Building a Modern Security Engineering Organization
-
Upload
zane-lackey -
Category
Technology
-
view
7.998 -
download
3
description
Transcript of Building a Modern Security Engineering Organization
![Page 2: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/2.jpg)
Who is this guy anyway?
• Built and led the Etsy Security Team – Spoiler alert: what this presentation is about
• Recently co-founded Signal Sciences to productize effective AppSec approaches
![Page 3: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/3.jpg)
This talk is a collection of lessons learned from building and adapting a security
team
![Page 4: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/4.jpg)
For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous
![Page 5: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/5.jpg)
For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous
– Merging of development and operations means more people with production access
![Page 6: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/6.jpg)
For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous
– Merging of development and operations means more people with production access
– Cost of attack has significantly dropped
![Page 7: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/7.jpg)
Near-instantaneous deployment?
![Page 8: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/8.jpg)
A technical diagram of tradi7onal waterfall code deployment
![Page 9: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/9.jpg)
What is this shifting to?
![Page 10: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/10.jpg)
Etsy pushes to production 30 times a day
on average
![Page 11: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/11.jpg)
Constant iteration in production via feature flags, ramp ups, A/B testing
![Page 12: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/12.jpg)
But doesn’t the rapid rate of
change mean things are less
secure?!
![Page 13: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/13.jpg)
Actually, the opposite is true
![Page 14: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/14.jpg)
They key to realize is vulnerabilities occur in all development methodologies
…But there’s no such thing as an out-of-band patch in continuous deployment
![Page 15: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/15.jpg)
They key to realize is vulnerabilities occur in all development methodologies
…But there’s no such thing as an out-of-band patch in continuous deployment
![Page 16: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/16.jpg)
Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.”
- Former vendor at Etsy
![Page 17: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/17.jpg)
What makes continuous deployment safe?
![Page 18: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/18.jpg)
![Page 19: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/19.jpg)
Source: h<p://www.slideshare.net/mikebri<ain/advanced-‐topics-‐in-‐con7nuous-‐deployment
![Page 20: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/20.jpg)
The same culture of graphing and monitoring inherent to continuous
deployment can be used for security too
![Page 21: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/21.jpg)
Surface security info for everyone, not just
the security team
![Page 22: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/22.jpg)
![Page 23: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/23.jpg)
“Don’t treat security as a binary event” - @ngalbreath
![Page 24: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/24.jpg)
Building a (k-‐)rad culture *Mullets sold separately
![Page 25: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/25.jpg)
In the shift to continuous deployment, speed increases by removing
organizational blockers
![Page 26: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/26.jpg)
Trying to make security a blocker means you get routed around
![Page 27: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/27.jpg)
Instead, the focus becomes on incentivizing teams to reach out to security
![Page 28: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/28.jpg)
Keys to incentivizing conversation:
– Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
![Page 29: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/29.jpg)
Keys to incentivizing conversation:
– Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.
– Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. • Ex: Letting low risk issues ship with a reasonable
remediation window buys you credibility for when things actually do need to be addressed immediately.
![Page 30: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/30.jpg)
Keys to incentivizing conversation:
– Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
![Page 31: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/31.jpg)
Keys to incentivizing conversation:
– Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.
– Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
![Page 32: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/32.jpg)
Keys to incentivizing conversation:
– Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch.
– Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
![Page 33: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/33.jpg)
Keys to incentivizing conversation:
– Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch.
– Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
![Page 34: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/34.jpg)
Access restric7ons
![Page 35: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/35.jpg)
Startups begin with a simple access control policy: Everyone can access
everything
![Page 36: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/36.jpg)
As organization grow there will be more
pressure to institute access policies
![Page 37: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/37.jpg)
The key to remember is don’t take away capabilities
![Page 38: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/38.jpg)
Methodology: 1. Figure out what capability is needed
2. Build an alternate way to perform the needed function in a safe way
3. Transition the organization over to the safe way
4. Alert on any usage of the old unsafe way
![Page 39: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/39.jpg)
Methodology: 1. Figure out what capability is needed
2. Build an alternate way to perform the needed function in a safe way
3. Transition the organization over to the safe way
4. Alert on any usage of the old unsafe way
![Page 40: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/40.jpg)
Methodology: 1. Figure out what capability is needed
2. Build an alternate way to perform the needed function in a safe way
3. Transition the organization over to the safe way
4. Alert on any usage of the old unsafe way
![Page 41: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/41.jpg)
Methodology: 1. Figure out what capability is needed
2. Build an alternate way to perform the needed function in a safe way
3. Transition the organization over to the safe way
4. Alert on any usage of the old unsafe way
![Page 42: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/42.jpg)
EX: SSH access to production systems
![Page 43: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/43.jpg)
Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to production systems by non-sysops
![Page 44: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/44.jpg)
Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to production systems by non-sysops
![Page 45: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/45.jpg)
Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to production systems by non-sysops
![Page 46: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/46.jpg)
Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to production systems by non-sysops
![Page 47: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/47.jpg)
Increasing a<acker cost
![Page 48: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/48.jpg)
Specifically, some thoughts on: – Bug Bounties
– Attack simulations/pentesting
![Page 49: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/49.jpg)
Bug Boun7es
![Page 50: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/50.jpg)
Bug bounties are tremendously useful. If you’re not working towards launching one,
strongly consider it.
![Page 51: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/51.jpg)
Common concerns about launching a bounty:
1. Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions.
2. Risk of inviting attacks. You’re already
getting attacked continuously, you’re just not getting the results.
![Page 52: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/52.jpg)
Common concerns about launching a bounty:
1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions.
2. Risk of inviting attacks. You’re already
getting attacked continuously, you’re just not getting the results.
![Page 53: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/53.jpg)
Common concerns about launching a bounty:
1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions.
2. Risk of inviting attacks. It’s the Internet.
You’re already getting pentested continuously, you’re just not receiving the report.
![Page 54: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/54.jpg)
The ultimate goals of a bug bounty are threefold:
1. Incentivize people to report issues to you in the first place
2. Drive up cost of vulnerability discovery and exploitation for attackers
3. Provide an external validation of if your security program is working (or not)
![Page 55: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/55.jpg)
The ultimate goals of a bug bounty are threefold:
1. Incentivize people to report issues to you in the first place
2. Drive up cost of vulnerability discovery and exploitation for attackers
3. Provide an external validation of if your security program is working (or not)
![Page 56: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/56.jpg)
The ultimate goals of a bug bounty are threefold:
1. Incentivize people to report issues to you in the first place
2. Drive up cost of vulnerability discovery and exploitation for attackers
3. Provide an external validation of where your security program is working (and where it’s not)
![Page 57: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/57.jpg)
Before you launch, record what vulnerability classes you expect to see and what you don’t.
Compare this against the issues actually
reported.
![Page 58: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/58.jpg)
Before you launch, record what vulnerability classes you expect to see and what you don’t.
Compare this against the issues actually
reported.
![Page 59: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/59.jpg)
Keep metrics on: – Number of bugs reported and severities
– Time to remediation of reported issues
You want both of these metrics to trend down over time
![Page 60: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/60.jpg)
Practical considerations:
– Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support
– Attacks will start almost immediately
For Etsy bug bounty launch, time from announcement to first attack: 13min
![Page 61: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/61.jpg)
Practical considerations:
– Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support
– Attacks will start almost immediately
For Etsy bug bounty launch, time from announcement to first attack: 13min
![Page 62: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/62.jpg)
Practical considerations:
– Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
![Page 63: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/63.jpg)
Practical considerations:
– Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your
security team uses, what falls over?
– Money almost never the overriding factor, hall of fame is
– Researchers are generally great to interact with
![Page 64: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/64.jpg)
Practical considerations:
– Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your
security team uses, what falls over?
– Money is almost never the main motivation for bounty participants, hall of fame credit is
– Researchers are generally great to interact with
![Page 65: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/65.jpg)
Practical considerations:
– Operationally review any helper systems for scaling problems beforehand. • When 10-100x traffic hits helper systems your
security team uses, what falls over?
– Money is almost never the main motivation for bounty participants, hall of fame credit is
– Key to great researcher interaction is frequent and transparent communication
![Page 66: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/66.jpg)
XXX
Running effective attack simulations
![Page 67: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/67.jpg)
Problems with “pentesting” are well understood in the offensive community
but not as well in the defensive community
![Page 68: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/68.jpg)
Pentests typically result in a list of
enumerated known vulnerabilities to be patched, not data on how a real attacker
would operate against a given environment
![Page 69: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/69.jpg)
Attack simulations should be done to learn how attackers are likely to achieve goals
against your organization
NOT to show compromise is possible
(spoiler alert: it is.)
![Page 70: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/70.jpg)
Use this attack data to focus where/how to build detection mechanisms
![Page 71: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/71.jpg)
From an organizational side, attack simulations compliment vulnerability
enumeration/compliance/etc
![Page 72: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/72.jpg)
Four keys to effective attack simulations:
1. Goal oriented • “Obtain domain admin”, “read the CEOs email”,
“view credit card data”, … • Ask attack team for input on goals, they’ll come
up with ones you didn’t think of
2. Full ganization in scope • Have attack team call a contact if they’re about
to do something risky
– several week simulat – ion
![Page 73: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/73.jpg)
Four keys to effective attack simulations:
1. Goal oriented • “Obtain domain admin”, “read the CEOs email”,
“view credit card data”, … • Ask attack team for input on goals, they’ll come
up with ones you didn’t think of
2. Full organization in scope • Have attack team call a contact if they’re about
to do something risky – Ex: Instead of throwing an exploit that lands “most of
the time”, grant access to the target system with temporary credentials
![Page 74: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/74.jpg)
Four keys to effective attack simulations:
3. Simulate realistic compromise patterns • Start the attack team on a:
– standard laptop/desktop to simulate phishing/clientside compromise
– database or web server to simulate SQL injection/RCE • 0days aren’t cheating, they’re reality. Attack team
should be encouraged to use them.
– Break simulation down into iterations: • Don’t spend the full engagement time on only round
of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) – Ex: We try to run 3-4 iterations per several week
simulation
![Page 75: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/75.jpg)
Four keys to effective attack simulations:
3. Simulate realistic compromise patterns • Start the attack team on a:
– standard laptop/desktop to simulate phishing/clientside compromise
– database or web server to simulate SQL injection/RCE • 0days aren’t cheating, they’re reality. Attack team
should be encouraged to use them.
4. Break simulation down into iterations: • Don’t spend the full engagement time on only round
of testing, once one team achieve goal(s), then swap in new attack team to achieve the same goal(s) – Ex: We try to run 3-4 iterations per several week
simulation
![Page 76: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/76.jpg)
The project output should be attack chains showing how attack team went from A->B->C
to achieve goals, what steps they took and why
![Page 77: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/77.jpg)
Just as importantly, what steps they didn’t take
Ex: “We didn’t try to find internal network diagrams on your wiki because zone transfers were enabled so we could got enough data about your network from that”
![Page 78: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/78.jpg)
Remember, the goal is to simulate realistic attack behaviors and patterns that can be
used to enhance detection
![Page 79: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/79.jpg)
In addition, simulate varying attack profiles from quick & loud to quietly maintaining
persistence
![Page 80: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/80.jpg)
Over multiple iterations learn what behaviors overlap between attackers and what strong signals of lateral movement in
your environment look like
![Page 81: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/81.jpg)
TL;DR (The section formerly known as “Conclusions”)
![Page 82: Building a Modern Security Engineering Organization](https://reader034.fdocuments.net/reader034/viewer/2022051322/540d67118d7f72767e8b4992/html5/thumbnails/82.jpg)
• Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security
team – When creating policy, don’t take away
capabilities
• Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations