Are You Offended by Offensive Security?

March 28, 2016


A commonly held belief in the realm of digital security (cyber security for the new folks and the media) is that the methods employed are strictly defensive in nature. Networks prepare for and wait for an attack, defend against the attack, respond as needed and maybe even report the attack to the authorities. If the attack was successful and not detected, the direction is reversed: the authorities contact the network to tell it about the breach. This process repeats itself thousands of times a day across the world.

Rates of actual convictions for computer crimes range from 89%[i] for small countries to 0.5% for larger ones[ii]. This does not reflect the actual number of people accused of committing such crimes, only the number of people who are charged with such crimes and then convicted in a court.

IBM’s X-Force Threat Activity Exchange[iii] shows current malicious activity across all monitored and reported IP addresses across the globe. At any given moment, there are hundreds of attacks represented on the exchange in a lovely colored chart of the world. There’s nothing new in this information, just a different way to express it.

Defensive posturing is the art of fortifying assets with multiple types of protection. In the physical world there are walls, barbed wire, security guards with vicious attack dogs, doors, walled doors with vicious attack dogs and so forth. The digital world has firewalls, intrusion detection systems, packet sniffers, access controls, authentication methods and more, but sadly no vicious attack dogs. Networks combine these physical and digital products in a constant game of trying to protect their assets.

We already know how well that is working out for them. Target, Sony, Coca Cola, Starbucks and all the banks out there have made the headlines for being attacked.

Law enforcement expects organizations and people to perform due diligence on protecting their assets. Leaving your valuable jewelry out in the open in public would be frowned upon by the police detective who writes the theft report. Likewise, not changing the default password on a network switch or VMware server will also cause dismay from the shareholders as they pay out on lawsuits for data loss.

Due diligence is much like the cavepeople huddled around a fire during the dark of night. They expect the fire (law enforcement) to protect them from the vicious attack carnivores as they circle around the flames. As the evening wears on, the flames must be stoked and maintained which means somebody has to go get more firewood. Those who go to get that firewood may not come back because they’ve ended up as a meal for something else.

This means the fire is limited in scope and resources. Law enforcement can only do so much with what they have. As the animals see the fire wane, they approach closer and begin picking off one caveperson at a time. If one of the animals catches fire, the cavepeople at least get a buffet for their efforts. This is little comfort since each night this same routine repeats itself. The fire is only a single tool and cannot be expected to protect everyone against all hungry animals out there. We must look at another method.

Offensive security has had a bad reputation for years. It’s considered vigilantism by some. Others will say that you’re taking the law into your own hands. There are political and legal issues with reprisal against the wrong parties if you counter attack. The arguments are endless, yet nothing really seems to change the cyber security environment except more high profile attacks. Argue all you want, changes only happen when someone is willing to make those changes.

Paul Asadoorian and John Strand offered a solution at the 2012 RSA convention[iv]. Their approach was to suggest three phases, annoyance, attribution and attack, to ward off malicious intruders. The presenters acknowledged that the same tools used by penetration testers could become offensive weapons.

They also suggested tagging data and documents with web bugs that activate whenever that asset is used outside the intended environment. This is similar to the ink tags used on department store merchandise that burst if the garment leaves the premises. It is also very much like the ink packets used in banks that stain money stolen during a heist.

Is that offensive security or just good advice? Both.
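To make the web-bug idea concrete, here is an added example (not from the article or the RSA talk) of a document canary: a unique beacon URL is embedded in an HTML document, and a log check flags any fetch of that URL from outside a trusted address range, which is the attribution step the presenters describe. The beacon host canary.example.invalid, the 10.0.0.0/8 trusted range and the access-log lines are all constructed for this illustration.

```python
import ipaddress
import re
import secrets

BEACON_HOST = "canary.example.invalid"            # hypothetical host under our control
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range; opens here are expected

# Apache/nginx-style combined log line: client IP, timestamp, request line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{32})\.png')


def mint_token(registry, document_name):
    """Create an unguessable token and remember which document carries it."""
    token = secrets.token_hex(16)
    registry[token] = document_name
    return token


def embed_web_bug(html, token):
    """Insert a 1x1 remote image whose URL is unique to this copy of the document."""
    tag = f'<img src="https://{BEACON_HOST}/t/{token}.png" width="1" height="1" alt="">'
    return html.replace("</body>", tag + "</body>", 1)


def alerts_from_log(lines, registry):
    """Return one alert per beacon fetch that came from outside the trusted networks."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["token"] not in registry:
            continue                      # unrelated request or unknown token
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                      # malformed client address; skip rather than crash
        if any(ip in net for net in TRUSTED_NETS):
            continue                      # legitimate open inside the environment
        alerts.append({"document": registry[m["token"]], "source_ip": str(ip), "time": m["ts"]})
    return alerts


def demo():
    """Mint a token, tag a document, replay constructed log lines, return the alerts."""
    registry = {}
    token = mint_token(registry, "q3-forecast.html")
    tagged = embed_web_bug("<html><body><p>Confidential</p></body></html>", token)
    assert token in tagged
    log = [  # constructed sample log: one internal open, one external open, one unknown token
        f'10.1.2.3 - - [28/Mar/2016:09:00:00 +0000] "GET /t/{token}.png HTTP/1.1" 200 68',
        f'203.0.113.7 - - [28/Mar/2016:21:14:05 +0000] "GET /t/{token}.png HTTP/1.1" 200 68',
        '203.0.113.7 - - [28/Mar/2016:21:14:06 +0000] "GET /t/' + "0" * 32 + '.png HTTP/1.1" 404 0',
    ]
    return alerts_from_log(log, registry)
```

The beacon only fires when the viewer loads remote images, so treat a silent document as unknown rather than safe.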

In the history of war, there’s never been a battle won by waiting for the enemy to attack first. If you happen to wait for the enemy, then it’s called an ambush and you have the upper hand due to the element of surprise and firepower. No military commander has ever told their troops to sit and wait for the enemy to strike first. There is no tactical advantage to such strategy, but security professionals are expected to do this exact same thing each and every day. We wait and then respond. We add more kindling to the fire, hoping we don’t get eaten next.

It’s a little like watching a horror movie. You know that the victim shouldn’t go down into the basement alone, but they do anyway. Doesn’t the sound of a chain saw and screams give the victim the slightest hint that bad things are happening in the basement? But they go, armed with a faulty flashlight and no cell phone signal. They meet their doom, over and over again.

Forgive my bluntness, but this is stupid. Defensive security is no way to go through life. We tell our kids not to be victims of bullies; we tell them to stand up to school thugs. We don’t practice what we preach though. Even police departments in the U.S. have paid ransoms to get their data back from ransomware thieves. The fire itself has gotten burned.

At what point are you going to stop playing a game where you don’t even know the rules? Penetration testing is not the same as an attack. A penetration test has a scope with limitations and boundaries. An attack has a goal and no time limit. In order to conduct a proper security test, you must use the Open Source Security Testing Methodology Manual (OSSTMM). If you want to prove trust in your network, you have to have a scientific and mathematically proven method instead of just some cool software.

Stop waiting for the bad guys to go away. They aren’t going to leave. Start conducting proper security testing and become active in your role as a security professional. Grab the OSSTMM and start pursuing the animals eating all your friends. That fire is not getting any bigger.

  1. I think there are a few factors to take into account when considering an offensive strategy:

    1. Many businesses and organisations have a great deal of reluctance committing financial and skill resources to fighting an adversary they can barely understand, let alone see. They are often managed by a generation of directors who are out of touch with modern threats and often don’t understand the value of their technological resources. Convincing the head of marketing to remove email addresses, direct phone numbers and Skype accounts of employees from the company website would be common sense to a security minded person. But the marketer fears that you would make the business inaccessible to new customers, particularly if the nature of their business requires human contact to build relationships. You need to be able to think in their terms as well as your own. In this case suggest having contact forms on the website. Customers can still contact staff and hackers have fewer details to make an attack with.

    2. Reputation and saving face to avoid litigation and loss of business play a massive role in the under-reporting of cyber crime and the sharing of forensic data as a result. Creating a community outside of these businesses to share this data is great, but it would be useful to form micro chapters within high risk businesses and agencies as well so as to raise awareness of it in real time. Right now the only real equivalent of that is the data collected by major security vendors whose products are used in said businesses.

    3. Defensive security I suppose plays on the idea of what was mentioned earlier about committing skills and resources to fighting a poorly understood threat. Using the war analogy, the recent Western military forays into Afghanistan, Iraq and Libya show how an aggressive pro-active approach can go terribly wrong and even result in escalation when poor planning and suspect agendas are at work. Offensive security has its place but you must choose your battles wisely. Assessing what is most at risk in your company vs what is valuable will be the difference between getting board approval and funding and being the fear mongering cretin creating needless inefficiencies. Examples of good but practical measures would include having email security filter software in place and staff training on IT security best practice, vs the over the top practice of installing disk drive encryption on all 500 company desktops and ensuring all directors use passwords, biometric prints, mobile phone codes and voice recognition each time they log in.

    The article is interesting to read and there is an eagerness to take the fight to the enemy, so to speak. We just need to be sure that common sense is applied and that a certain degree of sensitivity to our clients’ interests is taken into account.
