
Bolted on

What did my friend actually mean by "bolted on"? He meant a security solution that may or may not be well integrated into the operating system. That is a big issue in itself, but the real challenge was that the user interfaces sometimes required serious training before anyone could use them, making the cost of using those solutions a lot higher than that of solutions with a familiar interface that looks like the operating system, or like other applications built for it.

Is this really a security problem? Yes, because it consumes resources that could be better spent providing a higher degree of security. Instead of a team of eight he needs a team of ten, just to cope with a few solutions that use non-standard interfaces and non-standard integration.

So the first thing when he's back from vacation is to replace those solutions with ones that are better integrated with the rest of his tools. Best of suite beats best of breed.

Happy new year

It is somewhere between late night and early morning. Family has stopped celebrating, the bottles of champagne are empty and everyone is sleeping. Only the security architect is awake.

During the festivities I had a long discussion with a friend of mine about the futility of cybersecurity: how hopeless it is to try to stay on top. Either you lose within a few hours, or you spend hundreds of thousands of Swedish kronor on consultants who only implement security solutions that you don't understand and then struggle to operate. His simple question to me was: how on earth am I supposed to come out on top of this?

I had to give it some thought, as he was effectively saying that my work didn't provide value to a company. After some clarifications (there was champagne involved) I understood that it wasn't my work in particular that was the problem, but all those non-standardised technical solutions that were challenging to integrate and operate.

We boiled it down to three larger problems:
• bolted on rather than built in: the user interface was not standardised, so staff needed specific training just to navigate it
• siloed solutions: an event in one tool was hard to correlate with another, despite a well-functioning SIEM with trained staff
• measuring effectiveness: they bought the tools others bought, but it was hard to show that they worked, as the only way to prove it was an expensive pentest that would still find another way through the defences

We didn't find any good solutions that night, and when the gin and tonic was served we forgot about it, but now I'm sitting here thinking about it and I might have an idea for moving forward. Drop in here in a few days; I'm sure I'll have cracked a few bright ideas by then. Until then: Happy new year!!!

A customer of mine has asked me to devise a security strategy for them. This will be an interesting task. The background to the assignment was a presentation I gave on cost-effective security management, using MITRE ATT&CK as an example of how to prioritise your actions. After the presentation their CISO came up to me and asked if I had time to help them with a few weeks' assignment. They are currently creating the plan for the coming years and updating the way they tackle security threats, and they would like to bring in smarter ways of managing security.

My task in this assignment will be to help them create a framework containing the policies, processes and methods needed to enable a good, measurable security posture, using my way of thinking as a template. This will be interesting, and I'll post the results here later in January.

When I first read about MITRE ATT&CK I realised it was good stuff, but I didn't expect a major company to adopt it so fast.

One of my core mantras when I discuss security is to do the right things first. So how do you know that you are doing the right thing; isn't that what the risk analysis is for? Correct! Five points to Gryffindor! There is, however, a better way to move forward. Imagine that someone had already done a very thorough risk analysis on a technical level that you could reuse. Say hi to MITRE ATT&CK.

This framework supports a very important point in my campaign for better security globally: do the right things first! That means making sure you block all known attacks using the tools already available to you, so that you can then spend time on the more challenging attacks. Not a hacker in the world will bother with Spectre attacks if your admins click on links on a workstation they use for both mail and domain admin tasks. MITRE ATT&CK lists a number of attacks, attack playbooks, that you need to protect against. The framework is also used to evaluate the effectiveness of different security tools.

So take a good look at MITRE ATT&CK and start using it today.

In the aftermath of the pentester's failed attempt to get hold of Active Directory we started to discuss the long lead time for getting a pentester on site. Sure, it's mainly a question of resources and money, but there is an underlying challenge that is seldom considered. Today's security functions are not static or passive. They have active components, they are updated, they work in conjunction with humans, and they are far more fluid in their function than before. The standard pentest is normally just a person coming in to test a solution without taking the active defences into account. The deliverable is a report explaining the identified flaws, and we are left with a long (or short) list of actions to take.

This isn't good enough. You want something closer to real-world attacks. Enter the red and blue teams. So what does that mean in practice? The blue team is your Cyber Defence Centre doing its daily work, and the red team is a bunch of pentesters trying to find ways into the environment. The strength lies in the mutual learning: the red team explains how they attacked and the blue team explains how they responded. With an ongoing campaign you will end up with a security level far surpassing anything you have today. And by the way, drop that IDS project, will you?

Sure, I'm not too fond of pentesters. Not that they don't do good work: making sure a solution is secure is important, and there is always the possibility that I have assumed something that's wrong, so testing is a good thing. It's just that some are really cocky and view themselves as state-of-the-art security consultants. Well... when we had the pentest done on the ESAE I told you about last time, I was the one who could be cocky.

It didn't start out well. The pentester arrived in the stereotypical long black coat and with the typical set of gear that any pentester needs. In a slightly superior voice he told me: 'He'll be delighted to become domain admin again. It's just a Microsoft Active Directory.' He managed to intimidate the CISO, so I quietly told him: 'Let him try. We'll go have a coffee, and I promise you that he'll be here within two hours asking for a user account.'

So we went down to the cafeteria and started to discuss Tier 1 security. After 1 h 53 min the pentester came down and, with a lot less confidence in his voice, told us that he was now ready to use a user account to move forward, because we had passed the first tests. He left, and I became a bit cocky and told the CISO that he'd be back within an hour asking for a domain admin account. I was off by 15 minutes: it actually took him only 45 minutes to give up.

'Apparently you have done a decent job on security against standard user access, but getting to be a domain admin is easy, so I'll go for the hashes now. But I would also ask for the domain admin account to test the rogue admin scenario.' I knew that he hadn't found any domain admin hashes, because I had reports from Azure ATP the whole time.

If you give them a domain admin account you are bound to lose, but I told the CISO to have faith in me: he'd be back just before lunch. We continued discussing Tier 1 and Azure, and the pentester came down again, with wild eyes, and asked me: 'How on earth can you give me a domain admin and still be secure?'

I was wrapping up an ESAE implementation at a customer the other day, where my team had done a tremendous job, as always, building a secure forest for managing their AD. One of the last tasks was to order a pentest of the solution. I'm perfectly fine with that; I'm even eager to let them have a go, as it's a way to learn about weaknesses that we could fix.

We were scheduled to go live in about two weeks, and I was more than a little surprised to learn that we had to postpone the go-live date by six months because the resident pentester didn't have the time. Talk about a security function becoming a blocker for modern security. My customer became very frustrated, and there was a lot of yelling until we got management to prioritise this, as we are to provide a critical security service for them.

I think I dare say that pentesting in its current form died here today, and I'm holding the gun.

How do you evaluate your security functions, and how do you decide what security to invest in? Is an IDS the way forward, or implementing the recommendations from NIST Digital Identity? Better stick with the IDS, because it's a thing you can implement, so it is easier to measure progress by the number of IDS flows you could integrate into the SOC. They might be encrypted and useless, but at least they cost a lot of money and it is measurable. Who would care about better credential hygiene? How do you measure the effectiveness of a password of 16 characters instead of 8?

This is where attack playbooks join the match. An attack playbook is a description of how an attack works. There are a number of them that can be used to measure whether a security mechanism actually does its job.

The simple theorem is this:
Break all known attack playbooks and add monitoring and response functions. After that you can invest in whatever security you like, but don't spend a single penny before you have managed all the attack playbooks. Do reach out to your resident security architect for tips on how to do this.
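As an added illustration (not code from the original post), here is a Python sketch of the measurement this post and the MITRE ATT&CK post above argue for: the known attack playbooks are expressed as ATT&CK technique IDs, each is checked against the current control set for whether it is blocked and whether it is detected, the uncovered ones are ranked so the most common attacks get fixed first, and a gate answers "may we spend on new tooling yet?". The technique IDs are real ATT&CK IDs; the prevalence weights, the control names and the control-to-technique mapping are constructed for the example and would be replaced by an organisation's own data.

```python
"""Attack-playbook coverage check.

Added example, not code from the original post. The ATT&CK technique IDs
are real; the prevalence weights, control names and control-to-technique
mapping below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Playbook:
    technique_id: str   # ATT&CK technique ID (real IDs, used illustratively)
    name: str
    prevalence: int     # constructed 1..5 weight: how often the playbook shows up in incidents


@dataclass
class Control:
    name: str
    blocks: set = field(default_factory=set)   # technique IDs this control prevents
    detects: set = field(default_factory=set)  # technique IDs this control alerts on


# Constructed list of "known attack playbooks" that must be handled before any new spend.
PLAYBOOKS = [
    Playbook("T1566", "Phishing", 5),
    Playbook("T1078", "Valid Accounts", 5),
    Playbook("T1003", "OS Credential Dumping", 4),
    Playbook("T1021", "Remote Services (lateral movement)", 4),
    Playbook("T1110", "Brute Force", 3),
    Playbook("T1190", "Exploit Public-Facing Application", 3),
]

# Constructed control set for a fictional environment.
CONTROLS = [
    Control("MFA on all interactive logons", blocks={"T1110"}),
    Control("Mail filtering with attachment sandbox", blocks={"T1566"}, detects={"T1566"}),
    Control("Credential Guard / LSA protection on admin tier", blocks={"T1003"}),
    Control("Identity analytics (Azure ATP-style)", detects={"T1003", "T1078", "T1110"}),
    Control("Tiered admin model with PAWs", blocks={"T1078", "T1021"}),
]


def assess(playbooks, controls):
    """For each playbook, record whether any control blocks it and whether any control detects it."""
    report = {}
    for pb in playbooks:
        report[pb.technique_id] = {
            "blocked": any(pb.technique_id in c.blocks for c in controls),
            "detected": any(pb.technique_id in c.detects for c in controls),
        }
    return report


def gaps(playbooks, controls):
    """Playbooks that are not both blocked and detected, most prevalent first.

    Returns a list of (technique_id, [missing capabilities]) so that the most
    common attacks are fixed first ("do the right things first").
    """
    report = assess(playbooks, controls)
    result = []
    for pb in sorted(playbooks, key=lambda p: (-p.prevalence, p.technique_id)):
        missing = [cap for cap in ("blocked", "detected") if not report[pb.technique_id][cap]]
        if missing:
            result.append((pb.technique_id, missing))
    return result


def coverage_score(playbooks, controls):
    """Fraction of playbooks that are both blocked and detected (0.0..1.0)."""
    report = assess(playbooks, controls)
    covered = sum(1 for s in report.values() if s["blocked"] and s["detected"])
    return covered / len(playbooks)


def may_invest_in_new_tooling(playbooks, controls):
    """The post's rule: no new security spend until every known playbook is blocked and monitored."""
    return not gaps(playbooks, controls)


if __name__ == "__main__":
    names = {pb.technique_id: pb.name for pb in PLAYBOOKS}
    print(f"coverage: {coverage_score(PLAYBOOKS, CONTROLS):.0%}")
    for tid, missing in gaps(PLAYBOOKS, CONTROLS):
        print(f"fix first: {tid} {names[tid]} - missing {', '.join(missing)}")
    print("new tooling allowed:", may_invest_in_new_tooling(PLAYBOOKS, CONTROLS))
```

With the constructed data, lateral movement over remote services is blocked but not detected and the public-facing application playbook is neither blocked nor detected, so the gate stays closed until those two are handled; the ranking puts the more prevalent one first. The same function over an organisation's real control inventory gives the measurable posture the post asks for, without waiting for a pentest to find the gap.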

One of my core skills is conducting risk analysis. To be more precise, I tell my customers to quit fiddling with esoteric attacks and focus on the real challenges, like good passwords, MFA and credential hygiene. One common question I get is: who would want to attack us? We have no money reserves like a bank, we don't take credit cards like retail, we are not a government entity, so why would someone bother (and why should we pay good money for security)?

First of all, before answering the question, I must make my position clear: you should never spend money on a security consultant doing risk analysis if you haven't done the homework, meaning following the vendors' best practices.

So why should you bother? Well, it's quite easy: you can never control how someone might make money on your data, your computers or your environment. The obvious case is ransomware: they encrypt, you pay for access. Less obvious are the cryptocurrency miners that use your computers for mining. Even less obvious is speculation in raw materials. Imagine a company producing iron or aluminium; a hacker gets access and plants ransomware on the servers, then buys a lot of the commodity that is produced. The ransomware is then activated, taking a few producers offline and creating a shortage that raises the price. Or what if someone is speculating that your stock price will fall?

You can never know how they will make money on your downfall, but it might be in a way you cannot control, so make sure that you protect yourself in the first place.

I meet many security departments in my line of work. One thing that has been showing its ugly face during the last two years is the reference to 'the network group', often spoken with a bit of fear. Whenever I present credential theft mitigation or identity security, it is unavoidable that someone references that 'network group' as if they were the deciding force for security. No matter whether it's the CISO, the CIO or anyone else, apparently the firewall administrator is king and god when it comes to security.

I have spent some time helping a customer manage this, and what we concluded was the following:
- network security seldom solves modern security problems
- network security normally has the privilege of defining the security problem, for historical reasons
- network security is normally backed by strong vendors with a large number of three-letter acronyms to cloud the discussion
- network security points at the CLOUD Act as a reason to keep resources on-prem.

Did I mention that the pentester got domain admin for the fifth year in a row, within a few hours? But that is of course the server people's fault.

To be frank, a lot of resources are spent on network security projects that have little to no validity in a modern world. Network security has played its role but is now to a large extent obsolete and should be regarded as legacy.

Moving forward, network security should first of all be mandated to use domain user accounts; no network management should be allowed to use local accounts. Second is to use privileged access workstations. There are so many vulnerabilities and flaws built into the management of networks, despite the number of mechanisms they have, that having dedicated management workstations should be a no-brainer. Third, network security should be second to identity security, or, even better, part of the security department.
