The death of the corporate hacker - Why your corporate security sucks.

The death of the corporate hacker

I am a cybersecurity professional and for the last decade have gotten paid to break into some of the biggest corporate networks. My expertise is breaking in and showing gaps in both the detections and the response by security teams. I get to social engineer, write malware and set up attacker infrastructure. My value to the business is that I can break in and help improve security posture before a real threat actor does.

The culture has shifted heavily. Corporate security culture has turned into process-heavy workflows that promote the least technically literate employees. Security policies are heavily reliant on vendor-specific tools or software, without any understanding of their capabilities beyond what a salesman offers.

What the fuck happened in the last decade? Where is this going, and how do you profit?

More money more problems

The pay in offensive cybersecurity was always great. This money started bringing in a large number of new people who were solely motivated by the salary numbers they saw on Glassdoor. These new people might have watched an episode or two of Mr. Robot and decided to pursue the career in college. Many of them don't even like being on computers. The high salaries brought a lot of people in.

We were all noobs at one point. That has never been the problem. But the normies have faked their knowledge and succeeded in moving up the corporate ladder. The security programs at many big companies are now run by people who are scared and lack the natural curiosity that this space requires.

Fear brings out the self-preservation instinct. Decision makers outsource the burden of responsibility to third-party vendors. After all, "nobody ever got fired for buying IBM". These tools are often expensive and come with a ton of proprietary vendor lock-in. Employees are brought in to fill roles. They are trained on the spot and learn to do a specific task or job without understanding the whys or hows of the tools they use.

When those tools fall short, nobody notices because nobody knows.

Middle management chooses to drown in a sea of bureaucracy. Opaque processes help distract from their technical shortfalls. Projects turn into a circle jerk of process-heavy busy work rather than value-adding technical work.

Return of the chaos

The tech recession is here. Rising interest rates have constricted the amount of free-floating cash. Layoffs happen, divisions get cut and companies go out of business.

The contraction in VC funding means fewer "security startups" get funded, and slowly the vendor landscape trims the fat. Big vendors stop innovating and competition dries up. Big businesses won't cut spending when it comes to vendors. They fear the losses from a breach and rely too heavily on vendors to pacify that fear.

While businesses go out of business there is one sector that increases during recessions… crime.

Crime is the OG stimulus package

Crime rates rise as a country's economic prosperity falls. Recessions stimulate all sorts of petty crime, fraud and even violent crime.

When times are hard criminals are more aggressive. It has been a long time since we saw a proper recession. As the economic outlook deteriorates you will see an increase in threat actor activity (both internal and external).

How will management respond?

Faced with the risk of layoffs and budget cuts, managers will double down on what they know: Process. The focus will shift to checking boxes and circle jerking the higher ups. This is a terribly dangerous position to be in for a company.

High performers will be pushed to either leave or get in line. Falling in line is better for an employee's career than challenging existing processes while attempting to improve the company's posture.

Those who are capable won't speak up or do the extra work. Those who aren't capable will parrot the company lines and work harder on their digital equivalent of bureaucratic paperwork.

The catalyst for change

The higher-level decision makers will be flying blind. Real risks are not properly communicated to them until there is an incident.

Incidents are the real catalyst for change. The decision maker feels blindsided by whatever breach happened. They send directives from the top down, scrambling middle management to procure answers to questions they are not able to answer. Usually the explanations are carefully thought out and blame is not placed. Instead, there is a great push for improvements moving forward, which often means a new policy or process gets created.

These catalysts for change don't cause systemic change. They are temporary and end up benefiting the middle managers who thrive on creating new processes.

When the catalyst is permanent

The one scenario where the catalyst is permanent is a major breach: an incident large enough to pose an existential threat to the company. Usually this forces C-level execs and even VPs to step down.

A new leader is announced and restructuring of the organization begins. This is the point in time when the most technically proficient employees can improve their career drastically.

In the chaos of new processes being created and old policies being rewritten, there is a loss of confidence in middle management. This loss of confidence can be used to advance your career.

Management is scared. They don't want the truth of their technical incompetence to be found out. New projects are more likely to get approval. Anything that shows your technical proficiency reflects upward onto your management team.

There will be plenty of opportunities to hunt down vulnerable services or hosts, as C-level directives call for all hands on deck to find any existing threat to the network.

This is the time to grind out long hours and show your proficiency. Automate away most of your scanning and don't show your work until you have findings. You want to show off your skill set.

Nobody cares how hard you worked. You want to show results.