While I was having a beer with Ed Skoudis at Defcon 16, he shared an interesting idea he has been kicking around, something like “Exploit for the sake of exploiting, the bad guys do it, why can’t we… with permission of course.”
After the Defcon blur wore off, I followed up with him via email and asked him if he could elaborate on that conversation. Here’s what he said:
“Well, let me start by analogy… The people who make the best guns are not usually the people who are best at making bullet-proof vests. Likewise, swordsmiths are familiar with armour so they can craft their wares to slice through it, but might not be able to actually manufacture or even design armor. Trying to maintain a career where you are the best of the best attacker and the best of the best defender is likely impossible…. at least for most of us mere mortals. Thus, you may be able to be a better attacker by focusing most of your attention to the attack and somewhat less to the defense. That way, you can be more lethal, mimicking the abilities of the more skilled bad guys, at least as compared to trying to maintain a 50/50 or even 30/70 balance between attack and defend like most infosec pros do.
So, by having some people spend more time on the offense, even though they are not evil, we might get a better understanding of our risks from it, from an overall industry perspective.
That’s the idea.”
With that being said, I would really like to know why we pen testers always get pulled in when some box needs to be locked down. I guess it’s up to us to change the culture, eh?