If you didn’t make it to Wild West Hackin Fest 2018, be sure to bookmark their page, www.wildwesthackinfest.com, for 2019 tickets. This event was loaded with elite talent, high level training, quality speakers, and plenty of shenanigans.
Notably, the keynote was given by Ed Skoudis, who’s presentation titled “The Top Ten Reasons it’s GREAT to be a Pen Tester…..And how you can help fix the problem“, really resonated. Ed is a pioneer as well as a respected authority in the infosec community.
One of my biggest takeaways from Ed’s keynote was the notion that “The purpose of red is to make blue better”. In other words, our job is NOT just to blow up a client’s infrastructure, pat ourselves on the back, and exit stage left. We have a responsibility to help the client understand what we did, how we did it, and what they can do to improve their security posture. This starts with the deliverable. If our reporting is not delivered in a manner which is comprehensive, constructive, and digestible at both an executive and technical level, then what value did we really add?
A few key elements of a meaningful report include:
- Detail the story of the test, including all steps taken by the team during the assessment, as well as the thought process behind the methodology.
- High level results and key takeaways.
- The technical portion of the report should be written in a matter that allows the customer’s internal IT staff torecreate the attach path.
- All findings should be evidence backed
- Provide a draft report to the client to allow for feedback and/or edit the narrative based on their observations.
Beyond reporting, it’s essential that we engage with the internal team in a collaborative manner. We are not adversaries. Let’s remember what our job is. Our customers hire us to help them achieve their goal (and ours) of improving the state of security within their organization – we work for them. As such, we must employ a team approach by educating the blue team on our findings in order to help them understand their vulnerabilities and how to best implement a plan to remedy organizational weaknesses. This approach helps to strengthen the provider/client relationship, increase trust levels, and most importantly, add value to the service we are providing. Absent this collaborative approach, we are merely exploiting a customer’s infrastructure without any regard for their ability to understand our processes, methodologies, and reported recommendations. Remember, if the internal teams’ perception of the test/tester is that we are simply being opportunistic all while making them look bad AND leaving a mess behind for them to clean up, do you think they will see the value in bringing us back for a future engagement? Something tells me it’s doubtful!
It’s time to level up! Did someone say purple team?
If you have any questions, don’t hesitate to contact us at FortyNorth Security!