Wednesday, 2 December 2015

Week 4 [30.11-06.12.2015] Is Offensive Security the Future?

Hi, 

I'd like to present a very interesting article I read recently, "Is Offensive Security the Future?" by John Walker: http://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/offensive-security/

I find it quite fascinating that we are seeing far too many successful attacks against organisations that are spending small fortunes on their security defences and capabilities, yet are still left insecure after being granted a valued ‘tick’, which leaves the assessed organisation exposed to the nightmare of its unknown unknowns. We have to look beyond what is seen as red-team testing and embrace an activity which encompasses the dark arts of our adversaries, goes well beyond the world of penetration testing, and stops over-focusing on what we already know, or think we need, to subject to a programme of security testing. I am talking about the operational black-team, working under the same rules as would hackers, attackers, hacktivists, organised cyber-criminals, and state-sponsored attackers.

Qs:
1. Are the operational black-teams the future of IT security?
2. Would you agree that "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’" and that "‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’."?
3. Are we winning or losing?



47 comments:

  1. Q1. Yes, they will be. Most countries have special IT branches to prevent uncertain events. We are fighting with sophisticated methods of hacking. Every piece of software has bugs. You can fight with it, you can test it, and still it can be hacked. Like in your article: even after tests you can get hacked.
    Q2. Look at my article. Risk management: consider security in your company as a big security project. Define risks at the beginning, try to prevent them, analyse them. It won't save you, but it can seriously minimize the impact.
    Q3. We are definitely losing.

    Replies
    1. RQ1 I think most of the biggest world's corpos have black-teams too. But the question is: are they for Defence (prevention) or for Attack? Where is the border between these two things?
      RQ2 You have to know how to attack to define risks of that type...
      RQ3 We are losing and entering into the Shadow...

  2. 1. Are the operational black-teams the future of IT security?

    I wish I could say "yes". Given the fact that security researchers are few and far between, it is highly unlikely. Conversely, we're seeing teams of "security professionals" that don't want to go beyond legal regulations.
    I don't blame them; it is often what they are told to do by their managers, who are usually completely ignorant when it comes to security (but great specialists on the business side of the equation).

    2. Would you agree that: "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’ " and this " ‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’. " ?

    Interesting statement, but completely unrealistic. There aren't many companies out there who can afford to hire such highly skilled professionals. At the same time, highly skilled professionals, no matter the discipline, are rare. Let us think for a moment: some imaginary consultancy hires the best of the best security researchers and forms a black team out of them. How many companies will these guys be able to cover? Not too many, I am afraid.
    And that's the reason why security companies' future seems bright. If it weren't for mismanagement, I bet all of them would be rising very fast.

    3. Are we winning or losing?

    I bet you heard about Sony (who didn't?). Lesser known are the RSA token breach, or the Lockheed-Martin security leak (based on the broken RSA token algorithm...).
    I wish I could say we're winning, but the sad truth is that the opposite is happening.

    Replies
    1. RQ1 "Who are usually complete ignorants when it comes to security (but great specialists on business side of equation)." - great :)
      RQ2 "security companies' future seems bright" - yes, but I think that they are hired now not only for tests but for sneak attacks too
      RQ3 yes

  3. 1. No, I don't think so. I'd rather see some security procedure being enforced to prevent access to the most confidential data, but still using the same buggy software. You wonder why? Firstly, because it will be much cheaper than managing a black-team. And secondly, only through conscious behavior are you able to prevent some unwanted scenarios. Ignorance is NOT bliss here. And, what's kind of obvious, there simply won't be enough IT security specialists to staff all the black-teams everywhere - the mentioned mediocrity will bite you as certainly as the Gauss distribution.

    2. Here it looks like I've already given my view by answering question #1. Not much to add, frankly speaking.

    3. Who are 'we' in this context? And what is the thing we're fighting for here?
    We as users or companies against hackers?
    Or we the people against government agencies (these guys have their own black-teams?)
    Or government agencies against hackers? :)

    Replies
    1. RQ1&2 You have to know how to attack to defend, and attack is the best defence.
      RQ3 :))))

  4. 1. Are the operational black-teams the future of IT security?

    In my opinion yes. I agree with Mateusz P; I think we have a lot of kinds of problems with hacking. In my opinion every piece of software may be hacked. I have a good example. My mom passed an exam; the exam is very secure (every person who tries to pass the exam has a separate room with cameras, etc.). She passed the exam and the certificate arrived by traditional mail from America. A couple of weeks ago she received an email from this institution about a hacked company system. She again received a certificate at home from America. So in my opinion every system can be hacked.

    2. Would you agree that: "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’ " and this " ‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’. " ?

    I agree with Mateusz P.
    We can't eliminate our system being hacked, but we can minimize this by applying security policies, etc.
    3. Are we winning or losing?
    In my opinion we are losing.

    Replies
    1. RQ1 I think most of the biggest world's corpos have black-teams too. But the question is: are they for Defence (prevention) or for Attack? Where is the border between these two things?
      RQ2 You have to know how to attack to define risks of that type...
      RQ3 We are losing and entering into the Shadow...

  5. Q1. Yes, I think that they will be. Most countries and the biggest organizations have special IT teams to prevent uncertain events. They are fighting with rare and very specific methods of attack. Every piece of software always has some bugs and errors. They just need to be found. You can try everything that is possible, but you will always lose.
    Q2. We will never prevent 100% of bugs, errors and attacks. We should focus on making them as small as possible; we should focus on preventing them as much as possible.
    Q3. I think that we are losing.

    Replies
    1. RQ1 I think most of the biggest world's corpos have black-teams too. But the question is: are they for Defence (prevention) or for Attack? Where is the border between these two things?
      RQ2 You have to know how to attack to define risks of that type...
      RQ3 We are losing and entering into the Shadow...

  6. 1. The operational black-teams in any area, including IT security, are a very bad idea. It has been historically proven that sooner or later every such operation becomes impossible to control in the long run and turns into a criminal or terrorist endeavor.
    2. Most likely yes, that is the average case. And one more argument against employing black operations as a war tool.
    3. We are slowly losing, but hopefully with the quantum encryption methodology and new AI capacities we shall regain the lost ground.

    Replies
    1. RQ1&2 Yes, it is a possible danger. But in most battles in this world GOOD wins only when it has the BIGGEST "MOTHERFUCKER" on its side...
      RQ3 Computers never win against human brains....

  7. Q1. I think that this approach is the future of IT security. But there must be some border: people that were taken from the black side should leave their past behind. I know that some companies will use their skills in an improper manner.

    Q2. I must agree that we cannot prevent attacks but we may make them harder to make. I think that this kind of approach we should consider as additional test case in our software development proce

    Q3. If companies have started to use this kind of approach, they know they are losing, and I must say they are losing badly. From a client perspective it is a big plus, because they know that companies want to improve their security, so consumer business is much safer.

    Replies
    1. RQ1 "people that were taken from black side should leave their past behind" :)
      RQ2 YES
      RQ3 :)

  8. Most corporations prefer "invoice driven development", as I call it. It's hard to convince stakeholders that they have to invest in things that don't generate income. I don't think that security black teams are the future, simply because corporations prefer the "tick in a box" strategy and believe that a security breach won't happen to them.
    I'm not sure what you meant in your last question. I feel quite safe on the web, and I have had only one security incident in my career - some Turkish "hackers" changed index.html on a web page I manage. It took around two minutes to fix it and change all passwords.

  9. 1. Black-teams are just part of the modern security concept, so I won't agree that's the only direction for the future. It's just another area of defense.

    2. I can agree, but I have an impression that the author is excessively overwhelmed by this idea - which is also not new. The idea of a "black-team" is exactly as old as the idea of a "hack-team". What came first - locked doors or thieves?

    3. I would say that the game is lost from the beginning, because it is not a game on an equal footing. You can't watch the door the whole time, but on the other hand, try to imagine that you're living in a block and there are so many other doors that you must be doing something to bring the thieves' attention.

  10. Q1) I am not sure whether operational black-teams are the future of IT security. IT security has a very wide range and these teams can be one of the available protection methods. Companies ignore the risk of cyber attacks until they are a victim.

    Q2) The user is the weakest point of any security. We hope that we will never be attacked. You cannot ensure 100% security. We can minimize risk by proper procedures and solutions.

    Q3) It is a draw in my opinion, but we are too often a step behind.

  11. So-called black-teams are for sure part of the future of IT security. It's not something that came from nowhere - it means that the demand for such professionals rose because of specific reasons. Actually, being on that "bad side" provides the best opportunity to find any gap in a particular IT system.
    We need to assume that a system which is immune to any kind of attack simply does not exist. Some time ago I heard about a way of testing new software at one company - they simply release a new version of the product and then receive feedback from end users. That way of testing brings results closest to reality, and in security terms it is the same.
    The answer to the last question is sad - we are definitely losing.

  12. 1) I think that the most important national and business organizations are going to, or soon will, aim at their conversion.
    2) It is difficult to guarantee total safety, the faith in which has often led to the destruction of the mighty of this world.
    3) In my personal opinion we are losing.

  13. We are losing and we will always lose as long as people do not change their attitude. In my opinion, a hacker can break into any computer connected to the network. The best anti-virus so far is our brain. When we think of hackers, the first thing that comes to mind is a pimply 13-year-old who is sitting somewhere in a tiny little room and makes viruses because he considers it a lot of fun. It's probably too big a generalisation. Among hackers there are indeed 13-year-olds, but there are also those who are, for example, 43 years old and deal with this fully professionally. Most recently in Ukraine a 600-person company that dealt only in data-stealing software development was closed. -:(((

  14. 1. I am not sure if they are the future. They are definitely a good way of finding weak places in a company's security. They also show the mechanism of the attack, so it can be better understood and prevented. But I also think that it might be a little expensive and that's why it won't be common.
    2. In my opinion it is not possible to prevent attacks 100%, but we could decrease the danger.
    3. I have no opinion.

  15. This comment has been removed by the author.

    Replies
    1. Katarzyna Scibisz, 6 December 2015 at 20:48

      I think that black-teams may be one of the parts of the development of IT security systems, but even if the tests are at a high level, unfortunately, the main security hole in such tests may be people.
      It seems the teams play a great role in the process of prevention of cyber crimes.
      We will never prevent every occurrence, and the statements in Q2 are unreal. How much can we spend on highly skilled professionals? How many resources will it consume?
      Are we winning? No, we are slowly losing the advantage. IT systems are more and more comprehensive, so it will be more difficult to prevent unwelcome occurrences.
      More attention should be paid during software development. It seems obvious, but many small wrong decisions result in poor performance.

  16. I read this article with great interest because I am interested in security in general. Currently, when the whole world is connected via the Internet, cyber security is the most important issue for everybody. Regardless of whether we are individuals or workers, we should be very sensitive about our data safety. At home we can use only typical software or hardware things, but in a company we must think about security more widely and more flexibly. Therefore I agree with the statement that we should use operational black-teams to increase the level of our security. I think this is the future of cyber security if we would like to defend against this real threat. Typical things such as firewalls, IPS, IDS or others don't protect our organization comprehensively enough. Every day around the world a lot of hackers try to conquer our security. Therefore only operational black-teams can successfully prevent real danger. Black-teams working as hackers will be able to seek and find vulnerable points in our security successfully. I think this war between hackers and IT security staff is endless, and one day hackers will win but the next day the “good guys” will win. This follows the scheme of the fight between good and evil as in books about the never-ending war between angels and devils.

  17. 1. Are the operational black-teams the future of IT security?

    There will always be security holes in software. That's the reason why hackers are usually hired by the biggest IT companies after being released from prison. That procedure is nothing new; it's as old as computers. So the answer is yes, this is how it was and how it will be.

    2. Would you agree that: "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’ " and this " ‘it is not the case that we are so smart, but more a case of the average organization is deploying inadequate security’. " ?

    In my opinion the goal of a black-team is to find the gaps in the software. In a corporation, unfortunately, it comes down to placing a tick and committing it. Even so, such teams are necessary in the biggest companies. An average organization could only pay for good security. The cost is high; that's why the security in such companies is usually at a low level.

  18. 3. Are we winning or losing?

    Sometimes we are winning, sometimes losing. It depends on what the most intelligent hacker recognizes as interesting to hack. Even such companies as Facebook or Twitter have had security slip-ups in their history. For sure we should not give up.

  19. 1. Are the operational black-teams the future of IT security?

    It is sad that it has come to presenting the idea of IT security black-teams whose goal is to find weaknesses in our, and probably even in our competitors', software and networks. I think the next step will be AI supporting IT security and next… I would rather not be the bad news messenger.

    2. Would you agree that: "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’ "  and this " ‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’. " ?

    I am not a first-class expert in IT security, but I have had the honor to work with managers who were deeply educated in plenty of security aspects. Still, I have difficulties answering this question, because almost all the security enhancements that I have tried are not 100% secure, and the only benefit that reasonable implementations can unfortunately give us is some additional time in a fairly secure state.

    3. Are we winning or losing?

    Who are we? The IT community is divided. Even the scientific community has started to compete against itself. So maybe I would give a general answer to this type of question. In today's wars, in the end we all lose. And even now, in these sad times, I look ahead to another breakthrough that can integrate the computer science crew. :)

  20. Hmmm... In the "offline" world there were always good guys and bad guys. Unfortunately good guys need to play by the rules - bad guys don't have such constraints. And yeah, sometimes bad guys want to become good, but I'm afraid that those are not the best in the job. From my point of view it's the same in the online world. And even if there are some really highly skilled pros, they are limited by regulations. BTW, I'm surprised that I couldn't just google "black team IT security" with any satisfying result - are they that good? ;-) However, I'm not sure that "black teams" are the future of IT security. I think that programmers and administrators should do a better job and force the security team to be better at their job. Companies' CIOs should realize what the current standards are. Mediocrity in this field exists because it's just too easy to satisfy companies with a poor job. Hackers, crackers (whatever ;-)) are going to be better and better, and IT security guys need to be prepared.

  21. In my opinion we are losing. I agree we cannot prevent attacks, but we may make them harder to carry out. The security team concept is another way to improve security in a company. My experience shows that it isn't as popular as other penetration testing methods.

  22. Hi

    I think that it could be the case that operational black-teams will be the future of IT security. I think that because almost all IT attacks are carried out by hackers or black-teams. I'm almost sure that part of those black teams are prepared to be hackers. It is a thin line between being a hacker and being in the black-teams. Do you agree with me?
    I would like to answer your second question, but it is not simple - there are many people who have a good point on that question - there is no 100% security level to protect our data. But we have to work on it and teach personnel about IT risk.

    Replies
    1. Yes, the line is very thin. Sometimes the same people are on both sides.

  23. 1. Are the operational black-teams the future of IT security?
    > I heard there are companies / agencies using such an approach to be prepared against harmful attacks on their services. This is indeed a beneficial approach, unless there is an attacker outside able to see, think and act in a way that turns our black-team into sitting ducks. Sounds like trolling? Maybe.. There is nothing perfect..

    2. Would you agree that: "...absolute ultimate goal of using such a black-team to operate under the unconventional terms of reference of Offensive Security, is to take the pen, pencil and any document which accommodates the placing of a tick, and committing it to the tray of compliance led ‘Soft Security.’ " and this " ‘it is not the case that we are so smart, but more a case of the average organisation is deploying inadequate security’. " ?
    > Sorry, I didn't understand.

    3. Are we winning or losing?
    > I don't think we are either losing or winning. Remember, the attacker also has a life and expenses. You are safe from being hacked as long as the value of hacking you is smaller than the value of the time that the attacker needs to spend on hacking you.

  24. 1. Are the operational black-teams the future of IT security?

    They are definitely one of the ways to increase security. It also depends on the black-team members themselves.

    3. Are we winning or losing?

    As long as this field develops, it is a good sign.
