2022 Class of Fast 50: OnDefend
For more than 25 years, the Jacksonville Business Journal has identified the fastest growing companies on the First Coast.Read
A new year with the same set of problems. Instead of finding ourselves on the threshold of solving our cybersecurity woes, companies will be forced to do more with the same budget. We have already seen many organizations facing pressure to reduce their spending, including security budgets. But generating better results with less investment is going to require some new approaches to how we think about testing in our environment’s.
Start by asking these questions:
Forbes Technology Council Advisor Ben Finke has dealt extensively with Penetration testing and detecting emerging threats. In the following interview, he answers the most asked questions about Threat- Informed Pentesting.
TIP is Intelligence informed penetration test that emulates the tactics and techniques used by specific emerging threat actors that are targeting your industry,
giving you the opportunity to understand exactly how your controls would handle them.
Answering questions like, do you have some mitigation in place that prevents these actions from working? What detection do you have that would allow your team to identify this activity in place?
In a “regular” Pentest the only attack actions executed tend to be the ones that the consulting firms pentester is comfortable using. Since the Pentest frequently starts from the same point (an internally placed dropbox), you never exercise the types of ingress used by real attackers – connect over the VPN using genuine credentials, exploit an externally positioned application, phish their way into a privileged user, etc – you miss testing these systems altogether. And because threat actors use different procedures and tooling, the testing provider by the Pentester firm may not have much in common with the real threat at all.
A single TIP is not a replacement for a full Pentest. First, the scope of the scenario is very narrow and targeted based on the adversary, so plenty of available attack actions are left out of a TIP. Second, because of the narrow scope, the TIP may not provide any feedback on the security posture of other systems, which in a traditional Pentest would be examine and probe them at a minimum. TIP can be conducted either as a stand-alone exercise as a supplement to your traditional Pentest or it can be offered as an add- on to your regularly conducted test.
Threat actors tend to blur industry lines a lot but selecting a TIP that simulates an adversary known for attacking other orgs in your vertical is a good start. It’s also good to have a variety of scenarios – access over VPN, exploiting web app vulnerability, supply chain attack, or spearphishing. Each scenario is intended to drive discussion among the team around whether security controls are deployed correctly and with the right configurations. For example, if faced with the reality that the adversary gained access over the VPN, do you have enough logging data to reconstruct what happened? Do you know how to try an IP address from the VPN tool to a specific user account for the time when the access occurred? Can you revoke access successfully and within your operational time targets? When all else fails, ask your BOD and leadership what adversary they are specifically worried about.
Many of these scenarios require different starting points than a traditional pentest – they also require some scaffolding put in place in cooperation with the customer to ensure the scenario can proceed (example: credentials with VPN access), which frequently are not given during standard Pentests. These scenarios don’t open up for consultants to move around with impunity – they are strictly timebound and focused on executing the different stages of the scenario.
While using a BAS tool can provide valuable automation to repeatably test specific actions, TIP relies on the ability of a human being to execute a scenario while being able to adapt to the results they are seeing. BAS tools have limited ability to vary their procedures and payloads during execution time, which a talented and imaginative consultant can adjust on the fly during the operation. After the simulation is complete, we highly recommend retesting with BlindSPOT (OnDefend’s propietary Breach & Attack tool) to automatically retest and confirm successful remediation.
TIP scenarios are designed to be very compact, which ensures you can try more than one and that they don’t require a huge commitment of resources. As part of compressing this timescale we build in some requirements and some stages.
Requirements are the specific items needed to begin the scenario. For example, if we execute a LAPSU$ scenario, we require credentials will access to the VPN (or other remote access technology). A LAPSU$ agent will pay an employee or contractor for their creds, something which we don’t have time to execute in the simulation window. But by starting with access, we can immediately begin executing the technical actions that you would see from the threat actor.
Stages are groups of actions in a TIP scenario. Let’s say that during the FIN7 scenario we have an initial opening stage of sending the first payload in through an email. If we are unable to get any attachment through the email security filtering, we will mark that stage as preventing success, but then move to the next stage, where the customer facilitator would place the payload on the intended system so that we can move to the next stage.
The goal is to work through ALL stages, and the report for the scenario will include the details around which stages were successful, and which were not. But without having the necessary resources to start and then continue, we cannot provide the full end-to-end experience of the activity executed by the threat actor.
First – what threat are you most worried about? Or put another way, if you found out today that a breach occurred, what would your first instinct tell you is the likely way it happened? One of the great benefits of TIP is the validating assumptions you have – either good or bad. I would probably start with a scenario that is different from how you conduct your standard Pentest. If your regular Pentest starts with a focus on endpoint devices, maybe pick a scenario where the threat actor gets in through your VPN or what about simulating an exploit of one of your webservers that faces the Internet?
Once you have the scenario in mind, draw up the plan with where you expect your security tools to prevent or detect the threat actor. If you use the VPN access scenario, see how effectively you can track activity across systems. Can you carry identity through from the VPN connection itself to other network activity, or application activity? Do you have a complete picture of what that VPN client connection did while connected? Do you have a way of containing further activity from that VPN account?
It’s important that you play the scenario out all the way. Preventing some actions early in the TIP scenario is great, but it’s important to understand how your defenses would work afterwards. Don’t rely on that initial prevention as your only tested component, because as soon as the threat actor figures out a way around, you are going to want to know how your detective controls work too.