The following is an edited transcript of one of the topics in our discussion. For the entire conversation, play the podcast.
Howard: I want to touch on a report issued last month. It was published by the U.S. Cybersecurity and Infrastructure Security Agency on a red team assessment of an unnamed critical infrastructure organization. A red team is a penetration test team, for those who don’t know. A blue team is the defenders. The agency produced a detailed report showing all the steps the red team took to get around this organization’s defences. So, for IT and security teams, it provides many valuable lessons, and I think it’s worth reading.
Terry Cutler: This report highlights the importance of identifying and addressing vulnerabilities promptly — and that’s the keyword: timely — as well as the effectiveness of the incident response and recovery teams. We have to test all the time. Let’s say an outsourcing provider is monitoring a company. The company is always on their toes.
When they engage teams to do penetration tests unannounced and start attacking the IT system, they expect a phone call from the managed provider. But often, it doesn’t come because they’re not watching the environment properly. Many companies invest in traditional technology, such as a firewall, an antivirus, and encryption, and think they’re safe.
But they don’t have proper detection technology to know that a hacker bypassed defences, got into the environment, and has been lingering there for six to 18 months before being detected. In the worst case, they don’t have a proper response plan to get the attacker out. So, by performing these types of exercises, we [pen testers] can light up the dashboard to see what’s working and what’s not.
Another type of test that would complement or replace a penetration test could be an adversarial test. It’s where we would come in with specialized software that could mimic a ransomware attack, a vertical or lateral escalation in an environment, or even privilege escalation attacks.