In the cyber-security field, the term OST refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.
It has been reported that Paul Litvak, a security researcher for cyber-security firm Intezer Labs, has compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread the adoption of OST projects was among hacking groups — such as low-level malware gangs, elite financial crime groups, and even nation-state sponsored APTs. The results were compiled in this interactive map.
On one hand, OST can be considered as a means of sharing lessons learned. If a researcher finds a vulnerability, then they will want to share their tool so that other members of the security community can find and resolve systems with the same vulnerability faster and more easily. On the other hand, these tools could also be leveraged by cybercriminals, kiddie hackers and others whose aim is not to prevent security flaws but to exploit them.
However, in my opinion, preventing OSTs from being shared is not the answer. Even if one were to forgo the physical creation of an OST for a research paper where steps for the tool's recreation are laid out, the outcome would be the same. Cybercriminals are highly skilled programmers and could easily follow the steps and write their own software to execute their objectives. Indeed, they are bound to find a way with or without an OST. You would need to stop all videos, papers, schools etc. that teach individuals about vulnerabilities and make these available only to certain privileged and trusted individuals. Doing so, however, is not helpful. If anything, this just makes it harder for knowledge to spread amongst those doing good. Think of it this way: if you get a lock pick, you can use this to open a door for someone who has lost their keys. But it can also be used for criminal acts to open doors and steal valuables. Does that mean that lock picks should now be banned?
Maybe what we need is not its banishment, but a more controlled use of such tools. One should consider what malicious use an OST could have before deciding to share it more widely. The best thing to do is to have a greater number of security experts consistently and frequently utilising these tools to swiftly highlight vulnerabilities. Then based on those findings, establish remediation and resilience steps. I would be interested to see how many organisations have taken advantage of such tools to protect themselves year-round rather than during penetration tests conducted once a year.