Which takes more skill - defence or attack?

[HTRegz]

Hey Hey,

There are very few "good posts" found in the pages of this thread... one of the better ones is chsh's... It does vary and the question he has posed is much better.

This thread topic, and the attitude of the authors posts, reek of skiddiness... The language itself, "skill", reeks of skiddiness as well.

Why does it seem that the l33t hax0rz insist on using the word skill? I've got mad sk1llz y0!... Is skill a quantitative measure??? I think not... My girlfriend is skilled at using a computer... She can get online, use IE and other basic windows apps, use the word processor, connect the components of the PC, clean her computer and update her AV... does this mean she's prepared to defend or attack a computer.... no.. I'm quite a good cook and very skilled in the kitchen... but I'm not ready to prepare a world class mean for Chef Ramsey (Hell's Kitchen)...

How about using a word like knowledge.... Which requires more knowledge, attacking or defending... or Which requires a higher level of knowledge, attacking or defending... At that point the author should have been asked to clarify attacking or defending what.... A corporate network is the assumption that has been made... but it's still only an assumption... regardless of how certain individuals want to fly off the handle in attempts to belittle other members of this forum. No one ever really asked the direct question "What are we attacking and/or defending"..

Next you have to look a little more indepth... Why does it seem that everyone thinks of coding when they think of attacking.... I've seen coding mentioned several times.. I don't need to know **** about code... with the packet building programs available today (hping, nemesis, etc) and the variety of other tools... such as fuzzers (PeachFuzz, Spike, etc) and the existance of point and click GUIs for coding... I could attack without ever really writing a piece of code..

The same for defending... no need for coding... The real knowledge comes from your knowledge of networking or the inner workings of an operating system... and this goes for both attackers and defenders.... I need to know how various TCP Flags work... then I'll know that a a large number of SYN packets can render a port useless... and from the defenders point of view that my network must be protected against excess SYN packets bound for the same destination..

The only real answer is that the level of knowledge required for both is the same... The above example demonstrates how both attacker and defender must have the same knowledge in order to attack or defend depending on their position.

I can't get over the number of people that have said this is talking about corporate networks but then said both professional auditors and skiddies.... Don't walk the fence, you're either talking Professionals on both sides, or Amateurs on both sides...

It takes the same level of knowledge for a home user to protect their computer (point and click; download and install a firewall) as it does for a skiddie to exploit the latest MS Vuln (point and click; download and run)..

This works it's way across the board from Idiots to Newbies to Amateurs to IT Professionals to Security Professionals... The knowledge level must be the same regardless of whether you are attacking or defending... That's the only way to make this a fair comparison... Drop the word skill... forget it ever existed... how much knowledge do you have... and I'm not talking that pre-canned CCNA garbage that anyone's grandmother can get in an afternoon... I'm talking actual useful knowledge...

I've rambled quite a bit, so I'm going to cut it off there.... g'nite.

Peace,
HT

[¤The¤Spe©ialist]

as it does for a skiddie to exploit the latest MS Vuln (point and click; download and run)..

Point and click is a myth.

You need to have a "working" exploit for starters. Let alone you need to take an exploit and a machine with alot of up-time and make it automaticly exploit other computers for you when your not around. You need to make sure it consistently and constantly works. Editing other people's stuff... this would require what? Maybe a minor amount of "programing skills".

Most exploits don't come with the option to mass exploit a thousand web-servers. Thats usually up to the user to automate the process... that along with anything that happends after exploitation. This was almost explained pages ago. And anytime you see the letters "PoC" together like that... you know it'll pretty much only make the program seg-fualt and not much else.

Skiddie this and that... some of you guys say that and act as if you're one step above just another average Joe Blow.

[HTRegz]

Originally posted here by ¤The¤Spe©ialist
Point and click is a myth.

You need to have a "working" exploit for starters. Let alone you need to take an exploit and a machine with alot of up-time and make it automaticly exploit other computers for you when your not around. You need to make sure it consistently and constantly works. Editing other people's stuff... this would require what? Maybe a minor amount of "programing skills".

Most exploits don't come with the option to mass exploit a thousand web-servers. Thats usually up to the user to automate the process... that along with anything that happends after exploitation. This was almost explained pages ago. And anytime you see the letters "PoC" together like that... you know it'll pretty much only make the program seg-fualt and not much else.

Skiddie this and that... some of you guys say that and act as if you're one step above just another average Joe Blow.

Hey Hey,

It's not a myth... it's just that the definition of 'skiddie' varies between us.... I consider a skiddie to be someone who uses point and click.. Someone who get's their hands on an expired version of CoreImpact and sets back their computer clock so that they can use it (but not obtain updates) or someone that downloads WinNuke or Netbus or the GUI DCOM exploits that came out very shortly after the DCOM exploit was released... Even the ones that download the PoC off k-otik (frsirt) and FD.... some of that code can be quite dangerous... and then writing a batch file to hit multiple IPs, or compiling the code is not work.. The people that actuall create working copies of the exploit and modify it, etc... I place them a great deal above your standard skiddie...

Peace,
HT

[cacosapo]

Originally posted here by Tedob1
average attack = find firewall...move on
or
find firewall, determine type then google for exploits. didn't work...move on
thats if we're talking 'average'.

Exactly what i think.
When we go "above the average" for attackers, we start to find "specialists".
A guy that has a specific knowledge of a few exploits. And a guy that can use and/or make several tools to explore those few exploits.
Some of those guys can master more than one discipline but its pretty uncommon.
On the "white site", we have the "average admin". An average admin must know how to successfully defend against "average attacks":
- well known exploits
- maintain patches up-to-date
- follow best-pratices recommendations... etc .etc
What is above an "average admin"?
what are the skills, in your opinion, of a "specialist admin"?
What kind of company need these "master admin"?
I would like to heard your opinions.

[embro1001]

I definitely agree that the sysadmin has the harder job. The larger the network, the harder the job. An attacker has the luxury of time to wander the network, get a feel for it, and discover any weak spots. A defender has minutes to hours to detect and fix a break in before his boss starts breathing down his neck. A boss's breath is never good.

[zENGER]

I would say the defender has a much harder job due to the following:

Defense: One to many. There is one thing to protect and many people coming from different angles to get it. You have to protect against all of the possible manors in which someone could attack it. I don't agree with Gore in this respect because I don't see this conversation being related to home users who want nothing coming through. If that were the case, I could secure a computer easily by dropping it into the middle of a cement truck. It would be completely secure. I see this more posed about securing a network, when you DO want some information coming in and going out, such as maybe a webserver or email server.

Attack: This is a one to many relationship also, but it means you have multiple people to attack. If you have one thing you're good at, such as a specific exploit, you keep searching until you find someone vulnerable.

Now, if you're going to take out the one to many relationship and point a single attacker against a single network, things might even out.

My vote goes to defender since to stay on top of things requires you to be one step ahead of any attacker. I would say that in general an skilled attacker and skilled defender would have probably a good amount of overlap in their knowledge. Each would know multiple exploits. The attacker would know how to use them, and the defender would know how to defend them. I think each of those actions is equally skillful if you aren't just googling for the answer.

So, My vote goes like this....

Home network - Defense is easier
Mid-size network - Attacker is easier (due to the fact that some services are available to the outside)

Now a professional attacker who is finding and developing new attacks, vs. a professional defender who is looking for new attacks and mitigating them, I think this ground is pretty equal.

[gore]

Just like the attacker has to stay a step ahead of the defender....

How many of you in this thread have actually rooted a box without ANYONE knowing about it?

How many people defend against that each day? (All of us I'd assume).

For each successfull attack there are 200 non.

[embro1001]

Originally posted here by gore
Just like the attacker has to stay a step ahead of the defender....

How many of you in this thread have actually rooted a box without ANYONE knowing about it?

Does a corporate network count? They didn't know until I told them. It was a lame attack (poor defense on their part), but it's worth something...

[cacosapo]

Originally posted here by gore
Just like the attacker has to stay a step ahead of the defender....

Agree too. Attacker should know a way to circumvent the defender' defenses (to be successfully). So attacker should (at least one discipline) know more than the defender.
BTW, a think that defender is allways a step back of the attacker, since most of our defenses are "reactive". We only know how to defend when we get the first attack.
Its our nightmare - 0-day exploit.

[embro1001]

But it's always easier to attack a known enemy than defend against an invisible one, so as far as skill goes, the defender must have more... it's not really a matter of an attacker knowing "more" (as if knowledge was, indeed, quantifiable), but rather knowing something "new". Having knowledge of a new 'sploit generally puts the attacker on higher ground, regardless of his "skill".