Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

Sickening posted:

The culture you build in security should be to embrace findings with positivity. Having a green scorecard is the goal but is far more likely a symptom of your company having blind spots.

Findings being used to cause conflict should be shut down most times. Otherwise, you are creating a culture where people will avoid bringing awareness to problems or go out of their way to hide them.

Of course you are going to find situations where the dirty laundry is caused by purposeful neglect and/or purposeful recklessness. I have no choice but to poo poo on those people because I can't help it.

This is my mid term goal. Short term is figuring out where someone is hiding all the findings and the toys, and get my house in order. :haw: medium term is turning some insular groups into an integrated service.

JehovahsWetness posted:

We get that security requests can really gently caress up a roadmap and we pitch in as much as we can so sec doesn't get seen as the bad guys. (We stress that we're an engineering org and are part of product development / corp infra it and we're here to help.

Exactly my goal. It's complicated by the fact that this is a place quilted together by m&a.

Cannon_Fodder fucked around with this message at 21:15 on Oct 14, 2023


Sickening
Jul 16, 2007

Black summer was the best summer.

JehovahsWetness posted:

Our sec teams are almost all ex-product devs / SRE / devops people, so anytime we have an incident, finding, pentest, etc., any follow-on requests are accompanied by an offer for one of us to pitch in hours to get it fixed, make a PR or whatever. We get that security requests can really gently caress up a roadmap and we pitch in as much as we can so sec doesn't get seen as the bad guys. (We stress that we're an engineering org and are part of product development / corp infra IT and we're here to help. Our relationships with the rest of the company are good enough that teams will proactively bring us design plans and poo poo for feedback really early in the process rather than trying to get a green check right at the end. It does help that we're probably heavy on graybeards.)

I feel like there's a gulf at mid-size places where infosec is a bureaucratic / CYA thing and not an engineering group, so they end up just being blockers / waving red Nessus scans around like assholes.

I don't mind it being an offer and I have been this mindset for a while. Regardless of the size of the business though, the risk is all around reasonable expectations. There are types of employees/teams/departments/divisions/whatever that will take these offers as permanent transfers of responsibility and that simply won't fly with me. I refuse to become a full time digital janitor of your digital smell dump.

It's very easy to talk people into creating things. It's harder and harder to hammer it into their skulls that creation comes with plans of maintenance. I am often the bad guy because I won't rest on vague promises of upkeep, but am relentless in my demand for concrete plans.

Sickening
Jul 16, 2007

Black summer was the best summer.
oops

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Too often it's a case of a red team being brought in to bust the network and the network/blue team already know it can be done but there was never buy in by management to finance fixing the holes in the first place.

So it immediately becomes an adversarial relationship from the beginning and it's just downhill from there.

BonHair
Apr 28, 2007

unknown posted:

Too often it's a case of a red team being brought in to bust the network and the network/blue team already know it can be done but there was never buy in by management to finance fixing the holes in the first place.

So it immediately becomes an adversarial relationship from the beginning and it's just downhill from there.

I think this is hitting the nail on the head.

If possible, blue team should have documented the issue and sent it and the solution up the chain through all the right channels, so they can just point to it and shrug if anyone gives them poo poo.

PalaNIN
Sep 19, 2004

LRLRRRLLRRLRLRLRRLRLR
Apparently a 0-day exploit going around for the Signal messaging app, related to the data within message previews:

https://hax0rbana.social/@adam/111236822600142276

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

PalaNIN posted:

Apparently a 0-day exploit going around for the Signal messaging app, related to the data within message previews:

https://hax0rbana.social/@adam/111236822600142276

What's the usual disclosure path for these things?

Rumor on twitter/mastodon -> https://www.zero-day.cz/database/?s...ORS%5D%5B%5D=16 -> ?

unknown
Nov 16, 2002
Ain't got no stinking title yet!


BonHair posted:

I think this is hitting the nail on the head.

If possible, blue team should have documented the issue and sent it and the solution up the chain through all the right channels, so they can just point to it and shrug if anyone gives them poo poo.

You're making the assumption that the blue team even exists and isn't just another title for some admin who's constantly being pulled into other work of greater emergency so never gets a chance to even document an issue in the first place.

Generally that's how it goes in most companies I see.

evil_bunnY
Apr 2, 2003

The greatest value in adversarial work/exercises in most cases is indeed justifying the value proposition for increasing blue team resources.

P much "look assholes, we weren't lying to you, this poo poo is jank and we do need money/time/people to improve it"

BonHair
Apr 28, 2007

Really, you shouldn't spend money on red teams before you've fixed the most obvious issues your security team keeps shouting about.

Potato Salad
Oct 23, 2014

nobody cares


While that would be ideal, management is management.

BonHair
Apr 28, 2007

It's true, buying a pentest is a one-time, measurable and budgetable action which does something related to security. Having a guy just telling you what the test would find is nebulous in all the important ways, especially since the recommendations are gonna include stuff like "keep things updated regularly" which is just gonna keep being nebulously expensive forever.

Sickening
Jul 16, 2007

Black summer was the best summer.
Many orgs have obligations that require some kind of pentesting at least annually.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.

Sickening posted:

Many orgs have obligations that require some kind of pentesting at least annually.

Exactly, and seems to be getting overlooked here. If your company maintains some company-wide security certifications they are often REQUIRED to do these tests.

That said, yeah the red team doesn't need to be assholes about it.

GrunkleStalin
Aug 13, 2021
Has anyone used the NSA's free pen testing service?

The Fool
Oct 16, 2003


Don't know about that one but historically if you needed a free pentest you just claim to be unhackable on twitter

Wibla
Feb 16, 2011

BonHair posted:

It's true, buying a pentest is a one-time, measurable and budgetable action which does something related to security. Having a guy just telling you what the test would find is nebulous in all the important ways, especially since the recommendations are gonna include stuff like "keep things updated regularly" which is just gonna keep being nebulously expensive forever.

We ran a pentest, literally everyone went :stonklol:, now we're spending millions on upgrades, and plan on running another pentest after we're done fixing the major issues.

We're 100% going to find a bunch of new poo poo that the old test didn't find, I just know it. But I also know that our networks will be in much better shape, with new firewalls and a lot of work put into re-establishing proper segmentation that had eroded over years of "gently caress it stopped working, we gotta fix it now now now" type maintenance.

Potato Salad
Oct 23, 2014

nobody cares


GrunkleStalin posted:

Has anyone used the NSA's free pen testing service?

If you're talking about what I think you're talking about, that is made available by CISA through the DoJ. Yes plenty of entities have taken them up on the offer, and my understanding on background is that there needs to be a national interest served by your request.

Thanks Ants
May 21, 2004

#essereFerrari


You'll know when the next set of documents are leaked by whoever steps up to be the new Snowden

just a kazoo
Mar 7, 2018

unknown posted:

Too often it's a case of a red team being brought in to bust the network and the network/blue team already know it can be done but there was never buy in by management to finance fixing the holes in the first place.

So it immediately becomes an adversarial relationship from the beginning and it's just downhill from there.

A good pen testing team should aim to bridge that gap and relay to management the constant struggle that blue team is dealing with and why they need resources.

The goal of the pen test is not to prove that the network can be hacked, it's to demonstrate the ease of doing so using specific methods/techniques so that remediation efforts and future prevention can be targeted at the correct areas.

evil_bunnY
Apr 2, 2003

If your pentest/red team has any political sense at all they'll also highlight what's realistically actionable.

BonHair
Apr 28, 2007

FungiCap posted:

Exactly, and seems to be getting overlooked here. If your company maintains some company-wide security certifications they are often REQUIRED to do these tests.

That said, yeah the red team doesn't need to be assholes about it.

Yeah, but they're still just compliance paper tigers if no one actually follows up on the recommendations. They're not required because testing is fun/lucrative*, they're required with the more or less explicit purpose of finding holes to patch. It's like having a fire marshal come in to tell you to not clear the lint traps on your industrial dryers. It makes sense the first time, but if he keeps finding the same lint, he didn't actually help you, you just wasted both your time and also the place is gonna burn down.

*Well maybe because it's lucrative

Wibla posted:

We ran a pentest, literally everyone went :stonklol:, now we're spending millions on upgrades, and plan on running another pentest after we're done fixing the major issues.

We're 100% going to find a bunch of new poo poo that the old test didn't find, I just know it. But I also know that our networks will be in much better shape, with new firewalls and a lot of work put into re-establishing proper segmentation that had eroded over years of "gently caress it stopped working, we gotta fix it now now now" type maintenance.

This is absolutely how it should be. This is the kind of organisation that can do yearly pentests, at least if you can keep the momentum.
There's always gonna be something, the goal is to have it under control mostly so you only have manageable stuff to fix and maybe a few theoretical scenarios that would be too costly to fix. Such as certain key people getting phished. You can't protect perfectly against that.

Famethrowa
Oct 5, 2012

I feel like it's hard not to be somewhat adversarial when I see sysadmins online complaining that they "didn't need to replace that [10 year EOL printer] it had a vlan/ACL isolating it".

Clashes between overwhelmed sysadmins who don't fully grasp why layered defense is mandatory and infosec teams who are fundamentally zero trust and paranoid feel inevitable despite all the good faith efforts both sides make. We have a guy still complaining to upper management about password security awareness messages because he read a crappy book about zero days once and thinks all intrusions are like his spy novels.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
Sysadmins/Blue team not being overly defensive when given results from a pen test.

Managers understanding that it's not a dress down of their employees or their capabilities.

Red teamers not being arrogant assholes and being part of the solution.

Pick 2 scenario?

Defenestrategy
Oct 24, 2010

I feel the solution is not to have a red or blue team at the end of the day, but one department who is gonna break and fix the poo poo. I don't know how feasible that is at larger companies, but when we have to do in-house pentesting, our company isn't big enough to just hand patch notes over the wall to infrastructure because they are already slammed with stuff. So we have to basically make patch notes, tell infra what we're gonna do, and then fix it when infra gives us a window.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


FungiCap posted:

Sysadmins/Blue team not being overly defensive when given results from a pen test.

Managers understanding that it's not a dress down of their employees or their capabilities.

Red teamers not being arrogant assholes and being part of the solution.

Pick 2 scenario?

More circular in my opinion:

10) Budget reduction/freeze over time

20) External red team test to see how well the company does [ie: mgmt trying to prove old budget wasn't necessary]

30) Budget increase to fix problems since they didn't "pass"

40) goto 10

This provides lots of political opportunities for boardroom fights and poo poo. A good CEO can stop the cycle, but most aren't that good.

Silly Newbie
Jul 25, 2007
How do I?

FungiCap posted:

Sysadmins/Blue team not being overly defensive when given results from a pen test.

Managers understanding that it's not a dress down of their employees or their capabilities.

Red teamers not being arrogant assholes and being part of the solution.

Pick 2 scenario?

I'll take three out of three

Security/Infra side leadership that wants to know the things they don't know, because that's the only way to fix them.

IT leadership that can leverage politics to get their stuff - "well, doing this will reduce our cybersecurity insurance rates and make stakeholders happy if we phrase it right"

Outside contractors doing red team who don't have a stake in internal politics and aren't competing for an overall part of the internal IT budget, but want happy repeat customers.

beuges
Jul 4, 2005
fluffy bunny butterfly broomstick
I don’t know anything about how security teams work, but would it be feasible to rotate people between red and blue teams so those defensive/adversarial people get to appreciate things from the other side’s perspective?

Jiro
Jan 13, 2004

just a kazoo posted:

A good pen testing team should aim to bridge that gap and relay to management the constant struggle that blue team is dealing with and why they need resources.

The goal of the pen test is not to prove that the network can be hacked, it's to demonstrate the ease of doing so using specific methods/techniques so that remediation efforts and future prevention can be targeted at the correct areas.

That right there is the ideal.

Time is one of the most important currencies. The longer it takes to break in, the fewer things are broken into. No place is impenetrable, but going hand in hand to make poo poo harder and require more and more resources to break in is a pretty good mark that you're doing something right.

beuges posted:

I don’t know anything about how security teams work, but would it be feasible to rotate people between red and blue teams so those defensive/adversarial people get to appreciate things from the other side’s perspective?

It's not necessarily like each side is completely siloed off from the other, though remote and WFH settings do kind of assist with that these days. Each side is essentially a specialist side. Having jacks/jills of all trades is nice and dandy when you're short-handed and need people to do both, but people that specialize in either side are sort of invaluable because that usually means they're taking or have taken expensive certs and have the experience to run in those teams hopefully pretty efficiently.

Jiro fucked around with this message at 07:21 on Oct 17, 2023

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Prepare two containers the Security team will each draw from. Each container is either Red/Observer or Blue/Observer. Yes, some people will be on both Red and Blue. If you have valuable data, this will come up in real life.

BonHair
Apr 28, 2007

beuges posted:

I don’t know anything about how security teams work, but would it be feasible to rotate people between red and blue teams so those defensive/adversarial people get to appreciate things from the other side’s perspective?

As mentioned, breaking poo poo and fixing it are two different skillsets. Besides the 1337 h4x0rs in the red team not necessarily being very good at actually segmenting networks, it's also a different workflow and motivation. If you're breaking in, you get to be more creative and intuitive, which appeals more to some people. If you're defending, you have more planned and routine stuff, and hopefully a bit more systematic approach, which again is very appealing to some people.

Not that rotation is a bad idea, but you also gotta work on people skills, understanding of company politics and the shared goal narrative, so everyone understands how their job ties into making profit for the shareholders, including all the relevant puzzle pieces before that.
I think external pentesters often have a few young hotshots hacking away and then a senior guy writing up the report and communicating in a constructive way with the client.

evil_bunnY
Apr 2, 2003

I don't think blue/red can do a full tour of duty style rotation on the other side, but you can/should mix up. It's fun for both (reason #1 honestly), you can sometimes catch poo poo early on the blue side, you red siders get precious inside knowledge for better lateral movement shenanigans, etc. It makes everyone better to tighten the feedback loop, basically.

evil_bunnY
Apr 2, 2003

Defenestrategy posted:

I feel the solution is not to have a red or blue team at the end of the day, but one department who is gonna break and fix the poo poo. I don't know how feasible that is at larger companies, but when we have to do in-house pentesting, our company isn't big enough to just hand patch notes over the wall to infrastructure because they are already slammed with stuff. So we have to basically make patch notes, tell infra what we're gonna do, and then fix it when infra gives us a window.

You need competing/independent interests if you want things to keep moving IME.

Defenestrategy
Oct 24, 2010

evil_bunnY posted:

You need competing/independent interests if you want things to keep moving IME.

We keep things moving because we have to complete routine testing as part of our contracts and insurance obligations, and we fix poo poo because we have to remediate our findings again as part of our contracts and insurance obligations. :shrug:

Jiro
Jan 13, 2004

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

"Although Cisco has yet to release a software patch, the company is urging customers to protect their devices. That means implementing a stop-gap measure to keep vulnerable devices from being exploited and running a host of scans to detect if devices have been backdoored.

"Cisco is committed to transparency," a company representative wrote in an email Tuesday. "When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them." "We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory."

The previously unknown vulnerability, which is tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. Any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and exposed to the Internet is vulnerable. On Monday, the Shodan search engine showed that as many as 80,000 Internet-connected devices could be affected."

:shepface:
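The quoted advisory text boils the exposure down to one config condition: an IOS XE box with the HTTP or HTTPS server feature on and reachable from untrusted networks. The following is an added example (not Cisco's tooling and not from the advisory or the article) that audits a pile of saved running-configs for exactly that condition and emits the stop-gap commands. The `ip http server`, `ip http secure-server` and `ip http access-class` statements are the real IOS XE config syntax; the device configs below are constructed, and treating any `access-class` as "restricted" is a simplification, since the referenced ACL still has to actually be tight.

```python
"""Flag IOS XE devices whose Web UI is enabled with no source restriction.

Added example, not Cisco's code. The three config statements matched here
are real IOS XE commands; the sample configs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# 'ip http access-class 10' (legacy) or 'ip http access-class ipv4 NAME'
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


@dataclass
class WebUiStatus:
    device: str
    http: bool = False                     # 'ip http server' in effect
    https: bool = False                    # 'ip http secure-server' in effect
    access_class: Optional[str] = None     # ACL from 'ip http access-class'
    remediation: list[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Web UI listening and no access-class at all: anything that can
        # reach the device on 80/443 can reach the vulnerable UI.
        return (self.http or self.https) and self.access_class is None


def audit_webui(device: str, running_config: str) -> WebUiStatus:
    """Walk a 'show running-config' dump; the last statement seen wins."""
    st = WebUiStatus(device)
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            st.http = True
        elif line == "no ip http server":
            st.http = False
        elif line == "ip http secure-server":
            st.https = True
        elif line == "no ip http secure-server":
            st.https = False
        else:
            m = ACCESS_CLASS_RE.match(line)
            if m:
                st.access_class = m.group(1)
    # Stop-gap until a fixed image is installed: turn the feature off.
    if st.http:
        st.remediation.append("no ip http server")
    if st.https:
        st.remediation.append("no ip http secure-server")
    return st


def audit_fleet(configs: dict[str, str]) -> list[str]:
    """Names of devices whose Web UI is on with no access-class."""
    return [name for name, cfg in configs.items() if audit_webui(name, cfg).exposed]


# Constructed sample configs (not real devices).
EXPOSED = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""
HARDENED = """\
hostname core-sw-1
no ip http server
no ip http secure-server
"""
RESTRICTED = """\
hostname wlc-1
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""
SAMPLE_FLEET = {"edge-rtr-1": EXPOSED, "core-sw-1": HARDENED, "wlc-1": RESTRICTED}

if __name__ == "__main__":
    for name, cfg in SAMPLE_FLEET.items():
        s = audit_webui(name, cfg)
        print(f"{name}: http={s.http} https={s.https} acl={s.access_class} exposed={s.exposed}")
        for cmd in s.remediation:
            print(f"  stop-gap: {cmd}")
```

Run it over configs pulled from your backup system and the "exposed" list is the set of devices to deal with first; a device that was already reachable from the Internet before you turned the UI off also needs the compromise checks from the advisory, since disabling the server does nothing about an implant that is already there.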

just a kazoo
Mar 7, 2018

Silly Newbie posted:

I'll take three out of three

Security/Infra side leadership that wants to know the things they don't know, because that's the only way to fix them.

IT leadership that can leverage politics to get their stuff - "well, doing this will reduce our cybersecurity insurance rates and make stakeholders happy if we phrase it right"

Outside contractors doing red team who don't have a stake in internal politics and aren't competing for an overall part of the internal IT budget, but want happy repeat customers.

This is how it should be but it is extraordinarily rare to find all three. I think the relationship between insurance rates and cyber hygiene needs to get further correlated, but that progress has been pretty slow; instead it's regulated industries that drive the red team market.

GrunkleStalin
Aug 13, 2021

Jiro posted:

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

"Although Cisco has yet to release a software patch, the company is urging customers to protect their devices. That means implementing a stop-gap measure to keep vulnerable devices from being exploited and running a host of scans to detect if devices have been backdoored.

"Cisco is committed to transparency," a company representative wrote in an email Tuesday. "When critical security issues arise, we handle them as a matter of top priority, so our customers understand the issues and know how to address them." "We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory."

The previously unknown vulnerability, which is tracked as CVE-2023-20198, carries the maximum severity rating of 10. It resides in the Web User Interface of Cisco IOS XE software when exposed to the Internet or untrusted networks. Any switch, router, or wireless LAN controller running IOS XE that has the HTTP or HTTPS Server feature enabled and exposed to the Internet is vulnerable. On Monday, the Shodan search engine showed that as many as 80,000 Internet-connected devices could be affected."

:shepface:

Fun fact: This was discovered during a TAC call.

Silly Newbie
Jul 25, 2007
How do I?

just a kazoo posted:

This is how it should be but it is extraordinarily rare to find all three. I think the relationship between insurance rates and cyber hygiene needs to get further correlated, but that progress has been pretty slow, instead its regulated industries that drive the red team market.

That's totally fair. What I described is the situation I'm in, but I'm also in private equity owned construction (more or less), so there's very little regulation and it's easy to play the "doing this and showing that we've done this will make the money overlords happy". This also turns on the money faucet for hiring red team type engagements. If I was in a big publicly traded company or a < $20M revenue family owned, I'd be screwed and none of that would work.
Another favorite is "if we don't do this, Microsoft/Meta/etc might stop hiring us in favor of someone who does".

The relationship between cybersecurity doing stuff and actually getting insurance is very real. Last year I was midway through a project to MFA all of our field people VPN connections, but had some pushback from the business over disruptions. I did an assessment with our insurance provider, they said "if you MFA your VPN we'll take you from 50/50 coinsurance to 90/10", and the business leadership got told to suck it the gently caress up in a hurry.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer

spankmeister posted:

Cuts down on the noise but isn't going to stop a determined attacker. Also it can cause problems because the geoip databases aren't perfect. (Whatever you do, keep them up to date)

The GeoIP databases are also really incestuous with multiple databases basing entries on others.

https://geolocatemuch.com/ has a good listing of the different database providers, and has information on how to maintain your own geofeed file to reduce the chance of your own IPs being mislabeled.

They also don't rely solely on whois registration data because the address for an organization isn't necessarily the location in which the prefix is in use. Relying only on country-level accuracy is a lot safer than trying to rely on it for state or even city level accuracy, but again, it's not perfect. This process of making a determination is their "secret sauce".

There's a reason that MaxMind wants you to accept Terms of Use that include indemnifying them from loss associated with the use of their correction form to submit a correction to their database.
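An added example for the geofeed point above (not code from geolocatemuch.com or any GeoIP vendor): a parser for a self-published geofeed, assumed to be in the RFC 8805 format those providers consume (one `prefix,country,region,city,postal_code` line per entry, `#` comments, trailing fields optional), plus a longest-prefix lookup and a comparison against a vendor's answers to find your own prefixes being mislabeled. The prefixes and the vendor answers are constructed from documentation ranges.

```python
"""Parse an RFC 8805 geofeed, look addresses up in it, and diff it against
a vendor's country answers.

Added example; the feed, the vendor answers and the addresses are constructed.
"""
from __future__ import annotations

import csv
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")               # ISO 3166-1 alpha-2, e.g. DE
REGION_RE = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")    # ISO 3166-2, e.g. US-CA


@dataclass
class GeofeedEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    country: str
    region: str
    city: str


def parse_geofeed(text: str) -> tuple[list[GeofeedEntry], list[str]]:
    """Return (valid entries, error messages). Bad lines are reported and
    dropped so a consumer never sees a prefix with a malformed location."""
    entries: list[GeofeedEntry] = []
    errors: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = next(csv.reader([line]))
        fields += [""] * (5 - len(fields))        # tolerate omitted trailing fields
        prefix, country, region, city, _postal = fields[:5]
        try:
            # strict=True rejects prefixes with host bits set (192.0.2.1/24)
            network = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: bad prefix {prefix!r}: {exc}")
            continue
        if country and not COUNTRY_RE.match(country):
            errors.append(f"line {lineno}: bad country code {country!r}")
            continue
        if region and (not REGION_RE.match(region) or not region.startswith(country + "-")):
            errors.append(f"line {lineno}: region {region!r} does not belong to {country!r}")
            continue
        entries.append(GeofeedEntry(network, country, region, city))
    return entries, errors


def lookup(entries: list[GeofeedEntry], addr: str) -> Optional[GeofeedEntry]:
    """Longest-prefix match of one address against the feed."""
    ip = ipaddress.ip_address(addr)
    best: Optional[GeofeedEntry] = None
    for entry in entries:
        net = entry.network
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best.network.prefixlen:
                best = entry
    return best


def find_mislabels(entries: list[GeofeedEntry], vendor: dict[str, str]) -> list[tuple[str, str, str]]:
    """(address, vendor_country, feed_country) for every disagreement at
    country level; region/city are deliberately not compared."""
    out: list[tuple[str, str, str]] = []
    for addr, vendor_country in vendor.items():
        entry = lookup(entries, addr)
        if entry is not None and entry.country and entry.country != vendor_country:
            out.append((addr, vendor_country, entry.country))
    return out


# Constructed feed: four good lines, then host bits set, a lowercase
# country code, and a region that belongs to a different country.
SAMPLE_FEED = """\
# constructed example feed, not real allocations
192.0.2.0/24,US,US-CA,Mountain View,
192.0.2.128/25,US,US-WA,Seattle,
198.51.100.0/24,DE,DE-BE,Berlin,
2001:db8::/32,NL,,,
203.0.113.1/24,US,,,
203.0.113.0/24,us,,,
2001:db8:1::/48,NL,FR-IDF,Paris,
"""
# Constructed "vendor says" answers for addresses inside the feed.
SAMPLE_VENDOR = {"192.0.2.200": "US", "198.51.100.7": "US", "2001:db8::1": "NL"}

if __name__ == "__main__":
    entries, errors = parse_geofeed(SAMPLE_FEED)
    for err in errors:
        print("feed error:", err)
    for addr, vendor_cc, feed_cc in find_mislabels(entries, SAMPLE_VENDOR):
        print(f"{addr}: vendor says {vendor_cc}, our feed says {feed_cc}")
```

Only the country is compared because, as noted above, country-level accuracy is the most you can reasonably lean on; a disagreement at that level is what you take to the vendor's correction process, while region and city differences are expected noise.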


some kinda jackal
Feb 25, 2003

 
 
IOS XE (Xtra Exploitable)
