Student Guide Foundations of Breach & Attack Simulation
Revision 2020.11.03
Table of Contents
What’s In It For You
Threat Informed Defense
Cyber Threat Intelligence Analysis
MITRE CRITS
Defensive Engagement of The Threat
Focused Sharing and Collaboration
The Basics of BAS
Breach & Attack Simulation Deployment Approaches
Agent-Based Deployment Approach
Virtual Based Deployment Approach
Services Based Deployment Approach
Breach & Attack Simulation Testing Approaches
Behavior Emulation Testing Approach
Behavior Replay Testing Approach
Malware Detonation Testing Approach
Services Based Testing Approach
Breach & Attack Simulation Transparency Approaches
Blackbox Approach
Glassbox Approach
Openbox Approach
Framework Alignment
Continuous Security Validation
User/SOC/MSSP Testing
Security Tool Bake Off & Proof of Concept Testing
Purple Teaming
Quality Assurance
Your Next Steps
“When we conduct a penetration test on a system, we are not changing the state of the application with this inspection; rather, we are changing our uncertainty about the state of the application.”
Douglas Hubbard, author of How To Measure Anything in Cybersecurity Risk

You can apply this same idea to Breach and Attack Simulation, which is what we are here to learn about today. First, let’s talk about you.
What’s In It For You
Whenever I teach a class I always like to start by telling the students “what’s in it for them.” Why? Because it’s important. Your time is important, so I want you to know upfront what I’m going to trade you for your time today.

A new skill in a rapidly expanding field of security
The need for breach and attack simulation tools and expertise is growing, and in this course we are going to introduce you to the concepts of Breach and Attack Simulation and Threat Informed Defense. We’re also going to talk about the different things you should consider when selecting a BAS tool, and then we will cover some of the major use cases for BAS.

Hands-on labs
I know for me, one of the best parts of training is getting my hands dirty in whatever it is I just learned. Throughout this course, you are going to use our AttackIQ Cyber Range along with the AttackIQ platform to perform some labs and hopefully put some of this new knowledge into practice.

Certification
We want you to be able to show off your new skill on your resume or LinkedIn profile, so we’ve partnered with Acclaim to offer certification badges.

CPE Credits
We’ve partnered with ISC(2) to offer CPE credits for this course. You will get a PDF certificate after passing the assessment at the end of the course, but if you provide us with your ISC(2) member number in your profile we can automatically register the CPE hours for you.
Threat Informed Defense
Before we start talking about BAS, or Breach and Attack Simulation (you’ll hear me use the terms interchangeably throughout the course), I want to introduce you to the concept of threat informed defense. A threat informed defense is a proactive approach to cybersecurity that utilizes three elements to provide an evolving feedback loop to your security team. Those elements are:
● Cyber threat intelligence analysis
● Defensive engagement of the threat
● Focused sharing and collaboration
Let’s take a look at each of these individually.
References:
● Cybersecurity Threat-based Defense
Cyber Threat Intelligence Analysis
Threat intelligence analysis is taking existing intelligence data like TTPs, malware hashes, or domain names and applying human intelligence to harden cyber defenses and improve ways to anticipate, prevent, detect, and respond to cyber-attacks.

MITRE CRITS
Let’s look at CRITS as an example of what goes into cyber threat intelligence analysis. CRITS is a tool developed by MITRE and stands for Collaborative Research Into Threats. It’s open-source and freely available here. CRITS does a handful of things that assist with intelligence analysis, such as:
● Collecting and archiving attack artifacts
● Associating artifacts with stages of the cyber attack lifecycle
● Conducting malware reverse engineering
● Tracking environmental influences
● Connecting all of this together to shape and prioritize defenses and react to incidents
CRITS itself is outside of the scope of this course, but it gives us a good illustration of some of the features of cyber threat intelligence.
Defensive Engagement of The Threat
Defensive engagement of the threat takes what you’ve discovered from intelligence analysis and allows you to look for indicators of a pending, active, or successful cyber attack. Breach and attack simulation tools fit in well here because we can take the behavioral models uncovered during intel analysis and use BAS to automate testing and reporting on what those behavior patterns look like in our enterprise. These simulation results can feed back into your threat intelligence analysis and into the next element we’re going to talk about, which is focused sharing and collaboration.

Focused Sharing and Collaboration
By sharing threat actor TTPs through standards such as STIX and TAXII, the security community benefits together. Likewise, if you are part of a large organization with different security groups, information shared between those groups in a standard format can help your enterprise build a threat informed defense. Groups like MITRE’s Center for Threat Informed Defense (CTID) bring together sophisticated security teams from leading organizations around the world to expand the global understanding of adversary behaviors by creating focus, collaboration, and coordination to accelerate innovation in threat-informed defense, building on the MITRE ATT&CK framework.
The Basics of BAS
Now that we’ve talked about the methodology of a threat informed defense, we can begin to talk about Breach and Attack Simulation as a way to operationalize a threat informed defense and take a lot of the manual work out of implementing it. The general idea behind breach and attack simulation tools is similar:
● Organizations choose the attacker behaviors they want to see executed in their environment.
● The BAS tool executes those behaviors.
● Operators observe the response from security controls.
How these ideas are implemented, and which additional features are provided, varies from vendor to vendor. We’re going to talk about things to consider when you’re investigating BAS solutions in a little bit, but before we do that I want to talk about why BAS has become important. Before breach and attack simulation tools existed, there were still plenty of organizations implementing, or at least partially implementing, a threat informed defense. This work was originally done through purple teaming activities, where red teams and blue teams would work together to improve their security posture. Purple teams still exist and are becoming more popular, but BAS tools can be used to help with some deficiencies of a manual process.

Time/FTE
● Red Team members are generally highly skilled individuals whose time could be better spent innovating instead of running scripts and building reports.
● Coordination and sharing of information between red teams and blue teams consumes time that could be spent implementing projects and defending the enterprise.

Documentation
● Documentation during manual efforts is often lacking because of the time commitment, or a lack of resources, to document what was done, how it was done, when it was done, and by whom.

Safety
● Without tight collaboration and understanding between red teams and blue teams on which exercises are run, by whom, against what assets, and when, the idea of testing the security of your network begins to feel more like a liability than an asset.

When we get into Breach and Attack Simulation use cases later in this course we will explore in more detail how BAS tools help alleviate at least some of these burdens.
Breach & Attack Simulation Deployment Approaches
When considering the use of a breach and attack simulation tool for your team, there are a few different ways that deployment can be done.
Agent-Based Deployment Approach
Agent-based deployments utilize individual assets in your environment to execute tests. Generally, the agent on the host will be controlled by your BAS console. The agent executes tests on or from the host and then reports data back to the BAS server on the success or failure of those tests. Agents are flexible because they allow you to deploy quickly and into specific areas of your environment. If you are deploying agents in a production environment, you’ll want to get a good understanding from your vendor of how safe this is. We’re going to go into testing and transparency approaches in a bit, and having this understanding will allow you to better judge the safety of running a BAS tool in your production environment. The main reason you would choose to deploy in production instead of a lab is that it will give you more accurate results to measure against. One of the limitations of an agent-based approach can be proper coverage.
● Understand what your use cases are before investigating BAS tools. This will give you an understanding of how many hosts, VLANs, operating systems, departments, and security domains you will test on.
● Do you need just a sample from your enterprise, or do you want to be able to execute on any host in your environment?
Having the answers to these questions in mind, talk to your vendors about how they license and scale so that they can fit your needs.
Virtual Based Deployment Approach
A virtual based deployment can be executed in a multitude of different ways. This could be a deployment where agents are being used but as part of an OVA. This could also be an agentless deployment where packets are replayed to see how the environment responds. The main theme across a virtual deployment is that it involves lab components and should be designed to simulate your production network. Although this type of deployment allows you to execute actual malicious activity in a safe manner, it does have some limitations. Some of the limitations of a virtual based deployment include:
● Accuracy – The accuracy of the tests is only as reliable as the environment the tests are executing in. If you are executing in a virtual or lab environment and not a production environment, you risk not having an accurate measure of your production enterprise.
● Complexity – The complexity of a virtual environment can definitely provide you with testing flexibility in the future. However, the complexity of a virtual based deployment can often add time and expense to BAS projects.

Services Based Deployment Approach
A services-based deployment method often conducts tests by simulating or replaying attacker behavior from a cloud service against a target or range of targets. This type of testing is often used as a form of external-to-internal penetration test, usually focusing on exploitation activities. The deployment for services based BAS tools is easy because there usually isn’t anything to deploy. One of the limitations of a services-based BAS deployment is that the testing is often limited in how robust it can be.
Breach & Attack Simulation Testing Approaches
Let’s talk about four of the main approaches BAS tools take in how they execute testing.
It’s important to remember that some BAS tools may incorporate more than one of these approaches in how they run their tests, so you need to understand what is important to your use cases and how that works with the BAS tools you are investigating.

Behavior Emulation Testing Approach
Behavior Emulation is taking specific behaviors of attackers and re-creating them as unit tests in the BAS platform. This is generally a production safe approach because you are able to focus on specific behaviors instead of payloads. If you believe a behavior to be a risk to your production network, you can choose other behaviors that may occur before or after the exploitation phase of an attack.
Behavior Emulation generally focuses on pre- or post-exploitation activities. If your use cases are focused on exploitation activities only, this may be a limitation to consider.
Behavior Replay Testing Approach
Behavior Replay is generally done by replaying packet captures of actual attacks.
● It allows you to replicate the actual behavior of an attacker, including actual exploitation.
● Behavior replay allows for more robust network-based testing.
Testing actual behavior with actual exploitation can also be a drawback if you desire to test your production assets, since these tests are much harder to make safe.

Malware Detonation Testing Approach
Malware detonation is similar to sandboxing, but with a focus on how efficiently your security controls respond instead of understanding how the malware operates. Malware detonation is essentially taking known malware samples and executing them in your test environment. This is good if you have a targeted use case for understanding how your security controls stand up to the exploitation phase in a very real way. Obviously, this carries a large risk of impacting the environment it is run in and is not safe for production.

Services Based Testing Approach
Services based testing approaches vary widely and can use a combination of all of these testing approaches. They may even include human elements that analyze or assist in the operation of the test. Because services based testing can be so different from provider to provider, it’s important to have a grasp of what is in scope and out of scope for testing and how often testing will be done.
Breach & Attack Simulation Transparency Approaches
How transparent the actual tests you are executing are can vary from solution to solution. Some BAS solutions may even take multiple approaches, or vary the degree of transparency they offer into their content.

Blackbox Approach
A blackbox approach leaves little visibility to the operator. The limited flexibility of testing and the uncomplicated nature of a blackbox approach may be valuable to less mature security organizations looking to put some sort of security control validation project in place. However, larger or more experienced organizations may find the lack of detail offered by a blackbox approach difficult to work with. This type of approach can also limit red team involvement, leaving their experience out of the validation project.

Glassbox Approach
A glassbox approach is a much more open approach than a blackbox approach. In a glassbox approach, operators can view details of how the test is being run. They can get a deeper understanding and, in some cases, make changes to the configuration of how tests are executed. An example of a glassbox approach would be packet capture replay solutions. In this case, you are able to see the traffic being used as part of the test, but there is little to no modification available. A glassbox approach is useful for organizations that are larger or more mature and would like to implement a breach and attack simulation tool, but may not have the resources or desire to manage an openbox approach. This may also become a scalability limitation: if your organization does have the resources and expertise to take more control over how tests are executed, a glassbox approach may be somewhat limiting.

Openbox Approach
An openbox approach takes the same approach as a glassbox approach; however, the source code of the tests is made available to operators. This allows for full transparency and customization of how the tests are executed. An openbox approach provides mature security organizations a ton of flexibility. However, this testing approach may be dangerous if operators don’t have the experience necessary to properly write tests and the proper guardrails are not in place in the BAS tool.
Framework Alignment
Although there are a few frameworks you could lay on top of BAS testing tools, the most prevalent is the MITRE ATT&CK Framework. Along with many defensive tools, breach and attack simulation tools often align themselves with the MITRE ATT&CK Framework. This makes sense for organizations that are trying to find a way to match security controls to offensive tactics. MITRE has organized attacker techniques into multiple categories along the attack chain. On the MITRE ATT&CK website, you can drill into techniques under each category to get a better understanding of how a technique works, threat groups known to use the technique, how to mitigate and detect the technique, and references to articles on the technique. Some breach and attack simulation tools allow you to understand where your defensive gaps may lie in the context of MITRE ATT&CK.
● If the tool aligns to ATT&CK, you should be able to design your test based on techniques that are used by known threat actors.
● If the tool doesn’t have direct MITRE ATT&CK alignment, you can use a freely available online tool like the MITRE ATT&CK Navigator to understand the attack patterns of known threat actors and then find tests within your BAS tool that align to those techniques.
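As an added example (not course material or any vendor’s code) of the second bullet: read the technique IDs out of an ATT&CK Navigator layer export and match them against the technique IDs a BAS tool’s test catalog claims, so the result is a list of what you can test today, what is only partially covered, and what is a gap. The layer, the catalog, and the test names are constructed for illustration.

```python
"""
Added example (not from the course or any BAS vendor): compare the techniques
in a MITRE ATT&CK Navigator layer against the ATT&CK technique IDs a BAS tool's
test content claims, and report covered techniques, partial coverage and gaps.
The layer and the test catalog below are constructed for illustration.
"""
import json
from typing import Dict, List, Set

# Constructed Navigator-style layer with only the fields this script reads.
# Navigator layers score techniques; a score of 0 is treated as "not used".
THREAT_GROUP_LAYER = json.dumps({
    "name": "example threat group (constructed)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1566.001", "score": 1},   # Spearphishing Attachment
        {"techniqueID": "T1059.001", "score": 1},   # PowerShell
        {"techniqueID": "T1003.001", "score": 1},   # LSASS Memory
        {"techniqueID": "T1547.001", "score": 1},   # Registry Run Keys
        {"techniqueID": "T1021.002", "score": 1},   # SMB/Windows Admin Shares
        {"techniqueID": "T1110", "score": 1},       # Brute Force (parent only)
        {"techniqueID": "T1486", "score": 0},       # scored 0: not used
    ],
})

# Constructed BAS test catalog: test name -> technique IDs the test exercises.
BAS_CATALOG: Dict[str, List[str]] = {
    "PowerShell execution emulation": ["T1059.001"],
    "Credential dumping emulation": ["T1003.001"],
    "Run key persistence emulation": ["T1547.001"],
    "Admin share lateral movement": ["T1021.002"],
    "Password spraying emulation": ["T1110.003"],
}


def techniques_in_layer(layer_json: str, min_score: int = 1) -> Set[str]:
    """Technique IDs the layer marks as used by the threat group."""
    layer = json.loads(layer_json)
    return {t["techniqueID"] for t in layer["techniques"]
            if t.get("score", 0) >= min_score}


def parent_technique(tid: str) -> str:
    """Map a sub-technique to its parent: T1059.001 -> T1059; T1110 -> T1110."""
    return tid.split(".", 1)[0]


def coverage(wanted: Set[str], catalog: Dict[str, List[str]]) -> Dict[str, object]:
    """Exact ID matches count as covered; a match only at the parent/child level
    (catalog has T1110.003, the group is scored on T1110) counts as partial."""
    exact = {tid for ids in catalog.values() for tid in ids}
    families = {parent_technique(tid) for tid in exact}
    covered = {tid: sorted(name for name, ids in catalog.items() if tid in ids)
               for tid in wanted if tid in exact}
    partial = sorted(tid for tid in wanted
                     if tid not in exact and parent_technique(tid) in families)
    gaps = sorted(tid for tid in wanted
                  if tid not in exact and parent_technique(tid) not in families)
    return {"covered": covered, "partial": partial, "gaps": gaps}


if __name__ == "__main__":
    report = coverage(techniques_in_layer(THREAT_GROUP_LAYER), BAS_CATALOG)
    for tid, tests in report["covered"].items():
        print(f"covered  {tid}: {', '.join(tests)}")
    for tid in report["partial"]:
        print(f"partial  {tid}: only a related parent/sub-technique is in the catalog")
    for tid in report["gaps"]:
        print(f"gap      {tid}: no test content; needs custom content or another control")
```

Partial matches are worth a second look rather than an automatic pass: a password-spraying test says nothing about whether other brute-force variants are detected.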
Continuous Security Validation
Continuous security validation is the process of taking your existing individual security controls, creating unit tests for those controls, executing those tests, and analyzing the results. For example:
● You have a DLP solution or a firewall, and you are using it to block a specific rule or action.
● For every rule or action you create, you should also design a test for that rule.
● If I’m blocking a specific domain or URL, I would create a test that tries to reach that domain or URL.
● If I’m blocking a specific text pattern in my DLP, I would create a test that tries to mimic that pattern and exfiltrate data.
Let’s keep it simple and stick to the firewall example with a blocked URL. We will call it www.blockme.com. Once my rule has been created and the policy has been pushed to block www.blockme.com on the firewall, I create a test using a BAS tool, or even scripting, to try to make a connection from my network through the firewall and out to www.blockme.com. Now I execute the test and make sure that the results come back that it could not connect.
It’s important to remember to execute this sort of testing against all firewalls to validate that the policy you pushed was deployed correctly. Once we’ve validated that our test to www.blockme.com is actually being blocked, we need to schedule this test to occur regularly so that we can be certain that the rule we put in place continues to work as desired.
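The “or even scripting” route, as an added example that is not part of the course: a small check for the www.blockme.com rule, written so it can run from a scheduler on a host behind each firewall. It pairs the blocked URL with a control URL that must stay reachable, so a host with no egress at all cannot make the test pass for the wrong reason; the control URL name and the block-page status codes are assumptions.

```python
"""
Added example, not code from the course: a scripted version of the
www.blockme.com firewall check described above, shaped so it can run on a
schedule. The control URL name and the block-page status codes are assumptions.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Some firewalls or proxies answer with a block page instead of dropping the
# connection; those statuses still mean "blocked", but the detail is recorded.
BLOCK_PAGE_STATUSES = {403, 451}

Connector = Callable[[str, float], int]


def http_connector(url: str, timeout: float) -> int:
    """Real probe: fetch the URL and return its HTTP status (raises on failure)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def table_connector(table: Dict[str, Union[int, BaseException]]) -> Connector:
    """Offline stand-in for http_connector with constructed per-URL outcomes."""
    def connect(url: str, timeout: float) -> int:
        outcome = table[url]
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return connect


@dataclass
class RuleResult:
    url: str
    expected: str   # "blocked" or "reachable"
    observed: str   # "blocked" or "reachable"
    detail: str

    @property
    def passed(self) -> bool:
        return self.expected == self.observed


def observe(url: str, connector: Connector, timeout: float = 5.0) -> Tuple[str, str]:
    """Classify one connection attempt as blocked or reachable, with a reason."""
    try:
        status = connector(url, timeout)
    except urllib.error.HTTPError as exc:      # something answered with an error
        if exc.code in BLOCK_PAGE_STATUSES:
            return "blocked", f"block page HTTP {exc.code}"
        return "reachable", f"HTTP {exc.code}"
    except OSError as exc:                      # URLError, timeout, refused, DNS
        return "blocked", f"no connection ({type(exc).__name__}: {exc})"
    if status in BLOCK_PAGE_STATUSES:
        return "blocked", f"block page HTTP {status}"
    return "reachable", f"HTTP {status}"


def validate_rules(rules: List[Tuple[str, str]],
                   connector: Connector = http_connector) -> List[RuleResult]:
    """Probe every (url, expected) pair; run from behind each firewall in turn."""
    results = []
    for url, expected in rules:
        observed, detail = observe(url, connector)
        results.append(RuleResult(url, expected, observed, detail))
    return results


def all_passed(results: List[RuleResult]) -> bool:
    return all(r.passed for r in results)


# The rule under test plus a control URL (assumed to be allowed). The control
# catches a host with no egress at all, where the blocked test would otherwise
# pass for the wrong reason.
RULES = [
    ("http://www.blockme.com/", "blocked"),
    ("http://control.example/", "reachable"),
]

if __name__ == "__main__":
    for r in validate_rules(RULES):
        print("PASS" if r.passed else "FAIL", r.url, f"expected={r.expected}",
              f"observed={r.observed}", r.detail)
```

A failing control row means the probe host, not the rule, needs attention; a “reachable” row for www.blockme.com is the finding to raise with whoever owns that firewall.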
User/SOC/MSSP Testing
Another use case that is fairly common for BAS tools is the testing of your security team, whether that team is internal, an MSSP, or a combination of both. By simulating an actual attack you can understand how your team responds. This can be useful in identifying gaps in policy, procedure, or training. When designing assessments for personnel testing, it’s important to consider a design that emulates that of an attacker. Using a tool like the MITRE ATT&CK Navigator can allow you to see the TTPs known to be used by advanced threat groups. It’s also important to keep in mind what sort of IOCs or events you expect your security team to report on during an incident.
Security Tool Bake Off & Proof of Concept Testing
Alright, so you’ve identified your deficiencies while performing gap analysis. It’s time to put your plan into action and start selecting the tools you will purchase to cover those gaps. Here’s the problem – you want to be as certain as possible that the tool you are about to spend a lot of money on actually follows through on its promise to fill those gaps. By taking a scientific approach that is measured and repeatable with each solution to be tested, you can make sure that you are choosing the best tool to meet your needs. BAS tools fit in well here because they allow you to take a lot of the manual process and documentation out of the equation. Here are some suggestions I’ve given security teams in the past:
● Make sure your testing scope only includes tests that make sense for the solution you are evaluating. It doesn’t make sense to run credential theft testing against a network firewall solution, and doing so can skew results.
● If possible, execute your testing in production to get the most accurate picture of how the product will perform in your environment.
● Use a control – For example: if you are testing endpoint solutions, make sure that one of the hosts you are testing does not have that endpoint solution installed. This allows you to see where there may already be some overlap in coverage, or a false reading in your testing.
Another side benefit of performing testing this way is that when you do choose a solution to purchase and implement, you will already have the tests designed that will help verify that your implementation is correct. You can also use this same test plan continuously with that security control to ensure that environmental changes to your enterprise do not affect how the security control operates.
Purple Teaming
Red Teams are expensive and highly specialized. They should be innovating, not playing gotcha! Blue Teams are overworked and spread too thinly. They should be hunting, not maintaining. Purple Teaming is an organizational concept by which red and blue functions occur simultaneously, continuously, tightly coupled, and with full knowledge of each other’s capabilities, limitations, and intent at any given time. Given reliable access to red capabilities, this methodology allows security teams to iteratively increase program maturity as a product of continuously clearing low-effort attacks from the board.
Let’s take a look at the workflow of a purple team.
1. Red Team executes iterative attacks against friendly cyberspace, tuned to replicate adversary capabilities and prevent irrecoverable disruption.
2. Stopped attacks generate reports of detection and mitigation details back to the Red Team.
3. Successful attacks generate reports of the attack method and exposure details back to the Blue Team.
4. Red and Blue Teams jointly debrief all actions in coordination with IT Ops; mitigations are emplaced, attack techniques refined, and the attack surface reduced.
5. Continuous testing and improvement refines detection capabilities and enables ever-more difficult scenario execution, which in turn refines detection capabilities further.
How Does BAS Fit Into Purple Teaming?
● Breach and Attack simulation tools can help with Red Team execution by providing a platform to make sure test procedures are safe, controlled, and documented.
● Integrations with other defensive security tools like EDR, firewalls, AV, and IDS/IPS can allow BAS tools to provide instant feedback in a centralized manner to the Red Team.
● Those same integrations can provide instant feedback and centralization for Blue Team members as well. Some BAS platforms will also provide mitigation information to the Blue Team.
● During the joint debrief, data collected by the BAS tool can be analyzed by both Blue and Red Team members. This data can be used as suggestions for both sides on the next piece, which is continuous testing and improvement.
● Continuous testing and improvement: Breach and attack simulation tools allow you to begin automating many of the low-level tasks the red team is doing so that they can continue to innovate. Blue teams are also provided with a way to run those lower-level red team tasks themselves to validate that the measures taken to resolve red team discoveries are always working.
Quality Assurance
Quality Assurance testing can utilize BAS tools to help make sure the security configuration on golden images or new server deployments is correct. Testing your golden image with a BAS tool can greatly decrease the risk of deploying new workstations with improper configuration. Here are a few things to keep in mind:
● Design your tests to match the security controls you put on the host. This may include things like bypassing UAC, privilege escalation, registry modification, or credential theft.
● Don’t just focus on security tool testing. Consider testing operating system policy and other native controls.
● Utilizing a BAS tool with RBAC features can allow Desktop QA engineers to execute testing without having access to results, for separation of duties.
● Utilizing a BAS tool with an API can allow the process of testing to be baked into QA automation tools.
In a world where we are seeing more and more automated deployment of servers, it makes sense that security teams are becoming more and more involved with the quality assurance of these servers. Breach and Attack simulation tools can allow security teams and server deployment teams to feel confident in the configuration and setup of new assets. Some things to consider when using BAS in conjunction with server deployment:
● Don’t forget about a threat informed defense – keep tests lightweight and fast by only testing what you’ve discovered from intel analysis.
● Utilize a BAS tool with an API to automate the process and test rapidly.
● Using a BAS tool that integrates with your security stack can help security operations teams quickly pinpoint what failed if a test does not pass.
Your Next Steps
As adults, we learn best when we apply what we learn. I want to encourage you to download the worksheets that are included in your course resources and use them.

Assessment Test
Your next immediate step is to take the assessment for this course.
● The assessment can be found in your student portal.
● You must get at least 80% to pass this course and will be able to attempt the test twice.
● If you need assistance with the assessment please email [email protected]

Digital Credentials
After you pass the assessment, you will receive your digital credentials through the Credly Acclaim platform. Digital credentials are the badges you may have seen people sharing on LinkedIn. Digital credentials go beyond paper certificates. They are portable, verifiable, and uniquely linked to you. They also ensure that your hard-earned achievements are owned by you, not us - you can access and utilize your digital credential whenever, however, you see fit – including adding it to blockchain. Digital credentials make you - and your achievements - more visible to employers and your professional network.
Share Your Achievements with Your Network
Your skills, competencies, and certifications are worth more than a static bullet point on a resume or a paper certificate hanging on the wall in your office. When represented as a digital credential, you can share your achievements with your network in one click from Credly’s Acclaim platform. Peers and employers can verify and learn more about what it is you can do thanks to earning a digital credential from AttackIQ. And research shows that professionals who share their digital credentials on professional networking sites are discovered by employers, on average, six times more often than those who do not.

Share Your Knowledge With Your Network
If you enjoyed this course, please tell your colleagues about the AttackIQ Academy and share with them the things we’ve discussed today.

Share Your Opinions
You will be emailed a link to a survey after you complete this course. We would greatly appreciate it if you would complete this quick survey for us, as it helps us to continually improve our courses.