Despite CSO efforts, ethical-hacker A teams “always get their man”
- 21 April, 2016 10:46
Dedicated teams of hackers-for-hire are on the ground in Australia and are throwing everything including the proverbial kitchen sink at business networks to identify and exploit often significant vulnerabilities – before the real bad guys do.
Conventional penetration testing has emerged in recent years as an acceptable and important part of regularly testing a company's security defences.
Yet even as pen-testing has gained in stature, one security expert says its normalisation within many businesses has left many of those businesses complacent and unprepared to deal with a full-fledged attack by determined and well-resourced outsiders.
“When we attempt to attack the environment we are showing the customer how all of their traditional security controls are failing when they come up against a mission-oriented adversary,” Jackson McKinley, senior manager for Mandiant Consulting with FireEye, recently told CSO Australia.
FireEye recently leveraged its extensive roster of skilled security experts – many of whom have unconventional capabilities such as the authoring of malware – to launch its Red Team Operations in Australia and, McKinley warns, their track record so far confirms that businesses here still have a lot to learn about security within its enterprise-wide context.
“If you want to test your A game you bring an adversary who brings your A game,” he said. “All security professionals aim to produce good results for their customers and I personally have never seen the team not produce a result. They always get their man and they are always able to produce a result for the customer.”
In some cases the target organisations have detected the red team's activities and the exercise escalated into a “game of cat and mouse” but this actually emboldens the security teams: “They are looking to turn those skills that they have honed over so many years of experience, and to turn this into a result for customers,” says McKinley, who has watched the team members having “an awful lot of fun” then they finally manage to breach the victim organisation.
These sorts of wargames reflect the growing need for organisations to bolster their security defences in an era where human targets are continuing to prove extremely easy to manipulate.
Despite years in which CSOs have been all but begging users to be smarter about what they click on, in one exercise McKinley's team peppered a company with spoofed emails purporting to be from the IT department and promising the chance to win an iPhone 6S for employees that clicked on a link to test the strength of their password.
In the Silicon Valley-based technology company of 600 people, some 400 receipients clicked on the link and entered their passwords into a fake portal.
“Even if only one or two employees had clicked on it, the attack would still have been successful,” McKinley said.
“They would still have stolen some credentials and woul dahve been able to penetrate the environment. The point is that you can't just rely on the people – so having a layered defence and regular testing can help.”
That testing must extend far beyond email and network-defence systems, with Mandiant also launching focused penetration testing services for other online systems that present major risks including industrial control systems, Internet of Things (IoT) devices, and mobile applications and devices.
Each of these domains presents a significant weakness for most enterprises and regular testing is increasingly being recognised as a crucial part of the security defence. Gartner recently flagged security testing as one of the biggest growth opportunities for technology providers in a global information-security market that grew by 4.7 percent to be worth some $US75.4 billion in 2015.
And research firm ReportsnReports has predicted that security-testing services would grow at 14.9 percent annually through 2019, when it will be worth $US4.96 billion. Much of that growth will come as companies recognise that their security remediation can be aided by engaging security testers with the same skills that a real attacker would bring to the table.
The process may be humbling for security staff who watch their defences being systematically breached or disabled, but McKinley said most companies rightly see the whole activity as a learning process. “The teams that do this are very talented individuals who are extraordinarily good at what they do,” he said. “They're able to craft malware, phishing attacks and exploits just like an attacker would do.
Not only do they get an understanding of how to breach a network, but how they would defend it. A lot of learning happens after an attack – and it's a lot better to work on this with a friendly team than an unfriendly team.”
Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.