Cybersecurity's Spooky Truth

Evan Dornbush
October 31, 2025

Happy Halloween, Everyone!

(And for those who celebrate, Happy Cybersecurity Awareness Month!)

Most people get ready for the spooky season with costume shopping and decorating. But if you want a real fright, check out the new white paper profiling the state of U.S. Offensive Cyber Operations (OCO) from Winnona DeSombre and Sergey Bratus. It is downright scary!

Even at 30 pages, it's definitely worth the read; DeSombre and Bratus are plugged in, thorough, and willing to go where others don’t dare. In a community that historically won't often even admit to conducting offensive operations, DeSombre and Bratus are not at all afraid to surface the challenges.

I don't want this post to be a summary of their paper (AI can do that). Rather, I wanted to talk about how Desired Effect came to be, as our thesis aligns with many of the paper’s observations.

Let's start with Desired Effect's origin story.

Our many-years vision is premised on the fact that mission planners are often not operationally technical and need better tooling. "Cyber" is not the mission impact; it's an avenue to achieve the mission impact.

Our idea — as input into a black box: "I would like to have {this} specific desired effect. Here is my ultimate mission plan." Based on the user's desired effect, our platform would work backwards. If the objective is a specific target, yes, we can provide you with the cyber capability to get you onto that target. But oftentimes, missions are not that simple. To deliver the capability to that target, you often need to work through several layers, and if you’re only thinking about the final step, the overall mission will be quite challenging. Further, what is often referred to as a single cyber capability is actually several subcomponents chained together.

And so the output of the black box: Here are all the components you will require, and for each component here is a list of sellers that have a solution that fulfills the objective, with pricing.

Essentially, one of our earliest visions of an end state was to build a “shopping list in a box”.

And thus our company, which focused on the customer's desired effect, was named, uh, Desired Effect Inc. Voilà! QED!

Held up against the backdrop of our vision, DeSombre and Bratus’ whitepaper is eye-opening. The authors see a world where the U.S. could be more dominant in offensive cyber operations, yet has boxed itself into a bureaucratic model that has struggled to keep up with the “speed of the internet.” At the same time, they clearly recognize the sobering reality that not everyone self-constrains the way the U.S. does, leading to asymmetry on the battlefield. They recognize that systemic changes are required for offensive cyber to continue to be successful. In particular, they note the importance of introducing a bottom-up approach, more open and flexible procurement, and accelerating the deployment of defenses. In our experience, this is exactly what is needed.

Now, when we are successful, we will address at least three of the opportunities and gaps posited in DeSombre and Bratus' paper.

Expanding Access to Exploits, Today and Tomorrow

“By contrast, multiple roundtable participants agreed that the U.S. government, without the private sector, cannot operate at the speed required to achieve bottom-up, opportunistic success at the scale necessary to achieve mission objectives. This is likely because the government is 1) slow to hear about the opportunity; 2) slow to authorize taking advantage of the opportunity (particularly due to legal and policy constraints); or 3) slow to act internally or contract out the activity”.

In order to secure something, you have to know where it’s vulnerable. DeSombre and Bratus observe that top-down strategic ops are how the U.S. has traditionally conducted OCO, with those ops originating with, “What do we want to achieve and how?” Then it flows downward to obtain the necessary accesses, and then impart the desired effect. (They define access as either tools to get from computer A to computer B, or to get from user level A to higher user level B).

The paper proposes a shift to keep up with the pace of change to both technology and target-opportunity, both of which can emerge suddenly and become obsolete quickly. Thus OCO ops could also originate with “What accesses are available?” flowing upward. Based on these accesses, now we can scope out what to do with them, and then cause your desired effect.

While DeSombre and Bratus imply the utility of adding a bottom-up approach is beneficial specifically because not all operations require zero-day accesses, I would argue that a bottom-up approach benefits tremendously when taking into account the zero-day marketplace.

I spoke about this in 2024 at BSides Las Vegas in a presentation dubbed “Confessions of a Bug Broker”. Vulnerability researchers often love to chase the newest, hottest technologies. Tesla is undoubtedly one of the largest “smart” vehicle manufacturers. But an exploit that operates against the telematics unit of a Toyota Hilux will probably fetch more money. Why? The paper argues that the U.S. historically prioritizes today’s targets over tomorrow’s. The list of known targets that operate a specific set of technologies will supersede the raw data pertaining to global adoption rates of others. The U.S. doesn’t procure because things are cool, or because one day a thing might be useful. The top-down approach says we need to solve today’s problem… now. This works if the solutions are plentiful. It’s more challenging when solutions are tough to develop. This is in part why the paper argues for a bottom-up approach. In cyber, sometimes you have to recognize that even if today you don’t have targets leveraging a popular technology, acquiring tough-to-develop solutions can arm planners with more targeting options.

At Desired Effect, we provide the operational community with a picture of the exploit landscape in real time. This can include research conducted on products that aren’t globally mass-marketed, or are indigenous to certain world regions, or that have niche use cases and audiences. There are several amazing focused and capable vulnerability research shops. But no one company has all the talent, all the answers, all the resources to prosecute all the research targets. Our global marketplace of independent researchers can draw inspiration from a variety of sources. This decentralized approach naturally lends itself to the bottom-up tactics that DeSombre and Bratus articulate. Our customers are tipped when new products enter the marketplace, and again when those products leave the marketplace. They can anonymously seed our Ignition List, providing the vulnerability research community with topics for exploration.

This not only provides access to the exploits needed to stop today’s threats, but also engages the research community in thinking about the vulnerabilities we haven’t yet considered. Adversaries are already plotting how they will strike next, in ways we have yet to imagine. We need to get ahead of them.

Leveling the Procurement Playing Field

“The economics would be incredibly compelling to firms entering the market if the right procurement and incentive structures are put in place. For one, smaller firms who produce offensive cyber accesses could potentially disrupt services contracts largely only obtainable by prime contractors — thereby making a profit, reducing inefficiencies in procurement, and passing on cost savings to the government.”

The paper didn’t say it, so allow me to: leveraging prime contractors for procurement has been awful for everyone except for prime contractors.

A quick, snarky overview: The government has at its disposal close and continuing relationships with a handful of large “cyber” prime contractors. The government tells each of its primes what access gaps it has, and tasks them with finding solutions. So that handful of prime contractors goes out into the world with a purpose. But they end up reading the same story online, talking to the same researcher, and coming up with the same solution list. Then the government receives one list from each of its contractors and thinks to itself, “Oh my, look at the vibrant market. These capabilities are so plentiful! I asked for one specific access, and I have a handful of options!” Now, when there are so many to choose from, there is no urgency in procurement. And when the researcher makes a sale or perhaps a disclosure, the entirety of the government’s myriad options vanishes overnight — and they only find out about it at the moment they move to procure. Meanwhile, all operational planners and executors have been assuming they will obtain that access. There is so much lost productivity and opportunity in this.

And here's the other side of the coin. I've seen this happen way too many times to count: The researcher is often told what the price is. They are told the buyer is budget constrained or it’s a take-it-or-leave-it situation. In reality, the researcher has no idea what the buyer is paying, and too often it’s at a massive markup. This means the government buyer has overpaid and the researcher seller has been underpaid. The only winner is the defense contractor in the middle. DeSombre and Bratus note these inefficiencies and also note access platforms — like the one Desired Effect offers — produce immediate value for both buyer and seller. Sellers set their own rates and terms. Both parties have access to confidence-building market analytics to understand pricing trends and other key data points. Desired Effect will perform testing, vetting and validation, and packaging. Our fee for this service is a fixed and transparent 20%, which is charged to the buyer. Both parties walk away with confidence that the free market is serving up efficiency gains.

Staying a Step Ahead of Adversaries

“In an era where offensive advantage depends on speed, automation, and creative improvisation, only institutions that understand how systems work will be able to anticipate and exploit those emergent properties before adversaries do.”

Yes! Love this, Winnona! At Desired Effect, we constantly preach that the very reason attackers are dominating defenders is because they work with the vulnerability research community, purchasing the knowledge and tooling to leverage flaws where defenders don't even know where to look. It is this unfair and perpetual advantage that eviscerates right through the costly defenses that enterprises have built up. If defenders want to be able to anticipate — and put compensating controls in place — before an attacker has the opportunity to even weaponize the vulnerability, they, too, need to engage the community. That's exactly what Desired Effect does! It allows defenders to join the conversation and obtain advance warning and actionable guidance on risk mitigation. It empowers the most proactive measure of all — the ability to remove an exploit from circulation, thereby reducing its value to an attacker.

The Desired Effect: Proactive Defense, for Everyone

A desired effect is often applied to a particular mission or the goals of a specific customer. But the persuasive case made by DeSombre and Bratus is a reminder that we are all working toward a bigger desired effect. We want a world where information about security flaws is broadly accessible and available to operators in time to take action. We want a world where exploits are used to protect valuable interests, not weaponized for criminal activities. We want a world where operators are empowered with information so they can safeguard the critical assets of government and businesses, not where researchers are stuck selling exploits to criminals in the shadows. All of this requires us to step out of a defensive crouch and take a bold and proactive posture. Yes, we need to play offense better. That is how you take the lead and win. That is our desired effect.

Want to talk about how Desired Effect can support your mission? Get in touch.