<div dir="ltr"><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">I'm kinda sad no mentioned Mr. Bejtlich's example from Air Force history. In support if his point he mentions the Air Force became focused on tools and tactics at the cost of strategic thinking.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">He stopped there because the example fits his point. Dave and other offensive firms are the tools and tactics focused crowd and lack the strategic understanding he has as network a network defender.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Continuing forward in Air Force history a major change happened: the expensive programs designed to put pilots in air combat began to be replaced by tools and tactics. The USAF has proven that there is a place in air dominance for cheap, replaceable drones. This doesn't sit well with older AF pilot types who are being replaced by drones.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">If you look at the A-10 decommissioning you will find a mirror for Mr. Bejtlich's belief in defender superiority and transforming the Air Force into a more agile organization that is representative if offensive approaches to security. I think this mirror is why Mr. Bejtlich has a problem with offensive security. He comes from an org where you have to constantly be moving forward to get promoted and the leadership pretty much comes from fighter pilots. If the AF replaces pilots with drones how will anyone get promoted? Back to IT if offensive security can show value then what will become of his plans/budgets for hundreds of networks sensors, people to deploy them, time to analyze results, and mitigate findings. He will end up in the boneyard right next to the retired A-10s.</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">If somebody wanted to twist the knife the subject of the book referenced in Mr. Bejtlich's post is about John Warden. He is often quoted as saying:</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">"Real exploitation of air power's potential can only come through making assumptions that it can do something we thought it couldn't do...We must start our thinking by assuming we can do everything with air power, not by assuming that it can only do what it did in the past."</div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">Doing what Mr. Bejtlich does and adapt Air Force lessons to IT that quote is a glowing endorsement for offensive security types...</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 11, 2014 at 6:18 PM, Moses Hernandez <span dir="ltr"><<a href="mailto:moses@moses.io" target="_blank">moses@moses.io</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Something caught my eye:<br><div><div class=""><div><br></div><div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:13px;line-height:16px"> "He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption."</span><br>
</div><div><span style="color:rgb(51,51,51);font-family:Verdana,Arial,sans-serif;font-size:13px;line-height:16px"><br></span></div></div><div>Meta Data matters, even just the patterns that are used in transmitting data could matter. There potentially could even be signature matching on protocols like voip that could give attackers a signature to match to a person. An argument could be made that Meta Data matters to some people at some level. Encryption is only a finite means to an end. If intelligence data and its importance only has a finite life then encryption may be good enough for the moment that it is needed for. At the same time, you can from a defense point of view understand that bad stuff is happening even if encryption is used. </div>
<div><br></div><div>As for the comments above, if I have learned anything in my career it is that I have only been that much better because I have had to be on both sides and have had my offensive skills influence and feed my defensive skills. The same can almost perfectly said of the inverse. </div>
<div><br></div><div>Oh and</div><div class=""><div><br></div><div> "<span style="font-size:13px;font-family:arial,sans-serif">Look, Richard Beitlitch </span><a href="http://taosecurity.blogspot.com/2014/02/the-limits-of-tool-and-tactics-centric.html" style="font-size:13px;font-family:arial,sans-serif" target="_blank">thinks I don't know anything about "Strategy"</a><span style="font-size:13px;font-family:arial,sans-serif">."</span></div>
<div><span style="font-size:13px;font-family:arial,sans-serif"><br></span></div></div><div><font face="arial, sans-serif">I will be the first to admit, compared to someone who has lived and breathed warfare, I don't know If I could claim I know anything about strategy. What I can tell you is this, we need better tools to go hand in hand with 'people and process', so I'm excited to see Innuendo in action. </font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">m</font></div><div><font face="arial, sans-serif">@mosesrenegade</font></div></div><div><font face="arial, sans-serif"><br></font></div>
<div><font face="arial, sans-serif">Full Disclosure: The opinions here do not reflect the opinions of my Employer.</font></div><div><font face="arial, sans-serif"><br></font></div></div><div class="HOEnZb"><div class="h5">
<div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, Mar 11, 2014 at 12:28 PM, Justin Seitz <span dir="ltr"><<a href="mailto:justin@immunityinc.com" target="_blank">justin@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Weird I couldn't see Richard's response through all the marketing for<br>
his products and books. Must have been the thick cloud of big data APT<br>
threat intelligence in the way.<br>
<br>
I guess I also find it funny that there are a number of defense folks<br>
who love to use/paraphrase this statement Richard makes:<br>
<br>
"First, I recognized that it's written by someone who is not responsible<br>
for defending any network of scale or significance."<br>
<br>
Right. Offensive firms (you all should be pissed by this statement by<br>
the way) are not responsible for defending networks. Period.<br>
<br>
Posts like this, Richard, are why I turn off Twitter by 9am most days.<br>
<span><font color="#888888"><br>
Justin<br>
</font></span><div><div><br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>