One chapter into the book Network Attacks and Exploitation: A Framework by Matthew Monte and I'd ordered a second copy to give to a friend. Three chapters in, and I thought it should be required reading for every reporter who covers an infosec story. Now that I've finished it, I think it should be read by just about everyone who comes near infosec for professional reasons, regardless of expertise and experience.
But I'm also the kind of infosec crime junkie who considered the book's page one disclaimer to be an invitation to intrigue: "This does not constitute an official release of CIA information."
Network Attacks and Exploitation describes how attacks work (or don't) and why defense is a continual failure, and spells out exactly what can be done to tip the balance. The book lays out specific plans for making tactical decisions in the heat of the moment, managing to give readers a manual of concrete strategies atop the constantly shifting sands of computer security.
The book also cuts through the BS to nail down defensive priorities so readers can develop (or organize) an individuated, strategic tradecraft of their own.
The beginning sections of Network Attacks are wonderfully straightforward explanations of exploitation, attacks, defense, and the things that keep both sides from total success (including the problem of having humans in the mix).
Journalists and digital activists will especially gain from reading the book's sections about bulk data collection (whether through surveillance or theft) for the purposes of spying (intelligence) -- be the spies official or clandestine. The book clearly explains how Directed and Strategic data collection works, what happens once mass data collection is underway, and carefully parses out why it's extremely difficult to use this data effectively.
Some readers will dislike that Monte doesn't pick sides: It's a gold mine for defensive strategy, yet the book gives equal time and insight into how attackers can improve their strategies. I found it refreshing and extremely informative. Its apolitical approach allows readers to see how all the moving parts of attack and defense work; to this end, the book's overarching aim is to stop the reader from thinking about security as focused on any specific event, such as an attack that steals data.
Instead, the focus is on analyzing the specific elements of attack and defense and understanding what attackers must do in order to be successful -- all of which forms a framework of methodology and strategy for attack or defense.
This book is the one you should hand to your organization's decision makers. If they read it, you won't need to explain basic attack and defense concepts, paving the way to smoother, faster solutions -- and better purchasing decisions.
For instance, in Chapter 4's section "False Asymmetries" the book dissects two of the biggest pain points in modern defense: Cost and attribution.
"People constantly cite cost and attribution as the great asymmetries in cyberspace," Monte wisely points out, "but these are strategically irrelevant."
Various sources put defender spending on IT-related security at 50 to 70 billion dollars a year, a figure that surpasses what each country in the world, excluding the top 5, spends on their armed forces. And yet the defense still fails, rather spectacularly. ... The supposed asymmetry of cost is actually just a lack of defensive coordination.
... What does full attribution change? Nation states maintain their innocence with an ever-weakening shield of plausible deniability as mountains of evidence pile up against them. ... But do not expect blame to slow down espionage.
In attack and defense, a lot of our attention gets spent -- or wasted -- poring over the deficiencies of the defender, and the advantages of the attacker.
Rather than get stuck in this mindset like everyone else, Network Attacks looks at the uneven relationship in terms of the constant advantages and disadvantages of both sides (especially the disadvantages of attackers) to show the points where attackers are reliably weak and defenders can build strength.
The chapter "Attacker Frictions" lays out attacker weaknesses, which include updates, buggy attacker software, and the presence of multiple attackers.
For instance, if a network has been owned, it has probably been owned by several attackers at the same time, and they'll screw each other up or get everyone caught thanks to conflicting operational security practices.
"Defender Frictions" catalogs the things that put defense at a disadvantage, like flawed and buggy software, and notes that (like buggy software) the security community itself is often a pain point for both defenders and attackers.
The last half of the book goes deep into offensive and defensive strategies, pulling apart key case studies in language that appeals to infosec professionals while making easily understood, relevant real-world analogies.
Offensive Strategies (Chapter 7) is packed with concrete advice on leveraging innovation, operational security, minimizing exposure, program security, cost, and much more, with sections on how to measure each of these areas. Monte also provides specific questions in bulleted format to directly guide readers through tactical decisions -- developing a clear, flexible strategy for attackers.
The opening of Defensive Strategies (Chapter 8) tells us, "The central reason for continual defeat is the widespread lack of acknowledgement that the attacker has a strategy. ... The oversight manifests in the continued acceptance, deployment, and redeployment of inherently insecure technologies."
In other words, organizations are doing Hail Marys with anti-virus software when instead they should be looking at what it is they have that's worth stealing, and prioritize applying risk management to the important things that attackers will strategize to get. Monte explains specifically how to do this too, including how to make your cloud security an effective problem for the attacker's strategy.
Network Attacks and Exploitation: A Framework is a practical guide to attack and defense; it calmly and clearly guides the reader through cultivating advanced, resilient strategies in an era when snake oil and abstract ideas rule the day. If attack, defense, strategy, or just having the upper hand are your bailiwick, you might devour this book as I did, almost like a guilty pleasure.
- Author has deep experience in corporate and government vuln and security ops
- Technical info for pros, framed in real-world analogies everyone can understand
- Establishes a framework readers can individuate for tailored strategies
- Productively explains how popular approaches fail in fixing overall problems
- Explains how to improve (and account for) weaknesses in the human chain
- Teaches effective defensive strategies alongside robust offensive strategies
- Valuable insight into how what's affordable for attackers dictates attacks
- Insight into unexpected areas, such as bulk data collection
- Dismissive of popular conventional wisdom that a breach is inevitable
- Some readers will dislike apolitical stance
- Dad humor
Who should read it: Attackers, defenders, indie hackers, enterprise security decision makers, infosec journalists, infosec attorneys, anyone trying to protect a network or intellectual property, strategy nerds, operational security obsessives.