You can't fix what you don't know is broken...

Why is Firebind Recon Needed?

Misconfiguration

Too many activities in the maintenance window and a key step is missed, resulting in a missing or improperly applied security policy

Absentmindedness and Apathy

Security policies are changed for a temporary business need and are never changed back, or aren't kept up-to-date to begin with

Bugs

Security device (physical or virtual) has a bug and doesn’t enforce the security policies properly

Sabotage

Hacker breaks in and disables the security policies and/or device

What About Existing Solutions?

Configuration management tools are theoretical, like flight simulators: they analyze configuration files to explain how the policy “should be” enforced, but they do not empirically test the security instance itself (firewall, IPS/IDS, DLP, router ACL, etc.)

Pentesting is generally ad-hoc and can be likened to a test pilot. Pentests are empirical, but they are limited engagements: special flights (tests) on limited routes that are not continuous

Firebind Recon is like commercial air traffic – always operating, covering all the routes continuously, and always in touch with ground control (the end user) to alert when a security policy can be breached

Firebind Recon can play a key role in the MITRE ATT&CK Enterprise Framework by assisting with mitigation strategies for multiple techniques including Command and Control and Data Exfiltration

Example: Network Segmentation

Tactic: Command And Control – ID: T1043

“Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.”

Mitigation: Network Segmentation – ID: M1030

“Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.”
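To make the distinction between "should be" (configuration analysis) and "is" (empirical testing) concrete, here is an added example of a continuous segmentation check. It is illustrative code written for this page, not Firebind Recon's own code (the page does not describe Recon's internals). It encodes a few written policy expectations as rules, probes each host:port with a real TCP connect, and reports every place where observed reachability disagrees with policy. The hosts, ports and notes in the rule list are constructed placeholders, and the `verify_policy` / `Rule` names are this example's own.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One expectation taken from the written security policy (constructed example)."""
    host: str
    port: int
    should_be_reachable: bool
    note: str = ""


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Empirical probe: True only if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_policy(rules: List[Rule],
                  connect: Callable[[str, int], bool] = tcp_connect) -> List[Tuple[str, Rule]]:
    """Compare observed reachability with policy.

    Returns a list of (kind, rule) pairs, one per violation:
      "EXPOSED" - policy says blocked, but the connection succeeded
      "BLOCKED" - policy says allowed, but the connection failed (broken service or over-tight rule)
    An empty list means every rule was empirically confirmed on this run.
    """
    violations = []
    for rule in rules:
        observed = connect(rule.host, rule.port)
        if observed != rule.should_be_reachable:
            violations.append(("EXPOSED" if observed else "BLOCKED", rule))
    return violations


def format_alert(violations: List[Tuple[str, Rule]]) -> str:
    """Render violations as one alert line each, for a pager/SIEM hook (hypothetical sink)."""
    return "\n".join(f"{kind} {r.host}:{r.port} - {r.note}" for kind, r in violations)


def _local_demo() -> None:
    # Stand up a listener on loopback to play an "allowed" service, and pick a port
    # that is closed to play a "blocked" one, so the demo runs offline.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=lambda: listener.accept(), daemon=True).start()

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing is listening on this port any more

    rules = [
        Rule("127.0.0.1", open_port, True, "internal web tier must stay reachable (constructed)"),
        Rule("127.0.0.1", closed_port, False, "DMZ must not reach this internal port (constructed)"),
        # Deliberately wrong expectation, to show what a violation looks like:
        Rule("127.0.0.1", open_port, False, "policy says blocked, but it is listening (constructed)"),
    ]
    found = verify_policy(rules)
    print(format_alert(found) if found else "policy confirmed")
    listener.close()


if __name__ == "__main__":
    _local_demo()
```

Run on a schedule (cron, a systemd timer, a CI job) the same check becomes the "always operating" probe the page describes: a missed maintenance step, a temporary exception that was never reverted, a buggy enforcement point, or a disabled device all surface as an `EXPOSED` line on the next run, while a `BLOCKED` line catches the opposite failure of a rule that cuts off a service the business relies on.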