They don’t post all that often, but when they post, they post excellent stuff over at ClearnetSec. The latest post touches on an investigation at a financial institution in regards to an apparent compromise.
We desparetly need more reports like this. No, I don’t need to know specifics or enough to know who the victim is, but we need to know how these things are found, what worked, what didn’t, why did it stay undetected for a year, what else did the attacker do? Was it just one mistake that let them in and they could slowly own the whole network?
We have tons of journalists and media reporting on best practices and how to theoretically protect data and what should and shouldn’t be done in retrospect to the big media-covered incidents. Very few of these reports seem to be written by people experienced in the trenches, experienced with the trials and realities of the network. They are all very pundit-sounding and academic dreams of puppy dogs and sunshine and flowers.
We need to move away from those media reports and theoreticals. We need to divulge information amongst ourselves and figure out the reality. It is golden when you can take out a pen tester for some beers and start shooting the shit about how they’ve yet to test a company that wasn’t rooted, or what works most of the time and what doesn’t, or where some of the oft-overlooked nooks and crannies of networks are, or the most obscure attacks they’ve completed.
We need more surveys and reports like Jeremiah Grossman’s surveys about web application assessments and security, only we need them about actual compromises either real malicious ones or pen-tested ones. We can’t wait and pretend they aren’t there, nor can we wait for the budget or big media events to remind the C-levels about the risks. We need real, technical reports. Give me a tehnical report, and I can distill that down to language my parents could understand. That’s what I soak up.