Boiling the Ocean

The following is a rough summary of a presentation I recently gave at the July 2019 YEGSEC meetup.


As I'm using it here, personal knowledge management is the practice of organizing, processing, and recalling the information you encounter during your career. I'm not talking about a corporate wiki, but something more along the lines of an engineering journal, scraps of paper, or your strained recollection of that thing you did that time that fixed the problem you're looking at right now.

Information Security is the land of the corner case, the weird exception, the seldom-turned stone. Attackers thrive on obscurity, on edge cases, on that one unpatched system, that one obscure bug. Managing this firehose of information is key to your success in the industry.

Personal knowledge management is also... personal. I'm going to try and keep things general as much as possible, but this is largely my solution to a problem I've wrestled with for most of my career.

The Elephant Google in the Room

"Never memorize anything you can look up." — Albert Einstein

My smug quoting of the above probably delayed my start on this problem by a decade or so. In the age of Google where everything is online, do we really need to concern ourselves with cultivating a personal library of knowledge when there is almost always going to be something better to be found elsewhere?

Yes.

The key part of the above is "that you can look up". Google is an incredible resource, but it is a haystack. When it's the eleventh hour on a pentest and all that lies between you and that ego-validating shell required to pop the box and achieve your goal is your flawless recollection of man-in-the-middle attacks using Bettercap, frantically sifting through 20,700 Google search results for that amazing post you read seven months ago is suboptimal.

Some more reasons:

  1. Our brains are awful computers. Recall is less a read operation and more of a read/write, with the quality of information degrading each recall. We're pretty good with the stuff we use frequently, but not so much with maintaining an archive of weird one-offs. Computers are generally pretty good at storing and indexing data and they don't care how often you read it.
  2. InfoSec is the Land of the Edge Case. As mentioned before, you'll likely need to keep tabs on a large number of data points that you infrequently use.
  3. Fast-Moving Industries Require Fast-Moving Professionals. Attackers have a strong incentive to move quickly and innovate. Defenders and those that emulate attackers must do the same. If you're not moving quickly, you should take that as a warning sign and figure out why--you could be falling behind.
  4. Learning Works Differently Than You Might Expect. Just letting the information wash over you is insufficient. Learning is an active process that demands your attention. This is one of the strongest arguments for personal knowledge management.

DIKW

Stolen from Wikipedia, the DIKW pyramid is a hierarchical relationship between data, information, knowledge, and wisdom.

We'll use Nmap as an example to explore this from the bottom up.

Things That Didn't Work

I have tried solving this problem many different ways. A good chunk of my time was spent archiving. I'd clip a page to Evernote or OneNote and trust that when I needed it I'd be able to find it. This made my haystack smaller, but there was a lot of duplication and it was largely a passive process. I was ingesting, not digesting.

I briefly flirted with a very complicated solution to this problem, but abandoned it because it was very complicated. All of my storage was in proprietary formats with minimal options for useful export.

Some Hard-Earned Principles

After learning from 15 years of failing to solve this problem, I established the following principles for my personal knowledge management solution:

The Markdown Wiki

My solution to this probem is a markdown wiki. I store the files in Google Drive and edit them with VS Code. Dropbox and vim would work. OneDrive and Emacs would too. The tools aren't important, the principles are.

A wiki is a collection of indexes and articles. Articles contain the meat, indexes contain the structure. The beauty of wikis is that the two are independent. You can create many different indexes all linking to a subset of the same pages.

Here's some suggestions for bootstrapping your own wiki:

  1. If there's any chance you're going to do it again, document it.
  2. Don't worry about getting it "right" the first time. That's not the point.
  3. Don't worry about there being better resources elsewhere. There are. Also not the point.
  4. It's fine to have a page with a single link on it (see #2). If you find an amazing resource that you don't need right now, bookmark it using this technique and fill in the details when you have the occasion to work on it.
  5. Start with an index page that just has links to your other pages. Create sub-indexes as things get crowded.
  6. Avoid having the same information in more than one place. It creates friction when you're looking things up.

Here's what my IIS page looks like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
# IIS

## MS15-034

Vulnerability check: `curl -v SERVER_IP -H "Host: anything" -H "Range: bytes=0-18446744073709551615"`

## Tilde Enumeration

To enable: `fsutil.exe 8dot3name set 0`

To resolve this, disable 8dot3 naming: `fsutil.exe 8dot3name set 1`.

## References

- [Tilde Enumeration](https://github.com/WebBreacher/tilde_enum)

Here are some other pages that are good to have in your wiki:

Resources

<<
>>