Comments on: Think Like An Attacker?

By: Joshua Lewis

Joshua Lewis — Fri, 19 Sep 2008 19:38:12 +0000

Hey Adam,
My name is Josh Lewis. I am a blog researcher. I came across your blog through some other blogs I was reading while I was doing some research for one my clients, “Solera Networks” in the network security industry. I got distracted and was intrigued by your blog post about your concern in network security. Hopefully you are familiar with the new Tivo. If you are I felt inclined to talk about you because I think Solera Networks has some products out there that are somewhat unique and new to the industry (data capture appliance devices) and would give you some great information to write about on your blog – I know how hard it is to find topics to write about sometimes. If you were interested I could even have them send you a demo version of the software if you want to check it out in more detail. Or if it would make it easy to write I could setup a time for you to ask questions from an engineer at Solera networks and transcribe the interview for you so you can post it on your blog. At the bottom of this email I will copy paste a general overview of what their products do.
If you are interested don’t hesitate to contact me, and keep up the great blog; yours was for sure one of the top in the industry that I came across.
-Thank you
Joshua Lewis
jlewis@twelvehorses.com
Solera Networks DS Appliances provide protection against the unknowns. They give your organization Total Network Recall—enabling IT and security professionals to get to the root cause of a network security or performance problem, minimize the effects on your business, and ensure quality of service. By recording all data that passes over the network, Solera DS Appliances give your network a memory so you can see everything on the network and can replay any traffic when needed.
•Capture speeds up to 10 Gbps (Miercom Performance Verified™ report – March 2008 – http://www.soleranetworks.com/miercom/)
•Storage scalability to expand window for longer recall time
•Up to 8 gigabit ports (10/100/1000)
•Two 10Gb fiber capture ports
•Appliance platform with certified hardware configuration
•Full traffic regeneration capabilities and PCAP creation
•Open API’s for integration with third-party tools and automation of data collection
All interesting traffic can be replayed exactly as it was captured, creating a controlled environment to investigate new unknown threats. Combined with Solera DeepSee™, organizations can search through the captured data to create a real world context around a threat by rendering “artifacts.

By: Ryan Russell

Ryan Russell — Fri, 19 Sep 2008 18:47:22 +0000

I see, you’re not talking about a person, you’re talking about people. You can teach a programmer to think like an attacker. It does tend to fall apart when you’re talking about programmers.

By: John Kelsey

John Kelsey — Fri, 19 Sep 2008 10:22:07 +0000

I think this exhortation has several goals.
Perhaps the most important is to get the designer to stop looking for reasons attacks are impossible, and start looking for reasons they’re possible. That’s a pattern I’ve seen over and over again–smart people who really know their system also usually like their system, and want it to be secure. And so they spend a lot of time thinking about why their system is secure. “Nobody could steal our PIN because we encrypt it with triple-DES.”
Back in my consulting days, I don’t know how many times I wound up finding major problems by just sitting there with one of the designers of a system, asking questions from the perspective of someone who wanted to find an attack, instead of someone who wanted to find a reason attacks were impossible. The designer often had all the information needed to find those attacks–that is, often, the attacks weren’t something out of crypto like a replay attack or a side-channel attack, where a non-cryptographer might just not know about them. Instead, it was common for these attacks to be stuff that kind of fell out of the description, things that came out from the second or third probing “why can’t I do X” sort of question. They hadn’t found those attacks because they weren’t looking for them.
A second goal of that “think like an attacker” exhortation is to get people to realize that, in order to know whether their system is secure, they need to learn something about what tools and resources an attacker is likely to have. “Wow, you mean RC4 encryption doesn’t protect the integrity of my data?” But as you said, that does require some studying up on attacks, and there’s never an end to that, there are always more attacks to learn about. (Go read a book on con men and their techniques. Or a paper about lock security from Matt Blaze. Or read about the techniques the commercial botnet/virus criminals are using. Or the tricks being used in espionage. Or….)
Third, there’s a mindset of being an attacker. I don’t know how to teach that. It’s not just about intelligence–I’ve worked with stunningly brilliant people who don’t seem to have that mindset, and with people who are much less brilliant in that brute-force impressive brain sense, but who just seem to have the right kind of mind to break stuff. I suspect (without any data at all to back me up) that this is more like a talent, which can be developed or ignored, but probably not created. A big part of this seems to me to be getting some kind of internal reward from breaking something, so that you’re willing to stand in the shower till the water gets cold thinking about how to break this scheme you just read about, or willing to sit through dinner with a notebook in your hand, muttering to yourself about partitions in the set of pairs of inputs or minimum conspiracy sizes to subvert an election or whatever.

By: mom

mom — Wed, 17 Sep 2008 20:15:43 +0000

Dear Adam: thank you for a cogent, thoughtful and very helpful reply. You certainly have a way with words!
Love, Mom

By: Adam

Adam — Wed, 17 Sep 2008 19:49:05 +0000

Ryan,
Saying “It would be helpful to you if you learned to think like an attacker” is exhorting people to learn that skill. Demanding that they do it, or implying that they’re stupid for not knowing how to do it is actively counter-productive.
Much more important, most software engineers have failed to take even the “learn to” approach to thinking like an attacker. When my advice is ignored over and over again, I try to think of a new approach that will work better.

By: Ryan Russell

Ryan Russell — Wed, 17 Sep 2008 15:14:48 +0000

Saying “think like an attacker” is exhorting people to learn that skill. Telling people to think like a professional chef is appropriate if they’re going into the catering business. And they will have to learn what that means.
If one does not know how to think like an attacker, and is concerned that they might not do things correctly… good. They’re on the right path to correcting that.