Sunday, February 04, 2018

thoughts on attack automation

axiom: there is no perfect security

because there is no perfect security, we can say with certainty that no system will ever be perfectly secure. if we close one vulnerability there will always be another to take its place. we could spend an unending amount of money, time and effort closing vulnerabilities and still remain vulnerable, and in the process we would go bankrupt, because no one, not even the largest companies in the world, has unlimited resources to spend on security.

therefore, eliminating all the vulnerabilities is not a viable strategy. a more promising alternative is to approach security from an economic standpoint. while we can't eliminate all the vulnerabilities, we can eliminate some, and if we eliminate the ones that are easiest to exploit then an attacker's job becomes harder and more expensive to carry out. if we make the attacker's job hard enough then the value they derive from succeeding (and success will always remain possible) no longer covers the cost of launching the attack, and a rational attacker has no reason to launch it.

attack automation doesn't make an attacker's job harder. quite the opposite: it makes it easier. attack automation is delivered through attack tools, and as a general rule attack tools reduce the complexity of performing an attack. tools automate the fiddly bits to save an attacker time and effort, but in doing so they also save the attacker from needing to know how to do the fiddly bits themselves. this means a larger population of attackers becomes capable of carrying out a particular attack, because the skill required to perform it is reduced. it also means there is a larger pool of targets to victimize, because the lower cost of performing the attack makes attacking lower-value targets economically viable.

additional automation to save the attacker time and effort when selecting targets and launching attacks is also possible, as the recent release of autosploit (which chains shodan searches for exposed hosts into the launching of metasploit modules against them) has highlighted. this lowers the cost of scaling up the attack, so that a single attacker can attack a larger group of victims at a lower cost per victim.

the argument can be made that attackers are entirely capable of making these automated attack tools themselves, so it doesn't matter if security researchers do it as well. however, when researchers make the automated attack tools, attackers not only enjoy cost savings with respect to launching attacks, they also enjoy cost savings with respect to developing the tools to launch them.

all of these cost savings for the attacker work against defenders. when the cost of performing an attack is reduced, attacks that didn't need to be defended against before (because they were too expensive to launch relative to their payoff) must now be defended against, and that increases the costs for defenders because more defensive work is required.

these cost savings are also permanent. attacks don't get harder, they only ever get easier. offensive security researchers are permanently changing the economics of mounting various attacks in the attackers' favour, in an effort to incentivize defenders to do what the researchers think should be done in pursuit of the zero-vuln goal (a goal we already know to be unattainable), without regard to the economic realities those defenders face.

enforcing their will, their vision of what security should be, on others is misguided and damaging. there is no one-size-fits-all approach to security, and where the fit is bad there will be undue burdens with respect to cost and/or unfortunate breaches that might legitimately have been avoided if attackers had not been given a helping hand.

if attackers can build the tools that make their lives easier by themselves, then let them do it. make them pay the cost of doing it. stop subsidizing attackers in the name of security research. years ago the security research community embraced the idea that there should be no more free bugs, so why are cybercriminals still getting bugs, exploits, frameworks and more for free after all this time?
