The recent Sony Pictures breach is a stark indicator of how complete and thorough a compromise can be. Sensitive email conversations between executives, marketing plans and various projects have all been exposed. While the rumours have flown thick and fast as to the identity or sponsors of the attackers, for illustrative purposes it really doesn't matter. The ultimate point is that a small group of individuals of sufficient skill can compromise a multi-billion dollar company.
Traditional defences in information security have focused on well-established axioms. "Defence in depth" and "least privilege" are but a few. But how do we deal with threats where conventional defences fall short, or where the game is so heavily stacked in favour of the attackers? It is well known at this point that the asymmetry of information security favours the attackers. How do we even the game?
Defenders must firstly accept that prevention is virtually impossible. That's right - they must accept that, no matter how much money they spend, it is unlikely to be sufficient.
I've spoken to security leaders in all manner of corporates - large and small. It seems no matter how much (or how little!) they spend on security it is never enough. All it takes is one small mistake - from one user clicking a link and downloading malware, to a lazy administrator setting a weak password or a more widespread practice like not patching an environment. The next thing you know, someone has domain administrator rights and the whole thing falls over like a house of cards.
Defenders must also be meticulous. They must be thorough. There must be zero tolerance for mistakes. Unfortunately, most people are not, and most organisations really do not apply enough discipline to cover the basics (and of those that do, most do not do so consistently). If you are still trying to get a grasp on patching, still have issues with users clicking links, and are still running with administrator rights and setting weak passwords, then you are already on the back foot.
What I find more alarming is that most organisations still choose not to perform scenario-based penetration tests ("red team" type exercises) to determine how effective the organisation is at detecting and preventing a security incident. Longer, more thorough and more costly than a penetration test, which is often done on a per-application or per-project basis, these tests are designed to cover a period of time (e.g. 1 to 3 months) with an end goal objective. Examples might be: get access to the CEO's email, locate a particular Excel spreadsheet, etc.
What is interesting are the responses as to why people will NOT participate in an exercise!
"Oh - we know we'll fail."
So you'd rather believe you're secure with everything you’re spending and not have peace of mind? Or is it that you don't want to find out about how severe the gaps might be and how much more work might be involved to fix them? Classic Ostrich Risk Management.
"This is too costly."
So what's the cost if you get pillaged? Your clients think you have no idea how to protect your network and their data, and lose confidence in you? Will they cease trade with you? What's the cost in dealing with the media and brand damage when it goes pear-shaped? The cost to your business goes up, especially if you're purely an online business.
What breaches like Sony Pictures tell us is that attackers leave clues. Those clues can be captured in logs: firewalls, proxies, authentication credentials, netflow collection, IDS/IPS, WAFs, and so on. These things may not protect you, but they can provide a warning to you. Red teaming exercises will allow you to evaluate the effectiveness of your detection capabilities and allow you to work on plans to increase the risk and potential complexity of a breach. It is an iterative process that must be repeated over time, with the lessons continually applied and used to shape the security program of your organisation.
This type of testing was blogged about on CSO.com.au back in 2011. It isn't new. Back in 2010, Haroon Meer presented how, with anything from $100k to $500k USD, it would be feasible to hire a team of hackers that could break into anywhere. And yet, many organisations still think ISO27000 compliance will help them to prevent a sophisticated attack. The fact is, attacking is cheap. Skilled resources are found in any country. It does not require them to be funded by a nation state. And more often than not, it is surprisingly easy.
While it is true that attackers only need to succeed once, it is equally true that well-entrenched defenders need only succeed once in detecting them. So you need to accept that you are going to be compromised. Devise some realistic scenarios and begin testing your organisation to see how you respond. Business resilience practices have been running these sorts of scenarios for years to improve their BCP. Why is red teaming any different? Is it any less a disaster if your executive's email winds up in the news all around the world, like Sony Pictures right now?
It is increasingly apparent that the modern-day security professional must look beyond preventative controls and place much greater emphasis on detection, response and other controls which can help shift the asymmetry further in favour of the defender.