A team of security analysts works diligently around the clock, monitoring for alerts and trying to prevent attackers from entering the network. They detect and contain any intrusions that slip past the preventative measures in place. A criminal threat actor sends a successful phishing email with a link that downloads malicious software, bypassing the company's antivirus detections. The attacker has now gained entry, unbeknownst to the security analysts. The attacker goes to work, disabling security software to hide their activities and using built-in operating system tools to blend in with legitimate user activity. As a result, no security alerts fire. The security analysts continue to work, unaware of the malicious activity happening right under their noses. Shortly thereafter, the company receives a notification that a number of enterprise passwords and other company secrets have been compromised and offered for sale to other bad actors, all because the defenders were acting like traditional defenders rather than thinking like members of the offensive community. Had they done so, they might have had a chance to avoid this catastrophic and all-too-common outcome. Enter the Active Defender.
The Active Defender is an alternative approach to the way cybersecurity defense has typically been practiced. The traditional approach is usually passive or reactive, waiting to respond to alerts or other indications of attack. The Active Defender, by comparison, is someone who seeks to understand an attacker mindset and embraces the knowledge gained from the offensive security community in order to be more effective. While we'll explore what, exactly, an Active Defender is in Chapter 1, let's first define the notions of defensive and offensive security teams used here.
In the broadest sense, defensive security teams consist of security professionals who are responsible for defending an organization's information systems against the security threats and risks in its operating environment. They may work toward identifying security flaws, verifying the effectiveness of security measures put in place, and continuing to monitor the effectiveness of any implemented security measures. They may also provide recommendations to improve the organization's overall cybersecurity readiness posture, in other words, how ready an organization is to identify, prevent, and respond to cybersecurity threats. I will be using the term defensive security teams here to also include the people who are responsible for securing the services they provide, such as system and network administrators, as well as developers who are also responsible for operational functions, because it is not unusual for smaller organizations to rely solely on these people for their cybersecurity needs.
Offensive security teams, on the other hand, consist of security professionals who are responsible for testing the defensive mechanisms put in place to protect an organization's information systems, to determine whether those mechanisms prevent attacks or at least detect them once they have occurred. One team of offensive security professionals might be responsible for penetration testing (pen testing). Pen testing goes only as far as mapping the risk surface of an application or organization to evaluate the potential routes of exploitation for an attacker and then tests those routes to see whether they are in fact exploitable. Other offensive security teams may be responsible for full adversarial emulation, which completely emulates a high-capability and/or well-resourced, goal-driven adversary attempting to compromise the network environment to achieve a set of operational goals. The goal of this activity is to assess threat readiness and response. Historically, these teams have sometimes been referred to as blue and red teams, respectively, but the imprecise nature of this terminology is problematic. Therefore, I will be using some form of the terms defensive and offensive security professionals throughout this book.
Defensive security teams continue to be up against some pretty significant challenges. According to research provided by the Identity Theft Resource Center (ITRC), the number of data breaches reported as of the end of 2022 was 1,802, the second highest number of publicly reported data compromise events in a single year.i The average cost of a data breach in 2022 increased by 2.6 percent compared to the previous year, from $4.24 million to an all-time high of $4.35 million.ii Yet organizations are spending more than ever on cybersecurity. Spending is up another 12.1 percent from the previous year and was expected to surpass $219 billion before the end of 2023.iii
Compromised credentials continued to be the most common initial attack vector, costing organizations an average of $4.57 million.iv The average time to discover and contain an attacker in an organization's network in 2022 was 277 days, down only slightly from 287 in 2021.v Furthermore, both the 2021 Verizon Data Breach Investigations Report (DBIR) and the Ransomware Report 2023 found that, overall, attackers continue to exploit older vulnerabilities most often.vi Therefore, it should be no surprise that one area in particular with which organizations continue to struggle is vulnerability management.
A vulnerability is any means by which a threat actor can gain unauthorized access to, or privileged control over, an application, service, endpoint, or server, such as a hardware or software flaw or a misconfiguration. For example, there may be an unpatched weakness in the operating system on a server that would allow a threat actor to log in without the proper credentials. Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in hardware and software before they can cause harm or loss. It is important to note that vulnerability management is not the same as a vulnerability assessment. The former is a full, ongoing process, whereas the latter is a point-in-time view of discovered vulnerabilities.
The good news is that there have been some improvements in certain areas of vulnerability management. For example, the SANS 2022 Vulnerability Management Survey reports that the number of organizations stating that they have vulnerability management programs, whether formal or informal, increased from 92 percent to 94 percent over the previous year.vii Most notably, as of 2021, all organizations reported either having a program in place or plans to create one.viii
The bad news is that several issues continue to plague organizations in this area. For example, many organizations are not budgeting properly for vulnerability management, in terms of either time or resources. In addition, while defensive security teams are typically accountable for the vulnerability management process, in many cases they are not actually responsible for doing the work. Those who are responsible for addressing vulnerabilities typically hold operational roles such as system administrator or network engineer. These operational teams are already overwhelmed with the amount of work they face, and they are often not rewarded for the effort they expend in this area. Furthermore, while the business may expect that vulnerabilities are managed properly, it often does not require anyone to do so and, as a result, does not recognize or reward the work done by operational staff in this area. Perhaps most importantly, because new vulnerabilities can come from anywhere, at any time, and in any form, vulnerability management is a never-ending battle.
Another area where defensive security professionals are currently struggling is cloud computing, as evidenced by the fact that, according to the 2021 DBIR, external cloud assets were more prevalent in both incidents and breaches than on-premises assets.ix As organizations adopt new technology, they often leave established security practices and monitoring tools behind, either because existing practices and tools will not work in the new environment and they do not realize they need new tools for this purpose, or because they do not realize that they need to secure cloud resources at all. As a result, the maturity level of cloud security in most organizations is often significantly lower than that of their on-premises environments. Unfortunately, that leaves organizations blind to attacks in this space and, in some cases, can put on-premises assets at an unrecognized risk. For example, Azure Active Directory and Windows Active Directory are often tied together such that if one becomes compromised, it can lead to a much larger problem. Furthermore, assumptions about who is responsible for managing cloud security, as well as accidental misconfigurations, can lead to data compromise or loss.
Offensive security teams seem to have a much easier time accomplishing their objectives. The NUIX Black Report, the only industry report to focus on responses from offensive security teams rather than on data from specific incidents or interviews with cybersecurity leadership, offers some insight into their experiences. For example, while 18 percent of respondents stated they could breach the perimeter of a target within an hour, all of them were able to achieve that goal within 15 hours. Once inside the perimeter, more than half were able to move laterally to find their target within five hours, and in certain industries, such as hospitals and...