In today’s dynamic security world, organizations must understand the benefits of proactively testing their cyber security posture to properly defend against targeted attacks. An effective penetration testing and vulnerability assessment program is a critical component of enterprise security. That said, the majority of penetration tests (pentests) performed do not adequately measure an organization’s ability to detect and respond against an attack as they instead focus on leveraging antiquated methodologies and simplistic external vulnerability scans.
When conducting pentests that simulate adversary attacks, we test an organization’s security in a fundamentally different way – from the inside out, focused on what the attacker can do once they successfully obtain a connection into your environment. We believe that organizations gain much more actionable value from a pentest that simulates how an attacker can move throughout your internal environment and how your defenses stack up against peers in your specific vertical.
We recently performed an adversary simulation pentest against a financial organization (lets call them Acme Bank) that had annual testing completed by a variety of organizations. The results from their last pentest were great – (we didn’t get the details of the previous tests until after our engagement was completed) – because Acme Bank had no critical or high vulnerabilities.
Their previous pentest did not find any exploitable vulnerabilities at their perimeter and therefore was unsuccessful at exploiting Acme Bank’s infrastructure. At the end of this engagement, Acme Bank was handed a report of all the compliance checks that were tested on their network.
Job well done, Acme Bank is secure!
Well, not exactly. We started off by researching current threats against their organization. We identified that Russian adversaries were actively targeting US banks using custom client-side attacks, and used that information to successfully gain a foothold inside Acme Bank. From there, we discovered that the web based banking software they were using stored sensitive and easy-to-guess data in the session information. This resulted in anyone with a valid session having the ability to access any account user’s banking information on the Acme Bank website.
The result: Acme Bank not so secure!
In order to leverage the best return on our client’s investment for a pentest, we focus on a few fundamental actions: Simulating Adversary Actions.
An adversary simulated pentest looks at the actual tools, techniques and procedures (TTPs) adversaries are using against other organizations in specific industries in order to target the client with the tools, tactics and procedures they are most likely to encounter. Table 1 is a sample summary intelligence profile we developed during a recent pentest:
|Weapons||Malicious Adobe PDF documents.|
Adobe PDF Exploits
|Command||Randomly generated .com domains
HTTP & HTTPS
|Operations||Theft of Sensitive Information
Table 1 – List of adversary tactics, tools and procedures used against financial organizations.
Most adversaries follow a specific pattern when they target and attack an organization. Attackers typically start an attack by performing reconnaissance of the target, and then develop malware to target the information desired. An exploit is delivered to targeted users, and if successful, establishes a covert channel to communicate with the attacker infrastructure. Lastly, attackers seek to elevate privileges to move laterally throughout the network and collect sensitive information. This attack sequence is commonly called the kill chain.
By simulating an attack across each phase of the entire kill chain, we are able to provide a unique insight into a wider range of vulnerabilities in an organization’s environment. This allows us to focus on the perimeter as well as the internal security posture down to the layer of specific applications which can be exploited. Perhaps most importantly, we also evaluate the organization’s ability to detect and respond to a target attack.
The adversary simulation approach allows clients to answer the following questions:
- What information is available on the Internet that an adversary can use against my organization?
- Is there sensitive information available to the public that shouldn’t be there?
- Can my security processes detect successful spear phishing attacks, strategic web compromises, and other attack vectors that deliver malware?
- What monitoring do I have in place to alert on successful and failed exploitation attempts?
- Can my host based security detect malware designed to not be detected?
- Are my network security devices in the correct place to detect malicious activity?
- What security devices are monitoring the internal network for malicious activity?
- How does my organization respond to an attack?
Adversary simulation pentests are an important tool within a larger proactive toolset. This type of testing enables organizations to prioritize remediation efforts based on real results and reduces future risk, as well as allowing them to obtain a detailed understanding of specific areas they are protected in and areas where they need to implement additional security defenses. In short, organizations should routinely leverage adversary simulation pentests to quantify and test their ever-changing defensive architecture.