“The difference between success of an attacker or success of your defenses is dependent on the resiliency of your security infrastructure and the readiness of your people, processes, products and tools to combat a persistent adversary. Test, analyze, improve. Repeat.”
Stephan Chenette, CEO and Founder, AttackIQ
Most of us in the information security world have learned that it is no longer a question of IF you will be compromised, it is a question of WHEN and HOW it will happen. As a defender, your role is to find, prioritize and fix all of the most prevalent weaknesses, while the attacker only has to find one hole. It's an asymmetrical balance where you have to be right all of the time, while the attacker only has to be right once. Upon being compromised, it becomes a matter of how well your processes and controls enable you to:
- Detect it
- Control it
- Respond to it
Without a real-time comprehensive view of your security infrastructure, how can your organization gain true understanding and visibility into their overall IT risk?
You need to understand two important things as you prepare for the inevitable incident:
- How the attackers are likely to behave once inside your network
- Whether you understand your IT infrastructure as well as, or better than, your adversaries
These two items are what separates a manageable security incident from a devastating, possibly existential data breach.
Analyzing Attacker Behaviors
Attacker behavior is fairly predictable. It is unlikely that an attacker will go from running an exploit to stealing your most valuable data in a single step. In fact, many incident response reports indicate that the attackers were present in the network for days, weeks, months and possibly even years before they wreaked irrecoverable havoc.
Although every attack is different, common phases form “the cyber kill chain” include:
- Command and Control
Understanding the real world aspects of these phases will help you to better understand your attackers allowing you to prepare your defensive strategy to stop – or at least delay – them in their tracks. Also, this gives you better insight into the blind spots in your infrastructure and your ability to tighten the controls wherever possible.
A good example of a cyber kill chain for the BlackEnergy APT Group, which focuses its efforts in the defense and energy sector among others, includes:
- Weaponization: Microsoft Office Exploits
- Delivery: Phishing/Spear Phishing
- Exploitation: CVE-2014-4114 (“Windows OLE Remote Code Execution Vulnerability”)
- Installation: Black Energy (various versions)
- Command and Control: Various European Hosting Providers
- Action: Theft of Intellectual Property
It’s important to note that each attack phase is different for the various threat actors and/or groups – Script Kiddies, Criminals, Nation States, Corporate Espionage, Malicious Insiders, Hacktivists, etc. – and the techniques used in each phase likely differ for each cyber kill chain.
The overarching goal is to turn what we know into relevant potential attack paths that can be mimicked in order to understand the blind spots within your network. So how can we do this?
As established above, getting into a network is the attacker’s first step. At this point there is no irrecoverable damage – although it does constitute a security breach. Now is your opportunity to minimize the impact with a clear understanding your adversary’s behavior.
To move through your network – both laterally and hierarchically – the adversary will leverage systemic flaws, also known as technical debt, that exists inside your security infrastructure. These flaws are the result of the choices that have been made in the past that have often been forgotten about or even ignored. Once they are recognized and addressed however, you significantly up the technical ante for your adversaries.
Assessing your Network
It goes without saying that your adversary has a reason for compromising your network – they are after something of value. Now it is your responsibility to understand exactly what is at stake.
- What is important to you that an attacker might be interested in?
- Where are the valuable assets located within your network?
Once you’ve identified these things, you can work backwards and identify the viable attack paths, and then tighten the controls around those paths.
Through “holistic testing” you can test multiple attack sequences as well as test each phase against the various defenses. This allows you to test every possible iteration of a particular cyber kill chain. This is different than traditional testing where the last phase of an attack may never be tested due to the assumption that the first phase would be detected or prevented. You now have the ability to efficiently exercise the prevention and detection capability of end-to-end systems and processes for all relevant adversaries. This is why both holistic testing as well as unit testing of the various individual phases of an attack are so important. Once you’ve tested the complete range of attacker capabilities, your defensive shortcomings become obvious.
Securing your Defenses
By finding the blind spots in your network, identifying high value assets, and understanding the various attack paths available to reach those assets, you will improve your overall defenses.
- Various attack groups, such as Hurricane Panda, are known for targeting the aerospace defense and technology sectors among others using a persistent backdoor technique called “Sticky Keys” that allows them access to a system command prompt. Ask yourself:
- Would your defenses be able to detect this technique?
- How would you know if you have not allowed your team to safely try this technique on your hosts?
- Specific attack groups have their own modified versions of mimikatz to perform a technique called “Pass-The-Hash,” which dumps the credentials from machines running Windows operating systems and enables an attacker to move laterally across the network. The attacker doesn’t need to steal the password, just the hash value. Chillingly:
- If an attacker gains access to one of your engineering machines, are you curious to know if they’d also be able to gain access to a domain controller or a machine in finance using the same hashed credentials?
Every move made by an attacker generates logs and other potential forensic evidence inside your environment. By mimicking a real-world attack safely on your production network, you can determine if you have an overwhelming number of alerts being sent to your incident response team. Then you can rerun the tests and fine-tune the alerts to help the team focus on and respond to what matters most. Additionally, you can test to determine if there are false negatives -- missed threats -- in your logging and alerting infrastructure.
With holistic testing, you are looking for answers to the following questions:
- How far is an attacker able to get into your network without being noticed?
- What attacker actions trigger specific defensive alerts?
- What is the response time for your team?
- Which specific products in your security infrastructure generate alerts along the cyber kill chain?"
The answers to these questions are quantifiable – the data exists within your infrastructure – you just need the right tools to bring them into the light of day. Holistic testing will provide you with the answers that you need to objectively secure your defenses. Stop thinking, start knowing! While compromises are inevitable, organizations that apply these best practices are able to continuously minimize the eventual impact. Test, analyze, resolve, repeat.
About the Author
Stephan Chenette is the CEO and founder of AttackIQ, Inc. The company’s mission is to challenge the existing security landscape and enable organizations to measure the resiliency and efficacy of their security posture, gain better visibility into their full IT security infrastructure and make better data-driven security decisions. To learn more visit: https://www.attackiq.com/
Stephan brings over 20 years of cybersecurity experience to AttackIQ and joined the company from IOActive where he was the director of research for the company. Prior to that, he was the head of Websense Security Labs and a security research engineer at eEye Digital Security.
AttackIQ recently announced its GameOn! Security Challenge, which is an open call for both seasoned and aspiring security professionals to develop real-world scenarios – python packages that mimic real world techniques – for automated attack and validation testing. This is an opportunity to help make organizations around the world be more secure by learning and extending a powerful enterprise development platform for automation and orchestration around security testing.