Date

A bit of a philosophical question to the reader:  What is the relationship of security defenders to offense/criminals?  I submit the current accepted belief sees us (the defenders) as a reaction to offensive tactics.  More precisely, security folk tend to observe “defense” as an effect of it’s cause, namely, “attack” or possibly “vulnerability”.  This rationality manifests itself through reliance on compliance programs or classical risk analysis ( R=(tva), ALE, etc). I think we can do better, but first need to rationalize security in a different light.  Resemblance.  We need to compare ourselves to our various adversaries and recognize we run similar operations.  Defense holds significant characteristics and qualities of “Offense”.  This includes attributes such as:

.. raw:: html
time, motive, ability, techniques, tools, tactics, procedures, operations security (and deception!), collaboration with peers, reputation, money, clarity of mission, infrastructure, law, enemies, competition, allies, customs/culture, politics, visibility, knowledge, skill, strategy, team size, team cohesion, maturity, experience, rapidity, incentive/reward, friction, customers, sellers, brokers, trust, primary loyalty,and more. (in no particular order and not exhaustive) .. raw:: html

I do think it’s healthy to consider defense and offense as one and the same instead of polar opposites.  If we can compare a defenders attributes versus a particular class of adversary we could potentially draw a consistent method of finding strategic weaknesses to learn from. So briefly applying this idea:  Our (as in defenders) five largest and consistent gaps compared to attackers include skills, collaboration, money, clarity of mission, and infrastructure.  The offense is better than us.  Indeed, not only do they collaborate as a community but they also freely lift novel techniques from legitimate security researchers.  They are not a cost center but actually turn a profit.  This happily leads to a very clear mission.  All this in combination also allows clever and resilient infrastructures. One fortunate item, the  broad offensive community is a black market.  Black markets focal point is trust.  Folks with authority should go focus on disruption of these trust reputations between members (linkages between sellers, brokers, customers, etc). rubbish? redundant? useful?