The Cybersecurity Gap: Between Want and Need
As a senior penetration tester, I’ve seen an alarming trend among companies of all sizes. I’ve tested the security of global Fortune 50 companies, all the way down to small or regional companies with a couple hundred employees. They almost always have one thing in common—CISOs can get distracted from the basics they need by the shiny new objects they want.
AI, ML and Zero Trust are new and promising technologies that have the ability to revolutionize cybersecurity. Yet almost all of the companies I’ve pen tested have big security holes, and they completely overlook something as simple as the CIS basic controls.
From my perspective, as a hacker who has tested companies of all sizes, what CISOs really need are three things:
- An audit of their implementation of the CIS controls
- A pen test to verify the controls (control 20)
- Red Team assessments to test their IDR (control 20)
When I’m on a pen test debrief call, I like to use the CIS controls to talk about findings and where they equate to gaps in the controls, because the CIS controls are, in my opinion, the easiest to understand and implement. The CIS controls consist of 20 controls in three groups: basic, foundational and organizational—in order of maturity. I repeatedly find that even the largest and most mature companies have gaps in the basic controls, which are:
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
- Maintenance, monitoring and analysis of audit logs
The other night, while working through a Red Team training exercise, I bypassed Microsoft Antimalware Scan Interface (AMSI) and successfully executed a malicious PowerShell script by simply changing one variable name. It takes a little more work to get a binary to bypass Defender and other antivirus solutions, but it’s still not difficult to learn. Any basic hacker or pen tester can find YouTube videos and blog posts explaining how to do it. I think you can imagine what a nation-state hacker can do to bypass detection of malicious code.
CIS basic controls 2.7 through 2.9 are known as “implementation of application whitelisting.” Application whitelisting is a set of controls that requires you to generate signatures of allowed executable files; anything that is not whitelisted simply will not run. This one control would effectively block unwanted software from running, even if the malware were created by the most skilled hackers. This control is also one of the least expensive to implement because AppLocker is included in Windows 10 and Windows Server. Why don’t more companies implement it? Because it takes work and time, and if you get it wrong you will make users angry. I have implemented AppLocker. It was almost completely painless and resulted in only a few helpdesk calls because I followed a simple, effective plan during implementation.
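The following is an added example of the allow-list rollout pattern described above (reference build, audit mode, review, then enforce), not the author’s own plan or scripts. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker enforcement, applies a local policy, and uses constructed paths (`C:\AppLocker\…`, a Downloads sample) that you would replace with your own.

```powershell
# Added example (not the author's deployment plan): build an AppLocker allow list
# from a clean reference build, deploy it in audit-only mode, then review what
# would have been blocked before switching to enforcement.
# Assumes: elevated session on Windows 10 / Windows Server with the AppLocker
# module, applying a local policy (a GPO deployment uses the same cmdlets with -Ldap).
Import-Module AppLocker

$policyPath = 'C:\AppLocker\allow-list-audit.xml'   # assumed output location
New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null

# 1. Enumerate the executables legitimately present on the reference build.
$files = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Prefer publisher (signature) rules; fall back to hash rules for unsigned files.
#    No Path rules: a rule on a user-writable path is exactly what lets unwanted
#    code run. -Optimize collapses thousands of files into a small rule set.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly: rules are evaluated and logged, nothing is blocked yet.
$policyXml = $policyXml -replace 'EnforcementMode="\w+"', 'EnforcementMode="AuditOnly"'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 4. Apply as the local policy. AppLocker only evaluates rules while the
#    Application Identity service is running, so make it start automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Ask the policy what it would decide for a file outside the baseline, e.g. a
#    fresh download (constructed path).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:USERPROFILE\Downloads\unknown-tool.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 6. After running in audit mode for a while, list every file that event ID 8003
#    ("would have been blocked") reported: each one is either a legitimate app
#    missing from the baseline (add a rule) or unwanted software.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).SelectSingleNode('//*[local-name()="FilePath"]').InnerText
    } | Sort-Object -Unique
```

Once the 8003 list is empty of legitimate software, change `AuditOnly` to `Enabled` in the XML and re-apply it; from then on the same log reports blocks as event ID 8004.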
A recent SANS newsletter was focused almost exclusively on the latest corporate ransomware victims. Ransomware is not a new threat. I implemented AppLocker whitelisting in response to ransomware more than five years ago. Why is application whitelisting so slow to catch on? Shouldn’t it be a priority?
If I had to pick one thing that is most likely to be the center of attention of CISOs and boards over the last few months, it would be the FireEye breach, which was caused by a supply chain attack from backdoored SolarWinds software. As a security engineer, I’ve worked with FireEye network appliances. They are regarded as some of the best security appliances you can buy. So, how did FireEye get breached, and how can you prevent it?
The truth is you can’t prevent a breach, you can only delay it. You must be able to detect a breach and respond quickly. The only reason we know about the FireEye breach and SolarWinds is an effective Incident Detection and Response program, through which FireEye detected the malicious activity. If an actor targets you, with enough time, skill and resources, your controls will be bypassed. However, without incident detection and response (IDR), any malicious actor who gains access can live in your network for years.
Are you investing in a Blue Team to monitor and respond to alerts, and in third-party consultants to run Red Team exercises to test for gaps in IDR? Let’s suppose for a moment that you manage a smaller company and use a managed security services provider (MSSP) instead of an in-house Blue Team. You should trust but always verify by running Red Team exercises to test the effectiveness of the IDR process. If your company is too small to have Blue Team and Red Team exercises, it’s even more critical that you close any gaps in the CIS controls and implement application whitelisting.
In short: Focus first on the CIS (or NIST) basic controls. Use a third party to audit and pen test those controls. And finally, test the IDR capabilities using a Red Team exercise. Once you have documented and eliminated any discovered gaps, you’re ready to start evaluating the “new shiny” security gadgets.