APT Red Teams – Part 2
March 12, 2014 4 Comments
APT Red Teams – Part 2
APT Red Teams – Part 1
APT Red Teams – Part 3
Have you tested your resilience to attack? Addressing security more aggressively and working to identify areas of weakness is a more sensible, and ultimately, more effective approach than working to build a “bigger wall” that you hope attackers can’t get through.
The Paralyzing Polarization Conundrum
We are at a fascinating point in the evolution of what we now call cyber security defense. Massive data losses, theft of intellectual property, credit card breaches, denial of service – these have become a way of life for all of us. Ironically, as defenders we have access to an extraordinary array of security tools, technology and resources. But all of this technology, information, and oversight has become a veritable “Fog of More” [Source: CSC5]: competing options, priorities, opinions, and claims that can paralyze or distract an organization from vital action.
What are the most critical areas we need to address, how should an enterprise take the first step to maturing their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?
APT Red Teams – Part 2 blog discusses the importance of and contrasts the CSIS Top 20 Critical Security Controls – Control 20: Penetration Tests and Red Team Exercises. There are many parallels between APT and Red Teams. APTs advance on a “continuous area of attack” leveraging blended, multi-step targeted determined attacks while technology is ubiquitous, constantly being implemented, and is often filled with flaws as soon as it is implemented.
Red Team Goals
The goal of Red Teams is to enhance decision making by challenging assumptions and exploring new ideas, typically from the perspective of an adversary or a competitor. A Red Team, for example, might play the role of an attacker and test the security of a system. Alternatively, a red team might review and assess the assumptions of a strategic plan.
Red Teams are particularly suited to business strategy and planning focused on operational process to validate and evolve it. Whether a Red Team adopts a specific perspective, method, or toolkit depends on the nature of the problem and the circumstances of the Red Team. A Red Team that performs a given type of task repeatedly is likely to develop a process framework and an associated toolkit.
Thinking Outside the Box
Ideally Red Teams should, as follows:
- View the target problem from a systems perspective
- Shed the cultural biases of the decision maker and, as appropriate, adopt the cultural perspective of the adversary or competitor
- Employ a multidisciplinary range of skills, talents, and methods
- Understand how things work in the real world
- Avoid absolute and objective explanations of behaviors, preferences, and events
- Question everything (to include both their clients and themselves)
- Break the “rules”
One can argue that the best Red Teams are born, not trained. It seems that some people have an instinctive ability to Red Team, while others—despite extensive training—can never escape the secure but confining convention box.
Be Prepared: Test and Validate
In January 2014 the Ponemon Institute conducted a Cyber Security Incident Response study. In the study they surveyed 674 IT and IT security professionals in order to determine the level of preparedness of their Computer Security Incident Response Teams (CSIRT).
Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities.
How frequently does your organization assess the readiness of your incident response teams
(for instance, through tabletop exercises, red teams, or other means)?
Assessing Incident Response Readiness
Leveraging Red Teams can help both in terms of testing an organizations true resilience to attack as well as preparedness to respond to and investigate an incident. A vital win-win.
SANS Top 20 Critical Security Controls
The SANS Top 20 Critical Security Controls focus on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “what works“. They prioritize and focus on a smaller number of actionable controls with high-payoff, aiming for a “must do first” philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Why is SANS Control #20 Critical?
In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness. Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance.
Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in-and-out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.
Red Team exercises take a comprehensive approach at the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
How to Implement This Control
Rules of Engagement
Attackers penetrate networks and systems through social engineering, via phishing attacks and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. For more details on the signature of an advanced targeted threat (APT) see Defensible Security Posture.
A problem that many companies face is that they don’t fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help organizations prioritize resources in order to successfully defend sensitive data. For more information see APT Threat Analytics.
Many organizations do not exercise their defenses so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
Developing Scenarios to Exercise and Validate Defenses
Organizations should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization’s highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.
In developing Rules of Engagement they differ from exercise to exercise. The end result is designed to incrementally strengthen an organization’s security posture. It assists in the identification of weak areas and highlights the strengths to improve and evolve the minimum security baseline. Some initial avenues used to identify security weaknesses are, for example:
- Vulnerability scans
- Device configuration assessment
- Web application security
- Firewall rule assessment
- Segmentation / Zone controls
- System decomposition and risk analysis
- Social engineering
- Specialized tools
- Passive attacks correlated to back-end logging/alerts
Each test should have a specific goal, and provide different pertinent information. Each test by itself will not provide an overall picture of the current security state of the target system or network, but when all the areas are evaluated and put together, organizations will have a better overall picture of their security posture.
Red Team efforts can identify multiple areas of concern such as:
- System vulnerabilities
- Design flaws or weaknesses
- Personnel complacency
- Security monitoring flaws
- Response procedures
Using the above items, it’s possible to conduct a root cause analysis in an effort to assist the shoring up of the target system or network. Each area tested is designed to mimic the actual multi-step methods and tools used by a would-be hacker seeking to penetrate deeper or move laterally.
Evaluating and Understanding the TRUE Defensible Posture and Risk
The assessment team should be skilled and have the ability to identify weaknesses and use them to gain access to the target system or network. This enables the opportunity to identify weaknesses, gauge response capabilities and, and correct shortcomings. The overall goal of an assessment is to ensure the organization is as secure as possible and is prepared for future incidents.
Nearly every organization can benefit from some form or degree of Red Teams. Whether the “red team” is a highly structured, a formal unit or a self-appointed devil’s advocate, almost every idea, concept, design, or plan benefits from healthy opposition and testing. Aiming a seasoned Red Team at a problem or system at the right time with the proper mandate can steer a decision maker away from an otherwise pending catastrophe, help validate the strategy and direction and, provide useful feedback and lessons learned for other projects.
In APT Red Teams – Part 3 we will develop this foundation further and discuss some actual example Red Team exercises, as techniques, tools and tests to validate a defensible security posture.
- Ponemon Institute – Cyber Security Incident Response, January 2014
- SANS – SANS Top 20 Critical Security Controls, Version 5.0
Thanks for your interest!
Nige the Security Guy.