A Cyber Red Team engagement, or Advanced Adversary Simulation, is the next step in a security program. It is a goal-based simulated attack that leverages any agreed-upon methods needed to achieve the defined goal over an extended period. During the Advanced Adversary Simulation, the team will work as an attacker to evade detection while pursuing the identified goal. A real adversary will take their time to exploit a target, and so will the Cyber Red Team. If the Cyber Red Team is detected or stopped, they will regroup and identify a new plan of action until they are successful or an agreed-upon end of engagement is reached.
The Cyber Red Team/Advanced Adversary Simulation¹ team is tasked with manifesting what the National Institute of Standards and Technology (NIST) calls a Threat Agent without introducing any significant risk to the organization. To accomplish this, a thorough understanding of the target organization is crucial. A Cyber Red Team engagement begins with a knowledge transfer: representatives from the target organization and RedTeam Security meet to discuss critical assets, the target industry, and the business model, as well as relevant security incidents and threat events. The Advanced Adversary Simulation Team will use this information, combined with data collected during an extensive reconnaissance and intelligence gathering phase, to build an Advanced Adversary Simulation Operational Plan (AASOP). The AASOP includes things like the available capabilities and tactics of real Advanced Persistent Threats (APTs) the organization might face, which the Cyber Red Team/Advanced Adversary Simulation Team will emulate during the engagement, and the intelligence the Cyber Red Team collected, which improves an adversary’s strategic position. The AASOP is a deliverable at the end of the engagement. It should provide the organization with insight into the first phases of the attack chain, where there is no visibility.
The first stages of an engagement are always the same, but the next stages depend on the methodology agreed upon by the Cyber Red Team and the client.
There are two main types of engagements: Assume Breach and Blackbox.
Gen. (ret.) Michael Hayden, the former Director of the NSA and CIA, explained the motivation behind the Assume Breach methodology when he said,
“Fundamentally, if somebody wants to get in, they're getting in... accept that. What we tell clients is Number one, you're in the fight whether you like it or not. Number two, you almost certainly are penetrated.”
Assume Breach means shifting the focus to internal detection and response. The strong layers of perimeter security are bypassed as the organization cedes internal access to the Cyber Red Team. In practice, this typically means the Cyber Red Team provides the organization with a malware implant, which the organization executes on an internal resource to serve as a foothold. This foothold could be a workstation provisioned as a new computer to be issued to a new hire, or a web server in a DMZ to simulate an adversary compromising an externally facing system. The Assume Breach methodology is commonly considered the best value for money because it acknowledges the realities of security testing. Time and money are expensive. The Cyber Red Team may have to spend weeks sending phishing emails and probing the organization’s internet presence to get a foothold, which does not teach the organization anything. A real threat agent is not restricted by billable hours.
In a Blackbox engagement, the Advanced Adversary Simulation Team is not ceded any access but is given carte blanche (within reason) to obtain a foothold in the target environment. Physical access is often left out of scope, though wireless attacks and things like malware on a USB drive are permitted. The benefit of the Blackbox methodology is its realism. All stages of an attack are simulated, providing the most comprehensive assessment of the organization’s security posture. Additionally, with the Assume Breach methodology, competitive or lazy defenders may know where the Cyber Red Team’s foothold is and abuse this knowledge to give themselves an unrealistic advantage. This temptation is precluded in a Blackbox engagement.
Either of these methodologies can be employed collaboratively with the defenders, i.e., the Blue Team, in what is known as a Purple Team engagement. The Advanced Adversary Simulation Team explains each step of every attack in real time to the Blue Team. This constant communication provides the Blue Team with an unparalleled understanding of an adversary's thought process, workflow, and capabilities. It also provides the Blue Team with an opportunity to evaluate the effectiveness of their security controls and incident response processes with immediate feedback from a real adversary.
Once a foothold in the target environment has been obtained, the Cyber Red Team’s priority is not to lose that costly access. A variety of persistence mechanisms are employed to maintain the foothold. After that, the objectives identified in the Goal Setting stage come into play. Internal reconnaissance is performed. The Cyber Red Team needs to understand where they are in relation to the target in order to create a Plan of Attack, which is included in the RTOP or the Engagement Report.
Given that Red Teams should only be engaged by organizations that have a relatively mature security posture, the actions taken during the engagement must be kept to an absolute minimum. Any superfluous activity could be picked up by the Blue Team and compromise the entire operation. With the Plan of Attack in place, the Cyber Red Team can begin taking steps to escalate its presence and move toward the predetermined objective. This is where the process loops back on itself.
When the next step toward the goal is determined, the Cyber Red Team will return to the Foothold stage and begin obtaining the next level of access however it can. Of course, they do not want to lose this progress, so they will use persistence mechanisms to prevent that. Next, they will reorient themselves with more internal reconnaissance to see if anything changed or if there is more information available to update the Plan of Attack. The next steps are decided, and the loop repeats until the objective is achieved.
At the end of the engagement, the Advanced Adversary Simulation/Cyber Red Team will have spent weeks occupying the mind of an attacker and amassed a slew of data. This experience and information are processed and refined for the client. Deliverables frequently include:
An Advanced Adversary Simulation Operational Plan (AASOP), which summarizes planned actions taken by the Advanced Adversary Simulation/Cyber Red Team and relevant events. The AASOP also includes any information obtained from reconnaissance.
An Engagement Report, which includes the Plan of Attack and results, any events, timelines, the information and thought process that prompted any changes, and a list of the Tactics, Techniques, and Procedures (TTPs) used during the engagement, which produces the highest resolution Indicators of Compromise (IoCs). If adequately applied to monitoring, detection, and prevention, these IoCs will make the Cyber Red Team’s attack path impossible to recreate.
Organizations interested in obtaining the maximum value from security testing engage an Advanced Adversary Simulation/Cyber Red Team to emulate a realistic threat agent. This process begins with information transfer and collection. The Cyber Red Team needs to know what a real threat agent for the client is. A foothold will be obtained through realistic attacks if it is a Blackbox test, or the foothold will be ceded if the Assume Breach methodology is employed. The Advanced Adversary Simulation/Cyber Red Team will then loop through the stages, moving efficiently toward the objective until it is achieved or the engagement period has expired.
Finally, the information and experience gained by the Cyber Red Team will be distilled into an actionable and practical format for the client.
¹ Advanced Adversary Simulation is the RedTeam Security service name for a Cyber Red Team Engagement. These terms are used interchangeably within this document.