When Offense and Defense Become One (and evidence against the gold conspiracy)

It’s been a while since I’ve gone into abstract security theory…

Computer security specialist Ed Skoudis points out on the SANS blog that, at very high levels, offensive techniques and tools are often useful for defensive purposes… and vice versa.

In other words, at some point the defender becomes an attacker (trying to attack the attacker’s attack) and the attacker becomes a defender (defending against the defender’s attack on the attacker’s attack).

Presumably after enough time passes, the layers of attack and defense are folded in on each other until we see a sort of computational Damascus steel (or the geek’s approach to Hegelian dialectic).

In all seriousness, this does mean you always have to maintain a bit of knowledge and fluency in both sides of the security game. It also means that, in a pinch, extreme strength on one side can be used for the other. Certainly Clausewitz and Napoleon observed that attack can be used for defense… but defense can enable attacks that would otherwise never make it to succeed.

Defense can even be a form of attack: in attacking unsuccessfully, the adversary loses resources and we gain potentially valuable information.

Evidence against the gold conspiracy: The guys over at Monetary Metals looked at the charts and concluded the recent gold price drop was due as much to people selling physical gold as it was to people selling paper gold… in other words, if you believe their analysis, a sudden $10 billion sale of gold futures was not the only or necessarily the definitive cause of the gold price drop. (http://monetary-metals.com/april-21-2013/ — free, 10 second registration required, mailinator.com for the win)

http://pen-testing.sans.org/blog/pen-testing/2013/04/08/when-offense-and-defense-become-one

“…many of the techniques covered in his SANS 575 course on mobile device security and ethical hacking could also be used for mobile device forensics analysis. That is, Josh’s work on analyzing mobile device apps and images for information leakage and other vulnerabilities could likewise be applied in a forensics fashion to find evidence. Similarly, Steve Sims, author of the SANS 660 course on advanced penetration testing, and I were chatting a couple months ago about how some of the techniques in his new advanced exploit writing course (advanced use of static and dynamic analysis of software to find flaws) are similar to those used in the SANS 610 course on reverse engineering malware. Furthermore, Rob Lee, lead author of SANS courses on Digital Forensics (particularly SANS FOR408 and FOR508), and I had been chatting about the topic of offensive forensics over the past six months or so. With offensive forensics, the goal is for attackers who have gained access to a target environment to locate and exfiltrate sensitive information without getting noticed. It uses forensics techniques to find the needle in the haystack, and to steal that needle.[…]

It’s kind of a beautiful symmetry about how offense and defense techniques and skills sometimes merge at sufficiently advanced levels. On the surface, you may think that this is merely a restatement of the idea that “Offense must inform defense.” But, it’s not. It goes deeper. While it’s true that offense must inform defense (you can’t properly defend unless you know what the attackers are doing), we’re talking about offense and defense techniques being used “contra cyclical” and in fact, becoming integrated into one.[…]

we’ve got a multi-billion dollar segment of the infosec industry that is actually built on selling commercial rootkits, also known as endpoint security suites.[…]

As bad guys build ever-larger botnets for evil, crime, and a good dose of mayhem, they are hitting some stumbling blocks in managing hundreds of thousands to millions of machines. These are the same stumbling blocks that good guys faced in large enterprises […] we’ve got an offensive technology (botnets) using defensive admin capabilities at ginormous scales. […]

Once the malware is implanted, that attacker wants to defend that asset and its communication channel in the target environment, or else all the work of infiltrating it in the first place has gone to waste. The communications channel itself needs to be subtle and certainly encrypted, lest the attackers tip their hand to defenders. Again, we see defensive techniques used to protect an offensive maneuver.[…]

Some of these blue teams have used traditionally offensive techniques (such as deployment of Metasploit’s Meterpreter) on their own guarded systems to help give them control over the machines so that they can detect and eradicate the red team’s presence. Again, here we see a traditionally offensive tool used for a defensive purpose.”

Advertisements
%d bloggers like this: