Jackson T.
@Jackson_T
Tweets/views are my own.
Joined May 2009
In this post, I discuss one key difference in the thinking between sophisticated adversaries and many of the red teams that try to simulate them, as well as what that means for tradecraft and tooling. https://t.co/FTEHcIsqsW
I don’t really talk about personal stuff on here, but this is important. My daughter’s leukemia has relapsed. We’ve been admitted to the children’s hospital for treatment, but it’s going to be a long road. One of the potential courses of treatment is a stem cell transplant..
Efforts like this stimulate the thought that a threat to EDR efficacy more subtle than a malicious kernel driver is another (competing) event-driven system that supports progress on objectives through calculated CoA recommendations.
Pleased to see @SpecterOps onboard with shifting away from Human-Is-The-Loop decision making to approaches that can better empower operators in commercial red teams. We're all probably about a decade late to the party but better late than never. 😀
Seeing things this way has implications on the design and development of platforms that enable product testing and decision support.
> Instead of thinking of the properties of procedures as having fixed values, consider them more like words in language, whose meanings can change depending on the context: “Time flies like an arrow. Fruit flies like bananas.”
> In computer network operations, contextuality says that properties of procedures, such as their efficacy or resilience to sensors, only exist within the context of a measurement.
There is something about this description of contextuality that deeply resonates with my understanding of the interactions between defensive and offensive procedures. I still think my understanding is limited, but consider the rephrasing of an excerpt from this article below:
In quantum mechanics, contextuality says that properties of particles, such as their position or polarization, only exist within the context of a measurement. https://t.co/ezKswNNcIE
One can tell how a red team operator thinks by which word in "information technology" they put most weight on in steering their engagement activity.
“The greatest goals are achieved through minor but continuous ekkedt [sic: effort].” This quote from Anatoly Dneprov's thought provoking short story, "The Game" (1961) has resonated with me lately. https://t.co/6wjpAYiwzE
Anyone else using Ross Ashby's "Law of Requisite Variety" as a way to frame their understanding of attacker-defender competition?
@the_bit_diddler showed me this blog post that I somehow missed last year. I'm blown away by how well it articulates many of the challenges that are facing red teams. https://t.co/jlGuRMr1fL If you haven't read it yet, it's worth the 5 minutes.
I've long been interested in how EDRs work under the hood and how we can apply a more evidence-based approach to evasion. I'm happy to announce that I've written a book covering these topics with @nostarch which is now available for preorder 🎉 https://t.co/tHSWnVzuMX
nostarch.com
A guide to understanding the attack-detection software running on Microsoft systems, and how to evade it.
Finally put pen to paper on a topic that's been irking me. Fun fact: there is no AI malware doomsday on the way, nor is there an impending arms race of AI-powered malware vs AI-powered EDR. That's just vendor-serving rhetoric.
fieldeffect.com
Read what Matt Holland, Field Effect CEO and co-founder, thinks about the hype around AI and its perceived role in cybersecurity.
Although the use of the algorithm here is undoubtedly contrived, it does surface interesting topics like state representation, action specification, and codifying tradecraft constraints into a reward function.
Here is an implementation of Monte Carlo Tree Search and how it could be used to optimize decision making for configuring shellcode loaders like @Optiv's Ivy tool. https://t.co/6AA3pIILGw
There is a difference in communication styles with defensive sensors, whether they are EDRs or even lasers. The words I use to describe this difference are broadcasting vs. narrowcasting. You can read more about that here: https://t.co/gNmWxoemhh