The CyberArk Red Team is a highly qualified group of industry veterans who are trained to use “any means necessary” – just as an attacker would – to help security operations teams identify and measure which threats they can detect – and which ones they cannot.
In a recent post, we asked Shay Nahari, our Head of Red Team Services, about the process and goals of simulated attacks. In this exchange, we ask additional questions about an attack simulation and his team’s approach. Here are some highlights of our conversation:
Q: How do organizations test internal and external systems, so that the exercise successfully mimics real attacks?
A: If you examine real-world breaches, you can see that adversaries are always thinking – and operating – in terms of goals, such as stealing intellectual property or financial records. With traditional penetration testing, you would have someone scan to pinpoint specific vulnerabilities, such an unpatched windows system, on the network. While this is certainly an important vulnerability to know about, advanced attackers simply don’t think like this. They are goal-driven and will try multiple times until they get into the network and on to the path that will lead them to the crown jewels. This is done by hunting for privileges that will allow them to move around on the network. Make no mistake – attackers will get in. Operating under the assumption that you’ve already been breached is the first step in improving your organization’s security posture.
Q: During Red Team adversarial simulation testing, are you asked to breach the perimeter or do begin the exercise on the inside?
A: While we’ve done both forms of testing, we preach to “assume breach,” so we most often start from within the network, on a VM or an internal user’s laptop, for example. There is always a way to get into the network either through exploiting an external facing device or through social engineering.
Q: In your attack simulation, you created a connection back to a C2 server to carry out the initial breach. What are some of the ways to gain network access?
A: We work to gain access in a variety of ways, such as deploying malicious codes in enterprise applications or abusing inherent trust both externally and internally to gain a foothold. Examples include phishing with an HTA file, link or macro embedded document to multiple people within the organization. All of these methods will lead to in-memory execution of our payloads. Once we’ve infiltrated the network, we’ll abuse trust, like credentials, misconfiguration or software vulnerability to escalate privileges locally. Attackers are lazy – they will usually choose the path of least resistance. Humans are always the easiest option to exploit.
Q: So, attackers will try to steal credentials from a compromised machine?
A: There are multiple credential locations within Windows – some of them are within windows credentials managers, user history, applications and even Outlook. Microsoft has done a lot of work to harden these locations (particularly from v8.1 on), but attackers continue to innovate, and they have found ways to circumvent these protections. If there is a privileged credential on a machine, it’s almost impossible to stop an attacker from stealing it and using it to help achieve his/her goal. That’s why it’s so important to ensure workstations don’t contain privileged accounts within the network.
(Editor’s note: CyberArk Endpoint Privilege Manager helps organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privileged security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts. These critical protection technologies are deployed as a single agent to strengthen existing endpoint security. It also enables security teams to enforce granular least privilege policies for IT administrators, helping organizations to effectively segregate duties on Windows servers.)
Q: Is there a difference between an external or internal attack?
A: The concept of inside vs. outside is obsolete. We view internal resources as hostile territory. Organizations need to treat their internal network in the same way they treat their external network. Just like you would not put an RDP connection outside, connected to the internet with a weak password, you should not do it internally. At the end of the day, a compromised workstation or malicious insider will lead to the same result.
Q: What is the biggest deterrent to you being able to move laterally throughout a network?
A: This is relevant to almost every threat actor out there – from script kiddies to nation states and everything in between: Lateral movement occurs after an attacker finds a user’s privileged accounts and begins impersonating that user by using those privileged accounts. In almost all of our engagements, we end up searching and querying Active Directory to figure out who is logging in and from where, in our hunt for privileges. As an attacker, if I cannot access your privileged accounts (passwords, SSH keys, tokens, etc.), my job becomes infinitely harder to do.
Interested in learning more about what our Red Team’s research? Check out our Threat Research blog, which features in-depth technical research from CyberArk Labs and Red Team security experts to help you think like an attacker by keeping you ahead of the latest threats.