If you’re coming into this series late, go read parts one, two, and three to catch up on the previous rules of Adversarial Engagement. In this post, we’ll highlight the last of my four ground rules - by sticking to these rules, we’re able to achieve the best possible results for our clients.
Rule 4: As Much Time As You Can Afford To Spend And Still Get Value
It’s very easy for clients to want a one-week on-site penetration test. It’s cheap, it gives everyone the impression of having done something, and you get a report! What could be better?
Well, I guess it depends on what you want to get for your money. Do you want to train your SOC to detect a consultant running nmap -T 5 from a conference room against your internal /16? Yes? Good, because that’s what you’ve done. Is China going to attack your network that way? Sorry, nope.
Actual adversarial emulation engagements take time. Sometimes, unfortunately, a lot of it. I was doing a six-week-long engagement with a client, and it was going awesome. I’d phished into the network, compromised the entire corporate domain, gained access to a treasure trove of protected information, figured out a way to exploit a forgotten rule in a firewall to bypass two-factor authentication, and was just about to get into a control system network that was the holy grail of access. I’d even identified the users I was going to have to compromise in order to get the credentials needed to hop into that network.
And then we ran out of time.
Sucks, right? I mean, it was still a huge win for us, and the client was overjoyed with the report, but there were security mechanisms in that segregated network that we’d both (us and the client) wanted to test. And we didn’t get to, because there was just so much to do while flying under the radar. While we’re pretty confident those mechanisms would have worked to detect our activity (if the analysts watching were doing their jobs), it would have been nice to give the client the warm and fuzzy on that. In the meantime, they’re implementing our recommendations to harden the rest of the network so they can detect and eliminate malicious activity before it gets to that point.
It can be hard to justify the extra dollars from the client’s perspective if you’re not continuing to show value, but it’s also very hard to figure out how long it will take to accomplish key objectives before you even begin. After all, a good adversarial emulation engagement starts with zero knowledge of the target - so how long will it take to compromise the network? There needs to be a certain amount of wiggle room in the contract so that the client gets a good return on their investment while the consultant still has enough time to complete the key objectives.
Let’s put it this way: China doesn’t hack your network for a week and then go away. They hack it for years on and off. And they’re patient - they’ll wait until you make a mistake and then capitalize on it. If it takes a year for someone to screw up and e-mail a password to a critical system, well, you’d better hope the bad guys haven’t just been waiting for that to happen. Because they do - and when they’re on your network for an average of 229 days, that’s a lot of time to watch for mistakes.
I’d like to think that the industry is slowly realizing the truth of these rules as we shift away from “Run Nessus and Paraphrase The Findings” style engagements. However, not all customers truly understand - or care - about testing the actual operational security of their network. Some still only care about getting that checkbox that says someone came and ran Nessus. Some don’t understand that attackers can see the value in their network even if they themselves can’t. Some think their entire network can be assessed in a week. And some still think that attackers will only try to exploit that handful of well-hardened production systems and ignore the rest of the network.
Let’s change that.