I wish all security pros practiced a scenario-first mindset. Explanations based on risk scenarios before jumping to best practices, gaps, controls, compliance etc. I wrote an essay to coach on this: "Writing a risk scenario"

https://medium.com/starting-up-security/writing-a-risk-scenario-bdbe6e20bfcb

I wrote about that moment every security team faces when someone asks if they can work from China for a while, and then everyone freaks out.

https://magoo.medium.com/the-working-from-china-problem-18045ca8060a

I wrote about how detection engineering should be prioritized in a security program. Feedback and discussion welcome!

https://medium.com/starting-up-security/prioritizing-detection-engineering-b60b46d55051

Vulnerability Management: You should know about EPSS

https://medium.com/starting-up-security/vulnerability-management-you-should-know-about-epss-99cd27a7d591

Writing about risk because I haven't written in a while.

Here's "Beyond Controls: The Power of Risk Scenarios"

It's some stuff about boosting "scenario" usage in everyday security work.

https://magoo.medium.com/beyond-controls-the-power-of-risk-scenarios-218b9acc93f8

Wrote about risk communication: Talking about risk with thresholds.

Feedback welcome, thanks!

https://magoo.medium.com/talking-about-risk-with-thresholds-61011be2898f

So in late November, a panel of 26 of us ended up forecasting a 76% chance that Twitter would have an outage by Jan 30, which happened. Wrote about it here: https://magoo.github.io/risk-measurement/blog/forecasting-a-twitter-outage/

Condition #1 easily passed - several newspapers of record called it a widespread outage.
Condition #2 passes, though, DownDetector being the "measurement" that the newspapers cited just barely passes the rules as written.
Condition #3 was easy - could not read or write tweets.

The rules were written to capture a real gnarly outage, and this one sorta squeaked by right over the bar.

In the future, we might be able to use panels like this for more objective measurements of downtime: https://deadbird.singlepane.io/d/hI9vrUO4k/home?orgId=4&refresh=30s

Thanks to all the 🍕 panelists who participated!

CircleCI breach retrospective w/ IOCs and TTPs

Quick TLDR:

1. Malware on eng laptop
2. Stole active SSO session for a remote session
4. Generated production access tokens
5. Exfil'd customer ENVs, tokens, keys.
6. CircleCI encryption keys exfil'd too.

https://circleci.com/blog/jan-4-2023-incident-report/

Circle CI compromised.

Yes, it’s exactly like the tabletop scenario. Rotate secrets immediately.

https://circleci.com/blog/january-4-2023-security-alert/?utm_campaign=Incident+Storytelling&utm_content=security-alert%2C4jan2023&utm_dest=blog&utm_medium=soc&utm_source=twitter