Getting the best ROI on asset protection

What if the best way to protect a key asset is actually nothing directly related to it?

Suppose we have application X, which allows users to make large payments. Application X is considered a critical asset by the organization that owns it and a number of people are dedicated to ensuring its security. Perhaps they conduct a penetration test to explore the application's attack surface and possible routes to exploit that system. Perhaps they patch any issues they find and engage with the application's developers to implement a secure development process to reduce the likelihood of issues appearing in the future. However, when the organization performs (or is subjected to) a red-team-type engagement, the red team are still able to access the application with ease. Why? The red team did not exploit anything.

This isn't a new concept to most people in security. As application and platform security improve and become a less appealing target for attackers, it is often much easier for them to attack the application’s users, who already have the necessary access, and use their accounts instead. As a consequence, if we look at an attack end to end, the majority of attacks follow very similar steps:

Step 1: Phishing email

Step 2: Host compromise & persistence

Step 3: Attack positioning/Lateral Movement, typically via Active Directory

Step 4: Objective reached

In practice, rather than just application X, an organization will have applications A-Z, all considered important. From MWR’s experience of performing Attack Path Mapping exercises (white-box exercises to enumerate the most likely end-to-end paths an attacker will take to achieve an objective), Targeted Attack Simulations (black-box exercises to simulate a real attack on an objective) and investigating real-world incidents as part of its Incident Response service, the vast majority of attacks are currently following these broad steps.

However, applications or assets are typically considered only as standalone projects (step 4) and are not kept in mind when considering the larger attack process (steps 1-4). This often means the earlier stages of an attack are far easier for an attacker to carry out than they should be, because the controls in place around the asset are largely ineffective when the attacker is not exploiting anything.

Another essential question for an organization to ask itself is how confident it is that it has a comprehensive view of the ways an attacker could achieve an objective. For example, if the attacker's objective is obtaining information, can the organization be sure its most sensitive information is only in the places it knows for certain? Controls at step 4 may be rendered useless if the same information can easily be retrieved from an employee’s inbox as well.

This is not to say focusing on the end goal is not important; pen testing should still be part of the security process. However, if we are considering the bigger picture, it is unlikely to be where organizations receive the best return on investment.

When trying to protect applications A-Z, a single control focused on steps 1, 2 or 3 provides security across all of those applications. A control focused on step 4 provides security for only one.

To explore this further, the key questions for an organization to ask itself when evaluating its security profile are:

  • Does it know what it considers to be its most critical business assets?
  • Does it know the paths threats are most likely to take to compromise those assets?
  • Has it identified the controls that provide the biggest improvements to either preventing or detecting those paths?
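The three questions above can be answered in a rough, quantitative way with a small attack-path model. The following Python script is an added example and is not code from the original article or from MWR's Attack Path Mapping service; every node, asset and control name in it is constructed for illustration, and it makes the simplifying assumption that a control fully disrupts any path passing through the node it protects. It enumerates the end-to-end paths from an attacker to a set of objectives, counts how many of those paths each candidate control covers, and shows which paths survive once a control is chosen. The graph includes the inbox case from earlier in the article (the same payment data reachable through a hardened application and through an employee mailbox), so hardening the application alone leaves that path open.

```python
"""Rank candidate security controls by how many end-to-end attack paths they cover.

Added example, not from the original article: a toy attack-path model in which
every node, asset and control name is constructed, and a control is assumed to
fully disrupt any path that passes through the node it protects.
"""
from typing import Dict, List, Set

# Constructed attack graph: node -> nodes an attacker can reach next.
# The stages mirror the article: phishing -> host compromise -> lateral movement -> objective.
ATTACK_GRAPH: Dict[str, List[str]] = {
    "attacker": ["phishing_email"],
    "phishing_email": ["host_compromise"],
    "host_compromise": ["lateral_movement_ad", "employee_inbox"],
    "lateral_movement_ad": ["app_A", "app_B", "app_C"],
    "app_A": ["payment_data"],           # the hardened payment application
    "employee_inbox": ["payment_data"],  # the same data also sits in a mailbox
    "app_B": [],
    "app_C": [],
    "payment_data": [],
}

# Objectives an attacker wants to reach (constructed).
OBJECTIVES: Set[str] = {"app_B", "app_C", "payment_data"}

# Candidate controls and the node each one disrupts (constructed, hypothetical names).
CONTROLS: Dict[str, Set[str]] = {
    "mail_filtering_and_phishing_training": {"phishing_email"},
    "endpoint_detection_and_response": {"host_compromise"},
    "tiered_admin_model_for_ad": {"lateral_movement_ad"},
    "pentest_and_patch_app_A": {"app_A"},
    "mailbox_data_loss_prevention": {"employee_inbox"},
}


def enumerate_paths(graph: Dict[str, List[str]], start: str, objectives: Set[str]) -> List[List[str]]:
    """Depth-first enumeration of every simple path from start to an objective."""
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node in objectives:
            paths.append(trail)  # stop at the first objective reached on this trail
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:  # guard against cycles in the graph
                walk(nxt, trail + [nxt])

    walk(start, [start])
    return paths


def coverage(paths: List[List[str]], controls: Dict[str, Set[str]]) -> Dict[str, int]:
    """Number of paths each control disrupts (the path passes through a protected node)."""
    return {name: sum(1 for p in paths if nodes & set(p)) for name, nodes in controls.items()}


def residual_paths(paths: List[List[str]], controls: Dict[str, Set[str]], chosen: List[str]) -> List[List[str]]:
    """Paths that survive after the chosen controls are deployed."""
    blocked: Set[str] = set()
    for name in chosen:
        blocked |= controls[name]
    return [p for p in paths if not blocked & set(p)]


def rank_controls(graph=ATTACK_GRAPH, controls=CONTROLS, objectives=OBJECTIVES):
    """Controls sorted by paths covered (descending), ties broken by name."""
    paths = enumerate_paths(graph, "attacker", objectives)
    return sorted(coverage(paths, controls).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    all_paths = enumerate_paths(ATTACK_GRAPH, "attacker", OBJECTIVES)
    print(f"{len(all_paths)} end-to-end attack paths")
    for name, covered in rank_controls():
        print(f"{covered}/{len(all_paths)} paths covered by {name}")
    left = residual_paths(all_paths, CONTROLS, ["pentest_and_patch_app_A"])
    print(f"after hardening app_A alone, {len(left)} paths remain, e.g. {' -> '.join(left[-1])}")
```

In this constructed graph the step 1 and step 2 controls cover all four paths, the lateral-movement control covers three, and the application-specific control covers a single path while leaving the mailbox route to the same data untouched. Real attack-path mapping weighs likelihood and the partial effectiveness of each control rather than treating coverage as all-or-nothing, but the ranking logic is the same.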
