Full Spectrum Attack Simulation. Security Testing & Assurance in today s business

Transcription

1 Full Spectrum Attack Simulation Security Testing & Assurance in today s business

2 Full Spectrum Attack Simulation Contents Full Spectrum Attack Simulation 3 Why NCC Group 4 The key capabilities of a Full Spectrum Attack 4 Simulation Cyber security and its associated risks is one of the largest threats to organisations worldwide. Traditionally cyber security has focused on applications and infrastructure. While this is extremely important, the vectors used by attackers are becoming increasingly sophisticated and varied. Attackers are no longer limiting themselves to just cyber assets but including physical and human assets. As such, organisations need to defend and protect their business using more complex and skilled attack scenarios. A Full Spectrum Attack Simulation assessment is a bespoke engagement comprising simulated, targeted attack and response capabilities. It is designed to address your specific concerns, to deliver the insights your organisation needs to operate securely and to answer the question at the forefront of everyone s minds Are we secure enough? What assessment is right for my organisation? 5 Black 6 Red 8 Purple & Gold s 10 Simulated threat actors Modern threat actors come in many forms, each with particular nuances in their Tactics, Techniques and Procedures (TTPs). Crossover between attack groups and TTPs is also reasonably common. For example cyber criminals may look to utilise an Advanced Persistent Threat (APT) to remain within an environment to target payment systems for financial gain. The four most common threat actors replicated in a Full Spectrum Attack Simulation are: Hacktivist: Typically an individual or group with a grudge against your organisation, their motivation is often not financial but seeking to cause reputational damage and disruption. The typical TTPs are either Distributed Denial of Service (DDoS) attacks or direct defacement of websites. Cyber criminal: Typically well organised and equipped, their motivation is nearly entirely financial. TTPs are often characterised with an emphasis on large scale, sometimes indiscriminate phishing campaigns with malicious attachments designed to deploy ransomware or steal data which can be sold. Insider threat: Their activity may be malicious or accidental and due to their position they are typically difficult to identify. The TTPs are typically the exfiltration of sensitive data and occasionally internal disruption of systems. Cyber espionage/state sponsored: Compared to the other threat actors they are small in number, however very real and can pose a significant threat. Their prime motivation is information which may be exploited in a number of ways and as such they desire access to your environment for a prolonged time period. Their TTPs are characterised as an APT using a variety of attack vectors to gain and maintain access. As such they require a robust security infrastructure to defend against. Managing operational risk During a Full Spectrum Attack Simulation we aim to minimise the operational impact on the organisation. NCC Group has developed and refined a strategy and methodologies, compliant with both CBEST and CREST STAR, to minimise the operational risk based upon the following: Clearly defined engagement process: From the initial stakeholder engagement through to scope definition, planning, approvals, engagement delivery and finally reporting. Stakeholder involvement: Appropriate support and approvals from the business itself, audit and risk, operations, compliance and legal and human resources. Delivery management: Use of highly experienced attack managers and specialists. Technical controls that limit both the lifetime and scope of an exploit and the encryption of any breach communication channels. Bespoke tooling: Created, managed, tested and updated based on previous engagements to be secure and current to simulate any of the threat actors without the associated risks. Why Full Spectrum Attack Simulation? Motivations for commissioning a Full Spectrum Attack Simulation can be varied but typically include: Improving your organisation s readiness to withstand an attack from a variety of different attack vectors. Help to train your security operations (Blue ) in handling advanced and persistent attacks. Benchmarking your security operations (Blue ) performance. Understand and gain confidence in your organisation s resilience. Regulatory compliance or oversight. 2 Full Spectrum Attack Simulation Full Spectrum Attack Simulation 3

3 Why NCC Group? What assessment is right for my organisation? NCC Group is a global expert in cyber security and risk mitigation, with one of the largest teams of security consultants in the world. Our specialist teams utilise the expertise gained from delivering over 100,000 security consultancy days as well as the experience obtained from performing Full Spectrum Attack Simulation assessments for national governments and private sector organisations worldwide. NCC Group is one of only three organisations certified across the three managed CBEST criteria: simulated attack manager, simulated attack specialist and threat intelligence manager. The nature of any simulated attack assessment relies upon the expertise and knowledge of the team delivering the programme of activity. The scale and size of our cyber security business allows our Full Spectrum Attack Simulation practice to have detailed, up-to-date intelligence of attack vectors and the approaches used by threat actors. This ensure that our approach and methods of attack simulation are constantly evolving to reflect the real-world threats to your business. Our expert capability in this area provides you with an approach and output that will add significant value to the security posture of your business. Concern Who are the threat actors targeting my organisation, how would they attempt it and how likely is it they would succeed? Threat Intelligence Means of assessment Black Red Purple Gold The key capabilities of a Full Spectrum Attack Simulation are: Type Description Are my IT systems, my personnel and public communications leaking information that would assist an attack? What threat is posed from an outsider gaining physical access to my premises or indeed a malicious insider? Black Physical attack Social Engineering Aims to identify weaknesses in physical controls and staff awareness that facilitates physical access to your premises. Includes Open Source Intelligence (OSINT) gathering, physical reconnaissance, threat modelling, social engineering and culminates in physical breach attempts. Are my staff sufficiently trained to identify a phishing attack, social engineering techniques (such as tailgating or attempts to illicit information)? Can I identify the presence of malicious code once it has been deployed through , USB or DVD? Once an attacker is on my trusted network how vulnerable are my core services? Red Purple Cyber attack Cyber attack Incident response Assesses your cyber preventative controls, staff security awareness and challenges your Blue s detection and response processes. Includes focused cyber attacks from locations both inside and outside the organisation, targeting your applications, infrastructure, people, processes and data. Combines the Red and Blue activity, and sees attack and response experts embedded within your internal security operations (Blue ) during a Red engagement. The assessment aims to collaboratively replicate attacks, identify opportunities for improvement within your Blue processes and procedures, as well as increase the effectiveness of the information already gathered. The team is also able to provide guidance on the Red recommendations and how to implement them. Could an attacker maintain a long term presence to exfiltrate data whilst remaining undetected? Are my current technical controls sufficient to identify the methods used by advanced attackers? Do my staff know how to report (and where appropriate when to escalate) a potential security incident? Do my crisis management team have effective procedures and sufficient capabilities to manage the external and internal communications during a cyber security incident? Gold Cyber attack Incident response The purpose of the assessment is to identify improvements in your internal and external communications, crisis management procedures and decision making. It includes a workshop where your senior crisis management team (Gold ) will work through a pertinent scenario with NCC Group s crisis management experts. All assessments can be conducted individually or in combination, where multiple assessments are combined, the activities will naturally flow across the capabilities as intelligence and results dictate. Threat Intelligence whilst a separate service in its own right is used extensively in the initial stages of all Full Spectrum Attack Simulation engagements. Our expert threat intelligence services provide information on which threat actors are out there, what their intent is and which tactics, techniques and procedures they use to execute attacks. 4 Full Spectrum Attack Simulation Full Spectrum Attack Simulation 5

4 Black : Physical attack & social engineering Intelligence gathering: Deploy bugging device: Eavesdropping devices will be deployed in discreet locations. 10:30AM BREAKING NEWS COMPANY ASSETS CUSTOMERS STAFF PROFILES SUPPLIERS OSINT: Research in the organisation, its clients and suppliers. Threat Intelligence: Identification of threat actor s and susceptibility of staff to an approach. Deploy network device: Deployment of an assessment device that can connect to our secure testing labs. Intrusive surveillance: To actively capture data from employee s screens and documentation on desks. Digital reconnaissance: Aims to identify technology in use by encouraging users to visit NCC Group assets. Wireless reconnaissance: A review of the wireless frequencies in use and creation of a heat map. Dumpster diving: Reviewing rubbish and recycling bins for potentially sensitive material. Physical breach: Attempts to bypass access controls and enter the premises. Local environment & points of interest: Investigate any local bars and restaurants to identify and exploit any eavesdropping and elicitation opportunities. Evidence collection: Photographic and video evidence is collected during the engagement. Physical reconnaissance: Identification of entry points, perimeter defences, CCTV and personnel shift changes and patrol routes. Media drops: USB storage devices with a custom payload that connects back to the secure testing labs is deployed in and around the target premises. How easily could a determined attacker breach my physical security and access internal networks? Is my organisation leaking information that could be of assistance to an attacker? How effective is my investment in physical security controls? During a Black assessment NCC Group will: Use OSINT gathering techniques and threat intelligence activities to develop credible attack scenarios. These scenarios would guide the remainder of assessment activities. Perform reconnaissance and surveillance to assess physical security controls. Use social engineering to circumvent technical controls and access sensitive or restricted areas of the organisation. Manipulate staff to identify protected information, such as passwords or allow access into their workspaces. Determine the level of response to threats by both your staff and third parties. Prefer a less invasive approach? NCC Group offers a consultant led Physical Security Review, a service designed to overtly review all the security measures deployed. With the support of your organisation the focus of the review will be on: Policies Procedures Preventions Deterrents Activities typically covered within the review include: Physical site survey Highlighting of points of surveillance Highlighting of CCTV blind spots and recommendations on future locations Identify likely attack strategies Assess and advise on physical access security Assess current and proposed security policies Assess proposed security planning Review visitor/contractor controls Review network access and other cyber based controls 6 Full Spectrum Attack Simulation Full Spectrum Attack Simulation 7

5 Red : Cyber attack Intelligence gathering: Deploy key logger/screen monitor: Post exploitation mechanisms used to capture information such as authentication details, along with business processes. Any such information will be used to further expand the foothold on the internal network. 10:30AM BREAKING NEWS COMPANY ASSETS CUSTOMERS STAFF PROFILES SUPPLIERS OSINT: Research in the organisation, its clients and suppliers. Threat Intelligence: Identification of threat actor s and susceptibility of staff to an approach. Cyber social engineering attacks: Spear phishing ( ) Smishing (SMS) Vishing (voice) Internal network attack: The aim is to obtain administrator access to the target assets and those that may facilitate access through the following activities: Initial exploitation Host and network enumeration Privilege escalation Command and control Lateral movement External network attack: Targeting your cloud and external facing systems with the aim of compromising them and using them as a stepping stone to the internal networks. APT simulation: Simulates a persistent hostile presence on the internal network with a view to assess the organisation s ability to identify the threat and prevent data leakage. Lost/stolen laptop assessment: Aims to assess the device itself and attempt to use it to access the internal network. What risks are posed by threat actors to my business critical cyber assets? Is my organisation s investment in both cyber security preventative controls and staff awareness training effective? Am I able to detect a persistent and sustained threat and its malicious activities within my network? During a Red assessment NCC Group will: Use OSINT gathering techniques and threat intelligence activities to develop credible attack scenarios. These scenarios would guide the remainder of assessment activities. Attempt to compromise your cloud and externally facing infrastructure. Deliver specially crafted spear phishing s designed to compromise targeted staff, attempt to elicit sensitive information out of users or encourage the visiting of a malicious site through voice and SMS communications. Utilise a stolen laptop and/or wireless and wired network access obtained in the Black assessment to gain a foothold on your internal network and subsequently traverse across it in an attempt to compromise the agreed critical applications and infrastructure. Assess your organisation s ability to prevent a sophisticated, planned and sustained attack. Prefer less focus on the goal and more on comprehensive coverage? NCC Group offer a number of penetration testing and security review services that provides total confidence in the security of your: Servers and virtual infrastructure Compiled and web applications Databases Networking and security devices Core services such as Active Directory, backup and Cloud platforms Would you like to manage and initiate on demand your own Phishing assessment activities? NCC Group offers the Piranha Phishing Simulation platform. A portal that allows you to send on demand phishing s and provides educational facilities. Would you like to test the effectiveness of your Security Operations Centre (SOC) without attacking? NCC Group offers the SOCAlive service, automated, scalable and cost effective means of testing the detection and response capabilities within your SOC or Managed Security Services Provider (MSSP). Not sure if you have all the appropriate controls in place ready for such an engagement? The Cyber Security Review is a service offered by NCC Group that reviews your organisation against 20 key controls and will highlight key deficiencies in your security controls framework. 8 Full Spectrum Attack Simulation Full Spectrum Attack Simulation 9

6 Purple & Gold s: Attack & incident response 10:30AM Purple : Gold inputs: The exercise will play out simulating exchanges from: External parties such the public, media, regulators and investors. Internal parties such as security operations. News streams such as twitter, news feeds and websites. BREAKING NEWS COMPANY ASSETS CUSTOMERS STAFF PROFILES SUPPLIERS Gold : Challenge crisis simulation attendees throughout the incident on themes such as: Communication Response Operation disruption Risk assessment Scope Assesses the Blue with full knowledge of Red activities. Can optionally provide support to the Blue during the engagement. Blue assessment: The team will be assessed against their ability to identify and respond to the various kill chain phases of an attack: Delivery Exploitation Installation Command and control Actions and objectives on target Red assessment: Delivery of a variety of attacks simulating agreed threat actors targeting: External environment Internal network Users via cyber social engineering attacks Additionally APT simulation will be conducted Are my SOC team sufficiently equipped and trained to both identify and respond to current attacks? Are my existing controls sufficient to prevent a large scale incident? Is my organisation s crisis management team able to effectively manage a cyber incident? During a Purple assessment NCC Group will: Assess the Blue during a Red engagement on their ability to identify and appropriately respond to the various stages of an attack. Several realistic threat actors will be simulated to ensure thorough coverage of all TTPs. Provide a complete timeline of all attack and response activities and any assistance provided by the Purple. Recommend improvements in people skills, processes and technology, prioritised by expected improvements in security posture and practicality. During a Gold assessment NCC Group will: Assess the crisis management team s decision making, risk assessment, communication, reporting requirements and record keeping. Deliver a crisis simulation that runs through a series of interactive scenarios facilitated by experienced crisis and incident management experts. This engaging and interactive format will have an emphasis on contextual realism. These scenarios can optionally be those identified on an earlier Black or Red engagement. Need to augment your Blue capabilities? NCC Group has a number of offerings that can assist you in enhancing your defensive controls and upskilling your staff: Managed network security: Firewalls, application security and IPS DDoS Secure: Rapid self-learning DDoS protection Security analytics Threat Intelligence SIEM Professional services and training Not sufficiently prepared for an incident? NCC Group s Incident Response Planning service offers a bespoke solution comprising: The plan itself: Prepare, identify, assess, respond and learn phases Up to ten defined playbooks for incidents such as DDoS attacks, ransomware and exfiltration of data Protecting forensic evidence Communications with third parties Testing schedule Escalation to crisis management Time for testing has gone, I m in an incident now! NCC Group offer a number of services through our Cyber Defence Operations team: Cyber Incident Response Digital Forensics Compromise s 10 Full Spectrum Attack Simulation 11 Automotive Sector Full Spectrum Attack Simulation 11

7 Certifications NCC Group is able to deliver Full Spectrum Attack Simulation engagements against the following schemes: CBEST: The Bank of England scheme that delivers intelligence led Red engagements against financial organisations, mimicking the behaviour of real world threat actors. NCC Group is certified to deliver both the threat intelligence and security testing components of the scheme. CREST Simulated Target Attack and Response (STAR): A globally recognised commercial scheme that delivers highly focused attacks against an organisation based on target specific threat intelligence. icast: Intelligence-led Cyber Attack Simulation Testing created by the Hong Kong Monetary Authority for the financial industry. TIBER: Threat Intelligence Based Ethical Red ing based on CBEST and managed by De Nederlandsche Bank focused on financial institutions within the Netherlands. CIR: NCC Group is approved by NCSC to provide Cyber Incident Response service as part of the Government run Cyber Incident Response scheme certified by GCHQ and CPNI responding to sophisticated, targeted attacks against networks of national significance. CREST IR: NCC Group has been successfully assessed against the CREST criteria which focuses on the appropriate standards for Incident Response. In the media NCC Group s capability in this area has been further recognised by being selected to provide the cyber expertise for Channel 4 s Hunted TV show. About NCC Group NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security. For more information from NCC Group, please contact: +44 (0) response@nccgroup.trust NCCGTSCFSRDV10817