Red Teams: When you can’t find the bad guys, make some up

You’ve spent money on security products that escalate nothing. You have a 24/7 SOC that hardly pays attention to its tools or knows how to use them. You have intelligence feeds but no idea what consumes them. Logs are inaccessible, slow to query, or non-existent. Defenders have stopped hunting and lost a sense of purpose.

That means it’s time for a Red Team to come in and fuck shit up.

Observability vs. Inspectability

I ran across this post, “Putting observability first”, on Hacker News.

It’s an interesting discussion, but unfortunately the term observability is overloaded. It is used in control theory as “a measure for how well internal states of a system can be inferred by knowledge of its external outputs” [1].

For several years I’ve been using the term “inspectability” to refer to the kind of observation of code execution to which the author refers. Inspectability is an important concept, especially for computer security, and is not often discussed.

It’s interesting to note that malware written in a language like OCaml would often be harder to reverse engineer than malware written in C, precisely because of the points the author makes.


Introducing the WeaselBoard!

I’ve also put up a link to that whitepaper and a slide deck at

First post!

Welcome to Moses Schwartz Dot Com!

DISCLAIMER: The views expressed on this website are my own and do not reflect the opinions of my employer.