At some point, organizations seem to have confused hacking certifications with the ability to breach systems at the level of state actors. An unfortunate side effect has been to equate penetration tests with actual breaches.
They aren’t the same.
You'll likely not guess this from the balance of conference topics and social media posts skewed towards red teaming, but red teams are just another capability within a cyber security program.
Really, they are.
Not every competency within a security program links back to the value that capability actually delivers. Organizations seem to treat anyone who holds a simple hacking certificate as if they represent a red team capability that will bring tangible value to the security program. That's not always the case.
Fact: Penetration tests are contrived events.
What makes them contrived is that, with very few exceptions, there are rules of engagement, limitations, off-limits machines, and other constraints that real-life adversaries don't have to follow. The more constraints, the less a pen test models a real-world event.
This brings us to what I refer to as the "shade tree state actors". This group is composed of that large percentage of the 80% who honestly believe they have much better skills than they do.
They tend to be loud in their approach: they download known and discoverable tools to support their work, and they are noisy in terms of the artifacts they unknowingly leave behind. Often, their previous successes were in organizations that weren't good at monitoring for even noisy activity inside the perimeter, and the credentials they used were gained via social engineering rather than technical means.
When we exercise an internal red team capability made up of shade tree state actors and ask them to provide value, we may have unknowingly set the bar extremely low. So low that the scenario again isn't representative of a real-world bad actor at all: it is a scenario in which we assume that the activities, abilities, and range of testing of our shade tree state actors mirror the capabilities of actual intruders.
And then everyone is surprised when a breach occurs.
I'm not against in-house red teams. There is a sound rationale for a full-time internal red team capability when an organization is well funded and mature in most of its other areas. You'll need to be in a position to pay for top talent. Top talent that can translate their activity into artifacts, tools, and techniques from which the blue team can benefit. That's a red team that I like to see.
That said, too often, smaller organizations with a low to middle-of-the-road level of cyber security maturity divert resources to a full-time red team capability when those resources could be better used in maturing the program, building capability, and reducing disruptive incidents in other parts of it.
They could gain more value from outsourcing periodic pen tests that rotate across a number of highly skilled and dedicated pen test organizations. They'd have the additional benefit of the contractors using different approaches with each pen test, likely yielding more overall value than the organization could otherwise afford to hire.
Let's not confuse the requirement to test security controls with the requirement to have a red team. There are much more fundamental investments small to medium companies can make to test those controls on a full-time basis. Investing in a robust IT audit program comes to mind, which, coincidentally, will also tend to find many of the mundane and less sexy issues that occur as part of real-world breaches, on a much more cost-effective basis.
Sexy or purposeful.
It’s your program, make the most of it.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.