As access to technology evolves, so do the threats that stem from an expanding attack surface. The "check-the-box" method of cybersecurity is outdated and now regarded by most practitioners as insufficient. Compliance and other regulatory requirements with annual testing only add a point-in-time view and provide minimal real-world value to the delicate balance of vulnerability, threat, risk and consequence. To defend against the growing number and complexity of threats, companies need to be proactive, thoughtful and comprehensive in their defensive strategies.
This article illustrates how the integration of multiple threat management activities can be incorporated into a comprehensive and effective risk management strategy. To help in this endeavor, Optiv can lend expertise in various domains of information security, including application security (AppSec), incident response (IR), threat vulnerability remediation (TVR), risk analysis and more to secure their assets and information.
Case Study
A longtime Optiv client who historically purchased security products but not services reported events showing signs of a data breach. Customer data loss, regulatory concerns and fines were top of mind. Optiv jumped into action, interviewing stakeholders to understand pain points, objectives and areas of critical importance, which were used to devise a rapid incident response strategy.
Due to the client’s preplanning, Optiv's IR Team was positioned to mitigate the events suspected to cause the data leak. Committed to improving their security posture, the client partnered with us to establish critical reactive security measures that shored up security defenses and added logging as well as monitoring.
During this process, Optiv discovered servers and networks that were inadvertently exposed to the internet. One of these systems collected credit card data, which effectively classified the environment as part of a Cardholder Data Environment (CDE) as defined by the Payment Card Industry Data Security Standard (PCI DSS). Adding to the situation, the client used .NET, Java and Go as primary languages for custom software development, and these applications also contained sensitive data that were exposed due to insecure network design.
Most of the client’s data was hosted and stored in cloud environments while engineering teams used GitHub and Jenkins for building and managing code. Their high-impact business applications were critically overdue for security testing. Additionally, teams were progressing in the build-out of new application programming interfaces (APIs) without security in mind. Considering these factors, Optiv made the following recommendations covering the most relevant aspects of the client's business.
AppSec Services
- Secure Software Development Lifecycle (SDLC) Hardening and Roadmap
Issue: The engineering teams used different languages and methodologies for application development, creating organizational silos.
Solution: Placing a secure SDLC framework would allow the teams to collaborate and understand leading practices for secure development, risks to the company and software management practices — all aligned with the goal of adding standardization and security. Optiv’s AppSec practice proposed leveraging the OWASP Software Assurance Maturity Model (SAMM) to conduct an in-depth gap assessment. Drilling into each pillar of the framework, we identified the client's maturity level from multiple perspectives. Based on the results of the gap analysis, and in collaboration with client stakeholders, we developed a three-year roadmap to improve maturity and refine processes. The outcome enabled the client to produce more software, release it with speed and with higher security assurance.
- Code Review/Static Analysis
Issue: Discussions with the client revealed a lack of process for performing automated analysis of the code, during development or after deployment.
Solution: Integrating static application security testing (SAST) with Jenkins and GitHub made sense for this situation, with the goal of enabling the client to review the code themselves while leveraging automated SAST tools. We proposed automating code analysis, thus taking a ‘shift-left’ testing approach in adding security throughout the lifecycle and creating the much-needed development, security and operations (DevSecOps) approach. Additionally, our team recommended performing periodic manual secure code reviews of the most critical applications before major releases were published to production. These reviews provide a current-state assessment and sanity check of the code-level security posture, including any known vulnerabilities.
- Application Assessments/Dynamic Analysis
Issue: The client needed the ability to practice secure application design, development and testing.
Solution: Optiv recommended conducting periodic manual application assessments against business-critical applications to enable deep security inspection and high-confidence identification of exploitable weaknesses. Application teams gained visibility into vulnerabilities and risk, as well as detailed steps to reproduce the issues, exploit proof of concepts and improve remediation. These assessments empowered teams to evaluate and drive security assurance through the operational end of the application lifecycle just prior to going live with material updates and net-new applications.
In addition to AppSec, the client's network defenses needed evaluation, focusing on areas where an attacker could gain a foothold. As part of the incident response effort, Optiv’s Attack and Penetration (A&P) team conducted a series of tests to determine the effectiveness of the network’s defenses. The report output detailed a vast library of areas for improvement and was, in this case, leveraged by other testing teams.
A&P Services
- PCI Penetration Test
Issue: The client was subject to PCI testing requirements, and periodic penetration and segmentation testing of their CDE was a regulatory mandate.
Solution: Optiv’s A&P team conducted a PCI Penetration Test that attempted to breach the CDE network from various segments. A mix of different techniques and tools were used to obtain sensitive cardholder data. This engagement didn’t pose much of a challenge for the delivering consultants.
- Comprehensive Perimeter Internal and External Penetration Test
Issue: Externally facing servers and subnets added concern that a compromise would allow an attacker to move laterally, gaining access to internal networks.
Solution: Optiv’s A&P team leveraged adversarial emulation techniques to discover and exploit vulnerabilities. Once they gained a foothold, lateral movement and compromise ensued. The ability to move undetected enabled our team to find countable weaknesses in the network infrastructure.
Utilizing the collection of AppSec and A&P activities, Optiv collaborated with the client to bolster their defensive posture. Per the advisement from our experts, the long-term approach would include Cybersecurity Insurance Readiness (CIR) and Threat Vulnerability Remediation (TVR) services.
Optiv proposed CIR services to help the client understand and navigate the complexities of transferring cybersecurity risk to an insurance company. Their challenges were common to buying cyber insurance and included cost, business alignment and insurability. Our experts helped accelerate their path to obtain, maintain and reduce risk involved with cyber insurance.
Our TVR team’s testing activities uncovered high-risk issues, as well as several lower-severity vulnerabilities, then helped the client prioritize and plan remediation activities. Their goal, as in many organizations, was to prevent or minimize the effects of a breach. Optiv was able to staff vulnerability remediation consultants within their teams to assist with ongoing efforts.
Conclusion
This client’s story isn’t necessarily your company’s story. Optiv has teams of experts that can guide and tailor services to disrupt and mitigate the attack in times of need. We work alongside you to understand your specific needs, adding value with a host of experts for an end-to-end security solution that addresses your organization’s security goals.
For more threat team insights, visit our Source Zero platform, Optiv’s community of skilled individuals doing cutting-edge research and sharing their timely expertise.
Author Subramanya S. is a senior consultant on the Application Security Team in Optiv’s Management Practice. Read more Optiv blogs here.