As the cliché goes, the only things guaranteed in life are death and taxes. But with the news of recent Google Fi, T-Mobile, Norton Life Lock, and Uber hacks, perhaps we should rephrase it to “death, taxes, and cybersecurity breaches.”
The growing number of these high-profile attacks combined with the countless attacks no one has heard about is why Pathfynder abides by the idea that it is not a matter of IF an adversary penetrates your cyber defenses, but WHEN.
Unfortunately, this simply comes down to two immutable realities: one, attackers have first mover advantage and two, humans are inherently imperfect.
To the first point, defenders do not set the time, tempo, or place of the inevitable attack – the hacker does. Worse still, your defensible areas are in constant flux because of new hires, staff turnover, installation of new systems, product updates, etc. The task of maintaining a tight external cyber defense is not an enviable one.
To the second point, people will always be your weakest link. It could be the use of weak or recycled passwords, an employee unwittingly clicking on a phishing email, or a contractor maliciously selling their creds to a criminal group. The result is the same – your exterior defenses will eventually fail in some way because of “human error”.
The Assumed Breach Model
For these reasons, Pathfynder often uses the “assumed breach model” when testing internal defenses. This isn’t to short-change the external kill chain stages – they should be tested as well. But if your priority is testing your internal defenses and your budget is limited, that money can be most effectively spent by acknowledging your exterior defenses WILL be breached over a long enough time horizon.
Just look at Uber last year. They have made substantial investments in cybersecurity. But all it took was one soft external entry point and then – wham! Front-page news.
With that in mind, we start our internal penetration tests by provisioning the least privileged, day-one active directory account available. From there, our operators test internal defenses with the goal of moving within the environment from user to user, crossing segmentation boundaries to access sensitive information, escalating privileges all the way to domain admin, and compromising your business’s crown jewels.
This isn’t a sprint to see how fast we can accomplish these objectives. It is a methodical, comprehensive look to identify as many attack paths as we can within a reasonable timeframe.
The goal of these assessments is clear: what paths did we take to compromise the engine of your business? What did the defensive team see or miss? And how can internal security be hardened? With that feedback, your defenders will be better equipped to shore up the internal holes that made the attack a success.
Your Internal Defenses Are Not as Secure as you Think
I am sorry to say this, but the data suggests it is true. While this is purely anecdotal, our operators achieve domain admin or comprise a company’s crown jewels in the vast majority of our internal engagements. Even scarier, we typically achieve our adversarial objectives within a few days of a simulated breach, with the record of complete compromise being less than one hour.
I am sure cyber thought leaders can weigh in on why this is possible. My bet is that internal penetration testing has taken a back seat to the seemingly more appealing idea of external testing, and more resources have flowed in the direction of breach prevention for a long time.
There are also a number of missed opportunities and foundational security gaps that contribute to weak defenses – buying security tools but then configuring them incorrectly, failing to ensure employees comply with minimum password complexity requirements, and not using multi-factor authentication, among other pervasive issues.
Regardless of the reason, the reality is that many companies have failed to make the necessary investments to level up their internal defenses for the breach that will inevitably come.
What to Do
If your company hasn’t tested its internal cyber defense, you should consider getting an internal penetration done as soon as you can roll it into your budget cycle.
I would even go a step further – conduct at least one large-scale internal pen test effort followed by a couple of smaller unit tests focused on specific steps in the cyber kill chain. The rationale here is that testing gets stale as your company changes with new staff, products, policies, and systems. Keeping pace with your ever-changing attack surface is difficult, but necessary.
Death, taxes, and cybersecurity breaches. Prepare for the worst. Hope for the best.
Comments