Left of Boom
Detect and Stop Attack Before the Boom !!
Prologue
• Attacker gets access to CT and MRI scan images and modifies them to add or remove evidence of pathology such as cancer
• Adversary attacks an API exposed to the internet in a UAT environment to retrieve access credentials and gain access to sensitive data
• Adversary discovers a forgotten database open to the internet and steals sensitive information
• Ransomware group gets admin access through a vulnerable sensitive service, moves laterally and encrypts important data, leading to system shutdown
• Adversary finds an openly accessible admin panel, uses the default admin password to gain access to an edge device, and pivots from it to perform lateral movement inside the network
• So what is common in them?
Left of Boom
Racing against an Adversary
Arnab Chattopadhayay
Co-founder, FireCompass
“Left of Boom” is a common military phrase used to describe the timeline of events before an explosion or incident – a period when you still have a chance to prepare and avert a crisis.
The phrase "left of boom" is a military idiom that refers to the U.S. military's effort to disrupt insurgent cells before they can build and plant bombs.
Left of Boom in the context of Cyber
At its core, “boom” is an unwanted, bad event for the defender — the initial contact from the offender. “Left of boom” is the set of events that occur in the timeline before the boom, and “right of boom” is the set of events that follows.
If we apply this to the cyber domain, Left of Boom refers to those proactive initiatives and actions that are designed to prevent or preempt (or minimize the risk associated with) an adverse cyber event.
Left of Boom from an Adversary Perspective
Adversaries have also taken a liking to this strategic paradigm.
So how do adversaries use this strategy?
• Adversarial decision making
• Speed
• Improvement in capabilities
Let's see a few examples
Left of Boom Influences adversary decision making
• Search for exposed Dev/UAT environment and exploit
  - Target not protected like production; late detection - bigger RoB
  - Attacker triggers the event at the perimeter to gain access
  - Small LoB, less opportunity to take action
• Search for open RDP port, exploit and get admin access
  - Misconfiguration of sensitive service; small LoB, gets admin access by compromising one protocol
  - Very little time difference between finding the open sensitive service and triggering the attack
  - Small LoB, less opportunity to take action
• Steal sensitive data by exploiting an open DB port exposed on the Internet (for a small amount of time)
  - Unknown assets left exposed; attackers continuously monitoring for opportunity and acting fast
  - Even though the exposure was for a limited time, it was an unknown exposure
  - Small LoB helped the attacker complete the attack before the defender's action
• Open SSH port on a Cloud VM allowing the attacker to scrape information
• Open Cloud Bucket exposes API keys
• Open SMB port allows access to the Windows network
Speed: First perspective
An adversary will most likely choose a collection of TTPs that enables the adversary to achieve its objective faster than a defender can detect and respond.
Boom, again, is the first contact in the set of tactics used on the target (the remaining tactics within the set happen “right of boom” but prior to containment and eradication).
Typically, speed and stealth are mutually exclusive, but sometimes going fast is worth the loss of stealth.
Speed: Another perspective
If the adversary’s mission is not a single objective, but rather a sustained set of repeated attacks to achieve multiple objectives, then speed as a means of being faster “right of boom” than the defender may be a worthwhile strategy from the adversary’s perspective.
However, the defender can then use the first successful objective as a “left of boom” input against future adversary runs: remediate vulnerabilities and introduce new detection controls, making any future runs much, much more difficult without a high-cost imposition on the adversary.
Attacker Empathy
Whether one is an attacker or defender, thinking in terms of timelines “left” or “right” of “boom” will improve capability, as well as the ability to reason about an opponent's capability and intent.
We call this ability “attacker empathy”.
In summary
• Think and Act like an attacker
• Continuous monitoring to discover new
assets and changes in existing ones
• Continuous testing - focus on Initial Access
points - stop attacker before Boom !!
• Emulate Adversaries
• Scale testing to Internet scale
• Adversaries will and do use the exact same
paradigm to determine their own strategies
• It is therefore key to exercise attacker empathy in
general in the spirit of “Active Defense”
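The summary asks for continuous monitoring of new assets and changes to existing ones, and the earlier slide ties the attacker's advantage to a small left-of-boom window on exposed sensitive services (RDP, SMB, SSH, database ports, Dev/UAT hosts). The following is an added example, not code from the deck or from FireCompass: it diffs two snapshots of an external asset inventory, rates each new exposure with the deck's criteria, and measures the left-of-boom window between first exposure and the defender's detection. The snapshots, hostnames, timestamps, port-to-service mapping and the one-hour SLA are all constructed assumptions.

```python
"""Added example (not from the slide deck): a small "left of boom" exposure
monitor. It diffs two snapshots of an Internet-facing asset inventory
(constructed sample data), flags newly exposed sensitive services of the
kinds the deck lists, and measures each exposure's left-of-boom window:
the time between first exposure and the defender noticing it, which is the
time a continuously scanning attacker has to act in.
"""
from datetime import datetime, timedelta

# Services the deck calls out as sensitive when reachable from the Internet.
# The port-to-name mapping is our own assumption.
SENSITIVE_PORTS = {
    22: "SSH",
    445: "SMB",
    3389: "RDP",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
}

# Hostname fragments (first DNS label only) we treat as "not protected like production".
NON_PROD_MARKERS = ("dev", "uat", "staging", "test")


def new_exposures(previous, current):
    """Return (host, port) pairs open in `current` but not in `previous`.

    Snapshots map hostname -> set of open ports. A brand-new host counts as
    a change just like a newly opened port on a known host.
    """
    found = []
    for host, ports in current.items():
        before = previous.get(host, set())
        for port in ports - before:
            found.append((host, port))
    return sorted(found)


def assess(host, port):
    """Rate one exposure with the deck's criteria. Returns (severity, reasons)."""
    reasons = []
    if port in SENSITIVE_PORTS:
        reasons.append(f"sensitive service {SENSITIVE_PORTS[port]} on port {port}")
    label = host.split(".")[0].lower()
    if any(marker in label for marker in NON_PROD_MARKERS):
        reasons.append("non-production host, likely not protected like production")
    if len(reasons) == 2:
        return "critical", reasons
    if port in SENSITIVE_PORTS:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "info", ["new exposure of a non-sensitive port"]


def lob_window(first_seen, detected_at):
    """Left-of-boom window: how long an exposure stood before the defender saw it."""
    return detected_at - first_seen


def report(previous, current, first_seen, detected_at, sla=timedelta(hours=1)):
    """Triage every new exposure between two snapshots, worst first."""
    window = lob_window(first_seen, detected_at)
    findings = []
    for host, port in new_exposures(previous, current):
        severity, reasons = assess(host, port)
        findings.append({
            "host": host,
            "port": port,
            "severity": severity,
            "reasons": reasons,
            "lob_hours": window.total_seconds() / 3600,
            "within_sla": window <= sla,  # did we see it before a scanning attacker likely did?
        })
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"], f["port"]))
    return findings


# Constructed sample snapshots of the Internet-facing inventory.
SNAPSHOT_T0 = {
    "www.example.test": {80, 443},
    "vpn.example.test": {443},
}
SNAPSHOT_T1 = {
    "www.example.test": {80, 443},
    "vpn.example.test": {443, 3389},       # RDP newly opened on a known host
    "api-uat.example.test": {443, 5432},   # forgotten UAT host with a database port
    "build.example.test": {22},            # new host exposing SSH
}
FIRST_SEEN = datetime(2024, 1, 1, 9, 0)    # constructed: when the scan saw the change
DETECTED_AT = datetime(2024, 1, 1, 15, 0)  # constructed: when the defender looked

if __name__ == "__main__":
    for f in report(SNAPSHOT_T0, SNAPSHOT_T1, FIRST_SEEN, DETECTED_AT):
        flag = "OK" if f["within_sla"] else "LATE"
        print(f"[{f['severity']:8}] {f['host']}:{f['port']} LoB={f['lob_hours']:.1f}h {flag}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

With the constructed data the UAT host's database port ranks first, and every finding is marked LATE because six hours passed between the exposure appearing and anyone looking at it; shrinking that window, by scanning and reviewing more often, is what "stop attacker before Boom" means in practice.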

Left of Boom-Shift Left in Security