The Verizon Data Breach Report has been saying it for years. The Forrester/Veracode report Planning for Failure reiterates the same points. It is only a matter of time before your company is breached. Odds are you won’t know about the breach for months, someone other than your security team is going to tell you about it, and the response to the breach is going to be expensive, disruptive, time-consuming and…less than optimal.
If you’ve been breached before, or if you’re an enterprise of any size, it’s not like you don’t have an incident reponse plan, but as Mike Tyson famously said: “Everyone has a plan till they get hit in the mouth.” When is the last time you tested that plan? Is your plan 500 pages in a 3” three-ring dust-covered binder sitting on a shelf in the SOC? That’s not a plan, that’s praying.
Your ability to respond to breaches needs to be put into practice by sparring against partners who are peers or near-peers to the kinds of threat actors you face on a daily basis. How do you do that? By testing with realism:
Over long(er)-terms. Someone who wants what you have is not going to stop after a few days or even a few weeks. Adversaries whose efforts will accelerate by years because of stolen intellectual property don’t mind waiting months; adversaries who strategize over centuries don’t mind waiting years.
Goal-oriented. Serious threat actors attack you for a reason: they are going to get paid. Efforts that don’t help them accomplish their goals are time and resources wasted. The vulnerability-of-the-month may do nothing to advance their agenda; they’re going to find a way in that no one on your staff even knows exists.
In the context of your environment. The best security training in the world is still contrived. Even the most sophisticated training lab is nothing like the systems your security team have to work with every day.
Contrast the above to your average pen-test, which is short, “noisy,” and limited in scope. Pen-tests need to be done, but recognize that for the most part pen-testing has become commoditized and increasingly vendors are competing on speed and price. Is that how you’re going to identify and assess potential risks? Lowest bidder?
If we're breached I’ll call in outside experts.
As well you should, but what are you going to do while you wait for them to show up?
Even if you have a dedicated security team in your company, odds are that team is trained to “man the battlements” so-to-speak. They’re looking for known indicators of activity along known vectors; they’re not trained to fight off an enemy who has come in through a hole of their own making. It doesn't make sense to keep a staff of IR specialists on the team; that’s an expensive prospect for even the most security-conscious organization. But it does make sense to train your people in basic techniques, just enough to prevent wholesale pillaging. More importantly, they need to practice those techniques so that they can do them on a moment’s notice, under fire.
Your enterprise is not a castle. There is no wall that you can build that will be high enough or thick enough to repel all attackers. If your definition of defensive success is “keep bad guys out” you are setting yourself and our people up for failure. The true measure of defensive success is the speed at which you detect, eject and mitigate the actions of your attackers. If you don't have a corresponding plan to do that yourself - or to hold out long enough for the cavalry to come - and that plan is not regularly and realistically tested, you're planning for victim-hood.