Cybersecurity Reading List - Week of 2026-06-01

Published on: June 1, 2026

In conversation recently, a fascinating question came up related to security operations work:

“Given the advisory nature of SecOps work, if there are dueling camps, how do you know where to fall when it’s your turn to speak?”

And the answer to that is simple: you fall back to your own values.

We deal with many shades of grey all the time, and that can be both exhausting and frustrating to have to navigate. The number of stakeholders never seems to wane, only wax, and at a certain level in your career you hit a point where you realize that, more often than not, your decisions will please one camp and disenfranchise at least one other. As an autistic I often default to viewing issues in binary terms, which doesn’t fit the world well. As a kid who went through his parents divorcing, working through complex corporate politics can trigger some existential-level anxiety in me. It’s not a fun time. And we don’t talk about any of it nearly enough.

But having built SecOps and Threat Intel programs from scratch, I learned one thing that will help more than any other once you’re pushing through hostile fog of war in threat hunting, detections engineering, and ultimately larger system architecture or policy decisions: consistency in your values eclipses any other political consideration. And far from making you a stick in the mud or keyboard warrior, what it does is provide a strong foundation from which to operate.

The first step in building a security program is defining the values under which it will operate. They’re guides, and can be flexible ones. But they are absolutely essential for building anything more than a paper-thin veneer of a program. Without fundamental values, the program may sway any which way the wind blows, and progressive accomplishments are harder to build upon. But by choosing the values that inform the program - especially SecOps - and communicating them from the first moments onward, you build not just a reliable framework for decision-making, but also trust.

And in security, of course, trust is critical.

In particular, you build the trust of users and stakeholders that team decision-makers are aligned and dependable, and the process weeds out arbitrary short-term thinking. By communicating this from the beginning you simultaneously establish expectations with partner organizations and create an understandable internal framework to fall back on in harder times. Like when your team is responsible for guidance that will make one executive’s day, and another exec’s naughty list. How do we decide where to fall? Well, that work might already be done - what are our values? How do they apply to the current moment?

Founding a security program on values provides another benefit: staying consistent to those values creates a kind of “compound interest of trust.” People know where you’re coming from even if your decision rankles them, and by your actions you build a narrative about your team as you go. 

Start the story of your program with the values that will inform it. Tell the story of your program by staying consistent to them, and navigating the “Oh crap, how do we decide?” moments will become simpler. You’ve already defined the strategy; what remains is agreeing on the tactical level. Then evaluate, adapt, and move on to the next one.

This is security. There’s always a next one. 

Articles

  • Spycloud - ShinyHunters, Supply CHAINS$ & Sketchy New Criminal Forums - Excellent little writeup on some current goings-on in the threat landscape. Spycloud work is always top-notch and insightful. Incidentally, two of the authors are presenting at SLEUTHCON on Friday: Smish and Chips: A Crash Course in Chinese Smishing, Carding, and Fraud.
  • infoblox - Amusing Numerology: Analysis of the Numbers in Domain Names - “The numeric component is not just noise appended to make domains unique. It encodes decisions baked into the generator at design time, decisions that stay constant regardless of which infrastructure cluster the domain lands on, which registrar was used, or when registration happened. That invariance, if detectable, makes the numeric component a particularly reliable provenance indicator for the cluster merge problem: determining whether multiple distinct clusters are actually produced by the same generator.” - Some people love trains. Some love shipping containers. Some people know everything about planes, or sports teams. Me? I love Infoblox research. Always scratches that data-rich itch right behind my ear. 
  • flyingpenguin - Can Someone Please Explain Whether Cloudflare Blackmailed Canonical? - Sort of an ongoing question these days: Cloudflare selling some of the only viable protection against threats they themselves host or act as passthroughs and obfuscators for. A review of pDNS data shows that Cloudflare protected DDoS/booter service Beamed, which 313 Team used to disrupt Ubuntu services until Ubuntu signed on with Cloudflare. That’s not to mention, at least at the time this screenshot was taken, TeamPCP and Breachforums were using Cloudflare services to protect a site organizing a competition on who can breach the biggest supply chain.

Research Papers and Reports

  • RIPE - Exploring Iran's Internet Shutdowns Using Cloudflare Radar - Short talk at 20 minutes, but absolutely fascinating topic, even with the network lighting back up at the moment. In the digital era, visibility is key to understanding actual impact in the world. I could’ve listened to a couple hours more of this, or even just a constant radio channel - a numbers station of Iranian IP blocks lighting up and going dark, or moving in and out of Iranian ASNs and M247. 
  • USENIX - DNS Cache Poisoning Like it's 2006 - Well, since path traversal is popular this year, it makes sense that DNS cache poisoning would turn up too. 
  • Verizon - 2026 Data Breach Investigations Report - The hallowed; the venerable; the yearly infosec coffee table book of horrors. Growing focus on vulnerability exploitation, among other trends. 

Tools and Resources

  • Rivian - AI-SAST - An AI-driven static application security testing tool that’s probably worth putting through the motions if code analysis is your jam.
