TL;DR: Are you wondering why you and your organization should assume breach? SCYTHE’s Adversary Emulation Lead Tim Schulz answers this frequently asked question, and covers scenarios in which using an assumed breach model can help focus on strengthening detection capabilities.
Hello everyone! Tim Schulz here to answer this question: Why should you and your organization assume breach? This question is frequently asked by our platform customers, professional service clients, and even our partners.
There comes a time in every purple team planning meeting, workshop, or demo that we get the question: why should we click on this, wouldn’t our firewall/defensive stack/user training have stopped this from executing?
Preventative measures have their place in security, MITRE’s ATT&CK Evaluation’s team has split out protection as its own category in the latest release. While purple teaming can cover the entire attack chain, the reality is that a determined adversary will achieve access eventually. The tougher question is: are you prepared for what comes next?
The overall goal of purple team exercises and adversary emulation is to best prepare organizations for detecting and responding to real world attacks. These adversaries have the time, energy, and resources to find ways to gain initial access.
Initial access represents a point in time, and is a continually moving target. However, if initial access is a key part of your goals, check out our blogs on using the SCYTHE payload as shellcode, and Defense Evasion with SCYTHE.
Below we cover some scenarios where using an assumed breach model can aid in focusing on building better detection capabilities.
Scenario 1: Phishing
Starting off with a SCYTHE twitter poll favorite, phishing has evolved over the years but has never gone away. Adversaries continue to use various forms of social engineering in combination with malicious Microsoft Office documents or compromised credentials to gain initial access to networks.
At every company, there are a number of employees that interact with external entities: to purchase new products, review resumes for job openings, and any number of other business related functions. There is a high chance that even security conscious individuals, when facing a determined adversary, will end up clicking on a website or open a malicious document.
Leveraging an assumed breach model when performing security testing allows for defender focus to move beyond blaming a single individual for opening a malicious document into ensuring that any incidents can be detected, responded, and remediated.
Scenario 2: Zero day exploits
Zero day exploits send shockwaves throughout the information security community when reported due to their previously unseen nature. Enterprise executives and senior leadership teams want to know the answer to the question: what if we get attacked by a zero day?
Recent headlines from the Microsoft Exchange zero days leveraged by HAFNIUM and Pulse VPN zero days leveraged by likely state threat actors, revealed that exploitation in the wild of zero day vulnerabilities is emerging at a rapid pace.
Working from an assumed breach testing model starts with the assumption that a compromise has already occurred, thus putting this question to rest immediately and moves the exercise into post exploitation activities and behaviors. These post exploitation activities have better logging and detection opportunities, allowing defenders to leverage their defensive stacks to greater effect.
Scenario 3: Insider Threat
Another information security boogie monster is the elusive insider threat: someone within your own organization that knowingly or unknowingly compromises internal assets.
Insider threat scenarios have a wide range of actors, from a malicious insider trying to covertly sabotage or steal valuable information to an employee unwittingly plugging in an infected USB drive. Each of these scenarios present difficult challenges for alerting and detection within an organization because it requires the security team to determine intent behind internal actions.
Working from an assumed breach testing model allows for the assumption that an insider would have performed initial execution, knowingly or unknowingly. This allows the detection engineering efforts to focus on determining other factors that may tip off malicious intent of the actions.
SCYTHE customers are not limited to how many servers they can deploy, and we recommend deploying both cloud instances and on-premise servers behind your DMZ to emulate threat actors operating from each of the above scenarios.
Scenario 4: You may already be breached.
The fourth scenario is a bit of Occam's razor: you are already (unfortunately) breached. Leveraging our other outlined scenarios and additional cases such as the SolarWinds supply chain compromise, there is a chance that your organization may be breached.
Regardless of the how, assumed breach focuses on what can be done. It encourages security teams to build better situational awareness of their environment by increasing telemetry and logging. This increased data allows detection and alerting analysis to be highly tuned and tailored for the operating environment.
The focus on the security team: the people, process, AND technology allows for organizations to mature their team and capabilities, resulting in a more resilient defensive environment.
Scenario 5: Business impact happens after breach
This last scenario is directly tied to the most prolific scourge when it comes to modern threat behaviors: ransomware. Ransomware threat actors have tried to leverage the above scenarios, even attempting to pay a Tesla employee to plug in a malicious USB drive.
Unlike other threat actors that may try to stay hidden after a breach to perform more deliberate actions, ransomware announces its presence after infecting hosts and requires a significant amount of effort to contain the spread as quickly as possible.
Not sure how to defend against ransomware? We’ve got you covered in this blog by our founder, Bryson Bort on how to get started.
Ransomware groups have been adapting to the changing security landscape to outpace security best practices. Initial ransomware locked computers to extort companies into paying to unlock, however now we have seen a rise of double-extortion ransomware that steal information in addition to locking computers in an effort to further incentivize companies to pay the ransom.
Working from an assumed breach model means that analysis of these business impacts and scenarios can happen much quicker, which is extremely important when time becomes critical to detection and remediation conversations.
SCYTHE has released adversary emulation plans for multiple ransomware threat actors on our Community Threats Github and #ThreatThursdays. SCYTHE customers can import these plans into their platform with a few clicks. We recommend starting with Maze (there are two variants in our Github), Ryuk, and Egregor emulations.
Detection and Response
A recurring theme throughout this post has been moving past initial access to focus on the tougher questions that organizations face: how do we detect these attacks and what is our response playbook? As ransomware and other threat actors continue to threaten enterprises on a regular basis, assumed breach scenarios provide a quicker and more efficient way to measure the effectiveness of people, processes, and technologies.
SCYTHE recently released a whitepaper detailing what Attack Detect and Response (ADR) tools are and how your organization can benefit by leveraging them.
About the Author
Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.