In Infosec, everyone emphasizes that while defense is important, playing offense allows one to better plan one’s defense. While I do agree with this wholeheartedly, for Fun Friday I’ve decided to play devil’s advocate and take a more extreme perspective to bring up an odd point. Most of the time playing offense is just that - playing.

When people say offense, they mean they “play attacker”. They form a red team, they do a penetration test, they do tabletop exercises. These are good things, but this is not how an actual attacker works, at least not 100%. True attackers take a slightly different approach. I know this because of two important things: I have had to defend systems against serious attackers, and I have actually attacked systems.

At a previous job at a defense contractor, I got to see firsthand what it was like to have nation state attackers with a serious budget and excellent resources throw their full force into determined attacks. While I cannot go into a lot of details, let’s just say that the various attack groups (there were dozens) tried to attack so often that a typical week might show signs of 2-4 serious attempts per week. Zero days were used. When a vendor released a patch, there was always a surge of adrenaline as some of these APT actors had zero days that were no longer zero days, and they’d rush forth with an attack to try to beat the patching cycle.

Now as far as myself attacking systems goes, in my past I played true offense. I can say that at the time I was well aware I was crossing a line, and I knew it was bad. While I am not proud of it, I am not ashamed of it either. I could lie and say I was so good because I never got caught - but I think in reality I was lucky. So my version of playing offense not only differs from a lot of other people’s experience, it gives me a somewhat different viewpoint.

Yes I have done the pen test thing, I’ve even done physical pen tests, and yes red teaming is extremely helpful to understand your weaknesses as well as your processes to handle an active attack. But basing your defense strategy solely on the results of quasi-real scenarios can still leave you exposed.

A true attacker has a completely different mindset. They think in terms of target objectives instead of compliance checklists. Let’s say as an attacker your goal is a vendor’s source code, because the vendor develops a security detection product installed at some future targets, and you’d like to hit those targets undetected. As a side benefit, the source code tree itself could be used as a form of currency where one could possibly trade the source code for a zero day with another hacker, or sell it to the highest bidder after you’ve rung out its secrets for yourself.

As an attacker developing an attack plan, one would typically divide exploits into two categories - those that required user interaction and those that did not. The latter was preferred since if a user was directly involved, there was a greater chance chance of them figuring out there was something fishy going on (or even phishy, right?). One preferred to use something that would bypass human interaction completely.

An attacker never wanted to use a zero day. If you were caught by a clever admin, they might figure out this was a unique attack, report it to the vendor, and next thing you know the zero day hole has been closed. Therefore one tried low hanging fruit first, and slowly moved up the chain of complexity. Zero day was only used if you really wanted that objective and there was no other way. Back then a zero day meant that your vulnerability had been know publicly for exactly zero days. If you used it and admins starting discussing it on security mailing lists, it was no longer considered a zero day - even if there was no patch available. Some objectives were simply not worth the risk of burning a great zero day.

A hired pen tester, while not wanting to get caught, has one particular objective that they try to meet on every engagement - actual penetration into the target network. But the pen tester is not going to actually have a zero day. It would be considered irresponsible for a pen test firm to have a known vulnerability that they use to break into client systems that cannot be patched, leaving clients and the Internet at large at risk. Yes a pen test firm might have fully weaponized versions of known exploits, but that’s different. A zero day has no patch and is unknown to the public.

If you hire a penetration tester to test your company, there will usually be clauses in the Statement Of Work (SOW) that define the limits. No touching of production data, no physical access to server rooms, no threatening users to gain access, and so on. That’s fine as it makes sense for many reasons including a number of legal ones. Just remember a real attacker has no such limits. They will go after production data, they will threaten users, they will pose as janitorial staff to gain physical access, they will attack after they learn your security team is having an offsite team building exercise that everyone bragged about on social media. The pen tester will have a limited time frame for the engagement, whether it is a few days or a few weeks. A real attacker could be very patient and take months for just a single part of a multi-stage attack..

Once in, the pen tester and real attacker methods are usually similar - lateral movement gathering data as system after system are compromised. A big difference is that a real attacker will purposely leave in clever backdoors to regain access. Some of the APT actors would leave multiple backdoors on different systems, with one group of compromised systems on one backdoors, and a second group on another. That way if one of the backdoors was discovered and all machines were examined and scrubbed of one backdoor, there was still another way in. The really paranoid attacker will rotate through different backdoors every week or so, to help ensure long term access. Couple this with an attacker knowing the credentials of legit accounts, creating their own accounts, and creating exceptions for accounts to avoid multi-factor, and you begin to understand where that “advanced” part of APT really came from - even if they used an old lame exploit to gain access.

Obviously do the things we in infosec recommend constantly - stay patched up, strong passwords, use multi-factor, avoid the clicky-colicky of weird links especially in email. But listen, fellow nerds: you need to think about what this whole offense and defense thing means. The point is, when it comes to defense, there is offense and there is offense. Defend against both.