Extracting yourself from the quagmire of a successful Red Team

02 July 2019

By Lloyd Brough

Just had a Red Team? Feel a bit sore?

So, do you now have the exposure & understanding from the board that you always wanted? They understand the implications of not changing that simple password or not spending a few extra pounds to upgrade that legacy system or implement MFA now?

Frankly, they are asking very hard questions, and you are asking: why didn’t they engage like this over the last few years?

The gauntlet of Cyber has been well and truly thrown down, and it is yours. But what do you do now? Before they stop listening again… I’ve sketched out a few informal notes below about what I think works.

The point of a Red Team is to exercise defensive monitoring capability and efficacy, test technical controls and to disrupt the attack chain before the simulated attacker reaches target objectives. For the purposes of this blog, let’s assume your network has been rinsed.

rinse (v.) (Britain, slang) To thoroughly defeat in an argument, fight or other competition.

Practice breathing:

Firstly, take a breath. This is not an Incident Response scenario created by an attacker with malicious intent, it’s not Friday at 4.30pm. It is better to know. Honestly.

Secondly, if your Red Team drops you an epic odyssey of a report, with endless lists of TTPs (tactics, techniques and procedures) that were successful within the environment, then you should really think about getting a new Red Team. The report needs to be clearly written, making it clear what the actionable next steps should be. Right now you need to recognise that there is a separation between a sticking-plaster tactical fix and a strategic fix.

No Red Team report can produce a comprehensive Security Improvement Plan: they don’t know your nuances as well as you do, and organisations generally don’t assign enough time for this. They don’t believe, up front, that this much work could be required; producing that plan is what needs to happen now.

Make Friends and Influence people:

The Red and the Blue Team are your friends; they need to be friends too. Try to be constructive with them. The best way to enhance a Blue Team is with a real IR situation, which certainly sharpens the skills – second best is a Red Team.

The Red Team, well, they generally want to highlight their technical prowess, but fundamentally they want clients to improve their security posture to stop the bad guys – if only so they can come back next year with another new technique to bypass your next-gen layered security solution.

Give your Security Improvement plan a name:

Seriously: based on nothing more scientific than my observations, assigning a name seems to get more collaboration and buy-in across a business. It’s totally your call, and if you are struggling for a name consult an online urban dictionary; choose something which is vaguely amusing only to you in board update meetings.

Accept that ‘Cyber’ is hard:

A good quality attack is exceptionally hard to detect, particularly in real time with new techniques being deployed. It is probably nobody’s fault; people find ‘cyber’ hard too (and they always will).

Detection, prevention, education, process and procedures are all part of the bigger picture and all just as important. Big networks are exceptionally difficult to police and defend, and there is no gold-tipped bullet to take down the cyber attackers.

Back to the findings from your Red Team, i.e. the target for your operation.

Map your attack chains:

I know this might seem obvious in many cases, but it is worth mapping out, as it may surface related techniques that you hadn’t thought about and allow you to add additional controls.

Initially, concentrate on the path that the Red Team took from beginning to end. An example attack path is below; you should get this information, with clear recommendations, from your Red Team testing report.

  • Password spray Office365 or phish MFA session
  • Gain access to user mailbox
  • Obtain the GAL
  • Increase scope of password spray
  • Spear phish internal users from an internal user
  • Obtain command and control, deploy persistence
  • Understand scope of current user permissions
  • Take advantage of excessive privileges in order to elevate access and move laterally within the environment
  • Identify privilege escalation opportunities
  • Access target objectives

However, given there are likely multiple paths within your report, numerous entry points and numerous lateral movement techniques, it is quite hard to get a handle on what to do about each attack chain in totality.

Your Red Team has probably shown you a few things.

  1. You have a whole host of immediate fixes that are required.
  2. The compound threat from a reasonably skilled attacker is significant.
  3. The basic root causes mean that there is significant work to reduce the risk to acceptable levels.
  4. Your IT function and SOC don’t have the time and subject matter knowledge to consume all the findings and take action.

Prioritise What?

This is simple: it should be technical risk reduction. Where you cannot perform technical risk reduction for whatever reason, then process and detection should be used (and people should be taken out of the equation too ;) where possible…).

That’s pretty easy to say, but we need to consider many things. A traditional pentest position would be just to consider the most severe findings from a technical perspective, but a security improvement plan should also consider:

  • Technical Severity
  • Ease of exploitation
  • Complexity and Dependencies
  • Resourcing for fixing
  • Timeframe for fixes
  • New design, hardware, software required

Also review the various attack chains to find a commonality that could be easily removed (say, the lateral movement component) which, if fixed, would have a big impact and disrupt all or the majority of attack chains for little cost (effort) to the business.

Using these broader considerations, recommendations need to be categorised into those that can be addressed as the following:

Recommendations are not enough? Be Agile & Be Epic

The Red Team don’t know your business, user constraints and demands, or your existing plans as well as you do. It is important to realise that the issues located may only be part of the picture; simply fixing those listed probably isn’t enough to ensure a comprehensive package of improvement.

Where you cannot fix a specific issue quickly and reduce the risk, ensure that you can at least log any related activity.

It’s a good idea to take some advice from agile development strategies. Track your issues and tasks in a system like Jira or Mantis; this is essential. Consider using Kanban boards to visualise dependencies, to-do tasks and blockers.

It is important to consider splitting recommendations: a quick-fix sticking plaster to reduce the immediate risk, combined with a strategic deliverable, is a perfectly valid approach. In fact, it is the recommended approach.

You could fix 20 different end-user machine issues with a new desktop build, based around a new set of GPOs and a hardened, tested Win10 build. Realistically, the ROI is probably higher.

Team makeup?

You have experts on tap; make use of them. Your Security Improvement programme should take priority over business-as-usual IT, with IT management, CISO and Board sponsorship. In the real world, we know this isn’t possible. It is therefore imperative that when setting out your stall for senior leadership you either:

  • Let IT-related work take a back seat and relax SLAs, or
  • Augment with experts

The long and short of it: there needs to be a crossover of all local IT, third parties and expert resources to manage the Security Improvement programme effectively, so as to bring about a real difference to security.


Just a note on MSPs: sometimes third-party MSPs are integral to a security improvement process. It is essential that they understand the security improvement programme is important, and where non-security-related items block the Security Improvement plans, these should be addressed at the highest level.

For example, we had one client where a third-party MSP refused (due to being contractually bound up in SLAs) to implement MFA on a support environment, as it would take longer to log in and respond to issues.

Creating a Security Improvement programme made of specific Security Improvement packages

Now that you have a good handle on all the issues, and have understood which bucket they should drop into and their approximate timeframes, assign all the recommendations from your Red Team report to a Security Improvement package; each package should have a common theme (for example, password enhancement).

Each issue can exist in a number of Security Improvement packages: a short-term tactical fix to improve security, and then a longer-term package to strategically address the root cause.

An example can be seen below:

Use a framework?

You can consider using the MITRE ATT&CK framework; a knowledge base and framework of over 200 techniques that adversaries may use over the course of an attack. These include specific and general techniques, as well as concepts and background information on well-known adversary groups and their campaigns.

It’s great, and mapping numerous attacks onto the framework can provide interesting insights into where you should spend your time. You should 100% think about utilising the MITRE ATT&CK framework to ensure that your Blue Team has good coverage.
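The two ideas above (find the commonality across attack chains that is cheapest to remove, and map the chains onto ATT&CK to see where detection coverage is missing) can be done with a small script. The following is an added example, not code from the original post or from NCC Group: the chains are my own ATT&CK mapping of the example attack path given earlier, and the controls, effort scores and existing detections are constructed sample data.

```python
"""Rank candidate controls by how many Red Team attack chains they disrupt.
Chains are ordered lists of ATT&CK technique ids; a control disrupts a chain
if it removes at least one technique in it. All data below is constructed."""
from collections import Counter
# Constructed chains, modelled on the example attack path in the post.
CHAINS = {
    "chain-1 (O365 spray to objective)": [
        "T1110.003",  # password spraying against Office 365
        "T1114",      # email collection: mailbox and GAL
        "T1566",      # internal spear phishing from a compromised user
        "T1071",      # C2 over an application-layer protocol
        "T1021",      # lateral movement via remote services
        "T1078",      # valid accounts with excessive privileges
    ],
    "chain-2 (phished MFA session)": ["T1566", "T1071", "T1021", "T1078"],
    "chain-3 (legacy host)": ["T1078", "T1068", "T1021"],
}
# Candidate controls: (techniques removed, constructed effort score 1..5).
CONTROLS = {
    "MFA and conditional access on Office 365": ({"T1110.003"}, 3),
    "Filter internal-to-internal phishing mail": ({"T1566"}, 2),
    "Tiered admin model, remove excessive privilege": ({"T1021", "T1078"}, 4),
    "Egress filtering with proxy allow-list": ({"T1071"}, 2),
    "Patch or retire the legacy system": ({"T1068"}, 5),
}
# Constructed: techniques the SOC already has working detections for.
DETECTIONS = {"T1110.003", "T1071"}

def chains_disrupted(techniques, chains=CHAINS):
    """Names of chains that contain at least one of the given techniques."""
    return sorted(name for name, steps in chains.items() if techniques & set(steps))

def rank_controls(controls=CONTROLS, chains=CHAINS):
    """(chains disrupted per unit effort, control name, chains) best first."""
    scored = [(len(chains_disrupted(t, chains)) / cost, name, chains_disrupted(t, chains))
              for name, (t, cost) in controls.items()]
    return sorted(scored, key=lambda s: (-s[0], s[1]))

def technique_frequency(chains=CHAINS):
    """How many chains each technique appears in: the commonality to remove first."""
    return Counter(t for steps in chains.values() for t in dict.fromkeys(steps))

def detection_gaps(detected=DETECTIONS, chains=CHAINS):
    """Techniques seen in the chains with no detection, most common first."""
    return [t for t, _ in technique_frequency(chains).most_common() if t not in detected]
if __name__ == "__main__":
    for score, name, hit in rank_controls():
        print(f"{score:.2f}  {name}: disrupts {hit}")
    print("detection gaps:", detection_gaps())
```

With the sample data, the cheap mail and egress controls score highest per unit of effort even though the tiered admin model is the only single control that disrupts all three chains; that is the trade-off the prioritisation list above is asking you to make explicit.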

However, realistically there are so many facets of ‘Cyber’ which are individual to an estate that there is no single framework for performing Cyber risk management which can be fully effective; the best approach is to adopt a recognised baseline of security controls.

On top of a baseline, identify additional areas within your estate which require more investment given your risk profile; NCC Group Risk Management and Governance can help here.

Rounding off the bunfight…

Security is not a once-yearly exercise, and it doesn’t matter what the inputs to a Security Improvement programme are. Use the Red Team, cyber incidents and risk governance gap analysis as ongoing input to your Security Improvement programme and your default business as usual.

It’s true that Security Improvement can be hard in a fast-paced business. You can hand this process over to us: NCC Group specialise in offensive attack and network defence, and using these two skill sets as part of a team augmentation Security Improvement and Remediation programme, we are well placed to help.

  • Strategic Consultancy
  • Solutions Design and Implementation
  • Remediation Services
  • C/Board level strategic advisor services

Whatever you do, my recommendation would be to act with purpose, as soon as possible. Challenge all the reasons why things can’t be done to improve security. Be pragmatic too; raise the bar, even just a little bit at a time.