They say that the best defense is a good offense, as football fans or anyone that’s played a game of Risk might agree. But how does this idea look when you apply it to cyber security? F-Secure Principal Security Consultant Tom Van de Wiele joins this episode of Cyber Security Sauna to talk about offensive and defensive approaches to cyber security, and how defenders can use these strategies to protect their systems, operations and data. Listen or read on for the transcript. And don’t forget to subscribe, rate and review!
Janne: Tom, it seems like breaches and security incidents happen so regularly that they’re just a fact of life. So is the issue just that companies are completely incapable of protecting themselves?
Tom: Well, security incidents happen all the time, and most companies do not know what they’re looking for, not just because they lack tools and methods, but also they don’t really know what they should be protecting, and what it is that is worth protecting. So that means that if you don’t really know who you’re up against, you’re not gonna be successful in trying and detecting ways of people trying to get to the things that are the most important to your business.
Do you often find that the things companies are trying to protect might not be the things attackers are after?
We’ve seen it multiple times that companies try to defend themselves against the most outlandish scenarios, where actually what they should be doing is making a shortlist of the worst case scenarios and go from there. One does not have the resources or the budget, nor the people, to be able to protect everything. Not everything is as important, worth protecting. So that means figuring out what the worst case scenarios are, figuring out who you’re up against, as part of a threat model, is really the key to success here.
When we’re saying offensive security, what are we talking about?
We’re talking about testing companies on how their security is doing, and if the security measures that they have taken are actually protecting the things they’re supposed to protect. So we’re trying to see what investments companies have made when it comes to resources – people, training, tools, methods – and to see if they actually hold up in detecting, limiting, and to some extent, stopping attacks against some of the most important resources within companies.
So simulated attacks.
We simulate attacks, and we’re in the business of adversary simulation.
When you’re doing offensive security, what are some of the scenarios you use in trying to establish a company’s security position?
Some of the tests that we perform are to see if the company is able to detect our attempts at for example guessing passwords to a certain account linked to a certain resource, ticketing system, Active Directory. What we could try is to use our login and password that we have gotten from HR, just being any kind of employee, and trying that combination of login and password against every single computer in the network. These things should be visible to companies.
Other examples are can we access other networks from the network that we’re on? Which shouldn’t be the case. If we are both on the same network as two normal workstations representing two normal employees, our workstations should not be able to communicate. And we’ve seen that for a lot of companies, this is not what is going on because there is a lot of ransomware that’s able to spread from one computer to another. But also things like are preproduction and testing environments, that typically have less security, are those properly shielded off from the production environments? So then any kind of abuse or misuse cannot happen undetected.
Based on these scenarios, we can determine what the maturity is of the companies trying to defend against these kinds of attacks, and to see, one, did they actually see them, and two, what was their process in trying to respond to them? And based on those two phases, we perform what’s called a postmortem analysis to see where improvements could be made, and what extra process or technology needs to be introduced to be able to have adequate detection and response capabilities.
How good are companies at following up on that report and improving their security position?
Once they have the actual data in front of them, it is very hard to dispute. Either they saw a certain attack or they didn’t. Either someone followed the process or they didn’t. Once they have the evidence it is easier for companies to be able to respond to these and to make the investments that they need to make to improve the situation. But sometimes it can be a bit of a burden to convince companies that they might have security issues, and that these issues might go unnoticed. And without performing these kinds of offensive tests, it really is our word against the company’s word. So through doing, we try to, using these very simple scenarios, try to measure how much maturity these companies have, and where their maturity lies and where there is room for improvement.
What is your definition of defensive security?
Well, there’s some basic concepts that every defense strategy needs to have. And those of course are not new, but they are important. For example, limiting any kind of complexity when it comes to your networks, software, hardware, and the processes that you’re using. Making sure that you’re limiting attack surface. That means having requirements in place to know what you are using and for what purpose, and turning off what you’re not using. That also means making sure you train people in concepts that have to do with information security, not just cyber security, so they know how to act and how to behave in certain situations. And of course to be able to detect abuse or misuse on your networks, in your processes, hardware, software, is to ensure that you have meaningful logs when it comes to audit trails, so that any kind of incident or potential incident can be spotted as early as possible.
Threat hunting is starting to become a trendy word in cyber security. What exactly is threat hunting, and why is it important?
Threat hunting means that you have a recurring process that is aimed at testing individual processes of companies to see if they hold up against the most important attacks aimed at what you’re trying to protect. That means a constant cat and mouse game of performing attacks and seeing, on the defender’s side if they can be identified, if they can be slowed down, and if they can be stopped. So it’s really measuring the incident response processes of a company as a whole and to see how they measure up against the actual attacks being performed by companies like ourselves, who are trying to simulate the attacks to see how companies stack up, but also to introduce new creative ways of getting into companies, to make sure that companies are protected against the attacks of tomorrow.
Speaking of attacks of tomorrow, is the key here understanding who and what your attackers are, and what they’re after?
Exactly. The key here is threat modeling and knowing who will attack you and why. And it’s only by knowing who will attack you and how, that one can start making a defense strategy. So that means knowing the difference between a targeted attack and an opportunistic attack, and knowing that people will make mistakes. Most incidents happen because people make simple mistakes, because they’re human, and humans make mistakes. But a defense strategy should not be based on whether a person clicks on the wrong thing or doesn’t. Security works in layers, always has. Which means that you need to create an environment for yourself where multiple layers exist, where defense and detection mechanisms need to be placed, and where certain security measures might be the most effective.
So it’s not only knowing who your attackers are, but also who your attackers aren’t.
That’s correct. Because a lot of budget can be spent on attacks that might never happen. So one needs to look at the actual probability of a certain attack playing out. And again, the ones that are gonna happen the most are based on human error, are based on people forgetting laptops or phones in taxis or public transportation, or simply incidents that are not really incidents, because they might be some piece of malfunctioning technology, or might be false positives. Being able to distinguish between what is an incident and what isn’t in a timely fashion is the key difference between getting your entire company compromised and being able to stop an attack while it is happening.
Is there much of a difference in adversaries facing different industries? For example, do banks and consumer goods manufacturers attract different threats?
Absolutely. Companies and financial institutions are the ones who are gonna be hit the most. Because they’re sitting on things that can be monetized easily. And that is really what 99% of the adversaries are going for. Which is either being able to transfer money, credit cards or anything that can be easily monetized. On the other hand, what we also experience, and we’ve documented this in our incident response report that we released months ago, is that certain industries are receiving more targeted attacks when it comes to, for example, the construction of shipping containers to certain intellectual property that has to do with the medical sector, to construction, logistics, because these adversaries are more interested in either the disruption of these services, or to actually steal the intellectual property for their own gain.
What’s a typical way in for these attackers?
Well, it kind of depends on what they’re after. I mean, first and foremost attackers try to get a foothold into the network. They will try anything to get to that in an as cheap way as possible. So that means sending emails with malicious attachments containing malware, that means setting up phishing portals to be able to phish your credentials and with that log on back into your VPN gateway, or gain access to the network that way. Or if these are targeted attacks for example the theft of intellectual property, what we call industrial espionage, there we see actual physical attacks happen, where people are waiting outside the smoker’s entrance, or people just dropping by the office during the weekend while the cleaning crew is cleaning the offices, where they either steal a laptop or they try to get some kind of foothold in the network by placing a device on the network. We’ve seen these attacks happen, we’ve done incident response on them. So we have kind of an inside view as to how these attacks are constructed and how these criminals operate.
So it’s not just script kiddies. Sometimes it might be worthwhile for the attackers to actually show up at your place if the target is worth enough money.
Oh, absolutely. So if the target is high enough in value, attackers will actually mobilize themselves and actually go to the physical location to see what is they can exploit to be able to, again, get that foothold in the network, and to be able to gain access to the thing they want access to.
That also means that there’s a whole ecosystem in place where certain people are only tasked with finding vulnerable computers on the internet, but also once they’re inside to be able to find where the information is stored, and once they have found that, to try and exfiltrate that data towards a secure location so they can sift through it to be able to find the information that they’re after. And this is really coming back to the industrial espionage angle, where certain groups are interested in certain information that they can use for all kinds of benefits, be it economically, be it resale value, or any other reason.
So even a low-skilled script kiddie attacker might hit paydirt and be able to sell off their foothold in the dark markets.
Exactly. We set up a lot of honeypots, so we kind of see which countries or who, rather, is trying to hit our honeypots. Sometimes we even have conversations with these people just to be able to find out where they’re from and what they’re doing. And combined with all the other online testimony that is out there, there are certain groups that are only tasked with scanning for vulnerable computers, then you have a second group who take that list and try to exploit these computers and once they have gained access, they will sell it to a different group who is only interested in buying open and vulnerable computers for the purposes of denial of service, but also to use those computers to see if any of those computers are part of a network that has something on it that is valuable to, for example, a group of criminals or a state actor.
So are attackers always going to be a step ahead?
Attackers only have to find one way in. But when you turn that around, attackers have to have perfect attacks, because defenders only have to detect one thing to be able to spot an attack in progress. Unfortunately most companies lack the capabilities to be able to detect a coordinated attack head-on. Which means usually when we perform incident response services, the attacker is already well-established into the network, has several footholds, and then it becomes extremely hard and costly to be able to remove the attacker from the network.
So why is detection so hard? With all the data on breaches available, why are we finding it so hard to find attackers in our systems? There’s so many places you can find indicators of compromise, threat intelligence, stuff like that, does that information help or does it distract companies from other things they should be doing?
Companies have to handle a lot of information, and sometimes they get lost in the vast amount of information they are supposed to collect. Not just because of regulatory compliance, but also just household data for health check reasons. So first and foremost, companies should be able to distinguish what information or logs they need for incident response, how long they need them, and what they’re for. That’s part one. Part two is to be able to correlate this information into meaningful information that’s actionable. Because sitting on a lot of information is one thing. If it’s not actionable, then it’s basically worthless. So that’s number two. And number three, once certain triggers have been handled, where there are certain indicators of compromise as you already mentioned, then companies need to be able to know what to do and respond accordingly. And that means when it comes to resources, but it also means depending on the response time necessary versus the threat that is actually going on.
Is it more common for companies to fail in detecting stuff, or after they’ve detected stuff, in being able to react to it?
Some companies have just so much data they have to log that they’re actually drowning in the amount of data. Other companies have the data but don’t have the resources internally to be able to act upon the data because they don’t have enough manpower. And some companies have the manpower but sometimes production and outages get the priority, versus investigating any kind of potential incident, and that’s a pity.
So data collection is vital for detecting and responding to incidents. Is that something where companies typically fail? Do you have any war stories to share?
We come across a lot of different situations where companies think they have control but actually they don’t. We’ve been in situations where the customer comes back to us and then kind of jokingly says that he hopes the breach can be detected within the last 24 hours because that’s how many logs they have. We’ve been in situations where companies have had their entire logging infrastructure compromised, where the first thing the attacker did was to wipe all the logs at the centralized log repository, including the backups, which means now you have no logs. Or where certain logs are being created, but they turn out to be useless. Because either time zones haven’t been synced, certain elements in the actual logs are useless, or where the logs themselves cannot be correlated in any meaningful way, which means the company is losing time while the incident is going on, and that could be prevented.
A recent case we had is where there was a suspicion of someone hacking into a website. That web farm, collection of web applications and websites, was behind a load balancer and it turns out that all the logs, as part of all the web applications, only had the IP address of the load balancer in front of them, rendering all the logs useless.
Can you think of common examples of things organizations worry about, but that aren’t real problems?
There’s a few examples. Usually the zero-day discussion comes up because they’re still a lot of technology being sold to be able to stop zero-day attacks. And some might work and some might not. But your typical criminal is not going to leverage zero days, because one, they cost money; two, the target has to be important enough to be able to “burn” a zero day on. Because once you’ve launched your attack it can be detected, it can be logged and analyzed and now your secret, unpublished exploit for that vulnerability that no one knew about, is now exposed. So we’ve seen for example, in the case of Equifax, that you don’t really need zero days because companies still struggle with patching their software and there’s still a lot of companies trying to win the patch race.
There’s a lot of trading going on when it comes what services are being ran or are exposed on the internet and what version numbers that they’re running. So you have people exchanging text files with every single mail server on the internet and the version number of the software they’re running. Which means if tomorrow that new vulnerability comes out for which someone has written an exploit that doesn’t have to be a zero day, well they can just look up the information in their database and immediately attack those kinds of servers. So they don’t have to actually scan the entire internet to be able to exploit these kinds of services, because they’re already sitting on the information as part of their information gathering efforts.
So zero days are still something that companies try to protect themselves against, where they’re not actually protecting themselves against the most common scenarios, which as we already mentioned, is someone leaving a laptop on the bus, so you better have full disk encryption on that laptop with some kind of lockout mechanism to make sure that an opportunistic thief cannot just jump back into your network. It could be a forgotten phone somewhere, it could be a phished password. These are far more common as attack scenarios than zero days. But there are still a lot of companies that think zero days are important, depending on what kind of industry they’re in.
Perhaps the biggest misconception is that companies think that with software and security updates, that their security efforts should stop there. But unfortunately, there’s a lot of time between the publication of a certain vulnerability or exploit, and the actual patching. That doesn’t mean patching isn’t important. It’s certainly a security best practice to keep your software up to date as fast as you can. But attackers will try anything to get into a certain service or company. So that means that they will use known vulnerabilities, and not necessarily zero days, which a lot of companies are still trying to protect themselves against using all kinds of products. And there’s nothing bad about these products, but maybe that money can be spent somewhere else, in a way that the security of your company doesn’t have to depend on whether or not someone clicks on something malicious in an email, or someone launching a certain exploit against one of your exposed services.
Security should really be about layers, with certain detection mechanisms tied to those layers so that any form of compromise can be detected as early as possible, and so that you have the necessary slack space to be able to come up with some kind of containment strategy to ultimately stop the attack from spreading further into your network.
Layered security has always been an industry thing. Why do we still have to give this advice out to people?
Because it’s still a very hard thing to implement, and there’s different ways of skinning a cat, in that most networks will be fundamentally different from other networks. We have lots of best practices when it comes to perimeters, when it comes to demilitarized zones as we call them, DMZs, but unfortunately most companies are still compensating for the fact that they have flat networks which don’t necessarily have encryption or transport security on them. Which means once you are able to crack that outer shell, it becomes really easy for an attacker to move around in the network. And it shouldn’t be that easy for attackers to move around laterally in a network without being detected.
So are zero trust networks the key here? Are companies ready for that?
Well in an ideal situation, that would be the solution, or one of the solutions. But unfortunately, not all companies have Google’s mindset or money when it comes to that. And a lot of companies are still struggling with legacy IT assets, be it mainframes, be it older technology, or even applications that only run on older operating systems or else they lose their support contract. So companies are still struggling with IT decisions they made five, ten, fifteen years ago, and they’re trying to kind of tippy-toe around those kinds of assets to try at least do something when it comes to security. And unfortunately, a lot of bad decisions can be made there which allows an attacker to roam free in a network undetected.
So where does offensive security come into this?
Performing attacks just like criminals would is a really great way of measuring the security maturity of a company, and how well they are doing when it comes to detection and stopping potential attacks. Again, back to the whole flat network topic, it is extremely difficult to be able to track attacks in flat networks. And being able to perform these kinds of attacks helps companies not only raise awareness about these problems, but also making sure that they can find the necessary attention and thus budgets to be able to do something about them.
So I guess offensive security is just taking a look from the attacker’s point of view and making sure you have the same information they’re gonna have.
Exactly. It’s a way of benchmarking all your security controls as a whole, to make sure that you have all the protection mechanisms and detection mechanisms in place to be able to protect the things that really matter.
How resource-heavy is this? What if my company doesn’t have the manpower or the money to do stuff like that?
Well, there’s a lot of investment that needs to be made when it comes to having the actual IT infrastructure, having people that are trained in spotting and recognizing attacks while they’re going on, and also being able to perform certain duties when it comes to forensics and log analysis. Some companies choose to build their own teams, other companies outsource this towards partners that are specialized in this, to make sure that they have these requirements covered.
Are in-house teams going to be effective enough? Are they going to have enough opportunities for practice, as it were?
Well, those people spend a lot of their time in classrooms being taught the latest techniques by attackers like ourselves who actually develop these attacks and see what’s really happening at companies performing incident response. So they’ll have to study a lot to be able to make sure that they’re up to date on the latest attacks, and they should be able to have the necessary freedom and resources to be able to adapt detection and response strategies to the attacks of tomorrow. And that is a full-time job. That is why most companies choose to outsource this to a specialized partner, and they have to make a certain cutoff point where they know how to detect a certain incident, and once it’s confirmed it might be a potential incident, they’re able to outsource it to a company that specializes in this.
What are the advantages of having an in-house team versus outsourcing this stuff?
It all depends on the size of the company. If your company or organization is big enough to be able to have follow-the-sun 24/7 incident response capabilities and you have the necessary budgets to train people in the latest techniques and have the processes in place to be able to respond to attacks, then insourcing might be the right choice. But a lot of companies do not have that kind of international presence, nor do they want to spend the budget on having to train people, buying new technology and techniques, so they prefer to outsource to a partner that has 24/7 support and is able to assist these kinds of companies if a suspected breach happens.
How useful are all these threat intelligence services out there?
You know these traffic signs warning you against loose rocks falling down when you’re driving in a mountainous area? I kind of compare threat intelligence services with that kind of traffic sign, in that it tells you something might be coming your way, but it doesn’t really tell you what, how or how to react to it. So the thing you always have to keep in mind when you are buying threat intelligence services is that what does that threat intelligence service have to tell you that you would drop everything you’re doing right now and act upon it? So how useful is it when the threat intelligence service tells you there’s more Android-based malware on the rise? How does that translate into your threat model, how does that translate into changes in your defense and response strategy? So I’m not saying threat intelligence isn’t valuable, I’m just saying it needs to be placed where it needs to be, so it can actually play an important role as part of your defense strategy. And not all companies are able to be able to digest that information in a meaningful way.
Well, I hope this chat gave all our listeners some insight into offensive and defensive security. Thanks for being with us today, Tom.
Thanks for having me.
That was the show today, I hope you enjoyed it. Get in touch with us through Twitter @CyberSauna with your feedback and comments. Thanks for listening, and be sure to subscribe.