Dangerous Assumptions: Why Adversarial Testing Matters
Employing the precision of the scientific method to find your true vulnerabilities
By: Trenton Ivey
Science is awesome. Or, more precisely, the scientific method is an awesome best practice for determining what's true and what isn't.
Unfortunately, many organizations fail to apply the scientific method to cybersecurity. So, instead of proving that they're secure, they just kind of assume they are. As a result, they remain unacceptably vulnerable to common threat actor tactics — especially those associated with ransomware.
Fortunately, there's a proven way to apply the scientific method to your organization's cybersecurity: adversarial testing.
Adversarial testing allows you to know your cyber adversaries. It entails having skilled, experienced cybersecurity professionals attempt to penetrate your environment using the same techniques that real-world cybercriminals do. It thus uniquely enables you to empirically discover exactly where your cyber defenses are working and where they fall short.
Armed with that empirical knowledge, you can then take concrete steps to strengthen your defenses precisely where and how they need strengthening — dramatically reducing your exposure to cyber risks.
The danger of assumptions
When you wake up feeling fine, you don't go to the emergency room — because you assume there's nothing terribly wrong with you. That's natural and reasonable.
But that's also why we get check-ups at the doctor: to test our assumptions about our health. Doctors, after all, can tell us about health problems that we can't detect ourselves. They can even find currently minor issues that could potentially become something big.
This principle holds true in cybersecurity as well. Assumptions don't have to be egregiously wrong to have potentially destructive consequences. We know your cyber adversaries don't need a huge opportunity to achieve their malicious goals. They just need an opening.
Here are some potentially disastrous assumptions that SecOps teams commonly make regarding their organizations' environments:
- We have all our CVEs patched
- Our DLP will prevent anyone from exfiltrating code
- We can detect malicious PowerShell activity on any endpoint within 10 minutes
- No unauthorized outsider can get physical access to our physical Ethernet
- Our admin-level privileges are sufficiently segregated
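Each of these assumptions is a hypothesis, and a hypothesis is only worth something once it has been tested against evidence. As an added illustration (not Secureworks code or the SwAG method), the script below tests the third one, "we detect malicious PowerShell on any endpoint within 10 minutes", the way a defender would during an exercise: benign test events are injected with a marker id, the alerts the detection pipeline raised are collected, and the latency per marker is measured. The log formats and marker scheme are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: test events injected on endpoints during an exercise.
TEST_EVENTS = [
    "2024-03-01T10:00:00Z marker=T1 host=ws01 action=ps_test",
    "2024-03-01T10:05:00Z marker=T2 host=ws02 action=ps_test",
    "2024-03-01T10:10:00Z marker=T3 host=srv01 action=ps_test",
]
# Constructed sample: alerts the detection pipeline raised (T3 never fired).
ALERTS = [
    "2024-03-01T10:04:30Z alert=PS_SUSPICIOUS marker=T1 host=ws01",
    "2024-03-01T10:21:00Z alert=PS_SUSPICIOUS marker=T2 host=ws02",
]

def parse(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detection_latency(events, alerts):
    """Return {marker: seconds from injection to first alert, or None if missed}."""
    first_alert = {}
    for a in map(parse, alerts):
        m = a["marker"]
        if m not in first_alert or a["ts"] < first_alert[m]:
            first_alert[m] = a["ts"]
    latencies = {}
    for e in map(parse, events):
        hit = first_alert.get(e["marker"])
        latencies[e["marker"]] = (hit - e["ts"]).total_seconds() if hit else None
    return latencies

def hypothesis_holds(latencies, budget=timedelta(minutes=10)):
    """The assumption survives only if every test event alerted within budget."""
    limit = budget.total_seconds()
    return all(s is not None and s <= limit for s in latencies.values())

if __name__ == "__main__":
    lat = detection_latency(TEST_EVENTS, ALERTS)
    for marker, secs in lat.items():
        print(marker, "MISSED" if secs is None else f"{secs:.0f}s")
    print("hypothesis holds:", hypothesis_holds(lat))
```

With the sample data the assumption fails twice over: T2 alerts after 16 minutes and T3 never alerts, which is exactly the kind of finding an untested assumption hides.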
It's well beyond the resources of most SecOps teams to test all these assumptions while still doing the critical day-to-day work of shoring up defenses, securing adds and changes to the enterprise environment, responding to alerts, and proactively threat hunting.
This is why adversarial testing is so important. You must scientifically test your cybersecurity assumptions. And you need a third party to do so.
The importance of iterative collaboration
Musicians practice daily. And coaches constantly run new practice drills to shore up any weaknesses they discovered in their team's last game.
The same principle holds true in cybersecurity. Adversarial testing works best when you do it repeatedly. Here's the truth: No one does well on their first adversarial test. The Secureworks® Adversarial Group (SwAG) almost always finds multiple egregious problems.
On the other hand, organizations typically do much better on the next test. And because they have far fewer glaring problems, our adversarial testers can dig deeper to uncover other issues that — while not as severe — could result in a dangerous breach.
Does this mean that you should plan on endlessly repeating large-scale adversarial testing forever? Absolutely not. Just the opposite, in fact. If you apply adversarial testing best practices, you'll likely achieve a level of security maturity within 4-6 iterations that will allow you to apply adversarial testing in a much more focused and efficient manner going forward.
But no one gets there in one shot. And no one gets there by simply “fixing things.” As in any scientific endeavor, you can't just implement a fix and assume that you've solved your problem. You test the assumption that you've solved the problem under valid experimental conditions. If you have truly fixed the problem, great.
If not, you go back to the drawing board and get it right.
The benefits of adversarial best practices
You're investing a lot of time and effort into cybersecurity. So, the real question isn't whether adversarial testing can help you. It's how much you should spend on adversarial testing — and how that spending can optimize the value you get from your total cybersecurity budget.
Well, here are some thoughts:
- Reduced risk. The safest organizations are those that constantly perform experiments to see just how safe they really are — or really aren't.
- Fact-based budget allocation. By highlighting where your defenses are weakest, adversarial testing helps you pinpoint where to best spend your money — whether it's on new technologies, more staff, or more training.
- Improved skills. Adversarial testing provides unequaled hands-on training — because your team gets to deal with real-life attacks in your real-life environment.
- Smarter technology decisions. No pre-purchase technology evaluation can match a post-purchase evaluation in production. Only adversarial testing can reveal if your vendors' claims hold water.
- Mitigation of regulatory consequences. Regulators are much less likely to impose heavy fines, code-of-conduct requirements, and/or other penalties if adversarial testing has been part of your due diligence.
To learn more about SwAG adversarial testing services, check out our new white paper. Or contact us here. It's always a good time to scientifically test your cybersecurity assumptions — before those assumptions turn into a breach!