
Lately I’ve been thinking of security operations in the context of the duality of defensive and offensive operations. An offensive operation may achieve little if it doesn’t account for the security controls deployed by a defensive team. Conversely, a defensive operation must take into account the tools and tactics used by the various categories of offensive operations. In this view, security operations is the combination of both offensive and defensive operations: it is the competition between the two.



An offensive operation can exist without a defensive counterpart; however, a defensive operation cannot exist in a successful or sustained fashion without at least one effective offensive operation to counter. The perception that offensive operations do not exist, are ineffective, or are otherwise in a nebulous or unknown state is an undertone in the continually incorrect risk calculations performed by business leaders. This was recently reflected by both the Sony and RSA breaches in 2011 and those organizations’ apparent disregard for defensive personnel.


If security operations is the duality of defensive and offensive operations, what are defensive and offensive operations? An offensive operation is the willful and sustained intent of an actor or a set of actors to control your technology or information against your will. The operation includes the actors as well as the actors’ specific strategy, tools, tactics or procedures. For instance, the Zeus Trojan is not an offensive operation but is a tool of an offensive operation. Exfiltrating data through the use of encrypted RAR files to a drop host is not an offensive operation but may be a procedure of one.


A defensive operation is the willful and sustained intent of actors to prevent such control. This operation may include tasks such as incident detection and response, architecture design, and vulnerability discovery and correction. More on what makes up a defensive operation will be outlined in later posts.


The defensive posture built over the last several years has strengthened to a degree that generally deters automated threats such as worms or brute-force scanners. The slow and steady advancement of security over the last twenty years has yielded an unexpected result: the offensive side has moved to sustained operations.


Some conclusions:

  • Defensive operations must move to a sustained model of operation in order to counter this growth in depth by nearly all categories of offensive operation.
  • It’s in the best interest of an offensive operation to maintain a continuing bag of tools, tactics and procedures and to use each as needed over a long period of time.
  • Offensive operations are no longer reliant on a particular exploit. Unlike twenty years ago, such exploits are only a subset of the tools at the disposal of the offensive operation.
  • Nearly all defensive operations are exceptionally bad at acknowledging and sharing the offensive operation’s tools, tactics and procedures with each other. I suspect this lack of acknowledgement or sharing of information is a contributing factor to the successes of the offensive operation.
  • Correcting vulnerabilities as they are uncovered does negligible good for the defenders, while deterring known tools, tactics and procedures has a greater impact.

If you haven’t read it, my cause-and-effect post from last year attempts to compare defensive and offensive operations.