At the very least, a high-profile, bull’s-eye breach teaches the victimized organization some hard lessons. Though it’s not an easy exercise for most SOC teams, C-suites, and boards, it’s far better to learn these tough security lessons upfront, by thoroughly testing their people, processes, and technologies.
Enter the red team, whose sole mission is to rigorously test an organization’s security posture, from its cybersecurity defenses to its physical infrastructure. “Basically, red teaming is just a group that emulates bad guys,” said Quincy “QJax” Jackson. In his 2017 CyberCrime Symposium presentation, Red Team / Blue Team Exercises, he focused on cyber-readiness and defense testing.
Whether they create a dedicated internal group or hire outside specialists, organizations today need this kind of team on the offensive, said Jackson. He should know — he serves as Red Team Lead for a large global company whose SOC analysts see an average four billion cyber-events daily. In their efforts to emulate cyber-actors, red team exercises go far beyond pen testing. “This isn’t done to provide a one-time snapshot — you’re actually exploiting their systems, stealing information, and then meeting with business leaders to detail what you were able to do,” said Jackson.
With cyber-attacks growing in number and sophistication, and the technologies they depend on always changing, business and government leaders have to find ways to regularly test their cybersecurity defenses. Only then can they accurately assess their business risk. Ultimately, a red team’s job is to shine a light on that risk.
Based on his experience leading red team exercises around the world, QJax outlined different attack scenarios, performance metrics, and tools that symposium attendees could use to run “active hacker drills” that test their cyber-readiness and defense capabilities.
The Expected and the Eye-Opening
Well-designed cyber-readiness and defense exercises determine how well security controls, technologies, and information security personnel perform in different attack scenarios. These drills, said Jackson, should provide answers to essential cybersecurity questions, including:
- Are server and desktop controls performing as expected?
- Are anti-virus signatures up-to-date?
- Are proper rules loaded into the IDS?
- Will all indicators and alerts be properly analyzed?
- Do SOC analysts / infosec personnel know how to respond to a specific attack?
- Can sensitive data be exfiltrated without detection?
Sometimes findings are eye-opening. Thanks to one exercise Jackson ran, the security team discovered that its IDS, configured and running properly, wasn’t detecting a certain signature. As it turned out, the data center — along with the servers the IDS was supposed to defend — had been re-located. Nobody ever informed the IDS specialists. “Proper rules, right?” said Jackson. “That covers not only the signatures, but whether the IDS is actually watching the correct networks.”
When conducting cyber-readiness exercises, Jackson and his team spend the bulk of their time on research and skill development, as they need to be able to emulate all cyber-actor categories, from script kiddies and hobbiest hackers to cybercrime-business specialists and state-sponsored groups. “We're always trying to keep up with the bad guys, and no single person can know everything,” he said. “We all have different skill sets for understanding different types of attacks, and sometimes it comes down to basic trial and error.”
After demonstrating the processes behind a range of successful attacks, he outlined the components of a strong cyber-readiness testing methodology. Everything Jackson’s team does starts with threat intelligence, which helps them select a simulation scenario. In this phase, red teams take advantage of threat intelligence reports to identify trending attack types, as well as input from their threat intel meetings and business leaders. After selecting an attack scenario to simulate, they work to duplicate the specific tools, techniques, and practices used.
Next, they execute the test — running it not just during regular work hours and on standard workdays, but across all shifts and days of the week. They then analyze the response and score it based on select metrics. In Jackson’s exercises, primary metrics are TTD (time to detect) and TTR (time to respond). Finally, they generate an easily-digested “Lessons Learned” report for that exercise. As part of an internal red team, Jackson provides the business’s executives with dashboards encapsulating threat types and scores from all attack simulations.
Today, he said, most organizations aren’t running these kinds of tests, but he stressed the need to start. If they don’t already have sufficient in-house resources, they should either staff-up or hire third-party specialists to conduct cyber-readiness exercises. In fact, Jackson believes that detection and response tests have become more important than pen tests because cybercrime has matured to the point where “the bad guys will always get in.”
It’s time to acknowledge that reality and take action. “They're always infiltrating your network — they’re probably there right now,” said Jackson. “That means it's become more important to test your ability to detect them.”
This is the fourth post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!