Intelligence through Attack & Penetration and IR
Part One of Persistent Threat Modeling described SecureState's methodologies and program development for intelligence gathering and threat detection. Part Two details the two primary sources used to feed the latest attacks, C2 analysis, artifacts and persistence techniques into a Threat Modeling and intelligence gathering database: Attack and Penetration tests and Incident Response intelligence.
Attack and Penetration tests are simply a simulation of an actual attacker attempting to gain unauthorized access to a company's resources. A penetration test is a much different process than a standard vulnerability assessment or scan: once vulnerabilities have been discovered, whether manually or by an automated process, they are exploited, or several are chained together to achieve a larger attack (Vulnerability Linkage Theory), and control of the compromised systems and networks is then maintained.
Incident Response intelligence involves both Incident Response engagement results and Incident Response test results. Incident Response engagement results take real-world analysis and tracking from actual compromised systems and networks and incorporate that into the modeling and monitoring. Incident Response testing simulates real-world incidents and evaluates the response, but with a twist: it integrates the Attack and Penetration assessments while testing the Incident Response, providing real-life, real-time attacks and assessments that go well beyond traditional Table-Top exercises. Therefore, the IR Team should sit down with the company's IT and security staff to help monitor and identify attacks while the penetration tests are being performed.
SecureState has a powerful differentiator with this approach to intelligence gathering and analysis: SecureState knows how organizations are compromised and impacted because we perform ethical attacks and IR investigations daily and incorporate our results and analysis. Organizations can gain enormous benefits from this approach because SecureState always brings this intelligence along within our deployable threat monitoring solution, ARGUS. ARGUS not only sits between our pentesters and the company's environment to monitor and capture the entire attack and the responses to it, but already incorporates prior incident and pentest results, providing a holistic and powerful solution. ARGUS and SecureState's intelligence gathering assess an incident's impact and an organization's risk controls concurrently, combining forensic, attacker and risk perspectives.
At the heart of SecureState’s intelligence gathering and monitoring solutions is our integrated Research and Innovation Team. SecureState’s Research and Innovation is a core component for gathering, interpreting and presenting precise intelligence about the tools, methodologies and techniques used by attackers. This intelligence is interwoven within Threat Modeling and Persistent Threat analysis, and is used to evaluate, correlate or monitor all end-points and network nodes within the environment.
Additionally, the Research and Innovation Team continuously provides precise, updated and tested intelligence about attacker tools, techniques and risk through the integration of SecureState's practices and methodologies:
- Correlates and builds new signatures, indicators of compromise and countermeasures
- Extends the consultant knowledge pool, and the organization's security team, with the latest capabilities, advanced threat detection and intelligence
- Develops custom identification, containment, eradication and remediation solutions
- Conducts continued and direct testing and forensic investigation based upon a white hat/black hat architecture and exploitation platform
The goal of intelligence is to capture the entire assessment or compromise, from successful attacks to failed attempts, ensuring the entire spectrum is covered. Additionally, all communications from attacker to victim should be recorded as they pass through the environment, to identify the traffic artifacts and the nodes along the way that can be tuned to track and identify anomalous activity. SecureState recommends the following approach to reach this goal:
- Stand-up IR monitoring and company security resources
- Assemble and augment a working IR Team
- Incorporate Law Enforcement, partnership, and security intelligence, prior IR investigations, and Attack & Penetration results
- Monitor everything when performing tests or investigations: from end-point to egress, track and record the entire process from reconnaissance through compromise to the responses
- Funnel in Attack & Penetration reconnaissance, exploits, and C2; inject events
- Know your baselines, know your environment
- Validate, track and escalate incidents
- Store information, understand it, identify patterns and anomalies
- Correlate results and share information
- Monitor and assess company environment for attack and compromise traces, artifacts, patterns, paths, and countermeasures
- Test and learn how compromises occur, and how systems and networks respond
- Rapidly determine containment and eradication ability
- Correlate system artifacts, trends and anomalous patterns
- Share results and information
- Incorporate entire assessment as a lessons-learned and intelligence sharing session
- Involve attack and penetration team, company security resources, IR Team, executives
- Mature the IR program and capabilities through what was learned
- Incorporate results into a Persistent Threat database and monitoring solution
- Share results and information
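The steps above (funnel in the pentest's reconnaissance, exploits and C2; know your baseline; store and correlate; find the gaps that should drive new signatures) can be illustrated with a small correlation routine. The following is an added example written for this post, not SecureState's ARGUS code or any product code: it stores injected Attack & Penetration events and a prior IR finding as indicators, correlates them against monitoring log lines captured during the test, and reports which attacker steps were detected, which were missed, and which egress destinations fall outside the known baseline. The event identifiers, indicators, hosts, IP addresses and log lines are all constructed for the example.

```python
"""Added example: a minimal persistent-threat store that correlates injected
pentest events and prior IR findings against monitoring data captured
during an Attack & Penetration test. All data below is constructed."""
from dataclasses import dataclass, field
import re
from typing import Dict, List, Set


@dataclass
class ThreatEvent:
    event_id: str    # constructed identifier scheme, e.g. "AP-001" / "IR-017"
    source: str      # "pentest" (injected during the test) or "ir" (prior investigation)
    phase: str       # recon / exploit / c2 / lateral
    indicator: str   # artifact expected to appear in monitoring data
    succeeded: bool  # whether the attacker step actually worked


@dataclass
class ThreatDatabase:
    events: Dict[str, ThreatEvent] = field(default_factory=dict)
    detections: Dict[str, List[str]] = field(default_factory=dict)

    def ingest(self, event: ThreatEvent) -> None:
        """Store an event; every event starts with an empty detection list."""
        self.events[event.event_id] = event
        self.detections.setdefault(event.event_id, [])

    def correlate(self, log_lines: List[str]) -> Dict[str, List[str]]:
        """Attach each monitoring line to every stored indicator it contains."""
        for line in log_lines:
            for ev in self.events.values():
                if ev.indicator in line:
                    self.detections[ev.event_id].append(line)
        return self.detections

    def coverage(self) -> Dict[str, dict]:
        """Per-event view: was the step successful, and did monitoring see it?"""
        return {
            eid: {
                "phase": ev.phase,
                "source": ev.source,
                "succeeded": ev.succeeded,
                "detected": bool(self.detections.get(eid)),
                "hits": len(self.detections.get(eid, [])),
            }
            for eid, ev in self.events.items()
        }

    def gaps(self) -> List[str]:
        """Steps that succeeded but produced no detection: the ones that
        should drive new signatures, IoCs and countermeasures."""
        return sorted(
            eid for eid, r in self.coverage().items()
            if r["succeeded"] and not r["detected"]
        )


# Constructed monitoring lines captured while the test ran (IDS, WAF, EDR, proxy).
LOG_LINES = [
    "t=2023-11-02T09:14:03Z src=ids msg=portscan src=198.51.100.7 dst=10.0.5.0/24",
    "t=2023-11-02T09:31:47Z src=waf msg=blocked sqli pattern=UNION SELECT uri=/login",
    "t=2023-11-02T10:02:11Z src=edr host=web01 msg=exec path=/tmp/.x user=www-data",
    "t=2023-11-02T10:03:00Z src=proxy msg=allow 10.0.5.23 -> 203.0.113.40:443",
    "t=2023-11-02T10:09:55Z src=proxy msg=allow 10.0.5.23 -> 203.0.113.40:443",
    "t=2023-11-02T10:11:30Z src=proxy msg=allow 10.0.5.23 -> 192.0.2.10:443",
]

# Constructed baseline of known-good egress destinations ("know your baselines").
BASELINE_EGRESS: Set[str] = {"192.0.2.10"}


def anomalous_egress(log_lines: List[str], baseline: Set[str]) -> List[str]:
    """Destinations seen in proxy lines that are not in the egress baseline."""
    pat = re.compile(r"-> (\d+\.\d+\.\d+\.\d+):\d+")
    seen = {m.group(1) for line in log_lines for m in [pat.search(line)] if m}
    return sorted(seen - baseline)


def build_database() -> ThreatDatabase:
    """Funnel in the pentest's recon, exploits and C2 plus a prior IR finding,
    then correlate them against the captured monitoring data."""
    db = ThreatDatabase()
    db.ingest(ThreatEvent("AP-001", "pentest", "recon", "portscan src=198.51.100.7", True))
    db.ingest(ThreatEvent("AP-002", "pentest", "exploit", "path=/tmp/.x", True))
    db.ingest(ThreatEvent("AP-003", "pentest", "c2", "203.0.113.40", True))
    db.ingest(ThreatEvent("AP-004", "pentest", "c2", "203.0.113.41", True))   # DNS beacon, never logged
    db.ingest(ThreatEvent("AP-005", "pentest", "exploit", "UNION SELECT", False))  # failed attempt, still recorded
    db.ingest(ThreatEvent("IR-017", "ir", "lateral", "PSEXESVC", True))        # artifact from a prior investigation
    db.correlate(LOG_LINES)
    return db


if __name__ == "__main__":
    db = build_database()
    for eid, row in db.coverage().items():
        print(eid, row)
    print("detection gaps:", db.gaps())
    print("egress outside baseline:", anomalous_egress(LOG_LINES, BASELINE_EGRESS))
```

The failed SQL injection attempt (AP-005) is kept in the store even though it did not succeed, because the post's goal is to capture the whole spectrum, not just successful attacks; the two steps that succeeded without a single matching log line (the second C2 channel and the prior IR artifact) are exactly the output that the lessons-learned session and the next round of signature building should consume.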
Did You Know?
While building your intelligence, threat modeling and monitoring solutions, you are also addressing compliance: the environment is tested and audited through penetration tests and response plan reviews.
The following regulations require, or recommend as best practice, IR and Attack & Penetration tests:
- PCI DSS v2
- NIST 800-66
- EU Safe Harbor
If IR and Attack & Penetration tests are not performed, the risks include:
- Financial, operational, business and legal impact
- Increased time for recovery
- Loss of integrity
- Failed compliance
- Fines & Reputational loss
- Legal and civil actions
- Theft of data
Provide an integrated response and monitoring capability to determine how, when, why and where a compromise or incident occurred. Be sure to employ testing and evaluation team members who are actively engaged in, and manage relationships with, the security community, state and local responders, law enforcement, and anyone else who possesses threat, trend and attack intelligence. Lastly, don't be afraid to test using active penetration assessments and to share this information: Attack & Penetration tests and Incident Response investigations are the cornerstones that ensure the latest threats, attacks and persistence techniques are incorporated into a powerful Threat Modeling and intelligence gathering solution.