff is as good as gone.</p>

<p>As a Red Teamer, many times our scope includes not bypassing alarms—yes, that means purposefully setting them off. We have done hundreds of Red Teams, and I can count on one hand how many alarms we set off were actually monitored and responded to. Typically, we set off the alarm, stroll across the street, and sit at a park or coffee shop to watch the facility. Nothing happens. No one shows up—no police, no security, not even a manager. Then we simply go back into the facility with our persistent entry and complete the job. Yes I know, alarms and CCTV aren’t the same, but nearly every one of those facilities also had CCTV. If someone had checked when the alert went off, they would have seen two people bypassing locks to get into the facility.</p>

<h2 id="poor-setup-and-open-access">Poor Setup and Open Access</h2>

<p>A major issue with CCTV systems is that they are often set up incorrectly. The feed ends up being broadcasted on the local network, and many times the IP address is open to the public. This means that anyone with a bit of tech know-how can tap into the cameras. We’ve seen countless instances where a simple Shodan search reveals the IP addresses of publicly accessible CCTV feeds. It’s like putting your security footage on YouTube and hoping no one notices.</p>

<p>The improper setup doesn’t end there. Often, the people installing these systems have never actually broken into a facility themselves, so they miss critical vulnerabilities. They place cameras in obvious spots where they can be easily avoided or disabled. Worse still, installation issues such as exposed wiring or poorly secured cameras allow determined intruders to bypass or disable the system entirely. Before all of the installers start yelling at me, we all have seen poor work, and it is more common than uncommon. If you’re doing good work, good on you!</p>

<p><img src="/assets/img/posts/cctv-live-streaming-your-security-flaws/2.jpeg" alt="2" /></p>

<center>Poor Set up</center>

<h2 id="the-path-forward">The Path Forward</h2>

<p>So, how do we turn these glorified spectators into real crime-fighters? The answer lies in technology, policy, and procedure. Integrate AI and machine learning, and you’ve got a game-changer. These systems can analyze footage in real-time, flagging suspicious behavior and alerting someone instantly. This makes the cameras proactive rather than reactive.</p>

<p>We also need to upgrade camera tech. High-definition cameras that can handle low light conditions make a world of difference. Proper placement is key too—cover all those sneaky blind spots and ensure comprehensive coverage of vulnerable areas.</p>

<p>All the tech in the world isn’t going to ensure those responsible are doing their due diligence. We attack facilities at 1 a.m. for that very reason—we want to see if the manager or whoever is monitoring the CCTV, alarm, etc., will even wake up. What is the policy? Is there a procedure if you’re on vacation and your alert goes off? Does the alert go to multiple people? Do you review your camera logs, alert or no alert, every day? Why or why not?</p>

<h2 id="the-no-alert-issue">The No-Alert Issue</h2>

<p>Here’s the unfortunate reality: if an intruder manages a covert entry, without an alert, no one’s going to check the footage. Why would they? There’s no obvious reason to suspect anything is amiss. It’s like expecting a smoke alarm to go off silently and still prevent a fire. Without real-time alerts or proper policy and procedure, CCTV is just another way to watch your stuff disappear in grainy high definition. You should check, but almost no one does, and for those of you who say your organization does… get a Red Team to test it. You might be very disappointed and surprised.</p>

<p><img src="/assets/img/posts/cctv-live-streaming-your-security-flaws/3.jpeg" alt="3" /></p>

<center>No one is alerting anyone here</center>

<h2 id="real-world-lessons">Real-World Lessons</h2>

<p>Take London’s extensive CCTV network. It’s great for post-crime analysis but hasn’t done much to prevent crimes. On the other hand, smart cities like Singapore and Dubai are integrating CCTV with other technologies, creating a more effective urban security network. These systems are linked with traffic sensors and social media feeds, providing a comprehensive and proactive approach to security.</p>

<p>And then there’s Bosch’s Automated Night Watch solution, a step in the right direction. This system uses AI to analyze footage and generate real-time alerts for suspicious activities. However, it’s far from perfect. The effectiveness of such a system hinges on having someone on the other end who actually responds to these alerts in real-time. Without real-time human intervention, it’s just another high-tech way to watch your stuff get stolen. It’s a good system, but it still needs to be buoyed with proper policies and procedures. (Dear Bosch, please send all spifs to Kaiju Security)</p>

<p><img src="/assets/img/posts/cctv-live-streaming-your-security-flaws/4.jpeg" alt="4" /></p>

<center>Automated Night Watch</center>

<p>CCTV systems have the potential to be much more than passive observers if we use them correctly. Organizations need to embrace technological advancements, focus on real-time response along with proper policies and procedures, and then TEST the humans who are supposed to implement and follow those policies and procedures. With some advancements and small adjustments, we can turn these cameras into true defenders of public safety. Let’s make our surveillance systems work smarter, not just harder, and turn those front-row seats into actual security measures.</p>

<p>As a “professional thief”, unless it’s something like a nuclear facility where I know someone is watching the cameras, no one is afraid of the CCTV you have right now.</p>

<p>#CCTV #PhysicalSecurity #RedTeam #CCTVfails #Security</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="cctv" /><category term="live-streaming" /><category term="physical-security" /><category term="threat" /><summary type="html"><![CDATA[What if I told you I was going to sell you a security tool? Now, this tool won’t actively do anything—it’s not going to stop anyone from doing anything. It might deter them, but most likely, they’ll ignore it. Not only will the criminals ignore it, but statistics say your employees, managers, and whoever else likely won’t look at alerts either (if you even have them). After a break-in, this tool will provide you with an idea of what happened, but the likelihood of using it to identify someone isn’t great. Oh, and the people setting it up have never actually broken into a facility before, so the placement is often poor, with installation issues left and right that allow the system to be bypassed or turned off. WHO WANTS ONE!?!?]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/cctv-live-streaming-your-security-flaws/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/cctv-live-streaming-your-security-flaws/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Corporate Greed vs. the Hacker Ethos</title><link href="https://blog.kaiju-security.com/posts/corporate-greed-vs-hacker-ethos/" rel="alternate" type="text/html" title="Corporate Greed vs. the Hacker Ethos" /><published>2024-07-01T10:00:00-07:00</published><updated>2024-07-01T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/corporate-greed-vs-hacker-ethos</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/corporate-greed-vs-hacker-ethos/"><![CDATA[<p>In the early days of the internet, cybersecurity wasn’t a career—it was a calling. 
Passionate, curious individuals who identified as hackers formed the backbone of what would later become the cybersecurity industry. These early hackers, like the legendary collective L0pht Heavy Industries, weren’t motivated by money. They hacked for the thrill, for the challenge, and most importantly, to make the internet a safer place. Hackers came in all shapes and sizes; some would hack hardware, others, known as phone phreaks, would use whistles to get free long distance, and some would even take over a radio station’s call center to make sure they won a car. Even kids started hacking files in their favorite video games, changing the configuration files to have unlimited lives or other in-game advantages.</p>

<h2 id="the-hacker-culture">The Hacker Culture</h2>

<p>L0pht Heavy Industries, founded in the early 1990s, was a group of seven hackers who all had a common goal: uncovering and exposing vulnerabilities in the systems that were rapidly becoming the infrastructure of the modern world. They operated out of a small loft in Boston, hence the name L0pht, working on projects that would eventually capture the attention of the world. In 1998, members of L0pht testified before the U.S. Congress, boldly stating that they could shut down the internet in 30 minutes. This testimony was a wake-up call, showing just how vulnerable our digital world was.</p>

<p>As the world’s networks grew, so did the realization of their vulnerabilities. Governments and corporations began to see the need for dedicated cybersecurity measures. What started as a niche community of passionate hackers quickly transformed into a “professional industry.” However, this transition has come with a price. As the corporate world entered the scene, it brought with it a focus on profit margins, EBITDA, and revenue over actual security. Whereas hackers saw the opportunity to use their curiosity and skills to unlock flaws, businesses simply saw it as a way to make money.</p>

<p>The incursion of businesspeople with little to no knowledge of security into the cybersecurity realm is disheartening for many old-school hackers. These corporate figures prioritize profit over protection, driving initiatives based on revenue rather than robust security practices. The focus has shifted from securing systems to maximizing financial gain, often at the expense of true security.</p>

<p>The original hacker ethos was anti-establishment; we did things because we could, because no one thought the way that we did about things. Many of us simply said to ourselves and our friends, “I wonder if I can …” and we would usually find a way. High school dropouts, nerds, people who didn’t get along with most others were who we were as a community; the only proof you needed to show you had skills was to actually just show you had skills. In the 90s, heck even 10 years ago, for a hacker to ask another hacker if they had a “certification” would have been a joke… quickly followed by a comment like “Yeah sure, I’ve got your cert right here… now where’s the system you want me to pwn?”</p>

<p>That curiosity and “Test your might” mentality has given way to certifications, costing thousands of dollars. They have slowly become “mandatory,” creating barriers to entry that are antithetical to the hacker ethos of open knowledge and community-driven improvement. A community that used to pride itself on being one of the very FEW in the world that didn’t require a formal education now finds companies like SANS replacing it with something significantly more expensive and, frankly, worse than a degree.</p>

<p>The old-school hackers, who’ve always prized practical skills and self-taught knowledge over any formal education, now find themselves in the ridiculous position of chasing certificates just to get a foot in the door.</p>

<p>“Oh? You have 20 years of experience? You hacked NORAD? You were able to systematically take over multiple companies and in turn transfer all assets to your name in a week? You were able to steal the Mona Lisa? You walked into the Pentagon and successfully exfiltrated data without getting caught? Wow, that’s amazing, but do you have the OSCP? Well, I do, so if you don’t, I guess you’re not getting past this gate.”</p>

<p>This shift is driven by corporate hiring practices that put these pieces of paper on a pedestal as the ultimate proof of competency, even though they’re often anything but. I have had better interviews from people without certificates than I ever did with.</p>

<p>The irony here is thick: the very rebels who once scoffed at structured learning are now jumping through hoops to collect certificates, not out of respect for what they represent, but because it’s become a necessary, albeit forced, rite of passage in this corporate-dominated landscape. The longer this continues, the more the newer people in the industry think this is the “norm.” Companies that hand out certifications keep propagating the need for them, since they’re able to pull in a full year of college tuition per person for a week-long class that becomes outdated in a few years.</p>

<p>For those of us who have been around for a while, if our younger hacker selves could see what the industry has become, we would all be sick to our stomachs.</p>

<h2 id="def-con-from-hacker-haven-to-corporate-spectacle">DEF CON: From Hacker Haven to Corporate Spectacle</h2>

<p>DEF CON, the world’s largest hacker conference, is a prime example of this transformation. Founded in 1993 by Jeff Moss (Dark Tangent), DEF CON began as an informal gathering of hackers eager to share knowledge and network. It was a sanctuary for those passionate about hacking, a place where innovation and creativity thrived without corporate interference.</p>

<p>Today, DEF CON is a massive event, drawing tens of thousands of attendees, including many from government agencies and large corporations. The intimate, underground vibe has been replaced by a commercial spectacle, often likened to “Disneyland for hackers.” Vendor booths and corporate-sponsored events are now commonplace, overshadowing the grassroots essence that once defined the conference.</p>

<p>One glaring example of this is the treatment of DEF CON speakers. Despite the significant revenue generated by the event, speakers—who volunteer their time and expertise—receive a meager $500 honorarium and a thank-you email. These are individuals who bring cutting-edge research and invaluable insights to the table, yet their contributions are undervalued and undercompensated. DEF CON wouldn’t be able to exist without the hacker community. This disparity highlights the growing divide between the hacker community’s values and the corporate world’s priorities.</p>

<p>My company has taught and spoken at multiple military events. In comparison to how we were treated at both DEF CON and Black Hat as speakers, it is night and day. To say we felt like rockstars would be an understatement. Escorts from the airport, lunches, military members excited to learn, organizations that actually appreciate that you are there. Certificates of appreciation, pictures, mugs, patches, Generals showing up to say thank you—the list goes on.</p>

<p>What was it I got from Black Hat again? Oh, that’s right… an email that said, “Thanks.”</p>

<h2 id="the-struggle-for-the-soul-of-security">The Struggle for the Soul of Security</h2>

<p>The cybersecurity industry’s journey from its hacker-driven origins to its current corporate-dominated state mirrors broader societal shifts, reflecting a world where profit trumps passion. Professionalization has undeniably brought advancements in security practices and awareness, but it has also erected barriers and diluted the hacker spirit that once ignited innovation. Many times, those barriers are manned by people who are more familiar with EBITDA than the command line, and somehow they are the ones who “know” what a good hacker looks like.</p>

<p>True hackers, who once thrived on breaking barriers and defying norms, should now be rallying against the very industry they find themselves in. The spirit of collaboration and open knowledge exchange, which once defined the hacker ethos, is being suffocated by corporate greed, bureaucracy, and security theater.</p>

<p>This isn’t what real hackers would have built. The corporate takeover of cybersecurity stands in stark contrast to the anti-establishment roots of hacking. The pioneers of this field were rebels, driven by curiosity and a desire to push the boundaries of what was possible—not by profit margins and shareholder interests. Today’s industry, with its overpriced certifications and rigid gatekeeping, is the antithesis of everything hacking stood for.</p>

<p>The fight to reclaim the soul of hacking is more crucial than ever. Hackers are pushing back against the corporate tide, determined to reignite the flame of true hacking. This battle isn’t just about preserving the past; it’s about ensuring that the future of cybersecurity remains true to its roots of innovation, curiosity, and defiance against the establishment.</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="hacker-ethos" /><category term="corporate-culture" /><category term="ethics" /><category term="security" /><summary type="html"><![CDATA[In the early days of the internet, cybersecurity wasn’t a career—it was a calling. Passionate, curious individuals who identified as hackers formed the backbone of what would later become the cybersecurity industry. These early hackers, like the legendary collective L0pht Heavy Industries, weren’t motivated by money. They hacked for the thrill, for the challenge, and most importantly, to make the internet a safer place. Hackers came in all shapes and sizes; some would hack hardware, others, known as phone freaks, would use whistles to get free long distance, and some would even take over a radio station’s call center to make sure they won a car. Even kids started hacking files in their favorite video games, changing the configuration files to have unlimited lives or other in-game advantages.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/corporate-greed-vs-hacker-ethos/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/corporate-greed-vs-hacker-ethos/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">The Covert Operations of Cognitive Warfare</title><link href="https://blog.kaiju-security.com/posts/covert-operations-cognitive-warfare/" rel="alternate" type="text/html" title="The Covert Operations of Cognitive Warfare" /><published>2024-05-21T10:00:00-07:00</published><updated>2024-05-21T10:00:00-07:00</updated><id>https://blog.kaiju-security.com/posts/covert-operations-cognitive-warfare</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/covert-operations-cognitive-warfare/"><![CDATA[<p>In today’s digital landscape, the battleground has 
shifted from physical borders to the minds of people. Welcome to the era of cognitive warfare, where influencing public perception and sowing discord is easier than ever. Think stealing data is simple? Try manipulating an entire population’s beliefs; it’s easier than you think, and you have examples all around you every day.</p>

<p>Cognitive warfare involves using psychological operations, disinformation, and cyber tactics to alter perceptions, beliefs, and decision-making processes. It’s not just about spreading fake news; it’s about creating an environment where people can no longer discern truth from lies. This begins to lead people down the path of things like conspiracy theories. There is a deeper psychological aspect at play here where people are drawn to conspiracy theories because they offer a sense of understanding and control in a chaotic world (chaotic; remember this for later), satisfy the human desire for pattern recognition, foster a sense of community among believers, and boost self-esteem by making individuals feel they possess special knowledge. What is important here is how that understanding of conspiracy theories can be used to manipulate. The overall goal is to destabilize and manipulate target populations to achieve a certain strategic objective without the need for traditional military confrontation.</p>

<p>Both China and Russia are maestros in this sinister symphony. The Chinese government ramped up their cognitive warfare by spreading disinformation during the COVID-19 pandemic, blaming other countries for the virus’s origin and questioning the effectiveness of Western vaccines. They use state-controlled media and social media bots to amplify misleading narratives, for example, the narrative that the virus originated from a U.S. military laboratory, to deflect blame and create confusion and chaos (there is that word again!). Many people don’t realize how easy social media is to manipulate using a bot. A social media bot is just an automated program that performs tasks on social media platforms, like posting, liking, following, and messaging, often mimicking human behavior to influence public opinion or promote content. Elon Musk has famously pointed out that around 20% or more of Twitter (X) accounts were bots, which translates to approximately 67 million fake accounts out of the platform’s 335.7 million users as of 2024. Think of what you could accomplish with 67 million voices all saying the same thing?</p>

<p>Russian disinformation campaigns have become infamous, particularly in the context of the 2016 U.S. presidential election. Russian operatives used social media platforms to deepen political divides and influence voters by spreading false stories and memes designed to inflame passions on both sides (similar to a technique the US and the UK used to destabilize Iran in the 1950s). A notable example is the Internet Research Agency (IRA), which created fake social media accounts to spread divisive content and manipulate public opinion on controversial issues such as race, immigration, and gun control. And in case you’re wondering, yes, you probably follow, have agreed with, and even promoted or reposted Russian and Chinese propaganda because you simply “agreed” with what you thought was a person’s viewpoint, or you liked the meme as it fit your feelings on the matter.</p>

<p>Take a look at the political climate in the United States around Donald Trump. The divide is stark and often beyond vicious. Russian efforts to meddle in elections weren’t about supporting a particular candidate; they were about fostering division and creating chaos; this is called “playing the long game.” They succeeded too, creating a significantly more polarized society, where people are quick to dismiss opposing views as misinformation. This is the essence of cognitive warfare: eroding trust in institutions, media, and between citizens, creating deep societal rifts, and making it harder for people to find common ground.</p>

<p>Social engineering, much like cognitive warfare, exploits human psychology. It involves manipulating individuals into divulging confidential information or doing something they shouldn’t or normally wouldn’t do. Both tactics leverage trust and authority but differ in scope. Cognitive warfare targets the masses, aiming to disrupt societal stability, while social engineering often focuses on smaller, specific targets to breach organizations. While social engineering may seem small-scale compared to cognitive warfare, they share the same underlying principle: exploiting human nature.</p>

<p>So how can you spot cognitive warfare, you might ask? Well, here are some signs: When the news seems too chaotic to believe, it’s likely a sign of overwhelming misinformation. Stories designed to provoke strong emotions are often tools of cognitive warfare. This has become the easy button for China and Russia in the United States: all I need to do to evoke emotion is say something like “Donald Trump was the greatest president in history,” and whatever side you fall on, the typical American falls, and falls hard. When you start to see only news that confirms your darkest beliefs, you are likely in an echo chamber created by cognitive warriors. Your lovely social media algorithms that like to show you things you like (then attach ads to them) are easily manipulated into pushing you, and millions of others, into a dark corner where the majority of what you see is orchestrated. The unfortunate reality is that many times these techniques are used not only by foreign actors but also by organizations trying to sell you something or collect data from you (hello Meta!).</p>

<p>Combating the threat requires vigilance and education. Always check multiple sources before believing, and most importantly, sharing information. Nations, not just organizations, should educate their citizens to recognize disinformation and social engineering tactics. Understanding both cognitive warfare and social engineering significantly empowers the population. Promoting media literacy encourages critical thinking and skepticism among the public.</p>

<p>Cognitive warfare threatens the very fabric of society by undermining trust, creating divisions, and sowing chaos. For countries, it’s a reminder that security isn’t just about physical defenses or cybersecurity measures; it’s about protecting the minds of your citizens. In a world where perception can be manipulated with a few keystrokes, vigilance and education are our best defenses.</p>

<p>The stakes in cognitive warfare are high, affecting not just national security but the everyday trust that holds societies together. By recognizing and combating these tactics, we can build a more resilient society capable of withstanding the digital onslaught. Stay informed, stay skeptical, and above all, stay united. In this vast expanse of our digital world, where data theft has become as effortless and desirable as swiping gold from an unguarded vault, we find ourselves at the crossroads of technology and treachery.</p>

<p>As we conclude our exploration of cognitive warfare, it’s crucial to understand the enduring power of repeated falsehoods. “If you tell a lie big enough and keep repeating it, people will eventually come to believe it.” This principle, often attributed to Nazi propagandist Joseph Goebbels, underscores the absolute potency of disinformation. Though there is debate over the exact origins and wording of this quote, the concept is beyond clear.</p>

<p>Adolf Hitler elaborated on a similar idea in his book “Mein Kampf,” stating that a big lie is more likely to be believed than a small one because people assume no one would fabricate something so grand. Hitler wrote, “In the big lie there is always a certain force of credibility; because the broad masses of a nation are always more easily corrupted in the deeper strata of their emotional nature than consciously or voluntarily; and thus in the primitive simplicity of their minds they more readily fall victims to the big lie than the small lie.”</p>

<p>The atrocities of World War II were predicated on enormous lies, demonstrating the devastating power of disinformation. Don’t just take my word for it—learn from history.</p>

<p>This insight into the psychology of deception is central to understanding cognitive warfare. It highlights how repeated disinformation can and does erode trust, create divisions, and destabilize societies. It can also be used to get many people to buy into something that they likely shouldn’t. By recognizing these tactics and promoting media literacy, critical thinking, and skepticism, we can fortify our defenses against these insidious threats. In a world where perception can be manipulated with a few keystrokes, vigilance and education are our best defenses against the manipulation of our collective consciousness.</p>

<p>“In the digital age, the most dangerous weapons are the lies we choose to believe.”</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="cognitive-warfare" /><category term="influence-ops" /><category term="hybrid-warfare" /><category term="threat" /><summary type="html"><![CDATA[In today’s digital landscape, the battleground has shifted from physical borders to the minds of people. Welcome to the era of cognitive warfare, where influencing public perception and sowing discord is easier than ever. Think stealing data is simple? Try manipulating an entire population’s beliefs, it’s easier than you think, and you have examples all around you every day.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/covert-operations-cognitive-warfare/cover.jpeg" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/covert-operations-cognitive-warfare/cover.jpeg" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">The MITRE ATT&amp;amp;CK Framework: A Misguided Approach in Modern Cybersecurity</title><link href="https://blog.kaiju-security.com/posts/mitre-attck-framework-misguided-approach/" rel="alternate" type="text/html" title="The MITRE ATT&amp;amp;CK Framework: A Misguided Approach in Modern Cybersecurity" /><published>2024-02-06T09:00:00-08:00</published><updated>2024-02-06T09:00:00-08:00</updated><id>https://blog.kaiju-security.com/posts/mitre-attck-framework-misguided-approach</id><content type="html" xml:base="https://blog.kaiju-security.com/posts/mitre-attck-framework-misguided-approach/"><![CDATA[<p>Okay, let’s cut to the chase. We’ve all heard about the MITRE ATT&amp;CK framework, right? This big, elaborate map of cyberattack tactics and techniques that’s supposed to be the holy grail for attacking organizations in cybersecurity. 
But let’s get real for a second – is this thing actually worth its salt, or are we just playing a high-stakes game of Pin the Tail on the Cyber-Donkey? I’m going to do my best to break it down for you, how I see this as a red teamer, hacker and general mischievous person that plays bad guy for a living.</p>

<p>The Guesswork Gala: First off, the whole process of using the MITRE framework feels like a wild goose chase. You’re the organization, and instead of handing a professional team the instructions to “do your worst, act like a real attacker,” you opt for threat modeling, trying to conjure up who’s going to hit you next. Then you jump into this labyrinth of the MITRE ATT&amp;CK framework to pinpoint the attack vectors that someone thinks someone else MIGHT use, based on a guess as to whether that hack really was, or was not, that organization. But let’s face it, this is nothing more than sophisticated guesswork that companies charge a mint for, having sold it to organizations as a way to save money, increase security, and fortify the “most likely avenue of attack.” Now, this is all according to the company selling it, of course; convenient … isn’t it? The truth is malicious actors aren’t sticking to a script; they’re opportunists looking for cracks, not rehashing their greatest hits. How do I know? Myself, my team, my former co-workers, anyone I know who is a red teamer operates this way, because the underground malicious actors operate this way. A few sayings come to mind: “If You Know the Enemy and Know Yourself, You Need Not Fear the Result of a Hundred Battles,” “In the Mind of a Hacker, Every Lock is a Challenge,” “The Best Defense is a Good Offense.” But none of these quite embody red teaming like “Think Like a Thief to Catch a Thief.” We / They don’t think, act, attack, or quite frankly do anything even remotely resembling threat modeling and using the MITRE framework. Red teamers live in places like dark web forums; finding places that aren’t meant to be found is what makes us tick. I promise you, the real bad guys laugh at this method more than we do. We know because, frankly, we interact with many of them; we straddle that boundary between good and bad, wearing that grey hat, not because it’s our job, but because we LOVE secrets, we LOVE knowing.</p>

<p>The Attacker’s Guidebook: Then there’s this: by laying out all the possible attack methods, aren’t we essentially handing over a playbook to the bad guys? Think about it. If you’re using MITRE to fortify your defenses, you’re also showing attackers what you’re guarding against. Not only that, but this method of choosing a threat actor, then guessing what that threat actor’s attack is going to be, also gives other threat actors a likely attack NOT to perform. I KNOW they do this, because frankly, WE as red teamers do this. We can and do run threat modeling on an organization, but we do it to see the most likely area that they have been pentesting for. So if we as red teamers do it, and we mimic the actions of malicious actors, one would think someone may want to listen. And what about the gaps? Those methods not covered in the framework? You can bet your bottom dollar that’s where these cybercrooks will pivot to, because it’s where WE pivot to. It’s like installing a state-of-the-art lock on your front door but leaving the window wide open and telling the world you only check the defense of one vector at a time.</p>

<p>The Blind Spot Dilemma: The MITRE framework and most threat modeling strategies are glaringly blind to the unknown unknowns. They’re built on the backbone of what’s been caught and cataloged. But what about the attacks that slip through the net, the ones that are never detected or, far more prevalent, the ones that are “misdiagnosed”? MITRE and threat modeling can’t and don’t account for these, and that’s a gaping hole in their armor. It’s like trying to predict tomorrow’s weather with last year’s almanac.</p>

<p>So, what’s the bottom line? While the MITRE ATT&amp;CK framework might seem like a cybersecurity panacea, and to be fair, it does have its uses, it is far from a good model organizations should be basing their pentesting on by picking and choosing attack vectors. Relying on this tool is like playing darts in the dark. You might hit the bullseye, but more often than not, you’re just throwing blindly. The MITRE ATT&amp;CK framework is a great tool, it’s just being used horribly wrong. In a world where cyber threats are as fluid as water, our strategies need to be just as adaptable, not stuck flipping through pages of what’s been done before, or basing an organization’s yearly testing on a best guess, while leaving everything that someone didn’t think about, out of the equation.</p>

<p>As a professional red teamer, I implore you to take a hard look at the MITRE ATT&amp;CK framework and our reliance on it. Cybersecurity isn’t a static puzzle to be solved; it’s a dynamic battleground. Our defenses need to be proactive, not reactive, tailored to the unique contours of our organizations, and perpetually evolving. Anything less is just playing into the hands of those lurking in the shadows, waiting to exploit your next oversight. This doesn’t mean that a red team is the cure; it simply means your organization should be tested as close to a real scenario as possible. Coming up with one or two attack vectors based on someone else’s guess, which isn’t even based on any active intelligence of that organization’s current infrastructure, is just absolutely bananas.</p>

<p>As a Red Teamer and professional, my hope is others heed this advice. As a malicious actor, and someone that enjoys exploiting an organization to show them how good our team is, I would hope this trend continues, because it makes us look great when we run roughshod over an organization.</p>

<hr />]]></content><author><name>Kaiju Security</name></author><category term="Security" /><category term="mitre-attck" /><category term="frameworks" /><category term="defender-mindset" /><category term="threat-modeling" /><summary type="html"><![CDATA[Okay, let’s cut to the chase. We’ve all heard about the MITRE ATT&amp;CK framework, right? This big, elaborate map of cyberattack tactics and techniques that’s supposed to be the holy grail for attacking organizations in cybersecurity. But let’s get real for a second – is this thing actually worth its salt, or are we just playing a high-stakes game of Pin the Tail on the Cyber-Donkey? I’m going to do my best to break it down for you, how I see this as a red teamer, hacker and general mischievous person that plays bad guy for a living.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blog.kaiju-security.com/assets/img/posts/mitre-attck-framework-misguided-approach/cover.png" /><media:content medium="image" url="https://blog.kaiju-security.com/assets/img/posts/mitre-attck-framework-misguided-approach/cover.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry></feed>