Cybersecurity Reading List - Week of 2026-05-04

Published on: May 7, 2026

The more I understand about the overall threat environment, the less I know about the overall threat environment. 

The more I understand about the interconnected systems in the overall threat environment, the more I understand about defense. 

If you query the right kind of security nerd, roughly 10% of infosec practitioners by my anecdotal count, you will find not just someone who learned about Systems Thinking and keeps it in the mental toolbox for the right moment, but someone for whom the topic is formative, someone who dived deep into the nature of different types of systems, and how similar and different systems can interact with each other. I’ve found it goes well beyond computer systems - we have colleagues who have studied natural or artificial ecosystems deeply, the vast array of biological systems at hand, industrial production systems and complex gas processes. Governance systems familiarity is a hit due to its proximity to compliance systems. Firearms systems are a regular special interest of American security practitioners. 

The lessons we learn from studying disparate systems often come to fruition in a completely unrelated discipline - or one that appears unrelated, anyway. Or overlaps serendipitously with a current puzzle or problem to overcome. It’s one of the reasons that Bioanalytics graduates are highly sought-after as business data analysts.

In the early 1980s as genetic engineering took some of its first truly artificial strides, one of the primary problems to overcome was how to introduce a desired gene into a cell experimentally without engaging with the larger multicellular organism - breeding the gene in, in other words. Then some mad scientist decided to coat particles of hard metal with genetic material, sprinkle them on a projectile, and fire it straight into a cell with a .22 caliber bullet’s worth of gunpowder.

Voila. The entire field of biological ballistics - or biolistics - was born. Usage continues to the present day. Some scientist, somewhere, is firing live ammo (probably at plant cells) in order to induce genetic transformation. 

The sheer brute novelty of this method continues to amaze me.

“Normal science,” wrote the philosopher Thomas Kuhn in his ironically paradigmatic book The Structure of Scientific Revolutions, “the activity in which most scientists inevitably spend almost all their time, is predicated on the assumption that the scientific community knows what the world is like.”

As an industry, we largely seem to be convinced, or are at least trying to convince others, that we know what the world is like. Often to my embarrassment, I can only say that I’ve never been confident about knowing what the world is like, whether we’re talking about life in general or cybersecurity in particular. That internal posture of curious insecurity shapes not only my reticence, but also my expansive experience of the possible. 

And I often worry that as a sort of industrial science, we really have convinced ourselves that we know what the world is like, and most of our time is wasted dawdling in mop-up operations. All available incentives push us toward the middle of information security as a science rather than the edges. Most leave us tired at the end of the day, without the energy or resources to push imaginative boundaries. 

What happens if I start looking at each problem not from the perspective of someone who’s supposed to know what the world is like already and simply be reactive to it, but from the perspective of the madman that fired the first gene-coated bullet into a cluster of cells and then carefully watched for signs of transformation to appear?

Podcasts

  • Lawfare - The Shadowy World of Ransomware with Professor Anja Shortland - The interview was strong enough that I insta-ordered Shortland’s book “Dark Screens” - so definitely worth listening to. Worth keeping in mind it’s from a political economy standpoint, in order to set expectations, but the more perspectives we have on this the better.

Articles

  • FBI/IC3 - Cyber-Enabled Strategic Cargo Theft Surging - Between this and the use of insecure webcams to better target kinetic strikes, it’s getting more and more interesting to see how perverse incentives in the technology sphere lead to dire consequences in meatspace.
  • UK NCSC - International cyber agencies share fresh advice to defend against China-linked covert networks - Despite not meriting many headlines in recent news cycles, this activity and advice is becoming more and more relevant as PRC activity continues to evolve.
  • Mxsasha - Taking down a European network with a TLS certificate: my RIPE NCC RPKI exploit chain - “A single shared session cookie and missing CSRF protection allowed me to make authenticated changes to the RPKI Dashboard and RIPE Database, which control routing configuration for networks from Europe, the Middle East, and Central Asia.” - Clever research that continues to show how paper-thin our protections are at a global scale. 
  • watchtowr Labs - The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940) - “Hello! Yes, it's all a disaster again!” - This cPanel auth bypass is the stuff of nightmares. I’m surprised more havoc hasn’t bubbled to the surface.
  • NTPpool - DNS configuration tampering on one of our GeoDNS servers - “We found that a volunteer who provided hosting for one of our GeoDNS servers used their access to manipulate DNS zone weights for the NTP Pool service domain.” - Fascinating bit of malice here. Timing can do weird things to computers and other equipment, so an attack on the NTP pool can have wide-sweeping, unanticipated repercussions. On my to-do list to start looking more deeply at hypothetical NTP attack impacts now.
  • Quad9 - Negative Trust Anchors - I had never heard of Negative Trust Anchors before, but came across it as a result of the DENIC .de DNSSEC debacle yesterday. Really fascinating mechanism with very complicated incentives and consequences. Also, I very much appreciate how cautiously Quad9 approaches it.
  • Twitter - eth[.]limo DNS hijack post-mortem - Credit where it is due, looks like the eth[.]limo folks set things up right, with services reliant on DNSSEC, so when DNS was compromised, the blast radius was severely limited. 
  • Cloudflare - Agents can now create Cloudflare accounts, buy domains, and deploy - Even laying aside the likelihood of misconfigurations leading to massive unexpected spends, I’m just going to say this is the worst and most abusable idea I’ve heard all year. 
  • BIML - Recursive Pollution and Model Collapse Are Not the Same - “The number one risk in LLMs today is recursive pollution. This happens when an LLM model is trained on the open Internet (including errors and misinformation), creates content that is wrong, and then later eats that content when it (or another generation of models) is trained up again on a data ocean that includes its own pollution. Wrongness grows just like guitar feedback through an amp does.” - A good, quick post about an important difference in LLM training risks, and given the abuse of LLMs for influence operations lately and subsequent re-ingestion of that material by LLM scrapers, something that looks to be a clear possibility, if not probability.
  • CNN - US special forces soldier arrested after allegedly winning $400,000 on Maduro raid - The prediction market folks are speedrunning what insider trading folks found out a while ago: while the methods are complicated, once established, it’s very very easy to connect an uncannily “lucky bet” to an individual. 
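The Mxsasha item above quotes the two missing controls that turned a session cookie into authenticated routing changes: a shared session and no CSRF protection. As an added illustration of what the absent check looks like when present (my own example, not code from the post or from the RIPE NCC writeup), here is a minimal synchronizer-token CSRF gate beside the cookie-only check it replaces. The session store, origin, request shape and token values are all constructed for the example.

```python
"""Added example: cookie-only authorization (the weakness the quoted
writeup describes) next to a synchronizer-token CSRF check with an
Origin/Referer comparison. Everything here is constructed for
illustration; it is not the RIPE NCC dashboard's code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical in-memory session store: session id -> per-session CSRF token.
SESSIONS: dict[str, str] = {}

# Constructed origin of the application that owns the session cookie.
TRUSTED_ORIGIN = "https://dashboard.example"


def new_session() -> tuple[str, str]:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = csrf
    return sid, csrf


@dataclass
class Request:
    """Just the parts of an HTTP request the check needs."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def legacy_is_allowed(req: Request) -> bool:
    """Cookie-only authorization: any request the browser attaches the
    session cookie to is accepted, including one a third-party page
    triggered. This is the gap the quoted post-mortem describes."""
    return req.cookies.get("session") in SESSIONS


def _same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix match would let
    'https://dashboard.example.evil' through."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def is_state_change_allowed(req: Request) -> tuple[bool, str]:
    """Allow a state-changing request only when the session is valid, the
    request came from our own origin, and it carries the token bound to
    that session. Returns (decision, reason) so denials can be logged."""
    if req.method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    expected = SESSIONS.get(req.cookies.get("session"))
    if expected is None:
        return False, "no valid session"
    # Fail closed when neither header is present: a browser sends Origin on
    # cross-site form posts, so absence is not a reason to trust the request.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None or not _same_origin(origin):
        return False, "origin mismatch"
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if token is None or not hmac.compare_digest(token, expected):
        return False, "missing or wrong csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid, csrf = new_session()
    own_page = Request("POST", cookies={"session": sid},
                       headers={"Origin": TRUSTED_ORIGIN},
                       form={"csrf_token": csrf})
    cross_site = Request("POST", cookies={"session": sid},
                         headers={"Origin": "https://other.example"})
    print("legacy, cross-site:", legacy_is_allowed(cross_site))
    print("gated,  cross-site:", is_state_change_allowed(cross_site))
    print("gated,  own page:  ", is_state_change_allowed(own_page))
```

The token comparison uses `hmac.compare_digest` so that timing does not leak how much of a guessed token matched, and the origin check compares scheme and host exactly rather than by prefix. The "single shared session cookie" half of the quoted finding is outside this snippet: it is addressed by scoping cookies per application (separate names and `Path`/`Domain` attributes) rather than by any request-time check.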

Research Papers and Reports

Tools and Resources

  • BushidoToken - Awesome-Ransomware - GitHub repo of ransomware-fighting resources curated by a first-rate threat intel analyst from Team Cymru.
