Adversary Simulation
Cyberattacks are one of the biggest threats to today’s businesses and one that continues to rise in severity and frequency. While this makes it vital for organisations to put the necessary measures in place to prevent, detect and respond to attacks, testing those measures is equally important.
The traditional ‘vulnerability assessment’ and ‘penetration testing’ style approach mostly highlights ‘what is vulnerable’ and ‘what the security status looks like’ on a given infrastructure at one given instance. It generally focusses on the technical aspect and in cases is driven by a checklist (tick on the box) approach, which in a way, we think would be a good starting point. However, this does not necessarily provide a business with the ability to deal with an ongoing attack, compromise, and post-compromise. This is where the ‘simulation’ or an ‘emulation’ mindset kicks in. To understand how a real attack unfolds, businesses need to adopt an adversarial mindset.
As the ancient Chinese general, and military strategist, Sun Tzu says, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
What is Adversary Simulation?
An adversary simulation is a security assessment technique that effectively simulates a real-life attack. The concept is modelled after military training exercises. However, instead of soldiers lining up on the battlefield, the face-off is between teams of highly experienced security professionals. Elite hackers, who lead the adversary simulation, aims to compromise the environment, and will potentially gain access to the network either by using compromised/leaked credentials, or using advanced social engineering techniques, or compromising public-facing assets, etc. Once they have access to the internals, the team will then aim to execute lateral movements within the environment, elevate their privilege as much as possible and eventually try to exfiltrate data. All of which happens under the radar of the defensive team, while avoiding detection for as long as possible, sometimes lasting weeks or even months. The end goal is often to make the defensive team stronger and to always learn from the adversarial mindset.
In InfoTrust’s most recent engagements, we were able to use known Tactics, Techniques, and Procedures (TTPs) to simulate some of the known Iranian cyber-espionage groups (APT 39), Russian GRU tactics (APT 28) and similar common knowledge of other threat actors. This gave the organisation an assurance and complete visibility of what a real threat actor could have done to their environment.
Expected Outcome from Adversary Simulation
It takes a huge amount of knowledge to be able to accurately imitate sophisticated real-world attack techniques and methods, which makes adversary simulation difficult without external support. When organisations employ consultants to carry out an adversary simulation, they will be hiring a team of experienced security professionals or independent ethical hackers. The team will be knowledgeable in various TTPs and offensive tools being used in the most recent and notable attack chains.
By using professional consultants, organisations can learn more about the latest attack techniques and discover their unique weaknesses and vulnerabilities when put under attack. The simulation covers a multitude of domains, not only from the technical aspect but also covers the ‘human factor’ and the physical (on-site) security aspect. Consultants will be well-versed in the devious nature of cybercriminals and able to assume the mindset of sophisticated adversaries that businesses may face in the real world. This gives organisations the opportunity to fully challenge the effectiveness of their overall infrastructure and really understand how a con artist could gain access to privileged client data.
How Does it Strengthen Security Hygiene?
After an adversary simulation engagement, organisations receive a comprehensive report and a debrief of what happened during the attack. The report may include what attack paths were chosen, what could have been the alternative attack paths, what lead to the compromise, what was missed out in terms of the configurations etc. This then enables the organisation to fully understand the outcome of the overall exercise. As presented earlier, the end goal is ‘preparedness’, for any future attack and to strengthen the defensive team, technologies, and place post-compromise procedures.
By having this in-depth knowledge, businesses would then be able to:
- Elevate awareness – Gain a better understanding of the attack landscape, identify and classify a wide range of security risks that were unknown prior.
- Assess security – Identify security appetite and effectiveness of security controls on people, process, and technology.
- Identify gaps – Uncover weaknesses in security protocols and then monitor which would have allowed criminals to evade detection.
- Strengthen network – Become better at detecting targeted attacks and improve breakout time.
- Improve response – Develop remediation activities to get the business back to a normal operating state as quickly as possible.
- Build cyber maturity – Add to security capabilities and make employees more aware of vulnerabilities in a low-risk training environment.
Could Adversary Simulation Help Your Business?
By launching this kind of simulated attack, organisations can gauge the true strength of their security capabilities against a wide range of cyberattacks and identify areas of improvement. It also takes security testing to a next level, by not only focusing on the technology aspect but also on the “human factor”. Launching various social elements and adding wider non-technical aspects to the business can determine if a business can continue operating during such ongoing attacks. It also builds confidence in how people and processes work in a real attack scenario and under pressure in such an active attack situation. Ultimately, adversary simulation forms an important part of a vulnerability management program and to understand the overall appetite of the business from a security point of view.
Contact InfoTrust today to find out more about our adversary simulation services.
If you would like to know more about the type of security assurance services we offer such as Red Teaming and Penetration testing, please visit our other blog where we explain the two approaches further.
see our
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches is gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collect, store, and share more and more data. And, amongst that data is personal information. With the OAIC marking this year’s Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it’s time for us all to review how we protect our customers’ personal information.
We're Here To Help