My background in IT comes mostly from a nomadic perspective. In my years of IT and InfoSec, I've had the makings of a career consultant - different client each week, different city, different nature of work. It's been a long and diverse journey, and I've loved just about every minute of it. I wake up every day and say "hey, I get to be a pretend bad guy and get paid for it!"
Some things are consistent, however, and I'm not talking about the flight delays or lost luggage - your most common adversary is a network run by an IT team. Most of the time that team is a wonderful, hard-working group of people, many of whom are forced to wear a number of hats on a daily basis to keep the clocks turning, the network up, and the users working. Of those hats, the most conspicuously absent is that of Offensive Security.
"Offensive Security? That's what I pay you for!"
This is, in part, true - organizations hire qualified penetration testers all the time, and it's money well spent! However, many of these same organizations forget a few things:
- The engagement is very focused and specific, such as PCI. In these types of engagements, the tester is intent on compromising a specific set of networks and data, in this case of the cardholder variety. While just about everything can be "fair game" in order to effectively simulate a PCI breach, these types of engagements are meant to test a narrowly defined block of network real estate. This makes it easy to overlook distant or non-affiliated (but still important overall) segments, such as development networks.
- Even with a non data-specific penetration test, it's important to remember that penetration testing is not designed to find all vulnerabilities. It may sound disheartening to think that you may remediate attack vectors 1-5 that were uncovered during testing, only to find that next year there is an additional vector due to a newly discovered vulnerability. Or, perhaps, a manager with an unpatched laptop was on vacation during the last pentest. Testing has a time constraint, whereas the bad guys don't.
Try as you might, security is enough of a moving target that you will likely never find "everything". On a scale of who has it the "easiest", it's probably the bad guys - they have unlimited time, no restrictions, and don't really care what resources they may knock over on the way. Penetration testers have to work with the constraints of scope, time, and a delicate touch, but even we get the advantage of not having "network tunnel vision" - that is, we see the network from a perspective most IT teams do not. Finally, IT teams have the hardest job - they are tasked with fixing myriad issues, weaknesses, and vulnerabilities, whereas penetration testers (and by proxy, bad guys) only need to find one.
That's where the concept of "security self-defense" comes in. It's difficult to gain the same broad base of security knowledge when you only see a single setup day to day (versus the thousands of networks we get to see per year), but you can still learn the methods of offensive security and how to "think like a bad guy". Let's take a look at some useful areas of concern.
Man-in-the-middle (MitM) attacks are a very potent, multi-faceted, and devastating class of infrastructure-based attacks. Defending against them takes the correct blend of network architecture, host and network-services configuration, security, and hardening. The best way to understand and secure against these attacks is to learn the mechanics of how they work. What is the attacker looking for? How about:
- Eavesdropping - an attacker may just want to listen in to see what hosts are communicating, what they are saying, and gain insight from any plaintext protocols.
- Session hijacking - with a tool (such as SpiderLabs' thicknet), sessions such as SQL Server sessions can be hijacked to introduce rogue commands. For example, an attacker may trigger a command to add a user or change privileges.
- Data manipulation - even simple web traffic can be manipulated, such as adding a UNC path to capture NTLM hashes.
It's tempting to think of compromise as vulnerability x leads to exploit y, but this is almost never the case. In fact, it's quite common to exploit normal functionality on systems in order to gain access. This has the added advantage that it appears as normal traffic and not a signature of a specific exploit. Items such as LLMNR, NetBIOS over TCP, and null enumeration can all combine to provide accounts for an attacker, all without even having to connect to the target machine first. Worse yet, user-based security gaps (such as password re-use) can provide headaches for containing a compromise.
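As an added example (not part of the original post), here is a read-only PowerShell audit of the three "normal functionality" settings just mentioned, LLMNR, NetBIOS over TCP/IP, and anonymous (null-session) enumeration, on a Windows host. It assumes the standard registry locations and WMI class for these settings and should be run from an elevated prompt; it reports findings rather than changing anything.

```powershell
# Added example, not from the original post: audit the local Windows settings
# that leave LLMNR, NetBIOS over TCP/IP and null-session enumeration available
# to anyone on the same network segment. Read-only; run elevated.

function Test-LegacyNameResolutionHardening {
    $findings = @()

    # LLMNR: policy value EnableMulticast = 0 under the DNSClient key turns it off.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    if ($llmnr -ne 0) {
        $findings += 'LLMNR enabled: EnableMulticast is missing or not 0 (set to 0 via GPO).'
    }

    # NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled,
    # 1 = enabled, 0 = whatever DHCP hands out (treated as not hardened here).
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -ne 2) {
            $findings += "NetBIOS over TCP/IP not disabled on '$($a.Description)' " +
                         "(TcpipNetbiosOptions=$($a.TcpipNetbiosOptions))."
        }
    }

    # Null sessions: the Lsa values that govern anonymous enumeration of
    # accounts and shares. RestrictAnonymous 1 or 2 and RestrictAnonymousSAM 1
    # block enumeration; EveryoneIncludesAnonymous must be 0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymous -notin 1, 2) {
        $findings += "RestrictAnonymous=$($lsa.RestrictAnonymous): anonymous share/account enumeration allowed."
    }
    if ($lsa.RestrictAnonymousSAM -ne 1) {
        $findings += "RestrictAnonymousSAM=$($lsa.RestrictAnonymousSAM): anonymous SAM account enumeration allowed."
    }
    if ($lsa.EveryoneIncludesAnonymous -ne 0) {
        $findings += 'EveryoneIncludesAnonymous is 1: anonymous users inherit Everyone permissions.'
    }

    return $findings
}

$result = Test-LegacyNameResolutionHardening
if ($result.Count -eq 0) {
    'No findings: LLMNR, NetBIOS over TCP/IP and anonymous enumeration are restricted.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps to a Group Policy or adapter setting that removes one of the "free" account-discovery paths described above; run it across a representative sample of workstations and servers rather than a single host.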
An IT team's greatest nightmare can be the users themselves and the data they're tasked to manage. No matter how many policies they put into place, users will still be users - and that means leaving useful data (to a pentester) lying about. Whereas that Visio diagram of the network may be something you see every day, it's a wonderful find for an attacker. Router configs, user data in spreadsheets, even leftover scan data - all of these can be used as information for further compromise.
If you learn to think like an attacker, you can gain insight into how you configure your network, apply your policies, and better understand who/what you are protecting against. The idea that you cannot be 100% secure should not discourage you; rather, it should encourage you to find a happy medium wherein you can be "compromise resistant" enough to properly detect and respond to incidents before they become harmful.