Yesterday I had a very interesting discussion with the security director of a large corporation. He began making changes to the way they handle corporate security after having two Red Team assessments done in the past year.
The conversation centered around the way I think about security and the way today's majority of organizations handle their IT and Security departments. He was really interested in knowing our (the Team) opinion about his new approach.
During the conversation, I mentioned several times that security is dynamic and not static. In today's world, where adversaries come from different parts of the world and have different motives/goals, you can't just fill up a security checklist and call it a day. Today's adversaries are not static: they adapt, constantly find new techniques, new ways to exfiltrate data, new ways to bypass current security measures and, more importantly, new ways to trick people. You have to constantly challenge your security measures and play by the same rules as the attackers: no rules. If you only focus on past threats, as most checklists and security guidelines often do, then you remain wide open to attacks.
Being PCI compliant, for example, will only get you to a basic level of security, a starting point. But it is important that you improve and build from there. You can't rely on lists or certifications alone; the world of security is fluid. Fail to see this and it doesn't matter how much money you throw at the latest firewall or monitoring software, you will get breached. In fact, you need to realize that you will get breached regardless. Plan for that, know what to do and how to make it harder for the adversary to get what they want.
I am not a good hacker or even a good physical security professional; I'm quite average, in my opinion. However, I think I have the right mindset, and to me that is important. I try to show and explain this mindset to the people that will ultimately benefit the most: the decision-making people.
Red Teaming is key for this. Red Teaming is dynamic, like the attackers. Red Teaming can challenge each part of the security plans separately, or as a whole - or both. A good Red Team can help bring awareness to the right people, the decision-making people. And yes, sometimes it scares the living shit out of the top executives and senior management, but then they can really begin to address the problem.
You have to continuously challenge your assumptions. In fact, don't assume, verify. If you keep on throwing money at the problem, without focusing on the roots and causes, without focusing on how the problem changes when you interact with it, it will only make the problem worse.
The way I see it, the current world of security is divided into two very distinct groups: the "saving-my-ass people" and the "risk-taking people". The former, the majority, are content with the checklists. Their asses are legally covered, and when the next breach happens they can say "but we followed the standards...". The latter, well, these are the people making the difference in the security world, coming up with new ideas and taking the fight back to the adversary. Red Teaming lives in this world, the world that is ready to take the next step.
Which group do you belong to?
Think about it.