Skip to main content

Security community tools help intruders

Security community tools help intruders
(Image credit: TheDigitalArtist / Pixabay)

To many ordinary home users and businesses, security software is nothing more than having antivirus protection and or endpoint security software. However, for enterprises the situation is more complex.

I expect adversaries will continue to leverage publicly released tools, often developed by penetration testers and security researchers, to compromise and control targets worldwide. 

This trend, publicized most effectively by Mandiant's Andrew Thompson, turns standard defensive thinking upside down. Unfortunately, it is difficult for those who work on the offensive side of the security team to recognize that this is the case.

The mantra for the past decade has been to "make intrusions more costly for the adversary." One of the costs an intruder used to have to consider was the development of tools and techniques to compromise and control targets. 

However, today the majority of intruders operate publicly released tools to accomplish their goals. This means that intruders can radically decrease their research and development costs, as that burden has already been borne by penetration testers and security researchers.

About the author

Richard Bejtlich is principal security strategist at Corelight.

Public offensive tool releases

The argument in support of public offensive tool release usually offered by penetration testers and security researchers is that they are simply recreating capabilities already known and perhaps utilized by top tier intrusion groups. 

By releasing new capabilities, the argument goes, defenders learn what is possible and can develop mitigations that work against penetration testers and actual adversaries. 

Their scenario plays out in the following manner:

  • An enterprise deploys assets in an insecure state;
  • Offensive security researchers and penetration testers develop and publish tools and exploits to take advantage of enterprise vulnerabilities and exposures,
  • Penetration testers exercise vulnerabilities and exposures in client enterprises, using the tools and exploits they developed, thereby demonstrating weaknesses to defenders,
  • Defenders mitigate the insecure assets, based on what they learn from the penetration test.

The reality of public releases

This scenario is true and occurs regularly. Unfortunately, a second scenario is simultaneously playing out:

  • An enterprise deploys assets in an insecure state,
  • Offensive security researchers and penetration testers develop and publish tools and exploits to take advantage of enterprise vulnerabilities and exposures,
  • Adversaries, ranging from nation-state actors to opportunistic criminals, exercise vulnerabilities and exposures in client enterprises, using the tools and exploits developed by security researchers and penetration testers,
  • Defenders perform incident detection and response, assuming they identify the adversary activity.

Those on the offensive side of the security equation are quick to point out why their work has merit. First, they argue that by creating and using their methods against clients, defenders learn how to defend those very tools. 

Second, they claim that it is not possible to differentiate between truly “offensive” and “defensive” tools. Third, they maintain that by discovering flaws in enterprise assets, in the medium- and long-term, overall security postures improve. 

These arguments are valid to a varying degree, and I could probably accept all of them without weakening the main point of this article.

Points of contention

Despite these three points in favor of the penetration tester and security researcher argument, I present three other points for consideration. These are reasons why offensive research and publication can negatively impact enterprise security.

The first is the development argument. 

Top tier groups may have had a near-monopoly on high-end development a decade ago, but examples offered by Thompson in 2019 demonstrate that this is currently not likely the case. Public security researchers are on par with, or above, the capabilities of many or most top-tier groups. 

Incident response teams like those run by Mandiant frequently encounter offensive public tools used by top tier threat groups. One cannot be sure if top tier groups shelve their native tools in favor of public ones, or if they never had the native tool to begin with, and directly began using the public tool once it was released. Nevertheless, public security tools and exploits are the weapon of choice for many intrusion groups.

The second is the attribution argument. 

Because public offensive tools are ready for use by anyone, defenders cannot rely on tool use for attribution. If a defender sees a tool or exploit used by only one group, then that tool or exploit usage can become a factor when performing attribution. If a threat group uses a tool available to anyone on the Internet, the usage of that tool by itself is not helpful for attribution. 

Some argue that attribution is not useful, but that is a discussion for another day. Clearly the number of indictments and other judicial and diplomatic actions taken by global governments over the past decade show that attribution is a critical component in actions to defeat intruders.

The third is the proliferation argument. 

Top tier intrusion groups are limited in number, and they are not targeting the entire security ecosystem. Once penetration testers and security researchers release new capabilities, this software become available to all intrusion groups, from the top tier actors to the lowest financially-motivated criminals. 

Suddenly, the whole digital ecosystem is at risk, from the very tools developed to supposedly reduce risk via security testing. What once may have only been available to a small number of threat actors is now ready to be used by any offensive party.

Continued frustration

The most frustrating aspect of this situation is that there is likely very little to be done about it. There is no point in trying to encourage penetration testers and security researchers to keep their capabilities private. 

It is indeed difficult to draw lines between “offensive” tools and “defensive” tools. However, it would be helpful for penetration testers and security researchers to release detection and mitigation information, or countermeasures for their new offensive capabilities, when they publicize new tools and exploits. 

I hope that work by people like Thompson can at least begin a dialogue about this topic, and explore the argument that releasing offensive security tools and exploits is not a “cost-free” exercise for defenders. 

The practice reduces or eliminates adversary research and development costs, while raising costs for defenders. It is time for the offensive security community to appreciate this situation and keep it in mind when they work to help defend their clients.

 

Richard Bejtlich is principal security strategist at Corelight.