nCircle High Performance Security Blog

When is Offense the Best Defense?

We are all familiar with the old adage, "Offense is the Best Defense". So how does this saying pertain to the realm of information security? Over the last several years, there has been tremendous growth in using offense strategies and techniques to help shore up the defense, e.g. password cracking, social engineering, SQL Injection, Cross Site Scripting (XSS), and even using libraries of pre-written vulnerability exploits. Using offense to help with the defense is a synergistic strategy that can improve your overall defensive posture. There is one important caveat, however: offensive techniques can carry a much greater degree of risk than purely defensive techniques. So the key to using offense to help with the defense is to always conduct a risk assessment and carefully weigh the advantage of using a particular technique against its disadvantages before you use it, especially in a production environment.

The simplest and most effective method of using offense to support the defense is knowledge. Understanding the offense is critical for implementing a strong defense. This viewpoint is clearly evident by the popularity of various certifications and courses like the Certified Ethical Hacker (CEH) certification, numerous penetration testing certifications, and various excellent SANS courses on offensive information security concepts and techniques.

Another way of mitigating risk is to set up a test environment that lets you experiment with offensive tools and techniques. This will allow you to set up specific defenses and then attack them to help increase your understanding and help you improve the strength of your defense. It is becoming very common to use virtualized networks as a training ground to experiment and hone computer defense skills in a safe environment. A good example of this is in the U.S. military: once a year, the National Security Agency (NSA) hosts an exercise called CDX (Cyber Defense eXercise) in which the military service academies (West Point, Annapolis, etc.), organized as BLUE teams (friendly forces), set up and defend their training networks against the NSA, which assumes the role of the RED teams (enemy forces). WHITE teams (neutral forces) composed of various joint cyber units act as exercise coordinators/moderators/referees to maximize the training benefit. In this way, offense and defense skills are developed and refined in a completely safe and closed training environment.

Some offense techniques carry higher risk than others. Use pro-active, non-invasive, low risk techniques as much as possible, and then carefully augment your low risk techniques with higher risk techniques. In many cases, proactive assessment techniques can be just as accurate, with the benefit of very low risk. Vulnerability management has really improved over the years with the advent of credentialed scanning capabilities and can be extremely accurate and non-intrusive. Advanced vulnerability management systems, like nCircle IP360, incorporate extremely granular vulnerability metrics that take into account the temporal aspect of the vulnerability (how long the vulnerability has been around), the risk of the vulnerability, and the skill required to exploit the vulnerability. One way to think of vulnerability assessment is as a low risk tool that allows you to do extremely detailed reconnaissance of your networks to help you understand your risk and prioritize your vulnerabilities. You can then use specialized offensive techniques to gain a better understanding of specific vulnerabilities, specifically within the context of other vulnerabilities. Vulnerability assessment (a low risk technique) is like conducting detailed satellite photo reconnaissance, and offensive techniques like running pre-written exploits (a high risk technique) are like sending a patrol squad to check an item or area of interest. You will minimize risk and resource usage if you do as much detailed satellite reconnaissance as possible before you send out patrol squads to look at specific items you need more information on.
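The "reconnaissance first, patrols second" triage described above, as an added example that is not code from the original post or from nCircle IP360: a small scoring function that combines the three metrics the paragraph names (age of the vulnerability, its risk, and the skill needed to exploit it), ranks the findings, and decides which ones justify a higher-risk precision check. The weights, threshold, and sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    vuln: str
    disclosed: date       # temporal aspect: how long the vuln has been public
    impact: int           # 1-10: risk to the asset if exploited
    exploit_skill: int    # 1-10: 10 means trivial (public exploit available)
    production: bool      # high-risk techniques are gated on production hosts


def score(f: Finding, today: date) -> float:
    """Assumed weighting (not IP360's formula): impact, scaled up by age
    (capped at two years) and by how easy the vuln is to exploit."""
    age_years = (today - f.disclosed).days / 365
    temporal = min(age_years, 2.0)
    return f.impact * (1 + temporal) * f.exploit_skill / 10


def plan(findings, today: date, verify_threshold: float = 8.0):
    """Rank findings and pick the follow-up action for each one.
    Only high scorers earn a precision exploit check, and never directly
    on production: those get replicated in a test environment first."""
    out = []
    for f in sorted(findings, key=lambda x: -score(x, today)):
        s = score(f, today)
        if s < verify_threshold:
            action = "patch via vulnerability management"
        elif f.production:
            action = "replicate in test environment before any exploit"
        else:
            action = "precision exploit verification"
        out.append((f.host, f.vuln, round(s, 1), action))
    return out


# Constructed sample data; AS_OF matches the post date for readability.
AS_OF = date(2011, 9, 7)


def sample_findings():
    return [
        Finding("db01", "A", date(2009, 1, 1), impact=9, exploit_skill=10, production=True),
        Finding("lab07", "B", date(2011, 8, 1), impact=9, exploit_skill=3, production=False),
        Finding("lab03", "C", date(2010, 9, 7), impact=6, exploit_skill=8, production=False),
    ]


if __name__ == "__main__":
    for row in plan(sample_findings(), AS_OF):
        print(row)
```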

And finally, a very powerful technique is actually attacking your network in order to find weaknesses, essentially using offensive techniques for non-malicious purposes, a practice that often goes by the name of penetration (PEN) testing. PEN testing uses offensive techniques to find weaknesses or vulnerabilities in a system, so that you can then remediate them. These procedures can range from low risk ones like doing a password audit by running a password cracking program against a password hash file, to correspondingly high risk ones like using libraries of pre-written exploits to uncover vulnerabilities.

Penetration testing tools like Core Impact, which nCircle IP360 is integrated with, are valuable tools because they allow you to use pre-written exploits and test them against your system. However, be aware that these exploits are in effect actual code that you run against your system. So the correct method to use penetration testing tools is to use them with precision to provide greater visibility into your vulnerabilities. In other words don’t use them like a cannon, use them like lasers. First, do your detailed reconnaissance with the best vulnerability management tools you can find and then after detailed analysis and planning use your penetration testing software as a precision tool to gain greater insight into specific vulnerabilities, or paths of exposure by exploring relationships between vulnerabilities.

So, is offense the best defense? When it comes to information security the answer is no, because offense offers too narrow a view of your risk profile to be used on its own, i.e. a good defense requires breadth and depth, and offense doesn't give you breadth. However, offense does add value in that it provides a method to test your defensive strategy, i.e. it helps you analyze specific areas where your depth may be weak. So if you haven't already looked at offensive techniques, I encourage you to add them to your defensive toolkit, especially by improving your knowledge of them by taking a course or pursuing a certification like CEH. Also make sure that before you use any of the high risk offensive techniques (like penetration testing) you use low risk techniques as much as possible first (like vulnerability assessment, OS and system hardening, auditing, logging, and intrusion detection), and then do a careful risk assessment before you use high risk offensive techniques to drill down with extreme precision to examine specific vulnerabilities or specific avenues of exposure. Finally, make sure you understand that using high risk techniques on production systems is extremely dangerous; many even advise strongly against it. High risk offensive tools are great and can be very useful; just make sure you know the risks.

About

This page contains a single entry from the blog posted on September 7, 2011 5:39 PM.
Bio


John Alexander

John leads nCircle's vulnerability management product efforts and brings over 12 years of product management experience in delivering superior value to customers...Read More >>



Brent Torre

Brent leads nCircle's SaaS strategy and product management efforts. Brent brings a wealth of experience in building, scaling and maturing SaaS solutions which drive superior value to nCircle customers...Read More >>