No Offense to the Red Team: Time for the Blue Team to Win!


Part 1 discussed how defenders have to work very hard, yet seem to receive little glory compared to the offensive side. Despite heavy task loads and a lot of drudge work to contend with, defenders are measured by a different yardstick, one which probably makes real and sustainable goal attainment increasingly difficult. If Red Team testing is just a confirmation of the numerous security gaps defenders must try to plug, are such expectations realistic, or fair? Plus, does it not seem illogical that the more easily obtainable goal of offence, with the odds greatly in an attacker’s favour, is perceived as sexier than defense, and that the offense receives all the attention?

Morgan Stanley’s research division released a paper, “Cybersecurity: Time for a Paradigm Shift”, which informs us that:

“Unfortunately, more security doesn’t necessarily mean better security. In fact, the current strategy of most organizations—layering on many different technologies—is not only proving ineffective, it is overly complex and expensive. ‘The status quo is not sustainable,’ says Keith Weiss, head of U.S. software coverage for Morgan Stanley. Even as companies spend more on security, losses related to cybercrime have nearly doubled in the last five years.”

“What’s needed, say security experts, is a new paradigm.”


The question is, what would the nature of such a paradigm shift be? How would it shift the advantage to defenders?

Nate Fick, from the last post, also said the following here:

“We need to make a change. Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to “turn the map around” and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cyber security.”

Whoa! Okay, I do agree with the need for change. But is threat hunting a paradigm shift that will cover all the bases and scale? So say we set up the “Shoot-out at the Cyber Corral” in your network. This may give defenders a bit of a chance to play digital cowboy and maybe even the playing field somewhat, but is it possible to verify statements about how successful this threat hunting detection will be? What if we end up at only 50-50? (That might be an improvement.) Some fun factor added to Blue Teams and defense might start to seem a bit sexier, unless a very serious attack is missed, right? Who’s going to remember last week’s sexy when this week’s fail is all over the headlines? Might as well kiss that defender sexiness good-bye.

No, I don’t believe threat hunting is the correct new frontier, even if it might help somewhat right now. I have something else in mind for defenders.

Recall again the Marcus Ranum quote from the last post:

“Wouldn’t it be more sensible to learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?”

What if our networks, devices, and gateways were built with systems that are more inherently secure, with some capability to self-protect their own security and integrity, instead of “imperfect prevention techniques”? Isn’t this the goal of the NIST SP 800-160 initiative, providing a framework for Systems Security Engineering leading to “Trustworthy Computing”? See my post here for a summary and links.

Trustworthy computing has been applied to computing systems that are inherently secure, available, and reliable. From Wikipedia:

“The National Security Agency (NSA) defines a trusted system or component as one “whose failure can break the security policy”, and a trustworthy system or component as one ‘that will not fail’.”

The Morgan Stanley paper says what’s needed is not more security, but better security. I see threat hunting as more security. It might detect more (but not necessarily all) adversaries already in your network, in time to limit some serious damage, but it doesn’t do anything to change the actual security of the systems that are being defended. Are any noted improvements from threat hunting quantifiable, consistent, and verifiable?

What about actually fixing systems so they attain a level of inherent security? Even if adversaries manage to sneak into your network, they would be unable to execute a successful attack. Wouldn’t this kind of paradigm shift qualify? Plus, how effective will threat hunting be when it comes to embedded devices such as pacemakers, insulin pumps or the security of automobiles? In those cases, some inherent security to resist unauthorized tampering is required, is it not?

The reverse case: when the offense can’t breach

Imagine if you are a defender, and your world now looks like the following:

  • You have moved away from the world of vulnerability-centric security. You spend far less time on “vulnerability-management” and repetitive, time-consuming activities such as scanning and patching.
  • You’ve shifted from “School of Network Speed Bump Controls” and adopted trusted computing, kernel level enforcement and labelled security.
  • Your environment is default-deny. You can whitelist user end-behaviours and enforce need-to-know, least privilege, and need-to-access systems with the authorization rules for user behaviours delivered by reference monitors.
  • Your networks and privileges are designed so attempts at unauthorized actions flag attention in real-time. You have network visibility and context-awareness for every user on your network.
  • You now benefit from automation, a lot of it, and AI.
  • You are no longer constantly putting out fires, no more clean-ups on aisle 7, and no more trench warfare.
  • You can make statements about your state of security that are mathematically verifiable, and consistent.
  • You have moved from the risk model to the trust model. You know how much you can trust your systems and data. You are able to control … what you need to control. Your systems can’t be tampered with in an unauthorized way.
  • You know … that a pen team or RT can not succeed.
  • Hacking challenges are used mostly to confirm that you have set up your security protections properly.
  • You operate from the vantage point of “Defender Advantage”!
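The third and fourth bullets (default-deny, whitelisted user behaviours, need-to-know and least privilege enforced by a reference monitor, and unauthorized attempts flagged in real time) describe a concrete mechanism, so here is an added worked example of one. It is illustration code written for this post, not Trustifier’s or KSE’s, and it makes its own assumptions: labels follow the classic Bell-LaPadula rules (a subject may read an object only if its clearance dominates the object’s label, and may write only if the object’s label dominates its clearance), need-to-know is modelled as category sets, and every user, path and clearance below is constructed for the demo.

```python
"""Minimal default-deny reference monitor with labelled security.

Added illustration, not Trustifier/KSE code. Every access request passes
through ReferenceMonitor.check(); nothing is allowed unless it is both
explicitly whitelisted AND permitted by the label lattice. Every denial is
recorded so that unauthorized attempts can be flagged as they happen.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Hierarchical sensitivity levels; a higher number is more sensitive.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus need-to-know categories (compartments)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level and A holds every
        # category B requires. This is the partial order of the label lattice.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class ReferenceMonitor:
    """Default-deny policy decision point: all access is mediated here."""
    labels: Dict[str, Label] = field(default_factory=dict)       # object path -> label
    clearances: Dict[str, Label] = field(default_factory=dict)   # user -> clearance
    whitelist: Set[Tuple[str, str, str]] = field(default_factory=set)  # (user, action, path prefix)
    audit: List[str] = field(default_factory=list)

    def permit(self, user: str, action: str, path_prefix: str) -> None:
        """Whitelist one user behaviour (least privilege: nothing else is implied)."""
        self.whitelist.add((user, action, path_prefix))

    def _whitelisted(self, user: str, action: str, path: str) -> bool:
        return any(u == user and a == action and path.startswith(p)
                   for (u, a, p) in self.whitelist)

    def check(self, user: str, action: str, path: str) -> bool:
        """Return True only if every rule passes; log the reason otherwise."""
        clearance = self.clearances.get(user)
        label = self.labels.get(path)
        reason = None
        if clearance is None or label is None:
            reason = "unlabelled subject or object"          # default deny
        elif not self._whitelisted(user, action, path):
            reason = "behaviour not whitelisted"              # default deny
        elif action == "read" and not clearance.dominates(label):
            reason = "no read up: clearance does not dominate object label"
        elif action == "write" and not label.dominates(clearance):
            reason = "no write down: object label does not dominate clearance"
        if reason:
            self.audit.append(f"DENY {user} {action} {path}: {reason}")
            return False
        self.audit.append(f"ALLOW {user} {action} {path}")
        return True

    def denials(self) -> List[str]:
        """The real-time feed a defender would alert on."""
        return [e for e in self.audit if e.startswith("DENY")]


def build_demo() -> ReferenceMonitor:
    """Constructed sample policy (hypothetical users, paths and labels)."""
    rm = ReferenceMonitor()
    rm.labels["/data/payroll/2016.csv"] = Label("confidential", frozenset({"hr"}))
    rm.labels["/data/public/readme.txt"] = Label("public")
    rm.labels["/data/target/crown-jewels.db"] = Label("secret", frozenset({"rd"}))
    rm.clearances["alice"] = Label("confidential", frozenset({"hr"}))
    # "root" holds an admin password, but an admin account is still just a
    # subject with a clearance; the label rules apply to it like anyone else.
    rm.clearances["root"] = Label("internal")
    rm.permit("alice", "read", "/data/payroll/")
    rm.permit("alice", "read", "/data/public/")
    rm.permit("root", "read", "/data/")
    rm.permit("root", "write", "/data/")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    rm.check("alice", "read", "/data/payroll/2016.csv")    # allowed
    rm.check("alice", "write", "/data/payroll/2016.csv")   # denied: not whitelisted
    rm.check("root", "read", "/data/target/crown-jewels.db")  # denied: no read up
    rm.check("root", "write", "/data/public/readme.txt")   # denied: no write down
    rm.check("bob", "read", "/data/public/readme.txt")     # denied: unknown subject
    print("\n".join(rm.audit))
```

The point to notice is the `root` case: having an admin password changes nothing about the label check, which is the property the post’s Red Team story relies on. The audit list is deliberately the only side effect, so the same `check()` that decides access also produces the real-time flag for unauthorized attempts.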

I’m fairly sure that the points listed above would make most defenders feel sexy. I can hear defender brains pinging like a pinball machine from all those dopamine hits right now! Any defenders out there who wouldn’t like this? Are you thinking, “If only….”

Also, you can stop imagining now. You’ve just read a summary of what is delivered by the Trustifier model.

Delivering the SEXY!

Experiencing some victories and goal attainment will deliver to defenders a taste of the dopamine. But we’re talking about more than an occasional win. What defenders need to experience is the total confidence that they will win nearly all the time!

Confidence is sexy!

Confidence that your team has the knowledge and tools to succeed and win consistently is what allows one to “swagger” like a winner. Like an individual who is full of confidence and thinks of themselves as a winner. Those folk come off as sexy and attractive, all the time.

Currently the Red Team has all the confidence. The Blue Team defenders don’t. That’s what defenders need. It’s the knowing that you have achieved a state of “Defensive Advantage” and trustworthiness, with provable assurance of your systems. It’s the knowing that you will stymie and frustrate testers, attackers and adversaries alike. You have confidence because you know the status of your defences before you begin the challenge! You know you have the capability to make life extremely difficult for pen testers, Red Teams, and adversaries alike.

This is the Trustifier attitude whenever we face a Red Team challenge. Have you had the experience of telling a Red Team that they weren’t going to succeed this time? It’s more sexy than you can imagine. Here’s an example.

Some time ago, Trustifier KSE handed a highly skilled Red Team their first failure to breach in over 8,000 challenges. In the planning stages the Red Team was warned by Trustifier that on this occasion they were going to be disappointed. What was interesting about that event was that exploitable vulns were left purposely unpatched. The Red Team was informed beforehand that this would be the case, because how else could one demonstrate that systems with vulnerabilities could be protected?

There were also no conditions placed on the tools allowed. When the Red Team couldn’t breach from an external vantage point (a first for them), they were signed in first as a regular user, and finally given admin passwords. They still failed to reach their objective of reaching the target directories. You can read our commentary on the event here.

Let’s just say that after the event there was plenty of congratulations and back-slapping being offered to Trustifier’s CTO and team leader. To the spectators who were following along at this event, this defensive win was exciting, and sexy! Beforehand, I was personally worried that something might go wrong, but I was reassured the challengers would not succeed, and they didn’t.

Defense can be sexy… but how would you know?

Here’s the problem. You’re not anywhere close to this. You’re still struggling to prevent unauthorized access to the IT vulnerability surface on those vulnerable-by-default, discretionary access control systems that permeate enterprise networks, cloud, and mobile devices. You’re likely still dependent on langsec design-flawed, signature-based speed bump detection to try to slow attackers.

Real Defences – REAL prevention.

On the other hand, real defences result from applying security engineering and design: using trusted systems to tailor trustworthy zones, trusted enclaves, and trustworthy pathways, chains of trust or “Defender Chains”. These are defences that really reduce the attack surface, and doing so turns the advantage to defenders. It means there are fewer unknowns. I know there are many who will be quick to bring up the complexity and overhead barriers that existed in traditional implementations of trusted computing and high assurance (and rightly so). However, KSE is an innovative implementation of trustworthy computing. Feel free to enlighten yourself about how KSE and TUX AI simplify security here.

No offense to the offence!

Any change, especially one that shifts a paradigm, can alter experiences and outcomes. Remember, our goal is for defenders to get ALL the dopamine hits, and the attackers none! Ideally, we want to see that it’s the Red Teams that will be singing the blues in future, at least as far as digital data security goes. Remember that comprehensive testing will also include non-digital defences such as physical security.

Sure, the Red Team will be frustrated, perhaps claim that they just needed a bit more time, joke that you as a defender just had a lucky day, or that there was some kind of trickery afoot. But they would be wrong, of course, because they don’t understand. They have just come across technology that works in a way unlike any other they are accustomed to. Your defences no longer have the vulnerability-centric model as an Achilles’ heel, and they can now withstand misconfigurations, stupid user tricks, and the malicious insider threat.

Although your Red Team may start feeling blue, there will still be a role for pen testing and Red Teaming, but more to confirm that the defensive architectures and security settings have been set up properly, in order to enable and support business activities. In this world, the Red Team will be doing a real service when they actually find something that wasn’t done properly, and they will deserve a dopamine hit. This might be a collaborative, Purple Team role, and perhaps this is better.

Still don’t believe that defense can be sexy?

Currently, Trustifier technology is fending off a dozen defense contractor Red Teams and 3 DoD Red Teams in a challenge event. That’s 15 Red Teams, simultaneously. To make it interesting, our side has been deliberately clicking on bad links.

We’re into the third month now. According to the pundits, isn’t the Red Team always supposed to win? So far that hasn’t happened. Watch for the reveal around the end of this month! If you suspect that TUX AI has played a role in this, you might be right! In the meantime, you can learn more about the challenge here.

Related Reading

No More Cyber Maginot Lines: We Need to Hunt Down Hackers Before They Strike

Cybersecurity: Time for a Paradigm Shift

The Threat Hunter’s Guide to Securing the Enterprise