The attacker vs defender mindset must be pervasive in the design, implementation and testing of every security technology for it to be successful. This isn’t just in thinking like an attacker, but also in welcoming outside testers to find flaws in implementations.
As a security solution creator, deployer, or practitioner, it is not comfortable to think that all of our hard work can be evaded by the right craft of wizardry, but keeping that in mind and taking one out of Popper’s Falsification concept of continually seeking others to find weaknesses in our security implementations and resolving them along the way is key to a robust security stack.
This is a philosophy that I take seriously, and one that I try to make a tenet of anyone I know to be involved in the creation or deployment of any type of security technology. It is one that permeates into several of my hobbies as well. It is so very important because it is often seemingly trivial for an attacker with the right knowledge to walk clean through what appeared to be an otherwise sound security control.
I have been fortunate enough to apply this tenet in many areas of computer security, but a side hobby of mine is physical security. A shout out here to two channels that I really enjoy; Stuff Made Here, and Lock Picking Lawyer.
Shane at Stuff Made Here has a Youtube channel that takes new approaches to making creative things from scratch. He is really creative in his implementations, but, by his own admission, isn’t a particularly well-versed lock engineer. He decided to attempt creating an “unpickable lock” from scratch. Basically from first principles, he designed and machined two new lock concepts that he felt would solve the picking problems of other locks. They are neat designs that are fun to game through in their own right.
In an effort to collaborate and assess the designs (in the vein of considering the perspective of an attacker), he then sent them to a rather gifted lockpicker, Lock Picking Lawyer, to see if they were indeed unpickable.
Long story short, the locks were picked/bypassed/decoded in not much more time than turning a key would take. Lock Picking Lawyer came up with some rather simple solutions to each of the vulnerabilities, some of which Stuff Made Here decided to counter in his high-craft, over-engineered fashion.
I wanted to share the visual example with you as an illustration of the importance of a pervasive attacker/defender mindset in every part of the security solution’s creation and deployment.
In computer security we often see similar situations. Algorithm creators with the best intentions use the data and tools at their disposal in an attempt to protect against a known threat only to find that the algorithm is very easy to circumvent. One common example that was envogue for a while was to use crude domain generation algorithm detection to predict if a domain was legitimate, or used by malware as a part of its backdoor communication. Many of these algorithms would false positive on non-word domains such as google.com unless they are explicitly allowlisted. While allowlists aren’t always signs of weak algorithms, and are sometimes unavoidable, they generally don’t point to an ideal solution.
Another common example is creating “impossible travel” algorithms to detect that an authentication attempt must be an attacker if it occurred from an IP too far from the previous attempt to have traveled legitimately. While this approach may seem great at first glance, they need to take into account things like VPNs, and fundamental IP geolocation issues to be robust.
This said, there is strong merit in the fresh approach taken by Shane at Stuff Made Here in his quest to build a better lock. He purposefully attempted to make a better lock without first studying everything that had been done in the field so that his approaches wouldn’t be tainted by prior ‘expertise’.
At ActZero, we routinely do the same thing -- our data science team will design the initial algorithm without consulting prior art. We then audit this design with the attacker’s mindset, against prior art, and domain expertise to ensure that the novel approach is not easy to circumvent, fixing whatever is needed up to and including shelving the whole approach along the way.
I discuss the perspectives of attackers and defenders in a more formal concept, with my colleague Adam Mansour, in our webinar entitled “Thinking About the Adversary: Offensive and Defensive Strategies.” I represent the attacker perspective, while Adam represents the defender. Feel free to watch the recording here.