I recently witnessed the CIO of a publicly traded company dismissing the results of a successful red team to the Board of Directors by stating that the “the test wasn’t realistic as the red team had insider access.”
The “insider” access in this instance was a network connection with no user credentials that was obtained through multiple avenues that included spearphishing an employee’s public email address and also by plugging into a network port in a publicly accessible building (one frequented by hundreds of thousands of visitors per year). As with most environments, the attack team was able to move laterally without detection and engage in levels of compromise that, had it been a real attacker, would have been consequential and catastrophic for the company. It would have literally been a billion dollar breach.
What enterprise executives need to realize is that in today’s environment, every cyber attacker is a potential insider. Given the prevalence of BYOD (bring your own device), supply chain integrity issues, foreign travel, and the plethora of successful spearphishing campaigns, executive leadership needs to operate on a presumption of breach basis and work on reducing their attack surface through red teaming, early detection of attacks, thwarting lateral movement through the enclaving of critical systems, and having robust incident management plans in place before the breach occurs.
The U.S. Department of Defense has been operating on a presumption of breach basis since before the release of the 2011 Defense Strategy for Operating in Cyberspace and it is an important concept to understand at the corporate board level as well. A presumption of breach approach shifts your network security focus away from a perimeter defense mentality. Given the inevitability of a successful attack that breaches the internal network, corporations needs to develop a strategy for dealing with attackers inside the firewall. They need to think of every attacker as potential insider.
As noted by the Department of Defense, “Operating with a presumption of breach will require DoD to be agile and resilient, focusing its efforts on mission assurance and the preservation of critical operating capability.”
What are your organization’s critical operating capabilities? What security measures have been taken to segment critical operations and data from the more benign components of the corporate network and to ensure that critical operations continue during a breach? What technologies and countermeasures do you have in place to detect and prevent lateral movement once an attacker has established an internal foothold?
The recent billion dollar breach campaign reported in the New York Times is a perfect example of an attacker acting like an insider within the target organization. According to reports, the attackers took weeks and months to study their targets’ business processes, understand the organizational structure including which individuals had appropriate authorities, and probed critical internal systems not only for technical vulnerabilties but logic errors that could be exploited for financial gain. In recent incidents investigated by FusionX, we’ve seen attackers engage in sophisticated impersonation campaigns understanding their target down to the exact hours an executive would be on an international flight and unable to interfere with the impersonation. This attack sequencing could accurately be described as Intelligence Preparation of the Battlefield.
Red teaming plays a critical role in understanding how an attacker will target your internal network and exercises your ability to detect and respond to an attack. Consider it in this context; if you were slated to box Mike Tyson would you want to train using a static punching bag or a live sparring partner? With the live sparring partner, you have an ability to replicate your opponent, make mistakes and derive lessons learned that position you for greater success when you step in the ring. Most organizations spend millions of dollars on security detection technologies, 24/7 security operations centers, and have articulated response policies but never exercise them by simulating the real tactics, techniques, and procedures (TTP) of a human attacker. In the boxing world, fighters volunteer for their bouts. In the cyber domain, you are going to fight Mike Tyson whether you want to or not.
Properly conducted with a realistic scenario framework, red teaming also provides a critical human attacker perspective on your internal network and business processes.
Here are some key questions that the management team should be asking their Chief Information Security Officer (CISO) from a presumption of breach perspective:
Have we identified which systems and data are most critical to our organization?
What threat models have we developed to inform the risk management process for not only our most critical systems but all enterprise information assets?
How does threat intelligence inform and influence our ongoing security posture, detection capabilities, and risk management process?
Are the critical systems and data subject to a more advanced security policy to include system and data protection profiles, enclaving, and additional monitoring?
Do we have a comprehensive incident management policy?
Have we engaged in red teaming to test the incident management policy, but also our ability to detect and respond to advanced attacks?
Thinking about your security posture from a presumption of breach perspective is just one of the mechanisms organizations need to employ to address the capabilities of modern attackers. It is readily apparent that the old security models have already failed.