Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem




Proposition

Digital offense capabilities are currently net negative for the security ecosystem.[0]

The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (#securityonepercent), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.

The Reason

Limitations of scaling are the reason why digital offense capabilities are currently net negative.

Consider the case of an actor developing a digital offense capability, and publishing it to the general public. 

From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.

The situation is much different from the offense perspective.

Any actor may leverage the offense capability against any Internet-connected target on the planet. 

The actor can scale that capability across the entire range of vulnerable or exposed targets.

The Three

Only three sets of actors are able to possibly leverage an offense capability for defensive purposes.

First, the organization responsible for developing and maintaining the vulnerable or exposed asset can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.

Second, major consumers of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.

Third, the security one percent can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.

The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.

The Insight

From the intruder side, little to no limitations on scaling mean the intruder can leverage the digital offense capability against all vulnerable targets.

This is the key insight that produces digital offense capabilities as net negative for the entire security ecosystem:

Offensive scale is superior to defensive scale.

Stated differently:

An intruder actor can leverage an offense capability against any vulnerable target.

Few (if any) defenders can leverage a derived defense capability against all vulnerable targets.

Those who object to this argument are likely one of the three actors.

Objections: Vendors


Vendors may have the strongest case for being able to scale defense, depending on the nature of the vendor's offering.

Vendors who provide software or other capabilities that require customer action for updates are in the weakest position. If customers do not update, they remain vulnerable.

Vendors who mandate automatic updating are in a stronger position. Customers receive the update, with the effectiveness of the update mechanism being the major limitation.

Vendors who operate "as a service" offerings, such as the major cloud and email providers, are in the strongest position. They can silently improve their offering without user involvement. They can scale defense across their service as they more or less completely control it.

Objections: Major Consumers


Major consumers may operate with or without the involvement or action of vendors. When the major consumer is operating an on-premise instance, for example, they can be in a position to implement a mitigation or remediation. Such major consumers have teams that qualify them as being in the security one percent, so in some ways this dual-counts the defensive benefit.

Some major consumers may remain vulnerable, however, regardless of their relative size or nature. The SolarWinds case has shown that organizations with multi-billion-dollar information technology budgets can be as helpless as those outside the security one percent.

Objections: The Security One Percent

The security one percent is likely to voice the loudest objections. The security one percent are individuals working in entities with the budget to fund a blue (defense) team, and probably a red (offense) team.

As mentioned in a previous blog post, the security one percent can use offensive tools to equip their red or penetration testing teams. Those teams, nonexistent outside the security one percent, can work with or against blues team to determine if countermeasures are effective. 

The security one percent is generally oblivious to their privilege. I was personally not aware of this mindset until the rise of ransomware in 2018-2020. 

The exceptions are two-fold. One group who is aware of their privilege comes from "the other side of the tracks." They worked for an entity without a security team, perhaps in a non-IT role, or a non-security role. Another exception involves people who volunteer or consult with entities outside the security one percent. They see the gap between their own capabilities and those they are trying to help. 

One portion of the security one percent is particularly critical: those who rely upon offense for their income, or enjoy it as a hobby. They reject any sentiment or policy prescription that threatens their livelihood or enjoyment, regardless of the larger societal cost. Addressing the concerns of this group requires a separate blog post.

Summary

The difference in the capabilities of the vendor/major consumer/security one percent triad and the rest of the security ecosystem is the result of defense failing to scale as effectively as offense.

When an actor publicly releases a digital offensive capability, especially in the form of working code, generally any threat actor can leverage that capability against any vulnerable target.

The inverse is not true. Any defensive capability, derived from the offensive capability, can generally not be leveraged to protect any vulnerable target. 

Free or open source tools, training, or knowledge are helpful, but they require deployment, tuning, comprehension, commitment, and a host of other capabilities that do not scale as effectively as offensive code. While using offensive code has a learning and operational curve, it is nowhere as steep as that facing defenders.

The strongest and most helpful exception is found in vendors who offer "as a service" capabilities. They can independently and comprehensively improve their security posture with little to no involvement from the vulnerable population. (An exception, for example, is offering, but not mandating, multi-factor authentication. Only by adopting MFA does the population improve its security.)

Conclusion

The summary yields three conclusions:

1. Limiting the availability of digital offense capabilities, such that they are not public and within the reach of any threat actor, will likely limit offensive options for intruders, thereby increasing their operational costs to research, develop, deploy, and maintain offensive tools.

2. Increasing the use and reliance upon "as a service" offerings will likely improve the security of the ecosystem, as defensive measures can be scaled across the entire vulnerable population.

3. The rise of "as a service" offerings will likely drive intruders to target those offerings directly, rather than the independent assets distributed across the ecosystem.

There are no "solutions" in digital security -- only trade-offs.[1] 

I am cautiously optimistic that some combination of the first two conclusions would offset the rise of the third conclusion, generating a net positive improvement in digital security. 

Too many in the digital world have treated security as a technical problem with technical solutions. While technical matters play a role, the centrality of the digital ecosystem means that it should be treated as a public policy concern. That strategy is at least two decades overdue.

Please direct comments on this post to Twitter.

Endnotes

[0] I'm very confident this argument holds for public digital offense capabilities. After publishing this post I realized I assumed this perspective but did not make it explicit. Hence, this note.

[1] I derive this phrase from one of my public policy professors, Philip D. Zelikow, who noted that there are no solutions in public policy -- only trade-offs. 

Comments

Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more