SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, May 24, 2010

More on Black Hat Costs

Posted on 6:48 PM by Unknown
About a year ago I wrote Black Hat Budgeting, explaining how an offensive security team might spend $1 million. I said

"I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack."

Tonight Jeremiah Grossman asked via Twitter:

jeremiahg@taosecurity regarding black hat budgeting, does defense-in-depth exacerbate the value cost inequity for defenders http://is.gd/cnGW9

I was tempted to squeeze some sort of reply into less than 140 characters, but decided to answer here instead.


  • First, vulnerability research is not free. Funny enough the No More Free Bugs movement is about one year old now. Charlie, Dino, and Alex are right -- it costs real resources to find vulnerabilities in software, with the level depending on the target.

  • Second, exploit development is not free. It is not trivial to devise a reliable, multi-target, stealthy-if-necessary exploit for a discovered vulnerability. Projects like Metasploit have made it a little easier since the days of one-off code for every proof of concept. Still, professional exploit writers still spend a lot of time on Metasploit, commercial alternatives, or their own mechanisms.

  • Third, victim management is not free. Everyone likes to talk about "risk management." Let's flip that notion around and think from the intruder's perspective. One of the features separating amateurs from professionals is the degree to which the intruder can manage his or her presence in the victim enterprise. The greater the persistence of the intruder the more professional the intruder, almost by definition. It takes a decent amount of work to stay present and/or undetected in an enterprise, depending on the defender's capabilities.


So, black hats have a lot of costs to manage, beyond those in my original post. I can pretty confidently argue, however, that intruder costs are dwarfed by defender costs. To the extent that "defense in depth" (DiD) applies additional costs yet do not meaningfully reduce exposure and vulnerability, DiD does indeed "exacerbate the value cost inequity for defenders."

Aside: a quick way to identify ineffective DiD is to review network diagrams showing "firewall stacks." I mean, seriously, in 2010, who needs more than one "traditional" firewall on a network segment? 10 or more years ago I remember network security people thinking you needed multiple different firewalls to they would each "catch something different" or cover for errors. These days everyone lets 80 and 443 traverse the firewall so malicious traffic just uses those services. How much money is wasted on these "traditional" designs?
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ▼  May (15)
      • National Security Strategy is Empty on "Cyberspace"
      • Digital Security Is Not Just an Engineering Problem
      • "Privacy" vs "Security" or Privacy AND Security
      • More Evidence Military Will Eventually Defend Civi...
      • SANS WhatWorks Summit in Forensics and Incident Re...
      • Forget Pre-Incident Cost, How Much Did Your Last I...
      • More on Black Hat Costs
      • Watch Your WHOIS Entries
      • Review of Masters of Deception Posted
      • Review of Cyberpunk Posted
      • Review of The Hacker Crackdown Posted
      • Everything I Need to Know About Leadership I Learn...
      • Papers Not PowerPoint, Plus Tips for Improvement
      • Bejtlich to Speak at SANS Forensics and Incident R...
      • The Face of Information Warfare
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile