Blog

Adversary Simulation

Nitesh Bhatta
February 22, 2021
Home

Let's Get STARTED

Cyberattacks are one of the biggest threats to today’s businesses and one that continues to rise in severity and frequency. While this makes it vital for organisations to put the necessary measures in place to prevent, detect and respond to attacks, testing those measures is equally important.

The traditional ‘vulnerability assessment’ and ‘penetration testing’ style approach mostly highlights ‘what is vulnerable’ and ‘what the security status looks like’ on a given infrastructure at one given instance. It generally focusses on the technical aspect and in cases is driven by a checklist (tick on the box) approach, which in a way, we think would be a good starting point. However, this does not necessarily provide a business with the ability to deal with an ongoing attack, compromise, and post-compromise. This is where the ‘simulation’ or an ‘emulation’ mindset kicks in. To understand how a real attack unfolds, businesses need to adopt an adversarial mindset.

As the ancient Chinese general, and military strategist, Sun Tzu says, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

WHAT IS ADVERSARY SIMULATION?

An adversary simulation is a security assessment technique that effectively simulates a real-life attack. The concept is modelled after military training exercises. However, instead of soldiers lining up on the battlefield, the face-off is between teams of highly experienced security professionals. Elite hackers, who lead the adversary simulation, aims to compromise the environment, and will potentially gain access to the network either by using compromised/leaked credentials, or using advanced social engineering techniques, or compromising public-facing assets, etc. Once they have access to the internals, the team will then aim to execute lateral movements within the environment, elevate their privilege as much as possible and eventually try to exfiltrate data. All of which happens under the radar of the defensive team, while avoiding detection for as long as possible, sometimes lasting weeks or even months. The end goal is often to make the defensive team stronger and to always learn from the adversarial mindset.

In InfoTrust’s most recent engagements, we were able to use known Tactics, Techniques, and Procedures (TTPs) to simulate some of the known Iranian cyber-espionage groups (APT 39), Russian GRU tactics (APT 28) and similar common knowledge of other threat actors. This gave the organisation an assurance and complete visibility of what a real threat actor could have done to their environment.

EXPECTED OUTCOME FROM ADVERSARY SIMULATION

It takes a huge amount of knowledge to be able to accurately imitate sophisticated real-world attack techniques and methods, which makes adversary simulation difficult without external support. When organisations employ consultants to carry out an adversary simulation, they will be hiring a team of experienced security professionals or independent ethical hackers. The team will be knowledgeable in various TTPs and offensive tools being used in the most recent and notable attack chains.

By using professional consultants, organisations can learn more about the latest attack techniques and discover their unique weaknesses and vulnerabilities when put under attack. The simulation covers a multitude of domains, not only from the technical aspect but also covers the ‘human factor’ and the physical (on-site) security aspect. Consultants will be well-versed in the devious nature of cybercriminals and able to assume the mindset of sophisticated adversaries that businesses may face in the real world. This gives organisations the opportunity to fully challenge the effectiveness of their overall infrastructure and really understand how a con artist could gain access to privileged client data.

HOW DOES IT STRENGTHEN SECURITY HYGIENE?

After an adversary simulation engagement, organisations receive a comprehensive report and a debrief of what happened during the attack. The report may include what attack paths were chosen, what could have been the alternative attack paths, what lead to the compromise, what was missed out in terms of the configurations etc. This then enables the organisation to fully understand the outcome of the overall exercise. As presented earlier, the end goal is ‘preparedness’, for any future attack and to strengthen the defensive team, technologies, and place post-compromise procedures.

By having this in-depth knowledge, businesses would then be able to:

  • Elevate awareness – Gain a better understanding of the attack landscape, identify and classify a wide range of security risks that were unknown prior.
  • Assess security – Identify security appetite and effectiveness of security controls on people, process, and technology.
  • Identify gaps – Uncover weaknesses in security protocols and then monitor which would have allowed criminals to evade detection.
  • Strengthen network – Become better at detecting targeted attacks and improve breakout time.
  • Improve response – Develop remediation activities to get the business back to a normal operating state as quickly as possible.
  • Build cyber maturity – Add to security capabilities and make employees more aware of vulnerabilities in a low-risk training environment.

COULD ADVERSARY SIMULATION HELP YOUR BUSINESS?

By launching this kind of simulated attack, organisations can gauge the true strength of their security capabilities against a wide range of cyberattacks and identify areas of improvement. It also takes security testing to a next level, by not only focusing on the technology aspect but also on the “human factor”. Launching various social elements and adding wider non-technical aspects to the business can determine if a business can continue operating during such ongoing attacks. It also builds confidence in how people and processes work in a real attack scenario and under pressure in such an active attack situation. Ultimately, adversary simulation forms an important part of a vulnerability management program and to understand the overall appetite of the business from a security point of view.

Contact InfoTrust today to find out more about our adversary simulation services.

If you would like to know more about the type of security assurance services we offer such as Red Teaming and Penetration testing, please visit our other blog where we explain the two approaches further.