Making defense as rewarding as offense
A Candid View
Today as a community we are still offense heavy with regards to published research and the appeal for many to enter the industry at a technical level. The reality today is that most organisations do not need even semi-sophisticated capabilities unleashed against them in order to breach. Instead, a phishing e-mail, a web app/services vulnerability or an unpatched system will often facilitate a compromise for a majority.
The sad reality is that most organisations are woefully immature with regards to resilience with the root cause in most cases being basic IT estate hygiene issues.
How do we make the defense of all organisations as appealing, rewarding and celebrated as the offense aspects?
offense is clearly rewarded
One of the first challenges is that offense is rewarded both by our industry and biologically. That is you set out on a mission to research and exploit a product, system, organisation and you win or you do not.
As things have become harder and more complex over the decades there often has to be mini rewards along the way but the outcome is the same. You either get a massive dopamine hit when you compromise your target or you do not.
In addition to free drugs, you get respect, the ability to travel internationally and potentially over time, recognition from peers, the wider technical community and if your offensive achievements are extra special, then society at large.
These are all rewards outside of the purely fiscal, which at times, can in their own right be extraordinary – just look at the public bug bounty top tiers and the top paying public vulnerability buying programs. For most these are seriously life changing amounts of money.
offense community is large and mature
The offense community has a common goal and a clear supply chain. From researches specialising in vulnerability discovery, countermeasure subversion and exploitation through operators able to stitch distinct vulnerabilities together to exploit targets, pivot through networks and achieve their intended action of target.
Due to fact that these dependencies and various tradecrafts are both complementary and interesting the community has done a very good job of self-organising.
Defense has a long way to go by comparison
defense today, within mature blue teams with large and varied estates to protect, is as compelling as any offensive activity. As someone who has done both as I got older the defense elements had a growing appeal. From ensuring the basics are done correctly through to working with development teams, building resilience in and into operational hunting.
However, in the real world compared to offense where you have a scope, smash the doors in, get the prize and walk away a hero, defense has a long way to go. This is in part due to non-technical issues such as organisation politics and money, which can be deeply demotivating and frustrating.
So let this be a call to action, a rallying cry if you will, to celebrate and build on what we have learnt at the sharp end of defense to make practical, workable solutions that scale whilst dealing with the basic and the sophisticated.