SecureState Blog


Attack and Penetration tests are required by many organizations for compliance reasons, as well as highly sought after to better understand how an attacker could exploit vulnerabilities on the systems.  While it is great to understand the vulnerabilities that exist and how they can be exploited, do you truly know how your organization would react to an attack in real life?  Are your first responders properly trained to identify, validate and contain an incident?  An Incident Response Test can reveal this information, as well as other unexpected results.

To explain briefly, Attack and Penetration tests simulate an actual attacker attempting to gain unauthorized access to a company’s resources.  Penetration tests differ substantially from a standard vulnerability assessment or scan: once vulnerabilities have been discovered, whether manually or by an automated process, they are exploited, or chained with other vulnerabilities to achieve a larger attack (Vulnerability Linkage Theory), and control of compromised systems and networks is maintained.

An Incident Response Test involves an Internal and/or External Attack and Penetration Test, and is used to get a much deeper understanding of the Incident Response capabilities of an organization.  This typically involves reviewing existing Incident Response documentation (up to, and including, a formalized Incident Response Plan), ticketing systems, alerts and alerting mechanisms, and validation that the appropriate Incident Response procedures are being followed.  An Incident Response test can be performed in three different ways:

  • Traditional Tabletop Exercise – A Traditional Tabletop Exercise involves engaging the Incident Responders or other technical IT staff to walk through how an incident would be handled in a ‘real life’ scenario.  This is a step-by-step walkthrough of the key goals of an Incident Response engagement, and is performed to get a better understanding of the documentation currently in place and how staff would respond in theory.  Custom scenarios are created which focus on the key concerns of the organization, ensuring that primary concerns are discussed and vetted in the tabletop exercise.  This is the least involved test, but can help to identify gaps within documentation, monitoring and handling procedures.
  • Standard Incident Response Test – A Standard Incident Response Test involves a coordinated Internal and/or External Penetration Test along with members of the SecureState Incident Response Team observing your first responders, IT and/or security staff.  This goes well beyond a Tabletop Exercise, by coordinating live attacks and actual responses to meaningful event logging, notifications, and incident handling methodologies.  Help desk tickets and alerts are gathered to ensure the Incident Response Plan is being executed as designed, and recommendations are made from both procedural and technical perspectives.
  • Blind Incident Response Test – A Blind Incident Response Test is the same as a Standard Incident Response Test, but with a twist – the observation is performed incognito or under the guise of a non-security-related observation.  This requires secrecy within the organization being assessed, as well as well-timed attacks and updates from the Profiling Team performing the attacks.  The goal of a Blind Incident Response Test remains the same as that of a Standard Incident Response Test, but it provides a true reflection of how staff would respond without a manager or Incident Response Team member knowingly observing them.

We just performed a test ourselves – why do we need SecureState? The SecureState difference starts with the expertise of those performing the assessment, which goes well beyond the capabilities and understanding of traditional first responders or incident handlers who know only their own industry segment.  SecureState knows how organizations are compromised, and collects data through threat modeling and intelligence, as well as strategic partnerships with organizations both public and private.  Our proven track record of excellence in Penetration Testing and Incident Response handling across a wide variety of business sectors is the ideal pairing to properly assess any organization and its ability to respond to an Incident.  In addition, those performing both assessments hold some of the most difficult and challenging certifications in the industry, such as Offensive Security’s OSCP and SANS’ GCIH and GREM.

You don’t know what you don’t know.  Often, SecureState will work with an organization that has had penetration tests performed by other assessment firms which were little more than glorified vulnerability scans.  By having a proper Penetration Test and Incident Response Test performed, your organization will be much better positioned to truly understand the vulnerabilities that exist and are exploitable within your organization, how to mitigate those vulnerabilities, how agile your Incident Response team is, and the gaps within the Incident Response process.  By performing Incident Response testing in an unexpected manner, your Incident Responders’ success will be based on methodology, training and true handling expertise, rather than on familiarity with the same test repeated year after year.

We have ARGUS.  ARGUS is SecureState’s custom-developed threat modeling solution, which sits between our penetration testers and the organization’s environment to monitor attacks and the replies from the systems being assessed.  Through existing threat modeling and intelligence, SecureState can help your organization better understand the attacks your environment is most susceptible to and the risk your environment carries, and help to identify whether any threats are currently present on your network.

Approach and Testing Outcomes.  SecureState’s goal is to not only identify vulnerabilities within an organization’s environment, but to actively exploit them to see what data or additional access could be had in doing so.  The pairing of this activity with an Incident Response Test shows how an incident responder would truly react in a real-life attack scenario.  Going a step further, a Blind Incident Response Test will assess what happens when the incident responders must react to an incident without knowing they are being observed, giving the organization the best understanding of both successes and pitfalls in the current Incident Response Plan.  Upon completion of the tests, coordinated attack times and actions are supplied to the organization, along with a review of the Incident Response Plan (if applicable), incident ticket(s) generated (if applicable), as well as any alerts or notifications, and the timeliness of those notifications, that were generated as a result of the penetration tests (again, if applicable).  Incident Response Testing can help your organization with the following:

Incident Response Awareness

  • Assemble and augment a working Incident Response Team
  • Stand up Incident Response monitoring and company / 3rd party security resources
  • General awareness and support from upper management; portrays importance of Incident Response
  • Incorporation of Law Enforcement, partnerships, security intelligence, prior Incident Response investigations, Attack & Penetration results, threat modeling, and vendor or other 3rd parties
  • Monitor everything when performing tests; from end-point to egress, track and record entire process from reconnaissance to compromise responses, including the human element of Incident Response


  • Determine whether alerting is working as designed or needs tuning
  • Understand not only the vulnerabilities in your environment, but how they can be exploited and responded to
  • Understand the types of alerts being received, the timeliness of alerts, and how to respond to information contained within them
  • Gauge the ability to identify, validate, track and escalate incidents
  • Correlate results and share information


  • Test and learn how compromises occur, and how systems/networks respond
  • Determination of incident containment and eradication ability
  • Determination of how well an Incident Response plan works in theory vs. actual execution


  • Conduct lessons-learned sessions to understand the complete scope of the assessment
  • Involve attack and penetration team, company security resources, Incident Response Team, executives
  • Develop and mature the Incident Response program and capabilities through what was learned
  • Share results and information
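The outcome described above, where coordinated attack times are handed to the organization and compared against the tickets and alerts that were (or were not) generated, is the measurable part of an Incident Response Test. The script below is an added example and is not SecureState's tooling or ARGUS; it correlates a constructed red-team action timeline with constructed alert and ticket records by host and time window, then reports time-to-alert, time-to-ticket, actions that were never detected, and actions that alerted but were never triaged into a ticket. All timestamps, hosts, alert sources and ticket ids are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed sample data (not from the post). The attack timeline is what the
# testers hand over after the engagement: (time, action id, description, hosts).
ATTACK_TIMELINE = [
    ("2024-03-05T09:00:00", "A1", "external port scan of web DMZ", {"10.0.1.10"}),
    ("2024-03-05T09:40:00", "A2", "credential spraying against VPN portal", {"10.0.1.20"}),
    ("2024-03-05T10:30:00", "A3", "exploit of internal file server", {"10.0.2.15"}),
    ("2024-03-05T11:15:00", "A4", "lateral movement to domain controller", {"10.0.2.5"}),
]

# Constructed alert records gathered from the SOC: (time, source, message, host).
ALERTS = [
    ("2024-03-05T09:03:00", "IDS", "port sweep detected", "10.0.1.10"),
    ("2024-03-05T10:20:00", "SIEM", "multiple auth failures", "10.0.1.20"),
    ("2024-03-05T11:35:00", "EDR", "suspicious process on DC", "10.0.2.5"),
]

# Constructed help desk tickets: (time opened, ticket id, host).
TICKETS = [
    ("2024-03-05T09:30:00", "INC-1001", "10.0.1.10"),
    ("2024-03-05T12:10:00", "INC-1002", "10.0.2.5"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass
class ActionResult:
    action_id: str
    description: str
    alert_source: Optional[str] = None
    minutes_to_alert: Optional[float] = None
    ticket_id: Optional[str] = None
    minutes_to_ticket: Optional[float] = None

    @property
    def detected(self) -> bool:
        return self.minutes_to_alert is not None

    @property
    def ticketed(self) -> bool:
        return self.minutes_to_ticket is not None


def _first_match(events, start, window, hosts, host_index):
    """Earliest event touching one of `hosts` within [start, start + window]."""
    best = None
    for ev in events:
        when = _ts(ev[0])
        if ev[host_index] in hosts and start <= when <= start + window:
            if best is None or when < _ts(best[0]):
                best = ev
    return best


def evaluate(timeline, alerts, tickets, window_minutes=120):
    """Match each attack action to the first alert and first ticket on the same host."""
    window = timedelta(minutes=window_minutes)
    results = []
    for when_s, action_id, desc, hosts in timeline:
        start = _ts(when_s)
        r = ActionResult(action_id, desc)
        alert = _first_match(alerts, start, window, hosts, 3)
        if alert:
            r.alert_source = alert[1]
            r.minutes_to_alert = (_ts(alert[0]) - start).total_seconds() / 60
        ticket = _first_match(tickets, start, window, hosts, 2)
        if ticket:
            r.ticket_id = ticket[1]
            r.minutes_to_ticket = (_ts(ticket[0]) - start).total_seconds() / 60
        results.append(r)
    return results


def summarize(results):
    """Roll-up for the debrief: detection coverage, triage coverage, typical latency."""
    alert_times = [r.minutes_to_alert for r in results if r.detected]
    return {
        "actions": len(results),
        "detected": sum(r.detected for r in results),
        "ticketed": sum(r.ticketed for r in results),
        "median_minutes_to_alert": median(alert_times) if alert_times else None,
        "undetected": [r.action_id for r in results if not r.detected],
        "alerted_but_no_ticket": [r.action_id for r in results if r.detected and not r.ticketed],
    }


if __name__ == "__main__":
    res = evaluate(ATTACK_TIMELINE, ALERTS, TICKETS)
    for r in res:
        print(f"{r.action_id} {r.description:42} alert={r.alert_source or '-':5} "
              f"t_alert={r.minutes_to_alert} ticket={r.ticket_id or '-'} t_ticket={r.minutes_to_ticket}")
    print(summarize(res))
```

Matching on host plus a time window is deliberately simple; in a real debrief the window should be sized to the attack cadence so that an alert for one action is not credited to a later one on the same host. The two lists in the summary are the ones worth discussing in the lessons-learned session: undetected actions point at monitoring gaps, and alerted-but-unticketed actions point at triage or escalation gaps.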

Did You Know?

These regulations require, or recommend as best practice, IR and Attack & Penetration tests:

  • PCI DSS v2
  • NIST 800-66
  • Sarbanes-Oxley
  • GLBA
  • EU Safe Harbor

These are the risks if Incident Response and Attack & Penetration tests are not performed:

  • Financial, operational, business and legal impact
  • Increased time for recovery
  • Loss of integrity
  • Failed compliance – PCI DSS v2 requires an Incident Response plan to be in place and tested
  • Inability to respond to incidents in a timely and effective manner, if at all

Potential consequence:

  • Fines and reputational loss
  • Legal and civil actions
  • Theft of data
  • Inability to continue doing business

End Result.  The Incident Response Test paired with Penetration Testing will provide your organization with the best possible representation of exploitable vulnerabilities and an assessment of how your Incident Response team actually responds to the attacks.  In addition, it will test any MSSPs or third-party providers as to how well they alert your organization to attacks, and validate the alerting or other security controls they may have in place.  Ultimately, the pairing of these services will help to improve your overall security posture by understanding the threats on your network, how they can be exploited, and the steps your team can take to actively respond to, contain and eradicate the threats the organization is exposed to.