The world of cyber security is an ever-evolving battle between malicious actors and security professionals. Every time blue teams finally think they have the upper hand, the next MS17-010 comes knocking, leaving us rather chagrined. This battle cannot be fought by attempting to ‘cure’ the problem. More often than not the peddlers of such cures get hacked themselves, which demonstrates the point rather nicely.
No, instead we must learn from the mistakes of the past. Attempting to cure a problem you know nothing about rarely goes well, so first you must study your enemy. The best way to do that is detection. By far, detection is the most underrated form of protection at the disposal of blue teams. Take, for example, a recent engagement a colleague of mine was involved with. The aim was to assess a Security Operations Center’s response to increasing levels of malicious activity. From a ‘cure’ perspective, everything was tight. Automatic rate-limiting was in place, and there were more CAPTCHA and anti-CSRF controls than you could shake a stick at.
Of course, that didn’t stop our plucky pentester breaching and then shelling an application. The SOC were perplexed – how on earth could this have happened?! Well, turns out that the ‘cures’ liberally applied to every corner of their estate didn’t recognise the new signature of the exploit, and they weren’t actively trying to detect anything so it slipped right on by. After all, why bother – your firewall will stop it, right Mr Zuckerberg?
Joking aside, the evidence is out there and it’s not hard to come by either. It’s clear that attempting to cure a problem that evolves at such a ridiculously fast rate is naive at best, and farcical at worst. But all is not lost. As I said before, upping the stringency of detection can help to combat these issues before they are allowed to flourish. Our flummoxed SOC could have avoided a very serious security incident (not to mention an awkward debrief call with their CISO) had their attention been on detecting issues as opposed to curing them.
This raises a very important question: given all this seemingly irrefutable proof, why do people insist on trying to prevent these issues? Some argue it’s ego, some argue it’s cost – I prefer to take a less cynical outlook on life and attribute it to naivety. Following Occam’s Razor, it’s easy to see why this has become a stumbling block. Stopping an attack is the simplest theoretical solution, whereas attempting to go through the rigmarole of discovering something you don’t know exists is clearly the greater challenge. However, as with all rules there are exceptions, and the tricky landscape of cyber security is open to such exceptions.
Combating this perceived naivety is a massive challenge as well, because if there is one thing that people really dislike, it’s being called naive. Persuading a generation of people who equate firewall + AV with true security that in fact they need a multi-layered approach to security, one that combines the aforementioned elements with testing, detection mechanisms and lots of user training, is no easy feat. It is doable though – the average cost of a breach in 2021 was 2.8 million pounds. Time to swallow some pride, and start moving to a detection-based approach to defence.
Now, to be clear, I am not advocating for throwing all your antivirus licences in the bin tomorrow. Solutions such as these absolutely serve a purpose and are an important part of defence. Instead, I am simply asking you to reframe the pivotal question in your mind. Stop asking yourself if you can prevent the hackers, and start asking if you can see them.
Liam Follin, Consultant, Pentest People
Join our virtual event (Detection is Better Than Cure) on the afternoon of Friday 16th July to hear Liam discuss the following topic:
Detection is a vital part of a true defence-in-depth approach to security. Incorporating rigorous security testing throughout development lifecycles, and ongoing testing post-deployment is vital to ensure that security is upheld. We will put forward the case that true ‘cures’ don’t exist, and getting solid detection (both live and point-in-time) mechanisms in place is the number 1 way to reduce the likelihood of breaches.
• Real-world #cybersecurity issues that technology can help you to avoid altogether
• An overview of the Sophos Managed Threat Response (MTR) Service, encompassing what the service includes, why it was created and how customers are benefitting from it.