Do you have a cybersecurity strategy? Creating a planned and defined strategy is good advice for any challenge you face in your personal or professional life. Having a plan and a well-defined cybersecurity strategy may be the only thing that lets you sleep at night, keeping the bad guys out while your company grows into your greatest success. But before setting up solutions, define the problem properly.
In this short article, I want to share my personal experience as a member of OP Innovate’s Red Team on how we help organizations around the globe increase their cyber resilience by launching offensive campaigns. This article’s target audience is anyone with a stake in the cybersecurity agenda, from executives to security experts, from developers to the human resources staff who can read it and put it to use. Organizational awareness is a primary concern, since attackers look for the weakest link, the smallest opening through which to launch their attack on the organization’s perimeter and get their hands on the ‘crown jewels’ (privilege management, data encryption, and more). In some cases, we have launched Red Team exercises in which the attackers gained entry by using social engineering techniques to manipulate a bookkeeper into wiring money to a foreign bank account, or to manipulate the cleaning lady into inserting a malicious device into one of the endpoints.
During the last seven years, we came to understand a painful truth – if you surround yourself with high enough walls, attackers will hit your neighbor next door. In cybersecurity, this means that if the organization manages its risk appetite and keeps updating, maintaining, and improving its security measures, the casual attacker may turn their attention elsewhere and search for a different victim. Of course, if an attacker with enough motivation and matching resources decides to target your organization with an advanced and persistent campaign, it’s only a matter of time until they succeed. Therefore, every organization should be prepared with a crisis management plan, a business continuity plan, an incident response plan, and similar measures to protect sensitive assets against a worst-case scenario.
Our years of experience as a red team, trying to think, plan, and act as the bad guys do, led us to develop a model that provides organizations with the most realistic simulation of what attackers do after they mark your organization as a target. Our attack model is based on 6 steps designed to be as similar as possible to the steps taken by attackers. Mimicking these steps enables us to discover, mark, and assess the main threats and vulnerabilities waiting to be exploited.
In the following section, you will find an elaboration on each step in the ‘OP Innovate offensive framework’. Each step in the model can be performed independently, but the power of their combination leads to valuable strategy outputs. Implementing the steps in the organization will help you understand the existing gaps and decide which measures your organization should adopt in order to close each gap.
CTI (Cyber Threat Intelligence) and OSINT (Open Source Intelligence) reconnaissance are the first operations an attacker performs prior to launching their cyber attack. The rationale here is: why work hard researching unknown exploits when you can find open vulnerabilities in the wild using Google dorks, the dark web, or automated tools?
Each new project we undertake begins with our Intelligence team. They own active avatars in dark web forums that discuss exploits, vulnerabilities, and sensitive data leaks. They map the attack surface and provide the red team with detailed leads on exploitable weaknesses, such as vulnerable systems, leaked credentials usable in phishing and social engineering, locations for physical penetration, and more.
The CTI team presents their research findings to the rest of the team in the ‘Red Meeting’. Together they build a mind map of the most effective attack vectors to break in and achieve the desired impact. In some cases, the teams will make use of known vulnerabilities, while in other cases they will create a tailored campaign to prove that the organization is vulnerable.
At this stage, we already know whether the organization is using a specific cloud platform, a web app, locally networked endpoints, a SCADA environment, iOS/Android, and more. We know whether they have security policies to protect against outsider and insider threats, what their most valuable assets are, and which data is sensitive. We also know the team’s boundaries: when to stop the attack without triggering compliance issues and when to report critical findings. The red team looks for weaknesses that beget other weaknesses. They might use insider assistance or crawling tools to pivot between machines and escalate their privileges towards the goal of full domain takeover.
When the penetration testing phase is finished, our red team will often “switch hats” to white and start exploring the lines of application source code to look for exploitable weaknesses that could be used by attackers. While the pen-testing process reveals vulnerabilities that are reachable by users, the code review also reveals back-end weaknesses such as bad logic. While secure code review is aided by automated code review tools, most of it relies on the creativity of our researchers, who ask questions such as “how can I, as an attacker, make the best use of this code to damage the asset?” and undertake reverse engineering and deep-digging initiatives.
Our main goal is to increase our clients’ cyber resilience by exposing their vulnerabilities and weaknesses. However, it is also a process of identifying “lessons learned” and training their staff. We transfer the knowledge to the developers and mentor them in the ‘SSDLC’ (Secure Software Development Life Cycle) by showing them how their code could be better secured and how to learn from mistakes. In some cases, we also conduct tabletop exercises for management and the board of directors. As the leaders of the organization, they need to hone their ability to work under pressure and understand the playbooks and methods for dealing with cyber incidents when they occur.
At the end of the process, and to provide a comprehensive service, we take a macro perspective and plan ahead. Now that our team has mapped out the “problem”, it is ready to suggest a proper “solution”. Because the team is familiar with the organization’s assets, roles, people, strengths, and weaknesses, it is ready to act as the best incident response team for any case, available 24/7 whenever needed. This is also the time to build an incident response plan, tailored playbooks, and a business continuity plan.
According to an IBM study, over 77% of organizations do not have a cybersecurity incident response plan, and most companies take nearly 6 months to detect a data breach, even a major one.
Preventative measures can save time and prevent revenue losses, reputational damage, and displeased shareholders. You’ll get a big RoSI (Return on Security Investment) by investing in a detailed and proactive cybersecurity strategy.
OP Innovate was established in 2014 to defend global enterprises from the increasing challenges of organizational cybersecurity. Our team has unmatched expertise in cyber research, penetration testing, incident response, training, and forensics. Our team members are exposed to cutting-edge responses to today’s most critical cybersecurity concerns, allowing us and our partners to remain ahead of the bad guys.
Written by Shay Pinsker, COO @ OP Innovate.