Pursuit of transparency

The most effective way to help others is to help them help themselves.
Jerry Corstens

From translator


I bring to your attention a translation of the article "A Push Toward Transparency" by SpecterOps CEO David McGuire. I have no relation to this company and have never used its products, so the article is not an advertisement but an occasion to reflect on, discuss, and adopt or reject the approach the author proposes.

David raises the issue of transparency in the information security industry, arguing that sharing knowledge about tools and methods of work is not a threat to competitive advantage but a very important step for all market participants, one that can significantly raise the overall security level of information infrastructures. In the comments I would like to see a discussion of this position: how compatible is it with reality, what prevents us from being transparent, and should we move from creating dependence on consultants and products to teaching customers how to counter threats independently?

Pursuit of transparency


Information security is a young field that continues to change rapidly compared with industries that have existed for centuries, medicine for example. Like information security, medicine is meant to be a profitable business and serve the public good at the same time. Medical researchers have spent thousands of years contributing to their field, sharing hypotheses and building collective knowledge. For a hypothesis in medicine to advance, it must be openly examined, tested, peer reviewed and defended. That system lets medical practitioners deliberately and continuously improve their effectiveness. Compare this with the current state of security. Ideas, hypotheses and research results are rarely published, because many see publication as a risk to competitive advantage. The problem with this approach is that it slows progress by limiting the spread of knowledge. Despite a number of legitimate constraints, we strongly advocate transparency in information security.

At SpecterOps, we believe that the way to raise the maturity of our industry is to contribute to a collective knowledge base. We are convinced that to change the current system we must practice what we preach: open our ideas and hypotheses to testing and criticism. This is the basis of our approach to transparency and the key principle of our relationships with clients and the community. By sharing our knowledge of adversary Tactics, Techniques, and Procedures (TTPs), we hope to highlight the weak points in systems that allow us to attack them, and to invite collaboration in closing those gaps.

Transparency in action


Let's look at a technology whose security research was conducted publicly: PowerShell. The security capabilities of PowerShell have come a long way in the past five years, thanks to internal champions at Microsoft and many advocates in the information security industry who contributed to their advancement. But it was not always so. At one point, the attack surface exposed by PowerShell was massive and poorly understood.

In 2015, some of our team members created a project called PowerShell Empire, which built on earlier work in the industry as well as our team's own projects and research. Empire was, at the time, a post-exploitation tool written entirely in PowerShell, demonstrating how adversary actions could be replicated and extended during a simulated attack. Since Empire was created, we have seen several additional offensive PowerShell projects that advanced the body of knowledge much further than anyone could have alone. The cumulative effect of these projects allowed those responsible for PowerShell at Microsoft to make informed decisions about developing additional security measures. We welcome the implementation of measures such as AMSI, script block logging and others in recent versions of PowerShell.

To promote and broaden defensive uses of PowerShell, our team created PowerForensics, which provides investigative capabilities that were previously found only in heavyweight tools. Continued research in projects such as Get-InjectedThread, with functionality usually associated with endpoint agents and memory analysis, puts investigative capability within easy reach using the language itself. Today, PowerShell is becoming less attractive to attackers, because their techniques are well understood. In addition, we see broader adoption of PowerShell defensive measures by many organizations. Both reflect the evolution of the language's security, driven by the spread of information and transparency.
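The defensive measures mentioned above only help if they are actually switched on and their output is actually read. The following PowerShell snippet is an added example, not code from the original article or from SpecterOps: it checks whether script block logging is enabled by policy on a Windows host, pulls the most recent logged script blocks (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), and confirms that the AMSI library is present. It assumes Windows PowerShell 5.1 or later and an elevated session; the registry path and event ID are the documented ones.

```powershell
# Added example (not from the original article): verify that the PowerShell
# defensive measures the article mentions are in place on a Windows host.
# Assumes PowerShell 5.1+ and an elevated session for Get-WinEvent and the Set-* path.

$ScriptBlockPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    # This is the key written by the "Turn on PowerShell Script Block Logging" GPO setting.
    $value = Get-ItemProperty -Path $ScriptBlockPolicyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($value -and $value.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Equivalent to enabling the GPO setting locally; requires administrative rights.
    if (-not (Test-Path $ScriptBlockPolicyKey)) { New-Item -Path $ScriptBlockPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $ScriptBlockPolicyKey -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-RecentScriptBlocks {
    param([int]$MaxEvents = 20)
    # Event ID 4104 carries the de-obfuscated script block text at execution time,
    # which is what makes Empire-style in-memory tooling visible to defenders.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $_.UserId
                ScriptBlock = $_.Properties[2].Value   # ScriptBlockText field of the 4104 event
            }
        }
}

function Test-AmsiPresent {
    # AMSI ships as amsi.dll; presence of the DLL does not prove that an AV provider is registered.
    Test-Path (Join-Path $env:SystemRoot 'System32\amsi.dll')
}

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is not enabled by policy on this host.'
    # Enable-ScriptBlockLogging   # uncomment on a host you administer
}
Get-RecentScriptBlocks -MaxEvents 5 | Format-List
"AMSI present: $(Test-AmsiPresent)"
```

Two caveats a defender should keep in mind: an empty 4104 result does not mean nothing ran, only that logging was off or the log was cleared, and 4104 events are generated per script block, so a long script appears as several events that share a ScriptBlockId.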

Our commitment to community transparency


Every SpecterOps team member has benefited enormously from the open source community's sharing of tools and techniques. We encourage everyone on our team to give back to the community with their research. That contribution usually takes the form of blog posts, videos and talks that convey our ideas. We believe that building and releasing tooling lets other security teams understand and build on those ideas. We hope these efforts allow SpecterOps to have a meaningful impact on the industry beyond the customers we serve directly.

On the offensive research side, our results are often published as soon as the work is complete. Of course, there are exceptions to this rule, for example vulnerabilities, to which responsible disclosure applies. Our intent in publicly disclosing attacker methods is to help the industry detect and counter approaches that are, or could be, used in real attacks. "Burning" research effort this way may seem counterintuitive. We have two answers. First, publishing a potential offensive technique serves the public good by warning the industry about specific weaknesses. Second, in practice we have found that publishing a technique rarely renders it useless right away.

On the defensive research side, we recognize that the problem facing defenders is far larger than the one facing attackers, as a comparison of the rising cost of effective defense with the cost of a successful attack shows. We believe the industry can confront an adversary with effectively unlimited resources only by sharing attack detection techniques and technologies. Hoarding defensive knowledge guarantees only that we will fight as isolated teams against an enemy moving freely across the battlefield. In all of our offensive research we also work on detection and mitigation. In our defensive research, we provide capabilities that were previously available only in a small number of products. This does not mean we are against commercial solutions, but we believe that countering attackers should be a universally available capability and part of the common knowledge base. Projects such as PowerForensics, BloodHound, Uproot, ACE, HELK and the Threat Hunter Playbook are examples of this methodology.

Our commitment to transparency towards customers


Too often in our field, services and products are offered to customers as a black box. Customers are asked to trust the company's marketing and/or reputation. We believe this undermines their ability to achieve lasting, meaningful improvement. If a client wants to evaluate our capabilities, they can turn to our public work. When providing services, we share with our customers the techniques we use. Our goal is always to help build long-term knowledge and capability.

For example, in our adversary simulation assessments we treat the educational component as essential. To systematically disrupt attacker actions, clients must understand the TTPs used at each stage of the attack. We work to educate our clients' defenders so that they have a complete understanding of our approaches and how we achieve our objectives. This may include working side by side in real time, providing the tooling or source code for an implant developed during the engagement, and organizing training to replay the attacks. During detection operations, we document the TTPs we are trying to detect and the methods we use to detect them. Not all TTPs are equal in prevalence, complexity and stealth. We work with clients to make sure they understand what we are looking for, why particular TTPs were selected, and how we collect and analyze data. The purpose of this collaboration is to give the client the knowledge and skills to collect and analyze information on their own.

The goal of all our services is to educate clients and identify gaps in their defensive approaches. If we delivered an opaque assessment, we would do a disservice to their ability to protect their systems. We are convinced that organizations should have their own ability to assess the security of their infrastructure, rather than relying solely on third parties to understand their attack surface.

Conclusion


SpecterOps believes that the push for transparency reflects progress in our industry. As members of a field with a public benefit mission, we should hold ourselves to a higher standard rather than rely on an approach that creates dependency on consultants and products. By collaborating and contributing to the common body of knowledge, we can together resist threats that none of us could fight effectively alone.

We do not claim to be the only supporters of open contribution to the industry. In fact, members of our team and many others have long practiced what we now stand for as a company. Nor do we promise to publish every idea or invention; businesses often have legitimate reasons to protect information. But in everything we do and will do, we will always strive for transparency.

Our suggestion: the next time a third party tests the security of your infrastructure, demand transparency. Ask questions. Try to understand the thinking and the tools used. Do this not so much to learn the TTPs themselves as to better arm yourselves and help your security staff grow after the auditors leave. Just as we reject security through obscurity as a strong defense mechanism, we should abandon offensive effectiveness through obscurity. We can truly raise the bar in our field through collaborative learning.

Source: https://habr.com/ru/post/413013/