This is a simple concept that at first blush may just seem common sense, but it is a powerful mental tool to approach security conflicts from both the offensive and defensive perspective. Some vernaculars swap the word “boom” for “bang” but the meaning is the same.

This concept is based on military doctrine and can be found in recent popular-culture books, but it very much applies to Information Security. Here are a couple of recent books if you enjoy this topic:

At its core, “boom” or “bang” is an unwanted, bad event for the defender — the initial contact from the offender. “Left of boom” is the set of events that occur in the timeline before the boom and “right of boom” is the set of events that follows. Very simple.

However, when the events are considered in this context, we can reason about what a defender can know ahead of time to both prevent and predict when “boom” will happen. This also gives us a vocabulary for describing the sequence of detection and response events that follow the creation of the incident, as pictured below:

[Figure: the “left of boom” / “right of boom” timeline of detection and response events. Copyright @malcomvetter — please use with attribution.]

To a novice defender in Information Security, the entire concept of this timeline may not exist in their mental schema at all. Our field, after all, has so many moving parts and so much complexity that a set of security controls is likely to be viewed by the novice defender as binary: the controls either work or they don’t.

Left of Boom

It’s actually worth a tangent here. I contend there is no such thing as a prevention control, really. Every security control is really a detection control, some controls just have predetermined and automated response mechanisms which appear to prevent bad things from happening. A web application that prevents XSS or other injection attacks is really just good at detecting invalid inputs and responds by discarding the content before it can be injected. A firewall rule designed to block a port is simply detecting unwanted traffic by its protocol and port number and responding by dropping or resetting the connection request. This distinction is not just a nitpick — it ties in well with the “right of boom” concept. The “prevention” control detects “boom” and immediately responds by mitigating the impact from the “boom.” There are really two events in the timeline, but they are so close together they are practically indistinguishable until you put them under the proverbial microscope. This is obviously why security professionals have been enamored with prevention controls — they work quickly to correct bad things before an objective is achieved, so the impact is mitigated.

Right of Boom

A great example of this, which happens virtually everywhere daily, is “commodity malware.” We know that these malware families are designed for wholesale attempts to gain access to anything, with little discrimination between victims. Just as defenders have a “right of boom,” so do the adversaries in this instance, since there is a period of time before the commodity malware infections are triaged and second stages are deployed. As an industry, we’ve learned that many of these infections result in access being sold by the initial adversary to a secondary adversary post-triage. If the defender’s “right of boom” can be shorter than the adversary’s, then the commodity malware can be contained and eradicated before escalation and hand-off to an “interactive” adversary attempting to position closer to the objective.

Additionally, some of the best defenders are shortening the timeframe “right of boom” by collecting intelligence “left of boom” on the key adversaries within their threat model. These defenders may scan infrastructure providers known to host attack infrastructure, observing indicators of fresh malicious infrastructure days or even weeks before attacks deploy payloads with it. There’s a whole art and science to this practice that is beyond the scope of this article, but the result is that defenders can shorten “right of boom” up to the point of making “boom” and “eradication” appear to be one event (i.e. prevention).
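To make the two ideas above concrete, the “prevention is just detection plus an automated response” tangent and the commodity-malware race, here is a small added model of the timeline (my example, not code from the original post). Event names, actors and all timestamps are constructed for illustration; the only rule it encodes is the post’s: the defender wins when its boom-to-eradication span is shorter than the adversary’s boom-to-hand-off span, and a control “looks like prevention” when that span is too short to see.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    when: datetime
    name: str            # "boom", "detect", "contain", "eradicate", "handoff", ...
    actor: str = ""      # "defender" or "adversary"; "boom" belongs to both sides

def boom_time(events) -> datetime:
    """The bad event itself: the earliest 'boom' on the timeline."""
    return min(e.when for e in events if e.name == "boom")

def right_of_boom(events, actor, milestone):
    """Elapsed time from boom to `actor`'s first `milestone` (None if it never happens)."""
    hits = [e.when for e in events if e.actor == actor and e.name == milestone]
    return min(hits) - boom_time(events) if hits else None

def defender_wins(events) -> bool:
    """Commodity-malware race: defender wins if boom->eradicate beats boom->handoff."""
    d = right_of_boom(events, "defender", "eradicate")
    a = right_of_boom(events, "adversary", "handoff")
    if d is None:
        return False             # never eradicated: the access stays sellable
    return a is None or d < a    # eradicated before any hand-off took place

def looks_like_prevention(events, tolerance=timedelta(seconds=1)) -> bool:
    """'Prevention' = detection + automated response with a right-of-boom span too short to notice."""
    span = right_of_boom(events, "defender", "eradicate")
    return span is not None and span <= tolerance

T0 = datetime(2020, 1, 1, 9, 0, 0)   # constructed reference time; these timelines are not real incidents
COMMODITY_INFECTION = [              # triaged and eradicated before the adversary's hand-off
    Event(T0, "boom"),
    Event(T0 + timedelta(minutes=5), "detect", "defender"),
    Event(T0 + timedelta(hours=2), "contain", "defender"),
    Event(T0 + timedelta(hours=6), "eradicate", "defender"),
    Event(T0 + timedelta(days=2), "handoff", "adversary"),
]
SLOW_RESPONSE = [                    # same adversary, but the defender eradicates too late
    Event(T0, "boom"),
    Event(T0 + timedelta(days=1), "detect", "defender"),
    Event(T0 + timedelta(days=2), "handoff", "adversary"),
    Event(T0 + timedelta(days=3), "eradicate", "defender"),
]
BLOCKED_PORT = [                     # firewall rule: detect and drop in practically the same instant
    Event(T0, "boom"),
    Event(T0, "detect", "defender"),
    Event(T0 + timedelta(milliseconds=2), "eradicate", "defender"),
]
```

Feeding real incident timestamps into `right_of_boom` gives a defender a single number to shrink release over release; the BLOCKED_PORT case shows why a “prevention” control is just that number driven toward zero.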

Adversarial Decision Making

To take this further, if the adversary believes both Tactic A and Tactic B will be identified “right of boom,” but expects Tactic B to be identified significantly later in the timeline (e.g. due to the amount of time it takes to inform a human responder of the event’s significance within a larger context of events), then the adversary can clearly choose Tactic B over Tactic A.

This type of reasoning is another example of why the best adversaries consider both their objectives and the defender’s likely next moves. Determining which tactic has a longer timeline “right of boom” takes either prior knowledge as a defender, to build in empathy for and appreciation of a typical defender’s process, or repeated hypotheses and testing during live compromises, where each variable used to test a hypothesis can potentially burn the adversary’s entire attack infrastructure and all success up to that position.

Speed

However, if the adversary’s mission is not a single objective, but rather a sustained set of repeated attacks to achieve multiple objectives, then speed as a means of being faster “right of boom” than the defender may be a worthwhile strategy. The defender can use the first successful objective as a “left of boom” input into future adversary contact by collecting indicators of compromise (IOCs) and tactics (TTPs), and by self-reflecting to remediate vulnerabilities and introduce new detection controls that make any future runs much, much more difficult without significant variation in adversary tactics.

Improve Your Capability

Written by

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
