In an essay I published earlier today, I spoke about the recurring debate in information security regarding whether the unrestricted release of offensive security tools by researchers causes more harm or good. The answer is not a simple yes or no, and the question warrants coordinated research. I also called on educators to facilitate more structured debate about this topic so students understand the nuance that comes along with it and what questions that remain unanswered due to a lack of empirical research. I’m one of those educators, so I want to share how I’m facilitating this discussion.
Below, you’ll find an abbreviated lesson plan based on the Socratic seminar instruction method. The idea is that the instructor provides some initial background information, ensuring students can answer a few basic questions required to discuss the topic with some degree of competence. From there, the instructor poses an initial question and facilitates discussion between the students. The instructor asks follow-up questions as needed, and may attempt to ask position challenging questions if the debate flows too strongly toward a specific viewpoint. Finally, questions are asked to discuss how the issue moves forward before a summarization and closing thoughts are offered.
In many situations, this exercise is best facilitated as a whole-group discussion. However, You can also pose questions to small groups and ask them to synthesize their discussion for reporting back to the broader class. The overall objectives are:
- To equip students with the perspective necessary to evaluate the nuance of the OST release debate
- To give students real-world examples for which they can frame OST release discussions
- For students to recognize that the OST release debate is not an all or nothing proposition, and treating it as such creates a false dilemma
- For students to identify unanswered questions regarding the OST debate and how those might be answered through future research
You’re free to use this lesson as is, or adapt it as needed for your student group (I just ask that you link back to this blog).
These are questions the student should be able to answer before participating in the debate. Introduce these with a bit of discussion beforehand.
- What is an offensive security tool?
- What are examples of offensive security tools?
- How is OST release different from vulnerability disclosure?
Begin with an initial question to launch the debate. You can start with something that places the student at the center of the issue:
- If a researcher comes up with a new tool to automate an attack, should they release it publicly? Will it do more harm or good? Why?
Alternatively, tie the question to a scenario or concept the student already knows about to activate prior knowledge.
- Metasploit is a great example of an OST with massive proliferation. Do you think the release of Metasploit has had a net positive or net negative impact on the industry? Why?
- Mimikatz forced Microsoft to strengthen how they handle credential processing and increased awareness of credential-based attacks across some organizations. However, it’s also dramatically simplified the process of credential theft and lateral movement and has been used in numerous automated attacks. Do you think Mimikatz has had a net positive or net negative impact on the industry? Why?
These questions provide an opportunity to focus on more specific nuance of the debate and components that students haven’t yet considered.
- What types of organizations benefit most from OST release? Why?
- What types of organizations are hurt the most from OST release? Why?
- If you wrote an OST and it was used to cause significant damage to people’s lives, would you feel responsible?
Position Challenging Questions
The debate will often trend toward an extreme viewpoint thanks to group polarization effects or vocally strong personalities. Challenge that perspective by posing questions that lead to consideration of other viewpoints or may cause disorienting dilemmas.
If discussion trends toward OST release is universally bad…
- Is there a type of OST that, if developed, should be released?
- What features of OST help determine where the line is?
- If all OST releases stopped today, do you think security vendors and organizations with security teams would see an increase or decrease in the number of successful attacks?
- Are OST release restrictions a form of gatekeeping? If all OST release was banned, how might this limit newer practitioners or the distribution of knowledge?
If discussion trends toward OST release is universally good…
- Is there a type of OST that, if developed, should not be released?
- What features of OST help determine where the line is?
- The majority of businesses in the US are small businesses and don’t have their own dedicated security team. Do they benefit from OST releases? What is a scenario where OST releases could significantly hurt them?
- Consider a scenario where someone releases an OST that emulates a technique used by a structured adversary. As that tool proliferates, what impact does that have on intelligence teams seeking to perform attack attribution?
Moving Forward Questions
A complex and nuanced topic lacking much formal research means the debate shouldn’t end when class is over. Use these questions to spur deeper thought and provide more opportunities to challenge strongly held beliefs.
- How would you measure the malicious proliferation of OSTs?
- How would you measure the defensive proliferation stemming from OST releases?
- There are two extremes: unrestricted OST release and banned OST release. What intermediate steps exist between these extremes to limit damages that might occur from OST release while maximizing benefits?
- Are researchers releasing OSTs morally obligated to also release protection and detection tools/signatures/strategies?
- If you were to write a law governing OST release, what would it say? How would it be enforced? How would you measure its success?
- What features of OST would you use to assess whether it should be released?
As I wrote in the essay that accompanies this resource, the topic of offensive security tool release is nuanced, but important. The key takeaway here is that the optimal answer is probably not completely banning the release of OSTs or the unrestricted release of every form of OST. Instead, you must identify the key questions that must be answered to study and understand the topic further. As the industry collectively breaks the discussion down into more actionable components, we move toward meaningful change that isn’t a one-size-fits-all generalization.
If you use this outline and find it useful, I’d love to hear your results. This is a living document for me, so I’m also glad to incorporate other questions you find useful in facilitating your own discussion on this topic.