March 28, 2016
Are You Offended by Offensive Security?
A commonly held belief in the realm of digital security (cyber security for the new folks and the media) is that the methods employed are strictly defensive in nature. Networks prepare for and wait for an attack, defend against the attack, respond as needed and maybe even report the attack to the authorities. If the attack was successful and not detected, the authorities contact the network in a reverse fashion. This process repeats itself thousands of times a day across the world.
Rates of actual convictions for computer crimes range from 89%[i] for small countries to .5% for larger ones[ii]. This does not reflect the actual number of people accused of committing such crimes, only the total number of people who are charged with such crimes and convicted in a court.
IBM’s X-Force Threat Activity Exchange[iii] shows current malicious activity across all monitored and reported IP addresses across the globe. At any given moment, there are hundreds of attacks represented on the exchange in a lovely colored chart of the world. There's nothing new to this information, just a different way to express it.
Defensive posturing is the art of fortifying assets with multiple types of protection. In the physical world there are walls, barbed wire, security guards with vicious attack dogs, doors, walled doors with vicious attack dogs and so forth. The digital world has firewalls, intrusion detection systems, packet sniffers, access controls, authentication methods and more, but sadly no vicious attack dogs. Networks combine these physical and digital products in a constant game of trying to protect their assets.
We already know how well that is working out for them. Target, Sony, Coca Cola, Starbucks and all the banks out there have made the headlines for being attacked.
Law enforcement expects organizations and people to perform due diligence in protecting their assets. Leaving your valuable jewelry out in the open in public would be frowned upon by the police detective who writes the theft report. Likewise, not changing the default password on a network switch or VMware server will also cause dismay among the shareholders as they pay out on lawsuits for data loss.
Due diligence is much like the cavepeople huddled around a fire during the dark of night. They expect the fire (law enforcement) to protect them from the vicious attack carnivores as they circle around the flames. As the evening wears on, the flames must be stoked and maintained which means somebody has to go get more firewood. Those who go to get that firewood may not come back because they’ve ended up as a meal for something else.
This means the fire is limited in scope and resources. Law enforcement can only do so much with what they have. As the animals see the fire wane, they approach closer and begin picking off one caveperson at a time. If one of the animals catches fire, the cavepeople at least get a buffet for their efforts. This is little comfort since each night this same routine repeats itself. The fire is only a single tool and cannot be expected to protect everyone against all hungry animals out there. We must look at another method.
Offensive security has had a bad reputation for years. It's considered vigilantism by some. Others will say that you're taking the law into your own hands. There are political and legal issues with reprisal against the wrong parties if you counterattack. The arguments are endless, yet nothing really seems to change the cyber security environment except more high-profile attacks. Argue all you want, changes only happen when someone is willing to make those changes.
Paul Asadoorian and John Strand offered a solution at the 2012 RSA convention[iv]. Their approach was to suggest three phases of annoyance, attribution and attack to ward off malicious intruders. The same tools penetration testers use could become offensive weapons, the presenters acknowledged.
They also suggested tagging data and documents with web bugs to activate whenever that asset was used outside the intended environment. This is similar to the ink bombs used on department store merchandise that explode if the garment leaves the perimeter. This is also very much like the ink packets used in banks that stain money stolen during a heist.
Is that offensive security or just good advice? Both.
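The document tagging described above can be sketched in a few lines. This is an added example, not code from the presentation or the original post: each document gets an unguessable tag, and the beacon server's access log is checked for genuine tags fetched from outside the intended networks. The key, the `beacon.example` host, the URL layout, the network ranges and the log lines are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Everything below is constructed for illustration: key, host, networks, log lines.
SECRET = b"constructed-demo-key"
INTENDED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
HIT_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"GET /t/(?P<doc>[\w-]+)/(?P<tok>[0-9a-f]{16})\.gif ')

def make_token(doc_id):
    """Per-document tag: an HMAC of the document id, so it cannot be guessed."""
    return hmac.new(SECRET, doc_id.encode(), hashlib.sha256).hexdigest()[:16]

def beacon_url(doc_id):
    """URL of the 1x1 image reference embedded in the tagged document."""
    return f"https://beacon.example/t/{doc_id}/{make_token(doc_id)}.gif"

def outside_hits(log_lines):
    """Return (timestamp, ip, doc_id) for genuine tags fetched from outside."""
    hits = []
    for line in log_lines:
        m = HIT_RE.match(line)
        if not m:
            continue  # not a beacon request
        if not hmac.compare_digest(m["tok"], make_token(m["doc"])):
            continue  # wrong token: scanner noise or a forged hit
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address
        if not any(ip in net for net in INTENDED_NETS):
            hits.append((m["ts"], str(ip), m["doc"]))
    return hits

def sample_log():
    """Constructed access-log lines in common log format."""
    path = beacon_url("payroll-q1").split("beacon.example")[1]
    return [
        f'10.1.2.3 - - [28/Mar/2016:09:00:11 +0000] "GET {path} HTTP/1.1" 200 43',
        f'203.0.113.7 - - [28/Mar/2016:10:15:02 +0000] "GET {path} HTTP/1.1" 200 43',
        '198.51.100.9 - - [28/Mar/2016:10:20:40 +0000] "GET /t/payroll-q1/'
        '0000000000000000.gif HTTP/1.1" 200 43',
        '203.0.113.7 - - [28/Mar/2016:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    ]

if __name__ == "__main__":
    for hit in outside_hits(sample_log()):
        print("tagged document opened outside intended networks:", hit)
```

Only the second sample line is reported: the first comes from an intended network, the third carries a token that does not match the document, and the fourth is not a beacon request.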
In the history of war, there's never been a battle won by waiting for the enemy to attack first. If you happen to wait for the enemy, then it's called an ambush and you have the upper hand due to the element of surprise and firepower. No military commander has ever told their troops to sit and wait for the enemy to strike first. There is no tactical advantage to such a strategy, but security professionals are expected to do this exact same thing each and every day. We wait and then respond. We add more kindling to the fire, hoping we don’t get eaten next.
It’s a little like watching a horror movie. You know that the victim shouldn’t go down into the basement alone, but they do anyway. Doesn’t the sound of a chain saw and screams give the victim the slightest hint that bad things are happening in the basement? But they go, armed with a faulty flashlight and no cell phone signal. They meet their doom, over and over again.
Forgive my bluntness, but this is stupid. Defensive security is no way to go through life. We tell our kids not to be victims of bullies; we tell them to stand up to school thugs. We don’t practice what we preach though. Even police departments in the U.S. have paid ransoms to get their data back from ransomware thieves. The fire itself has gotten burned.
At what point are you going to stop playing the game where you don’t even know the rules? Penetration testing is not the same as an attack. A penetration test has a scope with limitations and boundaries. An attack has a goal and no time limit. In order to conduct a proper security test, you must use the Open Source Security Testing Methodology Manual (OSSTMM). If you want to prove trust in your network, you have to have a scientific and mathematically proven method instead of just some cool software.
Stop waiting for the bad guys to go away. They aren't going to leave. Start conducting proper security testing and become active in your role as a security professional. Grab the OSSTMM and start pursuing the animals eating all your friends. That fire is not getting any bigger.