Some time ago, big company, a large financial organization, suffered a major security breach. The attackers infiltrated the network by sending an email with a malicious attachment to an unsuspecting employee. Worse – once inside the network, they gained access to sensitive file shares by guessing the password of a top-level user. They took the files and demanded a ransom for their return.
Organizations that have been the victims of security breaches – like big company – know how painful they are and are willing to put a lot of effort and resources into fixing as many security issues as possible.
To mitigate the password-guessing attack, big company first looked at its password-quality controls. It used a security tool to identify weak passwords – passwords an attacker could guess easily, even without access to their hashes. It turned out that 10% of the passwords were weak. They adopted this number as their metric and, over the following weeks, worked to drive it down: project owners and employees were asked to change their passwords, and after a few months the weak passwords were counted again. The situation was much better – only 1% of passwords were easy to guess. Not perfect, but a significant improvement.
Later that year, CYE was hired to conduct a red-team exercise at big company. Among other things, the CYE team used phishing emails to gain access to the internal network and then guessed passwords for sensitive data shares – in other words, they replicated the real-life big company breach after the mitigation project was complete. How could that be?
From big company's perspective, a password-guessing attack now seemed ten times less likely. From the attacker's perspective, the difficulty of the attack had hardly changed. Why? Because once inside the network, an attacker can try one or two passwords per account – far below any lockout threshold – without being detected or blocked, and needs only one of those guesses to succeed. With tens of thousands of systems, users and passwords, 1% weak passwords still means hundreds of guessable accounts, and the probability that a patient, low-and-slow spray hits at least one of them is effectively 100%. The metric big company measured itself by was nearly irrelevant.
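The arithmetic behind this, and the detection blind spot that makes a one-or-two-guesses-per-account spray invisible to per-account lockout, as an added example that is not part of the original post. The user counts, thresholds and authentication events below are constructed for illustration, not figures from big company; the model assumes each account independently has a weak password with the stated probability and that a "weak" password is one the attacker's short guess list covers.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def spray_success(weak_fraction, accounts, guesses_per_account=2, lockout_threshold=5):
    """Outcome of a low-and-slow spray that stays under the per-account lockout.

    Assumption (constructed model): every account independently has a weak
    password with probability weak_fraction, and the attacker's short guess
    list covers every weak password. Staying under lockout_threshold means no
    account locks, so nothing is noticed unless spray-aware monitoring exists.
    """
    if guesses_per_account >= lockout_threshold:
        raise ValueError("attacker would trigger lockouts; choose fewer guesses")
    p_no_weak_account = (1 - weak_fraction) ** accounts
    return {
        "p_at_least_one": 1 - p_no_weak_account,   # chance the spray gets a foothold
        "expected_compromised": weak_fraction * accounts,
        "total_attempts": guesses_per_account * accounts,
    }


def accounts_needed(weak_fraction, confidence=0.99):
    """Smallest number of accounts to spray so P(at least one hit) >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - weak_fraction))


# Constructed authentication log (not real data): one source tries a single
# guess against many accounts, another hammers a single account.
AUTH_EVENTS = [
    ("2024-01-10T09:00:00", "10.1.1.50", "alice", "fail"),
    ("2024-01-10T09:00:20", "10.1.1.50", "bob", "fail"),
    ("2024-01-10T09:00:40", "10.1.1.50", "carol", "fail"),
    ("2024-01-10T09:01:00", "10.1.1.50", "dave", "fail"),
    ("2024-01-10T09:01:20", "10.1.1.50", "erin", "fail"),
    ("2024-01-10T09:01:40", "10.1.1.50", "frank", "success"),
    ("2024-01-10T09:02:00", "10.1.1.77", "alice", "fail"),
    ("2024-01-10T09:03:00", "10.1.1.77", "alice", "success"),
]


def per_account_lockouts(events, threshold=5):
    """Accounts a classic per-account lockout rule would lock (>= threshold failures).

    A spray never reaches the threshold on any single account, so this returns
    nothing for the sample above even though five accounts were attacked.
    """
    failures = defaultdict(int)
    for _, _, account, result in events:
        if result == "fail":
            failures[account] += 1
    return {account for account, n in failures.items() if n >= threshold}


def spray_sources(events, window=timedelta(minutes=10), distinct_threshold=5):
    """Flag sources that fail against many *distinct* accounts inside one window.

    This is the spray-aware rule: it pivots on the source rather than the
    account. Returns {source: max distinct accounts failed within a window}.
    """
    fails_by_source = defaultdict(list)
    for ts, source, account, result in events:
        if result == "fail":
            fails_by_source[source].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for source, fails in fails_by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:   # slide window forward
                start += 1
            distinct = {account for _, account in fails[start:end + 1]}
            if len(distinct) >= distinct_threshold:
                flagged[source] = max(flagged.get(source, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for weak in (0.10, 0.01):
        print(weak, spray_success(weak, accounts=20_000), "accounts for 99%:", accounts_needed(weak))
    print("per-account lockouts:", per_account_lockouts(AUTH_EVENTS))
    print("spray sources:", spray_sources(AUTH_EVENTS))
```

With 20,000 accounts, going from 10% to 1% weak passwords lowers the expected number of compromised accounts from 2,000 to 200 and raises the number of accounts the attacker must spray for a 99% chance of a hit from 44 to 459: a few more hours of quiet work, not a ten-fold drop in risk. In the sample log, the spraying source never locks a single account, so only the source-centric rule catches it.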
This issue appears in many organizations and across many domains. You may be monitoring 99.9% of your hosts, but somehow the attacker finds the one old host where your EDR isn't installed and plants malware there. Or all of your web applications may be up to date and secure, but the attacker finds the one old website that can be breached to gain a foothold.
Nothing stops sophisticated attackers (who spend countless hours understanding their target and are savvy and experienced enough to guess countless passwords without getting caught) or opportunistic attackers (who simply try to infiltrate a large array of random organizations) from trying their luck time and time again. This is obviously true at your Internet perimeter, where the cost of getting caught is almost zero. But it also holds once they have gained access to some of your internal assets – in your network or in the cloud – because they usually get kicked out before they can cause damage only if they are noisy or slow, and a careful attacker is neither.
The security of your critical assets is best measured from the attacker's perspective. That's why you should conduct periodic – or, better yet, continuous – penetration tests and security assessments. This does not mean you should stop deploying EDR, improving password quality, securing your web applications and so on. It does mean that looking at your security from the attacker's perspective is how you identify the high-priority projects. Nor does it mean security metrics are useless; it means that choosing the wrong metric can be very costly. Once you start measuring progress one way, it is hard to suddenly stop and measure it another way: CISOs feel pressure to show that their numbers improve over time, even when those numbers say little about the organization's actual security posture. That gives organizations a false sense of security and crowds out other, more important security projects and metrics. Since time and money are finite, the wrong metric can actually hurt your security posture.
At CYE, we organize security issues (more precisely, the mitigations tied to those issues) in a graph that shows how attackers can chain them to reach business-critical assets, and we measure risk reduction on that graph rather than on isolated counts. This gives a much better idea of what will actually stop the attacker. It may be better to do certain things first – blocking network access to sensitive file shares, deploying multi-factor authentication, revoking access to sensitive files from most employees, or simply monitoring password guessing more effectively. It could be a combination of controls, or there could be other, more pressing attack vectors altogether. The only way to find out is to arm your company with the tools, resources and expertise it needs to see the picture from the attacker's point of view.
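A minimal version of that idea, as an added example rather than CYE's own model or tooling: an attack graph whose edges are the steps from the story above (phishing, the unmonitored host, the forgotten website, password spraying against the share), each with a constructed relative attacker-effort cost, and a set of candidate mitigations expressed as changes to those edges. Risk is measured as the cost of the cheapest path from the Internet to the business-critical asset, so a mitigation is ranked by how far it pushes that path up, not by how many weak passwords or unmonitored hosts it removes. All node names, costs and mitigation effects are assumptions chosen for illustration.

```python
import heapq
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]

# Constructed attack graph (illustration only). Edge value = (attacker step,
# relative effort); higher effort means harder for the attacker.
BASE_EDGES: Dict[Edge, Tuple[str, int]] = {
    ("internet", "workstation"): ("phishing e-mail with malicious attachment", 2),
    ("internet", "old_website"): ("exploit forgotten unpatched web app", 4),
    ("old_website", "internal_net"): ("pivot from DMZ host", 2),
    ("workstation", "internal_net"): ("lateral movement", 1),
    ("internal_net", "file_share"): ("spray one or two guesses per account", 2),
    ("internal_net", "no_edr_host"): ("run malware on host without EDR", 3),
    ("no_edr_host", "file_share"): ("harvest cached credentials", 2),
    ("file_share", "crown_jewels"): ("copy sensitive files", 1),
}

# Candidate mitigations: new effort for an edge, or None to remove the edge.
# Effects are assumed values, e.g. a password-quality programme makes the
# spray only slightly harder, while MFA removes the spray edge entirely.
MITIGATIONS: Dict[str, Dict[Edge, Optional[int]]] = {
    "password_quality_program": {("internal_net", "file_share"): 3},
    "spray_detection": {("internal_net", "file_share"): 6},
    "mfa_on_file_shares": {("internal_net", "file_share"): None,
                           ("no_edr_host", "file_share"): 8},
    "block_share_network_access": {("internal_net", "file_share"): None,
                                   ("no_edr_host", "file_share"): None},
    "least_privilege_on_files": {("file_share", "crown_jewels"): 5},
    "edr_everywhere": {("internal_net", "no_edr_host"): None},
}


def apply_mitigations(edges: Dict[Edge, Tuple[str, int]], names: List[str]):
    """Return a copy of the graph with the named mitigations applied in order."""
    new = dict(edges)
    for name in names:
        for edge, new_cost in MITIGATIONS[name].items():
            if edge not in new:          # already removed by an earlier mitigation
                continue
            if new_cost is None:
                del new[edge]
            else:
                new[edge] = (new[edge][0], new_cost)
    return new


def cheapest_path(edges, source="internet", target="crown_jewels"):
    """Dijkstra over attacker effort: (total effort, [steps]) or (inf, []) if cut."""
    adj = defaultdict(list)
    for (u, v), (label, cost) in edges.items():
        adj[u].append((v, cost, label))
    best = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):   # stale heap entry
            continue
        if node == target:
            break
        for nxt, weight, label in adj[node]:
            candidate = cost + weight
            if candidate < best.get(nxt, math.inf):
                best[nxt] = candidate
                prev[nxt] = (node, label)
                heapq.heappush(heap, (candidate, nxt))
    if target not in best:
        return math.inf, []
    steps, node = [], target
    while node != source:
        node, label = prev[node]
        steps.append(label)
    return best[target], steps[::-1]


def rank_mitigations(edges=BASE_EDGES, mitigations=MITIGATIONS):
    """Rank single mitigations by the cheapest attack path they leave behind."""
    baseline, _ = cheapest_path(edges)
    rows = []
    for name in mitigations:
        cost, _ = cheapest_path(apply_mitigations(edges, [name]))
        rows.append((name, cost, cost - baseline))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print("baseline:", cheapest_path(BASE_EDGES))
    for name, cost, delta in rank_mitigations():
        print(f"{name:30s} cheapest path {cost:>5} (delta {delta:+})")
    print("mfa + edr:", cheapest_path(apply_mitigations(BASE_EDGES, ["mfa_on_file_shares", "edr_everywhere"])))
```

On this graph the baseline path (phish, move laterally, spray the share, copy files) costs 6. The password-quality programme raises it to 7 and "EDR everywhere" leaves it at 6, because the cheapest path never touched the unmonitored host; MFA on the shares raises it to 15, and blocking network access to the shares cuts every path. Combining MFA with EDR coverage also cuts every path, which is the kind of interaction an isolated count of weak passwords or unmonitored hosts cannot reveal.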