It is the threat that is advanced, not the technique. That was my whole point. If corp users with all their security teams are still victims, how much more are individuals? Or does the world outside of tech bubbles not exist?
Also, macros and docm are only a small vector. Most non-technical people, for example, would open, say, a jar file with a PDF icon that came from an email from a compromised account of someone they know, and trust me, I've seen plenty of non-corp users without the typical mandatory phishing training fall victim, lose large sums of money, etc.
I have no clue why you don't think spear phishing is an advanced technique. Just recently I stumbled upon a Word exploit being used and it was not "spear" phishing, just normal stuff. Does it have to be sophisticated and impressive to be advanced? Often, the most damaging exploits are the ones with minimal attack complexity (a CVE vector that adversely affects the score, mind you). Regardless of your opinion, the offensive way is to use the easiest and quietest method.
As to my comment, the author stating the material teaches people "core cybersecurity concepts" is what I disagreed with. Memory-safe languages and exploit mitigation solutions make these software exploit techniques very difficult to pull off. Plus, any decent EDR solution easily detects and blocks exploitation of browsers, productivity apps and other well-known initial access vectors, so you're basically left with mostly Linux that is not hardened, and even then only on servers and network devices, since most people don't run Linux desktop (and to my point, the post does not even touch Windows).
Essentially, my point is that any infosec education that is not informed of current practical threats and attacks, while very fun to go through, may not provide as much value as you think.
Even in a tech company/startup where everyone uses Linux and Mac, it is much more important to have good security architecture and hygiene, do authentication properly (you're exploit-proof but someone exposed their SSH private key and got you pwned), knowing risk analysis, threat modeling, incident response, etc... is much more "core" while exploitation of software and even spearphishing are "edge" concepts.
>Does it have to be sophisticated and impressive to be advanced?
Yes. I think this is where our opinions differ. It is always a joke to be reading a blog post about an advanced attacker and the exploit is, as you say, the user clicked a jar with a pdf icon.
I agree completely about things that add value to corporations. This is why I am not working corporate security at a startup. I do not care so much about implementing U2F policies or server authentication methods, even though these are much more impactful for the business. I work for a small company, work on less impactful things (in regards to corporate security), and enjoy myself considerably more. If I could stomach the other stuff I would make more money, but I prefer to enjoy my work and hack on obscure things.
Your namesake with EternalBlue is quite advanced (even though it was n-day). That stuff is interesting. Reverse engineering that stuff is interesting. I think these things prepare people to do that sort of work.
That's fine, having a specialized interest is ok, just don't say that is "core concepts of cybersecurity".
You like impressive exploits and vulnerability research, which is good; that upstream work is useful in downstream "core" security, whether it be for corporations (a 2-person startup is one) or consumers.