Don’t Envy the Offense

December 28, 2014


Thanks to Leigh Honeywell I noticed a series of Tweets by Microsoft’s John Lambert. Aside from affirming the importance of security team members over tools, I didn’t have a strong reaction to the list — until I read Tweets nine and ten. Nine said the following:

9. If you shame attack research, you misjudge its contribution. Offense and defense aren’t peers. Defense is offense’s child.

I don’t have anything to say about “shame,” but I strongly disagree with “Offense and defense aren’t peers” and “Defense is offense’s child.” I’ve blogged about offense over the years, but my 2009 post Offense and Defense Inform Each Other is particularly relevant. John’s statements are a condescending form of the phrase “offense informing defense.” They’re also a sign of “offense envy.”

John’s last said the following:

10. Biggest problem with is that think in lists. think in . As long as this is true, attackers win

This Tweet definitely exhibits offense envy. It plays to the incorrect, yet too-common idea, that defenders are helpless drones, while the offense runs circles around them thanks to their advanced thinking.

The reality is that plenty of defenders practice advanced thinking, while even nation-state level attackers work through checklists.

At the high end of the offense spectrum, many of us have seen evidence of attackers running playbooks. When their checklist ends, the game may be up, or they may be able to ask their supervisor or mentor for assistance.

On the other end of the spectrum, you can enjoy watching videos of lower-skilled intruders fumble around in Kippo honeypots. I started showing these videos during breaks in my classes.

I believe several factors produce offense envy.

  1. First, many of those who envy the offense have not had contact with advanced defenders. If you’ve never seen advanced defenders at work, and have only seen mediocre or nonexistent defense, you’re likely to mythologize the powers of the offense.
  2. Second, many offense envy sufferers do not appreciate the restrictions placed on defenders, which result in advantages for the offense. I wrote about several of these in 2007 in Threat Advantages — namely initiative, flexibility, and asymmetry of interest and knowledge. (Please read the original post if the last two prompt you to think I have offense envy!)
  3. Third, many of those who glorify offense hold false assumptions about how the black hats operate. This often manifests in platitudes like “the bad guys share — why don’t the good guys?” The reality is that good guys share a lot, and while some bad guys “share,” they more often steal, back-stab, and inform on each other.

It’s time for the offensive community to pay attention to people like Tony Sager, who ran the Vulnerability Analysis and Operations (VAO) team at NSA. Initially Tony managed independent blue and red teams. The red team always penetrated the target, then dumped a report and walked away.

Tony changed the dynamic by telling the red team that their mission wasn’t only to break into a victim’s network. He brought the red and blue teams together under one manager (Tony). He worked with the red team to make them part of the defensive solution, not just a way to demonstrate that the offense can always compromise a target.

Network defenders have the toughest job in the technology world, and increasingly the business and societal worlds. We shouldn’t glorify their opponents.

Note: Thanks to Chris Palmer for his Tweet — “He [Lambert] reads like a defender with black hat drama envy. Kind of sad.” — which partially inspired this post.

Read More