Full Report
We recently gave a talk at the ITWeb Security Summit entitled “Offense Oriented Defence”. The talk was targeted at defenders and auditors, rather then hackers (the con is oriented that way), although it’s odd that I feel the need to apologise for that ;) The talks primary point, was that by understanding how attackers attack, more innovative defences can be imagined. The corollary was that common defences, in the form of “best practise” introduce commonality that is more easily exploited, or at least degrade over time as attackers adapt. Finally, many of these “security basics” are honestly hard, and we can’t place the reliance on them we’d hoped. But our approach doesn’t seem to want to acknowledge the problem, and much like an AA meeting, it’s time we recognise the problem.
Analysis Summary
# Best Practices: Offense-Oriented Defense Paradigm Shift
## Overview
These guidelines address the limitations of relying solely on traditional, common "best practices" in security defense. The core philosophy advocates for understanding attacker methodologies ("Offense Oriented Defence") to design more innovative, less predictable, and resilient defenses, recognizing that standardized practices often lead to standardized, exploitable bypasses.
## Key Recommendations
### Immediate Actions
1. **Acknowledge Defense Limitations:** Conduct an internal, honest assessment of your current security controls (like password policies, patching effectiveness, and AV efficacy) against known attacker tradecraft, rather than just auditing against existing internal policies or compliance checklists.
2. **Prioritize Attacker Modeling over Checklist Compliance:** Begin integrating threat intelligence detailing *how* adversaries are bypassing current controls into immediate risk scoring, rather than relying solely on abstract risk enumeration.
3. **Document Common Bypasses:** Immediately document specific, known bypasses for your standard security controls (e.g., horizontal brute-forcing against standard account lockouts, common AV evasion techniques) to ensure immediate mitigation planning.
### Short-term Improvements (1-3 months)
1. **Deconstruct "Best Practices":** For every mandated "best practice" (e.g., password complexity, patching frequency), actively test and develop countermeasures for the common ways attackers subvert these standards (e.g., developing detection for credential stuffing or compensating controls for unpatched legacy systems).
2. **Implement Targeted Technology Evasion Testing:** Move beyond standard vulnerability scanning to perform checks specifically designed to bypass commonly deployed perimeter and endpoint technologies (e.g., testing WAF rules against obfuscated input, testing AV/EDR evasion techniques).
3. **Improve Technical Priority Linking:** Establish a verifiable mechanism to link high-level risk assessments (GRC) directly to specific, high-impact technical mitigation tasks that directly counter known attacker techniques, moving beyond generic spending justifications.
### Long-term Strategy (3+ months)
1. **Foster Innovative Defense Architectures:** Shift defense budgets away from simply adding more "common technology" (UTM, SIEM, etc.) toward implementing controls that are fundamentally harder for attackers to reuse across multiple targets (i.e., defenses that are highly contextual or proprietary to your environment).
2. **Institutionalize Threat Emulation:** Integrate regular, adversary-focused security testing (beyond standard penetration testing) designed to leverage the latest known attack patterns, ensuring defenses evolve alongside attacker capabilities.
3. **Redesign Reliance on Human Compliance:** Reduce the organizational reliance on security basics that are proven to be "honestly hard" to maintain perfectly (e.g., 100% endpoint patching compliance) by engineering compensating controls that do not depend on perfect human execution.
## Implementation Guidance
### For Small Organizations
- **Focus on High-Leverage Baselines:** Instead of trying to implement every "best practice," focus on implementing the *most critical* controls that attackers are currently using to gain initial access in your sector, and then immediately layer a non-standard defense designed to frustrate common bypasses.
- **Leverage Audits for Intelligence:** Use external compliance audits not just for checking boxes, but as a source of insight into where your standard defenses are falling short, thus feeding the "Offense Oriented" mindset.
### For Medium Organizations
- **Dedicated Evasion Testing Budget:** Allocate a specific, small budget for dedicated adversarial testing—not just vulnerability assessment—focused on testing the efficacy of existing layers (AV, network segmentation) against evasion.
- **Decouple Compliance from Security Effectiveness:** Ensure that compliance teams and policy creation teams regularly consult with technical teams who are actively testing defenses against real-world attacks to prevent policies from calcifying around outdated or easily circumvented controls.
### For Large Enterprises
- **Centralized Threat Library:** Develop an internal, centralized knowledge base of common bypasses and attack chains mapped specifically to the defense technologies deployed across the enterprise.
- **Cross-Functional Innovation Teams:** Mandate collaboration between GRC/Risk teams and Red/Purple teams. Risk prioritization must be informed by findings from adversarial simulation that prove how existing controls are defeated on a day-to-day basis.
- **Strategic Avoidance of Commonality:** Actively seek defense solutions that deviate slightly from industry standards where feasible, thereby denying attackers the benefit of widely shared "long rope" solutions developed against common walls.
## Configuration Examples
*The context emphasizes that specific configurations are often the point of failure (e.g., standard password lockouts fail against horizontal brute-force). Therefore, specific configurations should be customized to prevent known bypasses rather than adhering to generic minimums.*
**Conceptual Configuration Shift Example (Password Controls):**
* **Instead of:** Standard: Account Lockout after 5 failed attempts across the domain.
* **Offense-Oriented Configuration:** Implement risk-based throttling or continuous authentication monitoring that detects velocity and geographic anomalies indicative of horizontal brute-force attempts, even if individual login attempts are spreading across multiple low-value targets.
## Compliance Alignment
While the article suggests current compliance systems can drive "teach the test" behavior, the *Outcomes* of Offense-Oriented Defense should align with:
- **NIST Cybersecurity Framework (CSF):** Focus improvement efforts around **Identify (ID)** (by better understanding threats) and **Protect (PR)** (by implementing more resilient controls).
- **ISO 27002 (Control Objectives):** Specifically review controls related to **A.12 Operations Security** (especially changes and patch management), ensuring testing validates operational effectiveness against evasion, not just procedure adherence.
- **CIS Critical Security Controls (CSC):** Use the CSC as a starting baseline (the "wall"), but immediately prioritize which controls require **innovative compensation** based on known bypasses within the organization's stack.
## Common Pitfalls to Avoid
- **The "New Tool" Trap:** Assuming that purchasing a new technology (UTM, WAF, DLP) equates to a better defense, especially if the deployment mirrors common configurations that attackers already know how to bypass.
- **Ignoring Horizontal Attacks:** Over-relying on controls that focus on vertical privilege escalation (e.g., single-user lockouts) while ignoring shared, common vulnerabilities used in lateral movement or horizontal brute-forcing.
- **Policy Stalemate:** Allowing security policies to be written solely by GRC or compliance teams without mandatory input from teams that actively attempt to break those policies.
- **Viewing Current Defenses as Static:** Treating existing "established best practices" as static solutions instead of recognizing they degrade over time as attacker toolsets advance.
## Resources
- **Adversary Simulation Playbooks:** Resources detailing current TTPs (Tactics, Techniques, and Procedures) from groups like MITRE ATT&CK, serving as the foundation for understanding "what attackers attack."
- **Internal Threat Emulation Findings:** Documentation detailing how proprietary or common industry controls were successfully bypassed in internal testing scenarios.