@jaredhaight
Created August 22, 2021 20:49
Why I took down Faction

Most OST development is focused on novel tricks, or the latest attack vector, a constant escalation of capabilities. Developing a novel technique is done in a vacuum, and if the developer does spend any time researching and documenting detection around a technique, expanding the detection to a network of more than 100 endpoints is typically a non-trivial task.

Developing mature detection and response capabilities in an organization is a monumental effort. It's not a big surprise that most organizations struggle to catch "boring" attacker techniques (creating scheduled tasks, adding local users to computers, modifying groups, etc.), and while these organizations struggle to keep up, the barrier to entry on being an "advanced" attacker gets lower and lower as new tools and techniques come out.

It's easy to take the approach that these organizations that are struggling with infosec get what's coming to them. "Well, maybe they should take infosec seriously if they don't want to get hacked" or "The attacker could have just as easily used tool X instead of this tool that I wrote." This line of thought doesn't sit right with me; it is a step removed from saying that some place "deserved" to get hacked. No organization deserves to be hacked, same as no person deserves to have their purse snatched. Victim blaming is short-sighted and doesn't help anyone.

So if most organizations can't effectively detect boring or common attacker techniques, what value are we providing by making it easier to do this advanced stuff? To develop tooling that is focused on being undetectable and highly impactful? That's not to say that there is no value in OSTs; they help to test security postures, they help to challenge assumptions in detection. I think that the number of organizations that are able to get that value out of OSTs is very small, though. The majority of the value in these releases is for people who don't have (or don't want to invest) the resources to develop a given technique or tool. Sometimes this is small pentest shops or infosec departments; sometimes this is some script kiddie who wants to ransomware a hospital.

I can't control how the tooling I develop is used. I can't control if it's used as part of a pentest against a Fortune 500 or as a way to hack a small regional bank in some city. I can, however, decide what I contribute to the world, and I've decided that I don't want to contribute to projects that are designed for attacking.

Ultimately, this is why I decided to take down Faction. I did the math on how many people could be helped by Faction and how many people could be hurt by Faction and decided that I didn't like the numbers. I'd encourage people developing OSTs to do a similar analysis: your project will be used maliciously, so what are you OK with? I don't fault anyone for coming to a different conclusion than I did, but it's absolutely something that any offensive tooling developer should give serious thought to.
