I’ve written endlessly on the need to disrupt the attacker-defender dynamic and on the fact that we are on the underside of the asymmetrical skew across the economic, informational, technological and educational rails. But now we see that we don’t even share the same view as our attackers when it comes to the style of defense we choose to deploy in response to their assaults.
When one looks at attack vectors through the lens used by IT professionals and vendors, one doesn’t see things quite the same way as our hackers and pen testers do, even though we are both using the same lens. And given that these guys have exactly the same skills and use the same techniques as the cyber-terrorists, it would be a very good idea to pay attention to their view. After all, the only difference between the good guys and the bad guys is the flag under which they serve.
The attack vectors, the software tools, and the methodologies are all the same. That is, after all, the objective of penetration testing, isn’t it?
The general view of the pen test and hacking community is that the countermeasures IT security guys think will stop an attacker won’t even slow them down, and that some other defensive techniques thought to be totally arbitrary actually have a tremendous impact on our defensive posture. The differences between perception and reality about defensive techniques are in serious need of realignment, consistent with the informational gap we’ve been discussing.
Given that hackers and pen testers deal with the reality of security problems every day, reviewing their experiences dealing with cybersecurity is probably a good idea. Conferences like Black Hat and DEFCON are rich forums to discover and experience vulnerability information, methodologies and techniques from the hacker POV, but weirdly, most IT security professionals either don’t know this content exists or don’t know how to access it, or it could simply be that the hacker view is not highly regarded. This to me is even weirder.
One of the discoveries at a recent DEFCON, for example, was that the tools hackers and pen testers use are not those that cybersecurity professionals would expect. The vast majority of cyber-mechanics prefer open-source or customized tools to the commercial variety. While none of these guys would admit to using illegal exploit kits, I am willing to bet that most of them are riding at least the CoreIMPACT or Cobalt Strike flavors.
Most pen testers also change tactics between engagements, mirroring their adversary’s behaviors to keep abreast of new techniques for work-arounds against new defenses. This continued streamlining of process for new engagements is also caused in part by the discovery of new vulnerabilities, configurations and software just like real-life aggressors would be doing.
Another reason why the professional IT cybersecurity community may tend to dismiss hacker and pen tester input is the sort-of snarkiness and anarchistic tendencies of the community. Most of these guys have high school degrees but eschewed college for their own home-schooled degree in advanced hacking. Only something like 30% have graduate degrees, and the overwhelming majority don’t believe that technical certifications are useful for purposes beyond resume glitter. The majority view is that a technical certification is not a good co-indicator of talent or ability.
Our own pen testing guys are rock stars without technical certifications, yet have wowed employers like Microsoft and Symantec and have been banned from participating in the Capture the Flag contest at DEFCON because they won it too many times. The biggest advantage a pen tester has is how they think.
One of the most tangible benefits of consulting with this crowd is the ability to measure the flexibility and appropriateness of your defensive countermeasures. If they are less flexible than the attackers trying to get around them, they have between a slim and zero chance of being effective.
Protecting inflexibly against an attack pattern that is no longer relevant underscores the importance of incorporating live, battle-space penetration testing into your plans. Only through inventive probing by accomplished hackers can you adjust to continually changing attack strategies and polymorphous malware.
A recent hacker survey spoke directly to results in terms of how effective today’s countermeasures actually are in preventing intrusion. Respondents said endpoint security and robust security monitoring (46%) presented the most challenge during a pen test, followed by intrusion detection or intrusion prevention systems (21%) and firewalls (5%); but 29% said no countermeasure of any kind known today could stop a successful attack.
What is profoundly interesting, then, is that today’s corporate spending is led NOT by security monitoring or endpoint protection but by intrusion detection and prevention technologies and firewalls. This is like insisting that the noise you hear is coming from your rear end when your mechanic is telling you it’s the timing chain. Why hire the mechanic?
The other wisdom coming from this community is that 65% claim their targets don’t fix the things they know are broken and 75% of their targets focus all of their remediation energy (budget, resources, direction) on what they perceive to be critical vulnerabilities based on the government’s CVE list. The problem with this approach is that it only gives the defenders a false sense of security around security enlightenment that is not unlike checking boxes on an audit form.
Instead, the hackers believe that their targets would be more efficient focusing on repairing the actual vulnerabilities under attack and not on whether they show up on some official list. They’re big on outcomes and not so big on enlightenment.
The thoughtless remediation of CVE vulnerabilities fails to consider the reason that the vulnerability exists to begin with, ignoring best practice failings like poor patch management policies, the absence of a vulnerability management program, or an insufficiently prepared or non-existent security team. This approach also completely ignores the complexities of multi-staged attack vectors.
If we are not going to take the counsel of our hacker and pen test community under advisement, then we should at least adopt the principles of defense in depth because a layered defense is the only way to effectively mitigate some of the risk associated with ignoring the critical vulnerabilities that may be obvious to a hacker but for other reasons we may choose to ignore.
Sometimes, following a pen test, we may understand and acknowledge the need for changes, but simply don’t have the time, skills, or money to implement them. What we should do is revisit the structure of our overall defense platform and make sure that we have controls in place to detect and identify threats before they become a breach. This is always easy to say and often hard to do, but so far, listening to the best advice from the troops on the front lines seems to be out of the question. If we continue to do neither, we are guaranteed to fall victim to cybercrime and whatever brand of mayhem will ensue.
Mar 8, 2017, Steve King