Continuous Adversary Emulation: The New Age of Security Validation
Author: Jesus Garcia, CTO + Co-founder of rThreat
As the internet continues to expand and organizations continue to focus on innovation, the cybersecurity landscape continues to evolve as well. This rapid change is why organizations need to be more vigilant than ever to minimize their attack surface.
Adversaries are constantly evolving, improving, testing, and changing their strategies. If our adversaries are doing this, then the defenders need to be doing this as well. If we sit around hoping we won’t be the next target, we are doomed to fail.
Therefore it’s important to understand who we’re fighting against, what tactics they’re incorporating into their attack campaigns, and how to emulate those same tactics when testing the effectiveness of cyber defenses.
Let’s begin this discussion by looking at the bigger picture. What exactly is changing? What are the main hurdles that our industry is currently facing?
Shifting landscape: As more endpoints are connected to the internet, the overall attack surface of most companies increases. With a greater emphasis on cloud migration, more endpoints and thus more entry points are available to attackers. Companies should be concerned not only about traditional computers and servers but also about devices that rely on the internet for functionality. This includes mobile devices, cloud endpoints, and embedded systems.
More sophisticated attack campaigns: Attackers’ methods are becoming more complicated and more targeted. For example, if you look at social engineering, attackers are able to trick users into performing malicious actions more effectively. No longer do scammers rely on poorly worded emails. Attackers are able to use open-source platforms like social media to get information on their target and send specially crafted spear phishing emails that are much more likely to deceive an employee. When it comes to the malware itself, people think all malware is just malware, which is not true. Attackers are able to customize and include different TTPs in their attack campaigns. This means that malware today has more functionality than ever before.
Global shortage of cybersecurity staff: According to the Center for Strategic & International Studies (CSIS), the global cybersecurity shortage is estimated to reach upwards of 1.8 million unfilled positions by 2022. More than ever, there is a huge need for skilled cybersecurity professionals. One of the biggest challenges for companies is finding good talent for their business. Think of an APT group that has 50-60 people who are developers, engineers, and security professionals who are able to create exploits from scratch, compared to as little as seven or eight people in an organization. It’s not a fair fight.
More intelligent APT groups: Advanced persistent threat (APT) groups are becoming more intelligent and more sophisticated. These groups are highly organized, well-funded (oftentimes backed by nation-state adversaries), and highly skilled. They can remain undetected on a network for weeks or months at a time and pose a major risk to high-value targets such as government agencies or large, profitable companies.
How do adversaries operate?
In our current threat landscape, companies are battling an unfair war, which is why we need to better understand what exactly we’re fighting against. To truly understand how to optimize your cyber defenses, you need to understand the adversaries, how they operate, and their tactics. The first thing we must understand is that APT groups are comprised of professionals. These groups are usually well-funded, determined, and very organized. They are responsible for the popularity of ransomware in cyberattacks, which occur on average every 14 seconds globally.
One example of this is Kaseya, a cloud-based IT management company that was recently hit with ransomware. The attackers accomplished this by releasing a malicious “hotfix,” which, once applied, uploaded the ransomware payload Sodinokibi via an SQL injection. REvil claimed responsibility and is demanding $70 million in bitcoin to decrypt the information. According to the latest news, Kaseya hasn’t paid the ransom yet, but this is just one example of what these types of groups can do.
The next thing we need to understand is that our adversaries are persistent. We’re beginning to see more targeted and customized attacks that incorporate new TTPs with each attack campaign. APT groups are patient; sitting and waiting for months for the perfect moment to execute their attack.
A good example of this was the SolarWinds attack that affected 9 federal agencies and over 100 private companies. This malware was also delivered via a malicious software update. The update was pushed to SolarWinds clients by an APT that was sitting on their network, which goes to show how stealthy and devious these groups can be.
APT groups are also sophisticated, specializing in the evasion of security software. They take advantage of a wide range of techniques, such as credential reuse. They are difficult to detect with signature-based anti-malware solutions, so it is important that companies use solutions that can detect threats based on behavior and other forms of detection.
Lastly, they are systemic. APT groups reuse public tools for their exploits; there are several types of open-source security tools that can be used for hacking. These attackers use these tools, public exploits, and continuously learn from past failures to improve their attacks.
How do organizations currently protect their networks?
Now let’s look at how organizations currently protect their networks. A typical organization’s defensive strategy begins with traditional security solutions like firewalls, WAF, IPS, and IDS that provide the initial defense layer. Most enterprises also use advanced security solutions and services like threat intelligence, email security, and cloud security for even more protection. Beyond this, more mature organizations will invest in tools like SIEMs that provide good logging, predictive analytics, and user behavior analytics to leverage big data. They will also have independent security evaluations as a means of testing their own defenses.
All of these strategies are good, but the problem is most solution providers fail to explain how they are able to validate that their software works and explain what artifacts their tools use to ensure protection. This leads to a false sense of security since a tool is generally only as good as the data that it is fed during its creation. If it’s not given the right data, it will be ineffective in detecting real world threats.
The importance of continuous adversary emulation
The best way to correct this mistake is to make sure you use a solution that properly emulates real-world cyberattacks. To emulate in this context means to mimic the exact tactics, techniques, and procedures (TTPs) that attackers use against your organization. This way, you can ensure that your tools and staff can detect and defend against the exact type of attacks that your organization can expect from real-world attackers. You also want to ensure that you’re running these tests on a continuous basis. In enterprise organizations, your IT environment is constantly changing. The only way to make sure you are protected is to have continuous testing. Point-in-time security assessments quickly become outdated as the IT environment changes, and therefore, they aren’t a reliable measure of your organization’s cyber resilience today.
What does attack emulation look like?
If you wanted to emulate a ransomware attack, you would need to understand the workflow of the threat actors that are targeting companies similar to yours and mimic this behavior. Here is an example of what this workflow would look like:
As you can see, this includes everything from their initial access point (insider threat) all the way down to the programming languages that will most likely be used in creating the exploit. This is how detailed you need to be to recreate these sorts of attacks and effectively test your defenses.
One common mistake organizations make is hiring professional pentesters who attempt to hack the company from outside the network, but this is not enough. Studies show most attackers will not start from outside the network with port scans or similar methods; normally they will look for insiders. This is just one example of how many companies fail to properly emulate the strategies of real-world attackers.
Embrace the concept of Defend Forward
By using breach and attack emulation solutions you can recreate these attacks and validate your security posture on a continuous basis. This type of testing will give you the most complete understanding of how your organization will do when faced with a real cyberattack.
This proactive strategy is what the U.S. Department of Defense calls “defending forward,” or getting as close to adversaries as possible to prepare and take action before threat actors strike. If this is something that you would like to test out for yourself, you can request a demo of rThreat’s platform here to gain visibility on what your true security posture looks like.