Security is an afterthought. If you work in any division of any organization, outside of the security bubble, you rarely - if ever - consider it. It’s expensive. It’s a hassle. If you manage people or processes, you don’t want the overhead. Sure, you could get hacked. But what are the odds? What is the real impact of that? It’s like buying car insurance: you’ll probably just get the cheapest policy possible, as that will do just fine.
What is the bottom of the barrel “car insurance” for cyber security? Antivirus.
The role of antivirus
Every organization needs antivirus. Without it, they are exposed. Antivirus will block any known malware from entering or infecting your computer systems.
It does this by looking for suspicious file types or known executables (malware, or malicious software) that hackers use. Depending on the antivirus software, it may even look at suspicious web traffic and help warn of malicious websites or those which are tracking cookies without consent.
If you read the above closely, you would have noticed where I said antivirus will block any “known malware” from impacting you. Emphasis on known. Antivirus will not stop advanced hackers, nor does it try to. This is not in its wheelhouse.
The role of vulnerability scanning
This is where vulnerability scanners come in. Hackers will often scan the public-facing infrastructure (websites, databases, networks) of a company to determine the version of each piece of software being used.
For example, a hacker can use the free Nmap scanning tool to discover that a website is hosted with Apache HTTP Server version 2.4.0. They could do this with a common terminal command, such as:
nmap -Pn -sV example.com
Leveraging this knowledge, they could query the Common Vulnerabilities and Exposures (CVE) database and find that this version of Apache suffers from the following vulnerability:
“The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.”
Taking this one step further, the attacker could then attempt to take advantage of this vulnerability and cause harm to the organization hosting the website.
Vulnerability scanners solve this problem. They scan all software in use, match the detected versions against the CVE database and determine when you have an unpatched version of software on your systems. You can then take the action of upgrading your software to a patched version.
If you read the above carefully, you would notice the term “unpatched”. This means the scanner will only find vulnerabilities that are known and are tangibly connected to software versions. Scanners do not try to guess at potential vulnerabilities nor do they exploit a found vulnerability to determine the likelihood of adversarial success.
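To make the scanner's matching step concrete, here is an added example in Python (not from the original post or any real scanner product): it parses a constructed sample of `nmap -Pn -sV` output and compares each detected version against a hypothetical advisory table built from the httpd range quoted above ("2.4.x before 2.4.14"). The CVE identifier is a placeholder because the post does not name one.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -Pn -sV` output; not a real scan result.
NMAP_OUTPUT = """\
Nmap scan report for example.com (203.0.113.10)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1
80/tcp  open  http     Apache httpd 2.4.0 ((Unix))
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
"""
@dataclass(frozen=True)
class Advisory:
    cve_id: str           # placeholder below: the post quotes no CVE number
    product: str
    affected_from: tuple  # first affected version (inclusive)
    fixed_in: tuple       # first patched version (exclusive)

# Hypothetical advisory table; the single entry mirrors the quoted httpd
# advisory ("2.4.x before 2.4.14").
ADVISORIES = [Advisory("CVE-PLACEHOLDER", "Apache httpd", (2, 4, 0), (2, 4, 14))]

# Open-port line: "<port>/<proto> open <service> <product> <version> ..."
SERVICE_RE = re.compile(
    r"^(?P<port>\d+)/(?:tcp|udp)\s+open\s+\S+\s+"
    r"(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d+(?:\.\d+)*)"
)
def parse_version(text):
    """'2.4.0' -> (2, 4, 0); zero-pad so '2.4' compares like '2.4.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]

def parse_services(nmap_text):
    """Return (port, product, version_tuple) for each open-port line."""
    found = []
    for line in nmap_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            found.append((int(m["port"]), m["product"], parse_version(m["version"])))
    return found

def find_unpatched(services, advisories=ADVISORIES):
    """Flag every service whose version falls inside an advisory's affected range."""
    hits = []
    for port, product, version in services:
        for adv in advisories:
            if product == adv.product and adv.affected_from <= version < adv.fixed_in:
                hits.append((port, product, version, adv.cve_id))
    return hits
```

Running `find_unpatched(parse_services(NMAP_OUTPUT))` flags only port 80 (httpd 2.4.0); port 443 (2.4.18) is past the fixed version. Because this matches on the advertised version string alone, a distribution that backports the fix without changing the version number would still be flagged, so a match is a lead to confirm against the installed package, not proof of exposure.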
The role of red teaming
Red teaming is the perfect tool to expose what antivirus and vulnerability scanning are not designed to find.
When an advanced adversary attacks, they link normally benign actions into a chain that is malicious when looked at holistically.
This chain is what red teaming is intended to expose. If a red teamer can execute a malicious chain without detection, they are showing a weakness which needs to be addressed.
The goal of red teaming is simple: use creativity and offensive security knowledge to find and fix otherwise hidden vulnerabilities.
Until the MITRE CALDERA platform hit the market (and now the Prelude Operator), red teaming was a luxury that only the government and major organizations could afford. These organizations could budget for several full-time individuals to spend months creatively hacking their network before an adversary did the same. This labor-intensive process proved helpful, but ultimately expensive and inconsistent.
The time and cost associated with red teaming left most organizations out in the cold. They were relegated to using antivirus and vulnerability scanners, leaving them exposed to advanced hacking groups, or even just mid-level hackers looking to make a buck.
If you are in charge of security for your organization, learning the strengths and weaknesses of each of these popular security assessment methodologies is invaluable. Each is necessary for a complete security posture.
With red teaming now an easily consumed commodity with open-source and freely available tools, individuals at smaller organizations can now use the same technology that the government funded - and continues to use - to protect its own networks.
Good luck. And stay safe.