My previous posts have examined the myriad advantages of a penetration test in general and how increasing the scope for each subsequent test can exponentially increase the value of an offensive assessment. We have also discussed the merits and changes to our penetration testing methodology and approach. This blog post will take things a step further and look in-depth at advanced offensive assessments, primarily focusing on the red team and adversary simulation, as this is an assessment that will help hone malware and ransomware defenses and test the Security Operation Center’s (SOC) ability to detect ongoing or advanced intrusions.
This type of testing has been assigned various names, including adversary simulation or threat emulation, purple teaming, and attack simulations. These assessments allow all of the various offensive assessment services (pen testing, social engineering, phishing) to work in concert to provide a more comprehensive assessment than can be offered by any one of them individually. Essentially, it is an offering that allows all of the offensive offerings to act as an advanced attacker to assess, test, breach and report on the client’s security posture from all available angles.
Red teaming is the basis of these advanced offensive assessments. A red team is a group of security assessors that approaches the assessment from the perspective of advanced attackers. The major difference between a red team engagement and a penetration test is the amount of time and number of resources that will be devoted to finding flaws in the network. Red teaming has two possible approaches that will be tailored to best meet the client’s needs and include a full scope penetration testing and adversary simulation.
Full Scope Penetration Testing
Full scope penetration testing is an engagement in which the assessor has a blanket Letter of Authorization (LoA) to test any systems owned by the client, using much of the same methodology as an Advanced Persistent Threat (APT) actor. These types of tests are very effective at weeding out vulnerabilities and broken controls over an organization’s entire digital footprint. The insight gained from this sort of test will greatly increase the assessed organization’s ability to better understand its vulnerabilities and how to prioritize them using a risk-based approach.
Although this is a very advanced test that is likely to find issues, often identifying unknown systems inside your network, it still has some bias and limitations. There is no such thing as an unlimited test for ethical hackers. There are, by necessity, a limited number of hours to devote to any one engagement. Another consideration, elegantly described by Raphael Mudge on the Cobalt Strike Blog, is:
[Red teams] have similar sophistication to what their customer faces day-to-day, but the actions of the red team are solely theirs. The red team has their own tradecraft, their own process, and their own way of doing things. They’re not really emulating anyone else [although, like all good offensive actors, they’re happy to blatantly borrow what works from others].”
Despite the best efforts and benefits that a full scope penetration test from a red team delivers, there are still other approaches.
Adversary simulation takes the concept of red teaming in a slightly different direction. Instead of the team approaching the targets as a “red team,” they instead emulate an actual known threat actor. This approach provides a level of insight that cannot be gained from any other type of testing. During the scoping and planning discussions for an adversary simulation, the red team and their target organization will discuss some of the most active and damaging threat actors that are currently out there and choose which real-world threats they would like to have their defenses tested against. This approach will allow the internal security team to truly assess their ability to detect and defend themselves from real-world attacks.
Just like any test, an adversary simulation is not a panacea and will not find every vulnerability that could be found. Adversary simulations are a key piece to a successful, mature security program and will provide insights into an organization’s defensive controls that cannot be provided any other way.
If you are interested in learning more about any of the topics I discussed in this blog post, or any others, don’t hesitate to reach out to me. Cobalt Strike Blog, referenced above, is an excellent place to learn many of the in-depth details of how adversary simulations and advanced red reaming activities work and which adversaries can be simulated.
Contact us if you are interested in learning more about all of the different types of penetration testing and CynergisTek’s ability to test your organization.