A Homegrown Defense Team

How do you turn a small group of security pros into an organized online crime group?

Lately Dave Aitels been thinking: whats the difference between organized online crime groups and commercial companies that do penetration testing?

"A company has a rather large budget, dedicated infrastructure and an experienced and skilled staff. So why do so many of them fight like flabby novices? The fact is, giving someone a lot of money and a big mission to solve often gives them a good excuse to get fat and useless," said Aitel, chief technology officer and founder of security software maker and consultancy Immunity, in a recent blog.

/zimages/3/28571.gifThinking like a hacker is an effective method to ward off attacks from malware writers. Click here to read more.

Thus were born the "Six Rules for Punching Above Your Weight Class," Aitels guide for turning a small group of security pros into a lean, mean hacking machine—similar to an organized online crime group.

Rule No. 1: If you cant debug it on the fly, you cant use it. "There are always going to be cases where [a tool] doesnt work, and its the users fault," Aitel said. "Networking complications between you and a target are always going to come into play. If the target has a host IPS [Intrusion Prevention System] like a scanner, you can still make the exploit work, but if youve never written an exploit, you cant."

Rule No. 2: Dont split up research from attack. This rule comes out of the time Aitel spent working at @Stake. The security company had a research team, but it was firewalled from its consulting team, Aitel said. The result: The research team ended up working for years on things that had no bearing on the job at hand.


Rule No. 3: Develop a fast-reaction team that can hit easy or very time-critical vulnerabilities within 8 hours or less. "Youre going to have different researchers better at different things. Im on the fast-reaction side rather than the slow-analysis team, but we have both on staff," Aitel said.

Rule No. 4: Focus on technology already in-house. "Your research dollars are best spent on stuff you have. Those are risks you can remove right now," Aitel said.

Rule No. 5: Develop technical partnerships with other people who can write exploits. Become part of the security research community, whose members can be found at conferences, mailing lists or RIC (real-time interface coprocessor) channels, Aitel suggests.

/zimages/3/28571.gifClick here for a basic request for proposal that can assist with identification and remediation of security risks.

Rule No. 6: One team, one mission. People naturally want to work on only Windows or only Unix, but thats not the way to success, said Aitel. Find people who can work on the whole picture.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.