Throughout the roiling (and often tiring) discussion over the release and disclosure of “offensive security tools” (OST – previously addressed here), one disadvantage is constantly referenced to show the harm of publicly-available hacking tools and techniques. Put most simply, individuals cite how many organizations either have little or no security expertise, tooling, or personnel. Therefore, arguments that publicly available tools and techniques can improve security are irrelevant for nearly all small and many medium-sized organizations and enterprises – from the neighborhood small business through physically large but technically immature organizations such as local government agencies. Thus, the security tools that might enable large, well-funded entities (think, the US Department of Defense or multinational corporations) to improve their security posture ultimately end up inflicting severe harm to the long-tail of organizations using computers for communications, operations, or business.

While my previous post on the security tool discussion argued for a nuanced middle ground between positions, I find the above argument quite compelling and am sympathetic towards it – but at the same time, I find it somewhat irrelevant for the OST discussion as it conflates two distinct issues. Essentially, the anti-OST argument takes two concerns – the public and free availability of powerful offensive security tools, and the security weakness of many organizations – and combines them to focus only on the former point, ignoring how the latter may have separate causes and solutions. While tools such as Mimikatz or Metasploit certainly lower barriers to entry to cybercrime (or worse), that such tools may disproportionately impact small, poorly-funded, or poorly-organized entities seems to be a different concern entirely.

When viewing the argument as a single issue related solely to the availability and distribution of hacking tools, one would likely be tempted to make an equivalence between this anti-OST point and frequent “but think of the children” examples used to further arguments against encryption, pornography, social media, video games, heavy metal music, and various other entities. There might be something to be said for this line of investigation, but I think this is both undesirable and unnecessary – undesirable as such an approach quickly injects an unhealthy level of emotion into the discussion, and unnecessary for the point brought up previously. Namely, it appears we’re combining two issues in this case (tool availability and small/medium/public enterprise vulnerability) but only focusing on the tool question.

To show how the two are occasionally linked but fundamentally separate issues, we can look at one of the primary concerns of many organizations: business email compromise (BEC). From 2016 to June 2019, BEC is believed to have impacted more than 166 thousand organizations costing over $26 billion. While some BEC attacks leverage weaponized documents and information-stealing malware to facilitate access to email accounts, many others rely on a combination of social engineering, domain similarity, and email spoofing absent any open source hacking tools. Furthermore, even in the case of malware use, tools leveraged usually (although certainly not always) focus on paid, non-public criminal tools as opposed to combining various open source or freely-available techniques.

Thus, an entire category of attack exists – BEC – that costs organizations millions (and the global economy in aggregate, billions) while largely avoiding the types of tools currently giving information security persons heartburn. The take-away point is somewhat simple: while offensive security tools may be sufficient to impact small and medium businesses, they are not necessary to do so, even at levels so great as to induce operational disruption or shutdown (in this case, bankruptcy due to loss of funds). Confusing necessary with sufficient conditions is hardly rare, but here it blurs two separate problems that each have different causes, corrections, and responses.

This should not be interpreted as my saying that publicly-available offensive tools are not significantly harmful for organizations that cannot invest in dedicated security teams and tools. However, the offensive tool portion is but one aspect of a far bigger problem – simply declaring offensive tools illegal or unethical, regulating them, or otherwise eliminating their presence will not remove the risk to such entities. Thus, another, larger problem is revealed through this oft-cited disadvantage to offensive tooling. Phrased as a question: how does a society ensure that small or technically poor organizations, from ten-person machine shops to local school districts, achieve necessary minimum levels of security to avoid huge, aggregate social impacts, such as the billions siphoned away in BEC operations?

When looking at certain sectors such as the loosely-defined “critical infrastructure” areas (we’re currently at 16 and counting by US Department of Homeland Security definitions), governments (to a greater or lesser extent depending on where) have invested resources and effort for the purposes of security. Yet as previously described in this blog, critical infrastructure often depends upon smaller vendors and suppliers for effectiveness, and these entities typically receive little or no attention from government-led defensive efforts. In addition to entities such as the “Mittelstand” for manufacturing, there are a variety of local government or other entities removed from typical “national security” discussions (schools, hospitals, election authorities, local businesses, etc.) that have no budget or resources for information security, yet are also directly targeted by malicious activity. As stated in other articles, such activity can range from espionage (e.g., stealing designs from supporting manufacturing entities, or providing initial access vectors to critical infrastructure through supply chain attacks) to monetization (holding a school system hostage via ransomware). Irrespective of purpose, the result remains roughly the same: organizations with very little capability for self-defense are targeted and compromised by better-resourced entities, yielding disruption whose social and economic impacts extend beyond the individual victim and lead to aggregate net losses in economic activity, social utility, and overall well-being.

Given widespread societal and economic reliance on such entities and that the costs of information security (either preemptive costs for defense, or recovery costs after an incident) are not remotely captured in existing systems, we’ve largely arrived at an economic negative externality for not only offensive tools but for the expansion of IT in general. The proliferation of publicly-available offensive tooling may accelerate aspects of this process, but it is hardly responsible for creating it. Rather, the combination of widespread (even indiscriminate) digitalization, criminal identification of relatively simple money-making opportunities, and near total lack of any state response to actions (e.g., consistent or reliable criminal prosecution) make for an ecosystem where very real, difficult problems would exist irrespective of the availability of PowerShell Empire or Mimikatz.

While one tempting response would be to blame victims for running unpatched, out-of-date, or insecure IT infrastructure, this hardly seems fair given the widespread push towards adopting digital platforms and processes in even small businesses. “Just patch” or “just move everything to Chromebooks” might make a certain degree of sense absent context, but represent unactionable, unhelpful statements across all entities given the diverse situations in funding, resources, requirements, and expertise. As a result, one may be tempted to say that we have arrived at some sort of impasse between increasing exploitation of the entire digital landscape and the inability of organizations beyond (some) national governments and (most) large corporations to actually do anything of consequence to detect, defeat, or deny such actions.

Yet this seems both defeatist and absurd. Moreover, as noted earlier, the concept of negative externalities to circumstances (in this case, increasing digitalization of operations across all organization sizes and maturity levels) seems to capture some of the current dilemma, especially within the context of market failures. In this precise situation, advancing technological implementation and expansion to cover nearly all entities engaging in society or the economy produces various efficiencies (filing forms online, business via email instead of post or fax, etc.), but also imposes costs (or at least risks) in the form of an expanded threat landscape to organizations. As such, while “large” players can continue to thrive in a more efficient and effective technical landscape, smaller (or less mature) entities are left as “easy targets” to opportunistic, amoral entities.

The above appears to fit rather well the cases for government intervention in economic activity when such activity on its own fails to correct for or address negative outcomes produced through completely free activity. Intervention to correct market failures is a key feature of liberal economics, and is reflected in other spheres of activity from workplace safety requirements to environmental regulations. Presumably, some level of government intervention might be of value in this realm: making resources available to smaller organizations for defense or recovery purposes; providing funding for training or development to improve the security posture of local governments; or creating response capabilities to assist critical entities (such as cities or school districts) when recovering from an attack like some sort of digital FEMA.

Yet, such efforts quickly become incredibly large and difficult to manage given the sheer number of entities requiring assistance. Furthermore, as previously argued here, governments have largely abandoned huge swaths of the cyber landscape to private companies over the past two decades and in many use-cases may be unsuitable (or outright unfit) to intervene short of questionable military or intelligence service intervention in domestic affairs. While certain elements of public response seem worthy of further investment and expansion – such as expanding law enforcement capabilities to actually investigate and eventually prosecute or otherwise defeat criminal enterprises victimizing smaller, less capable organizations – other areas may be far too costly or beyond the reasonable reach or authority of national governments to pursue.

Another view takes the idea of market failure far more literally. In this case, the IT ecosystem is one in which all organizations – from Fortune 10 corporations to local school districts and small fabrication shops – essentially use the same sort of hardware and software for tasks on greatly differing scales and with greatly differing requirements. Thus many of the same technical and administrative requirements expected of an organization with a reasonably well-funded, capable, and dedicated IT department are also extended to organizations lacking such resources. A manageable attack surface in some realms thus becomes a completely unknown, unexamined threat landscape in others, leading to potential disasters. All of the functionality and capability (with concomitant potential vulnerabilities or possibilities for abuse) in a modern operating system or office program is shared completely between entities with wildly differing levels of technical capability, with very little recourse towards procuring simpler, less feature-rich alternatives that would ease management and limit potential abuse.

Some examples do exist – from Windows 10 S to Chromebooks to Google’s office suite – that abstract away some difficulties or simply make unavailable many advanced features that also enlarge the attack surface. Yet such products typically appear undersupported, poorly thought out for “light” commercial or administrative use, and seldom marketed against (more profitable) systems and services that also bring in “feature bloat” for most users. So while we may want to look to governments to try to “solve” the market failure of current IT adoption (and risk extension) to small/medium/public entities, there appears to be significant scope for the market itself to introduce solutions that are better tailored to such entities and feature improved security and management for them. Perhaps government intervention would still be required in such an instance by sending a “market signal” through collective purchasing and negotiation among the many local government entities existing in North America, Europe, and beyond – with the resulting product similarly suitable for smaller businesses as well. But thinking that the tech giants from Microsoft to Apple to Google to Amazon are completely blameless (or at minimum, cannot be expected to do better or conduct themselves differently) would appear to miss quite powerful opportunities to address these issues.

Overall, the current technological ecosystem fails many small or otherwise limited organizations by extending enterprise-grade technologies to them while expecting enterprise-level expertise and resources to manage, defend, and operate such systems. As such, the rapid proliferation of BEC and ransomware is a symptom of an underlying disease: providing organizations with tools and creating subsequent expectations (or requirements) for management that these entities are neither resourced nor qualified to achieve. Even the rapidly-expanding private cyber security industry is out of scope in this instance given the eye-watering costs of MSSP contracts and similar services. While the information security industry may presently bemoan publicly-available offensive tooling as bringing about doom such as small business bankruptcies or school district shutdowns, such items will occur even if every OST is banned or eliminated as the fundamental problem enabling such actions will remain.

In this case, providing security is itself addressing a symptom rather than a cause. More interesting still is addressing the root cause: extending overly-complex, difficult-to-manage technology to all organizations irrespective of capability or maturity, while mysteriously expecting such organizations to maintain a reasonable, consistent security posture. In this light, the overall technology industry needs to rethink how systems, services, and software are provided, to effectively bridge the gap between hugely expensive Active Directory deployments and the individual person using a tablet computer, and to formulate something readily available, consistent, and easily maintained and secured. Some efforts appear in this direction, but none has succeeded in the market, and those that exist leave much to be desired in terms of functionality and usability. Yet failing to address this point will mean we continue to argue about and decry one of the main points against OSTs for the foreseeable future.

1 Comment

Merle Dumdei · 01/04/2020 at 05:26

Can I simply say what a comfort it is to discover an individual who actually understands what they are talking about on the net. You definitely realize how to bring a problem to light and make it important. A lot more people have to check this out and understand this side of your story. I was surprised that you aren’t more popular because you definitely possess the gift.