For quite some time, I was under the impression that infosec was notoriously fickle. By that, I mean that both defensive and offensive capabilities are constantly evolving. It wasn’t until recently that I started noticing that my logic was a bit flawed and I began questioning the industry. Is infosec the rapidly evolving animal that we portray it as? Or is the argument of rapid change just a fallacy?
Before I continue, I must state that this is all entirely opinion driven and that I could 100% be wrong in every way. This is just how I’m starting to see some things. Of course, I'll have some images in here to break things up and try to bring some humor. Also, expect typos; I did this on a phone. I will fix them as I can.
Forgot about MS08-067
APT28, Edward Snowden, ShadowBrokers, WannaCry, Petya/NotPetya/Nyetya, Cryptolocker, Zeus, Stuxnet, Flame, etc… the list of “threat actors” and malware goes on. The interesting thing, however, is that all of these attacks leveraged exploitation vectors which bypassed most, if not all, of the security controls in place. This doesn’t necessarily mean that defensive measures failed. Rather, it shows that they are deficient or poorly implemented. In the case of Edward Snowden, we saw a classic insider attack (I’m not taking sides…that’s just what it was) that managed to fly under the radar of the NSA—impressive. In the case of Petya, we saw a classic lack of security for widely distributed software. In the case of WannaCry, an exploit for Windows SMB was leveraged. Sure, it was a supposedly NSA-leaked exploit, but it’s not the first SMB exploit. Did we forget about MS08-067??
We aren't changing
Okay, enough examples. What am I getting at? Well, it’s rather simple: we aren’t changing, the names are. Sure, some of this all falls within a small timeframe. The issue, however, is that we as an industry continuously pitch that everything is changing, the “threat landscape” is growing, and that we need “next-gen X or Y technologies.” Do we, though? I remember a time when limiting access to exposed services on your network was a high-priority thing; the 90s taught us that. We got smart and ensured that accessing services required authentication, later adding encryption and stronger passwords. We didn’t evolve, we learned. Learning is not an evolution, it’s a survival trait.
I’m aware that some vulnerabilities are new and so are the exploits. I’m not focusing specifically on a vulnerability/exploit level. This post is about questioning whether or not we are really changing.
We were wizards
System admins used to watch logs for system issues, including irregularities (security events), on an almost wizardly level, and on a per-system basis. Eventually, it came to a point where some organizations had thousands of endpoints and server systems, making per-system log review impossible. Suddenly we had to have a way to view all events in one place. After a few years of syslog servers and aggregators, we were introduced to SIEM. This product had the ability to correlate logs/events and build an alarm to notify an analyst of an issue. While SIEM greatly increased efficiency, analysts are still looking at logs. Sadly, many analyst positions are entry level or deemed as starting grounds for security people (an argument for a different time). Don’t misread that point: SIEM has certainly helped reduce the volume of most event types; however, it is merely reactive. After all, several large-scale businesses have been affected by spreading methods relying on SMBv1—not cool. So, we’re still looking at logs, fighting with vendors about issues or support, and failing to fully integrate SIEM in some cases. How is that “changing”? We’re only changing the technologies and names, yet the issues and breaches continue.
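As an added example (my own, not code from the original post) of the kind of correlation rule a SIEM builds an alarm from: a small Python rule over constructed, syslog-style firewall connection records that flags a host negotiating SMBv1 with several distinct peers inside a short window, the lateral-spread pattern the paragraph alludes to. The log format, the `smb_dialect` field and the thresholds are assumptions; only the dialect strings are real SMB protocol identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed firewall log format, not real traffic).
SAMPLE_LOGS = """\
2017-06-27T10:01:02Z fw01 conn: src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp smb_dialect=NT LM 0.12
2017-06-27T10:01:03Z fw01 conn: src=10.0.5.23 dst=10.0.5.41 dport=445 proto=tcp smb_dialect=NT LM 0.12
2017-06-27T10:01:03Z fw01 conn: src=10.0.5.23 dst=10.0.5.42 dport=445 proto=tcp smb_dialect=NT LM 0.12
2017-06-27T10:01:04Z fw01 conn: src=10.0.5.23 dst=10.0.5.43 dport=445 proto=tcp smb_dialect=NT LM 0.12
2017-06-27T10:01:05Z fw01 conn: src=10.0.5.23 dst=10.0.5.44 dport=445 proto=tcp smb_dialect=NT LM 0.12
2017-06-27T10:02:10Z fw01 conn: src=10.0.5.77 dst=10.0.9.5 dport=445 proto=tcp smb_dialect=SMB 3.1.1
2017-06-27T10:02:11Z fw01 conn: src=10.0.5.77 dst=10.0.9.6 dport=445 proto=tcp smb_dialect=SMB 3.1.1
2017-06-27T10:03:00Z fw01 conn: src=10.0.5.90 dst=10.0.9.5 dport=443 proto=tcp
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn: src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)(?: smb_dialect=(?P<dialect>.+))?$"
)
# Dialect strings that identify the legacy SMBv1 protocol family.
SMBV1_DIALECTS = {"NT LM 0.12", "PC NETWORK PROGRAM 1.0", "LANMAN1.0"}


def parse_event(line):
    """Parse one record; returns a dict, or None for lines the rule cannot read."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def smbv1_fanout_alarms(log_text, min_targets=3, window=timedelta(seconds=60)):
    """Correlation rule: one source negotiating SMBv1 on port 445 with at least
    min_targets distinct hosts inside a single time window raises one alarm."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["dport"] == "445" and ev["dialect"] in SMBV1_DIALECTS:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    alarms = []
    for src, hits in per_src.items():
        hits.sort()  # slide the window from each hit forward in time
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alarms.append({"src": src, "targets": len(targets), "first_seen": start})
                break  # one alarm per source, not one per event
    return alarms
```

The SMB 3.1.1 host with two peers and the HTTPS record are left alone; only the host fanning out over SMBv1 produces an alarm.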
Why? Why are we still falling victim to attacks that, in their very nature, are leveraging reinvented wheels, some dating back over 15 years? I can speculate; however, there isn’t really one single answer and I don’t want to rant. We’ve created standards, established governance committees, created certifications—for what? Sure, we’ve minimized the overall attack surface of some businesses and ensured they are following a set of universally accepted standards. Then, an organization following all those guidelines exposes data via poor coding practices on their web site. How did all of those hours securing their environment help?
They're Nihilists, Donny
I’m not intending to set the stage for a nihilistic view of the information security industry; however, sometimes it really feels that way. I remember hearing about how “we defenders have to be lucky all the time. Attackers only need to be lucky once.” How over-glorified is that? Luck?! There is no luck in finding that your organization can’t configure firewall rules or properly implement authentication to all services. If you’re hoping “defensive luck” will save you, then you’ve already failed.
Alright, enough seeming gloom. Enough complaining. Enough seeming like a total nihilist. Finally, enough unanswered questions. How do we start fixing some of the issues we have in security and actually changing? Let’s go back to the basics.
- Start evaluating what should and shouldn’t be on your network
- Perform gap assessments to see where you are lacking
- Regularly ensure secure coding practices to the best of your ability
- Have regular security assessments performed
- Implement monitoring
- Implement vulnerability management
- Remediate to the best of your ability
- Have SLAs that make sense and be flexible with them, in a good way, if you can.
- Know your networks
- Hire for passion (kudos if you do)
- Purchase technologies that make sense...not just another blinky box that will "save you from APT"
- ...and many many more things...
Lastly, start changing the way you do security. Don’t just learn to be secure. Remember, evolution takes time; don't be overwhelmed. Let’s be the force that drives to a secure today and tomorrow.
Hopefully not too painful of a read. While this was a bit of an opinion post, I'd really appreciate people helping to come up with how we can evolve security and make a difference...rather than just continuing on, reinventing the wheel, and just saying things are broken.
Again, I'm probably 100% wrong in all of this. :P