Over the weekend we had to respond to a call from a customer. The Team not only provides Red Teaming services, but we can act as first responders due to our experience in digital forensics as well.
This particular customer had a breach via one of his new suppliers. One we hadn't tested yet. We work very closely with this customer and every time a new service or supplier is brought on board, we provide the initial security and threat asessment. In this case, we hadn't have the chance to test them. The supplier, we learned during the weekend, was wide open to attacks.
The Team is now helping mitigate the issue with the supplier, while our customer's CERT is looking into their own networks and systems.
All this brings me to a very simple truth that I've mentioned before many times: the real world is a special case.
The real world is more complex than your testing lab. The real world doesn't obey the rules you impose. The real world is not a vacuum, like most security certifications will have you believe. The real world behaves following its own chaotic rules, or lack thereof. If you try to plan for it, set your defenses only once and call it a day, the real world will eat you alive.
Attackers, adversaries - the bad guys - don't play by your rules. They play by their own and, like the numbers of adversaries, these come in many shapes, colors and intensity. If you think you know your adversary and plan for it only once, based on only one assumption... Well, you are not thinking straight.
The real world is a special case.
More and more we are seeing the increased complexity of the adversaries. Whether it is nation sponsored, crimilar or simply curiosity, the new breed of attackers don't get stuck trying to find the right exploit for your firewall or web server, they just go around them, they find the weak links somewhere else. And yes, more often than not the weak link is the people that provide you with services, the suppliers, the partners...
Do they know your adversaries? Do you know their adversaries? When it's the last time your partners had a security assessment done? How often they do it?
Are they compromising your security posture? A posture you worked hard to build and implement?
Always cover your angles. Never assume, always verify.
Yes, the real world is a special case.