- How do you know that your defences are good if you don’t test them?
- What lengths would your adversaries take to compromise your systems?
- Adopt the same offensive mentality as your adversary in order to test your defences
You have your security strategy, you know (most of*) your threats/vulnerabilities, you implemented a top-down well oiled security program, policies, procedures, processes, technology, etc. You’re now safe…
As mentioned in a previous blog, security must be tested either by you or by your threat.
The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)
Let’s be ignorant and ask a few questions:
- How did they get through our defences?
- Why did it take so long for them to be detected?
Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?
This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.
From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.
Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.
A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside of the square to find ways to get in; this is where innovation is practised.
Back to answering question 1: to be a good security professional you have to think like *the* threat, adversary or pen tester in order to minimise the risk of a threat compromising your organisation.
As for the second question, it is obvious that the adversary was not detected at the time of entry, and that raises other questions: how well oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?
To answer this, you need to put your defensive hat on…