At Gray Tier, would like to reshape how network defense strategies are thought about. Network security policies are usually an afterthought. Put up some firewalls over here, sprinkle some IDS over there; maybe a host based monitoring system and presto - secured! Being compliant is not the same as being secure. No longer can an organization go through this robotic thinking of network security and assume that is good enough. Recently more companies are conducting penetration tests either by internal teams or external companies as a service. The issue with network penetration testing is that this assessment is only a snapshot in time of the organization's network security posture. As soon as something is changed within the network, is the previous assessment still valid? Networks are by nature complex systems-of-systems, and it’s very difficult to know if there are second or third order effects to adding, removing, or changing one of those systems. Moreover, your network might be secure, but are your business partners network’s secure? What kind of trust relationships do you have with them (e.g. Target)?
We start our approach by assuming the network is already compromised. As you are creating this hard shell around your network, the inside is more vulnerable than ever. In fact, by some accounts insider threat is considered the number one threat to network security, and yet it’s usually the least thought about in a serious manor. Yes, you could lock down the end user (we’re talking to you HBSS) to the point where users are virtually unproductive, but at what cost to company bottom line and employee retention. One can hardly blame system administrators for draconian usage policies. Can you really trust your users not to click on the next phishing email, or not put an infected USB device into the network? Some organizations have gone as far as creating a zero-tolerance policy; stating that employees will be fired if they click on a phishing email. In our opinion this is possibly one of the worst security decisions management could possibly make. A policy such as this will scare users to the point where no one will self report, and make the user come up with creative ways to circumvent policies. Then you have an infected system on the network which has not been reported. Also, what happens when the CEO clicks on a phishing email? With the assume breach mind-set what’s important is how you detect and mitigate threats on your networks, and end users are just as important as network defenders.
The goal of network security is to protect critical information and systems. Rather than simply rely on system administrators and network defenders to protect networks we flip this approach around. Network security should take a holistic approach by including the users as much as the external defenses, but how can you train the user to be the first line of defense when they have other tasks and jobs? Gray Tier Technologies has it roots in U.S. military cyber wargames. The idea during these wargames are to simulate known threats actors and their techniques. The military term is Opposing Force (OPFOR). OPFOR techniques could span simple Denial of Service (DoS) attacks to other highly sophisticated methods and simulations. These attacks are non-malicious applications with the sole purpose of training users and administrators. If done correctly, the users also start to understand what abnormal activity on their workstations looks like. During these wargames all users are fair game as targets, and by simulating an attack the user starts to understand the effects of their actions on the network. What do phishing attacks really look like? How does a malicious CD and USB take over a system, even though the security policy forbids the devices to run? What actions should user take if they believe there has been a compromise? Why is calc.exe running as administrator, for example? This will also test and train the network defenders to identify malicious traffic, and even start to recognize so-called Advanced Persistent Threats (APTs). More importantly it turns the entire user base into network defenders. Gray Tier Technologies believes security policies should have detect, report, mitigate components, and every user on the network is responsible for security.
--Gray Tier Technologies, LLC.