Moving from the Defender’s Dilemma: A New Perspective on Pen Testing

by James Stanger | Oct 10, 2018

A photo of a foosball table with red and blue playersI got a professional two-fer kick in the head the other day. Or, is that kicks in the head? It involved discussions about the real use of the pen testing team. Let me explain.

The first came as I was discussing with Tim Crothers, the vice president of cybersecurity at Target, the most important reason to use a pen testing team: to improve the blue team, and create useful, meaningful metrics. We were talking about how the “act like a hacker to stop the hacker” approach just really doesn’t work. Neither does the "quarterly compliance" pen test.

Instead of improving security, simply doing pen tests for compliance reasons or because it’s going to stop the hacker leads to a whack-a-mole approach to cybersecurity. Instead, you use the pen tester/ red team” to give the blue team a chance to improve its security controls.

Image of the red team (penetration testers) and blue team (cybersecurity analysts)

Those controls could be any number of things, including security information event management (SIEM) tools, an intrusion detection system (IDS) or log monitoring tools.

Why Security Solutions Aren’t Working, and Adopting the Right Perspective

I could tell that he was a bit uneasy as we talked. Then, he told me why: he said that another serious problem in pen testing is that most folks tend to think in terms of the defender’s dilemma, rather than the attacker’s dilemma. I didn’t know what he was talking about, really. He then told me about how he heard from a Microsoft employee that as we focus on the attacker’s dilemma, we get a better focus on our blue team operations.

You see, most companies still worry about how one vulnerability can lead to a catastrophic attack. That’s the defender’s dilemma: All it takes is one attack, and your entire company is compromised.

That’s not a useful perspective, really: it’s irredeemably fear based, and it’s a perspective that just doesn’t work well when you’re trying to build a sophisticated, comprehensive security approach.

So, Tim and I then turned our attention to talking about the importance of finding indicators of compromise and how the more you focus on the hacker kill chain (for lack of a better phrase), the more you’ll turn your attention away from fear-based defender’s dilemma thinking to a proactive, more useful approach: focusing on the attacker’s dilemma.

Seven steps of the cyber kill chain: 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control 7. Actions on Objectives

The Lockheed Martin Cyber Kill Chain

The Hacker Lifecycle: Discovery, penetration/foothold, escalate privileges, internal reconnaissance, lateral movement and persistence

Alternative/Complementary Hacker Lifecycle 

The Attacker’s Dilemma: The Better Perspective

As an attacker pursues targets and takes steps along the hacker’s lifecycle/kill chain, all it takes is a single alert to reveal all your activities. That would completely halt the entire operation. This was quite the revelation – or kick in the head – to me, because it was so simple: the cybersecurity industry has known the hacker lifecycle/kill chain for decades. Yet, it has completely failed to look at the lifecycle from the right perspective. 

Less than a week later, I got another kick to the head. On the second occasion, I was talking with Chris Hodson,a chief information security officer (CISO) in London. We were discussing how new developments in multifactor authentication (MFA) and two-factor authentication (2FA). We were discussing advancements in privileged access management (PAM), biometrics, 24x7 monitoring, micro-segmentation, and managed detection and response.

“But, none of these things is really going to work unless we focus on what the hacker is doing,” he said.

“You mean, focus on the attacker’s dilemma?” I sheepishly stated.

“Well, call it what you want, mate,” Chris said and then went on to explain how you can end up spending millions on the wrong solutions, unless you use the red team correctly.

If you focus on the kill chain or the hacker’s dilemma, it’s possible to really hone in on the risk faced by your company. We’ve heard for decades, now, about how you can calculate risk:

Risk = Probability Multiplied by Loss

Identifying the Interstices

But that’s such an academic, dry way of looking at cybersecurity. I find that if you focus on the kill chain and then consider how your own company uses networks and computing resources, you can very quickly identify the most at-risk resources.

As the red team and blue team focus on the attacker’s dilemma, they identify the interstices on the network, or the hard-to-reach places where one technology connects with another.

Here are a few examples of interstices:

  • Where meet space (people, employees) and cyberspace (e-mail, instant messaging, Web pages) converge
  • Where industrial control system (ICS)/Supervisory Control and Data Acquisition (SCADA) systems connect to a traditional network
  • When and where legitimate employees gain physical access to a building
  • Connecting a webpage to an SQL server.
  • Connecting SMS/mobile and web technologies together for 2FA
  • Where domain name service (DNS) servers resolve requests
  • Where private blockchains are accessed by traditional computing resources (e.g., web browsers)

I couldn’t help but bring up Edmond Locard, a fairly obscure French guy who died just after I was born, and his concept of the Exchange Principle.

Focusing on Indicators of Compromise

Want more on metrics?

Learn more about establishing security metrics in CompTIA's latest research report, 2018 Trends in Cybersecurity: Building Effective Security Teams.

Even though Locard lived in a pretty much pre-internet world, his points help us focus on the attacker’s dilemma: when a crime is committed, the perpetrator will bring something to the crime scene and will leave something behind.

By focusing on the attacker’s activities, the blue team and other workers can better map controls to indicators of compromise. We can do a much better job of using the red team to help create useful cybersecurity metrics.

The conversations I had with Tim and Chris were really pretty good kicks in the head. They really helped crystalize the importance of focusing on the actions of the attacker. Think of it this way: There’s no real way to get any real metrics unless you first focus on the right things. At RSA 2018 in San Francisco, we saw more than 6,000 cybersecurity vendors. I mean, that’s insane – how do you make any sense of that? Well, focusing on the attacker is a great way to start.

See how your skills fit into cybersecurity with our quiz, Are You Red Team or Blue Team?

Leave a Comment

Boost your Career with a Certification

Find out more about our Certifications

How to get Certified

4 Steps to Certification

Already certified? Let us and others know!

Share Your Story