Left and Right of Boom

Copyright @malcomvetter — please use with attribution.

Left of Boom

An established penetration tester probably considers some events “left of boom,” but most notably leaves out “threat intelligence collection” and possibly doesn’t distinguish between “security engineering, vulnerability discovery and remediation” from an “automated prevention control.” A penetration tester who sent a malformed message to a system but didn’t receive code execution likely cannot determine if the root cause was the application layer code’s resilience to the attack or an automated prevention control immediately countering the attack.

Right of Boom

In general, the shorter the distance “right of boom” to “containment and eradication” the less opportunity for the attacker to cause maximum impact and achieve objectives, but this isn’t always the case (as we’ll see below in the “speed” section). For some really large impact and high visibility breaches, the timeline between boom and eradication is moot, because detection happened long after the adversary reached their objective. Contrast this to security incidents the public never learns about, because the defenders are equipped and ready to detect, contain, and eradicate their adversary with a very short length of time “right of boom.” No objective was achieved. Did an infiltration happen? Probably, yes. But without the adversary achieving an objective, there is no impact to the victim, other than the expense of detection and response.

Adversarial Decision Making

From an adversarial tradecraft perspective, applying the concept of “left of boom” and “right of boom” can assist the adversary (real or pretend, e.g. red team) to decide on a course of action. Suppose an adversary has Tactic A and Tactic B to choose between. If the adversary can predict that Tactic A will be detected “left of boom” (during the attempt before anything useful is gained by the adversary) and Tactic B will be detected “right of boom” (after the tactic is used to gain an improved position towards an objective), then the adversary can clearly choose Tactic B.

Speed

Another consideration is speed itself. If an adversary can hypothesize that a collection of tactics can enable the adversary to achieve an objective faster than a defender can detect and respond, then that adversary is very much thinking in terms of “right of boom.” Boom, again, is the first contact in the set of tactics used on the target, and the remaining tactics within the set happen “right of boom” but prior to containment and eradication. Typically, speed and stealth are mutually exclusive, but sometimes, going fast is worth the loss of stealth.

Improve Your Capability

Whether you are an attacker or defender, thinking in terms of timelines “left” or “right” of “boom” will improve your capability, as well as your ability to reason about your opponent’s capability and intent.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store