Left of Boom

Dec. 30, 2022
At its core, “boom” is an unwanted, bad event for the defender — the initial contact from the offender. “Left of boom” is the set of events that occur in the timeline before the boom and “right of boom” is the set of events that follows. If we applied this to the cyber domain, Left of Boom would refer to those proactive initiatives and actions that are designed to prevent/preempt (or minimize risk associated with) an adverse cyber event.

Left of Boom

1. Prologue
   • Attacker modifies volumetric 3D (CT, MRI) scans to add and remove evidence of pathology such as cancer
   • Technique based on AI (Deep Learning), specifically Conditional-GAN (convolutional neural networks)
   • Uses a deep learning technique called Generative Adversarial Network (GAN) to alter (add or remove tumors in/from) CT scan images, resulting in serious consequences
   • Consequences include falsifying research evidence, impact on duty of care, TERRORISM, ASSASSINATION, AND EVEN MURDER
   • Countermeasures are available, although seldom implemented or implemented effectively
2. Left of Boom: Racing against an Adversary
   Sachin Deodhar, Arnab Chattopadhay
3. “Left of Boom” is a common military phrase used to describe the timeline of events before an explosion or incident – a period when you still have a chance to prepare and avert a crisis. The phrase "left of boom" is a military idiom that refers to the U.S. military's effort to disrupt insurgent cells before they can build and plant bombs.
4. Left of Boom in the context of Cyber
   At its core, “boom” is an unwanted, bad event for the defender — the initial contact from the offender. “Left of boom” is the set of events that occur in the timeline before the boom and “right of boom” is the set of events that follows. If we applied this to the cyber domain, Left of Boom would refer to those proactive initiatives and actions that are designed to prevent/preempt (or minimize risk associated with) an adverse cyber event.
5. Left of Boom: Live in the past to protect the future
   In the Intelligence Community there is a common saying: "Future is our Business". In other words, if we are discussing historical events, we have lost the game. The Left of Boom paradigm lets us reason about what a defender can know ahead of time to both prevent and predict when “boom” will happen. This also creates semantics to describe the sequence of detection and response events following the creation of the incident.
6. Left of Boom: A Defender’s Perspective
   Organizations have traditionally implemented many security controls that fall into this category. Novel initiatives are being embraced, however, that also fall squarely into this category (traditional → novel):
   • Nothing (?) → Network Threat Analytics (NTA)
   • NGAV → EDR
   • Atomic CTI → Behavioral CTI
   • Forensics → Incident Response → Threat Hunting/Detection Engineering
   • Penetration Testing → Adversary Emulation, ASM, Full Spectrum Red Team Operations
   • Passive Defense → Active Defense
7. Left of Boom from an Adversary Perspective
   Unfortunately, adversaries have also taken a liking to this strategic paradigm. So how do adversaries use this strategy?
   • Adversarial decision making
   • Speed
   • Improvement in capabilities
   Let's see a few examples.
8. Left of Boom supports adversary decision making
   Scenario 1: Tactic A can be detected LoB; Tactic B can only be detected RoB. Which tactic will the adversary choose? Hint: later is better!
   Scenario 2: Tactic A can only be detected RoB; Tactic B can also only be detected RoB, but significantly later than Tactic A. Which tactic will the adversary choose? Hint: later (later) is even better!
   The best adversaries consider both their objectives and the defender’s likely next moves. To know which tactic has a larger timeline “right of boom” takes either:
   • Prior knowledge as a defender, to build in the empathy and appreciation of a typical defender’s process, or
   • Repeated hypotheses and testing during live compromises
9. Speed: First perspective
   An adversary will most likely choose a collection of TTPs that enables it to achieve its objective faster than a defender can detect and respond. Boom, again, is the first contact in the set of tactics used on the target, and the remaining tactics within the set happen “right of boom” (but prior to containment and eradication). Typically, speed and stealth are mutually exclusive, but sometimes going fast is worth the loss of stealth.
10. Speed: Another perspective
    If the adversary’s mission is not a single objective, but rather a sustained set of repeated attacks to achieve multiple objectives, then speed as a means of being faster “right of boom” than the defender may be a worthwhile strategy from the adversary's perspective. However, the defender can then use the first successful objective as a “left of boom” input against future adversary runs: remediate vulnerabilities and introduce new detection controls, making any future runs much, much more difficult without a high-cost imposition on the adversary.
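The reasoning in slides 8 to 10 is a race: the adversary's time to objective against the defender's time to detect and respond. The following is an added example, not code from the talk or its authors, that makes that race concrete from the defender's side. It models a chain of steps, each with an execution time and a detection latency (None for no coverage, a negative value for a detection that fires before the step starts, i.e. left of boom), shows why an adversary picks the latest-detected option (slide 8), computes for each step the detection latency that would flip the race, and re-runs the race after the defender has instrumented one step using knowledge from the first compromise (slide 10). Every step name, duration and latency is a constructed sample value, not a measurement.

```python
"""Added example: adversary time-to-objective versus defender time-to-contain.
All tactic names, durations and detection latencies are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Tactic:
    name: str
    exec_hours: float
    # Hours from the start of this step until an alert fires.
    # None  -> no detection coverage for this step.
    # < 0   -> detected before the step starts ("left of boom"), for example
    #          CTI on staging infrastructure raising an alert ahead of initial access.
    detect_latency_hours: Optional[float]


@dataclass(frozen=True)
class RaceOutcome:
    time_to_objective: float           # hours from boom until the last step completes
    first_detection: Optional[float]   # hours from boom of the earliest alert, if any
    detected_by: Optional[str]         # step whose coverage produced that alert
    time_to_contain: Optional[float]   # first_detection + response time
    defender_wins: bool                # containment strictly before the objective


def run_race(chain: Sequence[Tactic], response_hours: float) -> RaceOutcome:
    """Walk the chain in order; the earliest alert across all steps starts the response clock."""
    start = 0.0
    earliest: Optional[float] = None
    by: Optional[str] = None
    for step in chain:
        if step.detect_latency_hours is not None:
            fires_at = start + step.detect_latency_hours
            if earliest is None or fires_at < earliest:
                earliest, by = fires_at, step.name
        start += step.exec_hours
    contain = None if earliest is None else earliest + response_hours
    return RaceOutcome(start, earliest, by, contain, contain is not None and contain < start)


def latency_budget(chain: Sequence[Tactic], response_hours: float) -> Dict[str, float]:
    """For each step, the detection latency the defender must beat (strictly) for that
    step alone to win the race. A negative budget means the step can only help if it is
    caught left of boom; later steps in the chain have less budget, which is slide 8's
    'later is better' seen from the defender's side."""
    total = sum(s.exec_hours for s in chain)
    budget: Dict[str, float] = {}
    start = 0.0
    for step in chain:
        budget[step.name] = total - response_hours - start
        start += step.exec_hours
    return budget


def adversary_choice(options: Sequence[Tactic]) -> Tactic:
    """Slide 8 decision rule: prefer the option detected latest; no coverage beats any latency."""
    return max(options, key=lambda t: float("inf") if t.detect_latency_hours is None
               else t.detect_latency_hours)


def with_detection(chain: Sequence[Tactic], name: str, latency: float) -> List[Tactic]:
    """Slide 10: the defender instruments one step after learning from the first run."""
    return [Tactic(s.name, s.exec_hours, latency) if s.name == name else s for s in chain]


# Constructed baseline chain: only initial access is covered, and its alert is triaged late.
BASELINE: List[Tactic] = [
    Tactic("initial-access", 1.0, 8.0),
    Tactic("privilege-escalation", 2.0, None),
    Tactic("lateral-movement", 4.0, None),
    Tactic("collection-exfil", 3.0, None),
]

# Constructed alternatives for one step, differing only in how they are covered.
LATERAL_OPTIONS: List[Tactic] = [
    Tactic("lateral-option-well-covered", 4.0, 0.5),
    Tactic("lateral-option-slow-log-review", 4.0, 6.0),
    Tactic("lateral-option-uncovered", 4.0, None),
]

RESPONSE_HOURS = 4.0


if __name__ == "__main__":
    before = run_race(BASELINE, RESPONSE_HOURS)
    print("baseline:", before)
    print("latency budget per step:", latency_budget(BASELINE, RESPONSE_HOURS))
    print("adversary picks:", adversary_choice(LATERAL_OPTIONS).name)
    after = run_race(with_detection(BASELINE, "lateral-movement", 0.5), RESPONSE_HOURS)
    print("after instrumenting lateral movement:", after)
```

With these sample values the baseline alert fires at hour 8 and containment lands at hour 12, after the 10-hour objective, so the adversary wins. The budget table shows the defender needs a lateral-movement detection under 3 hours, or an exfiltration detection that fires before that step even starts; adding a 0.5-hour lateral-movement detection moves containment to hour 7.5 and flips the race.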
11. Attacker Empathy & Active Defense
    Whether one is an attacker or defender, thinking in terms of timelines “left” or “right” of “boom” will improve capability, as well as the ability to reason about an opponent’s capability and intent. We call this ability “attacker empathy”. Attacker empathy is an integral component of the Active Defense strategy.
12. In summary
    • While the term Left of Boom has its roots in the world of kinetic conventional warfare, it finds a place in asymmetric warfare and cyber defense as well
    • Left of Boom nicely defines the semantics of the various proactive strategies to defend against advanced threats
    • It is important to note that adversaries will and do use the exact same paradigm to determine their own strategies and make their decisions when engaged in a cyber conflict or attack
    • It is therefore key to exercise attacker empathy in general, in the spirit of “Active Defense”

