The offensive security industry is a curious one. On the one hand, we are ahead in various trends (or “thought leadership,” as some would have us term it) and are used to literally “moving fast and breaking things.” On the other hand, we’re far behind similar disciplines.
The offensive security industry is often behind in terms of proper software engineering for offensive tooling, due to the asymmetric nature of offensive engineering and the lack of commercialization opportunities in the private sector. This has resulted in the post-exploitation sector of offensive security not taking full advantage of structured data, which is used extensively in the defensive industry. This post explores the differences between red and blue data, and why structured data is important for offensive tooling.
On the red side, tools handling OSINT and scanning have generally been welcoming of structured data, while post-exploitation tools have not. False positives and false negatives are also weighed differently on the offensive side. Defenders run detections over enormous event volumes in which true positives are rare, so even a small false-positive rate yields far more false alerts than real ones (the base rate fallacy); operators collect a small, targeted dataset in which a false lead costs only a quick manual check, so the fallacy bites far less. Offensive operators think in terms of “what’s possible”, while defenders think in terms of “what’s happened”.
The defensive industry has made huge strides in the collection, enrichment, and processing of large amounts of structured data, while the red team/post-ex side has not made the same strides in using structured data to determine what is possible. On-host versus off-host processing is another factor to consider: when raw collection is shipped back and analyzed off the target, the bottleneck shifts from the processing power available on the target host to the throughput of the communications channel and how efficiently the data can be serialized through it.
The proper collection, processing, and enrichment of “offensive” data can provide an immense amount of utility for the red team community. It could allow us to centralize data from all tools in an engagement in the same place, giving us the chance to exploit the connections exposed by the data’s structure: the same host, principal, or credential appearing in the output of two different tools becomes a join rather than something an operator has to notice by eye. If all of our offensive tools produced and consumed structured data, those connections could be found automatically. This post is the first in a series exploring the potential of structured data in offensive security.
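As an added illustration of the centralization argument above (this is example code written for this summary, not code from the SpecterOps post or from any SpecterOps tool), the block below takes two constructed post-exploitation outputs, one an unstructured text listing of local administrators, the other JSON lines of logon sessions, normalizes both into a common record schema, and joins them. The tool names, hosts, users and output formats are hypothetical.

```python
"""
Added example: normalize two constructed post-exploitation outputs into one
record schema and join them on the shared "principal" field.  Tool names,
hosts, users and formats are hypothetical, not from any real tool.
"""
import json
import re
from collections import defaultdict

# Constructed sample: free-text output of a hypothetical local-admin
# enumeration tool, one block per host.
RAW_LOCAL_ADMINS = """\
[*] host=FS01
Members of Administrators:
CORP\\Administrator
CORP\\svc_backup
CORP\\Domain Admins
[*] host=WEB02
Members of Administrators:
CORP\\Administrator
CORP\\jdoe
"""

# Constructed sample: JSON lines from a hypothetical session-enumeration tool.
RAW_SESSIONS_JSONL = """\
{"host": "WEB02", "user": "CORP\\\\svc_backup", "logon_type": "interactive"}
{"host": "FS01", "user": "CORP\\\\jdoe", "logon_type": "network"}
{"host": "DC01", "user": "CORP\\\\Administrator", "logon_type": "interactive"}
"""


def parse_local_admins(text: str, source: str = "localadmin_enum") -> list:
    """Turn the free-text listing into {"type": "local_admin", ...} records."""
    records, host = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"\[\*\] host=(\S+)", line)
        if m:                      # new host block
            host = m.group(1)
            continue
        if line.startswith("Members of") or host is None:
            continue               # header line, or text before any host
        records.append({"type": "local_admin", "host": host,
                        "principal": line, "source": source})
    return records


def parse_sessions(jsonl: str, source: str = "session_enum") -> list:
    """Turn JSON-lines session output into {"type": "session", ...} records."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        records.append({"type": "session", "host": obj["host"],
                        "principal": obj["user"],
                        "logon_type": obj["logon_type"], "source": source})
    return records


def admin_reach(records: list) -> list:
    """Join sessions to local-admin rights on the principal field.

    Returns (principal, session_host, admin_host) triples: an interactive
    session for a principal on one host, where that same principal is a local
    admin on another host.  Network logons are skipped because they do not
    leave reusable credentials on the session host.  Group members such as
    "Domain Admins" are not expanded here; that would be one more join.
    """
    admin_on = defaultdict(set)
    for r in records:
        if r["type"] == "local_admin":
            admin_on[r["principal"]].add(r["host"])
    edges = []
    for r in records:
        if r["type"] != "session" or r["logon_type"] != "interactive":
            continue
        for target in sorted(admin_on.get(r["principal"], ())):
            if target != r["host"]:
                edges.append((r["principal"], r["host"], target))
    return edges


def build_dataset() -> list:
    """Everything both tools produced, in one list with one schema."""
    return parse_local_admins(RAW_LOCAL_ADMINS) + parse_sessions(RAW_SESSIONS_JSONL)


if __name__ == "__main__":
    for principal, session_host, admin_host in admin_reach(build_dataset()):
        print(f"{principal}: session on {session_host} -> admin on {admin_host}")
```

The point is not the specific join but that it exists at all: once both tools emit records with the same `host` and `principal` fields, the cross-tool relationship is a query over the shared schema, and the same records can be reused for a different question later without re-parsing either tool's output.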
📓 On (Structured) Data
👉🏽 The offensive security industry is a curious one. On the one hand, we are ahead in various trends (or “thought leadership,” as some would have us term it) and are used to literally “moving fast and breaking things.” On the other hand, we’re far behind similar disciplines.
👉🏽 The offensive security industry lacks proper software engineering for offensive tooling.
👉🏽 Lack of commercialization opportunities in the private sector hinders offensive engineering progress.
👉🏽 The post-exploitation sector of offensive security fails to utilize structured data effectively.
👉🏽 The differences between red and blue data in offensive tooling.
👉🏽 Red team OSINT and scanning tools embrace structured data, while post-exploitation tools do not.
👉🏽 Offensive operations prioritize "what's possible" rather than "what's happened".
👉🏽 The defensive industry excels in collecting, enriching, and processing structured data.
👉🏽 The red team/post-ex side needs to leverage structured data for determining possibilities.
👉🏽 On-host versus off-host processing is a significant consideration in data analysis.
👉🏽 Utilizing structured data can centralize offensive tool output and expose exploitable connections in engagements.
🔗 source link: https://posts.specterops.io/on-structured-data-707b7d9876c6
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/on-structured-data
#OffensiveSecurityIndustry #StructuredData #RedVsBlueData #DataProcessing #Utility