In my previous post, I wrote about how denial can profoundly impact an organization’s ability to secure its IT infrastructure. We see article after article on how IT security is broken and needs to be fixed. Our Randori co-founder and CTO David “moose” Wolpoff recently wrote about how VPNs are an attacker’s prime target and that organizations typically have them out of mind. Denial. There are lots of technical and non-technical problems that contribute to the brokenness; I think a major reason is us — humans’ ability to deny. A big part of this problem is the inability to properly define and comprehend the word “target.”
We need a cultural change. Currently, “target” is a dirty word. But that is only because leadership is afraid of what it would mean if everything were a target. Yet everything IS a target, and protecting only part of your attack surface makes no sense. Denial. Picture protecting a house: if the front door is locked and the back door is unlocked, an adversary is going to use the back door.
Here at Randori, we get to talk to lots of security practitioners, both prospective Randori customers and current customers. We recently came across a twist on organizational denial that is worth sharing. Adversaries, both persistent and non-persistent, are out there on the internet, performing slow reconnaissance on your network. It is happening now. Randori Recon takes the attacker’s perspective of your network, treating each network, host, and IP address as something an attacker is interested in. That’s right, each asset is a target! The twist here is that we were told the security team could not use the term “target” internally when discussing their compute assets with the business. “Target” has a negative connotation and would not go over well. Denial. Everyone everywhere needs to understand that attackers are out there attempting to uncover the asset that will let them in.
Unfortunately, denial is not a viable security strategy. Or, as my friend and colleague Phatty put it recently, hope may be taking up too much room in your toolbox. In order to truly protect your systems, you need to know what to protect. And for that, you need to know what your attack surface actually looks like to an attacker. The Randori platform provides organizations with access to the authentic attacker’s perspective, because our platform was built by a team of real-life hackers. I’ve spent enough time with our CTO “moose” and our attack team to know that from the attacker’s perspective, everything is a target.
All this made me think of another example, from a non-technical friend of mine. You may recognize this in yourself or others. He thinks it’s OK to use the same password on all his accounts because, as he reasons, “Who would want to go after me?” Denial. To improve, we must think like the adversary. Randori takes the attacker’s approach to reconnaissance. We use low-and-slow TTPs to identify and prioritize your attack surface targets. This allows our platform to identify the juiciest targets that are ripe for compromise — the very same way an attacker will.
We have to understand our propensity to deny — in us and in our organizations. Of course your physical and cloud compute assets add value to your business. At the same time they are targets to attackers.
But that doesn’t need to scare you. In fact, once you know this, you can use it to your advantage. If you understand how an attacker views your attack surface, you can prioritize your remediation steps (such as patching or adjusting controls) to remove or reduce the attractiveness of the assets that are most important to you. This way, you will reduce the risk to the assets that matter most and avoid wasting time and money patching low-risk areas.