24 Oct / 2023
Cythera are often approached by clients looking for Red Team services, social engineering and similar attacks which emulate real-world attackers - something over and beyond traditional penetration testing. These terms are commonly used, but typically misunderstood or taken out of context. This article is intended to provide some clarity around these services and Cythera’s approach.
Penetration testing uses the same tools and tactics as an adversary. However, because the engagement is transparent and constrained by time and budget, the consultant is less stealthy than a real-world attacker would be. The upside is efficiency: since time is at a premium, a penetration tester can afford the luxury of launching attacks that are quite "noisy" by nature, be it brute force attacks or fuzzing web forms. Testers are likely to trip all manner of alerts by sending large numbers of requests in a short period, and in a time-constrained white box engagement this is standard practice. The scope of a penetration test is also intentionally constrained, e.g. to a specific website, an API or an entire environment. The intention of these constraints is, among other things, to provide breadth of coverage over a given environment.
However, in a Red Team exercise, which Cythera has termed "Adversary Simulation", the attacker must, by definition, remain stealthy. This means attacks take more time to plan and often to execute, so the engagement takes longer. The scope might be extremely bespoke (e.g. obtain Global Administrator access to M365) and the rules of engagement considerably more permissive to facilitate that outcome, employing tactics many might consider unfair (e.g. social engineering is permitted).
This is the point of red teaming: testing your defences in the way an attacker might. In this case "the gloves come off", so to speak. The increase in time, budget and scope, together with the expanded rules of engagement, allows for far more comprehensive testing that reflects real-world attacks, such as those traditionally seen from professional cybercriminals or advanced persistent threats (APTs). Mimicking what an attacker might do requires, by definition, as few constraints as possible.
This means an increase in challenge – to both the defenders to detect these attacks and the service provider to execute. It is also worth pointing out that the nature of these services inclines towards higher risk for both parties due to the fact Red Teaming involves testing people, assets, and access in live situations.
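The detection side of this difference can be shown with a small worked example. The following is an added illustration, not code from the original article or from Cythera: a simple per-source sliding-window rate alert, of the kind many SIEM or WAF rules implement, run over constructed web access log lines. The log lines, the two source addresses (taken from documentation ranges) and the thresholds are all assumptions for the demonstration. A time-boxed penetration tester fuzzing a login form at ten requests a second exceeds the threshold almost immediately; an adversary simulation sending the same number of requests at one every five minutes never does, which is exactly why a rate rule alone is not enough once "the gloves come off".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.7 - - [24/Oct/2023:10:00:00 +0000] "GET /login?id=1 HTTP/1.1" 404 0
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def burst_sources(lines, window_seconds=60, threshold=50):
    """Sliding-window rate rule: for each source IP, count requests within the
    trailing window; report {ip: peak_count} for sources that reach threshold.
    Lines are assumed to be in chronological order per source."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, ts, _status = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def make_log(ip, start, count, gap_seconds, path="/login"):
    """Constructed sample lines: `count` GET requests from `ip`, `gap_seconds` apart."""
    lines = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * gap_seconds)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path}?id={i} HTTP/1.1" 404 0')
    return lines


START = datetime(2023, 10, 24, 10, 0, 0, tzinfo=timezone.utc)

# Assumed scenario 1: a pentester fuzzing a form, 300 requests at 10 req/s.
NOISY_LINES = make_log("203.0.113.7", START, count=300, gap_seconds=0.1)

# Assumed scenario 2: a red teamer probing the same form, 300 requests
# spread one every five minutes (low and slow).
SLOW_LINES = make_log("198.51.100.9", START, count=300, gap_seconds=300)


if __name__ == "__main__":
    print("noisy pentest:", burst_sources(NOISY_LINES))
    print("low-and-slow adversary simulation:", burst_sources(SLOW_LINES))
```

With the default 50 requests per 60 seconds, only the noisy source is reported. Widening the window to an hour and lowering the threshold to ten (`burst_sources(SLOW_LINES, window_seconds=3600, threshold=10)`) does catch the slow source, but such a rule would also fire on ordinary users, which is the trade-off defenders face when their detection has to cope with a stealthy adversary rather than a time-boxed tester.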
Cythera recommends organisations consider red teaming (Adversary Simulation) engagements once the organisation has a robust and well-established security program. This is to allow an organisation sufficient time to build a solid security base to reap the benefit of more rigorous testing.
How would we define "robust and well-established"? Some common indicators we would look for in discussions with our clients:
If a client cannot comfortably tick these items or at least demonstrate sufficient headway on them, then we would typically recommend different kinds of services which would be of higher value.
In short, yes.
These kinds of engagements poke considerable holes in business processes and practices as well as in technical controls. Many of these issues span different parts of the business, and some can become quite political internally or challenge the culture. As a result, we traditionally emphasise the maturity of a client's cybersecurity program as an essential pre-condition before conducting any Adversary Simulation engagement.
This is incredibly important when discussing engagements such as social engineering, which rely on tricking users into clicking a link, installing software or disclosing information. These exercises must be seen as an educational experience for all and not descend into a blame game. Some staff on the receiving end of these techniques may resent being targeted, or resent the techniques employed, and may feel they are being singled out. Also, these tests are traditionally conducted in a production environment and not within the relative safety of a dedicated test environment, so there is more risk on the client's side of the fence.
We at Cythera pride ourselves on establishing excellent client outcomes. Our focus is centred around being a trusted service provider and partner with our clients to give them high value, cost effective and tailored offerings.
We have invited clients to consider adding Adversary Simulation engagements as part of their security program, however, some clients will benefit from a more tailored offering. One that doesn’t fall under the Adversary Simulation banner but provides a better fit.
For most of our clients, penetration testing will come out considerably cheaper. It will cover the most territory in the shortest amount of time and unearth the most issues. When those issues, and the root causes that led to them, have been remediated, when subsequent penetration tests are showing increasingly fewer vulnerabilities, and when there are specific test cases that penetration testing may not cover, that is when red teaming becomes more viable.