To hell with your pentest

    In information security something is always happening: the field keeps developing, and new protective tools keep appearing which, according to their marketing, can do everything. No hacker will get through them into your information system and carry out his dark hacker deeds. When you read about modern SIEM and anti-APT solutions, you feel a certain pride at how simple everything has become in information security: buy hardware and software for a few million, hire a couple of employees to watch over this "zoo", and you are all set. That, at least, is how most company heads, security administrators and the sales managers of those very solutions think about it.

    And in principle the fairy tale is almost real. Machine learning, cloud integration, signature feeds constantly replenished from fresh incidents: all of this helps a great deal in building protection. But, having paid a lot of money for it, companies forget that such solutions have to be tuned for a specific information system, that default settings will not save you during an attack, and that an information system does not operate in a vacuum.
    Other companies choose cheaper options: they order a security assessment once in a lifetime and believe that from now on everything is in order. And they are very indignant when something happens! After all, everything was done to protect the company. What went wrong?

    The purpose of this article is to reflect on company security, and also to work out whether services such as penetration testing are needed at all and why information security is expensive.

    A few situations from life



    So, let's begin. The first situation is quite ordinary and familiar to many. Frightened by Russian hackers (and hackers of other nationalities), the director of a company decides to pay a round sum and deploy an anti-APT solution in the information system. An idea worthy of respect. The money is paid, the solution is deployed, and a few "boys" are assigned to respond to incidents. According to the vendor, everything is set up so that it works, as they say, out of the box. Everything is perfect. The director is almost in nirvana, but then something terrible happens. The purchased solution starts reporting attacks constantly. Constantly. Almost 24/7. The "boys", who have to respond to every call and alarm from the anti-APT solution, say that nothing critical is happening, but the flood of attack notifications continues. Users cannot work normally and bury tech support in complaints. The director cannot reach the sites he needs or download an interesting film, and his favourite computer virus is thrashing in its death throes. Nobody understands what is going on, but everyone knows who (or rather what) is to blame. A decision is made: switch the new thing off and put it in a cupboard until better times. The world blossoms again, and the company returns to its calm and measured rhythm. The director exhales...

    The second situation is also trivial. Protective tools are purchased and even seem to work more or less stably, without causing complaints. Then notifications about incidents begin to arrive. The "boys" who monitor the SOS signals try to react, but either they are not fast enough or they do not react at all. The protection turns out to be useless, like a fire alarm that is not wired to anything.


    Situation three, even more recognisable. The director decides that the company can get by with modest protective tools, "no frills", and that to check whether everything works it should order a penetration test. In his view, a pentest is done once and guarantees the company protection from hacking "for the rest of your life". The penetration test is carried out, the report is written, the praises of the protective tools are sung, and the company gets hacked. The director is going grey...

    Familiar situations, aren't they? Let's work out why this happens.

    Why this happens


    Any anti-APT solution, SIEM, or any other more or less intelligent protective tool requires dedicated configuration for a specific information system. For each one. There is no miracle protection, no "big button" you press after which everything works straight away, without any further action.

    Everyone knows that any detection system produces false positives and false negatives. Here a false positive is when legitimate activity in the system is taken for an incident, and a false negative is when an incident is taken for legitimate activity. The two pull in opposite directions: tightening the rules to catch more attacks raises the number of false alarms, and loosening them to quiet the alarms lets real incidents through, so tuning means finding the right balance for a specific system, not eliminating one kind of error.

    How should a company's security be set up to reduce the number of false positives?
    The best option is to conduct a full-fledged black-box penetration test. Ideally, of course, a Red Team engagement. And the ideal of ideals: first a pentest to tune the protections, then a Red Team exercise to check whether the defences are now tuned sensitively enough and to train the Blue Team to respond quickly to signals from the protective tools. That way we also solve the problem of employees responding too slowly. True, this sequence adds up to a round sum, sometimes unaffordable for the company.

    Penetration testing? Seriously? Can those scanner reports really help us?

    The main problem with penetration testing is that for mainstream companies it has itself become mainstream. It is useless to order a pentest and receive a report of findings simply because it is "stylish, fashionable, youthful". But if the penetration test is done properly and lessons are drawn from it, it is a very useful thing.

    Lesson 1. Coordination within the incident response team and delegation of authority.

    In an incident, speed of response plays a huge role. Therefore the Blue Team must be well coordinated: everyone understands their area of responsibility and information is shared promptly. Such a level of interaction is, of course, hard to achieve, but a well-conducted penetration test, the deliberate creation of incidents that provoke a response from the protective tools, helps the team understand the sequence of actions and the specifics of responding in such situations. This does not mean that the team simply learns one pattern (for specific incidents) and freezes when an attack of a different kind occurs. What matters is understanding the principle of interaction, defining areas of responsibility (not in theory but "in real life") and going through it all live.

    Lesson 2. Prioritisation of company assets.

    Clearly, information comes in varying degrees of criticality, and assets must be prioritised accordingly. To distract attention, attackers often run simultaneous attacks on several company resources. A large number of incidents is generated, and the Blue Team must respond intelligently, understanding which attacks endanger critical information and which are "white noise". If the initial priorities are not set, or are set incorrectly, the company risks responding to the wrong incidents.


    Lesson 3. Checking the response of protective tools and their correct configuration.

    Conducting a penetration test helps the Blue Team understand how the defences respond to specific attacker actions. For example, if a user's password is being brute-forced and the account keeps locking out, it is important not only to lock the account for a while but also to notify the incident response team. If your protective tools do not react to the pentesters' actions, they need to be configured properly. But don't get carried away, or users will simply be unable to work normally.

    These are probably the three main lessons that can be drawn from penetration testing. The main point is that a pentest should be done not "for a piece of paper" but seriously and responsibly. The ideal option is a Red Team engagement (full emulation of the actions of an APT group). That is really long, honest work, with the maximum possible evasion of the protective tools. As always, you pay for quality, so this kind of service is very expensive.

    Instead of a conclusion


    And the moral of this fable is: use your resources wisely. Even the most expensive protective tools will not ensure your company's safety if there is no coordinated incident response team. You need real security, not paper security, so invest in an "honest" security check.

