Welcome back! My Eagles won again and beat an undefeated Tampa Bay team with a great defense, on the road, which was awesome. Miami absolutely destroyed Denver to the point where the Broncos should be called the Denver Foals. Ouch. We're all scratching our heads as to how the Rams keep losing games they should clearly win, the 49ers look for real, and the Bills reminded the Commanders why they never do better than 3rd place in the NFC East year after year.
Interestingly enough this 3rd week of football was all about offense. Teams won big by having great offensive strategies that flexed around the defensive strategies of their opponents, so let's close out our security team roster discussion with building a great offensive strategy for an organization.
Offense
Most of us have become accustomed to outsourcing our offensive strategy which, in my opinion, is perfectly fine - but if you can build the resources to have offensive components in-house, you'll find it easier to adjust to emerging threats with agility, and you'll find the costs are lower in the long run.
On the football field the offense is broken into "games". The passing game and the running game. Each has strengths and weaknesses, so most teams try to strike a balance, but it does depend greatly on what the other side enables. In cyber security the approach is similar. Your security passing game involves all of the outward-facing and long-term approaches that help identify risk and vulnerabilities utilizing the techniques (and tools) your adversary would use. Your security running game would leverage proactive but usually tactical methods of shoring up technologies and improving security processes to drive a more proactive approach.
The real advantage of building an in-house offensive security discipline is enabling the business overall to be proactive. We have gotten used to security being this thing where we wait around for something to happen and then we put all of our efforts into minimizing and mitigating that thing. This is part of the Firefighter approach I always talk about, but remember, Firefighters also see prevention as a big part of their job.
SIDEBAR: From a value proposition standpoint, you should approach offensive security as critical to your company's ability to significantly reduce risk. While offensive strategies do not replace the defensive strategies everyone should employ, a sound offensive strategy can reduce the risks your defensive strategy has to focus on, and that can lead to long-term cost savings. Articulating the value of your security program using the onion method (defense in depth) is a great way to help non-technical people understand the rationale behind layers of security that might seem costly on the surface but really save money in the long run.
The Passing Game (Outward-Facing)
Your passing game should involve the things I'm sure you're already familiar with like penetration testing, app sec testing, and red teaming. The key here is to leverage personnel to identify weaknesses using exploits that are similar to what you'd expect threat actors to use. We want to game our own systems, safely, to minimize and mitigate risk. This is us taking the ball into our own hands, and being proactive to solve issues that create risk.
When it comes to penetration and app sec testing most people think this can only be done well using 3rd party resources. I wouldn't necessarily disagree - however, having internal resources focused to testing makes it more a continuous improvement activity instead of a point solution. Leveraging IAST (interactive application security tools) can dramatically improve the security of platforms and applications developed in-house both for internal and external consumption. This would be extremely costly to outsource, but with internal resources, you could do this as part of the development cycle adding value immediately and reducing mitigation time which improves security for your organization (there's your value statement for an in-house appsec engineer). The best part is some of the most effective tools for this are open-source or cloud-based, making them versatile and easily consumed.
On the social side, in-house social testing that leverages test scripts can be very effective in supporting the building of a security-aware business culture. We know that helpdesk-centric social engineering attacks are on the rise; a focus on random screening of employees along with your anti-phishing campaigns can be an effective way to help employees detect bad actors.
Lastly, red teaming is extremely effective, but admittedly in-house red teams are only appropriate for larger organizations. If outsourcing this function, non-routine testing is advised - you shouldn't know when it's coming. Retain a firm to perform 3-5 tests over the course of the year at random times to get the most out of the engagement.
Red teams use ethical hackers to emulate real attacks using common and bleeding edge tactics, techniques, and procedures (TTPs) against your assets. The work your special teams do in helping to assess your risk surfaces can enhance this work by ensuring everything that needs to be covered is covered. Internally your red team should consist of at least 2 resources with experience in both ethical hacking and technical documentation. The results should be well documented and reproducible.
The Running Game (Inward-Facing)
I liken the running game in security to trench work. This would be things like systems hardening, standards development, segmentation, exploit development, and vulnerability mitigation.
Systems hardening is an often-overlooked aspect of proactive security management in my opinion. I think this is mainly due to the idea that edge mitigation is enough - prevent the bad things from getting in and you're golden. I'm of the opinion that gates within gates are better than just gates at the perimeter. Systems hardening represents those additional gates. For example, thinking about your own infrastructure, have you set MaxCachedSockets (reg_dword) to zero on each windows server? Do you leverage golden images locked down on a VTL to prevent tampering? Have you deleted the null session keys in your windows servers?
Associated with hardening is the development of standards. Documented standards provide a checklist for IT to work from which can dramatically reduce issues due to misconfiguration - which remains one of the primary vectors for security incidents in most organizations.
Segmentation and micro-segmentation strategies have become more important lately thanks to the proliferation of ransomware. A team dedicated to both developing standards and procedures for segmentation AND supporting the IT team in segmenting systems and ensuring continuous review of deployed systems both pre and postproduction can make a huge difference in the impact of systems and technology risks for most organizations. Outsourcing the engineering of this can put you at a disadvantage in the long run...your business is guaranteed to evolve; not having in-house resources to evolve these strategies with your business can have a negative impact.
Let's not forget the cloud...treat cloud environments like extended infrastructure you only touch via a browser. With that said ALL of these techniques need to be leveraged against cloud infrastructure on a continuous basis. You also have to manage technology sprawl and shadow IT, both of which are common in cloud environs.
Conclusion
All-in-all building a robust security program requires leveraging an approach that helps you position your strategy appropriately for your business and understand relative and real risks (special teams), appropriately defend the organization's technology, people, and processes (defense), and proactively manage assessed risks to minimize impact and mitigate risks before they have a chance to become incidents (offense).
Articulating the value of this strategy to the business is how to get what might feel herculean, done. Good fortune to all my CISOs out there!
###