For the first 5 Minute Conference Talk (5MCT) series, Tim MalcomVetter — Director of Red Team Operations — shares ideas on how an internal red team can best provide value, how that value can be measured, and characteristics of common security postures found at companies. While originally presented in the context of an internal red team, the ideas are equally useful for how a penetration tester interacts with their clients.

A paradox of the pen testing industry is that the consultants hired to break into an organization are defenders first. To do the work well, a consultant has to understand the defenses the client already has in place; that understanding is what makes it possible to bypass a security boundary and demonstrate a risk that was previously unknown. The client's security posture should then improve over time as findings are remediated, lessons are learned, and internal processes mature. If the overall security of the organization does not improve, the engagement has produced no return on investment, and that is a sign of unhealthy competition.

Other signs of unhealthy competition include alienating the client, a client that never asks for advice, the same issues recurring year over year, and poorly described recommendations. The defenders who commissioned the pen test are the pen tester's customer, and customers should not be talked down to or otherwise alienated.

Healthy competition starts with executive buy-in for an assessment in which both sides want to see improvement. When the test is complete, the consultant should acknowledge what the defenders' program does well while lobbying for the additional tooling that would let the defenders detect the consultants more quickly next time.

Some metrics for measuring, year over year, whether the assessments are paying off:

  • Track which Tactics, Techniques, and Procedures (TTPs) are used over time. Once a TTP has been used against the organization, logging and alerting should be configured to detect it wherever prevention is not possible.
  • Security consultants should leave intentional Indicators of Compromise (IOCs) to test the organization's assumptions about its security controls.
  • Use the FAIR model (Factor Analysis of Information Risk), an international standard quantitative model for cyber security and operational risk. Is the amount spent on security operations less than the estimated cost of a breach?
  • Measure the number of projects created as a result of security findings.
  • Defender metrics: mean time to containment, mean time to eradication, mean time to vulnerability remediation.
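The TTP-tracking and defender-metric bullets above lend themselves to a small year-over-year scorecard. The following Python is an added example, not code from the talk or the original post: the engagement records, the ATT&CK-style technique labels and the timestamps are constructed for illustration, and the convention that each mean time is measured from the moment the red team executed the TTP is an assumption of this example rather than something the talk specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Outcomes ordered from weakest to strongest, so comparisons are numeric.
RANK = {"missed": 0, "detected": 1, "prevented": 2}


@dataclass(frozen=True)
class TtpRun:
    """One execution of a red-team TTP and the defender's response to it.

    A timestamp is None when that event never happened (nobody detected,
    contained or eradicated the activity).
    """
    year: int
    ttp: str
    executed_at: datetime
    prevented: bool = False
    detected_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None
    eradicated_at: Optional[datetime] = None

    @property
    def status(self) -> str:
        if self.prevented:
            return "prevented"
        return "detected" if self.detected_at is not None else "missed"


def coverage_by_year(runs: List[TtpRun]) -> Dict[int, Dict[str, str]]:
    """year -> {ttp: status}; if a TTP ran twice in one year, keep the weakest outcome."""
    table: Dict[int, Dict[str, str]] = {}
    for r in runs:
        year = table.setdefault(r.year, {})
        if r.ttp not in year or RANK[r.status] < RANK[year[r.ttp]]:
            year[r.ttp] = r.status
    return table


def year_over_year(runs: List[TtpRun], prev: int, cur: int) -> Dict[str, List[str]]:
    """Compare two engagements TTP by TTP.

    'still_missed' is the list the talk warns about: a TTP used last year for
    which nobody added logging or alerting. 'regressed' means a control that
    used to catch something no longer does.
    """
    cov = coverage_by_year(runs)
    before, after = cov.get(prev, {}), cov.get(cur, {})
    report: Dict[str, List[str]] = {"improved": [], "regressed": [], "still_missed": [], "new": []}
    for ttp in sorted(after):
        if ttp not in before:
            report["new"].append(ttp)
        elif RANK[after[ttp]] > RANK[before[ttp]]:
            report["improved"].append(ttp)
        elif RANK[after[ttp]] < RANK[before[ttp]]:
            report["regressed"].append(ttp)
        elif after[ttp] == "missed":
            report["still_missed"].append(ttp)
    return report


def _hours(start: datetime, end: Optional[datetime]) -> Optional[float]:
    return None if end is None else (end - start).total_seconds() / 3600


def defender_metrics(runs: List[TtpRun], year: int) -> Dict[str, object]:
    """Mean hours from TTP execution to detection, containment and eradication.

    Only detected runs enter the means: a prevented run has nothing to contain
    and a missed run has no timestamps. Missed runs are reported as a count so
    one quick catch next to several misses cannot make the year look good.
    """
    detected = [r for r in runs if r.year == year and r.status == "detected"]

    def avg(attr: str) -> Optional[float]:
        vals = [h for h in (_hours(r.executed_at, getattr(r, attr)) for r in detected) if h is not None]
        return round(mean(vals), 1) if vals else None

    return {
        "mttd_hours": avg("detected_at"),
        "mttc_hours": avg("contained_at"),
        "mtte_hours": avg("eradicated_at"),
        "detected": len(detected),
        "missed": sum(1 for r in runs if r.year == year and r.status == "missed"),
    }


# Constructed sample data: two annual engagements against the same organization.
SPRAY = "T1110.003 password spraying"
C2 = "T1071.001 C2 over HTTPS to uncategorized domain"
DUMP = "T1003 credential dumping"
PHISH = "T1566 phishing"
T17, T18 = datetime(2017, 9, 4, 9, 0), datetime(2018, 9, 3, 9, 0)
H = timedelta(hours=1)
SAMPLE_RUNS = [
    TtpRun(2017, SPRAY, T17),                                   # missed
    TtpRun(2017, C2, T17 + 2 * H),                              # missed
    TtpRun(2017, DUMP, T17 + 5 * H, detected_at=T17 + 53 * H,   # caught after two days
           contained_at=T17 + 77 * H, eradicated_at=T17 + 125 * H),
    TtpRun(2018, SPRAY, T18, detected_at=T18 + 4 * H,           # alerting was added
           contained_at=T18 + 6 * H, eradicated_at=T18 + 10 * H),
    TtpRun(2018, C2, T18 + 2 * H),                              # still sails through
    TtpRun(2018, DUMP, T18 + 5 * H, prevented=True),            # now blocked outright
    TtpRun(2018, PHISH, T18 + H, detected_at=T18 + 3 * H,       # new TTP, contained, never eradicated
           contained_at=T18 + 7 * H),
]

if __name__ == "__main__":
    print(year_over_year(SAMPLE_RUNS, 2017, 2018))
    for y in (2017, 2018):
        print(y, defender_metrics(SAMPLE_RUNS, y))
```

The output that matters for the conversation with the client is the `still_missed` list: a technique the red team used a year ago and nobody built a detection for is precisely the recurring issue that signals the engagement is not returning value.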

Poor Security Posture

  • Organizational pocketing of assessment results
  • Default credentials
  • No multi-factor authentication
  • No logs
  • No egress traffic restrictions
  • Passwords everywhere
  • Mean time to compromise: minutes

Organic Security Posture

  • Users have month+year or season+year as their password
  • Incomplete or incorrectly deployed multi-factor authentication
  • Anti-virus is on, but no one pays attention
  • Command and control sails through to uncategorized domains
  • No network segmentation
  • Partial detection, but improper incident response
  • Mean time to compromise: 72 hours

Good Security Posture

  • Most external authentication has multi-factor authentication
  • Security Operations Center exists with proper training, incentives, and most logs
  • An incident response team exists with an Incident Response Playbook
  • Defaults on commodity tools are blocked
  • Egress filters present significant friction for command and control
  • Newly registered and uncategorized domains are blocked

Great Security Posture

  • All external authentication requires multi-factor
  • Security Operations Center is world class and process driven
  • Incident handlers are patient and do not take rash containment steps
  • Nothing default or textbook works for an adversary
  • Impossible-traveler logins and connections from cloud provider IP address ranges are blocked
  • Egress friction is a massive challenge for threat actors
  • Deception controls exist and match the environment

Recurring pen tests and purple team assessments that validate security assumptions are what move the meter forward. Execute the fundamentals flawlessly, balance risks appropriately, and let the consultants keep pushing the client toward improvement: iron sharpens iron. You win or you learn.


Reference Index
Estimated date of talk: September, 2018
Slides: SlideShare
Speaker: Tim MalcomVetter, Director of Red Team Operations