Your organization's Security Gap is the inevitable lag that exists between initial intrusion and first detection. While prevention efforts should not be ignored, a true measure of an organization's APT readiness is found in its ability to quickly detect security intrusions and thoroughly uncover the extent and impact of those intrusions.
Praetorian will assess your organization's intrusion prevention, detection, and response capabilities by simulating real-world advanced threats, enabling your team to better understand and prepare for the next major security incident.
Better Understand and Prepare for Advanced Threats
Advanced Persistent Threat (APT) Simulation Overview
In today's changing security environment, where advanced persistent threats (APT) are playing such a dramatic and notable role, it is the security organization's responsibility to ensure senior leadership understands and accepts risk associated with modern-day advanced threat actors.
Praetorian helps you better understand and prepare for advanced threats by simulating real-world attacks using the same adaptive Tactics, Techniques and Procedures (TTP) that modern-day threat actors use to predict and evade your security controls and incident response best practices. Our unique offering provides a holistic approach to security testing by carefully examining weaknesses from several standpoints including systems, networks, applications, physical locations, and employees (who may be susceptible to social engineering or phishing attacks).
Praetorian's methodology follows the standard APT lifecycle that has been observed in many targeted, real-world attacks over the last decade. Specific anatomy of attack details can be defined pre-engagement to simulate desired attack scenarios, or you can leave attack decisions up to our adaptive attack team to simulate a more real-world stealth attack.
Our Methodology Follows the Advanced Persistent Threat (APT) Lifecycle
Preliminary intelligence gathering and threat modeling—specific to the target organization—is conducted in preparation for the initial compromise. Social engineering is often used to exploit one of the weakest links in security—the human element. The most common vehicle of social engineering is via email in the form of a spear phishing attack. Other popular infection methods include web application attacks, zero-day exploits, custom malware designed to evade signature-based detection, and other proprietary hacking tools.
In a spear phishing attack scenario, Praetorian leverages well-known sales and marketing resources during the reconnaissance phase to gather information about the target organization's employees. Publicly available tools are used to enumerate employee names, titles, associated departments, and email addresses from the resource databases. Via these tools, a company-wide organization chart is assembled and potential targets are identified. Custom domain names are registered and used as pretext for well-crafted, effective phishing emails. When opened, the malicious email attachment or embedded link initiates a call home across the Internet to systems controlled by Praetorian and delivers access to the target's internal network. The victim system is infected with remote administration malware to create network backdoors and tunneling, which allows stealth access to client infrastructure. Establishing a foothold in the target environment is the primary objective during the initial compromise.
Exploits and password cracking are used to acquire administrator privileges over the victim's computer and, where possible, to extend them to Windows domain administrator accounts. Additional actions are taken to collect information on surrounding infrastructure, trust relationships, and Windows domain structure. The collected information is then leveraged to expand control to other workstations, servers, and infrastructure elements, and to perform data harvesting on these systems.
Active steps are taken to cover tracks and ensure continued control over access channels and credentials acquired in previous steps. Once persistent access has been achieved, attack methods shift to enumerating other internal assets and fulfilling defined scenario-based objectives.
The following attack scenarios serve as a representation for the kind of activities that can be performed during a typical advanced threat simulation.
Scenario 1: Web Application Attack
Praetorian notes that the forgot-password feature on several web applications can be leveraged for user enumeration. Because a correct username only results in a redirection to another page, and not in the account password actually being reset, Praetorian does not need to worry about resetting the passwords of every account whose valid username is discovered. Using tools with username-generation features and a username wordlist, the responses to all of the requests can be filtered and valid usernames identified.
Next, Praetorian identifies the number of password attempts that would trigger a soft lockout. To be cautious and avoid locking out user accounts, Praetorian attempts only a few of the most common passwords against the list of valid usernames. Based on the web application's responses, Praetorian can quickly pick out the successful logins.
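The two weaknesses Scenario 1 relies on are a forgot-password endpoint whose response differs for valid and invalid usernames, and guessing that deliberately stays below the soft-lockout threshold so that per-account counters never fire. The following is an added example, not Praetorian's code or the client's application: it places a leaky handler beside one that answers every username identically, and then runs a detector over constructed authentication log lines that keys on the shape of the guessing (many distinct accounts, few failures each, from one source) rather than on a per-account counter. The usernames, source addresses and log format are constructed.

```python
# Added example, not Praetorian's code. Part 1 contrasts a forgot-password
# handler that answers differently for valid and invalid usernames (the
# enumeration oracle of Scenario 1) with one that answers identically.
# Part 2 flags the low-and-slow guessing of Scenario 1 in constructed auth logs.
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_USERS = {"alice", "bob", "carol"}   # constructed sample user store


def forgot_password_leaky(username):
    """Vulnerable: a valid username redirects, an unknown one gets an error,
    so the response alone tells the caller whether the account exists."""
    if username in KNOWN_USERS:
        return {"status": 302, "location": "/reset-link-sent"}
    return {"status": 200, "body": "No account with that username."}


def forgot_password_uniform(username):
    """Hardened: the token is generated and the same message returned for
    every username; only the (out-of-band, hypothetical) e-mail send differs."""
    token = secrets.token_urlsafe(32)           # work done unconditionally
    if username in KNOWN_USERS:
        queue_reset_email(username, token)      # async send; nothing awaited here
    return {"status": 200, "body": "If that account exists, a reset link has been sent."}


def queue_reset_email(username, token):
    """Stand-in for a mail queue (hypothetical); does nothing in this example."""
    return None


LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def detect_spray(lines, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Flag sources whose failures, within `window` of their first failure, touch
    at least `min_users` distinct accounts with at most `max_per_user` tries each:
    the shape of guessing that deliberately stays under the soft-lockout threshold,
    and the opposite of a single-account brute force."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "FAIL":
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = events[0][0]
        per_user = defaultdict(int)
        for ts, user in events:
            if ts - start <= window:
                per_user[user] += 1
        worst = max(per_user.values())
        if len(per_user) >= min_users and worst <= max_per_user:
            flagged[src] = {"distinct_users": len(per_user), "max_per_user": worst}
    return flagged


def constructed_log():
    """Constructed sample: 203.0.113.5 tries two passwords against 12 accounts
    (spray); 198.51.100.7 hammers one account six times (classic brute force)."""
    lines, t = [], datetime(2024, 5, 1, 10, 0, 0)
    for i in range(12):
        for _ in range(2):
            t += timedelta(seconds=7)
            lines.append(f"{t.isoformat()} src=203.0.113.5 user=user{i:02d} result=FAIL")
    for _ in range(6):
        t += timedelta(seconds=3)
        lines.append(f"{t.isoformat()} src=198.51.100.7 user=user03 result=FAIL")
    return lines


if __name__ == "__main__":
    print(detect_spray(constructed_log()))
```

The detector flags only the spraying source; the six failures against one account from the second source are what a per-account lockout already catches, and a real deployment would run both rules. The window is measured from each source's first failure for simplicity; a sliding window and source aggregation across NAT or proxy addresses are the usual refinements.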
Scenario 2: Employee Phishing Email Attack
Social engineering exploits one of the weakest links in security. The technique uses persuasion and manipulation of people to acquire unauthorized access and/or obtain sensitive information. One of the most common vehicles of social engineering is via email in the form of a phishing attack. Many of the recent breaches that have made news headlines were due, in part, to targeted “spear” phishing campaigns. As organizations have stepped up their perimeter security, hackers have pivoted to users and client-side attacks to penetrate their targets. As an example, these phishing tactics were leveraged during both Operation Aurora and Operation Night Dragon.
Praetorian uses technical tools to enumerate employee names and titles from public databases. The domain acme-secure.com is then registered for use in the phishing attack. A phishing email is crafted for the ACME Corp employees chosen for the attack; it asks users to browse to a website and run a Java applet to update their system.
Users who click the link are directed to a malicious website hosted by Praetorian. The website invites users to unknowingly install a malicious applet on their computer. Once users download the malicious applet, the applet phones home across the Internet to systems controlled by Praetorian.
Praetorian gains access to the internal network once employees run the malicious Java applet. This access is leveraged to begin the same enumeration and reconnaissance process that occurs during an internal penetration test. Praetorian's attack team is able to enumerate production MSSQL servers. By pivoting from systems compromised through phishing attacks, Praetorian is easily able to compromise the entire internal network in an efficient manner.
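The pretext domain in this scenario, acme-secure.com, borrows the brand name while being unrelated to the company's real domain. The following is an added example, not Praetorian's code: a mail-gateway style check that flags sender domains which reuse a brand token or sit within a small edit distance of the legitimate domain. It assumes acme.com as ACME Corp's legitimate domain (a hypothetical value), and the sample addresses are constructed.

```python
# Added example, not Praetorian's code. Flags inbound sender domains that
# imitate the organization's real domain, as acme-secure.com imitates ACME
# Corp in Scenario 2. acme.com as ACME Corp's legitimate domain is an assumption.
import re

LEGIT_DOMAINS = {"acme.com"}     # assumed legitimate domain (hypothetical)
BRAND_TOKENS = {"acme"}          # brand strings a pretext domain is likely to reuse


def registered_domain(host):
    """Last two labels of a hostname. Simplification: multi-part public suffixes
    such as co.uk are not handled; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) by the standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return (label, reasons) for a From: address, where label is
    'legitimate', 'suspicious' or 'unrelated'."""
    domain = registered_domain(address.rsplit("@", 1)[-1])
    if domain in LEGIT_DOMAINS:
        return "legitimate", []
    sld = domain.split(".")[0]
    squashed = re.sub(r"[-_]", "", sld)   # acme-secure -> acmesecure
    reasons = []
    for token in BRAND_TOKENS:
        if token in squashed:
            reasons.append(f"contains brand token {token!r}")
    for legit in LEGIT_DOMAINS:
        d = levenshtein(sld, legit.split(".")[0])
        if 0 < d <= 2:
            reasons.append(f"edit distance {d} from {legit}")
    return ("suspicious" if reasons else "unrelated"), reasons


SAMPLE_SENDERS = [  # constructed addresses
    "it-support@acme.com",
    "it-support@acme-secure.com",
    "helpdesk@mail.acrne.com",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, classify_sender(sender))
```

A flagged result is a reason to quarantine or banner the message, not proof of phishing; partner and vendor domains that legitimately contain the brand name belong on an allowlist next to `LEGIT_DOMAINS`.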
Scenario 3: Infected Laptop via Malware
Infected laptops or workstations are a common culprit in spreading malware. Workstations that become infected are used as a beachhead to carry out attacks on the corporate network. The most important aspect in dealing with an infected laptop is being able to detect and isolate it quickly from the network. Unfortunately, on numerous occasions, Praetorian is able to compromise a system and use this access to demonstrate a breach of the corporate and extended environments without being detected.
Based on the Verizon Data Breach Investigation Report 2012, malware was responsible for 69% of the data breaches. The primary function of malware is to install a backdoor so that an external attacker can remotely control the infected system. In simulating APT actors, once persistent access has been achieved, Praetorian then shifts efforts to enumerating other internal assets and fulfilling other primary objectives.
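Both the phishing applet in Scenario 2 and the backdoor described here "phone home" to attacker-controlled systems, and malware that does so on a timer leaves a timing signature that a person browsing does not. The following is an added example, not Praetorian's code: it scores outbound connections per (internal host, destination) by the regularity of their intervals, using the coefficient of variation, over constructed proxy log lines. The log format, hosts and thresholds are constructed.

```python
# Added example, not Praetorian's code. Scores outbound connections per
# (internal host, destination) by the regularity of their timing: a backdoor
# that phones home on a timer produces near-constant intervals, while a
# person browsing does not. Log format and hosts are constructed.
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)$")


def detect_beacons(lines, min_connections=10, max_cv=0.15):
    """Return {(src, dst): (count, coefficient_of_variation)} for pairs with at
    least `min_connections` connections whose interval stdev/mean is below `max_cv`."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            times[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:            # all connections at the same instant: not a beacon
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = (len(ts), round(cv, 3))
    return hits


def constructed_log():
    """Constructed proxy log: 10.0.0.5 reaches 198.51.100.23 every ~60 s with
    slight jitter (beacon); 10.0.0.7 reaches example.com at irregular gaps."""
    beacon_gaps = [58, 61, 60, 59, 62, 60, 61, 59, 60, 60, 58, 62, 60, 61, 59, 60, 60, 61, 59]
    browse_gaps = [3, 45, 2, 300, 17, 9, 120, 4, 60, 1, 250, 33, 8, 90, 5, 200, 14, 2, 75]
    lines = []
    for src, dst, gaps in (("10.0.0.5", "198.51.100.23", beacon_gaps),
                           ("10.0.0.7", "example.com", browse_gaps)):
        t = datetime(2024, 5, 1, 9, 0, 0)
        lines.append(f"{t.isoformat()} {src} -> {dst}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} {src} -> {dst}")
    return lines


if __name__ == "__main__":
    print(detect_beacons(constructed_log()))
```

Regularity alone also matches legitimate software update checks and monitoring agents, so the hit list is a triage queue: destinations not on an allowlist of known services, or first seen recently, are the ones worth isolating the host for. Malware that randomizes its sleep widens the interval spread, so a production rule usually combines this score with request size uniformity and destination reputation.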
Scenario 4: Retail Store Physical Attack
Praetorian gains physical access to an ACME Corp retail store location and compromises network communications to intercept sensitive information. While this scenario appears unlikely, it follows methods used by Albert Gonzalez, who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007 – the biggest such fraud in history. His victims included companies such as Dave & Busters, Heartland Payment Systems, BJ's Wholesale Club, DSW, Office Max, Boston Market, Barnes & Noble, Sports Authority and T.J. Maxx.
Initially, Praetorian calls the store posing as ACME Corp's CISO to inform the employees of a supposed network issue that requires on-site troubleshooting by corporate network engineers. Praetorian wears ACME Corp-themed clothing and carries ACME Corp business cards and forged access badges bearing the ACME Corp logo. Praetorian is allowed access behind the retail counter and connects laptops to the network infrastructure, which is accessible on a shelf beneath a Point-of-Sale system.
Close-Out Meetings and Final Deliverables
Upon completion of the assessment, Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify the areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.
The report also includes an Anatomy of Attack section which provides an in-depth breakdown of the Tactics, Techniques and Procedures (TTP) used in the advanced threat simulation.
The report deliverable will include the following high-level sections in a format suitable for management:
- Purpose of the engagement including project's scope and approach
- Positive security controls that were identified
- Tactical resolutions to immediately reduce risk in the environment
- Strategic recommendations for preventing similar issues from recurring
- An industry comparison based on consultancy experience and results from similar previous engagements
The report deliverable will also include the following in-depth analysis and recommendations, intended for technical staff, so that they understand the underlying risks and how to address them:
- A technical description and classification of each vulnerability
- Anatomy of exploitation including steps taken and proof in the form of screenshots
- Business or technical risk inherent in the vulnerability
- Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
- Technical description of how to mitigate the vulnerability