"Rather than defense being offense's child - could offense be the less mature, younger sibling who can only break things?"

Two differing views on Security have been presented to me in the last 24 hours. Add to that a conversation with my 3 year old son and I've had my mind spinning about the place of Offensive and Defensive security.

Yesterday when I was playing with Duplo my oldest child asked:

Why can girl0 (his 1 year old sister) only break things?

— 3 year old, boy0

I then went on to explain that she doesn't yet have the skills to put the blocks together, and for her the only way to play with Duplo is to knock the blocks down or pull them apart.

I've recently started reading @adamshostack's new book, Threat Modelling[1]. In the introduction he has a section titled "'Think Like an Attacker' Considered Harmful" where he states the following:

The advice to think like an attacker doesn't help most people threat model. ..... You don't need to focus on the attacker to find threats, but personification may help you find resources to address them.[1]

Then this morning whilst reading my twitter stream I came across the following retweet.

In light of @adamshostack's statement it niggled away at me all day. During the day I was trying to work out whether the two very short statements were conflicting. My thinking was (in a very simplified manner) "Rather than Defense being offense's child - could offense be the less mature, younger sibling, who can only break things?" Of course analogies, like a car with a hole in its gas tank, have limitations so I'll stop there.

Upon further reflection I don't think that the two statements are in conflict. They were addressing very different aspects of the security ecosystem. Adam was talking about Threat Modelling to provide defense, whilst John was talking about offensive research. Even though I wanted my analogy to work, they're two very different fields and both statements can exist without conflict.

The Plan from here

So my plan is to continue considering both offense and defense. In my day-job I'll continue to improve my defensive techniques by improving my team's threat modelling skills; yes, that may even involve playing the "Elevation of Privilege" game.

But as a hobby I'll be pursuing an offensive path by firstly completing the Penetration Testing with Kali[2] course, with the end goal of OSCP certification. This is not to improve my thinking as an attacker, but rather to get a better understanding of the tools and techniques used by today's penetration testers.

There will likely be more posts about the Offensive Security course as I progress through it.


1 - http://threatmodelingbook.com/

2 - https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/