The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matthew Hickey, Co-founder, Chief Executive Officer (CEO), and hacker of Hacker House. The thoughts below reflect Matthew’s views, not the views of Matthew’s employer, and are not legal advice. In this blog post, Matthew talks about application security.
Brooke: How did you get into cybersecurity?
Matthew: If your dad is a car mechanic, you grow up learning about cars. During the 1980s, my dad was super into computers. He used to go to my grandma’s school and bring home the computers prior to anyone really understanding what they were. These were the filing cabinet days and the days of carbon paper. Only very academic people and fringe technologists were interested in cybersecurity. When I was in high school, I had networks in my house with networked games. I started picking apart how the phone network worked and how internet access worked. My dad was supportive. He said, “If a 13-year-old kid can break into it, maybe we should not be using it.”
I pushed hard to get myself in front of as many people as I could and ended up working for a group from the National Computing Center. They had begun selling cybersecurity assurance services and penetration testing. I built a portfolio of my work publishing papers and showing people how computer systems were broken and how you could hack into them. At the time, you could not go to college and do cybersecurity. I dealt with a lot of rejection letters and a lot of people saying no and then I got my first job—that was 20 years ago. Now, I run my own company and I have written a book on the subject.
Brooke: What is most fascinating to you about cybersecurity?
Matthew: For me, it is the exciting element of offensive security testing. I take a low-privileged user on the system and say, “I want to make this user become a high-privileged user without authorization” and I will poke and probe my way through the system, testing all the boundaries and controls in place until I find ways to break it.
I began on an interesting journey, looking at things like state machines, where a computer will go through a lifecycle of a connection. When you connect your system to a server in the office, the computer will keep track of different states. For example, “Did you enter the right password?” and “Should it give you access?” I find these kinds of problems intellectually challenging and quite enjoyable.
Brooke: How do you help clients define and set goals for security control?
Matthew: There is a saying that this industry is run on fear, uncertainty, and doubt. I often ask clients: “If a hacker broke in tomorrow and had free rein of all your systems, what are you most concerned about?” We identify all the assets in the environment and their sensitive data and then review controls based on their concerns. Usually, they are most concerned about payment information and commercially sensitive information, or they are storing things that they perhaps should not have been storing, including credit card data and anything that could cause brand reputational damage.
It’s important to get board buy-in and foster a culture of cybersecurity in the organization and make it something that everybody in the company talks about regularly, like with phishing awareness.
Another key thing is to never punish the user. If they are at work and opening emails, that is what you are asking that person to do. Even the best cybersecurity professionals will click on a phishing link eventually. It’s human nature. These psychological lures are designed to get people to click on them. One of the most effective is a fake FedEx or UPS notification. Nine times out of 10, people will click on the link to track that parcel because they want to know. The attackers know our psychology and our natural human behaviors and how to get attacks through our radar in a way that does not alert us that we are being attacked. Proper cybersecurity in an organization takes human error into account.
Brooke: How do you reduce assessment times and identify threats faster?
Matthew: The MITRE ATT&CK® Framework has been massively advantageous. It is a spreadsheet-based approach to understanding how an attacker behaves in an environment and it stems back to a paper written by Lockheed Martin. Lockheed Martin and the defense sector obviously were big targets for advanced persistent threats and cyber-enabled economic espionage, where nation-state actors break into their systems to steal information for espionage purposes.
Lockheed Martin came up with what they call the cyber kill chain, a timeline of an attack that starts at the very point that the attacker starts their breach into the network to the end—where they have exfiltrated and stolen the information. They modeled this and identified that the earlier you stop the attacker along this kill chain, the better, because they must start over again. The further along the chain they are, the more stopping the attack will cost the attacker in resources, in terms of time and exploits used.
MITRE then came up with tools, techniques, and procedures. You can look at the threats in your industry and the known behaviors of threats targeting your sectors and begin unit testing those individual items. Instead of running a six-month engagement where we break into the client’s environment and do all this stealthy stuff, like monitor your network, we test against the actual threats and against these component items. That narrows the time involved in assessment activities and they get the result quicker.
Brooke: At what stage do clients bring your organization into the process?
Matthew: We work with a whole range of different clients, including people who have already built their product and people who have started to build their product. These kinds of strategies are usually very effective against large organizations—multinational corporations and Fortune 500 companies.
If you want to be effective in cybersecurity, the costs need to be on the attackers. We encourage organizations to move away from this longstanding engagement model and instead focus on doing unit tests against the actual situations they face. We call them cyber preparedness drills. We mimic the attacker’s behavior utilizing tools we’ve built, like the items we have published on GitHub for User Account Control (UAC) bypass testing.
These types of common attacker behaviors should be well-detected, and even better detected by Microsoft Defender than they were previously. Simply scripting, even if it’s in the PowerShell command shell or the .NET developer platform, and creating standard individual tests for specific items in the ATT&CK® framework and running those as simulations gives you better results.
Brooke: What advice would you give to cybersecurity leaders on how to manage their budgets?
Matthew: There is a big push in the industry to do what is most interesting. Clients will say, “I want you to simulate a real attacker. I want the best hackers to throw everything you have at the system.” They want to spend a ton of money simulating a real attacker and I usually discover they have not covered any of the basics, like telemetry, alerting, or network defense.
It is easy to bring people on board, but if you have not looked at your environment and the basics, there is no point hiring a team to mimic your attacker and do a full six-month red team engagement. Your attacker is going to break into your network for free anyway, so you might as well focus on how you can use that budget to build better defenses to alert your team. So many companies do not know how many systems or databases they have, for instance. They do not have an accurate picture of what is happening in their environment. They look to the penetration testers who end up telling them more than they know about their network.
Leaders should always ask: Do you have an accurate picture of the patch levels in your environment? If someone opens malware, can you see the events? Do you get the telemetry?
You could buy the best security system around and if it is getting 150 alerts a day but nobody is paying attention, it is useless because no one is going to ever act. When looking at your budget and how to spend it effectively, focus on granular engagement. When you hire a firm, hire one that has a good background and good understanding that can make effective use of that budget.
There are three approaches. There is a black box assessment methodology, where we know nothing about the environment, the target, or the target network. Then, you have a gray box methodology, where a client might share a little bit of information, such as what is given to a new starting staff member in an area where there is a high employee turnover rate. And third, there is a white box assessment, where they give us anything we want to know and we can see what they see. From our experience, you get the best results from white box assessments and from doing bite-sized exercises as your security provider is better informed and not reliant on guesswork achieved through the other two common methodologies.