My next class:

Offensive or Defensive Security? Both!

Published: 2016-06-09. Last Updated: 2016-06-10 06:22:12 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Sometimes students ask me the best way to jump into "the security world". I usually compare information security to medicine: You start with a common base (a strong knowledge in "IT") then you must choose a "specialization": auditor, architect, penetration tester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped in two categories: "offensive" and "defensive". Many people like the first one because it looks more funny and the portrait of the hacker as depicted in Hollywood movies is tough! Being involved in a few call for papers for security conferences, I see a clear trend in submissions focusing on offensive security.

If breaking stuff is always nice (playing the "red team"), being able to defend them against attackers is also very rewarding (playing the "blue team"). So, back to the first student's question: Which side of the force to choose? I can't answer this question for you! It's a very personal choice based on your feelings but one thing is certain. There is clear overlapping between offensive and defensive security. Why? Here are two examples.

First from a defender perspective. To be able to properly defend your assets, you must know what techniques and tools will use the bad guys against you. This is the principle of "Know your enemy!". If you're involved in a security incident, your knowledge of the bad side will be very helpful to find how your server was compromised. If you're implementing a solution or writing some code, try to think as a bad guy and ask yourself "How would I try to break my setup".

On the other side, from an attacker perspective, you can improve your tasks by using defenders' techniques. While performing a pentest, we don't have unlimited time. A good idea is to rely on forensics investigation techniques. Indeed, operating systems like Microsoft Windows are well-known to keep trace of all the user activities in multiple places. It is possible to trace back all the actions performed by a user (which applications he started, the last files opened, network shares mounted, etc). This is a gold mine for a pentester too. Imagine that you just compromised a computer. You've your Meterpreter shell ready. And now? To save your time, just check the latest files opened by the victim, there are chances that they will be business related and contain juicy information. Which internal sites he visited? That's nice targets to pivot! 

So, offensive or defensive security? Choose the one you like but think about both!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

1 comment(s)
My next class:

Comments

Nice post Xavier,

As a IT security professional with 25 years of experience on both sides of the battle lines, I have found it more rewarding to be able to help system owners develop a security program for "all the things" that are important to them. That can be a daunting task unto itself because many businesses and organizations have many things to be concerned about.

- Business operations and requirements
- Data integrity, confidentiality, and availability
- Customer perception and relations
- Cost of ownership and operations
- Legal requirements
- Scalability and responsiveness to change
- Resource availability (supply chain and HR)
- Employee and partner relations
- Things you may never have considered

All of the things of concern have to be plugged into some sort of risk management program that helps determine a path forward.

As you stated "know your enemy" is important... it is also just as important to "know yourself".
I lost count the number of times I was asked to help improve a security program where the first 2, much less the first 6, items on the Critical Security Controls list were only marginally addressed.
It is impossible to protect all the things, if you do not have answers to
- What are all the things?
- Why the things exist?
- How are the things configured or arranged?
- Where they are located?
- Who uses/manages them?
- What is each thing expected to do for the organization?
- What would happen if the things were corrupted, disrupted, or eliminated?

Achieving deep knowledge of all the things can seem to be an impossible mission. It is a endless marathon of effort. Patience and persistence will be needed in truckloads.
I argue it is possible if the system owners provide the willpower, directive, and resources necessary to get things done and keep on top of it.

As a security professional, it is my primary job to educate, convince, and negotiate with the business owners what is necessary, how it can be accomplished, and what it will take to maintain it once established... all while providing confidence that the effort and expense is worthy.

"If you know the enemy and know yourself you need not fear the results of a hundred battles." - Sun Tzu

Keep fighting the good fight!!.. no matter what part of the war you choose to engage.

Diary Archives