Fireside Chat - Control 18 Penetration Tests

Control 18 has only five safeguards, yet you can spend an entire year preparing for it. Matt Lee of Pax8 and I will help you understand each safeguard and the importance of getting this right and the pitfalls to avoid.

[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity

[00:00:13] challenges, solutions, a journey together, not alone.

[00:00:22] Welcome everybody to another episode of MSP 1337. It is that time of the month.

[00:00:29] It is Fireside Chat with the infamous Cybermetley of Pax8. Matt Lee, welcome to the show.

[00:00:38] Man, 18 times later, that is a year and a half best I understand this.

[00:00:45] Of you and I get never. I think if I can count correctly it is, I mean,

[00:00:49] because it is only that one time of the month. So I will say this.

[00:00:53] I think you've been on more than four Fireside Chat.

[00:00:58] Yeah, you're not released one other time.

[00:01:00] But other things too. But still, I, you know, I digress for the audience listening,

[00:01:06] we've got some things in store that will take this beyond CIS topic,

[00:01:10] team maybe some governance and physical and environmental.

[00:01:15] But more than that, I think we have to say that while the band could break up,

[00:01:21] because I thought about my own solo career.

[00:01:25] I learned real quickly that. Yeah, it be audience says no CJ,

[00:01:32] we listen because of those that you bring on the show, not because you have the

[00:01:37] shows and that's fair. That's fair. That's fair. If all I can do is be a

[00:01:42] facilitator to bring in the best of the best and so be it.

[00:01:47] I will continue to do that until I cannot find anybody that meets that criteria.

[00:01:51] Today, however, we are focused on CIS control 18,

[00:01:56] pen testing, penetration testing. This is probably the most controversial

[00:02:04] safeguard control domain. And I'll shed some light a little bit for those

[00:02:09] listening that anyway, it's participating in the trust mark program.

[00:02:14] You know that you've filled out a survey said to prioritize the control

[00:02:18] domains in a logical order and what you should go about

[00:02:22] pursuing satisfying those safeguards objectively. And lo and behold,

[00:02:27] there's been a more than a few who have said the first thing that we do is we do a penetration

[00:02:33] test. Oh, no. And I don't want to give that too much time on our shutter day, but I think

[00:02:40] it lends itself to some things that are misconstrued to begin with about what penetration

[00:02:45] testing actually is. And some other things that I think we we should talk about, but just to give

[00:02:52] sort of a broad overview, it's to test the effectiveness and resiliency of enterprise assets

[00:02:59] through identifying and exploiting weaknesses in controls. And I want to be clear about this

[00:03:05] exploiting not just identifying, just finding, hey, look, we should probably we should

[00:03:11] patch this and then right and simulate the activities or the actions of an attacker, like actually

[00:03:18] doing it, right? Like we're talking about a year. And so there's a couple of pieces that I want to point

[00:03:23] out to the listeners that may not know this, like pen testing of like, hey, I tried to brute force

[00:03:28] through the firewall find got it. Maybe web applications or some other things that you might do.

[00:03:34] But remember this is not limited to just the technologies that show up on, you know, a network

[00:03:40] scan. It also includes people and processes. And I will tell you just before we get into this,

[00:03:47] I had an opportunity before I came to comp to bid on a pen test. And one of the things that I had

[00:03:53] to do as part of this RFP was it said, you will be asked to sign a waiver that you will not

[00:03:59] hold us responsible for loss of life or limb. And we're like, I'm again, so part of the pen test was

[00:04:05] if they wanted us to social engineer our way past the security to get into the building,

[00:04:12] a physical part of this pen test. And they had authorization if they felt threatened to shoot

[00:04:19] the aggressor. Now I was like, we not bid on this project. We. Yeah.

[00:04:26] So that was my little diatribe on this trip because you know, I've had two very prominent people

[00:04:32] come on and talk about why is 18 18, right? And I have my beliefs and I know why it's number 18.

[00:04:39] And it's also why it's 18 and back to your point, people shouldn't start with the pen test.

[00:04:43] So what the pen test is, is testing stuff and confirming. And I like to say this in an analogy. Okay.

[00:04:49] And then we'll come back to what I'm getting at. If you were doing a pen test and let's just say

[00:04:54] you're pen testing your house. And those controls you've put in place are you lock the front door,

[00:05:00] windows are you beckonacy locked, you set an alarm. You have a shotgun and it's loaded.

[00:05:06] You have a dog and the dog's been trained to bite things that don't look like you. Right?

[00:05:10] You've done all those things. You have an alarm. It's monitored. You have cameras. They're off

[00:05:13] site and backed up. You have all these things. You have all of these layers and you've done them well.

[00:05:19] Now imagine you're somebody else and you have not locked the door. You leave your safe,

[00:05:23] unlocked and have a million dollars in cash and bearer bonds in it. Your dog's been crate

[00:05:28] kindled forever and can't actually doing it. But bark in a get-all. You haven't loaded this

[00:05:32] shotgun in 12 years. You've never locked the front door, windows and check them. You don't set

[00:05:37] the alarm. You haven't paid the monitoring bill in years. You have no cameras. They don't even work.

[00:05:42] Either of those two scenarios. Which one do you think you'll get the most value out of paying

[00:05:46] a criminal to tell you where your weaknesses are? You're going to get the most value out of the

[00:05:51] one where you've done all the work and all you're doing is finding the holes in your things.

[00:05:55] When you are doing a pen test and everything sucks and your doors aren't locked and your windows

[00:06:01] aren't locked and your doors aren't monitored and your alarm isn't set, you're wasting some

[00:06:06] money you are pissing in a grand. Right? There's no benefit. I'm going to be like, yeah, I walked

[00:06:10] in the front door and then I stole it out of the safe. There's my right thing. Right? Like, yeah. Yeah.

[00:06:16] I was going to rob you at the bank but I thought no, we can take it home. Yeah, yeah. But the

[00:06:25] you should only do pen testing after you've done the stuff in the beginning. That's why it's number 18.

[00:06:30] John's. He said, no, it's 18 just because it wound up at 18. Philously came on my show and very quickly

[00:06:34] said, no, and she should know because he's the head of controls. Right? He said, no,

[00:06:40] we put it there because everything has to be done first before you test it. And so let's just make sure

[00:06:43] we understand that 18 has no IG ones. It is only IG two. And that means you've already been one through

[00:06:49] 18 minus a couple. One through 17. Right? One through 18 yet again. And now it means you're at least

[00:06:57] 30 something controls and so many safeguards in, 100 something safeguards in. Right? Just to get

[00:07:03] to this point where you finally have a safeguard on penetration testing. So just served by nose wide.

[00:07:08] It's 148 by the way. If you were to just say 18 left out but that's not IG two and three. Yeah,

[00:07:19] to your point, this is the test those things and to simulate the objectives on attacker. That's why

[00:07:25] it's so late. If we read 18.1, it says, how do a pen testing program? Comma space and you and I have

[00:07:31] been rounding around on this comma space. Yeah. Appropriate to the size comma space complexity

[00:07:38] comma space and maturity comma space of the enterprise. My point being is saying like,

[00:07:45] establish a pen testing program that's appropriate to your size complexity and maturity. And in

[00:07:49] some cases, that means that maybe we're getting into discussing automated pit anyways. Let's

[00:07:56] get to my point. I would like to highlight something on this one. I think the maturity

[00:08:00] piece is the part that should give everybody pause. And the reason why I say that is when you get

[00:08:06] into this particular arena, you're involving a third party. You're going to involve some third

[00:08:12] party. And I think that the interesting thing here is you may have gone through governance,

[00:08:18] maybe you're struggling with good policy, good documentation. But one of the things that's

[00:08:22] really interesting about establishing a program is you have to define a scope that's appropriate

[00:08:27] to what you just talked about. The size of the organization, what's appropriate for the organization

[00:08:33] and and maturity. So like if you're not real sure, then you maybe should reconsider

[00:08:40] being ready to go down this path of having a penetration test before I can start it on running

[00:08:47] and automated platform and then scanning something you don't even know or tying it into some

[00:08:52] SIEM, a record or something you have responsibility and rights to do that. Right. When it comes

[00:08:58] in, you know, so just listing some like, hey, if you were to go say pen test Microsoft,

[00:09:03] because that's where your tenant sits, you may have a legal issue that depends on what

[00:09:10] you do, right? But let's just say like again, if you're not defining the scope, then gloves are off.

[00:09:17] Right. Like this is the only one that you set that scope when you're paying for it obviously,

[00:09:21] but the point is just to get into the control, it's basically saying have a program that's appropriate

[00:09:27] to your size, complexity and establish the scope like such as network, what hosted services,

[00:09:34] what web applications, what APIs, the frequency, like how often am I going to do it? Is it once a

[00:09:39] year, once every three months? Is it once every 12 years? Right. What are my limitations? Like

[00:09:44] when can you do it? What needs to be excluded? What was your point of contact? Like who am I going

[00:09:48] to call when things go bad? Right. And then how do you remediate things that you find? And that's

[00:09:54] the key part, right? Like just like when we talked about incident response, one of the big parts

[00:09:58] is circling back around and actually fixing it afterwards. You learn. Are you just jumping through

[00:10:03] all those safeguards all at once? And I'm just, you know me, I like to roll through them,

[00:10:07] you know, I like to roll through them. But the point is 18.1 and actually you know what you call

[00:10:11] a great point, Chris, because if we break down 18.1, you notice that a lot of CIS safeguards,

[00:10:19] the 18.3, .4 and .5s point back and make 18.1 better, stronger, faster. So like I'll just share

[00:10:26] my screen for a sec for you and me, for those that are listening, sorry. Okay. But the point being is

[00:10:31] if you look at what you and I built together, right, with the working group, look at 18.2 is a parameter

[00:10:37] upon 18.1, 18.3 is a parameter upon 18.1, 18.4 is a parameter upon 18.1, 18.5 is a parameter upon 18.1, 18.5 is

[00:10:47] being programmed as we learn more and do more, it makes modifications to this. Right? And so that's

[00:10:52] why when you see they've giving you things to do, you aren't doing to a later safeguard.

[00:10:56] It's like, you're not even learning them to later safeguard. But they put them in the master's set

[00:11:00] of controls there, right? So I think that's a really important way of looking at it. It's

[00:11:04] you have to crawl before you walk before you run. And I think that they've done a halfway piece in

[00:11:09] job with 18.2. Did you set me up for a Nietzsche quote? Maybe. Did you just set me up for a one doesn't

[00:11:15] simply fly into flying before one can fly, one must first crawl, then walk, then run, then jump?

[00:11:22] Oh, it's perfect. Oh yeah, that's fair. I didn't think about it at that level, but yeah,

[00:11:27] absolutely. So you, who's the nerd now? Thank you, did a great job of setting the stage here.

[00:11:36] So you actually jumped at, you kind of walked through the safeguards and I think it's important to

[00:11:42] that because it is somewhat fluid, right? Like it's not like you just dwell on one as you start to go

[00:11:48] through this because you're going to see how they build upon each other and the importance of them

[00:11:52] together as opposed to by themselves. And I think that's kind of different from a lot of the other

[00:11:56] controls where they do build upon each other, but like they can live in many cases on their own,

[00:12:01] right? One knows that DHCP logging by itself is important to do even if you are not doing all

[00:12:07] other safeguards in that control. There's value in it. And if the control is linear, same thing with

[00:12:13] absolutely. Yes. And you do not to. Yeah, continue. Yeah, no 18.2, it takes from program and says,

[00:12:23] this needs to be done periodically and no less than annually or yeah, at a minimum, no less than annually.

[00:12:32] Right. And 18.2 right now you've got your first constraint placed on you down one, now you're

[00:12:36] now saying, you're not listening annually. But also what it's saying is, hey, let's make sure

[00:12:40] your scope includes external pen testing. Well, what is external? External means stuff that's

[00:12:44] externally facing and clear box, opaque box. Enterprise reconnaissance must be done. Environmental

[00:12:49] reconnaissance must be done so that it can use specialized skills and experience.

[00:12:54] Penetration testing requires specialized skills and experience, which means no, you cannot just buy a

[00:12:59] tool necessarily and do this. I'm sorry, it's not a button. All you automated pen testing

[00:13:06] platforms out there. There's still some layers of human ingenuity that you're not going to

[00:13:10] replicate. Now, I do believe that you might be able to replicate the bell curve and based on someone's

[00:13:16] complexity and maturity, you might be able to argue that that's a viable method to go forward. That

[00:13:20] said what they're going into here is talking about clear box and opaque box. If you're talking

[00:13:25] about a pen tester, the delineation is clear box means you've told me all these things. You've

[00:13:30] given me everything I need. You may have given me a credential into the environment. Those type of things

[00:13:34] whereas opaque box is, I don't have anything. I'm starting, I don't have any information. I

[00:13:38] don't have any knowledge. I'm just going to start where I am and move forward. I really like this one,

[00:13:43] you know, the opaque versus clear because maturity can help with this, right? So if I'm a relatively

[00:13:52] immature MSP to say, I'm opaque is okay, right? Because I can start asking questions as says,

[00:13:59] hey, I need to identify and maybe this isn't the best way to start the process but at least it's

[00:14:03] starting to help the MSP or whoever it is understand some of the limitations that they might

[00:14:09] already be aware of but it's giving some affirmation to it. Like hey, you don't know everything about

[00:14:15] your image yourself, right? You don't know everything. Well, then what this is, this is the OSINT

[00:14:20] safeguard, right? 18.2 says do your OSINT because it's the one that says external

[00:14:24] pen testing must, that's the must word, that's old orange one must include enterprise and

[00:14:30] environmental reconnaissance. That's OSINT. That's open source intelligence, that's intelligence,

[00:14:33] that's actual probing, those things to detect exploitable information or exploitable systems.

[00:14:39] So what's interesting is like I tell this to MSP, I'm actually doing this in my show next

[00:14:43] Wednesday, which is going to show them what I do to define stuff. Yeah. Like I'm going to show

[00:14:48] those and dig up the stuff about subdomains. I go look at your SPF records, you would

[00:14:51] put in private IP addresses. I'm going to do some new answers, those stupid questionnaires of

[00:14:56] my favorite color's blue and I love summer and my password summer one two three like yeah,

[00:15:00] you know that kind of stuff, right? So 18.2 is the beginning of external pen tests.

[00:15:06] Then 18.3 says hey stupid if it's something fix it. I just want to show that this has to be a

[00:15:13] one of it. Well I want to pause for a minute, I need to pause here. I think it's important to call

[00:15:17] out 18.5 at this point because 18.5 is repetitive of 18.2 right? It's saying to do the same thing

[00:15:25] internally. Yeah. And the reason why I said that is because I think 18.3 and 18.4 obviously

[00:15:31] matter for both the external and the internal, even though they put the internal at the end.

[00:15:38] So I just wanted to call that out because I think it's a bit more than why they put the internal

[00:15:41] I have a pretty good idea because if they can't get in to my organization then the vulnerabilities

[00:15:47] that are inside becomes a whole lot less important. Sure does, sure does. Yeah you're talking

[00:15:52] about that like assume compromise comes in in the later terms right? So now when you're

[00:15:57] in training you're like okay I'm gonna assume they're in and I'm going to deal with it. To your point

[00:16:00] the better value in the greater good conversation is check from outside and make sure we can't

[00:16:06] get compromised from the outside. Right? But then you have to deal with people and compromise

[00:16:10] with people but the point being 18.3 says fix the crap you scanned fix the crap you found.

[00:16:17] If Matt found a way and go fix it just determine based on risk based on priority which one's

[00:16:22] going to go for first. But I go back to 18.1 Matt because 18.1 talks about specifically

[00:16:27] cut size and complexity then it talks about how you're going to define your scope and then

[00:16:32] networking all of that and it's like okay so we're now on 18.2 talking about external pen test

[00:16:37] and we exclude internal until we've gone through the the other two safeguards. I'm not saying

[00:16:44] that I disagree with the logic behind it. I'm just saying like if I'm building my program correctly

[00:16:49] based on what I've been told and what I should be doing but I shouldn't be waiting

[00:16:54] until after I've started doing some of this in some respects. I disagree,

[00:16:59] I know and the only reason I'd say that is if you think about trying to build a maturity model

[00:17:05] some kind of increase I know doing it. Fair you say. I think that you actually have less work to

[00:17:12] do so I'm going to throw bricks at me for this. It's much narrower scope. It's the shit you put

[00:17:17] an external hole facing something that has very very limited capabilities of configuration by comparison

[00:17:23] to all the shit you can do inside your domain and so if you were to go look at a vulnerability report

[00:17:29] that came out of my findings of an external pen test in fact I'll do this as when I did my

[00:17:33] PNPT because I actually have my Practical Network Penetration Tester. It was a six day exam,

[00:17:39] five days live, two days reporting. My external pen test of this company the postament tours has been

[00:17:44] long enough now they're not using that infrastructure but the postament tours my external report

[00:17:47] was only like 36 pages. My internal report was 165 pages like imagine which one of those two you get

[00:17:55] the most value out of from a return report is to get myself good at this from a path perspective

[00:18:01] and that's why I actually survived some surprise that fixed it 18.3 the holiday to get after

[00:18:08] you fixed it 18.4 now broaden the shit out of your scope to all this internal stuff and learn

[00:18:13] all these things like what do you mean my forest functional level's too low that's what I need for

[00:18:17] ADFS I'm going to have to work with this ADFS partner to get them that's a much right so so but

[00:18:22] what you just said I think is really important because it really says that as you work through

[00:18:27] these three safeguards you need to reevaluate what you put together for your program because

[00:18:33] if you're not a huge city like much broader yeah yeah well or you didn't define well enough

[00:18:39] to whoever it is you're engaging with for the pen test and internal type testing has started to happen

[00:18:46] even though it may not have been clearly articulated as part of your program or you over

[00:18:52] it's the it's the disease or danger of using templates for defining your scope for a pen test

[00:18:58] or allowing a vendor to tell you we do these things you're like cool awesome and you're doing

[00:19:02] all fine and let alone so let's also dig into this like think about the automated pen test

[00:19:08] that and what is an internal pen test an internal pen test assumes that I have an internal position

[00:19:13] I am on some asset and have varying degrees of access based on that internal position

[00:19:18] and now you're working to move laterally and north south or escalate yeah north south right so

[00:19:22] in my and my TPM test and taught the postamentors I gained access from an external web mail

[00:19:28] host that web mail was Roundcube that Roundcube host had a low privilege account on a machine

[00:19:34] that had an internal facing IP address and so I now had access to the internal network with very limited

[00:19:40] privilege to your point an internal pen test is now me going how did I get the domain admin and

[00:19:46] wrote a very job access and that took me 165 pages of stuff most of which was me crying and

[00:19:52] trying stuff that didn't work that's in a terrible hacker by comparison to some so just took

[00:19:57] you longer and you were dedicated you're a good hard worker be so bad and a normal access to what

[00:20:02] do they normally do to simulate put this note this intel note in your environment well now they have

[00:20:08] a high privileged asset inside your environment they can now do LLMNR poisoning all kinds of stuff

[00:20:12] and so they're simulating but all pen testing says to do is simulate the actions of an

[00:20:16] attacker so yeah I actually you know Jason's like gonna go round around about this you and I've

[00:20:21] gone round around about this I am a believer that the automated pen tests if scoped well

[00:20:26] if managed well are of themselves okay the problem becomes when you read that

[00:20:34] a normally why do somebody do that they do it to sell you something to be like oh look how big

[00:20:38] is when you actually as a practitioner have to go interpret what I have to do to do this

[00:20:42] and let's say you run and go just turn up your forest functional level and now you've broken

[00:20:46] mother and daughter yeah you need to have the knowledge and capability to understand

[00:20:51] and interpret what you're seeing and make risk-based decisions and logical outcomes in past and so

[00:20:57] I just think that oftentimes we trivialize what that knowledge said is worth

[00:21:04] interpret this in a term I mean there's whole business models out there right now they're like

[00:21:07] no matter how much we take the vulnerability and attack surface posture management

[00:21:12] and we find that these three would be strong together and they'll likely hit those strong together

[00:21:16] like that's how much there's people trying to help you understand this because we're not there

[00:21:20] as practitioners we have it instead of the understanding so this gets into the probability of

[00:21:25] impact that point for remediation right like there are things that may be exploitable

[00:21:30] that are unrealistically gonna happen in the wild and it's our don't understand that sometimes

[00:21:34] yeah absolutely point of why do you pay a pen tester they go and do it

[00:21:39] they show you they've done it they tell you how to fix it they don't go theoretical

[00:21:44] and I think the problem is when you look at just a Nessus scan or even an attack simulation platform

[00:21:49] most of them still don't give contextual understanding of things in a way they're that

[00:21:55] logical and linear so sure all right anyways correct and I'm you almost put me to sleep there

[00:22:01] no sorry but all right so clearly we've got 18.3 I think we're pretty clear on

[00:22:08] remediate, or sorry, remediate the findings from 18.2 but I think 18.4 and this gets into the

[00:22:15] IG3 this is getting into you know did what I implemented based on remediation can I validate

[00:22:22] that the measures I've taken are actually working if I think to some extent this still involves

[00:22:28] in many cases the pen testing organization you probably hired because they're gonna come back

[00:22:33] and help you with that they're not pen testing again outside of those things that they found

[00:22:40] yeah and that exactly right you you pay that hourly they come back into a research now I do believe

[00:22:47] Chris and I'm bullish on this so validate security measures what does that mean that says after

[00:22:52] I change this stuff make sure it now stops it detects it whatever it is that you're looking for as

[00:22:57] it says to detect it doesn't necessarily mean that it can stop it that is important thing here is

[00:23:04] did you see we know we know definitively that you put enough effort into breaking something

[00:23:11] eventually it breaks this is why I'm actually bringing some credence to the automated platforms and

[00:23:16] here's why literally it looked at just in the last couple days three different platforms that have

[00:23:22] all taken an atomic red team type approach if you look at what atomic red team is

[00:23:27] for anybody doesn't know atomic red team gives you easy to execute modules that you can

[00:23:31] is by red canary that you can go execute and see if your EDR if you're if you're sim if your

[00:23:37] other things have detected that there are platforms now Chris that are actually doing that

[00:23:42] in a closed loop fashion meaning they will go detonate the payload in a Python methodology on

[00:23:49] asset and then they will go look at the sim and the alert systems and see if binary they detect

[00:23:57] things so you're starting to see people actually take 18.4 and productize 18.4 at least

[00:24:03] to TTPs and certain emulable things I just think we're heading out of path where that's going to be

[00:24:08] more and more viable and you can see if that while not holistic it's only 85 is high efficacy

[00:24:15] of that 85% like it's very happy and it doesn't necessarily mean that me having a pen test

[00:24:20] done needs to have that level of testing done because if you run fill in the blank I won't pick

[00:24:27] on anybody with let's say let's say it's not no one this is an example if you're running it and

[00:24:33] I run it I mean atomic tests has been run on yours and it doesn't detect it then there's some

[00:24:39] questions that you might ask that says why do I need to run it on my environment if we know

[00:24:43] this is still exploitable on the other systems that have already been tasked with the same configuration

[00:24:51] right but the point being 18.4 says you need to test what you actually have to have said you

[00:24:57] fixed and when I bring this back to a bit of my belief of why it's in exists I believe

[00:25:04] a massive vacuum of governance which is Johnny foreshadowing into what governance conversations

[00:25:10] you're not going to have but I think in a vacuum of governance 18 is the breath of the past

[00:25:17] begging to deliver governance right because from the very beginning I'm going to come to

[00:25:21] again and test your crap after I find stuff I'm going to expect you to fix it and I'm going

[00:25:26] to then measure it after you fix it this is governance by definition and after they control

[00:25:31] by inspect what you expect and well and to make it simple to simplify it you know we talk about

[00:25:37] the technical piece and it might be hard for someone to wrap their heads around governance

[00:25:41] in that context because we often think of governance as only being with people but it doesn't

[00:25:45] exclude people or process from this test governance things we love the company right that's right

[00:25:51] if your will is to not have LLMNR poisoning be explored and that's some bitch gets exploited

[00:25:57] and somebody pops a hash then guess what you have failed the governance of what you

[00:26:04] expect exactly and so I think that comes back to measuring to your point being able to say

[00:26:11] did this violate our will as a combat it it worked did we give what we expected if I poured

[00:26:18] concrete and it doesn't do what concrete should do and I'm a concrete company I have failed

[00:26:23] the will of the company for my governance perspective of making a company that makes freaking

[00:26:27] concrete you might have some other problems not to let the body all right we got one

[00:26:34] left one left we touched on a little bit we did internal pen test and this one also follows

[00:26:42] the same logic of using clear or opaque as what we saw before but I think this one is really

[00:26:49] interesting because we see a lot of this in what we really want to know about ourselves like did I

[00:26:55] create did I do a good job of creating things like least privilege are you able to take my

[00:27:01] CJ user profile and do things that you shouldn't be able to do with my user account those are

[00:27:07] things we really want to know in this day and age and I think back to your point of what you said

[00:27:11] about why it comes later if I were to go back 10 years this probably wasn't as significant of a

[00:27:18] problem because the external gate to get into the environment was really the attack surface today

[00:27:25] it's very different they're coming in because we're all stupid and a lot of our stuff does not

[00:27:31] live behind those four walls there's also things in elements so one of the things you said

[00:27:35] the attack surface let's just make sure we define this for people protect surface is everything you own

[00:27:41] traditionally attack surfaces what you choose to expose for attack right but there are elements

[00:27:46] of places of exposure that you have not exposed to the traditional sense of external and what I mean

[00:27:51] that is what if Chris decides to steal everything from this company Chris is a threat using internal

[00:27:58] means with access that you might want to test internal pintesting does usually conscriber of

[00:28:05] hey here's a privileged position let's see what you could do now you've compromised that out

[00:28:09] or sweet shell but what does internal pentesting mean in a future state what I mean by that is

[00:28:14] what happens when there's no hard external and juicy sweet soft center anymore when everything is

[00:28:20] asked an identity and mostly external we're all pretty much living in this new definition of external

[00:28:25] what is an internal network well that's identities access service services privileges right

[00:28:32] service principals API access like things that are not your traditional I'll just put a box in

[00:28:38] the network where freaking hard you don't give a shit I'm not talking to a domain controller anymore

[00:28:42] right talking to a cloud service and through modern methodologies and actually getting much harder

[00:28:47] with you for you to emulate and take over TLS and all of those things so the point being is like

[00:28:53] what we call an internal pentest today and if someone was trying to define it would say

[00:28:57] well we're now on your VLAN your non-public IP space that's what we mean by internal how many

[00:29:03] IPs do you have in future it's going to be a very different statement of what that looks like so just

[00:29:08] take away the grain of salt there even external versus internal you might have to change the way you

[00:29:12] think about those things as time goes forward and what that means but today I agree very network

[00:29:17] centric well I think that takes us through a pen testing if you weren't overwhelmed by the idea

[00:29:24] of having a penetration test done I'm just going to say this don't be overwhelmed and remember that you've

[00:29:30] gone through 17 controls or at least I think it's 16 of the 17 prior controls to get to here

[00:29:37] 15 I guess by that point you would have gone one through 18 missing 18 and 16

[00:29:45] I think that's it 13 13 doesn't have an IG one if I remember correctly

[00:29:52] possibly true live right now I have a high suspicion it's accurate but like I like you know

[00:29:59] yeah I'm pretty pretty usually pretty close but that said yeah 13 13.1 is an

[00:30:06] 13 16 18 are not in so you would only been through 15 the first time and then by the time you get

[00:30:14] 18 you have at least an IG 2 and every one of them which means you're 18 and 15 so by the time you get

[00:30:19] there you are 23 controls in and however many safeguards that has encompassed at that point

[00:30:25] nearing a hundred yeah that's fair and by the time you're getting a pen testing you ought to be

[00:30:35] in defense is not included but in control 12 you do network infrastructure management and there's

[00:30:40] some other areas yeah there's some other areas that you've done quite a bit of this to prepare so

[00:30:47] like I'm not so certain that you would have to have hit well well are sorry 13 well

[00:30:53] to do a pen test we got one gives you a SIEM so to do a pen test they really want to know

[00:30:58] you detect that's right that's right I know I'm totally yeah you're you're you're right

[00:31:05] I just I think that I guess where I was going what this is there is logic behind an organization

[00:31:11] having a pen test that has eye exposure whether they know all the ins and outs of having gone

[00:31:16] through a framework or not and that is John Strand's argument is that if you at least do it

[00:31:22] and you pay for enough hours for it to be valuable because remember pen tests are usually by the hour

[00:31:27] I paid 40 hours I get a week worth of Matt's time right and so if you paid for enough hours

[00:31:33] and you were willing to take that as your exhaustive list of what you should work on from an

[00:31:37] external risk definitely a starting point love it agreed hope that you John Strand gets points

[00:31:42] there but that is not why it was prescribed if you're walking through the journey it's probably

[00:31:48] not your best effort and investment you'd be better off doing the basics well that's like going

[00:31:52] to the emergency room and it's obvious that you're bleeding but they're like oh and

[00:31:56] have a cough we should probably diagnose that first right they're both present right like but you

[00:32:02] know one is very obvious and you need to care this right that's right

[00:32:07] Matt as always it's a pleasure for those of you listening this has been an episode of MSP 1337

[00:32:13] thanks and have a great week