Special Thanks to our podcast sponsor, Cymulate.
On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face:
- Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating
- The level of vulnerabilities today is 30x what it was 10 years ago. We have more IT infrastructure, complexity, and developers in our current environment.
- In the pursuit of digital innovation, we are changing our IT infrastructure by the hour. For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.
Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management. This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized. Key benefits of adopting Breach and Attack Simulation software include:
- Managing organizational cyber-risk end to end
- Rationalizing security spend
- Prioritizing mitigations based on validated risks
- Protecting against the latest threats in near real-time
- Preventing environmental drift
Welcome back listeners and thank you for continuing your education in CISO Tradecraft. Today we are excited to share with you a great episode focused on Breach and Attack Simulation software. To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.
Starting from the beginning. What is Breach and Attack Simulation software and why is this needed? At the end of the day most companies are not on an island. They need to connect to clients, partners, and vendors. They need the ability for employees to visit websites. They need to host public facing websites to sell products and services. Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity. Now internet connectivity isn’t a bad thing. Remember internet connectivity allows companies to generate income which allows the organization to exist. This income goes to funding expenses like the cyber organization so that is a good thing.
If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization. So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk. Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM). It’s also commonly referred to as continuous threat exposure management. Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources. Essentially they are designed to address key questions such as:
- How do we get an inventory of what we have?
- How do we know our vulnerabilities? and
- How do we know which vulnerabilities might be exploited by threat actors?
Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software. Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique. Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises. Essentially you learn how bad actors can bypass your cyber tooling and safeguards. This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform. Example if I can take a normal user's laptop and spawn a Powershell Script or run a tool like MimiKatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity. I also want to know if the Incident Response team blocked or disabled this account in a timely manner. According to the 2022 Microsoft Digital Defense Report the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes. The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes. Remember the difference to responding to these attacks in minutes vs hours can be the difference between how much files get encrypted when ransomware actors get into your environment.
Another thing that CISOs need to ensure is that vulnerabilities get fixed. How do you test that? You have to replay the attack.
You can think of fire drills as the comparison. If an organization only did one fire drill every 24 months, then chances are the company’s time to exit the building isn’t going to decrease all that much. It’s likely to stay the same. Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion. The good thing on Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button. This can save your penetration testing team hours over manual exploitation activities which would have to be repeated to confirm successful patches and mitigations.
If we look at Breach and Attack Simulation software the tools have typically come in two flavors. One is an agent based approach. Example. A company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software. The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool. The attack agent could also run similar attacks with how much malware the Antivirus detects, how much sensitive email it send outside the company despite there being an email protection solution. These attack agents can also be placed on servers to determine how effective web applications firewalls are at stopping attacks.
Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools. Now there’s a few concerns with this type of approach. One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower. Two, the time it takes to install and test agents means the value you can get out of these tools is delayed because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed. Three, by having an agent you don’t always truly simulate what an attacker would do since you don't have to live off the land and gain permissions the attacker did. Your agent may not be know to antivirus or EDR tools, but using windows libraries to gain access does.
Now let’s compare this with an agentless approach. This approach is quite popular since labs where agents are run don’t always look like a production environment. Example they lack the amount of traffic, don’t possess the same amount of production data, or contain last month’s versions of software.
Here attacker software may start with the premise what happens if someone from the Accounting Team opens an Excel document containing a malicious macro. Let’s see how we can automate an attack after that initial compromise step occurs. Then let’s walk through every attack identified by the Mitre Attack Framework and see what gets caught and what doesn’t. The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness. This might be something simple like adding a Windows Group Policy to stop an attack. Also breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred. Example: Instead of knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk Signature that your SOC team can leverage. That’s a great add to minimize the amount of time to improve your alerting capabilities.
Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack. It might be as simple as we stopped this attack before it could happen by applying the new Windows Group Policy or it took the team 4 hours to determine XYZ account had been taken over. These metrics allow you to know how well your Response plans work. So you get the value of a penetration test with the automation & scaling of vulnerability management tools.
What’s even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.
Example: Most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively. Generally this is a manual process done in the Governance Risk and Compliance (GRC) team within a cyber organization. GRC teams have to ask developers to provide evidence to various IT controls such as are you monitoring and alerting to privilege activity. Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately. That evidence would minimize the data call which takes time from the developer teams.