Comments on TaoSecurity Blog: Don't Envy the Offense
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16. Five comments, shown here in chronological order.

----------------------------------------------------------------------

Anonymous, 2014-12-28 21:51 (-05:00)

In your example, doesn't Tony have 'offense envy'? Given he uses offensive tactics, tools and procedures to inform defense...? And wasn't that really the point? That attack research shouldn't be squelched as an information source to defense?

----------------------------------------------------------------------

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2014-12-28 21:58 (-05:00)

I offered the Tony Sager story as an example of how red teams can do something more useful than write reports and walk away. I think what some are missing is the oddity, to put it mildly, of saying "offense and defense aren't peers."

----------------------------------------------------------------------

halvar.flake (https://www.blogger.com/profile/12486016980670992738), 2015-01-06 10:35 (-05:00)

I may be second-guessing the motivation for the original tweet, but I did not read it as an encouragement that attack teams should "dump reports and walk away".

I think non-offensive organisations are almost constantly at risk of not having enough expertise about how attackers operate to mount a strong defense. Very few organisations employ "realistic" attackers, and not all organisations have access to high-quality intelligence about how actual attacks work (and even then, access to intelligence does not equal understanding).

For me personally, the original tweet resonated. I have often been in discussions where defensive activities of very dubious value were proposed due to an insufficient understanding of how attackers operate / how attacks work.

The attacker gets a relatively quick feedback loop on his actions: normally, he can quickly see if he is successful or not. The defender has to work really hard to see how successful he is, and attackers won't tell a failing defender that he is failing. The way I interpreted the original tweet, it was a reminder that a defender has to be constantly vigilant in trying to understand how an attacker operates.

The graph-vs-lists tweet resonated for a different reason: transitivity of trust has, for ages, been known to be the silent killer of network security, yet progress on defending better on this front has been slow. The web of dependencies that any organisation has is very depressing, and few organisations make a concerted effort at minimizing and controlling these dependencies.

So I wouldn't discount these tweets as "attacker envy"; they are reminders to avoid common mistakes. Twitter, by virtue of extreme brevity, does not lead to very nuanced statements.

----------------------------------------------------------------------

Anonymous (https://www.blogger.com/profile/14568680875110886356), 2015-01-07 14:55 (-05:00)

To your third point, Richard, I think the platitudes do the good guys a grave disservice. I think, more so now than ever, you see defensive teams sharing more data than ever. The difference is that the sharing is not necessarily done in the open as much. It's more in an industry-specific ISAC or done behind closed doors. I think those folks that are complaining about lack of sharing are short-sighted.

Or perhaps they weren't invited to the party :)

----------------------------------------------------------------------

Anonymous (https://www.blogger.com/profile/06889809501614361215), 2015-02-09 13:08 (-05:00)

Hey Richard - this is Tony, now retired from NSA. Thanks for the nice comments!

To the first commenter, I *promise* I do not have "offense envy". But after a 35-year career as a defender in a primarily offense-minded organization, I *do* have "offense admiration". It's fair to say that I lived with and studied attackers for decades, in hopes of becoming a better defender. And I made sure that we had the attacker mindset as we planned defenses.

Of course our understanding of (the Other Guy's) Offense must inform Defense, just as understanding Defense naturally informs Offense. Another reason I brought those teams together under the same manager: people who operated Red Teams for us often had *no* experience in running complex networks, and so did not understand the options and processes of defense, leading them to make bad choices as (mock) attackers, and so giving us less-than-useful results.

Richard nailed the right issue from my view: implying that defense is somehow less worthy or exciting than offense. As a life-long Defender (as vulnerability-finder and manager), I refuse to concede equal footing. I think Defense is wonderfully exciting and challenging and important, no less (or more) so than Offense.