People like to group things into categories, like problems and solutions. But in the security world, automatically lumping certain technologies into the “solutions” category leads us astray — they can be problems too. The security industry relearned this last month, when Russia-linked ransomware group REvil compromised the Kaseya VSA, leading to widespread lockouts and ransom demands of up to $70 million.

Out of Sight ≠ Out of Mind

Let’s look at VPNs, one of my favorite targets, as an example. These made the news recently as well, when FireEye revealed several actively exploited vulnerabilities in Pulse Secure VPNs, and let’s not forget the Palo Alto bug…

Rarely have I heard an IT problem to which the right answer was “add another piece of equipment.” Rather, the best security posture is often a lean one that uses just a couple of tools to enforce each layer effectively.

More often than not, companies dump money into adding new layers of security without actually effecting new controls. Most of the time, when an IT team stands up a new system, they do so by copying over the configuration of an existing system that they know works.

The key is: the work isn’t done here. After you…


Security tools are kind of like credit cards. Not enough and you won’t function; too many and they all become useless.

Running a security program involves a great deal of trust. You have to trust your team to effectively carry out their roles; you have to trust that hackers do not know everything about your system; and you have to trust that your security vendors’ products are secure. But we know that you can’t trust anything, including third-party security vendors. There’s an entire marketing movement around it: “zero trust.”

One needs to look no further than the bevy of vulnerabilities…

The US’s largest fuel pipeline was hit with a ransomware attack that took it offline. It is expected to be out of operation for more than a week. The scale of such an attack has left many in the security community wondering what went wrong. At Randori, we take the position that these attacks are inevitable, and that as a defender, you have to ask yourself when they will happen, not if.

For a look at why, we have to turn the clocks all the way back to 2012, when I gave an interview explaining why SCADA (Supervisory Control and Data Acquisition)…

I’m Givin’ Her All She’s Got, Captain!

I’m not the first person to point out that burnout in infosec is hitting a fever pitch. 2020 was a tremendously difficult year for security. Fueled by the pandemic and work-from-home, ransomware and other attacks boomed, high-profile breaches littered the news, and the business world continued its mass exodus from on-prem storage and operations to the cloud. Research by CIISec indicates that over half of security professionals have either left a job due to burnout or worked with someone who has.

As your friendly neighborhood hacker, I’m going to make the argument…

The Russians are probably lurking elsewhere in a SolarWinds victim’s environment, but that shouldn’t shock you

The SolarWinds hack (and now Exchange) has taken over the news recently, and many security practitioners are curious about how to respond. As an attacker, I will candidly tell you that if you were breached, your best strategy is to assume Russia has established a presence in your network, and respond (reimage your endpoints) accordingly. It’s easy to feel like hackers are unstoppable forces of nature. But they make mistakes, take risks, and above all, fear being caught. …

Red-teamers find the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls. For practitioners who have to choose between a pentest or a red team engagement, it comes down to the maturity of your security program and the questions you want to answer.

As a red teamer, I am frequently asked, “Should I do a pentest or hire a red team?” My response is always the same: that’s not entirely the right question. …

Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”

Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.

The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your…


This is part three of a series on hacker logic — weaponizing a vulnerability. Check out parts one (doing reconnaissance) and two (figuring out what asset to exploit) to catch up.

Just as water flows to the lowest point, hackers are usually looking to take the path of least resistance. They want to be able to break into a system as quietly and with as little effort as possible — and with the fewest exploits. Once an attacker finds a tempting asset on your attack surface to exploit, they will typically deploy a few different tricks and techniques to find…

Every company is subject to the same reality: Compromise is inevitable

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies, were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend…

David Wolpoff (moose)

moose. co-founder @randori. red-teamer. security can’t be fixed. practice how you fight.
