We are going to be releasing a few blog posts on why the industry has to do a better job of communicating what actually works when it comes to securing something. This first post is on why we created our new class, Offensive Techniques.
With all the "APT" hype, 0-day discussions, and endless numbers of intrusions, we were having a hard time not screaming at the IT industry to pull its head out! Our good friend Dino Dai Zovi hit the nail on the head regarding why we created the Offensive Techniques class. He did it with a couple of tweets that read "Oh, I see what you have been doing all of this time. Solving problems that don't exist while ignoring the real ones in front of your face." Followed shortly by "For example: defending against pen tests and security researchers instead of actual attacks and attackers. How's that working out for you?"

Countless times we have either conducted a test or an incident response for a business that was decimated by some type of targeted attack. The techniques used, whether by us or by the attacker, are usually not what is being taught in the industry's traditional penetration testing classes. The attack didn't involve running Nessus or any other vulnerability scanner against the target. The attackers usually didn't even have nmap; they used a batch file with a for loop and ping/netcat as a quick port scanner. The attacks combined deep operating-system-level knowledge to take advantage of misconfigurations, some good custom tools, and even Metasploit!

So why is it that, with the rise in IT security spending, we see little progress in defending against and detecting attacks that are not pulled off by a trained pen tester? It is because we don't train for or watch for these types of attacks, and we never have. They have been going on for decades, not just the past 5 years or so. Take a look at the regulations imposed on companies and organizations in relation to securing data. The regulations are just a checkbox game, and the results of these regulations really don't improve security much, if at all. You can implement everything in NIST 800-53 and we will still get in and wreak havoc!
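To make the "batch file with a for loop and ping/netcat" point concrete, here is an added example of that kind of living-off-the-land sweep. It is not code from the original post or from Attack Research; the subnet, port list, `nc` binary name and timeouts are assumptions, and it relies on the classic Windows netcat build that supports `-z` (zero-I/O connect test) and `-w` (timeout in seconds). No nmap, no scanner signatures, just two commands that are already on or trivially dropped onto a Windows host:

```batch
@echo off
rem Constructed example: ICMP sweep of a /24, then a netcat connect check on a
rem handful of ports for every host that answered. Assumptions: nc.exe is in
rem the path, the target range is 10.0.0.0/24, and the port list below.
set SUBNET=10.0.0
set PORTS=21 22 80 135 139 443 445 3389

for /L %%i in (1,1,254) do (
    rem One echo request, 200 ms wait; a live host's reply contains "TTL=",
    rem while "Request timed out" and "Destination host unreachable" do not.
    ping -n 1 -w 200 %SUBNET%.%%i | find "TTL=" >nul
    if not errorlevel 1 (
        echo %SUBNET%.%%i is up
        for %%p in (%PORTS%) do (
            rem -z: connect only, no data; -w 1: give up after one second.
            rem nc exits 0 on a successful connect, so && prints only open ports.
            nc -z -w 1 %SUBNET%.%%i %%p >nul 2>&1 && echo   %SUBNET%.%%i:%%p open
        )
    )
)
```

The defender's side of this is worth noting: nothing here trips a signature for a scanner, but a single workstation sending one echo request to every address in a subnet in sequence, followed by short-lived TCP connects to the same few ports on each live host, is a pattern that firewall and host logs already contain if anyone is looking for it. That is exactly the "watch for these types of attacks" gap the post is describing.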
Organizations and companies are too bogged down in bureaucracy to adapt as fast as they need to. We have to change the mindset of mid- to senior-level executives, politicians, and even some system administrators. Offensive Techniques teaches how to really conduct offensive cyber operations, not auditor-based attacks. It is one of many Attack Research classes designed to change how we go about giving organizations and companies real threat-based and vulnerability-based results on how they are truly vulnerable. It teaches the fundamentals of how to conduct real attacks.
We are debuting the class in October at Countermeasures 2012, and will be holding a class in the United States in November (more details to come on that). If you are interested in this or any of our other trainings, reach out and send us an email at firstname.lastname@example.org