Lately I’ve been thinking of security operations in the context of the
duality of defensive and offensive operations. An offensive operation
may achieve little if it doesn’t account for the security controls
deployed by a defensive team. Conversely, a defensive operation must take
into account the tools and tactics used by the various categories of
offensive operations. In this view, security operations is the
combination of offensive and defensive operations. It is the competition between these
An offensive operation can exist without a defensive counterpart;
a defensive operation, however, cannot exist in a successful or
sustained fashion without at least one effective offensive operation
to counter. The perception that offensive operations do not exist, are
ineffective, or are otherwise in a nebulous or unknown state is an
undertone in the continually incorrect risk calculations performed by
business leaders. This was recently reflected in both the Sony and
RSA breaches of 2011 and their apparent disregard for defensive
If security operations is the duality of defensive and offensive
operations, what are defensive and offensive operations? An offensive
operation is the willful and sustained intent of an actor or a set of
actors to control your technology or information against your will.
The operation includes the actors as well as their specific strategy,
tools, tactics and procedures. For instance, the Zeus Trojan is not an
offensive operation but a tool of one. Exfiltrating data as encrypted
RAR files to a drop host is not an offensive operation but may be a
procedure of one. A defensive operation is the willful and sustained
intent of actors to prevent such control. This operation may include
tasks such as incident detection and response, architecture design, and
vulnerability discovery and correction. More on what makes up a
defensive operation will be outlined in later posts.
The defensive posture built over the last several years has
strengthened to a degree that generally deters automated threats such
as worms and brute-force scanners. The slow and steady advancement of
security over the last twenty years has yielded an unexpected result:
the offensive side has moved to sustained operations.
- Defensive operations must move to a sustained model of operation in
order to counter this growth of depth by nearly all offensive
- It is in the best interest of an offensive operation to maintain a
continuing bag of tools, tactics and procedures and to use each as
needed over a long period of time.
- Offensive operations are no longer reliant on a particular exploit.
Unlike twenty years ago, such exploits are only a subset of the tools at
the disposal of the offensive operation.
- Nearly all defensive operations are exceptionally bad at
acknowledging and sharing the offensive operations’ tools, tactics and
procedures with each other. I suspect this lack of acknowledgement and
sharing of information is a contributing factor to successes by the
- Correcting vulnerabilities as they are uncovered does negligible good
for the defenders, while deterring known tools, tactics and procedures
has a greater impact.
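To make the last point concrete, here is an added example (mine, not code from the original post) of what "deterring a known procedure" looks like in practice: a detection for the "encrypted RAR files to a drop host" procedure mentioned earlier, run over a few constructed log lines. It does not care which exploit or tool got the attacker onto the machine; it keys on the procedure itself. The pipe-delimited log format, the hostnames, paths, addresses and the 30-minute correlation window are all assumptions made for illustration and do not come from the page.

```python
"""Procedure-level detection: an encrypted RAR archive is created, then the
same host opens an outbound connection to an external address shortly after.

Added example, not code from the original post. The log format below is an
assumption for illustration (two event kinds, pipe-delimited):
  ts|host|proc|<image> <command line>
  ts|host|net|<dst_ip>:<dst_port>
"""
import ipaddress
import re
from datetime import datetime, timedelta

# rar/winrar invoked with a password switch: -p<pw> encrypts file data,
# -hp<pw> also encrypts the headers (file names). Either is suspicious when
# followed by an outbound connection from the same host.
RAR_ENCRYPT = re.compile(r"(?i)(?:^|[\\/\s])(?:win)?rar(?:\.exe)?\s.*\s-h?p\S*")

# Assumption: only RFC 1918 space is "internal"; everything else is external.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# How long after archive creation an outbound connection is still correlated.
WINDOW = timedelta(minutes=30)

# Constructed sample log: ws-17 stages an encrypted archive and then talks to
# an external host; ws-42 creates an ordinary, unencrypted archive.
SAMPLE_LOG = """\
2011-06-01T10:00:01|ws-17|proc|C:\\Windows\\System32\\svchost.exe -k netsvcs
2011-06-01T10:03:12|ws-17|proc|C:\\tools\\rar.exe a -hp9f3k -m5 -v5m C:\\temp\\upd.rar C:\\Users\\fin\\Documents
2011-06-01T10:04:00|ws-17|net|10.1.2.3:445
2011-06-01T10:09:40|ws-17|net|203.0.113.25:443
2011-06-01T11:15:00|ws-42|proc|C:\\Program Files\\WinRAR\\WinRAR.exe a backup.rar C:\\Users\\bob\\Pictures
2011-06-01T11:16:00|ws-42|net|198.51.100.7:80
"""


def is_external(ip):
    """True when ip is outside the RFC 1918 ranges and is not loopback."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_loopback and not any(addr in net for net in INTERNAL)


def parse(line):
    """Split one log line into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def detect(log_text, window=WINDOW):
    """Return one alert per external connection that follows an encrypted
    archive creation on the same host within `window`."""
    staged = {}   # host -> (timestamp, command line) of latest encrypted archive
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = parse(line)
        if kind == "proc" and RAR_ENCRYPT.search(detail):
            staged[host] = (ts, detail)
        elif kind == "net" and host in staged:
            dst_ip, _, dst_port = detail.rpartition(":")
            t0, cmd = staged[host]
            if is_external(dst_ip) and timedelta(0) <= ts - t0 <= window:
                alerts.append({
                    "host": host,
                    "staged_at": t0.isoformat(),
                    "archive_cmd": cmd,
                    "dst": dst_ip,
                    "dst_port": int(dst_port),
                    "connected_at": ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: encrypted archive at {a['staged_at']}, then "
              f"{a['dst']}:{a['dst_port']} at {a['connected_at']}")
```

On the sample input this fires once, for ws-17, and stays quiet for ws-42, whose archive was not password-protected. The rule alerts on every external connection inside the window, so a host that both stages an archive and legitimately browses the web will produce noise; in practice you would add the usual allow-lists and size thresholds. The point stands regardless of tuning: nothing here depended on knowing which vulnerability was used for initial access.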
If you haven’t read it, my cause and
post from last year attempts to compare defensive and offensive operations.