On Offense Informed Defense: Why do we buy the things we buy? (Part 1)
Ask any experienced offensive tester about the latest whiz-bang infosec tool, and you’ll get a predictably skeptical response. Sometimes skeptical would be putting it mildly. You’ll hear impassioned arguments like “You shouldn’t worry about Advanced Super Fuzzy Panda APT # 4,172 hand-writing zero days when you have SMB and RDP exposed to the Internet!” Then they’ll pile on: “Any Spring2019!, Welcome1!, Pa55word, or other weak passwords on your network that can be trivially sprayed? Would you know if you’re being sprayed? Are you sure? Are you really sure? How do you know?”
And the discussion would go downhill from there. The sad reality is that most experienced offensive testers don’t think too highly of the current “state of the art” defensive tools. Sure, some are better than others, but in the end, these tools – and the way they’re implemented – barely slow the attackers down. Given that cyber is a domain of conflict that strongly favors offense over defense, this shouldn’t be surprising.
I have worked with hundreds of firms over my 23 years in the information security industry. Those firms – and their peers – spend collective zillions on infosec tools that, for the most part, do not make them better defenders. Why?
Defending against ghosts and magic
The problem is rooted in the disconnect between attackers and defenders. Good attackers know a lot about defenders, but most defenders know next to nothing about attackers. Let me say that again: attackers understand the defense; defenders don’t understand the offense. The outcome in the cyber world resembles what would happen on the sports field if the offense had the defensive playbook in advance. The hapless defenders wind up battling ghosts that always seem to be two steps ahead of them, permanently stuck in a “react and defend” posture. Against an offense with lethal efficacy, this largely random defensive “play calling” is entirely ineffective.
When attackers are successful, they often operate freely in the victim network for months or years. When they are finally detected, it’s almost always due to some derivative activity (credit card fraud, an unrelated investigation, etc.) rather than the actual defenders figuring out that they were beat.
We’re spending more than we ever have before on information security. We’re employing more people than ever before in information security roles. For decades, Information Technology investments have returned steadily more value per dollar spent. Not so in security. It’s fairly obvious that much of what we’re doing as defenders isn’t adding security value.
Our first-line defenders are often new to information security and have limited experience and instincts to inform their reactions. This reality is exacerbated by the infosec talent shortage, which has universities, community colleges, trade schools, and other career programs rapidly minting new infosec professionals. Prof. Gene “Spaf” Spafford, renowned for his analysis of the Morris Worm more than 30 years ago, reminded us during the 2017 WannaCry and Petya/NotPetya outbreaks that “many information security professionals were [now] experiencing their first worm.”
When exposed to attacker tools, many defenders react as though they’re seeing magic. Ask defenders about basic attacker tools and techniques (think Mimikatz, Responder/SMBRelay, Hashcat, Bloodhound, password spray tools, etc.); you’ll hear a depressing and dangerous lack of awareness, understanding, and appreciation. Worse, the defenders making the budget decisions tend to be the most removed from offensive awareness.
Creating an Offense Informed Defense
To remedy this, defenders – at all levels – must be continually informed and aware of offense capabilities. Defenders must understand what tools and techniques attackers will use against their networks and how their defenses (people, processes, and technology) fare when faced with those tools and techniques. Choosing and deploying defenses that lack this vital offense awareness will result in security value no better than selecting defenses at random. This is the subject of Part 2!