I’m at Black Hat this week and have taken a couple of great courses put on by SensePost. In these classes, there was a lot of discussion about how to “think like a hacker” when you design your defenses, and the processes to keep you secure.
The bottom line: Attackers are always looking for mistakes, outliers, and inconsistencies so they can use them against you. This means your security programs need to be robust, resilient, measurable, and – as much as possible – consistent (vs. ad hoc).
Focus on the targets, but don’t forget the relationships
We discussed a lot of different attack & defense scenarios this week, but one that kept coming up was one that I think is pretty common. In this scenario, your “crown jewels” are well protected and are very hard targets to crack. You may feel safe, but if attackers are able to find a weakly configured, trusted host that is able to connect to your most precious systems, they can get past your defenses and achieve their goals.
There are several lessons here:
- Evaluate your environment to ensure that you either harden the systems that can access your critical servers, or remove the trust relationship.
- Regularly assess your infrastructure for weaknesses and inconsistencies. There are various layers of this – vulnerability scanning, automated configuration assessment (comparing the actual state of your systems vs. your target security profile), user account audits, etc.
- Periodically hire an objective penetration tester to think outside the box and help you find your weaknesses.
- Be mindful of “information leakage” – do you have any publicly accessible information on accounts, passwords, processes, etc. that provides details of your security model or priorities? If so, do your best to expunge as much of it as you can. These kinds of clues can make it easier for an attacker to exploit you as a target.
- Don’t try to reinvent the wheel – there are great training programs, automated assessment tools, 3rd party guidelines, etc. that can help you mimic best known methods that have already been well-vetted by the information security community. Use them to accelerate your success.
- You’ll never be perfect, so develop the means to know when you have a problem (through automated, continuous monitoring, for example), quickly assess your options, make a decision, and act to address the issue.
- Vigilance means continuous monitoring and leveraging automation – but also ensuring you have enough data to reduce false positives (and false negatives). A clear understanding of system state can help you quickly rule out noisy, misleading events – if the events are flying but you quickly figure out what parts of the system have changed, when, and by whom, your job gets a lot easier.
- If your company grows by acquisition, or you suddenly “inherit” a bunch of infrastructure, these are all doubly important.
- Send your security teams, managers, etc. to training so they can keep up with what tools and techniques the attackers are using – the whole “know your enemy” concept.
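To make the trust-relationship lesson concrete, here is an added example (not part of the original post or the SensePost course material): a small Python script that models hosts and the trust relationships between them as a directed graph, then reports every path from a non-hardened host to a crown jewel so you can decide whether to harden the first hop or remove the trust edge. The hostnames and inventory are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (hypothetical hostnames, not from the article).
# "hardened" means the host currently matches the target security profile.
HOSTS = {
    "web-dmz":    {"hardened": False, "crown_jewel": False},
    "jump-01":    {"hardened": True,  "crown_jewel": False},
    "build-srv":  {"hardened": False, "crown_jewel": False},
    "db-finance": {"hardened": True,  "crown_jewel": True},
    "hr-app":     {"hardened": True,  "crown_jewel": True},
}

# Directed trust relationships: (source, target) means source is allowed to
# connect to target (firewall rule, SSH trust, shared service account, etc.).
TRUSTS = [
    ("web-dmz", "jump-01"),
    ("jump-01", "db-finance"),
    ("build-srv", "hr-app"),
    ("jump-01", "hr-app"),
]

def find_weak_paths(hosts, trusts):
    """Return every path that starts on a non-hardened host and reaches a
    crown jewel by following trust relationships. A finding is the list of
    hostnames along the path; hardened hops in the middle do not help if
    the first hop is weak."""
    adjacency = {}
    for src, dst in trusts:
        adjacency.setdefault(src, []).append(dst)
    weak_hosts = [h for h, a in hosts.items()
                  if not a["hardened"] and not a["crown_jewel"]]
    findings = []
    for start in weak_hosts:
        queue = deque([[start]])          # breadth-first walk, keeping the path
        while queue:
            path = queue.popleft()
            for nxt in adjacency.get(path[-1], []):
                if nxt in path:           # skip cycles
                    continue
                new_path = path + [nxt]
                if hosts[nxt]["crown_jewel"]:
                    findings.append(new_path)
                else:
                    queue.append(new_path)
    return findings

def remediation_plan(findings):
    """Summarise findings as hosts to harden and, for cases where hardening is
    not possible, the final trust edge that would sever each path."""
    return {"harden": sorted({p[0] for p in findings}),
            "remove_trust": sorted({(p[-2], p[-1]) for p in findings})}
```

Running `remediation_plan(find_weak_paths(HOSTS, TRUSTS))` on the sample data flags the two unhardened hosts and the three trust edges that lead into the crown jewels.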
These are a few things that are top of mind for me from this week, and I even have a few more days left! This is shaping up to be a very productive and enlightening week – and it was awesome to get some hands-on practice pwning servers in a live (lab) environment.
[July 24, 2012 22:43 – grammatical edits made to this article. –dam]