Vault 7 - Why Professional Attackers Are Not Good Defenders
We reported on the Vault 7 leaks in early 2017. To summarize, Wikileaks published a large trove of hacking tools and related information apparently belonging to the CIA. Investigations showed that the leak itself likely took place in 2016. Our conclusion at the time was that...
“The geopolitical implications of the leak remain to be seen but at the time of writing we see no indicators for a major fallout.”
This assessment has held up well over the years. Outside of the information security community, few remember the term Vault 7 at all. At least, that was the case until this week when an internal investigation by the CIA into the breach was concluded. A copy of the report has been provided to the Washington Post which has published a comprehensive writeup.
What’s in the report?
The report outlines a surprisingly lax security infrastructure employed by the CIA team working on offensive capabilities. A former intelligence official quoted by the Post states that “those employees are under constant pressure to find vulnerabilities in commercial software and other technology”. Anyone working in a corporate or government environment knows that protection and compliance measures have a tendency to slow down workflows. The higher the pressure, the laxer security measures tend to become.
But still, this lack of protective measures among highly skilled information security specialists is surely shocking. Or is it?
Why attackers are not good defenders
In truth, these findings will be unsurprising to most people working in information security. There are many different factors in play, but the basic takeaway is that people with exceptional skills when it comes to attacking are usually not good at defending themselves or their systems.
For one, there is a pervasive feeling of “it can’t happen to us” in many such groups. When you are literally among the best of the best worldwide in terms of skill and capabilities, it is easy to feel like nothing can touch you. This is especially true when working in teams. Of course, it is precisely this high level of skill that makes these teams attractive targets to third-party attackers.
For another, offensive security requires very specialized minds and skills. The development of binary exploits is a skill that only a few people perfect, even within the information security community. It requires an exceptional ability for abstract thinking and problem-solving. Unfortunately, those with highly developed skills in these fields are often not too good at mundane and administrative tasks. But mundane administrative tasks are what keep systems secure. In short, the skillsets applied to offensive and defensive security don’t naturally overlap.
Lastly, it can be exceptionally difficult to impose security measures on people whose job it is to break security measures. At the time of writing, nothing in the report indicates that security measures imposed by the CIA were circumvented by team members. However, this is a pattern that we keep seeing in our interactions with large organizations. When restricting the access or workflow of a data-entry worker, you can be reasonably confident that these restrictions will stay in place. When trying the same restrictions with an offensive security specialist, you will often discover that the restrictions were bypassed within minutes, mostly because your staff member found them “annoying”.
The investigation into the CIA’s Vault 7 breach revealed that the team working on offensive security tools had extremely lax defensive security measures in place. Since the skillsets required for attack and defense do not overlap, this is not as unusual as it appears.
We expect many similar leaks and breaches to happen in the future, as state actors struggle to find a balance between creating work environments that can attract top talent and keeping their systems secure.