Redefining Defense

By Saumil Shah on 13 Apr 2017 @ Hitbsecconf
#blueteam #security-strategy #incident-management #threat-modeling #malware-detection
Focus Areas: ⚖️ Governance, Risk & Compliance, 🛡️ Security Operations & Defense, 🚨 Incident Response, 🦠 Malware Analysis, 🏗️ Security Architecture

Abstract

"Today's attacks succeed because the defense is reactive." I have been researching attacks and offensive techniques for the past 16 years. As the defenses kept catching up and closing open doors, we attackers looked for new avenues and vectors. Looking back on the state of defenses from my days of One-Way Web Hacking in 2001 to Stegosploit in 2016, a common pattern emerges: defense boils down to reacting to new attacks and then playing catch-up.

It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing a proactive defense strategy and measures for the future, concluding with a blueprint for the next evolution of proactive defense architecture.

AI Generated Summary

The talk critiques the historical shift in cybersecurity from innovative, ground-up hacking toward industrialized, compliance-driven defense. It argues that reactive measures—such as exploit mitigations and signature-based tools—consistently fail because they address symptoms, not root causes, and are easily bypassed by attackers exploiting inherent complexity, termed “Nakatomi space” (gaps in complex systems). A key example is Rowhammer, a hardware-based attack that defies traditional software defenses.

The speaker proposes redefining security around proactive, intelligence-driven defense. Central to this is establishing a well-engineered security data warehouse to collect and analyze internal telemetry (e.g., using tools like osquery) rather than relying on external threat feeds. Defense must be separated from compliance: the CISO role should focus solely on defending against attackers, while a distinct chief compliance officer handles audit requirements. User behavior should be managed via a maturity curve, segmenting users into groups (hopeless, uninformed, proactive, rockstars) and targeting guidance only at the uninformed to shift the overall curve.

Practical techniques include deploying creative, active defenses like canaries and honey tokens to detect intrusions early. Metrics are essential for measuring effectiveness and justifying security investments to leadership. The core implication is that organizations must accept persistent vulnerability, shift resources from compliance to internal intelligence and proactive detection, and empower blue teams with organic tools and data to outthink attackers.
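The summary names canaries and honey tokens as the concrete early-detection measure, and the reason they work is worth seeing in code: a planted credential that no legitimate process ever uses turns any appearance of it into a near-zero-false-positive alert, and making each token unique to its decoy location tells the defender which decoy the intruder reached. The following is an added example written for this page, not code from the talk or its author; the `HoneyTokenMonitor` class, the `mint_token` helper, the decoy location labels and the log lines are all constructed here for illustration.

```python
import re
import secrets
from dataclasses import dataclass

# Added example, not from the talk: a minimal honey-token registry plus a log
# monitor that treats any sighting of a registered token as an intrusion signal.


@dataclass(frozen=True)
class HoneyToken:
    token: str        # the fake credential string that was planted
    planted_at: str   # hypothetical label for where the decoy lives


def mint_token(planted_at: str, prefix: str = "svc") -> HoneyToken:
    """Mint a plausible-looking, random, never-valid credential for one decoy location."""
    return HoneyToken(token=f"{prefix}_{secrets.token_hex(8)}", planted_at=planted_at)


class HoneyTokenMonitor:
    """Watches log lines for any appearance of a registered honey token."""

    def __init__(self) -> None:
        self._tokens: dict[str, HoneyToken] = {}
        self._pattern = None

    def register(self, tok: HoneyToken) -> None:
        self._tokens[tok.token] = tok
        # Whole-token match only, so a token cannot fire on a longer, unrelated identifier.
        alts = "|".join(re.escape(t) for t in self._tokens)
        self._pattern = re.compile(rf"(?<![A-Za-z0-9_])({alts})(?![A-Za-z0-9_])")

    def scan(self, lines):
        """Return one alert dict per log line that contains a registered token."""
        alerts = []
        if self._pattern is None:
            return alerts
        for line in lines:
            m = self._pattern.search(line)
            if m:
                tok = self._tokens[m.group(1)]
                alerts.append({
                    "planted_at": tok.planted_at,
                    "token": tok.token,
                    "evidence": line.strip(),
                })
        return alerts


# Constructed sample telemetry (not real logs): an SSH auth log and a proxy log.
SAMPLE_LOGS = [
    "2017-04-13T10:01:02Z auth sshd: Accepted password for alice from 10.0.0.5",
    "2017-04-13T10:02:17Z auth sshd: Failed password for svc_backup_7f3a from 10.0.0.9",
    "2017-04-13T10:03:40Z proxy GET https://api.example.internal/v1/keys?key=api_deadbeef01234567 403",
    "2017-04-13T10:04:01Z auth sshd: Accepted password for svc_backup_7f3a_old from 10.0.0.9",
]


def demo_alerts():
    """Register two decoys with fixed tokens (so the result is reproducible) and scan the sample logs."""
    mon = HoneyTokenMonitor()
    mon.register(HoneyToken("svc_backup_7f3a", "fileserver01:/share/ops/backup.conf (decoy)"))
    mon.register(HoneyToken("api_deadbeef01234567", "wiki page 'API onboarding' (decoy)"))
    return mon.scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"HONEYTOKEN HIT planted_at={a['planted_at']!r} evidence={a['evidence']!r}")
```

Running the block fires two alerts: the SSH attempt with the decoy service account (pointing back at the file-server decoy) and the proxy request carrying the decoy API key (pointing at the wiki decoy). The fourth line does not fire because the monitor matches whole tokens only; a real `svc_backup_7f3a_old` account would otherwise produce a false alarm. In practice the tokens would be minted with `mint_token` and the scan would run inside the security data warehouse the talk describes, over the telemetry it already collects.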

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.