Twitter thread, 17 tweets, 7 min read
What data do we have to support the hypothesis that the free release of open source Red Team tools has improved the overall security posture of the internet?
I remember having a conversation with @carnal0wnage probably 15 years ago about “secret sauce”. He convinced me that the hoarding of knowledge and techniques was detrimental and only benefited those who truly relied on them (the actual bad guys).
It has been nearly a decade of free sharing. People have brought and shared their “secret sauce” at @DerbyCon every year and we are all so much better for it. Tooling hasn’t been the bar to entry for anyone in many years. Is the world a better place for it?
If we pick an example of a tool discussed at Derby this year: there has been research (mostly private, aka the "secret sauce" of TI and IR companies) into multiple groups who vary their persistence techniques to avoid target association.
This tool builds upon previously released Red Team research to highlight a deficiency in tradecraft and testing. Many analysts look to tie things together by the persistence techniques used, when in fact a single actor could use varied or even random techniques.
The adoption of this tool could cause a shift in thinking and lead to more analysts finding new attacks and discovering IOCs beyond the limited ones that the big IR firms are willing to share with those of us who don't pay them.
The tool makes it easy to implement into the Red Team workflow and goes well beyond a PoC. Clearly, it could then be adopted by lower-tooled threat groups and used in criminal attacks. If that happens, was the release of this tool wrong?
Where does the fault lie? The tool author? Their employer? The industry? The conferences that require more than a working PoC before you can present? How long before this tool becomes a #DailyToolDrop where it might be described as "not legitimate"?
A quick search reveals that this has already happened:
The next step, if it follows the sentiment that I have seen, is for people to start aggressively suggesting that the author intentionally supported the criminals or somehow profited from them.
This argument completely ignores the fact that the industry, as a whole, only exists because of the criminals we are trying to prevent, detect and replicate for the purposes of future prevention. We are all "profiting" because of them.
There is no Red vs. Blue in Infosec and anyone who is trying to push that has their own agenda. Red research pushes knowledge into the light by demonstrating actual, visible, understandable, in-your-face risk. That risk exists without the tools used to demonstrate it to you.
This tool is just another example of how hard work and a concern about a shortcoming in the community lead to all of us getting better. I appreciate the effort that went into the development, testing, slide building, practice and execution of the presentation.
It is sad to think that there are actually people who are unwilling to share their work with us because they fear their motivation will be questioned or they will incur future liability to their reputation.
When you dig into the argument people present for not releasing tools to the public, you discover that most of them want to put them behind a pay wall. Knowledge for some. The "secret sauce" people won out in a lot of areas of infosec. We killed that elitism in our area - I hope.
Anyone who talked to me at the conference knows that I am really concerned about this. Several of us are researching ways we could get better, but I am upset at how this is hurting us right now. It is going to have a chilling effect if we let it.
Or maybe I am completely wrong. If I am, tell me. I want to know.
Thread author: Chris Campbell