Leveraging Security Experts to Understand – and Thwart – Cyberattackers

Cyberattacks and ransomware breaches are on the rise, and a plethora of new tools have been introduced to the market with the promise of solving the problem.

While innovative solutions are always welcomed by IT leaders when it comes to security, tools alone often are not enough to yield true and lasting results.

InterVision delivers continuous Penetration Testing as a Service (PTaaS) leveraging the RedSpy365 solution. With InterVision, companies can continuously assess their security posture by mimicking the tactics and methods used by attackers in the real world.

As important as cutting-edge technology and new solutions are, unlocking their full potential requires an additional element: experts on the other side of the solution.

Seasoned security professionals can identify trends, put together complex streams of data, and analyze alerts to gain deeper insights into the true nature of your security posture.

Read on for more information from InterVision’s Darren Manners on the importance of pairing security solutions with security experts for the most impactful results in safeguarding your critical IT infrastructure and data.

It’s critical to pair your security solutions with expertise and skills.

Part of the problem with security is that it fails to understand the adversary’s skill set. Instead, it attempts to match the adversary’s skill set with defensive tools. The problem with defensive tools is that they often require tuning – very few being hands-off and low engagement. There is nothing wrong with a good tool in the hands of a knowledgeable analyst. The problem is that analysts these days aren’t always security-dedicated and wear multiple hats. Bad actors are very specific in their pursuit of knowledge and are extremely dedicated.

So imagine the scenario where you have a soccer (football) team that consists of only a goalkeeper. One man or woman against an entire team of bad actors. No contest. They get to kick a ball at the goal all day and only need to score once. So, what can an organization do? Well, some add in a defensive line aimed at stopping the attacks further up the field – not allowing the attackers to just breeze in and kick a ball. They attempt to create dedicated security analysts, tasking them to use defensive tools.

This is where most companies fail. Without understanding the adversary or the skill set required, calling a security analyst a security analyst with little or no training or experience is like pitting an experienced and seasoned attacker against a brand-new defender who is only learning how to play the game. It will be no contest, regardless of the defender’s toolset. Reliance upon the tool can also become a problem. A security analyst who doesn’t understand the tools in play can have a false sense of security. So unless red buttons flash and sirens go off, the new security analyst may not see the subtle indicators that may have given the game away.

I get the argument that experts have tested tools and that they should auto-tune, etc. However, the environments that tools are placed in are so varied, and the skill sets so different, that blaming tools just doesn’t make sense at times. We must live in the world we have, not the one we would like to have (at least until AI becomes better 😉).

Adding a security tool to your IT infrastructure without a seasoned analyst is a recipe for disaster. It is why InterVision delivers Penetration Testing as a Service, not a standalone product or tool. And it’s why we are an ecosystem, not a platform. It is also the reason why, when creating the crowdsourced marketplace, I targeted gathering the “know-how” of a tool or content – putting that tool or know-how into a scenario, allowing the content creator to sell that content – not just the results of their labor. It’s the ‘know-how’ that is important. It is the secret sauce. If penetration testing is an art form, then the marketplace is where offensive security professionals will sell their content and be commissioned for new work.

Some companies even have another layer. In soccer (football), that is called the midfield. They may be seasoned analysts who know tooling and understand the threat actors. They may use threat intelligence to see what the other team is up to. That way, they can adjust their formation (security posture) accordingly. Of course, adding another warm body with little or no skill will not suffice. It’s the skill of the analyst that will be tested. Just like the defensive players, the midfield must also be highly skilled.

The problem with all these skill requirements is that there is a lack of personnel available to fill these positions. I have always been aware that the “everyone is a ninja” offensive security industry requirement is not achievable in the real world. I think there can be a happy medium, though. I’m trying to create the new UX in RedSpy365 to be composable, matching the skill and experience of the analyst and growing with them as they grow in their career. At the same time, security personnel from managed security companies can augment their team and perhaps fill in the gap or conduct knowledge transfer.

So, hopefully, you have created your cyber security team. Perhaps you are partnering with other companies, like InterVision, to augment skills that your team may lack. They stand ready every day to defend you. You probably need to practice now. This is where penetration testing comes into play. You’ve got a game plan. You test it.

In testing, you look for vulnerabilities, mistakes, and misconfigurations, but you also start to use implants (malware) that can mimic modern attacks and bypass defenses. This is really where the skill set lies. Most Endpoint Detection and Response/Anti-Virus (EDR/AV) products can be bypassed. The skill of the attacker is to understand the telemetry sent by the EDR/AV and to conduct an attack using OPSEC-safe techniques – i.e., techniques that will not trigger the EDR/AV. That is why we have the RedSpy365 Scout – an advanced implant that mimics advanced attackers.

When an attacker moves laterally, there will be a trail. They must take actions to move from one system to another – but their skill is to either mimic a normal user so as not to set off any alarms or to conduct hunter/killer techniques to limit the telemetry being sent by the EDR/AV so that no alarms can trigger. This is complicated. This is tradecraft. Anyone who says this can be a press-button process doesn’t understand their adversary. Much like a defensive tool must be tuned for unique environments, attackers must also use techniques tuned for that environment. It is pure tradecraft. You will be amazed at their dedication and knowledge if you ever talk to a high-level attacker. They are very purpose-driven – and they enjoy what they do.

Moving stealthily from system to system is not easy. Ransomware is much simpler in comparison. It has a limited set of actions it must perform and is much easier to script.
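The two traces the paragraphs above describe, an account hopping between systems and a sensor that goes quiet, are exactly what a defensive analyst should be looking for in the telemetry. The following is an added example, not InterVision’s or RedSpy365’s code: it runs two simple checks over a constructed sample of authentication and EDR-heartbeat log lines. The log format, field names, hostnames and thresholds are all assumptions made for the illustration.

```python
"""Two defender-side checks for the lateral-movement trail, over constructed telemetry.

1. fan_out_alerts: one account authenticating to many distinct hosts in a short window.
2. silent_sensors: a host whose EDR heartbeat stops while other hosts keep reporting,
   the kind of gap that 'limiting telemetry' would leave behind.
Added example; the log format below is an assumption, not a real product's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format):
#   "<UTC time> host=<origin> user=<account> event=<type> [target=<destination>]"
# 'heartbeat' lines are EDR sensor check-ins; 'logon' lines are remote authentications.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z host=WS-07 user=alice event=logon target=FS-01
2024-05-01T09:00:30Z host=FS-01 user=edr event=heartbeat
2024-05-01T09:00:30Z host=WS-07 user=edr event=heartbeat
2024-05-01T09:00:30Z host=DB-02 user=edr event=heartbeat
2024-05-01T09:02:00Z host=WS-07 user=svc-backup event=logon target=FS-01
2024-05-01T09:02:40Z host=WS-07 user=svc-backup event=logon target=DB-02
2024-05-01T09:03:10Z host=WS-07 user=svc-backup event=logon target=DC-01
2024-05-01T09:03:50Z host=WS-07 user=svc-backup event=logon target=WEB-03
2024-05-01T09:05:30Z host=FS-01 user=edr event=heartbeat
2024-05-01T09:05:30Z host=WS-07 user=edr event=heartbeat
2024-05-01T09:10:30Z host=FS-01 user=edr event=heartbeat
2024-05-01T09:10:30Z host=WS-07 user=edr event=heartbeat
2024-05-01T09:15:30Z host=FS-01 user=edr event=heartbeat
2024-05-01T09:15:30Z host=WS-07 user=edr event=heartbeat
"""


def parse_line(line):
    """Turn one 'time key=value ...' line into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return {account: sorted targets} for accounts that logged on to at least
    `threshold` distinct hosts inside any span of length `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon" and "target" in ev:
            per_user[ev["user"]].append((ev["time"], ev["target"]))
    alerts = {}
    for user, logons in per_user.items():
        logons.sort()  # sliding window over time-ordered logons
        for i, (start, _) in enumerate(logons):
            targets = {tgt for t, tgt in logons[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts[user] = sorted(targets)
                break
    return alerts


def silent_sensors(events, max_gap=timedelta(minutes=10)):
    """Return hosts whose last heartbeat is more than `max_gap` older than the
    newest heartbeat in the feed: sensors that went quiet while others kept reporting."""
    last_seen = {}
    for ev in events:
        if ev.get("event") == "heartbeat":
            host = ev["host"]
            last_seen[host] = max(last_seen.get(host, ev["time"]), ev["time"])
    if not last_seen:
        return []
    newest = max(last_seen.values())
    return sorted(host for host, t in last_seen.items() if newest - t > max_gap)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fan-out:", fan_out_alerts(evs))       # svc-backup hit four hosts in two minutes
    print("silent sensors:", silent_sensors(evs))  # DB-02 stopped reporting after being reached
```

Neither check is a verdict on its own: a backup account that touches many hosts may be legitimate, and a sensor can go quiet because a laptop was closed. What the analyst gains is the correlation the tool will not make by itself. Here the host that stopped reporting is one of the hosts the fanning-out account had just reached, which is the subtle indicator worth a second look.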

When you do practice, though, make sure the team you practice with can test your defenses with modern tactics, techniques, tools, and procedures. Pairing whatever solution you choose with equally innovative expertise is critical to success. You will fight as hard as you train. The costs of not training are very high, and no one wants to score their own goal.

Secure Your Future with InterVision

Don’t leave your security to chance. Pairing cutting-edge solutions with seasoned expertise is the key to safeguarding your IT infrastructure and data. Discover how InterVision’s PTaaS and expert analysts can help you stay ahead of cyber threats. Contact us today to start strengthening your defense and ensuring your organization’s resilience against attackers. Your security starts here.
