Photo by Geran de Klerk on Unsplash

Attacking Without Announcing

Five policies to test your organization's security

By Rafael Alvarez | June 21, 2022 | Category: Opinions

We talk a lot about the advantages of extreme connectivity and information availability, but too little about how our company, client and even personal data is secured. Here we want to guide you on some management policies we suggest you can take advantage of to determine with high precision how secure your information and systems are and how effective your defense measures are. We also want you to realize what could happen if you don't apply these policies.

From our experience, we know that business leaders usually assume that buying more technology would resolve all their security problems. In fact, such a "solution" could worsen the situation, because poorly implemented, built or configured technology is the source of all security vulnerabilities.

On the other hand, for modern companies, protecting their information by making it inaccessible or keeping it on paper is no longer viable. In a world where digital transformation is the norm, exposing more information to the client is a must. This transformation's benefits go from improving transaction times and costs to rising service windows and client satisfaction. Operations that were only possible on-site during office hours are now possible anywhere, 24 hours a day, seven days a week, all year long.

However, the digital transformation can lead us to consider some risks and raise questions such as the following: Can the buyer modify the product price before paying for it? Can an employee know the salary changes of his coworkers? Can members of the labor union read board minutes? Can a guest get network administrator passwords? Can someone connect to the enterprise network, turn on a mic on the manager's computer and listen to conversations? Can a client modify the website of our company? Can we check the medical record of another person on the Internet?

Securing your organization

The question "how secure are my organization's systems and information?" is answered by making real, ethical cyberattacks. There are several names for this: ethical hacking, penetration testing, red teaming, among others. Five management policies are derived from this approach:

  1. Continuous attacks: Attacks on your organization's systems must be performed to find vulnerabilities that allow malicious attackers to take control of your operations and information assets. The word "continuous" means that these attacks must follow a specific and stable frequency (quarterly, biannual, etc.). When this policy isn't clear, organizations tend to stop further attacks with the excuse of being unable to fix the vulnerabilities found in the previous cycle. Once your organization wisely applies this policy, you can take a step forward to the next one.

  2. Zero-knowledge attacks: It makes no sense that attackers (red team) perform security testing when defenders (blue team) know the times and places of their intrusions. It's absurd that, in these attacks, red team members report progress or request permissions from blue team members, organization staff with links to defense software/hardware vendors or bosses involved. In order to know with certainty the security level of your company, these exercises must be as close to reality as possible. In real life, malicious attackers will not notify when, how and where they might attack, what techniques they might use, what their penetration level is, what machines they own and what information they have disclosed. Because of this, your organization should have restricted privileges for acquiring information about the security testing. Only a minimum amount of personnel should know about it. This is known as a zero-knowledge policy.

    Red team vs blue team

    Security exercises: red team vs. blue team (image taken from here).

    This policy implies that those responsible for your organization's security should not be the ones to organize and coordinate ethical hacking tests. Knowing about the attacks in advance, they may show tendencies to prepare for them unrealistically, seek to limit their scope to strong zones and avoid disclosing critical vulnerabilities to their managers so as not to jeopardize their current positions. And although it is now trendy to have purple teams, a combination of attackers and defenders, you should maintain a clearly defined objective: to know your security level precisely. These mixed teams can contaminate test results due to a conflict of interest in the company's organizational design. To proceed on the basis of this policy gives you an outstanding advantage: knowing your organization's actual detection and reaction capabilities in the event of an attack. If the blue team doesn't know whether the attacker is a white hat hacker (i.e., red team hacker) or a black hat hacker (i.e., malicious hacker), it will always be in a state of alert and respond according to defined procedures: blocking, reporting, incident handling, etc.

  3. Relentless response: React relentlessly to every detection regardless of the hackers' intentions. This policy allows you to keep the incident response engine well oiled, evaluate the quality of the hired red team and the efficiency of your defense investments, and also helps you achieve cost reductions or apply penalties that make attack exercises pay for themselves after some frequency.

    Information protection

    Continuous protection of business information (image taken from here).

  4. Total intrusion: This policy is the direct implication of the previous two. The red team must have a complete authorization on paper and email and all forms of legal protection from the company's highest authority (i.e., CEO or manager) to apply any offensive tactics to obtain information, modify data, access workstations or shut down services. Everything should be allowed to ensure maximum severity and compromise security at the highest level. If this policy is not put into practice, the ethical or white hat hackers you hired will have their hands tied and will be limited in their identification of vulnerabilities. They will have restricted possibilities to explore paths through which malicious attackers could move and to detect the security issues you should remediate. In the end, if they don't find anything significant in the penetration testing, it will surely be due to the limitations you imposed on the red team. Consequently, your uncertainty about your organization's security could increase or, to make things worse, you could mistakenly think that everything is safe.

  5. Coherence: If you ask managers, "Between availability and confidentiality, what is most important?" Most of the time, the answer will be "both." But if you ask them "Would you shut down your servers given an attacker's presence?" Answering "yes" would place confidentiality above availability. However, the typical response is that they would keep their servers running and try to deal with the attacker. It is common among organizations to have availability at a higher level than confidentiality and integrity in the precedence list. While availability is for them the most important element of the triad, it is paradoxical that many don't authorize red teams to test their defensive capabilities against DoS (denial of service) attacks. In this case, the invitation is the following: turn your restrictions into motivations to receive attacks from a red team. In this way, you can verify with the help of an ally how vulnerable your company is to malicious attackers.

Conclusion

Applying these simple policies, Continuous attacks, Zero-knowledge attacks, Relentless response, Total intrusion and Coherence, you can know how secure your systems really are, improve their security at a whirlwind pace and save money. You don't have to buy technologies that generate huge, incomprehensible vulnerability reports, many with false positives and a lack of context about the real impact of vulnerabilities on your organization.

Would you like to assess your systems' security with the help of the largest red team in the Americas? Don't hesitate to contact us!