Page 11 - Cyber Warnings August 2017
• Attackers do not respect org-charts. Departments are typically defined by skill-sets
and the need to organize work tasks. Attackers don’t care about these artificial
boundaries. If departments are partitioned silos which do not freely and quickly
exchange information, an attacker may pass through several areas of responsibility and
be long gone before personnel in the requisite areas can connect the dots.
• Attackers do not respect the way security tools are organized. An attacker may, and
probably will, cross through several layers of infrastructure. Don’t expect an attack to
necessarily bounce the needles on your monitoring dashboard or trip an alert. The thing
about turning on search lights is that potential intruders avoid them. Evaluate where the
shadows exist in your environment. That’s where an attacker wants to be.
• What are attackers trying to obtain? The answer to this question will continually
inform your security strategy. How often are security strategies employed which secure
one part of the organization while a gaping hole exists elsewhere? This is like putting a
sophisticated lock and alarm system on your front door at home, and then leaving the
back door wide open: it completely defeats the entire goal. An attacker is going to head
for the path of least resistance to their goal. If they can phish a secretary for the CEO’s
credentials and sail away in their pirate ship full of loot, why tangle with cannons?
• How would you get in from the outside? The view from inside your defenses is a
completely different perspective from that of the outside. When locked out of your
house, your mind starts to work differently than it did when you were inside. While
inside, you view entry as a function of its intended entryways. But when locked out, you
think in terms of openings, whether intended or not: a vent is a window is a door. Locks
are no longer a function of keys, they are a function of contact points with the door
frame which a wire or credit card can possibly alter. The first floor is no longer the only
entry level: second-story windows, balcony doors, or basement window wells serve just as
well. The same is true with computer security: if you haven’t tried to get into your
organization from the outside through unintended means, there’s a high probability you
don’t have a firm grasp on the possibilities.
• How would you remain undetected once inside? After making an unauthorized entry
into your network, how would you remain undetected long term? Could you come and
go as you please without raising alarms? This is something that the typical penetration
test isn’t going to gauge, if for no other reason than time constraints. Even if you’ve
passed an audit with flying colors, that is likely no assurance that a future attacker couldn’t
camp in your environment indefinitely while avoiding detection.
Thinking like an attacker can by itself go a long way toward assessing a defensive strategy. This is
essentially the purpose of threat modeling – to anticipate the potential security threats
posed to an organization. But active offensive penetration moves beyond theory into reality,
where not only can initial penetration possibilities be validated, but impact can also be assessed. It
also gives defenders practice against an active attack.
The following sections describe a few ways your organization can get started immediately with
offensive exercises which will provide new insight on your security posture and help improve
your organization’s defenses.
Copyright © Cyber Defense Magazine, All rights reserved worldwide.