November 1st, 2022

Adversaries are better at continuous improvement than you are.

It’s a bold statement, right? It’s true. I’ve spent the past 24 years in IT and security, and most of that time was on the defense side working in MSS, enterprise security software, professional services, etc. With this experience, I now understand the adversarial position, and it has changed my perspective on security. Adversarial testing is considered by most to be an annual exercise to test defenses and preventative measures, and it does test them. However, it doesn’t consistently improve your team’s capability to detect, protect and respond to threats to your organization. A red team engagement covers this, right? Sure. Red teaming will test your team’s ability to detect a quiet attacker and the ability of your team and technology to respond. Unfortunately, this is a snapshot in time which does not consider the dynamic threat landscape. We often see a team work diligently to fix the findings that are exposed and then return to day-to-day management and operations until the next test. All the while, more vulnerabilities are encroaching on organizations at alarming speed. This just isn’t good enough in my humble opinion. Relying on security technology to keep data safe is not the only answer.

The following graph from IDC supports that the human layer is the linchpin to improving security. As spending increases on products, so do the breaches…


Bad actors, just like ethical hackers, work daily to improve their skillset, increase their speed, and improve their ability to go undetected. Every free minute they have is focused on learning and improving. To match pace with the threat actors, the defense world needs to shift its thinking and embrace the human aspect of security and a continuous testing methodology. This type of teaming allows for improved collaboration with the testing group, refinement of detection capability, and focused testing of processes and procedures. Cooperative continuous testing allows the red team to launch an attack while the blue team works to detect it. If they can’t, then the red team engages a feedback loop with the blue team to improve the detection capability for the attack and explains the tactics, techniques, and procedures in detail. Once detection is confirmed, the team moves on to a new target. In the end, this feedback loop ensures that the defense team has learned what the attack looks like and knows that it has the right signatures and tools to detect it. Notice that I have not mentioned a product. This is all about improving the people component of security. Products are a critical piece of security strategy, but the people who use the products are what makes the difference between weak and strong security.

Adversaries are working daily to improve their ability to infiltrate, abuse and bypass the technical controls that are designed to protect. It’s time to bring that mindset to the defense teams and be as good at continuous improvement as the adversaries.

Joe Petre – Vice President – PLEX Cyber