Given 'at least average' security best practices being enforced and still serious security incidents had happened (ones with important systems going offline)
Posted by vdorru@reddit | sysadmin | View on Reddit | 21 comments
I’m curious if others here have experienced this, and how you interpreted it afterward.
When a serious security incident happens — especially one you believed you were reasonably well prepared for — do you tend to suspect:
- A highly capable external attacker with deep knowledge of your environment, or
- An insider threat involving someone with privileged/internal knowledge who either directly caused the incident or helped enable it while making it appear external? By “insider threat,” I mean not only direct employees, but also people working for third-party vendors or infrastructure providers with some level of access to your systems. Motivations could range from money or revenge to fun.
Did you ever feel a correlation between serious security incidents and (expensive) vendor contracts being signed right afterwards?
I’m also curious how people distinguish between:
- A genuinely sophisticated external compromise, and
- An attack where insider knowledge played a major role behind the scenes.
Have you ever dealt with an incident where the level of access, timing, or precision made you question whether it could really have been purely external?
Not looking for conspiracy theories — more interested in how experienced admins/security teams think about attribution when something significant happens despite having solid controls in place.
SevaraB@reddit
Every security incident I’ve encountered has been because a policy was there, but it was enforced by people instead of technical guard rails and somebody very smart… left the door unlocked. People make mistakes.
Ssakaa@reddit
"despite having solid controls in place"
This tells me you don't actually do infosec/ir in practice.
Stronger controls don't, honestly, reduce the number of real incidents going on at a time. They increase visibility, they decrease blast radius, and they reduce the "oopsies". Moving to tighter controls will rapidly make it feel like you have an absolute onslaught of new incidents, when in fact, you're just finally seeing them.
vdorru@reddit (OP)
Yes, I don't do infosec in practice but I have good IT knowledge and it is something which I am indeed interested to learn from people which do this.
You have a system with all the correct ssh encryption keys, all the correct firewall configs, all the correct no 'root' logins, not any known 'log4j' vulnerabilities in place - so with all these things correctly configured but still your system is suddenly down today (and yesterday it was not)
How come?
Ssakaa@reddit
Statistically? Environmental failure for an actual outage. ISP, power, hardware failure, someone's kid thought the big red button in the datacenter looked fun. Granted, Amazon apparently got to add "kinetic incident" to their bingo card this year.
But, in general, for that or the vast majority of actual, non-outage inducing, incidents, I don't assume one way or the other.
What do the logs say?
GremlinNZ@reddit
Targeted attack, nation state, zero day flaws... Good luck protecting yourself if they decide you're their next victim...
Far too many C suite either think security slows productivity or gets in the way, or can barely operate their devices... Or have their PA/EA do most of it for them...
The basics? Absolutely, implement and hope you're less penetrable than the next company. But like a speeding ticket, you have to be lucky every time, the cop only has to catch you once.
rodder678@reddit
"Average" security is pretty shitty.
However, the first thing I suspect here is that what you think is a highly sophisticated compromise is actually common tradecraft for malicious actors. Your post doesn't contain any useful information to even speculate about attribution.
vdorru@reddit (OP)
You are right, many things are left to the reader to speculate on.
Lower_Fan@reddit
Most insidents are caused by below average compliance to your own standards.
A user didn't setup mfa and it wasn't forced to, a computer does not have the edr or is not reporting properly, a system is unpatched with fairly easy to hack vulnerability. The password to a system is fairly easy to crack. A firewall port is open when it shouldn't be or to system it shouldn't have access to.
One_Contribution@reddit
Average security is not a meaningful protection standard.
Do you want an average amount of structural integrity in a bridge? An average fire suppression system in a hospital?
Ssakaa@reddit
I mean, on average, bridges are built to a spec that's rather solid. If you limit it to places that have policies, standards, licensure, etc. for engineers... the "average" is driven up pretty high. And most companies tend to want average for those safety things. They want the industry standard. They don't want to spend absurd money where their competitors aren't, after all. That's why Gartner still, somehow, holds magical value to leadership types.
vdorru@reddit (OP)
How many of the servers managed are as important as a bridge or as a hospital?
One_Contribution@reddit
To an org I'd argue that most are vital to the survival of said org.An org that accepts average security is accepting a known, quantifiable exposure across every system it runs and every system those connect to. The cost of failure is often not one server. It is everything downstream.
Most probable explanation is an opportunistic external attacker who walked through an existing gap. You do not need to explain a puddle by suspecting a burst pipe if the roof has holes.
vdorru@reddit (OP)
I agree mostly with 'opportunistic external attacker who walked through an existing gap'.
If you watch the 'mafia' movies with Al Pacino whenever an incident is happening that 'cops' give big trouble always the default investigation route for the 'mafia' group is 'we have a rat, we just need to find who is it' - they know that, without somebody from within the group 'tweeting out' to the cops it is almost impossible for the 'cops' to find out new information which until now they were not able to find out.
And a group of people, no matter how 'close together' they stay - even the closest of the groups - will always be infinitely easier to penetrate from outside vs. a computer server hardnened with properly configured encryption keys, firewalls etc.
longmountain@reddit
I never underestimate the aggressiveness with which the average end user will comply with the attackers commands.
disclosure5@reddit
I've sat in on a lot of incidents and "highly capable external attacker with deep knowledge" has never been a thing I've suspected.
Your options leave out the third and more likely option - an unpatched Microsoft Exchange server, a user getting phished, etc.
vdorru@reddit (OP)
good observation.
Ok-Measurement-1575@reddit
Chaos engineering is definitely a thing.
I worked at one place where the dumbest random shit would create weekly P1s.
It felt like there was an unknown third party, likely working with the smt, triggering these faults.
vdorru@reddit (OP)
so you blame the complexity of the systems which make it easier for genuine external adversaries to hit.
Ok-Measurement-1575@reddit
It was nothing to do with complexity. It was the sociopathic machinations of 'those upstairs' for the inherited dogshit.
ItJustBorks@reddit
AI Slop.
vdorru@reddit (OP)
maybe you. Myself I'm indeed interested in what I asked.