Lately I’ve been shifting from offensive red team type of activities towards management and then towards blue team type of activities. During these transitions I’ve been asking myself more and more: is infosec making a difference? I have to admit I’ve got no clue what the answer to that question is, not even remotely. So I’ve decided to put my thoughts and ramblings into a blog post. Any particular reason? I’ve read multiple times that writing out thoughts helps to organise them, and I just needed to order my thoughts; maybe in doing so it will help me answer the question for my own specific context. If you continue reading you might experience a decent amount of emotions telling you ‘the guy that wrote this blog is WRONG!’, and that’s ok. Feel free to correct me in the comments, it will aid me in finding new perspectives. I’ll try to stick to technical content next time ;)
It seems that after many years of pentesting stuff I got bored with it. Seems weird, since it has been one of my dreams, but the repetitive task of achieving the same result with 80% of the same techniques just didn’t feel right. This however could just be a fluke of the type of assignments I had to execute, who knows. Still, across the board and when talking with other people it seems that the following symptoms were also encountered by them:
- Security measures not implemented on all assets
  - Mostly because the company lacked a full asset inventory
- Security measures did not cover the intended risk they should mitigate
  - Mostly because the security measure was not well understood
The above in turn usually led to the same ‘tricks’ being useful over and over again, things like:
- Guessable passwords
- Incorrect privileges
- Known vulnerabilities
  - Think: previously reported by others as well
- Reusable passwords
- Unpatched systems
What was even more curious is that pentesting should uncover unknown risks and verify the impact, yet most of the time you could predict 40% of the report and obtain the other 60% if you’d just ask the people working at the company, like the sys- and network admins. After many projects I couldn’t shake the feeling that it didn’t really seem to matter if another shiny report was delivered with all the things the company would have to improve over the next 6–12 month period.
STOP! You doom and gloom person, many projects also resulted in fixes during the project and a proactive approach to mitigating the identified vulnerabilities, said the positive voice in my head. That is totally true, but was a pentest really the most cost-effective way to find those issues?
You might expect me to continue rambling about red teams now, but that’s such an (ab)used hype currently, that it would only confuse me further to throw that into the mix now. Let’s just say that I’m slightly more positive on that end.
So then, don’t ask me how, I transitioned into more management stuff. Suddenly, I was at the other end of the table. This was a weird experience, all that risk stuff we always talk about as infosec suddenly seemed, well less risky?
Don’t get me wrong, I still believe that there is risk when not implementing proper security, I just don’t believe that the current infosec approach is the most cost-effective or best way to solve the ongoing cycle of: expose something to the internet, get breached, do stuff, rinse & repeat, that we are all participating in.
Oftentimes people talk about reputation damage and loss of business when a hacking incident happens. Where are the numbers? How many companies have gone out of business after an incident? How much revenue did they lose in the next 3-5 years? What is the actual impact of being hacked as a company? Luckily when dealing with ransomware some of these questions can be answered, and it seems to have had an impact on how willing companies are to address those issues. But what about other types of incidents, like espionage, defacing, bitcoin miners etc., can we measure the impact of those?
Which made me realize we don’t really seem to keep track as an industry. Is this due to our age (relatively young industry) or just because we are afraid of what the numbers might say? I am familiar with some of the loss ‘estimates’ that are usually mentioned in the same sentence that also mentions ‘cybercrime’; I am probably too stupid to really understand those. I seem to have missed a good breakdown of how those numbers come into existence. My thoughts seem to mostly get stuck at the part where I read reports with numbers in them, but can’t find the ‘how were these numbers calculated’, ‘can we reproduce this’, what’s the breakdown?
On the ‘this is now less risky’ paradox that I experienced, something like business email compromise (BEC) is one of those risks that has some good numbers reported in multiple reports. Yet, is the impact of a BEC attack worse than a bad business deal whereby the same amount is lost? If companies lose so much money with BEC, what’s holding them back from committing to the cost of buying and implementing MFA as a first barrier?
One of the items that I remember most about the management part is that somehow there is always an excuse to not do something, and oftentimes it seemed to me like a self-imposed problem. Examples:
- The customer doesn’t want downtime
- We don’t know if it will work after the fix
- Let’s mitigate, the sprint doesn’t have room for it
- The business won’t accept this, let’s rephrase
In my honest opinion all of the above contain implicit assumptions and not even the slightest attempt at figuring out what the benefit or cost of the action could be. I’m of course writing down the more extreme examples, which in turn is triggering my mind to counter that. Still, it was a weird experience to see how we create problems for ourselves, claim there is no time and just keep pushing the problem forward.
Which made me really wonder, how come other areas are able to communicate risk, impact and actions to undertake? Communicating financial risk, communicating the risk of having all employees on the same plane, etc. Are we as an infosec community really this bad at communicating what must be done, why it must be done, the cost of it and the risk that is mitigated by implementing the correct security measures? A little devil in my head firmly answered: yes! Still, this could just be the bubble I’ve experienced.
So what about the blue team side? Well, it’s a whole new rollercoaster, so that’s fun! I was amazed that not a lot of blue team stuff would be able to operate at the speed of attackers, either due to technological shortcomings or organizational fears of isolating the wrong account/person/machine. Also pretty amazed at the fact that blue teams have to navigate a pretty big pool of chaos, since so many software solutions exhibit ‘suspicious behaviour’. Even though it is doable to implement an allow-list company-wide for software execution, it takes an unreal amount of time & effort. Somehow everything seems so overcomplicated? Like if you compare it to attacking systems, the ways of working couldn’t be further apart. On the one side you can download and launch an attack, on the other side you can download and… configure for multiple hours… to defend a system. Also pretty please, the answer is NOT to restrict the ability to attack or to stop the spread of knowledge on how attacks work.
One thing that seems to be a constant imho: we are pretty bad at research, discovering, scaling it up and making it user friendly. Then again, it’s probably just the bubbles I’ve experienced, ’cause I have to admit that some of the stuff that Microsoft has been releasing is pretty sexy. It’s not the final answer but it definitely is moving in the right direction.
What still feels like a void is the part where as an infosec practitioner you see a project end. With products you see this happening: Windows, Chrome, Firefox implementing security improvements, raising the bar. You also see it happening with companies that provide their administrators with the right amount of support; they implement and improve their security. But most of my infosec experiences have been on the advisory part or the we’ll-watch-your-stuff-to-detect-attackers part. Am I defining infosec too narrowly? Am I too used to just witnessing the part of infosec that mostly advises and watches?
The writing of this blog was an interesting experience as well; even though the text is pretty chaotic, the act of writing out my thoughts is pretty useful to figure out what about infosec still provides hope that we can move in a better direction than what we’ve been doing so far. Just not sure if experimenting with a public blog is the best way to go ;)