I recently partnered up with the CISO Executive Network to provide guidance for their executive members on how enterprise organizations can build a more proactive security model. As a hacker and founding team member of Randori, I am deeply passionate about shifting the narrative away from the “find and fix” mentality towards an offensive security mindset. Over the course of a series of discussions, it was enlightening to see how forward-leaning CISOs are adopting and evangelizing an offensive security mindset among their peers. While the CISO Executive Network is closed to members only, I wanted to share some key takeaways from our discussions so you can start the journey toward a more proactive security program.
Now is the Time to Move Security Operations from Reactive to Proactive
Moving to a proactive security posture has many requirements and moving pieces. Fundamentally, a proactive approach requires calculating and managing risk. To properly understand and calculate risk, you must know what is exposed and manage threats based on those exposures. Given the ever-changing threat landscape, the speed at which new systems are deployed, and the need to avoid burnout, you must automate the validation of your assumptions as much as possible.
Using these concepts, let’s expand on them a bit with the real-life example of the ever-present threat to “access control and identity management” to show how you, as a security professional, can transform your organization from reactive to proactive. This is only one example, but it is one I have used and exploited many times in my role as a hacker.
Step 1: Get an Attacker’s Perspective
Knowing what is exposed and how adversaries are thinking about those exposures is the first step in being able to proactively defend. It is impossible to prioritize the next defense to work on without knowing what exposures exist.
Good attack surface management tools should both reduce exposed surface and give insights into how adversaries are targeting exposures. This context is more than a CVE that needs to be patched, and should help defenders understand the security ramifications of all exposures.
As an adversary looking to compromise your users’ credentials, and thus their identities, one of my first steps is to find the places users log in. Login pages can be used to craft convincing spear phishing campaigns, confirm username schemes, brute force user passwords, or log in with compromised accounts.
While login pages are an interesting characteristic of deployed software, that is only a small part of the equation. Is that login page used to manage a VPN, or is the service limited to changing the background color on a marketing website? As an adversary, I know the VPN is being used to protect a critical security boundary.
Do you know all the login portals your organization has exposed? Do you know which portal is more interesting to an adversary?
Step 2: Risk-based Threat Management
With a list of login pages and knowledge of how critical each service is, you can prioritize and manage threats. Risk-based threat management helps you prioritize which systems to patch and which networks to segment, and predicts the potential attack paths that need to be defended against.
When managing risk, assume that compromise is inevitable. Plan for compromise so that initial access does not have to turn into a full breach. Always remember: when the adversary is on your network, you have the home-field advantage; make sure you use it. Every risk that is managed should make your network a little more hostile to the adversary.
For the VPN with a login page, you can verify that MFA is in use to combat phishing and brute force attempts. Ensure logging is enabled, that the right team has visibility into and is watching those logs, and, critically, that they have a plan in place for when something shows up in those logs.
Step 3: Automate and Validate Assumptions
Every plan is perfect until it gets implemented. The best way to know where a plan will fail is to put it to use. Having a plan that lets you validate assumptions has the added benefit of confirming that the system is still in the desired state. The problem then becomes the monotony of continuous discovery and testing. This is where automation comes in: computers will happily do repetitive tasks for as long as is needed.
Network security posture is changing constantly as organizations migrate to the cloud, adopt DevOps workflows, and support increasingly mobile or work-from-home staff. Automated processes and validation are the only way to keep ahead of an ever-changing threat landscape.
When was the last time you verified the list of login portals that are connected to the internet? Do you know when a new team stands up their own infrastructure and potentially requires a new VPN? Did they follow the new plan to make sure MFA is in use and that logging is enabled?
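Added example (not code from the original post or from Randori’s tooling) showing the validation loop from Steps 2 and 3 above: it compares a previously reviewed inventory of login portals against a fresh discovery snapshot, flags portals that are new or have lost MFA or logging, and orders the findings by how critical the protected service is. The hostnames, the service labels, and the criticality scale are constructed assumptions standing in for your own attack surface data.

```python
from dataclasses import dataclass

# Constructed baseline: the portals known the last time someone checked.
BASELINE = {
    "vpn.example.com": {"service": "vpn", "mfa": True, "logging": True},
    "www.example.com/admin": {"service": "cms", "mfa": False, "logging": True},
}

# Constructed fresh snapshot: a new team stood up its own VPN without MFA.
DISCOVERED = {
    "vpn.example.com": {"service": "vpn", "mfa": True, "logging": True},
    "www.example.com/admin": {"service": "cms", "mfa": False, "logging": True},
    "vpn-lab.example.com": {"service": "vpn", "mfa": False, "logging": False},
}

# Assumed scale: what the portal protects decides how interesting it is.
# A VPN guards a security boundary; a CMS login mostly guards a website.
CRITICALITY = {"vpn": 3, "sso": 3, "cms": 1}
UNKNOWN_SERVICE_CRITICALITY = 2  # unclassified portals get triaged, not ignored


@dataclass(order=True)
class Finding:
    priority: int  # negated criticality so the most critical sorts first
    portal: str
    issue: str


def validate(baseline, discovered):
    """Return findings sorted most-critical first."""
    findings = []
    for portal, attrs in discovered.items():
        crit = CRITICALITY.get(attrs["service"], UNKNOWN_SERVICE_CRITICALITY)
        if portal not in baseline:
            findings.append(Finding(-crit, portal, "new portal not in inventory"))
        if not attrs["mfa"]:
            findings.append(Finding(-crit, portal, "MFA not enforced"))
        if not attrs["logging"]:
            findings.append(Finding(-crit, portal, "logging disabled or unwatched"))
    # Portals that vanished still need the inventory updated, but are low risk.
    for portal in baseline.keys() - discovered.keys():
        findings.append(Finding(0, portal, "portal no longer exposed; update inventory"))
    return sorted(findings)


if __name__ == "__main__":
    for f in validate(BASELINE, DISCOVERED):
        print(f"[{-f.priority}] {f.portal}: {f.issue}")
```

Run on a schedule, the diff between snapshots is what tells you a new VPN appeared before an adversary finds it for you.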
CISOs know that having proactive security operations is the path to building an organization that is resilient in the face of compromise. The adversary will be nimble and will move quickly. Do not build your security program around reactive solutions. Investing in offensive security tools can help augment your short-staffed team and inject the attacker’s perspective into your security insights.
Luckily, the process doesn’t have to be wildly complicated. It all starts with knowing how and where you are exposed, and how adversaries target those exposures. With that knowledge, you can manage, minimize, and validate exposures to ensure the next big exploit that hits the news doesn’t ruin your team’s day.