Identifying cyberthreats quickly with proactive security testing
Microsoft Security blog, published 2022-11-03 (last modified 2024-09-12)
https://www.microsoft.com/en-us/security/blog/2022/11/03/identifying-cyberthreats-quickly-with-proactive-security-testing/

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matthew Hickey, Co-founder, Chief Executive Officer (CEO), and hacker of Hacker House. The thoughts below reflect Matthew’s views, not the views of Matthew’s employer, and are not legal advice. In this blog post, Matthew talks about application security.

Brooke: How did you get into cybersecurity?

Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”

I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no, and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.

Brooke: What is most fascinating to you about cybersecurity?

Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization,” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.

I began on an interesting journey, looking at things like state machines, where a computer will go through a lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.

Brooke: How do you help clients define and set goals for security control?

Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.

It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.

Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.

Brooke: How do you reduce assessment times and identify threats faster?

Matthew: The MITRE ATT&CK® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.

Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are, stopping the attack will cost the attacker more resources in terms of time and exploits used.

MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.

Brooke: At what stage do clients bring your organization into the process?

Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.

If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like these items we have published on GitHub for User Account Control (UAC) bypass testing: