Sunday, December 28, 2014

Don't Envy the Offense

Thanks to Leigh Honeywell I noticed a series of Tweets by Microsoft's John Lambert. Aside from affirming the importance of security team members over tools, I didn't have a strong reaction to the list -- until I read Tweets nine and ten. Nine said the following:

9. If you shame attack research, you misjudge its contribution. Offense and defense aren't peers. Defense is offense's child.

I don't have anything to say about "shame," but I strongly disagree with "Offense and defense aren't peers" and "Defense is offense's child." I've blogged about offense over the years, but my 2009 post Offense and Defense Inform Each Other is particularly relevant. John's statements are a condescending form of the phrase "offense informing defense." They're also a sign of "offense envy."

John's last Tweet said the following:

10. Biggest problem with network defense is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win

This Tweet definitely exhibits offense envy. It plays to the incorrect, yet too-common, idea that defenders are helpless drones, while the offense runs circles around them thanks to their advanced thinking.

The reality is that plenty of defenders practice advanced thinking, while even nation-state level attackers work through checklists.

At the high end of the offense spectrum, many of us have seen evidence of attackers running playbooks. When their checklist ends, the game may be up, or they may be able to ask their supervisor or mentor for assistance.

On the other end of the spectrum, you can enjoy watching videos of lower-skilled intruders fumble around in Kippo honeypots. I started showing these videos during breaks in my classes.

I believe several factors produce offense envy.

  1. First, many of those who envy the offense have not had contact with advanced defenders. If you've never seen advanced defenders at work, and have only seen mediocre or nonexistent defense, you're likely to mythologize the powers of the offense.
  2. Second, many offense envy sufferers do not appreciate the restrictions placed on defenders, which result in advantages for the offense. I wrote about several of these in 2007 in Threat Advantages -- namely initiative, flexibility, and asymmetry of interest and knowledge. (Please read the original post if the last two prompt you to think I have offense envy!)
  3. Third, many of those who glorify offense hold false assumptions about how the black hats operate. This often manifests in platitudes like "the bad guys share -- why don't the good guys?" The reality is that good guys share a lot, and while some bad guys "share," they more often steal, back-stab, and inform on each other.

It's time for the offensive community to pay attention to people like Tony Sager, who ran the Vulnerability Analysis and Operations (VAO) team at NSA. Initially Tony managed independent blue and red teams. The red team always penetrated the target, then dumped a report and walked away.

Tony changed the dynamic by telling the red team that their mission wasn't only to break into a victim's network. He brought the red and blue teams together under one manager (Tony). He worked with the red team to make them part of the defensive solution, not just a way to demonstrate that the offense can always compromise a target.

Network defenders have the toughest job in the technology world, and increasingly the business and societal worlds. We shouldn't glorify their opponents.

Note: Thanks to Chris Palmer for his Tweet -- "He [Lambert] reads like a defender with black hat drama envy. Kind of sad." -- which partially inspired this post.


Anonymous said...

In your example, doesn't Tony have 'offense envy'? Given he uses offensive tactics, tools, and procedures to inform defense...? And wasn't that really the point? That attack research shouldn't be squelched as an information source to defense?

Richard Bejtlich said...

I offered the Tony Sager story as an example of how red teams can do something more useful than write reports and walk away. I think what some are missing is the oddity, to put it mildly, of saying "offense and defense aren't peers."

halvar.flake said...

I may be second-guessing the motivation for the original tweet, but I did not read it as an encouragement that attack teams should "dump reports and walk away".

I think non-offensive organisations are almost constantly at risk of not having enough expertise about how attackers operate to mount a strong defense. Very few organisations employ "realistic" attackers, and not all organisations have access to high-quality intelligence about how actual attacks work (and even then, access to intelligence does not equal understanding).

For me personally, the original tweet resonated - I have often been in discussions where defensive activities of very dubious value were proposed due to an insufficient understanding of how attackers operate / how attacks work.

The attacker gets a relatively quick feedback loop on his actions - normally, he can quickly see if he is successful or not. The defender has to work really hard to see how successful he is, and attackers won't tell a failing defender that he is failing. The way I interpreted the original tweet, it was a reminder that a defender has to be constantly vigilant in trying to understand how an attacker operates.

The graph-vs-lists tweet resonated for a different reason: Transitivity of trust has, for ages, been known to be the silent killer of network security, yet progress on defending better on this front has been slow - the web of dependencies that any organisation has is very depressing, and few organisations make a concerted effort at minimizing and controlling these dependencies.

So I wouldn't discount these tweets as "attacker envy" - they are reminders to avoid common mistakes. Twitter, by virtue of extreme brevity, does not lead to very nuanced statements.
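The "lists versus graphs" tweet and the transitivity-of-trust point above can be made concrete. The following is an added example, not code from the post or from any commenter: a toy model in Python of how a foothold on one workstation becomes domain-wide access through chained admin rights and cached credentials, and how a defender who reasons over the same graph finds the edges that actually matter. The hosts, accounts, groups and trust edges are constructed for illustration and do not describe any real environment.

```python
# Added example (not from the original post or its comments). A constructed
# trust graph in the style of "control of src yields control of dst":
# a local admin can dump credentials of users with sessions on that host,
# an account is admin on some hosts, a group confers its rights on members.
from collections import deque

# Constructed data: every host, account and edge here is illustrative.
EDGES = [
    ("user:alice", "host:ws01"),          # alice is local admin on ws01
    ("host:ws01", "user:helpdesk"),       # helpdesk has a session (creds) on ws01
    ("user:helpdesk", "host:ws02"),       # helpdesk is admin on ws02 and ws03
    ("user:helpdesk", "host:ws03"),
    ("host:ws02", "user:svc_backup"),     # svc_backup runs on both workstations
    ("host:ws03", "user:svc_backup"),
    ("user:svc_backup", "host:fileserver"),
    ("host:fileserver", "user:bob"),      # bob has a session on the file server
    ("user:bob", "group:domain admins"),
    ("group:domain admins", "host:dc01"),
    ("user:carol", "host:ws04"),          # an island not connected to the rest
]


def build_graph(edges):
    """Adjacency map; every endpoint gets an entry even if it has no out-edges."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def reachable(graph, start):
    """Transitive closure from one foothold: everything the attacker can reach.
    This is the 'graph' view the tweet refers to."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shortest_path(graph, start, goal):
    """Breadth-first search: the shortest chain of hops from start to goal,
    or None when goal is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def list_view_risk(graph, vulnerable_hosts):
    """The 'list' view: a host is flagged only if it is on a findings list,
    independent of what it can be reached from."""
    return {h for h in graph if h.startswith("host:") and h in vulnerable_hosts}


def graph_view_risk(graph, footholds):
    """The 'graph' view: a host is at risk if any foothold transitively reaches it."""
    at_risk = set()
    for foothold in footholds:
        at_risk |= {n for n in reachable(graph, foothold) if n.startswith("host:")}
    return at_risk


def chokepoints(edges, start, goal):
    """Edges whose removal alone disconnects start from goal. These are the
    trust relationships a defender should cut; the others are redundant paths."""
    result = []
    for edge in edges:
        trimmed = build_graph([e for e in edges if e != edge])
        if goal not in reachable(trimmed, start):
            result.append(edge)
    return result


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("reachable from alice:", sorted(reachable(g, "user:alice")))
    print("shortest path to dc01:", " -> ".join(shortest_path(g, "user:alice", "host:dc01")))
    print("list view (only ws02 on the findings list):", list_view_risk(g, {"host:ws02"}))
    print("graph view (alice compromised):", sorted(graph_view_risk(g, ["user:alice"])))
    print("chokepoints alice -> dc01:", chokepoints(EDGES, "user:alice", "host:dc01"))
```

Run as a script it shows the contrast the tweet draws: a findings list that contains only ws02 flags one host, while the graph view from a single compromised user flags every host up to the domain controller. The chokepoint calculation is the defensive use of the same graph: removing helpdesk's admin rights on ws02 alone does nothing, because ws03 yields the same service account, whereas removing svc_backup's rights on the file server severs the path entirely.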

Todd Miller said...

To your third point, Richard, I think the platitudes do the good guys a grave disservice. I think more so now than ever, you see defensive teams sharing more data than ever. The difference is that the sharing is not necessarily done in the open as much. They're more in an industry specific ISAC or done behind closed doors. I think those folks that are complaining about lack of sharing are short-sighted.

Or perhaps they weren't invited to the party :)

Tony Sager said...

Hey Richard - this is Tony, now retired from NSA. Thanks for the nice comments!

To the first commenter, I *promise* I do not have "offense envy". But after a 35 year career as a defender in a primarily offense-minded organization, I *do* have "offense admiration". It's fair to say that I lived with and studied attackers for decades, in hopes of becoming a better defender. And I made sure that we had the attacker mindset as we planned defenses.

Of course our understanding of (the Other Guy's) Offense must inform Defense, just as understanding Defense naturally informs Offense. Another reason I brought those teams together under the same manager - people who operated Red Teams for us often had *no* experience in running complex networks, and so did not understand the options and processes of defense, leading them to make bad choices as (mock) attackers, and so giving us less-than-useful results.

Richard nailed the right issue from my view - implying that defense is somehow less worthy or exciting than offense. As a life-long Defender (as vulnerability-finder and manager), I refuse to concede equal footing. I think Defense is wonderfully exciting and challenging and important - no less (or more) so than Offense.