Log In

Reset Password

Learning from simulated cyberattacks

Worst fear: "red teams" can help companies learn how hackers can breach their IT networks

Business leaders might question the sanity of deliberately inviting a cyberattack against their company, but when done right it can prove to be a valuable experience.

The effective deployment of trained teams seeking to exploit cyberweakeness can show a business if it is prepared to withstand a real cyberattack.

Cybersecurity expert Adam Tice, of Mandiant Consulting Services, explained this during a presentation on the effective use of red teams and adversary simulation.

He spoke at the annual conference of the Bermuda chapter of Isaca, the global information systems association.

Mr Tice highlighted case studies that showed how, within a matter of hours, an organisation could be fully compromised by a team of security professionals and testers using techniques employed by hackers and cybercriminals.

On the flip side, he also noted that some corporations have impressively robust cybersecurity that can deflect most attacks. However, even here a chink in the armour was found, and it turned out to be a good old-fashioned telephone.

While cyberattacks are increasing, sometimes resulting in data theft and extortion threats, companies can respond by beefing up IT security and putting themselves to the test by hiring penetration testers or a full-blown red team, to launch a simulated attack.

That is what Mr Tice does for a living with Mandiant, where he leads proactive and responsive teams to test and assess companies and provide live incident response and remediation support.

“We support clients who have suffered major breaches, and nation state or criminal attacks. They are on the frontline fighting them, and often we are the first ones called in,” he said.

He explained that a focus intelligence group, embedded in criminal organisations across the world, acts surreptitiously to feed back information to Mandiant’s threat intelligence database. That information then helps C-suite level executives to build security programmes to defend their organisations and maintain compliance requirements.

Mr Tice is mainly involved in assisting organisations answer the question of whether they are at risk, and whether they are prepared.

Mandiant offers different levels of testing. At the white box/grey box level it is done collaboratively, with information shared by the client about the technical architecture of their organisation as they seek information on where cyberattack vulnerabilities may exist.

The next level involves more sophisticated testing, using “off the shelf, open source and publicly available attack techniques”.

Mr Tice added: “If this has been scoped right, no one knows we are coming. There is a stakeholder, or team of stakeholders, who have been read into the project, other than that no one knows.”

This makes for a real-life test of a company’s cyberdefences. A black box test is a higher level of attack with no forewarning. Beyond that is the full-strength, red team security test.

“You don’t tell us what you want us to test. We are going to use our creativity, our targeting data and what we find in reconnaissance. We are going to find the easiest and fastest way into the environment.”

Mr Tice described the cyber killchain protocol, which starts with an initial compromise, usually through a website, infected laptop computer, USB drive or wireless breach. This is followed by a establishing a foothold in the company’s cyber environment.

“This is one of the most nerve-racking times, because that initial foothold can disappear. You don’t know why. Maybe that person shutdown their laptop, maybe security detected something and shutdown the computer.”

The next stage is escalating privileges, where the goal is to assume higher level privileges within the environment.

“If I can drop on the desk of the director of IT, well he probably has some access. He probably has visibility in the various security controls, visibility into file shares and risk counsel meetings. Maybe they have reports on vulnerabilities. If I land on the director of IT’s laptop there is a lot there I can use without going all the way to ultimate control of the network.”

At this point, the killchain loops back, with the red team taking small steps, getting data, taking another step, getting more data and learning about the environment.

“We are gaining control of your environment, or demonstrating the ability to significantly affect your organisation. We are not going to take anything down. That’s counterproductive to our mission. But if we can demonstrate that we could, that should be meaningful to an organisation,” said Mr Tice.

“Often stealing executive e-mail is just about the worst thing that can happen. We’ve seen many cases where that is all they want; that visibility at executive level.”

Information can be extracted from executive e-mails on deals, acquisitions, mergers, major trades, and stock action.

Companies can train and prepare for possible attacks by disruptive groups, such as Anonymous, or criminal syndicates and nation state attackers. Engaging with a red team pits a company against a formidable adversary, albeit in a simulated way.

Mr Tice showed the good and the bad when he compared two case studies. The first was a multinational law firm. Using mostly e-mails, the red team installed two malware implants and within three days had completely compromised the company’s internal network.

However, things proved far tricker during a six-week engagement against a highly protected global financial institution.

“They have a very mature information security capability. Anything you can buy from a service provider, these guys have — and they have it in-house, not through a consulting firm. They were very good.”

The red team set to work with open source intelligence collection, where they scoured the internet and other sources for any useful information about the company. This turned up a couple of nuggets in the shape of job postings that had strayed beyond the company’s normal policy. The postings laid out details about technical infrastructure used by the company, the computer systems it operated — including the exact versions — and other security and password management systems.

The information from the job postings was combined with details posted on the LinkedIn professional networking website by interns who had worked at the company and were advertising their skills to prospective future employers.

“I knew what IPs they used, what signatures they were writing, and trainings and certifications. I can tell what you are focused on as an organisation by your training. I knew the security tools and scanners they were using,” said Mr Tice.

But even with these pieces of information, getting a foothold inside the company that so steadfastly monitored its cyberperimeter was going to be difficult. That’s when the red team found a way to leap over the perimeter, using the telephone.

The team was able to “spoof” the caller ID of a member of the company’s IT team — the names and telephone numbers of staff had been gathered from the earlier open source researching. The team tricked nine employees to visit a fake site to install a security patch that placed malware into the company’s network.

But the victory was short lived. The company’s robust IT security soon flushed out the intruders, and even started to monitor the red team’s activities.

“Their response was to kick you off immediately, and give the victim a new box [computer]. They don’t clean, they don’t scan, they don’t sanitise. Their default response was ‘that box is gone, it’s quarantined for forensic analysis, the user is getting a brand new build.’ That’s very effective at keeping someone from getting back into an environment.”

After six weeks, the red team had not met its objectives. The company had successfully fought off the adversary, however, it had been alerted to the telephone access weakness, something that many companies do not take into account.

Mr Tice encouraged companies to think seriously about their abilities to thwart cyberattacks, and to consider the risks and benefits of using red teams for adversary simulation.

He said the risks included drama between individuals in a company when uncomfortable things are pointed out by a successful, simulated cyberbreach. There is also the potential for chaos as employees scramble in the aftermath of a breach, and the extra workload will stress incident responders.

Mr Tice also said it was important to work with organisations that have a trustworthy track record of adversary simulations. “If you are going to turn attackers loose in your environment you better trust them, and trust the organisation they work with.”

As for the benefits, beyond fulfilling any compliance obligations, he said it was a “significant mechanism for effecting change. It answers some of the tough questions that you can’t answer otherwise. Can someone break in? What can you do?” he said.

“Train how you fight. Often the training is worse than reality.”