Monday, April 27, 2020

The Duality of Attackers - Or Why Bad Guys are a Good Thing™

It’s no secret I've been on a spiritual journey the last few years. I tell most people it’s fundamentally changed my life and how I look at the world. I’m also a hacker and I’m constantly thinking about how to apply metaphysical or spiritual concepts into my daily life. Because if they are true they should apply broadly and also to many aspects of our lives. One of the key things I’ve learned is that perspective drives an individual's opinion of a situation or event. Is something good? Is something bad? It all depends on the observer’s perspective of the situation.

My first Battalion Commander in the Army, when I was having my welcome-to-the-unit meeting, said something I've never forgotten. He said “On any given day it’s better to be a Soldier, a DA Civilian, or a Local National (I was in Belgium)”. This has stuck with me ever since, even though I didn't know what to call it at the time: perspective.

In late 2019 the Irresponsible Open Source Tools (intentionally not linking) debate took over Infosec twitter for a few weeks. Ever since that time I've been thinking about - “Are attackers a good thing?” Not red teaming, not pentesting but straight up criminals. The real steal your shit type, not the point and laugh type, the wreck all your things, steal all the things, potentially end your business type attackers. There were several people basically stating life would be better if attackers did not exist and I wasn't so sure about this. 

TLDR; I think Yes, attackers are a Good™ thing or rather not a Bad™ thing because they force us to adapt and grow. Growth Through Struggle.

But first, definitions:

“The art of drawing solid objects on a two-dimensional surface so as to give the right impression of their height, width, depth, and position in relation to each other when viewed from a particular point.”

“A particular attitude toward or way of regarding something; a point of view.”

Another way to think about perspective and how everyone can have their own is that “Everything (every person, place, thing, situation, event) is fundamentally neutral - they are neutral props with no built in meaning” [1] - the observer of the situation or event gives the event meaning.

The meaning we put, the meaning we assign to these neutral things completely determines the effect that we get out of them. Every situation can be viewed in many different capacities and it solely depends upon how you perceive it and the association that you create with it and your beliefs about the situation or event.

I'm currently fascinated with TV Shows that tackle this subject. Lucifer and Good Omens come to mind where the idea that the "bad" guy is sometimes the good guy if you evaluate their actions and the "good" guy is the bad guy as dictated by their actions or listening to their superiors.

As hinted at by the word "dual" within it, duality refers to having two parts, often with opposite meanings, like the duality of good and evil.
If there are two sides to a coin, metaphorically speaking, there's a duality. Peace and war, love and hate, up and down, and black and white are dualities. Another term for a duality is a dichotomy. Duality has technical meanings in geometry and physics. In geometry, duality refers to how points and planes have interchangeable roles in projective geometry. In physics, duality is the property of matter and electromagnetic radiation to be understood best through wave theory or particle theory.

“Your truth is truth, my truth is truth, but your truth is not necessarily my truth.”
Understanding and being aware of duality is vital to our human experience, as it allows us to see things from ‘both sides of the coin’ and better understand ourselves and others amid the collective. Most individual’s version of ‘truth’ culminates according to their past and current experiences, social conventions, and worldly views. To put it simply, duality is the nature in which everything holds opposing truths — all of which are true — at least in a relative sense.

Buddha & The Demon - Perspective

Extra Reading on Duality

I’ll be honest, after a lifetime growing up in the United States worrying about the next foreign country boogeyman and over a decade in the Army where the primary motivation was giving soldiers someone to “hate” it’s been quite a journey to try to see things other than a binary right/wrong & good/evil, etc. The intersection and interdependence of good and evil manifested for me (and I think plenty of others) in the following way: we don’t feel we are good unless we are fighting against evil. It’s the American Way! We can feel comfortable and secure in our own goodness only by attacking and destroying the evil outside us. I was, and still am to an extent, looking for evil to vanquish. This interdependence is at the core of Infosec. Without APT groups, criminals, malware, and every other form of virtual boogeyman (aka “the other(s)” or “the bad guys”) most of us have no reason for our Infosec existence.

Thinking of everything as fundamentally neutral has helped me drop some, but not all, of my old vocabulary and has given me space to pause and to think about how I feel about issues at a micro level and macro level. Taking that pause allows me to understand that my perspective on the situation is entirely what matters and that another person could have a TOTALLY different perspective on the situation (and Infosec twitter shows me...quite frequently does).

Criminals, Attackers, Bad People, etc and their actions can have a multitude of perspectives.

Take a company that gets compromised so badly they go out of business. From the perspective of the company CEO this is BAD. From another perspective, perhaps of a competing company CEO, this is GOOD. From the perspective of the attacker they got what they wanted, so (GOOD) perhaps a bonus is coming, perhaps their family gets to eat, or maybe they just get another BTC in their nano ledger. In-house defenders have “failed their mission” and now are out of work, or maybe this was the event that finally prompted management to spend that money they’ve been asking for. Perhaps their failures were so embarrassing they have made it by name into TechCrunch articles and their careers may be over or at least paused. Perhaps they “lost” but their response was good enough that the general public thinks things are ok inside the company anyway.

For Infosec, I’m going to make the case that attackers are GOOD; at least from my perspective (as every opinion piece is). But, I’ll attempt to lay out bullet points for rationale for my current perspective. The following can be summed as “Growth through struggle”:

  • Attackers force defenders to consistently up their game. Attackers constantly innovate to get around the current detection techniques and technologies.
  • Attackers force Red Teams to up their game to keep up with their TTPs.
  • Defenders force attackers and Red Teams to up their game to keep up with current defenses.
  • Without virtual cyber boogeymen a 100+ billion dollar industry would sell less product and be required to innovate less.
  • Attackers force visibility into their politics and perspectives through the investigations into their motivations and TTPs. 
  • They give a large portion of Infosec a “purpose”. I’ve dedicated the last 20 years of my life in various verticals of IT to “keep bad guys out” and I'm positive I'm not alone.

If you’ve made it this far, thank you! I realize the title is a bit click-baity and not really in line with the idea of duality or perspective, but no one would have read “attackers are fundamentally neutral.” My hope, though, is that you are open to exploring that perspective now. I welcome your thoughts on the subject.



Anonymous said...

It's easy to sit around philosophizing at the macroeconomics level, but your perspective shift is mostly just ignoring the real human suffering criminal threat actors cause. The infosec world does a whole lot of victim-blaming which helps them look in the mirror while they sell lots of services.

Try considering it from the perspective of the caregiver of an elderly citizen who just had his/her bank account cleared out by a "your social security number has been canceled" scam;

Now try considering it from the ex-employee of a small 75 person low margin business that was hanging on by a thread, fell for a phishing email that let the baddies come in via an exposed service and burn it to the ground with ransomware.

The "bad guys is a good thing" argument is deeply rooted in remnants of social Darwinism and the toxic collectivism of the internet age; not some outcropping of spiritual enlightenment. In nearly every spiritual tradition the suffering of the individual is relevant in determining right action.

CG said...

Thanks for reading and commenting @anonymous

I appreciate your response. I'd like to hope I did convey that I did think about the vein of the first two examples you raised (bank account / ransomware) and that it would be difficult to see any good from that situation as the recipient, but there must be alternative viewpoints. What I mean is that those actors must on some level have thought their actions were ok, or they wouldn't have done them.

This isn't a celebration of criminal activity. For me it's a critical thinking exercise to force me to think about the other perspective, what the antagonist is going through, and to think about the **possibility** of everything not being binary. As an example, the people that missed their plane on 9/11. This was a horrible thing (missing the flight) until it wasn't.

"In nearly every spiritual tradition the suffering of the individual is relevant in determining right action." I'd ask for a reference here as I don't agree at all. I've provided mine for this particular thought exercise with the Bashar clip and life is meaningless/everything is neutral. For additional references I'd point you to the various universal laws

Again, thanks for the interaction!

Anonymous said...

One example is the Buddhist precepts: commitments to abstain from killing living beings, stealing, sexual misconduct, lying and intoxication. There are others but this is the most relevant to this discussion because the precepts are intended to minimize suffering (both for perpetrator and victims of these) even though Buddhism has a tradition of Nondualism. Granted there are huge differences between the message and intent of the doctrines and the eventual incorporation into the messy lives of real people.

"What I mean is that those actors must on some level have thought their actions were ok, or they wouldn't have done them." I don't think that's usually true; when you harm a friend and then later regret it: you often did so despite knowing it was wrong but you rejected the right action because it was inconvenient. The world isn't always made up of rational actors; people enact revenge on a world they feel has slighted them, often harming more people and creating a self-repeating cycle. People convince themselves there is no other way and talk themselves into corners. People make mistakes, and maybe learn from them and evolve. People take a less optimal path out of sheer boredom to spice things up a bit; maybe they don't really learn and just regret them the rest of their lives: progress isn't guaranteed, we're just as likely to slide backwards, or stagnate and see diminishing returns on our investments. ("people create their realities its a matter of their thoughts their beliefs their behaviors" - Bashar)

But my broader point was about the underlying collectivism and social Darwinism inspiring the post: I've met you briefly at cons, and listened to your shows long enough to know that real exposure to the personal level tragedies would create a deeper empathy; particularly for victims that didn't have personal accountability for the situation that led to their victimization. (Example blameless victim: who would blame the victims of child pornographers using a "law of attraction" "the kiddos were asking for it" kind of argument). Criminal behaviors are behaviors we have decided are wrong because after centuries of trying it out: we didn't want to live in a might is right world. Like any frontier settlement of days past the internet is just waiting for rule of law to be competent enough so that everyday folk can enter the saloon without a six shooter.

Over a decade of IR/forensics talking here; good people get hurt by other people's poor decisions and malicious actions. It's easy to think "it's for the best" from far away but up close it's ugly: you see an attacker who dehumanized a victim enough to justify their actions; and the very human fallout. Sometimes you're just watching untreated mental illness play itself out in the stupidest way possible.

This is not to say I don't also see very preventable titanic sized incidents where the captain ignored every single warning of the iceberg ahead; and yeah those can feel like "Sorry bro, you fuckers finally got yours". Life is messy; but from far away we probably don't know enough about these situations to be deciding whether it's for the best. If we're saying early 1900's cities were better back when the mobs were running protection rackets that made the local butchers stronger: maybe our profession has taken a wrong turn somewhere.

CG said...

I appreciate your response @anonymous.

I love the perspective that I just need some more bad shit to happen to me to change my perspective/have more empathy. - definitely a valid take!

I don't agree with much of the rest of the reply or the misuse of spiritual concepts for you to maintain your position (even though you are certainly free to do it) and I'm not feeling it's worth my time or energy to explain my reasons as you've posted anonymously, but thanks for taking the time and energy to write & post it!


Anonymous said...

Anonymous posting is an occupational hazard when anything you say on the internet will later be quoted out of context and used against you to distract a jury away from hard evidence; I think limiting your investment in random anons is completely fair treatment. Thank you for the time spent reading, considering, and responding; and if you do change your perspective I hope it’s just run of the mill insight and not because "bad shit happened to you" or people you love.

Putting metaphysics aside - I'm not going to argue that bad guys aren’t good for business; I agree they are good for business and that business has been good. But I do think we're in danger of parasites killing the host if the trend of destructive attacks continues in the direction it has been heading; our industry seems to have a bias that perpetually underestimates and underreports the rate and efficiency by which these groups have been devastating and killing otherwise healthy businesses. “Buy more security” is only a viable answer if the products being sold are affordable and effective to withstand a targeted adversary: We both know they are neither: how many pentests end with 0 critical findings? Now consider that a company investing in an external pentest is far ahead of the rest of the pack.

nullbyte said...

Hello Chris,

Interesting views! This article is a well written philosophical piece on cyber-security. Indeed, 'good' and 'bad' are subjective to the point of view of the observer. Regardless of whether you want to pick a side or not, these dualities always exist, like a yin-yang.