Update (Aug 11, 2020): This post has been the #1 post on /r/netsec for the last 15 hours or so. Follow the discussion in /r/netsec here and in /r/cybersecurity here.

A couple weeks ago, I read Martin Casado’s blog post about a16z funding a new startup called Material Security.

Reading his post led me to reflect on how direly personal digital security needs improvement.

Popular vs real mental model

You see, most people have a mental model of their digital security like this:

  • I have many separate digital accounts
  • Each account has a unique, long password and maybe 2FA

But here’s reality:

  • I have many separate digital…

You, a security consultant, wake up in medieval Europe.

You’ve been hired by a feudal lord, who has inherited a castle, some land, and a couple serfs, and is looking to secure his property. Luckily, right now, you just need to come up with a list of defensive security controls for him to put in place.

Here’s how I’d approach the problem.

Identify the threats

Regardless of whether you work in information security, national security, physical security, or another branch of security, you’re dealing with at least one active adversary.

Security is the only field — by definition — where this is true.

You need to identify your threats so you know what you need to protect against — but also so you know what you don’t need to protect against. …

In March of this year, I saw on Hacker News that Netflix had open sourced a tool called riskquant. I’d been toying with the idea of quantifying cybersecurity for a while myself.

A thought experiment

I started with the belief that if you could assign a number, from 0 to 100, to describe how secure an organization was, where 0 is “certain to be compromised” and 100 is “impossible to be compromised”, you’d get these benefits:

  • CISOs would have to worry less about getting hacked, provided their number was high enough
  • CISOs could easily get budget for security initiatives because they could demonstrate that these initiatives would increase this magic…

The goal of risk quantification is to express cybersecurity risks using numbers, instead of qualitative labels.

By doing this, the hope is you can more easily prioritize between different security initiatives, and track changes in your risk posture at a more granular level.

How is risk calculated?

Say you’d like to quantify the risks for a company.

I believe that you’ll want to identify the assets you care about, enumerate the risks to these assets, and then for each risk, assess its frequency and magnitude. See this talk to learn more.

(None of these four steps are trivial, and this post is dedicated only to assessing frequency. If you’d like to learn about the other three steps, you can email me and I’ll try writing up a post.) …
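To make the frequency-times-magnitude model concrete, here is an added example (mine, not the post's and not Netflix's riskquant) that takes a frequency estimate (expected loss events per year, modelled as a Poisson rate) and a magnitude estimate (a 90% confidence interval on loss per event, modelled as a lognormal distribution), computes a closed-form expected annual loss, and runs a small Monte Carlo simulation to get a loss exceedance probability. The asset names, rates and dollar ranges in `PORTFOLIO` are constructed for illustration.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass

Z_90 = 1.645  # z-score bounding a two-sided 90% confidence interval


@dataclass
class Risk:
    """One risk to one asset: a frequency estimate plus a magnitude estimate."""
    name: str
    events_per_year: float  # frequency: expected loss events per year (Poisson rate)
    loss_low: float         # magnitude: 90% CI lower bound on loss per event
    loss_high: float        # magnitude: 90% CI upper bound on loss per event


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Turn a 90% confidence interval [low, high] into lognormal (mu, sigma)."""
    if not 0 < low <= high:
        raise ValueError("need 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def expected_annual_loss(risk: Risk) -> float:
    """Closed form: events per year times the mean loss per event."""
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    mean_loss_per_event = math.exp(mu + sigma ** 2 / 2)
    return risk.events_per_year * mean_loss_per_event


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; fine for the small per-year rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(risk: Risk, years: int = 20000, seed: int = 1) -> list[float]:
    """Monte Carlo: for each simulated year, sample how many events occur,
    then sample a loss for each event and sum them."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    totals = []
    for _ in range(years):
        n = _poisson(rng, risk.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def percentile(values: list[float], p: float) -> float:
    s = sorted(values)
    idx = min(len(s) - 1, int(round(p / 100 * (len(s) - 1))))
    return s[idx]


def prob_loss_exceeds(values: list[float], threshold: float) -> float:
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for v in values if v > threshold) / len(values)


def rank_risks(risks: list[Risk]) -> list[tuple[str, float]]:
    """Prioritise by expected annual loss, highest first."""
    return sorted(((r.name, expected_annual_loss(r)) for r in risks),
                  key=lambda t: t[1], reverse=True)


# Constructed example estimates (assumed values, not from the post).
PORTFOLIO = [
    Risk("customer DB breach via web app", 0.1, 500_000, 20_000_000),
    Risk("laptop with unencrypted data lost", 2.0, 5_000, 100_000),
    Risk("ransomware on file server", 0.3, 50_000, 2_000_000),
]

if __name__ == "__main__":
    for name, eal in rank_risks(PORTFOLIO):
        print(f"{name:40s} expected annual loss ${eal:,.0f}")
    sims = simulate_annual_losses(PORTFOLIO[0])
    print("P(loss > $5M in a year):", prob_loss_exceeds(sims, 5_000_000))
    print("95th percentile annual loss:", round(percentile(sims, 95)))
```

The closed-form number is enough to rank initiatives; the simulation is what you need to answer "how likely is a year that costs more than X", which the mean alone hides for heavy-tailed losses. Both outputs are only as good as the frequency and magnitude estimates fed in, which is why the post above spends its effort on frequency.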

I have a lot more blog posts like this I plan to write. If you like this, follow me on Twitter to make sure you don’t miss any.

Think about the most complex frontends you’ve used. Frontends that made you wonder — “how did they create this”?

Here are some of mine.


Using honeynets to learn your attackers’ motives, skill level, TTPs, and determination

Many CISOs have only a vague understanding of their organization’s threat landscape, pieced together from reports like the Verizon DBIR, previous security incidents, and threat intel.

To be fair, not understanding your attackers in detail is probably fine. Your defenses should be based on the sophistication level of the adversaries you’re defending against; which government, for example, is attacking you shouldn’t matter.

Still, I think most security teams would find detailed profiles of their organization’s attackers valuable. By profiles, I mean their attackers’:

  • Motives
  • Skill level
  • Determination level (targeted or opportunistic?)
  • TTPs
  • Identity

Knowing “the People’s Liberation Army is targeting our customer database” would help your security…

Capabilities organizations should have to respond to security incidents in corporate networks

Most security tools help you either prevent, detect, or respond to attacks. Response, in my opinion, consists of containment, investigation, and remediation.

In this post, I’ll list some useful capabilities for containing, investigating, and remediating attacks.


  • Quarantine an endpoint. This can be done by moving the endpoint to an isolated VLAN (or, where you have an EDR agent, by using its host-isolation feature). It can help stop malware from spreading or an attacker from moving laterally.
  • Delete an email from users’ inboxes. The goal is to minimize the number of users who fall for a phishing email.
  • Block endpoints from contacting an IP/domain/URL. Blocking an IP/domain can help block C&C traffic. (Malware authors bypass this protection using domain generation algorithms, so a static blocklist only ever catches the domains you have already seen.) …
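The domain-generation-algorithm caveat is worth seeing in data. Below is an added example (mine, not code from the post or from any product it mentions) that runs a static blocklist and a simple DGA heuristic side by side over a constructed DNS query log. The log lines, host names, domains and the `BLOCKLIST` contents are all made up for illustration; the heuristic (character entropy, vowel ratio, digits and length of the registered label) is a common lightweight triage rule, not a substitute for a trained classifier.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log: "timestamp host record-type qname".
# Not from the original post.
SAMPLE_DNS_LOG = """\
2020-08-11T10:00:01Z host-17 A www.example.com
2020-08-11T10:00:02Z host-17 A mail.google.com
2020-08-11T10:00:03Z host-42 A xk3j9qwzrtplmv.net
2020-08-11T10:00:04Z host-42 A q8zv1hdk27wpfsx.com
2020-08-11T10:00:05Z host-42 A bq7ghfzklm3xw0.org
2020-08-11T10:00:06Z host-09 A cdn.cloudflare.net
"""

# Hypothetical blocklist: only the one C&C domain threat intel has already seen.
BLOCKLIST = {"xk3j9qwzrtplmv.net"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text: str) -> list:
    """Return (host, qname) pairs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _ts, host, _rtype, qname = m.groups()
            records.append((host, qname.lower().rstrip(".")))
    return records


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(domain: str) -> str:
    # Label directly left of the TLD. A real deployment should consult the
    # public suffix list so that e.g. "foo.co.uk" yields "foo", not "co".
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain: str) -> int:
    """Count how many DGA-like traits the registered label shows (0-4)."""
    label = registered_label(domain)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    score = 0
    score += int(shannon_entropy(label) >= 3.5)      # near-uniform characters
    score += int(vowel_ratio < 0.25)                  # unpronounceable
    score += int(any(ch.isdigit() for ch in label))   # digits mixed in
    score += int(len(label) >= 12)                    # long random-looking label
    return score


def is_dga_like(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold


def triage(log_text: str, blocklist: set) -> dict:
    """Per host: which queried domains hit the blocklist, and which merely
    look generated (and so would slip past the blocklist)."""
    result = {}
    for host, qname in parse_dns_log(log_text):
        entry = result.setdefault(host, {"blocked": [], "dga_like": []})
        if qname in blocklist:
            entry["blocked"].append(qname)
        if is_dga_like(qname):
            entry["dga_like"].append(qname)
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_DNS_LOG, BLOCKLIST).items():
        print(host, verdict)
```

In the sample data, host-42 queries three generated-looking domains but only one of them is on the blocklist; the heuristic flags all three, which is the signal you want for containment. Expect false positives from legitimately random-looking labels (CDN and cloud hostnames, hashed tracking domains), so treat a hit as a reason to look at the endpoint, not as an automatic block.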


Veeral Patel

software engineer at OpsRamp, ex-incident response consultant at Mandiant
