CANCUN–The offensive security research community has evolved over the last decade or so from a relatively small, insular and inward-looking group into a large and rather vocal one with a wide variety of motives, opinions and skill levels. But, to hear Brad Arkin of Adobe tell it, the huge amount of talent in that community could be put to better use developing new defensive technologies and techniques rather than searching for the next bug in an infinite sea of bugs.
Arkin, the senior director of product security and privacy at Adobe, said in a speech here that the best way for researchers to make a real mark in the industry is to bring their talents to bear on defensive technologies.
“I would say to the researchers here, work on defense. This is where you’re going to make a difference,” Arkin said. “If you come up with a new offensive technology, the bad guys will use it.”
Arkin said that the vast majority of the new attack techniques deployed by malicious actors in the last few years are directly attributable to research done by the legitimate offensive research community. One reason is that most of the attackers involved in financially motivated operations such as phishing and bank fraud simply don't have the time, talent or resources to do their own original research on attacks. They take work done by others and adapt it to suit their own needs.
“Financially motivated attackers don’t invest in original research. It’s too expensive these days,” Arkin said. “It’s pen testers or it’s nation states or the people funded by them. That research is done by professional bad guys who have financial horizons that far exceed those of financially motivated bad guys.”
One of the interesting things that’s happened in the last few years is that the offensive research community, which had historically been at odds with the big software companies such as Microsoft, Adobe, Oracle, Apple and Google, has become a rich vein of talent for those same companies. Microsoft was the first of those companies to start hiring some of the top offensive researchers in the game, bringing in people such as Matt Miller, aka Skape, and Ken Johnson, who used the handle Skywing, to help work on defensive techniques. Both researchers had done a lot of work on methods for bypassing various defenses in Windows.
Google has followed suit, hiring a team of researchers that includes Michal Zalewski, Adam Langley, Chris Evans and others, as has Apple, which recently hired a young researcher known as Comex who had done a lot of work on jailbreak exploits for iOS. But there are plenty of researchers who have resisted the lure of corporate dollars and have remained on the outside. There is also the community of developers and researchers that has evolved around the Metasploit project, which Arkin said can be a good barometer of when an exploit has hit the mainstream.
“The biggest jump in exploits we see is right after the release of a Metasploit module,” he said.
Arkin also said that vendors are better off investing their resources in making it more difficult for attackers to exploit potential vulnerabilities than in trying to find every last bug.
“The effort required to find the next bug never changed,” he said. “The thing that drives down the cost for attackers is offensive research. Now the new technique is cheap and accessible. Offensive research is driving the cost down at the same time defenders are driving the cost up.”