Friday, August 18, 2017

Trust Issues

A recurring term heard when working with non-security focused IT groups is that anything behind the internal firewall is “trusted”.  This is somewhat of a pet peeve, and it is setting back organizational security.  Depending upon the business ear the non-security focused IT group has, it can undermine the initiatives of the security group, because the business tends to take the path of least resistance.  If multiple parties are assuring the business that Infosec is “being paranoid”, there’s a possibility Infosec is going to lose out to keeping up-front costs low, to the argument that security hinders innovation (this is possibly a different topic at a different point in time), and to being overruled by the “trusted” mindset.  Unless there is a dedicated compliance model enforcing segmentation, encryption, etc., this can be a losing argument.

This is where Infosec teams need to take a more hands-on approach to their security and their internal threat model.  The internal threat model should assume malicious intent (or mistakes) by employees, along with attackers already living on the inside.  When threat modeling, consider bringing in and working with the non-security IT groups.  Plan for the scenario where an attacker has compromised an internal system with full privilege on that system.  Step through the process: what areas are now exposed by that system, and what lateral movement can be achieved from it?  We have to do a better job of showing why things can’t be trusted.
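One way to make that walk-through concrete for a non-security audience is to model the segments and the allowed flows between them, then compute what a fully compromised host can reach. The example below is added here and is not from the post; the host inventory, segment names and both policies are constructed, and it deliberately ignores credentials and vulnerabilities, looking only at network reachability, which is the part the “trusted internal” argument gets wrong.

```python
from collections import deque

# Constructed sample inventory (not from the post): host -> network segment.
HOSTS = {
    "ws-finance-01": "user-lan",
    "ws-hr-02": "user-lan",
    "app-payroll": "app-tier",
    "db-payroll": "db-tier",
    "dc-01": "infra",
    "backup-01": "mgmt",
}
SEGMENTS = set(HOSTS.values())

# Reachability rules as (source segment, destination segment) pairs.
# The "trusted internal" model lets every segment reach every other one.
FLAT_POLICY = {(s, d) for s in SEGMENTS for d in SEGMENTS}

# The segmented model only permits the flows the business actually needs.
SEGMENTED_POLICY = {
    ("user-lan", "app-tier"),   # users talk to the application front end
    ("app-tier", "db-tier"),    # only the app tier talks to the database
    ("user-lan", "infra"),      # workstations authenticate to the DC
    ("app-tier", "infra"),      # app servers authenticate to the DC
} | {("mgmt", seg) for seg in SEGMENTS}  # admins manage everything from mgmt


def lateral_reach(compromised: str, policy: set) -> set:
    """Return every host an attacker holding full privilege on `compromised`
    could pivot to, given only the segment-level policy.  Hosts in the same
    segment are assumed reachable (no intra-segment filtering), and a host is
    exposed if any host already under attacker control may reach its segment."""
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        src = HOSTS[queue.popleft()]
        for host, dst in HOSTS.items():
            if host not in owned and (src == dst or (src, dst) in policy):
                owned.add(host)
                queue.append(host)
    return owned - {compromised}


if __name__ == "__main__":
    # Step through the exercise from two different starting points.
    for start in ("ws-finance-01", "db-payroll"):
        for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
            exposed = lateral_reach(start, policy)
            print(f"from {start:14s} {name:9s}: {len(exposed)} exposed -> {sorted(exposed)}")
```

Under the flat policy every host is exposed no matter where the attacker lands; under the segmented one a compromised workstation still reaches the payroll tier and the DC, while a compromised database server reaches nothing, which is exactly the kind of difference to walk the infrastructure group through.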

For organizations with internal red teams (yay money!), this is easy.  Show the defenders the tools, the concepts, and the IOC avoidance techniques.  The blue / infrastructure groups can look at the tools and the information being gleaned from them.  For those that aren’t so lucky, where it’s a defender-only environment, the blue team is going to have to do a little more work.  External tests are normally tightly scoped, and don’t give a full representation to fall back on.  Start making the assumption of compromise, and at the very least become familiar with attack methodologies that can demonstrate the theory.  Simply talking about it is not enough, because the non-security focused IT groups may not understand the concepts or theories.

This is part of why this blog has been so quiet.  When afforded time to research, most free time has been spent researching attack methodologies that don’t require an installation and make use of nothing more than what already exists within the org.  This allows for actual demonstration of the ease of attack methodologies for the non-security focused IT groups.  It helps if practical, simplified attack methods are demonstrated, and that can potentially turn into a game changer.  In the long run, Infosec is going to need these groups working on its side if the business culture is going to change and the term “trusted internal system” is to be put to bed.