Cyber Teams
0xchrisb, Nov 16, 2023
Cyber attacks can happen to any organization. It is not a matter of “if” an attack will happen, but “when.”
By simulating attacks with dedicated exercises and engagements that mimic adversaries in the wild, leaders can foster a proactive approach to security that improves their organization’s security posture.
Attack simulation exercises go beyond the scope of traditional penetration tests. In attack simulation exercises, real-world cyber-attacks are simulated to assess an organization's overall security readiness, including people, processes, and technology.
The holistic perspective taken in an attack simulation is also one of the key advantages in comparison to traditional penetration testing.
While penetration tests often focus on specific assets and finding all vulnerabilities within them, attack simulations also allow one to look left and right to identify vulnerabilities. (Looking left and right includes taking trust relationships between systems into account when creating attack vectors and seeing systems as a whole.)
Advanced attack simulation exercises play a vital role in identifying vulnerabilities that may have been overlooked in traditional security assessments, such as penetration tests.
While penetration tests often follow a pre-defined testing methodology, such as the OWASP Web Security Testing Guide, advanced attack simulation exercises are not limited by pre-defined methodologies.
Advanced attack simulations are dynamic and develop while the simulation is performed. Dynamic here means that the red teamer constantly adapts the original plan of attack and the course of action to new findings.
Through sophisticated attack vectors, red teams access the infrastructure and bypass security controls to assess the organization's response and resilience.
The dynamic approach helps organizations gain a more comprehensive understanding of their security posture as the red team can constantly adapt.
Following the attack plan also involves looking to the left and right to identify inconspicuous attack opportunities.
A good example of this is a scenario in which you get asked to gain access to the administrative area of a web application. In a traditional penetration test, the web application would be tested to identify if it is possible to get administrative access.
In an attack simulation, you’ll test the web application, but would also try other paths to get administrative access—such as performing phishing attacks against employees. Basically, in attack simulation exercises, there should be almost no limits on how to reach a goal (even though you should still comply with the law).
In the past, I have examined and attacked complex structures and environments, including banking (SEPA/SWIFT), operational technology (KRITIS), integration environments (DevOps), and tailored cloud environments.
The top five weaknesses I’ve encountered during different exercises are:
The human factor is the most common weakness we face when it comes to attack simulations. A few years ago, I participated in an attack simulation (red team) against a company from a zero-knowledge perspective—meaning that to start the attack, all we got was the company’s name.
The company was known to have a very strong defensive posture and had already performed multiple red team exercises in the past. Initial access to the company network was gained via a spear phishing attack against the HR department. The open position we targeted required technical skills in a long-obsolete programming language.
We knew that it was unlikely for the client to find a good match, and hence we created a new imaginary person that could fit exactly what they needed. The phishing attack included a multi-staged software beacon (implant) that gave us a Command and Control (C2) channel into the network.
The spear phishing attack included several e-mail exchanges with the HR department to build up trust and establish a relationship. Finally, an email was sent with a beacon hidden in a malicious Word document that presented a CV of the applicant.
The employee had to click a button within the document to view the CV, which executed the initial stage of the beacon and then established a C2 channel.
Approaching humans as part of social engineering attacks isn’t limited to classic email phishing attacks, but nowadays also includes smishing attacks (SMS/WhatsApp/Signal), voice phishing, or USB drops within the client’s premises. In some situations, this even includes physical social engineering against a client’s premise.
We still identify external applications and services that allow users to use weak passwords, authentication without a second factor, or do not have an account lockout limit set for incorrect login attempts.
Affected services include applications allowing direct access to a company’s infrastructure, but also applications that allow an attacker to gain a foothold in the company’s DMZ, from where it may be possible to move into the corporate network.
One of the common patterns for organizations with weak defensive postures is that attacks are not fully followed up when they get detected.
We have very often seen that (intentionally) triggered malware alerts are not followed up to identify the root cause and how the malware initially landed on the system. The same is often the case when compromised accounts are used to access infrastructure components.
Another common pattern concerns responsibility during a forensic investigation. Often we have seen that employees report malicious behavior to other departments or support members, but then do not follow it up—the investigation just stops with an email because no one feels responsible.
This kind of pattern is very difficult to identify, but one of the easier ways to surface it is to perform practical tabletop exercises in which a successful attack is simulated.
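One way a blue team can check for the follow-up gap described above is to audit alerts against the case-management trail. The script below is an added example, not part of the original article; the alert and case records are constructed, and the action names (assigned, root_cause, closed) are assumptions about the ticketing system.

```python
"""Audit whether detected alerts were actually followed up.

Added example (not from the original article): given constructed detection
alerts and constructed case-management events, flag alerts that never got a
human owner, never had a root cause established, or stalled beyond an SLA.
"""
from datetime import datetime, timedelta

# Constructed sample alerts raised by detection tooling (ISO 8601 timestamps).
ALERTS = [
    {"id": "A-1", "host": "ws-hr-07", "type": "malware", "ts": "2023-11-01T09:12:00"},
    {"id": "A-2", "host": "jump-01", "type": "compromised_account", "ts": "2023-11-01T10:05:00"},
    {"id": "A-3", "host": "ws-fin-12", "type": "malware", "ts": "2023-11-02T14:30:00"},
]

# Constructed case-management events: who did what on which alert, and when.
# A-1 was quarantined by a tool and forwarded by e-mail, then nothing happened.
CASE_EVENTS = [
    {"alert": "A-1", "action": "quarantined", "owner": "av-tool", "ts": "2023-11-01T09:12:05"},
    {"alert": "A-1", "action": "forwarded", "owner": "helpdesk", "ts": "2023-11-01T11:00:00"},
    {"alert": "A-2", "action": "assigned", "owner": "soc-analyst-2", "ts": "2023-11-01T10:20:00"},
    {"alert": "A-2", "action": "root_cause", "owner": "soc-analyst-2", "ts": "2023-11-01T16:40:00"},
    {"alert": "A-2", "action": "closed", "owner": "soc-analyst-2", "ts": "2023-11-01T17:00:00"},
]


def audit_follow_up(alerts, events, sla=timedelta(hours=24), now=None):
    """Return {alert_id: [problems]} for every alert whose follow-up is incomplete."""
    # Fixed reference time so the constructed data is reproducible.
    now = now or datetime.fromisoformat("2023-11-03T09:00:00")
    by_alert = {}
    for e in events:
        by_alert.setdefault(e["alert"], []).append(e)
    findings = {}
    for a in alerts:
        evs = by_alert.get(a["id"], [])
        done = {e["action"] for e in evs}
        problems = []
        if "assigned" not in done:
            problems.append("no human owner")  # tool quarantine alone is not an investigation
        if "root_cause" not in done:
            problems.append("root cause not established")
        # Last activity on the alert; fall back to the alert time if nobody touched it.
        last = max((datetime.fromisoformat(e["ts"]) for e in evs),
                   default=datetime.fromisoformat(a["ts"]))
        if "closed" not in done and now - last > sla:
            problems.append(f"stalled {(now - last) // timedelta(hours=1)}h since last action")
        if problems:
            findings[a["id"]] = problems
    return findings


if __name__ == "__main__":
    for alert_id, problems in audit_follow_up(ALERTS, CASE_EVENTS).items():
        print(alert_id, "->", "; ".join(problems))
```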
Once inside a network, we rarely see good network segmentation. It is often the case that network zones haven’t been separated. Nearly every employee can access critical test, pre-production, and production infrastructure.
Organizations and their networks are constantly evolving, which also means that there are legacy components within them. It is not uncommon to find obsolete systems, systems without in-depth attack detection, and systems that have been forgotten about.
These are particularly interesting during an attack simulation, as the likelihood of a successful attack is highest against legacy components or software.
Aside from attack simulations (which not every org is ready for), there are a few practical steps leaders can take to strengthen and test security playbooks.
One of the highest priorities should be security awareness: an ongoing process that needs to continuously evolve and should be tailored to the different departments and teams.
For example, phishing training should be delivered to all employees, especially those working with emails on a daily basis. Teams working on delivering physical goods, on the other hand, who may not use email on a daily basis, might be more exposed to device theft. So they should be trained on securely handling devices and documents.
In addition to improving security awareness, I’d encourage teams to take a proactive approach to security by:
Engaging in tabletop exercises: Tabletop exercises can be used to walk through hypothetical cyber attack scenarios. Within those exercises, employees across different departments can discuss how the organization would respond to identify gaps in current procedures. This exercise can also be combined with a practical part to see if defined procedures work in real-life incidents.
Reviewing previous incidents: Previous incidents, whether averted or successful, should be reviewed and discussed so that defenses can adapt to dangerous techniques and procedures.
Embracing threat intelligence: Threat intelligence should be gathered continuously to discover new threats to the organization's branch of industry, new attack vectors, and exposed systems.
There isn’t a “one size fits all” formula to describe attack simulations for an organization. Therefore, I recommend organizations provide red team training to their teams or work with attack simulation specialists to fortify their security posture and develop stronger security plans.
Author Bio: Christian Becker (0xchrisb), Co-Founder, Y-Security. Christian Becker has been working in offensive security for over 10 years and is nowadays the Co-Founder of Y-Security. He focuses on customized attack scenarios, including elements of classic penetration tests and innovative approaches to Attack Simulation. In his projects, Christian has examined and attacked complex structures and environments including banking (SEPA/SWIFT), operational technology (KRITIS), integration environments (DevOps), and tailored cloud environments. Christian has a bachelor’s degree in IT Security/Information Engineering, as well as several industry certifications, including Burp Suite Certified Practitioner, Offensive Security Experienced Penetration Tester (OSEP), Offensive Security Certified Expert (OSCE), CREST Certified Tester Web Application (CCT App) and CREST Registered Tester (CRT).