The idea that defenses should be tested by attacks is now widely accepted. For many years, Red Team exercises have been an essential element in evaluating and improving the security of state-of-the-art IT infrastructures. In these exercises, one or more operators simulate the behavior of an attacker and, for a set period of time, test both the security of a set of assets or users and the defensive capabilities of the organization's security operations center (SOC), whose members must not know that the exercise is taking place.
The results obtained are reflected in a report containing one or more attack narratives and information on the weaknesses identified. This report is then used by the organization to improve security, minimizing the impact of future real attacks.
Red Team exercises are an excellent resource, not only for improving the organization's defenses, but also for SOC personnel, who face a realistic attack situation from which to learn, with the added benefit of being able to sit down with the attackers afterwards and walk through the engagement step by step.
However, these exercises have three important limitations. First, the number of attack vectors executed is limited by the duration and the defined objectives. A Red Team uses as many techniques as it needs to achieve the exercise objectives without being discovered, terminating the exercise when the objectives are achieved or when the SOC identifies the attackers. The Red Team may spot alternative ways to perform certain intrusive actions during the exercise, but the actions actually executed are normally limited to a single attack narrative for each objective achieved.
Second, the Red Team executes its actions from the starting position(s) agreed upon with the organization, using whatever techniques it deems necessary. A real attack with a different entry point may progress through a different set of techniques that nevertheless complete the intrusion successfully.
Finally, Red Team exercises provide a static picture of the security state at the time the exercise is performed. Changes in equipment configuration and the appearance and disappearance of assets in the infrastructure can make a snapshot such as the one provided by the exercise insufficient for keeping defensive measures up to date. This limitation is often mitigated by repeating Red Team exercises periodically, which has the drawback that the SOC may become accustomed to a state of continuous simulation and neglect the identification of real attacks.
The key to finding an alternative approach that overcomes these limitations lies in considering the multi-stage nature of attacks. An attack is composed of a set of mutually dependent actions whose causes and consequences can be analyzed atomically and whose character does not necessarily have to be intrusive, even if it participates in an overall strategy that is intrusive [1]. We can thus see attacks as a puzzle composed of several pieces. The pieces used will depend on the starting point of the attackers and the characteristics of the attacked infrastructure.
The description of attacks in Red Team reports already relies on this decomposition into pieces, to help understand the elements that enabled the attack to progress and to develop new defenses. To do this, Red Teams use the ATT&CK® framework, a knowledge base developed by MITRE that catalogs the individual actions of attacks as Tactics, Techniques and Procedures (TTPs): the tactic is the adversary's goal, the technique is how that goal is achieved, and the procedure is the concrete implementation observed. The result of the attacks executed in a Red Team exercise can then be summarized as a set of TTPs executed at a precise time against the audited infrastructure.
But if each TTP can be considered individually, why not build a test battery from them and evaluate them one by one on the audited assets? We could then widen the area over which TTPs are evaluated and even repeat their execution on a regular basis. This is the idea behind Breach and Attack Simulation (BAS) services [9]. This approach does not evaluate the SOC's ability to respond to real attacks because, unlike in a Red Team exercise, the tests are standardized and no attempt is made to avoid generating alerts. Rather, the aim is to evaluate whether the security mechanisms identify each executed TTP and generate a useful alert for the SOC, or block the action outright, as appropriate.
What is proposed, then, is an alternative and complementary approach to the Red Team exercise, capable of extending the evaluation of TTPs beyond the concrete attack narrative developed by the auditors. The SOC can then compose the use cases it deems appropriate by chaining the evaluated TTPs, and analyze the chances an attacker would have of successfully executing a multi-stage attack.
In addition, if the appropriate infrastructure is in place, the evaluation of TTPs on audited assets can be automated to run periodically. This takes the assessment beyond the static picture of a Red Team exercise: as TTPs that the security systems fail to detect are found, defenses can be adapted to changes in the infrastructure or in asset configuration.
MITRE itself has developed open source software called Caldera [3] to implement such a BAS service. The structure and operation of Caldera are very similar to those of many commercial C2 products used in Red Team exercises, such as Cobalt Strike: it also has a central server that controls the behavior of a set of agents deployed on the assets to be audited.
However, whereas in a Red Team exercise the deployment of the agents is part of the intrusive action and therefore must not be detected by the SOC, in a BAS service we count on the collaboration of the client's defensive team to deploy them on the assets to be evaluated.
Once installed, the agents execute TTPs as directed by the central server. TTPs can be executed manually by a BAS service operator, or scheduled to run automatically in a sequence driven by a set of conditions. Once evaluated, they can also be scheduled to run periodically, as defined in the service conditions.
Regarding the design of the actions to be evaluated, Caldera already includes a set of plugins with ready-to-run TTPs corresponding to different attack profiles [4]. Among these, the "Atomic" plugin [5] stands out: it adapts to Caldera all the tests in Red Canary's Atomic Red Team™ GitHub repository [6], a reference for the concrete implementation of MITRE ATT&CK® TTPs. The BAS operator only has to choose which set of TTPs to evaluate on each asset and schedule their execution from the central server.
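To make the battery idea concrete, the following is an added example written for this page; it is not Caldera's or Atomic Red Team's code. It mirrors only the public layout of an Atomic Red Team test (an ATT&CK technique ID, an executor command, and `#{argument}` placeholders filled from `input_arguments` defaults), simulates a scheduled run of every test on every asset, and scores each executed TTP against the alerts the security stack produced, flagging TTPs that were never detected and detections that regressed between two periodic runs. The tests, host names, alert records, the one-minute spacing between executions and the 300-second window for crediting an alert to an execution are all constructed assumptions; a real harness would dispatch each rendered command to the agent on that host and pull the alerts from the SIEM.

```python
"""Toy BAS harness (added example): render Atomic Red Team-style tests,
simulate their scheduled execution on a set of assets, and score each
executed TTP against the alerts the security stack produced."""
import re
from dataclasses import dataclass

# Constructed tests that follow the Atomic Red Team YAML layout
# (technique id, executor command, "#{arg}" placeholders with defaults).
# Benign discovery/persistence commands chosen for illustration only.
ATOMIC_TESTS = [
    {"technique": "T1033", "name": "System Owner/User Discovery",
     "executor": {"name": "command_prompt", "command": "whoami /groups"},
     "input_arguments": {}},
    {"technique": "T1087.001", "name": "Enumerate local accounts",
     "executor": {"name": "command_prompt", "command": "net user"},
     "input_arguments": {}},
    {"technique": "T1053.005", "name": "Scheduled task persistence",
     "executor": {"name": "command_prompt",
                  "command": 'schtasks /create /tn "#{task_name}" /tr "#{command}" /sc daily'},
     "input_arguments": {"task_name": {"default": "BAS-Test"},
                         "command": {"default": "cmd /c echo bas"}}},
]

PLACEHOLDER = re.compile(r"#\{(\w+)\}")


def render_command(test, overrides=None):
    """Substitute #{arg} placeholders from overrides or the test's defaults.
    An unknown placeholder raises, so a mistyped test never ships a literal '#{x}'."""
    overrides = overrides or {}
    defaults = {k: v["default"] for k, v in test.get("input_arguments", {}).items()}

    def sub(match):
        name = match.group(1)
        if name in overrides:
            return overrides[name]
        if name in defaults:
            return defaults[name]
        raise KeyError(f"{test['technique']}: no value for argument {name!r}")

    return PLACEHOLDER.sub(sub, test["executor"]["command"])


@dataclass(frozen=True)
class Execution:
    run_id: str
    host: str
    technique: str
    command: str
    ts: int  # epoch seconds of the simulated execution


def execute_battery(tests, hosts, run_id, start_ts, spacing=60):
    """Simulate the scheduler: every test on every host, `spacing` seconds apart.
    A real harness would dispatch each command to the agent on `host`."""
    out, ts = [], start_ts
    for host in hosts:
        for test in tests:
            out.append(Execution(run_id, host, test["technique"], render_command(test), ts))
            ts += spacing
    return out


def score_run(executions, alerts, window=300):
    """Map (host, technique) -> True if an alert for that technique on that host
    arrived within `window` seconds after the execution, else False."""
    result = {}
    for ex in executions:
        result[(ex.host, ex.technique)] = any(
            a["host"] == ex.host and a["technique"] == ex.technique
            and ex.ts <= a["ts"] <= ex.ts + window
            for a in alerts)
    return result


def regressions(previous, current):
    """TTPs detected in the previous run but missed now: drift in the defenses."""
    return {k for k, hit in previous.items() if hit and not current.get(k, False)}


def coverage(scored):
    return sum(scored.values()) / len(scored) if scored else 0.0


# Constructed alert records as a SIEM might export them (host, technique, ts).
ALERTS_RUN1 = [
    {"host": "ws01", "technique": "T1033", "ts": 1_000_030, "rule": "whoami-enum"},
    {"host": "ws01", "technique": "T1087.001", "ts": 1_000_100, "rule": "net-user"},
    {"host": "ws02", "technique": "T1033", "ts": 1_000_200, "rule": "whoami-enum"},
    {"host": "ws02", "technique": "T1087.001", "ts": 1_000_270, "rule": "net-user"},
]
# Second periodic run: on ws02 the "net-user" alert now arrives far too late
# to be credited to the BAS execution (assumed log-forwarding regression).
ALERTS_RUN2 = [
    {"host": "ws01", "technique": "T1033", "ts": 2_000_020, "rule": "whoami-enum"},
    {"host": "ws01", "technique": "T1087.001", "ts": 2_000_090, "rule": "net-user"},
    {"host": "ws02", "technique": "T1033", "ts": 2_000_190, "rule": "whoami-enum"},
    {"host": "ws02", "technique": "T1087.001", "ts": 2_009_000, "rule": "net-user"},
]


def report(hosts=("ws01", "ws02")):
    """Coverage of both runs, TTPs never detected, and detections that regressed."""
    run1 = score_run(execute_battery(ATOMIC_TESTS, hosts, "run1", 1_000_000), ALERTS_RUN1)
    run2 = score_run(execute_battery(ATOMIC_TESTS, hosts, "run2", 2_000_000), ALERTS_RUN2)
    return {"coverage_run1": coverage(run1), "coverage_run2": coverage(run2),
            "never_detected": sorted(k for k in run2 if not run1[k] and not run2[k]),
            "regressions": sorted(regressions(run1, run2))}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, the first run credits four of six executions (T1053.005 is never alerted on either host, which is exactly the kind of gap the SOC should turn into a new use case), and the second run drops to three of six because the ws02 "net-user" alert falls outside the crediting window; that pair shows up as a regression, which is the signal the periodic re-evaluation in the text is meant to surface.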
In addition to MITRE Caldera, commercial platforms from vendors such as AttackIQ or XM Cyber also implement BAS technology [7]. Regardless of how it is implemented, a BAS service in an organization with a mature security level can make a significant difference in mitigating the impact of APT groups, is an indispensable complement to periodic Red Team exercises, and lays the foundation for a Purple Team that continuously improves protection and detection systems.
[1] Julio Navarro, Aline Deruyver and Pierre Parrend. A systematic survey on multi-step attack detection. Computers & Security, vol. 76, pages 214-249, July 2018.