Skip to main content

Cooking and Hacking Parallels

Hey folks!

Been a while since my last post and I've been looking for something a little different to write and feel inspired enough about.

I'd like to talk about my obsession with food, practicing the culinary arts and the relationship it has to my work as a infosec practitioner.

I've been a foodie as long as I can remember. Growing up, my mother was very encouraging about exposing me to as many different cuisines and foods from around the globe as possible. I'll admit that this made it near impossible to swap lunches in school for all the things kids typically want but it was a blessing in the long run.

Being a foodie and a home cook is more than just about enjoying a dish. It's about appreciating the effort that went into it, what the dish means, why was it prepared this way, what did I like or dislike, what emotions does it invoke, so on and so forth. I think at least a few of those points we can all relate to. A certain dish can bring up memories, cheer you up, create a shared experience with loved ones and wash all worries away at least for the moment while you dig in to something delicious.

While I have been cooking all my life, it was half-assed and just to have something to eat. Only recently have I rediscovered my love and passion for creating dishes and enjoying the literal fruits of my labor. Not to mention being able to share these dishes with friends and loved ones and watch their faces light up.

I'm going to try and explain why I feel that digging into to cooking from an academic as well as mental and creative process is helping me with my actual day to day work. In fact, I could argue some processes in infosec helps my cooking, too.

Tackling New Challenges

The first challenge I took on in my culinary journey of late has been training. Studying french techniques, taking classes and applying lessons learned as often as I can. It's very easy to look at something and feel discouraged to attempt due to "not being good enough" or "over my head" or any of the self de-motivating thoughts and issues that can pop in our heads. If you can push past those thoughts and say "fuck it...let's give this a shot" right then and there you've already accomplished something and that is a special feeling if embraced. Just the act of giving something a try, succeed or fail, is beautiful. 

Infosec is full of challenges and the approach to tackling them may be different from person to person. For me it feels very similar to tackling a new dish:
  • Do I understand the purpose of this dish
    • Is it sweet, savoury, fried, shareable
  • Do I even have the physical ability to tackle it
    • Do I need a cast-iron pan, smoker
  • Can I work in the time this will take
    • Planning a head, sit in the oven for a while, have to stir the pot constantly
  • Have I found all the correct ingredients
    • Do I need to substitute, adapt
  • Do I know what the finished product will look like
    • Firm cook time, does it just "look" ready
When I think of the above I hear (in a hacking perspective) research my target, assure my own resources and capabilities, prep my tools, execute and understand my endgame.

Mise en Place

Mise en Place is a French term you'll hear pretty early on in culinary training. It basically means "everything in its place". This is a very fancy way of saying prepare in advance.

When tackling a new dish or any old dish for that matter, prep is everything. You don't want to start dicing and peeling the second it's supposed to go in the pot. 

When I setup my mise en place for a dish in my kitchen, I try to create a visual and logical workflow. So for example, let's take the setup for cooking a steak. You may say "Well, take out steak, put in pan, cook then eat" and in a sense you're right. For me however it would look something like this:
  • Counter right of stove - prep station
  • Stove - where we'll cook
  • Counter left of stove - plating station and serving
Within those components, a further breakdown of preparation:
  • Prep station (idea is everything is ready, in an order of sorts and within arms reach)
    • Steak out and room temperature, seasoned and ready for the pan
    • Mise en place bowls with sprig of rosemary, crushed garlic, slices of butter
    • Pinch bowl for Maldon salt
    • Squeeze bottle for my cooking oil
    • Fork/spatula/tongs for flipping the steak
    • Basting spoon
  • Stove (even this needs prep!)
    • All the pots and pans needed, on the stove in their position, heat on/off
  • Plating station
    • A resting rack/tray for the steak to rest once out of the pan
    • Plates at the ready
    • A mental image of how I will plate the food
Very long story short, preparing will be invaluable to how your dish/pentest will come out. 

Mastering Foundations

Let me be very clear, I am FAR away from mastering anything but I returned to the very basics. Foundations are so important because with a firm grasp over them your ability to explore creativity, improvise and adapt is enhanced through the roof. You can go grocery shopping and just look at simple ingredients and say "ahh that will burn X fast, that doesn't work with this, these have a lot of water inside" etc.

I spent a lot of time researching and practicing salt and oil. Yep you read that right. Understanding cooking salts vs. finishing salts, cooking oils vs. finishing oils. It changed EVERYTHING!

Infosec is extremely similar in my opinion. It's so easy to just want to get into security but skip the foundations. I for one am not one of those people that says you have to know how to program or be a 10yr network admin. However, those types of "foundations" for lack of better terms, probably can "elevate" your current abilities. There's nothing wrong with going back to basics and brushing up.

Applying Finesse

Similar to having a solid foundation, finesse shows up in cooking and I would argue in security. In a cooking context, whisking is something I learned a lot about that I never really considered before. The size and "space" in the whisk affects how much air gets whipped in, over whipping something, the pattern (often in culinary training they'll teach a figure 8 pattern in the bowl). If I'm on a pentest or something similar, maybe controlling how aggressive a scan is, how many systems I have beaconing home at once, how many "moves" per day I'm executing on target. 

There is a time and place for being delicate or gentle with your approach to a technique. This is also no indication of a lack in difficulty, in fact usually much harder and can take considerable practice to get right.

Practice, Practice, Practice

Speaking of practice, I think this one we can all grasp and agree it applies to nearly everything you could want to learn about anything.

In cooking, a great example of this is knife skills. Sometimes you have people who are naturally gifted at certain things but for the rest of us we have to practice. I love making dishes that require me to dice, mince, quarter or chiffonade because it means I get to practice without being wasteful. At first I just care about the technique and not speed. Getting consistent and even cuts are what's important and ninja speed, Iron Chef cutting speeds I can worry about later.

In security, one part of practice that I admit can be hard for people, especially student or recent into the industry, is to get exposure to things like a large scale and complex AD environment. Some amazing folks in the industry build CTFs and events and online labs, some free and not much cost to help people get that exposure and practice.

I think a major enemy of learning is not applying lessons learned. When available and safe to do so, fail. In cooking, I've learned so much more about how NOT to do something than how to do it. Personally, the failures and dont's offer me far more than the do's.

Think I'm going to wrap this up here but I hope something in this post was of value to you. 

Happy hacking and cooking to you my friends :)

Popular posts from this blog

Leveraging WEF and the HELK

In an effort to have some more content on this blog (wow life gets busy sometimes!) I thought I'd write up this post on how to configure Windows Event Forwarding and the awesome project, HELK.

On a bit of a side-note, this post coincides with an event we run up here in Toronto, Canada called the Canadian Collegiate Cyber Exercise (C3X). This year we are running the first real iteration (although we executed a pilot version last year which you can see here: and part of the design will be providing the students with HELK.
OK back on track. I'll admit that when I first learned about Windows Event Forwarding it seemed a little daunting. A few of the posts I first read seemed confusing and a lot of moving parts. To the newcomer, Windows Event Logs can also be fairly intimidating which is why projects such as HELK are so fantastic to be openly and freely distributed.
So why leverage WEF? Well, at a very basic level (and this whole post wi…

We Break So We Can Build Better

Hello again friends!

Today I'm writing this post to shed a little preview light on how our team that builds C3X (Canadian Collegiate Cyber Exercise) will be approaching the design for the 2019 competition.

We are doing a lot of different and fun things this year which means all of us are very excited and at the same time have a beast of a project ahead of us.

I'm also going to discuss areas where you can help out and be a part of this wonderful event.

C3X Overview Entering its third year, the C3X is a competition that puts student teams from various Canadian colleges and universities who are enrolled in cyber security programs a chance to defend a controlled environment against a team of offensive security professionals. That's the short and sweet version but there is so much more.
Ben Wells (@1StealthMove) and I created this in 2016 and saw the first event happen in 2017. Why did we do this? Canada isn't exactly overflowing with combative challenges. Sure we have plen…

C3X2018 Genesis Review

What a year this has been. C3X2018 "Genesis" just wrapped up on October 24th and I couldn't be happier (and happy that it's over because I forgot what real sleep feels like).
For those of you who have no idea what I'm talking about, the Canadian Collegiate Cyber Exercise or C3X is an event that Ben Wells (@1StealthMove) and myself started working on in 2016, and brought  into reality in 2017 with a beta run of the event. You can watch the trailer from last year here:

So why did we create  C3X at all? Sadly, Canada doesn't have too many red vs. blue, cyber war game type events (at least to my knowledge) and as far as RedBlack is concerned, that's a shame. We have a lot of CTF's and the like, but there's no shortage of those already. We've also come to learn that many students do not get the required and needed exposure of  learning about defending Windows environments, ActiveDirectory and being able to put what they've learned in school to th…