November 24, 2014 | 3 Min. Read

The Best Defense is a Good Offense

Malicious cyber activity now costs $300BN a year worldwide because traditional security models are not effective. Software development is accelerating faster than application security with the proliferation of new platforms, languages, and deployment methodologies. The age of quarterly security assessments is over as we migrate to the continuous deployment of software and dynamic cloud architectures. Because code changes so rapidly, the status quo of infrequent security assessments fails to protect us from cyber threats, and Synack is finding success in employing Red Teaming tactics instead.

A Red Team, as defined in the draft of DoD Directive 3600.3 “DoD Information Operations Red Teaming” is:

“An independent, threat-based, and simulated opposition force that uses passive, active, technical, and non-technical capabilities on a formal, time-bounded basis to expose and exploit information system vulnerabilities of friendly forces.”

In order to design an effective security architecture to meet these current standards, organizations need to develop comprehensive threat models that illustrate the possible risks to their systems and utilize red teaming when exploring uncharted territory.

Threat Modeling

Threat modeling can help everyone understand the rationale behind specific security controls. It brings together stakeholders from engineering, operations and the executive team to brainstorm about the threats to the systems, resulting in a security model that, as a whole, will receive more support from the workforce.

A good starting point for the threat model is to build a data flow diagram (DFD) that shows how data transits the system.  The ingress and egress points for data in the system will show us potential avenues for data manipulation and extraction.  The DFD and the information known about the data elements will allow the team to construct a threat profile.  What kind of data would an adversary want to extract from this sample system?  From here, STRIDE is a suitable threat modeling framework and DREAD can be used to prioritize the threats.
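The DFD-to-STRIDE-to-DREAD procedure above, as an added example that is not from the post: the sample DFD is constructed, the STRIDE-per-element mapping follows Microsoft's SDL practice, and the DREAD average-of-five scoring is an assumption (teams also use sums or weighted variants).

```python
from dataclasses import dataclass

# STRIDE-per-element applicability as used in Microsoft's SDL threat modeling:
# which of the six threat categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass
class Element:
    name: str
    kind: str                        # a key of STRIDE_PER_ELEMENT
    crosses_boundary: bool = False   # flow crosses a trust boundary

def entry_points(elements):
    """The ingress/egress points: data flows that cross a trust boundary."""
    return [e.name for e in elements if e.kind == "data_flow" and e.crosses_boundary]

def enumerate_threats(elements):
    """Apply STRIDE per element; returns (element, threat category) pairs."""
    return [(e.name, STRIDE_NAMES[c]) for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]

def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD (assumed form): rate each factor 1..10; the average is the risk score."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be in 1..10")
    return sum(factors) / len(factors)

def prioritize(rated):
    """rated: list of ((element, category), dread_score); highest risk first."""
    return sorted(rated, key=lambda r: r[1], reverse=True)

# Constructed sample DFD: browser -> API process -> customer database.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("API server", "process"),
    Element("Customer DB", "data_store"),
    Element("Browser->API (HTTPS)", "data_flow", crosses_boundary=True),
    Element("API->DB (SQL)", "data_flow"),
]

if __name__ == "__main__":
    print("Entry points:", entry_points(SAMPLE_DFD))
    for elem, cat in enumerate_threats(SAMPLE_DFD):
        print(f"{elem}: {cat}")
```

The enumerated pairs are the candidate threat list; the team rates each with DREAD and works the ranked list from the top.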

Unfortunately, despite our best efforts, the model is constrained by the creativity of the team analyzing the system.  Consequently, there will be threats that the team did not consider.  What are the unknown unknowns?

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” – Donald Rumsfeld

Red Teaming

The threat model is a great starting point, but to begin discovering the unknown threats the team must act like the adversary.  Red Teaming provides a great mechanism to test the efficacy of the controls and ensure stakeholders did not underestimate the ease of exploiting a specific threat.  Even the best-designed security controls and threat assessments need to be tested from the adversary’s perspective.

“No plan of battle ever survives contact with the enemy.” – Helmuth von Moltke

The only way to be certain our controls are correct is to test them in an offensive manner with a group of hackers of equal or greater skill than the adversary. At Synack, we recruit and vet talented security researchers from around the world for the purpose of red teaming our clients’ assets. In addition to testing the efficacy of security controls against known threats, our team is incentivized to discover previously unknown threats – the “unknown unknowns.”

The complexity of modern infrastructure and applications necessitates a dynamic security model that offers on-demand coverage and massive scale, without sacrificing the manageability and accountability necessary for control.  Synack provides a technology solution that allows enterprises to extend their in-house security teams with a skilled and vetted global researcher community to execute a comprehensive red team engagement.

Without such a solution, how do you prove that your organization is sufficiently protected? What tactics do you rely on to ensure a “Target-like” breach is not in your future?
