Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Teaching Security Self-Defense

My background in IT comes mostly from a nomadic perspective. In my years of IT and InfoSec, I've had the makings of a career consultant -different client each week, different city, different nature of work. It's been a long and diverse journey, and I've loved just about every minute of it. I wake up every day and say "hey, I get to be a pretend bad guy and get paid for it!"

Some things are consistent, however, and I'm not talking about the flight delays or lost luggage - your most common adversary is a network run by an IT team. Most of the time that team is a wonderful, hard-working group of people, many of whom are forced to wear a number of hats on a daily basis to keep the clocks turning, the network up, and the users working. Of those hats, the most conspicuously absent is that of Offensive Security.

"Offensive Security? That's what I pay you for!"

This is, in part, true - organizations hire qualified penetration testers all the time, and it's money well spent! However, many of these same organizations forget a few things:

  • The engagement is very focused and specific, such as PCI. In these types of engagements, the tester is intent on compromising a specific set of networks and data, in this case of the cardholder variety. While just about everything can be "fair game" in order to effectively simulate a PCI breach, these types of engagements are meant to test a narrowly defined block of network real estate. This makes it easy to overlook distant or non-affiliated (but still important overall) segments, such as development networks.
  • Even with a non data-specific penetration test, it's important to remember that penetration testing is not designed to find all vulnerabilities. It may sound disheartening to think that you may remediate attack vectors 1-5 that were uncovered during testing, only to find that next year there is an additional vector due to a newly discovered vulnerability. Or, perhaps, a manager with an unpatched laptop was on vacation during the last pentest. Testing has a time constraint, whereas the bad guys don't.

Try as you might, security is enough of a moving target that you will likely never find "everything". On a scale of who has it the "easiest", it's probably the bad guys - they have unlimited time, no restrictions, and don't really care what resources they may knock over on the way. Penetration testers have to work with the constraints of scope, time, and a delicate touch, but even we get the advantage of not having "network tunnel vision" - that is, we see the network from a perspective most IT teams do not. Finally, IT teams have the hardest job - they are tasked with fixing myriad issues/weaknesses/vulnerabilities, whereas penetration testers(and by proxy, bad guys) only need to find one.

That's where the concept of "security self-defense" comes in. It's difficult to gain the same broad base of security knowledge when you only see a single setup day to day (vs the thousands of networks we get to see per year), but you can still learn the methods of offensive security and how to "think like a bad guy". Let's take a look at some useful areas of concern.

Man-in-the-Middle(MitM) Attacks

Man-in-the-middle (MitM) attacks are a very potent, multi-faceted, and devastating class of infrastructure based attacks. To defend against them takes the correct blend of network architecture, host, and network services configuration security and hardening. The best way to understand and secure against these attacks is to learn the mechanics of how they work. What is the attacker looking for? How about:


  • Eavesdropping - an attacker may just want to listen in to see what hosts are communicating, what they are saying, and gain insight from any plaintext protocols.
  • Session hijacking - with a tool (such as SpiderLabs 'thicknet), sessions such as SQL server sessions can be hijacked to introduce rogue commands. For example, an attacker may trigger a command to add a user or change privileges.
  • Data manipulation - Even simple web traffic can be manipulated, such as adding a UNC path to capture NTLM hashes.

Host-based Attacks

It's tempting to think of compromise as vulnerability x leads to exploit y, but this is almost never the case. In fact, it's quite common to exploit normal functionality on systems in order to gain access. This has the added advantage that it appears as normal traffic and not a signature of a specific exploit. Items such as LLMNR, NetBIOS over TCP, and null enumeration can all combine to provide accounts for an attacker, all without even having to connect to the target machine first. Worse yet, user-based security gaps (such as password re-use)can provide headaches for containing a compromise.

Loose Data

An IT team's greatest nightmare can be the users themselves and the data they're tasked to manage. No matter how many policies they put into place, users will still be users - and that means leaving useful data (to a pentester) lying about. Whereas that Visio diagram of the network may be something you see every day, it's a wonderful find for an attacker. Router configs, user data in spreadsheets, even leftover scan data - all of these can be used as information for further compromise.

The Upshot

If you learn to think like an attacker, you can gain insight into how you configure your network, apply your policies, and better understand who/what you are protecting against. The idea that you cannot be 100% secure should not discourage you; rather, it should encourage you to find a happy medium wherein you can be "compromise resistant" enough to properly detect and respond to incidents before they become harmful.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More