Left of boom cover Giacomo Lanzi

“Left of boom” and “right of boom”: having a winning strategy

Estimated reading time: 7 minutes

When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both a offensive and a defensive perspective. In a hypothetical timeline of an attack, what is left of boom refers to what happens first. Similarly, what is on the right is what happens next.

In common parlance, the term “bang” is very often used instead of “boom”, but the meaning remains the same. In essence, it is the event itself around which the previous and subsequent period is analyzed.

So, “left of boom” is the set of events that occur before the attack . “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive stocks can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.

left and right boom timeline
Visual representation of the timeline , the event (Boom) and the actions or tools to the right and left of it.

For an inexperienced person in cybersecurity, these concepts regarding the timeline of a cyber attack may not even be considered, for this reason many companies prefer to use a SOCaaS.

Left of Boom

A good penetration tester can detect some “left of boom” events, but they often miss out on gathering threat intelligence. Sometimes it is unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention control”.

There is actually no real good prevention tool, more security checks are detection checks. Some of these controls integrate automated response mechanisms that prevent the succession of unpleasant events.

A web application that prevents XSS or SQLI attacks is really useful for detecting invalid inputs and responds by discarding the content before the injection can occur.

A firewall designed to block ports simply detects unwanted traffic in relation to the protocol used for the connection and the number of the port you want to access, interrupting and resetting the connection request.

These examples tie in well with the concept of “right of boom”. The prevention checks detect the “boom”, the event, and respond immediately, stemming the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.

This is one of the reasons why IT security professionals love prevention checks. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.

A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.

Right of Boom

Generally the shorter the distance between the “right of boom” and the response time to a threat, the lower the consequences of a possible cyber attack. Obviously this is only a logical consideration, it does not apply as an absolute rule.

For some breaches, the timeline between the event and the complete elimination of the threat is questionable, as detection occurred after the hacker achieved his goal. If the hackers they manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” we are talking about.

An example of right-of-boom

To better explain the concept of “right of boom” we could take a common “malware” as an example. Malware is generally developed to mass attack many devices, without much discretion. By “right of boom” we refer to that period of time that has passed since the malware infection occurred.

If you have read the other articles published by us you will have learned how hackers use these types of infections for the purpose of collect sensitive information , which is resold to a third party. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.

The best security systems manage to shorten the “right of boom” time by managing to gather information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are deployed.

As we’ve seen in other articles, attacks don’t always happen quickly. In fact, the hackers involved are more likely to act in a slow first period just to gather the information needed to launch the attack. In the “right of boom” period, useful tools such as cyber threat intelligence and a threat hunting team come back < / a>.

Left of boom strategy
A strategy that also takes into account what happens before an attack is much more effective.

Why “Right and Left of boom” concepts are important

If we put ourselves in the hacker’s perspective, the concept of “right of boom” and “left of boom” can help to decide which course of action is best to take.

Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period, while the other one in the “right of boom”, it is obvious that the hacker will prefer the second. In fact, this would guarantee more probabilities successful attack.

Similarly, between two methods that can be detected “right of boom” we choose the one that has the most chance of being detected late . The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has a broader timeline.

Thinking in this light is not easy at all, requires advanced knowledge from the security expert. It also requires having to consider all those hypotheses that could potentially determine the success of the hacker.

Speed

A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect attacks. The “boom” is the first contact, in the set of intrusion tactics used to illegally access a computer system. The remaining tactics are placed before and after it.

Speed and stealth usually cancel each other out. In fact, very often you can be faster by sacrificing some stealth.

Speed and stealth don’t get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more attention and therefore inevitably also more time. However, if the aim of a hacker is not a single goal but a series of multiple goals, to be fast can be effective.

To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.

Conclusions

It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.

The concepts we’ve seen in this article, while they don’t add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning in detail every detail, before and after attacks.

To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us, we will be able to answer every question and offer you a solution for your company.

Link utili:

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Disclosing Vulnerability of CLink Office 2.0 May 23, 2022
    Posted by chan chan on May 23Dear Sir/Madam, I would like to submit a vulnerability found on CLink Office 2.0. I had contacted the vendor 60 days before but in vain. # Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console # Date: 30 Mar 2022 # Exploit Author: […]
  • [tool] tplink backup decryptor. May 23, 2022
    Posted by retset on May 23Yet another "tool" to decrypt a backup configs for some tplink wifi routers. Only tested on latest fw for "Archer C7". I hope that it will be useful for someone. https://github.com/ret5et/tplink_backup_decrypt_2022.bin
  • SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components) May 18, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes...
  • PHPIPAM 1.4.4 - CVE-2021-46426 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-03/2022 ]========================== PHPIPAM - Version 1.4.4 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents ]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability […]
  • LiquidFiles - 3.4.15 - Stored XSS - CVE-2021-30140 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-12/2021 ]========================== LiquidFiles - 3.4.15 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! May 18, 2022
    Posted by malvuln on May 18Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! https://www.youtube.com/watch?v=eg3l8a_HSSU
  • github.com/malvuln/RansomDLLs / Catalog of current DLLs affecting vulnerable Ransomware strains. May 18, 2022
    Posted by malvuln on May 18Reference list for my Ransomware exploitation research. Lists current DLLs I have seen to date that some ransomware search for, which I have used successfully to hijack and intercept vulnerable strains executing arbitrary code pre-encryption. https://github.com/malvuln/RansomDLLs
  • APPLE-SA-2022-05-16-2 macOS Monterey 12.4 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-2 macOS Monterey 12.4 macOS Monterey 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213257. AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed […]
  • APPLE-SA-2022-05-16-6 tvOS 15.5 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-6 tvOS 15.5 tvOS 15.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213254. AppleAVD Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel […]
  • APPLE-SA-2022-05-16-5 watchOS 8.6 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-5 watchOS 8.6 watchOS 8.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213253. AppleAVD Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free […]

Customers

Newsletter