To ensure that an organization is secure, it can be tested using many simulated attacks – even those inspired by the work of armed forces
Cyber-attacks have become part of our everyday reality and no company or organisation can be sure it will not become a target of attackers. Therefore, it is much better to get ready for this possibility and let ethical hackers attack your network first, to get ready for any future attempts from real threat actors who can cause significant harm to any organisation. An expert who helps organizations to protect their most valuable digital assets, describes the current trends in cyber security testing. Jan Kopřiva, Team Lead of Incident Response and Offensive Security from ALEF, one of the largest IT suppliers in Central Europe, claims it is useful for everyone, even the wider public, to be aware of possible cyber security risks.
Media regularly publish articles about an increasing number of cyber-attacks during the pandemic. Do you also see this problem in your company?
We did – and sometimes still do – see a significant increase in the overall number of attacks in the environments of our customers. The types of attacks vary widely, though, depending on the type of customer. Attackers have increased their efforts in some areas while they have slackened in others.
Can we mention some examples where (in which fields) particularly the number of attacks increased?
Increases of some types of attacks could be seen by almost every institution on the planet, since there have been more “un-targeted” phishing attacks of certain types and attacks targeting VPNs and other remote access mechanisms. Some industries and business verticals have been hit harder than others, however, and on the global scale, the education sector, healthcare and some IT service providers were targeted more than most.
What are the common types of security assessments or tests and in which circumstances should they be used?
If we omit auditing, which is a type of assessment as well, the three main types of “technical” security tests, which have become somewhat standardized over the years, are vulnerability assessments, penetration tests and red team tests/exercises.
The basic type of testing is vulnerability scanning or vulnerability assessment, which is fairly cheap and quite easy to do. Pretty much any company can implement it using their internal resources, which is something most companies actually do. When they are mature enough, they might move on to the second type of testing which will enable them to mitigate some of the drawbacks of vulnerability assessments – false positive detections, among others. Penetration tests are based on both manual and automated attempts to break into the target systems by what we call ethical hackers or penetration testers. A company engages a team of penetration testers, and these people will then try to “attack” any in-scope system and find as many vulnerabilities in it as possible. They will also try to eliminate any false positive detections. The third type of security tests that we see more and more nowadays is the so-called red teaming. This type of test is based on an adversary emulation concept, which originally came from the area of armed forces.
How does red teaming work?
For red teaming, a company again engages some team of security specialists, but these people won’t try to go in and find all the vulnerabilities. Instead, they will make a threat model for the target organisation and determine which real world threat actors might target it. They will then identify the tactics, techniques and procedures that these specific attackers use and they will try to apply them to the target environment. This means that they will try to compromise the particular company using the same approaches and tools that a real world attacker would most likely use. This can give the target organisation a pretty good idea of whether/how a real-world attacker could penetrate their environment and what they might be able to do afterwards.
What are the newest trends in security testing?
One of them is the wider use of purple teaming – a cooperative activity in which blue teams (organizational security teams) and red teams engage together. It increases blue team capabilities by letting them learn from the red team approach and vice versa. Both teams benefit. The red team tries some attack and a coordinator verifies whether the blue team detected it. If it didn’t, the blue team will try to make improvements which would enable them to detect the attack in the future. If it did, the red team can learn how the detection works and may try to bypass it. Doing purple teaming can be quite beneficial for organisations which are mature enough to implement this kind of testing.
Do you cooperate with other security institutions or communities?
Yes, indeed. We offer incident response services, among others, and incident response teams have their own communities. Basically, there is one in every corner of the world. One of the two most important for us is based in Europe and the other, which is global, is based in the USA. We are part of these communities and within them, teams such as ours can exchange information. They can also cooperate when it comes to handling an incident or just sharing indicators of compromise related to an incident.
How can the wider public improve its knowledge in the security area?
There are many freely available internet resources that can help anyone gain a basic understanding of key security concepts and most security professionals who author them try to make the topic as approachable to a wider audience as possible. Another way to learn is to participate in specialized educational activities. The Cyber Security Challenge is a great example of this, because it enables us to bring in young students from high schools and universities as well as the wider public and let them know that cyber security matters. No matter whether they choose to be a cyber security specialist in the future or they just want to be secure users.
You also help to educate students. How long have you been doing it?
We have had a formal program for university students for many years and we have been working with high schools for about four years. We also organize workshops and presentations for wider student audiences.
Have the workshops already attracted some young people so much that they became more interested in cybersecurity or did they even take an internship with you?
Yes. At our seminars, students often come to us asking: How can I continue to learn? How can I get a job like yours? What should I study? Do you offer internships? Can our school cooperate with your company?
We try to do our best to support such students. Among other things, at the beginning of the year, I started publishing a series of educational videos on YouTube for young people who are enthusiastic about security.
We – and other companies – also already employ a number of former students, who were introduced to cyber security during one of our seminars. Some of them started working part-time during their university studies and then moved to full-time employment.
Why is cyber security interesting to you personally?
My job is fairly unusual. It enables me to know enough that I am able to talk to most cyber security experts about their work in detail – whatever their field is – even if I wouldn’t be able to do their job myself. I like that my work is never the same. I can try new aspects of cyber security every day, so it is constantly changing for me.