I am fortunate enough that some of the new topics that I have discusd lately have generated interest in the community and the industry. As such, there are obviously voices that do not agree with the approach (I still like to call is SexyDefense, although the more adult part of me agreed to SDES – Strategic Defense Execution Standard).
More pointedly – there is the argument of “what would an offensive player know about defense”, and “defense is hard, we’ve done it [for our customers] forever, and people are fairly happy”. I’d like to tackle these two head on:
Yes, I’m mostly an offensive security person. I cannot deny my passion for Red-Teaming (heck – I’m good at it, and I enjoy it. Deal with it), nor my past research on finding issues with systems and organizations. Nevertheless, as we all know – practicing offensive security is done in order to boost defenses. Its main role is to find flaws in the defensive mechanisms and then amend them. Here comes the tricky part – amending them is also something that I do. I know, a shocker! But fortunately I’ve had a chance to work not only with small businesses, enterprises, and F-100 companies, but also with nation states and multi-national organizations… So yes – I know how hard defense is, and I have also practiced it and can say that I actually enjoyed it – especially since I was able to “sign off” of some great improvements in the defensive posture of such organizations. Last but not least – guess what happens after a Red-Team engagement is over? Right – a long, hard look at the systematic failures and vulnerabilities of the organization. And how to fix them, and how to prepare for another attack such as the one that the res-team simulated. (reality reminder – red-team is essentially adversarial modeling – probably the only true test of how an ACTUAL attack is going to look like on your organization. And guess what? It doesn’t look like a Nessus scan or a Metasploit autopwn…).
Second – yes, defense is hard. And this “newfangled” approach is something that has not only been tested in the real world, but it also makes sense <gasp>. Our old approaches of detection and “prevention”, using the same old tools (spell Anti-Virus, Firewall, Intrusion Detection/Prevention, DLP, and what-not) are not working. Let me say that again:
It’s not working!
Why? Simply – we keep chasing our tails with the same old issues. We are really good at Incident Response (some of us are making a nice chunk of money off it), but we really suck at actually improving the security posture over time. Hence my reference to ambulance chasing (i.e. incident response), vs. DNA research (actually changing the defensive strategy and posture to cut the number of incidents).
Personally – I have enjoyed some really tricky incident response engagements that challenged me and my customers (and sometimes led to the satisfying “gotcha” moment when coordinated with LE). Nevertheless, organizations do not really learn from such incidents. They have a short memory span, and get back to their old “look at the blinky lights on the firewall appliance” approach. However, changing the DNA is something waaay more interesting and rewarding. And that’s what we are trying to do here folks…
So – are you going to stay an ambulance chaser and keep rejecting the idea that your revenue stream may be affected if organizations take defensive security more seriously, or are you going to help the change and actually make an impact?