Pen-testing engagements are generally a breeze for most red-teamers; roadblocks are few, even though the ones that are in place are expensive and often paid for by very large companies.
Chris Nickerson has been running such engagements for 15 years and he sees companies that throw more money and more servers at security solutions as having far less success than those organizations, big or small, that understand an attacker’s behaviors and defend accordingly. It’s better to manage against an attacker’s tactics, techniques and procedures, Nickerson said, rather than run a program whose main objective is patching vulnerabilities.
“If you manage your lifecycle on vulnerabilities, that’s a negative-sum game,” said Nickerson. “Manage against TTPs and you have a feasible understanding of what an attacker’s position is. When you know that, you have an idea of their capability.”
Nickerson will be delivering a day-one keynote on Wednesday at Source Boston where he will describe some of the defensive tricks and approaches that have given his red teams fits over the years. One thing he plans to stress is that, in most cases, a lack of resources is no excuse for failing to put these barriers in place.
“Almost none of it needs to really be implemented by anyone of substantial technical understanding,” said Nickerson, CEO of Lares Consulting of Denver. “There are changes you could make tomorrow,” he said, that would impede many approaches used by advanced attackers.
Some of those approaches are simple such as stopping strings from running in a stored procedure, or treating workstations as workstations, and not as servers—applying and enforcing appropriate controls to both.
Organizations, he said, are suffering from vulnerability and technical debt fatigue where flaws are addressed, often wholesale, without context to the risk to an organization. Understanding offensive security, he said, helps create defendable positions. During pen-tests, Nickerson said, there is a commonality among successful organizations.
“Normally, it’s the people who have an interest in running active simulations with us and not expecting the simulation to be an output event, but an interactive event,” Nickerson said. Some clients, he said, have evolved to the point where they are playing along during a simulation, jabbing back at attacks rather than being leveled by a haymaker and waiting for the consultant’s final report to tell them what’s wrong.
“Those are the ones who are making giant strides and progress toward creating defendable positions,” Nickerson said. “Too many people think XYZ product or patch will save you.”
Nickerson’s keynote closes out Day 1 of Source Boston. Richard Thieme opens the show Wednesday with his keynote address on the psychological impact of being a security professional. Diedre Diamond, founder of the Cyber Security Network, and Deborah Plunkett, former director of the NSA’s Information Assurance Directorate, are the Day 2 keynotes.
Conference owner Rob Cheyne said that the event’s three tracks not only present technical content, but also help professionals in the trenches talk to business people—and vice versa.
“One thing we started experimenting with last year was adding in some other elements like speed networking and lightning talks to get people out of their comfort zone,” Cheyne said. “This event is not meant to be just another hacker conference. It’s meant to be a place where a CISO, an executive, a researcher and a developer can all be involved in parts of the lifecycle that touch security.”