Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
My background in IT comes mostly from a nomadic perspective. In my years of IT and InfoSec, I've had the makings of a career consultant -different client each week, different city, different nature of work. It's been a long and diverse journey, and I've loved just about every minute of it. I wake up every day and say "hey, I get to be a pretend bad guy and get paid for it!"
Some things are consistent, however, and I'm not talking about the flight delays or lost luggage - your most common adversary is a network run by an IT team. Most of the time that team is a wonderful, hard-working group of people, many of whom are forced to wear a number of hats on a daily basis to keep the clocks turning, the network up, and the users working. Of those hats, the most conspicuously absent is that of Offensive Security.
"Offensive Security? That's what I pay you for!"
This is, in part, true - organizations hire qualified penetration testers all the time, and it's money well spent! However, many of these same organizations forget a few things:
Try as you might, security is enough of a moving target that you will likely never find "everything". On a scale of who has it the "easiest", it's probably the bad guys - they have unlimited time, no restrictions, and don't really care what resources they may knock over on the way. Penetration testers have to work with the constraints of scope, time, and a delicate touch, but even we get the advantage of not having "network tunnel vision" - that is, we see the network from a perspective most IT teams do not. Finally, IT teams have the hardest job - they are tasked with fixing myriad issues/weaknesses/vulnerabilities, whereas penetration testers(and by proxy, bad guys) only need to find one.
That's where the concept of "security self-defense" comes in. It's difficult to gain the same broad base of security knowledge when you only see a single setup day to day (vs the thousands of networks we get to see per year), but you can still learn the methods of offensive security and how to "think like a bad guy". Let's take a look at some useful areas of concern.
Man-in-the-Middle(MitM) Attacks
Man-in-the-middle (MitM) attacks are a very potent, multi-faceted, and devastating class of infrastructure based attacks. To defend against them takes the correct blend of network architecture, host, and network services configuration security and hardening. The best way to understand and secure against these attacks is to learn the mechanics of how they work. What is the attacker looking for? How about:
Host-based Attacks
It's tempting to think of compromise as vulnerability x leads to exploit y, but this is almost never the case. In fact, it's quite common to exploit normal functionality on systems in order to gain access. This has the added advantage that it appears as normal traffic and not a signature of a specific exploit. Items such as LLMNR, NetBIOS over TCP, and null enumeration can all combine to provide accounts for an attacker, all without even having to connect to the target machine first. Worse yet, user-based security gaps (such as password re-use)can provide headaches for containing a compromise.
Loose Data
An IT team's greatest nightmare can be the users themselves and the data they're tasked to manage. No matter how many policies they put into place, users will still be users - and that means leaving useful data (to a pentester) lying about. Whereas that Visio diagram of the network may be something you see every day, it's a wonderful find for an attacker. Router configs, user data in spreadsheets, even leftover scan data - all of these can be used as information for further compromise.
The Upshot
If you learn to think like an attacker, you can gain insight into how you configure your network, apply your policies, and better understand who/what you are protecting against. The idea that you cannot be 100% secure should not discourage you; rather, it should encourage you to find a happy medium wherein you can be "compromise resistant" enough to properly detect and respond to incidents before they become harmful.
Barry O’Connell is General Manager of EMEA at Trustwave with over 20 years leading digital transformation and cybersecurity organizations. Follow Barry on LinkedIn.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.