07/11/2020: I'm updating this post to express a different perspective but the same concepts. In fact, I'm a pentester now, so I switched sides, so to say. However, the concepts I wanted to convey with this post remain, in my opinion, absolutely paramount, regardless of the circumstances in which I originally published this post in 2018. Some steps toward a purple team implementation have been made since, and this is even more critical in this post-pandemic world. I hope you'll keep enjoying reading it (M.C.).
I participated in a very exciting PeerTalk on Pentesting and had a long and stimulating conversation with all members, featuring, among others, Georgia Weidman.
I couldn't believe she really took the time to participate and she found some of my points valid.
I had to pinch myself, I mean WOW!
However, this post isn't for me to brag about this achievement, but to wrap up some concepts emerging from the panel that I found absolutely paramount.
The most important of these is, in my opinion, that we need to move beyond the strict red team/blue team distinction and rethink and redesign the role of pentesters in general, along with the purpose of penetration testing overall.
In fact, there seems to be an over-emphasis on offensive security and on red teamers for the heck of it, without thinking of what a pentest can actually add in terms of value for a business, nor of what lessons an organization can learn from it.
Though a shift seems to have started, as the best and brightest hackers, such as my former boss Dave Kennedy and John Strand, are re-evaluating defensive security and developing solutions to help defenders and assist companies in defending better, a lot of work still seems to be needed to improve things from this point of view.
Don't get me wrong, offensive security is fun, I LOVE offensive security and I love being a red teamer, but blue teamers (including myself) are the often unsung heroes here.
Blue teamers need to be right all the time. Red teamers (and black hat hackers) only need to be right once and they're in.
Pwning an organization is sure fun, but it's pointless and needless if you don't give that organization the tools to address the vulnerabilities that allowed you to hack in.
I get it, being a red teamer can be as cool as it gets.
You're paid to hack and to break stuff, and I love it, it's a dream come true.
However, there are two types of overlooked considerations to keep in mind:
- A pentest is done to support a business and its result must be explained in business terms. We conduct a pentest to make sure a company knows what its vulnerabilities are and addresses them before bad guys can exploit them. If pentesters submit a report without explaining how to address these vulnerabilities, they give the company no actual service. A pentester should be like a consultant and sit beside the corporate management to understand how the organization's processes work and how to improve on the issues discovered. I recently participated in a security assessment for a company in my new role and it's been an eye-opening experience. Jeez, there are a billion aspects to be factored in, so many that your mind starts blowing, and so much overlooked stuff that you ask yourself how these people manage to even stay in business. Then you realize their priorities aren't yours. Their priorities are running the business and making money, not fighting bad guys like you do. They don't understand all these gizmos, and why should they? That's not their role. We're not (always) the center of the universe, guys. You need to talk to these guys and make it clear they might lose their proprietary information, which could mean they'd have to close the business. It's business survival.
- A pentest should be conducted in order to empower the blue team, not to brag about how good we are at popping shells. Sure, popping shells is fun, but pretty much pointless if we assess a company and then find the same exact vulnerabilities one year later. This means that we as security professionals, and the industry overall, failed. We sucked. My greatest pleasure as a security professional would be to perform a follow-up pentest on an organization and find out I couldn't easily hack in by using the most common techniques, such as SQL injection.
That would mean they actually implemented my recommendations and made their systems more secure. That would mean I contributed to making the world a little bit more secure.
That doesn't entirely rule out that they might get hacked in the future, but it definitely makes them more secure. It could also potentially save their company and have a positive impact on people's lives, in terms of avoiding job losses.
Wrap-up
We're not making all this progress as an industry, and that's because we're failing.
Have you ever wondered why overlooked vulnerabilities like SQL injection or XSS, dating back decades, are still on the OWASP Top 10 list?
No one addresses these types of problems or bothers advising organizations on how to address these issues.
Bug bounties now normally even exclude them from their scope.
They're too common, not so sexy for marketing purposes. Well, guess what, that's how companies like Equifax got breached.
Several pentesters deliver their reports (not always well done) and that's it.
On the other hand, though, even when security consultants/pentesters do provide good remediation recommendations and the report adds value to the client, the client organization often completely disregards them, because they don't take security seriously. All they care about is for consultants to check the box saying they're PCI compliant. Well, this is the most discomforting thing you can experience as a pentester, because it makes you feel helpless.
This needs to change.
We need to move away from this blue team/red team adversarial perspective.
We need to create a non-hostile environment, where the two different teams can work together and address what can be done, instead of focusing on childish memes and bullying behaviors.
OK, we hacked in, we showed their admins suck, right?
But how much would you like to be in those sysadmins' shoes, having to analyze piles of logs to find a needle in the haystack?
Not so fast, bro!
Then, by the way, that kind of behavior speaks volumes about your professionalism.
Not sure you'd be the kind of guy I'd personally like to work with.
We're security professionals, we all work together to make this world more secure, even though from different angles.
Let's come together instead of hurting the whole community with this kind of bullcrap.
As I stated, the brightest guys in the offensive security community have understood this and are trying to promote an effort towards a more global view.
However, much remains to be done and organizations selling snake oil, like those indiscriminately promoting bug bounties as a silver bullet, hurt the community even more than this wrong attitude.
Security is a mindset, not a product.
It's easier for marketers to sell a product because a product is something you can touch, easier to understand than a mindset shift that causes corporate culture to change.
Buying/selling a product can be a fast process, but changing a corporate culture may require a long time.
Scary, right?
All big changes are, but we need to do this or we'll see more and more organizations compromised, economies and lives ruined and eventually, if we consider the possible implications of a hack on the electoral system, the very concept of democracy worldwide undermined.
Episode 57