The Right Fit - Matching Assessments to Security Maturity
By Steve Walker, Director, Offensive Cyber Operations
I like nothing more than researching some new technique or operational tradecraft put forward by folks like @harmj0y, @armitagehacker, @bluescreenofjeff, @subTee, etc. and putting it to use. Just as interesting is forensic investigation of major incidents to identify the actual approaches attackers take. Our team enjoys emulating an advanced adversary, and profiling known threats facing our clients. However, there are many times where our clients don’t quite know what they want, or more importantly, need. Nobody wants to hire an expensive red team only to have them blow through a network without any defenses. And nobody wants to have a report dropped on them that's the size of a book with 1000 vulnerabilities and no understanding of the real risk. In both situations the client does not get the value they are paying for.
The key to fixing this is objectively evaluating the current maturity level of your cyber security program, and selecting the type of assessment that will take your program to the next level. A little self-assessment will set you up for success, and a good consulting team should be able to help with this recommendation based on a few technical discussions.
With that in mind let’s look at 9 types engagements you’ll want to consider. The metaphor I like is of a thief wanting to steal the valuables from your house, and your steps to defend it.
Open Source Intelligence (OSINT) Assessment - “Do they have blueprints of the house?”
This is a unique service offered by Fortalice for identifying what sensitive information may be in the public domain or on the dark web. This leads to specific threat profiles to build extra protections against. Ideal Outcome: Detailed profiles of threat actors likely to target your organization, the information available to them, and recommendations for defending against these threats.
Table Top Exercises - “What would we do if we found our door busted open?”
Time is of the essence when an incident is discovered. If you have not thought through an incident response process beforehand it can be a hair-on-fire experience with missed opportunities to limit losses. Table top exercises help think through how you would contain the compromise, handle the media, identify the risk of data loss, and coordinate under stress. Ideal Outcome: Playbooks for how you will respond to different types of incidents.
Social Engineering Awareness - “Stranger danger!”
Phishing attacks are by far the most common attack method. It does not depend on system weaknesses, and capitalizes on our human nature to trust. So it follows that a recurring security awareness program is important. While most focus on the number of employees that fail to recognize an attack, I think the number of employees reporting suspicious email is equally important. More reports of phishing email increase the chances that your security team will detect and respond to the inevitable victims of social engineering. Ideal Outcome: Less employees falling victim and more reporting suspicious email or events.
Vulnerability Assessment - “How good is this lock?”
This involves an external and internal vulnerability scan and maybe some additional work around them. A privileged scan would provide the most comprehensive view at system patch level and local security vulnerabilities. Fortalice avoids these assessments as they are so narrowly focused on vulnerabilities and patch management, but you have to start somewhere.
Cyber Risk Assessment - “We should get a security system.”
I’ve heard clients say “Nobody wants to hack us.” But the reality is, if you’re in business, then you are a target. Attackers cast a wide net, and we are constantly seeing them target company financial processes. A Cyber Risk Assessment involves an external and internal network vulnerability scan and, for Fortalice, technical interviews and policy review. Ideal outcome: Knowledge of specific threats facing you, a path toward an instrumented network able to spot those threats, and policies and procedures to be able to respond when an incident occurs.
Web Application Test - “Could someone pick the lock on the front door?”
These specialized assessments involve vulnerability scans with in-depth testing of a target web site or web application. This is usually the main company website or service available on the internet, but could also be a custom internal application with access to sensitive data. This type of targeted testing is needed for complex web applications. It will ensure an attacker could not gain access to sensitive data, or worse, your network (see Equifax). The security team will almost certainly whitelist the penetration testers to prevent the test from being blocked, and denial of service testing is almost always off-limits. Ideal outcome: Ranked list of vulnerabilities that put your users, systems, or network at risk with example request/response data to assist the remediation.
Penetration Test - “Did I lock the windows, doors? How good are the locks on my bedroom doors?”
Traditional penetration testing will include an external and/or internal vulnerability scan with validation (avoiding denial of service tests). The security team knows the test is happening, and often has to whitelist the penetration testers in security tools. This is because vulnerability scans cause a lot of alerts and may trigger automatic responses that would stop the test. Some firms, like Fortalice, will use adversarial TTPs (tools, techniques and procedures) during these tests. This means they will leverage security configuration weaknesses demonstrate viable vectors to compromise the network or sensitive systems and data. This usually stops at “domain administrator” rights in Windows environments as it gives broad access to most information across the network. This adversarial approach is an important nuance that not all firms will take. You need to know these approaches in order to build defenses against it. Ideal outcome: Ranked list of key risks facing the network, the remediation of which would prevent or detect and enable response to an attack.
Red Team Engagement - “We’ve had a break-in!!”
Red Team engagements are, as a friend put it, “the full spectrum warfare of technical assessments". It will test the ability of your team to detect and respond using the protections you’ve worked so hard to put in place, and highlight the impact of gaps in those defenses. A red team operates with few restrictions and emulates a known threat or advanced attacker attempting to achieve specific objectives. It is important that only a few people know the engagement is occurring, and that the red team be given as much time as possible. This more closely matches reality, where a persistent threat has all the time in the world to move slowly and stay under the radar. Hopefully the defenders, or “blue team”, spot part of the red team’s activities, and that’s great! Some of the best red team engagements I’ve done have been when the blue team is chasing us, and we end up with some great learning opportunities for both sides. Ideal outcome: Identification of gaps in ability to detect and respond to an attack, and a blue team excited to fix them!
I hope this post helped give you an idea of what assessment would best fit your organization! Even if you still don’t feel like you’ve found the right thing, give us a call! There are several things that, in my opinion, make Fortalice unique. One of them has to be the relationships our team builds with our clients and the flexibility to build an engagement that hits the mark. This has enabled our team to highlight the impact of risks without creating an “us vs. them” mentality.
Images obtained from the following:
www.pinterest.com/nightcrawlerlov, hospitalnews.com, www.secure128.com, blog.securitymetrics.com,bmsaccountants.ie, www.stationx.net, n0where.net