Why SMB’s Need to Utilize Offensive Security Engagements

Category: Blog, Security | Friday, November 2nd, 2018
Offensive Security Engagements

My name is Dave Collins and I am a security analyst here at ETGI / DarkHound Security. I’ve previously written about threat actors targeting the small to mid-size business (SMB) space here and now I want to expand on the concepts I covered in that article. Today I want to focus on offensive security engagements and why they are beneficial to all businesses, specifically why the SMB space should consider contracting such engagements.

I’m a sports fan, so forgive my liberal use of sports metaphors—but it’s a good way to translate technical speak.

First, let’s focus on a good offensive strategy. There are a number of different offensive security engagements and offerings, but our DarkHound Security group primarily focuses on two. First is the vulnerability assessment, which is designed for building a baseline and letting clients know about their potential risk. This is a bit like the quarterback studying tapes of their opponent’s defense so they can read a blitz on game day.

Second (and more involved) is a penetration testing engagement. This starts with a base vulnerability assessment then goes a step further and actively attempts to compromise systems using publicly available exploits. This is like the defensive practice squad running the same defense as the team you play on Sunday, and having the offense try their plays to see how they work.

So why on Earth would I want to hire a firm to try and hack my network?

Here are a few good reasons:

It’s important to note that there are a number of different types of vulnerabilities and we do not test for everything. Stress testing, including distributed denial of service (DDoS) and denial of service (DoS) attacks, is always outside our scope of engagement – meaning we never attempt such exploits. You wouldn’t want the practice squad to go full speed against the A-team every day before the game, just as you don’t want anyone on your offense to get hurt.

Our goal is to help you learn about your vulnerabilities so you can maintain business continuity – not to try and push over your services. Secondly, it is important to verify whether any vulnerabilities we find are actually exploitable. It may appear that there is a hole in the defense, but the only way to be sure is to test it out.

In past engagements, I’ve conducted assessments where it appeared the client was vulnerable to one particular exploit. However, after attempting to exploit the vulnerability, we discovered (for one reason or another) the exploit didn’t work. Back to football terminology: if we discover what looks like a weakness in the defense, but don’t attempt to exploit it in practice and just assume our plan will work, we could be really sad on Sunday when we discover this weakness was intentional and left as a trap. This leads to the final and most important part of a penetration test: adversary simulation.

If you could choose who attacks your network, would you rather it be a firm you’ve hired to help secure your resources, or an unknown attacker? Many adversaries are simply looking for low hanging fruit and trying to make a quick buck. Our assessments can help you build out the security of your resources to make it harder for adversaries to compromise your systems and networks.

You don’t want your networks to be compromised by anyone, let alone a young hacker with time on his or her hands. Our security engineers will transform your network to look like a less juicy target, so adversaries will take one look at your systems and keep going.

No cyber plan is 100% fail proof, but just as a football team wouldn’t take the field on game day without ever having taken a snap in practice, you do not want your resources touching the internet without checking to be certain they are secure. IBM reports that the average data breach costs $3.86 million and that the cost of each lost or stolen record is $148.

After a penetration test, in addition to having a report that will help you fix any obvious issues, you will also have a clearer picture of the exploitable vulnerabilities on your systems. It’s one thing to have an unpatched server touching the internet; it is another to see a screenshot of the engineer you hired to test your systems logged in to that server. This can also help your IT department get buy-in from higher-ups within your organization for additional security services.

Simulating adversaries is millions of dollars less expensive than being hacked and having your reputation destroyed. Senior Consultant George Grachis said, “If you’re not doing scans and penetration tests, then just know that someone else is. And they don’t work for you.”

Warren Buffett famously said, “It takes twenty years to build a reputation, and five minutes to ruin it.” Given how expensive a breach can be, consider the relative cost of an offensive security engagement.

Contact EnhancedTECH at ([email protected]) or give us a call at 714-970-9330 and someone will be happy to schedule an assessment for you.
