Photo Credit: dorisgoebel via Compfight cc
It’s funny how inventive creatures with peanut-sized brains can be. In the time since my daughter had her biggest wish fulfilled in April of last year, when she got 2 rabbits, I have been skirmishing with my little family pentesters.
The lessons learned are about pentesting and threat surface reduction.
The rabbits have a cage placed inside a small garden. During the day the cage is open and they can wander around the small garden as they please; however, this does not actually please one of them – the male. He wants OUT! Next to our house is a house with a humongous garden full of vegetables and fruits, and these just call out to our male rabbit. It is irresistible for him, so he spends all his time trying to break out – an analogy for cybersecurity: defenders on one side, pentesters or hackers trying to break in on the other. This past year has been not unlike my previous CISO job.
Initial defensive perimeter setup:
In the picture below, at the bottom right, you will see a small soft-mesh fence-in-a-roll. 2 of these rolls, tied together for a total height of 70 cm, were the extent of the initial perimeter defenses. The gate in the picture came later, since my kids could step over the first fence using a chair.
Pentester (rabbit) strategy:
- Over the fence into freedom
- Dig under the fence
The initial spot chosen for digging (far left of the picture; the hole can’t be seen but is still there) had clay-like earth packed too tightly for effective digging. They dug about 20 centimeters down and towards the outside, then gave up entirely.
First effective escape: Jumping over the mesh fence at its lowest points, where there were no bushes behind it. Impressively done. Threat vector analysis: Fence too low at certain points. Countermeasure: Strengthen fence with more poles.
Second effective escape: Jumping onto the chair the kids use to get out and then over the fence. Threat vector analysis: Chairs are bad, dude! Countermeasure: Move chairs to middle.
Third effective escape: Jumping onto the mesh fence where it was low and bent. With the chair gone, the kids had been crawling over the fence, and their weight had bent it down a bit; the rabbit jumped onto the bent section, then crawled the rest of the way over and down to freedom! Threat vector analysis: Fence entirely too soft and bendy. Countermeasure: Deploy fence v2.0 at 80 cm height, in the places where there are no bushes behind the fence, using stronger, unyielding material. Gate needed, since chairs are bad and kids can’t crawl over this one. Also, at this point a change in executive management happened: the initial CEO got the boot for lack of results and a new one took over.
Fence 2.0 initial threat modelling:
- Over fence 2.0: Not likely, rabbits! It’s high.
- Over fence 1.0 remainder: Not likely; sharp poking branches on the other side, seems suicidal.
- Dig under: Clay earth, already abandoned once; good luck!
- Gate has opening underneath, can they squeeze out? Countermeasure: Raise the floor under the gate with stones, cover with grass.
- Gate not closed: Gate closes with a hasp, but kids can be socially engineered by rabbits into not closing the gate when the rabbits behave extra nice and cuddly. Countermeasure: Security Awareness Training performed, with high success rate.
Fourth effective escape: Find spot with soft earth, dig hole under fence 1.0 in the corner.
Threat vector analysis: Ground too soft. Countermeasure: Deploy extra layer of net behind and weigh down with stones.
Fifth effective escape: Silly humans! We’re stronger than that; moving a bit of weighed-down net is no problem for us! Threat vector analysis: Rabbits are strong! Countermeasure: Deploy fence 1.0 face down on the inside of fence 2.0 as ground-mesh protection.
Sixth effective escape: Dumb humans put fence 2.0 only where there were no bushes behind the fence. We just jump over fence 1.0 and avoid the sharp poking branches. Threat vector analysis: Fence too low after all. Countermeasure: Deploy fence 2.0 all around the garden.
The impressive pentesters are sitting inside their cage, thinking hard. I’m awaiting your next move, guys!
Infosec Lessons from having rabbits:
- Pentesters will always find the weak spot in your defenses.
- Persistent threats are persistent.
- Mitigations are not always 100% effective.
- Mitigations that you do not deploy consistently do not work.
- You need to be able to detect and stop attacks, even if they use evasions.
- Security is a process; you need to keep improving.
- Reduce your threat surface as much as you can.
- And obviously, many of these troubles could have been avoided if MANAGEMENT had thought this through and created a strategic security program initially, right?