Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/20/2016
11:00 AM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Internal Pen-Testing: Not Just For Compliance Audits Anymore

How turning your internal penetration team into a 'Friendly Network Force' can identify and shut down the cracks in your security program.

When evaluating or building a security operations program, one of my first steps is to ensure that a Friendly Network Forces (FNF) function is in place. I wish I could take credit for creating this concept. Readers with US Department of Defense backgrounds will recognize the nomenclature, commonly referred to as FNF or Blue Teams.  

What is FNF?

For most non-technical audiences, I describe FNF as internal penetration teams, but they do so much more. A sound FNF team will:

  • Search for gaps and seams through both internal and external penetration testing
  • Provide surveillance on critical portions of an enterprise that sophisticated threat actors will try to leverage 
  •  “Shake the door knobs” on security controls and devices to ensure they are working as they should (e.g. are those access controls really in place between segmented VLANs?)
  • Conduct proofs-of-concept (POCs) on zero-day or globally known vulnerabilities to see if an environment is vulnerable
  • Conduct insider threat surveillance

To truly gain the most of out these roles, it’s vital to look for certain attributes and skillsets.

For me, it is really simple. Team members must have extensive knowledge of how an enterprise environment is designed and possess a strong understanding of the most critical gaps and vulnerabilities. In fact, one of Armor’s FNF team members is one of our first employees, so he is someone who has a long history with the environment and understands each any every dark corner. It’s that important.

Understanding Threat Actors

FNF professionals should have the experience and contextual understanding of how real cyber threat actors target and attack their victims. There are great courses — the SANS-certified Network Penetration & Ethical Hacker course comes to mind — that provide solid foundations for this knowledge base. 

However, experience in leveraging this knowledge to penetrate networks is a difficult skill for potential FNF team members to acquire. Normally, you can’t apply this knowledge without facing legal or ethical ramifications.

That’s why alumni from national-level intelligence agencies or security consultants, who have worked as both close and remote access penetration testers, make great resources as do former incident response and forensics investigators.

Strong Moral Compass

Members of the team must be of high moral character. This might sound corny and obvious to some, but it is very important that members of the FNF team are very discreet in their activities and can be trusted with the highest levels of access within an organization. 

These teams watch everyone. They look for any and all anomalous activity — from the front-desk admin to the greater security team to the CSO. It’s even a good idea to include them on HR situations where an employee could be an insider threat. 

I am confident that if my FNF discovered that my laptop was compromised, they would have the authority and moral courage to let me and the CEO know that I screwed up. That is the litmus test for every member of our FNF team. This type of character and visibility should be present in every organization.  

More Than ‘Testers’

FNF teams are more than just internal pen-testers. When employed correctly, they will identify and shut down the cracks and seams in your security program. They will validate that your security operations team is doing what they say they are doing. And they will lock in on any unscrupulous, suspicious or erratic behavior within your organization.

I can’t imagine a mature security organization NOT having an FNF team. That is, unless they are afraid to know the truth. But as high-profile breaches have proven, this strategic ignorance will not prevent consequences. It only exacerbates them.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...