The Art of Self-Defense: Security Validation Through Attack Simulation
Additional authors: Nic Finn
Setting the Stage
Organizations looking to develop an increasingly proactive defensive strategy are beginning to incorporate Breach and Attack Simulation (BAS) technology into their security programs. For those unfamiliar with BAS technology, our Threat & Attack Simulation team published a separate blog post highlighting what it is and a few of the associated use cases. Security control validation is one building block of a proactive security posture. To prepare effectively for an inevitable cyber-attack, organizations are beginning to focus on continuous testing of their security controls against the realistic threats they face today.
Clearly defined objectives are a key first step in any breach and attack simulation exercise. What is our overarching goal for each exercise we run? Are we looking to assess the effectiveness of our security controls? To assess our incident response processes and procedures? For this exercise, the goal of our test case was to assess the effectiveness of the security controls within a lab environment against the tactics, techniques, and procedures used by a threat actor known to target our hypothetical industry. We combined threat intelligence, curated by GuidePoint’s Research and Threat Intelligence (GRIT) team, with Breach and Attack Simulation technology to design and execute a custom campaign. The following sections give a high-level view of the end-to-end process of designing and executing a custom breach and attack simulation exercise.
Choosing a Threat Actor (TA) and Creating a TA Profile:
Once you have decided to conduct an attack simulation, the next step is to identify a threat worth simulating. This can take a significant amount of internal and external resources: an organization’s size, industry, and location all factor into which threat groups are likely to target it. Coordinating with partners’ CTI teams and reviewing previous breaches for identifiable Tactics, Techniques, and Procedures (TTPs) can surface threat actors and groups deliberately focusing on your organization.
By correlating observed TTPs against recent reports and blogs from across the threat intelligence community, we can identify a likely threat group and simulate it, giving us the most realistic scenario our organization faces. In our example, we selected AlphV (also known as BlackCat) because of its considerable impact on multiple industries throughout the western hemisphere and its use of TTPs common to many ransomware engagements. Using high-quality reporting such as CISA’s #StopRansomware advisory, coordination with peers in the CTI community, and assumptions about AlphV’s sophistication and capabilities, GRIT developed a profile identifying the most relevant TTPs. While AlphV has since disbanded, its TTPs remain relevant because many advanced Ransomware-as-a-Service (RaaS) groups use them. Validating your security controls against this group’s TTPs can also help mitigate the risk of successful attacks from the many smaller and less sophisticated ransomware groups.
Breach & Attack Simulation – Building Custom Campaigns:
It all starts with good threat intelligence
A well-built simulation is only as good as the threat intelligence supporting it. Accurate, up-to-date intelligence lets us build a simulation that assesses our security controls against the specific procedures our adversary is known to use. We must also keep the test case in mind throughout every stage of the build: an inaccurately designed simulation produces misleading results and a false sense of security. Including TTPs that AlphV is not known to use may still yield useful insight into our controls for those particular techniques and procedures, but it tells us nothing direct about our test case, namely how we would fare in our current state against AlphV. Alongside understanding the threats specific to our organization, we also need to understand our own environment, so that a given exercise represents it as completely as possible.
Knowing Your Environment
Understanding our environment is another key step in the preparation and design of a simulation exercise. Several key factors that come into play are:
The Build
Working with the TA profile curated by our GRIT team, we leveraged the MITRE ATT&CK Framework to break down the tactics, techniques, and procedures to be incorporated in our simulation. The image below represents the tactics and techniques from the TA profile that we chose to incorporate into our custom simulation build.
In this scenario, we wanted to test our controls against some of AlphV’s most frequently observed techniques. The final simulation mixed attack techniques common to RaaS groups with techniques specifically reported for AlphV, including ProxyShell exploitation of on-premises Exchange, RDP brute forcing, SAM database extraction, and Cobalt Strike.
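As an added example (not code from the original post, GuidePoint, or any BAS vendor), the snippet below turns a threat-actor profile like the one described above into an ATT&CK Navigator layer, so the planned tactic and technique coverage can be reviewed as a heatmap before anything is fired. The technique and tactic identifiers are standard ATT&CK Enterprise IDs; mapping the four procedures named above onto those IDs, the `TA_PROFILE` rows, the function names, and the layer format version are this example’s own assumptions.

```python
"""Added example: build an ATT&CK Navigator layer from a threat-actor profile.

Technique/tactic IDs are standard ATT&CK Enterprise identifiers; the choice of
which ID each named procedure maps to is this example's own, and the profile
entries below are constructed for illustration (not GuidePoint's TA profile)."""
import json

# Tactic short names accepted by Navigator for the enterprise-attack domain.
ENTERPRISE_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}

# Constructed TA profile: one row per procedure to simulate, the technique it
# exercises, and the tactic column it should appear under in the heatmap.
TA_PROFILE = [
    {"procedure": "ProxyShell chain against on-prem Exchange",
     "technique": "T1190", "tactic": "initial-access"},
    {"procedure": "RDP password guessing from the beachhead host",
     "technique": "T1110.001", "tactic": "credential-access"},
    {"procedure": "Interactive RDP logon with the guessed credentials",
     "technique": "T1021.001", "tactic": "lateral-movement"},
    {"procedure": "SAM hive dump with reg.exe save",
     "technique": "T1003.002", "tactic": "credential-access"},
    {"procedure": "Cobalt Strike beacon check-in over HTTPS",
     "technique": "T1071.001", "tactic": "command-and-control"},
    {"procedure": "Cobalt Strike process injection into a signed binary",
     "technique": "T1055", "tactic": "defense-evasion"},
]


def validate_profile(profile):
    """Reject entries that would silently drop out of the heatmap: a tactic name
    Navigator does not know, or a technique ID that is not T####(.###)."""
    for entry in profile:
        if entry["tactic"] not in ENTERPRISE_TACTICS:
            raise ValueError(f"unknown tactic {entry['tactic']!r} in {entry['procedure']!r}")
        parts = entry["technique"].split(".")
        well_formed = (len(parts[0]) == 5 and parts[0][0] == "T" and parts[0][1:].isdigit()
                       and all(p.isdigit() and len(p) == 3 for p in parts[1:]))
        if not well_formed:
            raise ValueError(f"malformed technique ID {entry['technique']!r}")
    return True


def build_layer(profile, name, description=""):
    """Return a Navigator layer (dict) with one highlighted cell per
    technique/tactic pair; procedures sharing a cell are merged into its comment
    and the cell score counts how many procedures are planned for it."""
    validate_profile(profile)
    cells = {}
    for entry in profile:
        key = (entry["technique"], entry["tactic"])
        cell = cells.setdefault(key, {"techniqueID": entry["technique"],
                                      "tactic": entry["tactic"], "score": 0,
                                      "color": "#fd8d3c", "comment": ""})
        cell["score"] += 1
        cell["comment"] = (cell["comment"] + "; " if cell["comment"] else "") + entry["procedure"]
    return {
        "name": name,
        "description": description,
        "domain": "enterprise-attack",
        # Assumed layer/Navigator versions; adjust to the Navigator build you import into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "techniques": list(cells.values()),
    }


def procedures_for(profile, technique_id):
    """Procedures that exercise one technique or any of its sub-techniques: the
    list to expand when a technique's controls look weak and more procedure
    variants should be tested for it."""
    return [e["procedure"] for e in profile
            if e["technique"] == technique_id or e["technique"].startswith(technique_id + ".")]


if __name__ == "__main__":
    print(json.dumps(build_layer(TA_PROFILE, "AlphV simulation plan (lab)"), indent=2))
```

Import the printed JSON into ATT&CK Navigator to get the same kind of tactic/technique picture the image above shows; `procedures_for` is the hook for the later step of widening the procedure set for a single weak technique.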
Review & Repeat
Once the simulation has run, we move into post-simulation analysis to review the results and assess both the accuracy of the simulation and the effectiveness of our security controls. The insights from these exercises are rarely just “did our security controls achieve their goals or not?”; they also tell us something about the current design of our security architecture, both affirming strengths and identifying gaps. Testing this custom simulation in our lab environment revealed gaps in preventative controls around credential access techniques and identified detection opportunities around defense evasion and lateral movement techniques.
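Post-simulation analysis usually means checking what the SIEM saw for each fired technique. As an added example (not code from the original post or from GuidePoint), the snippet below runs two detections over constructed Windows Security events for the RDP brute forcing and SAM extraction steps: a failed-logon burst from one source followed by a successful RemoteInteractive logon, and a `reg.exe save` of the SAM hive. Event IDs and fields follow standard Windows auditing (4625 failed logon, 4624 logon with LogonType 10 for RDP, 4688 process creation with command-line auditing on); the events themselves, thresholds, and function names are this example’s own.

```python
"""Added example: two SIEM-style detections over constructed Windows Security
events, the kind of check a post-simulation review runs after the RDP brute
force and SAM extraction steps of a campaign. Not GuidePoint's detection content."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, event_id, **fields):
    fields.update(time=datetime.fromisoformat(ts), event_id=event_id)
    return fields


# Constructed telemetry: six failed RDP logons from 10.0.0.5 ending in a successful
# type-10 logon as svc_backup, one stray failure from another host, a legitimate
# admin RDP logon, a reg.exe SAM hive save, and a benign reg.exe query.
EVENTS = [
    _ev("2024-05-01T09:00:05", 4625, host="FS01", user="administrator", ip="10.0.0.5"),
    _ev("2024-05-01T09:00:09", 4625, host="FS01", user="svc_backup", ip="10.0.0.5"),
    _ev("2024-05-01T09:00:14", 4625, host="FS01", user="jsmith", ip="10.0.0.5"),
    _ev("2024-05-01T09:00:20", 4625, host="FS01", user="jsmith", ip="10.0.0.9"),
    _ev("2024-05-01T09:00:31", 4625, host="FS01", user="helpdesk", ip="10.0.0.5"),
    _ev("2024-05-01T09:00:40", 4625, host="FS01", user="svc_backup", ip="10.0.0.5"),
    _ev("2024-05-01T09:00:47", 4625, host="FS01", user="svc_backup", ip="10.0.0.5"),
    _ev("2024-05-01T09:01:02", 4624, host="FS01", user="svc_backup", ip="10.0.0.5", logon_type=10),
    _ev("2024-05-01T09:03:15", 4624, host="FS01", user="itadmin", ip="10.0.0.20", logon_type=10),
    _ev("2024-05-01T09:07:44", 4688, host="FS01", user="svc_backup",
        process=r"C:\Windows\System32\reg.exe",
        command_line=r"reg  save HKLM\SAM C:\Windows\Temp\sam.save"),
    _ev("2024-05-01T09:08:10", 4688, host="FS01", user="itadmin",
        process=r"C:\Windows\System32\reg.exe",
        command_line=r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once a source IP logs `threshold` failed logons (4625) inside `window`;
    upgrade the alert if a LogonType 10 (RemoteInteractive) 4624 from that IP follows,
    which is the credential-access step turning into lateral movement."""
    failures = defaultdict(deque)   # ip -> timestamps of 4625s still inside the window
    alerts = {}                     # ip -> alert, created at most once per source
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4625:
            q = failures[e["ip"]]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()
            if e["ip"] in alerts:
                alerts[e["ip"]]["failures"] = max(alerts[e["ip"]]["failures"], len(q))
            elif len(q) >= threshold:
                alerts[e["ip"]] = {"rule": "rdp_brute_force", "source_ip": e["ip"],
                                   "host": e["host"], "failures": len(q),
                                   "outcome": "failures_only", "user": None}
        elif e["event_id"] == 4624 and e.get("logon_type") == 10 and e["ip"] in alerts:
            alerts[e["ip"]].update(outcome="success_after_failures", user=e["user"])
    return list(alerts.values())


# "save" followed later on the line by a \SAM hive path; case-insensitive because
# reg.exe accepts either.
SAM_SAVE = re.compile(r"\bsave\b.*\\SAM\b", re.IGNORECASE)


def detect_sam_hive_save(events):
    """SAM hive export through reg.exe (ATT&CK T1003.002) seen in 4688 events."""
    hits = []
    for e in events:
        if (e["event_id"] == 4688
                and e.get("process", "").lower().endswith("\\reg.exe")
                and SAM_SAVE.search(e.get("command_line", ""))):
            hits.append({"rule": "sam_hive_save", "host": e["host"],
                         "user": e["user"], "command_line": e["command_line"]})
    return hits


def run_detections(events):
    return detect_rdp_brute_force(events) + detect_sam_hive_save(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

If the brute-force rule fires only as `failures_only` while the campaign log shows the RDP logon succeeded, the gap is in how 4624 type-10 events reach the SIEM rather than in the rule; that distinction is exactly what the “accuracy of the simulation versus effectiveness of the control” review is meant to separate.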
With these insights in hand, the next step is to act on the recommendations and close the gaps, then quickly re-run the simulation to confirm the changes were implemented correctly. Another useful follow-up is to pick the techniques where our controls seemed weakest and test a wide variation of procedures for each, to measure how deep our coverage of that technique actually goes.
Continuous testing is the key to attack simulation and control validation. A control that works today can be rendered ineffective next week by the downstream impact of a change made elsewhere in the environment, or by any number of other factors. Continuously testing and measuring that drift lets an organization stay in tune with its defensive posture at any given time.
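Re-running the simulation is only useful if the two runs are compared technique by technique. As an added example (not code from the original post or from GuidePoint), the snippet below diffs a baseline run against a re-run so that drift surfaces as a list of regressed techniques, and reports per-tactic coverage at a chosen outcome floor. The outcome labels and their ordering are this example’s own convention, and both result sets are constructed to mirror the lab findings described above (credential-access gap, defense evasion and lateral movement merely logged) plus one silent regression after remediation.

```python
"""Added example: compare two runs of the same simulation and measure drift.
Outcome labels, their ordering, and the result sets are this example's own
convention and constructed data, not GuidePoint's reporting format."""
from collections import defaultdict

# Best-to-worst order of what the controls did with a fired technique.
OUTCOME_RANK = {"prevented": 3, "detected": 2, "logged": 1, "missed": 0}

# Constructed baseline from the lab run and a re-run after remediation. T1003.002
# was fixed, T1055 and T1021.001 now have detections, but T1190 regressed from
# prevented to logged (for example, a perimeter rule change since the first run).
BASELINE = {"T1190": "prevented", "T1110.001": "detected", "T1021.001": "logged",
            "T1003.002": "missed", "T1071.001": "detected", "T1055": "logged"}
RERUN = {"T1190": "logged", "T1110.001": "detected", "T1021.001": "detected",
         "T1003.002": "prevented", "T1071.001": "detected", "T1055": "detected"}

# Tactic each fired technique was run under (standard ATT&CK tactic short names).
TACTIC_OF = {"T1190": "initial-access", "T1110.001": "credential-access",
             "T1021.001": "lateral-movement", "T1003.002": "credential-access",
             "T1071.001": "command-and-control", "T1055": "defense-evasion"}


def _rank(outcome):
    if outcome not in OUTCOME_RANK:
        raise ValueError(f"unknown outcome label {outcome!r}")
    return OUTCOME_RANK[outcome]


def compare_runs(baseline, current):
    """Bucket every technique present in either run. Regressed/improved/unchanged
    entries are (technique, baseline_outcome, current_outcome) tuples; added and
    dropped list techniques fired in only one run, so a shrinking scope is visible."""
    report = {"regressed": [], "improved": [], "unchanged": [], "added": [], "dropped": []}
    for tid in sorted(set(baseline) | set(current)):
        if tid not in current:
            report["dropped"].append(tid)
        elif tid not in baseline:
            report["added"].append(tid)
        else:
            b, c = _rank(baseline[tid]), _rank(current[tid])
            bucket = "regressed" if c < b else "improved" if c > b else "unchanged"
            report[bucket].append((tid, baseline[tid], current[tid]))
    return report


def coverage_by_tactic(results, tactic_of, at_least="detected"):
    """Fraction of fired techniques per tactic whose outcome reached `at_least`,
    which is what a heatmap column collapses to once scored."""
    floor = _rank(at_least)
    totals, met = defaultdict(int), defaultdict(int)
    for tid, outcome in results.items():
        tactic = tactic_of[tid]
        totals[tactic] += 1
        if _rank(outcome) >= floor:
            met[tactic] += 1
    return {t: met[t] / totals[t] for t in totals}


if __name__ == "__main__":
    report = compare_runs(BASELINE, RERUN)
    for bucket, entries in report.items():
        print(bucket, entries)
    print("baseline coverage:", coverage_by_tactic(BASELINE, TACTIC_OF))
    print("re-run coverage:  ", coverage_by_tactic(RERUN, TACTIC_OF))
```

Anything in the `regressed` bucket is a drift finding to chase before the re-run is declared a success; a shrinking `dropped` list is a different warning, that the re-run did not exercise everything the baseline did and the two are not directly comparable.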
In Summary
Technology that continuously assesses the security controls in your environment, in the hands of experienced practitioners, is an invaluable investment in bolstering an organization’s cybersecurity posture. It is also worth noting that nearly all CISA advisories consistently recommend “exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.”
If you want to know more about how GuidePoint Security can help your organization get the most out of breach and attack simulation solutions and threat intelligence curated directly for your organization, reach out to speak to one of our experts.