Tuesday, July 19, 2016

Why you Should Attack Your Systems - Before "They" Do

You can't hack and patch your way to a secure system.

You will never be able to find all of the security vulnerabilities and weaknesses in your code and network through scanning, or by paying outsiders to try to hack their way in.

The only way to be secure is to design and build security in from the beginning:

  1. threat modeling and risk assessment when designing apps and networks
  2. understanding and using the security features of your languages and frameworks, and filling in any gaps with secure libraries like Apache Shiro or Keyczar…
  3. hardening the run-time using guidelines like the CIS benchmarks and tools like Chef and Puppet and UpGuard
  4. carefully reviewing every change that you make to code and configuration before putting them into production
  5. training everybody involved so that they know what to do, and what not to do
This is hard work, and it is unavoidable.

So what's the point of penetration testing? Why do organizations like Intuit and Microsoft have Red Teams attacking their production systems? And why are Facebook and Google and even the US Department of Defense running bug bounty programs, paying outsiders to hack into their system and report bugs?

Because once you've done everything you know how to do - or everything that you think you need to do - to secure your system, the only way to find out whether you've done a good enough job is to attack your systems - before the bad guys do.

Attacking your system can show you where you are strong and where you are weak: what you missed, where you made mistakes. It will uncover misunderstandings and highlight gaps in your design, in your defensive controls, and in your logging and monitoring. Watching your system under attack, watching what attackers do and how they do it, understanding what to look for and why, how to identify attacks and how to respond to them, will change the way that you think and the way that you design and code and set up and run systems.

Let's look at different ways of attacking your system, and what you can learn from them:

Pen Testing

Pen testing - hiring an ethical hacker to scan and explore your application or network to find vulnerabilities and see what they can do with them - is usually done as part of due diligence, before a new system or a major change is rolled out, or once a year to satisfy some kind of regulatory obligation.

Pen testers will scan and test for common vulnerabilities and common mistakes in network and system configuration: missing patches, unsafe default settings. They'll find mistakes in authentication and user setup logic, session management, and access control schemes. They'll look at logs and error messages to find information leaks and bugs in error handling, and they will test for mistakes in some business logic (at least for well-understood workflows like online shopping or online banking), trying to work around approval steps or limit checks.

Pen tests should act as a reality check. If they found problems, a bad guy could too - or already has.

Pen testers won't usually have enough time, or understand your system well enough, to find subtle mistakes, even if they have access to documentation and source code. But anything that they do find in a few days or a few weeks of testing should be taken seriously. These are real, actionable insights into weaknesses in your system – and weaknesses in how you built it. Why didn't you find these problems yourself? How did they get there in the first place? What do you need to change in order to prevent problems like this from happening again?

Some organizations will try to narrow the scope of the pen tests as much as possible, in order to increase their chance of getting a "passing grade" and move on. But this defeats the real point of pen testing. You've gone to the trouble and expense of hiring somebody smart to check your system security. You should take advantage of what they know to find as many problems as possible – and learn as much as you can from them. A good pen tester will explain what they found, how they found it, why it is serious, and what you need to do to fix it.

But pen testing is expensive and doesn't scale. It takes time to find a good pen tester, time to set up and run the test, and time to review and understand and triage the results before you can work on addressing them. In an Agile or DevOps world, where changes are being rolled out every few days or maybe several times a day, a pen test once or twice a year won't cut it.

Red Teaming

If you can afford to have your own pen testing skills in house, you can take another step closer to what it’s like dealing with real world attacks, by running Red Team exercises. Organizations like Microsoft, Intuit and Salesforce have standing Red Teams who continuously attack their systems – live, in production.

Red Teaming is based on military Capture the Flag exercises. The Red Team - a small group of attackers - try to break into the system (without breaking the system), while a Blue Team (developers and operations) tries to catch them and stop them.

The Blue Team may know that an attack is scheduled and which systems will be targeted, but they won't know the details of the attack scenarios. While the Red Team's success is measured by how many serious problems they find and how fast they can exploit them, the Blue Team is measured by MTTD and MTTR (mean time to detect and mean time to respond): how fast they detected and identified the attack, and how quickly they stopped it, or contained it and recovered from it.

Like pen testers, the Red Team's job is to find important vulnerabilities, prove that they can be exploited, and help the Blue Team to understand how they found the vulnerabilities, why they are important, and how to fix them properly.

The point of Red Teaming isn't just to find bugs - although you will find good bugs this way, bugs that definitely need to be fixed. The real value of Red Teaming is that you can observe how your system and your Ops team behave and respond under attack: you learn what an attack looks like, you train your team to recognize and respond to attacks, and, by exercising regularly, you get better at this.

Over time, as the Blue Team gains experience and improves, as they learn to respond to - and prevent - attacks, the Red Team will be forced to work harder, to look deeper for problems, to be more subtle and creative. As this competition escalates, as both teams push each other, your system - and your security capability - will benefit.

Intuit, for example, runs Red Team exercises the first day of every week (they call this “Red Team Mondays”). The Red Team identifies target systems and builds up their attack plans throughout the week, and publishes their targets internally each Friday. The Blue Teams for those systems will often work over the weekend to prepare, and to find and fix vulnerabilities on their own, to make the Red Team’s job harder. After the Red Team Monday exercises are over, the teams get together to debrief, review the results, and build action plans. And then it starts again.

Bug Bounties

Bug Bounty programs take one more step closer to real world attacks, by enlisting outsiders to hack into your system.

Outside researchers and white hat hackers might not have the insight and familiarity with the system that your own Red Team will. But Bug Bounties will give you access to a large community of people with unique skills, creativity, and time and energy that you can't afford on your own. This is why even organizations like Facebook and Google, who already hire the best engineers available and run strong internal security programs, have had so much success with their Bug Bounty programs.

Like Red Teaming, the rewards and recognition given to researchers drives competition. And like Red Teaming, you need to carefully establish - and enforce - ground rules of conduct. What systems and functions can be attacked, and what can't be. How far testers are allowed to go, where they need to stop, and what evidence they need to provide in order to win their bounties.

You can try to set up and run your own program, following guidelines like the ones that Google has published or you can use a platform like BugCrowd (https://bugcrowd.com/) or HackerOne (https://hackerone.com/) to manage outside testers.

Automated Attacks

But you don't have to wait until outsiders - or even your own Red Team - attack your system to find security problems. Why not attack the system yourself, every day, or every time that you make a change?

Tools like Gauntlt and BDD-Security can be used to run automated security tests and checks on online applications in Continuous Integration or Continuous Delivery, every time that code is checked in and every time that the system configuration is changed.

Gauntlt (http://gauntlt.org/) is an open source testing framework that makes it easy to write security tests in a high-level, English-like language. Because it uses Cucumber under the covers, you can express tests in Gherkin's familiar Given {precondition} When {execute test steps} Then {results should/not be} syntax.

Gauntlt comes with attack adapters that wrap the details of running security testing tools, and sample attack files for checking your SSL/TLS configuration using sslyze, testing for SQL injection using sqlmap, checking the network configuration using nmap, running simple web app attacks using curl, scanning for common vulnerabilities using arachni, dirb and garmr, and checking for specific serious vulnerabilities like Heartbleed.
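Here is what a Gauntlt attack file for a CI security smoke test looks like in practice. This is an added example written for this page, not a file shipped with Gauntlt and not from the original post. It assumes a target hostname of example.com, that only ports 80 and 443 should be reachable, that nmap and curl are installed on the CI runner, and that nmap's ssl-enum-ciphers script is used for the TLS check (the page's sslyze adapter would work the same way, with a different output pattern). The step phrases ("is installed", "the following profile:", "I launch an ... attack with:", "the output should match") are Gauntlt's standard steps; the expected ports, headers and regexes are assumptions you would tune for your own system.

```gherkin
@slow
Feature: Security smoke test for the web tier
  Added example. Target and expected results are assumptions:
  only 80/tcp and 443/tcp should be open, legacy SSL/TLS must be off,
  and responses must not leak server implementation details.

  Background:
    Given "nmap" is installed
    And "curl" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Only the expected ports are reachable
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /80\/tcp\s+open/
    And the output should match /443\/tcp\s+open/
    # Anything else open is a configuration regression, not a feature
    And the output should not match /22\/tcp\s+open/
    And the output should not match /3306\/tcp\s+open/
    And the output should not match /8080\/tcp\s+open/

  Scenario: Legacy SSL/TLS versions are disabled
    When I launch an "nmap" attack with:
      """
      nmap --script ssl-enum-ciphers -p 443 <hostname>
      """
    # ssl-enum-ciphers prints one section per protocol version it could negotiate
    Then the output should match /TLSv1\.2:/
    And the output should not match /SSLv2:/
    And the output should not match /SSLv3:/
    And the output should not match /TLSv1\.0:/

  Scenario: HTTPS responses carry the expected security headers
    When I launch a "curl" attack with:
      """
      curl -s -I https://<hostname>/
      """
    Then the output should match /Strict-Transport-Security:/
    And the output should match /X-Content-Type-Options: nosniff/
    And the output should match /X-Frame-Options: (DENY|SAMEORIGIN)/

  Scenario: Error pages do not leak implementation details
    When I launch a "curl" attack with:
      """
      curl -s -i https://<hostname>/this-page-does-not-exist-<hostname>
      """
    # Match HTTP/1.1 404 and HTTP/2 404 alike
    Then the output should match /HTTP\/\S+ 404/
    And the output should not match /X-Powered-By/
    And the output should not match /Exception|Traceback|stack trace/
```

Save this as, say, smoke.attack and run `gauntlt smoke.attack` from the pipeline; Gauntlt exits non-zero when any scenario fails, which is what makes the CI job go red. Keep each scenario focused on one property of the system, so that a failure tells the developer what changed (a port opened, a header dropped) rather than just that "security failed". The `@slow` tag lets you run the quick scenarios on every commit and the slow ones on a schedule.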

BDD-Security (https://github.com/continuumsecurity/bdd-security) is another open source security testing framework, also based on Cucumber. It includes SSL checking (again using sslyze), scanning for run-time vulnerabilities using Nessus, and it integrates nicely with Selenium, so that you can add automated tests for authentication and access control, and run web app scans using OWASP ZAP as part of your automated functional testing.

All of these tests can be plugged in to your CI/CD pipelines so that they run automatically, every time that you make a change, as a security smoke test.

You can take a similar approach to attack your network.

Startups such as

provide automated attack platforms which simulate how adversaries probe and penetrate your systems, and report on any weaknesses that they find.

You can automatically schedule and run pre-defined attacks and validation scenarios (or execute your own custom attacks) as often as you want, against all or parts of your network. These platforms scale easily, and provide you with an attacker's view into your systems and their weaknesses. You can see what attacks were tried, what worked, and why. You can use these tools for regular scanning and testing, to see if changes have left your systems vulnerable, to evaluate the effectiveness of a security defense tool, or, like Red Teaming, to exercise your incident response capabilities.

Running automated tests or attack simulations isn't the same as hiring a pen tester or running a Bug Bounty program or having a real Red Team. These tests have to be structured and limited in scope, so that they can be run often and provide consistent results.

But these tools can catch common and serious mistakes quickly - before anybody else does. They will give you confidence as you make changes. And they can be run continuously, so that you can maintain a secure baseline.

Why you need to Attack Yourself

There is a lot to be gained by attacking your systems. You'll find real and important bugs and mistakes - bugs that you know have to be fixed.

You can use the results to measure the effectiveness of your security programs, to see where you need to improve, and whether you are getting better.

And you will learn. You'll learn how to think like an attacker, and how your systems look from an attacker's perspective. You'll learn what to watch for, how to identify an attack, how to respond to attacks and how to contain them. You'll learn how long it takes to do this, and how to do it faster and easier.

You'll end up with a more secure system - and a stronger team.
