I strongly believe in the importance of approaching security from both a proactive and pragmatic perspective. Compliance and policy focused security, while it may promote the enforcement of some valuable controls, tends to stagnate and create a bloated security program that is fraught with misprioritisation. Too often it leads security teams to become so involved in working through checklists that they completely overlook the real threats faced by their organisation. This begs the question: how does one go about adopting an approach that addresses this?
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu, Art of War: Chapter 3 (Attack by Stratagem)
When posed with a challenge or problem, don’t just look at how you can solve it – approach it from the perspective of your adversaries too. Of course, this first requires you to understand who they are, which may include:
- Criminal organisations, e.g. cybercrime gangs.
- Insiders, e.g. disgruntled employees.
- Competitors, e.g. corporate espionage.
- Activists, e.g. eco-defence groups.
- Advanced Persistent Threats, e.g. State-sponsored actors.
Once aware of who they are you can develop a profile of them through experience and research: learn what their TTP‘s, capabilities, values and objectives are. Resources such as MITRE ATT&CK, the APT Groups and Operations spreadsheet, Malpedia, vendor reports (a great example), and threat intelligence platforms and communities will be of great assistance. Also consider the adversaries of your suppliers and clients, as supply chain compromise isn’t at all uncommon (example). Cast your sensors out into the world and catch wind of any signals that indicate a shift in their behaviour or objectives. Get inside their head and equip yourself to look at the world through their eyes. What motivates them to get out of bed in the morning? Use their profile to evaluate how they’d approach your issue and what opportunities it may create for them. Structure can be applied to this process through implementation of the OODA loop:
- Observe: Realise your issues and ingest new, relevant information pertaining to the changing conditions of your environment.
- Orient: Analyse your observations and apply your mental models to them to develop a perspective that prepares you to choose a course of action. This process consists of two phases:
- Destructive deduction: Break your existing models into parts.
- Creative induction: Take the parts, factor in your observations and experience, and build newer, more relevant models.
- Decide: Form suggestions towards an action or response plan and deduce all potential outcomes.
- Act: Carry out your plan and any associated pre-cursor tasks, then repeat the loop until you achieve a desired outcome.
The Operational Excellence Society have a great infographic that visually illustrates the process. The Art of Manliness has also produced an introduction to the OODA Loop that explains it far better than I could hope to. It’s well worth a read.
Employing an adversarial mindset enables you to produce more robust and innovative products, services and processes by forcing you to think well outside of the box (or dissolving it altogether) and being more critical in your decision making. You will make better decisions and discover avenues of thought that would otherwise not have been possible.
In a similar vein, the mindset helps to qualify and apply context to the risks that an organisation face. It will provide answers to common questions like:
- “Is this really something that we should be making a priority of?". Should you be prioritising the implementation a set of controls that do not mitigate any techniques used by your adversaries, simply because it’s encouraged by a policy or standard; or should you be focusing on pushing for that EDR rollout because PowerShell and WMI are almost always used to move around networks (and you’re currently running with vanilla EPP)?
- “Is this scenario realistic?". Is your attacker likely to burn a 0-day on you, or is it more probable that they’ll spear phish tactically selected staff? Is a well-resourced APT group going to use Metasploit or a C2 framework that they’ve developed themselves? Are the 4 hours that you’ve put into building a perfect phishing template reflective of the messages that your staff are being impacted by? Even the UK NCSC has raised doubts about the typical approach to phish testing (reference).
Ultimately this is a process of proactive self-improvement that can be further abstracted to apply to all facets of business and life. For all intents and purposes an “adversary” could be the power grid or similar service that you’re dependent upon, a new transport route or even a marketing campaign. But it is not a static exercise that can be wrapped up in a framework or checklist. The world is always changing and throwing new obstacles and opportunities at you, so just like any adversary you must remain adaptable. As parameters change over time it must also be ensured that you cater for both the present state and the longer-term. As food for thought, consider the potential that an adversary has a long game plan or objectives that are dependent on unstable factors.
It’s also important to account for personal bias. Every person has a unique background and values set that defines their outlook. Applying multiple perspectives to something is likely to produce a better outcome than that of a single person. The way you interpret something may not be how a fellow team member does.
Train like you Fight
Remember, we only have to be lucky once. You will have to be lucky always.
- IRA Spokesperson (reference)
In much the same way as you cannot just read about martial arts and expect to handle a real fight, you cannot expect to survive a breach if you’re not rehearsing them. If you fail to drill your worst-case scenarios then you will almost certainly be mentally, physically and technically unprepared for when the worst comes your way. It is not a case of whether it’s going to happen, it’s a question of when and how. “When” is somewhat out of your control but you can make an effort to determine the “how”.
Adversarial thinking must be applied at all levels of your organisation. All that matters to an attacker is that they achieve their objective - scope and ethics are not of concern to them:
- Attackers will happily pick the nicest person in your office and socially engineer them with no regard for their feelings.
- If a competitor can beat you to market by executing a stolen idea faster than you can, they will.
- There is no room or item in your building that is out of bounds to a burglar.
- Your power company is unlikely to give you any special treatment if you lose power, your UPS fails and the starter on your diesel generator has seized.
With this we can begin to form some action points:
- Assume a breach has occurred and develop your capabilities and strategies accordingly.
- Include security in your business continuity planning and funding.
- Be comfortable with being uncomfortable. Now is always a better time to find out that something in production is vulnerable than when you’re facing a full-on breach. Don’t steer clear of production just because its what businesses have come accustomed to doing. There are also a lot of businesses suffering very preventable breaches. Again, attackers don’t care about scope.
- Do not substitute the need for a red team assessment with a penetration test. Imposing constraints does not permit accurate emulation of the approach that a true bad actor would take. The methods used in penetration testing may feature in red teaming, but that’s only a very small subset of what red teaming touches on. There is certainly a time and place for penetration tests, like baselining the security of an application prior to its deployment, but a red team will truly emulate your adversaries, test your organisation as a whole and leave you far more resilient to genuine attacks. The output of a red team assessment will help your defenders to fully understand where they’re lacking and how they can improve.
- A good defender has an intimate understanding of what they’re defending against. Grant them daily reading time to stay on top of the threat landscape and regular research time to deep dive into subjects of interest.
- New Zealand is a small nation and very few organisations have the budget for regular red team assessments, let alone their own security resources. Introducing the concept of adversarial emulation to your defenders helps to fill in some of the gaps in between assessments. Unless you test your defences you must assume they’re not working, so make testing a core part of your operations. Tools like Atomic Red Team (and my MITRE ATT&CK wrapper for it) and Prelude Operator will help test your detection coverage and teach defenders where to look and for what. If an actor uses a specific tool, see if you can get your hands on it too. I’ve listed some of the freely available options here.
Finally: read. My Resources page has a couple of sections in it full of books and online resources that I’ve found to be useful. While it is arguable that the adversarial mindset cannot be taught, reading and listening can still give you a great deal of insight that broadens your perspective.