Boiling the Ocean
The following is a rough summary of a presentation I recently gave at the July 2019 YEGSEC meetup.
As I’m using it here, personal knowledge management is the practice of organizing, processing, and recalling the information you encounter during your career. I’m not talking about a corporate wiki, but something more along the lines of an engineering journal, scraps of paper, or your strained recollection of that thing you did that time that fixed the problem you’re looking at right now.
Information Security is the land of the corner case, the weird exception, the seldom-turned stone. Attackers thrive on obscurity, on edge cases, on that one unpatched system, that one obscure bug. Managing this firehose of information is key to your success in the industry.
Personal knowledge management is also… personal. I’m going to try and keep things general as much as possible, but this is largely my solution to a problem I’ve wrestled with for most of my career.
Elephant Google in the Room
“Never memorize anything you can look up.” - Albert Einstein
My smug quoting of the above probably delayed my start on this problem by a decade or so. In the age of Google where everything is online, do we really need to concern ourselves with cultivating a personal library of knowledge when there is almost always going to be something better to be found elsewhere?
The key part of the above is “that you can look up”. Google is an incredible resource, but it is a haystack. When it’s the eleventh hour on a pentest and all that lies between you and that ego-validating shell required to pop the box and achieve your goal is your flawless recollection of man-in-the-middle attacks using Bettercap, frantically sifting through 20,700 Google search results for that amazing post you read seven months ago is suboptimal.
Some more reasons:
- Our brains are awful computers. Recall is less a read operation and more of a read/write, with the quality of the information degrading with each recall. We’re pretty good with the stuff we use frequently, but not so much with maintaining an archive of weird one-offs. Computers are generally pretty good at storing and indexing data, and they don’t care how often you read it.
- InfoSec is the Land of the Edge Case. As mentioned before, you’ll likely need to keep tabs on a large number of data points that you infrequently use.
- Fast-Moving Industries Require Fast-Moving Professionals. Attackers have a strong incentive to move quickly and innovate. Defenders and those that emulate attackers must do the same. If you’re not moving quickly, you should take that as a warning sign and figure out why: you could be falling behind.
- Learning Works Differently Than You Might Expect. Just letting the information wash over you is insufficient. Learning is an active process that demands your attention. This is one of the strongest arguments for personal knowledge management.
The DIKW pyramid (stolen from Wikipedia) describes a hierarchical relationship between data, information, knowledge, and wisdom.
We’ll use Nmap as an example to explore this from the bottom up.
- Data is raw information without context. Think Nmap’s man page. It tells you a lot about the various sorts of things Nmap is capable of, but not much about why you might want to use any of them.
- Information is data that is useful to us. Think of a blog post telling you which of the things might apply to your use case.
- Knowledge is what happens when you take that information, digest it, apply it, refine it, record it, and repeat. You’ve used Nmap for 20 assessments and have the notes to prove it.
- Wisdom is what happens when you do the above enough to achieve mastery. Nmap is now an appendage.
Things That Didn’t Work
I have tried solving this problem many different ways. A good chunk of my time was spent archiving. I’d clip a page to Evernote or OneNote and trust that when I needed it I’d be able to find it. This made my haystack smaller, but there was a lot of duplication and it was largely a passive process. I was ingesting, not digesting.
I briefly flirted with a very complicated solution to this problem, but abandoned it because it was very complicated. All of my storage was in proprietary formats with minimal options for useful export.
Some Hard-Earned Principles
After learning from 15 years of failing to solve this problem, I established the following principles for my personal knowledge management solution:
- Clipping is Useless. It leads to duplication, is often tied to proprietary storage formats, and is too passive.
- Closed Platforms and Proprietary Formats Are Dangerous. This process, if done correctly, is going to take a lot of work. You don’t want that work tied to a specific platform or file format that makes migration/backup/search anything less than insanely easy.
- Plain Text is Great. Plain text isn’t going anywhere. It’s universal. You can email it someone and they can immediately work with it. It’s greppable.
- Structured Plain Text is Glorious. When you can bake in some structure, you can do things like easily transpose your knowledge to other formats. Markdown is king here. See Pandoc for an example of this flexibility.
- Inter-Document Linking is the 🐝’s Knees. Tim Berners-Lee was on to something. Linking from one document to another, related one, makes navigating knowledge so much easier.
- Ingest/Digest/Regurgitate. This is an active process. Live in your notes. Work out of them and into them. New information should improve them.
- If It’s Almost Effortless, You’re Doing it Wrong. This is not the easy solution. It’s the effective one.
The Markdown Wiki
My solution to this problem is a markdown wiki. I store the files in Google Drive and edit them with VS Code. Dropbox and vim would work. OneDrive and Emacs would too. The tools aren’t important, the principles are.
A wiki is a collection of indexes and articles. Articles contain the meat, indexes contain the structure. The beauty of wikis is that the two are independent. You can create many different indexes all linking to a subset of the same pages.
Here are some suggestions for bootstrapping your own wiki:
- If there’s any chance you’re going to do it again, document it.
- Don’t worry about getting it “right” the first time. That’s not the point.
- Don’t worry about there being better resources elsewhere. There are. Also not the point.
- It’s fine to have a page with a single link on it (see #2). If you find an amazing resource that you don’t need right now, bookmark it using this technique and fill in the details when you have the occasion to work on it.
- Start with an index page that just has links to your other pages. Create sub-indexes as things get crowded.
- Avoid having the same information in more than one place. It creates friction when you’re looking things up.
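Because the structure lives in the links, the two failure modes that creep into a wiki like this are links to pages you never got around to writing and pages that no index links to (which is how duplication starts: you forget the page exists and write it again). The script below is an added example, not from the original post, and it assumes the wiki is a flat directory of `.md` files that link to each other with relative Markdown links such as `[IIS](IIS.md)` and that `index.md` is the root index. It reports broken links and unreachable pages, and can regenerate a flat index from each page’s first heading. The sample wiki at the bottom is constructed for illustration.

```python
"""Link-graph checks for a flat directory of Markdown wiki pages.

Added example (not the original post's code). Assumptions: every page is a
.md file in one directory, inter-page links are relative Markdown links like
[IIS](IIS.md) or [IIS](IIS.md#ms15-034), and index.md is the root index.
Pages are handled as a {filename: text} dict so the logic runs unchanged on
the constructed SAMPLE_WIKI below or on a real directory via load_wiki().
"""
import re
import sys
from pathlib import Path

# [label](Target.md) with an optional #fragment; external URLs are ignored.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s#]+\.md)(?:#[^)]*)?\)")


def load_wiki(directory):
    """Read every .md file in `directory` into {filename: text}."""
    return {p.name: p.read_text(encoding="utf-8") for p in Path(directory).glob("*.md")}


def outgoing_links(text):
    """Return the .md targets linked from one page, in order, without duplicates."""
    seen = []
    for _label, target in LINK_RE.findall(text):
        if target not in seen:
            seen.append(target)
    return seen


def link_graph(pages):
    return {name: outgoing_links(text) for name, text in pages.items()}


def broken_links(pages):
    """(source, target) pairs whose target page does not exist."""
    graph = link_graph(pages)
    return sorted((src, tgt) for src, tgts in graph.items()
                  for tgt in tgts if tgt not in pages)


def orphans(pages, root="index.md"):
    """Pages that cannot be reached from the root index by following links."""
    graph = link_graph(pages)
    reachable, stack = set(), [root]
    while stack:                      # depth-first walk; cycles are fine
        page = stack.pop()
        if page in reachable or page not in pages:
            continue
        reachable.add(page)
        stack.extend(graph[page])
    return sorted(set(pages) - reachable)


def render_index(pages, title="Index"):
    """Build a flat index page, using each page's first H1 as the link text."""
    lines = [f"# {title}", ""]
    for name in sorted(pages):
        if name == "index.md":
            continue
        m = re.search(r"^#\s+(.+)$", pages[name], re.MULTILINE)
        label = m.group(1).strip() if m else name[:-3]
        lines.append(f"- [{label}]({name})")
    return "\n".join(lines) + "\n"


# Constructed sample: Windows.md links to a page that was never written
# (Exchange.md) and Bettercap.md is not linked from anywhere.
SAMPLE_WIKI = {
    "index.md": "# Index\n\n- [Windows](Windows.md)\n- [Nmap](Nmap.md)\n",
    "Windows.md": "# Windows\n\n## Web\n\n- [IIS](IIS.md)\n- [Exchange](Exchange.md)\n",
    "IIS.md": "# IIS\n\n## MS15-034\n\nSee also [Windows](Windows.md).\n",
    "Nmap.md": "# Nmap\n\nNotes from 20 assessments.\n",
    "Bettercap.md": "# Bettercap\n\nMITM notes.\n",
}


if __name__ == "__main__":
    wiki = load_wiki(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WIKI
    for src, tgt in broken_links(wiki):
        print(f"broken: {src} -> {tgt}")
    for name in orphans(wiki):
        print(f"orphan: {name}")
```

Run it as `python wiki_check.py ~/wiki`; with no argument it checks the constructed sample, where it reports the missing `Exchange.md` and the orphaned `Bettercap.md`. An orphan is not necessarily a mistake (a single-link bookmark page from suggestion #4 is fine), but it is exactly the page you will forget about and rewrite, so it belongs in an index.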
Here’s what my IIS page looks like:

```markdown
# IIS

## MS15-034

Vulnerability check (an unpatched host answers the oversized Range with 416 Requested Range Not Satisfiable; a patched one answers 400):

`curl -v SERVER_IP -H "Host: anything" -H "Range: bytes=0-18446744073709551615"`

## Tilde Enumeration

To enable: `fsutil.exe 8dot3name set 0`

To resolve this, disable 8dot3 naming: `fsutil.exe 8dot3name set 1`.

## References

- [Tilde Enumeration](https://github.com/WebBreacher/tilde_enum)
```
Here are some other pages that are good to have in your wiki:
- TODO.md: Get your ideas out of your head and onto paper. This keeps your working memory free to actually work on problems.
- Learning_Roadmap.md: What are you going to be when you grow up? Plan your goals, prioritize them, and revisit as needed.
- $COMPANY.md: When you’re leaving a job, write down why. Also write down what you hope to get from the new one. Review this as needed to detect blind spots in your reasoning.
- Winning.md: Document your wins. The things you were proud of at the time that you’ll forget two years from now. This is helpful when you’re reflecting on your job, or updating your resume.
- Kind_Words.md: As corny as it will feel, write down the compliments you receive. When shit is shitty, this will help you cheer up and give you some perspective. It will also help you identify common threads (i.e. your strengths).