For over 40 years we have acknowledged that defences are not able to prevent a Red Team from intruding into a network. This hypothesis was best articulated by Lt Col Roger Schell (USAF) in 1979: “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought”. With this in mind, security professionals must approach Red Team exercises with discrete purpose and targeting intent. We explore this concept further to ensure the best possible outcome and return on investment from conducting these increasingly important exercises.
2021, and 2022 thus far, have been exceptional for the discovery of enterprise vulnerabilities. Bug bounty findings, the industry policing itself and others, improved regulation and raised concern over supply chains have all contributed to the increase in the reported number of vulnerabilities. The vulnerabilities are reported through Common Vulnerabilities and Exposures (CVE) programs. When we consider the MITRE Corporation CVE List, the number of registered CVEs in 2011 was 4,816. We now have over 29,482 reported in 2021, a significant increase of 600%. At the end of March 2022, the total number of active CVEs listed within CVE Details was over 173,644. The most interesting statistic is the vast scale of active vulnerabilities that carry the dangerous Remote Code Execution (RCE) capability and threat. CVE Details reports that there are currently over 19,477 active vulnerabilities with a Common Vulnerability Scoring System (CVSS) score higher than 9 that include RCE, at the time of writing.
Our business noted a significant number of automated remote attacks on our seemingly hidden attack simulation infrastructure in the moments after the Log4j vulnerabilities were reported in December 2021. These threat actors were targeting random domain spaces for a pot-luck chance of owning a network. There are three job areas where you face an adversary on a daily basis: Defence, Law Enforcement and Cyber Security.
Social engineering techniques are part of any good Red Team toolkit. In recent times, we have seen just how potent and effective these manipulative techniques can be with the criminal threat actor group Lapsus$. Large organisations such as Nvidia, Samsung, Ubisoft, Vodafone, Microsoft, LG and Okta have been susceptible to social engineering from this group, reportedly made up of teenagers, leading to notable publicly reported compromises. These attacks should serve as a real wake-up call to the industry.
Vulnerabilities and social engineering alone clearly present a great opportunity for threat actors and for security assessors performing Red Team engagements. Undoubtedly Red Teams hold a significant upper hand, whilst defending an enterprise is relentlessly challenging. Due to these inherent weaknesses, the bar for achieving a successful action on objective in a Red Team exercise is set incredibly low. In other terms, it’s fairly straightforward for a Red Team to successfully attack an enterprise that is not adequately protected. Formerly I was responsible for directing Red Team exercises across the banking industry, testing an institution’s response and resilience capabilities against systemic risks. Through my experiences I witnessed how simple it is to compromise an unsegregated (flat, if you like) network that uses Microsoft Active Directory. This is not a dig at Microsoft, as I feel they have come a long way, but we as security architects need to embrace Zero Trust principles and rethink how access to critical data, assets, applications and services is provisioned, authorised and monitored. As a Red Team member it is extremely important that we remember this position of power, act with humility and foster a collaborative engagement with Blue Teams, the protectors of the enterprise, that recognises the challenge set before them.
Demand for Red Teaming is driven predominantly by regulatory and legislative requirements, as fiscal constraints limit discretionary spending. Unfortunately, not all organisations can afford these simulation exercises. It should come as no surprise that the highest growth areas in downstream fields include Government and Defence, Banking, Financial Services and Insurance (BFSI), IT and Telecom, Healthcare and Retail. For global banking, I have witnessed a steady progression from “tell me” toward “show me” from regulators all around the globe. Reporting of cyber risk requires drastic improvement across the board due to its ever-changing posture. Risk reporting can unfortunately be gamed by staff who benefit from results being watered down or plainly removed. The value of performing a Red Team exercise lies in validating the resilience capabilities of the organisation in question through the simulation of tactics, techniques and procedures utilised by real-life threat actors. For critical services and infrastructure these simulations must be mandatory, due to the interconnected nature of, and the reliance we place on, digital services (public and private). It’s not enough to rely only on monthly risk reporting for critical services. Business risk must be clearly communicated in terms and implications understood by senior management and by those who regulate the respective industry.
MITRE ATT&CK® has been one of the most useful resources in my career, as it provides a framework for understanding potential attack paths and adversary tactics, techniques and procedures. This gives insight into how you might conduct a Red Team exercise that mimics a particular threat or approach. I cannot overemphasise the importance of understanding this knowledge base early in your career, as it will serve you greatly.
Due to the security posture improvements at the larger end of town, threat actors are setting their sights further down the supply chain for easy wins. A recent threat intelligence report this month indicated that Non-Governmental Organisations (NGOs) had been successfully targeted for espionage across several countries. These organisations typically would not have the technical capability to detect nation-state espionage. A question that I ponder regularly is: how do we provide Red Team exercises at scale to those on the front line defending our nations who may not have the resources to facilitate such an exercise? We may be pushing the cyber security issue down the hill without addressing fundamental root causes.
As leaders we must focus on building resilient capabilities (not just plans), to ensure our activities can operate without interruption. One of the most effective mechanisms for testing these capabilities is the Red Team exercise. The way we work has forever changed; we must adapt our assurance processes to meet this challenge. If it can be reached, it can be breached: build cyber resilience.
About Michael Woods
Michael is a Cyber Security Strategist with over 17 years’ experience gained in financial services and consulting. Michael is a former Red Team director tasked with delivering adversarial security assessments to test cyber resilience, evaluate systemic risk and meet regulatory requirements within the banking sector. Michael provides strategic consulting to address growing cyber risk and resilience concerns.
About Tannhauser
Tannhauser is a cyber security and privacy consultancy. Our team specialises in Cyber Security Strategy Consulting, virtual Chief Information Security Officer staff augmentation, Cyber Risk Quantification, Cyber Security Assurance, Cyber Resilience, Privacy Engineering and Digital Transformation. Tannhauser: helping businesses become more secure and resilient for the digital age. Security in Sync.
References:
MITRE Corporation CVE List https://cve.mitre.org/cve/
Common Vulnerability Scoring System (CVSS) https://nvd.nist.gov/vuln-metrics/cvss
CVE Details https://www.cvedetails.com/cvss-score-distribution.php
MITRE ATT&CK® https://attack.mitre.org