It's Sunday afternoon and the coffee shop is buzzing.
Soccer moms between breaks. Beatnik poets debating the world's problems. Basically a tapestry of people that pretty much matches the tapestry of concoctions available on the coffee menu. I try to engross myself in an e-book, but it isn't long before my attention is drawn by a discussion two men are having.
"We just installed a new threat intelligence system..." says the portly fellow to my immediate left.
"Really, that is great! We are redoing our perimeter defenses and trying to think through how we can develop better layers," adds the gentleman seated across the table from Mr. Threat Intelligence.
I let the conversation linger for a few minutes, eliciting small tidbits of information, before chiming in and introducing myself. It isn't long before we exchange business cards (one is a CIO with a NJ-based insurance company and the other the CISO of a NYC-based finance firm) and talk more about what intelligence systems the CISO evaluated before settling on his final choice. We explore the issues that prompted the rework on their perimeter, where they are in planning, and how long before they get those issues fixed.
Now you, dear reader, are probably thinking, "How stupid are they? They have this discussion with someone they don't even know in a public place! I would never ever do that..." Uh, chances are yes you would. It isn't because you are unprofessional, stupid or shortsighted; it is simply because you are a good person.
Often I am asked "what is the biggest challenge faced by a CIO or CISO trying to secure their environment?" My answer is always "they are good people" which leaves the questioner scratching their head.
Admittedly that is a low-tech answer, but I assure you it is the foundational reason that most organizations get successfully breached. The reality is that most people involved in securing systems are good people. They are not criminals, spies or terrorists; they simply do not have the perspective of evil, and that leads to a flawed, unrealistic understanding of the threat environment.
Don't believe me? Then let's play a game and see how well you do in protecting your environment. In this game, I am going to attack your organization, and I am going to do it right here and right now. All you have to do is keep doing what you always do and just be honest.
Great...let the game begin.
Here is my one question: "What is the attack surface of your organization?"
Chances are you detailed your networks, computing devices, VoIP systems and your supply chain (if you are on top of your game). You have probably done a great job, or believe you have done a great job, of securing your perimeter, have risk management in place, run tabletop simulations and have continuous monitoring in place. In fact, I sense you getting a little cocky, maybe even daring me to attack you to see if I can get into your systems. What is a little penetration testing between friends, right?
Remember, this is just a game... you answered my question, and now I am going to circumvent your defenses.
It will only take me a weekend, if that, but I can tell you that I have a 99% success rate using this attack. So before we go further, you might want to double-check all of your systems, perimeter defenses and other practices, because I am going to get to you and do some serious damage.
Here we go...
1. Check your website and other open source intelligence for the names and backgrounds of your executive team and IT employees (LinkedIn is a great source for this information).
2. Figure out where they live. Really: their home address, shopping patterns, clubs, hobbies. I am going to become their new best friend, stalker and adversary all rolled into one. I am going to do this using open source software, your team members' Wi-Fi auth signals and some Google Maps.
3. Compromise their home and personal networks as well as all computing devices on those networks.
4. I think you know what happens in Step 4...
So how did this happen?
Well, it starts with you being a good person.
I am not a good person, well not all the time.
When I break into systems (yes, legally—penetration tests, we call it), I don't approach it as a good person. I approach it from the perspective of an evil person. When my associates and I undertake an operation, we employ the same thinking used by a cyber-spy, terrorist or criminal.
This way of thinking is vastly different from what most people charged with securing technology systems are comfortable doing, or even capable of doing.
We have no qualms about following your CIO home, booking a room in the same hotel where your CEO is staying during an upcoming board meeting or conference, and getting to know them personally. We love sending your IT staff cool gifts that contain voice-activated recorders or software-defined radio systems. We will pose as members of a school sports team to get to your kids' Facebook page and eventually send them a photo of our puppy that has embedded malware. Our phishing e-mails don't promise you recovered riches in Nigeria, but we do use Ancestry.com and obituaries to tell you that there is a problem with your recently deceased parent's death certificate and we require your assistance. Evil doesn't have rules, political correctness or manners.
Evil goes well beyond conventional and acceptable and lives in the world of the uncomfortable. What a good person defines as an attack surface is comical to someone who has no rules.
The attack surface is anything and everything that you place at their disposal: from bad code and poor practices to a lack of operational security and even the insecure home networks of your executives.
Evil compromises your security cameras, your Android devices, your cloud-based source control, your reliance on open source libraries, your firmware. The only way to fight back is to fight evil with evil. By no means does this mean that you should become evil, but you need to think like someone evil. For many people in the business of securing technology, that is just not possible.
Many of us in this industry, I would suspect the vast majority, are just not capable of, wired for, or willing to step into the dark side. Unfortunately, this is exactly the reason that compromises will continue at the unprecedented rate we have seen unfold over the past few years.
You cannot create effective perimeter defenses, risk management strategies, tabletop simulations, security strategies, supply chain strategies and other practices if you are not really even sure just how vicious, visionary and committed your attackers have become. For some, this article will do no more than provide a chuckle; others will probably feel a cold chill or a nauseous feeling, realizing that despite your best efforts and investments, the reality is that you are up against an enemy who is operating from a place that you do not understand.
Hopefully you do have a chill or a sick feeling in the bottom of your stomach. I want you to feel naked and afraid.
Why would I want this for you? Because to truly fight back against an attack, you must first understand where you stand, and nothing is more liberating than the truth. If you are feeling off after realizing that there are those who would go after your executives at a coffee shop, then you are taking the first step in fighting back and not just following the latest trends.
Before closing out the article, I want to offer you some suggestions.
First, stop saying "hacker", "black or white hat" or "breach."
They are old school words that do not convey the reality of what you are facing today and will continue to face for the foreseeable future. You are being attacked, full out, no holds barred attacked. The people carrying out those attacks are attackers.
Changing your vocabulary will change your perspective and approach.
There is a world of difference between saying you were mugged and saying someone attacked you on the street. The same difference exists between being hacked and being attacked. Sony, Anthem and OPM weren't hacked; they were attacked by highly skilled and amazingly talented, yet evil, attackers. Train your people to understand they are under attack; the world has changed. Keep thinking you are up against hackers, and you are going to lose.
Secondly, create environments where you don't squelch reality, but foster it.
Too many times I hear cyber-security specialists state "Well, what are the chances?" or "That is too far-fetched." Yes, you do have to quantify the probability of a risk, but in today's world the probability of the far-fetched risk is higher than you would expect. Make sure that you are not applying a rational explanation to something that, for others, is highly probable. When I teach workshops I introduce attendees to "RRT," or Rational Response Theory. The short of it is that you, because you are inherently good, will rationalize things before you accept them as evil. Be very careful what you are rationalizing, because it could come back to haunt you.
Lastly, don't become evil. Stay good; the world needs good people like you.
If you want to know how evil thinks, go hire operators, not people in suits. They are out there; they have good hearts and souls, just really complex minds that border on scary.
But you should keep being you...
As for those two men I met in the coffee shop:
After I learned a bunch about them and their systems, I told them who I was and what I do for a living. Once we got past the pale faces and the fear of having said too much, they realized they had learned a valuable lesson. Evil lurks everywhere: sometimes it's online, in China or the Middle East, and sometimes it is a group of cybersecurity operators in NJ, just enjoying a decaf mocha.