Despite CSO efforts, ethical-hacker A teams “always get their man”

Dedicated teams of hackers-for-hire are on the ground in Australia and are throwing everything including the proverbial kitchen sink at business networks to identify and exploit often significant vulnerabilities – before the real bad guys do.

Conventional penetration testing has emerged in recent years as an acceptable and important part of regularly testing a company's security defences.

Yet even as pen-testing has gained in stature, one security expert says its normalisation within many businesses has left many of those businesses complacent and unprepared to deal with a full-fledged attack by determined and well-resourced outsiders.

“When we attempt to attack the environment we are showing the customer how all of their traditional security controls are failing when they come up against a mission-oriented adversary,” Jackson McKinley, senior manager for Mandiant Consulting with FireEye, recently told CSO Australia.

FireEye recently leveraged its extensive roster of skilled security experts – many of whom have unconventional capabilities such as the authoring of malware – to launch its Red Team Operations in Australia and, McKinley warns, their track record so far confirms that businesses here still have a lot to learn about security within its enterprise-wide context.

“If you want to test your A game you bring an adversary who brings your A game,” he said. “All security professionals aim to produce good results for their customers and I personally have never seen the team not produce a result. They always get their man and they are always able to produce a result for the customer.”

In some cases the target organisations have detected the red team's activities and the exercise escalated into a “game of cat and mouse”, but this actually emboldens the security teams: “They are looking to turn those skills that they have honed over so many years of experience, and to turn this into a result for customers,” says McKinley, who has watched the team members having “an awful lot of fun” when they finally manage to breach the victim organisation.

These sorts of wargames reflect the growing need for organisations to bolster their security defences in an era where human targets are continuing to prove extremely easy to manipulate.

Despite years in which CSOs have been all but begging users to be smarter about what they click on, in one exercise McKinley's team peppered a company with spoofed emails purporting to be from the IT department and promising the chance to win an iPhone 6S to employees who clicked on a link to test the strength of their password.

In the Silicon Valley-based technology company of 600 people, some 400 recipients clicked on the link and entered their passwords into a fake portal.

“Even if only one or two employees had clicked on it, the attack would still have been successful,” McKinley said.

“They would still have stolen some credentials and would have been able to penetrate the environment. The point is that you can't just rely on the people – so having a layered defence and regular testing can help.”

That testing must extend far beyond email and network-defence systems, with Mandiant also launching focused penetration testing services for other online systems that present major risks including industrial control systems, Internet of Things (IoT) devices, and mobile applications and devices.

Each of these domains presents a significant weakness for most enterprises and regular testing is increasingly being recognised as a crucial part of the security defence. Gartner recently flagged security testing as one of the biggest growth opportunities for technology providers in a global information-security market that grew by 4.7 percent to be worth some $US75.4 billion in 2015.

And research firm ReportsnReports has predicted that security-testing services would grow at 14.9 percent annually through 2019, when it will be worth $US4.96 billion. Much of that growth will come as companies recognise that their security remediation can be aided by engaging security testers with the same skills that a real attacker would bring to the table.

The process may be humbling for security staff who watch their defences being systematically breached or disabled, but McKinley said most companies rightly see the whole activity as a learning process. “The teams that do this are very talented individuals who are extraordinarily good at what they do,” he said. “They're able to craft malware, phishing attacks and exploits just like an attacker would do.

Not only do they get an understanding of how to breach a network, but how they would defend it. A lot of learning happens after an attack – and it's a lot better to work on this with a friendly team than an unfriendly team.”
