Containment Testing

If successfully attacked, how long can your organization protect its critical data?

There's no such thing as secure any more.

Debra Plunkett, head of the NSA's Information Assurance Directorate

Debora Plunkett, head of the NSA's Information Assurance Directorate, on 16 Dec 2010 said: "We have to build our systems on the assumption that adversaries will get in … the most sophisticated adversaries are going to go unnoticed on our networks".So, you should be asking yourself:

How do I know if I've been hacked?

How do I know if I'm going to be hacked?

How do I know how I'll be hacked?

How do I recover from being hacked?

How will my systems withstand attacks?

If the latest ransomware gets into my network what happens?

Behavior under attack is a crucial consideration: do your controls and processes react the way they should, under attack? Do they make things worse, or better? And, most importantly, how long do they withstand attack - is it long enough for your detection systems to notice, and for your organization to react? If not, you probably already have a problem.

The only way to know for certain how long you can hold your attackers outside your perimeter or away from your most important assets, is to test for it. This testing should be performed on your organization as a whole, to understand how your mitigations work together, as well as on individual mitigations to find out how long they will withstand an attack themselves and protect what they're meant to protect.

Such measurement is invaluable, both for your existing controls, and for future planning. Once you have good, repeatable processes for doing so, you can start applying them to testing new controls and for examining your breach containment procedures: do you have ways of isolating attackers, traffic, and systems while you clean them up and eradicate all malware off them? Should you have more analysts looking at your SIM to try to speed up detection? How can you learn more about the attackers to stop future breaches?

Occamsec's containment testing starts with targeted testing of your controls: evaluating the security of the software, hardware, and base configuration. We then move to looking at how they are deployed in your organization: do they provide protection as configured, and how much, or, how can it be better configured?

We can also help provide information on the motives and skills of your threats and attackers, otherwise termed 'threat intelligence' and work with you to develop infrastructure to 'sandbox' attackers so as to understand their methods, how they move through your network and what they are after, and use that for future response and mitigations in turn.

Coupled with threat intelligence feeds that give context based on what attackers are doing at other organizations, within underground networks and forums, and on the internet at large, containment testing can help you to maximize the window between pre-breach and compromise/exfiltration, giving you the best shot at minimizing your risk.

  • About Us

    We are a tier one information security and risk management company. Our goal is to provide our clients with tailored solutions which meet their objectives.

    Our considerable reachback capabilities allows us to ensure clients receive the very best service, with no compromises.

^ Back to Top