SANS Penetration Testing

When Offense and Defense Become One

By Ed Skoudis

Over the past month or so, I've been pondering a phenomenon and some of its implications, running the idea by some of my friends to spur some interesting conversations. I've spoken with penetration testers, security researchers, military planners, forensics experts, defensive operators, incident response specialists, red teamers, blue teamers, and a variety of security curmudgeons about it. The idea is this: at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical. I don't claim that this is a particularly new idea, but I do think that it can be fun to contemplate and is perhaps useful. Let me tell you how I came to this observation, and then expand on some examples and implications.

While I was at the RSA Conference in February, my buddy Josh Wright contacted me and told me how many of the techniques covered in his SANS 575 course on mobile device security and ethical hacking could also be used for mobile device forensics analysis. That is, Josh's work on analyzing mobile device apps and images for information leakage and other vulnerabilities could likewise be applied in a forensics fashion to find evidence. Similarly, Steve Sims, author of the SANS 660 course on advanced penetration testing, and I were chatting a couple months ago about how some of the techniques in his new advanced exploit writing course (advanced use of static and dynamic analysis of software to find flaws) are similar to those used in the SANS 610 course on reverse engineering malware. Furthermore, Rob Lee, lead author of SANS courses on Digital Forensics (particularly SANS FOR408 and FOR508), and I had been chatting about the topic of offensive forensics over the past six months or so. With offensive forensics, the goal is for attackers who have gained access to a target environment to locate and exfiltrate sensitive information without getting noticed. It uses forensics techniques to find the needle in the haystack, and to steal that needle.

Also, John Strand and Paul Asadoorian have been doing some really great things with offensive countermeasures, presenting sessions and teaching classes on how defenders can set things up to really mess with attackers in their midst and artfully strike back "in degrees" as their website puts it. John and Paul have done some great thinking along those lines, and it's fun to chat with them about it.

These chats together got me thinking. It's kind of a beautiful symmetry about how offense and defense techniques and skills sometimes merge at sufficiently advanced levels. On the surface, you may think that this is merely a restatement of the idea that "Offense must inform defense." But, it's not. It goes deeper. While it's true that offense must inform defense (you can't properly defend unless you know what the attackers are doing), we're talking about offense and defense techniques being used "contra cyclical" and in fact, becoming integrated into one.

Also, this concept is not a mere restatement of "The best defense is a good offense." That's also true, but it tends to focus on kicking the crap out of your adversaries so you don't have to defend against their advances. This is different. We're talking about a two-way symmetry, including how offensive skills can be used defensively, defensive skills can be used offensively, and how these skills merge.

Also, please note that I'm not saying that offense and defense always merge, or that they are always the same thing. But, I think the techniques behind each have more in common than is typically observed.

When I first ran the idea by my friends, some of them jumped on board immediately as we started brainstorming through various examples. Others opposed the idea at first, but as I cited more examples, they became more convinced. A few even told me that they found the convergence and symmetry rather beautiful, and may be useful in re-applying offensive or defensive techniques in new contexts that we haven't considered before.

In addition to the examples cited above (mobile app and image analysis, malware/software static and dynamic analysis, offensive forensics, and offensive counter measures), to illustrate this convergence further, consider these examples:

  • Endpoint security suites: Have you ever pondered what these tools really are? With their integrated anti-virus, personal firewall, and host-based Intrusion Prevention Systems, they operate at a fairly low-level of most operating systems, hooking all kinds of system calls so that administrators can maintain control of the machine. Wait? that's a rootkit! The only difference between an endpoint security suite and most rootkits is the level of functionality and who controls it: good guy administrators or bad guys. So, we've got a multi-billion dollar segment of the infosec industry that is actually built on selling commercial rootkits, also known as endpoint security suites.
  • Botnet infrastructure administration: As bad guys build ever-larger botnets for evil, crime, and a good dose of mayhem, they are hitting some stumbling blocks in managing hundreds of thousands to millions of machines. These are the same stumbling blocks that good guys faced in large enterprises: How can you properly manage and maintain control over vast numbers of systems? You build a rock solid infrastructure and robust admin communication capabilities, that's what you do. Botnet operators are certainly amping up the sophistication of their remote, distributed administration capabilities. Further, they need to protect their administrative servers to prevent them from being compromised by investigators. Extreme hardening, detailed analysis, and DNS-fast-flux techniques all come in handy to bad guys to maintain control of their botnets. So, we've got an offensive technology (botnets) using defensive admin capabilities at ginormous scales.
  • Protecting command and control channels of implanted malware assets: Forget widespread botnets for a while. An attacker may spend days, weeks, months, or more getting a piece of malware implanted in a target environment infecting just a small number of Very Important Computers (VICs, anyone?). I dunno, maybe they are used to operate industrial control systems or centrifuges or something. Once the malware is implanted, that attacker wants to defend that asset and its communication channel in the target environment, or else all the work of infiltrating it in the first place has gone to waste. The communications channel itself needs to be subtle and certainly encrypted, lest the attackers tip their hand to defenders. Again, we see defensive techniques used to protect an offensive maneuver.
  • Capture-the-Flag games: I am an avid CtF player, and enjoy offensive, defensive, and analytic challenges. I've observed that even in traditionally defensive games which explicitly prohibit counter attack, sometimes offensive techniques can be helpful in maintaining control of systems participants must defend (without violating the rules of such defensive games). For example, at the amazing Cyber Defense eXercise (CDX) challenge sponsored by the NSA for the various military academies in the US, blue teams are required to prevent, detect, and respond to attacks by the red team against an infrastructure the blue team builds. Some of these blue teams have used traditionally offensive techniques (such as deployment of Metasploit's Meterpreter) on their own guarded systems to help give them control over the machines so that they can detect and eradicate the red team's presence. Again, here we see a traditionally offensive tool used for a defensive purpose.
  • CyberCity Missions: I have the honor of working with a team that is building NetWars CyberCity, a cyber range in the form of a miniature, 6' x 8' city with various real-world assets such as a power grid (complete with SCADA systems), water reservoir (with Human Machine Interfaces), traffic light system, railroad (again SCADA controlled), and more. CyberCity is designed to help show cyber warriors, their leadership, and military planners that computer attacks and defenses can have kinetic impact: moving things, breaking them, or even destroying them. Various CyberCity missions challenge participants to prevent terrorist bad guys from wreaking physical havoc in the city through computer attack. For example, we have a mission in which bad guys have hacked into the power grid to cause a blackout. What's more, these same bad guys have reconfigured utility company computers so that their normal operators cannot login to them to turn the lights on. Cyber warriors must hack into the utility with the goal of turning lights on: offensive techniques to restore power, thus achieving a defensive goal. In another scenario, cyber warriors must take over a rocket launcher so that they can redirect its aim from its current target (the commercial district of CyberCity) and have it fire harmlessly over the horizon (all captured in real-time video, natch). In yet another mission, terrorists have loaded a radiological weapon on a train and are threatening to detonate it in the residential quadrant of the city. Cyber warriors must take over the train and stop it or derail it. In many (but not all) CyberCity missions, we see how traditionally offensive tactics can achieve significantly defensive goals.
  • The Wonderful Psexec: As we've written recently on this blog, psexec is a great tool for administering Windows environments, as it gives admins the ability to run arbitrary commands on fully patched remote Windows machines. But, bad guys use this same tool for the same reasons good guys do: it is free, flexible, powerful, and anti-virus tools tend not to detect it given its widespread use by good guys for admin. A tool used for administration becomes an attack tool, and in the process helps evade detection by yet other defensive tools. The intertwining of attack and defense grows ever more complex.

I'm sure you can think of tons of other examples beyond those described above. Perhaps some of your examples may actually open new avenues for interesting work and research! Try to think of some traditionally defensive techniques that can be used in an offensive fashion, and brainstorm how some offensive techniques can be used defensively. Feel free to share your ideas in the comments below.

Thanks for reading!

-Ed Skoudis.

P.S. I'll be doing a presentation next week at the SOURCE Boston 2013 conference in, well, Boston. I'm very excited about the conference as a whole, with some great speakers on a vast number of topics across a broad spectrum of ideas and technologies. I'm presenting a new talk I've just completed called "Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World." Yeah, it's got a lot of CyberCity lessons learned stuff in it. :)

Also, if you are interested in the arts of offense and defense, and how the two influence and impact each other, you may want to check out my SANS Security 504 course on hacker attacks and incident handling. I'm really looking forward to teaching it at SANS San Diego in May!

1 Comments

Posted December 25, 2013 at 8:25 PM | Permalink | Reply

Perry

I am experiencing some of the cognitive dissonance that is touched upon here. Many of the tools used to protect information are the same as those used to attack them. People who build them are aware, no doubt, that they can be used offensively, but do they put enough effort in describing how they can be used offensively, and more importantly, what mitigations could be used? From what I've seen, there is little discussion on their websites of this aspect of their tool. And the tools are sufficiently dangerous that the 20 controls includes ensuring that even permitted software be found only on permitted devices to be used by permitted people. The danger of these tools is known. Just not heavily discussed on the websites that provide them, it seems.

Post a Comment






Captcha


* Indicates a required field.