Left and Right of Boom

Tim MalcomVetter
6 min readOct 8, 2019

--

This is a simple concept that at first blush may just seem common sense, but it is a powerful mental tool to approach security conflicts from both the offensive and defensive perspective. Some vernaculars swap the word “boom” for “bang” but the meaning is the same.

This concept is based upon military doctrine and can be found in recent popular culture books, but this very much has an application to Information Security. Here are a couple recent books if you enjoy this topic:

At its core, “boom” or “bang” is an unwanted, bad event for the defender — the initial contact from the offender. “Left of boom” is the set of events that occur in the timeline before the boom and “right of boom” is the set of events that follows. Very simple.

However, when the events are considered in this context, we can reason about what a defender can know ahead of time to both prevent and predict when “boom” will happen. This also creates semantics to describe the sequence of detection and response events following the creation of the incident, as pictured below:

Copyright @malcomvetter — please use with attribution.

To a novice defender in Information Security, the entire concept of this timeline may not even exist in mental schema at all. Our field, after all, has so many moving parts and complexity that a set of security controls is likely viewed by the novice defender to be binary: the controls either work or they don’t.

Left of Boom

An established penetration tester probably considers some events “left of boom,” but most notably leaves out “threat intelligence collection” and possibly doesn’t distinguish between “security engineering, vulnerability discovery and remediation” from an “automated prevention control.” A penetration tester who sent a malformed message to a system but didn’t receive code execution likely cannot determine if the root cause was the application layer code’s resilience to the attack or an automated prevention control immediately countering the attack.

It’s actually worth a tangent here. I contend there is no such thing as a prevention control, really. Every security control is really a detection control, some controls just have predetermined and automated response mechanisms which appear to prevent bad things from happening. A web application that prevents XSS or other injection attacks is really just good at detecting invalid inputs and responds by discarding the content before it can be injected. A firewall rule designed to block a port is simply detecting unwanted traffic by its protocol and port number and responding by dropping or resetting the connection request. This distinction is not just a nitpick — it ties in well with the “right of boom” concept. The “prevention” control detects “boom” and immediately responds by mitigating the impact from the “boom.” There are really two events in the timeline, but they are so close together they are practically indistinguishable until you put them under the proverbial microscope. This is obviously why security professionals have been enamored with prevention controls — they work quickly to correct bad things before an objective is achieved, so the impact is mitigated.

Right of Boom

In general, the shorter the distance “right of boom” to “containment and eradication” the less opportunity for the attacker to cause maximum impact and achieve objectives, but this isn’t always the case (as we’ll see below in the “speed” section). For some really large impact and high visibility breaches, the timeline between boom and eradication is moot, because detection happened long after the adversary reached their objective. Contrast this to security incidents the public never learns about, because the defenders are equipped and ready to detect, contain, and eradicate their adversary with a very short length of time “right of boom.” No objective was achieved. Did an infiltration happen? Probably, yes. But without the adversary achieving an objective, there is no impact to the victim, other than the expense of detection and response.

A great example of this which happens virtually everywhere daily is “commodity malware.” We can learn that these malware families are designed for wholesale attempts to access anything without much victim discretion. Just like defenders have a “right of boom” so do the adversaries in this instance, since there is a period of time before the commodity malware infections are triaged and second stages are deployed. As an industry, we’ve learned that many of these infections result in access sold by the initial adversary to a secondary adversary post-triage. If the defender’s “right of boom” can be shorter than the adversary’s, then the commodity malware can be contained and eradicated before escalation and hand-off to an “interactive” adversary attempting to position closer to the objective.

Additionally, some of the best defenders are shortening the timeframe “right of boom” by collecting intelligence “left of boom” on the key adversaries within their threat model. These defenders may scan infrastructure providers known to host attack infrastructure, observing indicators of fresh malicious infrastructure days or even weeks before attacks deploy payloads with it. There’s a whole art and science to this practice that is beyond the scope of this article, but the result is that defenders can shorten “right of boom” up to the point of making “boom” and “eradication” appear to be one event (i.e. prevention).

Adversarial Decision Making

From an adversarial tradecraft perspective, applying the concept of “left of boom” and “right of boom” can assist the adversary (real or pretend, e.g. red team) to decide on a course of action. Suppose an adversary has Tactic A and Tactic B to choose between. If the adversary can predict that Tactic A will be detected “left of boom” (during the attempt before anything useful is gained by the adversary) and Tactic B will be detected “right of boom” (after the tactic is used to gain an improved position towards an objective), then the adversary can clearly choose Tactic B.

To take this further, if the adversary believes both Tactic A and Tactic B to be identified “right of boom,” but Tactic B significantly later in the timeline (e.g. due to the amount of time it takes to inform a human responder of the event’s significance within a larger context of events), then the adversary can clearly choose Tactic B over Tactic A.

This type of reasoning is another example why the best adversaries are considering both their objectives and the defender’s likely next moves. Determining which tactic has a larger timeline “right of boom” takes either prior knowledge as a defender to build in the empathy and appreciation of a typical defender’s process, or it takes repeated hypotheses and testing during live compromises, with each potential variable used to test a hypothesis potentially burning the adversary’s entire attack infrastructure and success up to that position.

Speed

Another consideration is speed itself. If an adversary can hypothesize that a collection of tactics can enable the adversary to achieve an objective faster than a defender can detect and respond, then that adversary is very much thinking in terms of “right of boom.” Boom, again, is the first contact in the set of tactics used on the target, and the remaining tactics within the set happen “right of boom” but prior to containment and eradication. Typically, speed and stealth are mutually exclusive, but sometimes, going fast is worth the loss of stealth.

However, if the adversary’s mission is not a single objective, but rather a sustained set of repeated attacks to achieve multiple objectives, then speed as a means of being faster “right of boom” than the defender may be a worthwhile strategy. The defender can use the first successful objective as a “left of boom” input into future adversary contact by collecting indicators of compromise (IOCs), tactics (TTPs), and self-reflection to remediate vulnerabilities and introduce new detection controls making any future runs much, much more difficult without significant variation of adversary tactics.

Improve Your Capability

Whether you are an attacker or defender, thinking in terms of timelines “left” or “right” of “boom” will improve your capability, as well as your ability to reason about your opponent’s capability and intent.

--

--