Tags: security, tech, infosec

Celebrating defenders

What is the main job of information security?

Is it to break things? Or to protect things?

I believe that most people would answer something along the lines of defending.

So if we agree that the end goal is to defend, why does it seem like infosec is mostly about the offensive side, and is this a problem?

This impression that offensive security gets more attention seems to be a common view. To confirm it's not only me, I ran a quick poll in a few infosec channels (Signal, Mastodon and Discord).

The question I posed was: In YOUR experience, which part of infosec receives more attention from the community itself?

And the answers were:

40: Offensive security (attacking/red team)
6: Defensive security (protecting/blue team)
8: Neither/Other/Can’t say
Total sample size/n: 54

So roughly ¾ of respondents (40 of 54) share my opinion. This confirmed that I am not too far off track with my thesis, although I wouldn't read too much into the data because of the small and homogeneous sample.

This question also spawned some good discussions and questions. For example, is it the wrong question to ask? Isn't red team just an extension of blue team? And yes, the question could be improved. Offensive security is often part of defensive work (the combination is sometimes called purple teaming), but there are also large parts of offensive security which do not work with the defenders: sometimes it's neutral research, and other times the activity directly targets the defenders' ability to defend.

Does offense really get more attention?

While my little poll confirms my impression that infosec seems to be mostly about offensive security, I think[1] most of the industry is actually focused on defense and most people work in defensive roles.

It might actually be more of a perception issue, which is interesting in itself. One datapoint I found: according to the pre-print InfoSec.pptx, the talks at the biggest infosec conferences are actually mostly defensive. That paper only looks at a few conferences, but the result still surprised me, since I was under the impression that most conference talks were offensive. That topic is a bit too big to go into here.

Is this a problem?

Yes? Maybe?… I don’t know.

At least there does seem to be a tension between what infosec is about and what gets the attention. This inconsistency seems like it would be detrimental in the long run.

Could it be one of the reasons why infosec is often such a thankless and stressful job? If you work in infosec and your work is 90% defense but you only get attention when there is a new attack, that is not very motivating. Feeling that one's work matters and getting appreciation for it is an important factor in job satisfaction.

A related issue is that people who join the field often come in with the wrong expectations.

Why is this?

One reason is probably that it's easier to break than to build. That is true for most things, except perhaps concrete sculptures. As a result, most people's first exposure to infosec is offensive.

The other reason is that hacks and vulnerabilities make the news, while successful defenses are rarely newsworthy, because it is usually not clear what, if anything, a successful defense prevented.

Mikko Hyppönen put this well in his book “If it’s smart it’s vulnerable”:

When information security works flawlessly, it is invisible. And rarely is anyone thanked for stopping a disaster that didn’t happen.

What can we do about it?

One thing we should do is agree that the end goal of infosec is to defend. And celebrate the people who do it and help others do it.

We should make it more fun being a defender. Help build better tools to defend. Share them freely.

We should accept that it is currently harder to be a defender, and we should call that out.

We should work together to share information that helps defenders.

Juan Andres Guerrero-Saade, who knows much more about this than I do, recently had an interesting rant on the Three Buddy Problem[2] about how part of the industry/community treats IOCs as too valuable to share, which causes all kinds of problems. We can't force everyone to share everything, but we should celebrate and support those who do share.

We should try to make it easier to be a defender. That also means not making it harder for defenders by immediately breaking or bypassing everything they come up with.

Breaking things is important

I’m not saying we should stop calling out issues. We don’t want to get sloppy with the defenses. But criminals have enough incentive already to build tools and find issues; is it really our job to help them?

So before you publish the next POC or write up how to bypass the latest detections, think about whether it helps the defenders or the attackers.

The topic of offensive security tooling and full disclosure is a deep rabbit hole. It will get its own blog post at some point, but in short, I think a lot of people underestimate how much POCs and red-team tooling hurt defenders.

Conclusion

In the end, maybe the imbalance is intrinsic and impossible to change. But I believe we can and should try harder.

Our world is inevitably moving towards more information technology. And personally, I do not feel information security is improving. Rather, it feels the opposite is true and we are falling behind. If this has much to do with an internal conflict of offensive and defensive security, I can’t say.

But it’s time to make sure we celebrate defenders.

If you have thoughts or comments on this piece, comment on Mastodon or Bluesky, or send me an email.


[1] A little disclaimer: I have not researched this, and I have been wrong before.
[2] https://securityconversations.fireside.fm/fixing-threat-actor-naming-mess at around 1h