Think like a bad guy: Know your environment

Posted by Brandie on March 20, 2016 in Information Security |

Original post for HPE Security Research Blog 7/29/2015

Security teams often lament the lack of support from IT or application owners in identifying critical assets. The logic goes something like this: if we don’t know what is important, we don’t know what to protect. This frustration is exactly what the buzzword “context” describes. Without context, organizations default to an unwieldy “protect everything” stance. Consider the bad guy: he may be after specific intellectual property in your environment, but just as often he is fishing, hoping to get lucky. In this respect, the defender and the bad guy are on equal footing. A network exists with valuable information, and neither side knows what it is or where it sits.

Reconnaissance is the first step in all attack models

The bad guy understands it is his job to mine for gold. It may take him months to stealthily scan, identify, and catalog your environment. He knows the SharePoint servers, domain controllers, database and application servers. Unfortunately, many defenders do not do the same.

Sun Tzu said, “If you know neither the enemy nor yourself, you will succumb in every battle.”

Thinking like a bad guy starts with reconnaissance. This is your network, and as a defender it is your responsibility to learn it. If you have a vulnerability scanner, or simply nmap and a web browser, you have the tools you need. Some examples of reconnaissance you can perform:

Read press releases for services, products, keywords, or technology partnerships.

Search LinkedIn or other social network sites for individuals from your company looking for specialized or common technology skills.

Review the internal company portal for information or initiatives that may not be public.

Scan and document all devices on your network.

Establish the complete list of critical infrastructure such as authentication servers, email and such, and then attempt to categorize what is left based on your research.
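As an added example (not code from the original post), here is a small Python inventory script for the last two steps: it parses the XML that `nmap -sV -oX` writes, keeps only hosts that answered, records their open ports, and files each host under one of the critical-infrastructure classes the post names, or marks it for manual research. The scan data and the port-to-role table are constructed assumptions, not real results.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX -` output (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="dc01.corp.example"/></hostnames><ports>
  <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
  <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.25" addrtype="ipv4"/>
  <hostnames><hostname name="mail.corp.example"/></hostnames><ports>
  <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  <port protocol="tcp" portid="993"><state state="open"/><service name="imaps"/></port>
  <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.77" addrtype="ipv4"/><hostnames/><ports>
  <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
 </ports></host>
 <host><status state="down"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed open-port signatures for the infrastructure classes the post names;
# a host matching none of them is left "uncategorized" for manual research.
ROLE_PORTS = {
    "authentication": {88, 389, 636, 3268},
    "email": {25, 143, 465, 587, 993, 995},
    "database": {1433, 1521, 3306, 5432},
    "web/application": {80, 443, 8000, 8080, 8443},
}

def inventory(xml_text):
    """Return {ip: {"name", "open_ports", "roles"}} for every host that was up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # only catalog hosts that answered the scan
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")  # None when nmap found no name
        open_ports = sorted(int(p.get("portid")) for p in host.iter("port")
                            if p.find("state").get("state") == "open")
        roles = sorted(r for r, ports in ROLE_PORTS.items() if ports & set(open_ports))
        hosts[ip] = {"name": hn.get("name") if hn is not None else None,
                     "open_ports": open_ports,
                     "roles": roles or ["uncategorized"]}
    return hosts

if __name__ == "__main__":
    for ip, rec in inventory(SAMPLE_NMAP_XML).items():
        print(ip, rec["name"], rec["open_ports"], rec["roles"])
```

Feed it a real `-oX` file and the "uncategorized" entries become the worklist for the research steps above.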

These activities are maturity markers; they change security into a business-context conversation, from burden of proof (tell me what I should care about) to confirmation of your assessment (these items appear valuable). Network management tools, CMDB systems, and other sources can give defenders a head start, but many settle for piecemeal or incomplete technology solutions to a problem that is really just time-consuming, messy work.

Defenders have the inside advantage; it is time to use it.

Copyright © 2011-2024 Busy Making Plans All rights reserved.