Friday, November 24, 2006

Digital Security Lessons from Ice Hockey

I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates vendors to fix their software. This post isn't about the disclosure debate, however. Instead, I'm wondering what this means for those of us who don't do offensive work, either due to lack of skills or opportunity/responsibility.

It occurred to me today that we are witnessing the sort of change that happened to the National Hockey League in the late 1960s and early 1970s. During that time the player pictured at left, Bobby Orr, changed the game of ice hockey forever. For those of you unfamiliar with hockey, teams field six players: one goalie, who guards the net; two defensemen, who try to stop opposing players; and three forwards (one center and two wings), who try to score goals.

Prior to Orr, defensemen almost never took offensive roles. (Forwards didn't pay much attention to defense, either. Only in 1978 did the Selke Trophy, for best defensive forward, start being awarded.) When Orr began playing, he wasn't satisfied to control the puck in his defensive end and then hand it off to one of his forwards. He jumped into the play, sometimes carrying the puck end-to-end, finishing by scoring himself. Twice in his ten-year career he even led the league in points, outscoring every forward. He didn't neglect his defensive duties, either. He was named the league's best defenseman eight years straight.

What does this mean for digital security? It's easy to identify the forwards in our game. They discover and write exploits. Some of them can play defense, while others cannot. Many of us are traditional defensemen. We know how to impede the opposing team, and we know enough offense to understand how the enemy forwards operate. A few of us are goalies. Aside from clearing the zone or maybe making a solid pass to a forward, goalies have near-zero ability to score goals. (Yes, I remember Ron Hextall.) That's the nature of their position -- they can't skate to the other end of the ice!

Anyone who plays a sport will probably recognize the term "well-rounded." Being well-rounded means knowledge and capability in offense and defense. I think it applies very well to ice hockey and basketball, less so to soccer, somewhat well to baseball, and not at all to football. I see well-roundedness as the proper trait for the general security practitioner, i.e., the sort of person who expects to work in a variety of roles during a career. This is the ice hockey model.

I do not recommend following what might be called the [American] football model. Football players are exceptionally specialized and usually ineffective when told to play out of position. (Could you imagine the kicker playing on the defensive line, or the center as a wide receiver?)

Returning to the hockey model, remember that there are three positions, with varying degrees of offensive and defensive responsibilities. Goalies focus almost exclusively on defense, but they try to make smart plays that lead to break-outs. Defensemen concentrate on defense but should contribute offensively where possible. Forwards concentrate on offense, but help the defensemen as well. How does this model apply to my position in digital security? I consider myself a defenseman, but I'm trying to develop my offensive skills. (At the very least, better knowledge of offensive tools and techniques helps me better defend against them.) I have no interest in being a goalie. Being a forward would be exciting, but I'm not sure I'll have an opportunity or job responsibility to fully develop those skills.

I suppose it's even possible to become a coach or trainer (like skating guru Laura Stamm). You don't have to actually play the game, but you quickly become irrelevant if you lose touch with the game.

Does the extreme specialization of the football model apply? I think it may for large consultancies (or perhaps for the security market as a whole). In a large consultancy, you can be the "Web app guy" or the "incident response gal" and make a living. Outside of that environment, perhaps at a general security job for a company, you're expected to be good at almost everything.

I've written before that it's unreasonable to be good at everything, despite the unrealistic desire of CIOs to hire so-called "multitalented specialists." I recommend choosing to be a goalie, defenseman, forward, or coach/trainer. Be solid in your core responsibilities, but remember Bobby Orr's example.

How do you fit into my hockey model?

11 comments:

jbmoore said...

I think one can focus one's skill sets where jobs overlap. For instance, bare metal disaster recovery skills can transfer easily to some types of digital forensics work. Both positions involve data recovery and hard disk cloning/manipulation. So, it might be possible to easily convert a disaster recovery specialist into a decent forensic investigator with a little training. The same applies to network traffic analysis for network engineers. Analyzing malicious network traffic is a subset of general traffic analysis. But one can't expect a bare metal hard drive expert to be able to read a network trace. There are likely bright individuals that can, but you'll get more bang for the buck from a team of experts than a generalist in a corporate environment. One brain can only know so much. The generalist functions as a filter of sorts solving 75-80% of normal everyday problems, but the generalist will need to consult an expert to solve the other 20% of issues (or consult google). What you are talking about is similar to how one system administrator described system administrators. Most system administrators are mechanics. They can diagnose a system just by the sound or behavior it exhibits and fix it. The rarer breed of system administrator is the systems analyst. He or she will analyze the problem and engineer a permanent solution that eradicates the problem. As digital security matures, the generalist will find it harder to cope with all the skill sets necessary to perform the job. This is a general trend in any engineering, scientific or technical human endeavor. Eventually, the amount of knowledge and number of tasks becomes so overwhelming that one must specialize in order to be effective.

John Ward said...

A hockey reference, and you didn't use a picture of either Gretzky or the Hanson brothers. Rich, I am disappointed.

Anonymous said...

While using New England players - you should reconsider the American football analogy. Troy Brown of the New England Patriots played most of his career as a wide receiver. He played almost an entire season on the defense - putting up some good stats. He also played 3rd string quarterback in the pre-season taking snaps from center.

There are special "utility" players out there. They are unique and do not represent the majority in any industry. When coach Belichick looks at putting players on the roster he doesn't look for the best at position, he looks for players that are "football smart".

I think we need more "security smart" players in IT. It doesn't mean that they are experts at a particular position, but have the intelligence to understand what is happening and when they need to engage additional "position" players.

Thoughts?

-Mark

Anonymous said...

I'm always quite suspect of analogies, and most especially of sports analogies, but I think there might be some merit in this case, though I'll argue a bit with the ratios.

3 to 2 to 1 is the ratio you outline but I think the ratios in information security are much more slanted. It would seem to me that there are very few offensive security researchers focused solely on "scoring" an 0-day or big vulnerability. I'm sad to say there may be only slightly more defensive players who manage to play some offense as well. It strikes me that we're in an era of goalies, for one reason, in the infosec world "forwards" get the notoriety but "goalies" get paid.

With a few exceptions, such as pen-testers, some gov groups, and a few vulnerability researchers at think tank type companies, there aren't many offensive infosec jobs available. Like you (Richard) I've been working on my offensive skills but unless a person can already write win32 payloads by hand in their sleep there's not much work for a "transitional player" who's moving from offense to defense. It just won't pay the bills. My free time is spent almost exclusively on offensive work and reading, but it's all for myself and maybe, someday, a job in the future. My job is still solely on defense, and until I'm given permission at work to "take the puck myself" Bobby Orr style that's what my role is confined to.

I'm not sure if that's right or wrong. The offense is the fun stuff. The few times in the lab I worked in at school where I got to pop boxes were among some of the most fun I've ever had on a computer. When my school team competing in iCTF got our first breakthrough I don't know if I've ever felt so invigorated. But when the resumes got sent out and companies started coming back to me with jobs most of that offensive knowledge was in the back seat. The Shellcoder's Handbook might be fun, but it's your Tao of Network Security Monitoring that's making me better at my job. I don't know what the future holds, but that's how it is at the present.

So for now I'll keep plugging away at the Gera Examples and see if I can "get a breakaway" sometime.

Anonymous said...

What a great post. As a network security opportunist, developer, and hockey player myself it's great to see such a mindset actually written out in words on a blog somewhere. I've seen a few chess-based roles mentioned as related to NSM but picture yourself playing w/ chess and only 6 pieces each and a wide open field and you have yourself a nice challenge that can keep you going for a while ;-)

Fast forward a few years from Orr and you have a much more technical game, Devils playing the trap, the umbrella on the powerplay, boxing the penalty kill, and the effectiveness and importance of the line change.

The ice hockey model should be in your next book!

- Jon

Richard Bejtlich said...

Scott,

Ignore the ratios. I did not intend for them to have any significance whatsoever. I was just explaining the game to those who might not know it.

Anonymous said...

"How do you fit into my hockey model?"

Does "puck" count?

Anonymous said...

Richard,

I agree that in a concrete sense the ratios really don't matter. In a more abstract sense I think they are important and I was simply trying to illustrate the huge gap between the relatively small number of "offensive" security pros and the much larger group of "defensive" security professionals, with very little overlap. My point, and I think more than somewhat yours, is that both groups need to move closer towards the middle, fewer goalies, and more defensemen who know how to shoot as well as check. It's my hope that these more well rounded security pros will be best equipped to face the challenges ahead.

Anonymous said...

I guess if you consider the following then the hockey analogy works...

fights during the game would equate to time spent arguing that additional budget is required to meet the requirements. (you win some, you lose some).

Penalty minutes are "time spent in irrelevant meetings"

Icing is what you do when you send your technical team to training/vacation. You push as much work for later as possible while they are out.

Short handed goals - when your analysis process quickly identifies the attacks against your network and computing resources.

Adam said...

Speaking of offensive security knowledge, I saw yesterday a video on Foxnews on people complaining about "How-to" videos for picking locks being posted on Youtube. In the video they talk about holding Youtube liable in court. I wonder how well that would go if publishers for offensive infosec books were held liable if LE found security books in an attackers home. You can see the video here
http://www.foxnews.com/story/0,2933,233037,00.html
On the left under VIDEO click on "YouTube Guide to Crime."
