I have noticed something about our field: the lack of vision we have. We get comfortable with our knowledge and are afraid of being wrong. We blind ourselves, which makes us susceptible to attacks.
Unfortunately, this feeling can eventually lead us to feeling like this when things go wrong:
I am not saying there is anything wrong with being confident in what one knows. I am talking about blinding ourselves. We have been seeing some old techniques and tactics come back into play again. We aren’t watching for these because they were eradicated years ago perhaps, or never were much of a threat. Instead, they are being used as one part of an attack. We also get caught up in not only attribution, but a blame game. It is “X” company’s fault. The legacy system needed only works on “Y” OS, so it is the OS company’s fault. I see this all the time. Watch Twitter enough and you will see it too. The thing is, we are all to blame. We have our hatred of X company because of reasons. We prefer Y because it seems more secure. We discount the simple answer immediately until we wind up taking the long way around and come back to it after eliminating the more complex and sexier-looking possibilities.
There are reasons for so many things. For instance, legacy and the country’s infrastructure. I saw a talk at CypherCon on the basics of ICS threat hunting. Lesley Carhart gave some basic information on the world of ICS so we could understand things better. There are reasons that upgrading systems is so slow in that world. Very good reasons, such as making sure your power is not interrupted. All the majority of us see is “legacy bad, change it now,” instead of learning why legacy is needed.
The world of the theoretical is lovely, but it is not always achievable. We have to learn that. We have to take off the blinders and understand that we may be wrong, that the old ways may come back in a vicious circle. We need to realize that we do not know so much, and that it is okay not to know. What is not okay is to have tunnel vision.