Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay. This doesn’t mean that CISO Forum 2019 was not interesting or that I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental report about it. I began to write it, but, as usually happens, more urgent tasks and topics appeared, so the work eventually stopped until now.
At CISO Forum 2019 I participated in two panel discussions. The first one was about Offensive Security and Red Teams in particular.
Vulnerability Management and Red Teaming
Honestly, Offensive Security is not my topic at all. I work on the Defensive side. But in fact, the discussion became very interesting. There were colleagues who work on security within organizations:
- CTO of QIWI and the founder of Vulners Kirill Ermakov
- Famous security lady Mona Archipova
- Serg Rysin from GTLK
- and me 🙂
And the guys from security consulting and system integration:
- Vitaliy Malkin, Head of Security Assessment Team at Informzaschita
- Igor Motroni, currently Senior Security Testing Specialist at BI.ZONE; at the time he also worked at Informzaschita
The discussion was moderated by Dmitry Gadar, CISO of Tinkoff.
We started our conversation with the question: does pentest make any practical sense? 😉 For the most part, we agreed that pentest makes sense if the organization already has some implemented security processes that should be verified (otherwise it will be just a formality). Pentest can also be used for begging money from the business. But this means that communication between security and business is broken. The business is also used to such fear selling, so such methods don’t work well anymore.
Pentests/Red Teaming usually begin with a Vulnerability Scan, so I had the opportunity to share my opinion on how to do it right. I started by mentioning the presentation of colleagues from Informzaschita. They talked about “shades of Red Teaming” just before the discussion. Red Teaming can be hardcore and practical (“burgundy”), or you can give the attackers additional data about the infrastructure (“pink”). And here was my point: the VM process should provide all the necessary information for the Red Team.
Why can the collaboration between the Red Team and the VM team be highly beneficial?
- Vulnerability Management provides good knowledge across the entire infrastructure; however, it is rather theoretical: “Fix this host, because we mark it red until we mark it green.” Not a very healthy activity, to say the least. And it’s hard to convince IT and the owners of the systems that it’s important.
- Offensive (pentest, red teaming) is the most practical, the healthiest part of all Information Security. When some real IT system is demonstratively compromised, it makes a great impression on the responsible people and decision makers. Their work is visible.
- On the one hand, the competitiveness (offensive vs. defensive, red team vs. blue team, pentest vs. SOC + infrasec) is great, because it keeps both teams toned and allows the manager to distribute bonuses according to concrete achievements: the system was hacked / was not hacked, the breach was found / was not found.
- But because of the same competition, the attackers may not see the whole infrastructure and may behave too actively. As a result, a big part of the infrastructure is out of scope, and we get a ‘security by obscurity’ situation and a quite formal VM process as well.
- So, IMHO, the right way is to link the infrastructure analysis (Vulnerability Management) with offensive activities as much as possible. If the Red Team needs a network map and accessibility information – here it is; if they need to know all the vulnerabilities on all the hosts – no problem. Just hack the systems and help us (Infrastructure Security and Vulnerability Management) implement the right practices.
Then I talked about my attitude towards Breach and Attack Simulation solutions. I’m still skeptical. If they really attack and get access to the systems – that’s great. If they only show a “theoretical” possibility of exploitation, it is not very interesting.
Do we need Pentest / Red Team if we already have Vulnerability Management?
I believe that in the ideal case, when we can automatically fix any vulnerability in our infrastructure or say for sure that it’s not exploitable, we could live with Vulnerability Management only. To tell the truth, all attempts to optimize the installation of security updates (“patch this, it’s critical; don’t patch this – it’s not”), including the latest Predictive Prioritization concept, seem quite weak and awkward if you keep in mind how little we know about all existing vulnerabilities. I REALLY want to see universal, fully automated remediation and Patch Management as well, but I DON’T think we are close to that, and what we have on the VM market has many compromises. So, until we have much better Vulnerability Prioritization and Vulnerability Remediation, additional verification work is required. It can be done inside the Vulnerability Management team, but it would be much better to perform it as part of the Red / Pink Team activities.
And of course, do not forget about alternative measures when normal remediation is impossible. Another big topic: vulnerability remediation requires a lot of communication with IT, and that can be rough (here are some more links to my Telegram channel):
- It’s important to clarify that the Vulnerability Management guys (and the entire IT Security Team) are doing their best in the given situation, caused by bad decisions of other people from IT and Business, and to keep in mind how things should be done right. Otherwise, there is a huge risk of getting stuck in the “Stockholm syndrome”.
- Treat any vulnerability as if it was ALREADY exploited by an attacker in a major incident, and everyone is going to blame you for it.
- What if we found this vulnerability, but for some reason it was not fixed properly and on time? What could be the reason?
A career in Information Security abroad
The second Panel Discussion I participated in was about building an InfoSec career abroad. I was the only one in this panel among 10 other people who hadn’t worked abroad a single day of my life. 🙂 I was there because of my interest in the topic and my vacancy monitoring project. And I certainly had some experience in job interviews and got some job offers; I just didn’t accept them.
I gave a short presentation about my view on this topic:
- Many vacancies appear on the global InfoSec labor market every day. For example, 1,608 “Vulnerability Management” vacancies were published in the week before the conference:
  - United States: 611 (73.5%)
  - United Kingdom: 66 (7.9%)
  - Europe, Blue Card Zone: 56 (6.7%)
- Most vacancies are for locals, and most companies are not ready to relocate people.
- Main difficulties: work permits and visas, language skills (other than English), specific education requirements, security clearance and citizenship.
- It makes sense to relocate a specialist ONLY if he/she has unique competencies that locals do not have AND the company really needs these competencies. Therefore, you should know what you can bring to the organization and be ready to demonstrate it (personal branding, networking, etc.).
- Is it worth it? In terms of net income, cost of living, and the number of offers, Moscow, St. Petersburg, Minsk, and Kiev can be much better for an Information Security specialist than many other locations. Of course, the situation can change, and there are things besides money…
These additional benefits were discussed by colleagues in the hall and by teleconference. I will not go through all of it; the moderator of the discussion, Andrey Prozorov, put it all together in his blog (in Russian): part 1, part 2, part 3, part 4.
In conclusion
It was an excellent conference. I really liked it and I am going to participate in 2020 as well. 😉
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is where I now post first.