Are We Helping?
As a cybersecurity practitioner in the private sector, this question has been nagging me in recent years. At this time, I think my short answer is: we haven’t been doing enough to serve the national interest of Western countries, but we’ve been doing plenty to accidentally serve the interests of adversaries who seek to undermine the national interest.
I understand this opinion might not be common, and that asserting it without attempting to substantiate the claim is not constructive. So in this post, I’ll try my best to elaborate with the limited perspective I have. My area of practice is within red teaming, so I’ll start there and zoom outward.
When I released SysWhispers in 2019, I genuinely thought the direct syscalls technique was a critical ingredient for EDR evasion. With hindsight, it is clear to me that my understanding of defensive sensors was immature. Perhaps like others who release offensive security tools, I had no incentive to seek nuance because of: (1) the direct social reward of hundreds of likes, stars, and re-tweets well past Dunbar’s number, and (2) the indirect financial reward that undeniably came from the popularity of this tool’s release (i.e. better job prospects). I still haven’t had the opportunity to use it on an engagement so my empirical sense of its efficacy came only from the anecdotal feedback of others.
What I gather from that experience and from discussions with red team peers is that the conventional wisdom for evading AV/EDR is to: (1) devise a bag of tricks (direct syscalls, unhooking, digital signatures, packers, obfuscators, encryptors, adding strings, AMSI patching, etc.), (2) duct tape together as many of them as you can, and (3) have some anecdotally-driven faith that it will work.
This is fine if their tactical purpose is to get some quick wins to keep the engagement going. But if their marketed purpose paints the impression that an elite team of ethical hackers will help defenders be resilient against determined adversaries who leave little to chance… Well, allow me to say that it is increasingly hard for me to imagine those actors struggling with evading defensive vendor products in the manner most commercial red teams do.
When red teams are expected to operate with this conventional wisdom for evasion (whether self-imposed or by stakeholders), we are making a trade-off:
The more we normalize and get rewarded for propagating it—especially when our livelihoods depend on doing so, the further we get from understanding how well-resourced adversaries operate, and the easier their work becomes from what they may perceive as our complacency and failure of imagination.
As I’ve alluded to in the past, our complacency in the commercial InfoSec ecosystem comes down to perverse incentives that optimize revenue over national security. The failures of imagination with commercial red teams is actually a symptom of this larger problem.
Consider a crude look at the whole:
-
In a market where most enterprises lack the expertise and resources required to comprehensively evaluate opaque vendor security platforms, there is incentive for organizations to simplify those purchasing decisions. Gartner and Forrester produce vendor rankings that compare their strategic vision against the strength of their current offerings. Others provide deliverables that help buyers evaluate offerings by testing platforms against attack chains of caught behaviour.
-
Sales and marketing executives for security vendors have the incentive to promote capital for shareholders by (1) portraying completeness of vision by advertising their platforms as a panacea where vigilance can be outsourced, and by (2) portraying the strength of their current offerings by steering engineering teams to “innovate” in the direction of passing tests.
-
Many customers of those platforms often have incentive to validate ROI on those vendor claims by tasking red team operators to evaluate their security stack and MSSP often at the opportunity cost of finding gaps unique to their environments that adversaries are actually motivated to exploit. For these customers, red teams ultimately drive purchasing decisions instead of helping counter the operations of adversaries.
-
Most red team operators (especially at consultancies) have the incentive to play along to maintain good performance scores, but also because circumventing vendor-made security platforms has deeply saturated red team training, conferences, and culture. Career progression is increasingly correlated with being able to bypass the best EDRs around.
-
Red team tool developers can earn more if they sell their tactical tools with an emphasis on baked-in evasion features, or open-source them to increase their future job prospects and salary. In any case, there is an incentive to help the customers of defensive platforms validate their purchase decisions.
-
Threat hunters and detection engineers working for customer-obsessed vendors have an easier time justifying their work when responding to customer complaints of undetected red team activity, and a relatively harder time justifying the detection of real world activity that adversaries do not intend to enter customer consciousness.
The incentives listed here are arguably true on their own, but how do they relate to each other? When these incentives depend on and reinforce each other, you get what complex systems researchers call “positive externalities”. The incentives in point 1 amplify the incentives in point 2, and all the way down.
An unintended and counterintuitive consequence emerges from these externalities, which is that the most capable adversaries can become increasingly capable. This is because degrading their operations while maximizing capital is often a zero-sum game. Time is a finite resource, and saying “yes” to some effort inevitably means saying “no” to another. Saying yes to maximizing capital does not seem to correlate well with maximizing national security. From the adversary perspective, they would benefit from having relatively more breathing room because we are too busy maximizing capital.
These zero-sum games characterize the status quo in the private sector. From the perspective of the private sector, this is not a problem and the status quo is functioning as intended because it enables all of the players in this system to optimally promote capital for themselves and their shareholders. From the perspective of the public sector that is supposed to provide for the security of its citizens, this status quo can weaken our collective incentive to counter the operations of adversaries who seek to undermine national security.
This point is important but it will be hard for some practitioners to absorb. While I frequently grapple with this point myself, I’m also reminded of the adage that it can be very hard to understand something when misunderstanding is essential to receiving your paycheck.
I do not intend to criticize how any of us make a living, especially when defending national security has never been an obvious part of defending the commercial enterprises many of us work for. But I think it’s important to be informed about the incentives that govern our actions, so we can reflect on the choices each of us can make to improve the well-being of the citizenry that adversaries target and not just the well-being of shareholders.
Ensuring the well-being of the citizenry is at the core of national security. An entity can become an adversary when their values and ambitions existentially clash with our own. The CRINKs are obvious adversaries because their authoritarian dispositions are existentially incompatible with the viability of free and open societies. It is in their interest to exploit the properties of open societies and market economies to sow division and dissolve our cohesion.
Should our intentions remain noble, we shouldn’t make it easier for them. Imagine how the situation could improve if every player in our commercial ecosystem had the courage to make choices that avoid this consequence:
-
What if market analysts grilled vendors more about what they do to disrupt adversaries during earnings calls or quadrant research?
-
What if vendor executives didn’t have the constant pressure to get on the quadrant and rapidly move their dot to the top right corner?
-
What if more CISOs acknowledged the inherent fallibility of vendor products against determined adversaries, and defended against the actions those adversaries take to increase the bottom line?
-
What if red team operators had more time to surface vulnerabilities that are unique to their target environments instead of validating purchase decisions on vendor-operated detection and response platforms?
-
What if threat hunters and detection engineers had more time to surface and degrade real-world operations instead of simulated/emulated ones?
While my perspective is too limited to recommend a concrete ten-point action plan for private sector practitioners, let this post serve as a reminder:
Regardless of what role you play in our commerical ecosystem, the decisions you make on a daily basis matter. Whether you are an executive or a frontline SOC worker, you have the agency to make choices and those choices will signal something about your disposition.
Will your choices maximize capital in a way that unwittingly furthers the interests of adversaries who undermine national security? Or will your choices help further the viability and cohesion of free and open societies—even when it’s the harder thing to do?
What is your north star?