Security Conversation
Summary
Offensive Security is not inherently anti-security or anti-Defensive Security. It’s participation in the security conversation, shaping how we think about security. This participation requires technical transparency, openness, and tools to communicate these ideas. The impacts of offensive security, when it informs the security conversation, can lead to major leaps and breakthroughs in security overall.
Some offensive security work is, today, welcome, well understood, and has clear paths to remediation. This is what some folks might refer to as “good” offensive security research. It has immediate security benefit or there’s a way to feed the business model of defensive security vendors. In some cases, this means immediate value capture from free public researcher labor. Vulnerability research and the process of coordinated disclosure are an example of this.
Some offense work, though, isn’t welcome. It doesn’t fit into the box of how the available solutions address security problems. This work is sometimes treated as the dangerous ravings of anti-security heretics. But anything that’s accepted and has a clear path to remediation NOW is something that was disruptive and shadowy-seeming in the past. Again, vulnerability research followed this path.
There’s an unfortunate externality to some offense work—criminal and nation state cyber actors love to co-opt code and tools from the security researcher’s ecosystem. This isn’t unique to security research though. Threat actors love system administration tools just as much. Anything that advances their objectives. For security research uniquely, something others seek to devalue, this externality attracts tough questions. Does the value of security testing, under the values and thinking of the past, outweigh the harm of these tools’ use by threat actors?
Well, I want to sidestep the question about security testing. Offense work is multi-faceted with a lot of different impacts. Security testing itself, especially from a business point of view, benefits from a proprietary “our tactics are our trade secret” approach. But, many in the profession understand that security testing isn’t the only end. Collectively, there’s a desire to share tools and information. Many find ways to balance eventual sharing with extracting business value from internally funded work. Why do security testers have this instinct? Where does it come from? It’s a desire to participate in the security conversation.
The value of offensive security work is fully realized by participation in the security conversation. That is, shaping how we think about security, how we think about our technologies, and informing our model of what’s possible. Participation in the security conversation requires technical transparency, openness, and yes—availability of tools to demonstrate ideas that are difficult to understand or contextualize. To those who scream, “I get no value from this now, therefore it has no value”—I’d challenge them to open their minds to the possibility that the intended audience is possibly the five people in the world, sometimes unknown to the researcher, who can understand the implications and are in a position to act on them.
Also, demanding this justification of value, in advance of release, is unfair. It’s not how this works. I think the creative energy and passion that births these leaps is something worth valuing and protecting—even if there’s a risk of short-term pain while the security conversation progresses.
Examples:
- Rootkit research seeding the know-how for DRM and EDR
- Firesheep forcing companies to finally address a widespread security issue with an available solution
- The Offensive PowerShell community and Microsoft collaborating on visibility as a security strategy
- Offense specialists, like Emeric Nasi, nerding out on the efficacy of and best practices of “available to all” mitigations like Attack Surface Reduction
- Mimikatz and Windows Credential Editor demonstrating credential harvesting in Microsoft Windows and starting a long road of efforts to address this
- Cobalt Strike’s DNS C2 led to an eventual defender awareness of and solutions to handle this tactic, where it was a known possibility, but a complete blind spot before.
- BloodHound turning an attacker methodology into a new defense discipline for solving a root-cause cybersecurity problem, present in most (all?) major Windows network breaches.
- Researchers seeking to inform others about how offense works and drive widespread understanding of these tactics and techniques
Relevant Note(s):