Learning Wrong Lessons from Offense

A really interesting talk from Haroon Meer at the t2 conference in Finland (2016)

A collection of points I wrote down while watching it, and that I would like to highlight:

  • Enterprises are still finding out they were hacked because stolen data often ‘self-advertises’ the hack. Where this isn’t the case, enterprises go months or years without knowing.
  • Think like an attacker: try thinking like a chef and see how well you do in the kitchen (quoting a 2008 post from emergentchaos.com).
  • The cargo cult science of learning from offense.

offense vs defense

  • Offense has a tight feedback loop (attacks either succeed or they don’t), whereas defense can believe it is doing something meaningful when all that has actually happened is that you have not been attacked on your watch yet.
    • Defense ends up doing things of very little value, like forcing people to change their password every two weeks.
  • Offense understands cost better than defense does.
    • Offense knows the cost of attacking and usually knows the value of the prize it is after, whereas defense doesn’t necessarily know how the attacker values its information or how much it costs them to attack.
  • Attackers only have to win once: discovered offense burns toolsets and TTPs. See:
    • They get to choose time and cadence.
    • Complexity tends to favor the attacker.
    • Attackers’ ability to throw tools away once they are no longer useful.
    • Clarity: attackers specialize while defenders do it all.
    • Attackers write more code. Defenders need to write more stuff, own their tools, and rely less on blinking lights and SLAs (I really liked the way Haroon spoke about this one).

defender disadvantages

  • Least privilege: people complain about lacking permissions, but no one complains about having too much access.
  • Enterprise obstacles: the defenders’ attitude of “if only they did it right”.

defender advantages

  • Network awareness: attackers choose when, but defenders choose where.
  • Custom detection: there’s value in things put together by defense. There’s also value in a little security by obscurity, as long as it’s not the only thing you rely on: add variables that attackers can’t easily guess.
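As an illustration of the last two points (defenders choose where, and custom detection built on variables an attacker cannot guess), here is a small added example of a canary-based detector. It is my own code, not something from the talk: the decoy URL path, decoy account and decoy hostname are constructed for this example, and the log lines it scans are constructed too. Nothing legitimate ever references the decoys, so any touch of them, even a failed one (the 404 and the failed login below), is a high-fidelity alert that needs no signature of the attacker’s tooling.

```python
"""Canary-based custom detection: alert on any touch of decoy objects that no
legitimate user, script or document references (example code, not from the talk)."""
import re
from dataclasses import dataclass

# Decoys planted by the defender. All names are constructed for this example and
# should be unique to your environment so an attacker cannot guess them.
CANARIES = {
    "http": {"/internal/finance-backup-2016.zip", "/admin/db-export.php"},  # decoy URLs
    "auth": {"svc-legacy-backup"},                # decoy account, never used legitimately
    "dns": {"prod-hsm-gateway.corp.example"},     # decoy hostname only present in a planted config
}

# Minimal parsers for three log shapes: web access log, sshd auth log, DNS query log.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)'
)
DNS_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+)')


@dataclass(frozen=True)
class Alert:
    kind: str       # which canary family was touched: http, auth or dns
    indicator: str  # the decoy that was touched
    src: str        # source address seen in the log line
    line: str       # the raw evidence


def check_line(line: str):
    """Return an Alert if the line touches a canary, else None."""
    m = ACCESS_RE.match(line)
    if m:
        # Strip any query string; the decoy path itself is the indicator.
        path = m.group("path").split("?", 1)[0]
        if path in CANARIES["http"]:
            return Alert("http", path, m.group("src"), line)
        return None
    m = AUTH_RE.match(line)
    if m:
        # Any use of the decoy account is suspicious, success or failure.
        if m.group("user") in CANARIES["auth"]:
            return Alert("auth", m.group("user"), m.group("src"), line)
        return None
    m = DNS_RE.match(line)
    if m:
        qname = m.group("qname").rstrip(".").lower()
        for host in CANARIES["dns"]:
            if qname == host or qname.endswith("." + host):
                return Alert("dns", host, m.group("src"), line)
    return None


def scan(log_text: str):
    """Scan a blob of mixed log lines and return all canary alerts in order."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        alert = check_line(line)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Map each source address to the sorted list of canary families it touched."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


# Constructed sample input: one benign host (10.0.4.21) and one that is poking
# at things it should never know about (10.0.9.77).
SAMPLE_LOG = """\
10.0.4.21 - - [12/Oct/2016:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.9.77 - - [12/Oct/2016:09:15:30 +0000] "GET /internal/finance-backup-2016.zip HTTP/1.1" 404 212
Oct 12 09:16:01 fileserver01 sshd[2201]: Accepted publickey for alice from 10.0.4.21 port 51022 ssh2
Oct 12 09:16:44 fileserver01 sshd[2214]: Failed password for invalid user svc-legacy-backup from 10.0.9.77 port 40210 ssh2
2016-10-12T09:17:10Z 10.0.9.77 query: prod-hsm-gateway.corp.example.
2016-10-12T09:17:11Z 10.0.4.21 query: www.example.com.
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.src} touched canary {a.indicator!r}")
    print(summarize(found))
```

The value here is not the parsing, which is deliberately simple, but the shape of the signal: three unrelated log sources converge on one address because every decoy is something only an intruder exploring the environment would touch. The decoy values are the "variables that attackers can’t easily guess"; rotate them if they ever leak, and keep them out of any documentation an attacker could read.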

what we can do

  • Expect breach: how quickly can we detect it, how can we contain it, how can we respond. And KNOW your network.
  • Learn your stuff
    • USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers (video id bDJb8WOJYdA)
  • Build it! Embrace the hackiness, as in: get the solution that works; defense is a series of hacks too.