A platform for financial services must have an extremely high level of security. One of the techniques we use at Pismo to reach that level is to apply the defence in depth concept to our red team engagements: we attack each layer of our own defences rather than only the outer one. Let's discuss how we do it.
Red x blue
Before examining our defence in depth practices, let's recall what a red team does. If you ask a random person what cybersecurity professionals do, you will likely hear that they protect companies from "bad guys" such as hackers. Information security is commonly associated with defensive rather than offensive activity.
The red team moves in the opposite direction: it applies ethical hacking techniques to uncover technical, physical and logical flaws before a real attacker does, which in turn protects the company's data and assets. The term "red team" is used in contrast to "blue team", the group in charge of the defensive measures.
The security onion
Since the internet was born, information security has changed a lot. Many techniques were developed to increase the resilience of defensive mechanisms, and focusing solely on perimeter hardening has proven to be an ineffective strategy. Without other layers of defence, "once the main gate is compromised, the realm may fall into the hands of the outsiders".
Given this introduction, I present the security (or defence) in depth concept, also known as the security onion. This approach protects data and assets with multiple independent layers of defence (e.g. web application firewall, DMZ network, intrusion detection system, antivirus software and so on), so that a single bypassed control does not give the attacker everything.
The information security use of the term was popularised by the U.S. National Security Agency (NSA), which borrowed a much older military strategy. The image it evokes is the medieval fortified city: to invade it, you had to cross a moat, a drawbridge, a massive wall full of archers and a monumental gate, then a middle wall guarded by infantry, and finally you would enter a city full of eyes wary of new faces.
Red team engagements
As you may have heard before, the best defence is a good offence. We evaluate and map our protections from the outside in and plan attacks to uncover vulnerabilities; in other words, we peel the security onion in reverse. Let's see a few red team practices that we adopt at Pismo.
Outer layer
Map the company's attack surface.
- Check for exposed websites.
- Look for hosts with unintended open ports.
- Look for misconfigured domains.
- Periodically review our web application firewall rules and run attack exercises to find bypasses.
- Perform extensive open-source intelligence (OSINT) assessments, ranging from publicly readable storage buckets and public documents to credential leaks.
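The first three items above (exposed hosts, unintended open ports, misconfigured domains) boil down to comparing what is observed from the outside against what is supposed to be there. The script below is an added example written for this post, not Pismo's tooling: it diffs constructed port-scan results against an approved exposure inventory and flags CNAME records that point at storage buckets the company does not own (a takeover candidate). The hostnames, inventory, scan tuples, DNS records and bucket names are all constructed sample data; in practice they would come from your scanner output and DNS zone export.

```python
"""Diff observed external exposure against the approved inventory.

Added example (not Pismo's own code). All data below is constructed.
"""
from dataclasses import dataclass

# Approved exposure: host -> ports that are meant to be reachable (constructed).
APPROVED = {
    "api.example.com": {443},
    "www.example.com": {80, 443},
    "vpn.example.com": {443, 1194},
}

# Constructed scan output as (host, port, service) tuples.
SCAN = [
    ("api.example.com", 443, "https"),
    ("api.example.com", 22, "ssh"),                  # not in inventory
    ("www.example.com", 80, "http"),
    ("www.example.com", 443, "https"),
    ("db-backup.example.com", 5432, "postgresql"),   # host nobody declared
    ("vpn.example.com", 1194, "openvpn"),
]

# Constructed DNS export: name -> (record type, target).
DNS = {
    "www.example.com": ("A", "203.0.113.10"),
    "assets.example.com": ("CNAME", "assets-prod.s3.amazonaws.com"),
    "old-docs.example.com": ("CNAME", "retired-docs.s3.amazonaws.com"),
}

# Buckets we actually own (constructed). A CNAME to any other bucket on a
# provider where names are first-come-first-served is a dangling record.
OWNED_BUCKETS = {"assets-prod"}
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com",)


@dataclass
class Finding:
    kind: str
    host: str
    detail: str


def unexpected_ports(approved, scan):
    """Flag ports on known hosts that were never approved, and hosts
    that are exposed but absent from the inventory altogether."""
    findings = []
    for host, port, service in scan:
        allowed = approved.get(host)
        if allowed is None:
            findings.append(Finding("unknown-host", host,
                                    f"{port}/{service} on a host not in inventory"))
        elif port not in allowed:
            findings.append(Finding("unexpected-port", host,
                                    f"{port}/{service} is not approved"))
    return findings


def dangling_cnames(dns, owned_buckets, suffixes):
    """Flag CNAMEs that point at a claimable bucket name we do not own."""
    findings = []
    for name, (rtype, target) in dns.items():
        if rtype != "CNAME":
            continue
        for suffix in suffixes:
            if target.endswith(suffix):
                bucket = target[: -len(suffix)]
                if bucket not in owned_buckets:
                    findings.append(Finding("dangling-cname", name,
                                            f"points at unowned bucket {bucket!r}"))
    return findings


def audit(approved=APPROVED, scan=SCAN, dns=DNS, owned=OWNED_BUCKETS):
    return unexpected_ports(approved, scan) + dangling_cnames(dns, owned, CLAIMABLE_SUFFIXES)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

The point of keeping an explicit inventory is that "open port" alone is not a finding; "open port nobody approved" is. The same diff runs in the opposite direction too: a host in the inventory that the scan no longer sees is worth a question as well.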
Middle to internal layers
Focus on any exploitable path behind the curtains.
- Run phishing campaigns. The employees must be aware of threats and act as an additional line of defence.
- Assume any user can have their account compromised. If this happens, are there any unmonitored resources that may become a target?
- Check network isolation. Does your network reflect your topology design?
- Review container security practices. If an application running in a container is compromised, could the attacker break out to the host?
- Search for logic flaws in DevOps processes (e.g. a pipeline that can be made to run arbitrary commands from a pull request).
- Execute regular penetration tests on internal and external applications.
- Run vulnerability scans frequently.
- Perform code reviews before deploying new applications and significant changes.
- Perform wireless security assessments.
- Perform physical security evaluations.
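The container breakout question above has a concrete answer in the container's runtime configuration: a privileged container, a shared host PID or network namespace, a dangerous added capability or a bind mount of the Docker socket each turns "I own this process" into "I own the host". The script below is an added example for this post, not Pismo's tooling: it audits two constructed container definitions shaped like `docker inspect` output (the `HostConfig` and `Config` keys are the real ones from that output; the container names and settings are made up) and lists the breakout and hardening gaps for each.

```python
"""Audit container settings that make a breakout from a compromised
container easy. Added example (not Pismo's own code); sample data below
is constructed to mirror the shape of `docker inspect` output."""
import json

# Constructed sample: one container with typical risky settings, one hardened.
INSPECT_OUTPUT = json.dumps([
    {
        "Name": "/billing-worker",
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "NetworkMode": "host",
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"],
            "ReadonlyRootfs": False,
            "SecurityOpt": None,
        },
        "Config": {"User": ""},
    },
    {
        "Name": "/api",
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "NetworkMode": "bridge",
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "Binds": ["/srv/api/config:/config:ro"],
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges:true"],
        },
        "Config": {"User": "10001:10001"},
    },
])

# Capabilities that give mount, ptrace, module-load or network control on the host.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "ALL"}
# Host paths whose exposure hands over the host or its control plane.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/proc", "/sys", "/dev", "/etc"}


def sensitive_mount(src):
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def breakout_risks(container):
    """Return a list of human-readable risks for one inspect record."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    risks = []
    if hc.get("Privileged"):
        risks.append("privileged: all capabilities and raw device access")
    if hc.get("PidMode") == "host":
        risks.append("host PID namespace: can see and ptrace host processes")
    if hc.get("NetworkMode") == "host":
        risks.append("host network namespace: reaches host-local services")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            risks.append(f"capability {cap}: mount/ptrace/module access on the host")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if sensitive_mount(src):
            risks.append(f"bind mount of {src}: host control plane exposed")
    # Hardening gaps: not a breakout on their own, but they remove the brakes.
    if not cfg.get("User"):
        risks.append("runs as root inside the container")
    if not hc.get("ReadonlyRootfs"):
        risks.append("writable root filesystem")
    if "no-new-privileges:true" not in (hc.get("SecurityOpt") or []):
        risks.append("no-new-privileges not set: setuid binaries can escalate")
    return risks


def audit(inspect_json=INSPECT_OUTPUT):
    return {c["Name"].lstrip("/"): breakout_risks(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, risks in audit().items():
        print(name, "->", "clean" if not risks else "")
        for r in risks:
            print("   -", r)
```

Run it against `docker inspect $(docker ps -q)` on a real host to get the same report for live containers. A container that comes back clean can still be broken out of through a kernel bug, so this check is a floor, not a ceiling; it just removes the cases where no exploit is needed at all.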
You should never just trust that your shield will absorb any blow. The broader the scope of your red team engagements, the more effective your results will be in the long term. Furthermore, you must keep developing new defence techniques and ideas over time: a creative and varied routine for assessing your environment will strengthen it and keep the spotlight on security. Time and again we find that, when it comes to security, staying inside our comfort zone is the one thing we cannot afford.