
Casting Light on the Known Unknowns

Instructor: Alissa Torres

This webcast was originally aired on February 26, 2025.

Are you triggered by your junior analysts’ requests for network diagrams or baseline device configurations?

Are you easily offended by arcane questions about AV exception paths, approved authentication protocols, managed browser extensions and other things that most security teams don’t know?

When institutional knowledge is seemingly impossible to come by due to silos, egos and status quo, folks get worn down over time and stop asking.

Our assignment:

1.) Embrace the scary reality that there is stuff we don’t know but should.

2.) Do something about it.

Join us for a free one-hour training session with Antisyphon instructor Alissa Torres for talk therapy on capturing and facing your ugly Known Unknowns.

Transcript

Daniel Lowrie

Welcome, everyone, to the actual Anti-Cast today, which is Casting Light on the Known Unknowns, which, Alissa, does sound very much like a way to win a bar bet through some weird double-negative speaking. I love the title on this, but this is an actual thing, and you’re going to kind of walk us through some of these concepts and ideas, especially about things like “known unknowns.” Tell us a little bit about what we’re going to learn today.

Alissa Torres

Oh, well, hey, everyone, I’m happy to be here. Alissa Torres. And I will say this is an opportunity that I hope everyone has today, because, you got something on your chest, you want to rant about it, this is definitely that for me. You could call it a passion project, but I have a lot of those. What the known unknowns are is, like, hey, stuff on a daily that you ask, for example, is this normal?

And those answers are not easy, many times. So we’re going to talk about proper motivation, overcoming maybe some ego, some hesitancy.

I always call it turbulence: anytime something is preventing you from really tearing in and making a win, that’s going to be the turbulence creeping up on you soon.

Daniel Lowrie

Oh, yeah, I’ve definitely experienced that. Anytime you start asking questions about things, and you mentioned ego, that’s always a fun thing to butt up against, because people don’t like it when you go, hey, why do we do this?

And because, for me, it doesn’t make sense. I’m just kind of rolling it around upstairs, and maybe I’m missing something, and people can get really defensive or whatever, because they don’t really like trying to answer those questions, because maybe it’s very complex, or maybe they don’t understand it as well as they think they do, or they feel confronted because you dare to question anything that they have said, and they’ve been here and they’ve done this, and who are you, noob, to come along and ask your questions?

So I really look forward to hearing some of your thoughts and insights on this. But that said, where do we begin with this journey?

Alissa Torres

Hey, I’ll go ahead, as I... I appreciate no long introductions. No, no. But normally I don’t have a slide that tells folks who I am. This is the slide.

I created this just for you, Daniel.

Daniel Lowrie

Oh, just for me.

Alissa Torres

This is, like, the first time Daniel and I are working together, so we’ll emphasize.

Daniel Lowrie

Everybody was telling me, like, oh, you don’t know Alissa? Alissa? Are you kidding me? I was like, yeah, I don’t. Haven’t had the opportunity. I’m looking forward to it.

Alissa Torres

Unbelievable. Yeah, yeah, no, but I have been teaching in this space: digital forensics and incident response and threat hunting and a little bit of purple team. I know we were mentioning a lot of red team stuff before we started, with that summit coming up, but, yeah, I can talk about memory forensics because I used to own that course.

I can talk about memory forensics for six days, ten hours a day. I can do that, and it’s one of my passions. But like I said, I have a lot of passion projects. I’m excited to share them with you.

Daniel Lowrie

Well, it sounds like you’ve got a bit of experience to be able to speak to this very topic. Makes sense that you would have created this specific talk.

Alissa Torres

Opinionated and angry. That’s exactly what I am.

Daniel Lowrie

That’s what we love the best, right? That makes the best talks.

Alissa Torres

Oh, absolutely. So last year, it was Valentine’s Day 2024, and I gave an Anti-Cast on Big Mad Blue Team. And like, obviously there was some anger behind that.

Now people are going to be like, Big Mad Blue Team, I’m going to watch that next. But there was definitely... It was a topic that incited my rage. But I’ve gotten over it. So this is the new topic.

This is the new topic that has me a bit unmoored. But let me share with you what’s going on here. Oh, and by the way, I teach Advanced Endpoint Investigations as part of the Antisyphon catalog.

It’s a 16-hour course. Yeah. And I don’t know when it is going to be held. I think I might be part of that Kernelcon crew that’s teaching; that’d be cool, in Omaha. So. Yeah. All right, so big mystery here.

Big mystery as to what is she talking about with this whole known unknown. This slide explains it all. No, obviously it’s quadrants. I’m going to be going through the ones in green.

They’re easy, you know what I’m saying? So let me jump in. Known known. It’s the stuff you have documented, or it’s the stuff your analysts know like the back of their hands, plural. It is stuff that’s built into muscle memory.

Examples as shown on the left-hand side of the slide. The other easy one, although frightening, the other easy one is the unknown unknown. We don’t worry about unknown unknown.

I mean, yes, it’s probably what keeps you up at night, but what are you really worried about? It’s that perhaps undefined sense of doom, like, why am I feeling so the world is ending? But unknown.

Daniel Lowrie

Is that the stuff you would probably say is the I-don’t-know-what-I-don’t-know kind of stuff?

Alissa Torres

That’s beautiful. It’s the total absence of awareness. So yeah, it very well could be considered a blissful situation, nirvana. And that’s exactly it. So we’re going to take a moment to discern between, well, the darker colored quadrants here, the ones that really require a bit more explanation.

So yeah, on the left-hand side, the... not the focus of this talk, but it’s the unknown known. And you guys are going to be like, I’m not following, I’m not following. But it’s green, so it’s friendly.

Also on this slide. Anyways, we know that these particular nation-state actors are seeking to gain remote access into our environment. We know that they’re properly motivated, incentivized, have the capability.

But the unknown aspects of that which I’ve just described, known known threat actors, the unknown aspect is when they’re going to come knocking on the door, in what manner are they going to proceed?

I mean, thank you, threat intelligence, but yeah, you can know as much as possible about these particular groups, because they fall into that green category of known.

But there is some ambiguity as to what the timeline is, what are the procedures that are going to be executed there in order to gain initial access. So you got it right, you’re squared away on the unknown known.

The focus of my rant today is on the right-hand side of this slide, which is, I am actually tracking what I don’t know. Beautiful place to be.

Right. So I have a list of known questions about my environment, maybe about the skill set of the people I work with, and I have subsequent slides that follow with excellent examples of things that you could track, should you raise awareness to the, like, oh man, I guess I don’t know what remote management and monitoring tools our field support techs are using.

Wah, wah, wah. So yeah, you’re thinking, like, those are good questions. And so we’re really seeking to delve into why do we even have a list of things like this? Questions that define us as the environment, the enterprise?

Daniel Lowrie

Alissa, it’s funny, you make me think about some of my first experiences when I got into cybersecurity and I started to go to conferences. And you’re sitting in here, you’re listening to talks, and maybe this resonates with some of the people that are sitting there.

It actually still resonates with me now. You start to hear about new tools, or maybe just ways in which you can use a tool that you already have, or ways that you can bolt on security or do things more securely.

And you’re sitting here listening and going, well, yeah, I know password policies are a good thing, but I didn’t know you could do it like that. Or I didn’t know there was a tool out there that could enumerate X, Y or Z.

And you write that down, and it becomes... Is that... Would you define that as a known unknown? Now that I know what this is, or I kind of have some frame of reference to this particular concept or actual thing, an object,

and now I need to learn more about it. I’ve learned that I don’t know enough about this. And that’s really what we’re saying when we say known unknown.

Alissa Torres

Oh, yeah, yeah, yeah. I’m recalling my propensity to apply to jobs where I don’t actually know what all of the acronyms are in the job posting.

I remember, I know it’s an old-school digital forensics joke, but I never really understood, when I was applying for these jobs, what TSK meant. And I’m like, I’ll figure it out.

Obviously, I have a list of the expectations for the role. I’ll figure out what TSK means when I’m up against it, just before I roll into the interview. And yeah, so you have a list of things you’re supposed to know.

TSK, The Sleuth Kit. But I figured it out before I showed up to the interview, and that is what is most important. Yeah, tracking.

Daniel Lowrie

I like that. Yeah. And that’s an ever-growing list, I’m sure, because there are so many things, and that can be a little daunting to go, man, this list keeps growing about stuff I don’t know about. How the heck am I...

We get people all the time that come into our AMAs and things like this going, how do you guys stay on top of all this stuff? There seems like a never-ending deluge of learning. You’re like, yes, you just get your spoon out and start eating.

Because that’s about the best you can do. You just have to continually learn. And if you’re not tracking it, then it can become a little overwhelming, to be honest with you. So it is a good idea to start coming up with: these are the things that are going to get prioritized that I’m definitely going to learn more about soon.

And then when I get done with that, I’m going to move on to this, and so on and so forth. So coming up with a plan can make that lift a little bit easier. But I like your idea right there of coming up with... you got to track this stuff.

Alissa Torres

True, true. All right, so I need to provide some examples, because I already hear some folks that are attending right now, and maybe, like, shout out to the folks that are listening to this Anti-Cast back asynchronously.

You’re like, well, this doesn’t apply to me. I am currently a team lead for our threat hunt capability at a transportation company, we’ll call it that, passenger transport.

And so detection rules, detection logic, is near and dear to my heart, because hey, as a threat hunter I am supposed to be focusing on that which is not signature.

Yeah, it’s supposed to be hard, not easy. You go after the signatures and you’re like, man, a set of conditions that exist, something is going to alert me or draw my attention to that machine, that application, that network traffic.

But as a threat hunter, you’re like, let me challenge myself. And so we want to better understand the detection logic, the custom rules that we have in play. So this brings me right back to the class that Hayden is going to be kicking off.

You gotta say, SOC detection engineering crash course would be fantastic right now. But I also want to say, when I was at Mile High just this past month, I attended the presentation given by Weeks Bukima, and it was all about evading EDR with command-line alteration and that type of crazy, crazy stuff.

So in order to figure out what questions, as a threat hunter, I should be asking against data sets that might be eking their way past our detection rules, well, you got to understand the criteria or the conditions that are baked into the detection logic.

And you’re like, just open it up. I don’t know what the problem is. But you may open up the rule itself, but there may be some, say, threshold of entry for understanding the query language or the manner in which this logic is presented to you.

You might not have access. You might not have access at all. I know, I worked at Palo Alto Networks. I was just talking with some current colleagues of mine about how Palo Alto Networks does not open-source their detection rules.

I’m showing you right now a screenshot of Elastic, and they have all of their detection rules open source, open for public viewing. At least, they have a pretty incredible catalog of detection rules.

Actually, I might have pivoted and just grabbed a KQL query, because KQL, you know, Microsoft Sentinel and MDE. Nevertheless, I need to know how it works in order to figure out, hey, maybe there’s a reason, logic-wise, why this particular execution of certutil bypassed the rule. And so you gotta have that inquisitiveness to figure out how things work.

And I think that’s part of the joy of really working in security operations.

Daniel Lowrie

Yeah, I’m gonna have to agree with you on that. It’s always fun to kind of analyze these things. I think that’s why a lot of us get into the business, because we like the puzzle of it. We like the, hey, this is a mystery, it’s kind of an enigma box.

I want to know why that works. I hate not knowing how that actually functions. And so yeah, getting into the nitty-gritty of what these things do and then kind of cataloging that, creating detections so that you can actually fire off.

And hey, we’ve got a little problem here. Someone should probably take a look at this, and what is it exactly that’s going on? Boom, right here, we figured out this is how the things work, so that we know that this is a bad thing, and that’s why we want to take a look at that.

Do you have any other examples for us?

Alissa Torres

Oh yeah, oh yeah. This is again a bit of a passion project, because you’re always making some assumptions about how your endpoint security products are configured,

because the assumptions are based on, potentially, the benchmarks of how they’re supposed to be configured, compliance requirements, like the best practices for configuration of an endpoint security product.

But oftentimes these plans, these pristine, crystallized examples of how a hardened Windows 11 machine should be, really shatter upon taking flight in most environments.

So one of the things I like to look at is that very thing: how is... And this is Defender for Endpoint. Apologies for those people that are like, oh, I don’t want to see that. But you have Defender for Endpoint, just as an example.

How is the Defender antivirus capability configured? And you’re like, of course, I know we’re running scans on a weekly basis. We have real time. Actually, nothing is configured here in my screenshot.

But that’s probably not where you’re at right now. You’re probably at a much more secure state of affairs. But, yeah, real-time detection, is it turned on? Fingers crossed. Or is it disabled because you have a secondary antivirus running on that particular machine?

But you got to know, you got to have an understanding. And one of those pet peeves that I have, that I’ve recently encountered over my last year, is a ton of security exceptions. And these are path exceptions for the antivirus, or path exceptions for, say, execution prevention.

And you’re like, well, why are these 50 exception paths in existence? Do we still need these? Realize that an exception path is where the antivirus is not going to be looking.

Oh, it’s fine. It’s fine. So asking these questions, you’re thinking your detection engineers, your cybersecurity engineers, are the ones that are looking at this stuff on a daily, and they should be well read in.

They should have documentation for every one. Why does that path exist? Why are we not tracking or attempting to block anything that executes out of the temp directory? But they should know. But because they look at it every day, that’s not the way things work.

It becomes just that background, so you no longer ask questions about what you see every day. So I love it. I love...

Daniel Lowrie

It never ceases to amaze me how many people come up with so many justifications, and most of them are pretty lame, I’ll be honest with you. Like, hey, I need an exception for this software. Have we vetted it?

Do we know any security about it? Like, who’s going to do updates? They don’t understand all the back-end work that goes into just going, hey, I want this software on my computer. It’s like, I get you. I hear what you’re saying, and then AV is popping it. Well, why is AV going crazy on this?

Is it a known entity that has issues? And like, do you need WeatherBug? I don’t feel like you do, but I hear you. I know you want it bad. I hear you. And then someone above your pay grade comes down and goes, just give Bob WeatherBug.

Can you just give him WeatherBug? You’re like, well, note my exception to his exception, because I don’t think this is a good idea. And then you get to pull that paperwork out, I guess, at the time of fallout.

Alissa Torres

Yeah. Some of the more intriguing questions as well, if you’re tracking: do you allow your users to log on to their Google accounts from their work machine? If so, are you allowing syncing between wherever else they’re logged into their Google accounts and the work machine?

And you’re like, tell me that again. What are you saying? But this is a fantastic way to get those artifacts from their Chrome browser extensions on your work machine. Even if it doesn’t sync the entire extension, you’re going to have artifacts.

You’re going to sync the, oh, credentials that are tucked into the browser, bookmarks. What could go wrong? So wild. So if you don’t know, you should be curious about these things,

because if you’re looking at your data that’s being pulled from the endpoint through the lens of security operations, of incident investigations, you’re going to come up against these questions. So, yeah, think ahead.

Daniel Lowrie

Oh, hold on. We don’t do that here, Alissa. Okay.

Alissa Torres

Absolutely not. All right, example number three. I like it. Daniel, you already made mention of this, really coming to a deeper understanding of how your tool works. So, one of my pet peeves, another one, is what time zone is this massive amount of data being represented to me in?

Like, of course, it’s UTC, universal time. No, no. Maybe one of your massive data lake repositories is going to be presenting the data in UTC.

Maybe another tool, your SIEM, I’m so sorry, your SIEM, decides that it’s local time. Only the best for you. So if you don’t know these things, and it’s not passed on or part of that institutional knowledge, you forget, because part of incident investigations is building out this beautiful timeline from all of the different data sources.

But if you don’t know how to manipulate some of the data to get it all to fit in on the correct timeline, you’re just lost. And I give this to you as a hot mess.

Daniel Lowrie

I love how you mentioned, like, people forget. Famous last words are always, I’ll remember, I’ll remember. It’s like, oh, yeah, you’re not going to remember.

That’s so true. Best intentions. But I’ll say oftentimes we find out another department, another team, is shopping for a product that we know we have the capability to support, based on what we already have rolled out in our environment.

So I think everyone, if you’re in the cybersecurity, security operations space, you can think of at least one tool in your environment, maybe even on your home machine, where you’re like, yeah, I paid for that tool, but I’m not using it to its fullest extent.

And that sucks, because then you get into this cycle of, maybe that functionality exists, but we’re already shopping, we’re already doing proof of capability, and no one wants to go back and figure out whether there’s, what?

I don’t even know, a functioning sunroof on the old model. Mhm.

Well, that would uncover the fact that they did not do their due diligence on the products we’re actually using. Right?

Alissa Torres

Yes, yes.

Daniel Lowrie

And we don’t do that here.

Alissa Torres

Yeah, sad, sad. But yeah, that would be example number three: deeper understanding of tool functionality. We find ourselves up against that. If you’re open-minded and you can see what’s not in front of you, you can identify the gaps in knowledge.

The fourth one I present to you is a lack of understanding of a baseline. This is example number four. But everyone can also relate to this. I already gave you a little insight into, whoa,

our remote desktop support team, our service desk, how are they gaining remote access into our employees’ laptops, our employees’ machines? So hopefully you’re like, I totally have that answer.

I don’t know why she’s hung up on this. But without a very distinct understanding or capture of what baseline activity is, we could be flagging legitimate remote access

that is legitimate from our service desk. And really, what is this undercutting? Productivity. That’s availability, productivity. On the flip side, if we don’t ask the question, what does normal look like?

We could be allowing all of those favorite remote access tools from some of your most evil threat actors to come set up shop and be used illegitimately. So I like that one.

If you’ve spent time in your environment, you’ve probably identified some FTP traffic. Again, so sorry, but I spent a good chunk of time at Palo Alto Networks on their managed services team.

So in these stories I’m not talking about Palo Alto Networks, I’m talking about some of the managed services customers for threat hunting that were on board at that time.

And so wild, so wild, to initially go in and ask that question, as you’re getting oriented to a new customer’s environment: is this FTP traffic normal?

And you would hope that you’re not waiting for a managed service provider to ask your internal team that question. Right? You should already know, like the back of your hand: yes, on a monthly basis we have internal data transfers, and it’s not really FTP, it’s SFTP, or something like this that explains what is going to bubble up as a question from whomever is going to roll in, whomever might be joining your team next, or a contractor, or someone who’s coming in to offer surge support.

Yeah, don’t let them be the ones that ask those hard questions. Yeah, I love the question of how does our triage collection tool show up as a footprint on the remote endpoint that we’re collecting data from?

It is one of my favorite questions to ask. Long, long ago, Tanium, using Tanium as an endpoint collection tool, used to just roll out a Base64-encoded PowerShell script that would call all of the local tools baked into the OS on the box to pull back, say, a Windows triage.

Don’t worry, they don’t do it like that anymore. But you would look at, say, the prefetch, or evidence of execution, after you pulled back all of this triage data. The artifacts left on the box were so loud,

and pretty disruptive. And you want to have a firm understanding of what your collection tool looks like, even if it’s quiet, super stealth. We want to know. Oh, for example, we just rolled out a new agent in our environment, and it makes calls outbound to a bunch of Cloudflare domains.

That’s a knee-jerk reaction unless I have that understanding of what normal looks like. And notably, I just threw out an example of one of the reasons why this is hard to keep track of: the introduction of new technologies to your tech stack.

Rough.

Daniel Lowrie

It gets you every time, doesn’t it? It gets you every time. Well, and like you said, and I’m glad you did say that, it is difficult. It’s not just an easy thing to do. It takes time, it takes effort, it takes people, it takes work hours.

You’re going to be on the struggle bus sometimes, because even though the process is difficult, it can get even more difficult with certain things. They get just much more complex. And you’re like, why is this like this? Who’s the dev that made this?

Because, oh, man, I want to buy them a ham sandwich that’s five days spoiled.

Alissa Torres

You understand your anger?

Daniel Lowrie

You do? Anybody that’s been there, done that, got the T-shirt goes, yeah, yeah. And unfortunately, that does cause us to kind of go, I don’t want to do this. It’s too hard. And you start justifying in your mind that, well, the actual probability of this being a problem is going to be this.

And therefore, we like to justify away things we don’t want to do very quickly, instead of just going, well, it’s time to roll up the old sleeves and get to work on this. Because if we are not tracking these things, and somebody comes in and asks us who, what, when, where, why, and how, and we go... that’s not going to be a great day for anybody.

Alissa Torres

So I like it, Daniel. Okay, you read ahead. So to better understand that reticence that we experience when the new joiner asks the question we don’t know the answer to,

and yet we’ve been here for years, we’re going to focus on these four levels of competence. Why not? So the first level of competence is going to be that, say, unknown unknown. Right. Like, we don’t know we’re incompetent. So this is called unconscious incompetence. Like, I’m insulted already; it has insulted me.

But, yeah, we go back to how we were defining the unknown unknown. It’s bliss. Right. And people want to stay this way. Curiosity is discouraged. So when you have someone joining a team or doing that awesome... Or maybe it’s new leadership, and you’re like, man, that guy’s a jerk.

That guy’s a jerk because he’s asking the hard questions. We don’t have time for that. So curiosity being discouraged. And some folks will point to... I think Daniel is starting to allude to this.

That operational tempo is prohibitive to you actually digging in and asking questions like why? And what if? Yeah, you actually need time in order to spark that creative process.

And questioning is an aspect of creativity. No. Anyone who asks questions is a total jerk.

Daniel Lowrie

Oh, man. Guilty. I am guilty.

Alissa Torres

I don’t care. Uh-huh. So, yeah, sources of resistance. So why do we hang out in that, say, unconscious incompetence for maybe longer,

longer than we could even justify through explanation? I present to you three different reasons or sources of resistance. Ego defensiveness. We alluded to ego at the top of this hour. This is...

Yeah. And nihilism. Nihilism.

Daniel Lowrie

Mhm.

Alissa Torres

So first I was going to put... I have three big dogs, who are my youngest kids; two adult kids. But the dogs, man, the dogs. So on this slide, I could not even put a real picture of a dog wearing the cone of shame, because I knew I’d be hurting some other dog owners, dog lovers.

So there is your drawing of a dog with the cone of shame. And it does have to do with that ego defensiveness. I think I have a link I’m going to drop in, because ego defensiveness is one of your cognitive biases,

if you like cognitive bias. I like it. I mean, I think it’s pretty incredible, all of the different biases that may be intruding, encroaching upon your ability to have a well-constructed debate.

We do that a lot in this household, debate. But yeah, you never want to have flawed logic as you approach a conversation, not an argument. So ego defensiveness is that very thing.

If I say I don’t know this and I admit that it’s an important piece of knowledge, then I have to also admit that I’ve worked here for years and still don’t know this thing.

So you have someone who’s new joining the team. You have someone who is attending your brown bag that your team is giving, and they ask a question that unmoors you. Why are you unmoored?

Because, I guess you’re feeling it. What is that called? Not long in the tooth? I don’t even know. Like, there’s a little bit of arrogance to you if you roll in and get unnerved by a question that you don’t know the answer to.

Maybe it was all my time as a SANS instructor that’s hardened me to expecting questions that I don’t know the answer to. But another...

Daniel Lowrie

Yeah, a lot of people just do not like to say the words I don’t know. Right? Especially if they feel like they’re supposed to be an authority on something. Like on your slide here you have, why is this new joiner asking so many questions?

Who does he think he is? And I may or may not have been in that situation where I’ve heard those kinds of words coming back at me. And I’ve had people always tell me that ad hominem is a surefire sign of a failed argument, when you start attacking me personally instead of going, that’s a really good question,

and I don’t know. That should be great. Like, it’s fine that you don’t know. I mean... Or I say it’s fine. It’s not fine that you don’t know, because you should, but it’s fine that you can admit that you don’t know. Then let’s get to the bottom of the issue.

Let’s not sit here and point fingers at each other on who’s a butthole. Well, let’s just get to... you know what I mean? It’s like, if I... sure as I don’t know, I’m new, that’s why I’m asking questions. Because I surely don’t know.

And if you don’t know and you’ve been here a while, that’s just pointing out an issue.

Alissa Torres

Yeah, and, like, sometimes the retort is, that’s not our job. That’s someone else’s job. Think back to the antivirus exception paths. Yeah, it’s not my team’s job, but my team, being in security operations, is impacted by this laundry list of places that antivirus or endpoint detection and response tools are not going to look.

So, yeah, even if it’s not your job to, say, have the answer or be able to explain the why, it’s probably going to impact you in some form or fashion. At least that’s what I say to myself.

It’s never a waste of time to ask these questions. That’s what I say. Cone of shame.

Daniel Lowrie

I agree. Chat, if you agree, put your hand in the air and wave it like you don’t care.

Alissa Torres

So. So I like this, too. This is an also an inhibiting factor, to opening our eyes and becoming aware of what we don’t know. It’s called the Dunning Krueger effect.

And folks who are not trained in a particular area oftentimes will present themselves as more confident than they should be in their abilities. You probably can think of some folks, that you work with, maybe some, colleagues or family members, where you’re like, yeah, that person only thinks they know, or they only think they have a handle on how the Enterprise is laid out.

Configured, workflow, information flow. It’s, fascinating. So this cognitive bias, another one to check out. But it doesn’t mean that the more confident you are, the dumber you are.

This is just for folks who have not yet begun to question their gaps in knowledge.

Daniel Lowrie

So there’s just a tendency for the, for the uninitiated, the un, the unknowledgeable, the unwise, to be confident because they don’t know what they don’t know.

Alissa Torres

Oh yeah. So I did promise in pre-show banter, I did promise that there were going to be some references to one of my favorite series on Apple TV right now and it’s called Silo.

Come on, who loves that? So, in this regard, I’m not necessarily talking about the Apple TV series. If you don’t know it, you’ll love it. But this is the silos, the information silos that prevent us from being inquisitive, prevent us from, like I said on the last slide, stepping outside our lane.

And I know that there’s a couple of, of the perspectives on the safety of silos. You have that, resistance or hesitancy to share insights about what your team is doing.

Because the thought is the more people know about what your team is supposed to be doing, the more they will say, continue to inquire, or maybe the more they’ll expect of your team.

So that might be the resistance to sharing information upon being asked. But the flip side of this is of course if you have to go outside of your central team, your immediate team, in order to find out information about your enterprise, whether it be what does normal look like?

How are these things set up? What is group policy? Yeah, you’re actually exposing a weakness. You’re exposing that vulnerability of not knowing. And so yeah, a lot of management in fact will discourage that type of external, say, show of vulnerability.

Like don’t go asking the Active Directory people how they have things set up. We’re supposed to already know that. So the safety of silos, it could very well be considered, oh, its own prison in and of itself because it’s hard to get in, and sometimes quite hard to get out, as it’s discouraged, the culture discourages you from asking questions.

Daniel Lowrie

Stay in your lane, bro.

Alissa Torres

Yeah, yeah, yeah, yeah. I hope that this is not any of you like you work somewhere where you’re encouraged to seek the truth and not only are you encouraged, but it’s easy, right?

Exactly who to call in order to get these questions answered. But so many, so many environments, as I know this to be true, don’t have easy access to subject matter experts in the proper space.

So there you go, organizational silos. I love when I can point to a survey. This is a survey. Survey participants were polled, those folks who are working in cybersecurity: identify your collaboration gaps.

That is what is causing dysfunction across security teams. Heavy hitter, impeding incident response, impeding threat visibility. Kind of goes back to the detection logic thing.

Impeding the automation, enrichment automation. Automation of, like, workflows, playbooks and then information sharing. Terrible. But you got a scary. Stats are always good.

Hey, this third one, this third impediment or obstacle to actually becoming aware of what you don’t know is just a bad attitude in general. What we don’t know doesn’t matter clearly because we’re knocking out those incidents.

Yes, that was Galaga. And I would like to say that I know some teams are working at that operational tempo where they do not have time to be that past entity who is assigned to go find the correct answer, find out, because, hey, my day in, day out job has me, say, strapped down 100% of the time.

So there are a lot of impediments or obstacles to even generating the interest in seeking these things out. Yes, I boiled it down to just a bad attitude.

But sometimes you’ll start off with a really positive perspective. And then the change is constant and continuous. So you might have known what the environment looks like five years ago, but no one’s updated the, say, the network diagram since then.

No one’s keeping the asset inventory CMDB up to date. So change being constant, you fall into this. Why bother? It’s not going to stay up to date anyways.

Maybe you are seeking perfection. So, yes, absolutely. And maybe your motto is just keep your head down and crank out your tickets, crank out your work, burn through the incidents and call it. When you close out the day, it’s another one in the books.

So, is that depressing? Three solid buckets as to why we may find ourselves stuck in that unconscious incompetence.

Daniel Lowrie

It’s funny you mentioned the change is constant. It reminded me of a time I, me and my dad were driving to New York City and we were, I forget, maybe we were in Virginia somewhere or something and my dad was telling me, he was, my dad was a truck driver for many, many years.

He said, you gotta, you gotta watch it through here. The cops, the cops work this area all the time. Ten minutes later he’s like, I haven’t been here in 20 years. I go, hold on. What am I looking out for? If you haven’t been here in 20 years, how do the cops work this area, and I need to watch my speed?

But time can have this weird dilation in our minds, and we can think that everything is as it was five years ago when deep down we know that is not the truth. And we come up with these weird cognitive dissonance scenarios that go, oh, yeah, this thing don’t make sense.

I need to probably upgrade my thought process here and move to. Because we. Stage one was unconscious incompetence. Well, now we’re conscious of these things and, we’re consciously accompanied, right?

Alissa Torres

Yeah. Oh, yeah. That’s what we’re moving to. But I have to give a little shout out to Zoltar. I love Zoltar. Every time I see a Zoltar fortune teller, you must pay him money so he can tell you, all the things, all the ways.

If you haven’t seen one, they’re still out there. And they’re still out there. Kick back to the movie Big, right? They use Zoltar.

Daniel Lowrie

Love that movie.

Alissa Torres

Good stuff. All right, so stage two, as we’re eking along is conscious incompetence. And this is supposed to be accompanied by motivation, impetus, a drive, excitement, curiosity, like, we should find out this stuff that we don’t know.

And a little tongue in cheek, because sometimes it’s not met with any of those. Any of those emotions. Like I said, if you’re overwhelmed by what you don’t know, you may arrive at these list items and just be totally demoralized.

So, motivation, sure. But the motivation to learn has to be supported by management. There’s all kinds of, like, little tips and tricks at the back end of this deck. And we’re almost. Yeah, Daniel’s probably looking at the time like she better. She better move on.

Daniel Lowrie

I. I, trust you and your abilities. Slide deck. That might be misplaced, but it can.

Alissa Torres

Be really demoralizing to open your eyes to what you don’t know. I think in cyber security, we. We experience this on a daily. Yeah.

Daniel Lowrie

But it’s true. I’ve been there, got the T-shirt.

Alissa Torres

The way we can rein it in is say, I just want to know about my environment. Don’t need to master. Was it boiled ocean? Learn everything at once. But let me just figure out what my environment should.

Should look like, how it’s configured. So, yeah, I’m really speaking to institutional knowledge. And it’s not just institutional knowledge. It’s not just things that are documented, but it is a way of life. It’s what is burned in, like I was talking about muscle memory, this tacit understanding of how we do things.

And probably the biggest gripe about institutional knowledge is that which is not documented but stored between your most senior, experienced analysts’ ears.

Yeah, in a past experience where they were fighting the dumpster fires, nothing was documented and there’s no ability to pass on that experiential. There it is, dumpster fires, that experiential institutional knowledge.

Yeah. So y’all know, but what are, what are the barriers to growing this knowledge? Because we, we know it’s valuable. We have suffered the impact of people leaving without documenting.

They leave and they take the, all of those badges of honor, courage, dedication, all of those hard won battles they’re they’re taking with them as their own stories.

So of course that would be the first barrier is literally the people that the stories were built off of, the main characters of the last incident that we work through, they have, they’re no longer cast in future scenes.

That sucks. So, but don’t just think of it as an analyst who’s been through, trial by fire, but the engineers, the architects. I was hearing this in our change meeting, our ops meeting just this morning that, yeah, we don’t have anyone around anymore that was part of that project and part of that technology being rolled out in our environment.

So now you’re pretty much having to reverse engineer the manner in which it exists.

Daniel Lowrie

That seems like an odd form of insider threat, honestly, where you have someone that knows a lot about a system that is very crucial and critical to your operations and they get pissed off and just quit one day.

And they’re the one that knows all that stuff. And that might have been by design. I definitely know some people that have done that kind of thing where I’m not going to tell them I know this or give them all the information and give them just enough so that I can kind of maintain some control.

And therefore if they make me angry, I’ll leave and they’ll, they’re stuck, in the wind as it were, trying to figure out what to do. And they got to figure it out because that’s just how it is. And now maybe they have totally screwed themselves when it comes to further employment.

But people do some crazy things when they get emotional. So I have definitely seen that kind of stuff.

Alissa Torres

Well yeah, throwing back to that five year old network diagram, a lot of the information that we’re going to gather. Should I motivate you to do so? A lot of the information that you’re going to be gathering about your environment is not going to be good six months from now, a year from now.

And I just point to this as information bit rots. Terrible because of infrastructure changes, mergers, acquisitions, divestitures or someone actually managed to get approval for that new insertion into the tech stack, like yet another endpoint agent, like how does that fit in and how does that ripple the waters.

As we were becoming accustomed to that pristine lake that we look out on now, the changes create this turbulence. Oh, there it is again. And that can be really difficult. Other things that may get in the way of us growing the institutional knowledge and then very well demoralizing the interest in regrowing or continuing to maintain.

There is a chopping and changing of roles and functions. Who is assigned to what function. If you’ve ever received, for example, now your team is going to be responsible for running the tabletop exercises.

Maybe you didn’t get a handoff at all about how to do that. Maybe there was an easy button, but again that was never captured and passed along. Yeah, lack of management support. If your operational tempo is prohibitive to actually documenting anything or to reaching out via Teams or whatever messaging platform you’re using to the system administrators, you’re never going to find the opportunities should management not support this pursuit to get those answers.

Because that’s a time suck. Honestly, restrictive operational tempo is largely the same. Poorly organized knowledge bases. Everyone is probably playing around with their Confluence. I know one of the past orgs I worked at paid some consultants to come in and evaluate the knowledge that was maintained in our Confluence.

And I just made sure to back everything up. I’m like, oh my God, this is terrible, it’s going to be destroyed. But yeah, that pretty much did happen. But there is a pursuit of better organizing your knowledge base.

And definitely worth looking into if you feel like you’re creating a new page of content and then it’s getting lost and no one accesses it. Cool thing about Confluence is you can see how many accesses, how popular your pages are.

So yeah, if you’re creating content that no one is making use of, you can pretty much figure that out straight away. And then, hey, lack of integration of new knowledge. And that really has us looking at, let me see if it’s the next slide.

So the last bullet on the last slide points to what is essentially the premier, the topmost phase of learning. Before we were talking about the four levels of competence.

Now we’ll just overlay the phases. Six phases of learning. And in order for us to really make use of the new information or new knowledge that we’re being presented, we have to integrate it, incorporate it into our routines.

So rebake our playbooks now that that new technology has been introduced to the stack. I’m sorry, but you have to or you’ll never actually adopt the latest and greatest.

So yeah, you have to focus on integration. And then some people will actually complain that as soon as you start integrating and generalizing, you get a little bit sloppy and complacent.

So yeah, it’s constant, Red Bull or Monster or what is it, Celsius. Got to stay constant. It’s constantly vigilant. And so I just want to kick out two remedies to resolving known unknowns.

There’s curiosity and courage and don’t know I’m going to tell you about curiosity and courage, la la la. Curiosity. But this is actually in many teams being crushed, active crushing of analysts’ interest in how things work.

And that doesn’t sound right because largely that’s what brings us into this industry is having that question, this inherent question of how things work. What brought us here. So fostering a curious culture.

There’s lots of things to consider, but I always point to, and people make fun of me all the time about this, but psychological safety, as a leader, I’m a former Marine, I spent four years in the Marine Corps. Not to say that that was my best years of leadership as I was in my twenties.

But understanding that as a leader you have to set an example and be vulnerable. And certainly asking the dumb questions is one of the ways to show vulnerability and to open up that space so other people can follow suit.

We don’t want to be dumb, but we want to be able to voice what questions we have, that fall into that category of the dupe. We should totally know this. So I propose to you, anyone who’s asking the why or like, what is this how so?

Or what if? These are powerful questions, they call this the golden circle. That which is going to give us that drive, that impetus to understand the inner workings and, and really?

When we come to the table with recommendations on how to implement security controls, it only can benefit you to know how your security controls are already set up.

Daniel Lowrie

You got to become the caveman lawyer from SNL. Remember that skit when he was like, I’m just a caveman, and your modern ways both frighten and confuse me. But I don’t understand how this works and point out their logical fallacy or their flaw in their reasoning.

That. That does tend to ruffle little feathers from time to time. But I only find that to be true with people that are very insecure. The smart people that I’ve come up and have met in my life, when you ask them a question about why I don’t understand your logic, they go, that’s a great question.

And, you mentioned how we can feel a little insecure about asking that question because we might feel dumb. But smart people that I’ve, in my experience, they do. They do not think that you are dumb for asking something about something that you don’t know.

They think you’re very smart for doing that. So if you, if you, A good way to kind of push that feeling down, of feeling dumb is to just realize that only the insecure is going to try to mock you or make you feel bad about asking a question about something you don’t know.

Alissa Torres

And I’m sorry you have to work with these people.

Daniel Lowrie

Yes. It’s just life.

Alissa Torres

Now is not the time to be looking for a job. So make it work.

Daniel Lowrie

That’s right.

Alissa Torres

I’m just kidding. I’m just. I mean, I’m kind of kidding. But understand, like, we actually do better when our curiosity is fostered. Kicking over to courage. Yeah. Like I said, somebody has to be the first one to ask.

Someone has to be the first one to contact the team that. That is in charge of that domain. So admitting mistakes, challenging the day in, day out, operations, all of this super important, and just wanted to give a little shout out, that we make a difference.

You make a difference with every bold move that you make. But, every time, I love that concept of the hive that I feel this way about, my threat hunt team is one of us will go out and engage and find a bit of information that further informs us about our enterprise, about our environment.

And we all benefit from that. And sometimes we’ll actually share it with other teams too. So I’m just saying, like, it does, it does make you better. Tons of information. But this is what I posed to you as a challenge.

Capture the questions. When you have someone coming in to join your team, a consultant that’s there to ask, an auditor, let’s capture those questions. Make it an acceptable part of your work week. Curious Thursdays.

I hadn’t really said that out loud yet, so that’s funny. And then grow a backlog of known unknowns. Like, I have a backlog of hunts that if we had the time, we totally lob that one off and take it on as the next challenge.

We want to do the same thing with our list of we don’t know. Right? Prioritize, and action that backlog. Assign folks to find out, give them permission to seek the answers outside the team.

And, of course, what I’ve been emphasizing is lead with humility. Always create a safe space where these questions can be asked. So I give this to you, Daniel. I mean, seriously, I make today amazing.

Daniel Lowrie

I will do my best. I am absolutely motivated after this talk. It reminds me, I. I read an article one time, I forget what company it was. I want to say it was a company in Australia or something, but they were a dev group. They created software, and it was either every Friday or every other Friday or something.

In a regular KD audience, they told their devs, do anything you want, work on anything you want. You’re not allowed to work on work today. Your job is to build something, play with something, learn something new.

And sometimes they would do that individually, and sometimes, little groups would form and they would start working on a project and they would come up with things. And sometimes that led to innovation and new ideas that they could then monetize.

They could say, what? We can actually create this product and ship it and box it and sell it to people. And I think it will be good for everyone. People will enjoy the product. This is a great idea. It led to a lot of that. And, not only that, but they had, like, a very.

When they. When they surveyed the. The employees, they were very satisfied in their work because they were allowed to be curious. They were allowed to question. They were allowed. They were given space to say, what? I just want to try something.

And the boss said, cool, go get it. Have fun. Enjoy. Right? Like, I think that we can get so bogged down with trying to hit bottom lines and. And deadlines and things of that nature, we forget to make today amazing and have some fun.

Right? It’s. It’s in, you and when you’ve got a happy workforce, you got happy people that are doing their job that they. That they like doing because they know that you are invested in them as good employees and wanting them to continue to grow in their knowledge and skill and ability.

It only benefits you as the employer. I don’t understand what we don’t understand about this interesting concept. It seems to elude many. But that said, we are at time. Alissa, thank you so much for joining us today and giving this presentation, because I think it’s a benefit to a lot of us, and hopefully some people are out there.

Maybe they never thought about that. Maybe they never had it in that perspective, but today they’ve. They kind of had a little paradigm shift, and they said, what? I am gonna. I’m gonna allow for questions. I want to question what we do. I want to know the answer why.

So, again, thank you so much, Alissa, for this presentation. I think it was very, very insightful and useful for a lot of us. That said, this is the time where we say thank you.

Everyone in Zoom has joined us in all the wonderful memeage that was made possible today and brought to you by all our wonderful followers here in, Not Zoom, Discord, but it is Zoom time where we go for a little Q and A.

So if you’re joining us through Zoom, we will have Q and A area. Need to get to that. There should be a. Let’s see if I can find this. This is always a trick for me to find where this goes. I think it’s in Breakout rooms.

And then Ask Antisyphon Anything. I think that is the breakout room that you need to go to to join us for the Q and A. Alissa, if you have time, we would love to have you, as always, but if not, we understand time is of the essence.

And, thank you, Discord. We’ll see you there. Until next time, everyone. Have a great day.

Alissa Torres

Bye, all.

