Offense or Defense? An Ethical Hacker’s Approach to Cybersecurity
January 2022
Which is more critical in the game of cybersecurity: offense or defense?
Many would argue that cybersecurity is, by nature, defensive, reacting to the threats in the world around us. Cybersecurity solutions make us think of antivirus, scanning, detecting, and removing known viruses from computers; firewalls to protect the IT infrastructure from intruders; VPNs to create secure entry points into corporate assets; and many more and varied technologies. But are defensive reactions limited? Can organizations become more proactive? How can they fight back against the ever-evolving threat landscape?
As an attacker, ethical hackers work on the offensive side, testing weaknesses, vulnerabilities and trying to force their way into systems in order to uncover where an organization needs to strengthen security.
At the WALLIX Momentum annual event, we spoke with two ethical hackers about their approach to cybersecurity:
Knowing about your passion for food and cooking, how do you go from culinary specialties to the defense of IT systems?
Clément Domingo: Between the two, I think there’s actually very little difference. Working with IT systems is very much like understanding a recipe, and adapting it to your tastes, if you will. And so in many ways they are quite similar.
For me, I began on the side of the attacker, doing offensive work for a few years. More recently, I’ve been doing more defensive work as it’s a bit more fun but it’s much more complicated. Hackers are generally in advance, but I’m sure we can be doing more defense today.
But of course you need the right ingredients…
Clément: Ah well of course. If we don’t have the right ingredients you can ruin the recipe, it can be burned or undercooked, lacking flavor… you need the right recipe.
Let’s talk a bit about the Blue Team
In the cybersecurity community, the Red and Blue teams terminology is used to define and delineate the roles within an IT security organization, as follows:
Red Team: The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Blue Team: The term Blue Team is used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture.
Clément: The Blue Team, today I’d say it’s an enormous amount of work compared to the Red Team. But I am convinced that to do a bit of both is essential to better understanding the ecosystem as a whole, and to successfully securing all that there is to secure.
The Blue Team is also the natural choice for IT systems administrators, network admins, and other IT types
Clément: I’m not sure that’s true. I think it’s a bit of a cliché, like the idea that all hackers and IT guys are in their basements with a hoodie on. But really, even if we have interests and tendencies as a sysadmin that maybe it’s more understandable to do Blue Team, it’s also not so clear-cut and set in stone. A sysadmin might just as easily be interested by the offensive and coding, or might be an analyst and doing defensive work in the Blue Team.
So to recap, the Red Team is verifying what’s in place on offense… pentesting, etc.
Clément: Yes, exactly. Guys on the Red Team are going to be the ones who like to break things, to think about things from a different angle. What I really like about Red Team is that anything is possible. If we’re told “no, you can’t do that,” well, we’re going to do it and we’re going to shake up the system and show that in the end, it wasn’t as well-secured as you thought.
Turning to you, Adrien, as more of a rum fan than a chef, that can facilitate analysis and research, no?
Adrien Jeanneau: Oh sure, it can really help to open up the possibilities, you might say. It expands the field of possibilities and thought processes especially as it gets late and your imagination is running to discover the weakness, to highlight the main security problem faced by an organization.
You two have one main thing in common, and that is the fact that you are two of the best “vulnerability hunters” in the YesWeHack community. Can you tell us about that?
Adrien: That’s right. We both participate in what’s called “Bug Bounties”, which is program in which we seek out weaknesses in coordination with companies. An organization will reach out to YesWeHack to say they’d like to test their IT system, their website, etc. by the community of researchers and in return for reporting on any vulnerabilities found, these researchers or “ethical hackers” are compensated with a reward of anywhere from 50€ to 10,000€ or even 20,000€ depending on the company and the significance of the vulnerability found.
Clément: Basically, we cyber-slap them, but only with their cyber-consent.
Let’s talk a little about some recent cyber-attacks
Clément: If we look at the attack on Colonial Pipeline last summer, it’s a really interesting example. The group that made the attack, DarkSide, a threat actor based out of Eastern Europe, is actually rather unusual in the world of ransomware. They have something called RaaS, or Ransomware-as-a-Service, which means that if you want to mess with someone, a company or a government, there’s no need to be a specialist in cyber threats. You just need money, and to know how to contact them on the Dark Web. You tell them what you want, and they provide you with everything you need to compromise whoever you want.
So it’s really a democratization of cyber-defense and cyber-attacks.
Adrien: What you need to understand is that this makes this type of attack possible for anyone, really. You just need enough money and DarkSide provides a turnkey solution, which opens the door to many more malicious actors to access this type of solution.
As we move into 2022, there are many newer technologies to secure: the cloud, AI, connected OT data…
Clément: Yes, absolutely. To summarize briefly, there are 3 types of data that can be attacked: Stored Data, saved in the cloud or in a data center, Processed Data in any type of IT system, and Archived Data. Today, we talk a lot about the Cloud and hybrid environments where data is stored both in the cloud and on in-house servers, all this adds way more complexity and significantly more vulnerabilities for IT security specialists like us to continue to uncover. And the big challenge for 2022 and the years to come is to find a solution that is resilient and can provide reassurance that our digital data is safe.
If someone were to attack data stored in the cloud, is the idea to prevent the company from restoring it and force the victim to pay for it?
Adrien: It’s exactly that. The idea is to completely block the IT system so they have no choice but to pay up. These days, ransomware do a few different things. First, to steal data and save it to either use or potentially resell on the Dark Web. They also encrypt data, and the most aggressive tactic, they might destroy it so there’s no trace of it left even if the ransom is paid. It can be in the cloud, it can be on local machines, it can happen anywhere.
Ultimately, they are just looking for the sensitive point in a company which, today, is data – client data, financial data, employee data – any data that has value and will have an impact on the company if it’s breached, deleted, or encrypted.
Ransomware attacks have become more and more frequent and severe. What can we do in 2022 and beyond to defend against them?
Adrien: The first thing would be to bring IT systems up to date as much as possible. I feel like it’s repetitive to say since the dawn of IT, but patch management is critical and really comes first. The second thing would be to keep a close eye on all the IT infrastructure that might be exposed. For example in my work with Bug Bounties, I sometimes find strange things, or in my experience on Red Team where a company declares that their IT and servers are 100% secure, no one can access them, that in fact one server was accessible. And it’s the one server that enables access to the rest of the IT system.
So it’s incredibly important to have complete awareness of the environment, to list all servers, to keep up with any projects in progress and what access rights users will need, for which reasons, etc. We’ve seen DDOS attacks where an IoT-connected refrigerator was used to jump to sensitive servers. It’s critical to carefully consider what is connected to the internet, if it’s necessary, and to ensure that anything connected is protected, not exposed so it can’t be used for lateral moves or to steal data.
Clément: To add to that, we’ve talked a lot about cyber-attacks and ransomware, but not as much about Incident Response when we intervene to stop or recover after an attack. There’s one thing we don’t often discuss, and it’s that the fact is, as a company today it is only a matter of time before you’re attacked. And if you don’t have a plan in place, don’t use a Zero Trust model, you’re going to have to reconstruct over and over, there will always been weaknesses. And so we really need to speak more about tools, Bastions, defensive strategies, to segment assets to prevent complete disaster.
Offense and Defense, Working Together
A well-rounded approach which merges offensive measures and defensive strategies is key to robust, effective cybersecurity. As our ethical hackers illustrated, understanding all sides of IT systems and infrastructures – as well as the technologies used to attack them – is critical to identifying vulnerabilities and paving the way towards more secure, resilient IT infrastructures in an ever-evolving threat landscape.