A debate recently flared up on Twitter around creating and sharing high-quality Offensive Security Tools (OST), such as Empire. Richard Bejtlich came out against it, saying that such tools were doing more harm than good.
“We believe that Powershell and Empire framework will remain a major threat vector employed by APTs, malware authors, and Red Teams.” SO WHY ARE YOU UPDATING IT? You are improving capabilities you explicitly say are *used by bad guys.* Scottie, beam me up from this bizarro world. https://t.co/3Pnrrel5DA— Richard Bejtlich (@taosecurity) December 23, 2019
I was about to reply to him pointing out that OST are how Red Teams are able to convince Blue Teams that they need to take the situation seriously. But Amit Serper had just made the same point.
Because that's the only way everyone moves forward. The red team's purpose is to improve the blue team. If APTs won't use PSEmpire they'll create something unknown for themselves (which they often do). Keep sharing knowledge ➡️ keep getting better. https://t.co/G2Gtdwt2pT— Amit Serper (@0xAmit) December 23, 2019
I thought that was the end of it, but then Andrew Thompson showed up and dropped a blog post of his that sent my brain into Cognitive Dissonance Level 7—which is a good sign that an opportunity for learning may be in the area.
OFFSEC as a discipline serves the interests of security. Offensive Security Tools (OSTs) aid OFFSEC in serving the interests of security. OST release on the public internet is not the best way to do it. More in my blog: https://t.co/xplmbJs1Px— Andrew Thompson (@QW5kcmV3) December 23, 2019
Then I started chatting with my friend Joel Parish, and he mentioned something interesting. He said the whole conversation made him revisit his ideas about gun control. And I was like, “What? How does it…oh.”
So that’s why I’m writing this—to compare the two. And specifically to ask and answer the question of how one can be generally pro-gun control and pro-OST at the same time.
When I say guns, I mean reasonable guns.
I think the best place to start is by acknowledging for both guns and OST that there is both positive and negative. It’s hard to argue against a handgun or shotgun for home defense, or for Nmap or Burp for protecting your own assets.
I think the disagreement lies at the extremes where one or more thresholds are reached, and those thresholds can be of multiple types:
- Proliferation: some tipping point of too many guns
- Power: people having access to AK-47s and body armor
- Indefensibility: armor-piercing rounds, undetectable construction materials
I’ve written about similar tradeoffs in regard to gun control, and what they taught me then was that weapons don’t exist without context.
This reminds me of what I just learned about genetics, actually, which is basically that it’s useless to talk about what a gene does without knowing the environment it’s in.
For guns, I think it’s possible to have an environment where having a gun in the house is better for that homeowner, and better for society. And the same goes for concealed carry laws.
But, crucially, there’s a multi-variate threshold beyond which adding additional guns becomes bad and/or where removing guns becomes good.
This is all a matter of data.
This is a big assumption, and one of the reasons the gun control debate is so squishy.
Assuming a community can agree what good and bad mean, and we can measure the variables that we’re testing against, e.g., current crime rate, average age of males, education level, current number of guns, etc., we should be able to adjust variables and observe changes. Or we can look at multiple communities where those variables are naturally different.
But each society should have some ideal number and type of guns based on these shared goals and variables.
As I talked about in that piece on gun control, you could have a situation where the local criminals are robbing people and businesses with impunity using handguns, and they’re doing so because they know their targets are not allowed to carry them.
Adding a concealed carry law and doing an advertising campaign around lawful gun owners fighting back could massively reduce gun crime in that environment, which is a position that many seem unwilling to consider.
But once you inject more guns into the population, you still have young men, and you still have alcohol, and you still have accidents. So while a certain type of harm might have decreased, you might have significantly increased the number of kids being hurt with those same pistols at home, or random fights resulting in shootouts. Just because the guns were there when they weren’t before.
Right, so let’s transition to OST.
It seems to me that the crucial point is whether the presence of the offensive tool adds to the defense of the population. And similar to guns, it seems like this happens in two main ways:
- Raising awareness and visibility
- Improving resilience via benign exposure to real-world TTPs and compromise
But both of these require that you actually benefit from them happening to you.
If you can make a tangible change by learning about a TTP, then the OST that made that happen was helpful. If you can make a tangible change that improves defense against the same TTPs after being battered, then it was helpful to take the whoopin’.
I think—and I’m not sure this is correct—that the argument being made by Richard and others is that some of the tools are so good that you can’t realistically defend against them.
If awareness doesn’t help you, and getting owned by the Red Team doesn’t help you—then why are we doing it?
Maybe the tools are so good that any defenses erected become negligible upon the next attack. Or maybe it’s theoretically possible to defend against them, but most people don’t have security teams, so the point is moot.
I think those are the two main points being conflated and/or argued in this debate.
Is the state of security so bad that more OST is like dropping off guns in a bad neighborhood? Where you know you’re only going to produce more victims, and not more deterrent or resilience?
Or is the state of OST tools so good that more OST is like releasing plans to an undetectable poison that you can make in your kitchen, and that can kill tens of thousands with a thimbleful?
If one or both of those is true—and to the extent that they are—I absolutely see the point. Those are some of the same reasons that people are pro-gun-control.
Me personally, I’m all about understanding the environment that the weapons are being introduced into. Having data on it. And therefore knowing how your stimuli will affect outcomes.
35% of orgs, WITH A CIO, have ZERO cybersecurity staff, per 2018 Gartner global study of 3,160 orgs with CIOs. What do you think the stat is for those without CIOs? Probably also zero. Twitter infosec is the top 10%, at best, arguing with each other. https://t.co/TXD8G2oJRJ— Richard Bejtlich (@taosecurity) December 23, 2019
Richard is talking about how few companies actually have any legitimate defenses, and the percentage that can defend against a decent Red Team is way less than 65%, so that seems to be driving his position.
I can’t say I disagree with that.
I had a crazy idea this morning that I don't actually believe, but thought would be a great book idea.
What if all this local municipality hacking and ransomware was part of a government resilience exercise?
Don’t want to patch? Cool. Prepare to be shut down.— ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler) December 16, 2019
But I also said recently on Twitter that it would be super interesting if all these city ransomware cases were actually a Federal government Red Team exercise designed to do tough-love resilience training.
In other words, if you can’t survive this then you’re not going to survive what China, Russia, and Iran are about to throw.
So here’s where I think I stand on this.
We shouldn’t try to ban OST as an alternative to doing the hard work of hardening.
- OST can do good and can do harm.
- How much of each you’re getting depends on multiple environmental factors.
- If it’s possible to learn from OST and get better as an organization, city, or country, I lean heavily towards MORE OST.
- Where it is completely impossible to learn and improve from OST, or where the OST is so advanced that it makes learning/improvement pointless, I am willing to have a conversation about controlling it.