Offense, Defense, and Blurry lines


About a year ago now I was listening to a bunch of Defcon talks.  One of those talks, though I can’t remember the name, left me with one of the most brilliant takeaways: labels suck.

Labels are a slow death; they do not grow, they are often short-sighted, and are at best just a snapshot of time.  I very much dislike labels– and you should too… especially misused ones.  I remember as a developer being tweaked about someone calling me a “cowboy coder” as if it was a bad thing.  Not so much because it was intended as an insult, but because this person clearly did not understand, nor appreciate, the lifetime of effort and work that goes into running a ranch.  He must have read too much Jeff Atwood and watched way too many movies, and as a consequence drew erroneous conclusions.

It’s a fundamental element of human learning for us to categorize, prioritize, and bucket information in hierarchies for our own value.  However, this can prove to be a disservice to us when those categories– instead of being ways to group and shape our understanding of information– become a zealot mantra that simplifies our focus in all the wrong ways.  By making things fit our own comfortable understandings, we really only do ourselves a disservice.

So before I go further, let me add that writing this post has been hard.  I do not intend to disenfranchise anyone.  I only intend to point out that perhaps taking some time to really unpack what we say might be of value– especially before we divide ourselves over it.

Offense and Defense

As far as I can figure it, we have come to consider the above terms as being completely separate from each other.  So much so, that we have made communities and conferences dedicated to each respectively.  This division is not wrong, per se, it’s just not very applicable to the sort of offense and defense utilized in combative realities.  In the context of sports, where both sides must play by a set of rules, the notion of an offensive line and a defensive line makes a great deal of sense.  This line of separation is useful so that individual players can assume roles to play within the course of the game.  But InfoSec isn’t a game.  Not to me at least.

The type of work we do isn’t predicated on rules– it’s all about technical realities and what I can get away with.  In fact it’s kind of funny: the offensive security guys already figured that out years ago.  While our defenders are lining up to do battle with their WAFs, they’ve already broken into the locker room and stolen all their stuff.  Less funny, though, is that the title of “offensive security” is a bit of a misnomer.  These guys aren’t doing all offense all the time; out of sheer self-preservation they can’t.  Only berserkers do pure offense; they fight and fight and fight until they die.

The truth is that offense and defense are both a part of every attack.  They are also a part of every good defense.  But you don’t have to take my word on that:

“While opposing forms, the offense and defense are not mutually exclusive.  In fact, they cannot exist separately.  For example, the defense cannot be purely passive resistance.  An effective defense must assume an offensive character, striking at the enemy at the moment of his greatest vulnerability. … Similarly, the defense is an essential component of the offense.  The offense cannot sustain itself indefinitely.  At some times and places, it becomes necessary to halt the offense to replenish, and the defense automatically takes over.”  – Warfighting: United States Marine Corps

Wait… what?  That can’t be true, right?  Well… think about it.  When I am testing an application, especially one that is on the sly, I have to hide my traffic, right?  I can’t just run tools that make lots of noise, or appear so abnormal that it’s obvious I am there.  Stealth, it would seem then, is used for defensive purposes– because I want to remain unnoticed in my attack.  While I can always get back in if I am booted out, I cannot defend against being booted.  I hide, then, to be strong.

As a defender, playing another person’s game is a sure-fire way to lose.  At some point, you must regain tempo and cause your opponent to solve your problems.  In this area, we are sorely lacking in security.

But it gets better:

“We conclude that there exists no clear division between the offense and defense.  Our theory of war should not attempt to impose one artificially.  The offense and defense exist simultaneously as necessary components of each other, and the transition from one to the other is fluid and continuous.” — Warfighting: United States Marine Corps

So– if there is no division between the two… why do we have separate conferences?  Why do we have separate tracks?  We will, of course, always have intruders and protectors… but the difference between the two is generally one of initiative, timing and intent.  We all have the same tools we can use to solve problems, so what’s the difference?  Perhaps, if we can accept the fact that offense and defense exist together all the time, we can bridge the gap between the two sides.