
Successful Collaboration in Cybersecurity: If the Only Tool You Have Is a Hammer…

by Security by Accident, August 27th, 2023

Too Long; Didn't Read

If the hammer is the tool you are best with, I think you should use it as much as possible. I feel it would help collaboration.

Apparently, Abraham Maslow said: “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” I am sure you have heard this saying elsewhere.


And I think it is a valuable quote about expanding your knowledge, toolset, and horizon and everyone should try to fully understand it.


But over my time working in (offensive) cybersecurity, I kind of came up with a different statement:


“If the only tool you have is a hammer, you have to bang everyone.”


Please continue reading before you get mad at me (okay, you can get mad at me right away, for my poor choice of words).


Quick disclaimer: I am NOT advocating any form of violence.


My own story

I feel like my own background matters a little bit to explain this way of thinking.

When I first googled “How to hack WiFi”, I was instantly hooked by the amazing world of cybersecurity. I watched every hacker movie, all the cool YouTube videos, and documentaries about Anonymous, and I installed Kali Linux on e-v-e-r-y-t-h-i-n-g.


Later on, I also learned more about different kinds of attacks and how to defend against them. When I had my first IT internship, my boss kind of said something like the hammer and nail quote (she also stated that there are probably not many people paying someone to hack stuff in a legal way, oh boi).


Nevertheless, it was a valuable lesson and I started learning more about other aspects of security, and IT. But deep in my heart I always remained a hacker. I eventually ended up getting a student job at a big IT company, where I worked in some security roles before ending up as a full-time penetration tester.


In this company, I truly had to learn what it meant to not only employ a hammer for every task. Security requires the collaboration of many teams, skills, and people. And I cannot stress the collaboration aspect enough. So it is without doubt important, valuable, and extremely eye-opening to learn how others are approaching cybersecurity.


Incident Response, Cyber Threat Intelligence, Compliance, Audits, Executives, Security Researchers, and so many others all do different things but have one common goal: Securing your organization. Talking to them, learning from them, and helping each other is crucial to ensure your organization does not approach every security problem like a nail. In today’s world, it is the only way to succeed.


Why I still think you should do a lot of banging

Sorry, I kind of committed to this wordplay, but be sure, I am cringing too.

As I said, in the end deep down I am a hacker and I want to break stuff. And I suspect it is the same for others. They were hired for that one job so that they can bring their unique expertise to solve problems. So what do I mean, when I say “banging”?


Essentially you are a kind of a hammer because there are certain things you are good at. Sure, maybe you are a hammer with a little, extendable screwdriver (I am so sorry), and that is great.


And that is the point of this rant:

You have expert knowledge in a very specific area and you have a very specific set of skills. I think you should apply those skills to as many problems as possible.


From my experience that helps a lot.


For example: We have a Physical Security organization that employs many former military and law enforcement professionals and they have a very deep understanding of physical security but — like all of us — they are wired a certain way. Their focus is to make things safer by preventing, detecting, and investigating incidents. Of course, they know about all the other ways to approach security, but they think differently about some things. So for both of us, it is great to try to apply our tools and knowledge to each other’s problems. I can talk to them about how I would break their security measures and they can share how they would prevent me from getting in. Both of us will grow from this exchange. And eventually, it helps us to stop treating every problem like a nail. Only because I thought like a hammer about their problems and they thought like a big roll of duct tape about mine.


What to do after banging?

Don’t forget to verify and prioritize your ideas.


This is probably the least fun part, but your organization probably works with limited resources like time and money (if not, let me know, I would love to send my CV). So it might be a great idea when the Red Team (a team that legally attacks an organization, to test defenses) and Cyber Threat Intelligence (CTI) teams talk about how cool threat intelligence-based Red Teaming would be. But consider your organization’s security posture.


Imagine the Blue Team (the team defending an organization) is just working on implementing defenses against the most common TTPs (common techniques used by attackers) and users just had their very first phishing training. Of course, you can let two CTI analysts spend 2 weeks to find the most relevant APTs (Advanced Persistent Threats, large, government-funded attacker groups) and afterwards, the Red Team owns the entire network with a highly targeted spear phishing campaign followed by amazing evasion and lateral movement techniques.


Your Blue Team has not really learned new stuff, because they already knew these gaps existed and therefore no defenses really improved. So it would have been better to run a Purple Team to see how the newly implemented defenses are holding up. The CTI analysts could have worked on prioritizing the TTPs the Blue Team should work on mitigating in the next cycle. So yeah, great ideas always need at least decent timing to be really great ideas.


Conclusion

What I am NOT saying:

  • Everyone should only do their stuff and not care about others.
  • You should force your ideas and perspectives on others.
  • You know the only right way to do stuff.

What I am saying:

  • You should share your expertise with others.
  • You should try to apply your knowledge to a wide range of problems.
  • You should learn from others and help others grow.

What if I am wrong?

Well, I had fun writing this article. If you think it was really bad and stupid, I have only one thing to say: “Sucks to be you.” In all seriousness tho, this is only my perspective, informed by my own biases and experience. So by all means, if you think I got stuff wrong, let me know. I would love to hear other people’s take on this.


You can tell me how wrong I am in the comments or on Twitter (sorry X) @Secbyaccident (or follow me, if you like my stuff).

