A Hacker’s Take on the Hardest Security to Crack

David Wolpoff (moose)
4 min read · Jun 23, 2021

Rarely have I heard someone tell me an IT problem to which the answer is: add a new piece of equipment. Rather, the best security posture is often a lean one that uses just a couple of tools to enforce each layer effectively.

More often than not, companies dump money into adding new layers of security without actually putting any new control into effect. Most of the time, when an IT team stands up a new system, they do so by copying over the configuration of an existing system that they know works.

The key is: the work isn’t done here. After you copy over a config, it is time to start reducing the functionality until as little as possible remains. Most big-name security products have hundreds of services on them, but when you purchase one, you may need only five. Shut off everything that is not immediately being used. If you need it in the future, you can always turn it back on. But in the meantime, if left enabled, it is a dormant window for me to crawl through, one whose security controls are unaltered and unwatched.

Less is More

Hardening a layer doesn’t have to be about adding new locks. If you want to secure a doorway, continuing to add locks only helps you for so long. What you really need to add is logging and monitoring, so that when someone does try to pick your lock, a security camera or a motion sensor catches it and you can respond accordingly.

Palo Alto would gladly sell you a pipedream about a one-size-fits-all security posture that stands up, requires no maintenance, and will stay secure forever. But nothing remains secure forever. So you need to have a redundancy in place for when PAN itself is hacked.

This balance between leanness and redundancy is the key to the modern security posture, and it is not easy to achieve. VPNs can fail; you cannot ensure your VPN will never fail. But you can add redundancies and monitoring so that when it does fail, you know immediately, and your process can absorb and mitigate the damage. With just a couple of security solutions, least privilege, and monitoring, you have a lean posture with depth built in.

Why the Russian Nesting Doll Solution Doesn’t Work

There is a misconception in security that adding layers is always the way to make something more protected. But that is only true if the layers are strategically set up and segmentation is implemented correctly.

If I’m trying to break into a system and I see that it utilizes a WAF behind a WAF behind a WAF, I only need to break one to bypass the subsequent layers. It’s as if I’m breaking into a house, and the owner has put a hallway full of doors between me and the floor safe, but all the doors have the same lock. To me, it might as well be one door because I can utilize the same key over and over until I’ve bypassed all of them.

The same is true of individual boxes on a company’s network: if an IT team has segmented a network of Windows computers, but they all have the same admin password, I can jump from one to the next with ease because I essentially have a skeleton key.
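The two failure modes above (a dormant, unwatched service left enabled after a config was copied over, and one admin credential reused across segments that were supposed to be separate doors) are cheap to audit from an inventory. The following is an added example, not code from the post or from Randori; the hostnames, segments and credential fingerprints are constructed placeholders.

```python
"""Lean-posture audit over a constructed host inventory (added example)."""
from collections import defaultdict

# Constructed inventory: hostname -> segment, enabled services, services
# actually required, services covered by log forwarding, and a placeholder
# fingerprint of the local admin credential (not a real hash).
INVENTORY = {
    "web01": {"segment": "dmz", "enabled": {"https", "ssh", "snmp", "telnet"},
              "required": {"https", "ssh"}, "monitored": {"https", "ssh"},
              "admin_cred": "CRED-A"},
    "app01": {"segment": "app", "enabled": {"rdp", "smb", "winrm"},
              "required": {"rdp"}, "monitored": {"rdp", "winrm"},
              "admin_cred": "CRED-A"},
    "db01": {"segment": "data", "enabled": {"mssql", "rdp"},
             "required": {"mssql"}, "monitored": {"mssql", "rdp"},
             "admin_cred": "CRED-B"},
}


def dormant_services(inventory):
    """Return {host: (dormant, unwatched)}.

    dormant   = enabled but not required (candidates to shut off)
    unwatched = the dormant subset with no log coverage at all, i.e. the
                unaltered and unwatched window the article warns about
    """
    out = {}
    for host, h in inventory.items():
        dormant = h["enabled"] - h["required"]
        if dormant:
            out[host] = (sorted(dormant), sorted(dormant - h["monitored"]))
    return out


def shared_admin_creds(inventory):
    """Return credential fingerprints that open hosts in more than one segment."""
    segments = defaultdict(set)
    for h in inventory.values():
        segments[h["admin_cred"]].add(h["segment"])
    return {cred: sorted(s) for cred, s in segments.items() if len(s) > 1}


if __name__ == "__main__":
    print("dormant services:", dormant_services(INVENTORY))
    print("admin credential reused across segments:", shared_admin_creds(INVENTORY))
```

Feeding it a real inventory means exporting enabled services and a credential fingerprint per host from whatever configuration management or LAPS-style tooling is already in place; the audit itself stays this small.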

Least Privilege in the Real World

It may seem like a tall order to run a system with the bare minimum of operational services at any given time, but you can turn a service back on when an employee comes needing that particular privilege to do their job. Until then, why should attackers be able to access features your employees and users don’t even access?

One of Randori’s favorite customers uses precisely this method to make life very difficult for attackers. They add defensive depth not with new SaaS equipment but by reducing functionality. As an attacker, this throws a real monkey wrench in my day. Instances of security solutions can be investigated, probed, and broken. Reducing functionality, on the other hand, simply makes more of the system’s vulnerabilities useless to me. The perimeter hardens as its surface area shrinks. Even if I get root access to a box close to their crown jewels, it’s not sufficient to compromise the network environment, because the device only gives me access to a walled garden.

Don’t Put All Your Eggs in One Basket

You can have the most incredible security solution on earth, but if it’s compromised, you’re out of luck. No matter which product you use, you need to diversify. Have more controls. Have a backup plan. Hell, if you’re a PAN Stan, you could deploy Palo Alto Panorama along with another Palo Alto solution. That way, if one fails, the other can at least see it.

The point is, you need to achieve balance. Putting all your eggs in one basket is as foolish as throwing them against the wall to see what sticks. You need to be precise and deliberate with each new addition, and when you’ve constructed the perfect house of cards, you need to blow on it a little to make sure it stays standing.

David Wolpoff (moose)

temporarily unemployed. previously co-founder @randori. once upon a time a red-teamer.